Date:      Fri, 7 Jan 2022 05:57:11 -0800
From:      Mark Millard <marklmi@yahoo.com>
To:        freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: FYI: An example type of UBSAN failure during kyua test -k /usr/tests/Kyuafile
Message-ID:  <02A69F9D-FE10-40F3-BEF3-5A54EFC2310A@yahoo.com>
In-Reply-To: <91B0824D-C202-40A2-8781-30E6E0502D0B@yahoo.com>
References:  <CE7EFE82-DDE5-43A5-B02D-1C5F39F20AE2@yahoo.com> <91B0824D-C202-40A2-8781-30E6E0502D0B@yahoo.com>

On 2022-Jan-7, at 05:08, Mark Millard <marklmi@yahoo.com> wrote:

> On 2022-Jan-7, at 03:49, Mark Millard <marklmi@yahoo.com> wrote:
>
>> Having done a buildworld with both WITH_ASAN= and WITH_UBSAN=
>> after finding what to control to allow the build, I installed
>> it in a directory tree for chroot use and have
>> "kyua test -k /usr/tests/Kyuafile" running.
>>
>> I see evidence of various examples of one type of undefined
>> behavior: "applying zero offset to null pointer"
>>
>> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/356/stderr.txt
>> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
>> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in
>> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
>> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in
>> /usr/main-src/usr.bin/sed/process.c:715:18: runtime error: applying zero offset to null pointer
>> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/sed/process.c:715:18 in
>> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
>> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in
>> Fail: stderr not empty
>> --- /dev/null   2022-01-07 10:29:57.182903000 +0000
>> +++ /tmp/kyua.FKD2vh/356/work/check.Mk9llD/stderr       2022-01-07 10:29:57.173100000 +0000
>> @@ -0,0 +1,2 @@
>> +/usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
>> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in
>> Files left in work directory after failure: mntpt, mounterr
>>
>>
>> In general the lib/libc/stdio/fread.c:133:10 example seems to
>> be in a place that would make it fairly common.
>>
>> usr.bin/sed/process.c:715:18 is more limited: just sed use.
>>
>
> kyua ran to completion. This note is focused on UBSAN reports.
>
> By far the most common UBSAN report is for the
> lib/libc/stdio/fread.c:133:10 code.
>
> Another somewhat common UBSAN report is:
>
> Standard error:
> /usr/main-src/usr.bin/cut/cut.c:458:7: runtime error: addition of unsigned offset to 0x62100000010d overflowed to 0x62100000010c
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/cut/cut.c:458:7 in
> Fail: incorrect exit status: 1, expected: 0
>
>
> There is at least one example of:
>
> Standard error:
> ld-elf.so.1: /lib/libthr.so.3: Undefined symbol "__asan_option_detect_stack_use_after_return"
>
>
> Some more zero offsets to null are:
>
> +/usr/main-src/bin/sh/jobs.c:590:35: runtime error: applying zero offset to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:590:35 in
> +/usr/main-src/bin/sh/jobs.c:601:22: runtime error: applying zero offset to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:601:22 in
> +/usr/main-src/contrib/xz/src/liblzma/common/common.c:292:16: runtime error: applying zero offset to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/xz/src/liblzma/common/common.c:292:16 in
>
> +/usr/main-src/usr.sbin/makefs/ffs.c:1053:35: runtime error: applying zero offset to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.sbin/makefs/ffs.c:1053:35 in
> Files left in work directory after failure: dir, ufs.img
>
>
> contrib/libxo/libxo/xo_buf.h has examples of non-zero offsets:
>
> +/usr/main-src/contrib/libxo/libxo/xo_buf.h:116:22: runtime error: applying non-zero offset 4 to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:116:22 in
> +/usr/main-src/contrib/libxo/libxo/xo_buf.h:116:44: runtime error: applying zero offset to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:116:44 in
> +/usr/main-src/contrib/libxo/libxo/xo_buf.h:120:29: runtime error: applying non-zero offset 4 to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:120:29 in
>
> As does contrib/openzfs/module/nvpair/nvpair.c :
>
> /usr/main-src/sys/contrib/openzfs/module/nvpair/nvpair.c:3129:49: runtime error: applying non-zero offset 4 to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sys/contrib/openzfs/module/nvpair/nvpair.c:3129:49 in
>
>
> There is a:
>
> +/usr/main-src/bin/sh/arith_yacc.c:193:10: runtime error: negation of -9223372036854775808 cannot be represented in type 'arith_t' (aka 'long'); cast to an unsigned type to negate this value to itself
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/arith_yacc.c:193:10 in
>
> And there are various examples similar to:
>
> +/usr/main-src/sys/contrib/zlib/deflate.c:1262:31: runtime error: load of misaligned address 0x631000014805 for type 'ushf' (aka 'unsigned short'), which requires 2 byte alignment
> +0x631000014805: note: pointer points here
> + 69 6c 65 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00
> +             ^
>
> but at different lines of the code.
>
> There are examples of:
>
> +/usr/main-src/lib/libc/db/hash/hash_page.c:761:3: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:761:3 in
> +/usr/main-src/lib/libc/db/hash/hash_page.c:840:2: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:840:2 in
> +/usr/main-src/lib/libc/db/hash/hash_page.c:774:2: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:774:2 in
>
> There are various examples similar to:
>
> +/usr/main-src/lib/libc/db/btree/bt_conv.c:168:6: runtime error: load of misaligned address 0x616000000b91 for type 'uint32_t' (aka 'unsigned int'), which requires 4 byte alignment
> +0x616000000b91: note: pointer points here
> + 00 00 02  02 03 00 00 00 ec 01 00  00 78 0a 00 08 00 00 00  02 00 00 00 02 02 00 00  00 ec 01 00 00
> +              ^
>
> but at different lines of the code.
>
> There was a:
>
> /usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_sleep.c:305:36: runtime error: signed integer overflow: 105827994173648 * 1000000000 cannot be represented in type 'long long'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_sleep.c:305:36 in
>
> And a:
>
> +/usr/main-src/lib/libc/regex/engine.c:1013:53: runtime error: left shift of 4611686018427387904 by 1 places cannot be represented in type 'long'
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/regex/engine.c:1013:53 in
>
> (It occurred in multiple places.)
>
> And:
>
> /usr/main-src/lib/libc/gen/_rand48.c:45:55: runtime error: signed integer overflow: 57068 * 43981 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:55 in
> /usr/main-src/lib/libc/gen/_rand48.c:45:26: runtime error: signed integer overflow: 58989 * 55082 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:26 in
> /usr/main-src/lib/libc/gen/_rand48.c:45:37: runtime error: signed integer overflow: 1365949284 + 876906888 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:37 in
>
> /usr/main-src/lib/libc/stdlib/getenv.c:169:20: runtime error: load of value 190, which is not a valid value for type 'bool'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdlib/getenv.c:169:20 in
> /usr/main-src/lib/libc/stdlib/getenv.c:684:23: runtime error: load of value 190, which is not a valid value for type 'bool'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdlib/getenv.c:684:23 in
>
> And:
>
> /usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: member access within misaligned address 0xffffffffffffffff for type 'const ucontext_t' (aka 'const struct __ucontext'), which requires 16 byte alignment
> 0xffffffffffffffff: note: pointer points here
> <memory cannot be printed>
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in
> /usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: member access within misaligned address 0xffffffffffffffff for type 'const __sigset_t' (aka 'const struct __sigset'), which requires 16 byte alignment
> 0xffffffffffffffff: note: pointer points here
> <memory cannot be printed>
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in
> /usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: load of misaligned address 0xffffffffffffffff for type 'const __uint32_t' (aka 'const unsigned int'), which requires 16 byte alignment
> 0xffffffffffffffff: note: pointer points here
> <memory cannot be printed>
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in
>
> And:
>
> +/usr/main-src/sbin/nvmecontrol/nvmecontrol.h:99:9: runtime error: load of misaligned address 0x7fffffffc978 for type 'uint128_t' (aka 'unsigned __int128'), which requires 16 byte alignment
> +0x7fffffffc978: note: pointer points here
> + 00 00 00 00  00 60 a5 ee dc 01 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
> +              ^
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sbin/nvmecontrol/nvmecontrol.h:99:9 in
>
> And:
>
> /usr/main-src/sys/netinet/libalias/alias_db.c:430:2: runtime error: member access within null pointer of type 'struct libalias'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sys/netinet/libalias/alias_db.c:430:2 in
>
> And:
>
> /usr/main-src/tests/sys/sys/qmath_test.c:569:3: runtime error: left shift of 1277217398 by 34 places cannot be represented in type 's64q_t' (aka 'long')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:569:3 in
> /usr/main-src/tests/sys/sys/qmath_test.c:569:3: runtime error: signed integer overflow: -8928018189856292682 + -9223372036854775808 cannot be represented in type 'long'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:569:3 in
> /usr/main-src/tests/sys/sys/qmath_test.c:570:3: runtime error: left shift of 674540471 by 34 places cannot be represented in type 's64q_t' (aka 'long')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:570:3 in
> /usr/main-src/tests/sys/sys/qmath_test.c:570:3: runtime error: signed integer overflow: -7034438991598280603 + -9223372036854775808 cannot be represented in type 'long'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:570:3 in
>
> /usr/main-src/tests/sys/sys/qmath_test.c:378:3: runtime error: left shift of 1099256400 by 34 places cannot be represented in type 's64q_t' (aka 'long')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:378:3 in
> /usr/main-src/tests/sys/sys/qmath_test.c:379:3: runtime error: left shift of 7397324394137081998 by 3 places cannot be represented in type 's64q_t' (aka 'long')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:379:3 in
> /usr/main-src/tests/sys/sys/qmath_test.c:378:3: runtime error: signed integer overflow: -5522065151083782997 + -9223372036854775808 cannot be represented in type 'long'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:378:3 in
>
> And:
>
> /usr/main-src/usr.bin/mkimg/ebr.c:89:16: runtime error: member access within misaligned address 0x61500000023e for type 'struct dos_partition', which requires 4 byte alignment
> 0x61500000023e: note: pointer points here
> 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00
>             ^
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/mkimg/ebr.c:89:16 in
>
> And:
>
> /usr/main-src/usr.bin/mkimg/mbr.c:99:8: runtime error: member access within misaligned address 0x6150000004be for type 'struct dos_partition', which requires 4 byte alignment
> 0x6150000004be: note: pointer points here
> 42 0a 42 0a 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00
>             ^
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/mkimg/mbr.c:99:8 in
>
> And:
>
> +/usr/main-src/usr.bin/rs/rs.c:387:5: runtime error: applying non-zero offset 108370614813184 to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/rs/rs.c:387:5 in
>
> And:
>
> +/usr/main-src/usr.bin/unifdef/unifdef.c:836:52: runtime error: applying non-zero offset 1 to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/unifdef/unifdef.c:836:52 in


With all the line number references, I should have noted
what my source context for main [so: 14] is based on:

# uname -apKU
FreeBSD amd64_ZFS 14.0-CURRENT FreeBSD 14.0-CURRENT #29 main-n252196-a3522837b021-dirty: Mon Jan  3 22:17:33 PST 2022     root@amd64_ZFS:/usr/obj/BUILDs/main-amd64-nodbg-clang/usr/main-src/amd64.amd64/sys/GENERIC-NODBG  amd64 amd64 1400046 1400046

# ~/fbsd-based-on-what-commit.sh -C /usr/main-src/
branch: main
merge-base: a3522837b021a46f2de81303247599ea51163d13
merge-base: CommitDate: 2022-01-04 03:39:24 +0000
a3522837b021 (HEAD -> main, freebsd/main, freebsd/HEAD) ipfilter userland: Fix branch mismerge
n252196 (--first-parent --count for merge-base)





===
Mark Millard
marklmi at yahoo.com
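As an added example (not code from this mail, from Mark Millard, or from the FreeBSD tree), the C below reproduces five of the UBSAN report classes quoted in the message, each beside a form that is defined C: pointer arithmetic on a null pointer with a zero offset and with a non-zero offset, `1 << 31` in `int`, the `unsigned short` promotion that makes `57068 * 43981` a signed `int` multiply, and a misaligned 16-bit load. The file name, every function and struct name, and the sample bytes are this example's own assumptions; the `_rand48.c`, `hash_page.c` and `deflate.c` expressions themselves are not reproduced, only the category of bug each report names.

```c
/* ub_patterns.c: an added example, not code from this mail or from the
 * FreeBSD tree.  Each *_ub() function reproduces one class of UBSAN report
 * quoted above in the shape such code usually takes; each *_ok() is the
 * same operation written as defined C.  Build and run with
 *
 *   cc -O1 -fsanitize=undefined ub_patterns.c -o ub_patterns && ./ub_patterns
 *
 * Every *_ub() call in main() prints a "runtime error:" line; the *_ok()
 * calls print nothing.  Built without -fsanitize the program runs and
 * prints the same numbers on amd64, which is why these bugs sit in shipped
 * code until someone runs the test suite under UBSAN. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. "applying zero offset to null pointer".  buf + len is pointer
 * arithmetic on a null pointer whenever buf is NULL, and C17 6.5.6p8 leaves
 * that undefined even for len == 0.  Usual shape: an end pointer computed
 * before the empty case is handled. */
static size_t count_nonzero_ub(const unsigned char *buf, size_t len)
{
    const unsigned char *end = buf + len;        /* UB when buf == NULL */
    size_t n = 0;

    for (const unsigned char *p = buf; p != end; p++)
        n += (*p != 0);
    return n;
}

static size_t count_nonzero_ok(const unsigned char *buf, size_t len)
{
    size_t n = 0;

    if (buf == NULL)                              /* decide before any arithmetic */
        return 0;
    for (size_t i = 0; i < len; i++)              /* index; never form buf + len on NULL */
        n += (buf[i] != 0);
    return n;
}

/* 2. "applying non-zero offset N to null pointer".  Same rule with a
 * non-zero offset: stepping from a record base to a field inside it without
 * first checking that the base lookup succeeded. */
struct rec {
    uint32_t      magic;
    uint32_t      len;
    unsigned char payload[8];
};

static const unsigned char *payload_ub(const struct rec *r)
{
    /* UB when r == NULL: NULL + offsetof(struct rec, payload), i.e. NULL + 8 */
    return (const unsigned char *)r + offsetof(struct rec, payload);
}

static const unsigned char *payload_ok(const struct rec *r)
{
    return r == NULL ? NULL : r->payload;
}

/* 3. "left shift of 1 by 31 places cannot be represented in type 'int'".
 * The literal 1 is an int, so 1 << 31 shifts into the sign bit, which is
 * undefined for signed types.  Shift an unsigned 1 instead. */
static uint32_t bit_ub(unsigned int b) { return 1 << b; }           /* UB for b == 31 */
static uint32_t bit_ok(unsigned int b) { return UINT32_C(1) << b; }

/* 4. "signed integer overflow: 57068 * 43981 cannot be represented in type
 * 'int'".  Two unsigned shorts are promoted to int before the multiply, and
 * a 16 x 16 bit product does not fit in 31 bits.  Widen one operand to an
 * unsigned type first.  (The operands are the ones quoted in the mail; the
 * expression is this example's, not libc's.) */
static uint32_t mul16_ub(unsigned short a, unsigned short b) { return a * b; }
static uint32_t mul16_ok(unsigned short a, unsigned short b) { return (uint32_t)a * b; }

/* 5. "load of misaligned address ... for type 'ushf' (aka 'unsigned short'),
 * which requires 2 byte alignment".  Casting an arbitrary byte pointer to
 * uint16_t * and dereferencing it.  memcpy into an aligned local is the
 * portable form; compilers turn it into one load where alignment is free. */
static uint16_t load16_ub(const unsigned char *p) { return *(const uint16_t *)p; }
static uint16_t load16_ok(const unsigned char *p)
{
    uint16_t v;

    memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed sample data for main(); sample[1..2] is an odd-addressed
 * 16-bit value that reads as 0x4141 in either byte order. */
static const unsigned char sample[8] = { 0x00, 0x41, 0x41, 0x00, 0x01, 0x00, 0x02, 0x00 };
static const struct rec sample_rec = { 0x00434552u, 3, { 1, 2, 3, 0, 0, 0, 0, 0 } };

int main(void)
{
    printf("1: %zu %zu\n", count_nonzero_ub(NULL, 0), count_nonzero_ok(NULL, 0));
    printf("2: %p %p\n", (const void *)payload_ub(NULL), (const void *)payload_ok(NULL));
    printf("3: %#x %#x\n", (unsigned)bit_ub(31), (unsigned)bit_ok(31));
    printf("4: %u %u\n", (unsigned)mul16_ub(57068, 43981), (unsigned)mul16_ok(57068, 43981));
    printf("5: %#x %#x\n", (unsigned)load16_ub(sample + 1), (unsigned)load16_ok(sample + 1));
    printf("sample: %zu nonzero bytes, payload[0] = %u\n",
           count_nonzero_ok(sample, sizeof sample), payload_ok(&sample_rec)[0]);
    return 0;
}
```

The `_ub` and `_ok` pairs return identical values on amd64 when built without the sanitizer, which is the point: none of these reports is a crash you would notice in ordinary use, and the fix in each case is a one-line change (check the pointer before forming the offset, shift or multiply an unsigned operand, `memcpy` instead of a cast) rather than a rewrite.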



