From: Mark Millard
To: freebsd-current
Subject: Re: FYI: An example ASAN failure report during kyua test -k /usr/tests/Kyuafile (info for some more examples)
Date: Sun, 9 Jan 2022 13:47:35 -0800
Message-Id: <4A33AD5F-A930-4E2C-854B-E8498C2928EC@yahoo.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 2022-Jan-7, at 03:39, Mark Millard wrote:

> Having done a buildworld with both WITH_ASAN= and WITH_UBSAN=
> after finding what to control to allow the build, I installed
> it in a directory tree for chroot use and have
> "kyua test -k /usr/tests/Kyuafile" running.
>
> I see evidence of one AddressSanitizer report. (kyua is still
> running.) The context is:
>
> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stdout.txt
> Executing command [ mkdir /tmp/kyua.FKD2vh/434/work/mntpt ]
> mount -t tmpfs -o size=10M tmpfs /tmp/kyua.FKD2vh/434/work/mntpt
> Executing command [ touch a ]
> Executing command [ rm a ]
> Executing command [ dd if=/dev/zero of=a bs=1m count=15 ]
> Executing command [ rm a ]
>
> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stderr.txt
> =================================================================
> ==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a bp 0x7fffffffa830 sp 0x7fffffffa828
> WRITE of size 8 at 0x7fffffffa948 thread T0
>     #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
>     #1 0x10de6c8 in strtoimax /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3441:18
>     #2 0x11a4723 in getq /usr/main-src/bin/test/test.c:560:6
>     #3 0x11a4523 in intcmp /usr/main-src/bin/test/test.c:584:7
>     #4 0x11a4523 in binop /usr/main-src/bin/test/test.c:351:10
>     #5 0x11a2f06 in primary /usr/main-src/bin/test/test.c:317:10
>     #6 0x11a2f06 in nexpr /usr/main-src/bin/test/test.c:275:9
>     #7 0x11a28cb in aexpr /usr/main-src/bin/test/test.c:261:8
>     #8 0x11a2a03 in aexpr /usr/main-src/bin/test/test.c:263:10
>     #9 0x11a228b in oexpr /usr/main-src/bin/test/test.c:247:8
>     #10 0x11a1fcf in testcmd /usr/main-src/bin/test/test.c:224:10
>     #11 0x1145289 in evalcommand /usr/main-src/bin/sh/eval.c:1107:16
>     #12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>     #13 0x113fb34 in evaltree /usr/main-src/bin/sh/eval.c:225:4
>     #14 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
>     #15 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>     #16 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>     #17 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
>     #18 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>     #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>     #20 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>     #21 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>     #22 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
>     #23 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3
>
> Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
>     #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58
>
>   This frame has 1 object(s):
>     [32, 36) '__limit.i.i.i' <== Memory access at offset 264 overflows this variable
> HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
>       (longjmp and C++ exceptions *are* supported)
> SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11 in strtoimax_l
> Shadow bytes around the buggy address:
>   0x4ffffffff4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff500: f1 f1 f1 f1 00 00 00 00 f1 f1 f1 f1 f8 f3 f3 f3
>   0x4ffffffff510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x4ffffffff520: 00 00 00 00 f3 f3 f3 f3 f3[f3]f3 f3 00 00 00 00
>   0x4ffffffff530: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
>   0x4ffffffff540: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
>   0x4ffffffff550: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>   0x4ffffffff560: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>   0x4ffffffff570: f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable: 00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone: fa
>   Freed heap region: fd
>   Stack left redzone: f1
>   Stack mid redzone: f2
>   Stack right redzone: f3
>   Stack after return: f5
>   Stack use after scope: f8
>   Global redzone: f9
>   Global init order: f6
>   Poisoned by user: f7
>   Container overflow: fc
>   Array cookie: ac
>   Intra object redzone: bb
>   ASan internal: fe
>   Left alloca redzone: ca
>   Right alloca redzone: cb
> ==14384==ABORTING
> Files left in work directory after failure: mntpt, mounterr
>

I've found some manually reproducible AddressSanitizer reports
and have a few other notes on some types of reports:

# env SH=/bin/sh /bin/sh /usr/tests/bin/sh/builtins/trap1.0
=================================================================
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
LLVMSymbolizer: error reading file: No such file or directory
    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x10ca344 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
    #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
    #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
    #10 0x7fffffffe8a2 ([vdso]+0x2d2)
    #11 0x801e1d969 in __sys_wait4 /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_wait4.S:4
    #12 0x801488d1b in __thr_wait4 /usr/main-src/lib/libthr/thread/thr_syscalls.c:581:8
    #13 0x10d6953 in wait3 /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2463:13
    #14 0x11716a7 in dowait /usr/main-src/bin/sh/jobs.c:1181:9
    #15 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
    #16 0x1142301 in evalsubshell /usr/main-src/bin/sh/eval.c:442:16
    #17 0x113f7e1 in evaltree /usr/main-src/bin/sh/eval.c:234:4
    #18 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #19 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

# /bin/sh /usr/tests/bin/sh/execution/path1.0
=================================================================
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x111163a in __asan_report_store8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:128:1
    #8 0x801e0f80c in bintime2timespec /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/tmp/usr/include/sys/time.h:285:14
    #9 0x801e0f80c in __vdso_clock_gettime /usr/main-src/lib/libc/sys/__vdso_gettimeofday.c:195:2
    #10 0x801e0e0c0 in clock_gettime /usr/main-src/lib/libc/sys/clock_gettime.c:48:11
    #11 0x10d54da in clock_gettime /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2189:13
    #12 0x11234f5 in __sanitizer::MonotonicNanoTime() /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp:860:3
    #13 0x10ba02c in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::PopulateFreeArray(__sanitizer::AllocatorStats*, unsigned long, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::RegionInfo*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_primary64.h:790:45
    #14 0x10b9c4b in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::GetFromAllocator(__sanitizer::AllocatorStats*, unsigned long, unsigned int*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_primary64.h:220:11
    #15 0x10b9955 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Refill(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::PerClass*, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h:103:9
    #16 0x10b9615 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Allocate(__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h:39:11
    #17 0x10b9511 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >, __sanitizer::LargeMmapAllocatorPtrArrayDynamic>::Allocate(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >*, unsigned long, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_combined.h:69:20
    #18 0x10b6086 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:537:29
    #19 0x10b4818 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:980:34
    #20 0x110be9b in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:130:10
    #21 0x117aca3 in ckmalloc /usr/main-src/bin/sh/memalloc.c:71:6
    #22 0x119eafc in redirect /usr/main-src/bin/sh/redir.c:126:9
    #23 0x11450b3 in evalcommand /usr/main-src/bin/sh/eval.c:1092:3
    #24 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #25 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #26 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

# env SH=/bin/sh /bin/sh /usr/tests/bin/sh/expansion/cmdsubst21.0
=================================================================
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=126718)
LLVMSymbolizer: error reading file: No such file or directory
    #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x10ca202 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
    #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
    #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
    #10 0x7fffffffe8a2 ([vdso]+0x2d2)
    #11 0x801e1d8c9 in _sigsuspend /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_sigsuspend.S:4
    #12 0x80147b997 in __thr_sigsuspend /usr/main-src/lib/libthr/thread/thr_sig.c:691:8
    #13 0x11716d7 in dowait /usr/main-src/bin/sh/jobs.c:1190:4
    #14 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
    #15 0x115252f in expbackq /usr/main-src/bin/sh/expand.c:527:16
    #16 0x115252f in argstr /usr/main-src/bin/sh/expand.c:323:4
    #17 0x1151178 in expandarg /usr/main-src/bin/sh/expand.c:241:2
    #18 0x1142a0b in evalcommand /usr/main-src/bin/sh/eval.c:862:3
    #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #20 0x113f9e6 in evaltree /usr/main-src/bin/sh/eval.c:218:4
    #21 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #22 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

By contrast, I'll note that:

# env SH=/bin/sh /bin/sh /usr/tests/bin/sh/expansion/cmdsubst6.0

did not report anything (but did in the kyua run).

I took one of the simpler backtraces that reports
"((ptr[0] == kCurrentStackFrameMagic)) != (0)" and took a look:

AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=326791)
    #0 0x10cfbd1 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x10eb0ab in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #2 0x10d2461 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
    #3 0x1079643 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
    #4 0x1079643 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
    #5 0x107b13e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
    #6 0x10cd59c in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
    #7 0x10ce357 in __asan_report_load8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:123:1
    #8 0x8020ca16d in execl /usr/main-src/lib/libc/gen/exec.c:64:9
    #9 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
    #10 0x801acec72 in __thr_system /usr/main-src/lib/libthr/thread/thr_syscalls.c:545:8
    #11 0x10fe434 in systemf /usr/main-src/contrib/libarchive/test_utils/test_main.c:3071:6
    #12 0x10f42bf in test_help /usr/main-src/contrib/libarchive/cat/test/test_help.c:52:6
    #13 0x1101b2c in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
    #14 0x1101b2c in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9
*** forcing core dump so failure can be debugged ***
Files left in work directory after failure: bsdcat_test.2022-01-07T10.54.27-000

Looking at lib/libc/gen/exec.c:64 showed:

        while (va_arg(ap, char *) != NULL)

It appears to me that the backtrace runs into another
problem during __asan_report_load8_noabort (already
an error classification?) and ends up reporting that
other problem instead.

There are a fair number of other tests that also
report such for that line of code in execl.

While looking, I got (odd whitespace removed from the output and
split into more lines):

/usr/main-src/contrib/nvi/common/log.c:261:2: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:261:2 in
/usr/main-src/contrib/nvi/common/log.c:266:21: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:266:21 in
/usr/main-src/contrib/nvi/common/log.c:272:37: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:272:37 in

(Some of my activity is outside the chroot that has ASAN/UBSAN
but the above happened to be in the chroot.)

I also looked at:

==99317==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffffa300 at pc 0x0008020ca271 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
WRITE of size 8 at 0x7fffffffa300 thread T0
    #0 0x8020ca270 in execl /usr/main-src/lib/libc/gen/exec.c:74:10
    #1 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
    #2 0x801acec72 in __thr_system /usr/main-src/lib/libthr/thread/thr_syscalls.c:545:8
    #3 0x10fe434 in systemf /usr/main-src/contrib/libarchive/test_utils/test_main.c:3071:6
    #4 0x10f45f9 in test_stdin /usr/main-src/contrib/libarchive/cat/test/test_stdin.c:37:6
    #5 0x1101b2c in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
    #6 0x1101b2c in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9

Address 0x7fffffffa300 is located in stack of thread T0
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /usr/main-src/lib/libc/gen/exec.c:74:10 in execl
Shadow bytes around the buggy address:
  0x4ffffffff410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff450: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
=>0x4ffffffff460:[ca]ca ca ca cb cb cb cb f1 f1 f1 f1 00 00 00 f3
  0x4ffffffff470: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x4ffffffff480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff4a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x4ffffffff4b0: 04 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==99317==ABORTING
*** forcing core dump so failure can be debugged ***
Files left in work directory after failure: bsdcat_test.2022-01-07T10.54.28-000

Looking at lib/libc/gen/exec.c:74 showed:

        argv[0] = arg;

There are a fair number of other tests that also
report such for that line of code in execl.

There are also examples of the likes of:

===> bin/pax/legacy_test:main
Result: broken: TAP test program yielded invalid data: Load of '/tmp/kyua.FKD2vh/2679/stdout.txt' failed: Output did not contain any TAP plan and the program did not bail out
. . .
Standard error:
ld-elf.so.1: /lib/libthr.so.3: Undefined symbol "__asan_option_detect_stack_use_after_return"

where the test does not seem to have been able to run at all because
of the undefined symbol.

Overall going through trying to summarize the AddressSanitizer
reports looks much messier than doing so for the Undefined Behavior
reports.

===
Mark Millard
marklmi at yahoo.com
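
The triage done by hand in the message above (skip the sanitizer's own frames, find the first libc or application frame, then note which source line keeps recurring) can be scripted over the kyua stderr files. The following is an added example, not part of the original message or of FreeBSD or LLVM; it assumes runtime frames are recognisable by /compiler-rt/ in their source path, as in the traces quoted here, and its sample input is abbreviated from those traces.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    tool: str                 # "asan", "ubsan" or "rtld"
    kind: str                 # error class, failed CHECK, or UBSan message
    function: Optional[str]   # first frame outside the sanitizer runtime (symbol for rtld)
    location: Optional[str]   # file:line of that frame (library path for rtld)
    via: Optional[str]        # last runtime frame listed before it, i.e. the runtime entry point

# Assumption: frames of the sanitizer runtime carry this directory in their source path.
RUNTIME_DIR = "/compiler-rt/"
ASAN_HEADER = re.compile(r"^(?:==\d+==ERROR: )?AddressSanitizer: (CHECK failed: \S+|\S+)")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+) (/[^\s:]+)(?::(\d+))?(?::\d+)?$")
UBSAN = re.compile(r"^(/[^\s:]+):(\d+):\d+: runtime error: (.+)$")
RTLD = re.compile(r'ld-elf\.so\.1: (\S+): Undefined symbol "([^"]+)"')

def triage(text: str) -> list:
    """Turn mixed sanitizer/loader stderr into one Finding per report."""
    findings = []
    pending = via = None      # ASan header still waiting for its first non-runtime frame
    for line in map(str.strip, text.splitlines()):
        if m := ASAN_HEADER.match(line):
            if pending:       # previous report never left the runtime
                findings.append(Finding("asan", pending, None, None, via))
            pending, via = m.group(1), None
        elif pending and (m := FRAME.match(line)):
            func, path, lineno = m.groups()
            if RUNTIME_DIR in path:
                via = func.split("(")[0]          # drop the C++ argument list
            else:
                loc = f"{path}:{lineno}" if lineno else path
                findings.append(Finding("asan", pending, func, loc, via))
                pending = None                    # later frames belong to the same report
        elif m := UBSAN.match(line):
            findings.append(Finding("ubsan", m.group(3), None, f"{m.group(1)}:{m.group(2)}", None))
        elif m := RTLD.search(line):
            findings.append(Finding("rtld", "undefined symbol", m.group(2), m.group(1), None))
    if pending:
        findings.append(Finding("asan", pending, None, None, via))
    return findings

def summarize(findings) -> Counter:
    """Count reports per (tool, kind, location) so repeats across tests collapse."""
    return Counter((f.tool, f.kind, f.location) for f in findings)

# Sample input abbreviated from the reports quoted in the message (frames elided, one per line).
SAMPLE = """\
AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=326791)
    #0 0x10cfbd1 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
    #1 0x10eb0ab in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
    #7 0x10ce357 in __asan_report_load8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:123:1
    #8 0x8020ca16d in execl /usr/main-src/lib/libc/gen/exec.c:64:9
    #9 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
==99317==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffffa300 at pc 0x0008020ca271 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
WRITE of size 8 at 0x7fffffffa300 thread T0
    #0 0x8020ca270 in execl /usr/main-src/lib/libc/gen/exec.c:74:10
    #1 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /usr/main-src/lib/libc/gen/exec.c:74:10 in execl
==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a bp 0x7fffffffa830 sp 0x7fffffffa828
    #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
    #1 0x10de6c8 in strtoimax /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3441:18
Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
    #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58
/usr/main-src/contrib/nvi/common/log.c:261:2: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:261:2 in
/usr/main-src/contrib/nvi/common/log.c:266:21: runtime error: member access within null pointer of type 'log_t'
ld-elf.so.1: /lib/libthr.so.3: Undefined symbol "__asan_option_detect_stack_use_after_return"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

The `via` field keeps the runtime entry point of a CHECK-failed report (for example `__asan_report_load8_noabort`), which is the only hint left about what ASan was reporting when its own check tripped.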