Date: Fri, 14 Jan 2022 05:37:20 -0800 From: Mark Millard <marklmi@yahoo.com> To: freebsd-current <freebsd-current@freebsd.org> Subject: UBSAN reported behaviors in view use: Null pointer use oddities in contrib/nvi/... code Message-ID: <99C234B7-AD2F-428F-B697-32A1F89AAC51@yahoo.com> References: <99C234B7-AD2F-428F-B697-32A1F89AAC51.ref@yahoo.com>
# env ASAN_OPTIONS=detect_container_overflow=0 lldb view
(lldb) target create "view"
Current executable set to 'view' (x86_64).
(lldb) run /usr/main-src/contrib/nvi/common/log.c
Process 96507 launched: '/usr/bin/view' (x86_64)
Process 96507 stopped
* thread #1, name = 'view', stop reason = Nullptr with nonzero offset
    frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
   36   }
   37
   38   SANITIZER_WEAK_DEFAULT_IMPL
-> 39   void __ubsan::__ubsan_on_report(void) {}
   40
   41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
   42                                                 const char **OutMessage,
(lldb) bt
* thread #1, name = 'view', stop reason = Nullptr with nonzero offset
  * frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
    frame #1: 0x00000000012c36b1 view`__ubsan::Diag::~Diag(this=0x00007fffffffb9b0) at ubsan_diag.cpp:354:29
    frame #2: 0x00000000012c85e4 view`handlePointerOverflowImpl(Data=<unavailable>, Base=<unavailable>, Result=<unavailable>, Opts=(FromUnrecoverableHandler = false, pc = 21543807, bp = 140737488337936)) at ubsan_diag.h:0:21
    frame #3: 0x00000000012c811a view`::__ubsan_handle_pointer_overflow(Data=<unavailable>, Base=<unavailable>, Result=<unavailable>) at ubsan_handlers.cpp:815:3
    frame #4: 0x000000000148bb7f view`vs_crel(sp=0x00007fffffffbd20, count=<unavailable>) at v_z.c:138:14
    frame #5: 0x0000000001420d78 view`v_optchange(sp=<unavailable>, offset=<unavailable>, str=<unavailable>, valp=<unavailable>) at v_init.c:117:11 [artificial]
    frame #6: 0x000000000132d079 view`opts_set(sp=0x000061e000000080, argv=0x00007fffffffbf00, usage=<unavailable>) at options.c:684:8
    frame #7: 0x0000000001328db4 view`opts_init(sp=<unavailable>, oargs=<unavailable>) at options.c:412:2
    frame #8: 0x00000000013184d3 view`editor(gp=0x0000621000000100, argc=<unavailable>, argv=0x00007fffffffdb10) at main.c:240:6
    frame #9: 0x00000000012d21dd view`main(argc=<unavailable>, argv=<unavailable>) at cl_main.c:115:9
    frame #10: 0x0000000001246c7d view`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1_c.c:73:7
(lldb) up 4
frame #4: 0x000000000148bb7f view`vs_crel(sp=0x00007fffffffbd20, count=<unavailable>) at v_z.c:138:14
   135 	sp->t_minrows = sp->t_rows = count;
   136 	if (sp->t_rows > sp->rows - 1)
   137 		sp->t_minrows = sp->t_rows = sp->rows - 1;
-> 138 	TMAP = HMAP + (sp->t_rows - 1);
   139 	F_SET(sp, SC_SCR_REDRAW);
   140 	return (0);
   141 }
(lldb) thread info -s
thread #1: tid = 125915, 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'view', stop reason = Nullptr with nonzero offset
{
  "col": 14,
  "description": "nullptr-with-nonzero-offset",
  "filename": "/usr/main-src/contrib/nvi/vi/v_z.c",
  "instrumentation_class": "UndefinedBehaviorSanitizer",
  "line": 138,
  "memory_address": 0,
  "summary": "Applying non-zero offset 1056 to null pointer",
  "tid": 125915,
  "trace": []
}

. . .
Later:
. . .
Process 96507 stopped
* thread #1, name = 'view', stop reason = Null pointer use
    frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
   36   }
   37
   38   SANITIZER_WEAK_DEFAULT_IMPL
-> 39   void __ubsan::__ubsan_on_report(void) {}
   40
   41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
   42                                                 const char **OutMessage,
(lldb) bt
* thread #1, name = 'view', stop reason = Null pointer use
  * frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
    frame #1: 0x00000000012c36b1 view`__ubsan::Diag::~Diag(this=0x00007fffffffc3c0) at ubsan_diag.cpp:354:29
    frame #2: 0x00000000012c4aef view`handleTypeMismatchImpl(Data=<unavailable>, Pointer=<unavailable>, Opts=(FromUnrecoverableHandler = false, pc = 19992923, bp = 140737488340592)) at ubsan_handlers.cpp:117:5
    frame #3: 0x00000000012c47aa view`::__ubsan_handle_type_mismatch_v1(Data=<unavailable>, Pointer=<unavailable>) at ubsan_handlers.cpp:142:3
    frame #4: 0x000000000131115b view`log_line(sp=<unavailable>, lno=<unavailable>, action=<unavailable>) at log.c:261:2
    frame #5: 0x000000000130cd55 view`db_append(sp=<unavailable>, update=<unavailable>, lno=<unavailable>, p=<unavailable>, len=<unavailable>) at line.c:295:2
    frame #6: 0x000000000141b582 view`v_ecl_log(sp=<unavailable>, tp=<unavailable>) at v_ex.c:605:10
    frame #7: 0x0000000001419af2 view`v_ex(sp=<unavailable>, vp=<unavailable>) at v_ex.c:372:38
    frame #8: 0x000000000148da62 view`vi(spp=<unavailable>) at vi.c:226:18
    frame #9: 0x0000000001319704 view`editor(gp=0x0000621000000100, argc=<unavailable>, argv=<unavailable>) at main.c:402:38
    frame #10: 0x00000000012d21dd view`main(argc=<unavailable>, argv=<unavailable>) at cl_main.c:115:9
    frame #11: 0x0000000001246c7d view`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1_c.c:73:7
(lldb) up 4
frame #4: 0x000000000131115b view`log_line(sp=<unavailable>, lno=<unavailable>, action=<unavailable>) at log.c:261:2
   258 	} else
   259 		if (db_get(sp, lno, DBG_FATAL, &lp, &len))
   260 			return (1);
-> 261 	BINC_RETC(sp,
   262 	    ep->l_lp, ep->l_len,
   263 	    len * sizeof(CHAR_T) + CHAR_T_OFFSET);
   264 	ep->l_lp[0] = action;
(lldb) thread info -s
thread #1: tid = 208533, 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'view', stop reason = Null pointer use
{
  "col": 2,
  "description": "null-pointer-use",
  "filename": "/usr/main-src/contrib/nvi/common/log.c",
  "instrumentation_class": "UndefinedBehaviorSanitizer",
  "line": 261,
  "memory_address": 0,
  "summary": "Member access within null pointer of type 'log_t'",
  "tid": 208533,
  "trace": []
}
(lldb) c
Process 96507 resuming
/usr/main-src/contrib/nvi/common/log.c:261:2: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:261:2 in 
Process 96507 stopped
* thread #1, name = 'view', stop reason = Null pointer use
    frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
   36   }
   37
   38   SANITIZER_WEAK_DEFAULT_IMPL
-> 39   void __ubsan::__ubsan_on_report(void) {}
   40
   41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
   42                                                 const char **OutMessage,
(lldb) bt
* thread #1, name = 'view', stop reason = Null pointer use
  * frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
    frame #1: 0x00000000012c36b1 view`__ubsan::Diag::~Diag(this=0x00007fffffffc3c0) at ubsan_diag.cpp:354:29
    frame #2: 0x00000000012c4aef view`handleTypeMismatchImpl(Data=<unavailable>, Pointer=<unavailable>, Opts=(FromUnrecoverableHandler = false, pc = 19993513, bp = 140737488340592)) at ubsan_handlers.cpp:117:5
    frame #3: 0x00000000012c47aa view`::__ubsan_handle_type_mismatch_v1(Data=<unavailable>, Pointer=<unavailable>) at ubsan_handlers.cpp:142:3
    frame #4: 0x00000000013113a9 view`log_line(sp=<unavailable>, lno=<unavailable>, action=<unavailable>) at log.c:266:21
    frame #5: 0x000000000130cd55 view`db_append(sp=<unavailable>, update=<unavailable>, lno=<unavailable>, p=<unavailable>, len=<unavailable>) at line.c:295:2
    frame #6: 0x000000000141b582 view`v_ecl_log(sp=<unavailable>, tp=<unavailable>) at v_ex.c:605:10
    frame #7: 0x0000000001419af2 view`v_ex(sp=<unavailable>, vp=<unavailable>) at v_ex.c:372:38
    frame #8: 0x000000000148da62 view`vi(spp=<unavailable>) at vi.c:226:18
    frame #9: 0x0000000001319704 view`editor(gp=0x0000621000000100, argc=<unavailable>, argv=<unavailable>) at main.c:402:38
    frame #10: 0x00000000012d21dd view`main(argc=<unavailable>, argv=<unavailable>) at cl_main.c:115:9
    frame #11: 0x0000000001246c7d view`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1_c.c:73:7
(lldb) up 4
frame #4: 0x00000000013113a9 view`log_line(sp=<unavailable>, lno=<unavailable>, action=<unavailable>) at log.c:266:21
   263 	    len * sizeof(CHAR_T) + CHAR_T_OFFSET);
   264 	ep->l_lp[0] = action;
   265 	memmove(ep->l_lp + sizeof(u_char), &lno, sizeof(recno_t));
-> 266 	memmove(ep->l_lp + CHAR_T_OFFSET, lp, len * sizeof(CHAR_T));
   267
   268 	lcur = ep->l_cur;
   269 	key.data = &lcur;
(lldb) thread info -s
thread #1: tid = 208533, 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'view', stop reason = Null pointer use
{
  "col": 21,
  "description": "null-pointer-use",
  "filename": "/usr/main-src/contrib/nvi/common/log.c",
  "instrumentation_class": "UndefinedBehaviorSanitizer",
  "line": 266,
  "memory_address": 0,
  "summary": "Member access within null pointer of type 'log_t'",
  "tid": 208533,
  "trace": []
}
(lldb) c
Process 96507 resuming
/usr/main-src/contrib/nvi/common/log.c:266:21: runtime error: member access within null pointer of type 'log_t'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:266:21 in 
Process 96507 stopped
* thread #1, name = 'view', stop reason = Null pointer use
    frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
   36   }
   37
   38   SANITIZER_WEAK_DEFAULT_IMPL
-> 39   void __ubsan::__ubsan_on_report(void) {}
   40
   41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
   42                                                 const char **OutMessage,
(lldb) bt
* thread #1, name = 'view', stop reason = Null pointer use
  * frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
    frame #1: 0x00000000012c36b1 view`__ubsan::Diag::~Diag(this=0x00007fffffffc3c0) at ubsan_diag.cpp:354:29
    frame #2: 0x00000000012c4aef view`handleTypeMismatchImpl(Data=<unavailable>, Pointer=<unavailable>, Opts=(FromUnrecoverableHandler = false, pc = 19993957, bp = 140737488340592)) at ubsan_handlers.cpp:117:5
    frame #3: 0x00000000012c47aa view`::__ubsan_handle_type_mismatch_v1(Data=<unavailable>, Pointer=<unavailable>) at ubsan_handlers.cpp:142:3
    frame #4: 0x0000000001311565 view`log_line(sp=<unavailable>, lno=<unavailable>, action=<unavailable>) at log.c:272:37
    frame #5: 0x000000000130cd55 view`db_append(sp=<unavailable>, update=<unavailable>, lno=<unavailable>, p=<unavailable>, len=<unavailable>) at line.c:295:2
    frame #6: 0x000000000141b582 view`v_ecl_log(sp=<unavailable>, tp=<unavailable>) at v_ex.c:605:10
    frame #7: 0x0000000001419af2 view`v_ex(sp=<unavailable>, vp=<unavailable>) at v_ex.c:372:38
    frame #8: 0x000000000148da62 view`vi(spp=<unavailable>) at vi.c:226:18
    frame #9: 0x0000000001319704 view`editor(gp=0x0000621000000100, argc=<unavailable>, argv=<unavailable>) at main.c:402:38
    frame #10: 0x00000000012d21dd view`main(argc=<unavailable>, argv=<unavailable>) at cl_main.c:115:9
    frame #11: 0x0000000001246c7d view`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1_c.c:73:7
(lldb) up 4
frame #4: 0x0000000001311565 view`log_line(sp=<unavailable>, lno=<unavailable>, action=<unavailable>) at log.c:272:37
   269 	key.data = &lcur;
   270 	key.size = sizeof(recno_t);
   271 	data.data = ep->l_lp;
-> 272 	data.size = len * sizeof(CHAR_T) + CHAR_T_OFFSET;
   273 	if (ep->log->put(ep->log, &key, &data, 0) == -1)
   274 		LOG_ERR;
   275
(lldb) thread info -s
thread #1: tid = 208533, 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'view', stop reason = Null pointer use
{
  "col": 37,
  "description": "null-pointer-use",
  "filename": "/usr/main-src/contrib/nvi/common/log.c",
  "instrumentation_class": "UndefinedBehaviorSanitizer",
  "line": 272,
  "memory_address": 0,
  "summary": "Member access within null pointer of type 'log_t'",
  "tid": 208533,
  "trace": []
}

===
Mark Millard
marklmi at yahoo.com