Date: Sun, 16 Jan 2022 00:19:53 -0800 From: Mark Millard <marklmi@yahoo.com> To: freebsd-current <freebsd-current@freebsd.org> Subject: UBSAN report from kyua run in WITH_UBSAN= based world (via chroot): /bin/sh 's waitcmdloop does NULL+0 undefined behavior Message-ID: <701C64F9-B51D-4DD7-BA74-5BFE580BF562@yahoo.com> References: <701C64F9-B51D-4DD7-BA74-5BFE580BF562.ref@yahoo.com>
# /bin/sh /usr/tests/bin/sh/builtins/wait6.0
/usr/main-src/bin/sh/jobs.c:590:35: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:590:35 in
/usr/main-src/bin/sh/jobs.c:601:22: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:601:22 in

Both reports are the `jobtab + njobs` expression (jobs.c:590 and jobs.c:601) being evaluated while jobtab is still NULL and njobs is 0, i.e. NULL+0, which the C standard leaves undefined even though nothing misbehaves here (the process exits with status 0 below).

So:

# lldb /bin/sh /usr/tests/bin/sh/builtins/wait6.0
(lldb) target create "/bin/sh"
Current executable set to '/bin/sh' (x86_64).
(lldb) settings set -- target.run-args "/usr/tests/bin/sh/builtins/wait6.0"
(lldb) run
Process 66125 launched: '/bin/sh' (x86_64)
Process 66125 stopped
* thread #1, name = 'sh', stop reason = Nullptr with offset
    frame #0: 0x0000000001135850 sh`::__ubsan_on_report() at ubsan_monitor.cpp:39
   36   }
   37
   38   SANITIZER_WEAK_DEFAULT_IMPL
-> 39   void __ubsan::__ubsan_on_report(void) {}
   40
   41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
   42                                                  const char **OutMessage,
(lldb) bt
* thread #1, name = 'sh', stop reason = Nullptr with offset
  * frame #0: 0x0000000001135850 sh`::__ubsan_on_report() at ubsan_monitor.cpp:39
    frame #1: 0x0000000001130011 sh`__ubsan::Diag::~Diag(this=0x00007fffffffcc60) at ubsan_diag.cpp:354:29
    frame #2: 0x0000000001134f44 sh`handlePointerOverflowImpl(Data=<unavailable>, Base=<unavailable>, Result=<unavailable>, Opts=(FromUnrecoverableHandler = false, pc = 18263566, bp = 140737488343328)) at ubsan_diag.h:0:21
    frame #3: 0x0000000001134a7a sh`::__ubsan_handle_pointer_overflow(Data=<unavailable>, Base=<unavailable>, Result=<unavailable>) at ubsan_handlers.cpp:815:3
    frame #4: 0x000000000116ae0e sh`waitcmdloop(job=0x0000000000000000) at jobs.c:590:35
    frame #5: 0x000000000114528a sh`evalcommand(cmd=<unavailable>, flags=0, backcmd=0x0000000000000000) at eval.c:1107:16
    frame #6: 0x000000000113eeb8 sh`evaltree(n=0x00006150000000d8, flags=<unavailable>) at eval.c:289:4
    frame #7: 0x000000000117a317 sh`cmdloop(top=<unavailable>) at main.c:228:4
    frame #8: 0x0000000001179789 sh`main(argc=2, argv=<unavailable>) at main.c:175:3
    frame #9: 0x00000000010b35dd sh`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1_c.c:73:7
(lldb) thread info -s
thread #1: tid = 101020, 0x0000000001135850 sh`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'sh', stop reason = Nullptr with offset
{
  "col": 35,
  "description": "nullptr-with-offset",
  "filename": "/usr/main-src/bin/sh/jobs.c",
  "instrumentation_class": "UndefinedBehaviorSanitizer",
  "line": 590,
  "memory_address": 0,
  "summary": "Applying zero offset to null pointer",
  "tid": 101020,
  "trace": []
}
(lldb) up 4
frame #4: 0x000000000116ae0e sh`waitcmdloop(job=0x0000000000000000) at jobs.c:590:35
   587                          return retval;
   588                  }
   589          } else {
-> 590                  for (jp = jobtab ; jp < jobtab + njobs; jp++)
   591                          if (jp->used && jp->state == JOBDONE) {
   592                                  if (! iflag || ! jp->changed)
   593                                          freejob(jp);
(lldb) c
Process 66125 resuming
/usr/main-src/bin/sh/jobs.c:590:35: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:590:35 in
Process 66125 stopped
* thread #1, name = 'sh', stop reason = Nullptr with offset
    frame #0: 0x0000000001135850 sh`::__ubsan_on_report() at ubsan_monitor.cpp:39
   36   }
   37
   38   SANITIZER_WEAK_DEFAULT_IMPL
-> 39   void __ubsan::__ubsan_on_report(void) {}
   40
   41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
   42                                                  const char **OutMessage,
(lldb) bt
* thread #1, name = 'sh', stop reason = Nullptr with offset
  * frame #0: 0x0000000001135850 sh`::__ubsan_on_report() at ubsan_monitor.cpp:39
    frame #1: 0x0000000001130011 sh`__ubsan::Diag::~Diag(this=0x00007fffffffcc60) at ubsan_diag.cpp:354:29
    frame #2: 0x0000000001134f44 sh`handlePointerOverflowImpl(Data=<unavailable>, Base=<unavailable>, Result=<unavailable>, Opts=(FromUnrecoverableHandler = false, pc = 18264444, bp = 140737488343328)) at ubsan_diag.h:0:21
    frame #3: 0x0000000001134a7a sh`::__ubsan_handle_pointer_overflow(Data=<unavailable>, Base=<unavailable>, Result=<unavailable>) at ubsan_handlers.cpp:815:3
    frame #4: 0x000000000116b17c sh`waitcmdloop(job=0x0000000000000000) at jobs.c:601:22
    frame #5: 0x000000000114528a sh`evalcommand(cmd=<unavailable>, flags=0, backcmd=0x0000000000000000) at eval.c:1107:16
    frame #6: 0x000000000113eeb8 sh`evaltree(n=0x00006150000000d8, flags=<unavailable>) at eval.c:289:4
    frame #7: 0x000000000117a317 sh`cmdloop(top=<unavailable>) at main.c:228:4
    frame #8: 0x0000000001179789 sh`main(argc=2, argv=<unavailable>) at main.c:175:3
    frame #9: 0x00000000010b35dd sh`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1_c.c:73:7
(lldb) thread info -s
thread #1: tid = 101020, 0x0000000001135850 sh`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'sh', stop reason = Nullptr with offset
{
  "col": 22,
  "description": "nullptr-with-offset",
  "filename": "/usr/main-src/bin/sh/jobs.c",
  "instrumentation_class": "UndefinedBehaviorSanitizer",
  "line": 601,
  "memory_address": 0,
  "summary": "Applying zero offset to null pointer",
  "tid": 101020,
  "trace": []
}
(lldb) up 4
frame #4: 0x000000000116b17c sh`waitcmdloop(job=0x0000000000000000) at jobs.c:601:22
   598                  }
   599          }
   600          for (jp = jobtab ; ; jp++) {
-> 601                  if (jp >= jobtab + njobs) {     /* no running procs */
   602                          return 0;
   603                  }
   604                  if (jp->used && jp->state == 0)
(lldb) c
Process 66125 resuming
/usr/main-src/bin/sh/jobs.c:601:22: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:601:22 in
Process 66125 exited with status = 0 (0x00000000)

===
Mark Millard
marklmi at yahoo.com