Site Navigation

Date:      Tue, 18 Jan 2022 20:47:56 -0800
From:      Mark Millard <marklmi@yahoo.com>
To:        freebsd-current <freebsd-current@freebsd.org>
Subject:   UBSAN report for libc: __ldtoa can set up gdtoa to do a "Left shift of negative value -18"
Message-ID:  <B2BA9B3D-1793-413D-B3DB-AFFD5F9ACB23@yahoo.com>
References:  <B2BA9B3D-1793-413D-B3DB-AFFD5F9ACB23.ref@yahoo.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

Using lldb to look some at the internals for:

gdtoa_gdtoa.c:254:32: runtime error: left shift of negative value -18

. . .
Process 48846 stopped
* thread #1, name =3D 'acpphint_kernels', stop reason =3D Invalid shift =
base
    frame #0: 0x000000000032b3c0 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__u=
bsan_on_report() at ubsan_monitor.cpp:39
   36  	}
   37  =09
   38  	SANITIZER_WEAK_DEFAULT_IMPL
-> 39  	void __ubsan::__ubsan_on_report(void) {}
   40  =09
   41  	void __ubsan::__ubsan_get_current_report_data(const char =
**OutIssueKind,
   42  	                                              const char =
**OutMessage,
(lldb) bt
* thread #1, name =3D 'acpphint_kernels', stop reason =3D Invalid shift =
base
  * frame #0: 0x000000000032b3c0 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__u=
bsan_on_report() at ubsan_monitor.cpp:39
    frame #1: 0x0000000000325b81 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`__ubs=
an::Diag::~Diag(this=3D0x00007fffffffb960) at ubsan_diag.cpp:354:29
    frame #2: 0x0000000000328819 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`handl=
eShiftOutOfBoundsImpl(Data=3D0x0000000808eb05a0, LHS=3D<unavailable>, =
RHS=3D<unavailable>, Opts=3D(FromUnrecoverableHandler =3D false, pc =3D =
34505352983, bp =3D 140737488337968)) at ubsan_diag.h:0:9
    frame #3: 0x000000000032832a =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__u=
bsan_handle_shift_out_of_bounds(Data=3D<unavailable>, LHS=3D<unavailable>,=
 RHS=3D<unavailable>) at ubsan_handlers.cpp:370:3
    frame #4: 0x0000000808ade717 libc.so.7`__gdtoa(fpi=3D<unavailable>, =
be=3D-81, bits=3D<unavailable>, kindp=3D0x00007fffffffbe80, =
mode=3D<unavailable>, ndigits=3D<unavailable>, decpt=3D<unavailable>, =
rve=3D<unavailable>) at gdtoa_gdtoa.c:254:32
    frame #5: 0x0000000808ad6e43 libc.so.7`__ldtoa(ld=3D<unavailable>, =
mode=3D<unavailable>, ndigits=3D<unavailable>, decpt=3D<unavailable>, =
sign=3D<unavailable>, rve=3D<unavailable>) at _ldtoa.c:106:8
    frame #6: 0x000000080899e0f7 libc.so.7`__vfprintf(fp=3D<unavailable>, =
locale=3D<unavailable>, fmt0=3D<unavailable>, ap=3D<unavailable>) at =
vfprintf.c:718:9
    frame #7: 0x00000008089cab43 =
libc.so.7`vsnprintf_l(str=3D<unavailable>, n=3D29, locale=3D<unavailable>,=
 fmt=3D<unavailable>, ap=3D<unavailable>) at vsnprintf.c:80:8
    frame #8: 0x00000000002c6e84 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__i=
nterceptor_vsnprintf_l(str=3D"\b(j", size=3D30, loc=3D0x0000000000000000, =
format=3D"%.*Lg", ap=3D0x00007fffffffd2b0) at =
sanitizer_common_interceptors.inc:1676:1
    frame #9: 0x00000000002c70c2 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__i=
nterceptor_snprintf_l(str=3D"\b(j", size=3D30, loc=3D0x0000000000000000, =
format=3D"%.*Lg") at sanitizer_common_interceptors.inc:1680:1
    frame #10: 0x000000080171855f libc++.so.1`std::__1::num_put<char, =
std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > =
>::do_put(this=3D<unavailable>, __s=3Dstd::__1::num_put<char, =
std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > =
>::iter_type @ 0x00007fffffffd320, __iob=3D0x0000000000db2040, __fl=3D' =
', __v=3D0.000006883) const at locale:1631:16
    frame #11: 0x0000000801706129 =
libc++.so.1`std::__1::basic_ostream<char, std::__1::char_traits<char> =
>::operator<<(long double) [inlined] std::__1::num_put<char, =
std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > =
>::put(this=3D0x0000000801758990, __s=3Dstd::__1::num_put<char, =
std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > =
>::iter_type @ r15, __iob=3D0x0000000000db2040, __v=3D<unavailable>) =
const at locale:1325:16
    frame #12: 0x000000080170610d =
libc++.so.1`std::__1::basic_ostream<char, std::__1::char_traits<char> =
>::operator<<(this=3D0x0000000000db2040, __n=3D0.000006883) at =
ostream:666:21
    frame #13: 0x0000000000451ccb =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`void =
report_survey<unsigned long long, unsigned long =
long>(clock_info=3D<unavailable>) at =
acpphint_kernelsurveyors_main.cpp:118:17
    frame #14: 0x0000000000450ad1 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`main(=
argc=3D<unavailable>, argv=3D<unavailable>) at =
acpphint_kernelsurveyors_main.cpp:308:5
    frame #15: 0x00000000002a9170 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`_star=
t(ap=3D<unavailable>, cleanup=3D<unavailable>) at crt1_c.c:73:7
(lldb) thread info -s
thread #1: tid =3D 101028, 0x000000000032b3c0 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__u=
bsan_on_report() at ubsan_monitor.cpp:39, name =3D 'acpphint_kernels', =
stop reason =3D Invalid shift base

{
  "col": 32,
  "description": "invalid-shift-base",
  "filename": "gdtoa_gdtoa.c",
  "instrumentation_class": "UndefinedBehaviorSanitizer",
  "line": 254,
  "memory_address": 0,
  "summary": "Left shift of negative value -18",
  "tid": 101028,
  "trace": [
    34505352982,
    34505322050,
    34504040694,
    34504223554,
    34383955294,
    34383880488,
    34383880460
  ]
}
(lldb) up 4
frame #4: 0x0000000808ade717 libc.so.7`__gdtoa(fpi=3D<unavailable>, =
be=3D-81, bits=3D<unavailable>, kindp=3D0x00007fffffffbe80, =
mode=3D<unavailable>, ndigits=3D<unavailable>, decpt=3D<unavailable>, =
rve=3D<unavailable>) at gdtoa_gdtoa.c:254:32
   251 			dval(&d) *=3D 1 << j1;
   252 		word0(&d) +=3D j << Exp_shift - 2 & Exp_mask;
   253 	#else
-> 254 		word0(&d) +=3D (be + bbits - 1) << Exp_shift;
   255 	#endif
   256 		if (k >=3D 0 && k <=3D Ten_pmax) {
   257 			if (dval(&d) < tens[k])
(lldb) up
frame #5: 0x0000000808ad6e43 libc.so.7`__ldtoa(ld=3D<unavailable>, =
mode=3D<unavailable>, ndigits=3D<unavailable>, decpt=3D<unavailable>, =
sign=3D<unavailable>, rve=3D<unavailable>) at _ldtoa.c:106:8
   103 			abort();
   104 		}
   105 =09
-> 106 		ret =3D gdtoa(&fpi, be, vbits, &kind, mode, ndigits, =
decpt, rve);
   107 		if (*decpt =3D=3D -32768)
   108 			*decpt =3D INT_MAX;
   109 		return ret;
(lldb) up
frame #6: 0x000000080899e0f7 libc.so.7`__vfprintf(fp=3D<unavailable>, =
locale=3D<unavailable>, fmt0=3D<unavailable>, ap=3D<unavailable>) at =
vfprintf.c:718:9
   715 				if (flags & LONGDBL) {
   716 					fparg.ldbl =3D GETARG(long =
double);
   717 					dtoaresult =3D cp =3D
-> 718 					    __ldtoa(&fparg.ldbl, expchar =
? 2 : 3, prec,
   719 					    &expt, &signflag, &dtoaend);
   720 				} else {
   721 					fparg.dbl =3D GETARG(double);
(lldb) up
frame #7: 0x00000008089cab43 libc.so.7`vsnprintf_l(str=3D<unavailable>, =
n=3D29, locale=3D<unavailable>, fmt=3D<unavailable>, ap=3D<unavailable>) =
at vsnprintf.c:80:8
   77  		f._flags =3D __SWR | __SSTR;
   78  		f._bf._base =3D f._p =3D (unsigned char *)str;
   79  		f._bf._size =3D f._w =3D n;
-> 80  		ret =3D __vfprintf(&f, locale, fmt, ap);
   81  		if (on > 0)
   82  			*f._p =3D '\0';
   83  		return (ret);
(lldb) up
frame #8: 0x00000000002c6e84 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__i=
nterceptor_vsnprintf_l(str=3D"\b(j", size=3D30, loc=3D0x0000000000000000, =
format=3D"%.*Lg", ap=3D0x00007fffffffd2b0) at =
sanitizer_common_interceptors.inc:1676:1
   1673	#if SANITIZER_INTERCEPT_PRINTF_L
   1674	INTERCEPTOR(int, vsnprintf_l, char *str, SIZE_T size, void *loc,
   1675	            const char *format, va_list ap)
-> 1676	VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf_l, str, size, loc, format, =
ap)
   1677=09
   1678	INTERCEPTOR(int, snprintf_l, char *str, SIZE_T size, void *loc,
   1679	            const char *format, ...)
(lldb) up
frame #9: 0x00000000002c70c2 =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__i=
nterceptor_snprintf_l(str=3D"\b(j", size=3D30, loc=3D0x0000000000000000, =
format=3D"%.*Lg") at sanitizer_common_interceptors.inc:1680:1
   1677=09
   1678	INTERCEPTOR(int, snprintf_l, char *str, SIZE_T size, void *loc,
   1679	            const char *format, ...)
-> 1680	FORMAT_INTERCEPTOR_IMPL(snprintf_l, vsnprintf_l, str, size, loc, =
format)
   1681	#endif  // SANITIZER_INTERCEPT_PRINTF_L
   1682=09
   1683	INTERCEPTOR(int, vsprintf, char *str, const char *format, =
va_list ap)
(lldb) up
frame #10: 0x000000080171855f libc++.so.1`std::__1::num_put<char, =
std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > =
>::do_put(this=3D<unavailable>, __s=3Dstd::__1::num_put<char, =
std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > =
>::iter_type @ 0x00007fffffffd320, __iob=3D0x0000000000db2040, __fl=3D' =
', __v=3D0.000006883) const at locale:1631:16
   1628	    char* __nb =3D __nar;
   1629	    int __nc;
   1630	    if (__specify_precision)
-> 1631	        __nc =3D __libcpp_snprintf_l(__nb, __nbuf, =
_LIBCPP_GET_C_LOCALE, __fmt,
   1632	                                   (int)__iob.precision(), __v);
   1633	    else
   1634	        __nc =3D __libcpp_snprintf_l(__nb, __nbuf, =
_LIBCPP_GET_C_LOCALE, __fmt, __v);
(lldb) up
frame #11: 0x0000000801706129 libc++.so.1`std::__1::basic_ostream<char, =
std::__1::char_traits<char> >::operator<<(long double) [inlined] =
std::__1::num_put<char, std::__1::ostreambuf_iterator<char, =
std::__1::char_traits<char> > >::put(this=3D0x0000000801758990, =
__s=3Dstd::__1::num_put<char, std::__1::ostreambuf_iterator<char, =
std::__1::char_traits<char> > >::iter_type @ r15, =
__iob=3D0x0000000000db2040, __v=3D<unavailable>) const at locale:1325:16
   1322	    iter_type put(iter_type __s, ios_base& __iob, char_type =
__fl,
   1323	                  long double __v) const
   1324	    {
-> 1325	        return do_put(__s, __iob, __fl, __v);
   1326	    }
   1327=09
   1328	    _LIBCPP_INLINE_VISIBILITY
(lldb) up
frame #12: 0x000000080170610d libc++.so.1`std::__1::basic_ostream<char, =
std::__1::char_traits<char> >::operator<<(this=3D0x0000000000db2040, =
__n=3D0.000006883) at ostream:666:21
   663 	        {
   664 	            typedef num_put<char_type, =
ostreambuf_iterator<char_type, traits_type> > _Fp;
   665 	            const _Fp& __f =3D use_facet<_Fp>(this->getloc());
-> 666 	            if (__f.put(*this, *this, this->fill(), =
__n).failed())
   667 	                this->setstate(ios_base::badbit | =
ios_base::failbit);
   668 	        }
   669 	#ifndef _LIBCPP_NO_EXCEPTIONS
(lldb) up
frame #13: 0x0000000000451ccb =
acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-=
FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`void =
report_survey<unsigned long long, unsigned long =
long>(clock_info=3D<unavailable>) at =
acpphint_kernelsurveyors_main.cpp:118:17
   115 	                << =
ks_serial_result.krr.kernel_result.ixes_errs_used_each
   116 	                << "\n"
   117 	            << "krr.total_sec_for_laps_for_median:      "
-> 118 	                << =
ks_serial_result.krr.total_sec_for_laps_for_median.count()
   119 	                << "\n"
   120 	            << "krr.tscout():                           "
   121 	                << ks_serial_result.tscout().count() << "\n"

So simply using << style output resulted in the oddity.

Turns out that be (which ends up as be=3D-81 according to frame 4's =
details,
if accurate) is calculated in __ldtoa via:

   48  	char *
   49  	__ldtoa(long double *ld, int mode, int ndigits, int *decpt, int =
*sign,
   50  	    char **rve)
   51  	{
. . .
   65  		union IEEEl2bits u;
. . .
   69  		u.e =3D *ld;
. . .
   79  		be =3D u.bits.exp - (LDBL_MAX_EXP - 1) - (LDBL_MANT_DIG =
- 1);
. . .
   106 		ret =3D gdtoa(&fpi, be, vbits, &kind, mode, ndigits, =
decpt, rve);
. . .

gdtoa then does (various line numbers & some white space omitted):

. . .
        int bbits, . . .
. . .
        b =3D bitstob(bits, nbits =3D fpi->nbits, &bbits);
        be0 =3D be;
        if ( (i =3D trailz(b)) !=3D0) {
                rshift(b, i);
                be +=3D i;
                bbits -=3D i;
                }
. . .
-> 254  word0(&d) +=3D (be + bbits - 1) << Exp_shift;

So, by the UBSAN report: be + bbits - 1 =3D=3D -18
If be=3D=3D-81, then bbits=3D=3D64 at the time & place.


=3D=3D=3D
Mark Millard
marklmi at yahoo.com

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B2BA9B3D-1793-413D-B3DB-AFFD5F9ACB23>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact