Re: FYI: An example type of UBSAN failure during kyua test -k /usr/tests/Kyuafile

From: Mark Millard <marklmi_at_yahoo.com>
Date: Fri, 07 Jan 2022 13:08:04 UTC
On 2022-Jan-7, at 03:49, Mark Millard <marklmi@yahoo.com> wrote:

> Having done a buildworld with both WITH_ASAN= and WITH_UBSAN=
> after finding what to control to allow the build, I installed
> it in a directory tree for chroot use and have
> "kyua test -k /usr/tests/Kyuafile" running.
> 
> I see evidence of various examples of one type of undefined
> behavior: "applying zero offset to null pointer"
> 
> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/356/stderr.txt 
> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in 
> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in 
> /usr/main-src/usr.bin/sed/process.c:715:18: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/sed/process.c:715:18 in 
> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in 
> Fail: stderr not empty
> --- /dev/null   2022-01-07 10:29:57.182903000 +0000
> +++ /tmp/kyua.FKD2vh/356/work/check.Mk9llD/stderr       2022-01-07 10:29:57.173100000 +0000
> @@ -0,0 +1,2 @@
> +/usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in 
> Files left in work directory after failure: mntpt, mounterr
> 
> 
> In general the lib/libc/stdio/fread.c:133:10 example seems to
> be in a place that would make it fairly common.
> 
> usr.bin/sed/process.c:715:18 is more limited: just sed use.
> 

kyua ran to completion. This note is focused on UBSAN reports.

By far the most common UBSAN report is for the
lib/libc/stdio/fread.c:133:10 code.

Another somewhat common UBSAN report is:

Standard error:
/usr/main-src/usr.bin/cut/cut.c:458:7: runtime error: addition of unsigned offset to 0x62100000010d overflowed to 0x62100000010c
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/cut/cut.c:458:7 in 
Fail: incorrect exit status: 1, expected: 0


There is at least one example of:

Standard error:
ld-elf.so.1: /lib/libthr.so.3: Undefined symbol "__asan_option_detect_stack_use_after_return"


Some more zero offsets to null are:

+/usr/main-src/bin/sh/jobs.c:590:35: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:590:35 in 
+/usr/main-src/bin/sh/jobs.c:601:22: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:601:22 in 
+/usr/main-src/contrib/xz/src/liblzma/common/common.c:292:16: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/xz/src/liblzma/common/common.c:292:16 in 

+/usr/main-src/usr.sbin/makefs/ffs.c:1053:35: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.sbin/makefs/ffs.c:1053:35 in 
Files left in work directory after failure: dir, ufs.img


contrib/libxo/libxo/xo_buf.h has examples of non-zero offsets:

+/usr/main-src/contrib/libxo/libxo/xo_buf.h:116:22: runtime error: applying non-zero offset 4 to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:116:22 in 
+/usr/main-src/contrib/libxo/libxo/xo_buf.h:116:44: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:116:44 in 
+/usr/main-src/contrib/libxo/libxo/xo_buf.h:120:29: runtime error: applying non-zero offset 4 to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:120:29 in 

As does contrib/openzfs/module/nvpair/nvpair.c:

/usr/main-src/sys/contrib/openzfs/module/nvpair/nvpair.c:3129:49: runtime error: applying non-zero offset 4 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sys/contrib/openzfs/module/nvpair/nvpair.c:3129:49 in 


There is a:

+/usr/main-src/bin/sh/arith_yacc.c:193:10: runtime error: negation of -9223372036854775808 cannot be represented in type 'arith_t' (aka 'long'); cast to an unsigned type to negate this value to itself
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/arith_yacc.c:193:10 in 

And there are various examples similar to:

+/usr/main-src/sys/contrib/zlib/deflate.c:1262:31: runtime error: load of misaligned address 0x631000014805 for type 'ushf' (aka 'unsigned short'), which requires 2 byte alignment
+0x631000014805: note: pointer points here
+ 69 6c 65 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00
+             ^ 

but at different lines of the code.

There are examples of:

+/usr/main-src/lib/libc/db/hash/hash_page.c:761:3: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:761:3 in 
+/usr/main-src/lib/libc/db/hash/hash_page.c:840:2: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:840:2 in 
+/usr/main-src/lib/libc/db/hash/hash_page.c:774:2: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:774:2 in 

There are various examples similar to:

+/usr/main-src/lib/libc/db/btree/bt_conv.c:168:6: runtime error: load of misaligned address 0x616000000b91 for type 'uint32_t' (aka 'unsigned int'), which requires 4 byte alignment
+0x616000000b91: note: pointer points here
+ 00 00 02  02 03 00 00 00 ec 01 00  00 78 0a 00 08 00 00 00  02 00 00 00 02 02 00 00  00 ec 01 00 00
+              ^ 

but at different lines of the code.

There was a:

/usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_sleep.c:305:36: runtime error: signed integer overflow: 105827994173648 * 1000000000 cannot be represented in type 'long long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_sleep.c:305:36 in 

And a:

+/usr/main-src/lib/libc/regex/engine.c:1013:53: runtime error: left shift of 4611686018427387904 by 1 places cannot be represented in type 'long'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/regex/engine.c:1013:53 in 

(It occurred in multiple places.)

And:

/usr/main-src/lib/libc/gen/_rand48.c:45:55: runtime error: signed integer overflow: 57068 * 43981 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:55 in 
/usr/main-src/lib/libc/gen/_rand48.c:45:26: runtime error: signed integer overflow: 58989 * 55082 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:26 in 
/usr/main-src/lib/libc/gen/_rand48.c:45:37: runtime error: signed integer overflow: 1365949284 + 876906888 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:37 in 

/usr/main-src/lib/libc/stdlib/getenv.c:169:20: runtime error: load of value 190, which is not a valid value for type 'bool'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdlib/getenv.c:169:20 in 
/usr/main-src/lib/libc/stdlib/getenv.c:684:23: runtime error: load of value 190, which is not a valid value for type 'bool'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdlib/getenv.c:684:23 in 

And:

/usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: member access within misaligned address 0xffffffffffffffff for type 'const ucontext_t' (aka 'const struct __ucontext'), which requires 16 byte alignment
0xffffffffffffffff: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in 
/usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: member access within misaligned address 0xffffffffffffffff for type 'const __sigset_t' (aka 'const struct __sigset'), which requires 16 byte alignment
0xffffffffffffffff: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in 
/usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: load of misaligned address 0xffffffffffffffff for type 'const __uint32_t' (aka 'const unsigned int'), which requires 16 byte alignment
0xffffffffffffffff: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in 

And:

+/usr/main-src/sbin/nvmecontrol/nvmecontrol.h:99:9: runtime error: load of misaligned address 0x7fffffffc978 for type 'uint128_t' (aka 'unsigned __int128'), which requires 16 byte alignment
+0x7fffffffc978: note: pointer points here
+ 00 00 00 00  00 60 a5 ee dc 01 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
+              ^ 
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sbin/nvmecontrol/nvmecontrol.h:99:9 in 

And:

/usr/main-src/sys/netinet/libalias/alias_db.c:430:2: runtime error: member access within null pointer of type 'struct libalias'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sys/netinet/libalias/alias_db.c:430:2 in 

And:

/usr/main-src/tests/sys/sys/qmath_test.c:569:3: runtime error: left shift of 1277217398 by 34 places cannot be represented in type 's64q_t' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:569:3 in 
/usr/main-src/tests/sys/sys/qmath_test.c:569:3: runtime error: signed integer overflow: -8928018189856292682 + -9223372036854775808 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:569:3 in 
/usr/main-src/tests/sys/sys/qmath_test.c:570:3: runtime error: left shift of 674540471 by 34 places cannot be represented in type 's64q_t' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:570:3 in 
/usr/main-src/tests/sys/sys/qmath_test.c:570:3: runtime error: signed integer overflow: -7034438991598280603 + -9223372036854775808 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:570:3 in 

/usr/main-src/tests/sys/sys/qmath_test.c:378:3: runtime error: left shift of 1099256400 by 34 places cannot be represented in type 's64q_t' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:378:3 in 
/usr/main-src/tests/sys/sys/qmath_test.c:379:3: runtime error: left shift of 7397324394137081998 by 3 places cannot be represented in type 's64q_t' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:379:3 in 
/usr/main-src/tests/sys/sys/qmath_test.c:378:3: runtime error: signed integer overflow: -5522065151083782997 + -9223372036854775808 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:378:3 in 

And:

/usr/main-src/usr.bin/mkimg/ebr.c:89:16: runtime error: member access within misaligned address 0x61500000023e for type 'struct dos_partition', which requires 4 byte alignment
0x61500000023e: note: pointer points here
 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00
             ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/mkimg/ebr.c:89:16 in 

And:

/usr/main-src/usr.bin/mkimg/mbr.c:99:8: runtime error: member access within misaligned address 0x6150000004be for type 'struct dos_partition', which requires 4 byte alignment
0x6150000004be: note: pointer points here
 42 0a 42 0a 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00
             ^ 
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/mkimg/mbr.c:99:8 in 

And:

+/usr/main-src/usr.bin/rs/rs.c:387:5: runtime error: applying non-zero offset 108370614813184 to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/rs/rs.c:387:5 in 

And:

+/usr/main-src/usr.bin/unifdef/unifdef.c:836:52: runtime error: applying non-zero offset 1 to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/unifdef/unifdef.c:836:52 in 



===
Mark Millard
marklmi at yahoo.com
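Added illustration for readers of this thread (a constructed example of mine, not code from FreeBSD, from kyua, or from Mark's report): a single C file that reproduces four of the UBSAN report classes listed above in miniature, each in the shape that trips the sanitizer and then in a well-defined rewrite. The function names, the copy routine and the sample buffers are assumptions made up for the demonstration; only the multiplication operands 57068 and 43981 are taken from the _rand48.c report. Built with -fsanitize=undefined, the *_ub functions emit the same kind of "runtime error:" lines as in the kyua stderr; the *_ok functions are silent.

```c
/*
 * Constructed demonstration (added example, not FreeBSD code): four of the
 * undefined-behaviour patterns UBSAN reported in the kyua run, each written
 * first in the shape that trips the sanitizer and then in a well-defined form.
 * Build with  cc -fsanitize=undefined -fno-sanitize-recover=all ubsan_demo.c
 * to see the "runtime error:" lines for the *_ub variants.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. "applying zero offset to null pointer" (fread.c, jobs.c, common.c ...).
 * C only defines pointer + integer inside an object; NULL is not an object,
 * so buf + 0 with buf == NULL is undefined even though it "obviously" yields
 * NULL.  A buffered copy that computes its cursor before checking for an
 * empty request hits this whenever a caller passes (NULL, 0). */
static size_t
copy_ub(const unsigned char *src, size_t avail, unsigned char *buf, size_t want)
{
	size_t done = 0;
	unsigned char *p = buf + done;	/* UB when buf == NULL */

	while (done < want && done < avail)
		*p++ = src[done++];
	return (done);
}

static size_t
copy_ok(const unsigned char *src, size_t avail, unsigned char *buf, size_t want)
{
	size_t n = want < avail ? want : avail;

	if (n == 0 || buf == NULL)	/* never do arithmetic on NULL */
		return (0);
	memcpy(buf, src, n);
	return (n);
}

/* 2. "left shift of 1 by 31 places cannot be represented in type 'int'"
 * (hash_page.c).  The literal 1 is an int; shifting it into the sign bit is
 * UB.  Use an unsigned constant of the width you actually want. */
static int
bit_ub(int bit)
{
	return (1 << bit);		/* UB for bit == 31 with 32-bit int */
}

static uint32_t
bit_ok(unsigned bit)
{
	return ((uint32_t)1 << bit);	/* defined for bit < 32 */
}

/* 3. "signed integer overflow: 57068 * 43981 cannot be represented in type
 * 'int'" (_rand48.c).  unsigned short operands are promoted to int before
 * the multiply, so a 16x16-bit product silently becomes signed arithmetic.
 * Casting one operand to uint32_t keeps the whole product unsigned. */
static uint32_t
mul16_ub(unsigned short a, unsigned short b)
{
	return (a * b);			/* int * int: UB once past INT_MAX */
}

static uint32_t
mul16_ok(unsigned short a, unsigned short b)
{
	return ((uint32_t)a * b);	/* unsigned wrap-around, never UB */
}

/* 4. "load of misaligned address ... for type 'uint32_t'" (bt_conv.c,
 * deflate.c, nvmecontrol.h).  Casting a byte pointer to uint32_t * and
 * dereferencing is UB unless the address is 4-byte aligned; memcpy lets the
 * compiler emit whatever unaligned access the target actually supports. */
static uint32_t
load32_ub(const unsigned char *p)
{
	return (*(const uint32_t *)p);	/* UB when p is not 4-aligned */
}

static uint32_t
load32_ok(const unsigned char *p)
{
	uint32_t v;

	memcpy(&v, p, sizeof(v));	/* alignment-safe, usually one insn */
	return (v);
}

int
main(void)
{
	/* Constructed inputs; raw + 1 is deliberately a misaligned address. */
	static const unsigned char src[4] = { 1, 2, 3, 4 };
	static const unsigned char raw[8] = { 0, 0xab, 0xab, 0xab, 0xab, 0, 0, 0 };

	printf("copy_ok(NULL, 0) -> %zu bytes\n", copy_ok(src, sizeof(src), NULL, 0));
	printf("bit_ok(31)       -> 0x%08x\n", bit_ok(31));
	printf("mul16_ok         -> %u\n", mul16_ok(57068, 43981));
	printf("load32_ok(raw+1) -> 0x%08x\n", load32_ok(raw + 1));

	/* Under -fsanitize=undefined each of these prints a runtime error line. */
	(void)copy_ub(src, sizeof(src), NULL, 0);
	(void)bit_ub(31);
	(void)mul16_ub(57068, 43981);
	(void)load32_ub(raw + 1);
	return (0);
}
```

The sample buffer in main uses identical bytes at the misaligned offset so the printed value does not depend on endianness; the *_ok variants are what a fix in libc or a contrib library would look like, while the *_ub variants are kept only so the sanitizer output can be seen side by side.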