From: Mark Millard
To: freebsd-current
Subject: Re: FYI: An example ASAN failure report during kyua test -k /usr/tests/Kyuafile (info for some more examples)
Date: Sun, 9 Jan 2022 18:58:30 -0800
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
In-Reply-To: <4A33AD5F-A930-4E2C-854B-E8498C2928EC@yahoo.com>
Message-Id: <6DB6844A-107A-45CA-9041-E851FACB3E90@yahoo.com>

On 2022-Jan-9, at 13:47, Mark Millard wrote:

> On 2022-Jan-7, at 03:39, Mark Millard wrote:
>
>> Having done a buildworld with both WITH_ASAN= and WITH_UBSAN=
>> after finding what to control to allow the build, I installed
>> it in a directory tree for chroot use and have
>> "kyua test -k /usr/tests/Kyuafile" running.
>>
>> I see evidence of one AddressSanitizer report. (kyua is still
>> running.)
>> The context is:
>>
>> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stdout.txt
>> Executing command [ mkdir /tmp/kyua.FKD2vh/434/work/mntpt ]
>> mount -t tmpfs -o size=10M tmpfs /tmp/kyua.FKD2vh/434/work/mntpt
>> Executing command [ touch a ]
>> Executing command [ rm a ]
>> Executing command [ dd if=/dev/zero of=a bs=1m count=15 ]
>> Executing command [ rm a ]
>>
>> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/434/stderr.txt
>> =================================================================
>> ==14384==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa948 at pc 0x000801f38f5a bp 0x7fffffffa830 sp 0x7fffffffa828
>> WRITE of size 8 at 0x7fffffffa948 thread T0
>>     #0 0x801f38f59 in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11
>>     #1 0x10de6c8 in strtoimax /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3441:18
>>     #2 0x11a4723 in getq /usr/main-src/bin/test/test.c:560:6
>>     #3 0x11a4523 in intcmp /usr/main-src/bin/test/test.c:584:7
>>     #4 0x11a4523 in binop /usr/main-src/bin/test/test.c:351:10
>>     #5 0x11a2f06 in primary /usr/main-src/bin/test/test.c:317:10
>>     #6 0x11a2f06 in nexpr /usr/main-src/bin/test/test.c:275:9
>>     #7 0x11a28cb in aexpr /usr/main-src/bin/test/test.c:261:8
>>     #8 0x11a2a03 in aexpr /usr/main-src/bin/test/test.c:263:10
>>     #9 0x11a228b in oexpr /usr/main-src/bin/test/test.c:247:8
>>     #10 0x11a1fcf in testcmd /usr/main-src/bin/test/test.c:224:10
>>     #11 0x1145289 in evalcommand /usr/main-src/bin/sh/eval.c:1107:16
>>     #12 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>>     #13 0x113fb34 in evaltree /usr/main-src/bin/sh/eval.c:225:4
>>     #14 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
>>     #15 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>>     #16 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>>     #17 0x113fc55 in evaltree /usr/main-src/bin/sh/eval.c:241:4
>>     #18 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>>     #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>>     #20 0x1144d89 in evalcommand /usr/main-src/bin/sh/eval.c:1053:3
>>     #21 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>>     #22 0x113eb88 in evalstring /usr/main-src/bin/sh/eval.c
>>     #23 0x1179727 in main /usr/main-src/bin/sh/main.c:171:3
>>
>> Address 0x7fffffffa948 is located in stack of thread T0 at offset 264 in frame
>>     #0 0x801f387ff in strtoimax_l /usr/main-src/lib/libc/stdlib/strtoimax.c:58
>>
>>   This frame has 1 object(s):
>>     [32, 36) '__limit.i.i.i' <== Memory access at offset 264 overflows this variable
>> HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
>>       (longjmp and C++ exceptions *are* supported)
>> SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/lib/libc/stdlib/strtoimax.c:148:11 in strtoimax_l
>> Shadow bytes around the buggy address:
>>   0x4ffffffff4d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>   0x4ffffffff4e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>   0x4ffffffff4f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>   0x4ffffffff500: f1 f1 f1 f1 00 00 00 00 f1 f1 f1 f1 f8 f3 f3 f3
>>   0x4ffffffff510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> =>0x4ffffffff520: 00 00 00 00 f3 f3 f3 f3 f3[f3]f3 f3 00 00 00 00
>>   0x4ffffffff530: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
>>   0x4ffffffff540: f1 f1 f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00
>>   0x4ffffffff550: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>>   0x4ffffffff560: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>>   0x4ffffffff570: f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
>> Shadow byte legend (one shadow byte represents 8 application bytes):
>>   Addressable: 00
>>   Partially addressable: 01 02 03 04 05 06 07
>>   Heap left redzone: fa
>>   Freed heap region: fd
>>   Stack left redzone: f1
>>   Stack mid redzone: f2
>>   Stack right redzone: f3
>>   Stack after return: f5
>>   Stack use after scope: f8
>>   Global redzone: f9
>>   Global init order: f6
>>   Poisoned by user: f7
>>   Container overflow: fc
>>   Array cookie: ac
>>   Intra object redzone: bb
>>   ASan internal: fe
>>   Left alloca redzone: ca
>>   Right alloca redzone: cb
>> ==14384==ABORTING
>> Files left in work directory after failure: mntpt, mounterr
>>
>
> I've found some manually reproducible AddressSanitizer reports
> and have a few other notes on some types of reports:
>
> # env SH=/bin/sh /bin/sh /usr/tests/bin/sh/builtins/trap1.0
> =================================================================
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
> LLVMSymbolizer: error reading file: No such file or directory
>     #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>     #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>     #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>     #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>     #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>     #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>     #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>     #7 0x10ca344 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
>     #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
>     #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
>     #10 0x7fffffffe8a2 ([vdso]+0x2d2)
>     #11 0x801e1d969 in __sys_wait4 /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_wait4.S:4
>     #12 0x801488d1b in __thr_wait4 /usr/main-src/lib/libthr/thread/thr_syscalls.c:581:8
>     #13 0x10d6953 in wait3 /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2463:13
>     #14 0x11716a7 in dowait /usr/main-src/bin/sh/jobs.c:1181:9
>     #15 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
>     #16 0x1142301 in evalsubshell /usr/main-src/bin/sh/eval.c:442:16
>     #17 0x113f7e1 in evaltree /usr/main-src/bin/sh/eval.c:234:4
>     #18 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
>     #19 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
>
> # /bin/sh /usr/tests/bin/sh/execution/path1.0
> =================================================================
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=207414)
>     #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>     #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>     #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>     #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>     #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>     #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>     #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>     #7 0x111163a in __asan_report_store8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:128:1
>     #8 0x801e0f80c in bintime2timespec /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/tmp/usr/include/sys/time.h:285:14
>     #9 0x801e0f80c in __vdso_clock_gettime /usr/main-src/lib/libc/sys/__vdso_gettimeofday.c:195:2
>     #10 0x801e0e0c0 in clock_gettime /usr/main-src/lib/libc/sys/clock_gettime.c:48:11
>     #11 0x10d54da in clock_gettime /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2189:13
>     #12 0x11234f5 in __sanitizer::MonotonicNanoTime() /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp:860:3
>     #13 0x10ba02c in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::PopulateFreeArray(__sanitizer::AllocatorStats*, unsigned long, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::RegionInfo*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_primary64.h:790:45
>     #14 0x10b9c4b in __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >::GetFromAllocator(__sanitizer::AllocatorStats*, unsigned long, unsigned int*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_primary64.h:220:11
>     #15 0x10b9955 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Refill(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::PerClass*, __sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h:103:9
>     #16 0x10b9615 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >::Allocate(__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >*, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_local_cache.h:39:11
>     #17 0x10b9511 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> >, __sanitizer::LargeMmapAllocatorPtrArrayDynamic>::Allocate(__sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__asan::AP64<__sanitizer::LocalAddressSpaceView> > >*, unsigned long, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_allocator_combined.h:69:20
>     #18 0x10b6086 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:537:29
>     #19 0x10b4818 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:980:34
>     #20 0x110be9b in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:130:10
>     #21 0x117aca3 in ckmalloc /usr/main-src/bin/sh/memalloc.c:71:6
>     #22 0x119eafc in redirect /usr/main-src/bin/sh/redir.c:126:9
>     #23 0x11450b3 in evalcommand /usr/main-src/bin/sh/eval.c:1092:3
>     #24 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>     #25 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
>     #26 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
>
> # env SH=/bin/sh /bin/sh /usr/tests/bin/sh/expansion/cmdsubst21.0
> =================================================================
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=126718)
> LLVMSymbolizer: error reading file: No such file or directory
>     #0 0x1112b31 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>     #1 0x112e00b in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>     #2 0x11153c1 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>     #3 0x10bc5a3 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>     #4 0x10bc5a3 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>     #5 0x10be09e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>     #6 0x11104fc in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>     #7 0x10ca202 in memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:827:5
>     #8 0x80147c861 in handle_signal /usr/main-src/lib/libthr/thread/thr_sig.c:313:2
>     #9 0x80147b1f4 in thr_sighandler /usr/main-src/lib/libthr/thread/thr_sig.c:246:2
>     #10 0x7fffffffe8a2 ([vdso]+0x2d2)
>     #11 0x801e1d8c9 in _sigsuspend /usr/obj/BUILDs/main-amd64-nodbg-clang-alt/usr/main-src/amd64.amd64/lib/libc/_sigsuspend.S:4
>     #12 0x80147b997 in __thr_sigsuspend /usr/main-src/lib/libthr/thread/thr_sig.c:691:8
>     #13 0x11716d7 in dowait /usr/main-src/bin/sh/jobs.c:1190:4
>     #14 0x1167977 in waitforjob /usr/main-src/bin/sh/jobs.c:1092:7
>     #15 0x115252f in expbackq /usr/main-src/bin/sh/expand.c:527:16
>     #16 0x115252f in argstr /usr/main-src/bin/sh/expand.c:323:4
>     #17 0x1151178 in expandarg /usr/main-src/bin/sh/expand.c:241:2
>     #18 0x1142a0b in evalcommand /usr/main-src/bin/sh/eval.c:862:3
>     #19 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
>     #20 0x113f9e6 in evaltree /usr/main-src/bin/sh/eval.c:218:4
>     #21 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
>     #22 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3
>
>
> By contrast, I'll note that:
>
> # env SH=/bin/sh /bin/sh /usr/tests/bin/sh/expansion/cmdsubst6.0
>
> did not report anything (but did in the kyua run).
>
>
> I took one of the simpler backtraces that reports
> "((ptr[0] == kCurrentStackFrameMagic)) != (0)" and
> took a look:
>
> AddressSanitizer: CHECK failed: asan_thread.cpp:371 "((ptr[0] == kCurrentStackFrameMagic)) != (0)" (0x0, 0x0) (tid=326791)
>     #0 0x10cfbd1 in __asan::CheckUnwind() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67:3
>     #1 0x10eb0ab in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86:5
>     #2 0x10d2461 in __asan::AsanThread::GetStackFrameAccessByAddr(unsigned long, __asan::AsanThread::StackFrameAccess*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_thread.cpp
>     #3 0x1079643 in __asan::GetStackAddressInformation(unsigned long, unsigned long, __asan::StackAddressDescription*) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:202:11
>     #4 0x1079643 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp:454:21
>     #5 0x107b13e in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_errors.cpp:390:7
>     #6 0x10cd59c in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_report.cpp:475:16
>     #7 0x10ce357 in __asan_report_load8_noabort /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:123:1
>     #8 0x8020ca16d in execl /usr/main-src/lib/libc/gen/exec.c:64:9
>     #9 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
>     #10 0x801acec72 in __thr_system /usr/main-src/lib/libthr/thread/thr_syscalls.c:545:8
>     #11 0x10fe434 in systemf /usr/main-src/contrib/libarchive/test_utils/test_main.c:3071:6
>     #12 0x10f42bf in test_help /usr/main-src/contrib/libarchive/cat/test/test_help.c:52:6
>     #13 0x1101b2c in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
>     #14 0x1101b2c in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9
>
> *** forcing core dump so failure can be debugged ***
>
> Files left in work directory after failure: bsdcat_test.2022-01-07T10.54.27-000
>
> Looking at lib/libc/gen/exec.c:64 showed:
>
> while (va_arg(ap, char *) != NULL)
>
> It appears to me that the backtrace runs into another problem
> during __asan_report_load8_noabort (already an error classification?)
> and ends up reporting that other problem instead.
>
> There are a fair number of other tests that also report such for
> that line of code in execl.
>
>
> While looking, I got (odd whitespace removed from the output and
> split into more lines):
>
> /usr/main-src/contrib/nvi/common/log.c:261:2: runtime error: member access within null pointer of type 'log_t'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:261:2 in
> /usr/main-src/contrib/nvi/common/log.c:266:21: runtime error: member access within null pointer of type 'log_t'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:266:21 in
> /usr/main-src/contrib/nvi/common/log.c:272:37: runtime error: member access within null pointer of type 'log_t'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:272:37 in
>
> (Some of my activity is outside the chroot that has ASAN/UBSAN
> but the above happened to be in the chroot.)
>
> I also looked at:
>
> ==99317==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fffffffa300 at pc 0x0008020ca271 bp 0x7fffffffa2d0 sp 0x7fffffffa2c8
> WRITE of size 8 at 0x7fffffffa300 thread T0
>     #0 0x8020ca270 in execl /usr/main-src/lib/libc/gen/exec.c:74:10
>     #1 0x80253dcf2 in _system /usr/main-src/lib/libc/stdlib/system.c:89:3
>     #2 0x801acec72 in __thr_system /usr/main-src/lib/libthr/thread/thr_syscalls.c:545:8
>     #3 0x10fe434 in systemf /usr/main-src/contrib/libarchive/test_utils/test_main.c:3071:6
>     #4 0x10f45f9 in test_stdin /usr/main-src/contrib/libarchive/cat/test/test_stdin.c:37:6
>     #5 0x1101b2c in test_run /usr/main-src/contrib/libarchive/test_utils/test_main.c:3561:2
>     #6 0x1101b2c in main /usr/main-src/contrib/libarchive/test_utils/test_main.c:4062:9
>
> Address 0x7fffffffa300 is located in stack of thread T0
> SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /usr/main-src/lib/libc/gen/exec.c:74:10 in execl
> Shadow bytes around the buggy address:
>   0x4ffffffff410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff450: 00 00 00 00 00 00 00 00 00 00 00 00 ca ca ca ca
> =>0x4ffffffff460:[ca]ca ca ca cb cb cb cb f1 f1 f1 f1 00 00 00 f3
>   0x4ffffffff470: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
>   0x4ffffffff480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x4ffffffff4a0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
>   0x4ffffffff4b0: 04 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable: 00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone: fa
>   Freed heap region: fd
>   Stack left redzone: f1
>   Stack mid redzone: f2
>   Stack right redzone: f3
>   Stack after return: f5
>   Stack use after scope: f8
>   Global redzone: f9
>   Global init order: f6
>   Poisoned by user: f7
>   Container overflow: fc
>   Array cookie: ac
>   Intra object redzone: bb
>   ASan internal: fe
>   Left alloca redzone: ca
>   Right alloca redzone: cb
> ==99317==ABORTING
> *** forcing core dump so failure can be debugged ***
>
> Files left in work directory after failure: bsdcat_test.2022-01-07T10.54.28-000
>
> Looking at lib/libc/gen/exec.c:74 showed:
>
> argv[0] = arg;
>
> There are a fair number of other tests that also report such for
> that line of code in execl.
>
>
>
> There are also examples of the likes of:
>
> ===> bin/pax/legacy_test:main
> Result: broken: TAP test program yielded invalid data: Load of '/tmp/kyua.FKD2vh/2679/stdout.txt' failed: Output did not contain any TAP plan and the program did not bail out
> . . .
> Standard error:
> ld-elf.so.1: /lib/libthr.so.3: Undefined symbol "__asan_option_detect_stack_use_after_return"
>
> where the test does not seem to have been able to run at all
> because of the undefined symbol.
>
>
> Overall going through trying to summarize the AddressSanitizer reports
> looks much messier than doing so for the Undefined Behavior reports.
>

For:

+/usr/main-src/sys/contrib/zlib/deflate.c:1262:31: runtime error: load of misaligned address 0x6310000148cd for type 'ushf' (aka 'unsigned short'), which requires 2 byte alignment
+0x6310000148cd: note: pointer points here
+ 19 86 a0 f0 d7 21 54 2f 17 85 a6 45 e3 21 a7 5e a6 24 d5 4a c5 c9 02 6f cd b8 04 55 b8 d8 49 a1
+ ^

and many other examples at that source line, the line looks like:

register ush scan_start = *(ushf*)scan;

in "local uInt longest_match(s, cur_match)". Similarly for
various other lines involving *(ushf*) in an expression.

There are a lot of examples of the likes of:

==82301==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffce58 at pc 0x00000110152e bp 0x7fffffffce30 sp 0x7fffffffc5f8
WRITE of size 24 at 0x7fffffffce58 thread T0
    #0 0x110152d in sigaltstack /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5
    #1 0x110e902 in __asan::PlatformUnpoisonStacks() /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_posix.cpp:44:3
    #2 0x11127f5 in __asan_handle_no_return /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:605:8
    #3 0x1146099 in evalcommand /usr/main-src/bin/sh/eval.c:1151:3
    #4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #5 0x113f42b in evaltree /usr/main-src/bin/sh/eval.c:238:4
    #6 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #7 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

Address 0x7fffffffce58 is located in stack of thread T0
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:10044:5 in sigaltstack
Shadow bytes around the buggy address:
  0x4ffffffff970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x4ffffffff9c0: 00 00 00 00 00 00 00 00 f3 f3 f3[f3]00 00 00 00
  0x4ffffffff9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffffa10: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb

where bin/sh/eval.c:1151 (and 1152) is a common point and is:

shellexec(argv, envp, path, cmdentry.u.index);
/*NOTREACHED*/

There is an example of the following:

==82356==ABORTING
    #0 0x80148845d in __thr_fcntl /usr/main-src/lib/libthr/thread/thr_syscalls.c:207:30
    #1 0x801e18a44 in fcntl /usr/main-src/lib/libc/sys/fcntl.c:56:10
    #2 0x119ef2b in redirect /usr/main-src/bin/sh/redir.c:146:13
    #3 0x11450b3 in evalcommand /usr/main-src/bin/sh/eval.c:1092:3
    #4 0x113eeb7 in evaltree /usr/main-src/bin/sh/eval.c:289:4
    #5 0x113f86b in evaltree /usr/main-src/bin/sh/eval.c:212:4
    #6 0x113f672 in evalfor /usr/main-src/bin/sh/eval.c:367:3
    #7 0x113f672 in evaltree /usr/main-src/bin/sh/eval.c:257:4
    #8 0x117a316 in cmdloop /usr/main-src/bin/sh/main.c:228:4
    #9 0x1179788 in main /usr/main-src/bin/sh/main.c:175:3

Address 0x7fffffffc780 is located in stack of thread T0 at offset 128 in frame
    #0 0x8014881df in __thr_fcntl /usr/main-src/lib/libthr/thread/thr_syscalls.c:195

  This frame has 1 object(s):
    [32, 56) 'ap' (line 198) <== Memory access at offset 128 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/lib/libthr/thread/thr_syscalls.c:207:30 in __thr_fcntl
Shadow bytes around the buggy address:
  0x4ffffffff8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff8e0: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
=>0x4ffffffff8f0:[f3]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff900: f1 f1 f1 f1 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
  0x4ffffffff910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x4ffffffff930: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f8 f8 f8 f8
  0x4ffffffff940: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
lib/libthr/thread/thr_syscalls.c is the middle line of:

    } else {
        ret = __sys_fcntl(fd, cmd, va_arg(ap, void *));
    }

in __thr_fcntl . lib/libc/sys/fcntl.c:56 is:

    return (((int (*)(int, int, ...))
        __libc_interposing[INTERPOS_fcntl])(fd, cmd, arg));

but there seems to be only one report with those listed.
So: bin/sh/redir.c:146 is:

    if ((i = fcntl(fd, F_DUPFD_CLOEXEC, 10)) == -1) {

in redirect.


There are examples like the following that need a
modal setting to enable the original intent of the test:

=================================================================
==14624==ERROR: AddressSanitizer: requested allocation size 0xffffffffffffffff (0x800 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x10bbdfd in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x8011583c6 in atf_dynstr_init_rep /usr/main-src/contrib/atf/atf-c/detail/dynstr.c:230:26
    #2 0x10e76db in atfu_init_rep_body /usr/main-src/contrib/atf/atf-c/detail/dynstr_test.c:207:15
    #3 0x80116bfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #4 0x8011725e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #5 0x801171d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #6 0x801171d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #7 0x106359c in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #8 0x801112007 ()

==14624==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 in malloc


There is:

==20145==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000140 at pc 0x00080197634c bp 0x7fffffffb190 sp 0x7fffffffb188
WRITE of size 1 at 0x611000000140 thread T0
    #0 0x80197634b in strnunvisx /usr/main-src/contrib/libc-vis/unvis.c:547:7
    #1 0x10a4da4 in strnunvisx /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9250:13
    #2 0x10a4a48 in strunvisx /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9239:13
    #3 0x10dc94e in atfu_strvis_basic_body /usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_vis.c:81:3
    #4 0x80115cfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #5 0x8011635e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #6 0x801162d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #7 0x801162d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

0x611000000140 is located 0 bytes to the right of 256-byte region [0x611000000040,0x611000000140)
allocated by thread T0 here:
    #0 0x10b276d in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x10dc7ba in atfu_strvis_basic_body /usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_vis.c:71:2
    #2 0x80115cfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011635e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801162d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801162d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1059f0c in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801103007 ()

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/main-src/contrib/libc-vis/unvis.c:547:7 in strnunvisx
==20145==ABORTING

where contrib/libc-vis/unvis.c:547 is:

    *dst = '\0';

in strnunvisx and contrib/netbsd-tests/lib/libc/gen/t_vis.c:81 is:

    ATF_REQUIRE(strunvisx(dstbuf, visbuf, styles[i] & (VIS_HTTP1808|VIS_MIMESTYLE)) > 0);

using strunvisx. So, looking:

int
strunvisx(char *dst, const char *src, int flag)
{
    return strnunvisx(dst, (size_t)~0, src, flag);
}

So allowing being out of bounds, by effectively disabling
CHECKSPACE() in strnunvisx, is not surprising.

=================================================================
==20511==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fffffffc220 at pc 0x000801a784c3 bp 0x7fffffffbcb0 sp 0x7fffffffbca8
READ of size 4 at 0x7fffffffc220 thread T0
    #0 0x801a784c2 in compat_setservent /usr/main-src/lib/libc/net/getservent.c:855:7
    #1 0x801a9144d in nsdispatch /usr/main-src/lib/libc/net/nsdispatch.c:729:14
    #2 0x10e2feb in servent_fill_test_data /usr/main-src/lib/libc/tests/nss/getserv_test.c:290:2
    #3 0x10e2feb in run_tests /usr/main-src/lib/libc/tests/nss/getserv_test.c:443:7
    #4 0x10e2dd4 in atfu_build_snapshot_body /usr/main-src/lib/libc/tests/nss/getserv_test.c:502:2
    #5 0x801165fb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #6 0x80116c5e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #7 0x80116bd70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #8 0x80116bd70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

Address 0x7fffffffc220 is located in stack of thread T0 at offset 0 in frame
    #0 0x10e2e1f in run_tests /usr/main-src/lib/libc/tests/nss/getserv_test.c:415

  This frame has 4 object(s):
    [32, 48) 'param.i' (line 74)
    [64, 96) 'td' (line 416)
    [128, 160) 'td_snap' (line 416)
    [192, 224) 'td_2pass' (line 416)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /usr/main-src/lib/libc/net/getservent.c:855:7 in compat_setservent
==20511==ABORTING

Looking around at this I wonder if var_arg handling is a
false-positive context fairly generally.

There is:

===> lib/libcrypt/crypt_test:crypt_salts
Result:     broken: Empty test result or no new line
Start time: 2022-01-07T10:55:18.806257Z
End time:   2022-01-07T10:55:19.183751Z
Duration:   0.377s

Metadata:
    allowed_architectures is empty
    allowed_platforms is empty
    description = crypt(3) salt consistency checks
    has_cleanup = false
    is_exclusive = false
    required_configs is empty
    required_disk_space = 0
    required_files is empty
    required_memory = 0
    required_programs is empty
    required_user is empty
    timeout = 300

Standard error:
*** Expected check failure: Old-style/bad inputs fail on FreeBSD: /usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:142: Test 22 ^A^BUZoIyj/Hy/c != ^A^Bwyd0KZo65Jo
*** Expected check failure: Old-style/bad inputs fail on FreeBSD: /usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:142: Test 23 a_Av8awQ0AsR6 != a_C10Dk/ExaG.
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:142: Test 24 ~UZoIyj/Hy/c != ~.5OTsRVjwLo
=================================================================
==2331==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000010449c1 at pc 0x0008011c1ccd bp 0x7fffffffb950 sp 0x7fffffffb948
READ of size 1 at 0x0000010449c1 thread T0
    #0 0x8011c1ccc in crypt_des /usr/main-src/secure/lib/libcrypt/crypt-des.c:651:24
    #1 0x80119032f in crypt_r /usr/main-src/lib/libcrypt/crypt.c:130:6
    #2 0x10a798d in crypt /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:9881:15
    #3 0x10dc8f2 in atfu_crypt_salts_body /usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:127:16
    #4 0x80115bfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #5 0x8011625e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #6 0x801161d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #7 0x801161d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

0x0000010449c1 is located 63 bytes to the left of global variable '' defined in '/usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:91:12' (0x1044a00) of size 14
  '' is ascii string 'CCX.K.MFy4Ois'
0x0000010449c1 is located 31 bytes to the left of global variable '' defined in '/usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:90:12' (0x10449e0) of size 14
  '' is ascii string 'CCNf8Sbh3HDfQ'
0x0000010449c1 is located 0 bytes to the right of global variable '' defined in '/usr/main-src/contrib/netbsd-tests/lib/libcrypt/t_crypt.c:88:36' (0x10449c0) of size 1
  '' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /usr/main-src/secure/lib/libcrypt/crypt-des.c:651:24 in crypt_des
==2331==ABORTING

secure/lib/libcrypt/crypt-des.c:651 is:

    salt = (ascii_to_bin(setting[1]) << 6) | ascii_to_bin(setting[0]);


There is:

==14241==ERROR: AddressSanitizer: attempting double-free on 0x602000001870 in thread T0:
    #0 0x10cbd02 in free /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
    #1 0x1108577 in (anonymous namespace)::atfu_tc_dnvlist_take_binary__default_value::body() const /usr/main-src/lib/libnv/tests/dnv_tests.cc:542:2
    #2 0x8011b4fb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x801171e42 in atf::tests::tc::run(std::__1::basic_string, std::__1::allocator > const&) const /usr/main-src/contrib/atf/atf-c++/tests.cpp:296:23
    #4 0x801171e42 in (anonymous namespace)::run_tc(std::__1::vector >&, std::__1::basic_string, std::__1::allocator > const&, atf::fs::path const&) /usr/main-src/contrib/atf/atf-c++/tests.cpp:545:13
    #5 0x801171e42 in (anonymous namespace)::safe_main(int, char**, void (*)(std::__1::vector >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:627:19
    #6 0x801171e42 in atf::tests::run_tp(int, char**, void (*)(std::__1::vector >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:651:16

0x602000001870 is located 0 bytes inside of 6-byte region [0x602000001870,0x602000001876)
freed by thread T0 here:
    #0 0x10cbd02 in free /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
    #1 0x110856f in (anonymous namespace)::atfu_tc_dnvlist_take_binary__default_value::body() const /usr/main-src/lib/libnv/tests/dnv_tests.cc:541:2
    #2 0x8011b4fb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x801171e42 in atf::tests::tc::run(std::__1::basic_string, std::__1::allocator > const&) const /usr/main-src/contrib/atf/atf-c++/tests.cpp:296:23
    #4 0x801171e42 in (anonymous namespace)::run_tc(std::__1::vector >&, std::__1::basic_string, std::__1::allocator > const&, atf::fs::path const&) /usr/main-src/contrib/atf/atf-c++/tests.cpp:545:13
    #5 0x801171e42 in (anonymous namespace)::safe_main(int, char**, void (*)(std::__1::vector >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:627:19
    #6 0x801171e42 in atf::tests::run_tp(int, char**, void (*)(std::__1::vector >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:651:16
    #7 0x10735ec in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #8 0x80113a007 ()

previously allocated by thread T0 here:
    #0 0x10c2be4 in strdup /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:439:3
    #1 0x11084e3 in set_binary_value(void*&, unsigned long&, char const*) /usr/main-src/lib/libnv/tests/dnv_tests.cc:474:10
    #2 0x11084e3 in (anonymous namespace)::atfu_tc_dnvlist_take_binary__default_value::body() const /usr/main-src/lib/libnv/tests/dnv_tests.cc:534:2
    #3 0x8011b4fb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #4 0x801171e42 in atf::tests::tc::run(std::__1::basic_string, std::__1::allocator > const&) const /usr/main-src/contrib/atf/atf-c++/tests.cpp:296:23
    #5 0x801171e42 in (anonymous namespace)::run_tc(std::__1::vector >&, std::__1::basic_string, std::__1::allocator > const&, atf::fs::path const&) /usr/main-src/contrib/atf/atf-c++/tests.cpp:545:13
    #6 0x801171e42 in (anonymous namespace)::safe_main(int, char**, void (*)(std::__1::vector >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:627:19
    #7 0x801171e42 in atf::tests::run_tp(int, char**, void (*)(std::__1::vector >&)) /usr/main-src/contrib/atf/atf-c++/tests.cpp:651:16
    #8 0x10735ec in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #9 0x80113a007 ()

SUMMARY: AddressSanitizer: double-free /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3 in free
==14241==ABORTING

Hmm . . .

ATF_TEST_CASE_WITHOUT_HEAD(dnvlist_take_binary__empty);
ATF_TEST_CASE_BODY(dnvlist_take_binary__empty)
{
        nvlist_t *nvl;
        void *default_val, *actual_val;
        size_t default_size, actual_size;

        nvl = nvlist_create(0);
        set_binary_value(default_val, default_size, "\xa8\x89\x49\xff\xe2\x08");

        actual_val = dnvlist_take_binary(nvl, "123", &actual_size, default_val, default_size);
        ATF_REQUIRE_EQ(default_size, actual_size);
        ATF_REQUIRE_EQ(memcmp(actual_val, default_val, actual_size), 0);

        free(actual_val);
        free(default_val);
        nvlist_destroy(nvl);
}

There are a number of other tests with similar code that also
report double-free .


===> sys/capsicum/functional:test_root
. . .
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9539==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000011fe40b bp 0x7fffffffc4f0 sp 0x7fffffffbcb0 T0)
==9539==The signal is caused by a READ memory access.
==9539==Hint: address points to the zero page.
AddressSanitizer: CHECK failed: sanitizer_procmaps_bsd.cpp:69 "((Err)) == ((0))" (0xffffffffffffffff, 0x0) (tid=101026)
AddressSanitizer: CHECK failed: sanitizer_procmaps_bsd.cpp:69 "((Err)) == ((0))" (0xffffffffffffffff, 0x0) (tid=101026)

===> sys/capsicum/functional:test_unprivileged
. . .
[uid:977] /usr/tests/sys/capsicum/mini-me immediately returning (geteuid() == 0) = 0
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9645==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000011fe40b bp 0x7fffffffc4f0 sp 0x7fffffffbcb0 T0)
==9645==The signal is caused by a READ memory access.
==9645==Hint: address points to the zero page.
AddressSanitizer: CHECK failed: sanitizer_procmaps_bsd.cpp:69 "((Err)) == ((0))" (0xffffffffffffffff, 0x0) (tid=101076)
AddressSanitizer: CHECK failed: sanitizer_procmaps_bsd.cpp:69 "((Err)) == ((0))" (0xffffffffffffffff, 0x0) (tid=101076)


Below are some reports that are likely for deliberate error
handling tests where AddressSanitizer activity messes up the
original purpose of the test.

There is:

Standard output:
Executing command [ echo ok |/usr/tests/lib/libc/ssp/h_fgets 10 ]
Executing command [ /usr/tests/lib/libc/ssp/h_fgets 10 ]
Executing command [ echo 0123456789abc |/usr/tests/lib/libc/ssp/h_fgets 13 ]
Executing command [ /usr/tests/lib/libc/ssp/h_fgets 13 ]

Standard error:
Fail: program did not receive a signal
stdout:
/usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in
stderr:
=================================================================
==22446==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffd9ca at pc 0x0000010af17a bp 0x7fffffffcfd0 sp 0x7fffffffc798
WRITE of size 12 at 0x7fffffffd9ca thread T0
    #0 0x10af179 in __asan_memcpy /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0x801b66afe in fgets /usr/main-src/lib/libc/stdio/fgets.c:110:9
    #2 0x1070456 in fgets /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1252:15
    #3 0x10d9b37 in main /usr/main-src/contrib/netbsd-tests/lib/libc/ssp/h_fgets.c:42:8

Address 0x7fffffffd9ca is located in stack of thread T0 at offset 42 in frame
    #0 0x10d99ff in main /usr/main-src/contrib/netbsd-tests/lib/libc/ssp/h_fgets.c:39

  This frame has 1 object(s):
    [32, 42) 'b' (line 40) <== Memory access at offset 42 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
==22446==ABORTING

This is a very short program [(c) NetBSD]:

#include <sys/cdefs.h>
__COPYRIGHT("@(#) Copyright (c) 2008\
 The NetBSD Foundation, inc. All rights reserved.");
__RCSID("$NetBSD: h_fgets.c,v 1.1 2010/12/27 02:04:19 pgoyette Exp $");

#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char *argv[])
{
        char b[10];
        int len = atoi(argv[1]);
        (void)fgets(b, len, stdin);
        (void)printf("%s\n", b);
        return 0;
}

The report is correct for the len == 13 test case but this is
another example of needing to avoid AddressSanitizer messing
up the purpose of the test relative to normal usage (no ASAN).

There are other such examples.

Also:

==21507==ERROR: AddressSanitizer: invalid alignment requested in aligned_alloc: 512, alignment must be a power of two and the requested size 0x1 must be a multiple of alignment (thread T0)
    #0 0x10b1eb2 in aligned_alloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:176:3
    #1 0x10dbc69 in atfu_aligned_alloc_basic_body /usr/main-src/contrib/netbsd-tests/lib/libc/stdlib/t_posix_memalign.c:105:7
    #2 0x80115afb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011615e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801160d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801160d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1058f7c in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801101007 ()

==21507==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: invalid-aligned-alloc-alignment /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:176:3 in aligned_alloc
==21507==ABORTING


==21509==ERROR: AddressSanitizer: invalid alignment requested in posix_memalign: 4, alignment must be a power of two and a multiple of sizeof(void*) == 8 (thread T0)
    #0 0x10b1ff7 in posix_memalign /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:210:3
    #1 0x10db8c7 in atfu_posix_memalign_basic_body /usr/main-src/contrib/netbsd-tests/lib/libc/stdlib/t_posix_memalign.c:69:9
    #2 0x80115afb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011615e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801160d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801160d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1058f7c in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801101007 ()

==21509==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: invalid-posix-memalign-alignment /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:210:3 in posix_memalign
==21509==ABORTING


==21665==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x000801cd5174 bp 0x7fffffffc390 sp 0x7fffffffbb48 T0)
==21665==The signal is caused by a READ memory access.
    #0 0x801cd5174 in strlen /usr/main-src/lib/libc/amd64/string/strlen.S:47
    #1 0x10dcfe9 in atfu_access_fault_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_access.c:107:3
    #2 0x80115dfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011645e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801163d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801163d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1059efc in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801104007 ()

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/main-src/lib/libc/amd64/string/strlen.S:47 in strlen
==21665==ABORTING


==21670==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x000001097bbb bp 0x7fffffffc390 sp 0x7fffffffbb50
READ of size 1025 at 0x619000000480 thread T0
    #0 0x1097bba in access /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:7185:5
    #1 0x10ddcc3 in atfu_access_toolong_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_access.c:202:3
    #2 0x80115dfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011645e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801163d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801163d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

0x619000000480 is located 0 bytes to the right of 1024-byte region [0x619000000080,0x619000000480)
allocated by thread T0 here:
    #0 0x10b275d in malloc /usr/main-src/contrib/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x10ddc07 in atfu_access_toolong_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_access.c:190:8
    #2 0x80115dfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011645e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801163d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801163d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1059efc in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801104007 ()

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:7185:5 in access
==21670==ABORTING


==21729==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffff (pc 0x000801203dd9 bp 0x7fffffffc3b0 sp 0x7fffffffc030 T0)
==21729==The signal is caused by a READ memory access.
    #0 0x801203dd9 in __thr_setcontext /usr/main-src/lib/libthr/thread/thr_sig.c:797:7
    #1 0x10db6a3 in atfu_setcontext_err_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_getcontext.c:96:2
    #2 0x80115bfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011625e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801161d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801161d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #6 0x1058ddc in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #7 0x801102007 ()

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in __thr_setcontext
==21729==ABORTING


==21744==ERROR: AddressSanitizer: negative-size-param: (size=8)
    #0 0x107bbd0 in setitimer /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2258:5
    #1 0x10dca40 in atfu_setitimer_err_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_getitimer.c:164:2
    #2 0x80115bfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #3 0x8011625e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #4 0x801161d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #5 0x801161d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11

Address 0xffffffffffffffff is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: negative-size-param /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:2258:5 in setitimer
==21744==ABORTING

==21982==ERROR: AddressSanitizer: negative-size-param: (size=4)
    #0 0x1087b38 in read_pollfd(void*, __sanitizer::__sanitizer_pollfd*, unsigned int) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3953:5
    #1 0x1087b38 in poll /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3969:20
    #2 0x10dd956 in atfu_poll_err_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_poll.c:230:2
    #3 0x80115cfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #4 0x8011635e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #5 0x801162d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #6 0x801162d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
Address 0xffffffffffffffff is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: negative-size-param /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3953:5 in read_pollfd(void*, __sanitizer::__sanitizer_pollfd*, unsigned int)
==21982==ABORTING

=================================================================
==22204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000010dec62 bp 0x7fffffffc3d0 sp 0x7fffffffc120 T0)
==22204==The signal is caused by a WRITE memory access.
==22204==Hint: address points to the zero page.
    #0 0x10dec62 in atfu_wait6_coredumped_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_wait.c:165:14
    #1 0x80115ffb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
    #2 0x8011665e3 in run_tc /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:504:15
    #3 0x801165d70 in controlled_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:574:15
    #4 0x801165d70 in atf_tp_main /usr/main-src/contrib/atf/atf-c/detail/tp_main.c:604:11
    #5 0x105b1ac in _start /usr/main-src/lib/csu/amd64/crt1_c.c:73:7
    #6 0x801106007 ()
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_wait.c:165:14 in atfu_wait6_coredumped_body
==22204==ABORTING

===> lib/libexecinfo/backtrace_test:backtrace_fmt_basic
Result: failed: 6 checks failed; see output for more details
. . .
Standard output:
got nptrs=19 ncalls=12 (min_frames: 4, max_frames: 9)
backtrace is:
#0: __interceptor_backtrace
#1: myfunc3
#2: myfunc2
#3: myfunc1
#4: myfunc1
#5: myfunc1
#6: myfunc1
#7: myfunc1
#8: myfunc1
#9: myfunc1
#10: myfunc1
#11: myfunc1
#12: myfunc1
#13: myfunc1
#14: myfunc1
#15: myfunc
#16: atfu_backtrace_fmt_basic_body
#17: _ZN6__asan9Allocator10DeallocateEPvmmPN11__sanitizer18BufferedStackTraceENS_9AllocTypeE
#18: _ZNK6__asan24GlobalAddressDescription27PointsInsideTheSameVariableERKS0_
Standard error:
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:95: strings[0] != "myfunc3" (__interceptor_backtrace != myfunc3)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:96: strings[1] != "myfunc2" (myfunc3 != myfunc2)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:99: strings[j] != "myfunc1" (myfunc2 != myfunc1)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:107: strings[j] != frames[i].name (myfunc1 != myfunc)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:107: strings[j] != frames[i].name (myfunc != atfu_backtrace_fmt_basic_body)
*** Check failed: /usr/main-src/contrib/netbsd-tests/lib/libexecinfo/t_backtrace.c:107: strings[j] != frames[i].name (atfu_backtrace_fmt_basic_body != atf_tc_run)

The extra levels of calls involved mess up the test.

That is all for now. There is lots more that I've not looked at (yet?).

===
Mark Millard
marklmi at yahoo.com
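A triage helper for output like the reports quoted in this message, as an added example that is not part of the original message or of any FreeBSD tooling: it splits concatenated AddressSanitizer output per PID and returns the error class, the first frame outside the sanitizer runtime, and whether ASan itself called the address a wild pointer. The names `parse_asan_reports`, `Report` and `RUNTIME_DIR` are hypothetical, and treating any path containing `/compiler-rt/` as runtime code is an assumption based on the paths in these reports.

```python
import re
from collections import namedtuple

Report = namedtuple("Report", "pid kind culprit location wild")

HEADER = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (/\S+:\d+(?::\d+)?)$")
WILD = re.compile(r"^Address 0x[0-9a-f]+ is a wild pointer")
# Assumption: frames whose source path contains this belong to the sanitizer
# runtime (interceptors), not to the code under test.
RUNTIME_DIR = "/compiler-rt/"

def parse_asan_reports(text):
    """Return one Report per '==PID==ERROR' block in concatenated ASan output."""
    reports = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            reports.append({"pid": int(header.group(1)), "kind": header.group(2),
                            "culprit": None, "location": None, "wild": False})
            continue
        if not reports:
            continue  # text before the first report header
        cur = reports[-1]
        if WILD.match(line):
            cur["wild"] = True
        frame = FRAME.match(line)
        if frame and cur["culprit"] is None and RUNTIME_DIR not in frame.group(2):
            cur["culprit"], cur["location"] = frame.groups()
    return [Report(**r) for r in reports]

# Excerpt of two reports quoted in the message, soft line breaks undone.
SAMPLE = """\
==21982==ERROR: AddressSanitizer: negative-size-param: (size=4)
    #0 0x1087b38 in read_pollfd(void*, __sanitizer::__sanitizer_pollfd*, unsigned int) /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3953:5
    #1 0x1087b38 in poll /usr/main-src/contrib/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:3969:20
    #2 0x10dd956 in atfu_poll_err_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_poll.c:230:2
    #3 0x80115cfb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
Address 0xffffffffffffffff is a wild pointer inside of access range of size 0x000000000001.
==21982==ABORTING
==22204==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000010dec62 bp 0x7fffffffc3d0 sp 0x7fffffffc120 T0)
==22204==The signal is caused by a WRITE memory access.
    #0 0x10dec62 in atfu_wait6_coredumped_body /usr/main-src/contrib/netbsd-tests/lib/libc/sys/t_wait.c:165:14
    #1 0x80115ffb4 in atf_tc_run /usr/main-src/contrib/atf/atf-c/tc.c:1054:5
==22204==ABORTING
"""

if __name__ == "__main__":
    for r in parse_asan_reports(SAMPLE):
        print(r.pid, r.kind, r.culprit, r.location, "wild-pointer" if r.wild else "")
```

Grouping the result by `kind` and `wild` separates reports raised inside an interceptor on an invalid argument from crashes in the test body itself, which is the first cut needed when reading a long kyua run.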