UBSAN report for libc: __ldtoa can set up gdtoa to do a "Left shift of negative value -18"
Date: Wed, 19 Jan 2022 04:47:56 UTC
Using lldb to look some at the internals for:

gdtoa_gdtoa.c:254:32: runtime error: left shift of negative value -18

. . .
Process 48846 stopped
* thread #1, name = 'acpphint_kernels', stop reason = Invalid shift base
    frame #0: 0x000000000032b3c0 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__ubsan_on_report() at ubsan_monitor.cpp:39
   36   }
   37
   38   SANITIZER_WEAK_DEFAULT_IMPL
-> 39   void __ubsan::__ubsan_on_report(void) {}
   40
   41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
   42                                                 const char **OutMessage,
(lldb) bt
* thread #1, name = 'acpphint_kernels', stop reason = Invalid shift base
  * frame #0: 0x000000000032b3c0 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__ubsan_on_report() at ubsan_monitor.cpp:39
    frame #1: 0x0000000000325b81 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`__ubsan::Diag::~Diag(this=0x00007fffffffb960) at ubsan_diag.cpp:354:29
    frame #2: 0x0000000000328819 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`handleShiftOutOfBoundsImpl(Data=0x0000000808eb05a0, LHS=<unavailable>, RHS=<unavailable>, Opts=(FromUnrecoverableHandler = false, pc = 34505352983, bp = 140737488337968)) at ubsan_diag.h:0:9
    frame #3: 0x000000000032832a acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__ubsan_handle_shift_out_of_bounds(Data=<unavailable>, LHS=<unavailable>, RHS=<unavailable>) at ubsan_handlers.cpp:370:3
    frame #4: 0x0000000808ade717 libc.so.7`__gdtoa(fpi=<unavailable>, be=-81, bits=<unavailable>, kindp=0x00007fffffffbe80, mode=<unavailable>, ndigits=<unavailable>, decpt=<unavailable>, rve=<unavailable>) at gdtoa_gdtoa.c:254:32
    frame #5: 0x0000000808ad6e43 libc.so.7`__ldtoa(ld=<unavailable>, mode=<unavailable>, ndigits=<unavailable>, decpt=<unavailable>, sign=<unavailable>, rve=<unavailable>) at _ldtoa.c:106:8
    frame #6: 0x000000080899e0f7 libc.so.7`__vfprintf(fp=<unavailable>, locale=<unavailable>, fmt0=<unavailable>, ap=<unavailable>) at vfprintf.c:718:9
    frame #7: 0x00000008089cab43 libc.so.7`vsnprintf_l(str=<unavailable>, n=29, locale=<unavailable>, fmt=<unavailable>, ap=<unavailable>) at vsnprintf.c:80:8
    frame #8: 0x00000000002c6e84 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__interceptor_vsnprintf_l(str="\b(j", size=30, loc=0x0000000000000000, format="%.*Lg", ap=0x00007fffffffd2b0) at sanitizer_common_interceptors.inc:1676:1
    frame #9: 0x00000000002c70c2 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__interceptor_snprintf_l(str="\b(j", size=30, loc=0x0000000000000000, format="%.*Lg") at sanitizer_common_interceptors.inc:1680:1
    frame #10: 0x000000080171855f libc++.so.1`std::__1::num_put<char, std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > >::do_put(this=<unavailable>, __s=std::__1::num_put<char, std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > >::iter_type @ 0x00007fffffffd320, __iob=0x0000000000db2040, __fl=' ', __v=0.000006883) const at locale:1631:16
    frame #11: 0x0000000801706129 libc++.so.1`std::__1::basic_ostream<char, std::__1::char_traits<char> >::operator<<(long double) [inlined] std::__1::num_put<char, std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > >::put(this=0x0000000801758990, __s=std::__1::num_put<char, std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > >::iter_type @ r15, __iob=0x0000000000db2040, __v=<unavailable>) const at locale:1325:16
    frame #12: 0x000000080170610d libc++.so.1`std::__1::basic_ostream<char, std::__1::char_traits<char> >::operator<<(this=0x0000000000db2040, __n=0.000006883) at ostream:666:21
    frame #13: 0x0000000000451ccb acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`void report_survey<unsigned long long, unsigned long long>(clock_info=<unavailable>) at acpphint_kernelsurveyors_main.cpp:118:17
    frame #14: 0x0000000000450ad1 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`main(argc=<unavailable>, argv=<unavailable>) at acpphint_kernelsurveyors_main.cpp:308:5
    frame #15: 0x00000000002a9170 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1_c.c:73:7
(lldb) thread info -s
thread #1: tid = 101028, 0x000000000032b3c0 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'acpphint_kernels', stop reason = Invalid shift base

{
  "col": 32,
  "description": "invalid-shift-base",
  "filename": "gdtoa_gdtoa.c",
  "instrumentation_class": "UndefinedBehaviorSanitizer",
  "line": 254,
  "memory_address": 0,
  "summary": "Left shift of negative value -18",
  "tid": 101028,
  "trace": [
    34505352982,
    34505322050,
    34504040694,
    34504223554,
    34383955294,
    34383880488,
    34383880460
  ]
}

(lldb) up 4
frame #4: 0x0000000808ade717 libc.so.7`__gdtoa(fpi=<unavailable>, be=-81, bits=<unavailable>, kindp=0x00007fffffffbe80, mode=<unavailable>, ndigits=<unavailable>, decpt=<unavailable>, rve=<unavailable>) at gdtoa_gdtoa.c:254:32
   251          dval(&d) *= 1 << j1;
   252          word0(&d) += j << Exp_shift - 2 & Exp_mask;
   253  #else
-> 254          word0(&d) += (be + bbits - 1) << Exp_shift;
   255  #endif
   256          if (k >= 0 && k <= Ten_pmax) {
   257                  if (dval(&d) < tens[k])
(lldb) up
frame #5: 0x0000000808ad6e43 libc.so.7`__ldtoa(ld=<unavailable>, mode=<unavailable>, ndigits=<unavailable>, decpt=<unavailable>, sign=<unavailable>, rve=<unavailable>) at _ldtoa.c:106:8
   103                  abort();
   104          }
   105
-> 106          ret = gdtoa(&fpi, be, vbits, &kind, mode, ndigits, decpt, rve);
   107          if (*decpt == -32768)
   108                  *decpt = INT_MAX;
   109          return ret;
(lldb) up
frame #6: 0x000000080899e0f7 libc.so.7`__vfprintf(fp=<unavailable>, locale=<unavailable>, fmt0=<unavailable>, ap=<unavailable>) at vfprintf.c:718:9
   715                          if (flags & LONGDBL) {
   716                                  fparg.ldbl = GETARG(long double);
   717                                  dtoaresult = cp =
-> 718                                      __ldtoa(&fparg.ldbl, expchar ? 2 : 3, prec,
   719                                      &expt, &signflag, &dtoaend);
   720                          } else {
   721                                  fparg.dbl = GETARG(double);
(lldb) up
frame #7: 0x00000008089cab43 libc.so.7`vsnprintf_l(str=<unavailable>, n=29, locale=<unavailable>, fmt=<unavailable>, ap=<unavailable>) at vsnprintf.c:80:8
   77           f._flags = __SWR | __SSTR;
   78           f._bf._base = f._p = (unsigned char *)str;
   79           f._bf._size = f._w = n;
-> 80           ret = __vfprintf(&f, locale, fmt, ap);
   81           if (on > 0)
   82                   *f._p = '\0';
   83           return (ret);
(lldb) up
frame #8: 0x00000000002c6e84 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__interceptor_vsnprintf_l(str="\b(j", size=30, loc=0x0000000000000000, format="%.*Lg", ap=0x00007fffffffd2b0) at sanitizer_common_interceptors.inc:1676:1
   1673 #if SANITIZER_INTERCEPT_PRINTF_L
   1674 INTERCEPTOR(int, vsnprintf_l, char *str, SIZE_T size, void *loc,
   1675             const char *format, va_list ap)
-> 1676 VSNPRINTF_INTERCEPTOR_IMPL(vsnprintf_l, str, size, loc, format, ap)
   1677
   1678 INTERCEPTOR(int, snprintf_l, char *str, SIZE_T size, void *loc,
   1679             const char *format, ...)
(lldb) up
frame #9: 0x00000000002c70c2 acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`::__interceptor_snprintf_l(str="\b(j", size=30, loc=0x0000000000000000, format="%.*Lg") at sanitizer_common_interceptors.inc:1680:1
   1677
   1678 INTERCEPTOR(int, snprintf_l, char *str, SIZE_T size, void *loc,
   1679             const char *format, ...)
-> 1680 FORMAT_INTERCEPTOR_IMPL(snprintf_l, vsnprintf_l, str, size, loc, format)
   1681 #endif  // SANITIZER_INTERCEPT_PRINTF_L
   1682
   1683 INTERCEPTOR(int, vsprintf, char *str, const char *format, va_list ap)
(lldb) up
frame #10: 0x000000080171855f libc++.so.1`std::__1::num_put<char, std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > >::do_put(this=<unavailable>, __s=std::__1::num_put<char, std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > >::iter_type @ 0x00007fffffffd320, __iob=0x0000000000db2040, __fl=' ', __v=0.000006883) const at locale:1631:16
   1628     char* __nb = __nar;
   1629     int __nc;
   1630     if (__specify_precision)
-> 1631         __nc = __libcpp_snprintf_l(__nb, __nbuf, _LIBCPP_GET_C_LOCALE, __fmt,
   1632                                    (int)__iob.precision(), __v);
   1633     else
   1634         __nc = __libcpp_snprintf_l(__nb, __nbuf, _LIBCPP_GET_C_LOCALE, __fmt, __v);
(lldb) up
frame #11: 0x0000000801706129 libc++.so.1`std::__1::basic_ostream<char, std::__1::char_traits<char> >::operator<<(long double) [inlined] std::__1::num_put<char, std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > >::put(this=0x0000000801758990, __s=std::__1::num_put<char, std::__1::ostreambuf_iterator<char, std::__1::char_traits<char> > >::iter_type @ r15, __iob=0x0000000000db2040, __v=<unavailable>) const at locale:1325:16
   1322     iter_type put(iter_type __s, ios_base& __iob, char_type __fl,
   1323                   long double __v) const
   1324     {
-> 1325         return do_put(__s, __iob, __fl, __v);
   1326     }
   1327
   1328     _LIBCPP_INLINE_VISIBILITY
(lldb) up
frame #12: 0x000000080170610d libc++.so.1`std::__1::basic_ostream<char, std::__1::char_traits<char> >::operator<<(this=0x0000000000db2040, __n=0.000006883) at ostream:666:21
   663          {
   664              typedef num_put<char_type, ostreambuf_iterator<char_type, traits_type> > _Fp;
   665              const _Fp& __f = use_facet<_Fp>(this->getloc());
-> 666              if (__f.put(*this, *this, this->fill(), __n).failed())
   667                  this->setstate(ios_base::badbit | ios_base::failbit);
   668          }
   669  #ifndef _LIBCPP_NO_EXCEPTIONS
(lldb) up
frame #13: 0x0000000000451ccb acpphint_kernelsurveyors_main-ThreadRipper1950X-131072MiB-threads_32-LP64-FreeBSD_main_n247756_348c41d1815d_64bit-clang++_13_O3lto-libc++-xSAN`void report_survey<unsigned long long, unsigned long long>(clock_info=<unavailable>) at acpphint_kernelsurveyors_main.cpp:118:17
   115                << ks_serial_result.krr.kernel_result.ixes_errs_used_each
   116                << "\n"
   117                << "krr.total_sec_for_laps_for_median: "
-> 118                << ks_serial_result.krr.total_sec_for_laps_for_median.count()
   119                << "\n"
   120                << "krr.tscout(): "
   121                << ks_serial_result.tscout().count() << "\n"

So simply using << style output resulted in the oddity.

Turns out that be (which ends up as be=-81 according to frame 4's details, if accurate) is calculated in __ldtoa via:

    48 char *
    49 __ldtoa(long double *ld, int mode, int ndigits, int *decpt, int *sign,
    50     char **rve)
    51 {
. . .
    65         union IEEEl2bits u;
. . .
    69         u.e = *ld;
. . .
    79         be = u.bits.exp - (LDBL_MAX_EXP - 1) - (LDBL_MANT_DIG - 1);
. . .
   106         ret = gdtoa(&fpi, be, vbits, &kind, mode, ndigits, decpt, rve);
. . .

gdtoa then does (various line numbers & some white space omitted):

. . .
        int bbits, . . .
. . .
        b = bitstob(bits, nbits = fpi->nbits, &bbits);
        be0 = be;
        if ( (i = trailz(b)) !=0) {
                rshift(b, i);
                be += i;
                bbits -= i;
                }
. . .
-> 254  word0(&d) += (be + bbits - 1) << Exp_shift;

So, by the UBSAN report:

be + bbits - 1 == -18

If be==-81, then bbits==64 at the time & place.

===
Mark Millard
marklmi at yahoo.com
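The arithmetic described in the message above, as an added example that is not part of the original post and not FreeBSD's code. It goes beyond the single traced value: because trailz/rshift adds i to be and subtracts i from bbits, be + bbits - 1 is the value's binary exponent, so the shift operand is negative for any |x| < 1. The function names, EXP_SHIFT = 20 and the sample value are assumptions made for the illustration; the unsigned cast is one defined-behaviour way to write the shift.

```c
#include <float.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXP_SHIFT 20 /* assumed value of gdtoa's Exp_shift (IEEE double) */

/* (be + bbits - 1) for a normal, finite, nonzero long double.
 * e is the unbiased exponent that u.bits.exp - (LDBL_MAX_EXP - 1) yields in
 * the quoted __ldtoa line 79; it is found here by exact scaling instead of
 * the FreeBSD-only union IEEEl2bits. The trailz/rshift step adds i to be and
 * subtracts i from bbits, so the sum is independent of trailing zero bits. */
int shift_operand(long double x)
{
    long double a = x < 0 ? -x : x;
    int e = 0;
    while (a < 1.0L)  { a *= 2.0L; e--; }
    while (a >= 2.0L) { a /= 2.0L; e++; }
    int be = e - (LDBL_MANT_DIG - 1);
    int bbits = LDBL_MANT_DIG;      /* full-width significand, i == 0 */
    return be + bbits - 1;          /* == e, negative whenever |x| < 1 */
}

/* Defined-behaviour form of "v << Exp_shift" for negative v: shift as
 * unsigned, which wraps modulo 2^32 and gives the two's-complement bits. */
uint32_t exp_adjust(int v)
{
    return (uint32_t)v << EXP_SHIFT;
}

/* Add the adjustment to the high word of a double, as line 254 does with
 * word0(&d), and return the rescaled value. */
double scale_by_word0(double d, int v)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    uint32_t hi = (uint32_t)(bits >> 32) + exp_adjust(v);
    bits = ((uint64_t)hi << 32) | (bits & 0xffffffffu);
    memcpy(&d, &bits, sizeof d);
    return d;
}

int main(void)
{
    int v = shift_operand(0.000006883L);  /* constructed from the trace's __n */
    printf("be + bbits - 1 = %d\n", v);
    printf("adjust = 0x%08x, 1.5 rescaled = %g\n",
           (unsigned)exp_adjust(v), scale_by_word0(1.5, v));
    return 0;
}
```

Building this with -fsanitize=undefined stays silent, while changing exp_adjust to shift the signed int directly reproduces the "left shift of negative value" report.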