On 2022-Jan-7, at 03:49, Mark Millard <[email protected]> wrote:

> Having done a buildworld with both WITH_ASAN= and WITH_UBSAN=
> after finding what to control to allow the build, I installed
> it in a directory tree for chroot use and have
> "kyua test -k /usr/tests/Kyuafile" running.
> 
> I see evidence of various examples of one type of undefined
> behavior: "applying zero offset to null pointer"
> 
> # more /usr/obj/DESTDIRs/main-amd64-xSAN-chroot/tmp/kyua.FKD2vh/356/stderr.txt
> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in
> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in
> /usr/main-src/usr.bin/sed/process.c:715:18: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/sed/process.c:715:18 in
> /usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero offset to null pointer
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdio/fread.c:133:10 in
> Fail: stderr not empty
> --- /dev/null   2022-01-07 10:29:57.182903000 +0000
> +++ /tmp/kyua.FKD2vh/356/work/check.Mk9llD/stderr       2022-01-07 
> 10:29:57.173100000 +0000
> @@ -0,0 +1,2 @@
> +/usr/main-src/lib/libc/stdio/fread.c:133:10: runtime error: applying zero 
> offset to null pointer
> +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
> /usr/main-src/lib/libc/stdio/fread.c:133:10 in 
> Files left in work directory after failure: mntpt, mounterr
> 
> 
> In general the lib/libc/stdio/fread.c:133:10 example seems to
> be in a place that would make it fairly common.
> 
> usr.bin/sed/process.c:715:18 is more limited: just sed use.
> 

kyua ran to completion. This note is focused on UBSAN reports.

By far the most common UBSAN report is for the
lib/libc/stdio/fread.c:133:10 code.

Another somewhat common UBSAN report is:

Standard error:
/usr/main-src/usr.bin/cut/cut.c:458:7: runtime error: addition of unsigned offset to 0x62100000010d overflowed to 0x62100000010c
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/cut/cut.c:458:7 in
Fail: incorrect exit status: 1, expected: 0


There is at least one example of:

Standard error:
ld-elf.so.1: /lib/libthr.so.3: Undefined symbol "__asan_option_detect_stack_use_after_return"


Some more zero offsets to null are:

+/usr/main-src/bin/sh/jobs.c:590:35: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:590:35 in
+/usr/main-src/bin/sh/jobs.c:601:22: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/jobs.c:601:22 in
+/usr/main-src/contrib/xz/src/liblzma/common/common.c:292:16: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/xz/src/liblzma/common/common.c:292:16 in

+/usr/main-src/usr.sbin/makefs/ffs.c:1053:35: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.sbin/makefs/ffs.c:1053:35 in
Files left in work directory after failure: dir, ufs.img


contrib/libxo/libxo/xo_buf.h has examples of non-zero offsets:

+/usr/main-src/contrib/libxo/libxo/xo_buf.h:116:22: runtime error: applying non-zero offset 4 to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:116:22 in
+/usr/main-src/contrib/libxo/libxo/xo_buf.h:116:44: runtime error: applying zero offset to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:116:44 in
+/usr/main-src/contrib/libxo/libxo/xo_buf.h:120:29: runtime error: applying non-zero offset 4 to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/libxo/libxo/xo_buf.h:120:29 in

As does contrib/openzfs/module/nvpair/nvpair.c :

/usr/main-src/sys/contrib/openzfs/module/nvpair/nvpair.c:3129:49: runtime error: applying non-zero offset 4 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sys/contrib/openzfs/module/nvpair/nvpair.c:3129:49 in


There is a:

+/usr/main-src/bin/sh/arith_yacc.c:193:10: runtime error: negation of -9223372036854775808 cannot be represented in type 'arith_t' (aka 'long'); cast to an unsigned type to negate this value to itself
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/bin/sh/arith_yacc.c:193:10 in

And there are various examples similar to:

+/usr/main-src/sys/contrib/zlib/deflate.c:1262:31: runtime error: load of misaligned address 0x631000014805 for type 'ushf' (aka 'unsigned short'), which requires 2 byte alignment
+0x631000014805: note: pointer points here
+ 69 6c 65 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00
+             ^

but at different lines of the code.

There are examples of:

+/usr/main-src/lib/libc/db/hash/hash_page.c:761:3: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:761:3 in
+/usr/main-src/lib/libc/db/hash/hash_page.c:840:2: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:840:2 in
+/usr/main-src/lib/libc/db/hash/hash_page.c:774:2: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/db/hash/hash_page.c:774:2 in

There are various examples similar to:

+/usr/main-src/lib/libc/db/btree/bt_conv.c:168:6: runtime error: load of misaligned address 0x616000000b91 for type 'uint32_t' (aka 'unsigned int'), which requires 4 byte alignment
+0x616000000b91: note: pointer points here
+ 00 00 02  02 03 00 00 00 ec 01 00  00 78 0a 00 08 00 00 00  02 00 00 00 02 02 00 00  00 ec 01 00 00
+              ^

but at different lines of the code.

There was a:

/usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_sleep.c:305:36: runtime error: signed integer overflow: 105827994173648 * 1000000000 cannot be represented in type 'long long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/netbsd-tests/lib/libc/gen/t_sleep.c:305:36 in

And a:

+/usr/main-src/lib/libc/regex/engine.c:1013:53: runtime error: left shift of 4611686018427387904 by 1 places cannot be represented in type 'long'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/regex/engine.c:1013:53 in

(It occurred in multiple places.)

And:

/usr/main-src/lib/libc/gen/_rand48.c:45:55: runtime error: signed integer overflow: 57068 * 43981 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:55 in
/usr/main-src/lib/libc/gen/_rand48.c:45:26: runtime error: signed integer overflow: 58989 * 55082 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:26 in
/usr/main-src/lib/libc/gen/_rand48.c:45:37: runtime error: signed integer overflow: 1365949284 + 876906888 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/gen/_rand48.c:45:37 in

/usr/main-src/lib/libc/stdlib/getenv.c:169:20: runtime error: load of value 190, which is not a valid value for type 'bool'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdlib/getenv.c:169:20 in
/usr/main-src/lib/libc/stdlib/getenv.c:684:23: runtime error: load of value 190, which is not a valid value for type 'bool'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libc/stdlib/getenv.c:684:23 in

And:

/usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: member access within misaligned address 0xffffffffffffffff for type 'const ucontext_t' (aka 'const struct __ucontext'), which requires 16 byte alignment
0xffffffffffffffff: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in
/usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: member access within misaligned address 0xffffffffffffffff for type 'const __sigset_t' (aka 'const struct __sigset'), which requires 16 byte alignment
0xffffffffffffffff: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in
/usr/main-src/lib/libthr/thread/thr_sig.c:797:7: runtime error: load of misaligned address 0xffffffffffffffff for type 'const __uint32_t' (aka 'const unsigned int'), which requires 16 byte alignment
0xffffffffffffffff: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/lib/libthr/thread/thr_sig.c:797:7 in

And:

+/usr/main-src/sbin/nvmecontrol/nvmecontrol.h:99:9: runtime error: load of misaligned address 0x7fffffffc978 for type 'uint128_t' (aka 'unsigned __int128'), which requires 16 byte alignment
+0x7fffffffc978: note: pointer points here
+ 00 00 00 00  00 60 a5 ee dc 01 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
+              ^
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sbin/nvmecontrol/nvmecontrol.h:99:9 in

And:

/usr/main-src/sys/netinet/libalias/alias_db.c:430:2: runtime error: member access within null pointer of type 'struct libalias'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/sys/netinet/libalias/alias_db.c:430:2 in

And:

/usr/main-src/tests/sys/sys/qmath_test.c:569:3: runtime error: left shift of 1277217398 by 34 places cannot be represented in type 's64q_t' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:569:3 in
/usr/main-src/tests/sys/sys/qmath_test.c:569:3: runtime error: signed integer overflow: -8928018189856292682 + -9223372036854775808 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:569:3 in
/usr/main-src/tests/sys/sys/qmath_test.c:570:3: runtime error: left shift of 674540471 by 34 places cannot be represented in type 's64q_t' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:570:3 in
/usr/main-src/tests/sys/sys/qmath_test.c:570:3: runtime error: signed integer overflow: -7034438991598280603 + -9223372036854775808 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:570:3 in

/usr/main-src/tests/sys/sys/qmath_test.c:378:3: runtime error: left shift of 1099256400 by 34 places cannot be represented in type 's64q_t' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:378:3 in
/usr/main-src/tests/sys/sys/qmath_test.c:379:3: runtime error: left shift of 7397324394137081998 by 3 places cannot be represented in type 's64q_t' (aka 'long')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:379:3 in
/usr/main-src/tests/sys/sys/qmath_test.c:378:3: runtime error: signed integer overflow: -5522065151083782997 + -9223372036854775808 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/tests/sys/sys/qmath_test.c:378:3 in

And:

/usr/main-src/usr.bin/mkimg/ebr.c:89:16: runtime error: member access within misaligned address 0x61500000023e for type 'struct dos_partition', which requires 4 byte alignment
0x61500000023e: note: pointer points here
 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00
             ^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/mkimg/ebr.c:89:16 in

And:

/usr/main-src/usr.bin/mkimg/mbr.c:99:8: runtime error: member access within misaligned address 0x6150000004be for type 'struct dos_partition', which requires 4 byte alignment
0x6150000004be: note: pointer points here
 42 0a 42 0a 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00
             ^
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/mkimg/mbr.c:99:8 in

And:

+/usr/main-src/usr.bin/rs/rs.c:387:5: runtime error: applying non-zero offset 108370614813184 to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/rs/rs.c:387:5 in

And:

+/usr/main-src/usr.bin/unifdef/unifdef.c:836:52: runtime error: applying non-zero offset 1 to null pointer
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/usr.bin/unifdef/unifdef.c:836:52 in



===
Mark Millard
marklmi at yahoo.com
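
[Editor's addition, placed after Mark's message and not part of it.] The reports above group into a few C idioms: pointer arithmetic on a null pointer, a signed left shift of 1 by 31, negation of the most negative value, promotion of two unsigned shorts to int before a multiply, and a wide load through a byte pointer that is not suitably aligned. The following is an added example written for this page, not code from the FreeBSD sources the reports name: each function keeps the construct UBSan flags in a comment beside a form that is defined behaviour in ISO C. The helper names and the sample bytes are the editor's own and hypothetical.

```c
/*
 * Added example (editor's illustration, not FreeBSD code): defined-behaviour
 * replacements for five constructs UBSan reported in the kyua run above.
 * Build and run:  cc -std=c11 -fsanitize=undefined ubsan_demo.c && ./a.out
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "applying zero offset to null pointer" (fread.c, sed, sh, liblzma, ...):
 * p + 0, or memcpy(p, q, 0), with p == NULL is undefined even though nothing
 * is moved.  Return before any arithmetic on a possibly-null pointer. */
size_t copy_bounded(unsigned char *dst, const unsigned char *src, size_t n)
{
	if (n == 0 || dst == NULL || src == NULL)
		return 0;		/* was: memcpy(dst, src, n) unconditionally */
	memcpy(dst, src, n);
	return n;
}

/* "left shift of 1 by 31 places cannot be represented in type 'int'"
 * (hash_page.c): shift an unsigned constant and refuse shifts >= the width. */
uint32_t bit_mask(unsigned bit)
{
	return bit < 32 ? (UINT32_C(1) << bit) : 0;	/* was: 1 << bit */
}

/* "negation of -9223372036854775808 cannot be represented" (arith_yacc.c):
 * negate in the unsigned domain, where wrap-around is defined.  Converting
 * 2^63 back to int64_t is implementation-defined, not undefined, and gives
 * INT64_MIN on two's-complement targets, which is the wrap the shell wants. */
int64_t negate_wrapping(int64_t v)
{
	return (int64_t)(UINT64_C(0) - (uint64_t)v);	/* was: -v */
}

/* "signed integer overflow: 57068 * 43981 cannot be represented in type
 * 'int'" (_rand48.c): two unsigned shorts promote to int before multiplying.
 * Widen to uint32_t explicitly so the product stays unsigned. */
uint32_t mul16(uint16_t a, uint16_t b)
{
	return (uint32_t)a * (uint32_t)b;		/* was: a * b */
}

/* "load of misaligned address ... for type 'uint32_t'" (bt_conv.c, deflate.c,
 * mkimg): assemble the value from bytes instead of casting an odd byte
 * pointer to uint32_t *.  This also pins the byte order (little-endian here)
 * instead of inheriting the host's. */
uint32_t load_u32_le(const unsigned char *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;	/* was: *(uint32_t *)p */
}

/* Constructed sample (editor's own): sample + 1 is deliberately not 4-byte
 * aligned, mirroring the bt_conv.c report, and decodes to 0x12345678. */
static const unsigned char sample[5] = { 0xff, 0x78, 0x56, 0x34, 0x12 };

/* Exercises the non-zero path of copy_bounded; returns bytes copied (5). */
size_t demo_copy(void)
{
	unsigned char dst[sizeof sample];
	return copy_bounded(dst, sample, sizeof sample);
}

int main(void)
{
	printf("copy_bounded(NULL, NULL, 0) = %zu\n", copy_bounded(NULL, NULL, 0));
	printf("demo_copy() = %zu\n", demo_copy());
	printf("bit_mask(31) = 0x%08x\n", bit_mask(31));
	printf("negate_wrapping(INT64_MIN) = %lld\n",
	    (long long)negate_wrapping(INT64_MIN));
	printf("mul16(57068, 43981) = %u\n", mul16(57068, 43981));
	printf("load_u32_le(sample + 1) = 0x%08x\n", load_u32_le(sample + 1));
	return 0;
}
```

Building with -fsanitize=undefined and running it stays silent; swapping any function body back to the form in its "was:" comment reproduces the corresponding diagnostic, which is a quick way to confirm a proposed fix for one of the sites listed above before rebuilding world.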

