From: Baptiste Daroussin <bapt@FreeBSD.org>
To: Mark Millard
Cc: freebsd-current, Zhihao Yuan
Date: Fri, 14 Jan 2022 16:27:57 +0100
Subject: Re: UBSAN reported behaviors in view use: Null pointer use oddities in contrib/nvi/... code
Message-ID: <20220114152757.bissm73v5vwhdogv@aniel.nours.eu>
In-Reply-To: <99C234B7-AD2F-428F-B697-32A1F89AAC51@yahoo.com>
References: <99C234B7-AD2F-428F-B697-32A1F89AAC51.ref@yahoo.com> <99C234B7-AD2F-428F-B697-32A1F89AAC51@yahoo.com>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

+ CC upstream

On Fri, Jan 14, 2022 at 05:37:20AM -0800, Mark Millard wrote:
> # env ASAN_OPTIONS=detect_container_overflow=0 lldb view
> (lldb) target create "view"
> Current executable set to 'view' (x86_64).
> (lldb) run /usr/main-src/contrib/nvi/common/log.c
> Process 96507 launched: '/usr/bin/view' (x86_64)
> Process 96507 stopped
> * thread #1, name = 'view', stop reason = Nullptr with nonzero offset
>     frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
>    36   }
>    37
>    38   SANITIZER_WEAK_DEFAULT_IMPL
> -> 39   void __ubsan::__ubsan_on_report(void) {}
>    40
>    41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
>    42                                                 const char **OutMessage,
> (lldb) bt
> * thread #1, name = 'view', stop reason = Nullptr with nonzero offset
>   * frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
>     frame #1: 0x00000000012c36b1 view`__ubsan::Diag::~Diag(this=0x00007fffffffb9b0) at ubsan_diag.cpp:354:29
>     frame #2: 0x00000000012c85e4 view`handlePointerOverflowImpl(Data=, Base=, Result=, Opts=(FromUnrecoverableHandler = false, pc = 21543807, bp = 140737488337936)) at ubsan_diag.h:0:21
>     frame #3: 0x00000000012c811a view`::__ubsan_handle_pointer_overflow(Data=, Base=, Result=) at ubsan_handlers.cpp:815:3
>     frame #4: 0x000000000148bb7f view`vs_crel(sp=0x00007fffffffbd20, count=) at v_z.c:138:14
>     frame #5: 0x0000000001420d78 view`v_optchange(sp=, offset=, str=, valp=) at v_init.c:117:11 [artificial]
>     frame #6: 0x000000000132d079 view`opts_set(sp=0x000061e000000080, argv=0x00007fffffffbf00, usage=) at options.c:684:8
>     frame #7: 0x0000000001328db4 view`opts_init(sp=, oargs=) at options.c:412:2
>     frame #8: 0x00000000013184d3 view`editor(gp=0x0000621000000100, argc=, argv=0x00007fffffffdb10) at main.c:240:6
>     frame #9: 0x00000000012d21dd view`main(argc=, argv=) at cl_main.c:115:9
>     frame #10: 0x0000000001246c7d view`_start(ap=, cleanup=) at crt1_c.c:73:7
> (lldb) up 4
> frame #4: 0x000000000148bb7f view`vs_crel(sp=0x00007fffffffbd20, count=) at v_z.c:138:14
>    135          sp->t_minrows = sp->t_rows = count;
>    136          if (sp->t_rows > sp->rows - 1)
>    137                  sp->t_minrows = sp->t_rows = sp->rows - 1;
> -> 138          TMAP = HMAP + (sp->t_rows - 1);
>    139          F_SET(sp, SC_SCR_REDRAW);
>    140          return (0);
>    141  }
> (lldb) thread info -s
> thread #1: tid = 125915, 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'view', stop reason = Nullptr with nonzero offset
>
> {
>   "col": 14,
>   "description": "nullptr-with-nonzero-offset",
>   "filename": "/usr/main-src/contrib/nvi/vi/v_z.c",
>   "instrumentation_class": "UndefinedBehaviorSanitizer",
>   "line": 138,
>   "memory_address": 0,
>   "summary": "Applying non-zero offset 1056 to null pointer",
>   "tid": 125915,
>   "trace": []
> }
>
> . . . Later: . . .
>
> Process 96507 stopped
> * thread #1, name = 'view', stop reason = Null pointer use
>     frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
>    36   }
>    37
>    38   SANITIZER_WEAK_DEFAULT_IMPL
> -> 39   void __ubsan::__ubsan_on_report(void) {}
>    40
>    41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
>    42                                                 const char **OutMessage,
> (lldb) bt
> * thread #1, name = 'view', stop reason = Null pointer use
>   * frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
>     frame #1: 0x00000000012c36b1 view`__ubsan::Diag::~Diag(this=0x00007fffffffc3c0) at ubsan_diag.cpp:354:29
>     frame #2: 0x00000000012c4aef view`handleTypeMismatchImpl(Data=, Pointer=, Opts=(FromUnrecoverableHandler = false, pc = 19992923, bp = 140737488340592)) at ubsan_handlers.cpp:117:5
>     frame #3: 0x00000000012c47aa view`::__ubsan_handle_type_mismatch_v1(Data=, Pointer=) at ubsan_handlers.cpp:142:3
>     frame #4: 0x000000000131115b view`log_line(sp=, lno=, action=) at log.c:261:2
>     frame #5: 0x000000000130cd55 view`db_append(sp=, update=, lno=, p=, len=) at line.c:295:2
>     frame #6: 0x000000000141b582 view`v_ecl_log(sp=, tp=) at v_ex.c:605:10
>     frame #7: 0x0000000001419af2 view`v_ex(sp=, vp=) at v_ex.c:372:38
>     frame #8: 0x000000000148da62 view`vi(spp=) at vi.c:226:18
>     frame #9: 0x0000000001319704 view`editor(gp=0x0000621000000100, argc=, argv=) at main.c:402:38
>     frame #10: 0x00000000012d21dd view`main(argc=, argv=) at cl_main.c:115:9
>     frame #11: 0x0000000001246c7d view`_start(ap=, cleanup=) at crt1_c.c:73:7
> (lldb) up 4
> frame #4: 0x000000000131115b view`log_line(sp=, lno=, action=) at log.c:261:2
>    258          } else
>    259                  if (db_get(sp, lno, DBG_FATAL, &lp, &len))
>    260                          return (1);
> -> 261          BINC_RETC(sp,
>    262              ep->l_lp, ep->l_len,
>    263              len * sizeof(CHAR_T) + CHAR_T_OFFSET);
>    264          ep->l_lp[0] = action;
> (lldb) thread info -s
> thread #1: tid = 208533, 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'view', stop reason = Null pointer use
>
> {
>   "col": 2,
>   "description": "null-pointer-use",
>   "filename": "/usr/main-src/contrib/nvi/common/log.c",
>   "instrumentation_class": "UndefinedBehaviorSanitizer",
>   "line": 261,
>   "memory_address": 0,
>   "summary": "Member access within null pointer of type 'log_t'",
>   "tid": 208533,
>   "trace": []
> }
> (lldb) c
> Process 96507 resuming
> /usr/main-src/contrib/nvi/common/log.c:261:2: runtime error: member access within null pointer of type 'log_t'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:261:2 in
> Process 96507 stopped
> * thread #1, name = 'view', stop reason = Null pointer use
>     frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
>    36   }
>    37
>    38   SANITIZER_WEAK_DEFAULT_IMPL
> -> 39   void __ubsan::__ubsan_on_report(void) {}
>    40
>    41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
>    42                                                 const char **OutMessage,
> (lldb) bt
> * thread #1, name = 'view', stop reason = Null pointer use
>   * frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
>     frame #1: 0x00000000012c36b1 view`__ubsan::Diag::~Diag(this=0x00007fffffffc3c0) at ubsan_diag.cpp:354:29
>     frame #2: 0x00000000012c4aef view`handleTypeMismatchImpl(Data=, Pointer=, Opts=(FromUnrecoverableHandler = false, pc = 19993513, bp = 140737488340592)) at ubsan_handlers.cpp:117:5
>     frame #3: 0x00000000012c47aa view`::__ubsan_handle_type_mismatch_v1(Data=, Pointer=) at ubsan_handlers.cpp:142:3
>     frame #4: 0x00000000013113a9 view`log_line(sp=, lno=, action=) at log.c:266:21
>     frame #5: 0x000000000130cd55 view`db_append(sp=, update=, lno=, p=, len=) at line.c:295:2
>     frame #6: 0x000000000141b582 view`v_ecl_log(sp=, tp=) at v_ex.c:605:10
>     frame #7: 0x0000000001419af2 view`v_ex(sp=, vp=) at v_ex.c:372:38
>     frame #8: 0x000000000148da62 view`vi(spp=) at vi.c:226:18
>     frame #9: 0x0000000001319704 view`editor(gp=0x0000621000000100, argc=, argv=) at main.c:402:38
>     frame #10: 0x00000000012d21dd view`main(argc=, argv=) at cl_main.c:115:9
>     frame #11: 0x0000000001246c7d view`_start(ap=, cleanup=) at crt1_c.c:73:7
> (lldb) up 4
> frame #4: 0x00000000013113a9 view`log_line(sp=, lno=, action=) at log.c:266:21
>    263              len * sizeof(CHAR_T) + CHAR_T_OFFSET);
>    264          ep->l_lp[0] = action;
>    265          memmove(ep->l_lp + sizeof(u_char), &lno, sizeof(recno_t));
> -> 266          memmove(ep->l_lp + CHAR_T_OFFSET, lp, len * sizeof(CHAR_T));
>    267
>    268          lcur = ep->l_cur;
>    269          key.data = &lcur;
> (lldb) thread info -s
> thread #1: tid = 208533, 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'view', stop reason = Null pointer use
>
> {
>   "col": 21,
>   "description": "null-pointer-use",
>   "filename": "/usr/main-src/contrib/nvi/common/log.c",
>   "instrumentation_class": "UndefinedBehaviorSanitizer",
>   "line": 266,
>   "memory_address": 0,
>   "summary": "Member access within null pointer of type 'log_t'",
>   "tid": 208533,
>   "trace": []
> }
> (lldb) c
> Process 96507 resuming
> /usr/main-src/contrib/nvi/common/log.c:266:21: runtime error: member access within null pointer of type 'log_t'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/main-src/contrib/nvi/common/log.c:266:21 in
> Process 96507 stopped
> * thread #1, name = 'view', stop reason = Null pointer use
>     frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
>    36   }
>    37
>    38   SANITIZER_WEAK_DEFAULT_IMPL
> -> 39   void __ubsan::__ubsan_on_report(void) {}
>    40
>    41   void __ubsan::__ubsan_get_current_report_data(const char **OutIssueKind,
>    42                                                 const char **OutMessage,
> (lldb) bt
> * thread #1, name = 'view', stop reason = Null pointer use
>   * frame #0: 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39
>     frame #1: 0x00000000012c36b1 view`__ubsan::Diag::~Diag(this=0x00007fffffffc3c0) at ubsan_diag.cpp:354:29
>     frame #2: 0x00000000012c4aef view`handleTypeMismatchImpl(Data=, Pointer=, Opts=(FromUnrecoverableHandler = false, pc = 19993957, bp = 140737488340592)) at ubsan_handlers.cpp:117:5
>     frame #3: 0x00000000012c47aa view`::__ubsan_handle_type_mismatch_v1(Data=, Pointer=) at ubsan_handlers.cpp:142:3
>     frame #4: 0x0000000001311565 view`log_line(sp=, lno=, action=) at log.c:272:37
>     frame #5: 0x000000000130cd55 view`db_append(sp=, update=, lno=, p=, len=) at line.c:295:2
>     frame #6: 0x000000000141b582 view`v_ecl_log(sp=, tp=) at v_ex.c:605:10
>     frame #7: 0x0000000001419af2 view`v_ex(sp=, vp=) at v_ex.c:372:38
>     frame #8: 0x000000000148da62 view`vi(spp=) at vi.c:226:18
>     frame #9: 0x0000000001319704 view`editor(gp=0x0000621000000100, argc=, argv=) at main.c:402:38
>     frame #10: 0x00000000012d21dd view`main(argc=, argv=) at cl_main.c:115:9
>     frame #11: 0x0000000001246c7d view`_start(ap=, cleanup=) at crt1_c.c:73:7
> (lldb) up 4
> frame #4: 0x0000000001311565 view`log_line(sp=, lno=, action=) at log.c:272:37
>    269          key.data = &lcur;
>    270          key.size = sizeof(recno_t);
>    271          data.data = ep->l_lp;
> -> 272          data.size = len * sizeof(CHAR_T) + CHAR_T_OFFSET;
>    273          if (ep->log->put(ep->log, &key, &data, 0) == -1)
>    274                  LOG_ERR;
>    275
> (lldb) thread info -s
> thread #1: tid = 208533, 0x00000000012c8ef0 view`::__ubsan_on_report() at ubsan_monitor.cpp:39, name = 'view', stop reason = Null pointer use
>
> {
>   "col": 37,
>   "description": "null-pointer-use",
>   "filename": "/usr/main-src/contrib/nvi/common/log.c",
>   "instrumentation_class": "UndefinedBehaviorSanitizer",
>   "line": 272,
>   "memory_address": 0,
>   "summary": "Member access within null pointer of type 'log_t'",
>   "tid": 208533,
>   "trace": []
> }
>
>
> ===
> Mark Millard
> marklmi at yahoo.com
>
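The two kinds of finding in the quoted session, reduced to a stand-alone C program as an added example (this is not nvi's code and not part of the mail): a tail-of-map pointer derived from a head pointer that is still NULL, as at v_z.c:138 where the first backtrace reaches vs_crel() from opts_init() before the screen map exists, and member accesses through a NULL per-file log state, as at log.c:261/266/272. The names screen_t, log_state_t, map_resize() and log_append() are hypothetical stand-ins for nvi's SCR, log_t, vs_crel() and log_line(); the TRIGGER_UBSAN macro is this example's own. The -fsanitize=undefined and -fno-sanitize-recover=all flags are real clang/gcc options and are what make the unchecked variants abort at the same two kinds of site UBSan flagged in view.

```c
/* Added example, not nvi's code: null-pointer arithmetic and null member
 * access of the kind UBSan reported, beside the checked forms.
 * Build normally:            cc -g ubsan_null.c
 * Build to see the reports:  cc -g -DTRIGGER_UBSAN -fsanitize=undefined \
 *                              -fno-sanitize-recover=all ubsan_null.c   */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for nvi's SCR: the line map (hmap..tmap) is allocated only once
 * the screen exists, yet option handling can resize the window before that,
 * which is the path editor -> opts_init -> opts_set -> v_optchange -> vs_crel
 * in the first backtrace, with HMAP still NULL. */
typedef struct screen {
    long *hmap;     /* head of the line map, NULL until allocated */
    long *tmap;     /* last valid map entry                        */
    long  rows;     /* physical rows on the terminal               */
    long  t_rows;   /* rows used by the text window                */
} screen_t;

/* Stand-in for the per-file undo log state ('log_t' in the report), which
 * is NULL when no log has been opened for the file. */
typedef struct log_state {
    unsigned char *l_lp;    /* record buffer             */
    size_t         l_len;   /* capacity of l_lp          */
    size_t         l_cur;   /* number of records written */
} log_state_t;

/* Mirrors vs_crel(): the tail pointer is derived from the head pointer with
 * no check that the map exists. With hmap == NULL, UBSan reports
 * "applying non-zero offset to null pointer" at the '+'. */
int map_resize_unchecked(screen_t *sp, long count)
{
    sp->t_rows = count;
    if (sp->t_rows > sp->rows - 1)
        sp->t_rows = sp->rows - 1;
    sp->tmap = sp->hmap + (sp->t_rows - 1);   /* UB when hmap is NULL */
    return 0;
}

/* Checked form: keep the row bookkeeping, but never derive a pointer from a
 * map that is not allocated; -1 tells the caller to redo the remap once the
 * screen is up. */
int map_resize(screen_t *sp, long count)
{
    sp->t_rows = count;
    if (sp->t_rows > sp->rows - 1)
        sp->t_rows = sp->rows - 1;
    if (sp->hmap == NULL || sp->t_rows < 1)
        return -1;
    sp->tmap = sp->hmap + (sp->t_rows - 1);
    return 0;
}

/* Mirrors log_line(): grow the buffer and copy the record through the state
 * pointer. With lp == NULL every lp-> is "member access within null pointer"
 * under -fsanitize=null, and a plain crash without the sanitizer. */
int log_append_unchecked(log_state_t *lp, const unsigned char *rec, size_t len)
{
    if (lp->l_len < len) {                        /* UB when lp is NULL */
        unsigned char *nb = realloc(lp->l_lp, len);
        if (nb == NULL)
            return 1;
        lp->l_lp = nb;
        lp->l_len = len;
    }
    memcpy(lp->l_lp, rec, len);
    lp->l_cur++;
    return 0;
}

/* Checked form: a missing log is a legitimate state (for example a read-only
 * view), so report a failed append instead of dereferencing NULL. */
int log_append(log_state_t *lp, const unsigned char *rec, size_t len)
{
    if (lp == NULL || rec == NULL)
        return 1;
    return log_append_unchecked(lp, rec, len);
}

int main(void)
{
    screen_t sc = { .hmap = NULL, .tmap = NULL, .rows = 24, .t_rows = 0 };
    log_state_t *no_log = NULL;                    /* constructed: no log open */
    static const unsigned char rec[] = "constructed log record";

    /* Before the screen exists, the checked calls fail cleanly. */
    printf("map_resize on empty map: %d\n", map_resize(&sc, 10));
    printf("log_append with no log:  %d\n", log_append(no_log, rec, sizeof rec));

#ifdef TRIGGER_UBSAN
    /* Both of these are undefined behaviour; with -fsanitize=undefined they
     * produce the same two diagnostics seen in the nvi session. */
    map_resize_unchecked(&sc, 10);
    log_append_unchecked(no_log, rec, sizeof rec);
#endif

    /* Once the map is allocated the same call succeeds. */
    sc.hmap = calloc((size_t)sc.rows, sizeof *sc.hmap);
    if (sc.hmap == NULL)
        return 1;
    map_resize(&sc, 10);
    printf("tmap is entry %ld of the map\n", (long)(sc.tmap - sc.hmap));
    free(sc.hmap);
    return 0;
}
```

The point of the checked forms is that the callers in both backtraces already have an error path (vs_crel() returns an int, log_line() returns 1 on failure through BINC_RETC), so the fix is to take that path when the state is absent rather than to special-case the sanitizer.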