Re: Report 2 UBSan bugs found by an automatic tool
From: Bernhard Voelker
Subject: Re: Report 2 UBSan bugs found by an automatic tool
Date: Sat, 3 Jul 2021 17:50:20 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
Hi James,
On 6/30/21 7:23 PM, He Jingxuan wrote:
> Dear findutils developers,
>
> We tested findutils with an automatic tool (based on the symbolic execution
> tool KLEE). 5 test cases triggering UBSan errors were generated. We manually
> checked those test cases and filtered out benign cases. Finally, we
> identified and report 2 cases that could trigger bugs. Below is the
> information for reproducing the bugs.
>
> - findutils version: 4.7.0
> - operating system: Ubuntu 16.04.7
> - compiler: clang version 6.0.0-1ubuntu2~16.04.1 (tags/RELEASE_600/final)
> - compilation commands:
> mkdir obj
> cd obj
> CC=clang CFLAGS="-g -O1 -Xclang -disable-llvm-passes -D__NO_STRING_INLINES
> -D_FORTIFY_SOURCE=0 -U__OPTIMIZE__ -fsanitize=signed-integer-overflow
> -fsanitize=unsigned-integer-overflow -fsanitize=shift -fsanitize=bounds
> -fsanitize=pointer-overflow -fsanitize=null" ../configure --disable-nls
> --disable-largefile --disable-threads --without-selinux
> make
> - inputs: the attached file contains the input file A of the second bug.
Both issues are in CBO code - find's cost-based-optimizer:
> bug 1 command: find -H - -delete
> relevant error message: ../../find/tree.c:538:23: runtime error: member
> access within null pointer of type 'struct predicate'
This is in consider_arm_swap().
> bug 2 command: find -H -neweraa A
> relevant error message: ../../find/parser.c:698:48: runtime error: signed
> integer overflow: 1624986826 - -9223372036854775808 cannot be represented in
> type 'long'
> Note: I think this bug depends on the timestamp and is triggered only
> sometimes.
This is in estimate_timestamp_success_rate().
Although I think the first one is a false positive, because the code always
ensures that the left arm is filled - and considering the other open bugs
related to CBO - maybe it's time to remove that code?
WDYT?
Have a nice day,
Berny
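The second report is a plain signed-overflow pattern: an "age" is computed as the current time minus a reference timestamp, and the reference happens to be LONG_MIN, so `now - ref` cannot be represented in `long`. The block below is an added illustration, not findutils' code: `safe_sub_long` is a portable pre-check for `a - b` that avoids the undefined behaviour, and `estimate_newer_success_rate` is a hypothetical stand-in for a cost-based heuristic like the one in parser.c that saturates the age instead of overflowing. The heuristic's thresholds and return values are assumptions chosen for the example, and the timestamps used are the ones from the UBSan message.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Overflow-checked a - b for long. Returns false (and leaves *out untouched)
 * when the mathematical result does not fit in long, which is exactly the
 * case UBSan reported for 1624986826 - LONG_MIN. Portable C, no builtins. */
static bool safe_sub_long(long a, long b, long *out)
{
    if ((b < 0 && a > LONG_MAX + b) ||   /* a - b > LONG_MAX */
        (b > 0 && a < LONG_MIN + b))     /* a - b < LONG_MIN */
        return false;
    *out = a - b;
    return true;
}

/* Hypothetical success-rate heuristic (assumption, not findutils' code):
 * a reference time far in the past means most files are newer than it, so a
 * "-newer"-style test is likely to succeed. Returns a probability in [0, 1].
 * When the subtraction would overflow, the age is saturated rather than
 * computed with undefined behaviour. */
static double estimate_newer_success_rate(long now, long ref)
{
    long age;
    if (!safe_sub_long(now, ref, &age))
        age = (ref < 0) ? LONG_MAX : LONG_MIN;   /* saturate, no UB */

    if (age <= 0)
        return 0.0;                      /* reference in the future: nothing newer */
    if (age >= 365L * 86400L)
        return 0.9;                      /* older than a year: nearly everything newer */
    return 0.9 * (double)age / (365.0 * 86400.0);
}

int main(void)
{
    const long now = 1624986826L;        /* value from the UBSan message */
    long age;

    if (!safe_sub_long(now, LONG_MIN, &age))
        printf("now - LONG_MIN does not fit in long; saturating\n");

    printf("rate(ref = LONG_MIN)   = %.2f\n", estimate_newer_success_rate(now, LONG_MIN));
    printf("rate(ref = 1 day ago)  = %.2f\n", estimate_newer_success_rate(now, now - 86400L));
    printf("rate(ref = in future)  = %.2f\n", estimate_newer_success_rate(now, now + 10L));
    return 0;
}
```

Built with `-fsanitize=signed-integer-overflow`, the saturating version stays silent where the unchecked `now - ref` trips the sanitizer; the check costs two comparisons and is independent of the width of `long`.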