GNU bug report logs -
#49300
Report 3 UBSan integer related errors found by an automatic tool
Report forwarded to bug-coreutils <at> gnu.org: bug#49300; Package coreutils. (Wed, 30 Jun 2021 18:22:01 GMT)
Acknowledgement sent to "He Jingxuan" <jingxuan.he <at> inf.ethz.ch>: New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Wed, 30 Jun 2021 18:22:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Dear coreutils developers,
We tested coreutils with an automatic tool (based on the symbolic execution tool KLEE). A number of test cases triggering UBSan integer-related errors were generated. We manually checked those test cases and filtered out benign cases. Finally, we identified and now report 3 cases that could trigger bugs. Below is the information for reproducing the bugs.
- coreutils version: 8.31
- operating system: Ubuntu 16.04.7
- compiler: 6.0.0-1ubuntu2~16.04.1 (tags/RELEASE_600/final)
- compilation commands:
mkdir obj
cd obj
CC=clang CFLAGS="-g -O1 -Xclang -disable-llvm-passes -D__NO_STRING_INLINES -D_FORTIFY_SOURCE=0 -U__OPTIMIZE__ -fsanitize=signed-integer-overflow -fsanitize=unsigned-integer-overflow -fsanitize=shift -fsanitize=bounds -fsanitize=pointer-overflow -fsanitize=null" ../configure --disable-nls
make
- inputs: please download the attached bug triggering inputs basenc1.stdin and basenc2.stdin
bug1: basenc
command: cat basenc1.stdin | basenc --z -
relevant error message: ../src/basenc.c:635:25: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'
bug2: basenc
command: cat basenc2.stdin | basenc --z - -d
relevant error message: ../src/basenc.c:770:18: runtime error: signed integer overflow: 41760500 * 85 cannot be represented in type 'int'
bug3: seq
command: seq 3 1 1.
relevant error message: ../src/seq.c:185:21: runtime error: unsigned integer overflow: 2 + 18446744073709551615 cannot be represented in type 'unsigned long'
Best,
Jingxuan
[basenc1.stdin (application/octet-stream, attachment)]
[basenc2.stdin (application/octet-stream, attachment)]
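The two basenc diagnostics above both come from the arithmetic that Z85 (ZeroMQ RFC 32) needs: packing four bytes into a 32-bit word before encoding, and accumulating value * 85 + digit while decoding. The following C is an added example written for this page, not basenc's code and not part of the report; it shows the overflow-prone int form beside a form that keeps every intermediate in an unsigned or 64-bit type and rejects 5-digit groups that do not fit in 32 bits. The function names are this example's own, and the "HelloWorld" vector used in main() is the RFC 32 test vector, embedded here as constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Z85 alphabet from ZeroMQ RFC 32: 85 digits, indices 0..84. */
static const char Z85_ALPHABET[] =
    "0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#";

/* Index of c in the alphabet, or -1 if c is not a Z85 digit. */
static int z85_index(char c)
{
    const char *p = c ? strchr(Z85_ALPHABET, c) : NULL;
    return p ? (int)(p - Z85_ALPHABET) : -1;
}

/* Overflow-prone form, kept only for contrast and never called below:
   b[0] promotes to int, so for b[0] >= 128 the shift by 24 reaches the
   sign bit. That is undefined behaviour, and it is what -fsanitize=shift
   reports as "left shift of 128 by 24 places cannot be represented in
   type 'int'". (Hypothetical illustration, not basenc's code.) */
int pack_be32_int(const unsigned char *b)
{
    return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
}

/* Hardened form: widen each byte to uint32_t before shifting. */
uint32_t pack_be32(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
         | ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Encode len bytes (len must be a multiple of 4) as 5*len/4 Z85 digits
   followed by a NUL. Returns the digit count, or 0 for a bad length. */
size_t z85_encode(const unsigned char *in, size_t len, char *out)
{
    if (len % 4 != 0)
        return 0;
    size_t n = 0;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t value = pack_be32(in + i);
        uint32_t divisor = 85u * 85u * 85u * 85u;   /* 85^4 = 52200625 */
        for (int k = 0; k < 5; k++) {
            out[n++] = Z85_ALPHABET[(value / divisor) % 85];
            divisor /= 85;
        }
    }
    out[n] = '\0';
    return n;
}

/* Decode len Z85 digits (len must be a multiple of 5) into 4*len/5 bytes.
   Returns 0 on success, -1 on a bad length, a non-alphabet digit, or a
   5-digit group whose value exceeds 32 bits. The accumulator is 64-bit
   on purpose: value * 85 + digit can reach 85^5 - 1 = 4437053124, which
   overflows int (the report's 41760500 * 85 = 3549642500 already does)
   and even wraps a uint32_t on malformed input such as "#####". */
int z85_decode(const char *in, size_t len, unsigned char *out, size_t *outlen)
{
    if (len % 5 != 0)
        return -1;
    size_t n = 0;
    for (size_t i = 0; i < len; i += 5) {
        uint64_t value = 0;
        for (int k = 0; k < 5; k++) {
            int d = z85_index(in[i + k]);
            if (d < 0)
                return -1;
            value = value * 85 + (uint64_t)d;
        }
        if (value > UINT32_MAX)
            return -1;              /* would have wrapped in 32 bits */
        out[n++] = (unsigned char)(value >> 24);
        out[n++] = (unsigned char)(value >> 16);
        out[n++] = (unsigned char)(value >> 8);
        out[n++] = (unsigned char)value;
    }
    *outlen = n;
    return 0;
}

int main(void)
{
    /* Constructed input: the RFC 32 test vector; note bytes[0] = 0x86 >= 128,
       exactly the case where the int form above would shift into the sign bit. */
    const unsigned char bytes[8] = {0x86, 0x4F, 0xD2, 0x6F, 0xB5, 0x59, 0xF7, 0x5B};
    char text[11];
    unsigned char back[8];
    size_t backlen = 0;
    z85_encode(bytes, sizeof bytes, text);
    printf("encoded: %s\n", text);
    printf("round trip ok: %d\n", z85_decode(text, 10, back, &backlen) == 0
                                  && memcmp(back, bytes, 8) == 0);
    printf("\"#####\" rejected: %d\n", z85_decode("#####", 5, back, &backlen) == -1);
    return 0;
}
```

The point of the 64-bit accumulator plus the explicit `> UINT32_MAX` check is that switching the decoder from int to uint32_t alone would turn the undefined signed overflow into a silent, well-defined wrap on hostile input; the decoder should refuse such groups rather than produce bytes from a truncated value.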
Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>: You have taken responsibility. (Wed, 30 Jun 2021 20:07:01 GMT)
Notification sent to "He Jingxuan" <jingxuan.he <at> inf.ethz.ch>: bug acknowledged by developer. (Wed, 30 Jun 2021 20:07:02 GMT)
Message #10 received at 49300-done <at> debbugs.gnu.org (full text, mbox):
On 6/30/21 10:07 AM, He Jingxuan wrote:
> bug1: basenc
> command: cat basenc1.stdin | basenc --z -
> relevant error message: ../src/basenc.c:635:25: runtime error: left shift of 128 by 24 places cannot be represented in type 'int'
>
> bug2: basenc
> command: cat basenc2.stdin | basenc --z - -d
> relevant error message: ../src/basenc.c:770:18: runtime error: signed integer overflow: 41760500 * 85 cannot be represented in type 'int'
These two bugs were fixed in coreutils 8.32; please try that instead.
> bug3: seq
> command: seq 3 1 1.
> relevant error message: ../src/seq.c:185:21: runtime error: unsigned integer overflow: 2 + 18446744073709551615 cannot be represented in type 'unsigned long'
This diagnostic is a false alarm. It is complaining about this statement:
ret.width += (fraction_len == 0
? -1
: (decimal_point == arg
|| ! ISDIGIT (decimal_point[-1])));
where ret.width (of type size_t) is 2. But (size_t) 2 + (int) -1 has
well-defined behavior in C: in the normal case where size_t does not
promote to int, it is equivalent to (size_t) 2 + (size_t) -1, and this
must equal 1. And in the hypothetical case where size_t promotes to int,
it is equivalent to (int) 2 + (int) -1 which also must equal 1. So there
is no error here.
That being said, coreutils uses size_t too often; it should use idx_t
(from Gnulib) to avoid common mistakes when using unsigned values. I'll
add that to my list of things to do.
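To make the false alarm concrete, here is an added C example (written for this page, not coreutils or Gnulib code) that evaluates the seq.c statement quoted in the reply in both forms: with a size_t width, where the int -1 converts to SIZE_MAX and the sum wraps to width - 1 exactly as explained above, and with a signed ptrdiff_t width, the type behind Gnulib's idx_t. A second pair of functions shows the kind of mistake the signed type makes visible: a subtraction that goes below zero is a huge size_t but a checkable -1 as ptrdiff_t. The function names and parameter names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The seq.c statement with width as size_t. The conditional expression
   has type int (-1, 0 or 1); adding it to a size_t converts it to size_t
   first, so -1 becomes SIZE_MAX and width + SIZE_MAX wraps to width - 1.
   Unsigned wraparound is defined by C, which is why the UBSan message
   "2 + 18446744073709551615 cannot be represented" is not a real bug,
   although -fsanitize=unsigned-integer-overflow flags the wrap anyway. */
size_t width_adjust_size_t(size_t width, size_t fraction_len,
                           bool at_arg_start, bool prev_is_digit)
{
    width += (fraction_len == 0
              ? -1
              : (at_arg_start || !prev_is_digit));
    return width;
}

/* The same statement with a signed width, as Gnulib's idx_t (a ptrdiff_t)
   would give. No conversion of -1 takes place and nothing wraps; a genuine
   overflow here would be undefined behaviour and a true positive for
   -fsanitize=signed-integer-overflow. */
ptrdiff_t width_adjust_idx(ptrdiff_t width, ptrdiff_t fraction_len,
                           bool at_arg_start, bool prev_is_digit)
{
    width += (fraction_len == 0
              ? -1
              : (at_arg_start || !prev_is_digit));
    return width;
}

/* The hazard behind "coreutils uses size_t too often": a difference that
   is expected to be small. With size_t a result below zero silently becomes
   a huge count that a later bounds check or allocation will happily accept;
   with ptrdiff_t it is -1 and a plain `< 0` test catches it. */
size_t gap_size_t(size_t end, size_t start) { return end - start; }
ptrdiff_t gap_idx(ptrdiff_t end, ptrdiff_t start) { return end - start; }
bool gap_is_sane(ptrdiff_t end, ptrdiff_t start) { return gap_idx(end, start) >= 0; }

int main(void)
{
    printf("size_t: 2 + -1 = %zu\n", width_adjust_size_t(2, 0, false, true));
    printf("idx_t : 2 + -1 = %td\n", width_adjust_idx(2, 0, false, true));
    printf("gap_size_t(1, 2) = %zu\n", gap_size_t(1, 2));
    printf("gap_idx(1, 2)    = %td (sane: %d)\n", gap_idx(1, 2), gap_is_sane(1, 2));
    return 0;
}
```

Building this with the report's `-fsanitize=unsigned-integer-overflow` flag would report the first call even though every result is correct, which is the practical reason that flag is an opt-in heuristic rather than part of `-fsanitize=undefined`; with a signed index type the sanitizer only fires on arithmetic that is actually wrong.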
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 29 Jul 2021 11:24:03 GMT)