ENHANCE: Avoid UBSAN errors #1289
Conversation
index -1 out of bounds for type 'definition_ref[7]'
index -1 out of bounds for type 'definition_ref[7]'
addition of unsigned offset to 0x7f6d6eb33000 overflowed to 0x7f6d6eb32fff
applying non-zero offset 64 to null pointer
applying non-zero offset 8864 to null pointer (from incrementing NULL with ++)
index -1 out of bounds for type 'definition_ref[7]'
member access within null pointer of type 'struct clause'
applying non-zero offset 64 to null pointer
member access within null pointer of type 'var_table'
member access within null pointer of type 'struct bit_vector'
|
The above mentioned issue is here, #1290 |
If stack->top is NULL, switch to else branch
If stack->top is NULL, switch to ":" branch
|
I think the remaining problems have been solved with the last two commits. |
|
Hmm. Except for pl-unzip.c, most of this makes the code uglier without giving a lot of benefits. We could probably avoid some/all of the offset warnings by using the standard |
|
Do we really want to avoid the I agree that some of the workarounds are not pretty, but having code that passes UB checks is a good thing in itself. And I mean,
is not that ugly, or is it? |
|
Updated the comment after having pressed "submit" too quickly. |
Well, it is hard to explain and I'd probably change the code back when scanning the code later ... More seriously, it is just as "buggy", but just hides it a level deeper such that the current tools do not spot it. The code uses pointers outside an array and the code ensures these pointers used with an offset that gets/sets valid data. That is just a step too complicated for these tools. The question to me is what are we trying to improve and/or who are we trying to satisfy? If that is sufficiently motivated I vote for some macro that captures this assignment which we can document. That avoids people asking themselves what this code is doing. |
Good point indeed.
The usual motivation, the R interface ("rswipl"/"rolog"). They remove the package from CRAN if it's not fixed. |
That is a good reason 😢 Do you think you can fix the offset issues using standard offsetof()? I'm happy to have a look whether I can find something more elegant to this. How do I reproduce this? I thought the code was ubsan-safe after the previous series of changes? |
|
Reproduce with: Unsure if clang is needed, may also work with gcc
IIRC the previous fixes referred to rswipl's own routines. Now it's swipl's own build process. |
I can have a look at it next week |
I understand that offsetof is available since C99, so I don't check for it.
Done. It's a bit less ugly now. |
|
All the work in this PR is handled. clang-18 seems to add some more ubsan issues, among which checking the types for calls over function pointers. This raised a couple of possible portability issues. I fixed some of them, but not yet all. I now have to work on other projects .... Thanks for the work. |
See here: https://www.stats.ox.ac.uk/pub/bdr/memtests/clang-UBSAN/rswipl/rswipl.log
The individual errors are mentioned in the individual commits. Four error messages are still left, these require inspection, I'll open an issue.