UBSAN errors in `pp_hot.c:880 (Perl_pp_multiconcat)` #20678

thesamesam · 2023-01-07T02:06:02Z

Description

Perl crashes when bulit with Undefined Behavior Sanitizer (UBSAN, -fsanitize=undefined) when running aclocal:

$ export UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1"
$ aclocal
pp_hot.c:880:17: runtime error: load of address 0x7ffdeba10fa8 with insufficient space for an object of type 'ssize_t'
0x7ffdeba10fa8: note: pointer points here
 9f 55 00 00  0e 00 00 00 00 00 00 00  60 19 a3 00 9f 55 00 00  8a 51 72 21 ef 7f 00 00  00 00 00 00
              ^
    #0 0x7fef20e39346 in Perl_pp_multiconcat /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/pp_hot.c:880
    #1 0x7fef20e2d628 in Perl_runops_standard /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/run.c:41
    #2 0x7fef20b19887 in Perl_call_sv /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:3057
    #3 0x7fef20b209e0 in Perl_call_list /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:5141
    #4 0x7fef20af7985 in S_process_special_blocks /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:12102
    #5 0x7fef20afc7aa in Perl_newATTRSUB_x /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:12007
    #6 0x7fef20b07543 in Perl_utilize /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:8960
    #7 0x7fef20c2ae7a in Perl_yyparse /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perly.y:370
    #8 0x7fef20b2b911 in S_parse_body /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:2536
    #9 0x7fef20b2b911 in perl_parse /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:1827
    #10 0x559eff4ba1f1 in main /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perlmain.c:109
    #11 0x7fef20369289  (/usr/lib64/libc.so.6+0x23289)
    #12 0x7fef20369344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #13 0x559eff4ba390 in _start (/usr/bin/perl+0x1390)

This is with GCC 13.0.0_pre20230101. Note that GCC 13 isn't yet released, but the only other bug I've hit so far of this type was legitimate (gentoo/elfix#3) and this type of object size check is new in 13.

Steps to Reproduce

Build Perl 5.36 with -fsanitize=undefined using GCC 13.
export UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1"
Run perl -V or aclocal.

Expected behavior
perl -V or aclocal to succeed with no errors.

Perl configuration

# perl -V
pp_hot.c:880:17: runtime error: load of address 0x7fffdc937f18 with insufficient space for an object of type 'ssize_t'
0x7fffdc937f18: note: pointer points here
 86 55 00 00  04 00 00 00 00 00 00 00  a0 e7 34 84 86 55 00 00  00 00 00 00 00 00 00 00  a0 e7 34 84
              ^
    #0 0x7f544d7a4346 in Perl_pp_multiconcat /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/pp_hot.c:880
    #1 0x7f544d798628 in Perl_runops_standard /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/run.c:41
    #2 0x7f544d484887 in Perl_call_sv /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:3057
    #3 0x7f544d48b9e0 in Perl_call_list /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:5141
    #4 0x7f544d462985 in S_process_special_blocks /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:12102
    #5 0x7f544d4677aa in Perl_newATTRSUB_x /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:12007
    #6 0x7f544d472543 in Perl_utilize /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:8960
    #7 0x7f544d595e7a in Perl_yyparse /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perly.y:370
    #8 0x7f544d496911 in S_parse_body /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:2536
    #9 0x7f544d496911 in perl_parse /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:1827
    #10 0x558683c821f1 in main /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perlmain.c:109
    #11 0x7f544ccd4289  (/usr/lib64/libc.so.6+0x23289)
    #12 0x7f544ccd4344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #13 0x558683c82390 in _start (/usr/bin/perl+0x1390)

pp_hot.c:883:17: runtime error: load of address 0x7fffdc937f10 with insufficient space for an object of type 'struct multiconcat_svpv'
0x7fffdc937f10: note: pointer points here
 86 55 00 00  50 29 33 84 86 55 00 00  04 00 00 00 00 00 00 00  a0 e7 34 84 86 55 00 00  00 00 00 00
              ^
    #0 0x7f544d7a4a75 in Perl_pp_multiconcat /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/pp_hot.c:883
    #1 0x7f544d798628 in Perl_runops_standard /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/run.c:41
    #2 0x7f544d484887 in Perl_call_sv /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:3057
    #3 0x7f544d48b9e0 in Perl_call_list /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:5141
    #4 0x7f544d462985 in S_process_special_blocks /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:12102
    #5 0x7f544d4677aa in Perl_newATTRSUB_x /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:12007
    #6 0x7f544d472543 in Perl_utilize /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:8960
    #7 0x7f544d595e7a in Perl_yyparse /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perly.y:370
    #8 0x7f544d496911 in S_parse_body /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:2536
    #9 0x7f544d496911 in perl_parse /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:1827
    #10 0x558683c821f1 in main /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perlmain.c:109
    #11 0x7f544ccd4289  (/usr/lib64/libc.so.6+0x23289)
    #12 0x7f544ccd4344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #13 0x558683c82390 in _start (/usr/bin/perl+0x1390)

Summary of my perl5 (revision 5 version 36 subversion 0) configuration:

  Platform:
    osname=linux
    osvers=5.15.86-gentoo-dist-hardened
    archname=x86_64-linux
    uname='linux localhost 5.15.86-gentoo-dist-hardened #1 smp sun jan 1 23:14:27 gmt 2023 x86_64 amd ryzen 9 3950x 16-core processor authenticamd gnulinux '
    config_args='-des -Dinstallprefix=/usr -Dinstallusrbinperl=n -Ui_xlocale -Di_ndbm -Di_gdbm -Di_db -DDEBUGGING=-g -Dlibpth=/usr/local/lib64 /lib64 /usr/lib64 -Dnoextensions=ODBM_File -Duseshrplib -Darchname=x86_64-linux -Dcc=x86_64-pc-linux-gnu-gcc -Dar=x86_64-pc-linux-gnu-ar -Dnm=x86_64-pc-linux-gnu-nm -Dcpp=x86_64-pc-linux-gnu-gcc -E -Dranlib=x86_64-pc-linux-gnu-ranlib -Accflags=-O2 -pipe -ggdb3 -fdiagnostics-color=always -frecord-gcc-switches -fsanitize=undefined -Werror=implicit-function-declaration -Werror=implicit-int -fno-strict-aliasing -Doptimize=-O2 -pipe -ggdb3 -fdiagnostics-color=always -frecord-gcc-switches -fsanitize=undefined -Werror=implicit-function-declaration -Werror=implicit-int -fno-strict-aliasing -Dldflags=-Wl,-O1 -Wl,--as-needed -fsanitize=undefined -Wl,--defsym=__gentoo_check_ldflags__=0 -Dprefix=/usr -Dsiteprefix=/usr/local -Dvendorprefix=/usr -Dscriptdir=/usr/bin -Dprivlib=/usr/lib64/perl5/5.36 -Darchlib=/usr/lib64/perl5/5.36/x86_64-linux -Dsitelib=/usr/local/lib64/perl5/5.36 -Dsitearch=/usr/local/lib64/perl5/5.36/x86_64-linux -Dvendorlib=/usr/lib64/perl5/vendor_perl/5.36 -Dvendorarch=/usr/lib64/perl5/vendor_perl/5.36/x86_64-linux -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dvendorman1dir=/usr/share/man/man1 -Dvendorman3dir=/usr/share/man/man3 -Dman1ext=1 -Dman3ext=3pm -Dlibperl=libperl.so.5.36.0 -Dlocincpth=/usr/include  -Dglibpth=/lib64 /usr/lib64  -Duselargefiles -Dd_semctl_semun -Dcf_by=Gentoo -Dmyhostname=localhost -Dperladmin=root@localhost -Ud_csh -Dsh=/bin/sh -Dtargetsh=/bin/sh -Uusenm'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
  Compiler:
    cc='x86_64-pc-linux-gnu-gcc'
    ccflags ='-O2 -pipe -ggdb3 -fdiagnostics-color=always -frecord-gcc-switches -fsanitize=undefined -Werror=implicit-function-declaration -Werror=implicit-int -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    optimize='-O2 -pipe -ggdb3 -fdiagnostics-color=always -frecord-gcc-switches -fsanitize=undefined -Werror=implicit-function-declaration -Werror=implicit-int -fno-strict-aliasing'
    cppflags='-O2 -pipe -ggdb3 -fdiagnostics-color=always -frecord-gcc-switches -fsanitize=undefined -Werror=implicit-function-declaration -Werror=implicit-int -fno-strict-aliasing'
    ccversion=''
    gccversion='13.0.0 20230101 (experimental)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='x86_64-pc-linux-gnu-gcc'
    ldflags ='-Wl,-O1 -Wl,--as-needed -fsanitize=undefined -Wl,--defsym=__gentoo_check_ldflags__=0'
    libpth=/usr/local/lib64 /lib64 /usr/lib64 /usr/lib
    libs=-lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-ldl -lm -lcrypt -lutil -lc
    libc=/lib/../lib64/libc.so.6
    so=so
    useshrplib=true
    libperl=libperl.so.5.36.0
    gnulibc_version='2.36'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O2 -pipe -ggdb3 -fdiagnostics-color=always -frecord-gcc-switches -fsanitize=undefined -Werror=implicit-function-declaration -Werror=implicit-int -fno-strict-aliasing -Wl,-O1 -Wl,--as-needed -fsanitize=undefined -Wl,--defsym=__gentoo_check_ldflags__=0'


Characteristics of this binary (from libperl):
  Compile-time options:
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
  Locally applied patches:
    0001-Fix-hpux-hints.patch
    - Fix hpux hints
    0002-aix-gcc-detection-and-shared-library-soname-support.patch
    - aix gcc detection and shared library soname support
    0003-cpan-ExtUtils-MakeMaker-drop-PORTAGE_TMPDIR-from-LD_.patch
    - cpan/ExtUtils-MakeMaker: drop $PORTAGE_TMPDIR from LD_RUN_PATH
    - Bug: https://bugs.gentoo.org/105054
    0004-Remove-rpath-and-append-LDFLAGS-to-lddlflags.patch
    - Remove -rpath and append LDFLAGS to lddlflags
    0005-Add-headers-for-opensolaris.patch
    - Add headers for opensolaris
    0006-List-packaged-patches-in-patchlevel.h.patch
    - List packaged patches for perl-5.36.0-r1(perl-5.36.0-patches-1) in patchlevel.h
    - Bug: https://bugs.debian.org/567489
    0007-Cleanup-PATH-and-shrpenv.patch
    - Cleanup PATH and shrpenv
    0008-Tweak-enc2xs-to-follow-symlinks-and-ignore-missing-I.patch
    - Tweak enc2xs to follow symlinks and ignore missing @INC directories.
    - Bug: https://bugs.debian.org/290336
    0009-darwin-Use-CC-to-link.patch
    - darwin: Use $CC to link
    - Bug: https://bugs.gentoo.org/297751
    0010-Provide-a-sensible-INSTALLDIRS-default-for-modules-i.patch
    - Provide a sensible INSTALLDIRS default for modules installed from CPAN.
    0011-Fix-interix-hints.patch
    - Fix interix hints
    0012-Set-libperl-soname.patch
    - Set libperl soname
    - Bug: https://bugs.gentoo.org/286840
    0013-Add-etc-perl-to-INC.patch
    - Add /etc/perl to @INC
    0014-cpan-ExtUtils-MakeMaker-remove-targets-that-generate.patch
    - cpan/ExtUtils-MakeMaker: remove targets that generate perllocal.pod
    0015-Don-t-force-fstack-protector-on-everyone.patch
    - Don't force -fstack-protector on everyone
    - Bug: https://bugs.gentoo.org/348557
    0016-Do-not-set-custom-CFLAGS-in-cpan-Digest-SHA.patch
    - Do not set custom CFLAGS in cpan/Digest-SHA
    - Bug: https://bugs.gentoo.org/506818
    0017-Configure-Don-t-include-sources-in-usr-local-for-com.patch
    - Configure: Don't include sources in /usr/local/ for compiling perl
    0018-cpan-IO-Socket-IP-Disable-network-tests.patch
    - cpan/IO-Socket-IP: Disable network tests
    0019-Fix-EUMM-podlocal-tests.patch
    - Fix EUMM podlocal tests
    0020-Skip-auto-linking-nsl-and-cl.patch
    - Skip auto-linking nsl and cl
    - Bug: https://rt.perl.org/Public/Bug/Display.html?id=13148
    0021-Disable-porting-tests-which-create-fun-false-failure.patch
    - Disable porting tests which create fun false-failures all over travis
    0022-Disable-PathTools-tests-which-fails-under-sandboxing.patch
    - Disable PathTools tests which fails under sandboxing
    - Bug: https://bugs.gentoo.org/645084
    0023-Fix-CPAN-FirstTime-defaults-with-nonexisting-site-di.patch
    - Fix CPAN::FirstTime defaults with nonexisting site dirs if a parent is writable
    - Bug: https://bugs.debian.org/688842
    0024-Pass-LD-settings-through-to-subdirectories.patch
    - Pass LD settings through to subdirectories
    - Bug: https://bugs.debian.org/758471
    0025-Memoize-Storable-respect-nstore-option-not-respected.patch
    - Memoize::Storable: respect 'nstore' option not respected
    - Bug: https://bugs.debian.org/587650
    - Bug: https://rt.cpan.org/Public/Bug/Display.html?id=77790
    0026-Better-errors-for-man-pages-from-standard-input.patch
    - Better errors for man pages from standard input
    - Bug: https://bugs.debian.org/777405
    0027-Respect-umask-during-installation.patch
    - Respect umask during installation
    0028-Document-that-CCFLAGS-should-include-Config-ccflags.patch
    - Document that CCFLAGS should include $Config{ccflags}
    - Bug: https://bugs.debian.org/628522
    - Bug: https://rt.cpan.org/Public/Bug/Display.html?id=68613
    0029-Fix-parallel-building.patch
    - Fix parallel building
    0030-Add-support-for-Dgentoolibdirs.patch
    - Add support for -Dgentoolibdirs
  Built under linux
  Compiled at Jan  6 2023 04:07:15
  @INC:
    /etc/perl
    /usr/local/lib64/perl5/5.36/x86_64-linux
    /usr/local/lib64/perl5/5.36
    /usr/lib64/perl5/vendor_perl/5.36/x86_64-linux
    /usr/lib64/perl5/vendor_perl/5.36
    /usr/lib64/perl5/5.36/x86_64-linux
    /usr/lib64/perl5/5.36

The text was updated successfully, but these errors were encountered:

thesamesam · 2023-01-07T02:16:56Z

I'm happy to revisit this once GCC 13 is released if you'd prefer.

if I build Perl from master at 244f1aa, I get the same thing during the build but also when running make check:

# ./configure.gnu -Dusedevel -Accflags="-O2 -fsanitize=undefined -ggdb3" -Aldflags="-fsanitize=undefined -ggdb3" && make -j32
# make check
./miniperl -Ilib make_ext.pl cpan/Archive-Tar/pm_to_blib  MAKE="make" LIBPERL_A=libperl.a
pp_hot.c:976:17: runtime error: load of address 0x7ffc66cbb758 with insufficient space for an object of type 'ssize_t'
0x7ffc66cbb758: note: pointer points here
 7e 55 00 00  04 00 00 00 00 00 00 00  f8 5e 1d f9 7e 55 00 00  00 0e 86 08 e0 1b 72 02  58 5f 1d f9
              ^
    #0 0x557ef7a4beab in Perl_pp_multiconcat /opt/experiments/perl5/pp_hot.c:976
    #1 0x557ef7a3fd30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #2 0x557ef76ae43a in Perl_call_sv /opt/experiments/perl5/perl.c:3143
    #3 0x557ef76b4f44 in Perl_call_list /opt/experiments/perl5/perl.c:5217
    #4 0x557ef76567b9 in S_process_special_blocks /opt/experiments/perl5/op.c:11039
    #5 0x557ef76946c7 in Perl_newATTRSUB_x /opt/experiments/perl5/op.c:10876
    #6 0x557ef76901b1 in Perl_utilize /opt/experiments/perl5/op.c:7779
    #7 0x557ef77b88ee in Perl_yyparse /opt/experiments/perl5/perly.y:404
    #8 0x557ef76bf7f7 in S_parse_body /opt/experiments/perl5/perl.c:2614
    #9 0x557ef76bf7f7 in perl_parse /opt/experiments/perl5/perl.c:1923
    #10 0x557ef76236be in main /opt/experiments/perl5/miniperlmain.c:112
    #11 0x7f1ace4a2289  (/usr/lib64/libc.so.6+0x23289)
    #12 0x7f1ace4a2344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #13 0x557ef7623870 in _start (/opt/experiments/perl5/miniperl+0x524870)

pp_hot.c:979:17: runtime error: load of address 0x7ffc66cbb750 with insufficient space for an object of type 'struct multiconcat_svpv'
0x7ffc66cbb750: note: pointer points here
 7e 55 00 00  70 fa 19 f9 7e 55 00 00  04 00 00 00 00 00 00 00  f8 5e 1d f9 7e 55 00 00  00 0e 86 08
              ^
    #0 0x557ef7a4bf18 in Perl_pp_multiconcat /opt/experiments/perl5/pp_hot.c:979
    #1 0x557ef7a3fd30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #2 0x557ef76ae43a in Perl_call_sv /opt/experiments/perl5/perl.c:3143
    #3 0x557ef76b4f44 in Perl_call_list /opt/experiments/perl5/perl.c:5217
    #4 0x557ef76567b9 in S_process_special_blocks /opt/experiments/perl5/op.c:11039
    #5 0x557ef76946c7 in Perl_newATTRSUB_x /opt/experiments/perl5/op.c:10876
    #6 0x557ef76901b1 in Perl_utilize /opt/experiments/perl5/op.c:7779
    #7 0x557ef77b88ee in Perl_yyparse /opt/experiments/perl5/perly.y:404
    #8 0x557ef76bf7f7 in S_parse_body /opt/experiments/perl5/perl.c:2614
    #9 0x557ef76bf7f7 in perl_parse /opt/experiments/perl5/perl.c:1923
    #10 0x557ef76236be in main /opt/experiments/perl5/miniperlmain.c:112
    #11 0x7f1ace4a2289  (/usr/lib64/libc.so.6+0x23289)
    #12 0x7f1ace4a2344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #13 0x557ef7623870 in _start (/opt/experiments/perl5/miniperl+0x524870)

pp_hot.c:984:29: runtime error: load of address 0x7ffc66cba7b0 with insufficient space for an object of type 'struct multiconcat_svpv'
0x7ffc66cba7b0: note: pointer points here
 00 00 00 00  00 00 00 00 00 00 00 00  fd ff ff ff ff ff ff ff  00 00 00 00 00 00 00 00  90 e2 1c f9
              ^
    #0 0x557ef7a4ab40 in Perl_pp_multiconcat /opt/experiments/perl5/pp_hot.c:984
    #1 0x557ef7a3fd30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #2 0x557ef76ae43a in Perl_call_sv /opt/experiments/perl5/perl.c:3143
    #3 0x557ef76b4f44 in Perl_call_list /opt/experiments/perl5/perl.c:5217
    #4 0x557ef76567b9 in S_process_special_blocks /opt/experiments/perl5/op.c:11039
    #5 0x557ef76946c7 in Perl_newATTRSUB_x /opt/experiments/perl5/op.c:10876
    #6 0x557ef76901b1 in Perl_utilize /opt/experiments/perl5/op.c:7779
    #7 0x557ef77b88ee in Perl_yyparse /opt/experiments/perl5/perly.y:404
    #8 0x557ef7b703e9 in S_doeval_compile /opt/experiments/perl5/pp_ctl.c:3794
    #9 0x557ef7b75ba5 in S_require_file /opt/experiments/perl5/pp_ctl.c:4825
    #10 0x557ef7b75ba5 in Perl_pp_require /opt/experiments/perl5/pp_ctl.c:4857
    #11 0x557ef7b75ba5 in Perl_pp_require /opt/experiments/perl5/pp_ctl.c:4838
    #12 0x557ef7a3fd30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #13 0x557ef76ae43a in Perl_call_sv /opt/experiments/perl5/perl.c:3143
    #14 0x557ef76b4f44 in Perl_call_list /opt/experiments/perl5/perl.c:5217
    #15 0x557ef76567b9 in S_process_special_blocks /opt/experiments/perl5/op.c:11039
    #16 0x557ef76946c7 in Perl_newATTRSUB_x /opt/experiments/perl5/op.c:10876
    #17 0x557ef76901b1 in Perl_utilize /opt/experiments/perl5/op.c:7779
    #18 0x557ef77b88ee in Perl_yyparse /opt/experiments/perl5/perly.y:404
    #19 0x557ef7b703e9 in S_doeval_compile /opt/experiments/perl5/pp_ctl.c:3794
    #20 0x557ef7b75ba5 in S_require_file /opt/experiments/perl5/pp_ctl.c:4825
    #21 0x557ef7b75ba5 in Perl_pp_require /opt/experiments/perl5/pp_ctl.c:4857
    #22 0x557ef7b75ba5 in Perl_pp_require /opt/experiments/perl5/pp_ctl.c:4838
    #23 0x557ef7a3fd30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #24 0x557ef76ae43a in Perl_call_sv /opt/experiments/perl5/perl.c:3143
    #25 0x557ef76b4f44 in Perl_call_list /opt/experiments/perl5/perl.c:5217
    #26 0x557ef76567b9 in S_process_special_blocks /opt/experiments/perl5/op.c:11039
    #27 0x557ef76946c7 in Perl_newATTRSUB_x /opt/experiments/perl5/op.c:10876
    #28 0x557ef76901b1 in Perl_utilize /opt/experiments/perl5/op.c:7779
    #29 0x557ef77b88ee in Perl_yyparse /opt/experiments/perl5/perly.y:404
    #30 0x557ef7b703e9 in S_doeval_compile /opt/experiments/perl5/pp_ctl.c:3794
    #31 0x557ef7b75ba5 in S_require_file /opt/experiments/perl5/pp_ctl.c:4825
    #32 0x557ef7b75ba5 in Perl_pp_require /opt/experiments/perl5/pp_ctl.c:4857
    #33 0x557ef7b75ba5 in Perl_pp_require /opt/experiments/perl5/pp_ctl.c:4838
    #34 0x557ef7a3fd30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #35 0x557ef76c31b1 in S_run_body /opt/experiments/perl5/perl.c:2807
    #36 0x557ef76c31b1 in perl_run /opt/experiments/perl5/perl.c:2722
    #37 0x557ef7623801 in main /opt/experiments/perl5/miniperlmain.c:133
    #38 0x7f1ace4a2289  (/usr/lib64/libc.so.6+0x23289)
    #39 0x7f1ace4a2344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #40 0x557ef7623870 in _start (/opt/experiments/perl5/miniperl+0x524870)

make[1]: Entering directory '/opt/experiments/perl5/cpan/Archive-Tar'
make[1]: Leaving directory '/opt/experiments/perl5/cpan/Archive-Tar'
./miniperl -Ilib make_ext.pl dist/Attribute-Handlers/pm_to_blib  MAKE="make" LIBPERL_A=libperl.a
pp_hot.c:976:17: runtime error: load of address 0x7ffc0f14eaf8 with insufficient space for an object of type 'ssize_t'
0x7ffc0f14eaf8: note: pointer points here
 9e 55 00 00  04 00 00 00 00 00 00 00  38 4e 2c 4e 9e 55 00 00  00 9d 8f b6 a7 37 79 bb  b0 4e 2c 4e
              ^
    #0 0x559e4c2a3eab in Perl_pp_multiconcat /opt/experiments/perl5/pp_hot.c:976
    #1 0x559e4c297d30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #2 0x559e4bf0643a in Perl_call_sv /opt/experiments/perl5/perl.c:3143
    #3 0x559e4bf0cf44 in Perl_call_list /opt/experiments/perl5/perl.c:5217
    #4 0x559e4beae7b9 in S_process_special_blocks /opt/experiments/perl5/op.c:11039
    #5 0x559e4beec6c7 in Perl_newATTRSUB_x /opt/experiments/perl5/op.c:10876
    #6 0x559e4bee81b1 in Perl_utilize /opt/experiments/perl5/op.c:7779
    #7 0x559e4c0108ee in Perl_yyparse /opt/experiments/perl5/perly.y:404
    #8 0x559e4bf177f7 in S_parse_body /opt/experiments/perl5/perl.c:2614
    #9 0x559e4bf177f7 in perl_parse /opt/experiments/perl5/perl.c:1923
    #10 0x559e4be7b6be in main /opt/experiments/perl5/miniperlmain.c:112
    #11 0x7efc94c1d289  (/usr/lib64/libc.so.6+0x23289)
    #12 0x7efc94c1d344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #13 0x559e4be7b870 in _start (/opt/experiments/perl5/miniperl+0x524870)

pp_hot.c:979:17: runtime error: load of address 0x7ffc0f14eaf0 with insufficient space for an object of type 'struct multiconcat_svpv'
0x7ffc0f14eaf0: note: pointer points here
 9e 55 00 00  70 ea 28 4e 9e 55 00 00  04 00 00 00 00 00 00 00  38 4e 2c 4e 9e 55 00 00  00 9d 8f b6
              ^
    #0 0x559e4c2a3f18 in Perl_pp_multiconcat /opt/experiments/perl5/pp_hot.c:979
    #1 0x559e4c297d30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #2 0x559e4bf0643a in Perl_call_sv /opt/experiments/perl5/perl.c:3143
    #3 0x559e4bf0cf44 in Perl_call_list /opt/experiments/perl5/perl.c:5217
    #4 0x559e4beae7b9 in S_process_special_blocks /opt/experiments/perl5/op.c:11039
    #5 0x559e4beec6c7 in Perl_newATTRSUB_x /opt/experiments/perl5/op.c:10876
    #6 0x559e4bee81b1 in Perl_utilize /opt/experiments/perl5/op.c:7779
    #7 0x559e4c0108ee in Perl_yyparse /opt/experiments/perl5/perly.y:404
    #8 0x559e4bf177f7 in S_parse_body /opt/experiments/perl5/perl.c:2614
    #9 0x559e4bf177f7 in perl_parse /opt/experiments/perl5/perl.c:1923
    #10 0x559e4be7b6be in main /opt/experiments/perl5/miniperlmain.c:112
    #11 0x7efc94c1d289  (/usr/lib64/libc.so.6+0x23289)
    #12 0x7efc94c1d344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #13 0x559e4be7b870 in _start (/opt/experiments/perl5/miniperl+0x524870)

Running pm_to_blib for dist/Attribute-Handlers directly
pp_hot.c:984:29: runtime error: load of address 0x7ffc0f14eb10 with insufficient space for an object of type 'struct multiconcat_svpv'
0x7ffc0f14eb10: note: pointer points here
 00 00 00 00  00 00 00 00 00 00 00 00  f1 ff ff ff ff ff ff ff  00 00 00 00 00 00 00 00  10 d2 2b 4e
              ^
    #0 0x559e4c2a2b40 in Perl_pp_multiconcat /opt/experiments/perl5/pp_hot.c:984
    #1 0x559e4c297d30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #2 0x559e4bf0643a in Perl_call_sv /opt/experiments/perl5/perl.c:3143
    #3 0x559e4bf0cf44 in Perl_call_list /opt/experiments/perl5/perl.c:5217
    #4 0x559e4beae7b9 in S_process_special_blocks /opt/experiments/perl5/op.c:11039
    #5 0x559e4beec6c7 in Perl_newATTRSUB_x /opt/experiments/perl5/op.c:10876
    #6 0x559e4bee81b1 in Perl_utilize /opt/experiments/perl5/op.c:7779
    #7 0x559e4c0108ee in Perl_yyparse /opt/experiments/perl5/perly.y:404
    #8 0x559e4c3c83e9 in S_doeval_compile /opt/experiments/perl5/pp_ctl.c:3794
    #9 0x559e4c3cdba5 in S_require_file /opt/experiments/perl5/pp_ctl.c:4825
    #10 0x559e4c3cdba5 in Perl_pp_require /opt/experiments/perl5/pp_ctl.c:4857
    #11 0x559e4c3cdba5 in Perl_pp_require /opt/experiments/perl5/pp_ctl.c:4838
    #12 0x559e4c297d30 in Perl_runops_standard /opt/experiments/perl5/run.c:41
    #13 0x559e4bf1b1b1 in S_run_body /opt/experiments/perl5/perl.c:2807
    #14 0x559e4bf1b1b1 in perl_run /opt/experiments/perl5/perl.c:2722
    #15 0x559e4be7b801 in main /opt/experiments/perl5/miniperlmain.c:133
    #16 0x7efc94c1d289  (/usr/lib64/libc.so.6+0x23289)
    #17 0x7efc94c1d344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #18 0x559e4be7b870 in _start (/opt/experiments/perl5/miniperl+0x524870)

./miniperl -Ilib make_ext.pl cpan/AutoLoader/pm_to_blib  MAKE="make" LIBPERL_A=libperl.a
pp_hot.c:976:17: runtime error: load of address 0x7ffdc8795bf8 with insufficient space for an object of type 'ssize_t'
0x7ffdc8795bf8: note: pointer points here
 8b 55 00 00  04 00 00 00 00 00 00 00  88 fa a6 7b 8b 55 00 00  00 ab 61 3a 6a 72 ec b7  e8 fa a6 7b
              ^
^Cmake: *** [makefile:603: cpan/AutoLoader/pm_to_blib] Interrupt
[...]

iabyn · 2023-01-09T11:42:58Z

On Fri, Jan 06, 2023 at 06:06:21PM -0800, Sam James wrote: Perl crashes when bulit with Undefined Behavior Sanitizer (UBSAN, `-fsanitize=undefined`) when running `aclocal`:

....

pp_hot.c:880:17: runtime error: load of address 0x7ffdeba10fa8 with insufficient space for an object of type 'ssize_t'

...

#0 0x7fef20e39346 in Perl_pp_multiconcat /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/pp_hot.c:880

Do you have the ability to produce a reduced test case? The undefined behaviour is being detected in a string concatenation operation, and Perl -V does many string concatenations - the number and nature of which is dependent on the user's installation. aclocal presumably has many versions and is dependent upon the user's local environment for its exact behaviour. (I don't have GCC 13 installed so can't reproduce the issue).

…

-- Dave's first rule of Opera: If something needs saying, say it: don't warble it.

thesamesam · 2023-01-09T12:06:17Z

Looks like this is enough:

#!/usr/bin/perl
my $x = "a";
print "$x b";

pp_hot.c:880:17: runtime error: load of address 0x7ffd35941418 with insufficient space for an object of type 'ssize_t'
0x7ffd35941418: note: pointer points here
 45 56 00 00  01 00 00 00 00 00 00 00  00 ce 1d 90 45 56 00 00  00 00 00 00 00 00 00 00  40 07 0f 65
              ^
    #0 0x7f496481f346 in Perl_pp_multiconcat /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/pp_hot.c:880
    #1 0x7f4964813628 in Perl_runops_standard /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/run.c:41
    #2 0x7f4964514f7d in S_run_body /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:2721
    #3 0x7f4964514f7d in perl_run /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:2644
    #4 0x56458e94a331 in main /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perlmain.c:110
    #5 0x7f4963d4f289  (/usr/lib64/libc.so.6+0x23289)
    #6 0x7f4963d4f344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #7 0x56458e94a390 in _start (/usr/bin/perl+0x1390)

pp_hot.c:883:17: runtime error: load of address 0x7ffd35941410 with insufficient space for an object of type 'struct multiconcat_svpv'
0x7ffd35941410: note: pointer points here
 45 56 00 00  a0 56 20 90 45 56 00 00  01 00 00 00 00 00 00 00  00 ce 1d 90 45 56 00 00  00 00 00 00
              ^
    #0 0x7f496481fa75 in Perl_pp_multiconcat /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/pp_hot.c:883
    #1 0x7f4964813628 in Perl_runops_standard /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/run.c:41
    #2 0x7f4964514f7d in S_run_body /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:2721
    #3 0x7f4964514f7d in perl_run /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:2644
    #4 0x56458e94a331 in main /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perlmain.c:110
    #5 0x7f4963d4f289  (/usr/lib64/libc.so.6+0x23289)
    #6 0x7f4963d4f344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #7 0x56458e94a390 in _start (/usr/bin/perl+0x1390)

jkeenan · 2023-01-09T12:08:12Z

Description

Perl crashes when bulit with Undefined Behavior Sanitizer (UBSAN, -fsanitize=undefined) when running aclocal:

$ export UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1"
$ aclocal
pp_hot.c:880:17: runtime error: load of address 0x7ffdeba10fa8 with insufficient space for an object of type 'ssize_t'
0x7ffdeba10fa8: note: pointer points here
 9f 55 00 00  0e 00 00 00 00 00 00 00  60 19 a3 00 9f 55 00 00  8a 51 72 21 ef 7f 00 00  00 00 00 00
              ^
    #0 0x7fef20e39346 in Perl_pp_multiconcat /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/pp_hot.c:880
    #1 0x7fef20e2d628 in Perl_runops_standard /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/run.c:41
    #2 0x7fef20b19887 in Perl_call_sv /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:3057
    #3 0x7fef20b209e0 in Perl_call_list /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:5141
    #4 0x7fef20af7985 in S_process_special_blocks /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:12102
    #5 0x7fef20afc7aa in Perl_newATTRSUB_x /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:12007
    #6 0x7fef20b07543 in Perl_utilize /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/op.c:8960
    #7 0x7fef20c2ae7a in Perl_yyparse /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perly.y:370
    #8 0x7fef20b2b911 in S_parse_body /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:2536
    #9 0x7fef20b2b911 in perl_parse /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perl.c:1827
    #10 0x559eff4ba1f1 in main /var/tmp/portage/dev-lang/perl-5.36.0-r1/work/perl-5.36.0/perlmain.c:109
    #11 0x7fef20369289  (/usr/lib64/libc.so.6+0x23289)
    #12 0x7fef20369344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
    #13 0x559eff4ba390 in _start (/usr/bin/perl+0x1390)

This is with GCC 13.0.0_pre20230101. Note that GCC 13 isn't yet released, but the only other bug I've hit so far of this type was legitimate (gentoo/elfix#3) and this type of object size check is new in 13.

[snip]

Summary of my perl5 (revision 5 version 36 subversion 0) configuration:

Platform:
osname=linux
osvers=5.15.86-gentoo-dist-hardened
archname=x86_64-linux
uname='linux localhost 5.15.86-gentoo-dist-hardened #1 smp sun jan 1 23:14:27 gmt 2023 x86_64 amd ryzen 9 3950x 16-core processor authenticamd gnulinux '
config_args='-des -Dinstallprefix=/usr -Dinstallusrbinperl=n -Ui_xlocale -Di_ndbm -Di_gdbm -Di_db -DDEBUGGING=-g -Dlibpth=/usr/local/lib64 /lib64 /usr/lib64 -Dnoextensions=ODBM_File -Duseshrplib -Darchname=x86_64-linux -Dcc=x86_64-pc-linux-gnu-gcc -Dar=x86_64-pc-linux-gnu-ar -Dnm=x86_64-pc-linux-gnu-nm -Dcpp=x86_64-pc-linux-gnu-gcc -E -Dranlib=x86_64-pc-linux-gnu-ranlib -Accflags=-O2 -pipe -ggdb3 -fdiagnostics-color=always -frecord-gcc-switches -fsanitize=undefined -Werror=implicit-function-declaration -Werror=implicit-int -fno-strict-aliasing -Doptimize=-O2 -pipe -ggdb3 -fdiagnostics-color=always -frecord-gcc-switches -fsanitize=undefined -Werror=implicit-function-declaration -Werror=implicit-int -fno-strict-aliasing -Dldflags=-Wl,-O1 -Wl,--as-needed -fsanitize=undefined -Wl,--defsym=gentoo_check_ldflags=0 -Dprefix=/usr -Dsiteprefix=/usr/local -Dvendorprefix=/usr -Dscriptdir=/usr/bin -Dprivlib=/usr/lib64/perl5/5.36 -Darchlib=/usr/lib64/perl5/5.36/x86_64-linux -Dsitelib=/usr/local/lib64/perl5/5.36 -Dsitearch=/usr/local/lib64/perl5/5.36/x86_64-linux -Dvendorlib=/usr/lib64/perl5/vendor_perl/5.36 -Dvendorarch=/usr/lib64/perl5/vendor_perl/5.36/x86_64-linux -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dvendorman1dir=/usr/share/man/man1 -Dvendorman3dir=/usr/share/man/man3 -Dman1ext=1 -Dman3ext=3pm -Dlibperl=libperl.so.5.36.0 -Dlocincpth=/usr/include -Dglibpth=/lib64 /usr/lib64 -Duselargefiles -Dd_semctl_semun -Dcf_by=Gentoo -Dmyhostname=localhost -Dperladmin=root@localhost -Ud_csh -Dsh=/bin/sh -Dtargetsh=/bin/sh -Uusenm'

You have approximately 70 command-line switches here, making debugging difficult. Have you tried to identify the minimum number of such switches needed to generate the failure you're reporting?

thesamesam · 2023-01-09T12:17:24Z

In #20678 (comment), I built from git with just:

# ./configure.gnu -Dusedevel -Accflags="-O2 -fsanitize=undefined -ggdb3" -Aldflags="-fsanitize=undefined -ggdb3" && make -j32
# make check

And that triggered the failures.

tonycoz · 2023-01-10T04:12:43Z

I managed to reproduce this with gcc 13. I added some debug output to show the pointers involved, the first line is before the for(;;) loop, while the second is immediately before the error line:

tony@venus:.../git/perl6$ ./miniperl -DU -le 'my $x = "a"; print "$x b";'

EXECUTING...

svpv_p 7ffd2e2c9130 buf 7ffd2e2c9140 base 7ffd2e2c9140 end 7ffd2e2c9150
svpv_p 7ffd2e2c9140
pp_hot.c:978:17: runtime error: load of address 0x7ffd2e2c9148 with insufficient space for an object of type 'ssize_t'
0x7ffd2e2c9148: note: pointer points here
 00 00 00 00  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^ 
    #0 0x8a5462 in Perl_pp_multiconcat /home/tony/dev/perl/git/perl6/perlstatic.h:978
    #1 0x7d4b84 in Perl_runops_debug /home/tony/dev/perl/git/perl6/dump.c:2781
    #2 0x4b2a18 in S_run_body /home/tony/dev/perl/git/perl6/perlmini.c:2807
    #3 0x4b2a18 in perl_run /home/tony/dev/perl/git/perl6/perlmini.c:2722
    #4 0xbd663c in main /home/tony/dev/perl/git/perl6/miniperlmain.c:133
    #5 0x7fecaa0cdd09 in __libc_start_main ../csu/libc-start.c:308
    #6 0x405fb9 in _start (/home/tony/dev/perl/git/perl6/miniperl+0x405fb9)

Note that buf is an auto array with 64 entries (each with a pointer and length), the value of svpv_p where the error is produced is well within the range of of the svpv_buf[] array.

If I debug and break immediately before the error line:

(gdb) p *svpv_p
$4 = {pv = 0x133fc60 "a", len = 1}
(gdb) p svpv_p
$5 = (struct multiconcat_svpv *) 0x7fffffffe090
(gdb) p &svpv_buf
$6 = (struct multiconcat_svpv (*)[64]) 0x7fffffffe090

diff adding the debug output

diff --git a/pp_hot.c b/pp_hot.c
index 491cffc305..fdb5061385 100644
--- a/pp_hot.c
+++ b/pp_hot.c
@@ -958,6 +958,7 @@ PP(pp_multiconcat)
          * arguments and nargs+1 constant strings. For example, "-$a-$b-"
          */
         svpv_p = svpv_base - 1;
+        DEBUG_U( PerlIO_printf(Perl_debug_log, "svpv_p %p buf %p base %p end %p\n", (void *)svpv_p, (void*)svpv_buf, (void*)svpv_base, (void *)svpv_end) );
 
         for (;;) {
             SSize_t len = (const_lens++)->ssize;
@@ -972,6 +973,7 @@ PP(pp_multiconcat)
             if (++svpv_p == svpv_end)
                 break;
 
+        DEBUG_U( PerlIO_printf(Perl_debug_log, "svpv_p %p\n", (void *)svpv_p) );
             /* append next arg */
             len = svpv_p->len;

thesamesam · 2023-01-12T00:17:38Z

cc @siddhesh

When svpv_base == svpv_buf, svpv_p would be set to point before the buffer, which is undefined. This appears to be what gcc 13 is complaining about in Perl#20678, despite that report including what appears to be a completely valid address, on a line where the value of svpv_p is now within the range of svpv_buf. An intermediate approach to this used: temp = svpv_p; if (svpv_p++ == svpv_end) break but this is also incorrect, since svpv_p would end up as an invalid pointer, though gcc UBSAN didn't pick that up. Fixes Perl#20678.

siddhesh · 2023-01-12T23:07:57Z

The fix looks right; svpv_p pointing before svpv_buf seems to be messing up the object size arithmetic, resulting in the crash. The diagnostic message could have been better though.

siddhesh · 2023-01-13T17:50:21Z

Also FWIW, I've filed a gcc bug for this. It looks like __bdos is overzealous about this and screws up the size computation even if there wasn't actually any undefined behaviour: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108398

When svpv_base == svpv_buf, svpv_p would be set to point before the buffer, which is undefined. This appears to be what gcc 13 is complaining about in #20678, despite that report including what appears to be a completely valid address, on a line where the value of svpv_p is now within the range of svpv_buf. An intermediate approach to this used: temp = svpv_p; if (svpv_p++ == svpv_end) break but this is also incorrect, since svpv_p would end up as an invalid pointer, though gcc UBSAN didn't pick that up. Fixes #20678.

thesamesam · 2023-01-20T00:57:47Z

Thanks for putting the time into this folks!

When svpv_base == svpv_buf, svpv_p would be set to point before the buffer, which is undefined. This appears to be what gcc 13 is complaining about in #20678, despite that report including what appears to be a completely valid address, on a line where the value of svpv_p is now within the range of svpv_buf. An intermediate approach to this used: temp = svpv_p; if (svpv_p++ == svpv_end) break but this is also incorrect, since svpv_p would end up as an invalid pointer, though gcc UBSAN didn't pick that up. Fixes #20678. (cherry picked from commit 92ef216)

When svpv_base == svpv_buf, svpv_p would be set to point before the buffer, which is undefined. This appears to be what gcc 13 is complaining about in Perl#20678, despite that report including what appears to be a completely valid address, on a line where the value of svpv_p is now within the range of svpv_buf. An intermediate approach to this used: temp = svpv_p; if (svpv_p++ == svpv_end) break but this is also incorrect, since svpv_p would end up as an invalid pointer, though gcc UBSAN didn't pick that up. Fixes Perl#20678.

thesamesam added the Needs Triage label Jan 7, 2023

thesamesam changed the title ~~UBSAN crash in pp_hot.c:880 (Perl_pp_multiconcat)~~ UBSAN errors in pp_hot.c:880 (Perl_pp_multiconcat) Jan 7, 2023

jkeenan removed the Needs Triage label Jan 9, 2023

tonycoz mentioned this issue Jan 12, 2023

pp_multiconcat: don't set svpv_p to an invalid pointer #20687

Merged

tonycoz closed this as completed in #20687 Jan 16, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

UBSAN errors in `pp_hot.c:880 (Perl_pp_multiconcat)` #20678

UBSAN errors in `pp_hot.c:880 (Perl_pp_multiconcat)` #20678

thesamesam commented Jan 7, 2023

thesamesam commented Jan 7, 2023 •

edited

Loading

iabyn commented Jan 9, 2023 via email

thesamesam commented Jan 9, 2023

jkeenan commented Jan 9, 2023

thesamesam commented Jan 9, 2023 •

edited

Loading

tonycoz commented Jan 10, 2023

thesamesam commented Jan 12, 2023

siddhesh commented Jan 12, 2023

siddhesh commented Jan 13, 2023

thesamesam commented Jan 20, 2023

UBSAN errors in pp_hot.c:880 (Perl_pp_multiconcat) #20678

UBSAN errors in pp_hot.c:880 (Perl_pp_multiconcat) #20678

Comments

thesamesam commented Jan 7, 2023

thesamesam commented Jan 7, 2023 • edited Loading

iabyn commented Jan 9, 2023 via email

thesamesam commented Jan 9, 2023

jkeenan commented Jan 9, 2023

thesamesam commented Jan 9, 2023 • edited Loading

tonycoz commented Jan 10, 2023

thesamesam commented Jan 12, 2023

siddhesh commented Jan 12, 2023

siddhesh commented Jan 13, 2023

thesamesam commented Jan 20, 2023

UBSAN errors in `pp_hot.c:880 (Perl_pp_multiconcat)` #20678

UBSAN errors in `pp_hot.c:880 (Perl_pp_multiconcat)` #20678

thesamesam commented Jan 7, 2023 •

edited

Loading

thesamesam commented Jan 9, 2023 •

edited

Loading