Runtime error on tests with Address and Undefined behavior sanitizer #2112

durswd · 2020-03-10T15:57:20Z

I added set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=undefined,address") in Cmake and run tests.

These runtime errors are caused. Overflow and accessing uninitialized variables are caused.

glslang/glslang/MachineIndependent/linkValidate.cpp:683:53: runtime error: signed integer overflow: -1094795586 * 4 cannot be represented in type 'int'
glslang/hlsl/hlslParseHelper.cpp:5881:28: runtime error: reference binding to null pointer of type 'const struct TIntermSequence'
glslang/glslang/MachineIndependent/Constant.cpp:532:54: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
glslang/glslang/MachineIndependent/Constant.cpp:539:56: runtime error: negation of -9223372036854775808 cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
glslang/glslang/MachineIndependent/preprocessor/Pp.cpp:377:33: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
glslang/glslang/MachineIndependent/localintermediate.h:100:8: runtime error: load of value 240, which is not a valid value for type 'bool'
glslang/glslang/MachineIndependent/localintermediate.h:100:8: runtime error: load of value 58, which is not a valid value for type 'bool'
glslang/glslang/MachineIndependent/localintermediate.h:100:8: runtime error: load of value 18, which is not a valid value for type 'bool'

The text was updated successfully, but these errors were encountered:

johnkslang · 2020-03-11T06:17:46Z

For linkValidate, it's saying a garbage value for maxTransformFeedbackInterleavedComponents, which should default to 64. But, it depends on you to set up the resources. How did you set the resources to do this run?

I think for the Constant.cpp, we are relying on the host being 2's complement and doing (as tested) the right thing here on behalf of what the target would do in the same situation. Maybe similar in others as well.

For localintermediate.h, where is the load happening? Line 100 is just the data structure. I said more in #2051.

durswd · 2020-03-24T17:09:58Z

I'm sorry for the slow reply.
For linkValidate, it is 64 bit in almost tests.
But it is wrong in some tests such as

Glsl/LinkTest.FromFile/0
Glsl/LinkTestVulkan.FromFile/0
Glsl/LinkTestVulkan.FromFile/1
etc...

johnkslang · 2020-03-24T17:21:58Z

64 is the default count of the minimum value for the max maxTransformFeedbackInterleavedComponents.

Users of the library can set their own defaults. If this is failing somehow, you'd have garbage.

Can you verify how you set this value? Then we can know if it is never set, or is later trashed.

durswd · 2020-04-04T15:29:25Z

Delete all the files and run the ". /glslangtests" again, but I get the same error. It's hard for me to look into this issue any deeper than this.

qarmin · 2020-12-16T16:38:26Z

When running Godot which use Glslang, I still see

thirdparty/glslang/glslang/MachineIndependent/localintermediate.h:100:8: runtime error: load of value 32, which is not a valid value for type 'bool'
thirdparty/glslang/glslang/MachineIndependent/localintermediate.h:100:8: runtime error: load of value 30, which is not a valid value for type 'bool'
thirdparty/glslang/glslang/MachineIndependent/localintermediate.h:100:8: runtime error: load of value 96, which is not a valid value for type 'bool'

Which version of C++ glslang uses?
In Godot we now trying to move initialization of values from constructors to struct/class definition.
So

glslang/glslang/MachineIndependent/localintermediate.h

Lines 100 to 108 in a5be11b

    
           struct TCall { 
        
               TCall(const TString& pCaller, const TString& pCallee) : caller(pCaller), callee(pCallee) { } 
        
               TString caller; 
        
               TString callee; 
        
               bool visited; 
        
               bool currentPath; 
        
               bool errorGiven; 
        
               int calleeBodyPosition; 
        
           };

become:

 struct TCall { 
     TCall(const TString& pCaller, const TString& pCallee) : caller(pCaller), callee(pCallee) { } 
     TString caller; 
     TString callee; 
     bool visited = false; 
     bool currentPath = false; 
     bool errorGiven = false; 
     int calleeBodyPosition = 0; 
 };

UBSAN rightly complains on `push_front`: glslang/MachineIndependent/localintermediate.h:100:8: runtime error: load of value 160, which is not a valid value for type 'bool' #0 in glslang::TCall::TCall(glslang::TCall&&) glslang/MachineIndependent/localintermediate.h:100 KhronosGroup#1 in void __gnu_cxx::new_allocator<std::_List_node<glslang::TCall> >::construct<glslang::TCall, glslang::TCall>(glslang::TCall*, glslang::TCall&&) /usr/include/c++/10/ext/new_allocator.h:150 KhronosGroup#2 in void std::allocator_traits<std::allocator<std::_List_node<glslang::TCall> > >::construct<glslang::TCall, glslang::TCall>(std::allocator<std::_List_node<glslang::TCall> >&, glslang::TCall*, glslang::TCall&&) /usr/include/c++/10/bits/alloc_traits.h:512 KhronosGroup#3 in std::_List_node<glslang::TCall>* std::__cxx11::list<glslang::TCall, std::allocator<glslang::TCall> >::_M_create_node<glslang::TCall>(glslang::TCall&&) (...) KhronosGroup#4 in void std::__cxx11::list<glslang::TCall, std::allocator<glslang::TCall> >::_M_insert<glslang::TCall>(std::_List_iterator<glslang::TCall>, glslang::TCall&&) /usr/include/c++/10/bits/stl_list.h:1911 KhronosGroup#5 in std::__cxx11::list<glslang::TCall, std::allocator<glslang::TCall> >::push_front(glslang::TCall&&) /usr/include/c++/10/bits/stl_list.h:1167 KhronosGroup#6 in glslang::TIntermediate::addToCallGraph(TInfoSink&, std::__cxx11::basic_string<char, std::char_traits<char>, glslang::pool_allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, glslang::pool_allocator<char> > const&) glslang/MachineIndependent/Intermediate.cpp:2860 What happens here: 1. TCall's bool fields are not initialized on construction. 2. `push_front` move the `TCall` passed into it. 3. The move constructor copies unitialized bool, which may have an out-of-range value. What this fix does: Calls `emplace_back` to ensure no copy/move constructor is called. Fixes KhronosGroup#2222 Refs KhronosGroup#2112

UBSAN rightly complains on `push_front` here: glslang/MachineIndependent/localintermediate.h:100:8: runtime error: load of value 160, which is not a valid value for type 'bool' #0 in glslang::TCall::TCall(glslang::TCall&&) glslang/MachineIndependent/localintermediate.h:100 KhronosGroup#1 in void __gnu_cxx::new_allocator<std::_List_node<glslang::TCall> >::construct<glslang::TCall, glslang::TCall>(glslang::TCall*, glslang::TCall&&) /usr/include/c++/10/ext/new_allocator.h:150 KhronosGroup#2 in void std::allocator_traits<std::allocator<std::_List_node<glslang::TCall> > >::construct<glslang::TCall, glslang::TCall>(std::allocator<std::_List_node<glslang::TCall> >&, glslang::TCall*, glslang::TCall&&) /usr/include/c++/10/bits/alloc_traits.h:512 KhronosGroup#3 in std::_List_node<glslang::TCall>* std::__cxx11::list<glslang::TCall, std::allocator<glslang::TCall> >::_M_create_node<glslang::TCall>(glslang::TCall&&) (...) KhronosGroup#4 in void std::__cxx11::list<glslang::TCall, std::allocator<glslang::TCall> >::_M_insert<glslang::TCall>(std::_List_iterator<glslang::TCall>, glslang::TCall&&) /usr/include/c++/10/bits/stl_list.h:1911 KhronosGroup#5 in std::__cxx11::list<glslang::TCall, std::allocator<glslang::TCall> >::push_front(glslang::TCall&&) /usr/include/c++/10/bits/stl_list.h:1167 KhronosGroup#6 in glslang::TIntermediate::addToCallGraph(TInfoSink&, std::__cxx11::basic_string<char, std::char_traits<char>, glslang::pool_allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, glslang::pool_allocator<char> > const&) glslang/MachineIndependent/Intermediate.cpp:2860 What happens here: 1. TCall's bool fields are not initialized on construction. 2. `push_front` move the `TCall` passed into it. 3. The move constructor copies unitialized bool, which may have an out-of-range value. What this fix does: Calls `emplace_back` to ensure no copy/move constructor is called. Fixes KhronosGroup#2222 Refs KhronosGroup#2112

greg-lunarg · 2021-02-01T18:00:33Z

I believe the PR above should address this issue. Please reopen if incorrect.

durswd mentioned this issue Mar 10, 2020

Fix a bug that uninitialized valuables are accessed #2113

Closed

johnkslang added Memory question labels Apr 5, 2020

glebm mentioned this issue Jan 30, 2021

callGraph.push_front -> emplace_front to fix UBSAN #2517

Merged

greg-lunarg closed this as completed Feb 1, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Runtime error on tests with Address and Undefined behavior sanitizer #2112

Runtime error on tests with Address and Undefined behavior sanitizer #2112

durswd commented Mar 10, 2020

johnkslang commented Mar 11, 2020

durswd commented Mar 24, 2020

johnkslang commented Mar 24, 2020

durswd commented Apr 4, 2020

qarmin commented Dec 16, 2020

greg-lunarg commented Feb 1, 2021

Runtime error on tests with Address and Undefined behavior sanitizer #2112

Runtime error on tests with Address and Undefined behavior sanitizer #2112

Comments

durswd commented Mar 10, 2020

johnkslang commented Mar 11, 2020

durswd commented Mar 24, 2020

johnkslang commented Mar 24, 2020

durswd commented Apr 4, 2020

qarmin commented Dec 16, 2020

greg-lunarg commented Feb 1, 2021