One fear I have with this is in expansions of the offsetof macro, where it is a common implementation strategy to cast a null pointer to be of the correct type when calculating member offsets. Do you think you will be able to distinguish between null pointer additions that the user wrote directly (which is UB) as opposed to null pointer additions that come from the implementation (which is not UB)?

In D67122#1656189, @aaron.ballman wrote:

One fear I have with this is in expansions of the offsetof macro, where it is a common implementation strategy to cast a null pointer to be of the correct type when calculating member offsets. Do you think you will be able to distinguish between null pointer additions that the user wrote directly (which is UB) as opposed to null pointer additions that come from the implementation (which is not UB)?

Can you show a snippet on godbolt?

In D67122#1656205, @lebedev.ri wrote:

In D67122#1656189, @aaron.ballman wrote:

One fear I have with this is in expansions of the offsetof macro, where it is a common implementation strategy to cast a null pointer to be of the correct type when calculating member offsets. Do you think you will be able to distinguish between null pointer additions that the user wrote directly (which is UB) as opposed to null pointer additions that come from the implementation (which is not UB)?

Can you show a snippet on godbolt?

https://godbolt.org/z/5DHL2E

This will show that Clang has a __builtin_offsetof() that gets used. I'm worried about situations where there is no __builtin_offsetof() but the canonical reference implementation is used instead (which looks identical to what initializes bad in my link).

Thanks, this is looking pretty good.

Still think this looks good. Have you tried running this on the llvm test suite, or some other interesting corpus? Would be curious to see any pre/post patch numbers.

Still think this looks good. Have you tried running this on the llvm test suite, or some other interesting corpus? Would be curious to see any pre/post patch numbers.

I finally had time this morning to patch this in and give it a shot. (Sorry for the delay... it's been a real busy week :( )

First, starting off with the good news: I reverted all the fixes I made, and now all the tests fail when running w/ ubsan. Yay!

The error we see in each case is UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset with the logs containing runtime error: applying non-zero offset <non-zero> to null pointer. Which catches the two places where we were adding some non-zero offset to nullptr, but doesn't seem to catch the nullptr-after-nonzero-offset case in https://github.com/google/filament/pull/1566 -- instead, it fails later, when the pointer with a value of nullptr is incremented. (Or... maybe this is actually a separate bug. Hmm. Needs some more testing...)

At any rate, I have some more tests to run to get some idea of what % of code this would flag as being bad.

In D67122#1659882, @rupprecht wrote:

Still think this looks good. Have you tried running this on the llvm test suite, or some other interesting corpus? Would be curious to see any pre/post patch numbers.

I finally had time this morning to patch this in and give it a shot. (Sorry for the delay... it's been a real busy week :( )

First, starting off with the good news: I reverted all the fixes I made, and now all the tests fail when running w/ ubsan. Yay!
The error we see in each case is UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset with the logs containing runtime error: applying non-zero offset <non-zero> to null pointer. Which catches the two places where we were adding some non-zero offset to nullptr,

That is good :)

but doesn't seem to catch the nullptr-after-nonzero-offset case in https://github.com/google/filament/pull/1566 -- instead, it fails later, when the pointer with a value of nullptr is incremented. (Or... maybe this is actually a separate bug. Hmm. Needs some more testing...)

Well yeah, there are quite a few cases in clang codegen where we create gep inbounds without sanitization, so it may or may not be one of those cases.

At any rate, I have some more tests to run to get some idea of what % of code this would flag as being bad.

I will still need to see where else EmitCheckedInBoundsGEP() should be used, but i'm wondering
if it should be best done in follow-ups, since this already catches the interesting bits..

In D67122#1659721, @vsk wrote:

Still think this looks good. Have you tried running this on the llvm test suite, or some other interesting corpus? Would be curious to see any pre/post patch numbers.

There were 1.5 occurrences in test-suite.
I'd prefer not to try running it over llvm stage-2/3 (i can, but it's gonna be slow..)

Though i guess you were talking about *performance* numbers?

I'm not good with using test-suite for perf, so i'm yet again going to use my own bench.

TLDR: (all measurements done with llvm ToT, the sanitizer never fired.)

• no sanitization vs. existing check: average +20.75% slowdown
• existing check vs. check after this patch: average +26.36% slowdown
• no sanitization vs. this patch: average +52.58% slowdown

I suspect some of this might be recoverable, but i don't know yet.

@vsk let me know if that answered your questions. thanks!

In D67122#1659896, @lebedev.ri wrote:

In D67122#1659882, @rupprecht wrote:

Still think this looks good. Have you tried running this on the llvm test suite, or some other interesting corpus? Would be curious to see any pre/post patch numbers.

I finally had time this morning to patch this in and give it a shot. (Sorry for the delay... it's been a real busy week :( )

First, starting off with the good news: I reverted all the fixes I made, and now all the tests fail when running w/ ubsan. Yay!
The error we see in each case is UndefinedBehaviorSanitizer: nullptr-with-nonzero-offset with the logs containing runtime error: applying non-zero offset <non-zero> to null pointer. Which catches the two places where we were adding some non-zero offset to nullptr,

That is good :)

but doesn't seem to catch the nullptr-after-nonzero-offset case in https://github.com/google/filament/pull/1566 -- instead, it fails later, when the pointer with a value of nullptr is incremented. (Or... maybe this is actually a separate bug. Hmm. Needs some more testing...)

Well yeah, there are quite a few cases in clang codegen where we create gep inbounds without sanitization, so it may or may not be one of those cases.

At any rate, I have some more tests to run to get some idea of what % of code this would flag as being bad.

@rupprecht

So i have tried to reduce https://github.com/google/filament/pull/1566/files
CommandBase by hand, and arrived at: https://godbolt.org/z/O7svxp

And it is clearly being sanitized, and you wouldn't even get to call execute()
with this = nullptr, a check for that was inserted too.

If you revert whatever fixes that were applied, fix the code
about which sanitizer complaints, does that fix miscompilation?

But TLDR, either the fix in https://github.com/google/filament/pull/1566
is incorrect and the actually-bad code is elsewhere,
or you have some other unsanitized UB elsewhere. Could be both :S

But TLDR, either the fix in https://github.com/google/filament/pull/1566
is incorrect and the actually-bad code is elsewhere,
or you have some other unsanitized UB elsewhere. Could be both :S

My money is on "both" :p

I tested a random sample of a couple thousand tests internally and ~1% of them failed, but when I looked at them, they were all coming from two separate widely used libraries. I fixed those, and I'll do a broader test now to see how bad the long tail of issues are.

In D67122#1659721, @vsk wrote:

Still think this looks good. Have you tried running this on the llvm test suite, or some other interesting corpus? Would be curious to see any pre/post patch numbers.

There were 1.5 occurrences in test-suite.

I'd prefer not to try running it over llvm stage-2/3 (i can, but it's gonna be slow..)

Though i guess you were talking about *performance* numbers?

Yes, I'm primarily interested in run-time and compile-time performance (at {-O0 -g, -Os -g}). The number of occurrences of new diagnostics is also interesting. What does the .5 mean?

I'm not good with using test-suite for perf, so i'm yet again going to use my own bench.

rawspeed-pointer-overflow-0-baseline.json688 KBDownload

rawspeed-pointer-overflow-1-old.json688 KBDownload

rawspeed-pointer-overflow-2-new.json688 KBDownload

I see, I'll make some time to collect & share stats from it soon. On that note, I've never had any problems with running the suite in the past, and the results have been very helpful (if nothing else, it's nice to have a mid-size test corpus everyone can share). What sorts of issues are you running into? Were you able to get interesting results with -DTEST_SUITE_RUN_BENCHMARKS=0 set?

TLDR: (all measurements done with llvm ToT, the sanitizer never fired.)

• no sanitization vs. existing check: average +20.75% slowdown
• existing check vs. check after this patch: average +26.36% slowdown
• no sanitization vs. this patch: average +52.58% slowdown

I suspect some of this might be recoverable, but i don't know yet.

In D67122#1663619, @vsk wrote:

In D67122#1659721, @vsk wrote:

Still think this looks good. Have you tried running this on the llvm test suite, or some other interesting corpus? Would be curious to see any pre/post patch numbers.

There were 1.5 occurrences in test-suite.

I'd prefer not to try running it over llvm stage-2/3 (i can, but it's gonna be slow..)

Though i guess you were talking about *performance* numbers?

Yes, I'm primarily interested in run-time and compile-time performance (at {-O0 -g, -Os -g}).

Uh, feel free to measure _that_ yourself :D

The number of occurrences of new diagnostics is also interesting. What does the .5 mean?

There were two occurrences - rL371219 and rL371220, and only one of those is new.
(as per @rupprecht it catches something in the original miscompile test, so there's that too)

I'm not good with using test-suite for perf, so i'm yet again going to use my own bench.

rawspeed-pointer-overflow-0-baseline.json688 KBDownload

rawspeed-pointer-overflow-1-old.json688 KBDownload

rawspeed-pointer-overflow-2-new.json688 KBDownload

I see, I'll make some time to collect & share stats from it soon.

Cool

On that note, I've never had any problems with running the suite in the past,
and the results have been very helpful (if nothing else,
it's nice to have a mid-size test corpus everyone can share).
What sorts of issues are you running into?
Were you able to get interesting results with -DTEST_SUITE_RUN_BENCHMARKS=0 set?

Note that i wasn't looking for compile time stats, let alone at -O0,
there is nothing odd in the diff that could have an impact other than the usual "death by a thousand cuts".

As for benchmarking, it has pretty long run-time,
multiply that by the number of repetitions, and the results are noisy still.

TLDR: (all measurements done with llvm ToT, the sanitizer never fired.)

• no sanitization vs. existing check: average +20.75% slowdown
• existing check vs. check after this patch: average +26.36% slowdown
• no sanitization vs. this patch: average +52.58% slowdown

^ so i provide my own numbers.

I'm chirping away at missed folds, already handled two, two more coming,
so i suspect runtime overhead is already lower and will be lower still.

There's definitely a lot of new findings this creates, but it's hard to say exactly how many root causes there are due to the way test failures are (not) grouped well in the way I'm testing. So far they all seem like true positives, so this would be good to submit. However a few are positive yet benign, like this interesting one (simplified):

void ParseString(char *s) {
  char *next = s;
  for (char *end = s; end; next = end + 1) { // ubsan error computing (nil + 1), although it doesn't matter because the loop terminates when end == nil and next is not read after the loop
    // ...
    end = strchr(next, 'x'); // returns null if not found
    // ...
  }
}

If I had to guesstimate, I'd say 20-100 bugs in a couple billion lines of code, so a lot, but shouldn't be too disruptive to anyone that has these checks enabled globally.

I haven't noticed any timeouts -- which is not to say this isn't a slowdown, but at least it's not egregious.

BTW, here's a minimal + complete repro of the original issue:

$ cat ub.cc
#include <cstdio>
#include <cstdlib>

static void Test(const char *x, int offset) {
  printf("%p + %d => %s\n", x, offset, x + offset ? "true" : "false");
}

int main(int argc, char **argv) {
  if (argc != 3) return 1;

  const char *x = reinterpret_cast<const char *>(atoi(argv[1]));
  int offset = atoi(argv[2]);

  Test(x, offset);

  return 0;
}
$ previous-clang++ -O3 ub.cc && ./a.out 0 1
(nil) + 1 => true
$ next-clang++ -O3 ub.cc && ./a.out 0 1
(nil) + 1 => false
$ patch-D67122-clang++ -O3 -fsanitize=undefined ub.cc && ./a.out 0 1
ubsan: ub.cc:5:42: runtime error: applying non-zero offset 1 to null pointer                                                                                                    
(nil) + 1 => false

Did you run it with the linux kernel? It could be interesting

cc @nickdesaulniers

In D67122#1691307, @lebedev.ri wrote:

Ping.
After talking with @aaron.ballman, revised the check to also handle the C semantics ("ptr+0 is UB").

And that resulted in one more occurrence in test-suite - rL373486.

Ping.
Friendly remainder that the unsanitized UB is still being miscompiled.

Looks fine to me with some doc improvements.

Just wanna say huge +1 for this patch. Thanks!

This is failing the sanitizer lint check:
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/23819/steps/64-bit%20check-sanitizer/logs/stdio

<path...>/compiler-rt/lib/ubsan/ubsan_checks.inc:22: Lines should be <= 80 characters long [whitespace/line_length] [2]
<path...>/compiler-rt/lib/ubsan/ubsan_checks.inc:23: Lines should be <= 80 characters long [whitespace/line_length] [2]

Please could you take a look?

In D67122#1703482, @russell.gallop wrote:

This is failing the sanitizer lint check:
http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/23819/steps/64-bit%20check-sanitizer/logs/stdio

<path...>/compiler-rt/lib/ubsan/ubsan_checks.inc:22: Lines should be <= 80 characters long [whitespace/line_length] [2]
<path...>/compiler-rt/lib/ubsan/ubsan_checks.inc:23: Lines should be <= 80 characters long [whitespace/line_length] [2]

Please could you take a look?

Hm, i didn't see *that* failure, thanks for relaying the message.
Should be good now, or not..

Not unexpectedly, this broke sanitizer-x86_64-linux-bootstrap-ubsan.
I'm going to attempt to address uncovered issues

http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-bootstrap-ubsan/builds/15329/steps/annotate/logs/stdio appears to contain "only" 3 distinct issues.
I've pushed those 3 fixes, but maybe that is not enough, we'll see.

In D67122#1703616, @lebedev.ri wrote:

http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-bootstrap-ubsan/builds/15329/steps/annotate/logs/stdio appears to contain "only" 3 distinct issues.
I've pushed those 3 fixes, but maybe that is not enough, we'll see.

And we're green. Thanks for everyone's patience and lack of reverts :)
As per that bot(!) there were "only" 3 places in LLVM that had that UB.