[Tarantool-patches] [PATCH luajit 1/2] build: introduce LUAJIT_USE_UBSAN option
Sergey Kaplun
skaplun at tarantool.org
Mon May 27 15:28:41 MSK 2024
Hi, Maxim!
Thanks for the review!
Please consider my answers below.
On 27.05.24, Maxim Kokryashkin wrote:
> Hi, Sergey!
> Thanks for the patch!
> Please consider my comments below.
>
> On Wed, May 15, 2024 at 03:32:00PM UTC, Sergey Kaplun wrote:
> > This patch adds Undefined Behaviour Sanitizer [1] support. It enables
> > all checks except several that are not useful for LuaJIT. Also, it
> > instruments all known issues to be fixed in future patches (except
> > `kfold_intop()` since cdata arithmetic relies on integer overflow).
> >
> > [1]: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
> >
> > Resolves tarantool/tarantool#8473
> > ---
> > CMakeLists.txt | 45 ++++++++++++++++++++++++++++++++++++++
> > cmake/SetDynASMFlags.cmake | 11 ++++++++++
> > src/lj_carith.c | 5 +++++
> > src/lj_opt_fold.c | 5 +++++
> > src/lj_parse.c | 5 +++++
> > src/lj_snap.c | 7 ++++++
> > src/lj_strfmt.c | 5 +++++
> > 7 files changed, 83 insertions(+)
> >
> > diff --git a/CMakeLists.txt b/CMakeLists.txt
> > index 2355ce17..edf2012f 100644
> > --- a/CMakeLists.txt
> > +++ b/CMakeLists.txt
> > @@ -300,6 +300,51 @@ if(LUAJIT_USE_ASAN)
> > )
> > endif()
> >
> > +option(LUAJIT_USE_UBSAN "Build LuaJIT with UndefinedBehaviorSanitizer" OFF)
> > +if(LUAJIT_USE_UBSAN)
> > + # Use all recommendations from the UndefinedBehaviorSanitizer
> > + # documentation:
> > + # https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html.
> > + string(JOIN "," UBSAN_IGNORE_OPTIONS
> > + # Misaligned pseudo-pointers are used to determine internal
> > + # variable names inside the `for` cycle.
> > + alignment
> > + # Not interested in float cast overflow errors.
> > + float-cast-overflow
> Why we are not interested in them though?
Most warnings are referenced by `lj_num2int()`, which just converts the `double` to `int`. All such checks are covered by the corresponding check that the resulted value of the `int` cast back to `double` remains the same number.
I've added the following comment:
===================================================================
diff --git a/CMakeLists.txt b/CMakeLists.txt
index edf2012f..5eeea783 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -309,7 +309,9 @@ if(LUAJIT_USE_UBSAN)
# Misaligned pseudo-pointers are used to determine internal
# variable names inside the `for` cycle.
alignment
- # Not interested in float cast overflow errors.
+ # Not interested in float cast overflow errors. These
+ # overflows are handled by special checks after
+ # `lj_num2int()`, etc.
float-cast-overflow
# NULL checking is disabled because this is not a UB and
# raises lots of false-positive fails.
===================================================================
> > + # NULL checking is disabled because this is not a UB and
> > + # raises lots of false-positive fails.
> > + null
> > + # Not interested in checking arithmetic with NULL.
> > + pointer-overflow
> > + # Shifts of negative numbers are widely used in parsing ULEB,
> > + # cdata arithmetic, vmevent hash calculation, etc.
> > + shift-base
> > + )
> > + if(NOT CMAKE_C_COMPILER_ID STREQUAL "GNU")
> > + string(JOIN "," UBSAN_IGNORE_OPTIONS
> > + ${UBSAN_IGNORE_OPTIONS}
> > + # Not interested in function type mismatch errors.
> > + function
> > + )
> > + endif()
> Please drop a comment explaining why this additional configuration
> is needed.
Added.
===================================================================
diff --git a/CMakeLists.txt b/CMakeLists.txt
index edf2012f..5eeea783 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -320,6 +322,7 @@ if(LUAJIT_USE_UBSAN)
# cdata arithmetic, vmevent hash calculation, etc.
shift-base
)
+ # GCC has no "function" UB check.
if(NOT CMAKE_C_COMPILER_ID STREQUAL "GNU")
string(JOIN "," UBSAN_IGNORE_OPTIONS
${UBSAN_IGNORE_OPTIONS}
===================================================================
> > + AppendFlags(CMAKE_C_FLAGS
> > + # Enable hints for UndefinedBehaviorSanitizer.
> > + -DLUAJIT_USE_UBSAN
> > + # XXX: To get nicer stack traces in error messages.
> > + -fno-omit-frame-pointer
> > + # Enable UndefinedBehaviorSanitizer support.
> > + # This flag enables all supported options (the documentation
> > + # on cite is not correct about that moment, unfortunately)
> > + # except float-divide-by-zero. Floating point division by zero
> > + # behaviour is defined without -ffast-math and uses the
> > + # IEEE 754 standard on which all NaN tagging is based.
> > + -fsanitize=undefined
> > + -fno-sanitize=${UBSAN_IGNORE_OPTIONS}
> > + # Print a verbose error report and exit the program.
> > + -fno-sanitize-recover=undefined
> > + )
> > +endif()
>
> The whole chunk above is a bit too large to include into the root
> CMakeLists.txt, so I propose to move it into a separate CMake module.
It has a size similar to the ASAN blob (44 lines, most of which are
comments, against 25 lines), so ignoring.
> > +
> <snipped>
Also, added the additional instrumentation for `lj_buf_wmem()` as a
result of this discussion [1]:
===================================================================
diff --git a/src/lj_buf.h b/src/lj_buf.h
index a4051694..de7bee06 100644
--- a/src/lj_buf.h
+++ b/src/lj_buf.h
@@ -70,6 +70,13 @@ LJ_FUNC SBuf *lj_buf_putmem(SBuf *sb, const void *q, MSize len);
LJ_FUNC SBuf * LJ_FASTCALL lj_buf_putchar(SBuf *sb, int c);
LJ_FUNC SBuf * LJ_FASTCALL lj_buf_putstr(SBuf *sb, GCstr *s);
+#if LUAJIT_USE_UBSAN
+/* The `NULL` argument with the zero length, like in the case:
+** | luajit -e 'error("x", 3)'
+*/
+static LJ_AINLINE char *lj_buf_wmem(char *p, const void *q, MSize len)
+ __attribute__((no_sanitize("nonnull-attribute")));
+#endif
static LJ_AINLINE char *lj_buf_wmem(char *p, const void *q, MSize len)
{
return (char *)memcpy(p, q, len) + len;
===================================================================
[1]: https://lists.tarantool.org/pipermail/tarantool-patches/2024-May/029192.html
--
Best regards,
Sergey Kaplun
More information about the Tarantool-patches
mailing list