Skip to content

extendhfsf2_test.c seems to exhibit undefined behavior #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
atrosinenko opened this issue May 20, 2020 · 4 comments
Closed

extendhfsf2_test.c seems to exhibit undefined behavior #23

atrosinenko opened this issue May 20, 2020 · 4 comments
Labels
msp430 MSP430 target

Comments

@atrosinenko
Copy link
Contributor

The extendhfsf2_test.c unit test looks suspicious. When debugging optimization-related test failures on MSP430, I have finally managed to make all tests either pass or not, not depending on the optimization level. Except extendhfsf2_test. It passed with -O0, -O1, -Os, -Oz but not with -O2 and higher. After a bit of debugging, turned out that the test__extendhfsf2 function was inlined.

How to reproduce

Compile the compiler-rt builtins with

$ CFLAGS=-O2 cmake ../compiler-rt -G Ninja -DCOMPILER_RT_INCLUDE_TESTS=ON -DCOMPILER_RT_BUILD_BUILTINS=ON -DCMAKE_C_COMPILER=$llvmbin/clang -DCMAKE_CXX_COMPILER=$llvmbin/clang++ -DLLVM_CONFIG_PATH=$llvmbin/llvm-config
$ ninja
$ ninja check-builtins

Everything is OK. Then apply the following patch:

--- a/compiler-rt/test/builtins/Unit/extendhfsf2_test.c
+++ b/compiler-rt/test/builtins/Unit/extendhfsf2_test.c
@@ -18,7 +18,7 @@
 
 float __extendhfsf2(uint16_t a);
 
-int test__extendhfsf2(uint16_t a, float expected)
+int __attribute__((always_inline)) test__extendhfsf2(uint16_t a, float expected)
 {
     float x = __extendhfsf2(a);
     int ret = compareResultH(x, expected);

and add -O2 to the compiler parameters in test/builtins/Unit/X86_64LinuxConfig/Output/extendhfsf2_test.c.script.

While these changes are not expected to change the behavior, now running extendhfsf2_test.c.script prints:

error in test__extendhfsf2(0xc248) = -3.140625, expected -3.141593

For me, it is the call to compareResultH seems suspicious because if expects two uint16_t arguments but two floats are passed.

If I add the following patch in addition to forcefully inlining:

@@ -26,7 +26,7 @@ int test__extendhfsf2(uint16_t a, float expected)
     if (ret){
         printf("error in test__extendhfsf2(%#.4x) = %f, "
                "expected %f\n", a, x, expected);
-    }
+    } else printf("OK\n");
     return ret;
 }

it just prints lots of OK and exits successfully.
@atrosinenko
Copy link
Contributor Author

With some clumsy and possibly incorrectly rewritten compiler command line (because plain -fsanitize=undefined does not work for such setup due to -nodefaultlibs, etc.) I got the following UBSan diagnostics:

/old_ssd/ast/msp430-projects/llvm-project/compiler-rt/test/builtins/Unit/extendhfsf2_test.c:24:30: runtime error: nan is outside the range of representable values of type 'unsigned short'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /old_ssd/ast/msp430-projects/llvm-project/compiler-rt/test/builtins/Unit/extendhfsf2_test.c:24:30 in 
/old_ssd/ast/msp430-projects/llvm-project/compiler-rt/test/builtins/Unit/extendhfsf2_test.c:24:33: runtime error: nan is outside the range of representable values of type 'unsigned short'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /old_ssd/ast/msp430-projects/llvm-project/compiler-rt/test/builtins/Unit/extendhfsf2_test.c:24:33 in 
error in test__extendhfsf2(0xc248) = -3.140625, expected -3.141593

@asl
Copy link
Contributor

asl commented May 21, 2020
edited
Loading

This might be an ubsan fault after all :) Or something within the pipeline that has some similar weird requirements.

@atrosinenko
Copy link
Contributor Author

This particular diagnostic message can surely be ubsan fault because the compiler command line was very hackish and "best-effort". But the fact everything "works correctly" when adding more debug output seems very suspicious. On the other hand, technically, this can be some controlled UB usage by the compiler developers. :)

Another question is why two float arguments are passed for comparison to compareResultH(uint16_t result, uint16_t expected)? As I understand, uint16_t here is a substitution for some "IEEE754 type with half-precision" but actual arguments are traditional single-precision floats. As I understand, the compiler tries to convert them to integral type according to their numerical value while the expected behavior here is probably reinterpret_cast.

Looking at other such tests:

llvm-project/compiler-rt/test/builtins/Unit/extendsfdf2vfp_test.c

Lines 26 to 31 in 40ae542

double actual = __extendsfdf2vfp(a);
double expected = a;
if (actual != expected)
printf("error in test__extendsfdf2vfp(%f) = %f, expected %f\n",
a, actual, expected);
return actual != expected;

Here doubles are just compared with !=.

llvm-project/compiler-rt/test/builtins/Unit/extendsftf2_test.c

Lines 26 to 34 in 40ae542

long double x = __extendsftf2(a);
int ret = compareResultLD(x, expectedHi, expectedLo);
if (ret)
{
printf("error in test__extendsftf2(%f) = %.20Lf, "
"expected %.20Lf\n", a, x, fromRep128(expectedHi, expectedLo));
}
return ret;

Here long double is checked against its binary representation (represented by two uint64_t values) by compareResultLD.

In the test__extendhfsf2 compareResultF was probably expected.

@asl
Copy link
Contributor

asl commented May 21, 2020

Most probably here're we're dealing with uint16_t being a storage-only representation of half precision FPs on ARM. This is storage-only type, it is implicitly converted to / from float on every operation per specification.

I would simply disable hfsf builtin for us, it does not make any sense.

atrosinenko pushed a commit that referenced this issue Aug 25, 2020
@DimitryAndric
Instantiate Error in Target::GetEntryPointAddress() only when necessary
1ce07cd 
When `Target::GetEntryPointAddress()` calls `exe_module->GetObjectFile()->GetEntryPointAddress()`, and the returned
`entry_addr` is valid, it can immediately be returned.

However, just before that, an `llvm::Error` value has been setup, but in this case it is not consumed before returning, like is done further below in the function.

In https://bugs.freebsd.org/248745 we got a bug report for this, where a very simple test case aborts and dumps core:

```
* thread #1, name = 'testcase', stop reason = breakpoint 1.1
    frame #0: 0x00000000002018d4 testcase`main(argc=1, argv=0x00007fffffffea18) at testcase.c:3:5
   1	int main(int argc, char *argv[])
   2	{
-> 3	    return 0;
   4	}
(lldb) p argc
Program aborted due to an unhandled Error:
Error value was Success. (Note: Success values must still be checked prior to being destroyed).

Thread 1 received signal SIGABRT, Aborted.
thr_kill () at thr_kill.S:3
3	thr_kill.S: No such file or directory.
(gdb) bt
#0  thr_kill () at thr_kill.S:3
#1  0x00000008049a0004 in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
#2  0x0000000804916229 in abort () at /usr/src/lib/libc/stdlib/abort.c:67
#3  0x000000000451b5f5 in fatalUncheckedError () at /usr/src/contrib/llvm-project/llvm/lib/Support/Error.cpp:112
#4  0x00000000019cf008 in GetEntryPointAddress () at /usr/src/contrib/llvm-project/llvm/include/llvm/Support/Error.h:267
#5  0x0000000001bccbd8 in ConstructorSetup () at /usr/src/contrib/llvm-project/lldb/source/Target/ThreadPlanCallFunction.cpp:67
#6  0x0000000001bcd2c0 in ThreadPlanCallFunction () at /usr/src/contrib/llvm-project/lldb/source/Target/ThreadPlanCallFunction.cpp:114
#7  0x00000000020076d4 in InferiorCallMmap () at /usr/src/contrib/llvm-project/lldb/source/Plugins/Process/Utility/InferiorCallPOSIX.cpp:97
#8  0x0000000001f4be33 in DoAllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Plugins/Process/FreeBSD/ProcessFreeBSD.cpp:604
#9  0x0000000001fe51b9 in AllocatePage () at /usr/src/contrib/llvm-project/lldb/source/Target/Memory.cpp:347
#10 0x0000000001fe5385 in AllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Target/Memory.cpp:383
#11 0x0000000001974da2 in AllocateMemory () at /usr/src/contrib/llvm-project/lldb/source/Target/Process.cpp:2301
#12 CanJIT () at /usr/src/contrib/llvm-project/lldb/source/Target/Process.cpp:2331
#13 0x0000000001a1bf3d in Evaluate () at /usr/src/contrib/llvm-project/lldb/source/Expression/UserExpression.cpp:190
#14 0x00000000019ce7a2 in EvaluateExpression () at /usr/src/contrib/llvm-project/lldb/source/Target/Target.cpp:2372
#15 0x0000000001ad784c in EvaluateExpression () at /usr/src/contrib/llvm-project/lldb/source/Commands/CommandObjectExpression.cpp:414
#16 0x0000000001ad86ae in DoExecute () at /usr/src/contrib/llvm-project/lldb/source/Commands/CommandObjectExpression.cpp:646
#17 0x0000000001a5e3ed in Execute () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandObject.cpp:1003
#18 0x0000000001a6c4a3 in HandleCommand () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:1762
#19 0x0000000001a6f98c in IOHandlerInputComplete () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:2760
#20 0x0000000001a90b08 in Run () at /usr/src/contrib/llvm-project/lldb/source/Core/IOHandler.cpp:548
#21 0x00000000019a6c6a in ExecuteIOHandlers () at /usr/src/contrib/llvm-project/lldb/source/Core/Debugger.cpp:903
#22 0x0000000001a70337 in RunCommandInterpreter () at /usr/src/contrib/llvm-project/lldb/source/Interpreter/CommandInterpreter.cpp:2946
#23 0x0000000001d9d812 in RunCommandInterpreter () at /usr/src/contrib/llvm-project/lldb/source/API/SBDebugger.cpp:1169
#24 0x0000000001918be8 in MainLoop () at /usr/src/contrib/llvm-project/lldb/tools/driver/Driver.cpp:675
#25 0x000000000191a114 in main () at /usr/src/contrib/llvm-project/lldb/tools/driver/Driver.cpp:890```

Fix the incorrect error catch by only instantiating an `Error` object if it is necessary.

Reviewed By: JDevlieghere

Differential Revision: https://reviews.llvm.org/D86355
@asl asl added the msp430 MSP430 target label Nov 13, 2023
@asl asl closed this as completed Nov 13, 2023
kovdan01 pushed a commit that referenced this issue Mar 14, 2024
@arichardson
[tsan] Fix running check-ubsan with COMPILER_RT_DEBUG=ON
6c76506 
TestCases/Misc/Linux/sigaction.cpp fails because dlsym() may call malloc
on failure. And then the wrapped malloc appears to access thread local
storage using global dynamic accesses, thus calling
___interceptor___tls_get_addr, before REAL(__tls_get_addr) has
been set, so we get a crash inside ___interceptor___tls_get_addr. For
example, this can happen when looking up __isoc23_scanf which might not
exist in some libcs.

Fix this by marking the thread local variable accessed inside the
debug checks as "initial-exec", which does not require __tls_get_addr.

This is probably a better alternative to llvm/llvm-project#83886.

This fixes a different crash but is related to llvm/llvm-project#46204.

Backtrace:
```
#0 0x0000000000000000 in ?? ()
#1 0x00007ffff6a9d89e in ___interceptor___tls_get_addr (arg=0x7ffff6b27be8) at /path/to/llvm/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:2759
#2 0x00007ffff6a46bc6 in __sanitizer::CheckedMutex::LockImpl (this=0x7ffff6b27be8, pc=140737331846066) at /path/to/llvm/compiler-rt/lib/sanitizer_common/sanitizer_mutex.cpp:218
#3 0x00007ffff6a448b2 in __sanitizer::CheckedMutex::Lock (this=0x7ffff6b27be8, this@entry=0x730000000580) at /path/to/llvm/compiler-rt/lib/tsan/rtl/../../sanitizer_common/sanitizer_mutex.h:129
#4 __sanitizer::Mutex::Lock (this=0x7ffff6b27be8, this@entry=0x730000000580) at /path/to/llvm/compiler-rt/lib/tsan/rtl/../../sanitizer_common/sanitizer_mutex.h:167
#5 0x00007ffff6abdbb2 in __sanitizer::GenericScopedLock<__sanitizer::Mutex>::GenericScopedLock (mu=0x730000000580, this=<optimized out>) at /path/to/llvm/compiler-rt/lib/tsan/rtl/../../sanitizer_common/sanitizer_mutex.h:383
#6 __sanitizer::SizeClassAllocator64<__tsan::AP64>::GetFromAllocator (this=0x7ffff7487dc0 <__tsan::allocator_placeholder>, stat=stat@entry=0x7ffff570db68, class_id=11, chunks=chunks@entry=0x7ffff5702cc8, n_chunks=n_chunks@entry=128) at /path/to/llvm/compiler-rt/lib/tsan/rtl/../../sanitizer_common/sanitizer_allocator_primary64.h:207
#7 0x00007ffff6abdaa0 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__tsan::AP64> >::Refill (this=<optimized out>, c=c@entry=0x7ffff5702cb8, allocator=<optimized out>, class_id=<optimized out>)
 at /path/to/llvm/compiler-rt/lib/tsan/rtl/../../sanitizer_common/sanitizer_allocator_local_cache.h:103
#8 0x00007ffff6abd731 in __sanitizer::SizeClassAllocator64LocalCache<__sanitizer::SizeClassAllocator64<__tsan::AP64> >::Allocate (this=0x7ffff6b27be8, allocator=0x7ffff5702cc8, class_id=140737311157448)
 at /path/to/llvm/compiler-rt/lib/tsan/rtl/../../sanitizer_common/sanitizer_allocator_local_cache.h:39
#9 0x00007ffff6abc397 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<__tsan::AP64>, __sanitizer::LargeMmapAllocatorPtrArrayDynamic>::Allocate (this=0x7ffff5702cc8, cache=0x7ffff6b27be8, size=<optimized out>, size@entry=175, alignment=alignment@entry=16)
 at /path/to/llvm/compiler-rt/lib/tsan/rtl/../../sanitizer_common/sanitizer_allocator_combined.h:69
#10 0x00007ffff6abaa6a in __tsan::user_alloc_internal (thr=0x7ffff7ebd980, pc=140737331499943, sz=sz@entry=175, align=align@entry=16, signal=true) at /path/to/llvm/compiler-rt/lib/tsan/rtl/tsan_mman.cpp:198
#11 0x00007ffff6abb0d1 in __tsan::user_alloc (thr=0x7ffff6b27be8, pc=140737331846066, sz=11, sz@entry=175) at /path/to/llvm/compiler-rt/lib/tsan/rtl/tsan_mman.cpp:223
#12 0x00007ffff6a693b5 in ___interceptor_malloc (size=175) at /path/to/llvm/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:666
#13 0x00007ffff7fce7f2 in malloc (size=175) at ../include/rtld-malloc.h:56
#14 __GI__dl_exception_create_format (exception=exception@entry=0x7fffffffd0d0, objname=0x7ffff7fc3550 "/path/to/llvm/compiler-rt/cmake-build-all-sanitizers/lib/linux/libclang_rt.tsan-x86_64.so",
 fmt=fmt@entry=0x7ffff7ff2db9 "undefined symbol: %s%s%s") at ./elf/dl-exception.c:157
#15 0x00007ffff7fd50e8 in _dl_lookup_symbol_x (undef_name=0x7ffff6af868b "__isoc23_scanf", undef_map=<optimized out>, ref=0x7fffffffd148, symbol_scope=<optimized out>, version=<optimized out>, type_class=0, flags=2, skip_map=0x7ffff7fc35e0) at ./elf/dl-lookup.c:793
--Type <RET> for more, q to quit, c to continue without paging--
#16 0x00007ffff656d6ed in do_sym (handle=<optimized out>, name=0x7ffff6af868b "__isoc23_scanf", who=0x7ffff6a3bb84 <__interception::InterceptFunction(char const*, unsigned long*, unsigned long, unsigned long)+36>, vers=vers@entry=0x0, flags=flags@entry=2) at ./elf/dl-sym.c:146
#17 0x00007ffff656d9dd in _dl_sym (handle=<optimized out>, name=<optimized out>, who=<optimized out>) at ./elf/dl-sym.c:195
#18 0x00007ffff64a2854 in dlsym_doit (a=a@entry=0x7fffffffd3b0) at ./dlfcn/dlsym.c:40
#19 0x00007ffff7fcc489 in __GI__dl_catch_exception (exception=exception@entry=0x7fffffffd310, operate=0x7ffff64a2840 <dlsym_doit>, args=0x7fffffffd3b0) at ./elf/dl-catch.c:237
#20 0x00007ffff7fcc5af in _dl_catch_error (objname=0x7fffffffd368, errstring=0x7fffffffd370, mallocedp=0x7fffffffd367, operate=<optimized out>, args=<optimized out>) at ./elf/dl-catch.c:256
#21 0x00007ffff64a2257 in _dlerror_run (operate=operate@entry=0x7ffff64a2840 <dlsym_doit>, args=args@entry=0x7fffffffd3b0) at ./dlfcn/dlerror.c:138
#22 0x00007ffff64a28e5 in dlsym_implementation (dl_caller=<optimized out>, name=<optimized out>, handle=<optimized out>) at ./dlfcn/dlsym.c:54
#23 ___dlsym (handle=<optimized out>, name=<optimized out>) at ./dlfcn/dlsym.c:68
#24 0x00007ffff6a3bb84 in __interception::GetFuncAddr (name=0x7ffff6af868b "__isoc23_scanf", trampoline=140737311157448) at /path/to/llvm/compiler-rt/lib/interception/interception_linux.cpp:42
#25 __interception::InterceptFunction (name=0x7ffff6af868b "__isoc23_scanf", ptr_to_real=0x7ffff74850e8 <__interception::real___isoc23_scanf>, func=11, trampoline=140737311157448)
 at /path/to/llvm/compiler-rt/lib/interception/interception_linux.cpp:61
#26 0x00007ffff6a9f2d9 in InitializeCommonInterceptors () at /path/to/llvm/compiler-rt/lib/tsan/rtl/../../sanitizer_common/sanitizer_common_interceptors.inc:10315
```

Reviewed By: vitalybuka, MaskRay

Pull Request: llvm/llvm-project#83890
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
msp430 MSP430 target
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@asl @atrosinenko