accellera-official / systemc

SystemC Reference Implementation
https://systemc.org/overview/systemc/
Apache License 2.0

Undefined behavior sanitizer reports misaligned memory accesses in SystemC library #49

Closed derchr closed 6 months ago

derchr commented 1 year ago

Hello, when compiling with -fsanitize=address,undefined, even in empty SystemC projects misaligned memory accesses are detected by the undefined behavior sanitizer. This can be observed with both GCC and Clang.

This issue is not related to https://github.com/accellera-official/systemc/pull/19 as this can also be observed in the new 2.3.4 version.

GCC output:

        SystemC 2.3.4-Accellera --- Jun  5 2023 09:45:57
        Copyright (c) 1996-2022 by all Contributors,
        ALL RIGHTS RESERVED
/home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:286:12: runtime error: member access within misaligned address 0x0000000000db for type 'struct sc_method_process', which requires 8 byte alignment
0x0000000000db: note: pointer points here
<memory cannot be printed>
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3517==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000db (pc 0x7fb65b11fe8a bp 0x7ffe1045eb80 sp 0x7ffe1045e9e0 T0)
==3517==The signal is caused by a READ memory access.
==3517==Hint: address points to the zero page.
    #0 0x7fb65b11fe8a in sc_core::sc_method_process::next_runnable() /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:286
    #1 0x7fb65b11fe8a in sc_core::sc_runnable::toggle_methods() /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_runnable_int.h:464
    #2 0x7fb65b11fe8a in sc_core::sc_simcontext::crunch(bool) /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_simcontext.cpp:482
    #3 0x7fb65b111a0c in sc_core::sc_simcontext::simulate(sc_core::sc_time const&) /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_simcontext.cpp:887
    #4 0x7fb65b113e57 in sc_core::sc_start(sc_core::sc_time const&, sc_core::sc_starvation_policy) /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_simcontext.cpp:1718
    #5 0x7fb65b11502c in sc_core::sc_start() /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_simcontext.cpp:1752
    #6 0x55fb2e65838c in sc_main /home/derek/sanitize/main.cpp:5
    #7 0x7fb65affbba9 in sc_elab_and_sim /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_main_main.cpp:89
    #8 0x7fb658e6fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7fb658e6fe3f in __libc_start_main_impl ../csu/libc-start.c:392
    #10 0x55fb2e6582b4 in _start (/home/derek/sanitize/build/sanitize+0x22b4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:286 in sc_core::sc_method_process::next_runnable()
==3517==ABORTING

Clang output:

        SystemC 2.3.4-Accellera --- Jun  5 2023 10:00:10
        Copyright (c) 1996-2022 by all Contributors,
        ALL RIGHTS RESERVED
/home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:280:20: runtime error: upcast of misaligned address 0x0000000000db for type 'sc_core::sc_method_process', which requires 8 byte alignment
0x0000000000db: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:280:20 in
/home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_thread_process.h:437:20: runtime error: upcast of misaligned address 0x0000000000db for type 'sc_core::sc_thread_process', which requires 8 byte alignment
0x0000000000db: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_thread_process.h:437:20 in
/home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:286:12: runtime error: downcast of misaligned address 0x0000000000db for type 'class sc_method_process', which requires 8 byte alignment
0x0000000000db: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:286:12 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6136==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000db (pc 0x7fb1a0d77ebf bp 0x843b6d40b9976ed1 sp 0x7ffe9fb7d9d0 T0)
==6136==The signal is caused by a READ memory access.
==6136==Hint: address points to the zero page.
    #0 0x7fb1a0d77ebf in sc_core::sc_method_process::next_runnable() /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:286:12
    #1 0x7fb1a0dbbf34 in sc_core::sc_runnable::toggle_methods() /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_runnable_int.h:464:39
    #2 0x7fb1a0db6d84 in sc_core::sc_simcontext::crunch(bool) /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_simcontext.cpp:482:18
    #3 0x7fb1a0dae489 in sc_core::sc_simcontext::simulate(sc_core::sc_time const&) /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_simcontext.cpp:887:2
    #4 0x7fb1a0db4408 in sc_core::sc_start(sc_core::sc_time const&, sc_core::sc_starvation_policy) /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_simcontext.cpp:1718:16
    #5 0x7fb1a0db4b7f in sc_core::sc_start() /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_simcontext.cpp:1752:5
    #6 0x55cfd4f9b59d in sc_main /home/derek/sanitize/main.cpp:5:5
    #7 0x7fb1a0d6eb83 in sc_elab_and_sim /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_main_main.cpp:89:18
    #8 0x7fb1a040fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7fb1a040fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x55cfd4edb384 in _start (/home/derek/sanitize/build/sanitize+0x1e384) (BuildId: ac89e2b3c78c26cd0d56ce9c1ff8b672cdf0b2ce)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/derek/sanitize/build/_deps/systemc-src/src/sysc/kernel/sc_method_process.h:286:12 in sc_core::sc_method_process::next_runnable()
==6136==ABORTING

For completeness, the program:

#include <systemc>

int sc_main(int argc, char* argv[])
{
    sc_core::sc_start();
    return 0;
}

eactor commented 6 months ago

Hello @derchr, I just tested your example against the new 3.0.0 and could not reproduce the behaviour. I used gcc 13.2 on a debian 12.2 machine, and tested QuickThreads and Pthreads for SystemC. Pthreads are easier when testing with sanitize options.

This was my compile command for your example:

g++ -std=c++17 -fsanitize=address,undefined -I${SYSTEMC_HOME}/include -L${SYSTEMC_HOME}/lib-linux64 -lsystemc test.cpp -o test_program

And my output without error:

root@0731fe770d83:/testdir# ./test_program
        SystemC 3.0.0_pub_rev_20231124-Accellera --- Dec 13 2023 12:32:10
        Copyright (c) 1996-2023 by all Contributors,
        ALL RIGHTS RESERVED

Could you re-check with the new SYSTEMC 3.0.0?

eactor commented 6 months ago

I just reproduced your errors with 2.3.4 with Quick and Pthreads on the same system. So I'm certain it will work for you with the new SystemC 3.0.0. Please re-open if you have further issues.

This Issue can be closed.

AndrewGoodrich commented 6 months ago

The use of 0xdb as an end of list indicator in next pointer fields was removed in 3.0.0 so this issue can definitely be closed.
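
As an added illustration (not code from the SystemC project), the reduced model below shows why UBSan's alignment check fires on an integer end-of-list marker such as 0xdb stored in a next-pointer field, and what the nullptr-terminated alternative looks like. ProcessBase, MethodProcess, legacy_end_marker and the other helper names are hypothetical stand-ins for the kernel classes in the trace, and is_misaligned_for mirrors the modulo test -fsanitize=alignment performs before a cast or member access.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical intrusive list node with the shape of the kernel process classes.
struct ProcessBase {
    ProcessBase* m_next = nullptr;     // intrusive link to the next runnable process
    alignas(8) std::uint64_t m_id = 0;  // makes the object require 8-byte alignment
};

struct MethodProcess : ProcessBase {
    // Equivalent of the accessor flagged in the trace: the cast itself is checked by
    // UBSan, so a non-pointer sentinel in m_next is reported as a misaligned downcast.
    MethodProcess* next_runnable() const { return static_cast<MethodProcess*>(m_next); }
};

// Pre-3.0.0 style terminator: a magic integer stuffed into a pointer field.
// Constructed here to reproduce the address shown in the sanitizer output.
inline ProcessBase* legacy_end_marker() {
    return reinterpret_cast<ProcessBase*>(static_cast<std::uintptr_t>(0xdb));
}

// The check -fsanitize=alignment applies: address modulo the type's alignment.
template <typename T>
bool is_misaligned_for(const void* p) {
    return reinterpret_cast<std::uintptr_t>(p) % alignof(T) != 0;
}

// Build a nullptr-terminated list of n processes (the 3.0.0 approach); returns the head.
inline MethodProcess* build_list(std::vector<MethodProcess>& storage, std::size_t n) {
    storage.assign(n, MethodProcess{});
    for (std::size_t i = 0; i < n; ++i) {
        storage[i].m_id = i;
        storage[i].m_next = (i + 1 < n) ? &storage[i + 1] : nullptr;
    }
    return n ? &storage[0] : nullptr;
}

// Walk the list; the terminator is nullptr, so next_runnable() never casts a sentinel.
inline std::size_t count_runnable(const MethodProcess* head) {
    std::size_t n = 0;
    for (const MethodProcess* p = head; p != nullptr; p = p->next_runnable()) ++n;
    return n;
}

// Convenience wrapper: build a list of n nodes and count it in one call.
inline std::size_t count_list_of(std::size_t n) {
    std::vector<MethodProcess> storage;
    return count_runnable(build_list(storage, n));
}
```

Compiling this with -fsanitize=undefined and calling next_runnable() on a node whose m_next holds legacy_end_marker() reproduces the "downcast of misaligned address 0x0000000000db" report; the nullptr-terminated list runs clean.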

derchr commented 6 months ago

I can confirm that the issue has been fixed with 3.0.0. Thanks all!