nasa / osal

The Core Flight System (cFS) Operating System Abstraction Layer (OSAL)
Apache License 2.0

coverage-vxworks-timebase: potential bug in the test implementation reported by Clang Address Sanitizer on macOS #1163

Open stanislaw opened 3 years ago

stanislaw commented 3 years ago

Describe the bug

When the Address Sanitizer is enabled in macOS / clang, I get the following error in the OS_VxWorks_TimeBaseAPI_Impl_Init test. The reproducibility is 100%.

There are two more issues found using Address Sanitizer. I have linked them to this ticket in the form of a comment.

17/75 Test #17: coverage-vxworks-timebase .........Subprocess aborted***Exception:   0.32 sec

[BEGIN] UNIT TEST

[BEGIN] 01 SETUP
[  END] No test cases

[BEGIN] 01 OS_VxWorks_TimeBaseAPI_Impl_Init
=================================================================
==32782==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001018062b8 at pc 0x000101860845 bp 0x7ffeee4446e0 sp 0x7ffeee443ea8
WRITE of size 480 at 0x0001018062b8 thread T0
    #0 0x101860844 in __asan_memset+0xf4 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x46844)
    #1 0x1017c238b in Osapi_Test_Setup+0x6b (coverage-vxworks-timebase-testrunner:x86_64+0x10000738b)
    #2 0x1017de8c7 in UtTest_Run+0x237 (coverage-vxworks-timebase-testrunner:x86_64+0x1000238c7)
    #3 0x1017d79a8 in OS_Application_Run+0x8 (coverage-vxworks-timebase-testrunner:x86_64+0x10001c9a8)
    #4 0x1017df318 in main+0x178 (coverage-vxworks-timebase-testrunner:x86_64+0x100024318)
    #5 0x7fff20404f3c in start+0x0 (libdyld.dylib:x86_64+0x15f3c)

0x0001018062b8 is located 40 bytes to the left of global variable 'OS_stub_timecb_table' defined in '/Users/stanislaw/workspace/projects/code/osal/src/unit-test-coverage/ut-stubs/src/osapi-shared-idmap-table-stubs.c:42:20' (0x1018062e0) of size 240
0x0001018062b8 is located 0 bytes to the right of global variable 'OS_stub_timebase_table' defined in '/Users/stanislaw/workspace/projects/code/osal/src/unit-test-coverage/ut-stubs/src/osapi-shared-idmap-table-stubs.c:41:20' (0x101806240) of size 120
SUMMARY: AddressSanitizer: global-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x46844) in __asan_memset+0xf4
Shadow bytes around the buggy address:
  0x100020300c00: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9
  0x100020300c10: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020300c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020300c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9
  0x100020300c40: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x100020300c50: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 00 00 00
  0x100020300c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020300c70: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x100020300c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020300c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100020300ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==32782==ABORTING

To Reproduce

Enable Address Sanitizer in the root CMakeLists.txt.

add_compile_options("-fsanitize=address")
add_link_options("-fsanitize=address")

#add_compile_options("-fsanitize=thread")
#add_link_options("-fsanitize=thread")

#add_compile_options("-fsanitize=undefined")
#add_link_options("-fsanitize=undefined")

Run the tests, including the

Expected behavior

I suspect a memory management error that needs to be investigated. When the issue is fixed, the Address Sanitizer should report no issues.

Code

System observed on:

Additional context

Reporter Info

Stanislav Pankevich (Personal contribution)
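As an added illustration (not OSAL code, and not a claim about the actual root cause, which this thread has not established) of the pattern the ASan report above describes: a 480-byte memset whose range ends 0 bytes past a 120-byte global stub table. The entry type, names and the capacity of five entries are constructed; the hardened reset derives its length from the object itself and rejects a mismatched count instead of writing into the redzone.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a unit-test stub table: 5 entries of 24 bytes,
 * 120 bytes in total, the size ASan reported for OS_stub_timebase_table. */
#define STUB_TABLE_ENTRIES 5u

typedef struct {
    uint32_t id;
    uint32_t flags;
    uint64_t interval_us;
    uint64_t expire_us;
} stub_entry_t;                     /* 24 bytes on common 64-bit ABIs */

static stub_entry_t stub_table[STUB_TABLE_ENTRIES];

/* Catch a layout drift at compile time rather than at test run time. */
_Static_assert(sizeof(stub_table) == 120, "stub table size changed");

/* Bug pattern: the caller passes the entry count it believes the table has.
 * With entries == 20 this is a 480-byte write into a 120-byte object, which
 * is exactly what ASan flags as a global-buffer-overflow. */
void stub_table_reset_unchecked(size_t entries)
{
    memset(stub_table, 0, entries * sizeof(stub_table[0]));
}

/* Real capacity of the table, derived from the object, not from a macro
 * that may disagree with the configuration the test was built against. */
size_t stub_table_capacity(void)
{
    return sizeof(stub_table) / sizeof(stub_table[0]);
}

/* Hardened form: the memset length is sizeof(stub_table), and a caller that
 * expects more entries than the stub declares gets -1 instead of an
 * out-of-bounds write. Returns 0 when the expectation matches. */
int stub_table_reset_checked(size_t expected_entries)
{
    if (expected_entries > stub_table_capacity())
        return -1;                  /* size mismatch: fail loudly */
    memset(stub_table, 0, sizeof(stub_table));
    return 0;
}
```

Building this with the `-fsanitize=address` options quoted in the reproduction steps and calling the unchecked reset with 20 entries reproduces the same class of report; the checked reset returns -1 for that input and never touches memory outside the table.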

stanislaw commented 3 years ago

Adding two more Address Sanitizer issues without opening more tickets for now:

69/75 Test #69: timer-test ........................Subprocess aborted***Exception:   0.36 sec

[BEGIN] UNIT TEST

[BEGIN] 01 SETUP
[  END] No test cases

[BEGIN] 01 TimerTest
[ PASS] 01.001 timer-test.c:97 - Timer Test Task Created RC=0
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9920==ERROR: AddressSanitizer: stack-overflow on address 0x70000e6810d8 (pc 0x0001061b2adc bp 0x70000e68ec70 sp 0x70000e6810e0 T2)
    #0 0x1061b2adc in __lsan::DisableInThisThread()+0x1c (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x73adc)
    #1 0x1061815db in wrap_pthread_create+0xab (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x425db)
    #2 0x1060e974f in OS_Posix_InternalTaskCreate_Impl+0x46f (timer-test:x86_64+0x10002d74f)
    #3 0x1060eb861 in OS_TimeBaseCreate_Impl+0x281 (timer-test:x86_64+0x10002f861)
    #4 0x1060dd9f4 in OS_TimeBaseCreate+0x4a4 (timer-test:x86_64+0x1000219f4)
    #5 0x1060e0a8c in OS_TimerCreate+0x2ac (timer-test:x86_64+0x100024a8c)
    #6 0x1060bf4f6 in TimerTestTask+0x266 (timer-test:x86_64+0x1000034f6)
    #7 0x1060db81a in OS_TaskEntryPoint+0x14a (timer-test:x86_64+0x10001f81a)
    #8 0x1060ea096 in OS_PthreadTaskEntry+0x176 (timer-test:x86_64+0x10002e096)
    #9 0x7fff203e98fb in _pthread_start+0xdf (libsystem_pthread.dylib:x86_64+0x68fb)
    #10 0x7fff203e5442 in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x2442)

SUMMARY: AddressSanitizer: stack-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x73adc) in __lsan::DisableInThisThread()+0x1c
Thread T2 created by T0 here:
    #0 0x10618158a in wrap_pthread_create+0x5a (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4258a)
    #1 0x1060e974f in OS_Posix_InternalTaskCreate_Impl+0x46f (timer-test:x86_64+0x10002d74f)
    #2 0x1060e9d8c in OS_TaskCreate_Impl+0x2ec (timer-test:x86_64+0x10002dd8c)
    #3 0x1060dc26f in OS_TaskCreate+0x4df (timer-test:x86_64+0x10002026f)
    #4 0x1060bf1c3 in TimerTestSetup+0x123 (timer-test:x86_64+0x1000031c3)
    #5 0x1060c53e7 in UtTest_Run+0x237 (timer-test:x86_64+0x1000093e7)
    #6 0x1060c3828 in OS_Application_Run+0x8 (timer-test:x86_64+0x100007828)
    #7 0x1060fe9d8 in main+0x178 (timer-test:x86_64+0x1000429d8)
    #8 0x7fff20404f3c in start+0x0 (libdyld.dylib:x86_64+0x15f3c)

==9920==ABORTING

62/75 Test #62: queue-test ........................Subprocess aborted***Exception:  11.40 sec

[BEGIN] UNIT TEST

[BEGIN] 01 SETUP
[  END] No test cases

[BEGIN] 01 QueueTimeoutTest
[ PASS] 01.001 queue-test.c:147 - MsgQ create Id=20001 Rc=0
[ PASS] 01.002 queue-test.c:154 - Task 1 create Id=10001 Rc=0
Starting task 1
Delay for 1 second before starting
[ PASS] 01.003 queue-test.c:160 - Timer 1 create Id=90001 Rc=0
[ INFO] queue-test.c:161:Timer Accuracy = 10000 microseconds
[ PASS] 01.004 queue-test.c:167 - Timer 1 set Rc=0
TASK 1: Timeout on Queue! Timer counter = 20
TASK 1: Timeout on Queue! Timer counter = 30
TASK 1: Timeout on Queue! Timer counter = 40
TASK 1: Timeout on Queue! Timer counter = 50
TASK 1: Timeout on Queue! Timer counter = 60
TASK 1: Timeout on Queue! Timer counter = 70
TASK 1: Timeout on Queue! Timer counter = 80
TASK 1: Timeout on Queue! Timer counter = 90
[ PASS] 01.005 queue-test.c:113 - Timer delete Rc=0
[ PASS] 01.006 queue-test.c:115 - Task 1 delete Rc=0
[ PASS] 01.007 queue-test.c:117 - Queue 1 delete Rc=0
[ PASS] 01.008 queue-test.c:120 - Task 1 failures = 0
[ PASS] 01.009 queue-test.c:126 - Task 1 messages = 0
[ PASS] 01.010 queue-test.c:130 - Task 1 timeouts 8 <= 10
[ PASS] 01.011 queue-test.c:134 - Task 1 timeouts 8 >= 6
[  END] 01 QueueTimeoutTest     TOTAL::11    PASS::11    FAIL::0     MIR::0     TSF::0     TTF::0     WARN::0

[BEGIN] 02 QueueMessageCheck
[ PASS] 02.001 queue-test.c:207 - MsgQ create Id=20002 Rc=0
[ PASS] 02.002 queue-test.c:214 - Task 1 create Id=10002 Rc=0
Starting task 1
Delay for 1 second before starting
[ PASS] 02.003 queue-test.c:220 - Timer 1 create Id=90002 Rc=0
[ INFO] queue-test.c:221:Timer Accuracy = 10000 microseconds
[ PASS] 02.004 queue-test.c:227 - Timer 1 set Rc=0
[ PASS] 02.005 queue-test.c:240 - OS Queue Put Rc=0
[ PASS] 02.006 queue-test.c:240 - OS Queue Put Rc=0
[ PASS] 02.007 queue-test.c:240 - OS Queue Put Rc=0
[ PASS] 02.008 queue-test.c:240 - OS Queue Put Rc=0
[ PASS] 02.009 queue-test.c:240 - OS Queue Put Rc=0
[ PASS] 02.010 queue-test.c:240 - OS Queue Put Rc=0
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9911==ERROR: AddressSanitizer: stack-overflow on address 0x700004583e38 (pc 0x00010c79cc70 bp 0x700004584680 sp 0x700004583e40 T6)
    #0 0x10c79cc70 in wrap_memmove+0xc0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1cc70)
    #1 0x7fff202fa098 in __sfvwrite+0x15a (libsystem_c.dylib:x86_64+0x3c098)
    #2 0x7fff20302e2b in __vfprintf+0x2d69 (libsystem_c.dylib:x86_64+0x44e2b)
    #3 0x7fff20327964 in __v2printf+0x1d4 (libsystem_c.dylib:x86_64+0x69964)
    #4 0x7fff2030da34 in _vsnprintf+0x19a (libsystem_c.dylib:x86_64+0x4fa34)
    #5 0x7fff2030dadb in vsnprintf+0x43 (libsystem_c.dylib:x86_64+0x4fadb)
    #6 0x10c7a3a7a in wrap_vsnprintf+0xaa (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x23a7a)
    #7 0x10c7a44c5 in wrap_snprintf+0xa5 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x244c5)
    #8 0x10c700699 in UtAssert_DoReport+0x2b9 (queue-test:x86_64+0x100005699)
    #9 0x10c701615 in UtAssertEx+0x3a5 (queue-test:x86_64+0x100006615)
    #10 0x10c6fe530 in task_1+0x350 (queue-test:x86_64+0x100003530)
    #11 0x10c71b42a in OS_TaskEntryPoint+0x14a (queue-test:x86_64+0x10002042a)
    #12 0x10c729ca6 in OS_PthreadTaskEntry+0x176 (queue-test:x86_64+0x10002eca6)
    #13 0x7fff203e98fb in _pthread_start+0xdf (libsystem_pthread.dylib:x86_64+0x68fb)
    #14 0x7fff203e5442 in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x2442)

SUMMARY: AddressSanitizer: stack-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1cc70) in wrap_memmove+0xc0
Thread T6 created by T0 here:
    #0 0x10c7c258a in wrap_pthread_create+0x5a (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4258a)
    #1 0x10c72935f in OS_Posix_InternalTaskCreate_Impl+0x46f (queue-test:x86_64+0x10002e35f)
    #2 0x10c72999c in OS_TaskCreate_Impl+0x2ec (queue-test:x86_64+0x10002e99c)
    #3 0x10c71be7f in OS_TaskCreate+0x4df (queue-test:x86_64+0x100020e7f)
    #4 0x10c6ffe6b in QueueMessageSetup+0x3ab (queue-test:x86_64+0x100004e6b)
    #5 0x10c7050e7 in UtTest_Run+0x237 (queue-test:x86_64+0x10000a0e7)
    #6 0x10c703528 in OS_Application_Run+0x8 (queue-test:x86_64+0x100008528)
    #7 0x10c73d9b8 in main+0x178 (queue-test:x86_64+0x1000429b8)
    #8 0x7fff20404f3c in start+0x0 (libdyld.dylib:x86_64+0x15f3c)

==9911==ABORTING

skliper commented 3 years ago

Thanks for the report! Running the code through an address sanitizer has been a recent topic... it'd be nice to get it in CI at some point and/or at least have a triggerable workflow.