[PATCH 0/5] building git with clang/gcc address sanitizer

[PATCH 0/5] building git with clang/gcc address sanitizer

[Jeff King]

I mentioned recently that I sometimes run the test suite with ASan, so
here are a few tweaks to make this easier (most of which I've been
carrying in my personal config.mak for a few years).

In my experience ASan does at least as well as valgrind at finding
memory bugs, and runs way faster. With this series, running:

  make SANITIZE=address test

takes about 4.5 minutes on my machine. A normal build+test is about 1.5
minutes on the same machine. I haven't timed a full run with --valgrind
recently, but I know that it is much much slower. :)

If you want to see it in action, you can do:

  make SANITIZE=address
  ./git log -g HEAD HEAD >/dev/null

which finds a bug I recently fixed (but the fix isn't in master yet).

There are other sanitizers, too. I _thought_ I had

  make SANITIZE=undefined test

running cleanly at one point, but it's definitely not clean now. Patch 5
helps a little by disabling unaligned loads in our get_be32() macros.
Once upon a time I had to set INTERNAL_QSORT, but it isn't necessary
anymore since everything goes through sane_qsort(). Most of the
remaining bugs are of a similar form, doing something like:

  memcpy(NULL, NULL, 0);

I don't know if it's worth having a sane_memcpy() there, or simply
tweaking the code to avoid the call (almost all of them are a single
call from apply.c:2870).

It looks like we also have a case of shifting off the left side of a
signed int, which is undefined.

You can also try:

  make SANITIZE=thread test

but it's not clean. I poked at some of the errors, and I don't think
there a problem in practice (though they may be worth cleaning up in the
name of code hygiene).

There's also:

  make SANITIZE=memory test

This is clang-only. It's supposed to find uses of uninitialized memory.
But it complains about writing out anything that zlib has touched. I
seem to recall that valgrind had a similar problem. I'm not sure what
zlib does to confuse these analyzers. For valgrind we were able to add a
suppression. We could probably do the same here, but I haven't looked
into it.

  [1/5]: test-lib: set ASAN_OPTIONS variable before we run git
  [2/5]: test-lib: turn on ASan abort_on_error by default
  [3/5]: Makefile: add helper for compiling with -fsanitize
  [4/5]: Makefile: turn off -fomit-frame-pointer with sanitizers
  [5/5]: Makefile: disable unaligned loads with UBSan

 Makefile      |  8 ++++++++
 t/test-lib.sh | 11 ++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

-Peff

[PATCH 1/5] test-lib: set ASAN_OPTIONS variable before we run git

[Jeff King]

We turn off ASan's leak detection by default in the test
suite because it's too noisy. But we don't do so until
part-way through test-lib. This is before we've run any
tests, but after we do our initial "./git" to see if the
binary has even been built.

When built with clang, this seems to work fine. However,
using "gcc -fsanitize=address", the leak checker seems to
complain more aggressively:

  $ ./git
  ...
  ==5352==ERROR: LeakSanitizer: detected memory leaks
  Direct leak of 2 byte(s) in 1 object(s) allocated from:
      #0 0x7f120e7afcf8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1cf8)
      #1 0x559fc2a3ce41 in do_xmalloc /home/peff/compile/git/wrapper.c:60
      #2 0x559fc2a3cf1a in do_xmallocz /home/peff/compile/git/wrapper.c:100
      #3 0x559fc2a3d0ad in xmallocz /home/peff/compile/git/wrapper.c:108
      #4 0x559fc2a3d0ad in xmemdupz /home/peff/compile/git/wrapper.c:124
      #5 0x559fc2a3d0ad in xstrndup /home/peff/compile/git/wrapper.c:130
      #6 0x559fc274535a in main /home/peff/compile/git/common-main.c:39
      #7 0x7f120dabd2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

This is a leak in the sense that we never free it, but it's
in a global that is meant to last the whole program. So it's
not really interesting or in need of fixing. And at any
rate, mentioning leaks outside of the test_expect blocks is
certainly unwelcome, as it pollutes stderr.

Let's bump the setting of ASAN_OPTIONS higher in test-lib.sh
to catch our initial "can we even run git?" test.  While
we're at it, we can add a comment to make it a bit less
inscrutable.

Signed-off-by: Jeff King <peff@peff.net>
---
 t/test-lib.sh | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/t/test-lib.sh b/t/test-lib.sh
index 2306574dc..961194a50 100644
--- a/t/test-lib.sh
+++ b/t/test-lib.sh
@@ -36,6 +36,14 @@ then
 fi
 GIT_BUILD_DIR="$TEST_DIRECTORY"/..
 
+# If we were built with ASAN, it may complain about leaks
+# of program-lifetime variables. Disable it by default to lower
+# the noise level. This needs to happen at the start of the script,
+# before we even do our "did we build git yet" check (since we don't
+# want that one to complain to stderr).
+: ${ASAN_OPTIONS=detect_leaks=0}
+export ASAN_OPTIONS
+
 ################################################################
 # It appears that people try to run tests without building...
 "$GIT_BUILD_DIR/git" >/dev/null
@@ -148,9 +156,6 @@ else
 	}
 fi
 
-: ${ASAN_OPTIONS=detect_leaks=0}
-export ASAN_OPTIONS
-
 # Protect ourselves from common misconfiguration to export
 # CDPATH into the environment
 unset CDPATH
-- 
2.13.2.1071.gcd8104b61

[PATCH 2/5] test-lib: turn on ASan abort_on_error by default

[Jeff King]

By default, ASan will exit with code 1 when it sees an
error. This means we'll notice a problem when we expected
git to succeed, but not in a test_must_fail block.

Let's ask it to actually raise SIGABRT instead. That will
give us a signal death that test_must_fail will notice. As a
bonus, it may also leave a coredump, which can be handy for
digging into a failure.

Signed-off-by: Jeff King <peff@peff.net>
---
 t/test-lib.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/t/test-lib.sh b/t/test-lib.sh
index 961194a50..1b6e53f78 100644
--- a/t/test-lib.sh
+++ b/t/test-lib.sh
@@ -41,7 +41,7 @@ GIT_BUILD_DIR="$TEST_DIRECTORY"/..
 # the noise level. This needs to happen at the start of the script,
 # before we even do our "did we build git yet" check (since we don't
 # want that one to complain to stderr).
-: ${ASAN_OPTIONS=detect_leaks=0}
+: ${ASAN_OPTIONS=detect_leaks=0:abort_on_error=1}
 export ASAN_OPTIONS
 
 ################################################################
-- 
2.13.2.1071.gcd8104b61

Re: [PATCH 2/5] test-lib: turn on ASan abort_on_error by default

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> By default, ASan will exit with code 1 when it sees an
> error. This means we'll notice a problem when we expected
> git to succeed, but not in a test_must_fail block.
>
> Let's ask it to actually raise SIGABRT instead. That will
> give us a signal death that test_must_fail will notice. As a
> bonus, it may also leave a coredump, which can be handy for
> digging into a failure.

Well thought-out.  Thanks.

> Signed-off-by: Jeff King <peff@peff.net>
> ---
>  t/test-lib.sh | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/t/test-lib.sh b/t/test-lib.sh
> index 961194a50..1b6e53f78 100644
> --- a/t/test-lib.sh
> +++ b/t/test-lib.sh
> @@ -41,7 +41,7 @@ GIT_BUILD_DIR="$TEST_DIRECTORY"/..
>  # the noise level. This needs to happen at the start of the script,
>  # before we even do our "did we build git yet" check (since we don't
>  # want that one to complain to stderr).
> -: ${ASAN_OPTIONS=detect_leaks=0}
> +: ${ASAN_OPTIONS=detect_leaks=0:abort_on_error=1}
>  export ASAN_OPTIONS
>  
>  ################################################################

[PATCH 3/5] Makefile: add helper for compiling with -fsanitize

[Jeff King]

You can already build and test with ASan by doing:

  make CFLAGS=-fsanitize=address test

but there are a few slight annoyances:

  1. It's a little long to type.

  2. It override your CFLAGS completely. You'd probably
     still want -O2, for instance.

  3. It's a good idea to also turn off "recovery", which
     lets the program keep running after a problem is
     detected (with the intention of finding as many bugs as
     possible in a given run). Since Git's test suite should
     generally run without triggering any problems, it's
     better to abort immediately and fail the test when we
     do find an issue.

With this patch, all of that happens automatically when you
run:

  make SANITIZE=address test

Signed-off-by: Jeff King <peff@peff.net>
---
 Makefile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Makefile b/Makefile
index 9c9c42f8f..59f6bdcd7 100644
--- a/Makefile
+++ b/Makefile
@@ -1012,6 +1012,10 @@ ifdef DEVELOPER
 CFLAGS += $(DEVELOPER_CFLAGS)
 endif
 
+ifdef SANITIZE
+BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
+endif
+
 ifndef sysconfdir
 ifeq ($(prefix),/usr)
 sysconfdir = /etc
-- 
2.13.2.1071.gcd8104b61

Re: [PATCH 3/5] Makefile: add helper for compiling with -fsanitize

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> You can already build and test with ASan by doing:
>
>   make CFLAGS=-fsanitize=address test
>
> but there are a few slight annoyances:
>
>   1. It's a little long to type.
>
>   2. It override your CFLAGS completely. You'd probably
>      still want -O2, for instance.
>
>   3. It's a good idea to also turn off "recovery", which
>      lets the program keep running after a problem is
>      detected (with the intention of finding as many bugs as
>      possible in a given run). Since Git's test suite should
>      generally run without triggering any problems, it's
>      better to abort immediately and fail the test when we
>      do find an issue.

Unfortunately I do not think Comparing between versions in
https://gcc.gnu.org/onlinedocs, it appears that -fsanitize-recover
is not configurable for folks still with GCC 4.x series, and this
patch is not very useful unless you disable the recovery for the
purpose of running our tests as you said X-<.

> With this patch, all of that happens automatically when you
> run:
>
>   make SANITIZE=address test
>
> Signed-off-by: Jeff King <peff@peff.net>
> ---
>  Makefile | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/Makefile b/Makefile
> index 9c9c42f8f..59f6bdcd7 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1012,6 +1012,10 @@ ifdef DEVELOPER
>  CFLAGS += $(DEVELOPER_CFLAGS)
>  endif
>  
> +ifdef SANITIZE
> +BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
> +endif
> +
>  ifndef sysconfdir
>  ifeq ($(prefix),/usr)
>  sysconfdir = /etc

Re: [PATCH 3/5] Makefile: add helper for compiling with -fsanitize

[Jeff King]

On Mon, Jul 10, 2017 at 10:35:24AM -0700, Junio C Hamano wrote:

> Jeff King <peff@peff.net> writes:
> 
> > You can already build and test with ASan by doing:
> >
> >   make CFLAGS=-fsanitize=address test
> >
> > but there are a few slight annoyances:
> >
> >   1. It's a little long to type.
> >
> >   2. It override your CFLAGS completely. You'd probably
> >      still want -O2, for instance.
> >
> >   3. It's a good idea to also turn off "recovery", which
> >      lets the program keep running after a problem is
> >      detected (with the intention of finding as many bugs as
> >      possible in a given run). Since Git's test suite should
> >      generally run without triggering any problems, it's
> >      better to abort immediately and fail the test when we
> >      do find an issue.
> 
> Unfortunately I do not think Comparing between versions in
> https://gcc.gnu.org/onlinedocs, it appears that -fsanitize-recover
> is not configurable for folks still with GCC 4.x series, and this
> patch is not very useful unless you disable the recovery for the
> purpose of running our tests as you said X-<.

I didn't actually dig into the history of gcc support at all. Back in
the 4.x time-frame I tried using ASan and couldn't get it to work at
all. I ended up just always building with clang (which from my
mostly-ignorant view seems to to be the primary platform for ASan
development).

Since this is an optional build that doesn't need to be available
everywhere, I'd actually be fine with saying "just use clang". But as
far as I can tell, gcc seems to work fine these days. I consider this
mostly a best-effort tool.

I'm also not sure of the behavior without -fno-sanitize-recover. I think
ASan may barf either way. The commit message for my config.mak from a
year or two ago claims that the problem was actually with UBSan. It
would be useful in the long run for that to work, too.

-Peff

Re: [PATCH 3/5] Makefile: add helper for compiling with -fsanitize

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> On Mon, Jul 10, 2017 at 10:35:24AM -0700, Junio C Hamano wrote:
>
>> Jeff King <peff@peff.net> writes:
>> 
>> > You can already build and test with ASan by doing:
>> >
>> >   make CFLAGS=-fsanitize=address test
>> >
>> > but there are a few slight annoyances:
>> >
>> >   1. It's a little long to type.
>> >
>> >   2. It override your CFLAGS completely. You'd probably
>> >      still want -O2, for instance.
>> >
>> >   3. It's a good idea to also turn off "recovery", which
>> >      lets the program keep running after a problem is
>> >      detected (with the intention of finding as many bugs as
>> >      possible in a given run). Since Git's test suite should
>> >      generally run without triggering any problems, it's
>> >      better to abort immediately and fail the test when we
>> >      do find an issue.
>> 
>> Unfortunately I do not think Comparing between versions in
>> https://gcc.gnu.org/onlinedocs, it appears that -fsanitize-recover
>> is not configurable for folks still with GCC 4.x series, and this
>> patch is not very useful unless you disable the recovery for the
>> purpose of running our tests as you said X-<.
>
> I didn't actually dig into the history of gcc support at all. Back in
> the 4.x time-frame I tried using ASan and couldn't get it to work at
> all. I ended up just always building with clang (which from my
> mostly-ignorant view seems to to be the primary platform for ASan
> development).
>
> Since this is an optional build that doesn't need to be available
> everywhere, I'd actually be fine with saying "just use clang". But as
> far as I can tell, gcc seems to work fine these days. I consider this
> mostly a best-effort tool.
>
> I'm also not sure of the behavior without -fno-sanitize-recover. I think
> ASan may barf either way. The commit message for my config.mak from a
> year or two ago claims that the problem was actually with UBSan. It
> would be useful in the long run for that to work, too.

Yes.  I'd agree with all of the above.  While copyediting my
response, I somehow ended up removing one paragraph before that
"Unfortunately" by accident X-<, but the paragraph said essentially
the same "this is optional so it is a strict improvement, and I do
agree recovery must be disabled to be useful in our context".

Sorry for a possible confusion.

Re: [PATCH 3/5] Makefile: add helper for compiling with -fsanitize

[Ramsay Jones]

On 10/07/17 18:44, Jeff King wrote:
> On Mon, Jul 10, 2017 at 10:35:24AM -0700, Junio C Hamano wrote:
> 
>> Jeff King <peff@peff.net> writes:
>>
>>> You can already build and test with ASan by doing:
>>>
>>>   make CFLAGS=-fsanitize=address test
>>>
>>> but there are a few slight annoyances:
>>>
>>>   1. It's a little long to type.
>>>
>>>   2. It override your CFLAGS completely. You'd probably
>>>      still want -O2, for instance.
>>>
>>>   3. It's a good idea to also turn off "recovery", which
>>>      lets the program keep running after a problem is
>>>      detected (with the intention of finding as many bugs as
>>>      possible in a given run). Since Git's test suite should
>>>      generally run without triggering any problems, it's
>>>      better to abort immediately and fail the test when we
>>>      do find an issue.
>>
>> Unfortunately I do not think Comparing between versions in
>> https://gcc.gnu.org/onlinedocs, it appears that -fsanitize-recover
>> is not configurable for folks still with GCC 4.x series, and this
>> patch is not very useful unless you disable the recovery for the
>> purpose of running our tests as you said X-<.
> 
> I didn't actually dig into the history of gcc support at all. Back in
> the 4.x time-frame I tried using ASan and couldn't get it to work at
> all. I ended up just always building with clang (which from my
> mostly-ignorant view seems to to be the primary platform for ASan
> development).
> 
> Since this is an optional build that doesn't need to be available
> everywhere, I'd actually be fine with saying "just use clang". But as
> far as I can tell, gcc seems to work fine these days. I consider this
> mostly a best-effort tool.
> 
> I'm also not sure of the behavior without -fno-sanitize-recover. I think
> ASan may barf either way. The commit message for my config.mak from a
> year or two ago claims that the problem was actually with UBSan. It
> would be useful in the long run for that to work, too.

Just FYI, I had a quick look at this tonight. I applied your
patches to master, the tried 'make SANITIZE=address test', which
worked fine. I then tried 'make SANITIZE=undefined test' and I had
to control+C it after nearly two hours on one test! ;-) (somewhere
in the t4xxx - unfortunately I overwrote the output file without
thinking).

[BTW I am on Linux Mint 18.2 x86_64, gcc version 5.4.0]

After a quick look at the ./t0000-basic.sh test, I managed to get
the test to complete (with 15 tests failing), with the following
patch applied:

-- >8 --
diff --git a/Makefile b/Makefile
index 3c341b2a6..8e6433738 100644
--- a/Makefile
+++ b/Makefile
@@ -1016,7 +1016,7 @@ ifdef SANITIZE
 BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
 BASIC_CFLAGS += -fno-omit-frame-pointer
 ifeq ($(SANITIZE),undefined)
-BASIC_CFLAGS += -DNO_UNALIGNED_LOADS
+BASIC_CFLAGS += -DNO_UNALIGNED_LOADS -DSHA1DC_FORCE_ALIGNED_ACCESS
 endif
 endif
 
diff --git a/sha1dc/sha1.c b/sha1dc/sha1.c
index 25eded139..3baddc636 100644
--- a/sha1dc/sha1.c
+++ b/sha1dc/sha1.c
@@ -118,6 +118,10 @@
 #define SHA1DC_ALLOW_UNALIGNED_ACCESS
 #endif /*UNALIGNMENT DETECTION*/
 
+#if defined(SHA1DC_ALLOW_UNALIGNED_ACCESS) && defined(SHA1DC_FORCE_ALIGNED_ACCESS)
+#undef SHA1DC_ALLOW_UNALIGNED_ACCESS
+#endif
+
 
 #define rotate_right(x,n) (((x)>>(n))|((x)<<(32-(n))))
 #define rotate_left(x,n)  (((x)<<(n))|((x)>>(32-(n))))
--------

Hmm, hopefully that is not whitespace damaged.

ATB,
Ramsay Jones

Re: [PATCH 3/5] Makefile: add helper for compiling with -fsanitize

[Jeff King]

On Mon, Jul 10, 2017 at 09:02:24PM +0100, Ramsay Jones wrote:

> After a quick look at the ./t0000-basic.sh test, I managed to get
> the test to complete (with 15 tests failing), with the following
> patch applied:
> 
> -- >8 --
> diff --git a/Makefile b/Makefile
> index 3c341b2a6..8e6433738 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1016,7 +1016,7 @@ ifdef SANITIZE
>  BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
>  BASIC_CFLAGS += -fno-omit-frame-pointer
>  ifeq ($(SANITIZE),undefined)
> -BASIC_CFLAGS += -DNO_UNALIGNED_LOADS
> +BASIC_CFLAGS += -DNO_UNALIGNED_LOADS -DSHA1DC_FORCE_ALIGNED_ACCESS
>  endif
>  endif

Thanks, I forgot to mention SHA1DC. When I had originally tested with
"undefined", it was before we had SHA1DC. I hacked around it earlier
today by just using OPENSSL_SHA1. ;)

I agree if we can ask it to avoid unaligned access that is even better.

> diff --git a/sha1dc/sha1.c b/sha1dc/sha1.c
> index 25eded139..3baddc636 100644
> --- a/sha1dc/sha1.c
> +++ b/sha1dc/sha1.c
> @@ -118,6 +118,10 @@
>  #define SHA1DC_ALLOW_UNALIGNED_ACCESS
>  #endif /*UNALIGNMENT DETECTION*/
>  
> +#if defined(SHA1DC_ALLOW_UNALIGNED_ACCESS) && defined(SHA1DC_FORCE_ALIGNED_ACCESS)
> +#undef SHA1DC_ALLOW_UNALIGNED_ACCESS
> +#endif

I think our current strategy is to avoid touching sha1.c as much as
possible. I think we'd prefer a patch to the upstream project to support
FORCE_ALIGNED_ACCESS (unfortunately I do not see a way to tweak it using
only external defines.

-Peff

[PATCH 4/5] Makefile: turn off -fomit-frame-pointer with sanitizers

[Jeff King]

The ASan manual recommends disabling this optimization, as
it can make the backtraces produced by the tool harder to
follow (and since this is a test-debug build, we don't care
about squeezing out every last drop of performance).

Signed-off-by: Jeff King <peff@peff.net>
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index 59f6bdcd7..cc03b3c95 100644
--- a/Makefile
+++ b/Makefile
@@ -1014,6 +1014,7 @@ endif
 
 ifdef SANITIZE
 BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
+BASIC_CFLAGS += -fno-omit-frame-pointer
 endif
 
 ifndef sysconfdir
-- 
2.13.2.1071.gcd8104b61

[PATCH 5/5] Makefile: disable unaligned loads with UBSan

[Jeff King]

The undefined behavior sanitizer complains about unaligned
loads, even if they're OK for a particular platform in
practice. It's possible that they _are_ a problem, of
course, but since it's a known tradeoff the UBSan errors are
just noise.

Let's quiet it automatically by building with
NO_UNALIGNED_LOADS when SANITIZE=undefined is in use.

Signed-off-by: Jeff King <peff@peff.net>
---
 Makefile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Makefile b/Makefile
index cc03b3c95..3c341b2a6 100644
--- a/Makefile
+++ b/Makefile
@@ -1015,6 +1015,9 @@ endif
 ifdef SANITIZE
 BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
 BASIC_CFLAGS += -fno-omit-frame-pointer
+ifeq ($(SANITIZE),undefined)
+BASIC_CFLAGS += -DNO_UNALIGNED_LOADS
+endif
 endif
 
 ifndef sysconfdir
-- 
2.13.2.1071.gcd8104b61

Re: [PATCH 5/5] Makefile: disable unaligned loads with UBSan

[René Scharfe]

Am 10.07.2017 um 15:24 schrieb Jeff King:
> The undefined behavior sanitizer complains about unaligned
> loads, even if they're OK for a particular platform in
> practice. It's possible that they _are_ a problem, of
> course, but since it's a known tradeoff the UBSan errors are
> just noise.
> 
> Let's quiet it automatically by building with
> NO_UNALIGNED_LOADS when SANITIZE=undefined is in use.
> 
> Signed-off-by: Jeff King <peff@peff.net>
> ---
>   Makefile | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/Makefile b/Makefile
> index cc03b3c95..3c341b2a6 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1015,6 +1015,9 @@ endif
>   ifdef SANITIZE
>   BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
>   BASIC_CFLAGS += -fno-omit-frame-pointer
> +ifeq ($(SANITIZE),undefined)
> +BASIC_CFLAGS += -DNO_UNALIGNED_LOADS
> +endif
>   endif
>   
>   ifndef sysconfdir

Nice, but let's be even nicer!

-- >8 --
Subject: [PATCH] Makefile: allow combining UBSan with other sanitizers

Multiple sanitizers can be specified as a comma-separated list.  Set
the flag NO_UNALIGNED_LOADS even if UndefinedBehaviorSanitizer is not
the only sanitizer to build with.

Signed-off-by: Rene Scharfe <l.s.r@web.de>
---
 Makefile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index ba4359ef8d..9b98535a04 100644
--- a/Makefile
+++ b/Makefile
@@ -1022,10 +1022,15 @@ ifdef DEVELOPER
 CFLAGS += $(DEVELOPER_CFLAGS)
 endif
 
+comma := ,
+empty :=
+space := $(empty) $(empty)
+
 ifdef SANITIZE
+SANITIZERS := $(foreach flag,$(subst $(comma),$(space),$(SANITIZE)),$(flag))
 BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
 BASIC_CFLAGS += -fno-omit-frame-pointer
-ifeq ($(SANITIZE),undefined)
+ifneq ($(filter undefined,$(SANITIZERS)),)
 BASIC_CFLAGS += -DNO_UNALIGNED_LOADS
 endif
 endif
-- 
2.13.3

Re: [PATCH 5/5] Makefile: disable unaligned loads with UBSan

[Jeff King]

On Sat, Jul 15, 2017 at 07:18:56PM +0200, René Scharfe wrote:

> -- >8 --
> Subject: [PATCH] Makefile: allow combining UBSan with other sanitizers
> 
> Multiple sanitizers can be specified as a comma-separated list.  Set
> the flag NO_UNALIGNED_LOADS even if UndefinedBehaviorSanitizer is not
> the only sanitizer to build with.

Nice, I didn't know you could do comma-separation here. ;)

I always just built the various sanitizers separately since I was
testing whether each one worked. But if we can get UBSan to build
cleanly, I agree that "make SANITIZE=address,undefined test" would be a
nice thing to run periodically.

> diff --git a/Makefile b/Makefile
> index ba4359ef8d..9b98535a04 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -1022,10 +1022,15 @@ ifdef DEVELOPER
>  CFLAGS += $(DEVELOPER_CFLAGS)
>  endif
>  
> +comma := ,
> +empty :=
> +space := $(empty) $(empty)
> +
>  ifdef SANITIZE
> +SANITIZERS := $(foreach flag,$(subst $(comma),$(space),$(SANITIZE)),$(flag))
>  BASIC_CFLAGS += -fsanitize=$(SANITIZE) -fno-sanitize-recover=$(SANITIZE)
>  BASIC_CFLAGS += -fno-omit-frame-pointer
> -ifeq ($(SANITIZE),undefined)
> +ifneq ($(filter undefined,$(SANITIZERS)),)

The implementation is convoluted in the way that "make" usually forces
us into. ;)

I would have written it as:

  ifeq ($findstring $(SANITIZERS), undefined), undefined)

but I think your version:

  1. Isn't fooled by superstrings like a potential undefined-foo
     sanitizer.

  2. Handles SANITIZE=undefined,undefined correctly.

Neither are expected, but it doesn't hurt to be a bit more robust.

-Peff

Re: [PATCH 5/5] Makefile: disable unaligned loads with UBSan

[René Scharfe]

Am 16.07.2017 um 12:17 schrieb Jeff King:
> On Sat, Jul 15, 2017 at 07:18:56PM +0200, René Scharfe wrote:
> 
>> -- >8 --
>> Subject: [PATCH] Makefile: allow combining UBSan with other sanitizers
>>
>> Multiple sanitizers can be specified as a comma-separated list.  Set
>> the flag NO_UNALIGNED_LOADS even if UndefinedBehaviorSanitizer is not
>> the only sanitizer to build with.
> 
> Nice, I didn't know you could do comma-separation here. ;)
> 
> I always just built the various sanitizers separately since I was
> testing whether each one worked. But if we can get UBSan to build
> cleanly, I agree that "make SANITIZE=address,undefined test" would be a
> nice thing to run periodically.

There are *some* restrictions: You can only use one of address, memory
and thread, as mentioned here:

http://clang.llvm.org/docs/UsersManual.html#controlling-code-generation

Combining ASan and UBSan works fine.

René

Re: [PATCH 0/5] building git with clang/gcc address sanitizer

[Jeff King]

On Mon, Jul 10, 2017 at 09:24:18AM -0400, Jeff King wrote:

> You can also try:
> 
>   make SANITIZE=thread test
> 
> but it's not clean. I poked at some of the errors, and I don't think
> there a problem in practice (though they may be worth cleaning up in the
> name of code hygiene).

Here's an example that I fixed up long ago, but never quite had the
stomach to seriously propose.

If it were the last one, it might be worth applying to get a clean run
of "make test", but I think it's just one of many.

-- >8 --
Date: Mon, 8 Dec 2014 03:02:34 -0500
Subject: [PATCH] transport-helper: initialize debug flag before starting
 threads

The transport_debug() function uses a static variable to
lazily cache the boolean value of $TRANSPORT_DEBUG. If a
program uses transport-helper's bidirectional_transfer_loop
(as remote-ext and remote-fd do), then two threads may both
try to write the variable at the same time.

We can fix this by initializing the variable right before
starting the threads.

Noticed by "-fsanitize=thread". This probably isn't a
problem in practice, as both threads will write the same
value, and we are unlikely to see a torn write on an "int"
(i.e., on sane platforms a write to an int is atomic).

Signed-off-by: Jeff King <peff@peff.net>
---
 transport-helper.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/transport-helper.c b/transport-helper.c
index 33cff38cc..76f19ddb0 100644
--- a/transport-helper.c
+++ b/transport-helper.c
@@ -1113,17 +1113,23 @@ int transport_helper_init(struct transport *transport, const char *name)
 /* This should be enough to hold debugging message. */
 #define PBUFFERSIZE 8192
 
+static int transport_debug_enabled(void)
+{
+	static int debug_enabled = -1;
+
+	if (debug_enabled < 0)
+		debug_enabled = getenv("GIT_TRANSLOOP_DEBUG") ? 1 : 0;
+	return debug_enabled;
+}
+
 /* Print bidirectional transfer loop debug message. */
 __attribute__((format (printf, 1, 2)))
 static void transfer_debug(const char *fmt, ...)
 {
 	va_list args;
 	char msgbuf[PBUFFERSIZE];
-	static int debug_enabled = -1;
 
-	if (debug_enabled < 0)
-		debug_enabled = getenv("GIT_TRANSLOOP_DEBUG") ? 1 : 0;
-	if (!debug_enabled)
+	if (!transport_debug_enabled())
 		return;
 
 	va_start(args, fmt);
@@ -1292,6 +1298,10 @@ static int tloop_spawnwait_tasks(struct bidirectional_transfer_state *s)
 	pthread_t ptg_thread;
 	int err;
 	int ret = 0;
+
+	/* initialize static global debug flag as a side effect */
+	transport_debug_enabled();
+
 	err = pthread_create(&gtp_thread, NULL, udt_copy_task_routine,
 		&s->gtp);
 	if (err)
-- 
2.13.2.1071.gcd8104b61

Re: [PATCH 0/5] building git with clang/gcc address sanitizer

[Lars Schneider]

> On 10 Jul 2017, at 15:24, Jeff King <peff@peff.net> wrote:
> 
> I mentioned recently that I sometimes run the test suite with ASan, so
> here are a few tweaks to make this easier (most of which I've been
> carrying in my personal config.mak for a few years).
> 
> In my experience ASan does at least as well as valgrind at finding
> memory bugs, and runs way faster. With this series, running:
> 
>  make SANITIZE=address test
> 
> takes about 4.5 minutes on my machine. A normal build+test is about 1.5
> minutes on the same machine. I haven't timed a full run with --valgrind
> recently, but I know that it is much much slower. :)
> 
> If you want to see it in action, you can do:
> 
>  make SANITIZE=address
>  ./git log -g HEAD HEAD >/dev/null
> 
> which finds a bug I recently fixed (but the fix isn't in master yet).

Do you think it would make sense to run these sanitizers on TravisCI
to ensure they keep clean? If yes, should we run only "address" or all
of them (if they run clean)?

- Lars


> 
> There are other sanitizers, too. I _thought_ I had
> 
>  make SANITIZE=undefined test
> 
> running cleanly at one point, but it's definitely not clean now. Patch 5
> helps a little by disabling unaligned loads in our get_be32() macros.
> Once upon a time I had to set INTERNAL_QSORT, but it isn't necessary
> anymore since everything goes through sane_qsort(). Most of the
> remaining bugs are of a similar form, doing something like:
> 
>  memcpy(NULL, NULL, 0);
> 
> I don't know if it's worth having a sane_memcpy() there, or simply
> tweaking the code to avoid the call (almost all of them are a single
> call from apply.c:2870).
> 
> It looks like we also have a case of shifting off the left side of a
> signed int, which is undefined.
> 
> You can also try:
> 
>  make SANITIZE=thread test
> 
> but it's not clean. I poked at some of the errors, and I don't think
> there a problem in practice (though they may be worth cleaning up in the
> name of code hygiene).
> 
> There's also:
> 
>  make SANITIZE=memory test
> 
> This is clang-only. It's supposed to find uses of uninitialized memory.
> But it complains about writing out anything that zlib has touched. I
> seem to recall that valgrind had a similar problem. I'm not sure what
> zlib does to confuse these analyzers. For valgrind we were able to add a
> suppression. We could probably do the same here, but I haven't looked
> into it.
> 
>  [1/5]: test-lib: set ASAN_OPTIONS variable before we run git
>  [2/5]: test-lib: turn on ASan abort_on_error by default
>  [3/5]: Makefile: add helper for compiling with -fsanitize
>  [4/5]: Makefile: turn off -fomit-frame-pointer with sanitizers
>  [5/5]: Makefile: disable unaligned loads with UBSan
> 
> Makefile      |  8 ++++++++
> t/test-lib.sh | 11 ++++++++---
> 2 files changed, 16 insertions(+), 3 deletions(-)
> 
> -Peff

Re: [PATCH 0/5] building git with clang/gcc address sanitizer

[Jeff King]

On Mon, Jul 10, 2017 at 04:40:42PM +0200, Lars Schneider wrote:

> > If you want to see it in action, you can do:
> > 
> >  make SANITIZE=address
> >  ./git log -g HEAD HEAD >/dev/null
> > 
> > which finds a bug I recently fixed (but the fix isn't in master yet).
> 
> Do you think it would make sense to run these sanitizers on TravisCI
> to ensure they keep clean? If yes, should we run only "address" or all
> of them (if they run clean)?

Maybe. It's expensive and it's relatively rare that it catches anything.
I used to run valgrind (which is even more expensive) once every release
or so. This is much cheaper, but I've noticed that the Travis
environment is a lot slower than my laptop. So it might take an hour to
run there, which I think would trigger some timeouts?

I guess the best way is to try it and see. I probably wouldn't do an
ASan run for each environment, but just one Linux ASan run, due to the
CPU expense. (TBH, I think the existing gcc versus clang on both
platforms is already slight overkill. But I guess if we have CPU to
burn, more coverage is better than less).

I think "address" is the only one that runs clean right now. With some
work I think we could get "undefined" to run clean. The others, I'm not
so sure.

Some of them can actually be combined in a single build, but I'd have to
dig into the documentation to see which (I think "thread" and "address"
don't work well together, but "undefined" and "address" might). My
SANITIZE trick doesn't handle multiple entries, but it could probably be
taught to.

-Peff