Hi James,

On 6/30/21 7:23 PM, He Jingxuan wrote:
> Dear findutils developers,
>
> We tested findutils with an automatic tool (based on the symbolic execution
> tool KLEE). 5 test cases triggering UBSan errors were generated. We manually
> checked those test cases and filtered out benign cases. Finally, we
> identified and report 2 cases that could trigger bugs. Below is the
> information for reproducing the bugs.
>
> - findutils version: 4.7.0
> - operating system: Ubuntu 16.04.7
> - compiler: clang version 6.0.0-1ubuntu2~16.04.1 (tags/RELEASE_600/final)
> - compilation commands:
>     mkdir obj
>     cd obj
>     CC=clang CFLAGS="-g -O1 -Xclang -disable-llvm-passes -D__NO_STRING_INLINES -D_FORTIFY_SOURCE=0 -U__OPTIMIZE__ -fsanitize=signed-integer-overflow -fsanitize=unsigned-integer-overflow -fsanitize=shift -fsanitize=bounds -fsanitize=pointer-overflow -fsanitize=null" ../configure --disable-nls --disable-largefile --disable-threads --without-selinux
>     make
> - inputs: the attached file contains the input file A of the second bug.

Both issues are in CBO code - find's cost-based-optimizer:

> bug 1 command: find -H - -delete
> relevant error message: ../../find/tree.c:538:23: runtime error: member
> access within null pointer of type 'struct predicate'

This is in consider_arm_swap().

> bug 2 command: find -H -neweraa A
> relevant error message: ../../find/parser.c:698:48: runtime error: signed
> integer overflow: 1624986826 - -9223372036854775808 cannot be represented in
> type 'long'
> Note: I think this bug depends on the timestamp and is triggered only
> sometimes.

This is in estimate_timestamp_success_rate().

Although I think the first one is a false positive, because the code always
ensures that the left arm is filled, - and considering the other open bugs
related to CBO -, maybe it's time to remove that code?
WDYT?

Have a nice day,
Berny
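The second report is a signed overflow in a timestamp difference: the reference time is the minimum `long` value, so `now - ref` cannot be represented. The following is an added example, not findutils code, of how such an estimate can be computed with the subtraction checked before it is performed. The helper names `checked_time_diff` and `bounded_age_ratio` are hypothetical, and the constants reuse the values from the UBSan message above; the clamping policy for the unrepresentable case is an assumption of this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Overflow-checked difference of two timestamps (hypothetical helper,
 * not findutils code). Stores a - b in *diff and returns true when the
 * result is representable; returns false and leaves *diff untouched when
 * the subtraction would overflow. __builtin_sub_overflow is provided by
 * both GCC and clang. */
bool checked_time_diff(long a, long b, long *diff)
{
    long result;
    if (__builtin_sub_overflow(a, b, &result))
        return false;
    *diff = result;
    return true;
}

/* Hypothetical stand-in for a timestamp-based success-rate estimate:
 * the fraction of a 'window'-second span that lies between 'ref' and
 * 'now', clamped to [0.0, 1.0]. When the difference is not representable
 * the reference time is extremely far in the past or future, so the
 * estimate saturates instead of invoking undefined behaviour. */
double bounded_age_ratio(long now, long ref, long window)
{
    long age;
    if (!checked_time_diff(now, ref, &age))
        return ref < now ? 1.0 : 0.0;   /* saturate, never overflow */
    if (age <= 0)
        return 0.0;
    if (age >= window)
        return 1.0;
    return (double)age / (double)window;
}

int main(void)
{
    long d = 0;
    /* The pair from the report: 1624986826 - LONG_MIN is not representable. */
    printf("representable: %d\n", checked_time_diff(1624986826L, LONG_MIN, &d));
    printf("ratio: %f\n", bounded_age_ratio(1624986826L, LONG_MIN, 86400L));
    return 0;
}
```

Built with `-fsanitize=signed-integer-overflow`, a plain `now - ref` on these inputs reports the runtime error quoted above, whereas the checked version simply reports the overflow through its return value and the caller saturates the estimate.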