henrylhtsang opened a new issue, #413:
URL: https://github.com/apache/tvm-ffi/issues/413
Hello experts! I am testing tvm-ffi, but then I see some sanitizer errors. I am trying to see if they are fixable from upstream.
# Repro
```
// Compile with: clang++ -std=c++17 -fsanitize=undefined -I./include -I./3rdparty/dlpack/include repro.cpp -o repro
// run ./repro
#include <tvm/ffi/string.h>
#include <tvm/ffi/object.h>
#include <iostream>

// A simple subclass to trigger GetObjectOffsetToSubclass
class TestObj : public tvm::ffi::Object {
 public:
  static constexpr const char* _type_key = "test.TestObj";
};

int main() {
  std::cout << "Testing TVM FFI sanitizer issues...\n";

  // Issue 1: Null pointer to memcpy in String::InitData
  // This is triggered when passing a TVMFFIByteArray with null data
  std::cout << "Test 1: Creating string from null TVMFFIByteArray...\n";
  TVMFFIByteArray null_bytes;
  null_bytes.data = nullptr;
  null_bytes.size = 0;
  tvm::ffi::String str_from_null(null_bytes);
  std::cout << "String from null bytes size: " << str_from_null.size() << "\n";

  // Issue 2: Null pointer dereference in GetObjectOffsetToSubclass
  // This is typically triggered during module loading/type registration
  std::cout << "Test 2: Computing object offset...\n";
  int64_t offset = tvm::ffi::details::ObjectUnsafe::GetObjectOffsetToSubclass<TestObj>();
  std::cout << "Offset: " << offset << "\n";

  std::cout << "Done.\n";
  return 0;
}
```
# errors
```
Test 1: Creating string from null TVMFFIByteArray...
include/tvm/ffi/string.h:757:28: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior include/tvm/ffi/string.h:757:28
String from null bytes size: 0
Test 2: Computing object offset...
include/tvm/ffi/object.h:1097:71: runtime error: member access within null pointer of type 'tvm::ffi::Object'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior include/tvm/ffi/object.h:1097:71
include/tvm/ffi/object.h:1098:72: runtime error: member access within null pointer of type 'Object'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior include/tvm/ffi/object.h:1098:72
Offset: 0
Done.
```
# potential fixes?
I asked claude and it suggested replacing
```
std::memcpy(dest_data, data, size);
```
with
```
if (size > 0) {
std::memcpy(dest_data, data, size);
}
```
and
```
return (reinterpret_cast<int64_t>(&(static_cast<Class*>(nullptr)->header_)) -
        reinterpret_cast<int64_t>(&(static_cast<Object*>(nullptr)->header_)));
```
with
```
return static_cast<int64_t>(__builtin_offsetof(Class, header_)) -
       static_cast<int64_t>(__builtin_offsetof(Object, header_));
```
But I want to get some feedback first.
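Both sanitizer reports above come from code that is well-defined in practice but undefined by the letter of the standard: `memcpy` requires non-null pointer arguments even when the byte count is 0, and forming a member access through a null `Object*` to derive an offset is a null-pointer dereference as far as UBSan is concerned. The following is an added, self-contained example (not tvm-ffi's code and not the issue author's) showing both patterns in a sanitizer-clean form: a guarded copy that skips `memcpy` for an empty view, and an offset computation that uses a real instance instead of a null pointer. `ByteView`, `CopyBytes`, `Base`, `Padding`, `Derived` and `HeaderOffsetToSubclass` are constructed stand-ins; the multiple-inheritance case assumes the common ABI rule that non-virtual bases of a non-polymorphic class are laid out in declaration order.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>

// Constructed stand-in for a byte-array view whose data pointer may be null
// when the view is empty (mirrors the shape of TVMFFIByteArray, not its type).
struct ByteView {
  const char* data;
  size_t size;
};

// Guarded copy: memcpy's pointers are declared nonnull, so an empty view with
// data == nullptr must not reach memcpy at all. Size 0 yields an empty string.
std::string CopyBytes(const ByteView& view) {
  std::string out(view.size, '\0');
  if (view.size > 0) {
    std::memcpy(&out[0], view.data, view.size);
  }
  return out;
}

// Base carrying the header member whose offset we want to know.
struct Base {
  uint32_t header_ = 0;
};

// A second base placed before Base so that Base sits at a nonzero offset.
struct Padding {
  uint64_t pad_ = 0;
};

struct SingleDerived : Base {
  uint64_t extra_ = 0;
};

struct MultiDerived : Padding, Base {
  uint64_t extra_ = 0;
};

// Offset of the Base subobject inside Class, computed from a live instance:
// (address of header_ relative to the Class object) minus (address of header_
// relative to the Base subobject). No null pointer is ever dereferenced.
template <typename Class>
int64_t HeaderOffsetToSubclass() {
  Class obj;
  const char* class_start = reinterpret_cast<const char*>(&obj);
  const char* header_via_class = reinterpret_cast<const char*>(&obj.header_);

  const Base& base = obj;
  const char* base_start = reinterpret_cast<const char*>(&base);
  const char* header_via_base = reinterpret_cast<const char*>(&base.header_);

  return static_cast<int64_t>((header_via_class - class_start) -
                              (header_via_base - base_start));
}

int main() {
  ByteView empty{nullptr, 0};
  std::cout << "empty copy size: " << CopyBytes(empty).size() << "\n";

  const char bytes[] = "abc";
  ByteView view{bytes, 3};
  std::cout << "copied: " << CopyBytes(view) << "\n";

  std::cout << "single-inheritance offset: "
            << HeaderOffsetToSubclass<SingleDerived>() << "\n";
  std::cout << "multiple-inheritance offset: "
            << HeaderOffsetToSubclass<MultiDerived>() << "\n";
  return 0;
}
```

Compiling this with `-fsanitize=undefined` produces no reports, because the empty-view path never calls `memcpy` and the offset is taken from pointers into an object that exists. The single-inheritance offset is 0, matching the `Offset: 0` printed by the original repro; the multiple-inheritance case shows why the subtraction is there at all.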