[tlbuild] Repeated Mac arm64 crashes of xdvi-xaw with "set_no_char: attempt to set character of unknown font, offset 42"

John Hawkinson jhawk at alum.mit.edu
Wed Jan 26 00:28:08 CET 2022


On Tue, Jan 25, 2022 at 6:11 PM Karl Berry <karl at freefriends.org> wrote:

>     build with the various clang "sanitizer"
>
> Maybe -fsanitize=address (CFLAGS and LDFLAGS) would show something.

I was just getting to this. I built with both ASAN (-fsanitize=address) and UBSAN (-fsanitize=undefined) and they both say things, though the ASAN errors appear more concerning, and cause xdvi to abort before bringing up the document, whereas UBSAN merely offers some diagnostics but still proceeds.

> Maybe per Luigi, set a watchpoint on m_dvi_fp (or whatever the variable
> name is) and see when it changes to zero? Maybe the reopening of the dvi
> file on R is failing? -k

I will also look into this but probably not until Wednesday.


I'm not sure if the clang sanitizer outputs are worth running down, so I'm offering them here before I've had a chance to chase them down, as I'm strapped for time today. (And again, I'm not familiar with the tools, so I'm coming to this as a n00b.)

I built with

  TL_COMPILER_GFLAGS="-g -fsanitize=address" ./Build --debug
  TL_COMPILER_GFLAGS="-g -fsanitize=undefined" ./Build --debug

Here's the ASAN:
jhawk at loud-room xdvik % TEXMFROOT=/usr/local/texlive/2021 TEXMFCNF=$TEXMFROOT/texmf-dist/web2c  ./xdvi-asan   t2a 
=================================================================
==89436==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000100efdea6 at pc 0x000101a9675c bp 0x00016f2f9c90 sp 0x00016f2f9420
READ of size 11 at 0x000100efdea6 thread T0
    #0 0x101a96758 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)+0x208 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x16758)
    #1 0x101a96aa0 in wrap_memcmp+0xa0 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x16aa0)
    #2 0x100b53fe8 in compile_action events.c:550
    #3 0x100c044f8 in compile_mouse_actions xdvi.c:2112
    #4 0x100c01318 in create_widgets xdvi.c:2797
    #5 0x100bfd31c in run_dvi_file xdvi.c:3491
    #6 0x100b0a460 in main main.c:1311
    #7 0x1012690f0 in start+0x204 (dyld:arm64e+0x50f0)

0x000100efdea6 is located 58 bytes to the left of global variable '<string literal>' defined in '../../../texk/xdvik/events.c:422:6' (0x100efdee0) of size 12
  '<string literal>' is ascii string 'mouse-modes'
0x000100efdea6 is located 0 bytes to the right of global variable '<string literal>' defined in '../../../texk/xdvik/events.c:421:6' (0x100efdea0) of size 6
  '<string literal>' is ascii string 'digit'
SUMMARY: AddressSanitizer: global-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x16758) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)+0x208
Shadow bytes around the buggy address:
  0x0070201ffb80: f9 f9 f9 f9 00 03 f9 f9 f9 f9 f9 f9 00 00 01 f9
  0x0070201ffb90: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x0070201ffba0: f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 00 03 f9 f9
  0x0070201ffbb0: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 06 f9 f9
  0x0070201ffbc0: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 05 f9 f9
=>0x0070201ffbd0: f9 f9 f9 f9[06]f9 f9 f9 f9 f9 f9 f9 00 04 f9 f9
  0x0070201ffbe0: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0070201ffbf0: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0070201ffc00: f9 f9 f9 f9 00 05 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0070201ffc10: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0070201ffc20: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 00 02 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==89436==ABORTING
zsh: abort      TEXMFROOT=/usr/local/texlive/2021 TEXMFCNF=$TEXMFROOT/texmf-dist/web2c  t2a

And here is the UBSAN:

jhawk at loud-room xdvik % TEXMFROOT=/usr/local/texlive/2021 TEXMFCNF=$TEXMFROOT/texmf-dist/web2c  ./xdvi-ubsan   t2a 
../../../texk/xdvik/dvi-draw.c:458:9: runtime error: left shift of negative value -3
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../../texk/xdvik/dvi-draw.c:458:9 in 
/Users/jhawk/src/xdvik-22.87.05/libs/freetype2/freetype-src/src/base/ftgloadr.c:149:40: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/jhawk/src/xdvik-22.87.05/libs/freetype2/freetype-src/src/base/ftgloadr.c:149:40 in 
/Users/jhawk/src/xdvik-22.87.05/libs/freetype2/freetype-src/src/base/ftgloadr.c:150:40: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/jhawk/src/xdvik-22.87.05/libs/freetype2/freetype-src/src/base/ftgloadr.c:150:40 in 
/Users/jhawk/src/xdvik-22.87.05/libs/freetype2/freetype-src/src/base/ftgloadr.c:192:42: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/jhawk/src/xdvik-22.87.05/libs/freetype2/freetype-src/src/base/ftgloadr.c:192:42 in 
../../../texk/xdvik/ft.c:184:35: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../../texk/xdvik/ft.c:184:35 in 
xdvi-ubsan: set_no_char: attempt to set character of unknown font, offset 42
xdvi-ubsan 22.87.05 (Xaw toolkit): ../../../texk/xdvik/dvi-draw.c:488: Shouldn't happen: I'll abort now, to help you debugging this.


I also built Valgrind on my older x86_64 Mac (which does *not* see the xdvi crash) and it reports some concerns, but I think they are perhaps not meaningful (I'm not experienced with valgrind). Output below:

pb3:xdvik jhawk$ TEXMFROOT=/usr/local/texlive/2015 TEXMFCNF=/usr/local/texlive/2015/texmf-dist/web2c valgrind --track-origins=yes  ./xdvi-bin  ~/Downloads/t2a.dvi
==76741== Memcheck, a memory error detector
==76741== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==76741== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==76741== Command: ./xdvi-bin /Users/jhawk/Downloads/t2a.dvi
==76741== 
==76741== Conditional jump or move depends on uninitialised value(s)
==76741==    at 0x1006D52BC: generate_block (in /usr/lib/system/libcorecrypto.dylib)
==76741==    by 0x1006D4FA9: drbg_update (in /usr/lib/system/libcorecrypto.dylib)
==76741==    by 0x1006D48EC: nistctr_init (in /usr/lib/system/libcorecrypto.dylib)
==76741==    by 0x1006D41FD: init (in /usr/lib/system/libcorecrypto.dylib)
==76741==    by 0x100850383: arc4_init (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10085022E: arc4random (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10085066D: arc4random_uniform (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B227: find_temp_path (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B4CF: mkstemp (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10005667A: xdvi_temp_fd (util.c:858)
==76741==    by 0x1000160FB: make_backup_fp (dvi-init.c:1171)
==76741==    by 0x100015D46: internal_open_dvi (dvi-init.c:1368)
==76741==  Uninitialised value was created by a stack allocation
==76741==    at 0x1008502CB: arc4_init (in /usr/lib/system/libsystem_c.dylib)
==76741== 
==76741== Conditional jump or move depends on uninitialised value(s)
==76741==    at 0x1006D52BC: generate_block (in /usr/lib/system/libcorecrypto.dylib)
==76741==    by 0x1006D43A6: generate (in /usr/lib/system/libcorecrypto.dylib)
==76741==    by 0x100850267: arc4random (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10085066D: arc4random_uniform (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B227: find_temp_path (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B4CF: mkstemp (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10005667A: xdvi_temp_fd (util.c:858)
==76741==    by 0x1000160FB: make_backup_fp (dvi-init.c:1171)
==76741==    by 0x100015D46: internal_open_dvi (dvi-init.c:1368)
==76741==    by 0x10006026D: run_dvi_file (xdvi.c:3398)
==76741==    by 0x10000210A: main (main.c:1311)
==76741==  Uninitialised value was created by a stack allocation
==76741==    at 0x1008502CB: arc4_init (in /usr/lib/system/libsystem_c.dylib)
==76741== 
==76741== Conditional jump or move depends on uninitialised value(s)
==76741==    at 0x1006D4F08: drbg_update (in /usr/lib/system/libcorecrypto.dylib)
==76741==    by 0x1006D443C: generate (in /usr/lib/system/libcorecrypto.dylib)
==76741==    by 0x100850267: arc4random (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10085066D: arc4random_uniform (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B227: find_temp_path (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B4CF: mkstemp (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10005667A: xdvi_temp_fd (util.c:858)
==76741==    by 0x1000160FB: make_backup_fp (dvi-init.c:1171)
==76741==    by 0x100015D46: internal_open_dvi (dvi-init.c:1368)
==76741==    by 0x10006026D: run_dvi_file (xdvi.c:3398)
==76741==    by 0x10000210A: main (main.c:1311)
==76741==  Uninitialised value was created by a stack allocation
==76741==    at 0x1008502CB: arc4_init (in /usr/lib/system/libsystem_c.dylib)
==76741== 
==76741== Conditional jump or move depends on uninitialised value(s)
==76741==    at 0x100850676: arc4random_uniform (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B227: find_temp_path (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B4CF: mkstemp (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10005667A: xdvi_temp_fd (util.c:858)
==76741==    by 0x1000160FB: make_backup_fp (dvi-init.c:1171)
==76741==    by 0x100015D46: internal_open_dvi (dvi-init.c:1368)
==76741==    by 0x10006026D: run_dvi_file (xdvi.c:3398)
==76741==    by 0x10000210A: main (main.c:1311)
==76741==  Uninitialised value was created by a stack allocation
==76741==    at 0x1008502CB: arc4_init (in /usr/lib/system/libsystem_c.dylib)
==76741== 
==76741== Use of uninitialised value of size 8
==76741==    at 0x10086B22A: find_temp_path (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10086B4CF: mkstemp (in /usr/lib/system/libsystem_c.dylib)
==76741==    by 0x10005667A: xdvi_temp_fd (util.c:858)
==76741==    by 0x1000160FB: make_backup_fp (dvi-init.c:1171)
==76741==    by 0x100015D46: internal_open_dvi (dvi-init.c:1368)
==76741==    by 0x10006026D: run_dvi_file (xdvi.c:3398)
==76741==    by 0x10000210A: main (main.c:1311)
==76741==  Uninitialised value was created by a stack allocation
==76741==    at 0x1008502CB: arc4_init (in /usr/lib/system/libsystem_c.dylib)
==76741== 
==76741== Syscall param writev(vector[...]) points to uninitialised byte(s)
==76741==    at 0x10097D7FE: writev (in /usr/lib/system/libsystem_kernel.dylib)
==76741==    by 0x10063D1D5: _xcb_conn_wait (in /opt/X11/lib/libxcb.1.dylib)
==76741==    by 0x10063DDAA: _xcb_out_send (in /opt/X11/lib/libxcb.1.dylib)
==76741==    by 0x10063DD3D: xcb_writev (in /opt/X11/lib/libxcb.1.dylib)
==76741==    by 0x10041E8F8: _XSend (in /opt/X11/lib/libX11.6.dylib)
==76741==    by 0x10041EFEF: _XFlush (in /opt/X11/lib/libX11.6.dylib)
==76741==    by 0x1004033BD: XFlush (in /opt/X11/lib/libX11.6.dylib)
==76741==    by 0x10002433B: Act_switch_mode (events.c:3527)
==76741==    by 0x10037857C: XtCallActionProc (in /opt/X11/lib/libXt.6.dylib)
==76741==    by 0x100060BE9: run_dvi_file (xdvi.c:3615)
==76741==    by 0x10000210A: main (main.c:1311)
==76741==  Address 0x10113538e is 494 bytes inside a block of size 16,384 alloc'd
==76741==    at 0x1002B80C2: calloc (vg_replace_malloc.c:1335)
==76741==    by 0x1004103E3: XOpenDisplay (in /opt/X11/lib/libX11.6.dylib)
==76741==    by 0x100359228: XtOpenDisplay (in /opt/X11/lib/libXt.6.dylib)
==76741==    by 0x1003596AB: _XtAppInit (in /opt/X11/lib/libXt.6.dylib)
==76741==    by 0x1003625DF: XtOpenApplication (in /opt/X11/lib/libXt.6.dylib)
==76741==    by 0x100362769: XtInitialize (in /opt/X11/lib/libXt.6.dylib)
==76741==    by 0x10000177E: main (main.c:1077)
==76741==  Uninitialised value was created by a stack allocation
==76741==    at 0x100063C94: h_get_empty_cursor (xdvi.c:1687)
==76741== 
--76741:0:syswrap- WARNING: Ignoring sigreturn( ..., UC_RESET_ALT_STACK );
xdvi-bin: Warning: Could not find graphics file "l3backend-dvips.pro"
==76741== 
==76741== HEAP SUMMARY:
==76741==     in use at exit: 7,996,323 bytes in 306,832 blocks
==76741==   total heap usage: 476,755 allocs, 169,923 frees, 21,199,682 bytes allocated
==76741== 
==76741== LEAK SUMMARY:
==76741==    definitely lost: 9,524 bytes in 455 blocks
==76741==    indirectly lost: 3,621 bytes in 160 blocks
==76741==      possibly lost: 83 bytes in 4 blocks
==76741==    still reachable: 7,965,367 bytes in 306,063 blocks
==76741==         suppressed: 17,728 bytes in 150 blocks
==76741== Rerun with --leak-check=full to see details of leaked memory


--
jhawk at alum.mit.edu
John Hawkinson
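Added example, not from this thread and not xdvik's own code: a constructed C reproduction of the two classes of finding the sanitizer reports above describe, each beside a form the sanitizers accept. The ASAN report says memcmp() read 11 bytes starting at the 6-byte literal "digit" and ran into the adjacent literal "mouse-modes"; a keyword table compared with a length taken from the input rather than from each keyword is the pattern that report is consistent with (how events.c actually does it is an assumption here, so the table and function names are constructed). The UBSAN lines flag a left shift of a negative value and 255 << 24 overflowing int; both are undefined behaviour in C, and the fixes shown (shift in uint32_t, multiply instead of shifting a signed value) are the standard ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed keyword table; the two literals are laid out back to back
   like the ones ASAN named, so an over-long memcmp() on the first one
   walks straight into the second. */
static const char *const keywords[] = { "digit", "mouse-modes" };
#define NKEYWORDS (sizeof keywords / sizeof keywords[0])

/* What ASAN flags: the comparison length comes from the input token, so a
   long token over-reads a short keyword (global-buffer-overflow). Not
   called from main() below; kept only to show the pattern beside its fix. */
int match_keyword_unsafe(const char *input, size_t len, const char *kw)
{
    return memcmp(input, kw, len) == 0;   /* reads len bytes of kw, however short kw is */
}

/* Hardened form: compare only as many bytes as the keyword has, and require
   the lengths to agree so "digits" does not match "digit". */
int match_keyword(const char *input, size_t len, const char *kw)
{
    size_t kwlen = strlen(kw);
    if (len != kwlen)
        return 0;
    return memcmp(input, kw, kwlen) == 0;
}

/* Returns the index of the matching keyword, or -1. */
int lookup_keyword(const char *input, size_t len)
{
    for (size_t i = 0; i < NKEYWORDS; i++)
        if (match_keyword(input, len, keywords[i]))
            return (int)i;
    return -1;
}

/* What UBSAN flags as "left shift of 255 by 24 places cannot be represented
   in type 'int'": shifting an int-typed byte into the sign bit. */
int pack_bytes_unsafe(int b3, int b2, int b1, int b0)
{
    return (b3 << 24) | (b2 << 16) | (b1 << 8) | b0;   /* UB when b3 >= 128 */
}

/* Defined form: widen to uint32_t before shifting. */
uint32_t pack_bytes(unsigned b3, unsigned b2, unsigned b1, unsigned b0)
{
    return ((uint32_t)b3 << 24) | ((uint32_t)b2 << 16)
         | ((uint32_t)b1 << 8)  |  (uint32_t)b0;
}

/* "left shift of negative value": v << s is undefined for negative v.
   Multiplying by the power of two gives the intended scaling and is defined
   as long as the product fits in long. */
long scale_signed(long v, unsigned shift)
{
    return v * (1L << shift);
}

int main(void)
{
    /* Constructed inputs; "mouse" and "digits" show the two near-miss cases. */
    const char *tokens[] = { "digit", "mouse-modes", "mouse", "digits" };
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        printf("%-12s -> %d\n", tokens[i], lookup_keyword(tokens[i], strlen(tokens[i])));
    printf("pack_bytes(255,0,0,0) = 0x%08x\n", pack_bytes(255, 0, 0, 0));
    printf("scale_signed(-3, 2)   = %ld\n", scale_signed(-3, 2));
    return 0;
}
```

Build it twice, once with -fsanitize=address and once with -fsanitize=undefined, exactly as in the TL_COMPILER_GFLAGS lines above; the hardened functions run clean, and routing a long token through match_keyword_unsafe() or a byte of 255 through pack_bytes_unsafe() reproduces the two report shapes, which is a quick way to confirm what a given ASAN or UBSAN line is telling you before chasing it in the real code.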


