Runtime errors running UBSAN sanitizer
I've tried to compile ns-3 with UBSAN, a sanitizer included in gcc/clang to warn about undefined behavior in code. The line is the following:
LDFLAGS="-fsanitize=address -fsanitize=leak -fsanitize=undefined" CXXFLAGS="-fsanitize=address -fsanitize=leak -fsanitize=undefined -g3 -fno-omit-frame-pointer" CXX="clang++" ./waf configure --enable-examples --disable-gtk --disable-python --enable-tests -d debug
and then, you can run the program you wish (for example, lena-dual-stripe) with
./waf --run lena-dual-stripe
and you can see the output:
../src/core/model/hash-murmur3.cc:127:10: runtime error: addition of unsigned offset to 0x7ffc4f6eebdc overflowed to 0x7ffc4f6eebd0
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/core/model/hash-murmur3.cc:127:10 in
../src/network/model/byte-tag-list.cc:211:31: runtime error: index 24 out of bounds for type 'uint8_t [4]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/network/model/byte-tag-list.cc:211:31 in
../src/network/model/byte-tag-list.cc:273:39: runtime error: index 24 out of bounds for type 'uint8_t [4]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/network/model/byte-tag-list.cc:273:39 in
../src/lte/model/lte-mi-error-model.cc:576:19: runtime error: 76359.7 is outside the range of representable values of type 'unsigned short'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/lte/model/lte-mi-error-model.cc:576:19 in
To block inside a message and see what is happening, you can use gdb:
./waf --run lena-dual-stripe --command-template="gdb --args %s"
and blocking inside the ubsan with:
break __ubsan::ScopedReport::~ScopedReport
and then running as usual. The second message trace is the following, for instance:
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/core/model/hash-murmur3.cc:127:10 in
../src/network/model/byte-tag-list.cc:211:31: runtime error: index 24 out of bounds for type 'uint8_t [4]'
Breakpoint 1, 0x00005555556847c0 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0 0x00005555556847c0 in __ubsan::ScopedReport::~ScopedReport() ()
#1 0x0000555555685570 in handleOutOfBoundsImpl(__ubsan::OutOfBoundsData*, unsigned long, __ubsan::ReportOptions) ()
#2 0x0000555555688f41 in __ubsan_handle_out_of_bounds ()
#3 0x00007fffece0faee in ns3::ByteTagList::Add (this=0x60b0000664a8, tid=..., bufferSize=8, start=1, end=81) at ../src/network/model/byte-tag-list.cc:211
#4 0x00007fffecee45f2 in ns3::Packet::AddByteTag (this=0x60b000066480, tag=..., start=1, end=81) at ../src/network/model/packet.cc:834
#5 0x00007ffff511d47f in ns3::LteRlcSm::DoNotifyTxOpportunity (this=0x60c000024c40, txOpParams=...) at ../src/lte/model/lte-rlc.cc:248
#6 0x00007ffff5110e59 in ns3::LteRlcSpecificLteMacSapUser::NotifyTxOpportunity (this=0x602000049a90, params=...) at ../src/lte/model/lte-rlc.cc:68
#7 0x00007ffff64cc911 in ns3::NoOpComponentCarrierManager::DoNotifyTxOpportunity (this=0x614000006e40, txOpParams=...) at ../src/lte/model/no-op-component-carrier-manager.cc:110
#8 0x00007ffff64fd9b9 in ns3::MemberLteCcmMacSapUser<ns3::NoOpComponentCarrierManager>::NotifyTxOpportunity (this=0x6020000039b0, txOpParams=...) at ./ns3/lte-ccm-mac-sap.h:202
#9 0x00007ffff5760c7e in ns3::LteEnbMac::DoSchedDlConfigInd (this=0x616000022e80, ind=...) at ../src/lte/model/lte-enb-mac.cc:1128
#10 0x00007ffff575bcbc in ns3::EnbMacMemberFfMacSchedSapUser::SchedDlConfigInd (this=0x602000003590, params=...) at ../src/lte/model/lte-enb-mac.cc:174
#11 0x00007ffff5901c05 in ns3::PfFfMacScheduler::DoSchedDlTriggerReq (this=0x61a000001280, params=...) at ../src/lte/model/pf-ff-mac-scheduler.cc:1237
#12 0x00007ffff5946c3b in ns3::MemberSchedSapProvider<ns3::PfFfMacScheduler>::SchedDlTriggerReq (this=0x602000003690, params=...) at ./ns3/ff-mac-sched-sap.h:409
#13 0x00007ffff57761f2 in ns3::LteEnbMac::DoSubframeIndication (this=0x616000022e80, frameNo=3, subframeNo=2) at ../src/lte/model/lte-enb-mac.cc:588
#14 0x00007ffff576f78f in ns3::EnbMacMemberLteEnbPhySapUser::SubframeIndication (this=0x6020000035d0, frameNo=3, subframeNo=2) at ../src/lte/model/lte-enb-mac.cc:297
#15 0x00007ffff4aba525 in ns3::LteEnbPhy::StartSubFrame (this=0x617000004d80) at ../src/lte/model/lte-enb-phy.cc:768
#16 0x00007ffff4b32d30 in ns3::MakeEvent<void (ns3::LteEnbPhy::*)(), ns3::LteEnbPhy*>(void (ns3::LteEnbPhy::*)(), ns3::LteEnbPhy*)::EventMemberImpl0::Notify() (this=0x6040003ccc10)
at ./ns3/make-event.h:376
#17 0x00007fffebce748b in ns3::EventImpl::Invoke (this=0x6040003ccc10) at ../src/core/model/event-impl.cc:51
#18 0x00007fffebcfee75 in ns3::DefaultSimulatorImpl::ProcessOneEvent (this=0x60e000005360) at ../src/core/model/default-simulator-impl.cc:151
#19 0x00007fffebd0004b in ns3::DefaultSimulatorImpl::Run (this=0x60e000005360) at ../src/core/model/default-simulator-impl.cc:204
#20 0x00007fffebcea8c5 in ns3::Simulator::Run () at ../src/core/model/simulator.cc:174
#21 0x00005555556b7a5e in main (argc=1, argv=0x7fffffffddd8) at ../src/lte/examples/lena-dual-stripe.cc:883
EPC and RRC are full of these undefined behaviors as well:
Breakpoint 1, 0x0000555555664fb0 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0 0x0000555555664fb0 in __ubsan::ScopedReport::~ScopedReport() ()
#1 0x000055555566657f in handleLoadInvalidValue(__ubsan::InvalidValueData*, unsigned long, __ubsan::ReportOptions) ()
#2 0x0000555555669951 in __ubsan_handle_load_invalid_value ()
#3 0x00007ffff5eb7baa in ns3::GtpcIes::SerializeFteid (this=0x7fffffff8ff4, i=..., fteid=...) at ../src/lte/model/epc-gtpc-header.cc:437
#4 0x00007ffff5ebc50f in ns3::GtpcCreateSessionRequestMessage::Serialize (this=0x7fffffff8fe0, start=...) at ../src/lte/model/epc-gtpc-header.cc:547
#5 0x00007fffeced35cd in ns3::Packet::AddHeader (this=0x60b00001bc60, header=...) at ../src/network/model/packet.cc:263
#6 0x00007ffff5fd8e45 in ns3::EpcMmeApplication::DoInitialUeMessage (this=0x611000009780, mmeUeS1Id=1, enbUeS1Id=1, imsi=1, gci=1) at ../src/lte/model/epc-mme-application.cc:151
#7 0x00007ffff5ff87ba in ns3::MemberEpcS1apSapMme<ns3::EpcMmeApplication>::InitialUeMessage (this=0x602000004490, mmeUeS1Id=1, enbUeS1Id=1, imsi=1, ecgi=1) at ./ns3/epc-s1ap-sap.h:265
#8 0x00007ffff5f0151a in ns3::EpcEnbApplication::DoInitialUeMessage (this=0x613000003140, imsi=1, rnti=1) at ../src/lte/model/epc-enb-application.cc:157
#9 0x00007ffff5f25fc3 in ns3::MemberEpcEnbS1SapProvider<ns3::EpcEnbApplication>::InitialUeMessage (this=0x602000006a70, imsi=1, rnti=1) at ./ns3/epc-enb-s1-sap.h:205
#10 0x00007ffff4ccf632 in ns3::UeManager::RecvRrcConnectionSetupCompleted (this=0x614000008a40, msg=...) at ../src/lte/model/lte-enb-rrc.cc:1004
#11 0x00007ffff4d214a3 in ns3::LteEnbRrc::DoRecvRrcConnectionSetupCompleted (this=0x61a000003c80, rnti=1, msg=...) at ../src/lte/model/lte-enb-rrc.cc:2403
#12 0x00007ffff4e5ead2 in ns3::MakeEvent<void (ns3::LteEnbRrc::*)(unsigned short, ns3::LteRrcSap::RrcConnectionSetupCompleted), ns3::LteEnbRrc*, unsigned short, ns3::LteRrcSap::RrcConnectionSetupCompleted>(void (ns3::LteEnbRrc::*)(unsigned short, ns3::LteRrcSap::RrcConnectionSetupCompleted), ns3::LteEnbRrc*, unsigned short, ns3::LteRrcSap::RrcConnectionSetupCompleted)::EventMemberImpl2::Notify() (this=0x6040000c9050) at ./ns3/make-event.h:437
#13 0x00007fffebce748b in ns3::EventImpl::Invoke (this=0x6040000c9050) at ../src/core/model/event-impl.cc:51
#14 0x00007fffebcfee75 in ns3::DefaultSimulatorImpl::ProcessOneEvent (this=0x60e000005360) at ../src/core/model/default-simulator-impl.cc:151
#15 0x00007fffebd0004b in ns3::DefaultSimulatorImpl::Run (this=0x60e000005360) at ../src/core/model/default-simulator-impl.cc:204
#16 0x00007fffebcea8c5 in ns3::Simulator::Run () at ../src/core/model/simulator.cc:174
#17 0x0000555555675402 in main (argc=1, argv=0x7fffffffddd8) at ../src/lte/examples/lena-simple-epc.cc:200
The first error of these examples is here: ../src/core/model/hash-murmur3.cc, but I am not sure if this is needed for the hash to work correctly (an overflow needed for random initialization, maybe? I don't know), but I think that for the moment it can be ignored.
I know it's a lot of work looking into these, one at a time, but we should try to reduce the number of undefined behaviors there.
Let me know if I can be of any help.
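Added example, not part of the original report or of ns-3: a small triage script that collapses UBSan "runtime error" lines like the ones quoted above into one entry per source location and defect class, so repeated hits during a long simulation run can be worked through by site. The class labels and the extra repeated sample line are assumptions made for this example.

```python
import re
from collections import Counter

# Lines copied from the report above, plus one constructed repeat (last line).
SAMPLE = """\
../src/core/model/hash-murmur3.cc:127:10: runtime error: addition of unsigned offset to 0x7ffc4f6eebdc overflowed to 0x7ffc4f6eebd0
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/core/model/hash-murmur3.cc:127:10 in
../src/network/model/byte-tag-list.cc:211:31: runtime error: index 24 out of bounds for type 'uint8_t [4]'
../src/network/model/byte-tag-list.cc:273:39: runtime error: index 24 out of bounds for type 'uint8_t [4]'
../src/lte/model/lte-mi-error-model.cc:576:19: runtime error: 76359.7 is outside the range of representable values of type 'unsigned short'
../src/network/model/byte-tag-list.cc:211:31: runtime error: index 32 out of bounds for type 'uint8_t [4]'
"""

REPORT = re.compile(r"^(?P<file>\S+?):(?P<line>\d+):(?P<col>\d+): runtime error: (?P<msg>.*)$")

# Message pattern -> class label (labels chosen for this example)
KINDS = [
    (re.compile(r"^index -?\d+ out of bounds for type"), "out-of-bounds-index"),
    (re.compile(r"is outside the range of representable values"), "float-cast-overflow"),
    (re.compile(r"^addition of unsigned offset .* overflowed"), "pointer-overflow"),
    (re.compile(r"^load of value .* not a valid value for type"), "invalid-load"),
]

def classify(msg):
    """Map a UBSan message to a defect class, or 'other' if unrecognised."""
    for pattern, kind in KINDS:
        if pattern.search(msg):
            return kind
    return "other"

def triage(log_text):
    """Return {(file, line, col, kind): hit_count} for every UBSan report line."""
    sites = Counter()
    for raw in log_text.splitlines():
        m = REPORT.match(raw.strip())
        if m:  # SUMMARY lines and gdb output do not match and are skipped
            key = (m["file"], int(m["line"]), int(m["col"]), classify(m["msg"]))
            sites[key] += 1
    return sites

def by_kind(sites):
    """Number of distinct source locations per defect class."""
    return Counter(kind for (_file, _line, _col, kind) in sites)

if __name__ == "__main__":
    for (f, l, c, kind), n in sorted(triage(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {kind:20s} {f}:{l}:{c}")
```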