gcc ubsan reports pointer overflow in bitsetasshortlong perhaps a false positive

[RobertHenry6bev]

Description

ubuntu linux x64 all gcc's report a runtime error with

runtime/src/coreclr/jit/bitsetasshortlong.h

Line 492 in a85b782

m_bsEnd = bs + 1;

When ubsan complains The bs is a reference to a pointer; the pointer has value 0xff*fYULL. Adding 1 to the pointer adds sizeof (uint64)_t) to the bit value which wraps around in 64 bit integer, resulting in a new pointer with value 0x7ULL assigned to m_bsEnd.

It seems that this is OK because a while later in the code ++m_bs; is used, which will wrap in presumably the same way, and so compare == with m_bsEnd.

The code understandably works hard to save storage. Perhaps the code could be cleaned up using unions, and that would also silence ubsan.

Reproduction Steps

Compile gcc -fsanitize=undefined and run

Expected behavior

no runtime errors

Actual behavior

runtime errors from ubsan about pointer arithmetic overflowing and wrapping aound.

Regression?

No response

Known Workarounds

One can dynamically or statically suppress the ubsan error in a variety of ways

Configuration

No response

Other information

/cc @BruceForstall

category:implementation
theme:bitset
skill-level:beginner
cost:small
impact:small

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

Tagging subscribers to this area: @JulieLeeMSFT, @jakobbotsch
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

ubuntu linux x64 all gcc's report a runtime error with

runtime/src/coreclr/jit/bitsetasshortlong.h

Line 492 in a85b782

m_bsEnd = bs + 1;

When ubsan complains The bs is a reference to a pointer; the pointer has value 0xff*fYULL. Adding 1 to the pointer adds sizeof (uint64)_t) to the bit value which wraps around in 64 bit integer, resulting in a new pointer with value 0x7ULL assigned to m_bsEnd.

It seems that this is OK because a while later in the code ++m_bs; is used, which will wrap in presumably the same way, and so compare == with m_bsEnd.

The code understandably works hard to save storage. Perhaps the code could be cleaned up using unions, and that would also silence ubsan.

Reproduction Steps

Compile gcc -fsanitize=undefined and run

Expected behavior

no runtime errors

Actual behavior

runtime errors from ubsan about pointer arithmetic overflowing and wrapping aound.

Regression?

No response

Known Workarounds

One can dynamically or statically suppress the ubsan error in a variety of ways

Configuration

No response

Other information

/cc @bruce

Author:	RobertHenry6bev
Assignees:	BruceForstall
Labels:	area-CodeGen-coreclr
Milestone:	-

[BruceForstall]

A simple fix would be to initialize m_bs=nullptr in the short case (before setting m_bsEnd) so the tool doesn't get upset about rounding.

[BruceForstall]

(Fixed reference to wrong Bruce)