Discussion:
[PATCH SET] Fix test harness issues and fix tests
(too old to reply)
Andy Chu
2016-03-19 01:24:50 UTC
Permalink
This is a pretty big cleanup, still in progress, but I think these
parts are ready to merge.

I think we should change the test "protocol" to be a subprocess rather
sourcing the .test file, as you alluded to. But that can be done in a
separate step on top of this.

There's also some cruft like '. testing.sh' at the top of most tests,
but it doesn't seem to exist. As long as I'm going in the right
direction I can fix all this.


Summary after patch 1 but before patch 2:

Tested 66 toybox commands: 90 test failures

Commands with test failures: bzcat chattr date find groupadd groupdel
hostname ls modinfo mount mv pgrep pkill renice tar touch xzcat zcat

(skipped commands not listed)

After patch 2:

Tested 61 toybox commands: 36 test failures

Commands with test failures: date find ls modinfo mv pgrep pkill
renice tar zcat

Commands skipped: chattr chgrp chown groupadd groupdel hostname
ifconfig losetup mount useradd

make: *** [tests] Error 1

-----

[PATCH 1/2] Refactor the test harness to triage tests, and fix some
bugs.

genconfig.sh:
- Fix a name clash bug where 'make test' would run all tests and then try to
build the 'test' binary. 'make test_bin' is special cased for now.
- Make the test targets .PHONY, since we're not creating files called test_sed,
etc.
- Use here docs to write Makefile fragments, for readability and to be
consistent with the rest of the script. Refactor into functions.
- Add comments.

make.sh:
- Add the output binary name as the first param. This fixes an issue where
'make; make test_sed' would leave you without a 'toybox' binary because
single.sh created another toybox binary and renamed it to sed.

runtest.sh:
- Changed the 'testing' function to return 0. This fixes a bug where the
return value of the script depends on the return code of the last command --
NOT whether it passed or failed. For example, 'make test_test' would fail
with code 1, even though all tests passed (because 'test' exits 1 validly).
On the other hand, tests with failures would still return 0 if the last
command didn't fail.
- Use local variables instead of globals since we are sharing globals with the
tests themselves.
- Add a common function to skip tests if not running as root, and keep track of
skipped commands.

test.sh:
- Refactor it into separate functions/actions and add usage.
- Fix a bug where tests would succeed under 'make test_$COMMAND' but fail under
'make test'. The problem is if you are running the xzcat command, 'tar'
could be either the host binary or the toybox binary, depending on what tools
are in the modified test $PATH. To fix this, the test harness finds the host
binary and sets $HOST_BIN_TAR, etc. before invoking the test.
- Keep track of the number of failures per *command*, and exit 1 if any failed
- Use a distinct test directory for each command, instead of repeatedly setting
up and tearing down the same one.
- When running all tests, print out a summary at the end.

single.sh:
- Call scripts/make.sh directly instead of 'make'.
- Add comments.
---
Makefile | 2 +-
scripts/genconfig.sh | 103 ++++++++++++++++++++++++++---------
scripts/make.sh | 16 ++++--
scripts/runtest.sh | 40 +++++++++-----
scripts/single.sh | 28 +++++++---
scripts/test.sh | 149 +++++++++++++++++++++++++++++++++++++++++----------
6 files changed, 258 insertions(+), 80 deletions(-)



[PATCH 2/2] Various test fixes and cleanup.

bzcat: Fix a test that was succeeding for the wrong reason. The test
was looking for a 1 exit code in the case of bad data, but there was a
typo in the input path, so it failed 1 for the wrong reason.

bzcat, xzcat, zcat: Use $HOST_BIN_TAR to fix the issue where they fail
under 'make test' but not 'make test_bzcat'.

hostname: Use $HOST_BIN_HOSTNAME, and skip one test if not root.

chgrp, groupadd, groupdel, ifconfig, losetup, mount, useradd: Skip if
not root.

pgrep, pkill: style cleanup and speedup of the tests (change sleep 1 to
sleep 0.1). No fixes yet.

renice: Fix some quoting problems (revealing further errors, not fixed)

tar: Style cleanup in preparation to fix failures under 'make test' but
not 'make test_tar' (due to host/toybox discrepancy)

touch: Use $HOST_BIN_DATE because toybox doesn't support %N nanoseconds
---
tests/bzcat.test | 41 ++++++++++---------
tests/chattr.test | 4 +-
tests/chgrp.test | 7 +---
tests/chown.test | 7 +---
tests/groupadd.test | 2 +
tests/groupdel.test | 2 +
tests/hostname.test | 16 +++++---
tests/ifconfig.test | 7 +---
tests/losetup.test | 7 +---
tests/mount.test | 6 ++-
tests/pgrep.test | 51 ++++++++++++------------
tests/pkill.test | 54 ++++++++++++-------------
tests/renice.test | 8 ++--
tests/tar.test | 111 ++++++++++++++++++++++++++++++++--------------------
tests/touch.test | 6 +--
tests/useradd.test | 7 +---
tests/xzcat.test | 36 +++++++++--------
tests/zcat.test | 39 +++++++++---------
18 files changed, 216 insertions(+), 195 deletions(-)
Andy Chu
2016-03-19 18:09:34 UTC
Permalink
Forgot to change this one line.
Rob Landley
2016-03-21 04:08:43 UTC
Permalink
Post by Andy Chu
This is a pretty big cleanup, still in progress, but I think these
parts are ready to merge.
It's a large lump, some bits of which I disagree with. Should I apply
and then apply an undo patch, or chip off bits?
Post by Andy Chu
I think we should change the test "protocol" to be a subprocess rather
sourcing the .test file, as you alluded to. But that can be done in a
separate step on top of this.
Agreed.

The problem is that when you ctrl-C and it's executing a (subshell),
the host process doesn't get killed. So I tried to do it myself, and
it got... complicated.

When you have multiple shell levels ((subshell) within subshell),
which is easy to do with shell functions calling shell functions,
it's hard to get the PIDs of the various shell levels. (You'd think
$PPID would be the parent of the current process and $$ would be the
current process, but just try it: it doesn't work. And it's hard to
interact with /proc/self without spawning a temporary process to do
so, which gives you the wrong answers...)

Anyway, I've made it work sometimes, by having trap EXIT call this:

https://github.com/landley/aboriginal/blob/master/sources/utility_functions.sh#L93

But sometimes it doesn't work, and I never figured out why. (That's on
the todo list for when I open the toysh can of worms.)
Post by Andy Chu
There's also some cruft like '. testing.sh' at the top of most tests,
but it doesn't seem to exist. As long as I'm going in the right
direction I can fix all this.
Yeah that's historical. Commit 387edf547eb0 moved it.

In theory you used to be able run the blah.test files yourself if you
were willing to set up your $PATH. Then the wrapper grew TEST_HOST,
and single tests vs adding all the commands in the current toybox
binary to the $PATH... And running them by themselves became less
interesting, and having a file in the tests directory that wasn't
a test was kind of awkward...

The test suite isn't 100% tied to toybox. Before my most recent encounter
with the posix mailing list convinced me it's Jorg Schilling's pet
project, I was thinking making an independent command line test would
be a good thing. Now, posix can go hang, the committee is dead and it's
a historical document.

The '. testing.sh' stuff is leftover from wanting to break out the test
suite into its own project someday.
Post by Andy Chu
[PATCH 1/2] Refactor the test harness to triage tests, and fix some
bugs.
- Fix a name clash bug where 'make test' would run all tests and then
try to build the 'test' binary. 'make test_bin' is special cased for now.
In scripts/genconfig.sh there's:

while IFS=":" read FILE NAME
do
[ "$NAME" == help ] && continue
[ "$NAME" == install ] && continue

I should have added 'test' to that.

Adding the individual command names to the makefile target list is
awkward, and there are multiple conflicts, but I haven't tought of a
better interface yet.
Post by Andy Chu
- Make the test targets .PHONY, since we're not creating files called
test_sed, etc.
Good.
Post by Andy Chu
- Use here docs to write Makefile fragments, for readability and to be
consistent with the rest of the script. Refactor into functions.
Sure.

(On the one hand, here documents are efficiently collated. On the other
hand, they break indentation.)
Post by Andy Chu
- Add comments.
Often a good thing. :)
Post by Andy Chu
- Add the output binary name as the first param.
I still want scripts/make.sh to work if run by itself, and you've sort
of broken that unless people know to provide a magic default argument.

The way it used to work is that scripts/single.sh set environment variables
that modified the behavior of scripts/make.sh, so the communication was
sort of out of band.
Post by Andy Chu
This fixes an issue where 'make; make test_sed' would leave you without
a 'toybox' binary because single.sh created another toybox binary and
renamed it to sed.
Indeed. This is worth fixing, but I'd prefer to have single.sh set more
environment variables ot modify the behavior further rather than adding
another mechanism to be used on top of the existing mechanisms. (Since
scripts/single.sh is assembling a config file with sed, you can't
easily bypass that script to build your own singleconfig files anyway.)

The design hiccup is that scripts/single.sh can have a $PREFIX on
the start of the filename. Should the _unstripped versions be in that
directory, or stay in the toybox directory? Also, if it's making
ls_unstripped in the toybox directory then I need to teach make clean
to kill *_unstripped.
Post by Andy Chu
- Changed the 'testing' function to return 0. This fixes a bug where
the return value of the script depends on the return code of the
last command -- NOT whether it passed or failed. For example,
'make test_test' would fail with code 1, even though all tests
passed (because 'test' exits 1 validly).
The pass/fail stuff written to stdout was the result, the return
code never meant anything. (There was some attempt to return the number
of pass/fail but the "who is calling us" question kinda screwed that
up.)

Still... sure?
Post by Andy Chu
On the other hand, tests with failures would still return 0 if the last
command didn't fail.
- Use local variables instead of globals since we are sharing globals
with the tests themselves.
Some of the variables were meant to be shared with the tests, but ok.

(This is more leftover from the days when you ran the scripts directly,
transitioning to it being run by a wrapper. There's dangling design
elements I never got back to...)
Post by Andy Chu
- Add a common function to skip tests if not running as root,
and keep track of skipped commands.
Ok.
Post by Andy Chu
[PATCH 2/2] Various test fixes and cleanup.
bzcat: Fix a test that was succeeding for the wrong reason. The test
was looking for a 1 exit code in the case of bad data, but there was a
typo in the input path, so it failed 1 for the wrong reason.
bzcat, xzcat, zcat: Use $HOST_BIN_TAR to fix the issue where they fail
under 'make test' but not 'make test_bzcat'.
tar is in pending for a reason.

"make test" tests the current toybox binary, built with the current .config.
If you don't select a command in menuconfig, it doesn't get built into
the toybox binary, so it tests the host version. So you could test
individual versions before I made scripts/single.sh, I just did that
so you could build binaries without the multiplexier (because people
wanted that).
Post by Andy Chu
hostname: Use $HOST_BIN_HOSTNAME, and skip one test if not root.
No, we should fix toybox hostname.
Post by Andy Chu
chgrp, groupadd, groupdel, ifconfig, losetup, mount, useradd: Skip if
not root.
Good. (I've got a couple of those locally, but swapping out for the
function is good.)
Post by Andy Chu
pgrep, pkill: style cleanup and speedup of the tests (change sleep 1 to
sleep 0.1). No fixes yet.
I've been using sleep .25 because I've had .1 hiccup testing under qemu
on a slow box when the host system isn't idle, but yes. :)
Post by Andy Chu
renice: Fix some quoting problems (revealing further errors, not fixed)
tar: Style cleanup in preparation to fix failures under 'make test' but
not 'make test_tar' (due to host/toybox discrepancy)
Then we should fix the host/toybox discrepancies.

(That said, both the tar.test and tar.c files were contributed and I've
only glanced at them a bit.)
Post by Andy Chu
touch: Use $HOST_BIN_DATE because toybox doesn't support %N nanoseconds
No, the correct solution is to fix toybox date. We can test using the
host date by switching our date to N in menuconfig.

Rob
Andy Chu
2016-03-21 04:57:46 UTC
Permalink
Post by Rob Landley
Post by Andy Chu
This is a pretty big cleanup, still in progress, but I think these
parts are ready to merge.
It's a large lump, some bits of which I disagree with. Should I apply
and then apply an undo patch, or chip off bits?
Yeah sorry about the big lump, but the original history is super messy
-- there was a lot of churn of going back and forth as I was figuring
things out and learning the code.

If you read the commit description, it seems disjointed, but
everything is related to producing a "green build" (passing tests).
If you compare "make test" before and after, all the changes show up
there, and I think it's good progress.

But I have another large lump coming up (call it patch 0004)! It adds
some significant functionality (ASAN and all that, which found some
good bugs), as well as fixing test environment issues.

There was a recurring theme in the test failures -- under "make test",
you would have a directory in your PATH with ALL toybox binaries.
Under "make test_sed", you would only have sed in that dir. Patches
1-3 don't fix that but patch 4 does.

Patch 0004 also addresses some of the issues below. I changed it to
"make generated/single/sed" instead of "make sed", and this eliminates
the namespace clash. I kept "make sed" as a phony target for backward
compatibility, but personally I would prefer to remove them.

I'll respond in detail to the issues below after I send it out ... I
can definitely change things based on your feedback, but it might have
to be on top of this patch... patch #5 on top of #4 to address your
feedback.

Andy
Andy Chu
2016-03-21 05:56:35 UTC
Permalink
OK here's the patch I was talking about... I actually wrote it in Make
first and then completely rewrote it, and it's much simpler now.

My rant is that Makefiles should be for dataflow and shell scripts are
for actions, and they work together beautifully (makefiles call shell
scripts, and sometimes shell scripts call 'make').

But I think .PHONY targets are usually a sign of abusing Makefiles as
shell scripts. There's nothing really different about 'make test' vs
'./test.sh all'.

I think 'make test' should be kept as an alias for downstream
familiarity, but 'make test_sed' etc. should be removed in favor of
'./test.sh single sed'. They are preserved in this patch though.

I would patch this and try ./test.sh single -asan expr. It's super
nice and gives a stack trace of a memory leak. It definitely found
leaks before your last patch with 'refree'. I didn't try yet but I
think it will find leaks in the string -> int conversion (or it will
if we add the proper test cases.)

-msan is finding unitialized reads, like in xabspath(), *buf is used
without initializing char buf[4096].
-ubsan is finding some integer overflows, and some more stuff I didn't
look into deeply yet.

Note that this is runtime instrumentation, not static analysis, so
they are actually happening.

Also I think these renaming would be nice:

scripts/test.sh -> scripts/run_tests.sh # helper script for "front
end" ./test.sh
scripts/runtest.sh -> scripts/test_lib.sh # the thing all the tests source
scripts/install.c -> scripts/instlist.c ? Because the binary is
generated/instlist?

(I didn't do that because I'm not sure how it would patch...)

Also there is a TODO in test.sh... there seems to be a couple places
where we are grepping toys/*/*.c for info about commands, and I think
one is wrong because I get '-toysh' in addition to 'toysh'. This can
probably be cleaned up... if you want me to do that in this patch set
let me know.

Andy
Post by Andy Chu
Post by Rob Landley
Post by Andy Chu
This is a pretty big cleanup, still in progress, but I think these
parts are ready to merge.
It's a large lump, some bits of which I disagree with. Should I apply
and then apply an undo patch, or chip off bits?
Yeah sorry about the big lump, but the original history is super messy
-- there was a lot of churn of going back and forth as I was figuring
things out and learning the code.
If you read the commit description, it seems disjointed, but
everything is related to producing a "green build" (passing tests).
If you compare "make test" before and after, all the changes show up
there, and I think it's good progress.
But I have another large lump coming up (call it patch 0004)! It adds
some significant functionality (ASAN and all that, which found some
good bugs), as well as fixing test environment issues.
There was a recurring theme in the test failures -- under "make test",
you would have a directory in your PATH with ALL toybox binaries.
Under "make test_sed", you would only have sed in that dir. Patches
1-3 don't fix that but patch 4 does.
Patch 0004 also addresses some of the issues below. I changed it to
"make generated/single/sed" instead of "make sed", and this eliminates
the namespace clash. I kept "make sed" as a phony target for backward
compatibility, but personally I would prefer to remove them.
I'll respond in detail to the issues below after I send it out ... I
can definitely change things based on your feedback, but it might have
to be on top of this patch... patch #5 on top of #4 to address your
feedback.
Andy
Andy Chu
2016-03-21 06:55:20 UTC
Permalink
Post by Rob Landley
The problem is that when you ctrl-C and it's executing a (subshell),
the host process doesn't get killed. So I tried to do it myself, and
it got... complicated.
By host process do you mean parent process? I thought this is only a
problem if you do 'foo.test &' which detaches from the terminal (I
think), which we're not doing. I think this is what session groups in
Unix are for -- if you Ctrl-C then SIGINT is sent to every process in
the same session (roughly).

We can talk about this later but I don't think it should be a problem,
at least if you're running tests serially, as we are.
Post by Rob Landley
https://github.com/landley/aboriginal/blob/master/sources/utility_functions.sh#L93
(I happen to know a lot of trivia about killing untrusted processes,
but that's probably not what you're going for here...)
Post by Rob Landley
The test suite isn't 100% tied to toybox. Before my most recent encounter
with the posix mailing list convinced me it's Jorg Schilling's pet
project, I was thinking making an independent command line test would
be a good thing. Now, posix can go hang, the committee is dead and it's
a historical document.
The '. testing.sh' stuff is leftover from wanting to break out the test
suite into its own project someday.
OK thanks for the background.
Post by Rob Landley
while IFS=":" read FILE NAME
do
[ "$NAME" == help ] && continue
[ "$NAME" == install ] && continue
I should have added 'test' to that.
That's essentially what I did in patches 1-3, but as mentioned in
patch #4 I moved single command binaries to generated/single/test. I
suggest getting rid of the top level aliases, but I didn't do that (in
order not to stomp all over your project :) )

I like to think of the arguments to make as *data*, not *actions*.
Data can't collide with data; only actions can collide with data.
It's convenient that data lives on the file system, which already has
namespaces :)
Post by Rob Landley
I still want scripts/make.sh to work if run by itself, and you've sort
of broken that unless people know to provide a magic default argument.
scripts/make.sh without arguments still works... the default is 'toybox'.
Post by Rob Landley
Post by Andy Chu
This fixes an issue where 'make; make test_sed' would leave you without
a 'toybox' binary because single.sh created another toybox binary and
renamed it to sed.
Indeed. This is worth fixing, but I'd prefer to have single.sh set more
environment variables ot modify the behavior further rather than adding
another mechanism to be used on top of the existing mechanisms. (Since
scripts/single.sh is assembling a config file with sed, you can't
easily bypass that script to build your own singleconfig files anyway.)
I can change it to an env variable if you want, or if you'd rather go
through everything yourself that's fine too. I guess that makes sense
since it's optional and not required, and positional arguments are
usually required. Right now I see that single.sh sets KCONFIG_CONFIG
for make.sh.
Post by Rob Landley
The design hiccup is that scripts/single.sh can have a $PREFIX on
the start of the filename. Should the _unstripped versions be in that
directory, or stay in the toybox directory? Also, if it's making
ls_unstripped in the toybox directory then I need to teach make clean
to kill *_unstripped.
With patch #4, you get

toybox
toybox_unstripped
generated/
single/
sed
sed_unstripped

I got rid of PREFIX in single.sh. I think make PREFIX=foo install
should work, because that's a Unix UI convention. But I don't think I
broke that (I didn't touch install.sh).
Post by Rob Landley
The pass/fail stuff written to stdout was the result, the return
code never meant anything. (There was some attempt to return the number
of pass/fail but the "who is calling us" question kinda screwed that
up.)
Still... sure?
I think this was bad because you get an error from make:

$ make test_test
... EVERYTHING PASSES
PASS: test -lt
PASS: test -le
make: *** [test_test] Error 1
Post by Rob Landley
Post by Andy Chu
- Use local variables instead of globals since we are sharing globals
with the tests themselves.
Some of the variables were meant to be shared with the tests, but ok.
We already agreed that a subprocess is better, but I really think the
globals used for communication should be the ONLY globals. Right now
the tests can change internal state in the harness and totally screw
it up. They can't do that if the test harness uses local variables.
Post by Rob Landley
Post by Andy Chu
[PATCH 2/2] Various test fixes and cleanup.
bzcat: Fix a test that was succeeding for the wrong reason. The test
was looking for a 1 exit code in the case of bad data, but there was a
typo in the input path, so it failed 1 for the wrong reason.
bzcat, xzcat, zcat: Use $HOST_BIN_TAR to fix the issue where they fail
under 'make test' but not 'make test_bzcat'.
tar is in pending for a reason.
"make test" tests the current toybox binary, built with the current .config.
If you don't select a command in menuconfig, it doesn't get built into
the toybox binary, so it tests the host version. So you could test
individual versions before I made scripts/single.sh, I just did that
so you could build binaries without the multiplexier (because people
wanted that).
Post by Andy Chu
hostname: Use $HOST_BIN_HOSTNAME, and skip one test if not root.
No, we should fix toybox hostname.
So for these two issues, I agree the tests aren't in good shape and
there's still work to do on the commands. But I'm trying not to fix
the entire world in one patch -- I'm just preserving the intent of the
existing tests. I think the tests need a lot of work, and shouldn't
even use host binaries at all, because that makes them flaky and
unreproducible.
Post by Rob Landley
Post by Andy Chu
tar: Style cleanup in preparation to fix failures under 'make test' but
not 'make test_tar' (due to host/toybox discrepancy)
Then we should fix the host/toybox discrepancies.
(That said, both the tar.test and tar.c files were contributed and I've
only glanced at them a bit.)
Post by Andy Chu
touch: Use $HOST_BIN_DATE because toybox doesn't support %N nanoseconds
No, the correct solution is to fix toybox date. We can test using the
host date by switching our date to N in menuconfig.
Yeah same response... these are obviously not permanent fixes, but
they're much better than what's there! I'm making more tests green
(at least under some environment; see the stats in my first message).

Now these tests can EASILY be detected by setting HOST_BIN_* to empty
strings. Before this patch there's no way to detect them, other than
through some tedious labor... I basically triaged the non-hermetic
tests for us, and they can be improved later.

Let me know what you think of the bigger patch. Hopefully it is in
line philosophically with what you are thinking... I'm game to change
details. The immediate goal is just to have a test harness that can
prevent trivial regressions like the 'factor' thing, which saves time
and makes it easier to contribute.

Larger goals were on the testing thread from a week ago ... though I
think everything discussed there has this kind of stuff (basic smoke
tests and a green build) as prerequisites.

Andy
Andy Chu
2016-03-21 07:42:39 UTC
Permalink
Updated patch 0004 to fix the shell brace style ...

Also, it mentions this in the test.sh help, but the best way to try it
is to download the latest pre-built binaries from Clang, and then
export CLANG_DIR when running any of the -asan,-msan,-ubsan modes.

http://llvm.org/releases/download.html#3.8.0

Andy
Andy Chu
2016-03-28 00:48:26 UTC
Permalink
FYI with these patches, and this addition to expr.test:

# Case that triggers ASAN error
testing "regex" "expr 3 : '\(.\)' = 4 : '\(.\)'" "0\n" "" ""

Then running the following command line shows a heap-use-after-free
error in expr, detected by ASAN. (Basically there are two regex
captures, and you compare them for equality. There are definitely
other cases that will fail at head -- I'm just pointing out this one.)

I think the 3rd patch I sent with track() is the shortest and simplest
solution that's correct ... If you want to free sooner, I think you
would have to separate out "ret" and "lhs", and probably have a flag
inside 'struct value' about whether the string needs to be freed or
not. However that is more code that will intertwine itself throughout
the evaluation logic.

$ ./test.sh single -asan expr
scripts/make.sh toybox_asan
Generate headers from toys/*/*.c...
...

PASS: expr adjacent literals
PASS: expr non-integer argument
=================================================================
==25529==ERROR: AddressSanitizer: heap-use-after-free on address
0x60200000edd0 at pc 0x00000045098e bp 0x7fffa02938f0 sp
0x7fffa02930b0
READ of size 1 at 0x60200000edd0 thread T0
#0 0x45098d in StrtolFixAndCheck(void*, char const*, char**,
char*, int) /home/development/llvm/3.8.0/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2596:3
#1 0x4a0952 in strtoll
/home/development/llvm/3.8.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:686:3
#2 0x53808e in get_int /home/andy/git/other/toybox/toys/pending/expr.c:84:12
#3 0x538501 in eval_op /home/andy/git/other/toybox/toys/pending/expr.c:169:9
#4 0x539358 in eval_expr
/home/andy/git/other/toybox/toys/pending/expr.c:241:5
#5 0x538db4 in expr_main
/home/andy/git/other/toybox/toys/pending/expr.c:251:3
#6 0x4e7539 in toy_exec /home/andy/git/other/toybox/main.c:148:19
#7 0x4e693c in toybox_main /home/andy/git/other/toybox/main.c:161:21
#8 0x4e770b in main /home/andy/git/other/toybox/main.c:220:5
#9 0x7fc2d5d3eec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
#10 0x41bc75 in _start (/home/andy/git/other/toybox/toybox_asan+0x41bc75)

0x60200000edd0 is located 0 bytes inside of 2-byte region
[0x60200000edd0,0x60200000edd2)
freed by thread T0 here:
#0 0x4b1ceb in __interceptor_free
/home/development/llvm/3.8.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x538967 in re /home/andy/git/other/toybox/toys/pending/expr.c:117:22
#2 0x538967 in eval_op /home/andy/git/other/toybox/toys/pending/expr.c:203
#3 0x539358 in eval_expr
/home/andy/git/other/toybox/toys/pending/expr.c:241:5
#4 0x539349 in eval_expr
/home/andy/git/other/toybox/toys/pending/expr.c:240:5
#5 0x538db4 in expr_main
/home/andy/git/other/toybox/toys/pending/expr.c:251:3
#6 0x4e7539 in toy_exec /home/andy/git/other/toybox/main.c:148:19
#7 0x4e693c in toybox_main /home/andy/git/other/toybox/main.c:161:21
#8 0x7fc2d5d3eec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
#0 0x4b200b in malloc
/home/development/llvm/3.8.0/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e4082 in xmalloc /home/andy/git/other/toybox/lib/xwrap.c:62:15
#2 0x538928 in re /home/andy/git/other/toybox/toys/pending/expr.c:116:16
#3 0x538928 in eval_op /home/andy/git/other/toybox/toys/pending/expr.c:203
#4 0x539358 in eval_expr
/home/andy/git/other/toybox/toys/pending/expr.c:241:5
#5 0x538db4 in expr_main
/home/andy/git/other/toybox/toys/pending/expr.c:251:3
#6 0x4e7539 in toy_exec /home/andy/git/other/toybox/main.c:148:19
#7 0x4e693c in toybox_main /home/andy/git/other/toybox/main.c:161:21
#8 0x7fc2d5d3eec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free
/home/development/llvm/3.8.0/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2596:3
in StrtolFixAndCheck(void*, char const*, char**, char*, i
nt)
Shadow bytes around the buggy address:
0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d70: fa fa 02 fa fa fa fd fa fa fa fd fd fa fa fd fa
0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff9d90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9da0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff9db0: fa fa fd fa fa fa fd fa fa fa[fd]fa fa fa fd fa
0x0c047fff9dc0: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9dd0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff9de0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9df0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25529==ABORTING
FAIL: expr regex
toybox expr: 1 total failures

Loading...