Skip to content

Fix two issues that undefined behavior sanitizer caught #419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
henrylhtsang wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix two issues that undefined behavior sanitizer caught #419

henrylhtsang wants to merge 2 commits into from

Conversation

@henrylhtsang
Copy link

@henrylhtsang henrylhtsang commented Jan 20, 2026

Fixes #413

Changes

  1. string.h: Guard std::memcpy call with size check to avoid passing null source pointer with size 0
  2. object.h: Replace null pointer member access with standard offsetof macro for computing object header offsets

I tested manually for clang and gcc. Didn't test locally for msvc since I don't have access to windows. CI should test that.

script:

#include <tvm/ffi/string.h>
#include <tvm/ffi/object.h>
#include <iostream>

class TestObj : public tvm::ffi::Object {
  public:
  static constexpr const char* _type_key = "test.TestObj";
};

int main() {
  std::cout << "Test 1: Creating string from null TVMFFIByteArray...\n";
  TVMFFIByteArray null_bytes{nullptr, 0};
  tvm::ffi::String str_from_null(null_bytes);
  std::cout << "String size: " << str_from_null.size() << "\n";

  std::cout << "Test 2: Computing object offset...\n";
  int64_t offset = tvm::ffi::details::ObjectUnsafe::GetObjectOffsetToSubclass<TestObj>();
  std::cout << "Offset: " << offset << "\n";

  std::cout << "Done - no UBSan errors!\n";
  return 0;
}

commands:

cd ~/tvm-ffi
git submodule update --init --recursive

clang++ -std=c++17 -fsanitize=undefined -I./include -I./3rdparty/dlpack/include -x c++  repro.cpp  -o repro

g++ -std=c++17 -fsanitize=undefined -I./include -I./3rdparty/dlpack/include repro.cpp -o repro

@henrylhtsang
fix(string): avoid undefined behavior when memcpy source is null
03396ce 
Add size check before calling std::memcpy to avoid undefined behavior
when the source pointer is null with size 0. The C standard states that
passing null to memcpy is undefined behavior even with size 0.

Fixes UBSan warning: null pointer passed as argument 2, which is
declared to never be null.
@henrylhtsang
fix(object): use offsetof instead of null pointer arithmetic
2550deb 
Replace null pointer member access with the standard offsetof macro
from <cstddef> to compute object offset. This avoids undefined behavior
caught by UBSan (member access within null pointer).

The offsetof macro is portable across GCC, Clang, and MSVC:
- GCC/Clang: internally uses __builtin_offsetof
- MSVC: uses its own internal mechanism

Fixes UBSan warning: member access within null pointer of type 'Object'.
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Jan 20, 2026

Summary of Changes

Hello @henrylhtsang, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses two distinct instances of undefined behavior identified by the Undefined Behavior Sanitizer (UBSan). The changes enhance the robustness and correctness of the codebase by ensuring safer memory operations and standard-compliant offset calculations, thereby preventing potential crashes or unexpected program behavior.

Highlights

  • string.h fix: Guarded std::memcpy call with a size check to prevent passing a null source pointer when the size is zero, addressing potential undefined behavior.
  • object.h fix: Replaced a non-standard null pointer member access pattern with the offsetof macro for computing object header offsets, improving standard compliance and safety.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@henrylhtsang
Copy link
Author

henrylhtsang commented Jan 20, 2026

cc @junrushao

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 20, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly addresses two sources of undefined behavior. The change in object.h to use the standard offsetof macro instead of manual pointer arithmetic is a great improvement for correctness and portability. Similarly, adding a size check before std::memcpy in string.h correctly prevents undefined behavior. The changes are approved.

include/tvm/ffi/string.h
Comment on lines +757 to +759
if (size > 0) {
std::memcpy(dest_data, data, size);
}
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This is a great fix to prevent undefined behavior when memcpy is called with a size of 0 and a null source pointer. I noticed that the Bytes::InitData method in this same file has a similar implementation without this check. It would be beneficial to apply the same fix there to ensure consistency and prevent the same undefined behavior in the Bytes class.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

UndefinedBehaviorSanitizer errors in string.h and object.h

1 participant

@henrylhtsang