Fixes multiple memory safety bugs exposed by -fsanitize=address,undefined.#167
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR fixes a series of memory safety bugs discovered after enabling AddressSanitizer and UBSan in the build (
-fsanitize=address,undefined -fno-omit-frame-pointer -g). All bugs share a common root cause: rawchar *strings being used without explicit length tracking, causing over-reads, invalid frees, and buffer overflows. The fix systematically replaces unsafe patterns with the existingStringstruct ({ char *data; size_t len; }).Makefile Change
Added sanitizer flags to
CFLAGSfor development builds:Note:
$(STDROT_LIB)is compiled without sanitizer flags since it's a shared library loaded at runtime viadlopen. If ASan is added to the.sobuild it must match the main binary's runtime exactly.Bugs Fixed
semantic_analyzer.c—safe_strdupcalled withlen = MAX_BUFFER_LENon string literals**add_semantic_errorconstructed aStringwith.len = MAX_BUFFER_LENregardless of actual message length, causingsafe_strduptomemcpy512 bytes off the end of short string literals into adjacent global memory. Fixed by changingadd_semantic_errorto accept aStringparameter with correct length. Call sites usingsnprintfnow capture the return value as the length. Bare string literal call sites use the newSTRING_LITERAL(s)macro (sizeof(s) - 1).New Macro Added (
string_value.h)Safely wraps compile-time string literals into
Stringstructs with exact length computed at compile time — nostrlen, no runtime cost.Related Issue
Fixes #162
Type of Change
Checklist