From fe4c8ae82a76ccd853171ce7547a4e1785d0de87 Mon Sep 17 00:00:00 2001 From: Ayaz Salikhov Date: Mon, 15 Jun 2026 20:04:33 +0100 Subject: [PATCH 1/2] build: Add ClangBuildAnalyzer to Nix (#7538) Co-authored-by: Bart --- nix/docker/check-tools.sh | 1 + nix/packages.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/nix/docker/check-tools.sh b/nix/docker/check-tools.sh index 276e5977ff..a46c2dd997 100755 --- a/nix/docker/check-tools.sh +++ b/nix/docker/check-tools.sh @@ -6,6 +6,7 @@ ccache --version clang --version clang++ --version clang-format --version +ClangBuildAnalyzer --version cmake --version conan --version curl --version diff --git a/nix/packages.nix b/nix/packages.nix index fc4eff679e..5a7f20ec49 100644 --- a/nix/packages.nix +++ b/nix/packages.nix @@ -9,6 +9,7 @@ in { commonPackages = with pkgs; [ ccache + clangbuildanalyzer cmake conan curlMinimal # needed for codecov/codecov-action From 2df96b155061bbd23a6477776ea3af3f0cd26e94 Mon Sep 17 00:00:00 2001 From: Pratik Mankawde <3397372+pratikmankawde@users.noreply.github.com> Date: Mon, 15 Jun 2026 20:25:37 +0100 Subject: [PATCH 2/2] fix: Silence UBSan diagnostics in the ubsan build config (#7531) Co-authored-by: Claude Opus 4.8 --- .../workflows/reusable-build-test-config.yml | 35 +++--- .../suppressions/runtime-ubsan-options.txt | 2 +- sanitizers/suppressions/ubsan.supp | 106 +++++++++++++----- src/xrpld/rpc/handlers/ledger/Ledger.cpp | 15 ++- 4 files changed, 112 insertions(+), 46 deletions(-) diff --git a/.github/workflows/reusable-build-test-config.yml b/.github/workflows/reusable-build-test-config.yml index 8cb5f8c46a..28d317e4dd 100644 --- a/.github/workflows/reusable-build-test-config.yml +++ b/.github/workflows/reusable-build-test-config.yml @@ -164,6 +164,27 @@ jobs: ${CMAKE_ARGS} \ .. + # Export the sanitizer options before any instrumented binary runs. The + # protocol code-gen and build steps below invoke instrumented dependency + # tools (protoc, grpc), so setting UBSAN_OPTIONS here lets the UBSan + # suppression list silence their diagnostics too, not just at test time. + # GITHUB_WORKSPACE (not the github.workspace context) is used so the path + # resolves correctly inside the container job. + - name: Set sanitizer options + if: ${{ !inputs.build_only && env.SANITIZERS_ENABLED == 'true' }} + env: + CONFIG_NAME: ${{ inputs.config_name }} + run: | + SUPP="${GITHUB_WORKSPACE}/sanitizers/suppressions" + ASAN_OPTS="include=${SUPP}/runtime-asan-options.txt:suppressions=${SUPP}/asan.supp" + if [[ "${CONFIG_NAME}" == *gcc* ]]; then + ASAN_OPTS="${ASAN_OPTS}:alloc_dealloc_mismatch=0" + fi + echo "ASAN_OPTIONS=${ASAN_OPTS}" >>${GITHUB_ENV} + echo "TSAN_OPTIONS=include=${SUPP}/runtime-tsan-options.txt:suppressions=${SUPP}/tsan.supp" >>${GITHUB_ENV} + echo "UBSAN_OPTIONS=include=${SUPP}/runtime-ubsan-options.txt:suppressions=${SUPP}/ubsan.supp" >>${GITHUB_ENV} + echo "LSAN_OPTIONS=include=${SUPP}/runtime-lsan-options.txt:suppressions=${SUPP}/lsan.supp" >>${GITHUB_ENV} + - name: Check protocol autogen files are up-to-date working-directory: ${{ env.BUILD_DIR }} env: @@ -279,20 +300,6 @@ jobs: run: | ./xrpld --version | grep libvoidstar - - name: Set sanitizer options - if: ${{ !inputs.build_only && env.SANITIZERS_ENABLED == 'true' }} - env: - CONFIG_NAME: ${{ inputs.config_name }} - run: | - ASAN_OPTS="include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-asan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/asan.supp" - if [[ "${CONFIG_NAME}" == *gcc* ]]; then - ASAN_OPTS="${ASAN_OPTS}:alloc_dealloc_mismatch=0" - fi - echo "ASAN_OPTIONS=${ASAN_OPTS}" >>${GITHUB_ENV} - echo "TSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-tsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/tsan.supp" >>${GITHUB_ENV} - echo "UBSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-ubsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/ubsan.supp" >>${GITHUB_ENV} - echo "LSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-lsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/lsan.supp" >>${GITHUB_ENV} - - name: Run the separate tests if: ${{ !inputs.build_only }} working-directory: ${{ runner.os == 'Windows' && format('{0}/{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }} diff --git a/sanitizers/suppressions/runtime-ubsan-options.txt b/sanitizers/suppressions/runtime-ubsan-options.txt index fcfccf7bae..4b48efbe08 100644 --- a/sanitizers/suppressions/runtime-ubsan-options.txt +++ b/sanitizers/suppressions/runtime-ubsan-options.txt @@ -1 +1 @@ -halt_on_error=false +halt_on_error=true diff --git a/sanitizers/suppressions/ubsan.supp b/sanitizers/suppressions/ubsan.supp index 88d8e82e33..7e3e02f855 100644 --- a/sanitizers/suppressions/ubsan.supp +++ b/sanitizers/suppressions/ubsan.supp @@ -72,7 +72,7 @@ vptr:boost # Google protobuf - intentional overflows in hash functions undefined:protobuf -unsigned-integer-overflow:google/protobuf/stubs/stringpiece.h +unsigned-integer-overflow:protobuf # gRPC intentional overflows in timer calculations unsigned-integer-overflow:grpc @@ -102,47 +102,103 @@ undefined:nudb # Snappy compression library intentional overflows unsigned-integer-overflow:snappy.cc -# Abseil intentional overflows -unsigned-integer-overflow:absl/strings/numbers.cc -unsigned-integer-overflow:absl/strings/internal/cord_rep_flat.h -unsigned-integer-overflow:absl/base/internal/low_level_alloc.cc -unsigned-integer-overflow:absl/hash/internal/hash.h -unsigned-integer-overflow:absl/container/internal/raw_hash_set.h +# Abseil intentional overflows in hashing, RNG and time arithmetic. +# Matched at library scope (like boost above): the wraparound is by design +# across many absl files (hash mixing, raw_hash_set probing, duration math, +# int128, uniform_int_distribution), so listing individual files just churns. +unsigned-integer-overflow:absl # Standard library intentional overflows unsigned-integer-overflow:basic_string.h +unsigned-integer-overflow:bits/align.h +unsigned-integer-overflow:bits/basic_string.tcc unsigned-integer-overflow:bits/chrono.h unsigned-integer-overflow:bits/random.h unsigned-integer-overflow:bits/random.tcc unsigned-integer-overflow:bits/stl_algobase.h +unsigned-integer-overflow:bits/string_view.tcc unsigned-integer-overflow:bits/uniform_int_dist.h unsigned-integer-overflow:string_view unsigned-integer-overflow:__random/seed_seq.h unsigned-integer-overflow:__charconv/traits.h unsigned-integer-overflow:__chrono/duration.h +# libstdc++ (std::__bit_ceil etc.) negates an unsigned width; is a +# distinct header from the bits/ directory so it needs its own entry. +unsigned-integer-overflow:include/c++/*/bit # ============================================================================= # Rippled code suppressions # ============================================================================= -# Signed integer negation (-value) in amount types. -# INT64_MIN cannot occur in practice due to domain invariants (mantissa ranges -# are well within int64_t bounds), but UBSan flags the pattern as potential -# signed overflow. Narrowed to operator- to avoid suppressing unrelated -# overflows anywhere in a stack trace containing these type names. -signed-integer-overflow:operator-*IOUAmount* -signed-integer-overflow:operator-*XRPAmount* -signed-integer-overflow:operator-*MPTAmount* -signed-integer-overflow:operator-*STAmount* +# These suppressions are keyed by SOURCE FILE, not function name. This UBSan +# build runs without symbol information, so the runtime only knows the +# file:line of each report, never the enclosing function — function-name +# patterns silently never match. Each entry below is therefore scoped to the +# file whose arithmetic is intentional; the comment names the specific +# construct. -# STAmount::operator+ signed addition — operands are bounded by total supply -# (~10^17 for XRP, ~10^18 for MPT) so overflow cannot occur in practice. -signed-integer-overflow:operator+*STAmount* +# STAmount amount-type arithmetic. Unary negation of the mantissa in xrp()/ +# iou()/mpt()/canonicalize() and getInt64Value, plus bounded +/- on amounts: +# INT64_MIN cannot occur because canonicalize() keeps the mantissa well within +# int64_t, and operands are bounded by total supply (~10^17 XRP, ~10^18 MPT). +signed-integer-overflow:protocol/STAmount.cpp -# STAmount::getRate uses unsigned shift and addition -unsigned-integer-overflow:*STAmount*getRate* -# STAmount::serialize uses unsigned bitwise operations -unsigned-integer-overflow:*STAmount*serialize* +# nft::cipheredTaxon uses intentional uint32 wraparound (LCG permutation); +# the helper lives in the generated protocol header nft.h. +unsigned-integer-overflow:protocol/nft.h -# nft::cipheredTaxon uses intentional uint32 wraparound (LCG permutation) -unsigned-integer-overflow:cipheredTaxon +# STPathElement::getHash multiplies/adds accumulators (non-secure, speed-first). +unsigned-integer-overflow:protocol/STPathSet.cpp + +# beast XorShiftEngine PRNG and murmurhash3 mixing wrap by design. +unsigned-integer-overflow:beast/xor_shift_engine.h + +# Number::normalizeToRange multiplies the mantissa by powers of ten; the result +# is intentionally allowed to wrap while searching for the in-range value. +unsigned-integer-overflow:basics/Number.h + +# Counter / sequence arithmetic with intentional unsigned wraparound, each +# guarded by an explicit overflow or domain check at the call site: +# base_uint operator++/-- wrap by definition; +# ApplyView::insertPage ++page is asserted to wrap to 0 (page exhaustion); +# confineOwnerCount documents "overflow is well defined on unsigned"; +# NFTokenMint checks tokenSeq + 1u == 0u; AmendmentTable does (seq - 1) / 256. +unsigned-integer-overflow:basics/base_uint.h +unsigned-integer-overflow:ledger/ApplyView.cpp +unsigned-integer-overflow:ledger/helpers/AccountRootHelpers.cpp +unsigned-integer-overflow:tx/transactors/nft/NFTokenMint.cpp +unsigned-integer-overflow:app/misc/detail/AmendmentTable.cpp + +# Sentinel / bounded subtractions that wrap by design (loop counters, reverse +# iteration, "not found" sentinels, balance math bounded by issuance invariants, +# base58/base64 codec index math, hash-router and role bit math). +unsigned-integer-overflow:shamap/SHAMap.cpp +unsigned-integer-overflow:protocol/Permissions.cpp +unsigned-integer-overflow:protocol/tokens.cpp +unsigned-integer-overflow:basics/base64.cpp +unsigned-integer-overflow:json/json_value.cpp +unsigned-integer-overflow:app/misc/NetworkOPs.cpp +unsigned-integer-overflow:rpc/detail/Role.cpp +unsigned-integer-overflow:tx/transactors/oracle/OracleSet.cpp +unsigned-integer-overflow:ledger/helpers/MPTokenHelpers.cpp +unsigned-integer-overflow:crypto/RFC1751.cpp +unsigned-integer-overflow:tx/paths/detail/StrandFlow.h +unsigned-integer-overflow:protocol/STObject.h + +# GetAggregatePrice negates an unsigned trim count to step a reverse iterator; +# trimCount is bounded by the price set size. +unsigned-integer-overflow:rpc/handlers/orderbook/GetAggregatePrice.cpp + +# Test-only intentional overflow/underflow in fixture and unit-test arithmetic. +unsigned-integer-overflow:tests/libxrpl/basics/RangeSet.cpp +unsigned-integer-overflow:test/app/Batch_test.cpp +unsigned-integer-overflow:test/app/Invariants_test.cpp +unsigned-integer-overflow:test/app/Loan_test.cpp +unsigned-integer-overflow:test/app/NFToken_test.cpp +unsigned-integer-overflow:test/app/OfferMPT_test.cpp +unsigned-integer-overflow:test/app/Offer_test.cpp +unsigned-integer-overflow:test/app/Path_test.cpp +unsigned-integer-overflow:test/jtx/impl/acctdelete.cpp +unsigned-integer-overflow:test/ledger/SkipList_test.cpp +unsigned-integer-overflow:test/rpc/Subscribe_test.cpp +signed-integer-overflow:test/basics/XRPAmount_test.cpp diff --git a/src/xrpld/rpc/handlers/ledger/Ledger.cpp b/src/xrpld/rpc/handlers/ledger/Ledger.cpp index 5938c8c9c5..23a97a5026 100644 --- a/src/xrpld/rpc/handlers/ledger/Ledger.cpp +++ b/src/xrpld/rpc/handlers/ledger/Ledger.cpp @@ -30,6 +30,7 @@ #include #include #include +#include #include namespace xrpl { @@ -349,13 +350,15 @@ doLedgerGrpc(RPC::GRPCContext& context) auto end = std::chrono::system_clock::now(); auto duration = std::chrono::duration_cast(end - begin).count() * 1.0; + // Guard the per-item rates: an empty ledger has zero objects and/or zero + // transactions, and dividing by zero is undefined for these doubles. + auto const numObjects = response.ledger_objects().objects_size(); + auto const numTxns = response.transactions_list().transactions_size(); + std::string const msPerObj = numObjects > 0 ? std::to_string(duration / numObjects) : "n/a"; + std::string const msPerTxn = numTxns > 0 ? std::to_string(duration / numTxns) : "n/a"; JLOG(context.j.warn()) << __func__ << " - Extract time = " << duration - << " - num objects = " << response.ledger_objects().objects_size() - << " - num txns = " << response.transactions_list().transactions_size() - << " - ms per obj " - << duration / response.ledger_objects().objects_size() - << " - ms per txn " - << duration / response.transactions_list().transactions_size(); + << " - num objects = " << numObjects << " - num txns = " << numTxns + << " - ms per obj " << msPerObj << " - ms per txn " << msPerTxn; return {response, status}; }