* Brian Mastenbrook [2015-10-06 19:09:45 -0500]:
> __secs_to_tm (used by gmtime_r et al) may invoke undefined behavior due
> to signed integer overflow in two places. At __secs_to_tm.c:58,
> 400*qc_cycles may overflow. At __secs_to_tm.c:63, there is a nonsensical
> comparison between an already overflowed value and INT_MAX or INT_MIN;
> the compiler will delete this test due to overflow. Here are some
> example values that provoke the overflow:

i think that computation was supposed to be done with long longs
and then the comparison is sensical and both problems go away.
can you try the attached patch?

> t = -67771633420944000
>
> __secs_to_tm.c:58:[kernel] warning: signed overflow. assert -2147483648 ≤ 400*qc_cycles;
>
> t = 67768037838810496
>
> __secs_to_tm.c:63:[kernel] warning: signed overflow. assert years+100 ≤ 2147483647;
>
> These errors were found using KLEE and clang's undefined behavior
> sanitizer together. (Unfortunately KLEE also produced a false report of
> an out-of-bounds access to the days_in_month array due to a solver bug.)

i have some questions:
have you looked at other parts of musl?
can klee model libc/syscall api behaviour?
is it possible to instrument a libc.a with klee and then use small
programs to check various libc interfaces?
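To illustrate the point of the reply (do the cycle arithmetic in long long so that 400*qc_cycles cannot overflow, and only then range-check before narrowing to int), here is an added, self-contained C example written for this page; it is not musl's __secs_to_tm and not the attached patch. It follows the same 400/100/4-year cycle decomposition from a 2000-03-01 leap epoch, but the function name secs_to_year, its Gregorian-year output and the LEAPOCH/DAYS_PER_* constants are assumptions of this example. The two t values from the report above are reused as inputs; both are rejected by the 64-bit check instead of overflowing.

```c
#include <limits.h>
#include <stdio.h>

/* 2000-03-01 00:00:00 UTC: start of a 400-year cycle, placed so that every
 * leap day lands at the end of its 4-year, 100-year and 400-year cycle. */
#define LEAPOCH       (946684800LL + 86400LL * (31 + 29))
#define DAYS_PER_400Y (365LL * 400 + 97)
#define DAYS_PER_100Y (365LL * 100 + 24)
#define DAYS_PER_4Y   (365LL * 4 + 1)

/* Convert seconds since the Unix epoch to a Gregorian year.
 * Returns 0 and stores the year in *year, or -1 if the year does not fit
 * in int. Every intermediate is long long, so 400*qc_cycles is exact for
 * any 64-bit t (|qc_cycles| < 2^63/86400/146097), and the final range
 * check compares values that have not overflowed. Doing the same check on
 * an int that has already wrapped is undefined behaviour, which is why a
 * compiler may delete it. */
int secs_to_year(long long t, int *year)
{
    long long secs = t - LEAPOCH;
    long long days = secs / 86400;
    if (secs % 86400 < 0)           /* floor, not truncate, for t < LEAPOCH */
        days--;

    long long qc_cycles = days / DAYS_PER_400Y;
    long long remdays   = days % DAYS_PER_400Y;
    if (remdays < 0) {              /* normalise remainder into [0, 400y) */
        remdays += DAYS_PER_400Y;
        qc_cycles--;
    }

    long long c_cycles = remdays / DAYS_PER_100Y;
    if (c_cycles == 4)              /* last day of the 400-year cycle */
        c_cycles--;
    remdays -= c_cycles * DAYS_PER_100Y;

    long long q_cycles = remdays / DAYS_PER_4Y;
    if (q_cycles == 25)             /* last day of the 100-year cycle */
        q_cycles--;
    remdays -= q_cycles * DAYS_PER_4Y;

    long long remyears = remdays / 365;
    if (remyears == 4)              /* Feb 29 at the end of the 4-year cycle */
        remyears--;
    remdays -= remyears * 365;

    /* Years since 2000-03-01. 306 days after 1 March is 1 January, so a
     * remainder of 306 or more belongs to the following calendar year. */
    long long years = remyears + 4 * q_cycles + 100 * c_cycles
                    + 400 * qc_cycles;          /* long long multiply */
    if (remdays >= 306)
        years++;

    /* Range-check the exact 64-bit value before narrowing it. */
    if (years + 2000 > INT_MAX || years + 2000 < INT_MIN)
        return -1;
    *year = (int)(years + 2000);
    return 0;
}

int main(void)
{
    /* Sample inputs: two ordinary timestamps plus the two values from the
     * KLEE/UBSan report in the message above. */
    const long long samples[] = {
        0LL, 946684800LL, -67771633420944000LL, 67768037838810496LL
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int y;
        if (secs_to_year(samples[i], &y) == 0)
            printf("t=%lld -> year %d\n", samples[i], y);
        else
            printf("t=%lld -> year does not fit in int, rejected\n", samples[i]);
    }
    return 0;
}
```

With the original int arithmetic, the first reported value drives 400*qc_cycles to -2147597600 and the second drives years+100 to 2147483700, both outside int; here those products stay exact in long long and the check rejects them cleanly.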