Status: Open
Labels: bug (Something isn't working), status: open for contribution
Description
Hello experts! I am testing tvm-ffi, but I am seeing some sanitizer errors. I am trying to see whether they are fixable upstream.
Repro
```cpp
// Compile with: clang++ -std=c++17 -fsanitize=undefined -I./include -I./3rdparty/dlpack/include repro.cpp -o repro
// run ./repro
#include <tvm/ffi/string.h>
#include <tvm/ffi/object.h>
#include <iostream>

// A simple subclass to trigger GetObjectOffsetToSubclass
class TestObj : public tvm::ffi::Object {
 public:
  static constexpr const char* _type_key = "test.TestObj";
};

int main() {
  std::cout << "Testing TVM FFI sanitizer issues...\n";

  // Issue 1: Null pointer to memcpy in String::InitData
  // This is triggered when passing a TVMFFIByteArray with null data
  std::cout << "Test 1: Creating string from null TVMFFIByteArray...\n";
  TVMFFIByteArray null_bytes;
  null_bytes.data = nullptr;
  null_bytes.size = 0;
  tvm::ffi::String str_from_null(null_bytes);
  std::cout << "String from null bytes size: " << str_from_null.size() << "\n";

  // Issue 2: Null pointer dereference in GetObjectOffsetToSubclass
  // This is typically triggered during module loading/type registration
  std::cout << "Test 2: Computing object offset...\n";
  int64_t offset = tvm::ffi::details::ObjectUnsafe::GetObjectOffsetToSubclass<TestObj>();
  std::cout << "Offset: " << offset << "\n";

  std::cout << "Done.\n";
  return 0;
}
```
Errors

```text
Test 1: Creating string from null TVMFFIByteArray...
include/tvm/ffi/string.h:757:28: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior include/tvm/ffi/string.h:757:28
String from null bytes size: 0
Test 2: Computing object offset...
include/tvm/ffi/object.h:1097:71: runtime error: member access within null pointer of type 'tvm::ffi::Object'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior include/tvm/ffi/object.h:1097:71
include/tvm/ffi/object.h:1098:72: runtime error: member access within null pointer of type 'Object'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior include/tvm/ffi/object.h:1098:72
Offset: 0
Done.
```
Potential fixes?

I asked Claude and it suggested replacing

```cpp
std::memcpy(dest_data, data, size);
```

with

```cpp
if (size > 0) {
  std::memcpy(dest_data, data, size);
}
```

and

```cpp
return (reinterpret_cast<int64_t>(&(static_cast<Class*>(nullptr)->header_)) -
        reinterpret_cast<int64_t>(&(static_cast<Object*>(nullptr)->header_)));
```

with

```cpp
return static_cast<int64_t>(__builtin_offsetof(Class, header_)) -
       static_cast<int64_t>(__builtin_offsetof(Object, header_));
```

But I want to get some feedback first.
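The two UBSan findings from the report reproduced on toy stand-ins, each beside a form that stays within defined behaviour. This is an added example, not code from the issue or from tvm-ffi: `ByteView`, `Obj`, `Sub`, `Padding` and the function names are constructed, and the offset is measured on a real instance rather than with `__builtin_offsetof`, which is a different approach from the one suggested in the issue.

```cpp
// Added example, not tvm-ffi code. Build and run under UBSan with:
//   clang++ -std=c++17 -fsanitize=undefined example.cpp
// Only the *_flagged function trips the sanitizer.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>

// Constructed stand-in for TVMFFIByteArray: a {data, size} view, data may be null.
struct ByteView { const char* data; size_t size; };

// Finding 1 (string.h:757 in the report): unconditional memcpy. Even with
// size == 0, a null source pointer is undefined behaviour in C, and glibc
// marks the parameter nonnull, which is exactly what UBSan reports.
std::string init_data_flagged(ByteView v) {
  std::string dest(v.size, '\0');
  std::memcpy(&dest[0], v.data, v.size);  // UB when v.data == nullptr
  return dest;
}

// Guarded form proposed in the report: an empty input never reaches memcpy,
// so a null data pointer with size 0 is accepted without a sanitizer hit.
std::string init_data_guarded(ByteView v) {
  std::string dest(v.size, '\0');
  if (v.size > 0) std::memcpy(&dest[0], v.data, v.size);
  return dest;
}

// Constructed object model: Obj carries header_; Sub places another base
// before Obj so the Obj subobject sits at a nonzero offset inside Sub.
struct Header { uint32_t type_index; uint32_t ref_counter; };
struct Obj { Header header_; };
struct Padding { uint64_t slot; };
struct Sub : Padding, Obj { int32_t payload; };

// Finding 2 (object.h:1097): the offset came from forming
// static_cast<Class*>(nullptr)->header_, a member access through a null
// pointer. Measuring a real instance instead keeps the arithmetic defined:
// both pointers address the same object, so their difference is the offset
// of the Obj base inside Class (0 when Obj is the first or only base).
template <typename Class>
int64_t offset_to_subclass() {
  static const Class probe{};
  const char* as_class = reinterpret_cast<const char*>(&probe);
  const char* as_obj = reinterpret_cast<const char*>(static_cast<const Obj*>(&probe));
  return static_cast<int64_t>(as_obj - as_class);
}
```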