Fix undefined behavior from function pointer type casts flagged by UBSan #619

Open
bjosv wants to merge 3 commits into awslabs:main from Nordix:ubsan-fixes

bjosv commented Mar 26, 2026

Replace function pointer casts with properly-typed static wrapper functions throughout the codebase.
Casting function pointers to a different type and calling through that pointer is undefined behavior in C (C11
§6.5.2.2¶6), even when the underlying ABI happens to work.

Three categories of casts are fixed:

  1. (aws_hash_callback_eq_fn *) and (aws_hash_callback_destroy_fn *) casts on hash table callbacks
  2. (aws_simple_completion_callback *) casts on aws_ref_count_init() destroy callbacks where the function takes a concrete struct pointer instead of void *
  3. (aws_simple_completion_callback *) casts on vtable destroy function pointers passed to aws_ref_count_init()

Each cast is replaced with a small static void wrapper function that forwards to the original.

How to reproduce:

Build as described in https://github.com/awslabs/aws-c-s3?tab=readme-ov-file#building but with UBSan enabled:
-DCMAKE_C_FLAGS="-fsanitize=undefined -fno-sanitize-recover=undefined"
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=undefined"

When running tests UBSan will report errors like:

source/s3express_credentials_provider.c:929:5: runtime error: call through pointer to incorrect function type 'bool (*)(const void *, const void *)'
source/s3_default_buffer_pool.c:298:5: runtime error: call through pointer to incorrect function type 'void (*)(void *)'

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

bjosv added 3 commits March 26, 2026 23:03

Replace (aws_hash_callback_eq_fn *) and (aws_hash_callback_destroy_fn *) casts
with properly-typed static wrapper functions.

Casting function pointers to a different type and calling through that pointer
is undefined behavior in C. UBSan reports these at hash_table.c:68 in
s_safe_eq_check() where the equals_fn callback is invoked.

Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>

Add void (*)(void *) wrapper functions for destroy callbacks that have
concrete struct pointer signatures. These are passed to aws_ref_count_init()
which expects aws_simple_completion_callback (void (*)(void *)).

UBSan reports these at ref_count.c:29 when the destroy callback is invoked
through the mismatched function pointer type.

Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>

…stroy

Add void (*)(void *) wrapper functions for destroy callbacks registered via
aws_ref_count_init() that have concrete struct pointer signatures.

Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>
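
The wrapper pattern described in the pull request text and commit messages above, as an added example that is not code from this pull request or from aws-c-s3. The callback typedefs, `struct session` and all function names are hypothetical stand-ins, and the `HAS_FN_TYPE` compile-time guard is an extra check the pull request does not mention.

```c
#include <stdbool.h>
#include <string.h>

/* Callback types with the signatures named in the UBSan reports above.
 * Hypothetical stand-ins, not the aws-c-common typedefs. */
typedef bool eq_fn(const void *a, const void *b);
typedef void destroy_fn(void *user_data);

/* Constructed concrete type with typed helpers, as a library would have them. */
struct session { char key[16]; int destroyed; };

static bool session_key_eq(const struct session *a, const struct session *b) {
    return strcmp(a->key, b->key) == 0;
}
static void session_destroy(struct session *s) { s->destroyed = 1; }

/* Wrappers whose type matches the callback exactly: the void * to struct
 * conversion is done on the data pointer, never on the function pointer. */
static bool s_session_key_eq(const void *a, const void *b) {
    return session_key_eq((const struct session *)a, (const struct session *)b);
}
static void s_session_destroy(void *user_data) {
    session_destroy((struct session *)user_data);
}

/* Compile-time guard: 1 only if fn already has callback type T, so a mismatch
 * fails the build instead of being hidden by a cast at the call site. */
#define HAS_FN_TYPE(fn, T) _Generic(&(fn), T *: 1, default: 0)
_Static_assert(HAS_FN_TYPE(s_session_key_eq, eq_fn), "eq wrapper type");
_Static_assert(HAS_FN_TYPE(s_session_destroy, destroy_fn), "destroy wrapper type");
_Static_assert(!HAS_FN_TYPE(session_key_eq, eq_fn), "typed fn would need a cast");

/* Generic consumers standing in for a hash lookup and a ref-count release. */
static bool generic_equals(eq_fn *eq, const void *a, const void *b) { return eq(a, b); }
static void generic_release(destroy_fn *on_zero, void *obj) { on_zero(obj); }

/* Returns 1 when both wrappers behave like the typed functions they forward to. */
int wrappers_work(void) {
    struct session a = {"alpha", 0}, b = {"alpha", 0}, c = {"beta", 0};
    bool same = generic_equals(s_session_key_eq, &a, &b);
    bool diff = generic_equals(s_session_key_eq, &a, &c);
    generic_release(s_session_destroy, &a);
    return same && !diff && a.destroyed == 1;
}

int main(void) { return wrappers_work() ? 0 : 1; }
```

Building this with the `-fsanitize=undefined` flags quoted in the description runs clean, because every indirect call goes through a pointer whose type matches the function it points to.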