Add kubsan(4), a undefined behavior sanitizer for the kernel. It's

capable of detecting undefined behavior at runtime and all findings are
printed to the system console, including the offending line in the
source code.

kubsan is limited to architectures using Clang as their default compiler
and is not enabled by default.

Derived from the NetBSD implementation.

ok kettenis@ visa@

3 files changed, 107 insertions, 5 deletions

diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index cff5be21dbb..f693b6b804c 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.702 2019/03/11 10:48:45 dlg Exp $
+#	$OpenBSD: Makefile,v 1.703 2019/03/18 17:30:07 anton Exp $
 
 MAN=	aac.4 abcrtc.4 ac97.4 acphy.4 acrtc.4 \
 	acpi.4 acpiac.4 acpials.4 acpiasus.4 acpibat.4 \
@@ -38,8 +38,8 @@ MAN=	aac.4 abcrtc.4 ac97.4 acphy.4 acrtc.4 \
 	ip.4 ip6.4 ipcomp.4 ipgphy.4 ipmi.4 ips.4 ipsec.4 ipw.4 \
 	isa.4 isagpio.4 isapnp.4 islrtc.4 it.4 itherm.4 iwi.4 iwn.4 iwm.4 \
 	ix.4 ixgb.4 ixl.4 jmb.4 jme.4 jmphy.4 \
-	kate.4 kcov.4 km.4 ksyms.4 kue.4 lc.4 lge.4 lii.4 lisa.4 lm.4 \
-	lmenv.4 lmn.4 lmtemp.4 lo.4 lpt.4 lxtphy.4 luphy.4 \
+	kate.4 kcov.4 km.4 ksyms.4 kubsan.4 kue.4 lc.4 lge.4 lii.4 lisa.4 \
+	lm.4 lmenv.4 lmn.4 lmtemp.4 lo.4 lpt.4 lxtphy.4 luphy.4 \
 	maestro.4 mainbus.4 malo.4 maxds.4 maxrtc.4 maxtmp.4 mbg.4 midi.4 \
 	mii.4 mfi.4 \
 	mfii.4 mlphy.4 mobileip.4 moscom.4 mos.4 mpe.4 mpath.4 mpi.4 mpii.4 \
diff --git a/share/man/man4/kubsan.4 b/share/man/man4/kubsan.4
new file mode 100644
index 00000000000..23c91d17a13
--- /dev/null
+++ b/share/man/man4/kubsan.4
@@ -0,0 +1,98 @@
+.\"	$OpenBSD: kubsan.4,v 1.1 2019/03/18 17:30:07 anton Exp $
+.\"
+.\" Copyright (c) 2019 Anton Lindqvist <anton@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.Dd $Mdocdate: March 18 2019 $
+.Dt KUBSAN 4
+.Os
+.Sh NAME
+.Nm kubsan
+.Nd kernel undefined behavior sanitizer
+.Sh SYNOPSIS
+.Cd option KUBSAN
+.Sh DESCRIPTION
+.Nm
+detects undefined behavior at runtime inside the kernel.
+Detected undefined behavior is printed to the system console,
+including the offending line in the source code.
+.Pp
+By default,
+.Nm
+is not enabled but instead requires the following line to be present in the
+kernel configuration:
+.Bd -literal -offset indent
+option KUBSAN
+.Ed
+.Pp
+The following undefined behavior is detected:
+.Bl -tag -width 4n
+.It Integer overflow
+The result of an aritmetic computation on two integer operands cannot be
+represented by the destination type.
+.It Negate overflow
+Negation of an integer cannot be represented by the destination type.
+.It Pointer overflow
+Pointer aritmetic overflow.
+.It Out of bounds
+Array indexing out of bounds, limited to cases where the size of the array
+can be statically determined.
+.It Shift out of bounds
+Undefined logical shift caused by:
+.Bl -dash
+.It
+The shift amount being negative.
+.It
+The shift operand being negative.
+.It
+The shift amount exceeds the number of bits as given by the shift operand
+type.
+.It
+The result of the shift computation cannot be represented by the destination
+type.
+.El
+.It Invalid load
+Loading a value that cannot be represented by the destination type.
+.It Type mismatch
+Mismatch between pointer and value type caused by:
+.Bl -dash
+.It
+A pointer which does not fulfill the alignment requirements of the value type.
+.It
+A pointer to an address which lacks sufficient space to store the value type.
+.El
+.It Unreachable
+Execution reached passed a function annotated as
+.Dv __dead .
+.El
+.Sh SEE ALSO
+.Xr options 4
+.Sh HISTORY
+The
+.Nm
+implementation
+is derived from
+.Nx
+and first appeared in
+.Ox 6.5 .
+.Sh AUTHORS
+The
+.Nm
+implementation was written by
+.An Anton Lindqvist Aq Mt anton@openbsd.org .
+.Sh CAVEATS
+The
+.Nm
+implementation is limited to architectures using
+.Xr clang 1
+as their default compiler.
diff --git a/share/man/man4/options.4 b/share/man/man4/options.4
index 6c9f58b9935..dc042fe92f7 100644
--- a/share/man/man4/options.4
+++ b/share/man/man4/options.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: options.4,v 1.262 2019/02/07 15:11:38 visa Exp $
+.\"	$OpenBSD: options.4,v 1.263 2019/03/18 17:30:07 anton Exp $
 .\"	$NetBSD: options.4,v 1.21 1997/06/25 03:13:00 thorpej Exp $
 .\"
 .\" Copyright (c) 1998 Theo de Raadt
@@ -34,7 +34,7 @@
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\"
-.Dd $Mdocdate: February 7 2019 $
+.Dd $Mdocdate: March 18 2019 $
 .Dt OPTIONS 4
 .Os
 .Sh NAME
@@ -114,6 +114,10 @@ Adds hooks for the system call tracing facility, which allows users to
 watch the system call invocation behavior of processes.
 See
 .Xr ktrace 1 .
+.It Cd option KUBSAN
+Detect undefined behavior in the kernel.
+See
+.Xr kubsan 4 .
 .It Cd option NO_PROPOLICE
 Do not compile the kernel with the ProPolice stack protection.
 See