I'm performing a UBsan run on GnuPG 2.2.15 and all of its dependencies. Everything was built with -fsanitize=undefined -fno-sanitize-recover. For Autotools projects the two flags get placed in CFLAGS, CXXFLAGS and LDFLAGS.
It looks like UBsan is producing some findings:
Checking that a valid signature is verified as such. ("/home/build/gnupg-2.2.15/sm/gpgsm" --yes --verify "/tmp/gpgscm-20190510T190415-verify-fyLDre/sig" "/tmp/gpgscm-20190510T190415-verify-2dLyKY/body") failed: gpgsm: WARNING: running with faked system time: 2001-12-13 11:00:00 gpgsm: Signature made [date not given] using certificate ID 0x33BDB76E gpgsm: CRLs not checked due to --disable-crl-checks option certdump.c:695:3: runtime error: null pointer passed as argument 2, which is declared to never be null 0: tests.scm:122: (throw (string-append (stringify what) " failed") (:stderr result)) 1: verify.scm:49: (call-check `(,@gpgsm --verify ,sig ,body)) FAIL: tests/gpgsm/verify.scm
Because -fno-sanitize-recover is used, abort() is called on a finding. It is needed because test frameworks often swallow the message *runtime error: ...* and the tester never gets to see it.