https://bugs.kde.org/show_bug.cgi?id=388862

            Bug ID: 388862
           Summary: false positive of __wcsnlen_sse4_1 with glibc 2.26
           Product: valgrind
           Version: 3.13.0
          Platform: Other
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: memcheck
          Assignee: jsew...@acm.org
          Reporter: faragon.git...@gmail.com
  Target Milestone: ---

I reported the problem yesterday in the GLIB bugzilla, because thinking it was
a GLIBC bug ("sprintf "%ls": uninitialized memory access because of using SSE
4.1 (__wcsnlen_sse4_1)"), but Andreas Schwab pointed that it could be a false
positive. Could it be a Valgrind regression problem?

https://sourceware.org/bugzilla/show_bug.cgi?id=22703

>From the GLIB ticket:

The uninitialized memory access comes from the internal function
__wcsnlen_sse4_1 (using SSE 4.1 on x86_64), both with and without optimizations
-O0/-O3). I've found it with a Valgrind test that reported an error after
updating the build machine from Ubuntu 16.04 to Ubuntu 17.10 (GCC 7.2.0, ldd
--version shows "Ubuntu GLIBC 2.26-0ubuntu2"). Actual behavior seems "right",
but because of Valgrind reporting conditional behavior based on uninitialized
memory, I've set the severity to critical.

Valgrind output:

$ uname -a
Linux luna 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux

$ gcc -O0 -ggdb sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22373== Conditional jump or move depends on uninitialised value(s)
==22373==    at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22373==    by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22373==    by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22373==    by 0x4EB513D: vsprintf (iovsprintf.c:42)
==22373==    by 0x4E98FA3: sprintf (sprintf.c:32)
==22373==    by 0x108833: main (sprintf_bug.c:13)
==22373==  Uninitialised value was created by a heap allocation
==22373==    at 0x4C2FB0F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22373==    by 0x1087ED: main (sprintf_bug.c:9)
(...)

$ gcc -O3 sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22707== Conditional jump or move depends on uninitialised value(s)
==22707==    at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22707==    by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22707==    by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22707==    by 0x4F60A8A: __vsprintf_chk (vsprintf_chk.c:82)
==22707==    by 0x4F609B9: __sprintf_chk (sprintf_chk.c:31)
==22707==    by 0x108757: main (in /r0/done/repos/mlibsrt/a.out)
(...)


Source code for reproducing the bug:

$ cat sprintf_bug.c

#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <wchar.h>

int main()
{
        char tmp[4096];
        wchar_t *hello_bug = (wchar_t *)malloc(sizeof(wchar_t) * 4096);
        if (!hello_bug)
                return 1;
        wcscpy(hello_bug, L"Hello bug!");
        sprintf(tmp, "%ls", hello_bug);  /* <-- Valgrind blames this */
        printf("%s\n", tmp);
        free(hello_bug);
        return 0;
}

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to