https://bugs.kde.org/show_bug.cgi?id=388862
Bug ID: 388862
Summary: false positive of __wcsnlen_sse4_1 with glibc 2.26
Product: valgrind
Version: 3.13.0
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: memcheck
Assignee: jsew...@acm.org
Reporter: faragon.git...@gmail.com
Target Milestone: ---
I reported the problem yesterday in the GLIB bugzilla, because thinking it was
a GLIBC bug ("sprintf "%ls": uninitialized memory access because of using SSE
4.1 (__wcsnlen_sse4_1)"), but Andreas Schwab pointed that it could be a false
positive. Could it be a Valgrind regression problem?
https://sourceware.org/bugzilla/show_bug.cgi?id=22703
>From the GLIB ticket:
The uninitialized memory access comes from the internal function
__wcsnlen_sse4_1 (using SSE 4.1 on x86_64), both with and without optimizations
-O0/-O3). I've found it with a Valgrind test that reported an error after
updating the build machine from Ubuntu 16.04 to Ubuntu 17.10 (GCC 7.2.0, ldd
--version shows "Ubuntu GLIBC 2.26-0ubuntu2"). Actual behavior seems "right",
but because of Valgrind reporting conditional behavior based on uninitialized
memory, I've set the severity to critical.
Valgrind output:
$ uname -a
Linux luna 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64
x86_64 x86_64 GNU/Linux
$ gcc -O0 -ggdb sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22373== Conditional jump or move depends on uninitialised value(s)
==22373== at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22373== by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22373== by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22373== by 0x4EB513D: vsprintf (iovsprintf.c:42)
==22373== by 0x4E98FA3: sprintf (sprintf.c:32)
==22373== by 0x108833: main (sprintf_bug.c:13)
==22373== Uninitialised value was created by a heap allocation
==22373== at 0x4C2FB0F: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22373== by 0x1087ED: main (sprintf_bug.c:9)
(...)
$ gcc -O3 sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22707== Conditional jump or move depends on uninitialised value(s)
==22707== at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22707== by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22707== by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22707== by 0x4F60A8A: __vsprintf_chk (vsprintf_chk.c:82)
==22707== by 0x4F609B9: __sprintf_chk (sprintf_chk.c:31)
==22707== by 0x108757: main (in /r0/done/repos/mlibsrt/a.out)
(...)
Source code for reproducing the bug:
$ cat sprintf_bug.c
#include <stdio.h>
#include <string.h>
#include <malloc.h>
#include <wchar.h>
int main()
{
char tmp[4096];
wchar_t *hello_bug = (wchar_t *)malloc(sizeof(wchar_t) * 4096);
if (!hello_bug)
return 1;
wcscpy(hello_bug, L"Hello bug!");
sprintf(tmp, "%ls", hello_bug); /* <-- Valgrind blames this */
printf("%s\n", tmp);
free(hello_bug);
return 0;
}
--
You are receiving this mail because:
You are watching all bug changes.
