https://bugs.kde.org/show_bug.cgi?id=388862
Bug ID: 388862
Summary: false positive of __wcsnlen_sse4_1 with glibc 2.26
Product: valgrind
Version: 3.13.0
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: memcheck
Assignee: jsew...@acm.org
Reporter: faragon.git...@gmail.com
Target Milestone: ---

I reported the problem yesterday in the GLIBC bugzilla, because I thought it was a GLIBC bug ("sprintf "%ls": uninitialized memory access because of using SSE 4.1 (__wcsnlen_sse4_1)"), but Andreas Schwab pointed out that it could be a false positive. Could it be a Valgrind regression problem?

https://sourceware.org/bugzilla/show_bug.cgi?id=22703

From the GLIBC ticket:

The uninitialized memory access comes from the internal function __wcsnlen_sse4_1 (using SSE 4.1 on x86_64), both with and without optimizations (-O0/-O3). I've found it with a Valgrind test that reported an error after updating the build machine from Ubuntu 16.04 to Ubuntu 17.10 (GCC 7.2.0, ldd --version shows "Ubuntu GLIBC 2.26-0ubuntu2"). Actual behavior seems "right", but because of Valgrind reporting conditional behavior based on uninitialized memory, I've set the severity to critical.

Valgrind output:

$ uname -a
Linux luna 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ gcc -O0 -ggdb sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22373== Conditional jump or move depends on uninitialised value(s)
==22373==    at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22373==    by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22373==    by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22373==    by 0x4EB513D: vsprintf (iovsprintf.c:42)
==22373==    by 0x4E98FA3: sprintf (sprintf.c:32)
==22373==    by 0x108833: main (sprintf_bug.c:13)
==22373==  Uninitialised value was created by a heap allocation
==22373==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22373==    by 0x1087ED: main (sprintf_bug.c:9)
(...)
$ gcc -O3 sprintf_bug.c
$ valgrind --tool=memcheck ./a.out
(...)
==22707== Conditional jump or move depends on uninitialised value(s)
==22707==    at 0x4F029D1: __wcsnlen_sse4_1 (strlen.S:161)
==22707==    by 0x4EF0C4A: wcsrtombs (wcsrtombs.c:104)
==22707==    by 0x4E91EE1: vfprintf (vfprintf.c:1643)
==22707==    by 0x4F60A8A: __vsprintf_chk (vsprintf_chk.c:82)
==22707==    by 0x4F609B9: __sprintf_chk (sprintf_chk.c:31)
==22707==    by 0x108757: main (in /r0/done/repos/mlibsrt/a.out)
(...)

Source code for reproducing the bug (laid out so that line 9 is the malloc and line 13 the sprintf named in the traces above):

$ cat sprintf_bug.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>   /* malloc/free */
#include <wchar.h>

int main(void)
{
    char tmp[4096];
    wchar_t *hello_bug = (wchar_t *)malloc(sizeof(wchar_t) * 4096); /* only 11 wchar_t are written below; the rest stays uninitialised */
    if (!hello_bug) return 1;
    wcscpy(hello_bug, L"Hello bug!");
    /* %ls makes vfprintf call wcsrtombs, which measures the string with __wcsnlen_sse4_1 */
    sprintf(tmp, "%ls", hello_bug); /* <-- Valgrind blames this */
    printf("%s\n", tmp);
    free(hello_bug);
    return 0;
}
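The following plain-C model is an editorial addition, not part of the bug report, of glibc or of Valgrind: it shows why a vectorised wcsnlen compares lanes past the terminator (the memory memcheck sees being read before it was written) and why the computed length cannot depend on them, which is what makes the report a false positive rather than a real bug. It assumes x86_64 Linux with 4-byte wchar_t, so one 16-byte SSE register holds four lanes; chunked_wcsnlen and tail_does_not_change_result are made-up names.

```c
#include <stddef.h>
#include <stdlib.h>
#include <wchar.h>

/* Lanes compared per step: one 16-byte SSE register holds four 32-bit wchar_t
   on x86_64 Linux (assumed here). */
#define CHUNK (16 / sizeof(wchar_t))

/* Model of a vectorised wcsnlen: compare a whole chunk of lanes at a time and
   stop at the first chunk holding L'\0'. *past_nul receives how many lanes
   after the terminator were still compared: memory that memcheck sees read
   without ever having been written. The caller's allocation must reach the
   end of the last chunk (glibc aligns its loads to guarantee this; the 4096
   element buffer in the reproducer is ample). */
size_t chunked_wcsnlen(const wchar_t *s, size_t maxlen, size_t *past_nul)
{
    size_t i, k, hit, past = 0;
    for (i = 0; i < maxlen; i += CHUNK) {
        hit = CHUNK;                                /* no zero lane yet */
        for (k = 0; k < CHUNK; k++) {               /* one "pcmpeqd" step */
            if (hit == CHUNK && s[i + k] == L'\0')
                hit = k;                            /* first zero lane */
            else if (hit != CHUNK)
                past++;                             /* lane after the NUL */
        }
        if (hit != CHUNK) {
            *past_nul = past;
            return i + hit < maxlen ? i + hit : maxlen;
        }
    }
    *past_nul = past;
    return maxlen;
}

/* Reproducer shape: "Hello bug!" in a 4096-lane heap buffer. Lane 11 (never
   written by wcscpy) is compared, yet whatever it holds the answer is 10. */
int tail_does_not_change_result(void)
{
    size_t la, lb, pa, pb, pc, capped;
    wchar_t *buf = malloc(sizeof(wchar_t) * 4096);
    if (!buf) return 0;
    wcscpy(buf, L"Hello bug!");                     /* lanes 0..9, NUL at 10 */
    buf[11] = 0x41;  la = chunked_wcsnlen(buf, 4096, &pa);   /* stand-in tail #1 */
    buf[11] = 0x7f;  lb = chunked_wcsnlen(buf, 4096, &pb);   /* stand-in tail #2 */
    capped = chunked_wcsnlen(buf, 8, &pc);          /* maxlen cap: no NUL seen */
    free(buf);
    return la == 10 && lb == 10 && pa == 1 && pb == 1 && pc == 0 && capped == 8;
}
```

In a test suite that must stay memcheck-clean under this glibc, zero-filling the buffer (calloc or wmemset) removes the uninitialised lanes without changing the program's behaviour; the model above shows why the original code was correct all along.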