https://bugs.kde.org/show_bug.cgi?id=436152

            Bug ID: 436152
           Summary: memcheck does not allow undefined SIMD shift distances
           Product: valgrind
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: memcheck
          Assignee: jsew...@acm.org
          Reporter: bugzilla-...@box.cr.yp.to
  Target Milestone: ---

Try memcheck on an AVX2 shift with an undefined distance; minimal example
below. Expected behavior: no errors. Observed behavior: "Use of uninitialised
value of size 1" error. (As a side note, track-origins doesn't seem to work
here.)

My impression is that this particular error is generated by line 4840 of
memcheck/mc_translate.c in current valgrind git. An accompanying comment says
"this is wrong now", and a comment at the top of the file says that memcheck
"complains, but should not" when an undefined value is used as "the shift value
in certain SIMD shift operations". So there appears to be consensus that this
is a bug.

The actual application leading to this bug report is intentionally and
correctly using an undefined value here for security reasons explained in
https://neuromancer.sk/article/26, so a bug fix would be helpful. I presume
that the fix would look like the existing scalarShift() function.

timecop@bolero-bullseye1:~$ uname -a
Linux bolero-bullseye1 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC
2020 x86_64 GNU/Linux
timecop@bolero-bullseye1:~$ gcc --version
gcc (Debian 10.2.1-6) 10.2.1 20210110
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

timecop@bolero-bullseye1:~$ valgrind --version
valgrind-3.16.1
timecop@bolero-bullseye1:~$ cat x.c
#include <immintrin.h>

volatile __m256i x;

int main()
{
  int i; /* deliberately left uninitialised: this is the undefined shift distance */
  x = _mm256_slli_epi32(x,i);
  return 0;
}
timecop@bolero-bullseye1:~$ gcc -o x x.c -march=native -g
timecop@bolero-bullseye1:~$ valgrind -v ./x
==29256== Memcheck, a memory error detector
==29256== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==29256== Using Valgrind-3.16.1-36d6727e1d-20200622X and LibVEX; rerun with -h
for copyright info
==29256== Command: ./x
==29256== 
--29256-- Valgrind options:
--29256--    -v
--29256-- Contents of /proc/version:
--29256--   Linux version 4.15.0-96-generic (buildd@lgw01-amd64-004) (gcc
version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #97-Ubuntu SMP Wed Apr 1 03:25:46
UTC 2020
--29256-- 
--29256-- Arch and hwcaps: AMD64, LittleEndian,
amd64-cx16-lzcnt-sse3-ssse3-avx-avx2-bmi-f16c-rdrand
--29256-- Page sizes: currently 4096, max supported 4096
--29256-- Valgrind library directory: /home/timecop/lib/valgrind
--29256-- Reading syms from /home/timecop/x
--29256-- Reading syms from /lib/x86_64-linux-gnu/ld-2.31.so
--29256--   Considering
/usr/lib/debug/.build-id/ab/75e6eb59378454f315620832dff4d450abc6ab.debug ..
--29256--   .. build-id is valid
--29256-- Reading syms from /home/timecop/lib/valgrind/memcheck-amd64-linux
--29256--    object doesn't have a dynamic symbol table
--29256-- Scheduler: using generic scheduler lock implementation.
--29256-- Reading suppressions file: /home/timecop/lib/valgrind/default.supp
==29256== embedded gdbserver: reading from
/tmp/vgdb-pipe-from-vgdb-to-29256-by-timecop-on-???
==29256== embedded gdbserver: writing to  
/tmp/vgdb-pipe-to-vgdb-from-29256-by-timecop-on-???
==29256== embedded gdbserver: shared mem  
/tmp/vgdb-pipe-shared-mem-vgdb-29256-by-timecop-on-???
==29256== 
==29256== TO CONTROL THIS PROCESS USING vgdb (which you probably
==29256== don't want to do, unless you know exactly what you're doing,
==29256== or are doing some strange experiment):
==29256==   /home/timecop/lib/valgrind/../../bin/vgdb --pid=29256 ...command...
==29256== 
==29256== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==29256==   /path/to/gdb ./x
==29256== and then give GDB the following command
==29256==   target remote | /home/timecop/lib/valgrind/../../bin/vgdb
--pid=29256
==29256== --pid is optional if only one valgrind process is running
==29256== 
==29256== Use of uninitialised value of size 1
==29256==    at 0x109149: _mm256_slli_epi32 (avx2intrin.h:684)
==29256==    by 0x109149: main (x.c:8)
==29256== 
--29256-- REDIR: 0x48db720 (libc.so.6:free) redirected to 0x483987b (free)
==29256== 
==29256== HEAP SUMMARY:
==29256==     in use at exit: 0 bytes in 0 blocks
==29256==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==29256== 
==29256== All heap blocks were freed -- no leaks are possible
==29256== 
==29256== Use --track-origins=yes to see where uninitialised values come from
==29256== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==29256== 
==29256== 1 errors in context 1 of 1:
==29256== Use of uninitialised value of size 1
==29256==    at 0x109149: _mm256_slli_epi32 (avx2intrin.h:684)
==29256==    by 0x109149: main (x.c:8)
==29256== 
==29256== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
timecop@bolero-bullseye1:~$
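To make the behaviour the report expects concrete, here is an added shadow-value model (an illustration written for this page, not valgrind's own code) of memcheck-style V-bit propagation for a lane-wise shift by a possibly undefined count, following the rule the reporter presumes from scalarShift(): the shift itself never complains, the result simply carries undefined V-bits, and only a later conditional branch on that result is reported. The eight-lane layout, the function names, the complaint counters and the sample values are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>

#define LANES 8   /* eight 32-bit lanes, the layout of the report's __m256i */

/* Shadow 32-bit lane: v is the value, vbits marks undefined bits
   (1 = undefined), following memcheck's V-bit convention. */
typedef struct { uint32_t v; uint32_t vbits; } shadow32;

/* Lane-wise shift-left by a possibly undefined count, using the rule
   the report presumes from scalarShift(): an undefined count makes every
   result bit undefined (its V-bits are widened to the lane), while a
   defined count shifts the data's V-bits along with the data. Counts of
   32 or more zero the lane, as the immediate-form instruction does.
   Returns the number of complaints raised, which is always 0: merely
   computing with undefined data is not an error in memcheck's model. */
static int shadow_slli_epi32(const shadow32 in[LANES], shadow32 count,
                             shadow32 out[LANES]) {
    for (size_t l = 0; l < LANES; l++) {
        if (count.v >= 32) {
            out[l].v = 0;
            out[l].vbits = count.vbits ? 0xFFFFFFFFu : 0;
        } else {
            out[l].v = in[l].v << count.v;
            out[l].vbits = count.vbits ? 0xFFFFFFFFu : in[l].vbits << count.v;
        }
    }
    return 0;
}

/* A conditional branch is one of the places memcheck does check
   definedness. Returns 1 if memcheck would report "Conditional jump or
   move depends on uninitialised value(s)" for a branch on this lane. */
static int shadow_branch(shadow32 s) { return s.vbits != 0; }

/* Replays the report's x.c in the shadow model: defined x, uninitialised
   int i (constructed garbage value 3, every bit undefined). Stores the
   complaints from the shift alone (expected 0) and from a branch on
   lane 0 afterwards (expected 1); returns their sum. */
static int replay_report_example(int *shift_complaints, int *branch_complaints) {
    shadow32 x[LANES], r[LANES];
    for (size_t l = 0; l < LANES; l++) { x[l].v = 1u << l; x[l].vbits = 0; }
    shadow32 i = { 3u, 0xFFFFFFFFu };
    *shift_complaints = shadow_slli_epi32(x, i, r);
    *branch_complaints = shadow_branch(r[0]);
    return *shift_complaints + *branch_complaints;
}
```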