[valgrind] [Bug 466884] Missing writev uninit padding suppression for _XSend
https://bugs.kde.org/show_bug.cgi?id=466884 --- Comment #3 from Matthew Fennell --- (In reply to Paul Floyd from comment #1) > Can you find the source in xcb that is causing this? I'll do my best :) To be honest - I'm not at all familiar with how these libraries interact, so forgive me if this description is not very good. But, here goes: I made a more minimal example that does not require openscenegraph. Here is the backtrace of the bug: #0 __GI___writev (fd=3, iov=0x7fffdbf0, iovcnt=3) at ../sysdeps/unix/sysv/linux/writev.c:26 #1 0x77c38fb9 in write_vec (count=0x7fffdb8c, vector=0x7fffdb90, c=0xc430) at ../../src/xcb_conn.c:277 #2 _xcb_conn_wait (c=c@entry=0xc430, cond=cond@entry=0xd560, vector=vector@entry=0x7fffdb90, count=count@entry=0x7fffdb8c) at ../../src/xcb_conn.c:523 #3 0x77c39381 in _xcb_out_send (count=, vector=, c=0xc430) at ../../src/xcb_out.c:464 #4 xcb_writev (c=c@entry=0xc430, vector=vector@entry=0x7fffdbf0, count=-9332, count@entry=3, requests=requests@entry=8) at ../../src/xcb_out.c:412 #5 0x77ea3eae in _XSend (dpy=0x9d80, data=0x7fffdc20 "8\004", data@entry=0x0, size=size@entry=0) at ../../src/xcb_io.c:578 #6 0x77ea447c in _XReply (dpy=dpy@entry=0x9d80, rep=rep@entry=0x7fffdcf0, extra=extra@entry=0, discard=discard@entry=1) at ../../src/xcb_io.c:670 #7 0x77e8eac4 in XInternAtom (dpy=0x9d80, name=0x603f "_MOTIF_WM_HINTS", onlyIfExists=0) at ../../src/IntAtom.c:182 #8 0x55cb in main () at /home/matthew/Documents/libre-racing/dependencies/bug-reports/x11-uninitialised-variable-usage/example.cpp:70 Frame 8: The bug is triggered by a call to XInternAtom(display, "_MOTIF_WM_HINTS", 0); This call on its own does not cause any reports - it relies on the previous lines. Frame 7 (libX11): libX11 has a Display struct which contains a char * dpy->buffer. It also has another char * dpy->bufptr, which starts set to the same position as dpy->buffer, but expands and shrinks throughout the lifetime of the program. In the call to XInternAtom, libX11 passes dpy to xcb. Frame 5 (xcb): xcb creates the struct iovec * like so: vec[0].iov_base = dpy->buffer vec[0].iov_len = dpy->bufptr - dpy->buffer There is also vec[1], and vec[2], but they both have iov_len values of 0. At this point: dpy->buffer: "\001\030\f" dpy->bufptr: "" dpy->bufptr - dpy->buffer = 296 Frames #4-0: This iovec * is passed down to the writev call without modification. Then, on the writev call, valgrind reports: ==21464== Syscall param writev(vector[...]) points to uninitialised byte(s) ==21464==at 0x4AD770D: __writev (writev.c:26) ==21464==by 0x4AD770D: writev (writev.c:24) ==21464==by 0x4BC6FB8: write_vec (xcb_conn.c:277) ==21464==by 0x4BC6FB8: _xcb_conn_wait (xcb_conn.c:523) ==21464==by 0x4BC7380: _xcb_out_send (xcb_out.c:464) ==21464==by 0x4BC7380: xcb_writev (xcb_out.c:412) ==21464==by 0x48B1EAD: _XSend (xcb_io.c:578) ==21464==by 0x48B247B: _XReply (xcb_io.c:670) ==21464==by 0x489CAC3: XInternAtom (IntAtom.c:182) ==21464==by 0x1095CA: main (example.cpp:70) ==21464== Address 0x4ee5738 is 264 bytes inside a block of size 16,384 alloc'd ==21464==at 0x483AB65: calloc (vg_replace_malloc.c:760) ==21464==by 0x48A1D79: XOpenDisplay (OpenDis.c:240) ==21464==by 0x10920B: main (example.cpp:5) ==21464== Uninitialised value was created by a stack allocation ==21464==at 0x109207: main (example.cpp:5) ==21464== { Memcheck:Param writev(vector[...]) fun:__writev fun:writev fun:write_vec fun:_xcb_conn_wait fun:_xcb_out_send fun:xcb_writev fun:_XSend fun:_XReply fun:XInternAtom fun:main } I believe the error is ultimately caused by 296 (iov_len = dpy->bufptr - dpy->buffer) > 264 (amount of initialised memory in dpy->buffer). However, unfortunately, I don't know enough about X11 to understand why this is happening, or if it's expected. Nevertheless, I hope this helps a little. Let me know if you'd like me to do more research or there's some other info that would help. I initially reported here since I noticed the almost identical suppressions, but I'm certainly open to the suggestion that this is a real bug in X. I just don't know enough to know how to tell for sure :) -- You are receiving this mail because: You are watching all bug changes.
[valgrind] [Bug 466884] Missing writev uninit padding suppression for _XSend
https://bugs.kde.org/show_bug.cgi?id=466884 --- Comment #2 from Matthew Fennell --- Created attachment 157026 --> https://bugs.kde.org/attachment.cgi?id=157026&action=edit Minimal example without openscenegraph dependency -- You are receiving this mail because: You are watching all bug changes.
[valgrind] [Bug 466884] New: Missing writev uninit padding suppression for _XSend
https://bugs.kde.org/show_bug.cgi?id=466884 Bug ID: 466884 Summary: Missing writev uninit padding suppression for _XSend Classification: Developer tools Product: valgrind Version: 3.16.1 Platform: unspecified OS: Linux Status: REPORTED Severity: wishlist Priority: NOR Component: memcheck Assignee: jsew...@acm.org Reporter: matthew.robert.fennell+bugzi...@gmail.com Target Milestone: --- Created attachment 157011 --> https://bugs.kde.org/attachment.cgi?id=157011&action=edit A minimal example making use of openscenegraph to reproduce the error $ uname -a Linux matthew-laptop 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux $ valgrind --suppressions=.valgrind-suppressions --leak-check=full --track-origins=yes --gen-suppressions=all -v build/example ==49016== Memcheck, a memory error detector ==49016== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==49016== Using Valgrind-3.16.1-36d6727e1d-20200622X and LibVEX; rerun with -h for copyright info ==49016== Command: build/example ==49016== --49016-- Valgrind options: --49016----suppressions=.valgrind-suppressions --49016----leak-check=full --49016----track-origins=yes --49016----gen-suppressions=all --49016---v --49016-- Contents of /proc/version: --49016-- Linux version 5.10.0-21-amd64 (debian-ker...@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.162-1 (2023-01-21) --49016-- --49016-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-ssse3-avx-avx2-bmi-f16c-rdrand --49016-- Page sizes: currently 4096, max supported 4096 --49016-- Valgrind library directory: /usr/lib/x86_64-linux-gnu/valgrind --49016-- Reading syms from /home/matthew/Documents/libre-racing/dependencies/bug-reports/osg-uninitialised-variable-usage/build/example --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.31.so --49016-- Considering /usr/lib/debug/.build-id/e2/5570740d590e5cb7b1a20d86332a8d1bb3b65f.debug .. --49016-- .. build-id is valid --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux --49016-- Considering /usr/lib/debug/.build-id/54/299c4aec0e5e5f3d7b8135341351d0e1dbfc64.debug .. --49016-- .. build-id is valid --49016--object doesn't have a dynamic symbol table --49016-- Scheduler: using generic scheduler lock implementation. --49016-- Reading suppressions file: .valgrind-suppressions --49016-- Reading suppressions file: /usr/lib/x86_64-linux-gnu/valgrind/default.supp ==49016== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-49016-by-matthew-on-??? ==49016== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-49016-by-matthew-on-??? ==49016== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-49016-by-matthew-on-??? ==49016== ==49016== TO CONTROL THIS PROCESS USING vgdb (which you probably ==49016== don't want to do, unless you know exactly what you're doing, ==49016== or are doing some strange experiment): ==49016== /usr/bin/vgdb --pid=49016 ...command... ==49016== ==49016== TO DEBUG THIS PROCESS USING GDB: start GDB like this ==49016== /path/to/gdb build/example ==49016== and then give GDB the following command ==49016== target remote | /usr/bin/vgdb --pid=49016 ==49016== --pid is optional if only one valgrind process is running ==49016== --49016-- REDIR: 0x401fa70 (ld-linux-x86-64.so.2:strlen) redirected to 0x580ca5f2 (vgPlain_amd64_linux_REDIR_FOR_strlen) --49016-- REDIR: 0x401f850 (ld-linux-x86-64.so.2:index) redirected to 0x580ca60c (vgPlain_amd64_linux_REDIR_FOR_index) --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_core-amd64-linux.so --49016-- Considering /usr/lib/debug/.build-id/f2/7641e081d3c37b410d7f31da4e2bf21040f356.debug .. --49016-- .. build-id is valid --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so --49016-- Considering /usr/lib/debug/.build-id/25/7cdcdf80e04f91ca9e3b185ee3b52995e89946.debug .. --49016-- .. build-id is valid ==49016== WARNING: new redirection conflicts with existing -- ignoring it --49016-- old: 0x0401fa70 (strlen ) R-> (.0) 0x580ca5f2 vgPlain_amd64_linux_REDIR_FOR_strlen --49016-- new: 0x0401fa70 (strlen ) R-> (2007.0) 0x0483bda0 strlen --49016-- REDIR: 0x401c290 (ld-linux-x86-64.so.2:strcmp) redirected to 0x483cc90 (strcmp) --49016-- REDIR: 0x401ffb0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x4840740 (mempcpy) --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/libosgViewer.so.3.6.5 --49016-- Considering /usr/lib/debug/.build-id/c1/b58ee69597280de8be7efe5df82d4c91a09b1c.debug .. --49016-- .. build-id is valid --49016-- Considering /usr/lib/debug/.dwz/x86_64-linux-gnu/libopenscenegraph161.debug .. --49016-- .. build-id is valid --4901