[valgrind] [Bug 466884] Missing writev uninit padding suppression for _XSend
https://bugs.kde.org/show_bug.cgi?id=466884
--- Comment #3 from Matthew Fennell
---
(In reply to Paul Floyd from comment #1)
> Can you find the source in xcb that is causing this?
I'll do my best :) To be honest - I'm not at all familiar with how these
libraries interact, so forgive me if this description is not very good. But,
here goes:
I made a more minimal example that does not require openscenegraph. Here is the
backtrace of the bug:
#0 __GI___writev (fd=3, iov=0x7fffdbf0, iovcnt=3) at
../sysdeps/unix/sysv/linux/writev.c:26
#1 0x77c38fb9 in write_vec (count=0x7fffdb8c,
vector=0x7fffdb90, c=0xc430) at ../../src/xcb_conn.c:277
#2 _xcb_conn_wait (c=c@entry=0xc430, cond=cond@entry=0xd560,
vector=vector@entry=0x7fffdb90, count=count@entry=0x7fffdb8c) at
../../src/xcb_conn.c:523
#3 0x77c39381 in _xcb_out_send (count=,
vector=, c=0xc430) at ../../src/xcb_out.c:464
#4 xcb_writev (c=c@entry=0xc430, vector=vector@entry=0x7fffdbf0,
count=-9332, count@entry=3, requests=requests@entry=8) at
../../src/xcb_out.c:412
#5 0x77ea3eae in _XSend (dpy=0x9d80, data=0x7fffdc20
"8\004", data@entry=0x0, size=size@entry=0) at ../../src/xcb_io.c:578
#6 0x77ea447c in _XReply (dpy=dpy@entry=0x9d80,
rep=rep@entry=0x7fffdcf0, extra=extra@entry=0, discard=discard@entry=1) at
../../src/xcb_io.c:670
#7 0x77e8eac4 in XInternAtom (dpy=0x9d80, name=0x603f
"_MOTIF_WM_HINTS", onlyIfExists=0) at ../../src/IntAtom.c:182
#8 0x55cb in main () at
/home/matthew/Documents/libre-racing/dependencies/bug-reports/x11-uninitialised-variable-usage/example.cpp:70
Frame 8:
The bug is triggered by a call to XInternAtom(display, "_MOTIF_WM_HINTS", 0);
This call on its own does not cause any reports - it relies on the previous
lines.
Frame 7 (libX11):
libX11 has a Display struct which contains a char * dpy->buffer. It also has
another char * dpy->bufptr, which starts set to the same position as
dpy->buffer, but expands and shrinks throughout the lifetime of the program.
In the call to XInternAtom, libX11 passes dpy to xcb.
Frame 5 (xcb):
xcb creates the struct iovec * like so:
vec[0].iov_base = dpy->buffer
vec[0].iov_len = dpy->bufptr - dpy->buffer
There is also vec[1], and vec[2], but they both have iov_len values of 0.
At this point:
dpy->buffer: "\001\030\f"
dpy->bufptr: ""
dpy->bufptr - dpy->buffer = 296
Frames #4-0:
This iovec * is passed down to the writev call without modification.
Then, on the writev call, valgrind reports:
==21464== Syscall param writev(vector[...]) points to uninitialised byte(s)
==21464==at 0x4AD770D: __writev (writev.c:26)
==21464==by 0x4AD770D: writev (writev.c:24)
==21464==by 0x4BC6FB8: write_vec (xcb_conn.c:277)
==21464==by 0x4BC6FB8: _xcb_conn_wait (xcb_conn.c:523)
==21464==by 0x4BC7380: _xcb_out_send (xcb_out.c:464)
==21464==by 0x4BC7380: xcb_writev (xcb_out.c:412)
==21464==by 0x48B1EAD: _XSend (xcb_io.c:578)
==21464==by 0x48B247B: _XReply (xcb_io.c:670)
==21464==by 0x489CAC3: XInternAtom (IntAtom.c:182)
==21464==by 0x1095CA: main (example.cpp:70)
==21464== Address 0x4ee5738 is 264 bytes inside a block of size 16,384 alloc'd
==21464==at 0x483AB65: calloc (vg_replace_malloc.c:760)
==21464==by 0x48A1D79: XOpenDisplay (OpenDis.c:240)
==21464==by 0x10920B: main (example.cpp:5)
==21464== Uninitialised value was created by a stack allocation
==21464==at 0x109207: main (example.cpp:5)
==21464==
{
Memcheck:Param
writev(vector[...])
fun:__writev
fun:writev
fun:write_vec
fun:_xcb_conn_wait
fun:_xcb_out_send
fun:xcb_writev
fun:_XSend
fun:_XReply
fun:XInternAtom
fun:main
}
I believe the error is ultimately caused by 296 (iov_len = dpy->bufptr -
dpy->buffer) > 264 (amount of initialised memory in dpy->buffer).
However, unfortunately, I don't know enough about X11 to understand why this is
happening, or if it's expected. Nevertheless, I hope this helps a little.
Let me know if you'd like me to do more research or there's some other info
that would help. I initially reported here since I noticed the almost identical
suppressions, but I'm certainly open to the suggestion that this is a real bug
in X. I just don't know enough to know how to tell for sure :)
--
You are receiving this mail because:
You are watching all bug changes.
[valgrind] [Bug 466884] Missing writev uninit padding suppression for _XSend
https://bugs.kde.org/show_bug.cgi?id=466884 --- Comment #2 from Matthew Fennell --- Created attachment 157026 --> https://bugs.kde.org/attachment.cgi?id=157026&action=edit Minimal example without openscenegraph dependency -- You are receiving this mail because: You are watching all bug changes.
[valgrind] [Bug 466884] New: Missing writev uninit padding suppression for _XSend
https://bugs.kde.org/show_bug.cgi?id=466884 Bug ID: 466884 Summary: Missing writev uninit padding suppression for _XSend Classification: Developer tools Product: valgrind Version: 3.16.1 Platform: unspecified OS: Linux Status: REPORTED Severity: wishlist Priority: NOR Component: memcheck Assignee: jsew...@acm.org Reporter: matthew.robert.fennell+bugzi...@gmail.com Target Milestone: --- Created attachment 157011 --> https://bugs.kde.org/attachment.cgi?id=157011&action=edit A minimal example making use of openscenegraph to reproduce the error $ uname -a Linux matthew-laptop 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux $ valgrind --suppressions=.valgrind-suppressions --leak-check=full --track-origins=yes --gen-suppressions=all -v build/example ==49016== Memcheck, a memory error detector ==49016== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==49016== Using Valgrind-3.16.1-36d6727e1d-20200622X and LibVEX; rerun with -h for copyright info ==49016== Command: build/example ==49016== --49016-- Valgrind options: --49016----suppressions=.valgrind-suppressions --49016----leak-check=full --49016----track-origins=yes --49016----gen-suppressions=all --49016---v --49016-- Contents of /proc/version: --49016-- Linux version 5.10.0-21-amd64 (debian-ker...@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.162-1 (2023-01-21) --49016-- --49016-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-ssse3-avx-avx2-bmi-f16c-rdrand --49016-- Page sizes: currently 4096, max supported 4096 --49016-- Valgrind library directory: /usr/lib/x86_64-linux-gnu/valgrind --49016-- Reading syms from /home/matthew/Documents/libre-racing/dependencies/bug-reports/osg-uninitialised-variable-usage/build/example --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.31.so --49016-- Considering /usr/lib/debug/.build-id/e2/5570740d590e5cb7b1a20d86332a8d1bb3b65f.debug .. --49016-- .. build-id is valid --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/memcheck-amd64-linux --49016-- Considering /usr/lib/debug/.build-id/54/299c4aec0e5e5f3d7b8135341351d0e1dbfc64.debug .. --49016-- .. build-id is valid --49016--object doesn't have a dynamic symbol table --49016-- Scheduler: using generic scheduler lock implementation. --49016-- Reading suppressions file: .valgrind-suppressions --49016-- Reading suppressions file: /usr/lib/x86_64-linux-gnu/valgrind/default.supp ==49016== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-49016-by-matthew-on-??? ==49016== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-49016-by-matthew-on-??? ==49016== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-49016-by-matthew-on-??? ==49016== ==49016== TO CONTROL THIS PROCESS USING vgdb (which you probably ==49016== don't want to do, unless you know exactly what you're doing, ==49016== or are doing some strange experiment): ==49016== /usr/bin/vgdb --pid=49016 ...command... ==49016== ==49016== TO DEBUG THIS PROCESS USING GDB: start GDB like this ==49016== /path/to/gdb build/example ==49016== and then give GDB the following command ==49016== target remote | /usr/bin/vgdb --pid=49016 ==49016== --pid is optional if only one valgrind process is running ==49016== --49016-- REDIR: 0x401fa70 (ld-linux-x86-64.so.2:strlen) redirected to 0x580ca5f2 (vgPlain_amd64_linux_REDIR_FOR_strlen) --49016-- REDIR: 0x401f850 (ld-linux-x86-64.so.2:index) redirected to 0x580ca60c (vgPlain_amd64_linux_REDIR_FOR_index) --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_core-amd64-linux.so --49016-- Considering /usr/lib/debug/.build-id/f2/7641e081d3c37b410d7f31da4e2bf21040f356.debug .. --49016-- .. build-id is valid --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so --49016-- Considering /usr/lib/debug/.build-id/25/7cdcdf80e04f91ca9e3b185ee3b52995e89946.debug .. --49016-- .. build-id is valid ==49016== WARNING: new redirection conflicts with existing -- ignoring it --49016-- old: 0x0401fa70 (strlen ) R-> (.0) 0x580ca5f2 vgPlain_amd64_linux_REDIR_FOR_strlen --49016-- new: 0x0401fa70 (strlen ) R-> (2007.0) 0x0483bda0 strlen --49016-- REDIR: 0x401c290 (ld-linux-x86-64.so.2:strcmp) redirected to 0x483cc90 (strcmp) --49016-- REDIR: 0x401ffb0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x4840740 (mempcpy) --49016-- Reading syms from /usr/lib/x86_64-linux-gnu/libosgViewer.so.3.6.5 --49016-- Considering /usr/lib/debug/.build-id/c1/b58ee69597280de8be7efe5df82d4c91a09b1c.debug .. --49016-- .. build-id is valid --49016-- Considering /usr/lib/debug/.dwz/x86_64-linux-gnu/libopenscenegraph161.debug .. --49016-- .. build-id is valid --4901
