GCC strcmp optimizations causing valgrind uninitialized conditional jumps

William Kennington wak at google.com
Wed Jul 4 04:26:55 AEST 2018


Hi,

I've noticed while trying to do some valgrind testing on code linked
against system libraries that have inlined strcmps that valgrind is
unhappy about branches depending on uninitialized memory. I've read
through the generated inline assembly, and it looks like the assembly
will always produce the correct result regardless of the intermediate
compare using uninitialized data. I'm trying to figure out what to do
as next steps since it's non-trivial to suppress this inlined code.

Using the following simple test case which generates the optmizations
using gcc 7.3.0 and gcc 9 devel. This is reproducible using `gcc -O2
-o test test.c` with the following code.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
        char *heap_str = malloc(16);
        strcpy(heap_str, "RandString");
        int res = strcmp("RandString", heap_str) == 0;
        free(heap_str);
        return res;
}

A snippet of the inline assembly causing issues is, valgrind correctly
identifies a branch taken based on uninitialized memory for the first
`bne` in `.L7` since it's reading bytes 8-16 from the 11 byte string:
 # test.c:9:    int res = strcmp("RandString", heap_str) == 0;
        .loc 1 9 12 view .LVU20
        li 8,0           # tmp172,
        cmpb 3,9,10      # tmp169, tmp133, tmp134
        cmpb 8,9,8       # tmp170, tmp133, tmp172
        orc 3,8,3        #, tmp169, tmp170, tmp169
        cntlzd 3,3       # tmp171, tmp169
        addi 3,3,8       # tmp171, tmp171,
        rldcl 9,9,3,56   # tmp171, tmp174, tmp133,
        rldcl 3,10,3,56  # tmp171, tmp176, tmp134,
        subf 3,3,9       # tmp132, tmp176, tmp174
        b .L2            #
.L7:
        addi 9,5,8       # tmp190, tmp126,
        addi 10,30,8     # tmp191, heap_str,
        ldbrx 9,0,9      # tmp133, MEM[(void *)"RandString"]
        ldbrx 10,0,10    # tmp134, MEM[(void *)heap_str_5]
        subf. 3,10,9     # tmp132, tmp134, tmp133
        bne 0,.L4        #
        cmpb 10,9,3      # tmp140, tmp133, tmp132
        cmpdi 7,10,0     #, tmp141, tmp140
        bne 7,.L2

Sample valgrind output looks like:
==63162== Memcheck, a memory error detector
==63162== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==63162== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==63162== Command: ./test
==63162==
==63162== Conditional jump or move depends on uninitialised value(s)
==63162==    at 0x100005D4: main (test.c:9)
==63162==  Uninitialised value was created by a heap allocation
==63162==    at 0x4093F00: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-ppc64le-linux.so)
==63162==    by 0x10000513: main (test.c:7)
==63162==
==63162== Conditional jump or move depends on uninitialised value(s)
==63162==    at 0x100005E0: main (test.c:9)
==63162==  Uninitialised value was created by a heap allocation
==63162==    at 0x4093F00: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-ppc64le-linux.so)
==63162==    by 0x10000513: main (test.c:7)
==63162==
==63162== Syscall param exit_group(status) contains uninitialised byte(s)
==63162==    at 0x41E8C2C: _Exit (_exit.c:31)
==63162==    by 0x4132C67: __run_exit_handlers (exit.c:132)
==63162==    by 0x4104423: generic_start_main.isra.0 (libc-start.c:344)
==63162==    by 0x4104617: (below main) (libc-start.c:116)
==63162==  Uninitialised value was created by a heap allocation
==63162==    at 0x4093F00: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-ppc64le-linux.so)
==63162==    by 0x10000513: main (test.c:7)
==63162==
==63162==
==63162== HEAP SUMMARY:
==63162==     in use at exit: 0 bytes in 0 blocks
==63162==   total heap usage: 1 allocs, 1 frees, 16 bytes allocated
==63162==
==63162== All heap blocks were freed -- no leaks are possible
==63162==
==63162== For counts of detected and suppressed errors, rerun with: -v
==63162== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

Any ideas on how to workaround / fix this?

Best,
William


More information about the Linuxppc-dev mailing list