* [Bug tree-optimization/94187] valgrind error in count_nonzero_bytes ?
From: marxin at gcc dot gnu.org @ 2020-03-16 10:51 UTC
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94187
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |marxin at gcc dot gnu.org
Last reconfirmed| |2020-03-16
Ever confirmed|0 |1
Status|UNCONFIRMED |WAITING
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
I can't confirm that with current master with valgrind.
Similarly -fsanitize=address is also fine.
From: dcb314 at hotmail dot com @ 2020-03-16 11:18 UTC
To: gcc-bugs
--- Comment #2 from David Binderman <dcb314 at hotmail dot com> ---
I checked again and I see this problem in all my valgrind versions of gcc
from date 20200216 onwards. I have no earlier version.
I use the latest development version of valgrind. Latest release
version seems to be 3.15.0
Hardware is AMD 64 bit Piledriver.
From: jakub at gcc dot gnu.org @ 2020-03-16 11:20 UTC
To: gcc-bugs
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jakub at gcc dot gnu.org
Status|WAITING |NEW
--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I can reproduce it.
The bug is obvious. We have exp STRING_CST "", nchars is 1, offset is 0 and
nbytes is 4 (because of the UB in the source code).
  const char *prep = NULL;
  if (TREE_CODE (exp) == STRING_CST)
    {
      unsigned nchars = TREE_STRING_LENGTH (exp);
      if (nchars < offset)
        return false;

      if (!nbytes)
        /* If NBYTES hasn't been determined earlier, either from ADDR_EXPR
           (i.e., it's the size of a pointer), or from MEM_REF (as the size
           of the access), set it here to the size of the string, including
           all internal and trailing nuls if the string has any.  */
        nbytes = nchars - offset;

      prep = TREE_STRING_POINTER (exp) + offset;
    }
...
  /* When either ALLNUL is set and N is zero, also determine
     whether all subsequent bytes after the first one (which
     is nul) are zero or nonzero and clear ALLNUL if not.  */
  for (const char *p = prep; p != prep + nbytes; ++p)
    if (*p)
      {
        *allnul = false;
        break;
      }
Which means we happily read bytes from the "" string beyond the limit.
From: jakub at gcc dot gnu.org @ 2020-03-16 11:28 UTC
To: gcc-bugs
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned at gcc dot gnu.org |jakub at gcc dot gnu.org
Status|NEW |ASSIGNED
--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 48040
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=48040&action=edit
gcc10-pr94187.patch
Untested fix.
* [Bug tree-optimization/94187] [10 Regression] valgrind error in count_nonzero_bytes since r10-2101
From: jakub at gcc dot gnu.org @ 2020-03-16 11:35 UTC
To: gcc-bugs
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |10.0
Summary|valgrind error in count_nonzero_bytes ? |[10 Regression] valgrind error in count_nonzero_bytes since r10-2101
Priority|P3 |P1
--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Started with r10-2101-gb631bdb3c16e85f35d38e39b3d315c35e4a5747c
From: jakub at gcc dot gnu.org @ 2020-03-16 11:40 UTC
To: gcc-bugs
--- Comment #6 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Actually, I'll take the testcase out, since gcc/testsuite/gcc.dg/pr68785.c is
identical except for -O3 instead of -O2, but the bug reproduces also at -O3.
From: dcb314 at hotmail dot com @ 2020-03-16 12:07 UTC
To: gcc-bugs
--- Comment #7 from David Binderman <dcb314 at hotmail dot com> ---
Once a month or so, it might be worthwhile running a valgrind enabled
version of gcc over the C testsuite.
From: dcb314 at hotmail dot com @ 2020-03-16 21:04 UTC
To: gcc-bugs
--- Comment #8 from David Binderman <dcb314 at hotmail dot com> ---
From the testsuite, files ./gcc.dg/Warray-bounds-29.c and
./gcc.dg/Warray-bounds-32.c seem to cause similar problems with
function count_nonzero_bytes, so it might be worthwhile checking
that these two testcases are ok with the proposed patch.
From: marxin at gcc dot gnu.org @ 2020-03-17 8:38 UTC
To: gcc-bugs
--- Comment #9 from Martin Liška <marxin at gcc dot gnu.org> ---
(In reply to David Binderman from comment #7)
> Once a month or so, it might be worthwhile running a valgrind enabled
> version of gcc over the C testsuite.
I run ASAN and UBSAN GCC builds on a weekly basis. But I must confess that I
remove some problematic tests (for those we have PRs).
From: dcb314 at hotmail dot com @ 2020-03-17 8:52 UTC
To: gcc-bugs
--- Comment #10 from David Binderman <dcb314 at hotmail dot com> ---
(In reply to Martin Liška from comment #9)
> (In reply to David Binderman from comment #7)
> > Once a month or so, it might be worthwhile running a valgrind enabled
> > version of gcc over the C testsuite.
>
> I run ASAN and UBSAN GCC build on weekly basis. But I must confess that I
> remove some problematic tests (for those we have a PRs).
So if I run a valgrind enabled gcc trunk over the C, C++ and Fortran
code in the testsuite once a week, then that should match your testing
activity.
There are about 5,800 Fortran source code files, about 16,100 C++
and about 35,800 C source code files. That's a lot.
I'll start with Fortran, then add in C++ then C and see how I get on.
From: cvs-commit at gcc dot gnu.org @ 2020-03-17 9:44 UTC
To: gcc-bugs
--- Comment #11 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:
https://gcc.gnu.org/g:741ff2a263fe0ddc343288331c0047c1a32af8b2
commit r10-7207-g741ff2a263fe0ddc343288331c0047c1a32af8b2
Author: Jakub Jelinek <jakub@redhat.com>
Date: Tue Mar 17 10:43:46 2020 +0100
strlen: Punt on UB reads past end of string literal [PR94187]
The gcc.dg/pr68785.c test which contains:
  int
  foo (void)
  {
    return *(int *) "";
  }
has UB in the program if it is ever called, but causes UB in the compiler
as well as at least in theory non-reproducible code generation.
The problem is that nbytes is in this case 4, prep is the
TREE_STRING_POINTER of a "" string literal with TREE_STRING_LENGTH of 1 and
we do:
  for (const char *p = prep; p != prep + nbytes; ++p)
    if (*p)
      {
        *allnul = false;
        break;
      }
and so read the bytes after the STRING_CST payload, which can be random.
I think we should just punt in this case.
2020-03-17 Jakub Jelinek <jakub@redhat.com>
PR tree-optimization/94187
* tree-ssa-strlen.c (count_nonzero_bytes): Punt if
nchars - offset < nbytes.
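Jakub's diagnosis in comment #3 and the commit message above describe the same over-read: nbytes (4, from the int access) exceeds the one byte left in the "" literal, so the allnul loop walks past the STRING_CST payload. The C model below is added here as an illustration and is not GCC's own code; struct string_cst, overread_bytes and string_cst_allnul are constructed stand-ins that reproduce the arithmetic of the STRING_CST path and show how the `nchars - offset < nbytes` punt keeps the loop inside the literal.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a GCC STRING_CST (constructed for this example): the payload
   bytes and TREE_STRING_LENGTH, which counts the trailing nul. */
struct string_cst {
    const char *payload;
    size_t length;   /* TREE_STRING_LENGTH: includes the trailing nul */
};

/* Before the fix: how many bytes the allnul loop would read past the payload
   for an NBYTES-byte access at OFFSET into a literal of NCHARS bytes (0 means
   the access stays inside the literal). */
size_t overread_bytes(size_t nchars, size_t offset, size_t nbytes)
{
    if (nchars < offset || nbytes <= nchars - offset)
        return 0;
    return nbytes - (nchars - offset);
}

/* Models the fixed STRING_CST path of count_nonzero_bytes. Returns -1 when
   the function punts (offset or access outside the literal), 1 when every
   accessed byte is nul, and 0 otherwise. */
int string_cst_allnul(const struct string_cst *exp, size_t offset, size_t nbytes)
{
    size_t nchars = exp->length;
    if (nchars < offset)
        return -1;
    if (!nbytes)
        nbytes = nchars - offset;          /* whole string, nuls included */
    if (nchars - offset < nbytes)          /* r10-7207: punt on the UB over-read */
        return -1;
    const char *prep = exp->payload + offset;
    for (const char *p = prep; p != prep + nbytes; ++p)
        if (*p)
            return 0;                      /* a nonzero byte: not all nul */
    return 1;
}

int main(void)
{
    struct string_cst empty = { "", 1 };   /* the literal from pr68785.c */
    printf("*(int *)\"\" would over-read %zu bytes; fixed path returns %d\n",
           overread_bytes(empty.length, 0, 4), string_cst_allnul(&empty, 0, 4));
    struct string_cst zeros = { "\0\0\0", 4 };
    printf("4-byte read of \"\\0\\0\\0\": %d\n", string_cst_allnul(&zeros, 0, 4));
    return 0;
}
```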
From: jakub at gcc dot gnu.org @ 2020-03-17 9:54 UTC
To: gcc-bugs
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #12 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Fixed.
From: dcb314 at hotmail dot com @ 2020-03-25 16:08 UTC
To: gcc-bugs
--- Comment #13 from David Binderman <dcb314 at hotmail dot com> ---
(In reply to David Binderman from comment #10)
> There are about 5,800 Fortran source code files, about 16,100 C++
> and about 35,800 C source code files. That's a lot.
>
> I'll start with Fortran, then add in C++ then C and see how I get on.
Fortran has been done, C++ is just about possible, but C
consumes days of processor time.
I've reported all the bugs I found for all three languages,
but I think from now on I'll just do incremental testing i.e.
only test new source code files. Something like
$ find ~/gcc/trunk/gcc/testsuite -name \*.c -newermt <LAST_WEEK> -print |
    sort > file.c.list
$ for i in `cat file.c.list`
  do
    echo $i
    valgrind_C_compiler -c -O3 $i
  done
Not ideal, but about as much as I can achieve until I get access to faster
processors.