public inbox for glibc-bugs@sourceware.org
* [Bug string/29234] New: Bug in rawmemchr-avx2 can return incorrect result
@ 2022-06-08 19:33 goldstein.w.n at gmail dot com
  2022-06-08 19:53 ` [Bug string/29234] " goldstein.w.n at gmail dot com
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: goldstein.w.n at gmail dot com @ 2022-06-08 19:33 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29234

            Bug ID: 29234
           Summary: Bug in rawmemchr-avx2 can return incorrect result
           Product: glibc
           Version: 2.36
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: goldstein.w.n at gmail dot com
  Target Milestone: ---

commit 6dcbb7d95dded20153b12d76d2f4e0ef0cda4f35
Author: Noah Goldstein <goldstein.w.n@gmail.com>
Date:   Mon Jun 6 21:11:33 2022 -0700

    x86: Shrink code size of memchr-avx2.S


Added a bug to rawmemchr which returns the incorrect result if the pointer is
near the end of a page, there are out of range matches right before the
beginning of pointer, and there is no match between pointer and the end of the
page.

I.e.

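```
#include <assert.h>
#include <string.h>
#include <sys/mman.h>

/* Implementation under test named in this report; the prototype is
   assumed to match rawmemchr. */
void *rawmemchr_avx2_dev(const void *s, int c);

void
bad_rawmemchr(void) {
    char * buf = mmap(0, 8192, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    assert(buf != MAP_FAILED);
    memset(buf, -1, 8192);

    /* Start 8 bytes before the end of the first page. */
    char * ptr_start = buf + 4096 - 8;

    /* Out of range matches. */
    memset(ptr_start - 8, 0x1, 8);

    /* Only in-range match, past the page boundary. */
    ptr_start[32] = 0x1;

    /* Fails. */
    assert(rawmemchr_avx2_dev(ptr_start, 0x1) == ptr_start + 32);
}
```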

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug string/29234] Bug in rawmemchr-avx2 can return incorrect result
  2022-06-08 19:33 [Bug string/29234] New: Bug in rawmemchr-avx2 can return incorrect result goldstein.w.n at gmail dot com
@ 2022-06-08 19:53 ` goldstein.w.n at gmail dot com
  2022-06-08 20:10 ` goldstein.w.n at gmail dot com
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: goldstein.w.n at gmail dot com @ 2022-06-08 19:53 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29234

--- Comment #1 from Noah Goldstein <goldstein.w.n at gmail dot com> ---
Created attachment 14138
  --> https://sourceware.org/bugzilla/attachment.cgi?id=14138&action=edit
Fix + Tests

Patch with fix/tests. Testing right now.


* [Bug string/29234] Bug in rawmemchr-avx2 can return incorrect result
  2022-06-08 19:33 [Bug string/29234] New: Bug in rawmemchr-avx2 can return incorrect result goldstein.w.n at gmail dot com
  2022-06-08 19:53 ` [Bug string/29234] " goldstein.w.n at gmail dot com
@ 2022-06-08 20:10 ` goldstein.w.n at gmail dot com
  2023-11-02 16:22 ` carlos at redhat dot com
  2023-11-02 18:16 ` goldstein.w.n at gmail dot com
  3 siblings, 0 replies; 5+ messages in thread
From: goldstein.w.n at gmail dot com @ 2022-06-08 20:10 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29234

--- Comment #2 from Noah Goldstein <goldstein.w.n at gmail dot com> ---
(In reply to Noah Goldstein from comment #1)
> Created attachment 14138 [details]
> Fix + Tests
> 
> Patch with fix/tests. Testing right now.

There are some build issues with the attached patch (in the added tests). Patch
posted on mailing list should be used.


* [Bug string/29234] Bug in rawmemchr-avx2 can return incorrect result
  2022-06-08 19:33 [Bug string/29234] New: Bug in rawmemchr-avx2 can return incorrect result goldstein.w.n at gmail dot com
  2022-06-08 19:53 ` [Bug string/29234] " goldstein.w.n at gmail dot com
  2022-06-08 20:10 ` goldstein.w.n at gmail dot com
@ 2023-11-02 16:22 ` carlos at redhat dot com
  2023-11-02 18:16 ` goldstein.w.n at gmail dot com
  3 siblings, 0 replies; 5+ messages in thread
From: carlos at redhat dot com @ 2023-11-02 16:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29234

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.36
         Resolution|---                         |FIXED
                 CC|                            |carlos at redhat dot com
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from Carlos O'Donell <carlos at redhat dot com> ---
Fixed already.

commit 2c9af8421d2b4a7fcce163e7bc81a118d22fd346
Author: Noah Goldstein <goldstein.w.n@gmail.com>
Date:   Wed Jun 8 14:34:59 2022 -0700

    x86: Fix page cross case in rawmemchr-avx2 [BZ #29234]

    commit 6dcbb7d95dded20153b12d76d2f4e0ef0cda4f35
    Author: Noah Goldstein <goldstein.w.n@gmail.com>
    Date:   Mon Jun 6 21:11:33 2022 -0700

        x86: Shrink code size of memchr-avx2.S

    Changed how the page cross case aligned string (rdi) in
    rawmemchr. This was incompatible with how
    `L(cross_page_continue)` expected the pointer to be aligned and
    would cause rawmemchr to read data that started before the
    beginning of the string. What it would read was in valid memory
    but could count CHAR matches resulting in an incorrect return
    value.

    This commit fixes that issue by essentially reverting the changes to
    the L(page_cross) case as they didn't really matter.

    Test cases added and all pass with the new code (and were confirmed
    to fail with the old code).
    Reviewed-by: H.J. Lu <hjl.tools@gmail.com>

^ permalink raw reply	[flat|nested] 5+ messages in thread
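The failure class described in the commit message above, as an added example that is neither glibc's code nor the reporter's test: a scalar model of a search that starts from the aligned block containing the pointer, checked against a byte-wise reference for every unaligned start in the last 32 bytes of a page (the report shows one such offset). The names `model_rawmemchr`, `model_fixed`, `model_buggy` and `count_page_cross_mismatches` are hypothetical, and the static page-aligned buffer is constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE 4096
#define VEC  32                 /* AVX2 vector width in bytes */
typedef void *(*rawmemchr_fn)(const void *, int);

/* Byte-at-a-time reference: never inspects anything before s. */
static void *ref_rawmemchr(const void *s, int c) {
    const unsigned char *p = s;
    while (*p != (unsigned char)c) p++;
    return (void *)p;
}

/* Scalar model (an assumption, not glibc's code): search from the VEC-aligned
   block holding s. keep_prefix != 0 keeps matches that lie before s. */
static void *model_rawmemchr(const void *s, int c, int keep_prefix) {
    const unsigned char *blk =
        (const unsigned char *)((uintptr_t)s & ~(uintptr_t)(VEC - 1));
    const unsigned char *lo = keep_prefix ? blk : (const unsigned char *)s;
    for (;; blk += VEC)
        for (int i = 0; i < VEC; i++)
            if (blk + i >= lo && blk[i] == (unsigned char)c)
                return (void *)(blk + i);
}
static void *model_fixed(const void *s, int c) { return model_rawmemchr(s, c, 0); }
static void *model_buggy(const void *s, int c) { return model_rawmemchr(s, c, 1); }

/* Constructed input: two page-aligned pages, filled as in the report. */
static _Alignas(PAGE) unsigned char buf[2 * PAGE];

/* For each unaligned start in the last VEC bytes of page one: decoys right
   before s, the only real match at s + 32. Returns the mismatch count. */
static int count_page_cross_mismatches(rawmemchr_fn fn) {
    int bad = 0;
    for (int back = 1; back < VEC; back++) {
        unsigned char *s = buf + PAGE - back;
        memset(buf, 0xff, sizeof buf);
        memset(s - 8, 0x1, 8);  /* out-of-range matches before s */
        s[32] = 0x1;            /* first match at or after s */
        bad += fn(s, 0x1) != ref_rawmemchr(s, 0x1);
    }
    return bad;
}

int main(void) {
    int b = count_page_cross_mismatches(model_buggy);
    printf("buggy: %d, fixed: %d\n", b, count_page_cross_mismatches(model_fixed));
    return 0;
}
```

Any function with rawmemchr's signature can be passed to `count_page_cross_mismatches`; an implementation that discards pre-pointer matches yields 0.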

* [Bug string/29234] Bug in rawmemchr-avx2 can return incorrect result
  2022-06-08 19:33 [Bug string/29234] New: Bug in rawmemchr-avx2 can return incorrect result goldstein.w.n at gmail dot com
                   ` (2 preceding siblings ...)
  2023-11-02 16:22 ` carlos at redhat dot com
@ 2023-11-02 18:16 ` goldstein.w.n at gmail dot com
  3 siblings, 0 replies; 5+ messages in thread
From: goldstein.w.n at gmail dot com @ 2023-11-02 18:16 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29234

--- Comment #4 from Noah Goldstein <goldstein.w.n at gmail dot com> ---
you spooked me :)



