You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I'm currently scanning the Geant4-based toolkit GATE using the memory checker Valgrind (see OpenGATE/Gate#480, OpenGATE/opengate#8). This brought up several Conditional jump or move depends on uninitialised value(s) messages like this one.
The expected result of the Valgrind scan is that no such messages come up:
If a message is a true positive, this could introduce undefined (e.g., non-deterministic) behaviour.
If a message is a false positive, it draws attention from true positives.
What is wrong here?
This is a known false positive in zlib. A buffer allocated here is not initialized when this do-while loop modifies it using the ?: operator, and that's what Valgrind reports. As the modification just applies a function m->(m>=wsize ? m-wsize : 0) to each element of the buffer, this is not dangerous - undefined elements will remain undefined, but that's it.
Therefore, the valgrind message for this known zlib trickyness is usually suppressed; e.g. on my system, /usr/libexec/valgrind/default.supp contains these lines. The suppression mechanism recognizes the false positive by the combination of the function name slide_hash and the library path /*lib*/libz.so.1.2.*. As the library is named libG4zlib.so in Geant4, the false positive is not recognized.
Proposed changes
Patch zlib to initialize the buffer with zeros, as in the Chromium patch that is referenced below.
versions 1.2.4 and later was changed to not stimulate these checkers
I'm not sure if this is correct. As soon as I build and link the current zlib-1.2.11 shared object with a different file name and soname (in a minimal example), the valgrind message shows up.
Thanks for the info, and for fixing the problem upstream! To sum up the approach taken there: A no_sanitize("memory") attribute was added in a separate PR, in order to disable uninitialized-memory checks in the slide_hash function. Compared to the solutions cited above and applied here, this alternative solution has zero overhead (I presume). According to my tests with a minimal example memorybug.cpp.txt, it works for the Clang memory sanitizer. For Valgrind, a client request macro like VALGRIND_MAKE_MEM_DEFINED would need to be added, introducing a dependency on the Valgrind headers.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
I'm currently scanning the Geant4-based toolkit GATE using the memory checker Valgrind (see OpenGATE/Gate#480, OpenGATE/opengate#8). This brought up several Conditional jump or move depends on uninitialised value(s) messages like this one.
The expected result of the Valgrind scan is that no such messages come up:
What is wrong here?
This is a known false positive in zlib. A buffer allocated here is not initialized when this do-while loop modifies it using the
?:operator, and that's what Valgrind reports. As the modification just applies a functionm->(m>=wsize ? m-wsize : 0)to each element of the buffer, this is not dangerous - undefined elements will remain undefined, but that's it.Therefore, the valgrind message for this known zlib trickyness is usually suppressed; e.g. on my system,
/usr/libexec/valgrind/default.suppcontains these lines. The suppression mechanism recognizes the false positive by the combination of the function nameslide_hashand the library path/*lib*/libz.so.1.2.*. As the library is namedlibG4zlib.soin Geant4, the false positive is not recognized.Proposed changes
Patch zlib to initialize the buffer with zeros, as in the Chromium patch that is referenced below.
Related work
The zlib FAQ say that
I'm not sure if this is correct. As soon as I build and link the current zlib-1.2.11 shared object with a different file name and soname (in a minimal example), the valgrind message shows up.
There is already an upstream PR oss-fuzz/11360: clear out s->prev buffer to avoid undefined behavior madler/zlib#393, however without activity for the last two years.
As stated in that PR, Chromium uses a modified version of zlib and one of their patches addresses this issue.
Additional checks
Note that the Geant4 zlib in
source/externals/zlibdiffers from the original zlib-1.2.11 (sources) in various ways:srcandincludedirectorygzread.candgzwrite.cwere modified even more.When I replaced the modified files with the original ones, the
libG4zlib.socould still be compiled and linked and the error message remained.