MemorySanitizer: use-of-uninitialized-value

[xTachyon]

This code:

#include <cstdio>
#include <fmt/color.h>
#include <fmt/format.h>

int main() {
    printf("a");
    fmt::print(fmt::fg({}), "b");
}

Platform: Ubuntu 24.04.3
Compiler: Ubuntu clang version 21.1.5 (++20251023083335+45afac62e373-1exp120251023083454.54)

Compiled and ran with memory sanitizer on the latest fmt master produces the following:

Uninitialized bytes in memchr at offset 0 inside [0x718000000000, 2)
==1877268==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x59bbcbe3000f in fmt::v12::detail::glibc_file<_IO_FILE>::needs_flush() const .../fmt/include/fmt/format-inl.h:1552:12
    #1 0x59bbcbcfd4de in fmt::v12::detail::file_print_buffer<_IO_FILE, void>::~file_print_buffer() .../fmt/include/fmt/format-inl.h:1687:24
    #2 0x59bbcbcf0491 in fmt::v12::vprint(_IO_FILE*, fmt::v12::basic_string_view<char>, fmt::v12::basic_format_args<fmt::v12::context>) .../fmt/include/fmt/format-inl.h:1742:1
    #3 0x59bbcbcdd0c8 in void fmt::v12::print<fmt::v12::basic_string_view<char>>(_IO_FILE*, fmt::v12::fstring<fmt::v12::basic_string_view<char>>::t, fmt::v12::basic_string_view<char>&&) .../fmt/include/fmt/base.h:2982:39
    #4 0x59bbcbcdb9b8 in fmt::v12::vprint(_IO_FILE*, fmt::v12::text_style, fmt::v12::basic_string_view<char>, fmt::v12::basic_format_args<fmt::v12::context>) .../fmt/include/fmt/color.h:500:3
    #5 0x59bbcbcdac96 in void fmt::v12::print<>(_IO_FILE*, fmt::v12::text_style, fmt::v12::fstring<>::t) .../fmt/include/fmt/color.h:514:3
    #6 0x59bbcbcda03c in void fmt::v12::print<>(fmt::v12::text_style, fmt::v12::fstring<>::t) .../fmt/include/fmt/color.h:528:10
    #7 0x59bbcbcd9c73 in main .../tmp/cmake_test/the_bin/main.cpp:7:5
    #8 0x7ae21ee2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7ae21ee2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x59bbcbc3b574 in _start (.../tmp/cmake_test/build/the_bin/the_bin+0x34574) (BuildId: eb41b054cafd37969ac772da3dfac73234bb46c7)

  Uninitialized value was created by a heap allocation
    #0 0x59bbcbc7a566 in malloc (.../tmp/cmake_test/build/the_bin/the_bin+0x73566) (BuildId: eb41b054cafd37969ac772da3dfac73234bb46c7)
    #1 0x7ae21ee851b4 in _IO_file_doallocate libio/filedoalloc.c:101:7
    #2 0x7ae21ee95523 in _IO_doallocbuf libio/genops.c:347:9
    #3 0x7ae21ee92f8f in _IO_file_overflow libio/fileops.c:745:4
    #4 0x7ae21ee93aae in _IO_new_file_xsputn libio/fileops.c:1244:11
    #5 0x7ae21ee93aae in _IO_file_xsputn libio/fileops.c:1197:1
    #6 0x7ae21ee60cc8 in __printf_buffer_flush_to_file stdio-common/printf_buffer_to_file.c:59:20
    #7 0x7ae21ee60cc8 in __printf_buffer_to_file_done stdio-common/printf_buffer_to_file.c:120:3
    #8 0x7ae21ee6b742 in __vfprintf_internal stdio-common/vfprintf-internal.c:1545:14
    #9 0x59bbcbc84cc7 in vprintf (.../tmp/cmake_test/build/the_bin/the_bin+0x7dcc7) (BuildId: eb41b054cafd37969ac772da3dfac73234bb46c7)

SUMMARY: MemorySanitizer: use-of-uninitialized-value .../fmt/include/fmt/format-inl.h:1552:12 in fmt::v12::detail::glibc_file<_IO_FILE>::needs_flush() const
Exiting

[xTachyon]

Minimized code further:

#include <cstdio>
#include <fmt/format.h>

int main() {
    printf("a");
    fmt::print("b");
}

[sunmy2019]

This bug report is most likely a false alarm.

The memory read is initialized inside glibc.
https://github.com/bminor/glibc/blob/c7d699b55b4e2f5644495a156b0d778105a5e4e3/libio/fileops.c#L815

• This glibc code is not instrumented by msan. (because glibc is not compiled with msan).
• The intercepted printf call did not handle this. You can check there's no special handle for vprintf here.
  https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
• MSan did not handle printf buffer. You can check there's no unpoison for vprintf here.
  https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/msan/msan_interceptors.cpp

You might report a bug to LLVM.

[sunmy2019]

I confirmed it is a false alarm.

I wrote a program to output MSan internal state. https://godbolt.org/z/nrnnPTbYP

As demonstrated in the picture, memory initialized by printf is not correctly set in MSan. A patch should be sent there.

Another copy if godbolt is unavailable

// compiled with clang++-20 -fsanitize=memory
#define FMT_HEADER_ONLY
#include <fmt/format.h>

// taken from MSan source
#define LINEARIZE_MEM(mem) \
  (((unsigned long long)(mem) & ~0xc00000000000ULL) ^ 0x200000000000ULL)
#define MEM_TO_SHADOW(mem) (LINEARIZE_MEM((mem)) + 0x100000000000ULL)

// Configure MSan to continue execution after detecting errors
extern "C" auto __msan_default_options() -> const char* {
  return "halt_on_error=0";
}

void check_msan_shadow() __attribute__((no_sanitize("memory"))) {
  const char* buffer_start = stdout->_IO_write_base;
  const char* buffer_end = stdout->_IO_write_ptr;

  fprintf(stderr, "\nChecking MSan shadow memory from %p to %p\n", buffer_start,
          buffer_end);

  for (const char* p = buffer_start; p < buffer_end; ++p) {
    auto shadow_byte = *(unsigned char*)MEM_TO_SHADOW(p);
    fprintf(stderr, "mem: %p val: %c, MSAN state: %s\n", p, *p,
            (shadow_byte == 0) ? "initialized" : "uninitialized");
  }

  fprintf(stderr, "MSan shadow memory check done\n\n");
}

/**
 * This test demonstrates a difference in MSan initialization behavior between
 * printf() and fmt::print():
 *
 * - printf("ab") writes to stdout buffer but MSan marks the bytes as
 * uninitialized
 * - fmt::print("cd") writes to stdout buffer and MSan correctly marks them as
 * initialized
 *
 * This helps diagnose potential MSan false positives or uninitialized memory
 * issues.
 */
int main() {
  // Check 1: Initial state (empty buffer)
  check_msan_shadow();
  // Expected: Buffer is empty (nil to nil)

  // Write using standard printf
  printf("ab");

  // Check 2: After printf - bytes marked as uninitialized
  check_msan_shadow();
  // Expected: 2 bytes written, but MSan shows them as uninitialized

  // Write using fmt::print
  fmt::print("cd");

  // Check 3: After fmt::print - bytes marked as initialized
  check_msan_shadow();
  // Expected: 4 bytes total, last 2 (from fmt::print) are initialized
}

[vitaut]

Thank you for the detailed analysis, @sunmy2019! Closing now.

[xTachyon]

Thank you for taking the time to investigate this. I suspected myself that it's not the fault of fmt in this case, but it's some missing sanitizer implementation, because the memory looked good.

However, I believe this is still an issue. Yes, fmt is right in what it's doing, but at the end of the day, this lib makes any project that uses it not being able to use Memory Sanitizer, which is an invaluable tool for finding memory problems. The fix would be better in LLVM, but until they get to it, could this lib provide a way to still be able to use MSan?

For a similar precedent, re2 for instance has a flag RE2_ON_VALGRIND (and a special impl for sanitizers that I just noticed) in order to support this usecase.

Thank you again for all the work.

[sunmy2019]

Could this lib provide a way to still be able to use MSan?

We can patch it as they do in MSan. If someone is interested, he can raise a PR.
Apple file can be patched in the same way, but I don't know if it is affected.

diff --git a/include/fmt/format-inl.h b/include/fmt/format-inl.h
index 945cb912..15f5de18 100644
--- a/include/fmt/format-inl.h
+++ b/include/fmt/format-inl.h
@@ -30,6 +30,15 @@
 #  define FMT_FUNC
 #endif
 
+#if defined (__has_feature)
+#  if __has_feature(memory_sanitizer)
+#    include <sanitizer/msan_interface.h>
+#    define FMT_MEMORY_SANITIZER 1
+#  else
+#    define FMT_MEMORY_SANITIZER 0
+#  endif
+#endif
+
 FMT_BEGIN_NAMESPACE
 
 #ifndef FMT_CUSTOM_ASSERT_FAIL
@@ -1549,6 +1558,10 @@ template <typename F> class glibc_file : public file_base<F> {
     if ((this->file_->_flags & line_buffered) == 0) return false;
     char* end = this->file_->_IO_write_end;
     auto size = max_of<ptrdiff_t>(this->file_->_IO_write_ptr - end, 0);
+#if FMT_MEMORY_SANITIZER
+    // Workaround for MSan false positive.
+    __msan_unpoison(end, static_cast<size_t>(size));
+#endif
     return memchr(end, '\n', static_cast<size_t>(size));
   }
 

Now it passed.

Checking MSan shadow memory from (nil) to (nil)
MSan shadow memory check done


Checking MSan shadow memory from 0x718000000000 to 0x718000000002
mem: 0x718000000000 val: a, MSAN state: uninitialized
mem: 0x718000000001 val: b, MSAN state: uninitialized
MSan shadow memory check done


Checking MSan shadow memory from 0x718000000000 to 0x718000000004
mem: 0x718000000000 val: a, MSAN state: initialized
mem: 0x718000000001 val: b, MSAN state: initialized
mem: 0x718000000002 val: c, MSAN state: initialized
mem: 0x718000000003 val: d, MSAN state: initialized
MSan shadow memory check done

[xTachyon]

MSan doesn't work on Apple platforms, so it's probably fine.

I'll try the patch and come back. Thank you.