The following code reliably results in invalid reads when running under valgrind. This is with glibc 2.38 from Fedora 39. Whether an invalid read happens or not seems to depend on the alignment of the input buffer or something else that I couldn't figure out completely yet. In the code below it always happens on the last call, i.e. with the second malloc'd buffer. It seems like __wcpncpy_avx2() wrongly assumes under certain conditions that at least 32 bytes (i.e. one AVX register) of input data is available. -------- #include <stdio.h> #include <stdlib.h> #include <string.h> #include <wchar.h> int main() { const wchar_t in[] = {L'a', L'b', L'c', 0}; wchar_t out[3+1] = {0, }; printf("%p %p\n", in, out); size_t res = wcsxfrm(out, in, 3); printf("%lu\n", res); wchar_t *in2 = malloc(sizeof(wchar_t) * 4); memcpy(in2, in, sizeof(in)); printf("%p %p\n", in2, out); res = wcsxfrm(out, in2, 3); printf("%lu\n", res); free(in2); wchar_t *in3 = malloc(sizeof(wchar_t) * 4); memcpy(in3, in, sizeof(in)); printf("%p %p\n", in3, out); res = wcsxfrm(out, in3, 3); printf("%lu\n", res); free(in3); } -------- ==139735== Memcheck, a memory error detector ==139735== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. ==139735== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info ==139735== Command: ./test ==139735== 0x1fff000330 0x1fff000320 3 0x4a5c480 0x1fff000320 3 0x4a5c4d0 0x1fff000320 ==139735== Invalid read of size 32 ==139735== at 0x49DAA2E: __wcpncpy_avx2 (strncpy-avx2.S:85) ==139735== by 0x493C560: wcsxfrm_l (strxfrm_l.c:679) ==139735== by 0x4012A1: main (in /home/slomo/tmp/test/test) ==139735== Address 0x4a5c4d0 is 0 bytes inside a block of size 16 alloc'd ==139735== at 0x484280F: malloc (vg_replace_malloc.c:442) ==139735== by 0x401258: main (in /home/slomo/tmp/test/test) ==139735== 3 ==139735== ==139735== HEAP SUMMARY: ==139735== in use at exit: 0 bytes in 0 blocks ==139735== total heap usage: 3 allocs, 3 frees, 1,056 bytes allocated ==139735== ==139735== All heap blocks were freed -- no leaks are possible ==139735== ==139735== For lists of detected and suppressed errors, rerun with: -s ==139735== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
(In reply to Sebastian Dröge from comment #0) > ==139735== Invalid read of size 32 > ==139735== at 0x49DAA2E: __wcpncpy_avx2 (strncpy-avx2.S:85) > ==139735== by 0x493C560: wcsxfrm_l (strxfrm_l.c:679) > ==139735== by 0x4012A1: main (in /home/slomo/tmp/test/test) > ==139735== Address 0x4a5c4d0 is 0 bytes inside a block of size 16 alloc'd > ==139735== at 0x484280F: malloc (vg_replace_malloc.c:442) > ==139735== by 0x401258: main (in /home/slomo/tmp/test/test) > ==139735== This read does not case a page boundary, so overreading is harmless here. This seems more like a valgrind limitation.
Please report that to the valgrind project so that they can add that to their default suppression list.
Will do, thanks. OOC, how does the function make sure that it won't read across a page boundary?
Reported to valgrind at https://bugs.kde.org/show_bug.cgi?id=484002
Moved per comment 4.