libmusl has: void *__malloc0(size_t n) { void *p = malloc(n); if (p && !IS_MMAPPED(MEM_TO_CHUNK(p))) { size_t *z; n = (n + sizeof *z - 1)/sizeof *z; for (z=p; n; n--, z++) if (*z) *z=0; } return p; } Memcheck should recognize the idiom "if (*z) *z=0;", then not complain "Conditional jump or move depends on uninitialised value(s)". The final state is "all initialized [and zero!]", and the two-instruction intermediate state [Compare, Branch if already 0] has no lasting consequences. Of course libmusl should integrate better with memcheck, but the idiom occurs in "random" user code, too.
Using reasoning that is similar to that the NOT_EQUAL operator (not_equal in any bit position that is initialized, implies not_equal in the whole word, regardless of uninit bits in other positions), then the "read-only" operator EQUAL_TO_A_CONSTANT can *change* the initialization status of bits in memory. One version of actual code {loop(j): if (rv[j] != 0) rv[j] = 0)} for i386 is 0xe10102 <__malloc0+27>: add $0x3,%ebx // length in bytes 0xe10105 <__malloc0+30>: xor %edx,%edx // j = 0; 0xe10107 <__malloc0+32>: shr $0x2,%ebx // length in words 0xe1010a <__malloc0+35>: cmp %edx,%ebx 0xe1010c <__malloc0+37>: je 0xe1011e <__malloc0+55> // array is empty 0xe1010e <__malloc0+39>: cmpl $0x0,(%eax,%edx,4) // if (0==rv[j]) 0xe10112 <__malloc0+43>: je 0xe1011b <__malloc0+52> // already 0 0xe10114 <__malloc0+45>: movl $0x0,(%eax,%edx,4) // rv[j] = 0; 0xe1011b <__malloc0+52>: inc %edx // ++j; 0xe1011c <__malloc0+53>: jmp 0xe1010a <__malloc0+35> If the branch is taken in 0xe1010e <__malloc0+39>: cmpl $0x0,(%eax,%edx,4) // if (0==rv[j]) 0xe10112 <__malloc0+43>: je 0xe1011b <__malloc0+52> // already 0 then we know that the word in memory at address (%eax,%edx,4) is zero. In particular: ALL ITS BITS ARE NOW KNOWN TO BE INITIALIZED, regardless of previous state! So there were NO writes to memory, but the V bits must now be all 1's (signifying initialized), even if previously some of them were 0 (signifying uninitialized). So, EQUAL_TO_A_CONSTANT erases Uninitialized.
(In reply to John Reiser from comment #0) for (z=p; n; n--, z++) if (*z) *z=0; What is the point of this? Why not just assign zeroes unconditionally? Is this some game with the MESI protocol, to avoid unnecessary RFOs?
(In reply to Julian Seward from comment #2) > for (z=p; n; n--, z++) if (*z) *z=0; > > What is the point of this? Why not just assign zeroes unconditionally? > Is this some game with the MESI protocol, to avoid unnecessary RFOs? [It's been 30 years, so some of this is hazy ...] i386 did not have on-die cache (4kB of on-CPU cache in the i486 was a HUGE improvement), the write buffer was shallow (one? zero?), and the CPU execution pipeline was very short (little penalty for branching: decoding only.) A memory operation took 4 cycles; you could afford 2 instructions to avoid a write, especially if those two instructions fit into one memory read operation as input to the decoder.
(In reply to John Reiser from comment #1) More generally, when memcheck complains about uninit in a test for equality between variables, then the Valid bits should "cross-pollinate": if (a == b) { // 'a' and 'b' are the user values if (~aV | ~bV) { //' 'aV' are the Valid bits for 'a' complain("uninit bits in equality test", ...); old_aV = aV; old_bV = bV; // The user bits are equal. Therefore the Valid bits // of each operand must erase Uninit // for the corresponding bits of the other operand. // There is no difference between being Initialized by a Write, // and being equal to an Initialized bit. aV |= old_bV; bV |= old_aV; } } else { ... } Carried to extremes, this could mean that some previous complaints are no longer correct! The user bits have not changed (there were no Write operations), but we have learned new information: some bits that a while ago were thought to be Uninit, have turned out to be initialized after all. (This is not the French national Dictée dictation examination, where late discovery of gender requires that you go back and correct previous pronouns, but ...)
(In reply to John Reiser from comment #4) Interesting, but I don't really understand it. What's the underlying insight here? In particular, why is it the case that knowing the two operands are equal allows us to mark the operands as more defined than they were originally? Is this specific to == and !=, or is it more general?
In particular I am trying to figure out if this can somehow be used to avoid the problems shown at https://bugs.llvm.org//show_bug.cgi?id=12319 and https://github.com/rust-lang/rust/issues/11710
(In reply to Julian Seward from comment #6) > In particular I am trying to figure out if this can somehow be used to avoid > the problems shown at > https://bugs.llvm.org//show_bug.cgi?id=12319 > and > https://github.com/rust-lang/rust/issues/11710 The 0x45600000123 case (https://bugs.llvm.org//show_bug.cgi?id=12319#c2) is not related. Instead, it is "not-equal in any bit position where both operands have valid bits, implies not-equal for the whole word." As *presented*, the main Description for " if (!h(&a, &b) || a == 42 || b == 33)", namely https://bugs.llvm.org//show_bug.cgi?id=12319#c0 , is a bug in gcc. The code for h() is not shown, so it and its post-conditions are *unknown*. Therefore gcc must evaluate the if-expression according to the rules of C, namely left-to-right; but gcc evaluated the a==42 before the !result_of_h(). Besides, the dcache has latency, so it would be 1 to 3 cycles faster (and 3 bytes larger) to fetch 'a' first: call h mov 4(%rsp),%ecx // overlap cache latency; result might be unused testb %al,%al; je .LBB0_3 cmpl $42,%ecx; je .LBB0_3 The 'rust' case https://github.com/rust-lang/rust/issues/11710#issuecomment-33315140 is similarly muddled by imprecise presentation. "LLVM is allowed to generate undefined reads if it can not change the program behavior." memcheck does not complain about the Read, but about the Compare.
(In reply to Julian Seward from comment #5) > What's the underlying insight > here? In particular, why is it the case that knowing the two operands are > equal allows us to mark the operands as more defined than they were > originally? > > Is this specific to == and !=, or is it more general? The underlying principle is that it can be useful to view "a bit is initialized" as equivalent to "the cardinality of the set of possible values is 1, not 2." It also applies to <, <=, >=, > when there are enough Valid bits that are contiguous with the MostSignificantBit, and the operands satisfy the relation when restricted to those contiguous bits.
(In reply to John Reiser from comment #8) > The underlying principle is that it can be useful to view "a bit is > initialized" as equivalent to "the cardinality of the set of possible values > is 1, not 2." Expanding: if 'a' is initialized and 'x' is not, then > > It also applies to <, <=, >=, > when there are enough Valid bits that are > contiguous with the MostSignificantBit, and the operands satisfy the > relation when restricted to those contiguous bits.
(In reply to John Reiser from comment #8) > The underlying principle is that it can be useful to view "a bit is > initialized" as equivalent to "the cardinality of the set of possible values > is 1, not 2." Expanding: if int 'a' is initialized and int 'x' is not, then consider the code: /* memcheck should complain about the comparison because x is uninit */ if (x == a) { /* Now x is known to have only 1 value (namely, the value of 'a'), * so 'x' has become initialized. So memcheck should no longer complain * about 'x' in this True branch of the 'if'. */ g(x); /* arbitrary code that does not change 'x' */ } else { x = 42; /* Initialize 'x' */ } /* Here the fan-out of if-else has re-converged, and 'x' is known to be * initialized at the end of all (both) branches, so 'x' is has become initialized. */ so the initialization status of 'x' has been changed by a Read-and-Compare (to an initialized value, with result Equal), and not by a Write. The converging of all branches to the same point, with 'x' initialized at the end of each branch, "solidifies" the initialization going forward. Even more fortuitously, the detailed analysis is necessary only in the unlikely case when there are some Uninit bits, so can be done by a closed subroutine in the infrequent branch. In the extreme case where the bit width of 'x' is 1, then comparing to any initialized bit makes 'x' initialized, even without the balancing branch. If the result of the comparison is Equal then by the same reasoning as before, and if NotEqual then that means Equal to the complement *bit*, whose set of all possible values also has cardinality 1. > It also applies to <, <=, >=, > when there are enough Valid bits that are > contiguous with the MostSignificantBit, and the operands satisfy the > relation when restricted to those contiguous bits. The case of <= and >= is only for the '<' or '>' result implying non-equality (unless the whole words are valid.)
This comment is to confirm that the bug still exists today 2024-06-24, 7 years after original filing. Actually there are two bugs: 1) In the True branch after a test for Equality (==) then the Defined bits propagate in both directions. Some bits which previously were Uninit may become dynamically Defined because they are equal to a Defined bit in the other operand. Thus dynamic Equality is NOT necessarily a Read-Only operation with respect to the Defined bits for each operand. (Of course if all input bits in both operands are Defined then there is no issue, and no accounting bits change.) 2) When control-flow paths converge at run time, then the Defined bits after the Join become equal to the AND of the corresponding Defined bits for each variable along any path that enters the Join.
I'm loathe to cater to making Undefined Behaviour defined in any way. clang-tidy says it all /home/paulf/x.c:18:44: warning: Branch condition evaluates to a garbage value [clang-analyzer-core.uninitialized.Branch] 18 | for (z=p; n; n--, z++) if (*z) *z=0; | ^~ (browsers are likely to use variable with fonts, the caret is under the *z in the if statement). Who knows what compilers will do with this. Maybe ignore the 'if'. Maybe ignore the initialization. Also how can we be sure that the use of garbage is intentional?