Bug 1423434

Summary: out of bounds stack access triggered by __sync_synchronize() on i686
Product: [Fedora] Fedora Reporter: Kamil Dudka <kdudka>
Component: gccAssignee: Jakub Jelinek <jakub>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 26CC: davejohansen, dueno, jakub, jstanek, jwakely, kdudka, law, lslebodn, mjw, mpolacek, pkubat, wilmer5
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1428286 (view as bug list) Environment:
Last Closed: 2017-03-01 20:35:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1423318, 1428286    

Description Kamil Dudka 2017-02-17 10:20:10 UTC 
Description of problem:
I see invalid (read) access to stack under valgrind on i686.


Version-Release number of selected component (if applicable):
sqlite-libs-3.16.2-3.fc26.i686


How reproducible:
Reliably.


Steps to Reproduce:
$ mock -vr fedora-rawhide-i386 --init
$ mock -vr fedora-rawhide-i386 --install https://kojipkgs.fedoraproject.org//packages/sqlite/3.16.2/3.fc26/i686/sqlite-libs-3.16.2-3.fc26.i686.rpm https://kojipkgs.fedoraproject.org//packages/sqlite/3.16.2/3.fc26/i686/sqlite-debuginfo-3.16.2-3.fc26.i686.rpm
$ mock -vr fedora-rawhide-i386 --install curl valgrind
$ mock -vr fedora-rawhide-i386 --no-clean --chroot 'valgrind curl -svo/dev/null https://google.com'


Actual results:
==15600== Invalid read of size 4
==15600==    at 0x6311D17: UnknownInlinedFun (sqlite3.c:23079)
==15600==    by 0x6311D17: sqlite3MutexInit (sqlite3.c:22651)
==15600==    by 0x6329854: sqlite3_initialize (sqlite3.c:139163)
==15600==    by 0x6352A73: sqlite3_mprintf (sqlite3.c:25881)
==15600==    by 0x62E484D: ??? (in /usr/lib/libsoftokn3.so)
==15600==    by 0x62E88D0: ??? (in /usr/lib/libsoftokn3.so)
==15600==    by 0x62CE7C2: ??? (in /usr/lib/libsoftokn3.so)
==15600==    by 0x62CEC12: ??? (in /usr/lib/libsoftokn3.so)
==15600==    by 0x62CF944: ??? (in /usr/lib/libsoftokn3.so)
==15600==    by 0x62CFBFD: ??? (in /usr/lib/libsoftokn3.so)
==15600==    by 0x498BCC4: ??? (in /usr/lib/libnss3.so)
==15600==    by 0x498C3EB: ??? (in /usr/lib/libnss3.so)
==15600==    by 0x499A71F: SECMOD_LoadModule (in /usr/lib/libnss3.so)
==15600==  Address 0xfe9a5bec is on thread 1's stack
==15600==  4 bytes below stack pointer



Expected results:
valgrind output is clean.


Additional info:
This breaks nss-softokn and consequently curl.  Everything works as expected after downgrading to sqlite-libs-3.16.2-2.fc26.i686.  So it is most likely a new version of the compiler what triggered this bug.
Comment 1 Kamil Dudka 2017-02-17 10:33:12 UTC 
The minimal example seems to be as easy as:

int main()
{
    __sync_synchronize();
}

==18365== Invalid read of size 4
==18365==    at 0x80483D9: main (test.c:3)
==18365==  Address 0xfec676b4 is on thread 1's stack
==18365==  4 bytes below stack pointer

# rpm -q gcc valgrind
gcc-7.0.1-0.8.fc26.i686
valgrind-3.12.0-3.fc26.i686

Switching to gcc...
Comment 2 Jakub Jelinek 2017-02-20 15:09:27 UTC 
*** Bug 1425107 has been marked as a duplicate of this bug. ***
Comment 3 Jakub Jelinek 2017-02-20 15:12:54 UTC 
This has been reverted upstream today, the lock orl $0, -4(%esp) form of mfence has been done that way for performance reasons, but people who care about performance should not be using 32-bit code anyway, so it will be again lock orl $0, (%esp).
See http://gcc.gnu.org/r245577

This will be picked by Fedora gcc mid to late this week, then you'll need to rebuild anything that uses __sync_synchronize or similar atomic barriers and you care about running it under valgrind in 32-bit mode (the code is really harmless, because it doesn't change the word below sp, but valgrind is still unhappy about that).
Comment 4 Mark Wielaard 2017-02-20 15:30:35 UTC 
Thanks. The valgrind bug related to below stack accesses to implement memory fences on i386 is https://bugs.kde.org/show_bug.cgi?id=374940
Comment 5 Fedora End Of Life 2017-02-28 11:28:12 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.
Comment 6 Jakub Jelinek 2017-03-01 20:35:32 UTC 
Should be fixed in gcc-7.0.1-0.10.fc26.  You need to rebuild 32-bit packages that use such barriers and you want to run them under valgrind (outside of valgrind it is really harmless).