Bug 174324

Summary: re_compile_fastmap_iter uses uninit value
Product: [Fedora] Fedora Reporter: John Reiser <jreiser>
Component: glibcAssignee: Jakub Jelinek <jakub>
Status: CLOSED NOTABUG QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 5   
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-11-28 12:50:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Reiser 2005-11-27 23:14:18 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8) Gecko/20051118 Fedora/1.5-0.5.0.rc3 Firefox/1.5

Description of problem:
memcheck complains that internal testcase posix/tst-rxspencer uses an uninit value.   Snippet of un-redirected stdout (helping to locate which test):
-----
abc             &       xabcy   abc
a\(b\)?c\1d     b       acd
aBc             i       Abc     Abc
a[Bc]*d         i       abBCcd  abBCcd
==24586== Conditional jump or move depends on uninitialised value(s)
==24586==    at 0x4AA97C7: re_compile_fastmap_iter (regcomp.c:325)
==24586==    by 0x4AA9B2A: re_compile_fastmap (regcomp.c:275)
==24586==    by 0x4AB5D18: regcomp (regcomp.c:491)
==24586==    by 0x400FA6: test (tst-rxspencer.c:226)
==24586==    by 0x401E3C: main (tst-rxspencer.c:545)
==24586==
-----


Version-Release number of selected component (if applicable):
glibc-2.3.90-18

How reproducible:
Always

Steps to Reproduce:
1. Run internal testcase posix/tst-rxspencer under valgrind-3.1.0 on x86_64.
2.
3.
  

Actual Results:  memcheck complains as in Description.

Expected Results:  No complaints.

Additional info:
Comment 1 Jakub Jelinek 2005-11-28 12:50:00 UTC 
valgrind bug (though probably really hard to fix).
There are some bitfields in the structure:
...
  re_token_type_t type : 8;
  unsigned int constraint : 10; /* context constraint */
  unsigned int duplicated : 1;
  unsigned int opt_subexp : 1;
  unsigned int accept_mb : 1;
  unsigned int mb_partial : 1;
  unsigned int word_char : 1;
and GCC optimizes:
              while (++node < dfa->nodes_len
                     && dfa->nodes[node].type == CHARACTER
                     && dfa->nodes[node].mb_partial)
as reading whole 32-bit word that contains both type and mb_partial bitfield,
masking it and then comparing.  mb_partial is known to be initialized when
type == CHARACTER, but not otherwise.  If type is not CHARACTER, it is
uninitialized, but that doesn't matter, as it doesn't influence runtime at all
in that case.  But valgrind isn't able to figure it out.