GMP 5.1.1: Valgrind reports incorrect read in __gmpn_copyd (called from __gmpz_mul_2exp)

Alexander Kruppa akruppa at gmail.com
Wed Feb 20 14:58:45 CET 2013


The attached program triggers a valgrind error for an incorrect read.

gcc -I ~/gmp-5.1.1/include/ -o test_mpmod test_mpmod.c gmp-5.1.1/lib/libgmp.a && valgrind ./test_mpmod

==17830== Memcheck, a memory error detector
==17830== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==17830== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==17830== Command: ./test_mpmod
==17830==
==17830== Invalid read of size 8
==17830==    at 0x401A74: __gmpn_copyd (in /users/caramel/kruppaal/test_mpmod)
==17830==    by 0x4009CF: __gmpz_mul_2exp (in /users/caramel/kruppaal/test_mpmod)
==17830==    by 0x40086D: main (test_mpmod.c:20)
==17830==  Address 0x51f45a8 is 0 bytes after a block of size 984 alloc'd
==17830==    at 0x4C2C861: realloc (vg_replace_malloc.c:662)
==17830==    by 0x401C9B: __gmp_default_reallocate (in /users/caramel/kruppaal/test_mpmod)
==17830==    by 0x400A26: __gmpz_realloc (in /users/caramel/kruppaal/test_mpmod)
==17830==    by 0x400AE5: __gmpz_set (in /users/caramel/kruppaal/test_mpmod)
==17830==    by 0x400854: main (test_mpmod.c:17)
==17830==
==17830==
==17830== HEAP SUMMARY:
==17830==     in use at exit: 0 bytes in 0 blocks
==17830==   total heap usage: 8 allocs, 8 frees, 7,032 bytes allocated
==17830==
==17830== All heap blocks were freed -- no leaks are possible
==17830==
==17830== For counts of detected and suppressed errors, rerun with: -v
==17830== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 2 from 2)

GMP was configured with

./configure --prefix=/users/caramel/kruppaal/gmp-5.1.1/ CFLAGS="-O2 -g -pedantic -m64 -mtune=core2 -march=core2" LDFLAGS=-g

but the error occurred without the CFLAGS and LDFLAGS settings as well.

gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu/Linaro 4.6.3-1ubuntu5'
--with-bugurl=file:///usr/share/doc/gcc-4.6/README.Bugs
--enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-4.6 --enable-shared --enable-linker-build-id
--with-system-zlib --libexecdir=/usr/lib --without-included-gettext
--enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.6
--libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--enable-gnu-unique-object --enable-plugin --enable-objc-gc
--disable-werror --with-arch-32=i686 --with-tune=generic
--enable-checking=release --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)

uname -a
Linux quiche 3.2.0-37-generic #58-Ubuntu SMP Thu Jan 24 15:28:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

./config.guess
core2-unknown-linux-gnu
/bin/sh ./configfsf.guess
x86_64-unknown-linux-gnu

The attached test case is stripped-down code of mpmod.c in GMP-ECM.
With GMP version 5.0.2, valgrind does not report an error with this
reduced test case, but does show use of uninitialised values when the
whole of GMP-ECM is run. I'll see if I can reproduce these errors with
GMP 5.0.5, and if yes, whether I can track down the origin.

This may be related to GMP sometimes reading past the end of an array for
efficiency (e.g., with 16-byte SSE3 data transfer instructions), as pointed out
at http://gmplib.org/manual/Debugging.html under Debugging. If it is related
to that, and not a problem that affects program correctness, could you provide
a suppression file for these cases? It would be a pity to lose the ability to
use valgrind for automated software tests, or to have to trace down each report
to see if it is a "benign read" or not.

Thanks,
Alex
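The suppression the report asks for, as an added example that is neither part of the original message nor a file shipped by GMP: it matches only the exact call chain in the valgrind output above (an 8-byte invalid read in __gmpn_copyd called from __gmpz_mul_2exp), so every other invalid read keeps being reported and a real defect is not silenced along with the one entry. The file name and the suppression name are assumptions.

```text
# gmp-copyd.supp  (added example; not from the report or from GMP)
# One entry per known-benign stack. Keep the frame list as specific as the
# report allows: a looser pattern (e.g. only fun:__gmpn_copyd) would also hide
# genuine out-of-bounds reads reached through other callers.
{
   gmp-5.1.1-copyd-read-via-mul_2exp   # assumed name, free-form
   Memcheck:Addr8                      # "Invalid read of size 8"
   fun:__gmpn_copyd                    # innermost frame from the report
   fun:__gmpz_mul_2exp                 # its caller from the report
}
```

Use it with `valgrind --suppressions=gmp-copyd.supp ./test_mpmod`; valgrind's `--gen-suppressions=all` option prints a ready-made entry for each error it sees, which is the easiest way to get the frame names right. A suppression is only appropriate once the read has been confirmed as one of the harmless over-reads the GMP manual describes; until then, leaving it unsuppressed in automated tests is the safer default, and the error summary counts the suppressed entries separately so they stay visible.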

