
Re: [Libevent-users] Uninitialized Memory Read when pushing >64 events at once

Sorry I didn't get a chance to fiddle with this until just now.  The short program below does generate uninitialized memory reads when executing the printf().  If I add a memset() right after the events[200] declaration (before the epoll_wait() call), the uninitialized memory issue goes away, though it's clear the epoll underpinnings are actually filling in that memory before we get back to our program space (gdb examination looks clean).

Looks like a false positive to me at this point as well.

- scott

On Sun, May 29, 2011 at 9:34 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
On Sun, May 29, 2011 at 9:25 PM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
[...]
> Below is a short program I tried to use to reproduce this, but
> valgrind didn't tell me about any reads of uninitialized memory.  Does
> purify complain about the program below?
>

And here's a simpler program to check whether purify has the false
positive that I suspect it might.

If purify complains about this code using uninitialized RAM, I believe
purify is wrong, or my understanding of epoll is somehow deficient.
If purify doesn't complain about this code, then we are likely to have
a genuine libevent bug on our hands.

=====
#include <string.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/socket.h>

int main(int c, char **v)
{
  int epfd;
  int fd[128];
  int i;

  /* The size hint is ignored by modern kernels; only its sign matters. */
  epfd = epoll_create(1000);
  if (epfd < 0) {
    perror("epoll_create");
    return 1;
  }

  /* Register 128 UDP sockets; an unconnected datagram socket is writable
   * at once, so every one of them is ready for EPOLLOUT immediately. */
  for (i=0;i<128;++i) {
    struct epoll_event ctl;
    fd[i] = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd[i]<0) {
      perror("socket");
      return 1;
    }
    memset(&ctl, 0, sizeof(ctl));
    ctl.data.fd = fd[i];
    ctl.events = EPOLLOUT;
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd[i], &ctl) < 0) {
      perror("epoll_ctl");
      return 1;
    }
  }

  /* Deliberately no memset() of events[]: the kernel fills entries
   * [0, res), and reading only those is what we are checking. */
  for (i = 0; i < 10; ++i) {
    int j, res;
    struct epoll_event events[200];
    res = epoll_wait(epfd, events, 200, 0);
    printf("%d\n", res);
    if (res < 0) break;
    for (j=0;j<res;++j) {
       printf("  - %d\n", events[j].data.fd);
    }
  }

  return 0;
}
=====

hth,
--
Nick
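The thread turns on one question: does the kernel write every entry that epoll_wait() reports, so that the printf() loop reads only kernel-filled memory? The program below is an added check, not code from this thread or from libevent, that answers it without a memory checker: it poisons the whole events array with a sentinel before the call, then verifies that entries [0, res) were overwritten and that entries beyond res were left alone. It goes one step past the original program by also checking the slots past res, which is the only place a genuine uninitialized read could come from. It assumes Linux with epoll and a few dozen spare file descriptors; the sentinel value and the socket count are constructed for the test.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/socket.h>

#define MAX_EVENTS 200
#define SENTINEL_FD (-12345)   /* constructed marker: no real fd is negative */

/*
 * Register `nfds` UDP sockets (each immediately writable, so each reports
 * EPOLLOUT), poison the event array, call epoll_wait() once, and classify
 * what the kernel did.  Returns:
 *   0  every one of the `res` reported entries was overwritten and every
 *      entry beyond `res` still carries the sentinel (no unwritten memory is
 *      read by a loop bounded by `res`);
 *   1  an entry within [0, res) still held the sentinel (the kernel did not
 *      fill it: reading it would be a real uninitialized read);
 *   2  an entry beyond `res` was modified (the kernel wrote past its return
 *      value);
 *  -1  a syscall failed (perror() has reported which one).
 * *ready_out receives the value epoll_wait() returned, or -1.
 */
int check_epoll_fills_entries(int nfds, int *ready_out)
{
    struct epoll_event events[MAX_EVENTS];
    int fds[MAX_EVENTS];
    int epfd, i, res, nopen = 0, rc = 0;

    if (ready_out) *ready_out = -1;
    if (nfds <= 0 || nfds > MAX_EVENTS) return -1;

    epfd = epoll_create(1);            /* size hint is ignored by modern kernels */
    if (epfd < 0) { perror("epoll_create"); return -1; }

    for (i = 0; i < nfds; ++i) {
        struct epoll_event ctl;
        fds[i] = socket(AF_INET, SOCK_DGRAM, 0);
        if (fds[i] < 0) { perror("socket"); rc = -1; goto out; }
        nopen++;
        memset(&ctl, 0, sizeof(ctl));
        ctl.events = EPOLLOUT;
        ctl.data.fd = fds[i];
        if (epoll_ctl(epfd, EPOLL_CTL_ADD, fds[i], &ctl) < 0) {
            perror("epoll_ctl"); rc = -1; goto out;
        }
    }

    /* Poison every slot so that any kernel write is visible afterwards. */
    for (i = 0; i < MAX_EVENTS; ++i) {
        events[i].events = 0;
        events[i].data.fd = SENTINEL_FD;
    }

    res = epoll_wait(epfd, events, MAX_EVENTS, 0);
    if (ready_out) *ready_out = res;
    if (res < 0) { perror("epoll_wait"); rc = -1; goto out; }

    /* Entries the kernel claims to have filled must no longer be poisoned. */
    for (i = 0; i < res; ++i)
        if (events[i].data.fd == SENTINEL_FD) { rc = 1; goto out; }

    /* Entries past the return value must be untouched. */
    for (i = res; i < MAX_EVENTS; ++i)
        if (events[i].data.fd != SENTINEL_FD || events[i].events != 0) { rc = 2; goto out; }

out:
    for (i = 0; i < nopen; ++i) close(fds[i]);
    close(epfd);
    return rc;
}

int main(void)
{
    int ready;
    int rc = check_epoll_fills_entries(80, &ready);   /* >64, as in the report */
    printf("epoll_wait returned %d, check result %d\n", ready, rc);
    return rc == 0 ? 0 : 1;
}
```

Run with more than 64 sockets, as here, and the result 0 confirms what gdb showed Scott: the kernel writes exactly the first res entries, so a loop bounded by res never touches memory the program left unset, and a checker that flags it is reporting a false positive. Result 1 or 2 would instead point at a real kernel or wrapper bug worth pursuing.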