False Positive: UNINITIALIZED READ: reading register edx #1035

Open
derekbruening opened this issue Nov 28, 2014 · 3 comments
Comments

@derekbruening
Contributor

From zhao...@google.com on September 25, 2012 14:19:33

Error #1: UNINITIALIZED READ: reading register edx
...
Note: instruction: shr $0x0000000a %edx -> %edx

TAG 0x010a7671
+0 L3 8b 4d cc mov 0xffffffcc(%ebp) -> %ecx <== stack to ecx
+3 L3 0f b7 c1 movzx %cx -> %eax
+6 L3 8b f8 mov %eax -> %edi
+8 L3 8b d0 mov %eax -> %edx
+10 L3 c1 e8 0c shr $0x0000000c %eax -> %eax
+13 L3 83 e0 03 and $0x00000003 %eax -> %eax
+16 L3 89 43 38 mov %eax -> 0x38(%ebx)
+19 L3 8a c1 mov %cl -> %al
+21 L3 c0 e8 02 shr $0x02 %al -> %al
+24 L3 24 03 and $0x03 %al -> %al
+26 L3 88 45 fe mov %al -> 0xfffffffe(%ebp)
+29 L3 d1 ea shr $0x00000001 %edx -> %edx
+31 L3 8a c1 mov %cl -> %al
+33 L3 c0 e8 04 shr $0x04 %al -> %al
+36 L3 83 e2 01 and $0x00000001 %edx -> %edx
+39 L3 24 03 and $0x03 %al -> %al
+41 L3 89 53 08 mov %edx -> 0x08(%ebx)
+44 L3 88 45 ff mov %al -> 0xffffffff(%ebp)
+47 L3 8b d1 mov %ecx -> %edx <== ecx to edx
+49 L3 8a c1 mov %cl -> %al
+51 L3 c1 ea 0a shr $0x0000000a %edx -> %edx <== Uninit Error Reports on edx
+54 L3 c0 e8 06 shr $0x06 %al -> %al
+57 L3 c0 e9 07 shr $0x07 %cl -> %cl
+60 L3 83 e7 01 and $0x00000001 %edi -> %edi
+63 L3 80 e2 03 and $0x03 %dl -> %dl
+66 L3 24 01 and $0x01 %al -> %al
+68 L3 80 e1 01 and $0x01 %cl -> %cl
+71 L3 89 7b 04 mov %edi -> 0x04(%ebx)
+74 L3 88 53 2c mov %dl -> 0x2c(%ebx)
+77 L3 88 45 fd mov %al -> 0xfffffffd(%ebp)
+80 L3 88 4d fc mov %cl -> 0xfffffffc(%ebp)
+83 L3 85 ff test %edi %edi
+85 L3 75 3b jnz $0x010a7703
END 0x010a7671

Trace back

TAG 0x010a7654
+0 L3 83 c4 0c add $0x0000000c %esp -> %esp
+3 L3 8b df mov %edi -> %ebx
+5 L3 8b 0e mov (%esi) -> %ecx
+7 L3 8d 55 cc lea 0xffffffcc(%ebp) -> %edx <== pass to a function call.
+10 L3 89 0b mov %ecx -> (%ebx)
+12 L3 8b 4e 0c mov 0x0c(%esi) -> %ecx
+15 L3 52 push %edx %esp -> %esp 0xfffffffc(%esp)
+16 L3 e8 07 f1 ff ff call $0x010a6770 %esp -> %esp 0xfffffffc(%esp)
END 0x010a7654

function callee

0:000> Uf 010a6770
...
310 010a6781 0fb610 movzx edx,byte ptr [eax]
310 010a6784 0fb64001 movzx eax,byte ptr [eax+0x1]
310 010a6788 66c1e208 shl dx,0x8
310 010a678c 660bd0 or dx,ax
310 010a678f 8b4508 mov eax,[ebp+0x8]
310 010a6792 668910 mov [eax],dx

Similar uninit reported:

967 010a7ee7 8d45e8 lea eax,[ebp-0x18]
967 010a7eea 50 push eax
967 010a7eeb e880e8ffff call 010a6770
...
1000 010a7f8e 8b45e8 mov eax,[ebp-0x18]
...
1005 010a7fc5 8bc8 mov ecx,eax
..
1006 010a7fc9 c1e90a shr ecx,0xa
...
1006 010a7fcf 80e103 and cl,0x3
...
1007 010a7fda 884dfd mov [ebp-0x3],cl
...
1113 010a81b0 807dfe02 cmp byte ptr [ebp-0x2],0x2 <== uninit reported.

Error #1: UNINITIALIZED READ: reading 0x003cf671-0x003cf672 1 byte(s)
...
Dr.M Note: instruction: cmp 0xfffffffd(%ebp) $0x02

Because neither "shl dx, 0x8" nor "or dx, ax" reports uninit, we can assume the whole dx is initialized.
Reporting uninit on "shr ecx, 0xa" seems reasonable, as the upper ecx is not initialized.
But after "and cl, 0x3", why would it report uninit on "cmp byte ptr [ebp-0x2],0x2"?

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1035

@derekbruening
Contributor Author

From zhao...@google.com on September 25, 2012 11:30:01

1000 010a7f8e 8b45e8 mov eax,[ebp-0x18]
...
1004 010a7fb4 8bd0 mov edx,eax
1004 010a7fb6 c1ea08 shr edx,0x8
1004 010a7fb9 80e103 and cl,0x3
1004 010a7fbc 80e203 and dl,0x3
1004 010a7fbf 884dff mov [ebp-0x1],cl
1004 010a7fc2 8855fe mov [ebp-0x2],dl

@derekbruening
Contributor Author

From bruen...@google.com on September 25, 2012 11:40:12

I don't understand: can you clarify?

What is the relationship between the top sequence of code and the bottom?

Why would any uninit be reported on a "shl" or "or"? DrMem only reports on comparisons.

The "and cl,0x3": are you claiming cl has a value shown earlier to not be uninit? You didn't paste the code in between: how are you sure?

@derekbruening
Contributor Author

From zhao...@google.com on September 25, 2012 11:42:02

When run with uninit_non_moves, a similar error is reported:
instruction: shr $0x00000008 %edx -> %edx
So I believe the problem is not the & 0x3 but something inside the callee, i.e.:

function callee

0:000> Uf 010a6770
...
310 010a6781 0fb610 movzx edx,byte ptr [eax]
310 010a6784 0fb64001 movzx eax,byte ptr [eax+0x1]
310 010a6788 66c1e208 shl dx,0x8
310 010a678c 660bd0 or dx,ax
310 010a678f 8b4508 mov eax,[ebp+0x8]
310 010a6792 668910 mov [eax],dx
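The reasoning in the first comment ("after and cl,0x3 the result must be initialized") and the second comment's "shr edx,0x8 ; and dl,0x3" sequence both depend on how precisely a tool propagates definedness through shifts and masks. The following model is an added illustration written for this page; it is not code from the issue or from Dr. Memory, and its propagation rules (bit-precise versus a coarser byte-granular view, with a constant AND treated as defining every bit the constant clears) are a simplifying assumption, not a description of Dr. Memory's real shadow implementation. The starting state is constructed from the callee shown above: `mov [eax],dx` stores two bytes into a four-byte stack slot, so a later 32-bit load of that slot sees the low two bytes defined and the high two bytes still uninitialized.

```python
# Shadow ("definedness") propagation model for the register sequences quoted
# in this issue.  A set bit in the shadow mask means "this bit is initialized".
# Assumption: these rules are a simplified model, not Dr. Memory's own.

MASK32 = 0xFFFFFFFF


def shr32(defined: int, n: int) -> int:
    """SHR r32, imm: source bits move down by n; the n zero bits shifted in
    at the top are constants and therefore defined."""
    return ((defined >> n) | (MASK32 << (32 - n))) & MASK32


def and_imm8(defined: int, imm: int) -> int:
    """AND r8, imm8 on the low byte of a 32-bit register: a bit the constant
    clears is 0 whatever the input was, so it becomes defined; bits the
    constant keeps inherit the source shadow.  Upper bytes are untouched."""
    low = (defined & 0xFF) | (~imm & 0xFF)
    return (defined & ~0xFF) | low


def coarsen(defined: int) -> int:
    """Byte-granular view: a byte counts as defined only if all 8 bits are."""
    out = 0
    for b in range(4):
        if (defined >> (8 * b)) & 0xFF == 0xFF:
            out |= 0xFF << (8 * b)
    return out


def run(ops, defined: int, byte_granular: bool) -> int:
    """Apply a sequence of shadow transfer functions, optionally coarsening
    to byte granularity after every instruction."""
    for op in ops:
        defined = op(defined)
        if byte_granular:
            defined = coarsen(defined)
    return defined


# Constructed starting state: the callee wrote only the low 16 bits of the
# slot (mov [eax],dx), so "mov eax,[ebp-0x18]" loads 2 defined + 2 undefined bytes.
LOAD_SHADOW = 0x0000FFFF

# First comment: "shr ecx,0xa ; and cl,0x3" (cl is later stored and compared)
SEQ_CL = [lambda d: shr32(d, 0xA), lambda d: and_imm8(d, 0x3)]
# Second comment: "shr edx,0x8 ; and dl,0x3"
SEQ_DL = [lambda d: shr32(d, 0x8), lambda d: and_imm8(d, 0x3)]


def low_byte_defined(seq, byte_granular: bool) -> bool:
    """True if the low byte (cl / dl) is fully defined after the sequence."""
    return run(seq, LOAD_SHADOW, byte_granular) & 0xFF == 0xFF


if __name__ == "__main__":
    for name, seq in (("cl", SEQ_CL), ("dl", SEQ_DL)):
        print(f"{name}: bit-precise={low_byte_defined(seq, False)} "
              f"byte-granular={low_byte_defined(seq, True)}")
```

Under bit-precise propagation both `cl` and `dl` end up fully defined, which matches the reporter's expectation. Under the byte-granular view, `shr ecx,0xa` assembles the low byte of ecx from bits 10..17 of the source, which straddle a defined byte and an uninitialized one, so the whole byte is marked uninitialized and the constant AND cannot recover it; `shr edx,0x8` instead copies a whole defined byte into dl. Which of the two views a given tool implements, and whether it special-cases masking constants, is exactly the question a practitioner should confirm before classifying such a report as a false positive.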
