Fixed
Status Update
Comments
en...@google.com <en...@google.com> #2
This was fixed by https://code.google.com/p/android/issues/detail?id=147048.
00037128 <memchr>:
37128: b530 push {r4, r5, lr}
3712a: b162 cbz r2, 37146 <memchr+0x1e>
3712c: b2c9 uxtb r1, r1
3712e: 4603 mov r3, r0
37130: 461d mov r5, r3
37132: f815 4b01 ldrb.w r4, [r5], #1
37136: 428c cmp r4, r1
37138: d007 beq.n 3714a <memchr+0x22>
3713a: 1b54 subs r4, r2, r5
3713c: 462b mov r3, r5
3713e: 1905 adds r5, r0, r4
37140: d1f6 bne.n 37130 <memchr+0x8>
37142: 4628 mov r0, r5
37144: bd30 pop {r4, r5, pc}
37146: 4610 mov r0, r2
37148: bd30 pop {r4, r5, pc}
3714a: 4618 mov r0, r3
3714c: bd30 pop {r4, r5, pc}
I'll add a regression test for this specific case though: https://android-review.googlesource.com/#/c/161910/
Description
size_t result = strnlen("test", 0xFFFFFFFF);
Expected result: 4
Actual result: 0xFFFFFFFF
Internally, strnlen calls memchr. There is a carry generated during the addition of the maxlen to the beginning pointer when executing memchr. This carry is apparently discarded, and the next compare instruction wrongly returns 0. Here is the assembly:
r0 has the beginning pointer for the string "test".
r1 is 0 since memchr has to look for 0x00 in the string.
r2 has maxlen 0xFFFFFFFF
=> 0x400b8f1a <+0>: adds r2, r0, r2 <-- sets the carry bit, r0 < r2!
0x400b8f1c <+2>: adds r3, r0, #3
0x400b8f1e <+4>: push {r4, r5, r6, lr}
0x400b8f20 <+6>: cmp r0, r2 <- r0 < r2!! sets the carry bit
0x400b8f22 <+8>: bcs.n 0x400b8f56 <memchr+60> <- on CS branch
...
0x400b8f56 <+60>: movs r0, #0 <-- executes this and returns 0
0x400b8f58 <+62>: pop {r4, r5, r6, pc}
Thanks.
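An added illustration of the failure mode in the report (not bionic's code): a model of a memchr whose bound check compares against a computed end address, beside an overflow-safe count-down form, each driven through the strnlen-over-memchr path the report describes. The address arithmetic is done on uintptr_t so the wrap-around is defined unsigned arithmetic rather than undefined pointer overflow; maxlen is (size_t)-1, which is the 0xFFFFFFFF of the 32-bit ARM report.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the buggy bound check from the report: end = s + n, then
 * "if (s >= end) return NULL". Done on uintptr_t so the wrap-around is
 * well-defined unsigned arithmetic here (on real pointers it is UB). */
static const void *memchr_end_pointer(const void *s, int c, size_t n)
{
    const unsigned char *p = s;
    uintptr_t start = (uintptr_t)s;
    uintptr_t end = start + (uintptr_t)n;   /* carries out when start + n wraps */
    if (start >= end)                        /* the "cmp r0, r2 / bcs" in the report */
        return NULL;                         /* a huge n therefore reports "not found" */
    for (; (uintptr_t)p < end; p++)
        if (*p == (unsigned char)c)
            return p;
    return NULL;
}

/* Overflow-safe form (an illustration, not bionic's actual fix): count the
 * remaining bytes down instead of comparing against a computed end address,
 * so the result never depends on where the buffer sits in memory. */
static const void *memchr_count_down(const void *s, int c, size_t n)
{
    const unsigned char *p = s;
    for (; n != 0; n--, p++)
        if (*p == (unsigned char)c)
            return p;
    return NULL;
}

/* strnlen as the report describes it: locate the NUL via memchr, else maxlen. */
typedef const void *(*memchr_fn)(const void *, int, size_t);
static size_t strnlen_via(memchr_fn mc, const char *s, size_t maxlen)
{
    const char *nul = mc(s, '\0', maxlen);
    return nul ? (size_t)(nul - s) : maxlen;
}

int main(void)
{
    /* The report's call, with maxlen = (size_t)-1 (0xFFFFFFFF on 32-bit ARM). */
    printf("end-pointer memchr: %zu\n", strnlen_via(memchr_end_pointer, "test", SIZE_MAX));
    printf("count-down memchr:  %zu\n", strnlen_via(memchr_count_down, "test", SIZE_MAX));
    return 0;
}
```

The end-pointer variant returns maxlen (the wrapped "not found" the report observed) while the count-down variant returns 4, without either reading past the terminating NUL.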