Conditional jump or move depends on uninitialised value #6

Closed
kbingham opened this issue Sep 30, 2020 · 1 comment
Comments

@kbingham
Owner

It appears we're using an uninitialised variable, and valgrind picked up on it.

libcamera/libcamera-daily$ valgrind ./build/build-clang-10/src/cam/cam -c 3 -C10
==1784336== Memcheck, a memory error detector
==1784336== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1784336== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1784336== Command: ./build/build-clang-10/src/cam/cam -c 3 -C10
==1784336== 
[22:47:52.899435142] [1784336]  INFO IPAManager ipa_manager.cpp:136 libcamera is not installed. Adding '/home/linuxembedded/iob/libcamera/libcamera-daily/build/build-clang-10/src/ipa' to the IPA search path
[22:47:53.002443094] [1784336]  INFO Camera camera_manager.cpp:287 libcamera v0.0.0+1855-b83ee94f
[22:47:53.824898947] [1784338]  INFO IPAProxy ipa_proxy.cpp:122 libcamera is not installed. Loading IPA configuration from '/home/linuxembedded/iob/libcamera/libcamera-daily/src/ipa/vimc/data'
Using camera platform/vimc.0 Sensor B
[22:47:54.223156621] [1784336]  INFO VIMC vimc.cpp:212 Skipping unsupported pixel format RGB888
[22:47:54.286875950] [1784336]  INFO Camera camera.cpp:811 configuring streams: (0) 1920x1080-BGR888
Capture 10 frames
==1784336== Thread 2:
==1784336== Conditional jump or move depends on uninitialised value(s)
==1784336==    at 0x4118EC: Capture::requestComplete(libcamera::Request*) (capture.cpp:167)
==1784336==    by 0x4152EF: libcamera::BoundMethodMember<Capture, void, libcamera::Request*>::activate(libcamera::Request*, bool) (bound_method.h:190)
==1784336==    by 0x4AEDBEA: libcamera::Signal<libcamera::Request*>::emit(libcamera::Request*) (signal.h:127)
==1784336==    by 0x4AEBEE5: libcamera::Camera::requestComplete(libcamera::Request*) (camera.cpp:996)
==1784336==    by 0x4B838ED: libcamera::PipelineHandler::completeRequest(libcamera::Camera*, libcamera::Request*) (pipeline_handler.cpp:476)
==1784336==    by 0x4C24155: libcamera::VimcCameraData::bufferReady(libcamera::FrameBuffer*) (vimc.cpp:533)
==1784336==    by 0x4C268AF: libcamera::BoundMethodMember<libcamera::VimcCameraData, void, libcamera::FrameBuffer*>::activate(libcamera::FrameBuffer*, bool) (bound_method.h:190)
==1784336==    by 0x4BB3A3A: libcamera::Signal<libcamera::FrameBuffer*>::emit(libcamera::FrameBuffer*) (signal.h:127)
==1784336==    by 0x4BAD309: libcamera::V4L2VideoDevice::bufferAvailable(libcamera::EventNotifier*) (v4l2_videodevice.cpp:1472)
==1784336==    by 0x4BB7B8F: libcamera::BoundMethodMember<libcamera::V4L2VideoDevice, void, libcamera::EventNotifier*>::activate(libcamera::EventNotifier*, bool) (bound_method.h:190)
==1784336==    by 0x4B5179A: libcamera::Signal<libcamera::EventNotifier*>::emit(libcamera::EventNotifier*) (signal.h:127)
==1784336==    by 0x4B509C6: libcamera::EventDispatcherPoll::processNotifiers(std::vector<pollfd, std::allocator<pollfd> > const&) (event_dispatcher_poll.cpp:282)
==1784336== 
82074.640012 (0.00 fps) stream0 seq: 000000 bytesused: 6220800
82074.680018 (25.00 fps) stream0 seq: 000001 bytesused: 6220800
82074.727088 (21.24 fps) stream0 seq: 000002 bytesused: 6220800
82074.766777 (25.20 fps) stream0 seq: 000003 bytesused: 6220800
82074.808468 (23.99 fps) stream0 seq: 000004 bytesused: 6220800
82074.856303 (20.91 fps) stream0 seq: 000005 bytesused: 6220800
82074.901783 (21.99 fps) stream0 seq: 000006 bytesused: 6220800
82074.950037 (20.72 fps) stream0 seq: 000007 bytesused: 6220800
82074.997260 (21.18 fps) stream0 seq: 000008 bytesused: 6220800
82075.044010 (21.39 fps) stream0 seq: 000009 bytesused: 6220800
==1784336== Warning: invalid file descriptor -1 in syscall close()
==1784336== 
==1784336== HEAP SUMMARY:
==1784336==     in use at exit: 0 bytes in 0 blocks
==1784336==   total heap usage: 9,034 allocs, 9,034 frees, 2,140,653 bytes allocated
==1784336== 
==1784336== All heap blocks were freed -- no leaks are possible
==1784336== 
==1784336== Use --track-origins=yes to see where uninitialised values come from
==1784336== For lists of detected and suppressed errors, rerun with: -s
==1784336== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
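
The class of bug Memcheck is reporting above, as an added example that is not the original poster's code and not libcamera's cam/capture.cpp: a hypothetical per-stream statistics object whose member is compared in a completion callback before anything has written to it, next to the fixed form that uses a default member initialiser. The names StreamStatsBuggy, StreamStats and replay, and the timestamp sequence, are assumptions made for illustration; the actual variable behind the capture.cpp:167 report is not shown on this page.

```cpp
// Added example (not libcamera code): a minimal reproduction of the bug
// class behind "Conditional jump or move depends on uninitialised value(s)"
// and its fix. Build and run with:
//   g++ -g -O0 -std=c++17 uninit.cpp -o uninit
//   valgrind --track-origins=yes ./uninit
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for a per-stream counter updated from a
// request-completion callback (the frame sequence/timestamp bookkeeping a
// capture loop does). The structure and names are assumptions.
struct StreamStatsBuggy {
    uint64_t lastTimestamp;   // BUG: never initialised before the first compare
    unsigned drops = 0;

    void requestComplete(uint64_t ts) {
        // On the first callback this branch depends on whatever happened to
        // be in the object's memory. That is exactly what Memcheck flags, and
        // --track-origins=yes points back at the allocation of the object.
        if (ts < lastTimestamp)
            drops++;
        lastTimestamp = ts;
    }
};

struct StreamStats {
    uint64_t lastTimestamp = 0;   // FIX: default member initialiser
    unsigned drops = 0;

    void requestComplete(uint64_t ts) {
        // Timestamps are unsigned, so 0 is a safe "nothing seen yet" value:
        // the first frame can never compare as out of order.
        if (ts < lastTimestamp)
            drops++;
        lastTimestamp = ts;
    }
};

// Replay a constructed sequence of completion timestamps through a fresh
// stats object and return the number of out-of-order frames it counted.
template <typename Stats>
unsigned replay(const std::vector<uint64_t> &timestamps) {
    Stats s;
    for (uint64_t ts : timestamps)
        s.requestComplete(ts);
    return s.drops;
}

int main() {
    // Constructed sample: ten timestamps with a single out-of-order frame.
    std::vector<uint64_t> ts = {100, 140, 187, 226, 268, 200, 316, 361, 409, 457};
    std::printf("fixed: %u out-of-order frame(s)\n", replay<StreamStats>(ts));
    // The buggy variant gives an unpredictable answer; run it under
    // valgrind to see the report and its origin.
    std::printf("buggy: %u out-of-order frame(s)\n", replay<StreamStatsBuggy>(ts));
    return 0;
}
```

Two practical caveats: compile the reproduction at -O0 with -g, because at higher optimisation levels the compiler may fold the uninitialised compare away and Memcheck then has nothing to report; and if the build is clang-based, as the build-clang-10 directory above suggests, clang's MemorySanitizer (-fsanitize=memory) catches the same read at run time with a stack trace, which is useful where valgrind is too slow for a full capture loop.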

@kbingham
Owner Author

Solved thanks to Tomi's fixups.

libcamera-daily$ valgrind ./build/build-clang-10/src/cam/cam -c 3 -C10
==188975== Memcheck, a memory error detector
==188975== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==188975== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==188975== Command: ./build/build-clang-10/src/cam/cam -c 3 -C10
==188975==
[162:49:50.348921731] [188975] INFO IPAManager ipa_manager.cpp:136 libcamera is not installed. Adding '/home/linuxembedded/iob/libcamera/libcamera-daily/build/build-clang-10/src/ipa' to the IPA search path
[162:49:50.473354028] [188975] INFO Camera camera_manager.cpp:292 libcamera v0.0.0+1924-b2b8c4dc
[162:49:51.278188183] [188978] INFO IPAProxy ipa_proxy.cpp:122 libcamera is not installed. Loading IPA configuration from '/home/linuxembedded/iob/libcamera/libcamera-daily/src/ipa/vimc/data'
Using camera platform/vimc.0 Sensor B
[162:49:51.679072374] [188975] INFO VIMC vimc.cpp:212 Skipping unsupported pixel format RGB888
[162:49:51.743390870] [188975] INFO Camera camera.cpp:811 configuring streams: (0) 1920x1080-BGR888
Capture 10 frames
586192.110806 (0.00 fps) stream0 seq: 000000 bytesused: 6220800
586192.149556 (25.81 fps) stream0 seq: 000001 bytesused: 6220800
586192.186044 (27.41 fps) stream0 seq: 000002 bytesused: 6220800
586192.222157 (27.69 fps) stream0 seq: 000003 bytesused: 6220800
586192.270507 (20.68 fps) stream0 seq: 000004 bytesused: 6220800
586192.312244 (23.96 fps) stream0 seq: 000005 bytesused: 6220800
586192.355167 (23.30 fps) stream0 seq: 000006 bytesused: 6220800
586192.394722 (25.28 fps) stream0 seq: 000007 bytesused: 6220800
586192.436829 (23.75 fps) stream0 seq: 000008 bytesused: 6220800
586192.475741 (25.70 fps) stream0 seq: 000009 bytesused: 6220800
==188975==
==188975== HEAP SUMMARY:
==188975== in use at exit: 0 bytes in 0 blocks
==188975== total heap usage: 9,001 allocs, 9,001 frees, 2,137,733 bytes allocated
==188975==
==188975== All heap blocks were freed -- no leaks are possible
==188975==
==188975== For lists of detected and suppressed errors, rerun with: -s
==188975== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

kbingham pushed a commit that referenced this issue Apr 17, 2021
Enabling the gcc undefined behaviour sanitizer (with the meson configure
-Db_sanitize=undefined option) causes many tests to fail, with errors
such as the following (for test/object-invoke):

------------------------------------------------------------------------
../../include/libcamera/bound_method.h:198:27: runtime error: member access within address 0x55fcd7bfbd38 which does not point to an object of type 'BoundMethodBase'
0x55fcd7bfbd38: note: object has invalid vptr
 fc 55 00 00  2a 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  31 00 00 00 00 00 00 00  4b c6 72 88
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
../../include/libcamera/bound_method.h:198:41: runtime error: member call on null pointer of type 'struct InvokedObject'
../../include/libcamera/bound_method.h:198:41: runtime error: member access within null pointer of type 'struct InvokedObject'
Segmentation fault
------------------------------------------------------------------------

or

------------------------------------------------------------------------
../../include/libcamera/bound_method.h:198:27: runtime error: member access within address 0x603000006628 which does not point to an object of type 'BoundMethodBase'
0x603000006628: note: object has invalid vptr
 70 55 00 00  2a 00 00 00 be be be be  03 02 00 00 18 00 00 00  01 00 00 60 00 00 00 00  05 00 80 07
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
=================================================================
==941==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000006630 at pc 0x55704e461371 bp 0x7fff539b9040 sp 0x7fff539b9030
READ of size 8 at 0x603000006630 thread T0
    #0 0x55704e461370 in libcamera::BoundMethodMember<InvokedObject, void, int>::invoke(int) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x47370)
    #1 0x55704e4622ca in void libcamera::BoundMethodArgs<void, int>::invokePack<0ul>(libcamera::BoundMethodPackBase*, std::integer_sequence<unsigned long, 0ul>) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x482ca)
    #2 0x55704e460a93 in libcamera::BoundMethodArgs<void, int>::invokePack(libcamera::BoundMethodPackBase*) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x46a93)
    #3 0x7fdc38a5fec4 in libcamera::InvokeMessage::invoke() ../../src/libcamera/message.cpp:154
    #4 0x7fdc38a62faf in libcamera::Object::message(libcamera::Message*) ../../src/libcamera/object.cpp:183
    #5 0x7fdc38ad3742 in libcamera::Thread::dispatchMessages(libcamera::Message::Type) ../../src/libcamera/thread.cpp:575
    #6 0x7fdc38972d8d in libcamera::EventDispatcherPoll::processEvents() ../../src/libcamera/event_dispatcher_poll.cpp:148
    #7 0x55704e44bc15 in ObjectInvokeTest::run() (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x31c15)
    #8 0x55704e4630ab in Test::execute() ../../test/libtest/test.cpp:28
    #9 0x55704e44965b in main ../../test/object-invoke.cpp:204
    #10 0x7fdc36090eba in __libc_start_main ../csu/libc-start.c:314
    #11 0x55704e449359 in _start (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x2f359)

0x603000006630 is located 0 bytes to the right of 32-byte region [0x603000006610,0x603000006630)
allocated by thread T0 here:
    #0 0x7fdc3ad757c7 in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-11.0.1_pre9999/work/gcc-11.0.1_pre9999/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x55704e45afea in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<libcamera::BoundMethodPack<void, int>, std::allocator<libcamera::BoundMethodPack<void, int> >, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x40fea)
    #2 0x55704e45a45d in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<libcamera::BoundMethodPack<void, int>, std::allocator<libcamera::BoundMethodPack<void, int> >, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<libcamera::BoundMethodPack<void, int>, std::allocator<libcamera::BoundMethodPack<void, int> >, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x4045d)
    #3 0x55704e458339 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<libcamera::BoundMethodPack<void, int>, std::allocator<libcamera::BoundMethodPack<void, int> >, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<libcamera::BoundMethodPack<void, int>, std::allocator<libcamera::BoundMethodPack<void, int> >, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<libcamera::BoundMethodPack<void, int>, std::allocator<libcamera::BoundMethodPack<void, int> >, (__gnu_cxx::_Lock_policy)2> >&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3e339)
    #4 0x55704e4574ad in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<libcamera::BoundMethodPack<void, int>, std::allocator<libcamera::BoundMethodPack<void, int> >, int&>(libcamera::BoundMethodPack<void, int>*&, std::_Sp_alloc_shared_tag<std::allocator<libcamera::BoundMethodPack<void, int> > >, int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3d4ad)
    #5 0x55704e4569c7 in std::__shared_ptr<libcamera::BoundMethodPack<void, int>, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<libcamera::BoundMethodPack<void, int> >, int&>(std::_Sp_alloc_shared_tag<std::allocator<libcamera::BoundMethodPack<void, int> > >, int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3c9c7)
    #6 0x55704e455f9d in std::shared_ptr<libcamera::BoundMethodPack<void, int> >::shared_ptr<std::allocator<libcamera::BoundMethodPack<void, int> >, int&>(std::_Sp_alloc_shared_tag<std::allocator<libcamera::BoundMethodPack<void, int> > >, int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3bf9d)
    #7 0x55704e454eb5 in std::shared_ptr<libcamera::BoundMethodPack<void, int> > std::allocate_shared<libcamera::BoundMethodPack<void, int>, std::allocator<libcamera::BoundMethodPack<void, int> >, int&>(std::allocator<libcamera::BoundMethodPack<void, int> > const&, int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3aeb5)
    #8 0x55704e454220 in std::shared_ptr<libcamera::BoundMethodPack<void, int> > std::make_shared<libcamera::BoundMethodPack<void, int>, int&>(int&) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x3a220)
    #9 0x55704e450e60 in libcamera::BoundMethodMember<InvokedObject, void, int>::activate(int, bool) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x36e60)
    #10 0x55704e44efb2 in void libcamera::Object::invokeMethod<InvokedObject, void, int, int, (void*)0>(void (InvokedObject::*)(int), libcamera::ConnectionType, int) (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x34fb2)
    #11 0x55704e44b7cc in ObjectInvokeTest::run() (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x317cc)
    #12 0x55704e4630ab in Test::execute() ../../test/libtest/test.cpp:28
    #13 0x55704e44965b in main ../../test/object-invoke.cpp:204
    #14 0x7fdc36090eba in __libc_start_main ../csu/libc-start.c:314

SUMMARY: AddressSanitizer: heap-buffer-overflow (libcamera/build/x86-gcc-11.0.1/test/object-invoke+0x47370) in libcamera::BoundMethodMember<InvokedObject, void, int>::invoke(int)
Shadow bytes around the buggy address:
  0x0c067fff8c70: 00 fa fa fa 00 00 06 fa fa fa fd fd fd fd fa fa
  0x0c067fff8c80: 00 00 06 fa fa fa 00 00 03 fa fa fa 00 00 00 05
  0x0c067fff8c90: fa fa 00 00 04 fa fa fa 00 00 00 00 fa fa fd fd
  0x0c067fff8ca0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8cb0: fd fd fd fd fa fa 00 00 00 00 fa fa 00 00 00 00
=>0x0c067fff8cc0: fa fa 00 00 00 00[fa]fa fd fd fd fa fa fa fa fa
  0x0c067fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==941==ABORTING
------------------------------------------------------------------------

The root cause isn't clear, but this change fixes the issue. It may be a
bug in gcc.

Signed-off-by: Laurent Pinchart <[email protected]>
Acked-by: Kieran Bingham <[email protected]>