From: Alex Rousskov
Date: Thu, 6 Oct 2016 00:05:38 +0000 (-0600)
Subject: Hide OpenSSL tricks from Valgrind far-reaching initialization errors.
X-Git-Tag: SQUID_4_0_15~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=afc199f98b6d102670e4dae51e3fc1795f7d6edd;p=thirdparty%2Fsquid.git

Hide OpenSSL tricks from Valgrind far-reaching initialization errors.

This change has no effect unless ./configured --with-valgrind-debug.

OpenSSL, including its Assembly code, contains many optimizations and timing defenses that Valgrind misinterprets as uninitialized value usage. Most of those tricks can be disabled by #defining PURIFY when building OpenSSL, but some are not protected with PURIFY and most OpenSSL libraries are (and should be) built without that #define.

To make matters worse, once Valgrind misdetects uninitialized memory, it will complain about every usage of that memory. Those complaints create a lot of noise, complicate triage, and effectively mask true bugs. AFAICT, they cannot be suppressed by listing the source of that memory.

For example, this OpenSSL Assembly trick:

    Uninitialised value was created by a stack allocation
      at 0x556C2F7: aesni_cbc_encrypt (aesni-x86_64.s:2081)

Triggers many false errors like this one:

    Conditional jump or move depends on uninitialised value(s)
      by 0x750838: Debug::Finish()
      by 0x942E68: Http::One::ResponseParser::parse(SBuf const&)
    ...

This change marks OpenSSL-returned decrypted bytes as initialized. This might miss some true OpenSSL bugs, but we should focus on Squid bugs.
---
diff --git a/src/ssl/support.cc b/src/ssl/support.cc index 075bfd7a30..26eeb17d21 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -707,6 +707,9 @@ ssl_read_method(int fd, char *buf, int len) #endif int i = SSL_read(ssl, buf, len); + if (i > 0) { + (void)VALGRIND_MAKE_MEM_DEFINED(buf, i); + } if (i > 0 && SSL_pending(ssl) > 0) { debugs(83, 2, "SSL FD " << fd << " is pending");
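Review bot: the hunk in ssl_read_method() calls VALGRIND_MAKE_MEM_DEFINED without any visible include of the Valgrind memcheck header or any #if guard tied to --with-valgrind-debug; the commit message says the change is a no-op unless Squid is configured with Valgrind debugging, so please confirm that src/ssl/support.cc already pulls in a Squid header that defines that macro as an empty fallback in ordinary builds, otherwise every non-Valgrind build of this file will fail to compile. The bound used is correct and worth keeping as written: only the `i` bytes SSL_read() reports as written are marked defined, not the full `len`, so bytes of `buf` that OpenSSL did not touch stay tracked by Valgrind and real uninitialized reads of them in Squid code remain detectable. A minor style point: the new `if (i > 0)` sits immediately before the existing `if (i > 0 && SSL_pending(ssl) > 0)`, so the two could be folded into one `if (i > 0) { ... }` block with the SSL_pending() check nested inside, avoiding the repeated test.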