From: Alex Rousskov
Date: Sun, 9 Oct 2016 14:30:11 +0000 (+1300)
Subject: Hide OpenSSL tricks from Valgrind far-reaching initialization errors.
X-Git-Tag: SQUID_3_5_22~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56b8555facad21b086dfd9eeb7166f1b6a070fd6;p=thirdparty%2Fsquid.git

Hide OpenSSL tricks from Valgrind far-reaching initialization errors.

This change has no effect unless ./configured --with-valgrind-debug.

OpenSSL, including its Assembly code, contains many optimizations and timing defenses that Valgrind misinterprets as uninitialized value usage. Most of those tricks can be disabled by #defining PURIFY when building OpenSSL, but some are not protected with PURIFY and most OpenSSL libraries are (and should be) built without that #define.

To make matters worse, once Valgrind misdetects uninitialized memory, it will complain about every usage of that memory. Those complaints create a lot of noise, complicate triage, and effectively mask true bugs. AFAICT, they cannot be suppressed by listing the source of that memory.

For example, this OpenSSL Assembly trick:

    Uninitialised value was created by a stack allocation
       at 0x556C2F7: aesni_cbc_encrypt (aesni-x86_64.s:2081)

Triggers many false errors like this one:

    Conditional jump or move depends on uninitialised value(s)
       by 0x750838: Debug::Finish()
       by 0x942E68: Http::One::ResponseParser::parse(SBuf const&)
       ...

This change marks OpenSSL-returned decrypted bytes as initialized. This might miss some true OpenSSL bugs, but we should focus on Squid bugs.
---
diff --git a/src/ssl/support.cc b/src/ssl/support.cc index 5e334473b2..cc2cbc0472 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -1350,7 +1350,6 @@ int ssl_read_method(int fd, char *buf, int len) { SSL *ssl = fd_table[fd].ssl; - int i; #if DONT_DO_THIS 
@@ -1361,7 +1360,10 @@ ssl_read_method(int fd, char *buf, int len) #endif - i = SSL_read(ssl, buf, len); + int i = SSL_read(ssl, buf, len); + if (i > 0) { + (void)VALGRIND_MAKE_MEM_DEFINED(buf, i); + } if (i > 0 && SSL_pending(ssl) > 0) { debugs(83, 2, "SSL FD " << fd << " is pending");
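
Review bot: In the second hunk of ssl_read_method(), the added `(void)VALGRIND_MAKE_MEM_DEFINED(buf, i);` is unconditional in the visible lines and the diff adds no #include or #if guard for it, so a build without --with-valgrind-debug relies on a no-op definition of that macro that this patch does not show; please confirm the header supplying it is already pulled in by src/ssl/support.cc. The call also needs a short source comment saying why the bytes are marked defined (Valgrind false positives from OpenSSL, per the commit message), because it equally hides any genuinely uninitialised bytes SSL_read() might return and a later reader cannot tell from the code that this was a deliberate trade-off. As a style point, the new `if (i > 0)` sits directly above the existing `if (i > 0 && SSL_pending(ssl) > 0)`; nesting the SSL_pending() check inside a single `if (i > 0)` block would avoid testing the same condition twice.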