From: John R. <jr...@bi...> - 2016-11-04 00:46:14

>     int a; /* invalid value */
>     int b;
>     if (a > 0) /* conditional on invalid value */
>         b = a;
>     else
>         b = 0;
>
> ...memcheck produces a warning on the conditional branch. But if you look
> at what this code actually computes, it is just "b = max(a,0)", which is
> not so different from "b = a + 1". (That is, b is just some simple
> function of a.) I want to teach memcheck to treat this second example
> like the first; that is, just taint b as invalid if a is invalid.

Teaching VEX about the x86 opcode CMOVG (conditional move if Greater) might
not be so difficult. Teaching VEX about branch-and-reconverge control flow
involving multiple instructions probably is harder.

> Another example:
>
>     extern unsigned char lookup[256]; // assume this is initialized
>
>     unsigned char x;
>     unsigned char y = lookup[x];
>
> Here, I have some 8-bit function implemented using a lookup table. Again,
> memcheck issues a diagnostic for using x as part of computing an address.
> But I want to think of y as a simple function of x, and tell memcheck to
> just let y inherit x's invalidity.

The key here is range analysis on the subscripting operation "lookup[x]".
If the bounds on 'x' propagate, and if 'lookup' has effective bounds, then
probably it is not so hard.

--
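The distinction the two messages above turn on is between operations where a definedness tracker checks eagerly (a conditional branch, an address computation) and operations where it propagates lazily (arithmetic, and the select/ITE shape that CMOVG compiles to). The following is an added illustration written for this page, not Memcheck's or VEX's code: a toy shadow-bit ("V-bit") model for 8-bit values that applies those two kinds of rule to the exact patterns in the thread. The type `sv8`, the helpers `sv_add`, `sv_gt`, `sv_select`, `sv_branch`, `sv_load`, `sv_lookup_lazy`, the demo functions, and the table contents are all constructed here; the model collapses shadow bits to all-or-nothing ("PCast") and only counts reports.

```c
#include <stdint.h>
#include <stdio.h>

/* One 8-bit value plus its shadow.  Memcheck convention: a set shadow
 * ("V") bit marks the corresponding value bit as undefined.  This model
 * is a simplification written for illustration, not Memcheck's code. */
typedef struct {
    int8_t  val;
    uint8_t vbits;
} sv8;

static int reports;  /* count of "use of uninitialised value" reports */

static sv8 sv_def(int8_t v) { sv8 s = { v, 0x00 }; return s; }
static sv8 sv_undef(void)   { sv8 s = { 0, 0xFF }; return s; }

/* PCast: one undefined input bit makes the whole output undefined. */
static uint8_t pcast(uint8_t vbits) { return vbits ? 0xFF : 0x00; }

/* Lazy rules: data operations never report; they propagate the shadow. */
static sv8 sv_add(sv8 a, sv8 b) {
    sv8 r = { (int8_t)(a.val + b.val), pcast(a.vbits | b.vbits) };
    return r;
}
static sv8 sv_gt(sv8 a, sv8 b) {            /* a > b, as a 0/1 value */
    sv8 r = { (int8_t)(a.val > b.val), pcast(a.vbits | b.vbits) };
    return r;
}
/* Select (the ITE / CMOV shape): steer the shadow like the value, then
 * trash the result if the condition itself is undefined.  No report. */
static sv8 sv_select(sv8 cond, sv8 t, sv8 f) {
    sv8 r;
    r.val   = cond.val ? t.val : f.val;
    r.vbits = (uint8_t)((cond.val ? t.vbits : f.vbits) | pcast(cond.vbits));
    return r;
}

/* Eager rules: a branch on, or an address derived from, an undefined value
 * is reported immediately; execution then continues on the concrete value. */
static int sv_branch(sv8 cond, const char *where) {
    if (cond.vbits) {
        reports++;
        fprintf(stderr, "Conditional jump depends on uninitialised value(s) [%s]\n", where);
    }
    return cond.val != 0;
}
static sv8 sv_load(const uint8_t *table, sv8 idx, const char *where) {
    if (idx.vbits) {
        reports++;
        fprintf(stderr, "Use of uninitialised value as address [%s]\n", where);
    }
    return sv_def((int8_t)table[(uint8_t)idx.val]);
}
/* The alternative proposed in the thread: treat lookup[x] as a pure function
 * of x and let the result inherit x's shadow instead of reporting.  Only
 * sound if the table is fully initialised and x cannot index outside it. */
static sv8 sv_lookup_lazy(const uint8_t *table, sv8 idx) {
    sv8 r = { (int8_t)table[(uint8_t)idx.val], pcast(idx.vbits) };
    return r;
}

/* b = max(a, 0) with a branch-and-reconverge.  Returns reports raised. */
static int max0_branch(sv8 a, sv8 *b) {
    int before = reports;
    if (sv_branch(sv_gt(a, sv_def(0)), "if (a > 0)")) *b = a;
    else                                              *b = sv_def(0);
    return reports - before;
}
/* The same function as a single select (what CMOVG would give). */
static int max0_select(sv8 a, sv8 *b) {
    int before = reports;
    *b = sv_select(sv_gt(a, sv_def(0)), a, sv_def(0));
    return reports - before;
}
/* b = a + 1: pure data flow. */
static int plus1(sv8 a, sv8 *b) {
    int before = reports;
    *b = sv_add(a, sv_def(1));
    return reports - before;
}
/* y = lookup[x], both as reported today (eager) and as proposed (lazy). */
static int table_lookup(const uint8_t *table, sv8 x, sv8 *y_eager, sv8 *y_lazy) {
    int before = reports;
    *y_eager = sv_load(table, x, "lookup[x]");
    *y_lazy  = sv_lookup_lazy(table, x);
    return reports - before;
}

static uint8_t demo_table[256];               /* constructed, fully initialised */
static void init_demo_table(void) {
    for (int i = 0; i < 256; i++) demo_table[i] = (uint8_t)(i * 7 + 3);
}

int main(void) {
    sv8 a = sv_undef(), b, ye, yl;
    int n;
    init_demo_table();
    n = max0_branch(a, &b); printf("max0 via branch : reports=%d b.vbits=0x%02x\n", n, b.vbits);
    n = max0_select(a, &b); printf("max0 via select : reports=%d b.vbits=0x%02x\n", n, b.vbits);
    n = plus1(a, &b);       printf("a + 1           : reports=%d b.vbits=0x%02x\n", n, b.vbits);
    n = table_lookup(demo_table, a, &ye, &yl);
    printf("lookup[x]       : reports=%d eager.vbits=0x%02x lazy.vbits=0x%02x\n", n, ye.vbits, yl.vbits);
    return 0;
}
```

Two things the model makes visible that the prose does not. First, after the eager branch report, `b` comes out fully defined (the tracker has no other way to describe a value chosen by a branch it already complained about), so that single report is the only signal the user ever gets; the select and `a + 1` forms raise nothing here and instead carry the undefinedness forward to whatever branch or address eventually consumes `b`, which is a later and often less precise report. Second, the lazy lookup rule is only as good as the precondition John R. names: `demo_table` is fully initialised and the index is masked to 0..255, so the table read itself cannot touch undefined or out-of-bounds memory. Without that range argument, deferring the report would silently turn an address error into a data-flow one.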