Erik de Castro Lopo wrote:
Brad House wrote:
I assume you didn't forget to compile OpenSSL with
-DPURIFY before testing it with Valgrind, right? That
typically resolves most issues with Valgrind and false
positives. (Purify is a commercial valgrind competitor).
I am aware of the -DPURIFY compile flag, but I do not consider that
a useful solution to this problem.
I think he was asking, you did compile OpenSSL with -DPURIFY and
reverify your findings ? You may have a valid new case, but most of the
time the real source of the uninitialized data is that one line
#ifdef'ed in the OpenSSL source.
valgrind will track down to byte level granularity data which is
uninitialized, it even tracks when that uninitialized is copied to
another location and marks that new location as also containing
uninitialized data.
So the most common report from valgrind is a bogus error of the first
user of that uninitialized data it does not track the source of the
uninitialized data (which is really where you should be fixing the problem).
So the -DPURIFY kills the only known source of uninitialized data
warnings in the OpenSSL project that has been reported todate.
The problem is that the vast, **vast** majority of people who might
want to valgrind code that links to openssl do not want to compile
and install openssl from source. They just want to use the precompiled
binary and development packages released by their distribution.
I'd also like to speak up on behalf of the **vast** majority.
They don't want unnecessary zeroing of memory in frequently executed
code paths (for which the only reason is to satisfy an infrequently
executed testing environment that valgrind provides). Those wanting to
run valgrind WITH OpenSSL -DPURIFY is provided.
In addition, I'm not convinced of the quality of the -DPURIFY solution.
In the source code package for openssl-0.9.8c from Ubuntu I can only
find one usage of the PURFIFY define, this one:
>
> ...SNIPPED...
So, firstly in the source code I was hacking the code the -DPURIFY was
supposed to affect is already being disabled. Secondly, if that code
is really as un-necessary as it seems to be, why is it still in there?
If the Ubuntu is different from the official OpenSSL tree then you
really need to take this particular issue up with them.
FYI this is how things currently look today with us:
http://cvs.openssl.org/getfile/openssl/crypto/rand/md_rand.c
Darryl
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
