FTBFS against glibc 2.37

Bug #2004264 reported by Simon Chopin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
GLibC | Fix Released | Medium | |
libunistring (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Hi,

During a mass rebuild of Lunar, the package libunistring failed to build against a snapshot of the upcoming glibc 2.37, while building fine using 2.36 as present in the archive.

https://people.canonical.com/~ginggs/ftbfs-report/test-rebuild-20221215-lunar-glibc-2.37-lunar.html
https://launchpadlibrarian.net/644139079/buildlog_ubuntu-lunar-amd64.libunistring_1.0-2_BUILDING.txt.gz

I was able to reproduce this when building against my latest snapshot (done this morning), published in this PPA:

https://launchpad.net/~schopin/+archive/ubuntu/glibc-2.37-snapshot/+packages

The failing tests appear to be test-strncat and test-u8-strncat.

Revision history for this message
In , Simon Chopin (schopin) wrote :

I did some tests on master (2f39e44a84) for the upcoming 2.37 release, and I found a regression in libunistring test suite on amd64 with AVX-2 instructions, more specifically on gnulib's test-strncat. It can be reproduced using these instructions:

https://sourceware.org/glibc/wiki/Testing/Gnulib

I bisected the issue to
commit 642933158e7cf072d873231b1a9bb03291f2b989
Author: Noah Goldstein <email address hidden>
Date: Tue Nov 8 17:38:39 2022 -0800

    x86: Optimize and shrink st{r|p}{n}{cat|cpy}-avx2 functions

    Optimizations are:
        1. Use more overlapping stores to avoid branches.
        2. Reduce how unrolled the aligning copies are (this is more of a
           code-size save, its a negative for some sizes in terms of
           perf).
        3. For st{r|p}n{cat|cpy} re-order the branches to minimize the
           number that are taken.

I get the following backtrace:

#0 __strncat_avx2 () at ../sysdeps/x86_64/multiarch/strncat-avx2.S:76
#1 0x00005555555555d7 in strncat (__len=0, __src=0x7ffff7de4000 "", __dest=0x55555555c2a1 "") at /tmp/glibc-dev/include/bits/string_fortified.h:138
#2 check_single (input=input@entry=0x7ffff7de4000 "", n=n@entry=0, length=90) at unistr/test-strncat.h:41
#3 0x0000555555555352 in check (input=0x555555559100 <input> "Grüß Gott. Здравствуйте! x=(-b±sqrt(b²-4ac))/(2a) 日本語,中文,한글", input_length=91)
    at unistr/test-strncat.h:86
#4 main () at test-strncat.c:58

I'm out of my depth in the assembler code.

affects: libunistring → glibc
Revision history for this message
Simon Chopin (schopin) wrote :

The failure is in a gnulib test. I've bisected it to the following glibc upstream commit:

https://sourceware.org/git/?p=glibc.git;a=commit;h=642933158e7cf072d873231b1a9bb03291f2b989

The issue has been reported upstream.

Revision history for this message
In , Goldstein-w-n (goldstein-w-n) wrote :

(In reply to Simon Chopin from comment #0)
> I did some tests on master (2f39e44a84) for the upcoming 2.37 release, and I
> found a regression in libunistring test suite on amd64 with AVX-2
> instructions, more specifically on gnulib's test-strncat. It can be
> reproduced using these instructions:
>
> https://sourceware.org/glibc/wiki/Testing/Gnulib

Those directions seem a bit outdated, any chance you can share your build steps?

>
>
> I bisected the issue to
> commit 642933158e7cf072d873231b1a9bb03291f2b989
> Author: Noah Goldstein <email address hidden>
> Date: Tue Nov 8 17:38:39 2022 -0800
>
> x86: Optimize and shrink st{r|p}{n}{cat|cpy}-avx2 functions
>
> Optimizations are:
> 1. Use more overlapping stores to avoid branches.
> 2. Reduce how unrolled the aligning copies are (this is more of a
> code-size save, its a negative for some sizes in terms of
> perf).
> 3. For st{r|p}n{cat|cpy} re-order the branches to minimize the
> number that are taken.
>
> I get the following backtrace:
>
> #0 __strncat_avx2 () at ../sysdeps/x86_64/multiarch/strncat-avx2.S:76
> #1 0x00005555555555d7 in strncat (__len=0, __src=0x7ffff7de4000 "",
> __dest=0x55555555c2a1 "") at
> /tmp/glibc-dev/include/bits/string_fortified.h:138
> #2 check_single (input=input@entry=0x7ffff7de4000 "", n=n@entry=0,
> length=90) at unistr/test-strncat.h:41
> #3 0x0000555555555352 in check (input=0x555555559100 <input> "Grüß Gott.
> Здравствуйте! x=(-b±sqrt(b²-4ac))/(2a) 日本語,中文,한글", input_length=91)
> at unistr/test-strncat.h:86
> #4 main () at test-strncat.c:58
>
> I'm out of my depth in the assembler code.

So far unable to reproduce, haven't been able to build gnulib against installed GLIBC, but pulled out the u8/u32 strncat and tested them both.

As well have done exhaustive strncat/wcsncpy at the end of page (exhaustive for len {0..128} with all alignments {4096-128...4095} for s1/s2). So far unable to reproduce. Maybe the issue is uninitialized register.

Revision history for this message
In , Goldstein-w-n (goldstein-w-n) wrote :

(In reply to Simon Chopin from comment #0)
> I did some tests on master (2f39e44a84) for the upcoming 2.37 release, and I
> found a regression in libunistring test suite on amd64 with AVX-2
> instructions, more specifically on gnulib's test-strncat. It can be
> reproduced using these instructions:
>
> https://sourceware.org/glibc/wiki/Testing/Gnulib
>
>
> I bisected the issue to
> commit 642933158e7cf072d873231b1a9bb03291f2b989
> Author: Noah Goldstein <email address hidden>
> Date: Tue Nov 8 17:38:39 2022 -0800
>
> x86: Optimize and shrink st{r|p}{n}{cat|cpy}-avx2 functions
>
> Optimizations are:
> 1. Use more overlapping stores to avoid branches.
> 2. Reduce how unrolled the aligning copies are (this is more of a
> code-size save, its a negative for some sizes in terms of
> perf).
> 3. For st{r|p}n{cat|cpy} re-order the branches to minimize the
> number that are taken.
>
> I get the following backtrace:
>
> #0 __strncat_avx2 () at ../sysdeps/x86_64/multiarch/strncat-avx2.S:76

Do you know what instruction it's segfaulting at?

> #1 0x00005555555555d7 in strncat (__len=0, __src=0x7ffff7de4000 "",
> __dest=0x55555555c2a1 "") at
> /tmp/glibc-dev/include/bits/string_fortified.h:138
> #2 check_single (input=input@entry=0x7ffff7de4000 "", n=n@entry=0,
> length=90) at unistr/test-strncat.h:41
> #3 0x0000555555555352 in check (input=0x555555559100 <input> "Grüß Gott.
> Здравствуйте! x=(-b±sqrt(b²-4ac))/(2a) 日本語,中文,한글", input_length=91)
> at unistr/test-strncat.h:86
> #4 main () at test-strncat.c:58
>
> I'm out of my depth in the assembler code.

Revision history for this message
In , Goldstein-w-n (goldstein-w-n) wrote :

(In reply to Noah Goldstein from comment #2)
> (In reply to Simon Chopin from comment #0)
> > I did some tests on master (2f39e44a84) for the upcoming 2.37 release, and I
> > found a regression in libunistring test suite on amd64 with AVX-2
> > instructions, more specifically on gnulib's test-strncat. It can be
> > reproduced using these instructions:
> >
> > https://sourceware.org/glibc/wiki/Testing/Gnulib
> >
> >
> > I bisected the issue to
> > commit 642933158e7cf072d873231b1a9bb03291f2b989
> > Author: Noah Goldstein <email address hidden>
> > Date: Tue Nov 8 17:38:39 2022 -0800
> >
> > x86: Optimize and shrink st{r|p}{n}{cat|cpy}-avx2 functions
> >
> > Optimizations are:
> > 1. Use more overlapping stores to avoid branches.
> > 2. Reduce how unrolled the aligning copies are (this is more of a
> > code-size save, its a negative for some sizes in terms of
> > perf).
> > 3. For st{r|p}n{cat|cpy} re-order the branches to minimize the
> > number that are taken.
> >
> > I get the following backtrace:
> >
> > #0 __strncat_avx2 () at ../sysdeps/x86_64/multiarch/strncat-avx2.S:76
>
> Do you know what instruction it's segfaulting at?
> > #1 0x00005555555555d7 in strncat (__len=0, __src=0x7ffff7de4000 "",
> > __dest=0x55555555c2a1 "") at
> > /tmp/glibc-dev/include/bits/string_fortified.h:138
> > #2 check_single (input=input@entry=0x7ffff7de4000 "", n=n@entry=0,
> > length=90) at unistr/test-strncat.h:41
> > #3 0x0000555555555352 in check (input=0x555555559100 <input> "Grüß Gott.
> > Здравствуйте! x=(-b±sqrt(b²-4ac))/(2a) 日本語,中文,한글", input_length=91)
> > at unistr/test-strncat.h:86
> > #4 main () at test-strncat.c:58
> >
> > I'm out of my depth in the assembler code.

Reproduced. Changed the `malloc` to mmap and put it at the end of the code.

Issue is:
```
 test %rdx, %rdx
 jl L(zero_len)
```

Needs to be `jle` (was `decq` at some point, when changed didn't update flag).
I think the test is actually UB b.c `dst` is not a valid null-terminated string (even though zero length), but will fix.

Revision history for this message
In , Goldstein-w-n (goldstein-w-n) wrote :

(In reply to Noah Goldstein from comment #3)
> (In reply to Noah Goldstein from comment #2)
> > (In reply to Simon Chopin from comment #0)
> > > I did some tests on master (2f39e44a84) for the upcoming 2.37 release, and I
> > > found a regression in libunistring test suite on amd64 with AVX-2
> > > instructions, more specifically on gnulib's test-strncat. It can be
> > > reproduced using these instructions:
> > >
> > > https://sourceware.org/glibc/wiki/Testing/Gnulib
> > >
> > >
> > > I bisected the issue to
> > > commit 642933158e7cf072d873231b1a9bb03291f2b989
> > > Author: Noah Goldstein <email address hidden>
> > > Date: Tue Nov 8 17:38:39 2022 -0800
> > >
> > > x86: Optimize and shrink st{r|p}{n}{cat|cpy}-avx2 functions
> > >
> > > Optimizations are:
> > > 1. Use more overlapping stores to avoid branches.
> > > 2. Reduce how unrolled the aligning copies are (this is more of a
> > > code-size save, its a negative for some sizes in terms of
> > > perf).
> > > 3. For st{r|p}n{cat|cpy} re-order the branches to minimize the
> > > number that are taken.
> > >
> > > I get the following backtrace:
> > >
> > > #0 __strncat_avx2 () at ../sysdeps/x86_64/multiarch/strncat-avx2.S:76
> >
> > Do you know what instruction it's segfaulting at?
> > > #1 0x00005555555555d7 in strncat (__len=0, __src=0x7ffff7de4000 "",
> > > __dest=0x55555555c2a1 "") at
> > > /tmp/glibc-dev/include/bits/string_fortified.h:138
> > > #2 check_single (input=input@entry=0x7ffff7de4000 "", n=n@entry=0,
> > > length=90) at unistr/test-strncat.h:41
> > > #3 0x0000555555555352 in check (input=0x555555559100 <input> "Grüß Gott.
> > > Здравствуйте! x=(-b±sqrt(b²-4ac))/(2a) 日本語,中文,한글", input_length=91)
> > > at unistr/test-strncat.h:86
> > > #4 main () at test-strncat.c:58
> > >
> > > I'm out of my depth in the assembler code.
>
> Reproduced. Changed the `malloc` to mmap and put it at the end of the code.
>
> Issue is:
> ```
> test %rdx, %rdx
> jl L(zero_len)
> ```
>
> Needs to be `jle` (was `decq` at some point, when changed didn't update
> flag).
> I think the test is actually UB b.c `dst` is not a valid null-terminated
> string (even though zero length), but will fix.
`src` is not a valid null-terminated string*

Revision history for this message
In , Andreas Schwab (schwab-linux-m68k) wrote :

The second argument of strncat is not required to be a string, and the function shall not access more bytes than indicated by the third argument.

Revision history for this message
In , Goldstein-w-n (goldstein-w-n) wrote :

(In reply to Andreas Schwab from comment #5)
> The second argument of strncat is not required to be a string, and the
> function shall not access more bytes than indicated by the third argument.

You're right, re-read man page. Have fix coming up shortly + test.

Revision history for this message
In , Goldstein-w-n (goldstein-w-n) wrote :

Bugfix patch posted.

Revision history for this message
In , Carlos-0 (carlos-0) wrote :

Marking this as fixed for 2.37.

Revision history for this message
Simon Chopin (schopin) wrote :

The issue has been fixed upstream just before the final 2.37 release, thus closing this.

Changed in libunistring (Ubuntu):
status: New → Fix Released
Changed in glibc:
importance: Unknown → Medium
status: Unknown → Fix Released