[2/2] wcsmbs: Add gconv module ref counter overflow test
Checks
| Context |
Check |
Description |
| redhat-pt-bot/TryBot-apply_patch |
success
|
Patch applied to master at the time it was sent
|
| redhat-pt-bot/TryBot-32bit |
success
|
Build for i686
|
Commit Message
Adds a new xtest, tst-wcsmbs-clone-overflow, to detect reference count
leaks in gconv modules.
The test specifically targets an issue where functions like swscanf
trigger __wcsmbs_clone_conv without a corresponding release when
processing wide character strings from stack-allocated buffers. This
results in a leaked reference count for the gconv module.
The test performs 0x80000000 iterations to ensure a 32-bit signed
integer reference counter overflows, thus reliably reproducing and
verifying the leak. It is marked as an xtest due to its long runtime.
Assisted-by: LLM
---
wcsmbs/Makefile | 3 +-
wcsmbs/tst-wcsmbs-clone-overflow.c | 50 ++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+), 1 deletion(-)
create mode 100644 wcsmbs/tst-wcsmbs-clone-overflow.c
Comments
On 29/04/26 11:59, Frédéric Bérat wrote:
> Adds a new xtest, tst-wcsmbs-clone-overflow, to detect reference count
> leaks in gconv modules.
>
> The test specifically targets an issue where functions like swscanf
> trigger __wcsmbs_clone_conv without a corresponding release when
> processing wide character strings from stack-allocated buffers. This
> results in a leaked reference count for the gconv module.
>
> The test performs 0x80000000 iterations to ensure a 32-bit signed
> integer reference counter overflows, thus reliably reproducing and
> verifying the leak. It is marked as an xtest due to its long runtime.
>
> Assisted-by: LLM
I usually see xtests are not that useful, they are not actively tested
and usually require some specific configuration to run (like some kernel
support). And requiring 3-5 minutes on a recent chip does not really
help the test-suite, which requires a lot of time already.
Maybe you can make it an unit test / internal test that calls
__vfwscanf_internal / _IO_wstrfile_fclose_stack and checks the counter
value directly.
> ---
> wcsmbs/Makefile | 3 +-
> wcsmbs/tst-wcsmbs-clone-overflow.c | 50 ++++++++++++++++++++++++++++++
> 2 files changed, 52 insertions(+), 1 deletion(-)
> create mode 100644 wcsmbs/tst-wcsmbs-clone-overflow.c
>
> diff --git a/wcsmbs/Makefile b/wcsmbs/Makefile
> index 849a47971e..e9db577220 100644
> --- a/wcsmbs/Makefile
> +++ b/wcsmbs/Makefile
> @@ -208,7 +208,7 @@ tests := \
> # tests
>
> # This test runs for a long time.
> -xtests += test-wcsncmp-nonarray
> +xtests += test-wcsncmp-nonarray tst-wcsmbs-clone-overflow
It should be
xtests += \
test-wcsncmp-nonarray \
tst-wcsmbs-clone-overflow \
# xtest
>
>
> include ../Rules
> @@ -241,6 +241,7 @@ $(objpfx)tst-c32-state.out: $(gen-locales)
> $(objpfx)test-c8rtomb.out: $(gen-locales)
> $(objpfx)test-mbrtoc8.out: $(gen-locales)
> $(objpfx)tst-wscanf-to_inpunct.out: $(gen-locales)
> +$(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales)
> endif
>
> $(objpfx)tst-wcstod-round: $(libm)
> diff --git a/wcsmbs/tst-wcsmbs-clone-overflow.c b/wcsmbs/tst-wcsmbs-clone-overflow.c
> new file mode 100644
> index 0000000000..a6f0a25685
> --- /dev/null
> +++ b/wcsmbs/tst-wcsmbs-clone-overflow.c
> @@ -0,0 +1,50 @@
> +/* Test for gconv module reference counter overflow.
> + Copyright (C) 2026 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <https://www.gnu.org/licenses/>. */
> +
> +#include <stdio.h>
> +#include <wchar.h>
> +#include <locale.h>
> +#include <support/check.h>
> +#include <support/support.h>
> +
> +static int
> +do_test (int argc, char **argv)
> +{
> + if (setlocale (LC_ALL, "de_DE.ISO-8859-1") == NULL)
> + FAIL_EXIT1 ("setlocale failed, check if de_DE.ISO-8859-1 is generated");
> +
> + /* The reproduction loop. 0x80000000 iterations are required to overflow
> + a 32-bit signed integer. This typically takes 3-5 minutes. */
> + wchar_t buf[32] = L"123";
> + int j;
> + for (long long i = 0; i < 0x80000000LL; i++)
> + {
> + /* swscanf on a stack-allocated buffer triggers __wcsmbs_clone_conv
> + without a corresponding release, leaking a reference count. */
> + if (swscanf (buf, L"%d", &j) < 1)
> + FAIL_EXIT1 ("swscanf failed at iteration %lld", i);
> + /* Prevent compiler from optimizing the loop away. */
> + __asm__ volatile ("" : : "g" (j) : "memory");
> + }
> +
> + return 0;
> +}
> +
> +/* This test is slow because it requires billions of iterations. */
> +#define TIMEOUT 600
> +#include "../test-skeleton.c"
#include <support/test-driver.c>
@@ -208,7 +208,7 @@ tests := \
# tests
# This test runs for a long time.
-xtests += test-wcsncmp-nonarray
+xtests += test-wcsncmp-nonarray tst-wcsmbs-clone-overflow
include ../Rules
@@ -241,6 +241,7 @@ $(objpfx)tst-c32-state.out: $(gen-locales)
$(objpfx)test-c8rtomb.out: $(gen-locales)
$(objpfx)test-mbrtoc8.out: $(gen-locales)
$(objpfx)tst-wscanf-to_inpunct.out: $(gen-locales)
+$(objpfx)tst-wcsmbs-clone-overflow.out: $(gen-locales)
endif
$(objpfx)tst-wcstod-round: $(libm)
new file mode 100644
@@ -0,0 +1,50 @@
+/* Test for gconv module reference counter overflow.
+ Copyright (C) 2026 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <wchar.h>
+#include <locale.h>
+#include <support/check.h>
+#include <support/support.h>
+
+static int
+do_test (int argc, char **argv)
+{
+ if (setlocale (LC_ALL, "de_DE.ISO-8859-1") == NULL)
+ FAIL_EXIT1 ("setlocale failed, check if de_DE.ISO-8859-1 is generated");
+
+ /* The reproduction loop. 0x80000000 iterations are required to overflow
+ a 32-bit signed integer. This typically takes 3-5 minutes. */
+ wchar_t buf[32] = L"123";
+ int j;
+ for (long long i = 0; i < 0x80000000LL; i++)
+ {
+ /* swscanf on a stack-allocated buffer triggers __wcsmbs_clone_conv
+ without a corresponding release, leaking a reference count. */
+ if (swscanf (buf, L"%d", &j) < 1)
+ FAIL_EXIT1 ("swscanf failed at iteration %lld", i);
+ /* Prevent compiler from optimizing the loop away. */
+ __asm__ volatile ("" : : "g" (j) : "memory");
+ }
+
+ return 0;
+}
+
+/* This test is slow because it requires billions of iterations. */
+#define TIMEOUT 600
+#include "../test-skeleton.c"