This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind

From: Yury Gribov <tetra2005 dot patches at gmail dot com>
To: "H.J. Lu" <hjl dot tools at gmail dot com>
Cc: Jeff Law <law at redhat dot com>, Jakub Jelinek <jakub at redhat dot com>, Yuri Gribov <tetra2005 at gmail dot com>, GCC Patches <gcc-patches at gcc dot gnu dot org>, Ian Lance Taylor <ian at airs dot com>, Andrew Pinski <pinskia at gmail dot com>
Date: Thu, 3 Aug 2017 16:07:46 +0100
Subject: Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
Authentication-results: sourceware.org; auth=none
References: <CAJOtW+4_FR+1zBiTvL_EBN7NGj-S9=7cR5Qsm560P7XsyLfFzA@mail.gmail.com> <96fda4ab-0c92-96ea-1993-5c235b1a8b03@redhat.com> <20170802184706.GO2123@tucnak> <0145b4fc-c15e-be6d-164d-d3a284e82079@redhat.com> <504e9af1-e4d6-91d6-3fc9-888e6da01e4e@gmail.com> <CAMe9rOqm1aeZ2dr9wSZAKkFjHPW888SOt0tUPLcWg3GHB-BY9A@mail.gmail.com> <f52270ec-2ce1-fa94-2229-7d409bd388a9@gmail.com> <CAMe9rOr1jKtRKqCKccoj+SPyrceL1YiJyAw9+0yU1evQLMCPWg@mail.gmail.com> <1519cce3-048c-3ca2-89d3-5486592c08df@gmail.com> <CAMe9rOr7k0j4CCGGCrmxbsbxvM3Bw1htpV4oo-WXHy2d8VkK=w@mail.gmail.com> <CAKuS3cujNgeQRG8Ai7gBOBGDER=4t1iBt3C87V6CixROcYhh1Q@mail.gmail.com> <CAMe9rOrQE+6Wa+zD_wo0-foLQKggKmerqJx6+wUoc33XdVNSkw@mail.gmail.com> <CAKuS3cuwvEHeKzPcmWzVNUhNYmuc9O1wsnnwdi2Z_vGYs_BYtQ@mail.gmail.com> <CAMe9rOrJgB9O+A+mONFcVERzqc854W5cMp5dgpwSTRG47BUfkQ@mail.gmail.com>

On Thu, Aug 3, 2017 at 3:55 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Thu, Aug 3, 2017 at 7:17 AM, Yury Gribov <tetra2005.patches@gmail.com> wrote:
>> On Thu, Aug 3, 2017 at 2:01 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>> On Thu, Aug 3, 2017 at 5:52 AM, Yury Gribov <tetra2005.patches@gmail.com> wrote:
>>>> On Thu, Aug 3, 2017 at 1:22 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
>>>>> On Wed, Aug 2, 2017 at 9:29 PM, Yury Gribov <tetra2005.patches@gmail.com> wrote:
>>>>>> On 02.08.2017 23:04, H.J. Lu wrote:
>>>>>>>
>>>>>>> On Wed, Aug 2, 2017 at 1:56 PM, Yury Gribov <tetra2005.patches@gmail.com>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>> On 02.08.2017 21:48, H.J. Lu wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Aug 2, 2017 at 1:39 PM, Yury Gribov
>>>>>>>>> <tetra2005.patches@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 02.08.2017 20:02, Jeff Law wrote:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 08/02/2017 12:47 PM, Jakub Jelinek wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Aug 02, 2017 at 12:38:13PM -0600, Jeff Law wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/17/2017 01:23 AM, Yuri Gribov wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've rebased the previous patch to trunk per Andrew's suggestion.
>>>>>>>>>>>>>> Original patch description/motivation/questions are in
>>>>>>>>>>>>>> https://gcc.gnu.org/ml/gcc-patches/2017-06/msg01869.html
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is his stuff used for exception handling?  If so, doesn't that make
>>>>>>>>>>>>> the
>>>>>>>>>>>>> performance a significant concern (ie that msync call?)
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> For the performance issue, I wonder if it wouldn't be better to just
>>>>>>>>>>>> compile the unwinder twice, basically include everything needed for
>>>>>>>>>>>> the
>>>>>>>>>>>> verification backtrace in a single *.c file with special defines, and
>>>>>>>>>>>> not export anything from that *.o file except the single entrypoint.
>>>>>>>>>>>> That would also handle the ABI problems.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Yea.
>>>>>>>>>>>
>>>>>>>>>>> Given that the vast majority of the time the addresses are valid, I
>>>>>>>>>>> wonder if we could take advantage of that property to keep the
>>>>>>>>>>> overhead
>>>>>>>>>>> lower in the most common cases.
>>>>>>>>>>>
>>>>>>>>>>>> For the concurrent calls of other threads unmapping stacks of running
>>>>>>>>>>>> threads (that is where most of the verification goes against), I'm
>>>>>>>>>>>> afraid
>>>>>>>>>>>> that is simply non-solveable, even if you don't cache anything, it
>>>>>>>>>>>> will
>>>>>>>>>>>> still be racy.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Absolutely -- I think solving this stuff 100% reliably without races
>>>>>>>>>>> isn't possible.  I think the question is can we make this
>>>>>>>>>>> significantly
>>>>>>>>>>> better.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> All,
>>>>>>>>>>
>>>>>>>>>> First of all, thanks for the feedback.  This is indeed not a 100%
>>>>>>>>>> robust
>>>>>>>>>> solution, just something to allow tools like Asan to produce more sane
>>>>>>>>>> backtraces on crash (currently when stack is corrupted they would crash
>>>>>>>>>> in
>>>>>>>>>> the unwinder without printing at least partial backtrace).
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> FWIW, glibc 2.26 is changed to abort as soon as possible when stack is
>>>>>>>>> corrupted:
>>>>>>>>>
>>>>>>>>> https://sourceware.org/bugzilla/show_bug.cgi?id=21752
>>>>>>>>> https://sourceware.org/bugzilla/show_bug.cgi?id=12189
>>>>>>>>>
>>>>>>>>> There is very little point to unwind stack when stack is corrupted.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I'd argue that situation with __stack_chk_fail is very special.  It's
>>>>>>>> used
>>>>>>>> in production code where you'd want to halt as soon as corruption is
>>>>>>>> detected to prevent further damage so even printing message is an
>>>>>>>> additional
>>>>>>>> risk.  Debugging tools (e.g. sanitizers) are different and would prefer
>>>>>>>> to
>>>>>>>> print as many survived frames as possible.
>>>>>>>>
>>>>>>>
>>>>>>> But stack unwinder in libgcc is primarily for production use, not for
>>>>>>> debugging.
>>>>>>
>>>>>>
>>>>>> I can see it used in different projects to print backtraces on error (bind9,
>>>>>> SimGrid, sanitizers).  backtrace(3) also sits on top of libgcc unwinder and
>>>>>> seems to be meant primarily for debugging (at least many projects use it for
>>>>>> this purpose:
>>>>>> https://codesearch.debian.net/search?q=backtrace_symbols&perpkg=1). Same for
>>>>>> libbacktrace which, as its README mentions, is meant to "print a detailed
>>>>>> backtrace when an error occurs or to gather detailed profiling information".
>>>>>
>>>>> But it shouldn't be performed on a corrupted stack.  When a stack is
>>>>> corrupted, there is just no way to reliably unwind it.
>>>>
>>>> Why not? Attached patch shows that it's possible (up to a point of
>>>> corruption of course).
>>>>
>>>>> It isn't a problem
>>>>> for a debugger which is designed to analyze corrupted program.
>>>>
>>>> Yes but forcing all applications that would like to print helpful
>>>> message on stack corruption to employ gdb sounds less efficient that
>>>> providing fail-safe APIs in standard library...
>>>                 ^^^^^^^^^^^  There is no such a thing of fail-safe on corrupted
>>> stack.   A bad, but valid address, can be put on corrupted stack.  When
>>> you unwind it, the unwinder may not crash, but give you bogus stack
>>> backtrace.
>>
>> Agreed but at least my users were fine with this.  Having at least
>> partial stack is very helpful when you app fails early during OS
>> startup with no chance to attach debugger.
>>
>
> Unwinder in libgcc is used for C++ exception support, which assumes
> that the unwind information is correct, including stack.  Should we
> slowdown C++ exception to check fir corrupted unwind info, which
> can't be done 100%?

We definitely don't want to slow down exceptions (I think this has
already been discussed above).  Note that Jakub provided some ideas on
how to achieve this without penalty.

Note that noone has expressed interest in this feature so I probly
won't actively work on it in near future.

-Y

Follow-Ups:
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: H.J. Lu

References:
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: Jeff Law
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: Jakub Jelinek
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: Jeff Law
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: Yury Gribov
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: H.J. Lu
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: Yury Gribov
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: H.J. Lu
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: Yury Gribov
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: H.J. Lu
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: Yury Gribov
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: H.J. Lu
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: Yury Gribov
- Re: [RFC][PR 67336][PING^6] Verify pointers during stack unwind
  - From: H.J. Lu

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]