[RFC][PR 67336][PING^6] Verify pointers during stack unwind
Jeff Law
law@redhat.com
Thu Aug 3 17:20:00 GMT 2017
On 08/03/2017 11:03 AM, Florian Weimer wrote:
> * Jeff Law:
>
>>> If speed is not a concern, but reliability is, call fork (the system
>>> call, not glibc's wrapper which calls fork handlers) and do the work
>>> in a single-threaded copy of the process. There, you can set up
>>> signal handlers as you see fit, and the VM layout won't change
>>> unexpectedly.
>
>> Speed is one of the concerns.
>
> I thought this was debugging-only, optional unwinder behavior.
My understanding was this was in the EH path as well. If it's outside
the EH path, then I don't care about the cost of msync and the like :-)
>
>> Essentially we're pondering an efficient
>> mechanism to know if a given code address is valid so that we know if we
>> should even try to unwind through a particular stack frame.
>
> Efficient code address validation is possible using data structures
> maintained by ld.so. If those data structures are mostly read-only,
> they cannot be corrupted, so pointers and offsets in them don't have
> to be validated before derefencing them.
Understood.
>
> But the main problem is the frame pointer chain, and the current lack
> of registration for stacks. The program can just malloc some area,
> switch the SP, and start running from there. Some libraries do
> exactly that. And without knowledge of the bottom address of the
> stack, it is impossible to verify that the frame pointer chain goes
> somewhere off the stack.
Yea.
>
>> One could probably claim that in the EH path a call to msync shouldn't
>> be a concern. I'm skeptical these days, but could be convinced that
>> it's tolerable.
>
> Quite a few applications are sensitive to EH performance. The current
> freshness check for the cache is very inefficient, which is a
> significant problem for some users. If we can push out the flag check
> the top level (essentially compiling the unwinder twice, with and
> without checking), I don't think this would cause significant
> additional performance issues.
Yea. I went back and reviewed the internal BZ. It's actually just the
print-a-backtrace thing rather than EH unwinding. SO yea, if the
print-a-backtrace path and EH path both use bits, we could just compile
them twice, once with checking once without respectively.
Jeff
More information about the Gcc-patches
mailing list