Page MenuHomeFreeBSD
Differential D23997

malloc debugging: detect mismatched mtp in alloc/free with redzone
AcceptedPublic
Actions

Authored by rlibby on Mar 7 2020, 10:10 PM.
Tags
None
Referenced Files
Unknown Object (File)
Dec 20 2023, 3:03 AM
Unknown Object (File)
Dec 2 2023, 2:41 AM
Unknown Object (File)
Oct 28 2023, 9:28 PM
Unknown Object (File)
Oct 9 2023, 12:56 PM
Unknown Object (File)
Aug 18 2023, 7:44 AM
Unknown Object (File)
Jul 25 2023, 9:44 AM
Unknown Object (File)
May 14 2023, 6:48 PM
Unknown Object (File)
May 9 2023, 1:50 PM
View All 13 Files
Subscribers
glebius
jeff

Details

Reviewers
markj
pjd
Summary

XXX This is just a quick hack / demo. It would be nice to have
debugging for mismatched malloc types between alloc/free. A simple way
is to stash the mtp pointer alongside the malloc memory. This hacks
redzone to do that, because it already stashes stuff alongside the
malloc memory, has the pointer adjustments for doing so, stores a stack,
etc. I am hoping for review of the general idea, and of doing it with
redzone or not. Any better way?

Mismatched mtp in malloc/free causes malloc accounting bugs. Enhance
redzone so that it stashes a context cookie (the mtp pointer) on alloc
and checks it on free.

This is a bit of a misuse of redzone(9), but the machinery is already
available.

Test Plan

Manually insert a bug into accept1() and observe that this detects it.

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 29842
Build 27667: arc lint + arc unit

Event Timeline

rlibby created this revision.Mar 7 2020, 10:10 PM
Harbormaster completed remote builds in B29842: Diff 69301.Mar 7 2020, 10:10 PM
rlibby edited the summary of this revision. (Show Details)Mar 7 2020, 10:12 PM
rlibby added a subscriber: glebius.Mar 7 2020, 10:28 PM
markj accepted this revision.Mar 9 2020, 3:24 PM

So while it seems perfectly fine to use redzone for this purpose, I suspect it'd be somewhat ineffective for debugging since users typically do not run with redzone configured.

Have you considered including DEBUG_REDZONE in INVARIANTS kernel configurations? Then, provide a tunable to enable it. That way you could at least try and catch the bug without having to recompile the kernel. Ideally you'd be able to flip redzone on with a sysctl but I can't really see a way to implement that since redzone_check() has no way of knowing whether a given chunk of memory was padded. You might even implement multiple modes for redzone: one, perhaps on by default, pads with only enough space to do mtp checking, and the other does full checking, stack-saving, etc..

I suspect there's no good reason to exclude DEBUG_REDZONE (and maybe even MEMGUARD on platforms with plentiful KVA) from INVARIANTS kernels now that we have GENERIC-NODEBUG.

This revision is now accepted and ready to land.Mar 9 2020, 3:24 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
6 lines
vm/
4 lines
43 lines

Diff 69301

View Options

sys/kern/kern_malloc.c

Loading...
View Options

sys/vm/redzone.h

Loading...
View Options

sys/vm/redzone.c

Loading...