public inbox for gdb-prs@sourceware.org help / color / mirror / Atom feed
From: "torbjorn.svensson at st dot com" <sourceware-bugzilla@sourceware.org> To: gdb-prs@sourceware.org Subject: [Bug gdb/28549] ARM/Cortex-M: improper stack unwinding when the target is in lockup state Date: Fri, 14 Oct 2022 14:07:33 +0000 [thread overview] Message-ID: <bug-28549-4717-ASTNiTtjjg@http.sourceware.org/bugzilla/> (raw) In-Reply-To: <bug-28549-4717@http.sourceware.org/bugzilla/> https://sourceware.org/bugzilla/show_bug.cgi?id=28549 --- Comment #48 from tomas.vanek at fbl dot cz --- (In reply to Torbjörn SVENSSON from comment #47) > > From what I heard, the FSF copyright process has now completed. Yes, it's finally done. Sorry, it was my fault: I replied to copyright-clerk@fsf.org first instead of sending the signed form to assign@gnu.org > Tomas, can you please send your patch to the gdb-patches ML in order to get > it merged after a review process? If it helps, I can help with adapting the > patch for the review comments, but you need to send the initial version. Will do. The discussion here narrowed to 'ARM M lockup frame unwinder' patch. I originally attached 3 patches, see above. TBH I never intended to use just the unwinder without accompanying changes. 'Show frame unwinder name in signal name' gives user little bit better info than <signal handler called> - it might be mergeable (I didn't check, will do). The rest of work in 'Fixes for ARM M exception frame unwinder' is probably definitely unusable because of merging ARMv8 profile M security extension support. I need some time to check the new code and see if some parts of my old changes are applicable. Back to 'ARM M lockup frame unwinder' and Torbjörn's comments Fredrik forwarded me by mail: > 1. arm_m_lockup_prev_register > I think arm_m_lockup_prev_register should have an assert statement as it > should never be reached unless the sniffer is incorrectly implemented. I think the same but I was not able to find the part of the general frame code (frame-unwind.c, frame.c ...) which ensures it. That's why I wanted to avoid gdb fail or assert because post-mortem debugging of frame related structures seemed me almost impossible. So if you confirm that prev_register method cannot be called when this_id method returned outer_frame in any corner case like sniffing of corrupted data, then ok, let's just assert(0) in prev_register > 2. arm_m_lockup_unwind_sniffer > I would have inlined the arm_m_addr_is_lockup function here as there is > only one call to it and it would make it easier to see what is happening. I just kept the format of original arm_m_addr_is_magic(). Maybe keeping all tests for 'special' addresses together has some advantage in code readability. > 3. registering the lockup unwinder > I think it makes sense to have the lockup unwinder as early in the list > as possible to avoid any of the other unwinders to preserve the state of > the target as much as possible Well the lockup unwinder gets registered with the exception unwinder as the first two unwinders. You might miss the code from 'Fixes for ARM M exception frame unwinder' - with this patch, lockup and exception are sniffed as mutually exclusive, no matter which one is sniffed first. I agree, without the second patch the lockup unwinder registration should precede the exception unwinder, especially with ARMv8 profile M security extension with arm_m_addr_is_magic() catching lockup magic codes. I looked to the new code to support ARMv8 profile M security extension just very shortly. I wonder why arm_m_addr_is_magic() decoding differs so much in branches without and with the security extension. The former decodes just the used special addresses, the latter whole pages with lot of 'undefined behaviour' codes. IMO the frame unwinding should proceed as long as sniffers encounter frames possibly saved by the processor and stop as soon as a sniffer hits something suspicious like a special address described as 'undefined behaviour' in architecture manual. Stopping frame unwinding seems me much better than generating nonsense frames from corrupted data. Considering this I think we need another meta unwinder - or better said unwind stopper for 'undefined behaviour'. Registered as the last one and catching everything what all other sniffers refuse. What do you think? --- Comment #49 from Torbjörn SVENSSON <torbjorn.svensson at st dot com> --- (In reply to tomas.vanek from comment #48) > The discussion here narrowed to 'ARM M lockup frame unwinder' patch. I > originally attached 3 patches, see above. TBH I never intended to use just > the unwinder without accompanying changes. Right now, I'm more concerned about the endless(?) loop when the target is in lockup state. I think we should first solve that problem and then look into if there is improvements to do to make it more obvious for the user what's going on. > 'Show frame unwinder name in signal name' gives user little bit better info > than <signal handler called> - it might be mergeable (I didn't check, will > do). I think this patch could be an improvement, but not as important as the previous one. Lets focus on getting the other one in first, okay? > The rest of work in 'Fixes for ARM M exception frame unwinder' is probably > definitely unusable because of merging ARMv8 profile M security extension > support. I don't think any of the other changes are needed anymore. > I need some time to check the new code and see if some parts of my old > changes are applicable. > > Back to 'ARM M lockup frame unwinder' and Torbjörn's comments Fredrik > forwarded me by mail: > > > 1. arm_m_lockup_prev_register > > I think arm_m_lockup_prev_register should have an assert statement as it > > should never be reached unless the sniffer is incorrectly implemented. > > I think the same but I was not able to find the part of the general frame > code (frame-unwind.c, frame.c ...) which ensures it. That's why I wanted to > avoid gdb fail or assert because post-mortem debugging of frame related > structures seemed me almost impossible. > So if you confirm that prev_register method cannot be called when this_id > method returned outer_frame in any corner case like sniffing of corrupted > data, then ok, let's just assert(0) in prev_register I just landed a patch that shows how you can use the frame_unwind_stop_reason hook to stop the unwinding. I think the same logic could be used in your patch too. Regarding the assurance, please see Pedro's reply to the very same question here: https://sourceware.org/pipermail/gdb-patches/2022-October/192655.html > > 2. arm_m_lockup_unwind_sniffer > > I would have inlined the arm_m_addr_is_lockup function here as there is > > only one call to it and it would make it easier to see what is happening. > > I just kept the format of original arm_m_addr_is_magic(). > Maybe keeping all tests for 'special' addresses together has some advantage > in code readability. > > > 3. registering the lockup unwinder > > I think it makes sense to have the lockup unwinder as early in the list > > as possible to avoid any of the other unwinders to preserve the state of > > the target as much as possible > > Well the lockup unwinder gets registered with the exception unwinder as the > first two unwinders. You might miss the code from 'Fixes for ARM M exception > frame unwinder' - with this patch, lockup and exception are sniffed as > mutually exclusive, no matter which one is sniffed first. I agree, without > the second patch the lockup unwinder registration should precede the > exception unwinder, > especially with ARMv8 profile M security extension with > arm_m_addr_is_magic() catching lockup magic codes. > > I looked to the new code to support ARMv8 profile M security extension just > very shortly. > I wonder why arm_m_addr_is_magic() decoding differs so much in branches > without and with the security extension. The former decodes just the used > special addresses, the latter whole pages with lot of 'undefined behaviour' > codes. On https://developer.arm.com/documentation/100701/0200/The-EXC-RETURN-register, it's written as that 0xffxxxxxx is an EXC_RETURN pattern, even if there are combinations within that that is illegal. > IMO the frame unwinding should proceed as long as sniffers encounter frames > possibly saved by the processor and stop as soon as a sniffer hits something > suspicious like a special address described as 'undefined behaviour' in > architecture manual. Stopping frame unwinding seems me much better than > generating nonsense frames from corrupted data. I agree completely with this statement. > Considering this I think we need another meta unwinder - or better said > unwind stopper for 'undefined behaviour'. Registered as the last one and > catching everything what all other sniffers refuse. > What do you think? I don't think we need another unwinder, but we might need to have some more checks in the arm_m_exception_cache function to stop the unwind in case an unsupported state is detected. -- You are receiving this mail because: You are on the CC list for the bug.
next prev parent reply other threads:[~2022-10-14 14:08 UTC|newest] Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-11-05 9:51 [Bug gdb/28549] New: " tarek.bouchkati at gmail dot com 2021-11-05 10:34 ` [Bug gdb/28549] " tarek.bouchkati at gmail dot com 2021-11-05 10:59 ` tarek.bouchkati at gmail dot com 2021-11-05 12:26 ` tarek.bouchkati at gmail dot com 2021-11-05 12:36 ` tarek.bouchkati at gmail dot com 2021-11-05 13:16 ` alahay01 at gcc dot gnu.org 2021-11-05 13:22 ` luis.machado at linaro dot org 2021-11-05 14:02 ` luis.machado at linaro dot org 2021-11-05 14:02 ` luis.machado at linaro dot org 2021-11-05 15:43 ` fredrik.hederstierna@securitas-direct.com 2021-11-05 15:51 ` tarek.bouchkati at gmail dot com 2021-11-05 23:14 ` fredrik.hederstierna@securitas-direct.com 2021-11-05 23:25 ` fredrik.hederstierna@securitas-direct.com 2021-11-06 0:20 ` fredrik.hederstierna@securitas-direct.com 2021-11-15 12:04 ` tarek.bouchkati at gmail dot com 2021-11-15 12:52 ` luis.machado at linaro dot org 2021-11-15 13:15 ` tarek.bouchkati at gmail dot com 2021-11-15 18:09 ` fredrik.hederstierna@securitas-direct.com 2021-11-15 18:46 ` luis.machado at linaro dot org 2021-11-18 11:18 ` tarek.bouchkati at gmail dot com 2021-12-10 12:30 ` tomas.vanek at fbl dot cz 2021-12-13 8:30 ` luis.machado at linaro dot org 2021-12-13 9:55 ` tomas.vanek at fbl dot cz 2021-12-13 10:07 ` clyon at gcc dot gnu.org 2021-12-13 10:35 ` luis.machado at linaro dot org 2021-12-13 10:37 ` luis.machado at linaro dot org 2021-12-13 20:22 ` tomas.vanek at fbl dot cz 2021-12-13 21:48 ` fredrik.hederstierna@securitas-direct.com 2021-12-13 22:00 ` fredrik.hederstierna@securitas-direct.com 2021-12-14 0:09 ` tomas.vanek at fbl dot cz 2021-12-14 0:33 ` tomas.vanek at fbl dot cz 2021-12-14 10:27 ` tomas.vanek at fbl dot cz 2021-12-14 14:42 ` tomas.vanek at fbl dot cz 2021-12-14 14:45 ` tomas.vanek at fbl dot cz 2021-12-14 14:50 ` tomas.vanek at fbl dot cz 2021-12-15 16:44 ` luis.machado at linaro dot org 2021-12-15 16:56 ` fredrik.hederstierna@securitas-direct.com 2021-12-15 17:42 ` tomas.vanek at fbl dot cz 2022-01-19 11:34 ` tarek.bouchkati at gmail dot com 2022-01-19 11:35 ` luis.machado at linaro dot org 2022-01-19 11:36 ` luis.machado at linaro dot org 2022-01-19 11:40 ` clyon at gcc dot gnu.org 2022-01-19 12:18 ` tarekbouchkati at gmail dot com 2022-09-09 8:25 ` luis.machado at arm dot com 2022-09-09 23:35 ` fredrik.hederstierna@securitas-direct.com 2022-09-10 7:27 ` luis.machado at arm dot com 2022-09-11 13:59 ` tomas.vanek at fbl dot cz 2022-09-12 9:32 ` luis.machado at arm dot com 2022-09-14 9:07 ` tomas.vanek at fbl dot cz 2022-09-14 12:10 ` luis.machado at arm dot com 2022-10-02 7:13 ` torbjorn.svensson at st dot com 2022-10-02 7:18 ` tomas.vanek at fbl dot cz 2022-10-06 13:07 ` luis.machado at arm dot com 2022-10-11 8:08 ` torbjorn.svensson at st dot com 2022-10-14 14:07 ` torbjorn.svensson at st dot com [this message] 2022-10-16 12:24 ` tomas.vanek at fbl dot cz 2022-10-21 10:01 ` luis.machado at arm dot com 2022-10-29 18:40 ` brobecker at gnat dot com 2022-10-31 10:18 ` luis.machado at arm dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-28549-4717-ASTNiTtjjg@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=gdb-prs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).