From: "bungeman at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug malloc/23343] tcache_init() confuses mtrace()
Date: Wed, 22 Sep 2021 23:55:19 +0000	[thread overview]
Message-ID: <bug-23343-131-07Gyf1FpSM@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-23343-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=23343

bungeman at gmail dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bungeman at gmail dot com

--- Comment #1 from bungeman at gmail dot com ---
I recently also ran into this with `mcheck` and the associated hooks. Both the
`tcache` and its `entries` are always backed directly as chunks (bare
`mchunkptr` or `malloc_chunk` allocations) as they always come directly out of
`_int_malloc` or `_int_free`. Looking at the rest of the file (and since these
are internal allocations) it appears that these should be freed with
`_int_free` after finding the correct arena.

Currently `tcache_thread_shutdown` calls `__libc_free` on both the `tcache` and
its `entries`. When running with `mcheck` the hooks install or expect a `hdr`
before the mem ptr (the `malloc_chunk` will come before this `hdr`). Since
these allocations did not go through `__libc_malloc` or have already gone
through `__libc_free` they do not have a `hdr` present (and the pointer value
has already been adjusted to before where the `hdr` was installed in the
allocation). As a result, the mcheck `freehook` which is called when
`__libc_free` is called fails in `checkhdr` since there isn't actually a `hdr`
there.

I managed to capture this happening in rr with a tcache entry. A somewhat
simplified reverse debugging session demonstrating the issue looks like

347           msg = _ ("memory clobbered before allocated block\n");
#0  0x00007f6f2b98bc95 in mabort (status=<optimized out>) at mcheck.c:347
#1  0x00007f6f2b98bd2b in checkhdr (hdr=hdr@entry=0x55e969231090) at
mcheck.c:111
#2  0x00007f6f2b98c129 in checkhdr (hdr=0x55e969231090) at mcheck.c:86
#3  freehook (ptr=0x55e9692310c0, caller=0x7f6f2b98a87b
<__malloc_arena_thread_freeres+75>) at mcheck.c:184
#4  0x00007f6f2b98a87b in tcache_thread_shutdown () at malloc.c:2964
#5  __malloc_arena_thread_freeres () at arena.c:951
#6  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
#7  0x00007f6f2c0b9ebf in start_thread (arg=<optimized out>) at
pthread_create.c:491
#8  0x00007f6f2b9fddef in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

(rr) reverse-finish  // a few times

2964              __libc_free (e);
#0  tcache_thread_shutdown () at malloc.c:2964
#1  __malloc_arena_thread_freeres () at arena.c:951
#2  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
#3  0x00007f6f2c0b9ebf in start_thread (arg=<optimized out>) at
pthread_create.c:491

(rr) when-ticks
Current tick: 25415

(rr) print e
$1 = (tcache_entry *) 0x55e9692310c0

(rr) print *e
$2 = {next = 0x0, key = 0x7f6f240008d0}

// The data before e looks like a legal malloc_chunk
(rr) print *(mchunkptr)((char*)e - 2*sizeof(size_t))
$11 = {mchunk_prev_size = 96, mchunk_size = 97, ...}

// The data before e does not look like a legal mcheck hdr, so checkhdr aborted
(rr) print ((struct hdr *) e) - 1
$17 = (struct hdr *) 0x55e969231090
(rr) print *(((struct hdr *) e) - 1)
$19 = {size = 4294967298, magic = 10778686036297936231, prev =
0x9595959595959595, next = 0x9595959595959595, block = 0x60, magic2 = 97}

(rr) reverse-next   // a few times to get before while loop

2954      tcache_shutting_down = true;
#0  tcache_thread_shutdown () at malloc.c:2954
#1  __malloc_arena_thread_freeres () at arena.c:951
#2  0x00007f6f2b98db6c in __libc_thread_freeres () at thread-freeres.c:38
#3  0x00007f6f2c0b9ebf in start_thread (arg=<optimized out>) at
pthread_create.c:491
#4  0x00007f6f2b9fddef in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

(rr) print *tcache_tmp
$20 = {counts = {0, 0, 0, 0, 1, 0 <repeats 59 times>}, entries = {0x0, 0x0,
0x0, 0x0, 0x55e9692310c0, 0x0 <repeats 59 times>}}

(rr) print *tcache_tmp->entries[4]
$21 = {next = 0x0, key = 0x7f6f240008d0}

(rr) watch -l tcache_tmp->entries[4]
(rr) reverse-cont

2927      tcache->entries[tc_idx] = e;
#0  tcache_put (tc_idx=4, chunk=0x55e9692310b0) at malloc.c:2927
#1  _int_free (av=0x7f6f2babeb80 <main_arena>, p=0x55e9692310b0, have_lock=0)
at malloc.c:4208
#2  0x00007f6f2b98c1b8 in freehook (ptr=0x55e9692310c0, caller=0x55e964dbca21)
at mcheck.c:196
#3  0x000055e964dbca21 in std::thread::_State_impl<...>::~_State_impl()
(this=0x55e9692310f0, __in_chrg=<optimized out>) at
/usr/include/c++/10/thread:205
#4  0x00007f6f2bcf531a in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007f6f2c0b9ea7 in start_thread (arg=<optimized out>) at
pthread_create.c:477
#6  0x00007f6f2b9fddef in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

(rr) when-ticks
Current tick: 13449

(rr) print e
$25 = (tcache_entry *) 0x55e9692310c0
(rr) print *e
$26 = {next = 0x0, key = 0x7f6f240008d0}

Where it is easy to verify that `freehook` removed the `hdr` (overwriting it to
mark it) by adjusting the pointer back to before the `hdr`, then calls
`_int_free` which adds this now non-mcheck chunk to the tcache.  As a result
this now "hook-clean" freed allocation must not be freed through the hooks (as
they have already cleaned up their claim on this allocation and marked it
free). `tcache_thread_shutdown` is already careful to remove the entry from the
entries list before attempting to free it, so just calling `_int_free` (with the
correct arena) should be correct.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
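The header check the comment describes, as an added C model that is not glibc's own code: `wrap` plays the role of mallochook, `strip_for_free` plays freehook, and `check_hdr` applies the tests of `checkhdr` to whatever bytes sit before a pointer. The magic constants and the six-word `struct hdr` follow glibc's mcheck.c; the `arena` buffer, the 0x95 fill and `run_scenario` are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Constants and struct hdr layout follow glibc's mcheck.c; the check/mark logic
   is a simplified model written for this demonstration, not glibc's own code. */
#define MAGICWORD 0xfedabeebUL
#define MAGICFREE 0xd8675309UL
#define MAGICBYTE ((char) 0xd7)
struct hdr {
  size_t size; unsigned long magic;      /* size asked for; MAGICWORD ^ (prev + next) */
  struct hdr *prev, *next; void *block;  /* live-block list; real block start */
  unsigned long magic2;                  /* MAGICWORD ^ block */
};
enum mstatus { MCHECK_OK, MCHECK_FREE, MCHECK_HEAD, MCHECK_TAIL };
/* What checkhdr() demands of the bytes immediately before a user pointer. */
static enum mstatus check_hdr(const void *user_ptr) {
  const struct hdr *h = ((const struct hdr *) user_ptr) - 1;
  unsigned long m = h->magic ^ ((uintptr_t) h->prev + (uintptr_t) h->next);
  if (m == MAGICFREE) return MCHECK_FREE;
  if (m != MAGICWORD) return MCHECK_HEAD;
  if (((const char *) user_ptr)[h->size] != MAGICBYTE) return MCHECK_TAIL;
  if ((h->magic2 ^ (uintptr_t) h->block) != MAGICWORD) return MCHECK_HEAD;
  return MCHECK_OK;
}
/* mallochook's job: hdr, then the user bytes, then one guard byte. */
static void *wrap(void *raw, size_t size) {
  struct hdr *h = raw;
  h->size = size; h->prev = h->next = NULL; h->block = h;
  h->magic = MAGICWORD; h->magic2 = MAGICWORD ^ (uintptr_t) h;
  ((char *) (h + 1))[size] = MAGICBYTE;
  return h + 1;
}
/* freehook's job: mark the hdr free, then hand the hdr (not user_ptr) down. */
static void *strip_for_free(void *user_ptr) {
  struct hdr *h = ((struct hdr *) user_ptr) - 1;
  h->magic = MAGICFREE ^ ((uintptr_t) h->prev + (uintptr_t) h->next);
  return h;
}
/* out[0]: fresh block; out[1]: user ptr re-checked after freehook (double free);
   out[2]: the stripped pointer freehook handed on, re-checked as if still hooked. */
static void run_scenario(enum mstatus out[3]) {
  static _Alignas(16) unsigned char arena[256];   /* constructed stand-in for heap */
  memset(arena, 0x95, sizeof arena);              /* mcheck's FREEFLOOD byte */
  void *p = wrap(arena + 64, 32);
  out[0] = check_hdr(p);
  void *stripped = strip_for_free(p);
  out[1] = check_hdr(p);
  out[2] = check_hdr(stripped);
}
```

Once a block has been through freehook, only the pointer it handed on is the one to release, and it must bypass the hooks: re-checking it finds no `hdr` in front of it, which is the abort seen in frame #1 of the trace above.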
