From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 93474 invoked by alias); 26 Jun 2018 11:25:54 -0000 Mailing-List: contact gnu-gabi-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Post: List-Help: List-Subscribe: Sender: gnu-gabi-owner@sourceware.org Received: (qmail 90719 invoked by uid 89); 26 Jun 2018 11:25:53 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=thankfully, corrupted, Hx-languages-length:1859 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_PASS autolearn=ham version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org X-Spam-Level: X-Spam-User: qpsmtpd, 3 recipients X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 26 Jun 2018 11:25:51 +0000 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C8775C059B7C; Tue, 26 Jun 2018 11:25:50 +0000 (UTC) Received: from tucnak.zalov.cz (ovpn-116-221.ams2.redhat.com [10.36.116.221]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6293282F7B; Tue, 26 Jun 2018 11:25:49 +0000 (UTC) Received: from tucnak.zalov.cz (localhost [127.0.0.1]) by tucnak.zalov.cz (8.15.2/8.15.2) with ESMTP id w5QBPl4F008350; Tue, 26 Jun 2018 13:25:48 +0200 Received: (from jakub@localhost) by tucnak.zalov.cz (8.15.2/8.15.2/Submit) id w5QBPiMl008349; Tue, 26 Jun 2018 13:25:44 +0200 Date: Mon, 01 Jan 2018 00:00:00 -0000 From: Jakub Jelinek To: Florian Weimer Cc: Nathan Sidwell , GCC , GNU C Library , Binutils , gnu-gabi@sourceware.org Subject: Re: Invalid program counters and unwinding Message-ID: <20180626112544.GP7166@tucnak> Reply-To: Jakub Jelinek References: <7ada5491-f3f4-e048-dfec-6e51cd937163@acm.org> <0c58f1bb-220c-d03d-7375-6066fb7d53e6@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <0c58f1bb-220c-d03d-7375-6066fb7d53e6@redhat.com> User-Agent: Mutt/1.9.2 (2017-12-15) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 26 Jun 2018 11:25:50 +0000 (UTC) X-SW-Source: 2018-q2/txt/msg00019.txt.bz2 On Tue, Jun 26, 2018 at 01:01:06PM +0200, Florian Weimer wrote: > On 06/26/2018 12:56 PM, Nathan Sidwell wrote: > > On 06/26/2018 05:26 AM, Florian Weimer wrote: > > > > > So it looks to me that the caller of _Unwind_Find_FDE needs to > > > ensure that the PC is a valid element of the call stack.  Is this a > > > correct assumption? > > > > I thought this was an (implicit?) requirement. You're unwinding a stack > > to deliver an exception up it.  Are there use cases where that is not > > the case? > > We have something approaching this scenario. > > pthread_cancel in glibc unwinds the stack using DWARF information until > encounters a frame without unwind information, when it switches to longjmp > to get past that obstacle. > > However, at the point of transition from a valid DWARF frame into the > wilderness (without unwind data), we should still have accurate information > on the caller's PC, so _Unwind_Find_FDE will reliably fail to find any > unwind data for it. It's not a random pointer somewhere else, so I think > even the pthread_cancel case is fully supported. The usual ways to get bogus PCs in the frames is: 1) stack corruption 2) setcontext/swapcontext with uninitialized or corrupted ucontext_t 3) bogus unwind info (compiler or linker etc. bug) At least for unwinding, I think we don't and shouldn't care, we assume only valid programs. For cases like _Unwind_Backtrace when used to print info in case of fatal signal or stack corruption, it is more questionable, but at least the current implmentation doesn't care either. There have been some requests e.g. to use extremely slow safe accesses like syscalls from the potential invalid memory, or mincore, or parsing of /proc/self/maps to make it work even if everything is corrupted, but so far nothing thankfully made it in. Jakub