From: Carlos O'Donell <carlos@redhat.com>
To: Stefani Seibold <stefani@seibold.net>,
libc-help@sourceware.org, DJ Delorie <dj@redhat.com>
Subject: Re: glibc 2.26 mtrace broken, missing allocations
Date: Thu, 05 Apr 2018 20:21:00 -0000 [thread overview]
Message-ID: <33298b52-27e5-636b-03e2-799be2b9c0f5@redhat.com> (raw)
In-Reply-To: <1522958519.9141.11.camel@seibold.net>
On 04/05/2018 03:01 PM, Stefani Seibold wrote:
> Hi,
>
> when using mtrace i get a report of a reallocation which has an address
> which was not reported.
>
> For example:
>
> @ /usr/lib64/libgobject-2.0.so.0:(g_signal_newv+0x23d)[0x7ffff7eb409d] - 0x5555559344c0
> @ /usr/lib64/libglib-2.0.so.0:(g_malloc+0x19)[0x7ffff7244039] + 0x555555922d40 0x60
> @ /usr/lib64/libglib-2.0.so.0:(g_realloc+0x20)[0x7ffff72440f0] < 0x5555558f0ea0
> @ /usr/lib64/libglib-2.0.so.0:(g_realloc+0x20)[0x7ffff72440f0] > 0x5555558f0ea0 0x10
> @ /usr/lib64/libglib-2.0.so.0:(g_realloc+0x20)[0x7ffff72440f0] < 0x5555558f0e70
>
> The ingoing address 0x5555558f0ea0 for the realloc was not reported by
> an other alloc.
That's odd.
> The process (gvim -f) is single threaded and it is always the same
> address without address layout randomization.
OK, so as a single-threaded process it should be perfectly safe to use mtrace
(which is not MT-safe).
> How is this possible? Are there allocation functions which are not
> traced by mtrace?
I don't have any good answer for you.
The allocation functions all have hooks into the hook functions which are used
by mtrace. They are embedded into the libc.so.6 malloc API functions directly
e.g.
3026 void *
3027 __libc_malloc (size_t bytes)
3028 {
3029 mstate ar_ptr;
3030 void *victim;
3031
3032 void *(*hook) (size_t, const void *)
3033 = atomic_forced_read (__malloc_hook);
3034 if (__builtin_expect (hook != NULL, 0))
3035 return (*hook)(bytes, RETURN_ADDRESS (0));
...
3136 void *(*hook) (void *, size_t, const void *) =
3137 atomic_forced_read (__realloc_hook);
3138 if (__builtin_expect (hook != NULL, 0))
3139 return (*hook)(oldmem, bytes, RETURN_ADDRESS (0));
And happen right away and record the result.
You should see *almost* all the results.
In theory the early dynamic loader bootstrap uses dl-minimal.c which has micro
allocator there for early bootstrap before libc.so.6's malloc can be called,
but none of those addresses should ever leak into the post-bootstrap for a realloc.
If such a thing did happen it would be a bug.
You can try running mcheck() and associated functions to enable additional checking.
Likewise mprobe().
DJ, You've been poking at this area, any thoughts?
--
Cheers,
Carlos.
next prev parent reply other threads:[~2018-04-05 20:21 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-05 20:02 Stefani Seibold
2018-04-05 20:21 ` Carlos O'Donell [this message]
2018-04-05 20:33 ` Stefani Seibold
2018-04-05 20:52 ` Carlos O'Donell
2018-04-05 21:01 ` DJ Delorie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=33298b52-27e5-636b-03e2-799be2b9c0f5@redhat.com \
--to=carlos@redhat.com \
--cc=dj@redhat.com \
--cc=libc-help@sourceware.org \
--cc=stefani@seibold.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).