delta/haproxy.git/include/haproxy/bug.h, branch master github.com: haproxy/haproxy.git DEBUG: crash using an invalid opcode on aarch64 instead of an invalid access 2023-04-25T17:53:39+00:00 Willy Tarreau w@1wt.eu 2023-04-25T17:01:48+00:00 543e2544cabf9900af92d45658b122bc25011c3d On aarch64 there's also a guaranted invalid instruction, called UDF, and which even supports an optional 16-bit immediate operand: https://developer.arm.com/documentation/ddi0596/2021-12/Base-Instructions/UDF--Permanently-Undefined-?lang=en It's conveniently encoded as 4 zeroes (when the operand is zero). It's unclear when support for it was added into GAS, if at all; even a not-so-old 2.27 doesn't know about it. Let's byte-encode it. Tested on an A72 and works as expected. 
On aarch64 there's also a guaranted invalid instruction, called UDF, and
which even supports an optional 16-bit immediate operand:

   https://developer.arm.com/documentation/ddi0596/2021-12/Base-Instructions/UDF--Permanently-Undefined-?lang=en

It's conveniently encoded as 4 zeroes (when the operand is zero). It's
unclear when support for it was added into GAS, if at all; even a
not-so-old 2.27 doesn't know about it. Let's byte-encode it.

Tested on an A72 and works as expected.
DEBUG: crash using an invalid opcode on x86/x86_64 instead of an invalid access 2023-04-25T16:51:10+00:00 Willy Tarreau w@1wt.eu 2023-04-25T16:44:58+00:00 77787ec9bccaa6904dceb0dcce9bd8184cfdbece BUG_ON() calls currently trigger a segfault. This is more convenient than abort() as it doesn't rely on any function call nor signal handler and never causes non-unwindable stacks when opening cores. But it adds quite some confusion in bug reports which are rightfully tagged "segv" and do not instantly allow to distinguish real segv (e.g. null derefs) from code asserts. Some CPU architectures offer various crashing methods. On x86 we have INT3 (0xCC), which stops into the debugger, and UD0/UD1/UD2. INT3 looks appealing but for whatever reason (maybe signal handling somewhere) it loses the last call point in the stack, making backtraces unusable. UD2 has the merit of being only 2 bytes and causing an invalid instruction, which almost never happens normally, so it's easily distinguishable. Here it was defined as a macro so that the line number in the core matches the one where the BUG_ON() macro is called, and the debugger shows the last frame exactly at its calligg point. E.g. when calling "debug dev bug": Program terminated with signal SIGILL, Illegal instruction. #0 debug_parse_cli_bug (args=<optimized out>, payload=<optimized out>, appctx=<optimized out>, private=<optimized out>) at src/debug.c:408 408 BUG_ON(one > zero); [Current thread is 1 (Thread 0x7f7a660cc1c0 (LWP 14238))] (gdb) bt #0 debug_parse_cli_bug (args=<optimized out>, payload=<optimized out>, appctx=<optimized out>, private=<optimized out>) at src/debug.c:408 #1 debug_parse_cli_bug (args=<optimized out>, payload=<optimized out>, appctx=<optimized out>, private=<optimized out>) at src/debug.c:402 #2 0x000000000061a69f in cli_parse_request (appctx=appctx@entry=0x181c0160) at src/cli.c:832 #3 0x000000000061af86 in cli_io_handler (appctx=0x181c0160) at src/cli.c:1035 #4 0x00000000006ca2f2 in task_run_applet (t=0x181c0290, context=0x181c0160, state=<optimized out>) at src/applet.c:449 
BUG_ON() calls currently trigger a segfault. This is more convenient
than abort() as it doesn't rely on any function call nor signal handler
and never causes non-unwindable stacks when opening cores. But it adds
quite some confusion in bug reports which are rightfully tagged "segv"
and do not instantly allow to distinguish real segv (e.g. null derefs)
from code asserts.

Some CPU architectures offer various crashing methods. On x86 we have
INT3 (0xCC), which stops into the debugger, and UD0/UD1/UD2. INT3 looks
appealing but for whatever reason (maybe signal handling somewhere) it
loses the last call point in the stack, making backtraces unusable. UD2
has the merit of being only 2 bytes and causing an invalid instruction,
which almost never happens normally, so it's easily distinguishable.
Here it was defined as a macro so that the line number in the core
matches the one where the BUG_ON() macro is called, and the debugger
shows the last frame exactly at its calligg point.

E.g. when calling "debug dev bug":

Program terminated with signal SIGILL, Illegal instruction.
  #0  debug_parse_cli_bug (args=<optimized out>, payload=<optimized out>, appctx=<optimized out>, private=<optimized out>) at src/debug.c:408
  408             BUG_ON(one > zero);
  [Current thread is 1 (Thread 0x7f7a660cc1c0 (LWP 14238))]
  (gdb) bt
  #0  debug_parse_cli_bug (args=<optimized out>, payload=<optimized out>, appctx=<optimized out>, private=<optimized out>) at src/debug.c:408
  #1  debug_parse_cli_bug (args=<optimized out>, payload=<optimized out>, appctx=<optimized out>, private=<optimized out>) at src/debug.c:402
  #2  0x000000000061a69f in cli_parse_request (appctx=appctx@entry=0x181c0160) at src/cli.c:832
  #3  0x000000000061af86 in cli_io_handler (appctx=0x181c0160) at src/cli.c:1035
  #4  0x00000000006ca2f2 in task_run_applet (t=0x181c0290, context=0x181c0160, state=<optimized out>) at src/applet.c:449
BUILD: bug.h: add a warning in the base API when unsafe functions are used 2023-04-07T16:21:36+00:00 Willy Tarreau w@1wt.eu 2023-04-07T12:57:13+00:00 7f2b3f9431f279d71a59dc73b77139d2ce16e503 Once in a while we introduce an sprintf() or strncat() function by accident. These ones are particularly dangerous and must never ever be used because the only way to use them safely is at least as complicated if not more, than their safe counterparts. By redefining a few of these functions with an attribute_warning() we can deliver a message to the developer who is tempted to use them. This commit does it for strcat(), strcpy(), strncat(), sprintf(), vsprintf(). More could come later if needed, such as strtok() and maybe a few others, but these are less common. 
Once in a while we introduce an sprintf() or strncat() function by
accident. These ones are particularly dangerous and must never ever
be used because the only way to use them safely is at least as
complicated if not more, than their safe counterparts. By redefining
a few of these functions with an attribute_warning() we can deliver a
message to the developer who is tempted to use them. This commit does
it for strcat(), strcpy(), strncat(), sprintf(), vsprintf(). More could
come later if needed, such as strtok() and maybe a few others, but these
are less common.
MINOR: pools: report a replaced memory allocator instead of just malloc_trim() 2023-03-22T17:05:02+00:00 Willy Tarreau w@1wt.eu 2023-03-22T17:01:41+00:00 1751db140ab609e38af8218efbd23427115a42aa Instead of reporting the inaccurate "malloc_trim() support" on -vv, let's report the case where the memory allocator was actively replaced from the one used at build time, as this is the corner case we want to be cautious about. We also put a tainted bit when this happens so that it's possible to detect it at run time (e.g. the user might have inherited it from an environment variable during a reload operation). The now unused is_trim_enabled() function was finally dropped. 
Instead of reporting the inaccurate "malloc_trim() support" on -vv, let's
report the case where the memory allocator was actively replaced from the
one used at build time, as this is the corner case we want to be cautious
about. We also put a tainted bit when this happens so that it's possible
to detect it at run time (e.g. the user might have inherited it from an
environment variable during a reload operation).

The now unused is_trim_enabled() function was finally dropped.
BUILD: debug: remove unnecessary quotes in HA_WEAK() calls 2022-11-14T10:12:49+00:00 Willy Tarreau w@1wt.eu 2022-11-13T11:14:10+00:00 eedcea8b900b2397cbfcfe54f458f7fe1bbe6b35 HA_WEAK() is supposed to take a symbol in argument, not a string, since the asm statements it produces already quote the argument. Having it quoted twice doesn't work on older compilers and was the only reason why DEBUG_MEM_STATS didn't work on older compilers. 
HA_WEAK() is supposed to take a symbol in argument, not a string, since
the asm statements it produces already quote the argument. Having it
quoted twice doesn't work on older compilers and was the only reason
why DEBUG_MEM_STATS didn't work on older compilers.
CLEANUP: debug: use struct ha_caller for memstat 2022-09-08T12:19:15+00:00 Willy Tarreau w@1wt.eu 2022-09-06T06:05:59+00:00 d96d214b4ca443a8153830fdcf14c07500f2915f The memstats code currently defines its own file/function/line number, type and extra pointer. We don't need to keep them separate and we can easily replace them all with just a struct ha_caller. Note that the extra pointer could be converted to a pool ID stored into arg8 or arg32 and be dropped as well, but this would first require to define IDs for pools (which we currently do not have). 
The memstats code currently defines its own file/function/line number,
type and extra pointer. We don't need to keep them separate and we can
easily replace them all with just a struct ha_caller. Note that the
extra pointer could be converted to a pool ID stored into arg8 or
arg32 and be dropped as well, but this would first require to define
IDs for pools (which we currently do not have).
MINOR: debug: add struct ha_caller to describe a calling location 2022-09-08T12:19:15+00:00 Willy Tarreau w@1wt.eu 2022-09-06T05:55:44+00:00 7f2f1f294c073302df30de4f08fe1bd6be472936 The purpose of this structure is to assemble all constant parts of a generic calling point for a specific event. These ones are created by the compiler as a static const element outside of the code path, so they cost nothing in terms of CPU, and a pointer to that descriptor can be passed to the place that needs it. This is very similar to what is being done for the mem_stat stuff. This will be useful to simplify and improve DEBUG_TASK. 
The purpose of this structure is to assemble all constant parts of a
generic calling point for a specific event. These ones are created by
the compiler as a static const element outside of the code path, so
they cost nothing in terms of CPU, and a pointer to that descriptor
can be passed to the place that needs it. This is very similar to what
is being done for the mem_stat stuff.

This will be useful to simplify and improve DEBUG_TASK.
BUILD: debug: make sure debug macros are never empty 2022-08-31T08:53:53+00:00 Willy Tarreau w@1wt.eu 2022-08-31T08:52:25+00:00 d8009a1ca6607bfe08978476ae2c77679b2b5453 As outlined in commit f7ebe584d7 ("BUILD: debug: Add braces to if statement calling only CHECK_IF()"), the BUG_ON() family of macros is incorrectly defined to be empty when debugging is disabled, and that can lead to trouble. Make sure they always fall back to the usual "do { } while (0)". This may be backported to 2.6 if needed, though no such issue was met there to date. 
As outlined in commit f7ebe584d7 ("BUILD: debug: Add braces to if
statement calling only CHECK_IF()"), the BUG_ON() family of macros
is incorrectly defined to be empty when debugging is disabled, and
that can lead to trouble. Make sure they always fall back to the
usual "do { } while (0)". This may be backported to 2.6 if needed,
though no such issue was met there to date.
MINOR: debug/memstats: permit to pass the size to free() 2022-08-09T07:11:27+00:00 Willy Tarreau w@1wt.eu 2022-08-09T07:08:18+00:00 db3716b8db98c45fcf24fd4a10d326c9a3b3e9c1 Right now the free() call is not intercepted since all this is done using macros and that would break a lot of stuff. Instead a __free() macro was provided but never used. In addition it used to only report a zero size, which is not very convenient. With this patch comes a better solution. Instead it provides a new will_free() macro that can be prepended before a call to free(). It only keeps the counters up to date, and also supports being passed a size. The pool_free_area() command now uses it, which finally allows the stats to look correct: pool-os.h:38 MALLOC size: 5802127832 calls: 3868044 size/call: 1500 pool-os.h:47 FREE size: 5800041576 calls: 3867444 size/call: 1499 The few other places directly calling free() could now be instrumented to use this and to pass the correct sizeof() when known. 
Right now the free() call is not intercepted since all this is done
using macros and that would break a lot of stuff. Instead a __free()
macro was provided but never used. In addition it used to only report
a zero size, which is not very convenient.

With this patch comes a better solution. Instead it provides a new
will_free() macro that can be prepended before a call to free(). It
only keeps the counters up to date, and also supports being passed a
size. The pool_free_area() command now uses it, which finally allows
the stats to look correct:

  pool-os.h:38   MALLOC  size:   5802127832  calls:   3868044  size/call:   1500
  pool-os.h:47     FREE  size:   5800041576  calls:   3867444  size/call:   1499

The few other places directly calling free() could now be instrumented to
use this and to pass the correct sizeof() when known.
MINOR: debug: also store the function name in struct mem_stats 2022-08-09T06:42:42+00:00 Willy Tarreau w@1wt.eu 2022-08-09T06:40:08+00:00 17200dd1f33b4cd8236d43c6d93f31ca23875fc8 The calling function name is now stored in the structure, and it's reported when the "all" argument is passed. The first column is significantly enlarged because some names are really wide :-( 
The calling function name is now stored in the structure, and it's
reported when the "all" argument is passed. The first column is
significantly enlarged because some names are really wide :-(