This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [RFC] Knobs to detect undefined behaviour.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Ondřej Bílka <neleai at seznam dot cz>
- Cc: Jeff Law <law at redhat dot com>, Rich Felker <dalias at aerifal dot cx>, libc-alpha at sourceware dot org
- Date: Wed, 09 Oct 2013 14:33:25 -0400
- Subject: Re: [RFC] Knobs to detect undefined behaviour.
- References: <20131003122009 dot GA8891 at domone dot podge> <524DCA52 dot 2030609 at redhat dot com> <20131007141928 dot GV20515 at brightrain dot aerifal dot cx> <52542C63 dot 10305 at redhat dot com> <20131008162738 dot GG20515 at brightrain dot aerifal dot cx> <52545389 dot 6000901 at redhat dot com> <52545730 dot 6090306 at redhat dot com> <20131009072830 dot GA19974 at domone dot podge>
On 10/09/2013 03:28 AM, Ondřej Bílka wrote:
> On Tue, Oct 08, 2013 at 01:04:16PM -0600, Jeff Law wrote:
>> When I first proposed the idea for these sanity checking dl-preload
>> libraries for Fedora I envisioned that we could go beyond just
>> checking for overlapping memory areas in the mem* and str*
>> functions. There could be a set of pthread wrapper functions that
>> check for whatever invariants we can in the pthread* functions
>> without a huge performance hit.
>>
> It is possible but we could use an environment variable in libc as
> alternative. Then we could choose detecting implementation by ifunc.
>
> Or add assert-like macro that will be compiled into libc_sanitized.so
>
> Main advantage is visibility. If a user needs to find ten various libraries
> and preload them, few users will do that. It should be moved to one place.
>
> As we could add to manpages something like:
>
> A glibc could detect various undefined behaviours and abort when it is
> detected. But it could break third party binaries so this needs to be
> enabled manually. For checking use:
>
> GLIBC_SANITIZE=true program
>
>
> There are various areas that could be covered:
>
> str/mem routines - could we merge memstomp?
>
> malloc - An efence got this almost right but tried to detect all
> overruns.
>
> If we detect these only statistically it could be done using only
> twice as much memory; for requests up to 4096 bytes we will use an arena that
> alternates between protected and usable pages like:
> prot use prot use prot use prot
> and for more than 4096 bytes we could use mmap.
>
> If we placed a 64-bit canary before/after each alloc we could also add
> bounds checking by looking for that canary.
>
> What else?
There is a lot we could talk about here.

The linker already does process the environment variables so it could
be done via env vars I think.

We need to make forward progress on tunables per our discussions
at Cauldron 2013, which is to unify internally all the existing
tunables.

We also need to make forward progress on env vars, which is to flesh
out the policy and check to see if existing env vars match the
policy and if not then talk about how we might clean things up.

https://sourceware.org/glibc/wiki/TuningLibraryRuntimeBehavior
https://sourceware.org/glibc/wiki/EnvVarGuide
Cheers,
Carlos.
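As an added example (not code from this thread or from glibc), a minimal C sketch of the checked allocator the quoted message describes: each request gets its own mapping bracketed by PROT_NONE guard pages, with a 64-bit canary placed before and after the user block, so a small over- or underrun is caught when the canaries are checked and a larger one faults immediately on the protected page. The canary constant, the header layout and the guard_* function names are assumptions made for this example.

```c
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define CANARY 0x5EC0DEDC0FFEE5A5ULL   /* constructed value; a real build would randomise it per process */
struct guard_hdr { size_t map_len, user_len; };
/* Per request: [guard page][hdr ... hdr* | front canary | user | back canary][guard page].  A small
 * overrun smashes the back canary (found by guard_check); a larger one faults on the PROT_NONE page. */
void *guard_malloc(size_t n) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), c8 = sizeof(uint64_t);
    size_t usable = (sizeof(struct guard_hdr) + sizeof(void *) + 2 * c8 + 16 + n + pg - 1) / pg * pg;
    unsigned char *base = mmap(NULL, usable + 2 * pg, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + pg, usable, PROT_READ | PROT_WRITE)) { munmap(base, usable + 2 * pg); return NULL; }
    struct guard_hdr *h = (struct guard_hdr *)(base + pg);
    h->map_len = usable + 2 * pg; h->user_len = n;
    unsigned char *end = base + pg + usable;                 /* first byte of the trailing guard page */
    unsigned char *user = (unsigned char *)((uintptr_t)(end - c8 - n) & ~(uintptr_t)15);
    uint64_t c = CANARY; memcpy(user + n, &c, c8);           /* back canary (may be unaligned) */
    memcpy(user - c8, &c, c8);                               /* front canary */
    memcpy(user - c8 - sizeof h, &h, sizeof h);              /* pointer back to the header */
    return user;
}
/* 0 = intact, 1 = front canary smashed (underrun), 2 = back canary smashed (overrun). */
int guard_check(void *p) {
    unsigned char *u = p; struct guard_hdr *h; uint64_t f, b, c = CANARY;
    memcpy(&f, u - sizeof f, sizeof f); if (f != c) return 1;   /* header pointer behind it is untrusted */
    memcpy(&h, u - sizeof f - sizeof h, sizeof h);
    memcpy(&b, u + h->user_len, sizeof b);
    return b != c ? 2 : 0;
}
void guard_free(void *p) {
    struct guard_hdr *h; if (guard_check(p)) abort();   /* what a sanitising libc would do on a smashed canary */
    memcpy(&h, (unsigned char *)p - sizeof(uint64_t) - sizeof h, sizeof h);
    munmap((unsigned char *)h - (size_t)sysconf(_SC_PAGESIZE), h->map_len);
}
/* Constructed one-byte overrun and underrun against a 100-byte block; returns 0 when all checks pass. */
int guard_selftest(void) {
    char *p = guard_malloc(100), save;
    if (!p || ((uintptr_t)p & 15) || guard_check(p) != 0) return 1;
    memset(p, 'A', 100); save = p[100]; p[100] = 'X';        /* overrun by one byte */
    if (guard_check(p) != 2) return 2;
    p[100] = save; save = p[-1]; p[-1] = 'Y';                /* underrun by one byte */
    if (guard_check(p) != 1) return 3;
    p[-1] = save; if (guard_check(p) != 0) return 4;
    guard_free(p); return 0;
}
```

A real sanitised build would hook these checks into free() and realloc() rather than expose guard_check, and would randomise the canary at process start.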