[PATCH] malloc tcache: Debugger now sees the address of the corrupted chunk.

DJ Delorie dj@redhat.com
Thu Dec 17 04:18:39 GMT 2020


Adder <adder.thief@gmail.com> writes:
> But perhaps the speed cost is lower than it appears.
> I have always been bad at evaluating time.
> I am going to think about a way to benchmark this.
> Suggestions are warmly welcome.

https://developers.redhat.com/blog/2016/03/11/practical-micro-benchmarking-with-ltrace-and-sched/

> In the meanwhile, could we also consider the following alternative?
>
>   if (e_next)
>     {
>       if (__glibc_unlikely (e_next->key != tcache))
>         please_crash_in_a_way_which_allows_debugger_to_print_e ();
>     }
>
> Advantages (YMMV):
>
>   - no (volatile T *), no (void), no other cast;
>   - easier to understand (even without "corrupted pointer" in mind);
>   - only loads, no stores;
>   - probability of e_next accidentally being valid and having a good key is low.

Note that it's checking the next ptr in one chunk, and the key in a
*different* chunk.  I think that's OK, corruption can happen anywhere,
except that the please_crash would need to decide which 'e' is the
relevant one for the message it's printing.

But I think we need to ask the larger glibc group if there's a preferred
idiom for "make this variable available to the debugger".


> Disadvantages:
>
>   - conditional jump;

That's what __glibc_unlikely() is for - it tells gcc to optimize the
conditional for the common path, often negating the costs of the jump
completely.

>> This is where malloc_printerr should be called.  Even if the data is
>> corrupt, this is what we do elsewhere in these cases.
>
> Purpose is to give "e" to the debugger (including the human debugger).
> In my testing (on x86_64), adding malloc_printerr here loses "e".
>
> For clarity and consistency with usage of malloc_printerr elsewhere,
> I wish to suggest adding a function malloc_printerr_4
> which is given the pointer to the string and 4 additional uint64_t args.

I was going to suggest passing a chunk_ptr to malloc_printerr as that's
what we usually have (or pass NULL if we don't).  We have macros to
convert tcache pointers to chunk pointers.
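
A runnable sketch of the two key-based checks discussed in this thread, added here as an example and not glibc's code or the patch under review: a simplified tcache entry, the double-free check on the free() side, the quoted `e_next->key` variant on the malloc() side, and a volatile global standing in for "make this variable available to the debugger". All names and the scenario are constructed for the example, and the crash path returns -1 instead of calling abort() so it can be exercised from a test.

```c
#include <stddef.h>
/* Simplified model of a tcache entry, constructed for this example (not glibc's code).
 * While a chunk sits in a tcache bin, key holds the per-thread tcache pointer. */
typedef struct tcache_entry { struct tcache_entry *next; void *key; } tcache_entry;
static tcache_entry *bin_head;               /* a single bin is enough here */
static char tcache_storage;
static void *const tcache = &tcache_storage; /* stand-in for the per-thread tcache pointer */

/* Global and volatile so the offending chunk is still readable in a debugger after the abort. */
volatile tcache_entry *malloc_corrupt_chunk;
/* Crash-path stand-in: records which 'e' the error refers to, then returns -1 where
 * real code would abort(), so the checks can be exercised from a test. */
static int please_crash_in_a_way_which_allows_debugger_to_print_e(tcache_entry *e) {
    malloc_corrupt_chunk = e;
    return -1;
}
/* free() side: a chunk that already carries the tcache key is being freed twice. */
int tcache_put(tcache_entry *e) {
    if (__builtin_expect(e->key == tcache, 0)) /* what __glibc_unlikely() expands to */
        return please_crash_in_a_way_which_allows_debugger_to_print_e(e);
    e->key = tcache;
    e->next = bin_head;
    bin_head = e;
    return 0;
}
/* malloc() side, the alternative quoted in the thread: the next pointer stored in 'e'
 * is validated by reading the key of the *other* chunk it points to. */
int tcache_get(tcache_entry **out) {
    tcache_entry *e = bin_head, *e_next;
    if (!e) return 1;                        /* bin empty */
    e_next = e->next;
    if (e_next && __builtin_expect(e_next->key != tcache, 0))
        return please_crash_in_a_way_which_allows_debugger_to_print_e(e);
    bin_head = e_next;
    e->key = NULL;
    *out = e;
    return 0;
}
/* Constructed scenario: free two chunks, free one again, then simulate a stray write that
 * clobbers the head chunk's next pointer. Returns 0 when both corruptions are caught. */
int run_scenario(void) {
    static tcache_entry chunk_a, chunk_b, stray; /* stray never carries the tcache key */
    tcache_entry *got;
    bin_head = NULL;
    if (tcache_put(&chunk_b) || tcache_put(&chunk_a)) return 1;
    if (tcache_put(&chunk_a) != -1 || malloc_corrupt_chunk != &chunk_a) return 2;
    chunk_a.next = &stray;
    if (tcache_get(&got) != -1 || malloc_corrupt_chunk != &chunk_a) return 3;
    return 0;
}
```

In a real build the crash path would call abort(); with the pointer parked in a global, `print malloc_corrupt_chunk` in gdb shows the chunk even after malloc_printerr has clobbered the locals.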
