* feature/asan-gc-poisoning: Better memory checks using AddressSanitizer
@ 2022-12-05 20:35 Vibhav Pant
2022-12-17 20:08 ` Vibhav Pant
0 siblings, 1 reply; 4+ messages in thread
From: Vibhav Pant @ 2022-12-05 20:35 UTC (permalink / raw)
To: Emacs developers
As part of trying to debug the deluge of GC borks in
scratch/comp-static-data, I took a slight detour through Emacs' memory
management code and the sanity checks that it optionally comes with.
The changes in feature/asan-gc-poisoning attempt to augment the
latter, specifically when Emacs is built with '-fsanitize=address'.
When enabled, almost all memory management operations are instrumented
with calls to ASan's "(un)poisoning" functions, which allow ASan to
mark allocated but not freed addresses as "poisoned", triggering
errors whenever they have been accessed. The idea behind this is to
add another layer of checks against code that makes use of free lists
and arena based allocators, only allowing access to regions of the
memory that are actually intended to be accessible (aka "unpoisoned"
in ASan parlance) by non alloc-related C code. An instance of this is
any object on a free list, or a vectorlike with the type PVEC_FREE (we
do abort whenever we come across such a vector, but this ideally
catches the bug way earlier in the flow, and therefore closer to the
source of the actual problem). Additional documentation explaining
this feature is available both on src/alloc.c and the "Running Emacs
with address sanitization" section in etc/DEBUG.
The branch bootstraps successfully both with native-comp enabled and
disabled, and passes everything on the test suite on my machine.
Because enabling Address Sanitizer comes with a significant
performance + memory overhead, using it as a daily driver isn't
without a decent bit of sluggishness, although building with -O2 and
native compilation seems to help, at least a little.
I plan to get install this in `master` soon, so both feedback and
testing from other users would be greatly appreciated. The current
codebase quite likely does everything alloc related correctly, so an
ASan error might be indicative of a snag in this branch instead of
Emacs itself (fingers crossed for the opposite, however :)).
Thanks,
Vibhav
--
Vibhav Pant
vibhavp@gmail.com
GPG: 7ED1 D48C 513C A024 BE3A 785F E3FB 28CB 6AB5 9598
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: feature/asan-gc-poisoning: Better memory checks using AddressSanitizer
2022-12-05 20:35 feature/asan-gc-poisoning: Better memory checks using AddressSanitizer Vibhav Pant
@ 2022-12-17 20:08 ` Vibhav Pant
2022-12-17 20:24 ` Eli Zaretskii
0 siblings, 1 reply; 4+ messages in thread
From: Vibhav Pant @ 2022-12-17 20:08 UTC (permalink / raw)
To: Emacs developers
[-- Attachment #1: Type: text/plain, Size: 2352 bytes --]
Unless there are any objections, I plan to merge this branch into master
today.
Thanks,
Vibhav
Vibhav Pant
vibhavp@gmail.com
On Tue, Dec 6, 2022, 02:05 Vibhav Pant <vibhavp@gmail.com> wrote:
> As part of trying to debug the deluge of GC borks in
> scratch/comp-static-data, I took a slight detour through Emacs' memory
> management code and the sanity checks that it optionally comes with.
> The changes in feature/asan-gc-poisoning attempt to augment the
> latter, specifically when Emacs is built with '-fsanitize=address'.
>
> When enabled, almost all memory management operations are instrumented
> with calls to ASan's "(un)poisoning" functions, which allow ASan to
> mark allocated but not freed addresses as "poisoned", triggering
> errors whenever they have been accessed. The idea behind this is to
> add another layer of checks against code that makes use of free lists
> and arena based allocators, only allowing access to regions of the
> memory that are actually intended to be accessible (aka "unpoisoned"
> in ASan parlance) by non alloc-related C code. An instance of this is
> any object on a free list, or a vectorlike with the type PVEC_FREE (we
> do abort whenever we come across such a vector, but this ideally
> catches the bug way earlier in the flow, and therefore closer to the
> source of the actual problem). Additional documentation explaining
> this feature is available both on src/alloc.c and the "Running Emacs
> with address sanitization" section in etc/DEBUG.
>
> The branch bootstraps successfully both with native-comp enabled and
> disabled, and passes everything on the test suite on my machine.
> Because enabling Address Sanitizer comes with a significant
> performance + memory overhead, using it as a daily driver isn't
> without a decent bit of sluggishness, although building with -O2 and
> native compilation seems to help, at least a little.
> I plan to get install this in `master` soon, so both feedback and
> testing from other users would be greatly appreciated. The current
> codebase quite likely does everything alloc related correctly, so an
> ASan error might be indicative of a snag in this branch instead of
> Emacs itself (fingers crossed for the opposite, however :)).
>
> Thanks,
> Vibhav
> --
> Vibhav Pant
> vibhavp@gmail.com
> GPG: 7ED1 D48C 513C A024 BE3A 785F E3FB 28CB 6AB5 9598
>
[-- Attachment #2: Type: text/html, Size: 3057 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: feature/asan-gc-poisoning: Better memory checks using AddressSanitizer
2022-12-17 20:08 ` Vibhav Pant
@ 2022-12-17 20:24 ` Eli Zaretskii
2022-12-18 14:59 ` Vibhav Pant
0 siblings, 1 reply; 4+ messages in thread
From: Eli Zaretskii @ 2022-12-17 20:24 UTC (permalink / raw)
To: Vibhav Pant; +Cc: emacs-devel
> From: Vibhav Pant <vibhavp@gmail.com>
> Date: Sun, 18 Dec 2022 01:38:33 +0530
>
> Unless there are any objections, I plan to merge this branch into master today.
No objections, but please make the ASAN_POISON_* functions macros that
expand either to corresponding asan_poison_* functions or to nothing,
depending on whether GC_ASAN_POISON_* is defined. That's because I'd
like to avoid unnecessary overhead of a function call in a "normal"
build without optimizations.
Thanks.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: feature/asan-gc-poisoning: Better memory checks using AddressSanitizer
2022-12-17 20:24 ` Eli Zaretskii
@ 2022-12-18 14:59 ` Vibhav Pant
0 siblings, 0 replies; 4+ messages in thread
From: Vibhav Pant @ 2022-12-18 14:59 UTC (permalink / raw)
To: Eli Zaretskii; +Cc: emacs-devel
[-- Attachment #1: Type: text/plain, Size: 713 bytes --]
On Sat, 2022-12-17 at 22:24 +0200, Eli Zaretskii wrote:
> > From: Vibhav Pant <vibhavp@gmail.com>
> > Date: Sun, 18 Dec 2022 01:38:33 +0530
> >
> > Unless there are any objections, I plan to merge this branch into
> > master today.
>
> No objections, but please make the ASAN_POISON_* functions macros
> that
> expand either to corresponding asan_poison_* functions or to nothing,
> depending on whether GC_ASAN_POISON_* is defined. That's because I'd
> like to avoid unnecessary overhead of a function call in a "normal"
> build without optimizations.
>
> Thanks.
Sure, Eli.
Thanks,
Vibhav
--
Vibhav Pant
vibhavp@gmail.com
GPG: 7ED1 D48C 513C A024 BE3A 785F E3FB 28CB 6AB5 9598
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-12-18 14:59 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-05 20:35 feature/asan-gc-poisoning: Better memory checks using AddressSanitizer Vibhav Pant
2022-12-17 20:08 ` Vibhav Pant
2022-12-17 20:24 ` Eli Zaretskii
2022-12-18 14:59 ` Vibhav Pant
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).