| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Dec 2015 10:55:54 +0100
From: Ingo Molnar <mingo@...nel.org>
To: Peter Zijlstra <peterz@...radead.org>
Cc: "Wangnan (F)" <wangnan0@...wei.com>, Jiri Olsa <jolsa@...nel.org>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
David Ahern <dsahern@...il.com>,
Milian Wolff <milian.wolff@...b.com>,
linux-kernel@...r.kernel.org, pi3orama <pi3orama@....com>,
lizefan 00213767 <lizefan@...wei.com>
Subject: Re: [BUG REPORT] perf tools: x86_64: Broken calllchain when sampling
taken at 'callq' instruction
* Peter Zijlstra <peterz@...radead.org> wrote:
> On Tue, Dec 01, 2015 at 05:11:25PM +0100, Ingo Molnar wrote:
> >
> > * Peter Zijlstra <peterz@...radead.org> wrote:
> >
> > > > so I think the problem here is that the RSP does not match up to the RIP. We
> > > > can either pass along the original RIP+RSP, or the fixed up one - but what we
> > > > do currently is that we pass along only half of it - which corrupts dwarf
> > > > unwinding state that doesn't tolerate such errors.
> > >
> > > Still not sure what that gets you. Then you get a sample at a known wrong
> > > location, why would you want that?
> >
> > Well, we'd at least get a valid call trace - which the 'mixed' one isn't? I.e.
> > this only matters with --call-graph.
> >
> > But yeah, with my suggestion we'd essentially fall back from cycles:pp to
> > cycles:p, ideally we'd want to have real_rsp. Does the hardware provide that?
>
> No, no real_rsp.
>
> > User-space cannot compute that reliably I think, what if the 'real' instruction
> > was manipulating RSP in more complex ways than doing a CALL?
>
> I'm not really too aware of these asm details :/
So the way I understand it is that dwarf unwind relies on having consistent pairs
of {RIP,RSP}, to be able to look at the precise instruction, look up the debuginfo
what the function-internal stack offset at that instruction is (as there's no RBP
frame information available so the stack offset varies).
That method really relies on having precise {RIP,RSP} pairs - it may otherwise
lose its notion of where the next return address on the stack is, and the
backtrace goes off into la-la-land. I suppose such broken callchains were how
Wangnan noticed the problem?
( As a comparison, RBP based backtraces only rely on having an exact RBP available
as a starting point, that will define the next backtrace link and the next RBP
value. That is why we can do the backtrace walk in the kernel. )
There are other ways a dwarf unwind can fail: for example if there's no dwarf
debuginfo available for the binary in question, or if the stack snapshot we did is
too small to find the next link in the backtrace. But having an off-by-few RIP is
enough to throw the backtrace off at the very first step.
> Jiri, what is in PERF_SAMPLE_REGS_USER.IP ? from a quick reading that is
> whatever is returned from task_pt_regs(current), not the perf_data.regs.ip field
> which contains the corrected IP.
>
> Should the uwinder then not use PERF_SAMPLE_REGS_USER.{IP,SP} for a consistent
> unwind?
Yeah, if we have the real RIP belonging to that RSP value, then all should be
golden. That way the unwinder can find the next link. (If all the other conditions
for a successful backtrace are also there.)
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists