Florian Krohm [Sat, 16 Jan 2016 21:44:31 +0000 (21:44 +0000)]
In ML_(am_allocate_segname) do not set the reference count of the
slot to 1. Rather do that in add_segment which is where the segment
refering to that name actually comes into existence.
Properly handle the case in add_segment where the to-be-added segment
and one (or more) of the segments it replaces have the same name
This may occur when doing a mremap.
fix n-i-bz false positive leaks due to aspacemgr merging non heap segments with heap segments.
aspace mgr provides VG_(am_mmap_client_heap) that mmaps memory and
marks it as being client heap memory. Marking superblock segments used
for malloc/free as heap is critical for correct leak search: segments
mmap-ed for malloc/free cannot be considered as part of the root set.
On the other hand, other mmap-ed segments cannot be marked as client
heap, otherwise these segments will not be part of the root set, and
will not be scanned.
aspacemgr merges adjacent segments when they have the same characteristics
e.g. kind, RWX and isCH (is client heap) must be the same (see function
maybe_merge_nsegments).
However, VG_(am_mmap_client_heap) has a bug:
* it first mmaps a normal segment (not marked as heap) using
VG_(am_mmap_anon_float_client)
* it then searches the segment that contains the just mmap-ed address and
marks it as heap.
The problem is that VG_(am_mmap_anon_float_client) has already
possibly merged the new segment with a neighbour segment, without
taking the to be marked isCH into account, as the newly allocated memory
has not yet been marked as Client Heap. So, this results in some memory being
marked as client heap, while it in fact is not client heap. This
memory will then not be scanned by the leak search.
The fix consists in having VG_(am_mmap_anon_float_client) and
VG_(am_mmap_client_heap) calling a new function
am_mmap_anon_float_client, which will mark (or not) the new segment as
client heap *before* trying to merge it with neighbouring segments.
Then the new (heap) segment will only be merged with neighbours that are also
client heap segments.
Petar Jovanovic [Wed, 23 Dec 2015 18:48:18 +0000 (18:48 +0000)]
mips: update exp files for helgrind/tests/tc20_verifywrap
Some recent changes, starting from r15426, have modified the test and
its expected output. The exp files have been only partially updated for
MIPS. We complete that with this change.
Petar Jovanovic [Tue, 22 Dec 2015 16:06:07 +0000 (16:06 +0000)]
mips: update expected output for helgrind/tests/tc18_semabuse
r15620 changed the test and the expected output for tc18_semabuse,
r15630 fixed the expected output file for other architectures but not
for mips.
Now we update it for mips as well.
Ivo Raisr [Mon, 14 Dec 2015 20:14:44 +0000 (20:14 +0000)]
Fix expected output of massif/tests/mmapunmap on Solaris.
On Solaris and Linux, mmap() is an optimized function without
prologue and epilogue. However, Solaris libc does not currently
bear any DWARF CFI. Therefore stack chain unwinder grabs only
two entries: IP inside mmap() and return address from the previous
frame which points inside _start(), right after where main()
is invoked. By introducing an intermediate function f(), main()
is now visible in the stack trace even on Solaris.
n-i-bz
Fix massif --pages-as-heap=yes does not report peak caused by mmap+munmap
ms_unrecord_page_mem was wrongly taking the (possible) peak snapshot
when unrecording the last block.
But the peak snapshot will be detected when unrecording the first block
of an munmap, not when unrecording the last block.
Ivo Raisr [Fri, 4 Dec 2015 13:14:10 +0000 (13:14 +0000)]
Dwarf line info reader now correctly interprets 'is_stmt' register
Line numbers should correctly reflect all instructions belonging to a source line,
regardless of is_stmt value. Previously only instructions covered by
'is_stmt = 1' were attributed to a source line.
Petar Jovanovic [Thu, 26 Nov 2015 18:20:44 +0000 (18:20 +0000)]
mips: get isa level information from /proc/cpuinfo
Rewrite parts of VG_(parse_cpuinfo) (previously VG_(get_machine_model))
function to extract information on supported ISAs. These values are then
packed in hwcaps. This will help Valgrind better distinguish different MIPS
CPUs and raise illegal instructions when required.
Carl Love [Wed, 25 Nov 2015 17:48:25 +0000 (17:48 +0000)]
This is a fix to Bug 354797 which added the vbit test support for the
Power 8 instructions.
The patch for bug 354797 moved the declaration for rc outside of the
architecture #ifdef. This results in an message about rc being unused
on architectures other then s390 and powerpc. This commit eliminates
the issue by:
powerpc: move rc declaration into #ifdef for powerpc.
Remove tab, put in missing break.
s390: remove rc declaration from inside case statement. Put rc declaration
before the switch statement but within the #ifdef for s390 so it will
be declared for use in both case clauses.
Petar Jovanovic [Mon, 23 Nov 2015 15:35:54 +0000 (15:35 +0000)]
mips: improve recognition of different MIPS processors
Recognize correctly MIPS processors. Previously, for some of the cpu models,
Valgrind would incorrectly assume it is a regular MIPS model, as it would
find word MIPS in /proc/cpuinfo that came from "BogoMIPS" label.
Ivo Raisr [Sat, 21 Nov 2015 21:35:34 +0000 (21:35 +0000)]
Implement properly setjmp/longjmp on Solaris x86/amd64.
The default implementation provided by __builtin functions
does very weird things.
Uncovered by Philippe's commit r15716.
find_chunk_for has a special case for zero size block.
The special case was missing in the find_chunk_for_OLD.
So, when enabling the leak check debug, the following assert
is raised with ./vg-in-place ./memcheck/tests/leak-0
if you comment the lines (in find_chunk_for_OLD)
if (a_lo == a_hi)
a_hi++; // Special case for szB 0. See find_chunk_for.
and define VG_DEBUG_FIND_CHUNK
Fix incorrect (or infinite loop) unwind on RHEL7 x86 32 bits.
On RHEL7 x86 32 bits, Valgrind unwinder cannot properly unwind
the stack just after a thread creation : the unwinder always retrieves
the same pc/sp/bp.
See below for an example.
This has as consequences that some stack traces are bigger than
needed (i.e. they always fill up the ips array). If
--merge-recursive-frames is given, then the unwinder enters in an
infinite loop (as identical frames will be merged, and the ips array
will never be filled in).
Thi patch adds an additional exit condition : after unwinding
a frame, if the previous sp is >= new sp, then unwinding stops.
Patch has been tested on debian 8/x86, RHEL7/x86.
0x0417db67 <+55>: mov 0x18(%esp),%ebx
0x0417db6b <+59>: mov 0x28(%esp),%edi
0x0417db6f <+63>: mov $0x78,%eax
0x0417db74 <+68>: mov %ebx,(%ecx)
0x0417db76 <+70>: int $0x80
=> 0x0417db78 <+72>: pop %edi
0x0417db79 <+73>: pop %esi
0x0417db7a <+74>: pop %ebx
0x0417db7b <+75>: test %eax,%eax
Valgrind stacktrace gives:
==21261== at 0x417DB78: clone (clone.S:110)
==21261== by 0x424702F: ???
==21261== by 0x424702F: ???
==21261== by 0x424702F: ???
==21261== by 0x424702F: ???
==21261== by 0x424702F: ???
==21261== by 0x424702F: ???
==21261== by 0x424702F: ???
...
(till the array of ips is full)
while gdb stacktrace gives:
(gdb) bt
#0 clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:110
#1 0x00000000 in ?? ()
(gdb) p $pc
$2 = (void (*)()) 0x417db78 <clone+72>
(gdb)
With the fix, valgrind gives:
==21261== at 0x417DB78: clone (clone.S:110)
==21261== by 0x424702F: ???
which looks more reasonable.
Ivo Raisr [Wed, 18 Nov 2015 20:38:37 +0000 (20:38 +0000)]
When searching for global public symbols (like for the somalloc
synonym symbols), exclude the dynamic (runtime) linker as it is very
special.
Fixes BZ#355454
Mark Wielaard [Sun, 15 Nov 2015 16:50:43 +0000 (16:50 +0000)]
BZ#355188 valgrind should intercept all malloc related global functions.
This implements the interception of all globally public allocation
functions by default. It works by adding a flag to the spec to say the
interception only applies to global functions. Which is set for the
somalloc spec. The librarypath to match is set to "*" unless the user
overrides it. Then each DiSym keeps track of whether the symbol is local
or global. For a spec which has isGlobal set only isGlobal symbols will
match.
Note that because of padding to keep the addresses in DiSym aligned the
addition of the extra bool isGlobal doesn't actually grow the struct.
The comments explain how the struct could be made more compact on 32bit
systems, but this isn't as easy on 64bit systems. So I didn't try to do
that in this patch.
For ELF symbols keeping track of which are global is trivial. For pdb I
had to guess and made only the "Public" symbols global. I don't know
how/if macho keeps track of global symbols or not. For now I just mark
all of them local (which just means things work as previously on platforms
that use machos, no non-system symbols are matches by default for somalloc
unless the user explicitly tells which library name to match).
Included are two testcases for shared libraries (wrapmalloc) and staticly
linked (wrapmallocstatic) malloc/free overrides that depend on the new
default. One existing testcase (new_override) was adjusted to explicitly
not use the new somalloc default because it depends on a user defined
new implementation that has side-effects and should explicitly not be
intercepted.
Carl Love [Tue, 3 Nov 2015 17:48:04 +0000 (17:48 +0000)]
Add ISA 2.07 vbit test support
The ISA 2.07 support adds new Iops as well as support for some existing
Iops. None of these Iops have been enabled in the vbit tester. This commit
adds the needed support to the files in memcheck/tests/vbit-test.
These changes add support for additional immediate operands and additional
undefined bit checking functions.
There are additional changes to files VEX/priv/ir_inject.c and VEX/pub/libvex.h
that are in VEX commit 3202
Ivo Raisr [Thu, 29 Oct 2015 07:28:58 +0000 (07:28 +0000)]
ELF debug info reader was confused with multiple .rodata sections on Solaris
The ELF debug info reader on Solaris now performs a quick pre-scan of section
headers for .rodata sections. If there are multiple .rodata sections
present then symbols from .symtab are scanned which section they point to.
The "true" .rodata section is thus determined.
Fixes BZ#353802.
All memory dereferences during leak search are checked either with
aspacemgr or using the VA-bits.
So, in theory, no memory fault should occur.
However, the leak search is done so as to resist to e.g.
- desynchronisation between the real pages mapped and the aspacemgr state.
- client pages mprotected against reading
- any other reason why dereferencing a client address would fail.
So, the function lc_scan_memory installs a fault catcher that
is called if a memory fault signal is raised during memory scan.
However, memory dereference is also done in the function heuristic_reachedness.
So, this function must also resist to memory fault.
This patch also installs a fault catcher for the function heuristic_reachedness.
More in details, the following changes are done:
* pub_tool_signal.h and m_signals.c :
VG_(set_fault_catcher) now returns the previously set fault catcher.
This is needed so that heuristic_reachedness/lc_scan_memory can save
and restore the previous fault catcher.
* mc_leakcheck.c:
Addition of leak_search_fault_catcher that contains the common
code for the (currently 2) fault catchers used during leak search.
* Modification of heuristic_reachedness and lc_scan_memory:
Add 2 (small) specific fault catcher that are calling the common
leak_search_fault_catcher.
* The way sigprocmask is handled has been changed:
Before this patch, lc_scan_memory was saving/restoring the procsigmask
for each scanned block (and was restoring it when the fault catcher
was longjmp-ing back to lc_scan_memory in case of SEGV or BUS.
This was causing 2 system calls for each block scanned.
Now, lc_scan_memory and heuristic_reachedness are not saving/restoring
the procmask: the work to reset the sigprocmask is only done
in leak_search_fault_catcher. This is more efficient as no syscall
anymore is done during leak search, except for (normally) unfrequent
SIGSEGV/BUS. It is also simpler as signal handling is now done at
a single place.
It is ok to reset the procmask (in fact, just remove the caught signal
from the process sigmask) as during leak search, no other activity than
the leak search is on-going, and so no other SEGV/BUS can be received
while the handler runs.
This gives moderate speed improvements for applications allocating a lot of
blocks (about 10% improvement when leak searching in 1 million small blocks).
Test case (slightly modified) by Matthias Schwarzott.
m_replacemalloc/vg_replace_malloc.c:1286:1: warning: returning 'const char *' from a function with result type 'char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
ZONE_GET_NAME(VG_Z_LIBC_SONAME, malloc_get_zone_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
m_replacemalloc/vg_replace_malloc.c:1283:14: note: expanded from macro 'ZONE_GET_NAME'
return vg_default_zone.zone_name; \
^~~~~~~~~~~~~~~~~~~~~~~~~
m_replacemalloc/vg_replace_malloc.c:1287:1: warning: returning 'const char *' from a function with result type 'char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
ZONE_GET_NAME(SO_SYN_MALLOC, malloc_get_zone_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
m_replacemalloc/vg_replace_malloc.c:1283:14: note: expanded from macro 'ZONE_GET_NAME'
return vg_default_zone.zone_name; \
^~~~~~~~~~~~~~~~~~~~~~~~~
m_replacemalloc/vg_replace_malloc.c:1286:1: warning: returning 'const char *' from a function with result type 'char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
ZONE_GET_NAME(VG_Z_LIBC_SONAME, malloc_get_zone_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
m_replacemalloc/vg_replace_malloc.c:1283:14: note: expanded from macro 'ZONE_GET_NAME'
return vg_default_zone.zone_name; \
^~~~~~~~~~~~~~~~~~~~~~~~~
m_replacemalloc/vg_replace_malloc.c:1287:1: warning: returning 'const char *' from a function with result type 'char *' discards qualifiers [-Wincompatible-pointer-types-discards-qualifiers]
ZONE_GET_NAME(SO_SYN_MALLOC, malloc_get_zone_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
m_replacemalloc/vg_replace_malloc.c:1283:14: note: expanded from macro 'ZONE_GET_NAME'
return vg_default_zone.zone_name; \
^~~~~~~~~~~~~~~~~~~~~~~~~
Florian Krohm [Mon, 12 Oct 2015 20:35:56 +0000 (20:35 +0000)]
On a zEC12 or z13, a glibc with lock elision enabled infers from HWCAP
that the prerequisites for lock elision are met. Then it may use TBEGIN
and other transactional-execution instructions which are not implemented
by Valgrind. Likewise, the upcoming glibc 2.23 will exploit vector
instructions if they are advertised by HWCAP; and those are currently
not implemented by Valgrind either. In general, the increased use of
ifunc may lead to more such cases in the future.
This patch suppresses the advertising of those hardware features via
HWCAP which are either not known to Valgrind or currently unsupported.
Patch by Andreas Arnez (arnez@linux.vnet.ibm.com).
Fixes BZ #353680.
Make sure no executable stack gets created.
Explanation by Matthias Schwarzott:
The linker will request an executable stack as soon as at least one
object file, that is linked in, wants an executable stack.
And the absence of the
.section .note.GNU-stack."",@progbits
is enough to tell the linker that an executable stack is needed.
So even an empty asm-file must at least contain this statement to not
force executable stacks on the whole executable.
* Define a helper macro MARK_STACK_NO_EXEC that disables the
executable stack.
* Instantiate this macro unconditionally at the end of each asm file.
Ivo Raisr [Tue, 29 Sep 2015 18:57:56 +0000 (18:57 +0000)]
Move more complicated tests out of memcheck/tests/solaris/scalar_ioctl
to memcheck/tests/solaris/ioctl.
While at it, remove a fixed size buffer as reported by Florian Krohm.
n-i-bz
Followup to r14908 (BZ #342603).
Comparing the command byte with VKI_I2C_SMBUS_QUICK is like comparing
apples to carrots, it makes no sense. The command byte is unused for
quick transactions anyway so checking its value is pointless.
Patch by Jean Delvare <jdelvare@suse.de>.
Followup to r14908 (BZ #342603).
The first byte of the data array holds the length, so the actual data
length is the value of that byte plus one.
Patch by Jean Delvare <jdelvare@suse.de>.
Carl Love [Wed, 16 Sep 2015 23:33:40 +0000 (23:33 +0000)]
Add Power PC ISA check to the vbit-test
The support for the Valgrind Iops is dependent on the Power processor
support for various instructions. The instructions supported by a
given Power processor is based on the version of the ISA. The patch
add a check to the vbit-test to ensure it does not try to test an Iop
that generates an instruction on the host that is not supported.
Pick up 'egrep' and 'strings' from $PATH instead of using
hardwired absolute path names. People can always arrange $PATH
such that these tools are found.
Fixes BZ #294065. Patch by Austin English <austinenglish@gmail.com>
projects / thirdparty / valgrind.git / log
