From: Robert Ayrapetyan
Date: Sat, 23 Feb 2019 08:02:07 -0800
Subject: Re: ptrace: SIGTRAP and EXIT race
To: Konstantin Belousov
Cc: FreeBSD
In-Reply-To: <20190223113246.GH2420@kib.kiev.ua>
References: <20190222101026.GX2420@kib.kiev.ua> <20190223113246.GH2420@kib.kiev.ua>

raise(SIGSTOP) is not necessary - the child stops by itself on the first instruction after execve.

Let's see what's in these 700 lines of code:

- Read/Write memory (this is for Add/Remove breakpoints);
- TrapWait (main debugger cycle, handles threads being born/destroyed);
- Init/Launch/Attach - this is all necessary to bootstrap;
- GetNumLwps/GetLwpList - misc, you can't work with threads without these;
- Step/Continue - self-explanatory, you can't reproduce the BP issue without these functions;
- GetRegs/SetRegs/GetEip/SetEip - all are needed for the handling logic around BPs.

That's it! There is one more function - EntryPoint, it just retrieves the entry point from the executable, you can ignore it.
If you can do the same using less code (with all error checks in place) - perfect, but I'm afraid it will not be less than 500 lines. So if you don't like it - just don't do it, no one can force you to lol.

Thanks!

On Sat, Feb 23, 2019 at 3:32 AM Konstantin Belousov wrote:
> On Fri, Feb 22, 2019 at 03:57:49PM -0800, Robert Ayrapetyan wrote:
> > Hi, thanks for a prompt reply. Here are the instructions of how to
> > reproduce (sorry for the inconvenient way of specifying the BP address when
> > running the app):
> >
> > uname -a
> > FreeBSD XXX 12.0-RELEASE-p3 FreeBSD 12.0-RELEASE-p3 GENERIC amd64
> >
> > cd /tmp
> > git clone https://github.com/rayrapetyan/ptrace_bug_poc.git
> > cd ptrace_bug_poc
> > mkdir build
> > cd build
> > cmake ..
> > make
> >
> > Run ~20 times:
> >
> > /tmp/ptrace_bug_poc/build/src/ptrace_test/ptrace_test
> > /tmp/ptrace_bug_poc/build/src/mt_example/mt_example 0x201385
> >
> > -------
> > Note: make sure 0x201385 is a call to in
> > "/tmp/ptrace_bug_poc/build/src/mt_example/mt_example":
> > gdb /tmp/ptrace_bug_poc/build/src/mt_example/mt_example
> > disassemble foo
> > -------
> >
> > Wait for the appearance of:
> > "BOOM! Invalid BP hits counter (hits: 1, tid: XXXX)"
> > at the end of the output (most of the time it will be "SUCCESS")
> >
> ~700 lines of C++ code definitely do not fall under the 'minimal repro'
> spec. I do not want to read all of it.
>
> From looking at Debugger::Launch(), it seems that you missed the
> required debugger/child synchronization for PT_TRACE_ME. Typically the child
> does
> raise(SIGSTOP);
> immediately after PT_TRACE_ME, and the tracer must consume this signal.
> Otherwise the child continues the execution and might just execute the
> place where you intend to set a breakpoint. I may have missed the sync (or it
> might be done by other means in your code), because, as I said, I do not
> want to read 700 lines of C++.
>
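The two synchronization points the thread argues about, written out as an added example (this is not code from the thread, from Konstantin, or from the ptrace_bug_poc repository): the tracer forks a child that calls PT_TRACE_ME and then raise(SIGSTOP), as Konstantin describes; the tracer consumes that stop, continues, and then waits for the SIGTRAP the kernel reports once execve() has installed the new image, which is the stop Robert relies on. Only after that second stop is the new text mapped, so that is the earliest point at which a breakpoint in it can be written. The child program (`sh -c "exit 7"`), the PT_DATA macro that papers over the FreeBSD `int` versus Linux `void *` fourth argument, and the exit-code conventions are this example's own assumptions. glibc and musl export the PT_* request aliases, so the same source builds on FreeBSD and Linux.

```c
/*
 * Added example: PT_TRACE_ME tracer/tracee synchronization with both stops.
 * Not the thread's or ptrace_bug_poc's code. Assumptions: "sh" is on PATH,
 * and the PT_DATA/exit-code conventions below are this example's own.
 */
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* FreeBSD's ptrace(2) takes an int as 4th argument, Linux's a void *. */
#ifdef __FreeBSD__
#  define PT_DATA(x) ((int)(x))
#else
#  define PT_DATA(x) ((void *)(long)(x))
#endif

enum {
    SAW_SIGSTOP   = 1, /* stop from raise(SIGSTOP) right after PT_TRACE_ME */
    SAW_EXEC_TRAP = 2, /* SIGTRAP reported once execve() has completed     */
    SAW_EXIT      = 4, /* child ran to completion                          */
};

/* Exit code the child uses when ptrace(PT_TRACE_ME) itself fails, e.g. in a
 * sandbox that forbids ptrace or with security.bsd.unprivileged_proc_debug=0. */
#define CHILD_TRACEME_FAILED 125

/* Wait until the child stops with `sig`; any other stop is re-delivered with
 * PT_CONTINUE. Returns 0 on the expected stop, -1 if the child is gone. */
static int wait_for_stop(pid_t pid, int sig)
{
    int status;
    for (;;) {
        if (waitpid(pid, &status, 0) < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (!WIFSTOPPED(status))
            return -1;              /* exited or killed before stopping */
        if (WSTOPSIG(status) == sig)
            return 0;
        if (ptrace(PT_CONTINUE, pid, (void *)1, PT_DATA(WSTOPSIG(status))) < 0)
            return -1;
    }
}

/* Launch `sh -c "exit 7"` under the tracer and walk it through both stops.
 * Returns 1 if both stops were seen and the child exited with 7, 0 on an
 * unexpected sequence, -1 if the child terminated before its first stop
 * (tracing not permitted in this environment). */
int launch_traced(int *stops_seen, int *exit_code)
{
    int stops = 0, status;
    pid_t pid;

    *stops_seen = 0;
    *exit_code = -1;

    pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        /* Tracee: ask to be traced, then park until the tracer is ready.
         * Without the raise() the child would run straight into execve(). */
        if (ptrace(PT_TRACE_ME, 0, NULL, PT_DATA(0)) < 0)
            _exit(CHILD_TRACEME_FAILED);
        raise(SIGSTOP);
        execlp("sh", "sh", "-c", "exit 7", (char *)NULL);
        _exit(126);
    }

    /* 1. Consume the SIGSTOP the child raised after PT_TRACE_ME. The old
     *    image is still in place here; there is nothing to breakpoint yet. */
    if (wait_for_stop(pid, SIGSTOP) < 0)
        return -1;
    stops |= SAW_SIGSTOP;
    if (ptrace(PT_CONTINUE, pid, (void *)1, PT_DATA(0)) < 0)
        return 0;

    /* 2. The kernel stops the child again with SIGTRAP after execve().
     *    The new text is mapped now: a PT_WRITE_I of an int3 at the
     *    breakpoint address belongs here, before the next PT_CONTINUE. */
    if (wait_for_stop(pid, SIGTRAP) < 0)
        return 0;
    stops |= SAW_EXEC_TRAP;
    if (ptrace(PT_CONTINUE, pid, (void *)1, PT_DATA(0)) < 0)
        return 0;

    /* 3. Run to completion, forwarding any further signal stops. */
    for (;;) {
        if (waitpid(pid, &status, 0) < 0) {
            if (errno == EINTR)
                continue;
            return 0;
        }
        if (WIFEXITED(status)) {
            *exit_code = WEXITSTATUS(status);
            break;
        }
        if (WIFSIGNALED(status))
            return 0;
        if (ptrace(PT_CONTINUE, pid, (void *)1, PT_DATA(WSTOPSIG(status))) < 0)
            return 0;
    }
    stops |= SAW_EXIT;
    *stops_seen = stops;
    return *exit_code == 7 ? 1 : 0;
}

int main(void)
{
    int stops, code;
    int r = launch_traced(&stops, &code);
    printf("result=%d stops=0x%x exit_code=%d\n", r, stops, code);
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o ptrace_sync ptrace_sync.c` and run it unprivileged; a result of -1 means the environment refused PT_TRACE_ME rather than a bug in the sequence.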