From: David Malcolm <dmalcolm@redhat.com>
To: Ian Rogers <irogers@google.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>, Jiri Olsa <jolsa@redhat.com>,
Ingo Molnar <mingo@kernel.org>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Mark Rutland <mark.rutland@arm.com>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Stephane Eranian <eranian@google.com>,
LKML <linux-kernel@vger.kernel.org>,
Andi Kleen <ak@linux.intel.com>
Subject: Re: [PATCH 05/11] perf parse-event: Fix memory leak in evsel->unit
Date: Tue, 15 Sep 2020 15:56:32 -0400 [thread overview]
Message-ID: <0679eacce01f187037e726a45e6acdacde61f99d.camel@redhat.com> (raw)
In-Reply-To: <CAP-5=fXwuS_GAjnQgBav=Ugc26OACimUmbhtAHbeThb_BEk0UQ@mail.gmail.com>
On Tue, 2020-09-15 at 11:59 -0700, Ian Rogers wrote:
> On Tue, Sep 15, 2020 at 5:19 AM Arnaldo Carvalho de Melo
> <acme@kernel.org> wrote:
> > Em Tue, Sep 15, 2020 at 12:18:13PM +0900, Namhyung Kim escreveu:
> > > The evsel->unit borrows a pointer of pmu event or alias instead
> > > of
> > > owns a string. But tool event (duration_time) passes a result of
> > > strdup() caused a leak.
> > >
> > > It was found by ASAN during metric test:
> >
> > Thanks, applied.
>
> Thanks Namhyung and Arnaldo, just to raise a meta point. A lot of the
> parse-events asan failures were caused by a lack of strdup causing
> frees of string literals. It seems we're now adding strdup
> defensively
> but introducing memory leaks. Could we be doing this in a smarter
> way?
> For C++ I'd likely use std::string and walk away. For perf code the
> best source of "ownership" I've found is to look at the "delete"
> functions and figure out ownership from what gets freed there - this
> can be burdensome. For strings, the code is also using strbuf and
> asprintf. One possible improvement could be to document ownership
> next
> to the struct member variable declarations. Another idea would be to
> declare a macro whose usage would look like:
>
> struct evsel {
> ...
> OWNER(char *name, "this");
> ...
> UNOWNED(const char *unit);
> ...
>
> Maybe then we could get a static analyzer to complain if a literal
> were assigned to an owned struct variable. Perhaps if a strdup were
> assigned to an UNOWNED struct variable perhaps it could warn too, as
> presumably the memory allocation is a request to own the memory.
>
> There was a talk about GCC's -fanalyzer option doing malloc/free
> checking at Linux plumbers 2 weeks ago:
> https://linuxplumbersconf.org/event/7/contributions/721/attachments/542/961/2020-LPC-analyzer-talk.pdf
> I added David Malcolm, the LPC presenter, as he may have ideas on how
> we could do this in a better way.
Hi Ian.
Some ideas (with the caveat that I'm a GCC developer, and not a regular
on LKML): can you capture the ownership status in the type system?
I'm brainstorming here but how about:
typedef char *owned_string_t;
typedef const char *borrowed_string_t;
This would at least capture the intent in human-readable form, and
*might* make things more amenable to checking by a machine. It's also
less macro cruft.
I take it that capturing the ownership status with a runtime flag next
to the pointer in a struct is too expensive for your code?
Some notes on -fanalyzer:
Caveat: The implementation of -fanalyzer in gcc 10 is an early
prototype and although it has found its first CVE I don't recommend it
for use "in anger" yet; I'm working on getting it more suitable for
general usage for C in gcc 11. (mostly scaling issues and other
bugfixing)
-fanalyzer associates state machines with APIs; one of these state
machines implements leak detection for malloc, along with e.g. double-
free detection. I'm generalizing this checker to other acquire/release
APIs: I have a semi-working patch under development (targeting GCC 11)
that exposes this via a fndecl attribute, currently named
"deallocated_by", so that fn decls can be labeled e.g.:
extern void foo_release (foo *);
extern foo *foo_acquire (void)
__attribute__((deallocated_by(foo_release));
and have -fanalyzer detect leaks, double-releases, use-after-release,
failure to check for NULL (alloc failure) etc.
Ultimately this attribute might land in the libc header for strdup (and
friends), but I can also special-case strdup so that the analyzer
"knows" that the result needs to be freed if non-NULL (and that it can
fail and return NULL).
Hope this is constructive
Dave
[...]
next prev parent reply other threads:[~2020-09-15 19:57 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-15 3:18 [PATCHSET v2 00/11] perf tools: Fix various memory leaks Namhyung Kim
2020-09-15 3:18 ` [PATCH 01/11] perf metric: Fix some " Namhyung Kim
2020-09-15 11:58 ` Arnaldo Carvalho de Melo
2020-09-15 3:18 ` [PATCH 02/11] perf metric: Fix some memory leaks - part 2 Namhyung Kim
2020-09-15 11:59 ` Arnaldo Carvalho de Melo
2020-09-15 3:18 ` [PATCH 03/11] perf evlist: Fix cpu/thread map leak Namhyung Kim
2020-09-15 3:18 ` [PATCH 04/11] perf parse-event: Fix cpu map leaks Namhyung Kim
2020-09-15 12:18 ` Arnaldo Carvalho de Melo
2020-09-15 14:39 ` Namhyung Kim
2020-09-15 16:51 ` Arnaldo Carvalho de Melo
2020-09-15 3:18 ` [PATCH 05/11] perf parse-event: Fix memory leak in evsel->unit Namhyung Kim
2020-09-15 12:19 ` Arnaldo Carvalho de Melo
2020-09-15 18:59 ` Ian Rogers
2020-09-15 19:56 ` David Malcolm [this message]
2020-09-16 7:12 ` Namhyung Kim
2020-09-16 18:37 ` Ian Rogers
2020-09-15 20:03 ` Arnaldo Carvalho de Melo
2020-09-15 3:18 ` [PATCH 06/11] perf test: Fix memory leaks in parse-metric test Namhyung Kim
2020-09-15 12:23 ` Arnaldo Carvalho de Melo
2020-09-15 3:18 ` [PATCH 07/11] perf metric: Release expr_parse_ctx after testing Namhyung Kim
2020-09-15 3:18 ` [PATCH 08/11] perf metric: Free metric when it failed to resolve Namhyung Kim
2020-09-15 12:24 ` Arnaldo Carvalho de Melo
2020-09-15 3:18 ` [PATCH 09/11] perf metric: Do not free metric when " Namhyung Kim
2020-09-15 3:18 ` [PATCH 10/11] perf test: Free aliases for PMU event map aliases test Namhyung Kim
2020-09-15 7:37 ` John Garry
2020-09-15 11:57 ` Arnaldo Carvalho de Melo
2020-09-15 3:18 ` [PATCH 11/11] perf test: Free formats for perf pmu parse test Namhyung Kim
2020-09-15 5:15 ` [PATCHSET v2 00/11] perf tools: Fix various memory leaks Ian Rogers
2020-09-15 14:49 ` Namhyung Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0679eacce01f187037e726a45e6acdacde61f99d.camel@redhat.com \
--to=dmalcolm@redhat.com \
--cc=a.p.zijlstra@chello.nl \
--cc=acme@kernel.org \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=eranian@google.com \
--cc=irogers@google.com \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=namhyung@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).