mismatch between type and bitfield width #4

Closed
yonghong-song opened this issue May 4, 2015 · 1 comment

Comments

@yonghong-song
Collaborator

I added the arp support in proto.h as below:

```
state ethernet {
  switch $ethernet.type {
    case 0x0800 {
      next proto::ip;
    };
    case 0x0806 {
      next proto::arp;
    };
    case 0x8100 {
      next proto::dot1q;
    };
    case * {
      goto EOP;
    };
  }
}

struct arp {
  u8 htype:16;
  u8 ptype:16;
  u32 hlen:8;
  u32 plen:8;
  u32 oper:16;
  u32 sha:48;
  u32 spa:32;
  u64 tha:48;
  u32 tpa:32;
};

state arp {
  goto EOP;
}
```

No compiler warning/error is given at this point.
Notice that there are some mismatches between type and bitfield width.
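The checker below is an added example, not code from bcc or from the issue author: it parses proto.h-style struct declarations such as the arp one above and reports every bitfield declared wider than its base type, the mismatch the frontend accepted without a diagnostic (a `u8 htype:16` can only hold 8 bits, so the parser would read fewer bits than the protocol defines and every later field offset shifts). The function names `check` and `total_bits` and the regexes are my own.

```python
"""Lint for proto.h-style packet-header structs (added example, not bcc code).

Parses ``struct NAME { TYPE FIELD[:BITS]; ... };`` declarations such as the
arp struct in the issue and reports every bitfield whose declared width is
larger than its base type, the mismatch the old frontend accepted silently.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Bit widths of the integer types used in the declarations.
TYPE_BITS = {"u8": 8, "u16": 16, "u32": 32, "u64": 64}

STRUCT_RE = re.compile(r"struct\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
FIELD_RE = re.compile(r"^(u8|u16|u32|u64)\s+(\w+)(?:\s*:\s*(\d+))?$")


@dataclass
class Field:
    struct: str
    name: str
    ctype: str
    width: int       # bitfield width, or the full type width if none given
    explicit: bool   # True when a ':BITS' suffix was present

    @property
    def type_bits(self) -> int:
        return TYPE_BITS[self.ctype]

    @property
    def overflows(self) -> bool:
        """True when the bitfield is wider than its base type can hold."""
        return self.explicit and self.width > self.type_bits


def parse_structs(text: str) -> list[Field]:
    """Extract every field of every struct declaration in `text`."""
    fields: list[Field] = []
    for m in STRUCT_RE.finditer(text):
        sname, body = m.group(1), m.group(2)
        for decl in body.split(";"):
            decl = " ".join(decl.split())  # collapse whitespace and newlines
            if not decl:
                continue
            fm = FIELD_RE.match(decl)
            if fm is None:
                raise ValueError(f"{sname}: cannot parse field {decl!r}")
            ctype, fname, bits = fm.groups()
            explicit = bits is not None
            width = int(bits) if explicit else TYPE_BITS[ctype]
            fields.append(Field(sname, fname, ctype, width, explicit))
    return fields


def check(text: str) -> list[str]:
    """One diagnostic per field whose bitfield width exceeds its type width."""
    return [
        f"{f.struct}.{f.name}: {f.ctype} holds {f.type_bits} bits, "
        f"bitfield declares {f.width}"
        for f in parse_structs(text)
        if f.overflows
    ]


def total_bits(text: str, struct: str) -> int:
    """Sum of declared widths for one struct, i.e. its intended wire size."""
    return sum(f.width for f in parse_structs(text) if f.struct == struct)


# The arp declaration from the issue, embedded here as the sample input.
ARP_DECL = """
struct arp {
  u8 htype:16;
  u8 ptype:16;
  u32 hlen:8;
  u32 plen:8;
  u32 oper:16;
  u32 sha:48;
  u32 spa:32;
  u64 tha:48;
  u32 tpa:32;
};
"""

if __name__ == "__main__":
    for msg in check(ARP_DECL):
        print("error:", msg)
    # 224 bits is the 28-byte ARP header for Ethernet/IPv4.
    print("declared size:", total_bits(ARP_DECL, "arp"), "bits")
```

Running it against the issue's declaration flags htype, ptype and sha; the declared widths still sum to the 224-bit ARP header, which is why the mismatch is invisible until the types are actually used.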

@drzaeus77
Collaborator

This is fixed with the clang frontend.

ekyooo added a commit to ekyooo/bcc that referenced this issue Feb 20, 2022
Add additional information and change format of backtrace
- add symbol base offset, dso name, dso base offset
- symbol and dso info is included if it's available in target binary
- changed format:
INDEX ADDR [SYMBOL+OFFSET] (MODULE+OFFSET)

Print backtrace of ip if it failed to get syms.

Before:
  # profile -d
      psiginfo
      vscanf
      __snprintf_chk
      [unknown]
      [unknown]
      [unknown]
      [unknown]
      [unknown]
      sd_event_exit
      sd_event_dispatch
      sd_event_run
      [unknown]
      __libc_start_main
      [unknown]
      -                systemd-journal (204)
          1

      xas_load
      xas_find
      filemap_map_pages
      __handle_mm_fault
      handle_mm_fault
      do_page_fault
      do_translation_fault
      do_mem_abort
      do_el0_ia_bp_hardening
      el0_ia
      xas_load
      --
  failed to get syms
      -                PmLogCtl (138757)
        1

After:
  # profile -d
      #0  0xffffffc01018b7e8 __arm64_sys_clock_nanosleep+0x0
      #1  0xffffffc01009a93c el0_svc_handler+0x34
      #2  0xffffffc010084a08 el0_svc+0x8
      #3  0xffffffc01018b7e8 __arm64_sys_clock_nanosleep+0x0
      --
      #4  0x0000007fa0bffd14 clock_nanosleep+0x94 (/usr/lib/libc-2.31.so+0x9ed14)
      #5  0x0000007fa0c0530c nanosleep+0x1c (/usr/lib/libc-2.31.so+0xa430c)
      #6  0x0000007fa0c051e4 sleep+0x34 (/usr/lib/libc-2.31.so+0xa41e4)
      #7  0x000000558a5a9608 flb_loop+0x28 (/usr/bin/fluent-bit+0x52608)
      #8  0x000000558a59f1c4 flb_main+0xa84 (/usr/bin/fluent-bit+0x481c4)
      #9  0x0000007fa0b85124 __libc_start_main+0xe4 (/usr/lib/libc-2.31.so+0x24124)
      #10 0x000000558a59d828 _start+0x34 (/usr/bin/fluent-bit+0x46828)
      -                fluent-bit (1238)
          1

      #0  0xffffffc01027daa4 generic_copy_file_checks+0x334
      #1  0xffffffc0102ba634 __handle_mm_fault+0x8dc
      #2  0xffffffc0102baa20 handle_mm_fault+0x168
      #3  0xffffffc010ad23c0 do_page_fault+0x148
      #4  0xffffffc010ad27c0 do_translation_fault+0xb0
      #5  0xffffffc0100816b0 do_mem_abort+0x50
      #6  0xffffffc0100843b0 el0_da+0x1c
      #7  0xffffffc01027daa4 generic_copy_file_checks+0x334
      --
  failed to get syms
      #8  0x0000007f8dc12648
      #9  0x0000007f8dc0aef8
      #10 0x0000007f8dc1c990
      #11 0x0000007f8dc08b0c
      #12 0x0000007f8dc08e48
      #13 0x0000007f8dc081c8
      -                PmLogCtl (2412)
          1

Signed-off-by: Eunseon Lee <es.lee@lge.com>
ekyooo added a commit to ekyooo/bcc that referenced this issue Feb 20, 2022
ekyooo added a commit to ekyooo/bcc that referenced this issue Mar 12, 2022
ekyooo added a commit to ekyooo/bcc that referenced this issue Mar 17, 2022
ekyooo added a commit to ekyooo/bcc that referenced this issue Mar 17, 2022
ekyooo added a commit to ekyooo/bcc that referenced this issue Apr 4, 2022
chenhengqi added a commit to chenhengqi/bcc that referenced this issue Apr 28, 2022
There are two pass managers in LLVM. Currently BCC uses the legacy one.
Switch to the new pass manager because the legacy one will be removed
in upcoming releases of LLVM.

Running the following script:
```

from bcc import BPF

bpf_text = '''
static int foobar()
{
    bpf_trace_printk("enter vfs_read");
    return 0;
}

KFUNC_PROBE(vfs_read)
{
    return foobar();
}
'''

BPF(text=bpf_text, debug=1)
```

The IR output is the same with or without this change using LLVM 15:

    ; ModuleID = 'sscanf'
    source_filename = "sscanf"
    ; ModuleID = '/virtual/main.c'
    source_filename = "/virtual/main.c"
    target datalayout = "e-m:e-p:64:64-i64:64-i128:128-n32:64-S128"
    target triple = "bpf-pc-linux"

    @_version = dso_local global i32 332032, section "version", align 4, !dbg !0
    @_license = dso_local global [4 x i8] c"GPL\00", section "license", align 1, !dbg !5
    @__const.foobar._fmt = private unnamed_addr constant [15 x i8] c"enter vfs_read\00", align 1
    @llvm.compiler.used = appending global [2 x ptr] [ptr @_license, ptr @_version], section "llvm.metadata"

    ; Function Attrs: alwaysinline nounwind
    define dso_local i32 @kfunc__vfs_read(ptr nocapture noundef readnone %0) local_unnamed_addr #0 section ".bpf.fn.kfunc__vfs_read" !dbg !33 {
    %2 = alloca [15 x i8], align 1
    call void @llvm.dbg.value(metadata ptr %0, metadata !39, metadata !DIExpression()), !dbg !41
    call void @llvm.dbg.value(metadata ptr undef, metadata !42, metadata !DIExpression()) #4, !dbg !45
    call void @llvm.lifetime.start.p0(i64 15, ptr nonnull %2) #4, !dbg !47
    call void @llvm.dbg.declare(metadata ptr %2, metadata !53, metadata !DIExpression()) #4, !dbg !58
    call void @llvm.memcpy.p0.p0.i64(ptr noundef nonnull align 1 dereferenceable(15) %2, ptr noundef nonnull align 1 dereferenceable(15) @__const.foobar._fmt, i64 15, i1 false) #4, !dbg !58
    %3 = call i32 (ptr, i64, ...) inttoptr (i64 6 to ptr)(ptr noundef nonnull %2, i64 noundef 15) #4, !dbg !59
    call void @llvm.lifetime.end.p0(i64 15, ptr nonnull %2) #4, !dbg !60
    call void @llvm.dbg.value(metadata i32 0, metadata !40, metadata !DIExpression()), !dbg !41
    ret i32 0, !dbg !61
    }

    ; Function Attrs: alwaysinline mustprogress nocallback nofree nosync nounwind readnone speculatable willreturn
    declare void @llvm.dbg.declare(metadata, metadata, metadata) #1

    ; Function Attrs: alwaysinline argmemonly mustprogress nocallback nofree nosync nounwind willreturn
    declare void @llvm.lifetime.start.p0(i64 immarg, ptr nocapture) #2

    ; Function Attrs: alwaysinline argmemonly mustprogress nocallback nofree nosync nounwind willreturn
    declare void @llvm.lifetime.end.p0(i64 immarg, ptr nocapture) #2

    ; Function Attrs: alwaysinline argmemonly mustprogress nofree nounwind willreturn
    declare void @llvm.memcpy.p0.p0.i64(ptr noalias nocapture writeonly, ptr noalias nocapture readonly, i64, i1 immarg) #3

    ; Function Attrs: alwaysinline mustprogress nocallback nofree nosync nounwind readnone speculatable willreturn
    declare void @llvm.dbg.value(metadata, metadata, metadata) #1

    attributes #0 = { alwaysinline nounwind "frame-pointer"="none" "min-legal-vector-width"="0" "no-jump-tables"="true" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" }
    attributes #1 = { alwaysinline mustprogress nocallback nofree nosync nounwind readnone speculatable willreturn }
    attributes #2 = { alwaysinline argmemonly mustprogress nocallback nofree nosync nounwind willreturn }
    attributes #3 = { alwaysinline argmemonly mustprogress nofree nounwind willreturn }
    attributes #4 = { nounwind }

    !llvm.dbg.cu = !{!2}
    !llvm.module.flags = !{!27, !28, !29, !30, !31}
    !llvm.ident = !{!32}

    !0 = !DIGlobalVariableExpression(var: !1, expr: !DIExpression())
    !1 = distinct !DIGlobalVariable(name: "_version", scope: !2, file: !14, line: 526, type: !26, isLocal: false, isDefinition: true)
    !2 = distinct !DICompileUnit(language: DW_LANG_C99, file: !3, producer: "Ubuntu clang version 15.0.0-++20220426083628+d738d4717f6d-1~exp1~20220426203725.435", isOptimized: true, runtimeVersion: 0, emissionKind: FullDebug, globals: !4, splitDebugInlining: false, nameTableKind: None)
    !3 = !DIFile(filename: "/virtual/main.c", directory: "/home/ubuntu/sources/bpf-next")
    !4 = !{!0, !5, !12}
    !5 = !DIGlobalVariableExpression(var: !6, expr: !DIExpression())
    !6 = distinct !DIGlobalVariable(name: "_license", scope: !2, file: !7, line: 26, type: !8, isLocal: false, isDefinition: true)
    !7 = !DIFile(filename: "/virtual/include/bcc/footer.h", directory: "")
    !8 = !DICompositeType(tag: DW_TAG_array_type, baseType: !9, size: 32, elements: !10)
    !9 = !DIBasicType(name: "char", size: 8, encoding: DW_ATE_signed_char)
    !10 = !{!11}
    !11 = !DISubrange(count: 4)
    !12 = !DIGlobalVariableExpression(var: !13, expr: !DIExpression())
    !13 = distinct !DIGlobalVariable(name: "bpf_trace_printk_", scope: !2, file: !14, line: 542, type: !15, isLocal: true, isDefinition: true)
    !14 = !DIFile(filename: "/virtual/include/bcc/helpers.h", directory: "")
    !15 = !DIDerivedType(tag: DW_TAG_pointer_type, baseType: !16, size: 64)
    !16 = !DISubroutineType(types: !17)
    !17 = !{!18, !19, !21, null}
    !18 = !DIBasicType(name: "int", size: 32, encoding: DW_ATE_signed)
    !19 = !DIDerivedType(tag: DW_TAG_pointer_type, baseType: !20, size: 64)
    !20 = !DIDerivedType(tag: DW_TAG_const_type, baseType: !9)
    !21 = !DIDerivedType(tag: DW_TAG_typedef, name: "u64", file: !22, line: 23, baseType: !23)
    !22 = !DIFile(filename: "include/asm-generic/int-ll64.h", directory: "/home/ubuntu/sources/bpf-next")
    !23 = !DIDerivedType(tag: DW_TAG_typedef, name: "__u64", file: !24, line: 31, baseType: !25)
    !24 = !DIFile(filename: "include/uapi/asm-generic/int-ll64.h", directory: "/home/ubuntu/sources/bpf-next")
    !25 = !DIBasicType(name: "unsigned long long", size: 64, encoding: DW_ATE_unsigned)
    !26 = !DIBasicType(name: "unsigned int", size: 32, encoding: DW_ATE_unsigned)
    !27 = !{i32 7, !"Dwarf Version", i32 4}
    !28 = !{i32 2, !"Debug Info Version", i32 3}
    !29 = !{i32 1, !"wchar_size", i32 4}
    !30 = !{i32 7, !"PIC Level", i32 2}
    !31 = !{i32 7, !"PIE Level", i32 2}
    !32 = !{!"Ubuntu clang version 15.0.0-++20220426083628+d738d4717f6d-1~exp1~20220426203725.435"}
    !33 = distinct !DISubprogram(name: "kfunc__vfs_read", scope: !34, file: !34, line: 23, type: !35, scopeLine: 23, flags: DIFlagPrototyped | DIFlagAllCallsDescribed, spFlags: DISPFlagDefinition | DISPFlagOptimized, unit: !2, retainedNodes: !38)
    !34 = !DIFile(filename: "/virtual/main.c", directory: "")
    !35 = !DISubroutineType(types: !36)
    !36 = !{!18, !37}
    !37 = !DIDerivedType(tag: DW_TAG_pointer_type, baseType: !25, size: 64)
    !38 = !{!39, !40}
    !39 = !DILocalVariable(name: "ctx", arg: 1, scope: !33, file: !34, line: 23, type: !37)
    !40 = !DILocalVariable(name: "__ret", scope: !33, file: !34, line: 23, type: !18)
    !41 = !DILocation(line: 0, scope: !33)
    !42 = !DILocalVariable(name: "ctx", arg: 1, scope: !43, file: !34, line: 23, type: !37)
    !43 = distinct !DISubprogram(name: "____kfunc__vfs_read", scope: !34, file: !34, line: 23, type: !35, scopeLine: 24, flags: DIFlagPrototyped | DIFlagAllCallsDescribed, spFlags: DISPFlagLocalToUnit | DISPFlagDefinition | DISPFlagOptimized, unit: !2, retainedNodes: !44)
    !44 = !{!42}
    !45 = !DILocation(line: 0, scope: !43, inlinedAt: !46)
    !46 = distinct !DILocation(line: 23, column: 1, scope: !33)
    !47 = !DILocation(line: 15, column: 5, scope: !48, inlinedAt: !57)
    !48 = distinct !DILexicalBlock(scope: !49, file: !34, line: 15, column: 3)
    !49 = distinct !DISubprogram(name: "foobar", scope: !34, file: !34, line: 13, type: !50, scopeLine: 14, flags: DIFlagAllCallsDescribed, spFlags: DISPFlagLocalToUnit | DISPFlagDefinition | DISPFlagOptimized, unit: !2, retainedNodes: !52)
    !50 = !DISubroutineType(types: !51)
    !51 = !{!18}
    !52 = !{!53}
    !53 = !DILocalVariable(name: "_fmt", scope: !48, file: !34, line: 15, type: !54)
    !54 = !DICompositeType(tag: DW_TAG_array_type, baseType: !9, size: 120, elements: !55)
    !55 = !{!56}
    !56 = !DISubrange(count: 15)
    !57 = distinct !DILocation(line: 25, column: 9, scope: !43, inlinedAt: !46)
    !58 = !DILocation(line: 15, column: 10, scope: !48, inlinedAt: !57)
    !59 = !DILocation(line: 15, column: 37, scope: !48, inlinedAt: !57)
    !60 = !DILocation(line: 15, column: 76, scope: !49, inlinedAt: !57)
    !61 = !DILocation(line: 23, column: 1, scope: !33)

Closes #3947.

References:
  [0]: https://llvm.org/docs/NewPassManager.html
  [1]: https://blog.llvm.org/posts/2021-03-26-the-new-pass-manager/

Signed-off-by: Hengqi Chen <chenhengqi@outlook.com>
yonghong-song pushed a commit that referenced this issue May 2, 2022
    !44 = !{!42}
    !45 = !DILocation(line: 0, scope: !43, inlinedAt: !46)
    !46 = distinct !DILocation(line: 23, column: 1, scope: !33)
    !47 = !DILocation(line: 15, column: 5, scope: !48, inlinedAt: !57)
    !48 = distinct !DILexicalBlock(scope: !49, file: !34, line: 15, column: 3)
    !49 = distinct !DISubprogram(name: "foobar", scope: !34, file: !34, line: 13, type: !50, scopeLine: 14, flags: DIFlagAllCallsDescribed, spFlags: DISPFlagLocalToUnit | DISPFlagDefinition | DISPFlagOptimized, unit: !2, retainedNodes: !52)
    !50 = !DISubroutineType(types: !51)
    !51 = !{!18}
    !52 = !{!53}
    !53 = !DILocalVariable(name: "_fmt", scope: !48, file: !34, line: 15, type: !54)
    !54 = !DICompositeType(tag: DW_TAG_array_type, baseType: !9, size: 120, elements: !55)
    !55 = !{!56}
    !56 = !DISubrange(count: 15)
    !57 = distinct !DILocation(line: 25, column: 9, scope: !43, inlinedAt: !46)
    !58 = !DILocation(line: 15, column: 10, scope: !48, inlinedAt: !57)
    !59 = !DILocation(line: 15, column: 37, scope: !48, inlinedAt: !57)
    !60 = !DILocation(line: 15, column: 76, scope: !49, inlinedAt: !57)
    !61 = !DILocation(line: 23, column: 1, scope: !33)

Closes #3947.

References:
  [0]: https://llvm.org/docs/NewPassManager.html
  [1]: https://blog.llvm.org/posts/2021-03-26-the-new-pass-manager/

Signed-off-by: Hengqi Chen <chenhengqi@outlook.com>
Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Oct 19, 2022
doublefree tool can detect double free on user space

Usage: doublefree [OPTION...]
Detect and report double free error.

Either -c or -p is a mandatory option
EXAMPLES:
    doublefree -p 1234             # Detect doublefree on process id 1234
    doublefree -c a.out            # Detect doublefree on a.out
    doublefree -c 'a.out arg'      # Detect doublefree on a.out with argument
    doublefree -c "a.out arg"    # Detect doublefree on a.out with argument

  -c, --command=COMMAND      Execute and trace the specified command
  -i, --interval=INTERVAL    Set interval in second to detect leak
  -p, --pid=PID              Set pid
  -T, --top=TOP              Report only specified amount of backtraces
  -v, --verbose              Verbose debug output
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report example:
$ ~/test/doublefree_generator &
[1] 48310
$ sudo ./doublefree -p 48310
Warn: Is this process alive? pid: 48310
Found double free...
Allocation happended on:
stack_id: 50292
        #1 0x0055b302c34219 foo
        #2 0x0055b302c341d0 main
        #3 0x007f5d6379dd90 __libc_init_first

First deallocation happended on:
stack_id: 57265
        #1 0x007f5d63819460 free
        #2 0x0055b302c341ea main
        #3 0x007f5d6379dd90 __libc_init_first

Second deallocation happended on:
stack_id: 2974
        #1 0x007f5d63819460 free
        #2 0x0055b302c342eb baz
        #3 0x0055b302c34200 main
        #4 0x007f5d6379dd90 __libc_init_first

Source code of test program:
$ cat Makefile
OBJ = doublefree_generator.o foobar.o baz.o
TARGET = doublefree_generator

all: clean $(TARGET)

$(TARGET): $(OBJ)
	gcc -o $@ $^

%.o: %.c
	gcc -c $< -o $@

clean:
	rm -f $(OBJ) $(TARGET)

$ cat doublefree_generator.c
#include <unistd.h>
#include "foobar.h"
#include "baz.h"

int main(int argc, char* argv[]) {
  sleep(50);
  int *val = foo();
  *val = 33;
  bar(val);
  *val = 84;
  baz(val);
  return 0;
}

$ cat foobar.h
#include <stdio.h>

int* foo();
void bar(int* p);

$ cat foobar.c
#include <stdlib.h>
#include "foobar.h"

int* foo() {
  return (int*)malloc(sizeof(int));
}

void bar(int* p) {
  printf("bar: %p\n", p);
  free(p);
}

$ cat baz.h
#include <stdio.h>

void baz(int* p);

$ cat baz.c
#include <stdlib.h>
#include <stdbool.h>
#include "baz.h"

void func(int* p) {
  while (true) {
    if (p != NULL) {
      printf("free %d\n", *p);
      free(p);
      break;
    }
  }
}

void baz(int* p) {
  printf("baz: %p\n", p);
  printf("bazz: %d\n", *p);
  func(p);
}
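The check the doublefree tool performs, modelled in user space as an added example (this is not the tool's own code): allocation and free events are replayed against a table of outstanding allocations, and a second free of a still-recorded address is reported with the allocation, first-free and second-free stack ids. The event stream, the address 0x5000 and the table size are constructed; the stack ids are the ones from the report above.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_TRACKED 64   /* constructed limit for the demo */

enum ev_kind { EV_ALLOC, EV_FREE };

/* One malloc()/free() event as the tool's uprobes would see it; stack_id stands
 * for the id of the call stack captured at that point. */
struct event {
    enum ev_kind kind;
    uintptr_t addr;
    unsigned stack_id;
};

/* Record of one allocation: live, or freed once with the freeing stack kept. */
struct slot {
    uintptr_t addr;
    unsigned alloc_stack, free_stack;
    int in_use, freed;
};

struct tracker {
    struct slot slots[MAX_TRACKED];
    unsigned double_frees;
};

/* want_free = 1 looks for an empty slot, otherwise for the record of addr. */
static struct slot *find_slot(struct tracker *t, uintptr_t addr, int want_free)
{
    for (int i = 0; i < MAX_TRACKED; i++)
        if (want_free ? !t->slots[i].in_use
                      : (t->slots[i].in_use && t->slots[i].addr == addr))
            return &t->slots[i];
    return NULL;
}

/* Feed one event; returns 1 when it is the second free of one allocation. */
int tracker_handle(struct tracker *t, const struct event *ev)
{
    struct slot *s = find_slot(t, ev->addr, 0);

    if (ev->kind == EV_ALLOC) {
        /* The allocator handing out an address again starts a new lifetime, so
         * the old record must not be used to judge a later free of it. */
        if (s)
            s->in_use = 0;
        s = find_slot(t, 0, 1);
        if (s)   /* table full: the allocation simply goes untracked */
            *s = (struct slot){ .addr = ev->addr, .alloc_stack = ev->stack_id, .in_use = 1 };
        return 0;
    }
    if (!s)
        return 0;   /* free of an address never seen allocated: not a double free */
    if (!s->freed) {
        s->freed = 1;
        s->free_stack = ev->stack_id;
        return 0;
    }
    t->double_frees++;
    printf("Found double free...\nAllocation happened on: stack_id %u\n"
           "First deallocation happened on: stack_id %u\n"
           "Second deallocation happened on: stack_id %u\n",
           s->alloc_stack, s->free_stack, ev->stack_id);
    return 1;
}

static unsigned replay(const struct event *evs, size_t n)
{
    struct tracker t;
    memset(&t, 0, sizeof t);
    for (size_t i = 0; i < n; i++)
        tracker_handle(&t, &evs[i]);
    return t.double_frees;
}

/* The page's test program: foo() allocates, bar() frees, baz() frees the same
 * pointer again. Address 0x5000 is constructed; stack ids are the report's. */
unsigned replay_doublefree_demo(void)
{
    const struct event evs[] = {
        { EV_ALLOC, 0x5000, 50292 }, { EV_FREE, 0x5000, 57265 }, { EV_FREE, 0x5000, 2974 },
    };
    return replay(evs, sizeof evs / sizeof evs[0]);   /* 1 */
}

/* The allocator recycling an address: two frees, but of two distinct lifetimes. */
unsigned replay_recycled_demo(void)
{
    const struct event evs[] = {
        { EV_ALLOC, 0x5000, 1 }, { EV_FREE, 0x5000, 2 },
        { EV_ALLOC, 0x5000, 3 }, { EV_FREE, 0x5000, 4 },
    };
    return replay(evs, sizeof evs / sizeof evs[0]);   /* 0 */
}
```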
ekyooo added a commit to ekyooo/bcc that referenced this issue Oct 22, 2022
…for -v option

Add additional information and change format of backtrace
- add symbol base offset, dso name, dso base offset
- symbol and dso info is included if it's available in target binary
- changed format:
INDEX ADDR [SYMBOL+OFFSET] (MODULE+OFFSET)

Print backtrace of ip if it failed to get syms.

Before:
  # offcputime -v
    psiginfo
    vscanf
    __snprintf_chk
    [unknown]
    [unknown]
    [unknown]
    [unknown]
    [unknown]
    sd_event_exit
    sd_event_dispatch
    sd_event_run
    [unknown]
    __libc_start_main
    [unknown]
    -                systemd-journal (204)
        1

    xas_load
    xas_find
    filemap_map_pages
    __handle_mm_fault
    handle_mm_fault
    do_page_fault
    do_translation_fault
    do_mem_abort
    do_el0_ia_bp_hardening
    el0_ia
    xas_load
    --
failed to get syms
      -                PmLogCtl (138757)
        1

After:
  # offcputime -v
    #0  0xffffffc01018b7e8 __arm64_sys_clock_nanosleep+0x0
    #1  0xffffffc01009a93c el0_svc_handler+0x34
    #2  0xffffffc010084a08 el0_svc+0x8
    #3  0xffffffc01018b7e8 __arm64_sys_clock_nanosleep+0x0
    --
    #4  0x0000007fa0bffd14 clock_nanosleep+0x94 (/usr/lib/libc-2.31.so+0x9ed14)
    #5  0x0000007fa0c0530c nanosleep+0x1c (/usr/lib/libc-2.31.so+0xa430c)
    #6  0x0000007fa0c051e4 sleep+0x34 (/usr/lib/libc-2.31.so+0xa41e4)
    #7  0x000000558a5a9608 flb_loop+0x28 (/usr/bin/fluent-bit+0x52608)
    #8  0x000000558a59f1c4 flb_main+0xa84 (/usr/bin/fluent-bit+0x481c4)
    #9  0x0000007fa0b85124 __libc_start_main+0xe4 (/usr/lib/libc-2.31.so+0x24124)
    #10 0x000000558a59d828 _start+0x34 (/usr/bin/fluent-bit+0x46828)
    -                fluent-bit (1238)
        1

    #0  0xffffffc01027daa4 generic_copy_file_checks+0x334
    #1  0xffffffc0102ba634 __handle_mm_fault+0x8dc
    #2  0xffffffc0102baa20 handle_mm_fault+0x168
    #3  0xffffffc010ad23c0 do_page_fault+0x148
    #4  0xffffffc010ad27c0 do_translation_fault+0xb0
    #5  0xffffffc0100816b0 do_mem_abort+0x50
    #6  0xffffffc0100843b0 el0_da+0x1c
    #7  0xffffffc01027daa4 generic_copy_file_checks+0x334
    --
    #8  0x0000007f8dc12648 [unknown]
    #9  0x0000007f8dc0aef8 [unknown]
    #10 0x0000007f8dc1c990 [unknown]
    #11 0x0000007f8dc08b0c [unknown]
    #12 0x0000007f8dc08e48 [unknown]
    #13 0x0000007f8dc081c8 [unknown]
    -                PmLogCtl (2412)
        1

Fixed: #3884
Signed-off-by: Eunseon Lee <es.lee@lge.com>
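A parser for the new backtrace format, added here as an example and not code from bcc: parse_frame splits one INDEX ADDR [SYMBOL+OFFSET] (MODULE+OFFSET) line into its fields, handling frames printed as [unknown] and frames with no module part, and summarize counts a dump's frames by how they resolved. The sample dump is a subset of the After output above; treating a set top address bit as a kernel frame is an assumption of this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* One frame of the "INDEX ADDR [SYMBOL+OFFSET] (MODULE+OFFSET)" format. */
struct frame {
    int index;
    uint64_t addr;
    char symbol[64];
    uint64_t sym_off;
    char module[128];
    uint64_t mod_off;
    int has_symbol;   /* 0 when the symbol was printed as [unknown] */
    int has_module;   /* 0 when no (MODULE+OFFSET) part was printed */
};

/* Returns 1 and fills *f for a frame line, 0 for every other line of the
 * output (the "--" separator, the "-  comm (pid)" line, the sample count). */
int parse_frame(const char *line, struct frame *f)
{
    unsigned long long addr, off;
    int n = 0;

    memset(f, 0, sizeof *f);
    if (sscanf(line, " #%d 0x%llx %63[^+ \n]%n", &f->index, &addr, f->symbol, &n) < 3)
        return 0;
    f->addr = addr;
    f->has_symbol = strcmp(f->symbol, "[unknown]") != 0;
    line += n;
    if (sscanf(line, "+0x%llx%n", &off, &n) == 1) {        /* SYMBOL+OFFSET */
        f->sym_off = off;
        line += n;
    }
    /* Module paths are assumed not to contain '+' or ')'. */
    if (sscanf(line, " (%127[^+)]+0x%llx)", f->module, &off) == 2) {
        f->mod_off = off;
        f->has_module = 1;
    }
    return 1;
}

struct summary { int kernel, user_resolved, user_unknown; };

/* Count a dump's frames by how they resolved. A frame whose address has the
 * top bit set is taken as a kernel frame (assumption: kernel half of the
 * address space, as on arm64 and x86-64). */
struct summary summarize(const char *dump)
{
    struct summary s = { 0, 0, 0 };
    char line[256];
    struct frame f;

    while (*dump) {
        size_t len = strcspn(dump, "\n");
        size_t copy = len < sizeof line ? len : sizeof line - 1;

        memcpy(line, dump, copy);
        line[copy] = '\0';
        if (parse_frame(line, &f)) {
            if (f.addr >> 63)
                s.kernel++;
            else if (f.has_module)
                s.user_resolved++;
            else
                s.user_unknown++;
        }
        dump += len;
        if (*dump == '\n')
            dump++;
    }
    return s;
}

/* Lines quoted from the After output above, kept as a constant for the demo. */
const char sample_dump[] =
    "    #0  0xffffffc01018b7e8 __arm64_sys_clock_nanosleep+0x0\n"
    "    #1  0xffffffc01009a93c el0_svc_handler+0x34\n"
    "    --\n"
    "    #4  0x0000007fa0bffd14 clock_nanosleep+0x94 (/usr/lib/libc-2.31.so+0x9ed14)\n"
    "    #7  0x000000558a5a9608 flb_loop+0x28 (/usr/bin/fluent-bit+0x52608)\n"
    "    #8  0x0000007f8dc12648 [unknown]\n"
    "    -                fluent-bit (1238)\n"
    "        1\n";

struct summary summarize_sample(void)
{
    return summarize(sample_dump);   /* kernel 2, user_resolved 2, user_unknown 1 */
}
```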
Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Oct 24, 2022
Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Oct 24, 2022
Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Oct 24, 2022
yonghong-song pushed a commit that referenced this issue Oct 27, 2022
…for -v option

Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Nov 7, 2022
doublefree tool can detect double free on user space

Usage: doublefree [OPTION...]
Detect and report double free error.

Either -c or -p is a mandatory option
EXAMPLES:
    doublefree -p 1234             # Detect doublefree on process id 1234
    doublefree -c a.out            # Detect doublefree on a.out
    doublefree -c 'a.out arg'      # Detect doublefree on a.out with argument
    doublefree -c "a.out arg"      # Detect doublefree on a.out with argument
    doublefree -k                  # Detect doublefree on kernel

  -k, --kernel               Kernel threads only (no user threads)
  -c, --command=COMMAND      Execute and trace the specified command
  -i, --interval=INTERVAL    Set interval in second to detect leak
  -p, --pid=PID              Set pid
  -T, --top=TOP              Report only specified amount of backtraces
  -v, --verbose              Verbose debug output
  -?, --help                 Give this help list
      --usage                Give a short usage message
  -V, --version              Print program version

Mandatory or optional arguments to long options are also mandatory or optional
for any corresponding short options.

Report example:
$ ~/test/doublefree_generator &
[1] 48310
$ sudo ./doublefree -p 48310
Warn: Is this process alive? pid: 48310
Found double free...
Allocation happended on:
stack_id: 50292
        #1 0x0055b302c34219 foo
        #2 0x0055b302c341d0 main
        #3 0x007f5d6379dd90 __libc_init_first

First deallocation happended on:
stack_id: 57265
        #1 0x007f5d63819460 free
        #2 0x0055b302c341ea main
        #3 0x007f5d6379dd90 __libc_init_first

Second deallocation happended on:
stack_id: 2974
        #1 0x007f5d63819460 free
        #2 0x0055b302c342eb baz
        #3 0x0055b302c34200 main
        #4 0x007f5d6379dd90 __libc_init_first

Source code of test program:
$ cat Makefile
OBJ = doublefree_generator.o foobar.o baz.o
TARGET = doublefree_generator

all: clean $(TARGET)

$(TARGET): $(OBJ)
	gcc -o $@ $^

%.o: %.c
	gcc -c $< -o $@

clean:
	rm -f $(OBJ) $(TARGET)

$ cat doublefree_generator.c
#include <unistd.h>
#include "foobar.h"
#include "baz.h"

int main(int argc, char* argv[]) {
  sleep(50);
  int *val = foo();
  *val = 33;
  bar(val);
  *val = 84;
  baz(val);
  return 0;
}

$ cat foobar.h
#include <stdio.h>

int* foo();
void bar(int* p);

$ cat foobar.c
#include <stdlib.h>
#include "foobar.h"

int* foo() {
  return (int*)malloc(sizeof(int));
}

void bar(int* p) {
  printf("bar: %p\n", p);
  free(p);
}

$ cat baz.h
#include <stdio.h>

void baz(int* p);

$ cat baz.c
#include <stdlib.h>
#include <stdbool.h>
#include "baz.h"

void func(int* p) {
  while (true) {
    if (p != NULL) {
      printf("free %d\n", *p);
      free(p);
      break;
    }
  }
}

void baz(int* p) {
  printf("baz: %p\n", p);
  printf("bazz: %d\n", *p);
  func(p);
}
Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Nov 7, 2022
Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Nov 9, 2022
Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Nov 21, 2022
Bojun-Seo added a commit to Bojun-Seo/bcc that referenced this issue Dec 21, 2023
Add doublefree tool to detect double free. It can currently detect user-level double
free errors and can be expanded to detect kernel-level double free
errors. The usage and an example follow.

Usage:

  $ ./doublefree --help
  Usage: doublefree [OPTION...]
  Detect and report double free error.

  -c or -p is a mandatory option
  EXAMPLES:
      doublefree -p 1234             # Detect doublefree on process id 1234
      doublefree -c a.out            # Detect doublefree on a.out
      doublefree -c 'a.out arg'      # Detect doublefree on a.out with argument
      doublefree -c "a.out arg"    # Detect doublefree on a.out with argument

    -c, --command=COMMAND      Execute and trace the specified command
    -i, --interval=INTERVAL    Set interval in second to detect leak
    -p, --pid=PID              Set pid
    -T, --top=TOP              Report only specified amount of backtraces
    -v, --verbose              Verbose debug output
    -?, --help                 Give this help list
        --usage                Give a short usage message
    -V, --version              Print program version

  Mandatory or optional arguments to long options are also mandatory or optional
  for any corresponding short options.

  Report bugs to https://github.com/iovisor/bcc/tree/master/libbpf-tools.

Example:

  $ cat doublefree_generator.c
  #include <unistd.h>
  #include <stdlib.h>

  int* foo() {
    return (int*)malloc(sizeof(int));
  }

  void bar(int* p) {
    free(p);
  }

  int main(int argc, char* argv[]) {
    sleep(50);            /* give the tracer time to attach */
    int *val = foo();
    *val = 33;
    bar(val);             /* first free */
    *val = 84;            /* write to memory that is already freed */
    bar(val);             /* second free of the same pointer */
    return 0;
  }

  $ gcc doublefree_generator.c
  $ ./a.out &
  [1] 5718
  $ sudo ./doublefree -p 5718
  2023-Dec-21 10:29:01 WARN Is this process alive? pid: 5718

  #1 Found double free...
  Allocation happended on stack_id: 19655
          #1 0x0000557abf0824 foo+0x10 (/home/bojun/test/doublefree_generator/a.out+0x824)
          #2 0x0000557abf0868 main+0x1c (/home/bojun/test/doublefree_generator/a.out+0x868)
          #3 0x00007f990b7780 (/usr/lib/aarch64-linux-gnu/libc.so.6+0x27780)
          #4 0x00007f990b7858 __libc_start_main+0x98 (/usr/lib/aarch64-linux-gnu/libc.so.6+0x27858)
          #5 0x0000557abf0730 _start+0x30 (/home/bojun/test/doublefree_generator/a.out+0x730)

  First deallocation happended on stack_id: 52798
          #1 0x00007f9911f614 free+0 (/usr/lib/aarch64-linux-gnu/libc.so.6+0x8f614)
          #2 0x0000557abf0880 main+0x34 (/home/bojun/test/doublefree_generator/a.out+0x880)
          #3 0x00007f990b7780 (/usr/lib/aarch64-linux-gnu/libc.so.6+0x27780)
          #4 0x00007f990b7858 __libc_start_main+0x98 (/usr/lib/aarch64-linux-gnu/libc.so.6+0x27858)
          #5 0x0000557abf0730 _start+0x30 (/home/bojun/test/doublefree_generator/a.out+0x730)

  Second deallocation happended on stack_id: 14228
          #1 0x00007f9911f614 free+0 (/usr/lib/aarch64-linux-gnu/libc.so.6+0x8f614)
          #2 0x0000557abf0894 main+0x48 (/home/bojun/test/doublefree_generator/a.out+0x894)
          #3 0x00007f990b7780 (/usr/lib/aarch64-linux-gnu/libc.so.6+0x27780)
          #4 0x00007f990b7858 __libc_start_main+0x98 (/usr/lib/aarch64-linux-gnu/libc.so.6+0x27858)
          #5 0x0000557abf0730 _start+0x30 (/home/bojun/test/doublefree_generator/a.out+0x730)
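The report above shows the three events a double-free detector has to correlate: the allocation, the first free and the offending second free, each with its own stack. As an added illustration (written for this page, not the bcc tool's source), the following C program models that bookkeeping in user space: a table keyed by chunk address records the allocation stack id, flips the chunk to a freed state on the first free, and flags any further free of the same address while the chunk is still in that state. Stack ids are plain integers standing in for the stack_id values the tool prints (the ones used in the replay are taken from the report above); the chunk address is a constructed sample, and the `on_alloc`/`on_free` names are this example's own.

```c
/* Added example: a user-space model of double-free detection logic.
 * Not the bcc doublefree tool's own code; stack ids are stand-ins for the
 * stack_id values the tool reports, and the sample address is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64

enum chunk_state { CHUNK_UNTRACKED, CHUNK_ALLOCATED, CHUNK_FREED };
enum free_result { FREE_OK, FREE_DOUBLE, FREE_UNKNOWN };

struct chunk {
    uintptr_t addr;
    enum chunk_state state;
    uint32_t alloc_stack_id;   /* stack recorded when the chunk was allocated */
    uint32_t free_stack_id;    /* stack recorded at the first free */
};

struct tracker {
    struct chunk chunks[MAX_TRACKED];
    size_t count;
    /* details of the most recently detected double free */
    uintptr_t df_addr;
    uint32_t df_alloc_stack, df_first_free_stack, df_second_free_stack;
};

static struct chunk *find_chunk(struct tracker *t, uintptr_t addr) {
    for (size_t i = 0; i < t->count; i++)
        if (t->chunks[i].addr == addr)
            return &t->chunks[i];
    return NULL;
}

void tracker_init(struct tracker *t) { memset(t, 0, sizeof *t); }

/* Record an allocation (the tool sees this on malloc's return). Returns 0,
 * or -1 when the fixed-size table is full. */
int on_alloc(struct tracker *t, uintptr_t addr, uint32_t stack_id) {
    struct chunk *c = find_chunk(t, addr);
    if (!c) {
        if (t->count == MAX_TRACKED)
            return -1;
        c = &t->chunks[t->count++];
        c->addr = addr;
    }
    /* A freed address handed out again by the allocator is a fresh chunk,
     * so a later free of it must not be misreported as a double free. */
    c->state = CHUNK_ALLOCATED;
    c->alloc_stack_id = stack_id;
    c->free_stack_id = 0;
    return 0;
}

/* Classify a free (the tool sees this on free's entry). */
enum free_result on_free(struct tracker *t, uintptr_t addr, uint32_t stack_id) {
    struct chunk *c = find_chunk(t, addr);
    if (!c || c->state == CHUNK_UNTRACKED)
        return FREE_UNKNOWN;          /* never saw the allocation */
    if (c->state == CHUNK_FREED) {    /* already freed once: double free */
        t->df_addr = addr;
        t->df_alloc_stack = c->alloc_stack_id;
        t->df_first_free_stack = c->free_stack_id;
        t->df_second_free_stack = stack_id;
        return FREE_DOUBLE;
    }
    c->state = CHUNK_FREED;
    c->free_stack_id = stack_id;
    return FREE_OK;
}

/* Replay the event sequence of doublefree_generator.c: one malloc in foo(),
 * free in bar(), free of the same pointer again. Returns 1 when the second
 * free is flagged. The stack ids are the ones from the report on this page. */
int replay_generator(struct tracker *t) {
    const uintptr_t val = (uintptr_t)0x55b302c3a2a0; /* constructed address */
    if (on_alloc(t, val, 19655) != 0)
        return 0;
    if (on_free(t, val, 52798) != FREE_OK)
        return 0;
    return on_free(t, val, 14228) == FREE_DOUBLE;
}

int main(void) {
    struct tracker t;
    tracker_init(&t);
    if (replay_generator(&t))
        printf("Found double free at %#lx: allocation stack %u, "
               "first free stack %u, second free stack %u\n",
               (unsigned long)t.df_addr, t.df_alloc_stack,
               t.df_first_free_stack, t.df_second_free_stack);
    return 0;
}
```

The state reset in `on_alloc` is the part worth noticing: allocators hand freed addresses back out, so a detector that only remembers "this address was freed once" produces false positives on the very next legitimate free of the reused block. The real tool does the equivalent correlation from uprobes on malloc/free and stores stack ids in a BPF stack map; this model keeps only the logic.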