New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tcmalloc large alloc crashes #245
Comments
FWIW, 18446744073661849600 == 0xFFFFFFFFFD282000 |
Did you mean you have a pcap to reproduce and just can't provide it (but maybe willing to dig on your own with hints) or don't have a pcap at all ? I'm a bit stumped by the stack, which ends in RVAS::Parse of the PE file analyzer. Here's a snip of generated code from my int RVAS::Parse(const_byteptr const t_begin_of_data, const_byteptr const t_end_of_data, int t_byteorder)
{
// Parse "rvas"
int t_rvas__arraylength;
t_rvas__arraylength = 0;
t_rvas__arraylength = num();
if ( t_rvas__arraylength < 0 )
{
throw binpac::ExceptionOutOfBound("RVAS:rvas",
t_rvas__arraylength, (t_end_of_data) - (t_begin_of_data));
}
// Check bounds for static-size array: RVAS:rvas
if ( t_begin_of_data + ((8) * (t_rvas__arraylength)) > t_end_of_data || t_begin_of_data + ((8) * (t_rvas__arraylength)) < t_begin_of_data )
throw binpac::ExceptionOutOfBound("RVAS:rvas",
((8) * (t_rvas__arraylength)), (t_end_of_data) - (t_begin_of_data));
rvas__elem_ = 0;
int t_rvas__elem__it;
t_rvas__elem__it = 0;
int t_rvas__size;
rvas_ = new vector<RVA *>;
rvas_->reserve(t_rvas__arraylength); The only allocation in this function seems to be that last line doing a I did happen to notice this possibly similar/related report: gperftools/gperftools#497. Not that it's necessarily the same thing, just that there's precedent for possible bugs in tcmalloc causing such an issue and so maybe worth testing if things are more stable without tcmalloc. |
Large mallocs don't generate a core file, so it is a little difficult for me to identify the stream / file that is causing this issue. I don't actually have a pcap or file that generates this issue. |
Have you tried using jemalloc to see if the problem exists there? I've been meaning to make a change for quite some time that switches to jemalloc by default. tcmalloc seems to have bitrotted in the past few years. It would be nice to know if the problem is in the PE analyzer or the allocator as Jon suggested. |
I rebuilt my development environment to use jemalloc and waited. We saw the same exact crash under jemalloc that we saw with tcmalloc. Unfortunately, jemalloc doesn't provide the nice stack that tcmalloc does, so I don't have much debug info to provide. |
The commits previously mentioned do address one potential way to end up with large allocations and they're in v2.6.2 now, so would be great to hear feedback if that version helps here. |
I'm still seeing large alloc crashes in the PE analyzer under 2.6.2...
|
@hosom if you're able to test, interested to know if this proposed patch has any effect: Can't say if it's directly related to this problem: a signed integer overflow is Undefined Behavior and hard to reason what sorts of weirdness to expect out of it, so best take it off the table before further troubleshooting. |
@hosom any feedback for whether the last binpac patch (it's also now in zeek/master branch) may help or alter the situation ? If not, maybe the only idea left to explore is trying to fuzz the PE analyzer to get a repro. In case the specific platform/compiler end up mattering, would be nice if you can give that version info. |
I’ll update to zeek/master on Monday morning and test.
I’ll get you compiler and platform info at the same time.
…On Thu, Jul 11, 2019 at 8:43 PM Jon Siwek ***@***.***> wrote:
@hosom <https://github.com/hosom> any feedback for whether the last
binpac patch (it's also now in zeek/master branch) may help or alter the
situation ?
If not, maybe the only idea left to explore is trying to fuzz the PE
analyzer to get a repro. In case the specific platform/compiler end up
mattering, would be nice if you can give that version info.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#245?email_source=notifications&email_token=ABGI53FUTI567LN7F6UH4VDP67HTPA5CNFSM4GQGSZVKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZYLHQQ#issuecomment-510702530>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABGI53GDBFPRA6WK7E36UMLP67HTPANCNFSM4GQGSZVA>
.
|
Installed master today. I'll report back on whether or not I see crashes. |
It's been a while and I have not seen a crash since I updated to master. It looks like the binpac patch may have been the solution here. |
Thanks for the feedback. Previously, what was the frequency of crashes (daily, weekly, etc.) ? Just trying to judge how likely it is to really be fixed. |
We were seeing these crashes several times a day at the highest frequency. We haven't seen one in 20 days or so. |
The binpac patch is now incorporated in v2.6.3. |
Since 2.6, I've noticed an increase in these crashes in my environments. I'm able to replicate it across several installations monitoring the same traffic. Unfortunately, I'm unable to provide a pcap of the issue.
I went ahead and printed all the symbols.
This may not be an issue with 2.6 specifically. I cannot confirm if the traffic pattern this is happening on was taking place prior to my 2.6 upgrade.
The text was updated successfully, but these errors were encountered: