[Lldb-commits] [PATCH] D37651: Fix for bug 34532 - A few rough corners related to post-mortem debugging (core/minidump)

Leonard Mosescu via lldb-commits lldb-commits at lists.llvm.org
Mon Sep 11 10:24:34 PDT 2017 

I think everyone is in agreement that input should be sanitized, and
ill-formed input should not trigger an abrupt termination if there's a way
to recover (which is not always feasible).

The conversation started around fail-fast for inconsistent and
unrecoverable state, where I think the math is very clear in this case.
Using one the the comments about the long-lasting debugging sessions as
example, let's say that we have a bug and the debugger state gets corrupted
after 1h of debugging:
1. debugger crashes immediately: lost 1h of debugging -> angry bug report
(or ideally automated bug report)
2. debugger limps along for a few more hours behaving erratically (not
necessarily in an obvious fashion)

a. developer gives up after many hours or debugging without understanding
what's going on

b. developer figures out that the debugger is unreliable

While it is choosing between two evils, I think #1 is clearly the right
choice: #2 results in more lost time and frustration, less chance of
getting a bug report and can result in a general impression that the
debugger is not to be trusted (which for a developer tool is infinitely
worse than an unstable tool)

--------------------------------------

Going back to the original fix, I think most observations are very
pertinent - yes, the result is not ideal. This is because the current
logic, changing the state in Process::Resume() before the whole operation
completes successfully is ... unfortunate. So here are the options I see:

1. Fix Process::Resume() so we only change the state late, after everything
succeds
2. Rollback state change if anything fails while resuming
3. Patch the specific case of "resume is not supported"
4. Do nothing

The proposed fix is #3, since it's the less intrusive (ie. doesn't change
the core resume logic) patch for a very specific and narrow case. IMO the
"right" fix is #1, but it seems a more radical change. #2 seems tempting in
terms of code changes, but I find it less compelling overall since
rollbacks are generally fragile if the code is not designed with that in
mind.

So, LLDB experts, what do you think? I'd be happy to go with #1 if someone
with experience in this area can review the change. Anything else that I
missed?

Thanks!






On Sun, Sep 10, 2017 at 1:52 PM, Jim Ingham via lldb-commits <
lldb-commits at lists.llvm.org> wrote:

>
> On Sep 9, 2017, at 7:38 PM, Zachary Turner <zturner at google.com> wrote:
>
> Sure, but reading a core file involves handling user input. Obviously that
> has to be sanitized and you can't crash on user input. I don't think
> there's ever been any disagreement about that. On the other hand, if you
> just type an expression in the debugger and expect an answer back, after
> clang says the ast is valid, the whole stack should be asserts all the way
> down, because everything is validated
>
>
> Yes, but even that ends up not matching with the facts on the ground,
> because the debug information for types as used by lldb has to be produced
> from debug info, and the debug info can be malformed and not infrequently
> is.  So at some point clang is going to ask for something that it assumes
> must always be available because if it had read the types in from header
> files it would have asserted at an early stage but when it is fed types
> from debug info incrementally - which is the only efficient way the
> debugger can do it - is going to cause something to look wrong at a point
> where that “shouldn’t be possible.”  clang's rigid structure means it can’t
> cope with this and will crash on something the user didn’t themselves get
> wrong.
>
> According to your classification, we should really consider debug
> information “user input” as well.  But that means we’re wiring “user input”
> into a pretty deep place in clang and you’d probably have to weaken your
> strict assert model to handle that. And it makes me wonder if there’s
> anything the debugger consumes that wouldn’t fall into this category?
>
> For instance, we also let plugins provide threads and their stacks, and we
> try pretty hard not to crash and burn if these plugins get it a little
> wrong.  So process state really needs to be treated as “user data” as
> well.  And since we use SPI’s for most of this info that we are pretty much
> the only clients of, they can be expected to be flakey as well, again a
> fact that we should not inflict on users of the debugger if we can help it.
>
> The answer of trying to do everything dangerous out of process I think
> will make a  slow and fragile architecture.  And while I agree with the
> llvm.org decision not to use C++ exceptions because they make reasoning
> about the program more difficult, replacing that with SIGSEGV as the
> exception mechanism of choice seems really weak.  You are not the first
> person to point out that we could use the crash-protected threads, but I’m
> remain very unenthusiastic about this approach...
>
> Moreover, there are a bunch of problematic areas in lldb, but I don’t
> think any of them are problematic for the reasons that you are describing
> here.  There are areas of weak memory management in the data formatters &
> some places where we don’t manage locking right in handling process stops &
> the reconstruction of program state after that, and those cause the vast
> majority of the infrequent but annoying crashes we see.  I don’t myself
> believe that putting in this assert everywhere architecture would pay off
> in reduced crashes to compensate for the brittleness it would introduce.
>
> Finally, and most crucially, no failure of any expression evaluation and
> no malformed type is worth taking down a debug session, and it’s our
> responsibility working on lldb to make sure it doesn't.  If the makes our
> job a little harder, so be it.  This was Jason’s point earlier, but it is
> worth reiterating because it makes lldb a very different kind of program
> from all the other programs in the suite collected under the llvm project.
> If the compiler gets into an inconsistent state compiling a source file,
> it’s fine for it to just exit.  It wasn’t going to do any more useful work
> anyway.  That is definitely NOT true of lldb, and makes reasonable the
> notion that general solutions that seem appropriate for the other tools are
> not appropriate for lldb.
>
>
> Jim
>
>
> On Sat, Sep 9, 2017 at 6:53 PM Jim Ingham <jingham at apple.com> wrote:
>
>> I think we are talking at cross purposes.  Seems to me you are saying “If
>> we can assert that the answers to questions I ask must always copacetic,
>> then we can express that in software, and that will make things so much
>> easier".  I’m saying "my experience of the data debuggers have to deal with
>> is such that assuming such assertions will lead you to over-react to such
>> errors.  Instead you should write your code so that if somebody gives you
>> bad data you don’t fall over allowing the people who called you to decide
>> how important the error was.”  Every core file that was written out by OS X
>> for years had a section that was ill-formed.  Asserting when you get an
>> ill-formed object file might seem a good way to ensure that you don’t have
>> to make guesses that might lead you astray.  But the people who need to
>> load core files on OS X are rightly unmoved by such arguments if lldb
>> disappears out from under them when reading in core files.
>>
>> Jim
>>
>>
>>
>> On Sep 9, 2017, at 1:31 PM, Zachary Turner <zturner at google.com> wrote:
>>
>>
>>
>> On Sat, Sep 9, 2017 at 12:04 PM Jim Ingham <jingham at apple.com> wrote:
>>
>>>
>>> I disagree here.  If you can reasonably unwind from an error you should
>>> do so even if you can’t figure out how you could have gotten an answer you
>>> didn’t expect.  If an API is returning a pointer to something you should
>>> assume it might return nullptr unless the API explicitly states otherwise.
>>>
>> But that's exactly what an assert is.  It's an explicit statement by the
>> API about what should happen.  Which is why by adding them liberally, these
>> assumptions can then be propagated all the way up through many layers of
>> the code, vastly simplifying the codebase.
>>
>> if you have
>>
>> void *foo(int x) {
>>   // do some stuff
>>
>>   assert(x < 0 || foo != nullptr);
>> }
>>
>> Then you're documenting that if x is greater than 0, the caller doesn't
>> need to check the return value for nullptr.  Now instead of this:
>>
>> void *bar(unsigned x) {
>>   void *ptr = foo(x);
>>   if (!ptr) {
>>     // log an error
>>     return nullptr;
>>   }
>>   return ptr;
>> }
>>
>> You just have
>>
>> void *bar(unsigned x) {
>>   void *ptr = foo(x);
>>   assert(x);
>>   return x;
>> }
>>
>> And now the caller of bar doesn't have to check either.  The code has
>> greatly reduced complexity due to the butterfly efflect of propagating
>> these assumptions up.
>>
>> This is a simple example but the point is that building assumptions into
>> your API is a good thing, because you can enforce them and it vastly
>> simplifies the code.
>>
>>
>>
>
> _______________________________________________
> lldb-commits mailing list
> lldb-commits at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-commits
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/lldb-commits/attachments/20170911/27f90b8b/attachment-0001.html>

More information about the lldb-commits mailing list