Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 16 Jul 2021 17:06:48 -0500 (CDT)
From: Ariadne Conill <ariadne@...eferenced.org>
To: musl@...ts.openwall.com
cc: Timo Teras <timo.teras@....fi>
Subject: Re: option to enable eh_frame

Hello,

On Fri, 16 Jul 2021, Rich Felker wrote:

> On Fri, Jul 16, 2021 at 12:16:25PM +0300, Timo Teras wrote:
>> Hi,
>>
>> This has been discussed few times, and I know there are arguments also
>> not to do this. But at this time we at Alpine think the reasons to keep
>> eh_frame outweight the reasons to not include it.
>
> As explained on the tracker issue, what you'r requesting is a patch to
> make a configure option that changes the public interface contract of
> musl, making different interface contract profiles. This is not a
> change to be made lightly. There has been *some* consideration in the
> past for accepting this kind of option in the opposite direction:
> omitting large functionality that might not be needed in some contexts
> (like iconv), but where the default is to have it and omitting it is
> just a choice particular users can make for working in a very
> constrained environment. But if you add the option, you're essentially
> making "having it" the de facto default, even if configure has
> "disable" as the default. Once something is using it, there's an
> implicit requirement to have it.
>
> Honestly, proposing that it always be available (or configurable but
> on by default) would be less controversial than a configure option.
> I'd still be against it but at least some of the badness is gone.
>
>> Main arguments against .eh_frame being:
>>
>> 1) Having .eh_frame makes it seem like C++ exception throwing works
>>    through C-library functions (e.g. throwing exception form qsort
>>    callback to return over qsort back to application).
>>
>>    Counter arguments:
>>    - C++ exceptions is just one way to jump through musl functions.
>>      E.g. setjmp/longjmp can do that just fine even without .eh_frame
>>
>> 2) Having application unwind itself for backtrace printing purposes
>>    especially in signal handler is bad. This is agreed, but there's
>>    still other cases when unwinding is good for debugging, and other
>>    reasons. The fix for this root cause is to remove the unwinding from
>>    signal handlers.
>
> The debugger already can do debugging/unwinding because it has access
> to the debug information (if you've installed it) and there is a
> clear, understood-by-users contract that this information is not an
> inherent part of the program but something optional for external
> debugging tools only.
>
>> Arguments to have .eh_frame:
>>  - It allows debugging things even if musl-dbg is not or cannot be
>>    installed for some reason (e.g. gdb, valgrind), or is no longer
>>    available
>>  - libunwind/libexecinfo will start to work and give meaningful
>>    backtraces
>
> This is explicitly a reason not to. backtrace() considered harmful.
>
>>  - Continuous kernel based profiling (e.g. perf record -g dwarf) will
>>    work
>
> This already works if you have debug info.
>
>> Given that the main arguments against are either making UB crash, or
>> not the best fix, and keeping eh_frame enables useful features to work,
>> I think it would make sense to allow enabling it.
>>
>> Please consider the the attached patch to make it a configure option to
>> enable keeping eh_frame (defaulting still to not keeping it).
>
> You can solve this problem just as well for the things you want to
> have work by including the (part of) the debug info you want in the
> main libc.so binary: .debug_frame. Of course I can't stop Alpine from
> doing it in a different way locally, but I would strongly recommend
> you do that rather than making a contract that diverges from musl.

The problem is that Alpine users want backtrace(3) to work.  You consider 
it harmful, but users complain frequently.  We also want C++ exception 
throwing across libc boundary to work, but admittedly that is a lot harder 
to achieve.

I am concerned about the unilateral approach we have taken to enable 
backtrace(3) though, if we are forking the musl ABI, we probably will wind 
up forking the musl API too to add user-requested functionality.

We (Alpine) should consider whether we actually want this.  Historically, 
we have been able to find compromises that allow us to enable the user 
requests in a way that Rich finds acceptable.

Ariadne

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.