Annotation of embedaddon/ntp/ElectricFence/libefence.3, revision 1.1
1.1 ! misho 1: .TH efence 3 27-April-1993
! 2: .SH NAME
! 3: efence \- Electric Fence Malloc Debugger
! 4: .SH SYNOPSIS
! 5: .nf
! 6: .ft B
! 7: #include <stdlib.h>
! 8: .ft
! 9: .fi
! 10: .LP
! 11: .nf
! 12: .ft B
! 13: void * malloc (size_t size);
! 14: .ft
! 15: .fi
! 16: .LP
! 17: .nf
! 18: .ft B
! 19: void free (void *ptr);
! 20: .ft
! 21: .fi
! 22: .LP
! 23: .nf
! 24: .ft B
! 25: void * realloc (void *ptr, size_t size);
! 26: .ft
! 27: .fi
! 28: .LP
! 29: .nf
! 30: .ft B
! 31: void * calloc (size_t nelem, size_t elsize);
! 32: .ft
! 33: .fi
! 34: .LP
! 35: .nf
! 36: .ft B
! 37: void * memalign (size_t alignment, size_t size);
! 38: .ft
! 39: .fi
! 40: .LP
! 41: .nf
! 42: .ft B
! 43: void * valloc (size_t size);
! 44: .ft
! 45: .fi
! 46: .LP
! 47: .nf
! 48: .ft B
! 49: extern int EF_ALIGNMENT;
! 50: .ft
! 51: .fi
! 52: .LP
! 53: .nf
! 54: .ft B
! 55: extern int EF_PROTECT_BELOW;
! 56: .ft
! 57: .fi
! 58: .LP
! 59: .nf
! 60: .ft B
! 61: extern int EF_PROTECT_FREE;
! 62: .ft
! 63: .fi
! 64: .SH DESCRIPTION
! 65: .I Electric Fence
! 66: helps you detect two common programming bugs:
! 67: software that overruns the boundaries of a malloc() memory
! 68: allocation, and software that touches a memory allocation that has been
! 69: released by free(). Unlike other malloc() debuggers, Electric Fence will
! 70: detect
! 71: .I read
! 72: accesses as well as writes, and it will pinpoint the exact instruction that
! 73: causes an error. It has been in use at Pixar since 1987, and at many other
! 74: sites for years.
! 75: .LP
! 76: Electric Fence uses the virtual memory hardware of your computer to place an
! 77: inaccessible memory page immediately after (or before, at the user's option)
! 78: each memory allocation. When software reads or writes this inaccessible page,
! 79: the
! 80: hardware issues a segmentation fault, stopping the program at the offending
! 81: instruction. It is then trivial to find the erroneous statement using your
! 82: favorite debugger. In a similar manner, memory that has been released by
! 83: free() is made inaccessible, and any code that touches it will get a
! 84: segmentation fault.
! 85: .LP
! 86: Simply linking your application with libefence.a will allow you to detect
! 87: most, but not all, malloc buffer overruns and accesses of free memory.
! 88: If you want to be reasonably sure that you've found
! 89: .I all
! 90: bugs of this type, you'll have to read and understand the rest of this
! 91: man page.
! 92: .SH USAGE
! 93: Link your program with the library
! 94: .B libefence.a .
! 95: Make sure you are
! 96: .I not
! 97: linking with
! 98: .B -lmalloc,
! 99: .B -lmallocdebug,
! 100: or with other malloc-debugger or malloc-enhancer libraries.
! 101: You can only use one at a time.
! 102: If your system administrator
! 103: has installed Electric Fence for public use, you'll be able to use the
! 104: .B -lefence
! 105: argument to the linker, otherwise you'll have to put the path-name for
! 106: .B libefence.a
! 107: in the linker's command line.
! 108: Some systems will require special arguments to the linker to assure that
! 109: you are using the Electric Fence malloc() and not the one from your C library.
! 110: On AIX systems, you may have to use the flags
! 111: .br
! 112: .B -bnso
! 113: .B -bnodelcsect
! 114: .B -bI:/lib/syscalls.exp
! 115: .br
! 116: On Sun systems running SunOS 4.X, you'll probably have to use
! 117: .B -Bstatic.
! 118: .LP
! 119: Run your program
! 120: .I using a debugger.
! 121: It's easier to work this way than to create a
! 122: .B core
! 123: file and post-mortem debug it. Electric Fence can create
! 124: .I huge
! 125: core files, and some operating systems will thus take minutes simply to dump
! 126: core! Some operating systems will not create usable core files from programs
! 127: that are linked with Electric Fence.
! 128: If your program has one of the errors detected by Electric Fence, it will
! 129: get a segmentation fault (SIGSEGV) at the offending instruction. Use the
! 130: debugger to locate the erroneous statement, and repair it.
! 131: .SH GLOBAL AND ENVIRONMENT VARIABLES
! 132: Electric Fence has four configuration switches that can be enabled via
! 133: the shell environment, or by setting the value of global integer variables
! 134: using a debugger. These switches change what bugs Electric Fence will detect,
! 135: so it's important that you know how to use them.
! 136: .TP
! 137: EF_ALIGNMENT
! 138: This is an integer that specifies the alignment for any memory allocations
! 139: that will be returned by malloc(), calloc(), and realloc().
! 140: The value is specified in
! 141: bytes, thus a value of 4 will cause memory to be aligned to 32-bit boundaries
! 142: unless your system doesn't have a 8-bit characters. EF_ALIGNMENT is set to
! 143: sizeof(int) by default, since that is generally the word-size of your CPU.
! 144: If your program requires that allocations be aligned to 64-bit
! 145: boundaries and you have a 32-bit
! 146: .B int
! 147: you'll have to set this value to 8. This is the case when compiling with the
! 148: .B -mips2
! 149: flag on MIPS-based systems such as those from SGI.
! 150: The memory allocation that is returned by Electric Fence malloc() is aligned
! 151: using the value in EF_ALIGNMENT, and
! 152: .I its size the multiple of
! 153: .I that value
! 154: that is greater than or equal to the requested size.
! 155: For this reason, you will sometimes want to set EF_ALIGNMENT to 0 (no
! 156: alignment), so that
! 157: you can detect overruns of less than your CPU's word size. Be sure to read
! 158: the section
! 159: .I WORD-ALIGNMENT AND OVERRUN DETECTION
! 160: in this manual page before you try this.
! 161: To change this value, set EF_ALIGNMENT in the shell environment to an
! 162: integer value, or assign
! 163: to the global integer variable EF_ALIGNMENT using a debugger.
! 164: .TP
! 165: EF_PROTECT_BELOW
! 166: Electric Fence usually places an inaccessible page immediately after each
! 167: memory allocation, so that software that runs past the end of the allocation
! 168: will be detected. Setting EF_PROTECT_BELOW to 1 causes Electric Fence
! 169: to place the inaccessible page
! 170: .I before
! 171: the allocation in the address space, so that under-runs will be detected
! 172: instead of over-runs.
! 173: When EF_PROTECT_BELOW is set, the EF_ALIGNMENT parameter is ignored.
! 174: All allocations will be aligned to virtual-memory-page boundaries, and
! 175: their size will be the exact size that was requested.
! 176: To change this value, set EF_PROTECT_BELOW in the shell environment to an
! 177: integer value, or assign to the global integer variable EF_PROTECT_BELOW using
! 178: a debugger.
! 179: .TP
! 180: EF_PROTECT_FREE
! 181: Electric Fence usually returns free memory to a pool from which it may be
! 182: re-allocated. If you suspect that a program may be touching free memory,
! 183: set EF_PROTECT_FREE to 1. This will cause Electric Fence to never re-allocate
! 184: memory once it has been freed, so that any access to free memory will be
! 185: detected. Some programs will use tremendous amounts of memory when this
! 186: parameter is set.
! 187: To change this value, set EF_PROTECT_FREE in the shell environment to an
! 188: integer value, or assign to the global integer variable EF_PROTECT_FREE using
! 189: a debugger.
! 190: .TP
! 191: EF_ALLOW_MALLOC_0
! 192: By default, Electric Fence traps calls to malloc() with a size of zero, because
! 193: they are often the result of a software bug. If EF_ALLOW_MALLOC_0 is non-zero,
! 194: the software will not trap calls to malloc() with a size of zero.
! 195: To change this value, set EF_ALLOC_MALLOC_0 in the shell environment to an
! 196: integer value, or assign to the global integer variable EF_ALLOC_MALLOC_0 using
! 197: a debugger.
! 198: .SH WORD-ALIGNMENT AND OVERRUN DETECTION
! 199: There is a conflict between the alignment restrictions that malloc() operates
! 200: under and the debugging strategy used by Electric Fence. When detecting
! 201: overruns, Electric Fence malloc() allocates two or more virtual memory
! 202: pages for each allocation. The last page is made inaccessible in such a way
! 203: that any read, write, or execute access will cause a segmentation fault.
! 204: Then, Electric Fence malloc() will return an address such that the first
! 205: byte after
! 206: the end of the allocation is on the inaccessible page.
! 207: Thus, any overrun
! 208: of the allocation will cause a segmentation fault.
! 209: .LP
! 210: It follows that the
! 211: address returned by malloc() is the address of the inaccessible page minus
! 212: the size of the memory allocation.
! 213: Unfortunately, malloc() is required to return
! 214: .I word-aligned
! 215: allocations, since many CPUs can only access a word when its address is aligned.
! 216: The conflict happens when software makes a memory allocation using a size that
! 217: is not a multiple of the word size, and expects to do word accesses to that
! 218: allocation. The location of the inaccessible page is fixed by hardware at
! 219: a word-aligned address. If Electric Fence malloc() is to return an aligned
! 220: address, it must increase the size of the allocation to a multiple of the
! 221: word size.
! 222: In addition, the functions memalign() and valloc() must honor explicit
! 223: specifications on the alignment of the memory allocation, and this, as well
! 224: can only be implemented by increasing the size of the allocation.
! 225: Thus, there will be situations in which the end of a memory allocation
! 226: contains some padding space, and accesses of that padding space will not
! 227: be detected, even if they are overruns.
! 228: .LP
! 229: Electric Fence provides the variable EF_ALIGNMENT so that the user can
! 230: control the default alignment used by malloc(), calloc(), and realloc().
! 231: To debug overruns as small as a single byte, you can set EF_ALIGNMENT to
! 232: zero. This will result in Electric Fence malloc() returning unaligned
! 233: addresses for allocations with sizes that are not a multiple of the word
! 234: size. This is not a problem in most cases, because compilers must pad the
! 235: size of objects so that alignment restrictions are honored when storing
! 236: those objects in arrays. The problem surfaces when software allocates
! 237: odd-sized buffers for objects that must be word-aligned. One case of this
! 238: is software that allocates a buffer to contain a structure and a
! 239: string, and the string has an odd size (this example was in a popular TIFF
! 240: library). If word references are made to un-aligned buffers, you will see
! 241: a bus error (SIGBUS) instead of a segmentation fault. The only way to fix
! 242: this is to re-write the offending code to make byte references or not make
! 243: odd-sized allocations, or to set EF_ALIGNMENT to the word size.
! 244: .LP
! 245: Another example of software incompatible with
! 246: EF_ALIGNMENT < word-size
! 247: is the strcmp() function and other string functions on SunOS (and probably
! 248: Solaris), which make word-sized accesses to character strings, and may
! 249: attempt to access up to three bytes beyond the end of a string. These
! 250: result in a segmentation fault (SIGSEGV). The only way around this is to
! 251: use versions of the string functions that perform byte references instead
! 252: of word references.
! 253: .SH INSTRUCTIONS FOR DEBUGGING YOUR PROGRAM
! 254: .TP
! 255: 1.
! 256: Link with libefence.a as explained above.
! 257: .TP
! 258: 2.
! 259: Run your program in a debugger and fix any overruns or accesses to free memory.
! 260: .TP
! 261: 3.
! 262: Quit the debugger.
! 263: .TP
! 264: 4.
! 265: Set EF_PROTECT_BELOW = 1 in the shell environment.
! 266: .TP
! 267: 5.
! 268: Repeat step 2, this time repairing underruns if they occur.
! 269: .TP
! 270: 6.
! 271: Quit the debugger.
! 272: .TP
! 273: 7.
! 274: Read the restrictions in the section on
! 275: .I WORD-ALIGNMENT AND OVERRUN DETECTION.
! 276: See if you can
! 277: set EF_ALIGNMENT to 0 and repeat step 2. Sometimes this will be too much work,
! 278: or there will be problems with library routines for which you don't have the
! 279: source, that will prevent you from doing this.
! 280: .SH MEMORY USAGE AND EXECUTION SPEED
! 281: Since Electric Fence uses at least two virtual memory pages for each of its
! 282: allocations, it's a terrible memory hog. I've sometimes found it necessary to
! 283: add a swap file using swapon(8) so that the system would have enough virtual
! 284: memory to debug my program. Also, the way we manipulate memory results in
! 285: various cache and translation buffer entries being flushed with each call
! 286: to malloc or free. The end result is that your program will be much slower
! 287: and use more resources while you are debugging it with Electric Fence.
! 288: .LP
! 289: Don't leave libefence.a linked into production software! Use it only
! 290: for debugging.
! 291: .SH PORTING
! 292: Electric Fence is written for ANSI C. You should be able to port it with
! 293: simple changes to the Makefile and to page.c,
! 294: which contains the memory management primitives .
! 295: Many POSIX platforms will require only a re-compile.
! 296: The operating system facilities required to port Electric Fence are:
! 297: .IP
! 298: A way to allocate memory pages
! 299: .br
! 300: A way to make selected pages inaccessible.
! 301: .br
! 302: A way to make the pages accessible again.
! 303: .br
! 304: A way to detect when a program touches an inaccessible page.
! 305: .br
! 306: A way to print messages.
! 307: .LP
! 308: Please e-mail me a copy of any changes you have to make, so that I can
! 309: merge them into the distribution.
! 310: .SH AUTHOR
! 311: Bruce Perens
! 312: .SH WARNINGS
! 313: I have tried to do as good a job as I can on this software, but I doubt
! 314: that it is even theoretically possible to make it bug-free.
! 315: This software has no warranty. It will not detect some bugs that you might
! 316: expect it to detect, and will indicate that some non-bugs are bugs.
! 317: Bruce Perens and/or Pixar will not be liable to any claims resulting
! 318: from the use of this software or the ideas within it.
! 319: The entire responsibility for its use must
! 320: be assumed by the user. If you use it and it results in loss of life
! 321: and/or property, tough. If it leads you on a wild goose chase and you waste
! 322: two weeks debugging something, too bad.
! 323: If you can't deal with the above, please don't use the software! I've written
! 324: this in an attempt to help other people, not to get myself sued or prosecuted.
! 325: .SH LICENSE
! 326: Copyright 1987-1995 Bruce Perens. All rights reserved.
! 327: .br
! 328: This program is free software; you can redistribute it and/or modify
! 329: it under the terms of the GNU General Public License, Version 2,
! 330: as published by the Free Software Foundation. A copy of this license is
! 331: distributed with this software in the file "COPYING".
! 332:
! 333: This program is distributed in the hope that it will be useful,
! 334: but WITHOUT ANY WARRANTY; without even the implied warranty of
! 335: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Read the
! 336: file "COPYING" for more details.
! 337: .SH CONTACTING THE AUTHOR
! 338: .nf
! 339: Bruce Perens
! 340: c/o Pixar
! 341: 1001 West Cutting Blvd., Suite 200
! 342: Richmond, CA 94804
! 343:
! 344: Telephone: 510-215-3502
! 345: Fax: 510-236-0388
! 346: Internet: Bruce@Pixar.com
! 347: .fi
! 348: .ft
! 349: .SH FILES
! 350: /dev/zero: Source of memory pages (via mmap(2)).
! 351: .SH SEE ALSO
! 352: malloc(3), mmap(2), mprotect(2), swapon(8)
! 353: .SH DIAGNOSTICS
! 354: Segmentation Fault: Examine the offending statement for violation of the
! 355: boundaries of a memory allocation.
! 356: .br
! 357: Bus Error: See the section on
! 358: .I WORD-ALIGNMENT AND OVERRUN DETECTION.
! 359: in this manual page.
! 360: .SH BUGS
! 361: My explanation of the alignment issue could be improved.
! 362: .LP
! 363: Some Sun systems running SunOS 4.1 are reported to signal an access to a
! 364: protected page with
! 365: .B SIGBUS
! 366: rather than
! 367: .B SIGSEGV,
! 368: I suspect this is an undocumented feature of a particular Sun hardware
! 369: version, not just the operating system.
! 370: On these systems, eftest will fail with a bus error until you modify the
! 371: Makefile to define
! 372: .B PAGE_PROTECTION_VIOLATED_SIGNAL
! 373: as
! 374: .B SIGBUS.
! 375: .LP
! 376: There are, without doubt, other bugs and porting issues. Please contact me via
! 377: e-mail if you have any bug reports, ideas, etc.
! 378: .SH WHAT'S BETTER
! 379: PURIFY, from Purify Systems, does a much better job than Electric Fence, and
! 380: does much more. It's available at this writing on SPARC and HP.
! 381: I'm not affiliated with Purify, I just think it's a wonderful product
! 382: and you should check it out.
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>