On 9/12/25 14:41, Alexander Potapenko wrote:
On Fri, Sep 12, 2025 at 7:51 AM Jinchao Wang <wangjinchao...@gmail.com> wrote:
FYI: The current patchset contains lockdep issues due to the kprobe handler
running in NMI context. Please do not spend time reviewing this version.
Thanks.
--
Jinchao
Hi Jinchao,
In the next version, could you please elaborate more on the user
workflow of this tool?
It occurs to me that in order to detect the corruption the user has to
know precisely in which function the corruption is happening, which is
usually the hardest part.
Hi Alexander,
Thank you for the question. I agree with your observation about the
challenge of detecting stack corruption.
Stack corruption debugging typically involves three steps:
1. Detect the corruption
2. Find the root cause
3. Fix the issue
Your question addresses step 1, which is indeed a challenging
part. Currently, we have several approaches for detection:
- Compile with CONFIG_STACKPROTECTOR_STRONG to add stack canaries
and trigger __stack_chk_fail() on corruption
- Manual detection when local variables are unexpectedly modified
(though this is quite difficult in practice)
However, KStackWatch is specifically designed for step 2 rather than
step 1. Let me illustrate with a complex scenario:
In one actual case, the corruption path was:
- A calls B (the buggy function) through N1 call levels
- B stores its stack variable L1's address in P (through a global
variable or queue or list...)
- C (the victim) called by A through N2 levels, unexpectedly has a
canary or local variable L2 with the overlapping address with L1
- D uses P in a separate task (N3 call levels deep), which modifies
the value of L1, and L2 is corrupted
- C finds the corruption
The only clue might be identifying function D first, which then leads
us to B through P.
Key advantages of KStackWatch:
- Lightweight overhead that doesn't reduce reproduction probability
- Real-time capability to identify corruption exactly when it happens
- Precise location tracking of where corruptions occur
KStackWatch helps identify function D directly, bypassing the complex
call chains (N1, N2, N3) and intermediate functions. Once we locate D,
we can trace back through the corruption path and resolve the issue.
Does this clarify the tool's intended workflow?
--
Jinchao
