On Mon, Aug 4, 2025 at 11:43 AM Roberto A. Foglietta
<[email protected]> wrote:
> > I reproduced it. It's overzealous optimization. gcc just doesn't store
> > the pointer into *to_free,
> > because it can see that in all callers of the static function where
> > the store is done, the address
> > points to a local (on-stack) variable, therefore this variable is not
> > visible to any other thread,
> > and also the store can't alias with any global variables. And we are
> > in a NORETURN function,
> > so gcc can see the entire execution path until the program "ends".
> > So, the store looks "dead" to gcc and it eliminates it.
> >
> > I discovered this when an added debugging statement took the address
> > of the variable and passed
> > it to a printf. The conclusion that the store is "dead" became invalid
> > and the leak disappeared
> > (gcc no longer eliminated the store).
>
> Therefore a free() instead of a printf() that calls such a pointer
> variable, solves both the problems at once: free it, and call it into
> the scope avoiding the gcc over-optimisation. Right? ;-)

The free is called in the parent, after vforked child execs or exits.

What gcc sees is: "we have a pointer pointing to a local variable
in our caller. We store to it:

      *to_free = argv = xzalloc(...);

and never load it back, and never store its address
anywhere. Any other parallel thread can't see it.
Then we call a function which never returns
(bb_simple_error_msg_and_die), so we never return to the caller
which may have further code which uses the variable:

        execve(bb_busybox_exec_path, argv, pp);
        /* Fallback. Useful for init=/bin/hush usage etc */
        if (argv[0][0] == '/')
                execve(argv[0], argv, pp);
        xfunc_error_retval = 127;
        bb_simple_error_msg_and_die("can't re-execute the shell");

Therefore, the store is dead, and can be eliminated."
_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox
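
A constructed C reduction of the pattern described in this message, added here as an example and not taken from busybox or from the thread: a vfork child stores an allocation through a pointer into the parent's frame and then exits without returning. The function names, the sample string and the `volatile` qualifier used to keep the store alive are assumptions of this example, not the fix adopted by the project.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: allocate, publish the pointer in the caller's frame, never
 * return. Because the target is volatile-qualified, the store is an
 * observable side effect and the compiler may not discard it, even though
 * no load follows it on this path. (Hypothetical helper name.) */
static void child_publish_and_die(char *volatile *to_free)
{
    char *arg = malloc(64);              /* stands in for xzalloc(...) */
    if (arg)
        strcpy(arg, "constructed-arg");  /* constructed sample value */
    *to_free = arg;                      /* the store gcc judged dead */
    _exit(127);                          /* noreturn, like the failed re-exec path */
}

/* Parent side: returns 1 if the child's store was visible and the block was
 * freed, 0 if the store was lost (the leak), -1 on a vfork/waitpid error. */
int parent_sees_child_store(void)
{
    char *volatile to_free = NULL;       /* volatile: re-read after vfork returns */
    pid_t pid = vfork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        child_publish_and_die(&to_free); /* runs in the parent's address space */
    if (waitpid(pid, NULL, 0) != pid)
        return -1;
    char *p = to_free;
    if (!p)
        return 0;                        /* nothing to free: allocation leaked */
    int ok = strcmp(p, "constructed-arg") == 0;
    free(p);                             /* the free happens in the parent */
    return ok;
}

int main(void)
{
    printf("parent saw child's allocation: %d\n", parent_sees_child_store());
    return 0;
}
```

Without the `volatile` qualifiers the result depends on the compiler and optimization level, which is the behaviour the message describes.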
