# msgid "" msgstr "" msgid "" "title: \"ANN: fallible - Fault injection library for stress-testing failure " "scenarios\"" msgstr "" msgid "date: 2021-02-16" msgstr "" msgid "layout: post" msgstr "" msgid "lang: en" msgstr "" msgid "" "ref: ann-fallible-fault-injection-library-for-stress-testing-failure-" "scenarios" msgstr "" msgid "" "Yesterday I pushed v0.1.0 of [fallible](https://fallible.euandreh.xyz), a " "miniscule library for fault-injection and stress-testing C programs." msgstr "" msgid "Existing solutions" msgstr "" msgid "" "Writing robust code can be challenging, and tools like static analyzers, " "fuzzers and friends can help you get there with more certainty. As I would " "try to improve some of my C code and make it more robust, in order to handle" " system crashes, filled disks, out-of-memory and similar scenarios, I didn't" " find existing tooling to help me get there as I expected to find. I " "couldn't find existing tools to help me explicitly stress-test those failure" " scenarios." msgstr "" msgid "" "Take the \"[Writing Robust " "Programs](https://www.gnu.org/prep/standards/standards.html#Semantics)\" " "section of the GNU Coding Standards:" msgstr "" msgid "" "Check every system call for an error return, unless you know you wish to " "ignore errors. (...) Check every call to malloc or realloc to see if it " "returned NULL." msgstr "" msgid "" "From a robustness standpoint, this is a reasonable stance: if you want to " "have a robust program that knows how to fail when you're out of memory and " "`malloc` returns `NULL`, than you ought to check every call to `malloc`." msgstr "" msgid "Take a sample code snippet for clarity:" msgstr "" msgid "" "At a first glance, this code is unsafe: if any of the calls to `malloc` " "returns `NULL`, `strcpy` will be given a `NULL` pointer." msgstr "" msgid "My first instinct was to change this code to something like this:" msgstr "" msgid "" "@@ -1,7 +1,15 @@\n" " void a_function() {\n" " char *s1 = malloc(A_NUMBER);\n" "+ if (!s1) {\n" "+ fprintf(stderr, \"out of memory, exitting\\n\");\n" "+ exit(1);\n" "+ }\n" " strcpy(s1, \"some string\");\n" "\n" " char *s2 = malloc(A_NUMBER);\n" "+ if (!s2) {\n" "+ fprintf(stderr, \"out of memory, exitting\\n\");\n" "+ exit(1);\n" "+ }\n" " strcpy(s2, \"another string\");\n" " }\n" msgstr "" msgid "" "As I later found out, there are at least 2 problems with this approach:" msgstr "" msgid "" "**it gives up instead of handling failures**: the actual handling goes a bit" " beyond stopping. What about open file handles, in-memory caches, unflushed " "bytes, etc.?" msgstr "" msgid "" "If you could force only the second call to `malloc` to fail, " "[Valgrind](https://www.valgrind.org/) would correctly complain that the " "program exitted with unfreed memory." msgstr "" msgid "So the last change to make the best version of the above code is:" msgstr "" msgid "" "@@ -1,15 +1,14 @@\n" "-void a_function() {\n" "+bool a_function() {\n" " char *s1 = malloc(A_NUMBER);\n" " if (!s1) {\n" "- fprintf(stderr, \"out of memory, exitting\\n\");\n" "- exit(1);\n" "+ return false;\n" " }\n" " strcpy(s1, \"some string\");\n" "\n" " char *s2 = malloc(A_NUMBER);\n" " if (!s2) {\n" "- fprintf(stderr, \"out of memory, exitting\\n\");\n" "- exit(1);\n" "+ free(s1);\n" "+ return false;\n" " }\n" " strcpy(s2, \"another string\");\n" " }\n" msgstr "" msgid "" "Instead of returning `void`, `a_function` now returns `bool` to indicate " "whether an error ocurred during its execution. If `a_function` returned a " "pointer to something, the return value could be `NULL`, or an `int` that " "represents an error code." msgstr "" msgid "" "The code is now a) safe and b) failing gracefully, returning the control to " "the caller to properly handle the error case." msgstr "" msgid "" "After seeing similar patterns on well designed APIs, I adopted this practice" " for my own code, but was still left with manually verifying the correctness" " and robustness of it." msgstr "" msgid "" "How could I add assertions around my code that would help me make sure the " "`free(s1);` exists, before getting an error report? How do other people and " "projects solve this?" msgstr "" msgid "" "From what I could see, either people a) hope for the best, b) write safe " "code but don't strees-test it or c) write ad-hoc code to stress it." msgstr "" msgid "" "When searching for it online, an [interesting " "thread](https://stackoverflow.com/questions/1711170/unit-testing-for-failed-" "malloc) caught my atention: fail the call to `malloc` for each time it is " "called, and when the same stacktrace appears again, allow it to proceed." msgstr "" msgid "Implementation" msgstr "" msgid "" "A working implementation of that already exists: " "[mallocfail](https://github.com/ralight/mallocfail). It uses `LD_PRELOAD` to" " replace `malloc` at run-time, computes the SHA of the stacktrace and fails " "once for each SHA." msgstr "" msgid "" "I initially envisioned and started implementing something very similar to " "mallocfail. However I wanted it to go beyond out-of-memory scenarios, and " "using `LD_PRELOAD` for every possible corner that could fail wasn't a good " "idea on the long run." msgstr "" msgid "" "Also, mallocfail won't work together with tools such as Valgrind, who want " "to do their own override of `malloc` with `LD_PRELOAD`." msgstr "" msgid "" "I instead went with less automatic things: starting with a " "`fallible_should_fail(char *filename, int lineno)` function that fails once " "for each `filename`+`lineno` combination, I created macro wrappers around " "common functions such as `malloc`:" msgstr "" msgid "" "void *fallible_malloc(size_t size, const char *const filename, int lineno) {\n" "#ifdef FALLIBLE\n" " if (fallible_should_fail(filename, lineno)) {\n" " return NULL;\n" " }\n" "#else\n" " (void)filename;\n" " (void)lineno;\n" "#endif\n" " return malloc(size);\n" "}\n" "\n" "#define MALLOC(size) fallible_malloc(size, __FILE__, __LINE__)\n" msgstr "" msgid "" "With this definition, I could replace the calls to `malloc` with `MALLOC` " "(or any other name that you want to `#define`):" msgstr "" msgid "" "--- 3.c\t2021-02-17 00:15:38.019706074 -0300\n" "+++ 4.c\t2021-02-17 00:44:32.306885590 -0300\n" "@@ -1,11 +1,11 @@\n" " bool a_function() {\n" "- char *s1 = malloc(A_NUMBER);\n" "+ char *s1 = MALLOC(A_NUMBER);\n" " if (!s1) {\n" " return false;\n" " }\n" " strcpy(s1, \"some string\");\n" "\n" "- char *s2 = malloc(A_NUMBER);\n" "+ char *s2 = MALLOC(A_NUMBER);\n" " if (!s2) {\n" " free(s1);\n" " return false;\n" msgstr "" msgid "" "The price for such fine-grained control is that this approach requires more " "manual work." msgstr "" msgid "Usage examples" msgstr "" msgid "`MALLOC` from the `README.md`" msgstr "" msgid "" "// leaky.c\n" "#include \n" "#include \n" "\n" "int main() {\n" " char *aaa = MALLOC(100);\n" " if (!aaa) {\n" " return 1;\n" " }\n" " strcpy(aaa, \"a safe use of strcpy\");\n" "\n" " char *bbb = MALLOC(100);\n" " if (!bbb) {\n" " // free(aaa);\n" " return 1;\n" " }\n" " strcpy(bbb, \"not unsafe, but aaa is leaking\");\n" "\n" " free(bbb);\n" " free(aaa);\n" " return 0;\n" "}\n" msgstr "" msgid "" "Compile with `-DFALLIBLE` and run [`fallible-" "check.1`](https:/fallible.euandreh.xyz/fallible-check.1.html):" msgstr "" msgid "" "$ c99 -DFALLIBLE -o leaky leaky.c -lfallible\n" "$ fallible-check ./leaky\n" "Valgrind failed when we did not expect it to:\n" "(...suppressed output...)\n" "# exit status is 1\n" msgstr "" msgid "Conclusion" msgstr "" msgid "" "For my personal use, I'll [package](https://euandre.org/git/package-" "repository/) them for GNU Guix and Nix. Packaging it to any other " "distribution should be trivial, or just downloading the tarball and running " "`[sudo] make install`." msgstr "" msgid "Patches welcome!" msgstr "" msgid "" "With this change, if the program gets compiled with the `-DFALLIBLE` flag " "the fault-injection mechanism will run, and `MALLOC` will fail once for each" " `filename`+`lineno` combination. When the flag is missing, `MALLOC` is a " "very thin wrapper around `malloc`, which compilers could remove entirely, " "and the `-lfallible` flags can be omitted." msgstr "" msgid "" "The actual code is just this single function, " "[`fallible_should_fail`](https://euandre.org/git/fallible/tree/src/fallible.c?id=v0.1.0#n16)," " which ended-up taking only ~40 lines. In fact, there are more lines of " "either Makefile (111), README.md (82) or troff (306) on this first version." msgstr "" msgid "" "void a_function() {\n" " char *s1 = malloc(A_NUMBER);\n" " strcpy(s1, \"some string\");\n" "\n" " char *s2 = malloc(A_NUMBER);\n" " strcpy(s2, \"another string\");\n" "}\n" msgstr "" msgid "" "**it doesn't compose**: this could arguably work if `a_function` was `main`." " But if `a_function` lives inside a library, an `exit(1);` is a inelegant " "way of handling failures, and will catch the top-level `main` consuming the " "library by surprise;" msgstr "" msgid "" "The most proeminent case of c) is SQLite: it has a few wrappers around the " "familiar `malloc` to do fault injection, check for memory limits, add " "warnings, create shim layers for other environments, etc. All of that, " "however, is tightly couple with SQLite itself, and couldn't be easily pulled" " off for using somewhere else." msgstr "" msgid "" "This applies not only to `malloc` or other `stdlib.h` functions. If " "`a_function` is important or relevant, I could add a wrapper around it too, " "that checks if `fallible_should_fail` to exercise if its callers are also " "doing the proper clean-up." msgstr "" #~ msgid "" #~ "void a_function() {\n" #~ " char *s1 = malloc(A_NUMBER);\n" #~ " strcpy(s1, \"some string\");\n" #~ "\n" #~ " char *s2 = malloc(A_NUMBER);\n" #~ " strcpy(s2, \"another string\");\n" #~ "}\n" #~ msgstr "" #~ msgid "" #~ "**it doesn't compose**: this could arguably work if `a_function` was `main`." #~ " But if `a_function` lives inside a library, an `exit(1)` is a inelegant way" #~ " of handling failures, and will catch the top-level `main` consuming the " #~ "library by surprise;" #~ msgstr "" #~ msgid "" #~ "The most proeminent one is SQLite: it has a few wrapeers around the familiar" #~ " `malloc` to do fault injection, check for memory limits, add warnings, " #~ "create shim layers for other environments, etc. All of that, however, is " #~ "tightly couple with SQLite itself, and couldn't be easily pulled off for " #~ "using somewhere else." #~ msgstr "" #~ msgid "" #~ "This applies not only to `malloc` of other system calls. If `a_function` is " #~ "important or relevant, I could add a wrapper around it too, that checks if " #~ "`fallible_should_fail` to exercise if its callers are also doing the proper " #~ "clean-up." #~ msgstr "" #~ msgid "" #~ "With this change, if the program gets compiled with the `-DFALLIBLE` flag " #~ "the fault-injection mechanism will run, and `MALLOC` will fail once for each" #~ " `filename`+`lineno` combination. When the flag is missing, `MALLOC` is a " #~ "very thin wrapper around `malloc`, which compilers could remove entirely." #~ msgstr ""