Forks from never ran machines crash

[chc4]

tinykvm has a forkserver feature, where you can prepare a VM for copy-on-write, and then initialize a forked machine off of that parent.

This works fine in cases where the parent machine has ran and the forks do vmcalls to other functions (such as the Fork and run main() testcase), but trying to use it for a forkserver which repeatedly runs the main entry point instead crashes with a kernel fault.

For example:

TEST_CASE("Fork before main()", "[Fork]")
{
	const auto binary = build_and_load(R"M(
#include <stdio.h>
int main() {
	printf("Hello World!\n");
	return 666;
}
static unsigned value = 12345;
void set_value(int v) {
	value = v;
}
int func1() {
	return value;
}
int func2() {
	return 54321;
}
)M");

	tinykvm::Machine machine { binary, {
		.max_mem = MAX_MEMORY,
		.master_direct_memory_writes = true
	} };

	// We need to create a Linux environment for runtimes to work well
	machine.setup_linux({"fork"}, env);
	auto main_regs = machine.registers();
	machine.prepare_copy_on_write();
	REQUIRE(machine.is_forkable());
	REQUIRE(!machine.is_forked());

	auto fork1 = tinykvm::Machine { machine, {
		.max_mem = MAX_MEMORY, .max_cow_mem = MAX_COWMEM
	} };

	fork1.run(4.0f);
	REQUIRE(fork1.return_value() == 666); // Main() return value
	fork1.reset_to(machine, tinykvm::MachineOptions { });
	fork1.run(4.0f);
	REQUIRE(fork1.return_value() == 666); // Main() return value

}

crashes with

3: *** Page Fault on address 0x0
3: Error code: 0x4 (memory read)
3: * Page not present
3: * CPL=3 Page fault
3: CR0: 0x80040033  CR3: 0x7000000000
3: CR2: 0x0  CR4: 0x350E20
3: RAX: 0x4  RBX: 0x1  RCX: 0xA
3: RDX: 0x4A5F50  RSI: 0x0  RDI: 0x0
3: RIP: 0x21E6  RBP: 0x641AE0  RSP: 0x3FC0
3: SS: 0x0  CS: 0x8  DS: 0x23  FS: 0x0  GS: 0x0
3: FS BASE: 0x0  GS BASE: 0x5050
3: Failing RIP: 0x404224
3: Fail RFLAGS: 0x13046
3: Failing CS:  0x2B
3: Failing RSP: 0x641A80
3: Failing SS:  0x23
3: RIP  0x404224   __libc_setup_tls + 0x64

I suspect what's going on here is something to do with the usercode.asm entrypoint stub? But honestly I have been trying to figure out what's the issue for a while and it's kind of impossible.

I'd like to use tinykvm for a fuzzer, which needs to be able to run a guest program from its ELF entrypoint repeatedly. I can probably work around this by always using a shim fuzzing harness which has a "setup" function which loads the program under test and then a vmcall-able "run_one" instead, but this seems like something that probably should be working.

[chc4]

The relevant RIP from the above crash on my machine is also

00000000004041c0 <__libc_setup_tls>:
  4041c0:       f3 0f 1e fa             endbr64
  4041c4:       55                      push   %rbp
  4041c5:       48 89 e5                mov    %rsp,%rbp
  4041c8:       41 57                   push   %r15
  4041ca:       41 56                   push   %r14
  4041cc:       41 55                   push   %r13
  4041ce:       41 54                   push   %r12
  4041d0:       53                      push   %rbx
  4041d1:       48 83 ec 38             sub    $0x38,%rsp
  4041d5:       4c 8b 35 a4 69 0a 00    mov    0xa69a4(%rip),%r14        # 4aab80 <_dl_ns>
  4041dc:       e8 1f 4c 01 00          call   418e00 <__tls_pre_init_tp>
  4041e1:       48 8b 0d 90 c7 0a 00    mov    0xac790(%rip),%rcx        # 4b0978 <_dl_phnum>
  4041e8:       48 8b 05 91 c7 0a 00    mov    0xac791(%rip),%rax        # 4b0980 <_dl_phdr>
  4041ef:       48 8d 14 cd 00 00 00    lea    0x0(,%rcx,8),%rdx
  4041f6:       00 
  4041f7:       48 29 ca                sub    %rcx,%rdx
  4041fa:       48 8d 14 d0             lea    (%rax,%rdx,8),%rdx
  4041fe:       48 39 d0                cmp    %rdx,%rax
  404201:       72 0e                   jb     404211 <__libc_setup_tls+0x51>
  404203:       eb 6b                   jmp    404270 <__libc_setup_tls+0xb0>
  404205:       0f 1f 00                nopl   (%rax)
  404208:       48 83 c0 38             add    $0x38,%rax
  40420c:       48 39 d0                cmp    %rdx,%rax
  40420f:       73 5f                   jae    404270 <__libc_setup_tls+0xb0>
  404211:       83 38 07                cmpl   $0x7,(%rax)
  404214:       75 f2                   jne    404208 <__libc_setup_tls+0x48>
  404216:       4c 8b 68 30             mov    0x30(%rax),%r13
  40421a:       41 bc 40 00 00 00       mov    $0x40,%r12d
  404220:       48 8b 50 10             mov    0x10(%rax),%rdx
  404224:       49 03 16                add    (%r14),%rdx

which is not particularly enlightening to me for what is going wrong here.

[fwsGonzo]

Mysterious, but that should indeed work. I'll have a look

[fwsGonzo]

As always, hashtag osdev is some kind of hell. Turns out that the Machine isn't setting the dirty bit properly for the stuff that it's doing at initialization time, and so the paging sub-system thinks that it can just zero everything. I need to go through all the initialization and the pagetable setup to make sure that the dirty bit is correctly applied. None of this applied to the master VM because it doesn't use copy-on-write page faults. At most it uses unlocking to count and constrain memory usage.

Here is the fix, with test case: 77533c5

The boogeyman was a fast-path for copying into the guest that didn't involve page tables at all, and it was hard to see what was missing from what looked like correct code. What was missing was giving the backing pages a dirty stamp, so that the fork wouldn't just copy-on-write using zeroes.

I pondered enabling "split_hugepages" by default, because it's a good default for forks, but it would also split hugepages in master VMs, which creates pointless pagetable walking everywhere. But, if you look at the test now:
https://github.com/varnish/tinykvm/blob/master/tests/unit/fork.cpp#L607-L673

I enable split_hugepages for the forks, and reset_keep_all_work_memory is a fast-path for resets.

[chc4]

I think there are still some bugs around hugepages here, because I also get crashes with

        .split_hugepages = true,
        .split_all_hugepages_during_loading = true,

on loading statically linked binaries (e.g. /bin/busybox), even without using the forkserver.

[fwsGonzo]

a6a044c

I think the issue was due to the strict pagewalk that you also experienced in another issue just now. AMD64 doesn't really care too much about flags in non-branch page table entries, but TinyKVM does. I use it for consistency.