test(callgrind): add C reproducer for runtime obj-skip cxt==0 leak

Minimal C test that triggers the leak path where a function in a
skipped object becomes a top-level fn= block in the dump.

The trigger: the lib calls CALLGRIND_START_INSTRUMENTATION from
inside one of its own functions, so the first BB callgrind sees
post-start lives in the skipped object. With cxt == 0 at that point,
setup_bbcc force-pushes the skipped fn as the new top context and it
leaks into the output.

Currently RED: post-check fails because fn=skipme_run appears in the
output despite skipme_run's containing .so being on the skip list.

Author: not-matthias

callgrind/tests/Makefile.am

@@ -13,6 +13,8 @@ EXTRA_DIST = \
 	find_debuginfo.vgtest find_debuginfo.stderr.exp find_debuginfo.post.exp \
 	runtime_obj_skip_py.vgtest runtime_obj_skip_py.stderr.exp runtime_obj_skip_py.post.exp \
 	runtime_obj_skip_py.py runtime_obj_skip_py_shim.c \
+	runtime_obj_skip_c.vgtest runtime_obj_skip_c.stderr.exp runtime_obj_skip_c.post.exp \
+	runtime_obj_skip_c.c runtime_obj_skip_c_lib.c \
 	bug497723.stderr.exp bug497723.post.exp bug497723.vgtest \
 	simwork1.vgtest simwork1.stdout.exp simwork1.stderr.exp \
 	simwork2.vgtest simwork2.stdout.exp simwork2.stderr.exp \
@@ -31,7 +33,7 @@ EXTRA_DIST = \
 	inline-crossfile.vgtest inline-crossfile.stderr.exp inline-crossfile.stdout.exp inline-crossfile.post.exp \
 	inline-crossfile-helper1.h inline-crossfile-helper2.h filter_inline
 
-check_PROGRAMS = clreq find_debuginfo simwork threads inline-samefile inline-crossfile
+check_PROGRAMS = clreq find_debuginfo simwork threads inline-samefile inline-crossfile runtime_obj_skip_c
 
 AM_CFLAGS   += $(AM_FLAG_M3264_PRI)
 AM_CXXFLAGS += $(AM_FLAG_M3264_PRI)
@@ -44,10 +46,21 @@ threads_LDADD = -lpthread
 
 # Shim loaded by runtime_obj_skip_py.py via ctypes. Built unconditionally;
 # the test's prereq skips it if the .so is missing.
-check_DATA = runtime_obj_skip_py_shim.so
+check_DATA = runtime_obj_skip_py_shim.so runtime_obj_skip_c_lib.so
 
 runtime_obj_skip_py_shim.so: runtime_obj_skip_py_shim.c
 	$(CC) -shared -fPIC -O2 -I$(top_srcdir) -I$(top_srcdir)/include \
 	    $< -o $@
 
-CLEANFILES = runtime_obj_skip_py_shim.so
+# Shared lib for the runtime_obj_skip_c test. Lives in a separate ELF
+# so the main binary can register its path for runtime obj-skip.
+runtime_obj_skip_c_lib.so: runtime_obj_skip_c_lib.c
+	$(CC) -shared -fPIC -O2 -I$(top_srcdir) -I$(top_srcdir)/include \
+	    $< -o $@
+
+runtime_obj_skip_c_LDADD = -ldl
+runtime_obj_skip_c_LDFLAGS = $(AM_LDFLAGS) -L. -l:runtime_obj_skip_c_lib.so \
+                             -Wl,-rpath,'$$ORIGIN'
+runtime_obj_skip_c_DEPENDENCIES = runtime_obj_skip_c_lib.so
+
+CLEANFILES = runtime_obj_skip_py_shim.so runtime_obj_skip_c_lib.so

callgrind/tests/runtime_obj_skip_c.c

@@ -0,0 +1,30 @@
+/* Minimal C reproducer for the runtime obj-skip leak: a fn from a
+ * skipped object ends up as a top-level fn= block in the callgrind
+ * output when it is the first BB instrumented after START.
+ *
+ * Strategy: register the lib for skip, then call into the lib BEFORE
+ * starting instrumentation. The lib itself calls
+ * CALLGRIND_START_INSTRUMENTATION mid-function, so the first BB
+ * processed by callgrind lives in the skipped object — which trips
+ * the (cxt == 0) push_cxt path that ignores the skip flag. */
+
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <stdio.h>
+#include "../callgrind.h"
+
+extern void skipme_run(int n);
+
+int main(void)
+{
+    Dl_info info;
+    if (dladdr((void*)skipme_run, &info) == 0 || !info.dli_fname) {
+        fprintf(stderr, "dladdr failed\n");
+        return 1;
+    }
+    CALLGRIND_ADD_OBJ_SKIP(info.dli_fname);
+
+    skipme_run(1000);
+
+    return 0;
+}

callgrind/tests/runtime_obj_skip_c.post.exp

@@ -0,0 +1 @@
+OK

callgrind/tests/runtime_obj_skip_c.stderr.exp

@@ -0,0 +1,5 @@
+prereq: test -f runtime_obj_skip_c && test -f runtime_obj_skip_c_lib.so
+prog-asis: ./runtime_obj_skip_c
+vgopts: --instr-atstart=no --compress-strings=no --callgrind-out-file=callgrind.out.runtime_obj_skip_c
+post: sh -c 'if grep -q "^fn=skipme_func" callgrind.out.runtime_obj_skip_c; then echo "FAIL: skipme_func leaked into top-level fn= block"; else echo OK; fi'
+cleanup: rm -f callgrind.out.runtime_obj_skip_c

callgrind/tests/runtime_obj_skip_c.vgtest

@@ -0,0 +1,27 @@
+/* Library that lives in a separate ELF object so the main binary
+ * can register its path for runtime obj-skip.
+ *
+ * skipme_run() flips instrumentation on from *inside* the skipped
+ * object, then calls skipme_func. This is the trigger for the
+ * `current_state.cxt == 0` push path in setup_bbcc: the very first
+ * BB after instrumentation start lives in a skipped object, so the
+ * (cxt==0) clause force-pushes a skipped fn as the new top context
+ * and it leaks into the dump as a top-level fn= block. */
+
+#include "../callgrind.h"
+
+volatile long sink;
+
+__attribute__((noinline))
+void skipme_func(int n)
+{
+    for (int i = 0; i < n; i++) sink += i;
+}
+
+__attribute__((noinline))
+void skipme_run(int n)
+{
+    CALLGRIND_START_INSTRUMENTATION;
+    skipme_func(n);
+    CALLGRIND_STOP_INSTRUMENTATION;
+}