test(callgrind): C reproducer for cascading underflow obj-skip leak

not-matthias · not-matthias · commit f2437972363d · 2026-05-27T13:00:19.000+02:00
Triggers the call-stack-underflow leak channel observed in the Python
case (28 underflow events / run, almost all libpython interpreter
frames). Mechanism:

- Lib runs recursive skipme_recurse(N) with instrumentation OFF, so
  callgrind never sees the calls and its csp stays at 0.
- At the deepest frame (n==0), CALLGRIND_START_INSTRUMENTATION fires.
- Each RET on the way back hits csp == 0, triggers handleUnderflow,
  resets cxt to 0, and force-pushes the fn we're returning into.
- Because that fn is in the skipped lib, it leaks as a top-level fn=
  block in the dump — N times for an N-deep recursion.

With depth=5 the diagnostic logs show 1 (cxt==0) push + 6 underflow
resets (5x skipme_recurse + 1x skipme_run), and the .out has
fn=skipme_run and fn=skipme_recurse as top-level blocks.
diff --git a/callgrind/tests/runtime_obj_skip_underflow.c b/callgrind/tests/runtime_obj_skip_underflow.c
@@ -0,0 +1,22 @@
+/* Driver for the underflow-channel obj-skip leak reproducer. */
+
+#define _GNU_SOURCE
+#include <dlfcn.h>
+#include <stdio.h>
+#include "../callgrind.h"
+
+extern void skipme_run(int depth);
+
+int main(void)
+{
+    Dl_info info;
+    if (dladdr((void*)skipme_run, &info) == 0 || !info.dli_fname) {
+        fprintf(stderr, "dladdr failed\n");
+        return 1;
+    }
+    CALLGRIND_ADD_OBJ_SKIP(info.dli_fname);
+
+    skipme_run(5);
+
+    return 0;
+}
diff --git a/callgrind/tests/runtime_obj_skip_underflow_lib.c b/callgrind/tests/runtime_obj_skip_underflow_lib.c
@@ -0,0 +1,37 @@
+/* Library that triggers the call-stack-underflow leak channel in
+ * callgrind obj-skip.
+ *
+ * Setup: recursive function in the skipped lib. Main calls in with
+ * instrumentation OFF, so callgrind's call stack is never populated.
+ * At the deepest frame, instrumentation is flipped ON. Each RET on
+ * the way back then sees csp == 0, hits handleUnderflow, resets
+ * cxt = 0, and force-pushes the current fn (which lives in the
+ * skipped lib) as the new top context — leaking N times for an
+ * N-deep stack.
+ *
+ * This is the same shape as Python 3.14's interpreter dispatch
+ * leaks: deep recursive eval-loop frames where instrumentation was
+ * started somewhere down the stack and every return pops past an
+ * empty callgrind stack. */
+
+#include "../callgrind.h"
+
+volatile long sink;
+
+__attribute__((noinline))
+void skipme_recurse(int n)
+{
+    if (n == 0) {
+        CALLGRIND_START_INSTRUMENTATION;
+        return;
+    }
+    skipme_recurse(n - 1);
+    sink += n;
+}
+
+__attribute__((noinline))
+void skipme_run(int depth)
+{
+    skipme_recurse(depth);
+    CALLGRIND_STOP_INSTRUMENTATION;
+}
