-
Notifications
You must be signed in to change notification settings - Fork 11
Add compile-time fault-injection infrastructure for stack-walker recovery paths #661
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
zhengyu123
wants to merge
7
commits into
main
Choose a base branch
from
zgu/fault-injection
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
05bde60
Investigate and implement fault injection for Java profiler
zhengyu123 608094b
Merge branch 'main' into zgu/fault-injection
zhengyu123 d85f055
Add counters
zhengyu123 a12b80b
Potential fix for pull request finding
zhengyu123 6367efe
Potential fix for pull request finding
zhengyu123 f1c6dc1
Potential fix for pull request finding
zhengyu123 b88f34e
New counters and missing includes
zhengyu123 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,124 @@ | ||
| /* | ||
| * Copyright 2026, Datadog, Inc. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| #include "faultInjection.h" | ||
|
|
||
| // The whole translation unit is empty unless fault injection is enabled, so a | ||
| // normal build links a no-op object file. | ||
| #ifdef __FAULT_INJECTION__ | ||
|
|
||
| #include "counters.h" // Counters::increment (FAULTS_INJECTED) | ||
| #include "os.h" // OS::page_size | ||
| #include "threadLocalData.h" // ProfiledThread::currentSignalSafe / nextFiRandom | ||
| #include <atomic> | ||
| #include <sys/mman.h> | ||
|
|
||
| namespace faultinj { | ||
|
|
||
| // Knuth multiplicative constant (== common.h KNUTH_MULTIPLICATIVE_CONSTANT), | ||
| // used to hash the function name and to advance the global fallback PRNG. | ||
| static constexpr u64 KNUTH = 0x9e3779b97f4a7c15ULL; | ||
|
|
||
| // Word-alignment mask for produced addresses. | ||
| static constexpr uintptr_t ALIGN_MASK = ~(uintptr_t)(sizeof(void*) - 1); | ||
|
|
||
| // Guard region: mmapped once at init() with PROT_NONE so any access faults. | ||
| // Written only by init() (off the signal path); read-only afterwards. | ||
| static std::atomic<uintptr_t> g_guard_base{0}; | ||
| static std::atomic<uintptr_t> g_guard_span{0}; | ||
| static std::atomic<bool> g_guard_ok{false}; | ||
|
|
||
| // Fallback PRNG for threads with no ProfiledThread context. Relaxed atomics | ||
| // keep it lock-free and async-signal-safe; a lost update on a race is harmless. | ||
| static std::atomic<u64> g_fallback_rng{KNUTH}; | ||
|
|
||
| void init() { | ||
| // Avoid repeated mmaps (tests call init() in each fixture SetUp()). | ||
| if (g_guard_ok.load(std::memory_order_acquire)) { | ||
| return; | ||
| } | ||
|
|
||
| // A handful of pages is plenty of distinct fault addresses; keep it small. | ||
| size_t span = 16 * OS::page_size; | ||
| void* p = mmap(nullptr, span, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); | ||
| if (p == MAP_FAILED) { | ||
| return; | ||
| } | ||
|
|
||
| g_guard_base.store((uintptr_t)p, std::memory_order_relaxed); | ||
| g_guard_span.store(span, std::memory_order_relaxed); | ||
| g_guard_ok.store(true, std::memory_order_release); | ||
| } | ||
|
|
||
| u64 nextRandom() { | ||
| ProfiledThread* t = ProfiledThread::currentSignalSafe(); // never allocates | ||
| if (t != nullptr) { | ||
| return t->nextFiRandom(); | ||
| } | ||
| // Fallback: relaxed atomic xorshift64. Not perfectly serialised, but the | ||
| // stream only needs to be roughly uniform for injection decisions. | ||
| u64 x = g_fallback_rng.load(std::memory_order_relaxed); | ||
| if (x == 0) x = 1; | ||
| x ^= x << 13; | ||
| x ^= x >> 7; | ||
| x ^= x << 17; | ||
| g_fallback_rng.store(x, std::memory_order_relaxed); | ||
| return x; | ||
| } | ||
|
|
||
| bool shouldFire(u64 threshold, const char* fn) { | ||
| // XOR with a per-function hash is a bijection on 64 bits, so it perturbs the | ||
| // stream per call site while keeping the fire probability exactly | ||
| // threshold/2^64. | ||
| u64 r = nextRandom() ^ ((u64)(uintptr_t)fn * KNUTH); | ||
| if (__builtin_expect(r < threshold, 0)) { | ||
| // Every address/int/long injection routes through here, so this is the one | ||
| // place that counts an actually-injected fault. | ||
| Counters::increment(FAULTS_INJECTED); | ||
| return true; | ||
| } | ||
| return false; | ||
| } | ||
|
|
||
| uintptr_t poisonAddress() { | ||
| u64 r = nextRandom(); | ||
| if (g_guard_ok.load(std::memory_order_acquire)) { | ||
| // Guaranteed-unmapped guard page — deterministic SIGSEGV. | ||
| uintptr_t base = g_guard_base.load(std::memory_order_relaxed); | ||
| uintptr_t span = g_guard_span.load(std::memory_order_relaxed); | ||
| return (base + (uintptr_t)(r % span)) & ALIGN_MASK; | ||
| } | ||
| // Fallback: best-effort garbage address if init() failed. | ||
| return ((uintptr_t)r | (uintptr_t)0x8000000000000000ULL) & ALIGN_MASK; | ||
| } | ||
|
Copilot marked this conversation as resolved.
|
||
|
|
||
| int32_t injectInt(int32_t v, u64 threshold, const char* fn) { | ||
| if (__builtin_expect(shouldFire(threshold, fn), 0)) { | ||
| return (int32_t)nextRandom(); | ||
| } | ||
| return v; | ||
| } | ||
|
|
||
| int64_t injectLong(int64_t v, u64 threshold, const char* fn) { | ||
| if (__builtin_expect(shouldFire(threshold, fn), 0)) { | ||
| return (int64_t)nextRandom(); | ||
| } | ||
| return v; | ||
| } | ||
|
|
||
| } // namespace faultinj | ||
|
|
||
| #endif // __FAULT_INJECTION__ | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,123 @@ | ||
| /* | ||
| * Copyright 2026, Datadog, Inc. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| // Compile-time fault-injection layer for the profiler's memory-access sites. | ||
| // | ||
| // The macros below wrap a pointer or value expression at a real dereference | ||
| // site (VMStructs::at, walkVM, walkFP, walkDwarf). When __FAULT_INJECTION__ is | ||
| // defined, each wrapped expression, with the tier's probability, is replaced by | ||
| // a deliberately bad address (so the load faults and the profiler's recovery | ||
| // path — SafeAccess safefetch or walkVM's setjmp/longjmp — is exercised) or a | ||
| // random int/long value. When the flag is NOT defined, every macro is a strict | ||
| // identity: it expands to exactly the parenthesized original expression, with | ||
| // unchanged type and value category and zero runtime cost. | ||
| // | ||
| // pc = SafeAccess::load(INJECT_FAULT_ADDRESS_LIKELY((void**)fp)); | ||
| // VMMethod* m = ((VMMethod**)INJECT_FAULT_ADDRESS_UNLIKELY(fp))[off]; | ||
| // | ||
| // The three tiers name their firing frequency: RARE 0.01%, UNLIKELY 0.1%, | ||
| // LIKELY 1%. See faultInjection.cpp for the poison-address and PRNG details. | ||
|
|
||
| #ifndef _FAULT_INJECTION_H | ||
| #define _FAULT_INJECTION_H | ||
|
|
||
| #ifdef __FAULT_INJECTION__ | ||
|
|
||
| #include "arch.h" // u64 | ||
| #include <cstdint> | ||
|
|
||
| namespace faultinj { | ||
|
|
||
| // Firing probability expressed as an xorshift64 threshold (round(p * 2^64)), so | ||
| // the hot-path check is a single integer compare (rng < threshold) with no | ||
| // floating point in the signal handler. | ||
| constexpr u64 PROB_RARE = 1844674407370955ULL; // 1e-4 (0.01%) | ||
| constexpr u64 PROB_UNLIKELY = 18446744073709552ULL; // 1e-3 (0.1%) | ||
| constexpr u64 PROB_LIKELY = 184467440737095520ULL; // 1e-2 (1%) | ||
|
|
||
| // Called once at profiler startup (off the signal path) to mmap the PROT_NONE | ||
| // guard region used by poisonAddress(). Safe to call before any injection. | ||
| void init(); | ||
|
|
||
| // Draws one per-thread (or global-fallback) PRNG value. Async-signal-safe. | ||
| u64 nextRandom(); | ||
|
|
||
| // Returns true with probability threshold/2^64. The function name perturbs the | ||
| // draw so distinct call sites get statistically independent decisions. | ||
| bool shouldFire(u64 threshold, const char* fn); | ||
|
|
||
| // A word-aligned address intended to fault on access. When init() has reserved the | ||
| // mmap'd PROT_NONE guard region, this returns an address inside it (deterministic | ||
| // SIGSEGV). If init() failed, it falls back to a best-effort garbage address. | ||
| uintptr_t poisonAddress(); | ||
|
|
||
| // Returns ptr unchanged, or a poison address (cast to T) when the tier fires. | ||
| // Templated so the wrapped expression's static type (void**, const char*, | ||
| // uintptr_t, ...) is preserved exactly. | ||
| template <typename T> | ||
| inline T injectAddress(T ptr, u64 threshold, const char* fn) { | ||
| if (__builtin_expect(shouldFire(threshold, fn), 0)) { | ||
| // C-style cast intentionally: converts the numeric poison address to any | ||
| // pointer type or to uintptr_t. This code only ever compiles under the flag. | ||
| return (T)poisonAddress(); | ||
| } | ||
| return ptr; | ||
| } | ||
|
|
||
| // Returns v unchanged, or a pseudo-random value when the tier fires. | ||
| int32_t injectInt(int32_t v, u64 threshold, const char* fn); | ||
| int64_t injectLong(int64_t v, u64 threshold, const char* fn); | ||
|
|
||
| } // namespace faultinj | ||
|
|
||
| #define INJECT_FAULT_ADDRESS_RARE(ptr) \ | ||
| ::faultinj::injectAddress((ptr), ::faultinj::PROB_RARE, __func__) | ||
| #define INJECT_FAULT_ADDRESS_UNLIKELY(ptr) \ | ||
| ::faultinj::injectAddress((ptr), ::faultinj::PROB_UNLIKELY, __func__) | ||
| #define INJECT_FAULT_ADDRESS_LIKELY(ptr) \ | ||
| ::faultinj::injectAddress((ptr), ::faultinj::PROB_LIKELY, __func__) | ||
|
|
||
| #define INJECT_FAULT_INT_RARE(v) \ | ||
| ::faultinj::injectInt((v), ::faultinj::PROB_RARE, __func__) | ||
| #define INJECT_FAULT_INT_UNLIKELY(v) \ | ||
| ::faultinj::injectInt((v), ::faultinj::PROB_UNLIKELY, __func__) | ||
| #define INJECT_FAULT_INT_LIKELY(v) \ | ||
| ::faultinj::injectInt((v), ::faultinj::PROB_LIKELY, __func__) | ||
|
|
||
| #define INJECT_FAULT_LONG_RARE(v) \ | ||
| ::faultinj::injectLong((v), ::faultinj::PROB_RARE, __func__) | ||
| #define INJECT_FAULT_LONG_UNLIKELY(v) \ | ||
| ::faultinj::injectLong((v), ::faultinj::PROB_UNLIKELY, __func__) | ||
| #define INJECT_FAULT_LONG_LIKELY(v) \ | ||
| ::faultinj::injectLong((v), ::faultinj::PROB_LIKELY, __func__) | ||
|
|
||
| #else // __FAULT_INJECTION__ not defined — strict identity, zero cost. | ||
|
|
||
| #define INJECT_FAULT_ADDRESS_RARE(ptr) (ptr) | ||
| #define INJECT_FAULT_ADDRESS_UNLIKELY(ptr) (ptr) | ||
| #define INJECT_FAULT_ADDRESS_LIKELY(ptr) (ptr) | ||
|
|
||
| #define INJECT_FAULT_INT_RARE(v) (v) | ||
| #define INJECT_FAULT_INT_UNLIKELY(v) (v) | ||
| #define INJECT_FAULT_INT_LIKELY(v) (v) | ||
|
|
||
| #define INJECT_FAULT_LONG_RARE(v) (v) | ||
| #define INJECT_FAULT_LONG_UNLIKELY(v) (v) | ||
| #define INJECT_FAULT_LONG_LIKELY(v) (v) | ||
|
|
||
| #endif // __FAULT_INJECTION__ | ||
|
|
||
| #endif // _FAULT_INJECTION_H |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.