logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

The-worst-bugs.md (8745B)

    

  1. ---
  2. date: 2014-02-02
  3. layout: post
  4. title: The bug that hides from breakpoints
  5. tags: [KnightOS, kernel hacking]
  6. ---
  8. This is the story of the most difficult bug I ever had to solve. See if you can
  9. figure it out before the conclusion.
  11. ### Background
  13. For some years now, I've worked on a kernel for Texas
  14. Instruments calculators called [KnightOS](https://github.com/KnightOS/kernel).
  15. This kernel is written entirely in assembly, and targets the old-school z80
  16. processor from back in 1976. This classic processor was built without any
  17. concept of protection rings. It's an 8-bit processor, with 150-some instructions
  18. and (in this application) 32K of RAM and 32K of Flash. This stuff is so old, I
  19. ended up writing most of the KnightOS toolchain from scratch rather than try to
  20. get archaic assemblers and compilers running on modern systems.
  22. When you're working in an enviornment like this, there's no seperation between
  23. kernel and userland. All "userspace" programs run as root, and crashing the entire
  24. system is a simple task. All the memory my kernel sets aside for the
  25. process table, or memory ownership, file handles, stacks, any other executing
  26. process - any program can modify this freely. Of course, we have to rely on the
  27. userland to play nice, and it usually does. But when there are bugs, they can be a
  28. real pain in the ass to hunt down.
  30. ### The elusive bug
  32. The original bug report: **When running the counting demo and switching between
  33. applications, the thread list graphics become corrupted.**
  35. I can reproduce this problem, so I settle into my development enviornment and I
  36. set a breakpoint near the thread list's graphical code. I fire up the emulator and
  37. repeat the steps... but it doesn't happen. This happened consistently: **the bug
  38. was not reproduceable when a breakpoint was set**. Keep in mind, I'm running this
  39. in a z80 emulator, so the enviornment is supposedly no different. There's no
  40. debugger attached here.
  42. Though this is quite strange, I don't immediately despair. I try instead setting a
  43. "breakpoint" by dropping an infinite loop in the code, instead of a formal
  44. breakpoint. I figure that I can halt the program flow manually and open the
  45. debugger to inspect the problem. However, the bug wouldn't be tamed quite so
  46. easily. The bug was unreproducable when I had this psuedo-breakpoint in place,
  47. too.
  49. At this point, I started to get a little frustrated. How do I debug a problem that
  50. disappears when you debug it? I decided to try and find out what caused it after
  51. it had taken place, by setting the breakpoint to be hit only after the graphical
  52. corruption happened. Here, I gained some ground. I was able to reproduce it, and
  53. *then* halt the machine, and I could examine memory and such after the bug was
  54. given a chance to have its way over the system.
  56. I discovered the reason the graphics were being corrupted. The kernel kept the
  57. length of the process table at a fixed address. The thread list, in order to draw
  58. the list of active threads, looks to this value to determine how many threads it
  59. should draw. Well, when the bug occured, the value was too high! The thread list
  60. was drawing threads that did not exist, and the text rendering puked non-ASCII
  61. characters all over the display. But why was that value being corrupted?
  63. It was an oddly specific address to change. None of the surrounding memory was
  64. touched. Making it even more odd was the very specific conditions this happened
  65. under - only when the counting demo was running. I asked myself, "what makes the
  66. counting demo unique?" It hit me after a moment of thought. The counting demo
  67. existed to demonstrate non-supsendable threads. The kernel would stop executing
  68. threads (or "suspend" them) when they lost focus, in an attempt to keep the
  69. system's very limited resources available. The counting demo was marked as
  70. non-suspendable, a feature that had been implemented a few months prior. It
  71. showed a number on the screen that counted up forever, and the idea was that you
  72. could go give some other application focus, come back, and the number would have
  73. been counting up while you were away. A background task, if you will.
  75. A more accurate description of the bug emerged: "the length of the kernel process
  76. table gets corrupted when launching the thread list when a non-suspendable thread
  77. is running". What followed was hours and hours of crawling through the hundreds of
  78. lines of assembly between summoning the thread list, and actually seeing it. I'll
  79. spare you the details, because they are very boring. We'll pick the story back up
  80. at the point where I had isolated the area in which it occured: applib.
  82. The KnightOS userland offered "applib", a library of common functions applications
  83. would need to get the general UX of the system. Among these was the function
  84. `applibGetKey`, which was a wrapper around the kernel's `getKey` function. The
  85. idea was that it would work the same way (return the last key pressed), but for
  86. special keys, it would do the appropriate action for you. For example, if you
  87. pressed the F5 key, it would suspend the current thread and launch the thread
  88. list. This is the mechanism with which most applications transfer control out of
  89. their own thread and into the thread list.
  91. Eager that I had found the source of the issue, I placed a breakpoint nearby. That
  92. same issue from before struck again - the bug vanished when the breakpoint was
  93. set. I tried a more creative approach: instead of using a proper breakpoint, I
  94. asked the emulator to halt whenever that address was written to. Even still - the
  95. bug hid itself whenever this happened.
  97. I decided to dive into the kernel's getKey function. Here's the start of the
  98. function, as it appeared at the time:
  100. ```
  101. getKey:
  102.     call hasKeypadLock
  103.     jr _
  104.     xor a
  105.     ret
  106. _:  push bc
  107. ; ...
  108. ```
  110. I started going through this code line-by-line, trying to see if there was
  111. anything here that could concievably touch the thread table. I noticed a minor
  112. error here, and corrected it without thinking:
  114. ```
  115. getKey:
  116.     call hasKeypadLock
  117.     jr z, _
  118.     xor a
  119.     ret
  120. _:  push bc
  121. ; ...
  122. ```
  124. The simple error I had corrected: getKey was pressing forward, even when the
  125. current thread didn't have control of the keyboard hardware. This was a silly
  126. error - only two characters were omitted.
  128. A moment after I fixed that issue, the answer set in - this was the source of the
  129. entire problem. Confirming it, I booted up the emulator with this change applied
  130. and the bug was indeed resolved.
  132. Can you guess what happened here? Here's the other piece of the puzzle to help you
  133. out, translated more or less into C for readability:
  135. ```c
  136. int applibGetKey() {
  137.     int key = getKey();
  138.     if (key == KEY_F5) {
  139.         launch_threadlist();
  140.         suspend_thread();
  141.     }
  142.     return key;
  143. }
  144. ```
  146. Two more details you might not have picked up on:
  148. * applibGetKey is non-blocking
  149. * suspend_thread suspends the current thread immediately, so it doesn't return until the
  150.   thread resumes.
  152. ### The bug, uncovered
  154. Here's what actually happened. For most threads (the suspendable kind), that
  155. thread stops processing when `suspend_thread()` is called. The usually
  156. non-blocking applibGetKey function blocks until the thread is resumed in this
  157. scenario. However, the counting demo was *non-suspendable*. The suspend_thread
  158. function has no effect, by design. So, suspend_thread did not block, and the
  159. keypress was returned straight away. By this point, the thread list had launched
  160. properly and it was given control of the keyboard.
  162. However, the counting demo went back into its main loop, and started calling
  163. applibGetKey again. Since the average user's finger remained pressed against the
  164. button for a few moments more, applibGetKey *continued to launch the thread list,
  165. over and over*. The thread list itself is a special thread, and it doesn't
  166. actually have a user-friendly name. It was designed to ignore itself when it drew
  167. the active threads. However, it was *not* designed to ignore other instances of
  168. itself, the reason being that there would never be two of them running at once.
  169. When attempting to draw these other instances, the thread list started rendering
  170. text that wasn't there, causing the corruption.
  172. This bug vanished whenever I set a breakpoint because it would halt the system's
  173. keyboard processing logic. I lifted my finger from the key before allowing it to
  174. move on.
  176. The solution was to make the kernel's getKey function respect hardware locks by
  177. fixing that simple, two-character typo. That way, the counting demo, which had no
  178. right to know what keys were being pressed, would not know that they key was still
  179. being pressed.
  181. The debugging described by this blog post took approximately three weeks.
  183. [Discussion on Hacker News](https://news.ycombinator.com/item?id=7688700)