Unaligned pointers in the core client library

behos · April 29, 2023, 2:29pm

Hi,

Rust has recently enabled a debug assertion which checks pointer alignment on dereference and it started failing with misaligned pointer dereference when dereferencing objects provided by the core client (for example in the fdb_transaction_get_range result).

I tried to find out why this is the case, and stumbled upon this note in the Arena.cpp which has this note.

github.com

apple/foundationdb/blob/5e8feac8c980fbef6b6f523360e42d28dd120e5d/flow/Arena.cpp#L28-L31


      
          // We don't align memory properly, and we need to tell lsan about that.
          extern "C" const char* __lsan_default_options(void) {
          	return "use_unaligned=1";
          }

Does this mean that any object returned by the shared lib might be unaligned?

Dereferencing unaligned pointers is treated as undefined behaviour in most languages, and is usually tied with a performance hit too. While there are workarounds (like silencing the warning, or handling the unaligned addresses to re-align them) it would be nice to not have to add additional manual memory management when interacting with the core client.

Is this a known issue?

atn34 · May 1, 2023, 9:18pm

Hi! Welcome.

I agree with all points. Unfortunately, misaligned pointers is currently required by the existing ABI, since the the FDBKeyValue type is declared within a pragma pack as follows. There’s no way to respect the pragma pack and align both pointers to 8 bytes.

#pragma pack(push, 4)
...
typedef struct keyvalue {
	const uint8_t* key;
	int key_length;
	const uint8_t* value;
	int value_length;
} FDBKeyValue;
...
#pragma pack(pop)

That said, we do technically have a mechanism for changing the ABI (in new header versions) without impacting existing users in theory.

This is actually referring to a much deeper internal problem, but one that’s mostly an implementation detail and shouldn’t affect the shared lib ABI. There are misaligned accesses happening in the shared lib internally, but rust’s instrumentation presumably won’t be able to see that.

There’s an issue tracking aligning memory properly, but it doesn’t have any momentum right now it seems: Undefined behaviour analyzer : Member access within misaligned address · Issue #1434 · apple/foundationdb · GitHub

behos · May 6, 2023, 3:26am

Thanks for the quick response

I think the issue I’m seeing is not related to the packed struct pointer addresses.

One of the calls that’s affected by this is fdb_transaction_get_range which results in a Future<[keyvalue]>.

github.com

apple/foundationdb/blob/65ed7775fd5777a95547239b22c91e1800f9cdf3/bindings/c/fdb_c.cpp#L1053-L1060


      
          	    FDBFuture*)(TXN(tr)
          	                    ->getRange(
          	                        KeySelectorRef(KeyRef(begin_key_name, begin_key_name_length), begin_or_equal, begin_offset),
          	                        KeySelectorRef(KeyRef(end_key_name, end_key_name_length), end_or_equal, end_offset),
          	                        GetRangeLimits(limit, target_bytes),
          	                        snapshot,
          	                        reverse)
          	                    .extractPtr());

This should eventually resolve to a pointed pointing at an array of keyvalue which is pack(4) foundationdb/fdb_c.h at 65ed7775fd5777a95547239b22c91e1800f9cdf3 · apple/foundationdb · GitHub. The expected alignment should be 4.

The resulting pointer has address 0x7f034cefb0a8 and the address it points to is 0x7f034cc916c6. When converting this to a rust pointer and dereferencing, the complaint is that the address that it points to is not a multiple of 4. Indeed the referenced address is simply a multiple of 2. The address of the pointer itself is aligned.

The complaint from the alignment checker is

misaligned pointer dereference: address must be a multiple of 0x4 but is 0x7f034cc916c6'

Which is also referring to the pointed address.

Digging in the FoundationDB side of things, it looks like the referenced address is directly pointing to a Standalone<>, which if I understand correctly is allocated through the Arena and could be at any point in memory.

The “fix” involves reallocating the memory needed for the resulting array, and copying it over, so that makes me think that the packing itself is not a problem because it’s not the pointers’ addresses that are checked here, but the memory that they point to instead.

What do you think? Could this point to the arena allocations leaking to the ABI?

atn34 · May 8, 2023, 8:49pm

Thanks for digging. I think you’re right.

I think this is the case after all

behos · June 9, 2023, 12:51pm

Quick update here, in case anyone bumps into this in the future. For Rust to understand that the API structs are misaligned, when using rust you need to make sure that you are exposing the packed structs, and not wrapping them in a transparent.

github.com/foundationdb-rs/foundationdb-rs

Fix alignment

foundationdb-rs:main ← Wonshtrum:fix_align

opened 11:23AM - 31 May 23 UTC

Wonshtrum

+97 -63

Fdb Arenas allocate structs not aligned, even though `fdb_c.h` explicitly specif…ies a 4bytes alignment for most of them (the others using their default alignment, 8bytes in general): https://github.com/foundationdb-rs/foundationdb-rs/blob/e8463554a2cc5f582842bf6b27aef0db57f00456/foundationdb-sys/include/710/fdb_c.h#L88-L92 These alignment constraints are translated in Rust in bindings.rs by bindgen and exported by `foundationdb_sys`: https://github.com/foundationdb-rs/foundationdb-rs/blob/e8463554a2cc5f582842bf6b27aef0db57f00456/foundationdb-sys/build.rs#L114-L115 ```rs #[repr(C, packed(4))] #[derive(Debug, Copy, Clone)] pub struct key { pub key: *const u8, pub key_length: ::std::os::raw::c_int, } pub type FDBKey = key; ``` And inherited by their "local wrappers": https://github.com/foundationdb-rs/foundationdb-rs/blob/e8463554a2cc5f582842bf6b27aef0db57f00456/foundationdb/src/fdb_keys.rs#L156-L158 Data is transferred between the fdbserver and foundationdb-rs via pointers which lead to this kind of code: https://github.com/foundationdb-rs/foundationdb-rs/blob/e8463554a2cc5f582842bf6b27aef0db57f00456/foundationdb/src/fdb_keys.rs#L42-L49 `self.keys` is a C pointer that points to a `FDBKey` potentially misaligned in a Fdb Arena. In the newer versions of Rust `from_raw_parts` panics with debug_assertions on pointer misalignment. Even if we ignore this, the fact that misaligned structs are currently read correctly is probably due to x86 compliance but is still undefined behavior. In this PR, "local wrappers" are annotated with `packed` instead of `transparent`: https://github.com/Wonshtrum/foundationdb-rs/blob/c6b198ddef85ca77bab40ea11cda1c08c9d09e35/foundationdb/src/fdb_keys.rs#L157-L159 This explicitly tells Rust that we do not expect these structs to be aligned. This removes the panics on newer versions as these structs are 1byte align (which a pointer will always be) and furthermore, we do not have to rely on x86 to magically accept unaligned structs as misalignment will be explicitly taken care of at machine code generation. These wrappers are used everywhere in favor of their raw counterparts from `fdb_sys`, and `deref` functions are rewritten using this form: https://github.com/Wonshtrum/foundationdb-rs/blob/c6b198ddef85ca77bab40ea11cda1c08c9d09e35/foundationdb/src/fdb_keys.rs#L46-L50 > note also the `assert_eq_align!(FdbKey, u8);`

rajivr · June 12, 2023, 1:18pm

Thanks @behos for digging into this issue and @atn34 for confirming. I just ran into this issue with my binding, and in my case decided to use ptr::read_unaligned instead of regular Rust dereference.