This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/trunk/
-
trunk/
-
lib/asan/
-
asan/
-
asan_mac.cc
-
test/asan/TestCases/Darwin/
-
asan/
-
TestCases/
-
Darwin/
-
xpc_interceptors.mm

Differential D12490

[asan] Intercept and wrap XPC callback blocks
ClosedPublic

Authored by kubamracek on Aug 31 2015, 2:33 AM.

Download Raw Diff

Details

Reviewers

glider
samsonov

Commits

rGdfaac293dc71: [asan] Intercept and wrap XPC callback blocks
rCRT246961: [asan] Intercept and wrap XPC callback blocks
rL246961: [asan] Intercept and wrap XPC callback blocks

Summary

On recent OS X systems, blocks used as callbacks for XPC events (set up e.g. via xpc_connection_set_event_handler) are not later executed via the public libdispatch API (dispatch_async, etc). Because we don't intercept the path where the block is executed, we can fail to register the newly created dispatch thread. To fix that, let's intercept libxpc's APIs that take a block as a callback handler, and let's wrap these blocks in the same way as we do for libdispatch API.

Diff Detail

Repository: rL LLVM

Event Timeline

kubamracek updated this revision to Diff 33562.Aug 31 2015, 2:33 AM

kubamracek retitled this revision from to [asan] Intercept and wrap XPC callback blocks.

kubamracek updated this object.

kubamracek added reviewers: samsonov, glider.

kubamracek added subscribers: llvm-commits, samsonov, glider and 2 others.

ping

How does this test check that the underlying thread(s) has been correctly registered?
Should we make the callback crash to make sure the report is correct?

lib/asan/asan_mac.cc
47 ↗	(On Diff #33562)	While at it, can you please fix the inclusion order?
test/asan/TestCases/Darwin/xpc_interceptors.mm
29 ↗	(On Diff #33562)	Why pass trace[0] to fprintf here?

In D12490#240066, @glider wrote:

How does this test check that the underlying thread(s) has been correctly registered?
Should we make the callback crash to make sure the report is correct?

__asan_get_alloc_stack will internally try to retrieve the thread from ThreadRegistry, which will currently (without the patch) crash.

Got it. Can you please add a comment about this?

In D12490#240083, @glider wrote:

Got it. Can you please add a comment about this?

I'll change the test to perform a buffer overflow or something, that'll be better.

Updating patch to perform a buffer overflow in the XPC callback thread. Added comment explaining the bug. Fixed inclusion order.

LGTM if xpc.h available on all OSX versions for which ASan is supported.

lib/asan/asan_mac.cc
47 ↗	(On Diff #34134)	Is this header available on all OSX versions we're targeting?

This revision is now accepted and ready to land.Sep 7 2015, 4:11 AM

Yes, the APIs and the header is available on 10.7+.

Closed by commit rL246961: [asan] Intercept and wrap XPC callback blocks (authored by kuba.brecka). · Explain WhySep 7 2015, 4:20 AM

This revision was automatically updated to reflect the committed changes.

Reverted in r246967. The header's not available in the simulator SDK.

Revision Contents

Path

Size

compiler-rt/

trunk/

lib/

asan/

asan_mac.cc

54 lines

test/

asan/

TestCases/

Darwin/

xpc_interceptors.mm

37 lines

Diff 34142

compiler-rt/trunk/lib/asan/asan_mac.cc

Show All 27 Lines
#include <crt_externs.h> // for _NSGetArgv and _NSGetEnviron		#include <crt_externs.h> // for _NSGetArgv and _NSGetEnviron
#else		#else
extern "C" {		extern "C" {
extern char ***_NSGetArgv(void);		extern char ***_NSGetArgv(void);
}		}
#endif		#endif

#include <dlfcn.h> // for dladdr()		#include <dlfcn.h> // for dladdr()
		#include <fcntl.h>
		#include <libkern/OSAtomic.h>
#include <mach-o/dyld.h>		#include <mach-o/dyld.h>
#include <mach-o/loader.h>		#include <mach-o/loader.h>
		#include <pthread.h>
		#include <stdlib.h> // for free()
#include <sys/mman.h>		#include <sys/mman.h>
#include <sys/resource.h>		#include <sys/resource.h>
#include <sys/sysctl.h>		#include <sys/sysctl.h>
#include <sys/ucontext.h>		#include <sys/ucontext.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdlib.h> // for free()
#include <unistd.h>		#include <unistd.h>
#include <libkern/OSAtomic.h>		#include <xpc/xpc.h>

namespace __asan {		namespace __asan {

void InitializePlatformInterceptors() {}		void InitializePlatformInterceptors() {}

bool PlatformHasDifferentMemcpyAndMemmove() {		bool PlatformHasDifferentMemcpyAndMemmove() {
// On OS X 10.7 memcpy() and memmove() are both resolved		// On OS X 10.7 memcpy() and memmove() are both resolved
// into memmove$VARIANT$sse42.		// into memmove$VARIANT$sse42.
▲ Show 20 Lines • Show All 212 Lines • ▼ Show 20 Lines
// dispatch_source_set_event_handler_f()		// dispatch_source_set_event_handler_f()
// dispatch_source_set_event_handler()		// dispatch_source_set_event_handler()
//		//
// The reference manual for Grand Central Dispatch is available at		// The reference manual for Grand Central Dispatch is available at
// http://developer.apple.com/library/mac/#documentation/Performance/Reference/GCD_libdispatch_Ref/Reference/reference.html		// http://developer.apple.com/library/mac/#documentation/Performance/Reference/GCD_libdispatch_Ref/Reference/reference.html
// The implementation details are at		// The implementation details are at
// http://libdispatch.macosforge.org/trac/browser/trunk/src/queue.c		// http://libdispatch.macosforge.org/trac/browser/trunk/src/queue.c

typedef void* dispatch_group_t;
typedef void* dispatch_queue_t;
typedef void* dispatch_source_t;
typedef u64 dispatch_time_t;
typedef void (dispatch_function_t)(void block);
typedef void* (worker_t)(void block);		typedef void* (worker_t)(void block);

// A wrapper for the ObjC blocks used to support libdispatch.		// A wrapper for the ObjC blocks used to support libdispatch.
typedef struct {		typedef struct {
void *block;		void *block;
dispatch_function_t func;		dispatch_function_t func;
u32 parent_tid;		u32 parent_tid;
} asan_block_context_t;		} asan_block_context_t;
▲ Show 20 Lines • Show All 106 Lines • ▼ Show 20 Lines	#define GET_ASAN_BLOCK(work) \
void (^asan_block)(void); \		void (^asan_block)(void); \
int parent_tid = GetCurrentTidOrInvalid(); \		int parent_tid = GetCurrentTidOrInvalid(); \
asan_block = ^(void) { \		asan_block = ^(void) { \
GET_STACK_TRACE_THREAD; \		GET_STACK_TRACE_THREAD; \
asan_register_worker_thread(parent_tid, &stack); \		asan_register_worker_thread(parent_tid, &stack); \
work(); \		work(); \
}		}

		#define GET_ASAN_BLOCK_XPC(work) \
		void (^asan_block)(xpc_object_t object); \
		int parent_tid = GetCurrentTidOrInvalid(); \
		asan_block = ^(xpc_object_t object) { \
		GET_STACK_TRACE_THREAD; \
		asan_register_worker_thread(parent_tid, &stack); \
		work(object); \
		}

INTERCEPTOR(void, dispatch_async,		INTERCEPTOR(void, dispatch_async,
dispatch_queue_t dq, void(^work)(void)) {		dispatch_queue_t dq, void(^work)(void)) {
ENABLE_FRAME_POINTER;		ENABLE_FRAME_POINTER;
GET_ASAN_BLOCK(work);		GET_ASAN_BLOCK(work);
REAL(dispatch_async)(dq, asan_block);		REAL(dispatch_async)(dq, asan_block);
}		}

INTERCEPTOR(void, dispatch_group_async,		INTERCEPTOR(void, dispatch_group_async,
Show All 22 Lines
}		}

INTERCEPTOR(void, dispatch_source_set_event_handler,		INTERCEPTOR(void, dispatch_source_set_event_handler,
dispatch_source_t ds, void(^work)(void)) {		dispatch_source_t ds, void(^work)(void)) {
ENABLE_FRAME_POINTER;		ENABLE_FRAME_POINTER;
GET_ASAN_BLOCK(work);		GET_ASAN_BLOCK(work);
REAL(dispatch_source_set_event_handler)(ds, asan_block);		REAL(dispatch_source_set_event_handler)(ds, asan_block);
}		}

		INTERCEPTOR(void, xpc_connection_send_message_with_reply,
		xpc_connection_t connection, xpc_object_t message,
		dispatch_queue_t replyq, xpc_handler_t handler) {
		ENABLE_FRAME_POINTER;
		GET_ASAN_BLOCK_XPC(handler);
		REAL(xpc_connection_send_message_with_reply)(connection, message, replyq,
		asan_block);
		}

		INTERCEPTOR(void, xpc_connection_set_event_handler, xpc_connection_t connection,
		xpc_handler_t handler) {
		ENABLE_FRAME_POINTER;
		GET_ASAN_BLOCK_XPC(handler);
		REAL(xpc_connection_set_event_handler)(connection, asan_block);
		}

		INTERCEPTOR(void, xpc_set_event_stream_handler, const char *stream,
		dispatch_queue_t targetq, xpc_handler_t handler) {
		ENABLE_FRAME_POINTER;
		GET_ASAN_BLOCK_XPC(handler);
		REAL(xpc_set_event_stream_handler)(stream, targetq, asan_block);
		}

		INTERCEPTOR(void, xpc_connection_send_barrier, xpc_connection_t connection,
		dispatch_block_t barrier) {
		ENABLE_FRAME_POINTER;
		GET_ASAN_BLOCK(barrier);
		REAL(xpc_connection_send_barrier)(connection, asan_block);
		}

#endif		#endif

#endif // SANITIZER_MAC		#endif // SANITIZER_MAC

compiler-rt/trunk/test/asan/TestCases/Darwin/xpc_interceptors.mm

				// Check that blocks executed on the XPC callback queue are handled correctly by
				// ASan.

				// RUN: %clangxx_asan -O0 %s -o %t -framework Foundation && not %run %t 2>&1 \| FileCheck %s

				#import <Foundation/Foundation.h>
				#include <sanitizer/asan_interface.h>
				#include <xpc/xpc.h>

				int main() {
				//!Set up a 5-second timeout.
				dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC),
				dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0),
				^{
				exit(0);
				});

				xpc_connection_t _connection = xpc_connection_create_mach_service(
				"com.example.non.existing.xpc", NULL, 0);

				xpc_connection_set_event_handler(_connection, ^(xpc_object_t event) {
				char mem = (char )malloc(10);
				NSLog(@"mem = %p", mem);

				// Without the XPC API interceptors, this would cause an assertion failure
				// when describing the current thread (XPC callback thread).
				fprintf(stderr, "%s\n", mem + 10); // BOOM.
				// CHECK: ERROR: AddressSanitizer: heap-buffer-overflow
				// CHECK: READ of size 1 at
				// CHECK: allocated by thread
				// CHECK: {{ #0 0x.* in .*malloc}}
				});

				xpc_connection_resume(_connection);
				dispatch_main();
				return 0;
				}