This is an archive of the discontinued LLVM Phabricator instance.

[TSan][Darwin] Avoid crashes due to interpreting non-zero shadow content as a pointer
ClosedPublic

Authored by yln on Sep 22 2021, 5:52 AM.

Download Raw Diff

Details

Reviewers

kubamracek
delcypher
aralisza
dvyukov

Commits

rG858eb8fc11e2: [TSan][Darwin] Avoid crashes due to interpreting non-zero shadow content as a…

Summary

We would like to use TLS to store the ThreadState object (or at least a
reference ot it), but on Darwin accessing TLS via __thread or manually
by using pthread_key_* is problematic, because there are several places
where interceptors are called when TLS is not accessible (early process
startup, thread cleanup, ...).

Previously, we used a "poor man's TLS" implementation, where we use the
shadow memory of the pointer returned by pthread_self() to store a
pointer to the ThreadState object.

The problem with that was that certain operations can populate shadow
bytes unbeknownst to TSan, and we later interpret these non-zero bytes
as the pointer to our ThreadState object and crash on when dereferencing
the pointer.

This patch changes the storage location of our reference to the
ThreadState object to "real" TLS. We make this work by artificially
keeping this reference alive in the pthread_key destructor by resetting
the key value with pthread_setspecific().

This change also fixes the issue were the ThreadState object is
re-allocated after DestroyThreadState() because intercepted functions
can still get called on the terminating thread after the
THREAD_TERMINATE event.

Radar-Id: rdar://problem/72010355

Diff Detail

Repository: rG LLVM Github Monorepo

Unit TestsFailed

	Time	Test
	60 ms	x64 debian > ORC-x86_64-linux.TestCases/Linux/x86-64::trivial-cxa-atexit.S
	80 ms	x64 debian > ORC-x86_64-linux.TestCases/Linux/x86-64::trivial-static-initializer.S
	70 ms	x64 debian > ORC-x86_64-linux.TestCases/Linux/x86-64::trivial-tls.S

Event Timeline

yln requested review of this revision.Sep 22 2021, 5:52 AM

yln created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptSep 22 2021, 5:52 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B125094: Diff 374194.Sep 22 2021, 6:08 AM

yln retitled this revision from Avoid crashes due to interpreting non-zero shadow content as a pointer to [TSan][Darwin] Avoid crashes due to interpreting non-zero shadow content as a pointer.Sep 23 2021, 7:47 AM

yln edited the summary of this revision. (Show Details)

yln mentioned this in D110162: [TSan][Darwin] Avoid crashes due to interpreting non-zero shadow content as a pointer.Sep 29 2021, 10:14 AM

yln added a reviewer: dvyukov.Sep 29 2021, 10:18 AM

dvyukov accepted this revision.Sep 30 2021, 6:44 AM

dvyukov added inline comments.

compiler-rt/lib/tsan/rtl/tsan_platform_mac.cpp
49	s/64/SANITIZER_CACHE_LINE_SIZE/
298	Please rebase this on ade5023c54cffcbefe0557b5473d55b06e40809b or it will break the test again.

This revision is now accepted and ready to land.Sep 30 2021, 6:44 AM

Rebase and address review feedback.

yln added inline comments.Sep 30 2021, 8:21 AM

compiler-rt/lib/tsan/rtl/tsan_platform_mac.cpp
298	Yes and thank you for the quick review Dmitry! :)

yln mentioned this in D108950: [TSan][Darwin] Avoid potential crashes after unobserved operations.Sep 30 2021, 8:55 AM

Harbormaster completed remote builds in B126580: Diff 376231.Sep 30 2021, 8:56 AM

Is there anything blocking this?
I need this for https://reviews.llvm.org/D112603
That changes start re-setting shadow periodically which wipes ThreadState* pointer currently stored in the shadow:
https://reviews.llvm.org/D112603#3146853
(the current runtime can do the same if flush_memory_ms/memory_limit_mb flags are enabled, but somehow nobody noticed that)
If ThreadState* is stored as pthread specific, then it should resolve the issue as well.

dvyukov mentioned this in D112603: tsan: new runtime (v3).Nov 22 2021, 10:56 AM

This revision was landed with ongoing or failed builds.Nov 30 2021, 2:49 PM

Closed by commit rG858eb8fc11e2: [TSan][Darwin] Avoid crashes due to interpreting non-zero shadow content as a… (authored by yln). · Explain Why

This revision was automatically updated to reflect the committed changes.

yln added a commit: rG858eb8fc11e2: [TSan][Darwin] Avoid crashes due to interpreting non-zero shadow content as a….

yln mentioned this in D45646: [tsan] Zero out the shadow memory for the stack and TLS in ThreadFinish.Nov 30 2021, 3:07 PM

Revision Contents

Path

Size

compiler-rt/

lib/

tsan/

rtl/

tsan_platform_mac.cpp

144 lines

Diff 374194

compiler-rt/lib/tsan/rtl/tsan_platform_mac.cpp

//===-- tsan_platform_mac.cpp ---------------------------------------------===//		//===-- tsan_platform_mac.cpp ---------------------------------------------===//
		Lint: Lint Inline Actions clang-format not found in user’s local PATH; not linting file. Lint: Lint: clang-format not found in user’s local PATH; not linting file.
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
// This file is a part of ThreadSanitizer (TSan), a race detector.		// This file is a part of ThreadSanitizer (TSan), a race detector.
//		//
// Mac-specific code.		// Mac-specific code.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "sanitizer_common/sanitizer_platform.h"		#include "sanitizer_common/sanitizer_platform.h"
#if SANITIZER_MAC		#if SANITIZER_MAC

#include "sanitizer_common/sanitizer_atomic.h"		#include "sanitizer_common/sanitizer_atomic.h"
		Lint: Pre-merge checks Inline Actions clang-format: please reformat the code -#include "sanitizer_common/sanitizer_atomic.h" -#include "sanitizer_common/sanitizer_common.h" -#include "sanitizer_common/sanitizer_libc.h" -#include "sanitizer_common/sanitizer_posix.h" -#include "sanitizer_common/sanitizer_procmaps.h" -#include "sanitizer_common/sanitizer_ptrauth.h" -#include "sanitizer_common/sanitizer_stackdepot.h" -#include "tsan_platform.h" -#include "tsan_rtl.h" -#include "tsan_flags.h" 17 diff lines are omitted. See full path. Lint: Pre-merge checks: clang-format: please reformat the code ``` -#include "sanitizer_common/sanitizer_atomic.h"…
#include "sanitizer_common/sanitizer_common.h"		#include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_libc.h"		#include "sanitizer_common/sanitizer_libc.h"
#include "sanitizer_common/sanitizer_posix.h"		#include "sanitizer_common/sanitizer_posix.h"
#include "sanitizer_common/sanitizer_procmaps.h"		#include "sanitizer_common/sanitizer_procmaps.h"
#include "sanitizer_common/sanitizer_ptrauth.h"		#include "sanitizer_common/sanitizer_ptrauth.h"
#include "sanitizer_common/sanitizer_stackdepot.h"		#include "sanitizer_common/sanitizer_stackdepot.h"
#include "tsan_platform.h"		#include "tsan_platform.h"
#include "tsan_rtl.h"		#include "tsan_rtl.h"
#include "tsan_flags.h"		#include "tsan_flags.h"

		#include <limits.h>
		Lint: Pre-merge checks Inline Actions clang-format: please reformat the code -#include <limits.h> -#include <mach/mach.h> -#include <pthread.h> -#include <signal.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <stdarg.h> -#include <sys/mman.h> -#include <sys/syscall.h> 17 diff lines are omitted. See full path. Lint: Pre-merge checks: clang-format: please reformat the code ``` -#include <limits.h> -#include <mach/mach.h>…
#include <mach/mach.h>		#include <mach/mach.h>
#include <pthread.h>		#include <pthread.h>
#include <signal.h>		#include <signal.h>
#include <stdio.h>		#include <stdio.h>
#include <stdlib.h>		#include <stdlib.h>
#include <string.h>		#include <string.h>
#include <stdarg.h>		#include <stdarg.h>
#include <sys/mman.h>		#include <sys/mman.h>
#include <sys/syscall.h>		#include <sys/syscall.h>
#include <sys/time.h>		#include <sys/time.h>
#include <sys/types.h>		#include <sys/types.h>
#include <sys/resource.h>		#include <sys/resource.h>
#include <sys/stat.h>		#include <sys/stat.h>
#include <unistd.h>		#include <unistd.h>
#include <errno.h>		#include <errno.h>
#include <sched.h>		#include <sched.h>

namespace __tsan {		namespace __tsan {

#if !SANITIZER_GO		#if !SANITIZER_GO
static void SignalSafeGetOrAllocate(uptr dst, uptr size) {		static char main_thread_state[sizeof(ThreadState)] ALIGNED(64);
		dvyukovUnsubmitted Done Reply Inline Actions s/64/SANITIZER_CACHE_LINE_SIZE/ dvyukov: s/64/SANITIZER_CACHE_LINE_SIZE/
atomic_uintptr_t a = (atomic_uintptr_t )dst;		static ThreadState *dead_thread_state;
void val = (void )atomic_load_relaxed(a);		static pthread_key_t thread_state_key;
atomic_signal_fence(memory_order_acquire); // Turns the previous load into
// acquire wrt signals.		// We rely on the following documented, but Darwin-specific behavior to keep the
if (UNLIKELY(val == nullptr)) {		// reference to the ThreadState object alive in TLS:
val = (void *)internal_mmap(nullptr, size, PROT_READ \| PROT_WRITE,		// man pthread_key_create:
MAP_PRIVATE \| MAP_ANON, -1, 0);		// If, after all the destructors have been called for all non-NULL values with
CHECK(val);		// associated destructors, there are still some non-NULL values with
void *cmp = nullptr;		// associated destructors, then the process is repeated. If, after at least
if (!atomic_compare_exchange_strong(a, (uintptr_t *)&cmp, (uintptr_t)val,		// [PTHREAD_DESTRUCTOR_ITERATIONS] iterations of destructor calls for
memory_order_acq_rel)) {		// outstanding non-NULL values, there are still some non-NULL values with
internal_munmap(val, size);		// associated destructors, the implementation stops calling destructors.
val = cmp;		static_assert(PTHREAD_DESTRUCTOR_ITERATIONS == 4, "Small number of iterations");
}		static void ThreadStateDestructor(void *thr) {
}		int res = pthread_setspecific(thread_state_key, thr);
return val;		CHECK_EQ(res, 0);
}		}

// On OS X, accessing TLVs via __thread or manually by using pthread_key_* is		static void InitializeThreadStateStorage() {
// problematic, because there are several places where interceptors are called		int res;
// when TLVs are not accessible (early process startup, thread cleanup, ...).		CHECK_EQ(thread_state_key, 0);
// The following provides a "poor man's TLV" implementation, where we use the		res = pthread_key_create(&thread_state_key, ThreadStateDestructor);
// shadow memory of the pointer returned by pthread_self() to store a pointer to		CHECK_EQ(res, 0);
// the ThreadState object. The main thread's ThreadState is stored separately		res = pthread_setspecific(thread_state_key, main_thread_state);
// in a static variable, because we need to access it even before the		CHECK_EQ(res, 0);
// shadow memory is set up.
static uptr main_thread_identity = 0;		auto dts = (ThreadState *)MmapOrDie(sizeof(ThreadState), "ThreadState");
ALIGNED(64) static char main_thread_state[sizeof(ThreadState)];		dts->fast_state.SetIgnoreBit();
static ThreadState main_thread_state_loc = (ThreadState )main_thread_state;		dts->ignore_interceptors = 1;
		dts->is_dead = true;
// We cannot use pthread_self() before libpthread has been initialized. Our		const_cast<int>(&dts->tid) = -1;
		Lint: Pre-merge checks Inline Actions clang-format: please reformat the code - const_cast<int>(&dts->tid) = -1; + const_cast<int >(&dts->tid) = -1; Lint: Pre-merge checks: clang-format: please reformat the code ``` - const_cast<int>(&dts->tid) = -1; +…
// current heuristic for guarding this is checking `main_thread_identity` which		res = internal_mprotect(dts, sizeof(ThreadState), PROT_READ); // immutable
// is only assigned in `__tsan::InitializePlatform`.		CHECK_EQ(res, 0);
static ThreadState **cur_thread_location() {		dead_thread_state = dts;
if (main_thread_identity == 0)
return &main_thread_state_loc;
uptr thread_identity = (uptr)pthread_self();
if (thread_identity == main_thread_identity)
return &main_thread_state_loc;
return (ThreadState **)MemToShadow(thread_identity);
}		}

ThreadState *cur_thread() {		ThreadState *cur_thread() {
return (ThreadState *)SignalSafeGetOrAllocate(		// Some interceptors get called before libpthread has been initialized and in
(uptr *)cur_thread_location(), sizeof(ThreadState));		// these cases we must avoid calling any pthread APIs.
		if (UNLIKELY(!thread_state_key)) {
		return (ThreadState *)main_thread_state;
		}

		// We only reach this line after InitializeThreadStateStorage() ran, i.e,
		// after TSan (and therefore libpthread) have been initialized.
		ThreadState thr = (ThreadState )pthread_getspecific(thread_state_key);
		if (UNLIKELY(!thr)) {
		thr = (ThreadState *)MmapOrDie(sizeof(ThreadState), "ThreadState");
		int res = pthread_setspecific(thread_state_key, thr);
		CHECK_EQ(res, 0);
		}
		return thr;
}		}

void set_cur_thread(ThreadState *thr) {		void set_cur_thread(ThreadState *thr) {
*cur_thread_location() = thr;		int res = pthread_setspecific(thread_state_key, thr);
		CHECK_EQ(res, 0);
}		}

// TODO(kuba.brecka): This is not async-signal-safe. In particular, we call
// munmap first and then clear `fake_tls`; if we receive a signal in between,
// handler will try to access the unmapped ThreadState.
void cur_thread_finalize() {		void cur_thread_finalize() {
ThreadState **thr_state_loc = cur_thread_location();		ThreadState thr = (ThreadState )pthread_getspecific(thread_state_key);
if (thr_state_loc == &main_thread_state_loc) {		CHECK(thr);
		if (thr == (ThreadState *)main_thread_state) {
// Calling dispatch_main() or xpc_main() actually invokes pthread_exit to		// Calling dispatch_main() or xpc_main() actually invokes pthread_exit to
// exit the main thread. Let's keep the main thread's ThreadState.		// exit the main thread. Let's keep the main thread's ThreadState.
return;		return;
}		}
internal_munmap(*thr_state_loc, sizeof(ThreadState));		// Intercepted functions can still get called after cur_thread_finalize()
*thr_state_loc = nullptr;		// (called from DestroyThreadState()), so put a fake thread state for "dead"
		// threads. An alternative solution would be to release the ThreadState
		// object from THREAD_DESTROY (which is delivered later and on the parent
		// thread) instead of THREAD_TERMINATE.
		int res = pthread_setspecific(thread_state_key, dead_thread_state);
		CHECK_EQ(res, 0);
		UnmapOrDie(thr, sizeof(ThreadState));
}		}
#endif		#endif

void FlushShadowMemory() {		void FlushShadowMemory() {
}		}

static void RegionMemUsage(uptr start, uptr end, uptr res, uptr dirty) {		static void RegionMemUsage(uptr start, uptr end, uptr res, uptr dirty) {
vm_address_t address = start;		vm_address_t address = start;
▲ Show 20 Lines • Show All 95 Lines • ▼ Show 20 Lines	if (thread == pthread_self()) {
Processor *proc = ProcCreate();		Processor *proc = ProcCreate();
ProcWire(proc, thr);		ProcWire(proc, thr);
ThreadState *parent_thread_state = nullptr; // No parent.		ThreadState *parent_thread_state = nullptr; // No parent.
Tid tid = ThreadCreate(parent_thread_state, 0, (uptr)thread, true);		Tid tid = ThreadCreate(parent_thread_state, 0, (uptr)thread, true);
CHECK_NE(tid, kMainTid);		CHECK_NE(tid, kMainTid);
ThreadStart(thr, tid, GetTid(), ThreadType::Worker);		ThreadStart(thr, tid, GetTid(), ThreadType::Worker);
}		}
} else if (event == PTHREAD_INTROSPECTION_THREAD_TERMINATE) {		} else if (event == PTHREAD_INTROSPECTION_THREAD_TERMINATE) {
if (thread == pthread_self()) {		CHECK_EQ(thread, pthread_self());
ThreadState *thr = cur_thread();		ThreadState *thr = cur_thread();
if (thr->tctx) {		if (thr->tctx) {
DestroyThreadState();		DestroyThreadState();
}		}
}		}
}

if (prev_pthread_introspection_hook != nullptr)		if (prev_pthread_introspection_hook != nullptr)
prev_pthread_introspection_hook(event, thread, addr, size);		prev_pthread_introspection_hook(event, thread, addr, size);
}		}
#endif		#endif

void InitializePlatformEarly() {		void InitializePlatformEarly() {
# if !SANITIZER_GO && SANITIZER_IOS		# if !SANITIZER_GO && SANITIZER_IOS
uptr max_vm = GetMaxUserVirtualAddress() + 1;		uptr max_vm = GetMaxUserVirtualAddress() + 1;
if (max_vm != HiAppMemEnd()) {		if (max_vm != HiAppMemEnd()) {
Printf("ThreadSanitizer: unsupported vm address limit %p, expected %p.\n",		Printf("ThreadSanitizer: unsupported vm address limit %p, expected %p.\n",
max_vm, HiAppMemEnd());		max_vm, HiAppMemEnd());
Die();		Die();
}		}
#endif		#endif
}		}

static uptr longjmp_xor_key = 0;		static uptr longjmp_xor_key = 0;

void InitializePlatform() {		void InitializePlatform() {
DisableCoreDumperIfNecessary();		DisableCoreDumperIfNecessary();
#if !SANITIZER_GO		#if !SANITIZER_GO
CheckAndProtect();		CheckAndProtect();

CHECK_EQ(main_thread_identity, 0);		InitializeThreadStateStorage();
main_thread_identity = (uptr)pthread_self();

prev_pthread_introspection_hook =		prev_pthread_introspection_hook =
pthread_introspection_hook_install(&my_pthread_introspection_hook);		pthread_introspection_hook_install(&my_pthread_introspection_hook);
#endif		#endif

if (GetMacosAlignedVersion() >= MacosVersion(10, 14)) {		if (GetMacosAlignedVersion() >= MacosVersion(10, 14)) {
// Libsystem currently uses a process-global key; this might change.		// Libsystem currently uses a process-global key; this might change.
const unsigned kTLSLongjmpXorKeySlot = 0x7;		const unsigned kTLSLongjmpXorKeySlot = 0x7;
Show All 13 Lines	uptr ExtractLongJmpSp(uptr *env) {
uptr sp = mangled_sp ^ longjmp_xor_key;		uptr sp = mangled_sp ^ longjmp_xor_key;
sp = (uptr)ptrauth_auth_data((void *)sp, ptrauth_key_asdb,		sp = (uptr)ptrauth_auth_data((void *)sp, ptrauth_key_asdb,
ptrauth_string_discriminator("sp"));		ptrauth_string_discriminator("sp"));
return sp;		return sp;
}		}

#if !SANITIZER_GO		#if !SANITIZER_GO
void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size) {		void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size) {
// The pointer to the ThreadState object is stored in the shadow memory		// Unlike Linux, we only store a pointer to the ThreadState object in TLS;
// of the tls.		// just mark the entire range as written to.
uptr tls_end = tls_addr + tls_size;
uptr thread_identity = (uptr)pthread_self();
if (thread_identity == main_thread_identity) {
MemoryRangeImitateWrite(thr, /pc=/2, tls_addr, tls_size);		MemoryRangeImitateWrite(thr, /pc=/2, tls_addr, tls_size);
		dvyukovUnsubmitted Done Reply Inline Actions Please rebase this on ade5023c54cffcbefe0557b5473d55b06e40809b or it will break the test again. dvyukov: Please rebase this on ade5023c54cffcbefe0557b5473d55b06e40809b or it will break the test again.
		ylnAuthorUnsubmitted Done Reply Inline Actions Yes and thank you for the quick review Dmitry! :) yln: Yes and thank you for the quick review Dmitry! :)
} else {
uptr thr_state_start = thread_identity;
uptr thr_state_end = thr_state_start + sizeof(uptr);
CHECK_GE(thr_state_start, tls_addr);
CHECK_LE(thr_state_start, tls_addr + tls_size);
CHECK_GE(thr_state_end, tls_addr);
CHECK_LE(thr_state_end, tls_addr + tls_size);
MemoryRangeImitateWrite(thr, /pc=/2, tls_addr,
thr_state_start - tls_addr);
MemoryRangeImitateWrite(thr, /pc=/2, thr_state_end,
tls_end - thr_state_end);
}
}		}
#endif		#endif

#if !SANITIZER_GO		#if !SANITIZER_GO
// Note: this function runs with async signals enabled,		// Note: this function runs with async signals enabled,
// so it must not touch any tsan state.		// so it must not touch any tsan state.
int call_pthread_cancel_with_cleanup(int (fn)(void arg),		int call_pthread_cancel_with_cleanup(int (fn)(void arg),
void (cleanup)(void arg), void *arg) {		void (cleanup)(void arg), void *arg) {
Show All 13 Lines