This is an archive of the discontinued LLVM Phabricator instance.

Differential D125040

[Support] Fix UB in BumpPtrAllocator when first allocation is zero.
ClosedPublic

Authored by sammccall on May 5 2022, 1:54 PM.

Details

Reviewers
hokein
Commits
rGba0d50ad7ec6: [Support] Fix UB in BumpPtrAllocator when first allocation is zero.
Summary

BumpPtrAllocator::Allocate() is marked attribute((returns_nonnull)) when the
compiler supports it, which makes it UB to return null.

When there have been no allocations yet, the current slab is [nullptr, nullptr).
A zero-sized allocation fits in this range, and so Allocate(0, 1) returns null.

There's no explicit docs whether Allocate(0) is valid. I think we have to assume
that it is:

  • the implementation tries to support it (e.g. >= tests instead of >)
  • malloc(0) is allowed
  • requiring each callsite to do a check is bug-prone
  • I found real LLVM code that makes zero-sized allocations

Diff Detail

Unit TestsFailed

TimeTest
60,060 msx64 debian > libFuzzer.libFuzzer::large.test

Event Timeline

sammccall created this revision.May 5 2022, 1:54 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 5 2022, 1:55 PM
sammccall requested review of this revision.May 5 2022, 1:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 5 2022, 1:55 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
sammccall added a comment.May 5 2022, 1:59 PM

Here's an example of an innocuous-looking Allocate() that can be zero-sized: https://github.com/llvm/llvm-project/blob/16dcbb53dc7968a3752661aac731172ebe0faf64/clang-tools-extra/pseudo/lib/Forest.cpp#L130

Found this by running a fuzzer on clang-pseudo, in an environment that instruments returns_nonnull functions (probably it's UBSan)

Harbormaster completed remote builds in B162998: Diff 427438.May 5 2022, 3:01 PM
hokein accepted this revision.May 5 2022, 10:16 PM
hokein added inline comments.
llvm/include/llvm/Support/Allocator.h
142

mention this specific behavior of Allocate(0) in the doc: Allocate(0) returns a non-NULL zero-sized pointer (Dereferencing this pointer is UB).

This revision is now accepted and ready to land.May 5 2022, 10:16 PM
This revision was landed with ongoing or failed builds.May 5 2022, 11:57 PM
Closed by commit rGba0d50ad7ec6: [Support] Fix UB in BumpPtrAllocator when first allocation is zero. (authored by sammccall). · Explain Why
This revision was automatically updated to reflect the committed changes.
sammccall marked an inline comment as done.
sammccall added a commit: rGba0d50ad7ec6: [Support] Fix UB in BumpPtrAllocator when first allocation is zero..

Revision Contents

PathSize
llvm/
include/
llvm/
Support/
4 lines
unittests/
Support/
25 lines

Diff 427438

llvm/include/llvm/Support/Allocator.h

Show First 20 LinesShow All 133 Lines▼ Show 20 Lines void Reset() {
__asan_poison_memory_region(*Slabs.begin(), computeSlabSize(0)); __asan_poison_memory_region(*Slabs.begin(), computeSlabSize(0));
DeallocateSlabs(std::next(Slabs.begin()), Slabs.end()); DeallocateSlabs(std::next(Slabs.begin()), Slabs.end());
Slabs.erase(std::next(Slabs.begin()), Slabs.end()); Slabs.erase(std::next(Slabs.begin()), Slabs.end());
} }
/// Allocate space at the specified alignment. /// Allocate space at the specified alignment.
// This method is *not* marked noalias, because // This method is *not* marked noalias, because
// SpecificBumpPtrAllocator::DestroyAll() loops over all allocations, and // SpecificBumpPtrAllocator::DestroyAll() loops over all allocations, and
// that loop is not based on the Allocate() return value. // that loop is not based on the Allocate() return value.
hokeinUnsubmitted
Done
ReplyInline Actions

mention this specific behavior of Allocate(0) in the doc: Allocate(0) returns a non-NULL zero-sized pointer (Dereferencing this pointer is UB).

hokein: mention this specific behavior of Allocate(0) in the doc: `Allocate(0) returns a non-NULL zero…
LLVM_ATTRIBUTE_RETURNS_NONNULL void *Allocate(size_t Size, Align Alignment) { LLVM_ATTRIBUTE_RETURNS_NONNULL void *Allocate(size_t Size, Align Alignment) {
// Keep track of how many bytes we've allocated. // Keep track of how many bytes we've allocated.
BytesAllocated += Size; BytesAllocated += Size;
size_t Adjustment = offsetToAlignedAddr(CurPtr, Alignment); size_t Adjustment = offsetToAlignedAddr(CurPtr, Alignment);
assert(Adjustment + Size >= Size && "Adjustment + Size must not overflow"); assert(Adjustment + Size >= Size && "Adjustment + Size must not overflow");
size_t SizeToAllocate = Size; size_t SizeToAllocate = Size;
#if LLVM_ADDRESS_SANITIZER_BUILD #if LLVM_ADDRESS_SANITIZER_BUILD
// Add trailing bytes as a "red zone" under ASan. // Add trailing bytes as a "red zone" under ASan.
SizeToAllocate += RedZoneSize; SizeToAllocate += RedZoneSize;
#endif #endif
// Check if we have enough space. // Check if we have enough space.
if (Adjustment + SizeToAllocate <= size_t(End - CurPtr)) { if (Adjustment + SizeToAllocate <= size_t(End - CurPtr)
// We can't return nullptr even for a zero-sized allocation!
&& CurPtr != nullptr) {
char *AlignedPtr = CurPtr + Adjustment; char *AlignedPtr = CurPtr + Adjustment;
CurPtr = AlignedPtr + SizeToAllocate; CurPtr = AlignedPtr + SizeToAllocate;
// Update the allocation point of this memory block in MemorySanitizer. // Update the allocation point of this memory block in MemorySanitizer.
// Without this, MemorySanitizer messages for values originated from here // Without this, MemorySanitizer messages for values originated from here
// will point to the allocation of the entire slab. // will point to the allocation of the entire slab.
__msan_allocated_memory(AlignedPtr, Size); __msan_allocated_memory(AlignedPtr, Size);
// Similarly, tell ASan about this space. // Similarly, tell ASan about this space.
__asan_unpoison_memory_region(AlignedPtr, Size); __asan_unpoison_memory_region(AlignedPtr, Size);
▲ Show 20 LinesShow All 281 LinesShow Last 20 Lines

llvm/unittests/Support/AllocatorTest.cpp

Show First 20 LinesShow All 93 Lines▼ Show 20 LinesTEST(AllocatorTest, TestAlignment) {
a = (uintptr_t)Alloc.Allocate(1, 32); a = (uintptr_t)Alloc.Allocate(1, 32);
EXPECT_EQ(0U, a & 31); EXPECT_EQ(0U, a & 31);
a = (uintptr_t)Alloc.Allocate(1, 64); a = (uintptr_t)Alloc.Allocate(1, 64);
EXPECT_EQ(0U, a & 63); EXPECT_EQ(0U, a & 63);
a = (uintptr_t)Alloc.Allocate(1, 128); a = (uintptr_t)Alloc.Allocate(1, 128);
EXPECT_EQ(0U, a & 127); EXPECT_EQ(0U, a & 127);
} }
// Test zero-sized allocations.
// In general we don't need to allocate memory for these.
// However Allocate never returns null, so if the first allocation is zero-sized
// we end up creating a slab for it.
TEST(AllocatorTest, TestZero) {
BumpPtrAllocator Alloc;
EXPECT_EQ(0u, Alloc.GetNumSlabs());
EXPECT_EQ(0u, Alloc.getBytesAllocated());
void *Empty = Alloc.Allocate(0, 1);
EXPECT_NE(Empty, nullptr) << "Allocate is __attribute__((returns_nonnull))";
EXPECT_EQ(1u, Alloc.GetNumSlabs()) << "Allocated a slab to point to";
EXPECT_EQ(0u, Alloc.getBytesAllocated());
void *Large = Alloc.Allocate(4096, 1);
EXPECT_EQ(1u, Alloc.GetNumSlabs());
EXPECT_EQ(4096u, Alloc.getBytesAllocated());
EXPECT_EQ(Empty, Large);
void *Empty2 = Alloc.Allocate(0, 1);
EXPECT_NE(Empty2, nullptr);
EXPECT_EQ(1u, Alloc.GetNumSlabs());
EXPECT_EQ(4096u, Alloc.getBytesAllocated());
}
// Test allocating just over the slab size. This tests a bug where before the // Test allocating just over the slab size. This tests a bug where before the
// allocator incorrectly calculated the buffer end pointer. // allocator incorrectly calculated the buffer end pointer.
TEST(AllocatorTest, TestOverflow) { TEST(AllocatorTest, TestOverflow) {
BumpPtrAllocator Alloc; BumpPtrAllocator Alloc;
// Fill the slab right up until the end pointer. // Fill the slab right up until the end pointer.
Alloc.Allocate(4096, 1); Alloc.Allocate(4096, 1);
EXPECT_EQ(1U, Alloc.GetNumSlabs()); EXPECT_EQ(1U, Alloc.GetNumSlabs());
▲ Show 20 LinesShow All 126 LinesShow Last 20 Lines