This is an archive of the discontinued LLVM Phabricator instance.

Differential D129385

[lsan][Darwin] Scan libdispatch and Foundation memory regions
ClosedPublic

Authored by lgrey on Jul 8 2022, 10:48 AM.

Details

Reviewers
yln
thetruestblue
rsundahl
wrotki
vitalybuka
Commits
rGed2c3f46f5a7: [lsan][Darwin] Scan libdispatch and Foundation memory regions
Summary

libdispatch uses its own heap (_dispatch_main_heap) for some allocations, including the dispatch_continuation_t that holds a dispatch source's event handler.
Objective-C block trampolines (creating methods at runtime with a block as the implementations) use the VM_MEMORY_FOUNDATION region (see https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-block-trampolines.mm#L371).

This change scans both regions to fix false positives. See tests for details; unfortunately I was unable to reduce the trampoline example with imp_implementationWithBlock on a new class, so I'm resorting to something close to the bug as seen in the wild.

Diff Detail

Event Timeline

lgrey created this revision.Jul 8 2022, 10:48 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 8 2022, 10:48 AM
Herald added a subscriber: Enna1. · View Herald Transcript
lgrey requested review of this revision.Jul 8 2022, 10:48 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 8 2022, 10:48 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
fjricci resigned from this revision.Jul 8 2022, 10:52 AM

Hey sorry, it’s been several years since I’ve done anything LLVM-related, I don’t think I’m still the right reviewer for this code.

I actually don’t even write C++ anymore.

Harbormaster completed remote builds in B174418: Diff 443287.Jul 8 2022, 11:07 AM
lgrey edited reviewers, added: yln; removed: fjricci.Jul 8 2022, 11:09 AM
yln added a comment.Jul 8 2022, 11:40 AM

Hi Leonard!

Does this fix the check-lsan and check-asan targets (currently many tests are failing there on macOS Beta 13)?

If this fixes a specific problem not already exposed by existing tests, then can we try to add a test for it?
If this fixes existing tests, can you mention in the commit messages which ones they are?

Thanks!

yln added a comment.Jul 8 2022, 11:41 AM
This comment was removed by yln.
yln added reviewers: thetruestblue, rsundahl, wrotki.Jul 8 2022, 11:41 AM
lgrey added a comment.Jul 8 2022, 12:43 PM
In D129385#3639506, @yln wrote:

Does this fix the check-lsan and check-asan targets (currently many tests are failing there on macOS Beta 13)?
Thanks!

To be perfectly honest, I'm not sure since the objc runtime issues are masking everything else! I'm going to send a separate change to suppress those and get back to you :) (For context, I'm working on enabling LSAN for Mac Chromium, so there's probably a few more of these in the pipeline).

Are there any public builders running these suites on 13? My 13 machine doesn't have a dev environment so I'd be curious to see if there's anything happening beyond what I'm seeing on 11/12.

lgrey added a comment.Jul 14 2022, 8:59 AM
In D129385#3639640, @lgrey wrote:

To be perfectly honest, I'm not sure since the objc runtime issues are masking everything else! I'm going to send a separate change to suppress those and get back to you :)

On second thought: What I'm realizing is that suppressing ObjC runtime errors is not great, since they're so common. The stack still needs to be symbolized to do the suppression, so everything is very slow.

Instead of suppressing, WDYT about just ignoring the relevant regions? Details on why this happens here: https://docs.google.com/document/d/11h3N06tN-_n7nbwVK8qTRnWz3paICI_HlrVM8BvmZ9s

yln added a comment.Jul 15 2022, 2:50 PM
In D129385#3639640, @lgrey wrote:

I'm working on enabling LSAN for Mac Chromium

Very cool and good to know! :)

Are there any public builders running these suites on 13? My 13 machine doesn't have a dev environment so I'd be curious to see if there's anything happening beyond what I'm seeing on 11/12.

Apple doesn't support LSan because we ship the leaks tool in our toolchain already that serves this purpose. I don't think we are running check-lsan anywhere.
However, I think that this mostly worked on macOS until recently (before macOS 13?) so I initially thought that your are fixing that problem.

Instead of suppressing, WDYT about just ignoring the relevant regions? Details on why this happens here: https://docs.google.com/document/d/11h3N06tN-_n7nbwVK8qTRnWz3paICI_HlrVM8BvmZ9s

Yes, I think that sounds like a better approach.

Now, that I better understand what this revision is trying to do my general feedback would be: if we fix a false positive, it would be nice to have a test for it!

yln added a reviewer: vitalybuka.Jul 15 2022, 2:50 PM
lgrey updated this revision to Diff 458864.Sep 8 2022, 2:28 PM
lgrey retitled this revision from [lsan][Darwin] Scan libdispatch heap to [lsan][Darwin] Scan libdispatch and Foundation memory regions.
lgrey edited the summary of this revision. (Show Details)

Updated with test now that https://reviews.llvm.org/D133126 has landed.

I originally wanted the Foundation part to be a different patch, but it makes more sense to do it at once, since the scanning logic has to change anyway.

Harbormaster completed remote builds in B185715: Diff 458864.Sep 8 2022, 2:59 PM
yln added inline comments.Sep 8 2022, 5:56 PM
compiler-rt/lib/lsan/lsan_common_mac.cpp
40–41

Can we get rid of this #ifdef here? I think we can drop support for compiling with SDK versions <= macOS 10.9 by now.
Maybe even inline the usage of the macros altogether?

51

Slight preference to make this an enum class and drop the k prefix:

enum class RegionKind {
  None = 0,
....

scan_state.seen_regions |= RegionKind::AllocOnce;
lgrey updated this revision to Diff 459465.Sep 12 2022, 8:20 AM
lgrey marked an inline comment as done.

enum -> enum class, remove memory tag aliases, clang-format

compiler-rt/lib/lsan/lsan_common_mac.cpp
51

Done (but a little uglier now since it needs casts if that makes a difference).

Harbormaster completed remote builds in B186160: Diff 459465.Sep 12 2022, 9:22 AM
yln added inline comments.Sep 12 2022, 10:53 AM
compiler-rt/lib/lsan/lsan_common_mac.cpp
59

Would making this a SeenRegion field get rid of the casts?

yln accepted this revision.EditedSep 12 2022, 10:55 AM

LGTM, after my final nit. Let's give others a few days to chime in.

This revision is now accepted and ready to land.Sep 12 2022, 10:55 AM
lgrey added inline comments.Sep 12 2022, 11:27 AM
compiler-rt/lib/lsan/lsan_common_mac.cpp
59

Only if we implement operator| on it and do the casts in there. Given the number of uses it seems like a wash to me, happy to go with whichever you prefer.

yln added inline comments.Sep 12 2022, 11:49 AM
compiler-rt/lib/lsan/lsan_common_mac.cpp
59

Ahh, sorry I didn't realize this complication when suggesting using the enum class. TIL that enum classes and bitwise flags don't mesh well out of the box.

Since we are already halfway there, something like this should work, right?

inline AnimalFlags operator|(AnimalFlags a, AnimalFlags b)
{
    return static_cast<AnimalFlags>(static_cast<int>(a) | static_cast<int>(b));
}

Thank you and apologies for the detour.

lgrey updated this revision to Diff 459557.Sep 12 2022, 2:21 PM

Add operator| and operator|=, remove casting

Harbormaster completed remote builds in B186226: Diff 459557.Sep 12 2022, 2:57 PM
yln accepted this revision.Sep 12 2022, 3:53 PM
lgrey added a comment.Sep 14 2022, 9:11 AM

I'll merge this later today if nobody has objections.

lgrey updated this revision to Diff 460193.Sep 14 2022, 1:03 PM

Format

Harbormaster completed remote builds in B186699: Diff 460193.Sep 14 2022, 1:24 PM
Closed by commit rGed2c3f46f5a7: [lsan][Darwin] Scan libdispatch and Foundation memory regions (authored by lgrey). · Explain WhySep 14 2022, 1:47 PM
This revision was automatically updated to reflect the committed changes.
lgrey added a commit: rGed2c3f46f5a7: [lsan][Darwin] Scan libdispatch and Foundation memory regions.
hans mentioned this in D147984: ASan: move allocator base to avoid conflict with high-entropy ASLR for x86-64 Linux.Apr 13 2023, 12:54 AM

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
74 lines
test/
lsan/
TestCases/
Darwin/
24 lines
18 lines

Diff 460210

compiler-rt/lib/lsan/lsan_common_mac.cpp

Show All 11 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "sanitizer_common/sanitizer_platform.h" #include "sanitizer_common/sanitizer_platform.h"
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#include "lsan_common.h" #include "lsan_common.h"
#if CAN_SANITIZE_LEAKS && SANITIZER_APPLE #if CAN_SANITIZE_LEAKS && SANITIZER_APPLE
#include "sanitizer_common/sanitizer_allocator_internal.h"
#include "lsan_allocator.h"
#include <pthread.h>
#include <mach/mach.h> # include <mach/mach.h>
# include <mach/vm_statistics.h>
# include <pthread.h>
// Only introduced in Mac OS X 10.9. # include "lsan_allocator.h"
#ifdef VM_MEMORY_OS_ALLOC_ONCE # include "sanitizer_common/sanitizer_allocator_internal.h"
static const int kSanitizerVmMemoryOsAllocOnce = VM_MEMORY_OS_ALLOC_ONCE;
#else
static const int kSanitizerVmMemoryOsAllocOnce = 73;
#endif
namespace __lsan { namespace __lsan {
enum class SeenRegion {
None = 0,
AllocOnce = 1 << 0,
LibDispatch = 1 << 1,
Foundation = 1 << 2,
All = AllocOnce | LibDispatch | Foundation
};
inline SeenRegion operator|(SeenRegion left, SeenRegion right) {
return static_cast<SeenRegion>(static_cast<int>(left) |
static_cast<int>(right));
}
inline SeenRegion &operator|=(SeenRegion &left, const SeenRegion &right) {
ylnUnsubmitted
Done
ReplyInline Actions

Can we get rid of this #ifdef here? I think we can drop support for compiling with SDK versions <= macOS 10.9 by now.
Maybe even inline the usage of the macros altogether?

yln: Can we get rid of this #ifdef here? I think we can drop support for compiling with SDK…
left = left | right;
return left;
}
struct RegionScanState {
SeenRegion seen_regions = SeenRegion::None;
bool in_libdispatch = false;
};
typedef struct { typedef struct {
ylnUnsubmitted
Not Done
ReplyInline Actions

Slight preference to make this an enum class and drop the k prefix:

enum class RegionKind {
  None = 0,
....

scan_state.seen_regions |= RegionKind::AllocOnce;
yln: Slight preference to make this an enum class and drop the `k` prefix: ``` enum class…
lgreyAuthorUnsubmitted
Done
ReplyInline Actions

Done (but a little uglier now since it needs casts if that makes a difference).

lgrey: Done (but a little uglier now since it needs casts if that makes a difference).
int disable_counter; int disable_counter;
u32 current_thread_id; u32 current_thread_id;
AllocatorCache cache; AllocatorCache cache;
} thread_local_data_t; } thread_local_data_t;
static pthread_key_t key; static pthread_key_t key;
static pthread_once_t key_once = PTHREAD_ONCE_INIT; static pthread_once_t key_once = PTHREAD_ONCE_INIT;
ylnUnsubmitted
Not Done
ReplyInline Actions

Would making this a SeenRegion field get rid of the casts?

yln: Would making this a `SeenRegion` field get rid of the casts?
lgreyAuthorUnsubmitted
Done
ReplyInline Actions

Only if we implement operator| on it and do the casts in there. Given the number of uses it seems like a wash to me, happy to go with whichever you prefer.

lgrey: Only if we implement `operator|` on it and do the casts in there. Given the number of uses it…
ylnUnsubmitted
Not Done
ReplyInline Actions

Ahh, sorry I didn't realize this complication when suggesting using the enum class. TIL that enum classes and bitwise flags don't mesh well out of the box.

Since we are already halfway there, something like this should work, right?

inline AnimalFlags operator|(AnimalFlags a, AnimalFlags b)
{
    return static_cast<AnimalFlags>(static_cast<int>(a) | static_cast<int>(b));
}

Thank you and apologies for the detour.

yln: Ahh, sorry I didn't realize this complication when suggesting using the `enum class`. TIL that…
// The main thread destructor requires the current thread id, // The main thread destructor requires the current thread id,
// so we can't destroy it until it's been used and reset to invalid tid // so we can't destroy it until it's been used and reset to invalid tid
void restore_tid_data(void *ptr) { void restore_tid_data(void *ptr) {
thread_local_data_t *data = (thread_local_data_t *)ptr; thread_local_data_t *data = (thread_local_data_t *)ptr;
if (data->current_thread_id != kInvalidTid) if (data->current_thread_id != kInvalidTid)
pthread_setspecific(key, data); pthread_setspecific(key, data);
} }
▲ Show 20 LinesShow All 90 Lines▼ Show 20 Lines
} }
void ProcessPlatformSpecificAllocations(Frontier *frontier) { void ProcessPlatformSpecificAllocations(Frontier *frontier) {
vm_address_t address = 0; vm_address_t address = 0;
kern_return_t err = KERN_SUCCESS; kern_return_t err = KERN_SUCCESS;
InternalMmapVectorNoCtor<RootRegion> const *root_regions = GetRootRegions(); InternalMmapVectorNoCtor<RootRegion> const *root_regions = GetRootRegions();
RegionScanState scan_state;
while (err == KERN_SUCCESS) { while (err == KERN_SUCCESS) {
vm_size_t size = 0; vm_size_t size = 0;
unsigned depth = 1; unsigned depth = 1;
struct vm_region_submap_info_64 info; struct vm_region_submap_info_64 info;
mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64; mach_msg_type_number_t count = VM_REGION_SUBMAP_INFO_COUNT_64;
err = vm_region_recurse_64(mach_task_self(), &address, &size, &depth, err = vm_region_recurse_64(mach_task_self(), &address, &size, &depth,
(vm_region_info_t)&info, &count); (vm_region_info_t)&info, &count);
uptr end_address = address + size; uptr end_address = address + size;
if (info.user_tag == VM_MEMORY_OS_ALLOC_ONCE) {
// libxpc stashes some pointers in the Kernel Alloc Once page, // libxpc stashes some pointers in the Kernel Alloc Once page,
// make sure not to report those as leaks. // make sure not to report those as leaks.
if (info.user_tag == kSanitizerVmMemoryOsAllocOnce) { scan_state.seen_regions |= SeenRegion::AllocOnce;
ScanRangeForPointers(address, end_address, frontier, "GLOBAL",
kReachable);
} else if (info.user_tag == VM_MEMORY_FOUNDATION) {
// Objective-C block trampolines use the Foundation region.
scan_state.seen_regions |= SeenRegion::Foundation;
ScanRangeForPointers(address, end_address, frontier, "GLOBAL",
kReachable);
} else if (info.user_tag == VM_MEMORY_LIBDISPATCH) {
// Dispatch continuations use the libdispatch region. Empirically, there
// can be more than one region with this tag, so we'll optimistically
// assume that they're continguous. Otherwise, we would need to scan every
// region to ensure we find them all.
scan_state.in_libdispatch = true;
ScanRangeForPointers(address, end_address, frontier, "GLOBAL", ScanRangeForPointers(address, end_address, frontier, "GLOBAL",
kReachable); kReachable);
} else if (scan_state.in_libdispatch) {
scan_state.seen_regions |= SeenRegion::LibDispatch;
scan_state.in_libdispatch = false;
}
// Recursing over the full memory map is very slow, break out // Recursing over the full memory map is very slow, break out
// early if we don't need the full iteration. // early if we don't need the full iteration.
if (!flags()->use_root_regions || !root_regions->size()) if (scan_state.seen_regions == SeenRegion::All &&
!(flags()->use_root_regions && root_regions->size() > 0)) {
break; break;
} }
// This additional root region scan is required on Darwin in order to // This additional root region scan is required on Darwin in order to
// detect root regions contained within mmap'd memory regions, because // detect root regions contained within mmap'd memory regions, because
// the Darwin implementation of sanitizer_procmaps traverses images // the Darwin implementation of sanitizer_procmaps traverses images
// as loaded by dyld, and not the complete set of all memory regions. // as loaded by dyld, and not the complete set of all memory regions.
// //
// TODO(fjricci) - remove this once sanitizer_procmaps_mac has the same // TODO(fjricci) - remove this once sanitizer_procmaps_mac has the same
Show All 15 Lines
void HandleLeaks() {} void HandleLeaks() {}
void LockStuffAndStopTheWorld(StopTheWorldCallback callback, void LockStuffAndStopTheWorld(StopTheWorldCallback callback,
CheckForLeaksParam *argument) { CheckForLeaksParam *argument) {
ScopedStopTheWorldLock lock; ScopedStopTheWorldLock lock;
StopTheWorld(callback, argument); StopTheWorld(callback, argument);
} }
} // namespace __lsan } // namespace __lsan
#endif // CAN_SANITIZE_LEAKS && SANITIZER_APPLE #endif // CAN_SANITIZE_LEAKS && SANITIZER_APPLE

compiler-rt/test/lsan/TestCases/Darwin/dispatch_continuations.mm

  • This file was added.
// Test that dispatch continuation memory region is scanned.
// RUN: %clangxx_lsan %s -o %t -framework Foundation
// RUN: %env_lsan_opts="report_objects=1" %run %t 2>&1 && echo "" | FileCheck %s
#include <dispatch/dispatch.h>
#include <sanitizer/lsan_interface.h>
int main() {
// Reduced from `CFRunLoopCreate`
dispatch_queue_t fake_rl_queue = dispatch_get_global_queue(2, 0);
dispatch_source_t timer =
dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, fake_rl_queue);
dispatch_source_set_event_handler(timer, ^{
});
dispatch_source_set_timer(timer, DISPATCH_TIME_FOREVER, DISPATCH_TIME_FOREVER,
321);
dispatch_resume(timer);
__lsan_do_leak_check();
dispatch_source_cancel(timer);
dispatch_release(timer);
return 0;
}
// CHECK-NOT: LeakSanitizer: detected memory leaks

compiler-rt/test/lsan/TestCases/Darwin/trampoline.mm

  • This file was added.
// Test that the memory region that contains Objective-C block trampolines
// is scanned.
// FIXME: Find a way to reduce this without AppKit to remove Mac requirement.
// UNSUPPORTED: ios
// RUN: %clangxx_lsan %s -o %t -framework Cocoa -fno-objc-arc
// RUN: %env_lsan_opts="report_objects=1" %run %t 2>&1 && echo "" | FileCheck %s
#import <Cocoa/Cocoa.h>
#include <sanitizer/lsan_interface.h>
int main() {
NSView *view =
[[[NSView alloc] initWithFrame:CGRectMake(0, 0, 20, 20)] autorelease];
__lsan_do_leak_check();
return 0;
}
// CHECK-NOT: LeakSanitizer: detected memory leaks