This is an archive of the discontinued LLVM Phabricator instance.

Differential D133126

[lsan][darwin] Unmask camouflaged class_rw_t pointers
ClosedPublic

Authored by lgrey on Sep 1 2022, 10:21 AM.

Details

Reviewers
vitalybuka
yln
Commits
rGf458d9f6f892: [lsan][darwin] Unmask camouflaged class_rw_t pointers
Summary

Detailed motivation here: https://docs.google.com/document/d/1xUNo5ovPKJMYxitiHUQVRxGI3iUmspI51Jm4w8puMwo

check-asan (with LSAN enabled) and check-lsan are currently broken on recent macOS versions, due to pervasive false positives. Whenever the Objective-C runtime realizes a class, it allocates data for it, then stores that data with flags in the low bits. This means LSAN can not recognize it as a pointer while scanning.

This change checks every potential pointer on Apple platforms, and if the high bit is set, attempts to extract a pointer by masking out the high bit and flags. This is ugly, but it's also the best approach I could think of (see doc above); very open to other suggestions.

Diff Detail

Event Timeline

lgrey created this revision.Sep 1 2022, 10:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 1 2022, 10:21 AM
Herald added a subscriber: Enna1. · View Herald Transcript
lgrey requested review of this revision.Sep 1 2022, 10:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 1 2022, 10:21 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B184615: Diff 457312.Sep 1 2022, 10:41 AM
yln accepted this revision.Sep 1 2022, 12:25 PM

Thanks!

I've applied the patch and can confirm that this fixes the LSan-related test failures for check-asan on a recent version of macOS.

This revision is now accepted and ready to land.Sep 1 2022, 12:25 PM
Closed by commit rGf458d9f6f892: [lsan][darwin] Unmask camouflaged class_rw_t pointers (authored by lgrey). · Explain WhySep 2 2022, 8:26 AM
This revision was automatically updated to reflect the committed changes.
lgrey added a commit: rGf458d9f6f892: [lsan][darwin] Unmask camouflaged class_rw_t pointers.
lgrey mentioned this in D129385: [lsan][Darwin] Scan libdispatch and Foundation memory regions.Sep 8 2022, 2:28 PM

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
26 lines

Diff 457312

compiler-rt/lib/lsan/lsan_common.cpp

Show All 20 Lines
#include "sanitizer_common/sanitizer_report_decorator.h" #include "sanitizer_common/sanitizer_report_decorator.h"
#include "sanitizer_common/sanitizer_stackdepot.h" #include "sanitizer_common/sanitizer_stackdepot.h"
#include "sanitizer_common/sanitizer_stacktrace.h" #include "sanitizer_common/sanitizer_stacktrace.h"
#include "sanitizer_common/sanitizer_suppressions.h" #include "sanitizer_common/sanitizer_suppressions.h"
#include "sanitizer_common/sanitizer_thread_registry.h" #include "sanitizer_common/sanitizer_thread_registry.h"
#include "sanitizer_common/sanitizer_tls_get_addr.h" #include "sanitizer_common/sanitizer_tls_get_addr.h"
#if CAN_SANITIZE_LEAKS #if CAN_SANITIZE_LEAKS
# if SANITIZER_APPLE
// https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-runtime-new.h#L127
# if SANITIZER_IOS && !SANITIZER_IOSSIM
# define OBJC_DATA_MASK 0x0000007ffffffff8UL
# else
# define OBJC_DATA_MASK 0x00007ffffffffff8UL
# endif
// https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-runtime-new.h#L139
# define OBJC_FAST_IS_RW 0x8000000000000000UL
# endif
namespace __lsan { namespace __lsan {
// This mutex is used to prevent races between DoLeakCheck and IgnoreObject, and // This mutex is used to prevent races between DoLeakCheck and IgnoreObject, and
// also to protect the global list of root regions. // also to protect the global list of root regions.
Mutex global_mutex; Mutex global_mutex;
Flags lsan_flags; Flags lsan_flags;
▲ Show 20 LinesShow All 118 Lines▼ Show 20 Lines
static uptr GetCallerPC(const StackTrace &stack) { static uptr GetCallerPC(const StackTrace &stack) {
// The top frame is our malloc/calloc/etc. The next frame is the caller. // The top frame is our malloc/calloc/etc. The next frame is the caller.
if (stack.size >= 2) if (stack.size >= 2)
return stack.trace[1]; return stack.trace[1];
return 0; return 0;
} }
# if SANITIZER_APPLE
// Objective-C class data pointers are stored with flags in the low bits, so
// they need to be transformed back into something that looks like a pointer.
static inline void *MaybeTransformPointer(void *p) {
uptr ptr = reinterpret_cast<uptr>(p);
if ((ptr & OBJC_FAST_IS_RW) == OBJC_FAST_IS_RW)
ptr &= OBJC_DATA_MASK;
return reinterpret_cast<void *>(ptr);
}
# endif
// On Linux, treats all chunks allocated from ld-linux.so as reachable, which // On Linux, treats all chunks allocated from ld-linux.so as reachable, which
// covers dynamically allocated TLS blocks, internal dynamic loader's loaded // covers dynamically allocated TLS blocks, internal dynamic loader's loaded
// modules accounting etc. // modules accounting etc.
// Dynamic TLS blocks contain the TLS variables of dynamically loaded modules. // Dynamic TLS blocks contain the TLS variables of dynamically loaded modules.
// They are allocated with a __libc_memalign() call in allocate_and_init() // They are allocated with a __libc_memalign() call in allocate_and_init()
// (elf/dl-tls.c). Glibc won't tell us the address ranges occupied by those // (elf/dl-tls.c). Glibc won't tell us the address ranges occupied by those
// blocks, but we can make sure they come from our own allocator by intercepting // blocks, but we can make sure they come from our own allocator by intercepting
// __libc_memalign(). On top of that, there is no easy way to reach them. Their // __libc_memalign(). On top of that, there is no easy way to reach them. Their
▲ Show 20 LinesShow All 100 Lines▼ Show 20 Linesvoid ScanRangeForPointers(uptr begin, uptr end, Frontier *frontier,
const uptr alignment = flags()->pointer_alignment(); const uptr alignment = flags()->pointer_alignment();
LOG_POINTERS("Scanning %s range %p-%p.\n", region_type, (void *)begin, LOG_POINTERS("Scanning %s range %p-%p.\n", region_type, (void *)begin,
(void *)end); (void *)end);
uptr pp = begin; uptr pp = begin;
if (pp % alignment) if (pp % alignment)
pp = pp + alignment - pp % alignment; pp = pp + alignment - pp % alignment;
for (; pp + sizeof(void *) <= end; pp += alignment) { for (; pp + sizeof(void *) <= end; pp += alignment) {
void *p = *reinterpret_cast<void **>(pp); void *p = *reinterpret_cast<void **>(pp);
# if SANITIZER_APPLE
p = MaybeTransformPointer(p);
# endif
if (!MaybeUserPointer(reinterpret_cast<uptr>(p))) if (!MaybeUserPointer(reinterpret_cast<uptr>(p)))
continue; continue;
uptr chunk = PointsIntoChunk(p); uptr chunk = PointsIntoChunk(p);
if (!chunk) if (!chunk)
continue; continue;
// Pointers to self don't count. This matters when tag == kIndirectlyLeaked. // Pointers to self don't count. This matters when tag == kIndirectlyLeaked.
if (chunk == begin) if (chunk == begin)
continue; continue;
▲ Show 20 LinesShow All 757 LinesShow Last 20 Lines