This is an archive of the discontinued LLVM Phabricator instance.

Differential D133790

Fix heap-use-after-free when clearing DIEs in fission compile units.
ClosedPublic

Authored by rupprecht on Sep 13 2022, 10:53 AM.

Details

Reviewers
labath
clayborg
Commits
rG1f3def30ca86: Fix heap-use-after-free when clearing DIEs in fission compile units.
Summary

D131437 caused heap-use-after-free failures when testing TestCreateAfterAttach.py in asan mode, and "regular" crashes outside of asan.

This appears to be due to a mismatch in a couple places where we choose to clear the DIEs. When we clear the DIE of a skeleton unit, we unconditionally clear the DIE of the DWO unit if it exists. However, ~ScopedExtractDIEs() only looks at the skeleton unit when deciding to clear. If we decide to clear the skeleton unit because it is now unused, we end up clearing the DWO unit that _is_ used. This change adds a guard by checking m_cancel_scopes to prevent clearing the DWO unit.

This is 100% reproducible by running TestCreateAfterAttach.py in asan mode, although it only seems to reproduce in our internal build, so no test case is added here. If someone has suggestions on how to write one, I can add it.

Diff Detail

Event Timeline

rupprecht created this revision.Sep 13 2022, 10:53 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 13 2022, 10:53 AM
rupprecht requested review of this revision.Sep 13 2022, 10:53 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 13 2022, 10:53 AM
Herald added a subscriber: lldb-commits. · View Herald Transcript
rupprecht added a subscriber: jgorbe.Sep 13 2022, 10:53 AM
Herald added a subscriber: JDevlieghere. · View Herald TranscriptSep 13 2022, 10:53 AM
rupprecht mentioned this in D131437: Don't index the skeleton CU when we have a fission compile unit..Sep 13 2022, 10:54 AM
Harbormaster completed remote builds in B186410: Diff 459805.Sep 13 2022, 11:08 AM
clayborg added a comment.Sep 13 2022, 11:10 AM

LGTM, but I will let Pavel comment since he did the fission support.

labath accepted this revision.Sep 14 2022, 2:25 AM
This revision is now accepted and ready to land.Sep 14 2022, 2:25 AM
Closed by commit rG1f3def30ca86: Fix heap-use-after-free when clearing DIEs in fission compile units. (authored by rupprecht). · Explain WhySep 14 2022, 6:52 AM
This revision was automatically updated to reflect the committed changes.
rupprecht added a commit: rG1f3def30ca86: Fix heap-use-after-free when clearing DIEs in fission compile units..
clayborg added a comment.Sep 15 2022, 3:54 PM

Thanks for following up on this and fixing the issue!

Revision Contents

PathSize
lldb/
source/
Plugins/
SymbolFile/
DWARF/
2 lines

Diff 460069

lldb/source/Plugins/SymbolFile/DWARF/DWARFUnit.cpp

Show First 20 LinesShow All 592 Lines▼ Show 20 Linesdw_addr_t DWARFUnit::ReadAddressFromDebugAddrSection(uint32_t index) const {
return LLDB_INVALID_ADDRESS; return LLDB_INVALID_ADDRESS;
} }
// It may be called only with m_die_array_mutex held R/W. // It may be called only with m_die_array_mutex held R/W.
void DWARFUnit::ClearDIEsRWLocked() { void DWARFUnit::ClearDIEsRWLocked() {
m_die_array.clear(); m_die_array.clear();
m_die_array.shrink_to_fit(); m_die_array.shrink_to_fit();
if (m_dwo) if (m_dwo && !m_dwo->m_cancel_scopes)
m_dwo->ClearDIEsRWLocked(); m_dwo->ClearDIEsRWLocked();
} }
lldb::ByteOrder DWARFUnit::GetByteOrder() const { lldb::ByteOrder DWARFUnit::GetByteOrder() const {
return m_dwarf.GetObjectFile()->GetByteOrder(); return m_dwarf.GetObjectFile()->GetByteOrder();
} }
void DWARFUnit::SetBaseAddress(dw_addr_t base_addr) { m_base_addr = base_addr; } void DWARFUnit::SetBaseAddress(dw_addr_t base_addr) { m_base_addr = base_addr; }
▲ Show 20 LinesShow All 468 LinesShow Last 20 Lines