This is an archive of the discontinued LLVM Phabricator instance.

Differential D141407

[scudo] Call __scudo_deallocate_hook on reallocations.
ClosedPublic

Authored by chelfi on Jan 10 2023, 9:36 AM.

Details

Reviewers
Chia-hungDuan
cryptoad
bsdaemon
Commits
rG4e3dac6f0a4c: [scudo] Call __scudo_deallocate_hook on reallocations.
Summary

Scudo is expected to call scudo_allocate_hook on allocations, and
scudo_deallocate_hook on deallocations, but it's behavior is not
clear on reallocations. Currently, non-trivial reallocations call
scudo_allocate_hook but never scudo_deallocate_hook. We should
prefer either calling both, none, or a dedicated
hook (__scudo_reallocate_hook, for instance).

This patch implements the former, and adds a unit test to enforce
those expectations.

Diff Detail

Event Timeline

chelfi created this revision.Jan 10 2023, 9:36 AM
Herald added a project: Restricted Project. · View Herald TranscriptJan 10 2023, 9:36 AM
Herald added subscribers: Chia-hungDuan, Enna1, cryptoad. · View Herald Transcript
chelfi requested review of this revision.Jan 10 2023, 9:36 AM
Herald added a project: Restricted Project. · View Herald TranscriptJan 10 2023, 9:36 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B206827: Diff 487847.Jan 10 2023, 10:44 AM
cryptoad added inline comments.Jan 10 2023, 11:15 AM
compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
780 ↗(On Diff #487847)

Can this test be put in a separate unit so that the hooks don't impact the rest of combined_test?

786 ↗(On Diff #487847)

Maybe __attribute__((visibility("default")))?

813 ↗(On Diff #487847)

This likely will depend on the chosen SizeClass for the platform this is running on.
Ideally you could check that the returned pointer is indeed different, and then verified the callbacks were called.
Same for next test case, check that they are the same.

Chia-hungDuan added inline comments.Jan 10 2023, 11:39 AM
compiler-rt/lib/scudo/standalone/combined.h
691

I'm thinking that we can move this to quarantineOrDeallocateChunk() then we have single location for both allocation and deallocation. Then for the tests, we only need to ensure that calling allocate/deallocate have the callback invoked, i.e., we don't need to depend on the implementation (like the size-class in the test case)

The only case we may miss is when nullptr deallocation but I think that may be fine.

@cryptoad, what do you think?

cryptoad added inline comments.Jan 10 2023, 11:53 AM
compiler-rt/lib/scudo/standalone/combined.h
691

I think we would miss more than the nullptr.
Any report... in deallocate as well a the GWP-ASan path wouldn't have the hook called, and those cases are arguably valuable.
So I think it makes sense to have the hook in a "top" functions.

Chia-hungDuan added inline comments.Jan 10 2023, 12:08 PM
compiler-rt/lib/scudo/standalone/tests/combined_test.cpp
813 ↗(On Diff #487847)

You can also try to do realloc according to the sizes in SizeClassMap so that you can expect its returning different pointer, then you can always check thing like,

ptr = malloc(...);
for (size : size_in_size_class_map) {
  new_ptr = realloc(ptr, size);
  if (same_pointer) 
    // expect no allocate
  else
    // expect deallocation and allocation
}
Chia-hungDuan added inline comments.Jan 10 2023, 12:25 PM
compiler-rt/lib/scudo/standalone/combined.h
691

I see. I thought this is only used to report the valid pointers. May I know what's the goal of using these hooks?

cryptoad added inline comments.Jan 10 2023, 12:35 PM
compiler-rt/lib/scudo/standalone/combined.h
691

Generally, yes, as it is mostly used for memory tracing (like https://cs.github.com/vsrinivas/fuchsia/blob/30435a9d0f0b67c94e3c70760b522c9f7fbbd6be/src/performance/memory/profile/memory_trace.cc#L120).
But ideally, it should report *all* allocations and deallocations, including the "bogus" ones (eg: allocation of 0-sized chunks, free of null pointers, non-fatal inconsistencies, etc), mostly because we initially did not want to make a choice for the user as to what is reported and what isn't.

chelfi added reviewers: Chia-hungDuan, cryptoad, bsdaemon.Jan 12 2023, 5:53 AM
chelfi added inline comments.
compiler-rt/lib/scudo/standalone/combined.h
691

What would you prefer we do, in the context of this patch? I see two obvious options:

  1. Keep it here, with maybe a comment to revisit exposing more info in a future patch.
  2. Call the hook everywhere relevant. We can maybe move those calls to the top of the allocate/deallocate/reallocate, so that everything is reported regardless of what is actually happening in the allocator. We might even introduce a __scudo_reallocate_hook so that we don't have to translate reallocate calls to non-obvious combinations of allocate/deallocate calls (though this might just push the complexity downwards to profiler implementations.)

Any preference?

chelfi marked an inline comment as not done.Jan 12 2023, 5:54 AM
chelfi updated this revision to Diff 488678.Jan 12 2023, 8:57 AM

Apply reviewer comments.

  • Move tests to a separate compile unit.
  • Programmatically iterate through the size class map to ensure meaningful reallocations.

This update copies a non-trivial amount of helper macros from combined_test.cpp, in order to reuse the nice support for iterating tests on allocator configs.

Herald added subscribers: abrachet, phosek. · View Herald TranscriptJan 12 2023, 8:57 AM
chelfi marked 4 inline comments as done.Jan 12 2023, 8:59 AM
cryptoad added inline comments.Jan 12 2023, 9:33 AM
compiler-rt/lib/scudo/standalone/combined.h
691

I personally prefer it this way in reallocate

Harbormaster completed remote builds in B207422: Diff 488678.Jan 12 2023, 10:03 AM
Chia-hungDuan added inline comments.Jan 12 2023, 11:18 AM
compiler-rt/lib/scudo/standalone/combined.h
691

@cryptoad , thanks for the background and Yes, I agree with you. Let's stick on the way here

compiler-rt/lib/scudo/standalone/tests/scudo_hooks_test.cpp
47–56

I think we don't need to distinguish the platform and a DefaultConfig may be enough. The goal is to ensure the hooks are invoked properly and iterate the size-class-map is to ensure the hooks will be called.

In addition, we may not need the SCUDO_TYPED_TEST, a simple TEST with the use of DefaultConfig should be enough

133–134

I may suggest just to add something more concrete rather than just a counter. For example,

if (NewPtr != Ptr) {
  // We expect Ptr to be reported to deallocate-hook and NewPtr to be reported allocate-hook
}

So that we won't report wrong information (e.g., report the block address rather than the aligned address)

1c3t3a added a subscriber: 1c3t3a.Jan 13 2023, 1:57 AM
chelfi updated this revision to Diff 488991.Jan 13 2023, 7:00 AM
chelfi marked an inline comment as done.

Improve unit tests.

  • Remove the SCUDO_TYPED_TEST machinery.
  • Further verify the data reported by the hooks (i.e. check content rather than just calls).
chelfi updated this revision to Diff 488993.Jan 13 2023, 7:05 AM

Fix whitespace issues.

chelfi marked 2 inline comments as done.Jan 13 2023, 7:06 AM
Harbormaster completed remote builds in B207636: Diff 488993.Jan 13 2023, 8:04 AM
chelfi updated this revision to Diff 489032.Jan 13 2023, 9:06 AM

Fix type issue.

I've manually tested the change in a Fuchsia checkout, because I was worried about the binary stripping policy in that toolchain.
My worries were unwarranted, so I removed part of the warnings in the test comments.

Harbormaster completed remote builds in B207659: Diff 489032.Jan 13 2023, 10:14 AM
Chia-hungDuan accepted this revision.Jan 18 2023, 12:04 PM
Chia-hungDuan added inline comments.
compiler-rt/lib/scudo/standalone/tests/scudo_hooks_test.cpp
23

compilation

26–28

Do we need them to be in the scope of extern "C"? I may suggest moving them out and mark as static

55

lint: I suggest spelling it out, void

75

Let's still catch the return value and you may want to expect the same pointer.

98

Same as above

102

I may suggest LastRequestSize

This revision is now accepted and ready to land.Jan 18 2023, 12:04 PM
Herald added subscribers: yaneury, supersymetrie. · View Herald TranscriptJan 18 2023, 12:04 PM
chelfi updated this revision to Diff 490543.Jan 19 2023, 8:59 AM

Applying reviewer comments:

  • Use explicit type names instead of auto.
  • Make unnecessarily exposed symbols static.
  • Ensure no-op reallocations return the same pointer.
chelfi marked 6 inline comments as done.Jan 19 2023, 9:00 AM
Harbormaster completed remote builds in B208776: Diff 490543.Jan 19 2023, 9:47 AM
Chia-hungDuan added inline comments.Feb 13 2023, 11:12 PM
compiler-rt/lib/scudo/standalone/tests/CMakeLists.txt
134

lit: align with s like others

compiler-rt/lib/scudo/standalone/tests/scudo_hooks_test.cpp
47

scudo::Allocator has larger alignment requirement so that we can't use make_unique here. Can you change this to local variable instead? Like

scudo::Allocator<scudo::DefaultConfig> Allocator;
...

I'll fix the other tests which are luckily got aligned.

chelfi updated this revision to Diff 497272.Feb 14 2023, 4:32 AM
  • Fix alignment issues.
  • Rebase.
chelfi marked 2 inline comments as done.Feb 14 2023, 4:34 AM
Harbormaster completed remote builds in B213625: Diff 497272.Feb 14 2023, 4:56 AM
Closed by commit rG4e3dac6f0a4c: [scudo] Call __scudo_deallocate_hook on reallocations. (authored by chelfi, committed by Chia-hungDuan). · Explain WhyFeb 14 2023, 11:04 AM
This revision was automatically updated to reflect the committed changes.
Chia-hungDuan added a commit: rG4e3dac6f0a4c: [scudo] Call __scudo_deallocate_hook on reallocations..
stefanp added a subscriber: stefanp.Feb 15 2023, 9:22 AM

@chelfi
It looks like this changeset has broken one of the bots on PowerPC.
https://lab.llvm.org/buildbot/#/builders/57

Could you please take a look at this?
If you have any questions or would like help reproducing the issue please let me know.

cryptoad added a comment.Feb 15 2023, 10:23 AM

Seems to be EXPECT_EQ(0, LastRequestSize); related. Potential fix would be 0U for both instances.

Chia-hungDuan added a comment.Feb 15 2023, 10:28 AM
In D141407#4129696, @cryptoad wrote:

Seems to be EXPECT_EQ(0, LastRequestSize); related. Potential fix would be 0U for both instances.

Yep, I'm on it. D144121

chelfi added a comment.Feb 16 2023, 1:44 AM

Sorry for the breakage; thanks for the fix!

Revision Contents

PathSize
compiler-rt/
lib/
scudo/
standalone/
2 lines
2 lines
tests/
8 lines
114 lines

Diff 497393

compiler-rt/lib/scudo/standalone/allocator_config.h

Show All 20 Lines
namespace scudo { namespace scudo {
// The combined allocator uses a structure as a template argument that // The combined allocator uses a structure as a template argument that
// specifies the configuration options for the various subcomponents of the // specifies the configuration options for the various subcomponents of the
// allocator. // allocator.
// //
// struct ExampleConfig { // struct ExampleConfig {
// // SizeClasMmap to use with the Primary. // // SizeClassMap to use with the Primary.
// using SizeClassMap = DefaultSizeClassMap; // using SizeClassMap = DefaultSizeClassMap;
// // Indicates possible support for Memory Tagging. // // Indicates possible support for Memory Tagging.
// static const bool MaySupportMemoryTagging = false; // static const bool MaySupportMemoryTagging = false;
// // Defines the Primary allocator to use. // // Defines the Primary allocator to use.
// typedef SizeClassAllocator64<ExampleConfig> Primary; // typedef SizeClassAllocator64<ExampleConfig> Primary;
// // Log2 of the size of a size class region, as used by the Primary. // // Log2 of the size of a size class region, as used by the Primary.
// static const uptr PrimaryRegionSizeLog = 30U; // static const uptr PrimaryRegionSizeLog = 30U;
// // Log2 of the size of block group, as used by the Primary. Each group // // Log2 of the size of block group, as used by the Primary. Each group
▲ Show 20 LinesShow All 183 LinesShow Last 20 Lines

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 LinesShow All 681 Lines▼ Show 20 Lines#endif // GWP_ASAN_HOOKS
// Otherwise we allocate a new one, and deallocate the old one. Some // Otherwise we allocate a new one, and deallocate the old one. Some
// allocators will allocate an even larger chunk (by a fixed factor) to // allocators will allocate an even larger chunk (by a fixed factor) to
// allow for potential further in-place realloc. The gains of such a trick // allow for potential further in-place realloc. The gains of such a trick
// are currently unclear. // are currently unclear.
void *NewPtr = allocate(NewSize, Chunk::Origin::Malloc, Alignment); void *NewPtr = allocate(NewSize, Chunk::Origin::Malloc, Alignment);
if (LIKELY(NewPtr)) { if (LIKELY(NewPtr)) {
memcpy(NewPtr, OldTaggedPtr, Min(NewSize, OldSize)); memcpy(NewPtr, OldTaggedPtr, Min(NewSize, OldSize));
if (UNLIKELY(&__scudo_deallocate_hook))
__scudo_deallocate_hook(OldTaggedPtr);
Chia-hungDuanUnsubmitted
Not Done
ReplyInline Actions

I'm thinking that we can move this to quarantineOrDeallocateChunk() then we have single location for both allocation and deallocation. Then for the tests, we only need to ensure that calling allocate/deallocate have the callback invoked, i.e., we don't need to depend on the implementation (like the size-class in the test case)

The only case we may miss is when nullptr deallocation but I think that may be fine.

@cryptoad, what do you think?

Chia-hungDuan: I'm thinking that we can move this to `quarantineOrDeallocateChunk()` then we have single…
cryptoadUnsubmitted
Not Done
ReplyInline Actions

I think we would miss more than the nullptr.
Any report... in deallocate as well a the GWP-ASan path wouldn't have the hook called, and those cases are arguably valuable.
So I think it makes sense to have the hook in a "top" functions.

cryptoad: I think we would miss more than the nullptr. Any `report...` in `deallocate` as well a the GWP…
Chia-hungDuanUnsubmitted
Not Done
ReplyInline Actions

I see. I thought this is only used to report the valid pointers. May I know what's the goal of using these hooks?

Chia-hungDuan: I see. I thought this is only used to report the valid pointers. May I know what's the goal of…
cryptoadUnsubmitted
Not Done
ReplyInline Actions

Generally, yes, as it is mostly used for memory tracing (like https://cs.github.com/vsrinivas/fuchsia/blob/30435a9d0f0b67c94e3c70760b522c9f7fbbd6be/src/performance/memory/profile/memory_trace.cc#L120).
But ideally, it should report *all* allocations and deallocations, including the "bogus" ones (eg: allocation of 0-sized chunks, free of null pointers, non-fatal inconsistencies, etc), mostly because we initially did not want to make a choice for the user as to what is reported and what isn't.

cryptoad: Generally, yes, as it is mostly used for memory tracing (like https://cs.github.
chelfiAuthorUnsubmitted
Not Done
ReplyInline Actions

What would you prefer we do, in the context of this patch? I see two obvious options:

  1. Keep it here, with maybe a comment to revisit exposing more info in a future patch.
  2. Call the hook everywhere relevant. We can maybe move those calls to the top of the allocate/deallocate/reallocate, so that everything is reported regardless of what is actually happening in the allocator. We might even introduce a __scudo_reallocate_hook so that we don't have to translate reallocate calls to non-obvious combinations of allocate/deallocate calls (though this might just push the complexity downwards to profiler implementations.)

Any preference?

chelfi: What would you prefer we do, in the context of this patch? I see two obvious options: # Keep…
cryptoadUnsubmitted
Not Done
ReplyInline Actions

I personally prefer it this way in reallocate

cryptoad: I personally prefer it this way in `reallocate`
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

@cryptoad , thanks for the background and Yes, I agree with you. Let's stick on the way here

Chia-hungDuan: @cryptoad , thanks for the background and Yes, I agree with you. Let's stick on the way here
quarantineOrDeallocateChunk(Options, OldTaggedPtr, &OldHeader, OldSize); quarantineOrDeallocateChunk(Options, OldTaggedPtr, &OldHeader, OldSize);
} }
return NewPtr; return NewPtr;
} }
// TODO(kostyak): disable() is currently best-effort. There are some small // TODO(kostyak): disable() is currently best-effort. There are some small
// windows of time when an allocation could still succeed after // windows of time when an allocation could still succeed after
// this function finishes. We will revisit that later. // this function finishes. We will revisit that later.
▲ Show 20 LinesShow All 830 LinesShow Last 20 Lines

compiler-rt/lib/scudo/standalone/tests/CMakeLists.txt

Show First 20 LinesShow All 121 Lines▼ Show 20 Lines
set(SCUDO_CXX_UNIT_TEST_SOURCES set(SCUDO_CXX_UNIT_TEST_SOURCES
wrappers_cpp_test.cpp wrappers_cpp_test.cpp
scudo_unit_test_main.cpp scudo_unit_test_main.cpp
) )
add_scudo_unittest(ScudoCxxUnitTest add_scudo_unittest(ScudoCxxUnitTest
SOURCES ${SCUDO_CXX_UNIT_TEST_SOURCES} SOURCES ${SCUDO_CXX_UNIT_TEST_SOURCES}
ADDITIONAL_RTOBJECTS RTScudoStandaloneCWrappers RTScudoStandaloneCxxWrappers) ADDITIONAL_RTOBJECTS RTScudoStandaloneCWrappers RTScudoStandaloneCxxWrappers)
set(SCUDO_HOOKS_UNIT_TEST_SOURCES
scudo_hooks_test.cpp
scudo_unit_test_main.cpp
)
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

lit: align with s like others

Chia-hungDuan: lit: align with `s` like others
add_scudo_unittest(ScudoHooksUnitTest
SOURCES ${SCUDO_HOOKS_UNIT_TEST_SOURCES})

compiler-rt/lib/scudo/standalone/tests/scudo_hooks_test.cpp

  • This file was added.
//===-- scudo_hooks_test.cpp ------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "tests/scudo_unit_test.h"
#include "allocator_config.h"
#include "combined.h"
namespace {
void *LastAllocatedPtr = nullptr;
size_t LastRequestSize = 0;
void *LastDeallocatedPtr = nullptr;
} // namespace
// Scudo defines weak symbols that can be defined by a client binary
// to register callbacks at key points in the allocation timeline. In
// order to enforce those invariants, we provide definitions that
// update some global state every time they are called, so that tests
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

compilation

Chia-hungDuan: compilation
// can inspect their effects. An unfortunate side effect of this
// setup is that because those symbols are part of the binary, they
// can't be selectively enabled; that means that they will get called
// on unrelated tests in the same compilation unit. To mitigate this
// issue, we insulate those tests in a separate compilation unit.
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

Do we need them to be in the scope of extern "C"? I may suggest moving them out and mark as static

Chia-hungDuan: Do we need them to be in the scope of `extern "C"`? I may suggest moving them out and mark as…
extern "C" {
__attribute__((visibility("default"))) void __scudo_allocate_hook(void *Ptr,
size_t Size) {
LastAllocatedPtr = Ptr;
LastRequestSize = Size;
}
__attribute__((visibility("default"))) void __scudo_deallocate_hook(void *Ptr) {
LastDeallocatedPtr = Ptr;
}
}
// Simple check that allocation callbacks, when registered, are called:
// 1) __scudo_allocate_hook is called when allocating.
// 2) __scudo_deallocate_hook is called when deallocating.
// 3) Both hooks are called when reallocating.
// 4) Neither are called for a no-op reallocation.
TEST(ScudoHooksTest, AllocateHooks) {
scudo::Allocator<scudo::DefaultConfig> Allocator;
constexpr scudo::uptr DefaultSize = 16U;
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

scudo::Allocator has larger alignment requirement so that we can't use make_unique here. Can you change this to local variable instead? Like

scudo::Allocator<scudo::DefaultConfig> Allocator;
...

I'll fix the other tests which are luckily got aligned.

Chia-hungDuan: `scudo::Allocator` has larger alignment requirement so that we can't use make_unique here. Can…
constexpr scudo::Chunk::Origin Origin = scudo::Chunk::Origin::Malloc;
// Simple allocation and deallocation.
{
LastAllocatedPtr = nullptr;
LastRequestSize = 0;
void *Ptr = Allocator.allocate(DefaultSize, Origin);
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

lint: I suggest spelling it out, void

Chia-hungDuan: lint: I suggest spelling it out, `void`
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

I think we don't need to distinguish the platform and a DefaultConfig may be enough. The goal is to ensure the hooks are invoked properly and iterate the size-class-map is to ensure the hooks will be called.

In addition, we may not need the SCUDO_TYPED_TEST, a simple TEST with the use of DefaultConfig should be enough

Chia-hungDuan: I think we don't need to distinguish the platform and a DefaultConfig may be enough. The goal…
EXPECT_EQ(Ptr, LastAllocatedPtr);
EXPECT_EQ(DefaultSize, LastRequestSize);
LastDeallocatedPtr = nullptr;
Allocator.deallocate(Ptr, Origin);
EXPECT_EQ(Ptr, LastDeallocatedPtr);
}
// Simple no-op, same size reallocation.
{
void *Ptr = Allocator.allocate(DefaultSize, Origin);
LastAllocatedPtr = nullptr;
LastRequestSize = 0;
LastDeallocatedPtr = nullptr;
void *NewPtr = Allocator.reallocate(Ptr, DefaultSize);
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

Let's still catch the return value and you may want to expect the same pointer.

Chia-hungDuan: Let's still catch the return value and you may want to expect the same pointer.
EXPECT_EQ(Ptr, NewPtr);
EXPECT_EQ(nullptr, LastAllocatedPtr);
EXPECT_EQ(0, LastRequestSize);
EXPECT_EQ(nullptr, LastDeallocatedPtr);
}
// Reallocation in increasing size classes. This ensures that at
// least one of the reallocations will be meaningful.
{
void *Ptr = Allocator.allocate(0, Origin);
for (scudo::uptr ClassId = 1U;
ClassId <= scudo::DefaultConfig::Primary::SizeClassMap::LargestClassId;
++ClassId) {
const scudo::uptr Size =
scudo::DefaultConfig::Primary::SizeClassMap::getSizeByClassId(
ClassId);
LastAllocatedPtr = nullptr;
LastRequestSize = 0;
LastDeallocatedPtr = nullptr;
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

Same as above

Chia-hungDuan: Same as above
void *NewPtr = Allocator.reallocate(Ptr, Size);
if (NewPtr != Ptr) {
EXPECT_EQ(NewPtr, LastAllocatedPtr);
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

I may suggest LastRequestSize

Chia-hungDuan: I may suggest `LastRequestSize`
EXPECT_EQ(Size, LastRequestSize);
EXPECT_EQ(Ptr, LastDeallocatedPtr);
} else {
EXPECT_EQ(nullptr, LastAllocatedPtr);
EXPECT_EQ(0, LastRequestSize);
EXPECT_EQ(nullptr, LastDeallocatedPtr);
}
Ptr = NewPtr;
}
}
}
Chia-hungDuanUnsubmitted
Done
ReplyInline Actions

I may suggest just to add something more concrete rather than just a counter. For example,

if (NewPtr != Ptr) {
  // We expect Ptr to be reported to deallocate-hook and NewPtr to be reported allocate-hook
}

So that we won't report wrong information (e.g., report the block address rather than the aligned address)

Chia-hungDuan: I may suggest just to add something more concrete rather than just a counter. For example, ```…