This is an archive of the discontinued LLVM Phabricator instance.

Differential D144155

[ASan] Unpoisoning vectors memory before deallocation
AbandonedPublic

Authored by AdvenamTacet on Feb 15 2023, 6:42 PM.

Details

Reviewers
philnik
vitalybuka
Group Reviewers
Restricted Project
Summary

This revision fixes unpoisoning in std::vector.

A call to __annotate_delete() in operator() (in __destroy_vector class) is moved after a call to clear(), because clear may poison memory (as container overflow - fc).
It also adds unpoisoning memory before passing it to the deallocator in __vdeallocate() and __copy_assign_alloc(const vector& __c, true_type).

It guarantees that __alloc_traits::deallocate may access returned memory.

Change is motivated by false positives after committing D136765 (currently reverted):

Standard deallocator does not access the memory, so it does not produce an error, but a fix is necessary to turn on support for non-standard allocators.

Additionally, with that change, revision D136765 should not cause false positives, as returned memory will always be unpoisoned.

Diff Detail

Event Timeline

AdvenamTacet created this revision.Feb 15 2023, 6:42 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 15 2023, 6:42 PM
AdvenamTacet requested review of this revision.Feb 15 2023, 6:42 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 15 2023, 6:42 PM
Herald added a reviewer: Restricted Project. · View Herald Transcript
Herald added a subscriber: libcxx-commits. · View Herald Transcript
AdvenamTacet added a child revision: D136765: [ASan][libcxx] Annotating std::vector with all allocators.Feb 15 2023, 6:46 PM
Harbormaster completed remote builds in B214036: Diff 497862.Feb 15 2023, 6:48 PM
AdvenamTacet retitled this revision from [ASan]Unpoisoning vectors memory before deallocation to [ASan] Unpoisoning vectors memory before deallocation.Feb 15 2023, 6:50 PM
AdvenamTacet added reviewers: philnik, vitalybuka.
AdvenamTacet added a project: Restricted Project.
AdvenamTacet added a subscriber: hans.
MaskRay added a subscriber: MaskRay.EditedFeb 15 2023, 10:41 PM

clear() calls __annotate_shrink(__old_size); which eventually calls __sanitizer_annotate_contiguous_container (with new size as 0). The inserted __annotate_delete calls __sanitizer_annotate_contiguous_container (with new size as the capacity) as well. Isn't it wasteful? Notably the second __sanitizer_annotate_contiguous_container call will unpoison the full capacity bytes.

AdvenamTacet added a comment.Feb 16 2023, 12:29 AM

The point of __annotate_delete is to return memory in the same state as it was just after allocation. And yes, clear() is poisoning memory of all present objects in a vector (at the end, whole buffer is poisoned as container overflow).

  1. Therefore, there is no point to unpoison memory before a call to clear.
  2. I don't think clear() is called there because of ASan, as from ASan point of view, container does not have to be empty.
  3. The goal is to deallocate unpoisoned memory and there is no easy way to turn off poisoning inside a single call to the clear function (at least I don't know it).

If complexity is the main concern, I can add additional if before every __annotate_delete() call, and don't call them with standard allocator, as in that implementation, it's not necessary. But it depends on memory deallocator implementation.
Also, that memory will be probably poisoned by deallocator soon after, but sometimes deallocator may access memory and then it cannot be poisoned.

AdvenamTacet added a subscriber: Restricted Project.Feb 16 2023, 12:16 PM
philnik requested changes to this revision.Feb 17 2023, 3:11 AM

I think this should be put in D136765 and not as a separate commit. Regression tests are also missing.

This revision now requires changes to proceed.Feb 17 2023, 3:11 AM
AdvenamTacet edited the summary of this revision. (Show Details)Feb 17 2023, 6:30 AM
AdvenamTacet added a comment.Feb 17 2023, 8:48 AM

Sure, I can add it there.

I created a new revision, because I considered it a separate issue, which should be fixed regardless of the support for more allocators.

Right now, __annotate_delete() in __destroy_vector class makes no sense (it unpoisons whole memory, and just after that, clear() poisons part of it), but the purpose of __annotate_delete(); is to unpoison memory before deallocation.
Missing __annotate_delete() in __vdeallocate() and __copy_assign_alloc(const vector& __c, true_type) makes all existing calls to __annotate_delete() pointless, as with todays implementation of default deallocator, everything should work without calling __annotate_delete() at all.

But I will add it in D136765 and I will add there a simple test with allocator which cleans the memory during allocation and deallocation.

AdvenamTacet abandoned this revision.Feb 19 2023, 8:24 PM
AdvenamTacet mentioned this in D136765: [ASan][libcxx] Annotating std::vector with all allocators.Feb 19 2023, 9:05 PM
AdvenamTacet removed a child revision: D136765: [ASan][libcxx] Annotating std::vector with all allocators.Feb 19 2023, 9:38 PM
philnik mentioned this in rGa9356a515b5a: [ASan][libcxx] Annotating std::vector with all allocators.Feb 23 2023, 11:46 AM
philnik mentioned this in rGc08d4ad25cf3: [ASan][libcxx] Annotating std::vector with all allocators.May 4 2023, 5:45 PM

Revision Contents

PathSize
libcxx/
include/
4 lines

Diff 497862

libcxx/include/vector

Show First 20 LinesShow All 433 Lines▼ Show 20 Lines#endif
vector(_ForwardIterator __first, _ForwardIterator __last, const allocator_type& __a); vector(_ForwardIterator __first, _ForwardIterator __last, const allocator_type& __a);
private: private:
class __destroy_vector { class __destroy_vector {
public: public:
_LIBCPP_CONSTEXPR __destroy_vector(vector& __vec) : __vec_(__vec) {} _LIBCPP_CONSTEXPR __destroy_vector(vector& __vec) : __vec_(__vec) {}
_LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_HIDE_FROM_ABI void operator()() { _LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_HIDE_FROM_ABI void operator()() {
__vec_.__annotate_delete();
std::__debug_db_erase_c(std::addressof(__vec_)); std::__debug_db_erase_c(std::addressof(__vec_));
if (__vec_.__begin_ != nullptr) { if (__vec_.__begin_ != nullptr) {
__vec_.__clear(); __vec_.__clear();
__vec_.__annotate_delete();
__alloc_traits::deallocate(__vec_.__alloc(), __vec_.__begin_, __vec_.capacity()); __alloc_traits::deallocate(__vec_.__alloc(), __vec_.__begin_, __vec_.capacity());
} }
} }
private: private:
vector& __vec_; vector& __vec_;
}; };
▲ Show 20 LinesShow All 406 Lines▼ Show 20 Lines#endif
} }
_LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_HIDE_FROM_ABI
void __copy_assign_alloc(const vector& __c, true_type) void __copy_assign_alloc(const vector& __c, true_type)
{ {
if (__alloc() != __c.__alloc()) if (__alloc() != __c.__alloc())
{ {
__clear(); __clear();
__annotate_delete();
__alloc_traits::deallocate(__alloc(), this->__begin_, capacity()); __alloc_traits::deallocate(__alloc(), this->__begin_, capacity());
this->__begin_ = this->__end_ = __end_cap() = nullptr; this->__begin_ = this->__end_ = __end_cap() = nullptr;
} }
__alloc() = __c.__alloc(); __alloc() = __c.__alloc();
} }
_LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_HIDE_FROM_ABI _LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_HIDE_FROM_ABI
void __copy_assign_alloc(const vector&, false_type) void __copy_assign_alloc(const vector&, false_type)
▲ Show 20 LinesShow All 72 Lines▼ Show 20 Lines
template <class _Tp, class _Allocator> template <class _Tp, class _Allocator>
_LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_CONSTEXPR_SINCE_CXX20
void void
vector<_Tp, _Allocator>::__vdeallocate() _NOEXCEPT vector<_Tp, _Allocator>::__vdeallocate() _NOEXCEPT
{ {
if (this->__begin_ != nullptr) if (this->__begin_ != nullptr)
{ {
clear(); clear();
__annotate_delete();
__alloc_traits::deallocate(this->__alloc(), this->__begin_, capacity()); __alloc_traits::deallocate(this->__alloc(), this->__begin_, capacity());
this->__begin_ = this->__end_ = this->__end_cap() = nullptr; this->__begin_ = this->__end_ = this->__end_cap() = nullptr;
} }
} }
template <class _Tp, class _Allocator> template <class _Tp, class _Allocator>
_LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_CONSTEXPR_SINCE_CXX20
typename vector<_Tp, _Allocator>::size_type typename vector<_Tp, _Allocator>::size_type
▲ Show 20 LinesShow All 2,402 LinesShow Last 20 Lines