This is an archive of the discontinued LLVM Phabricator instance.

Differential D148427

[BOLT] Fix use-after-free in RewriteInstance::mapCodeSections
ClosedPublic

Authored by jobnoorman on Apr 15 2023, 5:36 AM.

Details

Reviewers
rafauler
maksfb
yota9
Amir
Commits
rG48ad4296f784: [BOLT] Fix use-after-free in RewriteInstance::mapCodeSections
Summary

When a cold function is too large, its section gets deregistered.
However, the section is still dereferenced later to get its RuntimeDyld
ID. This patch moves the deregistration to after the last dereference.

Note that this came up in D147544 and I haven't found a way to actually
trigger this bug (i.e., I'm not sure how to create a cold function
that's considered "too large"). I tried to resolve the issue without
affecting BOLT's behavior but there might be better ways to solve it
(e.g., not deregistering, not mapping the deregistered section in
RuntimeDyld?).

Diff Detail

Event Timeline

jobnoorman created this revision.Apr 15 2023, 5:36 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 15 2023, 5:36 AM
Herald added subscribers: asb, treapster, pmatos, ayermolo. · View Herald Transcript
jobnoorman requested review of this revision.Apr 15 2023, 5:36 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 15 2023, 5:36 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B225836: Diff 513894.Apr 15 2023, 5:41 AM
jobnoorman mentioned this in D147544: [BOLT] Move from RuntimeDyld to JITLink.Apr 15 2023, 5:42 AM
Amir accepted this revision.Apr 17 2023, 5:08 AM

Good catch!

This revision is now accepted and ready to land.Apr 17 2023, 5:08 AM
Amir added a comment.Apr 17 2023, 5:09 AM

Please remove "[NFC]" from title as bugfix is a functional change

jobnoorman retitled this revision from [BOLT][NFC] Fix use-after-free in RewriteInstance::mapCodeSections to [BOLT] Fix use-after-free in RewriteInstance::mapCodeSections.Apr 17 2023, 5:54 AM
This revision was landed with ongoing or failed builds.Apr 17 2023, 7:17 AM
Closed by commit rG48ad4296f784: [BOLT] Fix use-after-free in RewriteInstance::mapCodeSections (authored by jobnoorman). · Explain Why
This revision was automatically updated to reflect the committed changes.
jobnoorman added a commit: rG48ad4296f784: [BOLT] Fix use-after-free in RewriteInstance::mapCodeSections.

Revision Contents

PathSize
bolt/
lib/
Rewrite/
4 lines

Diff 514222

bolt/lib/Rewrite/RewriteInstance.cpp

Show First 20 LinesShow All 4,091 Lines▼ Show 20 Lines for (auto &BFI : BC->getBinaryFunctions()) {
// Cold fragments are aligned at 16 bytes. // Cold fragments are aligned at 16 bytes.
NextAvailableAddress = alignTo(NextAvailableAddress, 16); NextAvailableAddress = alignTo(NextAvailableAddress, 16);
if (TooLarge) { if (TooLarge) {
// The corresponding FDE will refer to address 0. // The corresponding FDE will refer to address 0.
FF.setAddress(0); FF.setAddress(0);
FF.setImageAddress(0); FF.setImageAddress(0);
FF.setImageSize(0); FF.setImageSize(0);
FF.setFileOffset(0); FF.setFileOffset(0);
BC->deregisterSection(*ColdSection);
} else { } else {
FF.setAddress(NextAvailableAddress); FF.setAddress(NextAvailableAddress);
FF.setImageAddress(ColdSection->getAllocAddress()); FF.setImageAddress(ColdSection->getAllocAddress());
FF.setImageSize(ColdSection->getOutputSize()); FF.setImageSize(ColdSection->getOutputSize());
FF.setFileOffset(getFileOffsetForAddress(NextAvailableAddress)); FF.setFileOffset(getFileOffsetForAddress(NextAvailableAddress));
ColdSection->setOutputAddress(FF.getAddress()); ColdSection->setOutputAddress(FF.getAddress());
} }
LLVM_DEBUG( LLVM_DEBUG(
dbgs() << formatv( dbgs() << formatv(
"BOLT: mapping cold fragment {0:x+} to {1:x+} with size {2:x+}\n", "BOLT: mapping cold fragment {0:x+} to {1:x+} with size {2:x+}\n",
FF.getImageAddress(), FF.getAddress(), FF.getImageSize())); FF.getImageAddress(), FF.getAddress(), FF.getImageSize()));
RTDyld.reassignSectionAddress(ColdSection->getSectionID(), FF.getAddress()); RTDyld.reassignSectionAddress(ColdSection->getSectionID(), FF.getAddress());
if (TooLarge)
BC->deregisterSection(*ColdSection);
NextAvailableAddress += FF.getImageSize(); NextAvailableAddress += FF.getImageSize();
} }
// Add the new text section aggregating all existing code sections. // Add the new text section aggregating all existing code sections.
// This is pseudo-section that serves a purpose of creating a corresponding // This is pseudo-section that serves a purpose of creating a corresponding
// entry in section header table. // entry in section header table.
int64_t NewTextSectionSize = int64_t NewTextSectionSize =
NextAvailableAddress - NewTextSectionStartAddress; NextAvailableAddress - NewTextSectionStartAddress;
▲ Show 20 LinesShow All 1,957 LinesShow Last 20 Lines