This is an archive of the discontinued LLVM Phabricator instance.

Differential D148909

[hwasan] Fix data race between ReleaseThread() and VisitAllLiveThreads()
ClosedPublic

Authored by Enna1 on Apr 21 2023, 2:26 AM.

Details

Reviewers
vitalybuka
eugenis
Commits
rGf9dd3ea475e4: [hwasan] Fix data race between ReleaseThread() and VisitAllLiveThreads()
Summary

Data race scenario:

Thread 1                                | Thread 2
ReportTagMismatch()                     |
Call VisitAllLiveThreads() to scan all  |
threads' ring buffers to find           |
if it's a heap-use-after-free.          |
Lock live_list_mutex_                   |
                                        | Thread 2 exit
                                        | ReleaseThread() calls Thread::Destroy() for Thread 2,
                                        | which frees heap alloctions ring buffer
                                        | RemoveThreadFromLiveList() tries to take live_list_mutex_ again
Iterate the heap alloctions ring buffer |
of Thread 2, which is already freed     |

Diff Detail

Event Timeline

Enna1 created this revision.Apr 21 2023, 2:26 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 21 2023, 2:26 AM
Enna1 edited the summary of this revision. (Show Details)Apr 21 2023, 2:28 AM
Enna1 edited the summary of this revision. (Show Details)
Enna1 added a subscriber: MTC.
Enna1 published this revision for review.Apr 21 2023, 2:43 AM

We encountered a crash due to this data race during the process of enabling hwasan for our server-side applications on AArch64/Linux. With this change, the crash will be fixed.

But can't figure out how to write a test case for this, still trying.

Herald added a project: Restricted Project. · View Herald TranscriptApr 21 2023, 2:43 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B227122: Diff 515656.Apr 21 2023, 2:44 AM
Enna1 added reviewers: vitalybuka, eugenis.Apr 21 2023, 2:44 AM
vitalybuka accepted this revision.Apr 26 2023, 1:13 PM

Would be nice to have a simple reproducer as a test, but LGTM as-is if that's hard.

This revision is now accepted and ready to land.Apr 26 2023, 1:13 PM
Closed by commit rGf9dd3ea475e4: [hwasan] Fix data race between ReleaseThread() and VisitAllLiveThreads() (authored by Enna1). · Explain WhyMay 5 2023, 3:39 AM
This revision was automatically updated to reflect the committed changes.
Enna1 added a commit: rGf9dd3ea475e4: [hwasan] Fix data race between ReleaseThread() and VisitAllLiveThreads().

Revision Contents

PathSize
compiler-rt/
lib/
hwasan/
2 lines

Diff 519793

compiler-rt/lib/hwasan/hwasan_thread_list.h

Show First 20 LinesShow All 125 Lines▼ Show 20 Lines for (Thread *&t2 : live_list_)
live_list_.pop_back(); live_list_.pop_back();
return; return;
} }
CHECK(0 && "thread not found in live list"); CHECK(0 && "thread not found in live list");
} }
void ReleaseThread(Thread *t) SANITIZER_EXCLUDES(free_list_mutex_) { void ReleaseThread(Thread *t) SANITIZER_EXCLUDES(free_list_mutex_) {
RemoveThreadStats(t); RemoveThreadStats(t);
RemoveThreadFromLiveList(t);
t->Destroy(); t->Destroy();
DontNeedThread(t); DontNeedThread(t);
RemoveThreadFromLiveList(t);
SpinMutexLock l(&free_list_mutex_); SpinMutexLock l(&free_list_mutex_);
free_list_.push_back(t); free_list_.push_back(t);
} }
Thread *GetThreadByBufferAddress(uptr p) { Thread *GetThreadByBufferAddress(uptr p) {
return (Thread *)(RoundDownTo(p, ring_buffer_size_ * 2) + return (Thread *)(RoundDownTo(p, ring_buffer_size_ * 2) +
ring_buffer_size_); ring_buffer_size_);
} }
▲ Show 20 LinesShow All 82 LinesShow Last 20 Lines