This is an archive of the discontinued LLVM Phabricator instance.

Differential D151175

[lsan] Invoke hooks on realloc
ClosedPublic

Authored by Northbadge on May 22 2023, 5:56 PM.

Details

Reviewers
vitalybuka
Commits
rG90418dc95ec1: [lsan] Invoke hooks on realloc
Summary

Previously lsan would not invoke hooks on reallocations.
An accompanying regression test is included in sanitizer_common.

This change also moves hook calls to a location where subsequent
calls (via an external caller) to __sanitizer_get_allocated_size
via hooks will return a valid size.

This allows a faster version of __sanitizer_get_allocated_size
to be implemented, which can skip checks.

Test to ensure RunFreeHooks' call order will come with
__sanitizer_get_allocated_size_fast

Diff Detail

Event Timeline

Northbadge created this revision.May 22 2023, 5:56 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 22 2023, 5:56 PM
Herald added a subscriber: Enna1. · View Herald Transcript
Northbadge published this revision for review.May 22 2023, 6:05 PM
Northbadge added a reviewer: vitalybuka.
Herald added a project: Restricted Project. · View Herald TranscriptMay 22 2023, 6:06 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
vitalybuka accepted this revision.May 22 2023, 6:09 PM
This revision is now accepted and ready to land.May 22 2023, 6:09 PM
Northbadge added inline comments.May 22 2023, 6:09 PM
compiler-rt/test/sanitizer_common/TestCases/malloc_hook.cpp
45

this is to avoid asan complaining of non-matching alloc-dealloc calls. e.g. it was doing new-free(from realloc) before.

Harbormaster completed remote builds in B233760: Diff 524547.May 22 2023, 6:32 PM
Closed by commit rG90418dc95ec1: [lsan] Invoke hooks on realloc (authored by Northbadge). · Explain WhyMay 23 2023, 9:44 AM
This revision was automatically updated to reflect the committed changes.
Northbadge added a commit: rG90418dc95ec1: [lsan] Invoke hooks on realloc.
usama54321 reopened this revision.May 31 2023, 4:19 PM
usama54321 added a subscriber: usama54321.

Hi. This is breaking malloc_hook.cpp test. Can you please revert or fix this? Thanks

https://green.lab.llvm.org/green/job/clang-stage1-RA/34460/testReport/junit/SanitizerCommon-tsan-x86_64-Darwin/SanitizerCommon-tsan-x86_64-Darwin/malloc_hook_cpp/

This revision is now accepted and ready to land.May 31 2023, 4:19 PM
usama54321 added a comment.May 31 2023, 4:22 PM

Also breaking https://green.lab.llvm.org/green/job/clang-stage1-RA/34460/testReport/SanitizerCommon-tsan-x86_64-Darwin/SanitizerCommon-tsan-x86_64-Darwin/malloc_hook_get_allocated_size_fast_cpp/

Northbadge added a comment.May 31 2023, 5:25 PM
In D151175#4385784, @usama54321 wrote:

Also breaking https://green.lab.llvm.org/green/job/clang-stage1-RA/34460/testReport/SanitizerCommon-tsan-x86_64-Darwin/SanitizerCommon-tsan-x86_64-Darwin/malloc_hook_get_allocated_size_fast_cpp/

Thanks! I sent over D151860 to disable the tests on tsan & darwin for now

zequanwu added a subscriber: zequanwu.Jun 1 2023, 10:54 AM

It looks like also failing in chromium mac bots. I haven't confirmed, but it's very likely.
Build: https://logs.chromium.org/logs/chromium/buildbucket/cr-buildbucket/8780155112582797025/+/u/package_clang/stdout?format=raw

FAIL: SanitizerCommon-tsan-x86_64-Darwin :: malloc_hook.cpp (67438 of 71222)
 ******************** TEST 'SanitizerCommon-tsan-x86_64-Darwin :: malloc_hook.cpp' FAILED ********************
 Script:
 --
 : 'RUN: at line 1';      /opt/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/./bin/clang  --driver-mode=g++ -gline-tables-only -fsanitize=thread  -arch x86_64 -stdlib=libc++ -mmacosx-version-min=10.12 -isysroot /opt/s/w/ir/cache/osx_sdk/XCode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk  -I/opt/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/test -O2 /opt/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/test/sanitizer_common/TestCases/malloc_hook.cpp -o /opt/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/runtimes/runtimes-bins/compiler-rt/test/sanitizer_common/tsan-x86_64-Darwin/Output/malloc_hook.cpp.tmp &&  /opt/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/runtimes/runtimes-bins/compiler-rt/test/sanitizer_common/tsan-x86_64-Darwin/Output/malloc_hook.cpp.tmp 2>&1 | FileCheck /opt/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/test/sanitizer_common/TestCases/malloc_hook.cpp
 --
 Exit Code: 2
 
 Command Output (stderr):
 --
 FileCheck error: '<stdin>' is empty.
 FileCheck command line:  FileCheck /opt/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/test/sanitizer_common/TestCases/malloc_hook.cpp
 
 --
Northbadge closed this revision.Jun 1 2023, 11:15 AM

Test failures on darwin should be resolved past https://github.com/llvm/llvm-project/commit/2de54b919ba5fd9ccf37038cddfc36e97eb480af , sorry for the trouble!

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
4 lines
test/
sanitizer_common/
TestCases/
18 lines

Diff 524770

compiler-rt/lib/lsan/lsan_allocator.cpp

Show First 20 LinesShow All 59 Lines▼ Show 20 Lines
static void RegisterAllocation(const StackTrace &stack, void *p, uptr size) { static void RegisterAllocation(const StackTrace &stack, void *p, uptr size) {
if (!p) return; if (!p) return;
ChunkMetadata *m = Metadata(p); ChunkMetadata *m = Metadata(p);
CHECK(m); CHECK(m);
m->tag = DisabledInThisThread() ? kIgnored : kDirectlyLeaked; m->tag = DisabledInThisThread() ? kIgnored : kDirectlyLeaked;
m->stack_trace_id = StackDepotPut(stack); m->stack_trace_id = StackDepotPut(stack);
m->requested_size = size; m->requested_size = size;
atomic_store(reinterpret_cast<atomic_uint8_t *>(m), 1, memory_order_relaxed); atomic_store(reinterpret_cast<atomic_uint8_t *>(m), 1, memory_order_relaxed);
RunMallocHooks(p, size);
} }
static void RegisterDeallocation(void *p) { static void RegisterDeallocation(void *p) {
if (!p) return; if (!p) return;
ChunkMetadata *m = Metadata(p); ChunkMetadata *m = Metadata(p);
CHECK(m); CHECK(m);
RunFreeHooks(p);
atomic_store(reinterpret_cast<atomic_uint8_t *>(m), 0, memory_order_relaxed); atomic_store(reinterpret_cast<atomic_uint8_t *>(m), 0, memory_order_relaxed);
} }
static void *ReportAllocationSizeTooBig(uptr size, const StackTrace &stack) { static void *ReportAllocationSizeTooBig(uptr size, const StackTrace &stack) {
if (AllocatorMayReturnNull()) { if (AllocatorMayReturnNull()) {
Report("WARNING: LeakSanitizer failed to allocate 0x%zx bytes\n", size); Report("WARNING: LeakSanitizer failed to allocate 0x%zx bytes\n", size);
return nullptr; return nullptr;
} }
Show All 17 Lines if (UNLIKELY(!p)) {
if (AllocatorMayReturnNull()) if (AllocatorMayReturnNull())
return nullptr; return nullptr;
ReportOutOfMemory(size, &stack); ReportOutOfMemory(size, &stack);
} }
// Do not rely on the allocator to clear the memory (it's slow). // Do not rely on the allocator to clear the memory (it's slow).
if (cleared && allocator.FromPrimary(p)) if (cleared && allocator.FromPrimary(p))
memset(p, 0, size); memset(p, 0, size);
RegisterAllocation(stack, p, size); RegisterAllocation(stack, p, size);
RunMallocHooks(p, size);
return p; return p;
} }
static void *Calloc(uptr nmemb, uptr size, const StackTrace &stack) { static void *Calloc(uptr nmemb, uptr size, const StackTrace &stack) {
if (UNLIKELY(CheckForCallocOverflow(size, nmemb))) { if (UNLIKELY(CheckForCallocOverflow(size, nmemb))) {
if (AllocatorMayReturnNull()) if (AllocatorMayReturnNull())
return nullptr; return nullptr;
ReportCallocOverflow(nmemb, size, &stack); ReportCallocOverflow(nmemb, size, &stack);
} }
size *= nmemb; size *= nmemb;
return Allocate(stack, size, 1, true); return Allocate(stack, size, 1, true);
} }
void Deallocate(void *p) { void Deallocate(void *p) {
RunFreeHooks(p);
RegisterDeallocation(p); RegisterDeallocation(p);
allocator.Deallocate(GetAllocatorCache(), p); allocator.Deallocate(GetAllocatorCache(), p);
} }
void *Reallocate(const StackTrace &stack, void *p, uptr new_size, void *Reallocate(const StackTrace &stack, void *p, uptr new_size,
uptr alignment) { uptr alignment) {
if (new_size > max_malloc_size) { if (new_size > max_malloc_size) {
ReportAllocationSizeTooBig(new_size, stack); ReportAllocationSizeTooBig(new_size, stack);
▲ Show 20 LinesShow All 253 LinesShow Last 20 Lines

compiler-rt/test/sanitizer_common/TestCases/malloc_hook.cpp

Show All 15 Lines
extern "C" { extern "C" {
const volatile void *global_ptr; const volatile void *global_ptr;
#define WRITE(s) write(1, s, sizeof(s)) #define WRITE(s) write(1, s, sizeof(s))
// Note: avoid calling functions that allocate memory in malloc/free // Note: avoid calling functions that allocate memory in malloc/free
// to avoid infinite recursion. // to avoid infinite recursion.
void __sanitizer_malloc_hook(const volatile void *ptr, size_t sz) { void __sanitizer_malloc_hook(const volatile void *ptr, size_t sz) {
if (__sanitizer_get_ownership(ptr) && sz == 4) { if (__sanitizer_get_ownership(ptr) && sz == sizeof(int)) {
WRITE("MallocHook\n"); WRITE("MallocHook\n");
global_ptr = ptr; global_ptr = ptr;
} }
} }
void __sanitizer_free_hook(const volatile void *ptr) { void __sanitizer_free_hook(const volatile void *ptr) {
if (__sanitizer_get_ownership(ptr) && ptr == global_ptr) if (__sanitizer_get_ownership(ptr) && ptr == global_ptr)
WRITE("FreeHook\n"); WRITE("FreeHook\n");
} }
} // extern "C" } // extern "C"
volatile int *x; volatile int *x;
void MallocHook1(const volatile void *ptr, size_t sz) { WRITE("MH1\n"); } void MallocHook1(const volatile void *ptr, size_t sz) { WRITE("MH1\n"); }
void MallocHook2(const volatile void *ptr, size_t sz) { WRITE("MH2\n"); } void MallocHook2(const volatile void *ptr, size_t sz) { WRITE("MH2\n"); }
void FreeHook1(const volatile void *ptr) { WRITE("FH1\n"); } void FreeHook1(const volatile void *ptr) { WRITE("FH1\n"); }
void FreeHook2(const volatile void *ptr) { WRITE("FH2\n"); } void FreeHook2(const volatile void *ptr) { WRITE("FH2\n"); }
// Call this function with uninitialized arguments to poison // Call this function with uninitialized arguments to poison
// TLS shadow for function parameters before calling operator // TLS shadow for function parameters before calling operator
// new and, eventually, user-provided hook. // new and, eventually, user-provided hook.
__attribute__((noinline)) void allocate(int *unused1, int *unused2) { __attribute__((noinline)) void allocate(int *unused1, int *unused2) {
x = new int; x = reinterpret_cast<int *>(malloc(sizeof(int)));
NorthbadgeAuthorUnsubmitted
Done
ReplyInline Actions

this is to avoid asan complaining of non-matching alloc-dealloc calls. e.g. it was doing new-free(from realloc) before.

Northbadge: this is to avoid asan complaining of non-matching alloc-dealloc calls. e.g. it was doing new…
} }
int main() { int main() {
__sanitizer_install_malloc_and_free_hooks(MallocHook1, FreeHook1); __sanitizer_install_malloc_and_free_hooks(MallocHook1, FreeHook1);
__sanitizer_install_malloc_and_free_hooks(MallocHook2, FreeHook2); __sanitizer_install_malloc_and_free_hooks(MallocHook2, FreeHook2);
int *undef1, *undef2; int *undef1, *undef2;
allocate(undef1, undef2); allocate(undef1, undef2);
// CHECK: MallocHook // CHECK: MallocHook
// CHECK: MH1 // CHECK: MH1
// CHECK: MH2 // CHECK: MH2
// Check that malloc hook was called with correct argument. // Check that malloc hook was called with correct argument.
if (global_ptr != (void*)x) { if (global_ptr != (void*)x) {
_exit(1); _exit(1);
} }
*x = 0;
delete x; // Check that realloc invokes hooks
// CHECK: FreeHook // We realloc to 128 here to avoid potential oversizing by allocators
// making this a no-op.
x = reinterpret_cast<int *>(realloc((int *)x, sizeof(int) * 128));
// CHECK-DAG: FreeHook{{[[:space:]].*}}FH1{{[[:space:]].*}}FH2
// CHECK-DAG: MH1{{[[:space:]].*}}MH2
x[0] = 0;
x[127] = -1;
free((void *)x);
// CHECK: FH1 // CHECK: FH1
// CHECK: FH2 // CHECK: FH2
return 0; return 0;
} }