This is an archive of the discontinued LLVM Phabricator instance.

Differential D155110

[memprof] Fix use-after-free in peekBuildIds.
ClosedPublic

Authored by snehasish on Jul 12 2023, 12:59 PM.

Download Raw Diff

Details

Reviewers

tejohnson

Commits

rG787a5efb020f: [memprof] Fix use-after-free in peekBuildIds.

Summary

To check the uniqueness of buildids, we held on to a StringRef of the build id string pushed into the vector. If the number of build ids were large enough to trigger a realloc in the vector then these references where invalidated resulting in a use-after free. This was exposed in downstream usage.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

snehasish created this revision.Jul 12 2023, 12:59 PM

Herald added a project: Restricted Project. · View Herald TranscriptJul 12 2023, 12:59 PM

Herald added a subscriber: hiraditya. · View Herald Transcript

snehasish requested review of this revision.Jul 12 2023, 12:59 PM

Herald added a project: Restricted Project. · View Herald TranscriptJul 12 2023, 12:59 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

lgtm but you could also consider collapsing both BuildIds and BuildIdsSet into a single SetVector for conciseness.

This revision is now accepted and ready to land.Jul 12 2023, 1:59 PM

In D155110#4495040, @tejohnson wrote:

lgtm but you could also consider collapsing both BuildIds and BuildIdsSet into a single SetVector for conciseness.

I did consider this prior to sending out the patch. Since SetVector::takeVector return a SmallVector we need to either

create a new result std::vector prior to avoid changing the return type, negating the benefit
update the return type which breaks downstream usage and will need to be updated

Since this isn't performance critical I chose the simplest approach.

In D155110#4495062, @snehasish wrote:

In D155110#4495040, @tejohnson wrote:

lgtm but you could also consider collapsing both BuildIds and BuildIdsSet into a single SetVector for conciseness.

I did consider this prior to sending out the patch. Since SetVector::takeVector return a SmallVector we need to either

create a new result std::vector prior to avoid changing the return type, negating the benefit

update the return type which breaks downstream usage and will need to be updated

Since this isn't performance critical I chose the simplest approach.

Ack - thanks for the explanation. Agree with the approach you chose.

This revision was landed with ongoing or failed builds.Jul 12 2023, 2:21 PM

Closed by commit rG787a5efb020f: [memprof] Fix use-after-free in peekBuildIds. (authored by snehasish). · Explain Why

This revision was automatically updated to reflect the committed changes.

snehasish added a commit: rG787a5efb020f: [memprof] Fix use-after-free in peekBuildIds..

Harbormaster completed remote builds in B244880: Diff 539692.Jul 12 2023, 3:29 PM

Revision Contents

Path

Size

llvm/

lib/

ProfileData/

RawMemProfReader.cpp

4 lines

Diff 539732

llvm/lib/ProfileData/RawMemProfReader.cpp

Show First 20 Lines • Show All 546 Lines • ▼ Show 20 Lines	RawMemProfReader::peekBuildIds(MemoryBuffer *DataBuffer) {
const char *Next = DataBuffer->getBufferStart();		const char *Next = DataBuffer->getBufferStart();
// Use a set + vector since a profile file may contain multiple raw profile		// Use a set + vector since a profile file may contain multiple raw profile
// dumps, each with segment information. We want them unique and in order they		// dumps, each with segment information. We want them unique and in order they
// were stored in the profile; the profiled binary should be the first entry.		// were stored in the profile; the profiled binary should be the first entry.
// The runtime uses dl_iterate_phdr and the "... first object visited by		// The runtime uses dl_iterate_phdr and the "... first object visited by
// callback is the main program."		// callback is the main program."
// https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html		// https://man7.org/linux/man-pages/man3/dl_iterate_phdr.3.html
std::vector<std::string> BuildIds;		std::vector<std::string> BuildIds;
llvm::SmallSet<StringRef, 4> BuildIdsSet;		llvm::SmallSet<std::string, 10> BuildIdsSet;
while (Next < DataBuffer->getBufferEnd()) {		while (Next < DataBuffer->getBufferEnd()) {
auto Header = reinterpret_cast<const memprof::Header >(Next);		auto Header = reinterpret_cast<const memprof::Header >(Next);

const llvm::SmallVector<SegmentEntry> Entries =		const llvm::SmallVector<SegmentEntry> Entries =
readSegmentEntries(Next + Header->SegmentOffset);		readSegmentEntries(Next + Header->SegmentOffset);

for (const auto &Entry : Entries) {		for (const auto &Entry : Entries) {
const std::string Id = getBuildIdString(Entry);		const std::string Id = getBuildIdString(Entry);
if (BuildIdsSet.contains(Id))		if (BuildIdsSet.contains(Id))
continue;		continue;
BuildIds.push_back(Id);		BuildIds.push_back(Id);
BuildIdsSet.insert(BuildIds.back());		BuildIdsSet.insert(Id);
}		}

Next += Header->TotalSize;		Next += Header->TotalSize;
}		}
return BuildIds;		return BuildIds;
}		}

Error RawMemProfReader::readRawProfile(		Error RawMemProfReader::readRawProfile(
▲ Show 20 Lines • Show All 91 Lines • Show Last 20 Lines