This is an archive of the discontinued LLVM Phabricator instance.

Differential D27083

[sanitizer] Handle malloc_destroy_zone() on Darwin
ClosedPublic

Authored by kubamracek on Nov 23 2016, 5:41 PM.

Details

Reviewers
glider
filcab
dvyukov
eugenis
zaks.anna
rnk
Commits
rG1c002267fb83: [sanitizer] Make sure libmalloc doesn't remove the sanitizer zone from…
rGb93f78128f5e: [sanitizer] Handle malloc_destroy_zone() on Darwin
rCRT289376: [sanitizer] Make sure libmalloc doesn't remove the sanitizer zone from…
rCRT289375: [sanitizer] Handle malloc_destroy_zone() on Darwin
rL289376: [sanitizer] Make sure libmalloc doesn't remove the sanitizer zone from…
rL289375: [sanitizer] Handle malloc_destroy_zone() on Darwin
Summary

We currently have a interceptor for malloc_create_zone, which returns a new zone that redirects all the zone requests to our sanitizer zone. However, calling malloc_destroy_zone on that zone will cause libmalloc to print out some warning messages, because the zone is not registered in the list of zones. This patch handles this and adds a testcase for that.

Secondly, in certain OS versions, it was possible that libmalloc replaced the sanitizer zone from being the default zone (i.e. being in malloc_zones[0]). This patch also introduces a failsafe that makes sure we always stay the default zone. No testcase for this, because this doesn't reproduce under normal circumstances.

Diff Detail

Event Timeline

kubamracek updated this revision to Diff 79179.Nov 23 2016, 5:41 PM
kubamracek retitled this revision from to [sanitizer] Handle malloc_destroy_zone() on Darwin.
kubamracek updated this object.
kubamracek added reviewers: filcab, zaks.anna, dvyukov, rnk, eugenis.
kubamracek set the repository for this revision to rL LLVM.
kubamracek added a project: Restricted Project.
kubamracek added a subscriber: llvm-commits.
dvyukov added a reviewer: glider.Nov 23 2016, 11:41 PM
filcab edited edge metadata.Nov 29 2016, 9:29 AM

Please split this in two commits: The malloc_zone_destroy part and the bugfix for malloc_zones[0]. They seem orthogonal.

I'd really like a test for the malloc_zones[0] problem, though. Is it not possible at all? Does it happen only on certain versions (as in: maybe it was a bug somewhere else)?
Otherwise LGTM, but you might want to check if anyone that's using ASan on the mac on more complex systems (Google Chrome?) have something to say.

lib/sanitizer_common/sanitizer_malloc_mac.inc
78

Why not this (seems more explicit to me. Not a big deal, though)?

malloc_zones[i] = malloc_zones[0];
malloc_zones[0] = &sanitizer_zone;
kubamracek updated this revision to Diff 79620.Nov 29 2016, 12:27 PM
kubamracek edited edge metadata.
kubamracek removed rL LLVM as the repository for this revision.

Updating patch.

Please split this in two commits: The malloc_zone_destroy part and the bugfix for malloc_zones[0]. They seem orthogonal.

Ok, I'll commit this separately.

I'd really like a test for the malloc_zones[0] problem, though. Is it not possible at all? Does it happen only on certain versions (as in: maybe it was a bug somewhere else)?
you might want to check if anyone that's using ASan on the mac on more complex systems (Google Chrome?) have something to say.

I'm afraid I can't come up with a test for this. This was a "bug" (or rather an incompatible change) in some versions of libmalloc on macOS, where in certain cases this mprotect() interceptor was needed; but I believe the problem was fixed before ending in any public release. We have been using this patch internally for a long time now, so it should be safe.

zaks.anna added inline comments.Dec 1 2016, 3:54 PM
lib/sanitizer_common/sanitizer_malloc_mac.inc
68

I'd add a comment that explains the intent here (why are we doing this), ex:
// Ensure that the sanitizer_zone is registered as malloc_zones[0].

74

You could strengthen the condition above to malloc_num_zones > 1 && and start iteration from '1'. If there is a single zone:

  • if it is sanitizer_zone, we are good to go.
  • if it is not a sanitizer_zone, there is nothing to swap it with.
kubamracek updated this revision to Diff 80293.Dec 5 2016, 10:45 AM

Updating patch, addressing review comments.

zaks.anna added inline comments.Dec 5 2016, 10:54 AM
lib/sanitizer_common/sanitizer_malloc_mac.inc
75

Iteration should start with 1 since the condition will always be false for i==0. The current version is correct, but was a bit more complicated to reason about since the intention is never to malloc_zones[0] with malloc_zones[0].

kubamracek updated this revision to Diff 80296.Dec 5 2016, 10:56 AM
zaks.anna accepted this revision.Dec 6 2016, 3:59 PM
zaks.anna edited edge metadata.

LGTM!

This revision is now accepted and ready to land.Dec 6 2016, 3:59 PM
kubamracek added a comment.Dec 11 2016, 1:17 AM

Landed in r289375 and r289376.

Closed by commit rL289375: [sanitizer] Handle malloc_destroy_zone() on Darwin (authored by kuba.brecka). · Explain WhyDec 11 2016, 1:49 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
sanitizer_common/
35 lines
test/
asan/
TestCases/
Darwin/
21 lines

Diff 79179

lib/sanitizer_common/sanitizer_malloc_mac.inc

Show All 40 LinesINTERCEPTOR(malloc_zone_t *, malloc_create_zone,
internal_memcpy(new_zone, &sanitizer_zone, sizeof(sanitizer_zone)); internal_memcpy(new_zone, &sanitizer_zone, sizeof(sanitizer_zone));
new_zone->zone_name = NULL; // The name will be changed anyway. new_zone->zone_name = NULL; // The name will be changed anyway.
if (GetMacosVersion() >= MACOS_VERSION_LION) { if (GetMacosVersion() >= MACOS_VERSION_LION) {
// Prevent the client app from overwriting the zone contents. // Prevent the client app from overwriting the zone contents.
// Library functions that need to modify the zone will set PROT_WRITE on it. // Library functions that need to modify the zone will set PROT_WRITE on it.
// This matches the behavior of malloc_create_zone() on OSX 10.7 and higher. // This matches the behavior of malloc_create_zone() on OSX 10.7 and higher.
mprotect(new_zone, allocated_size, PROT_READ); mprotect(new_zone, allocated_size, PROT_READ);
} }
// We're explicitly *NOT* registering the zone.
return new_zone; return new_zone;
} }
INTERCEPTOR(void, malloc_destroy_zone, malloc_zone_t *zone) {
COMMON_MALLOC_ENTER();
// We don't need to do anything here. We're not registering new zones, so we
// don't to unregister. Just un-mprotect and free() the zone.
if (GetMacosVersion() >= MACOS_VERSION_LION) {
uptr page_size = GetPageSizeCached();
uptr allocated_size = RoundUpTo(sizeof(sanitizer_zone), page_size);
mprotect(zone, allocated_size, PROT_READ | PROT_WRITE);
}
COMMON_MALLOC_FREE(zone);
}
extern unsigned malloc_num_zones;
extern malloc_zone_t **malloc_zones;
// If libmalloc tries to set up a different zone as malloc_zones[0], it will
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

I'd add a comment that explains the intent here (why are we doing this), ex:
// Ensure that the sanitizer_zone is registered as malloc_zones[0].

zaks.anna: I'd add a comment that explains the intent here (why are we doing this), ex: // Ensure that…
// call mprotect(malloc_zones, ..., PROT_READ). This interceptor will catch
// that and make sure we are still the first (default) zone.
INTERCEPTOR(int, mprotect, void *addr, size_t len, int prot) {
if (addr == malloc_zones && prot == PROT_READ) {
if (malloc_num_zones > 0 && malloc_zones[0] != &sanitizer_zone) {
for (unsigned i = 0; i < malloc_num_zones; i++) {
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

You could strengthen the condition above to malloc_num_zones > 1 && and start iteration from '1'. If there is a single zone:

  • if it is sanitizer_zone, we are good to go.
  • if it is not a sanitizer_zone, there is nothing to swap it with.
zaks.anna: You could strengthen the condition above to `malloc_num_zones > 1 &&` and start iteration from…
if (malloc_zones[i] == &sanitizer_zone) {
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Iteration should start with 1 since the condition will always be false for i==0. The current version is correct, but was a bit more complicated to reason about since the intention is never to malloc_zones[0] with malloc_zones[0].

zaks.anna: Iteration should start with 1 since the condition will always be false for i==0. The current…
malloc_zone_t *tmp = malloc_zones[0];
malloc_zones[0] = malloc_zones[i];
malloc_zones[i] = tmp;
filcabUnsubmitted
Not Done
ReplyInline Actions

Why not this (seems more explicit to me. Not a big deal, though)?

malloc_zones[i] = malloc_zones[0];
malloc_zones[0] = &sanitizer_zone;
filcab: Why not this (seems more explicit to me. Not a big deal, though)? ```malloc_zones[i] =…
break;
}
}
}
}
return REAL(mprotect)(addr, len, prot);
}
INTERCEPTOR(malloc_zone_t *, malloc_default_zone, void) { INTERCEPTOR(malloc_zone_t *, malloc_default_zone, void) {
COMMON_MALLOC_ENTER(); COMMON_MALLOC_ENTER();
return &sanitizer_zone; return &sanitizer_zone;
} }
INTERCEPTOR(malloc_zone_t *, malloc_default_purgeable_zone, void) { INTERCEPTOR(malloc_zone_t *, malloc_default_purgeable_zone, void) {
// FIXME: ASan should support purgeable allocations. // FIXME: ASan should support purgeable allocations.
// https://github.com/google/sanitizers/issues/139 // https://github.com/google/sanitizers/issues/139
▲ Show 20 LinesShow All 270 LinesShow Last 20 Lines

test/asan/TestCases/Darwin/malloc_destroy_zone.cc

// RUN: %clangxx_asan %s -o %t && %run %t 2>&1 | FileCheck %s
#include <malloc/malloc.h>
#include <stdlib.h>
#include <stdio.h>
int main() {
fprintf(stderr, "start\n");
malloc_zone_t *zone = malloc_create_zone(0, 0);
fprintf(stderr, "zone = %p\n", zone);
malloc_set_zone_name(zone, "myzone");
fprintf(stderr, "name changed\n");
malloc_destroy_zone(zone);
fprintf(stderr, "done\n");
return 0;
}
// CHECK: start
// CHECK-NEXT: zone = 0x{{.*}}
// CHECK-NEXT: name changed
// CHECK-NEXT: done