This is an archive of the discontinued LLVM Phabricator instance.

Differential D37269

Add support for custom loaders to the sanitizer symbolizer
ClosedPublic

Authored by fjricci on Aug 29 2017, 12:51 PM.

Details

Reviewers
kubamracek
rnk
vitalybuka
eugenis
Commits
rGdaf210f7b664: Add support for custom loaders to the sanitizer symbolizer
rGe2aa5b2ace43: Add support for custom loaders to the sanitizer symbolizer
rGb9a32d470af2: Add support for custom loaders to the sanitizer symbolizer
rCRT314713: Add support for custom loaders to the sanitizer symbolizer
rCRT314671: Add support for custom loaders to the sanitizer symbolizer
rCRT314431: Add support for custom loaders to the sanitizer symbolizer
rL314713: Add support for custom loaders to the sanitizer symbolizer
rL314671: Add support for custom loaders to the sanitizer symbolizer
rL314431: Add support for custom loaders to the sanitizer symbolizer
Summary

Adds a fallback mode to procmaps when the symbolizer
fails to locate a module for a given address by using
dl_iterate_phdr.

Diff Detail

Repository
rL LLVM

Event Timeline

fjricci created this revision.Aug 29 2017, 12:51 PM
fjricci added a parent revision: D37268: Invalidate symbolizer module list from dlopen/dlclose interceptors.Aug 29 2017, 12:52 PM
Harbormaster completed remote builds in B9747: Diff 113137.Aug 29 2017, 12:52 PM
vitalybuka added a reviewer: eugenis.Aug 31 2017, 4:22 PM
eugenis edited edge metadata.Aug 31 2017, 5:28 PM

I don't understand. What are these custom loaders that fail to list all modules? What prevents FindModuleForAddress from going into infinite recursion if an address is not found even in proc/maps?

fjricci added a comment.Sep 1 2017, 7:49 AM

modules_.enableFallbackInit() will only return true once (if use_fallback_init_ is already enabled, it returns false), so there shouldn't be an infinite recursion anywhere.

The issue that this is trying to solve is that the Linux LoadedModules uses dl_iterate_phdr by default. This is an api function of the system loader, so it works fine for libraries loaded by the system loader, but won't find any libraries not loaded by the system loader. If you use a custom loader (for example, Faulty.lib) to load some of your libraries, they won't appear in dl_iterate_phdr, because the system loader didn't load them. They are still loaded in the memory map though, so they will appear in procmaps.

fjricci added a comment.Sep 7 2017, 8:27 AM

ping - I'm open to alternate ways of dealing with this, but it's pretty important for our use case (and presumably affects anyone else using faulty or other custom loaders).

eugenis added inline comments.Sep 7 2017, 5:33 PM
lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc
191 ↗(On Diff #113137)

Does this branch need to set modules_fresh_ to false to trigger reinitialization in the recursive call?

This function got super confusing and difficult to reason about. Could you rewrite it without recursion? The real logic behind this is very simple - if dl_iterate_phdr fails, use procmaps. There is nothing recursive about it.

fjricci added inline comments.Sep 8 2017, 12:13 PM
lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc
191 ↗(On Diff #113137)

Yeah, that makes sense. I mainly went for recursion because that's the way the existing fallback case works (I actually wonder whether that needs to be recursive, maybe I can change that one too). Will refactor.

fjricci updated this revision to Diff 114738.Sep 11 2017, 4:59 PM

Remove recursion and refactor to make more understandable

Harbormaster completed remote builds in B10115: Diff 114738.Sep 11 2017, 4:59 PM
eugenis added a comment.Sep 13 2017, 5:46 PM

This implementation never returns to dl_iterate_phdr once it finds the first module lookup error. This is not great, because proc/maps does not provide reliable base address for DSOs (see the comment in MemoryMappingLayout::DumpListOfModules).

I suggest keeping the fallback list of modules in parallel with the primary list, and always trying the latter first.

lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc
175 ↗(On Diff #114738)

consider early exit here and below: if (module) return module;

188 ↗(On Diff #114738)

This will do extra work on platforms where fallbackInit == init. Move it under smth like if (hasFallback()) ?

fjricci updated this revision to Diff 115233.Sep 14 2017, 9:39 AM

Address comments

Herald added a subscriber: srhines. · View Herald TranscriptSep 14 2017, 9:39 AM
Harbormaster completed remote builds in B10227: Diff 115233.Sep 14 2017, 9:39 AM
eugenis added inline comments.Sep 15 2017, 4:00 PM
lib/sanitizer_common/sanitizer_symbolizer.h
155 ↗(On Diff #115233)

Please make sure that this does not allocate memory unless it's necessary.
Looks like it can be done by switching ListOfModules to InternalMmapVectorNoCtor.

fjricci updated this revision to Diff 115653.Sep 18 2017, 7:59 AM

Use NoCtor

Harbormaster completed remote builds in B10361: Diff 115653.Sep 18 2017, 7:59 AM
fjricci mentioned this in D37268: Invalidate symbolizer module list from dlopen/dlclose interceptors.Sep 18 2017, 8:02 AM
fjricci updated this revision to Diff 115670.Sep 18 2017, 10:03 AM

Fix build issues

Harbormaster completed remote builds in B10363: Diff 115670.Sep 18 2017, 10:03 AM
fjricci added a comment.Sep 25 2017, 10:38 AM

ping - I think this should be pretty close to finished at this point

vitalybuka edited edge metadata.Sep 25 2017, 11:40 AM

LGTM, but lets wait a little to see if eugenis wants other changes

eugenis added inline comments.Sep 25 2017, 12:51 PM
lib/sanitizer_common/sanitizer_common.h
723 ↗(On Diff #115670)

Is not this backwards?

fjricci updated this revision to Diff 116600.Sep 25 2017, 1:20 PM

Fix conditional

Harbormaster completed remote builds in B10577: Diff 116600.Sep 25 2017, 1:20 PM
eugenis accepted this revision.Sep 25 2017, 1:46 PM
This revision is now accepted and ready to land.Sep 25 2017, 1:46 PM
Closed by commit rL314431: Add support for custom loaders to the sanitizer symbolizer (authored by fjricci). · Explain WhySep 28 2017, 10:00 AM
This revision was automatically updated to reflect the committed changes.
fjricci reopened this revision.Sep 28 2017, 1:36 PM

This caused a hang on one of the linux buildbots: http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/4146

I'm not sure why this would affect only that buildbot, as it seems like a pretty generic one. I don't see any linux issues locally. My only idea is potentially that initialized could introduce a race condition leading to double-initialization, but I don't understand how two threads could be using the ListOfModules at the same time (or why that would cause a hang instead of data corruption/leaking). I can try introducing a mutex there if it seems problematic.

This revision is now accepted and ready to land.Sep 28 2017, 1:36 PM
fjricci added a comment.Sep 29 2017, 7:58 AM

Actually, I think I'll try splitting this up into a few smaller commits to diagnose where the issue is. There are a few pieces that seem NFC/low risk, so hopefully merging those will help figure out which of the remaining parts actually broke the buildbot.

fjricci updated this revision to Diff 117150.Sep 29 2017, 8:26 AM

Rebase onto rL314520 and rL314518

fjricci added a comment.Sep 29 2017, 8:27 AM

Once it looks like all the buildbots are happy with those two NFC revisions, I'll merge the NoCtor part of this change (which I suspect is the problematic part).

fjricci added a comment.Sep 29 2017, 11:16 AM

Interestingly, the buildbot also looks happy with the NoCtor change (rL314533): http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/4167. Must be that the fallbackInit causes issues somehow.

fjricci updated this revision to Diff 117188.Sep 29 2017, 11:17 AM

Rebase onto rL314533

Closed by commit rL314671: Add support for custom loaders to the sanitizer symbolizer (authored by fjricci). · Explain WhyOct 2 2017, 7:32 AM
This revision was automatically updated to reflect the committed changes.
fjricci reopened this revision.Oct 2 2017, 8:57 AM

Interestingly, this small change still causes a hang somewhere on the gcc sanitizer buildbot: http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/4222. Reverted again.

This revision is now accepted and ready to land.Oct 2 2017, 8:57 AM
eugenis added a comment.Oct 2 2017, 10:07 AM
#0  atomic_exchange<__sanitizer::atomic_uint32_t> ()
    at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_atomic_clang.h:68
#1  Lock () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux.cc:620
#2  0x00000000004dcf82 in GenericScopedLock () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_mutex.h:187
#3  SymbolizePC () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc:76
#4  0x00000000004dba18 in Print () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc:35
#5  0x00000000004c38ef in AsanCheckFailed () at /code/llvm-project/compiler-rt/lib/asan/asan_rtl.cc:69
#6  0x00000000004d8910 in CheckFailed () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:79
#7  0x00000000004d44d8 in MemoryMappingLayout ()
    at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_procmaps_common.cc:80
#8  0x00000000004daad4 in procmapsInit () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cc:477
#9  fallbackInit () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cc:496
#10 0x00000000004dd34a in RefreshModules ()
    at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc:168
#11 FindModuleForAddress () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc:186
#12 0x00000000004dcf98 in FindModuleNameAndOffsetForAddress ()
    at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc:157
#13 SymbolizePC () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc:81
#14 0x00000000004dba18 in Print () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc:35
#15 0x00000000004d92c4 in ReportDeadlySignalImpl ()
    at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_libcdep.cc:242
#16 ReportDeadlySignal () at /code/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common_libcdep.cc:255
#17 0x00000000004c0225 in ~ScopedInErrorReport () at /code/llvm-project/compiler-rt/lib/asan/asan_report.cc:138
#18 0x00000000004bffb2 in ReportDeadlySignal () at /code/llvm-project/compiler-rt/lib/asan/asan_report.cc:211
#19 0x00000000004bf9a3 in AsanOnDeadlySignal () at /code/llvm-project/compiler-rt/lib/asan/asan_posix.cc:39
#20 <signal handler called>
#21 0x00000000004eabe0 in main ()
    at /code/llvm-project/compiler-rt/test/asan/TestCases/Linux/sanbox_read_proc_self_maps_test.cc:26

Hope it helps.

fjricci added a comment.Oct 2 2017, 10:34 AM

Thanks!

fjricci added a comment.Oct 2 2017, 10:47 AM

aha - looks like that test removes access to proc/maps, which then causes reading procmaps to fail. Not sure why that failure wasn't reproducing locally, but I'll try to figure out a way to handle that case.

fjricci added a comment.Oct 2 2017, 10:52 AM

Looks like PrepareForSandboxing could perhaps shut off the fallbackInit somehow

fjricci added a comment.Oct 2 2017, 11:22 AM

Actually, I'm pretty sure that fixing this is as easy as allowing the fallback cache for the LoadedModule list.

fjricci updated this revision to Diff 117399.Oct 2 2017, 11:23 AM

Allow fallback cache - should fix sandboxing issues

Harbormaster completed remote builds in B10738: Diff 117399.Oct 2 2017, 11:23 AM
Closed by commit rL314713: Add support for custom loaders to the sanitizer symbolizer (authored by fjricci). · Explain WhyOct 2 2017, 1:24 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
sanitizer_common/
1 line
13 lines
2 lines
1 line
5 lines
4 lines

Diff 117411

compiler-rt/trunk/lib/sanitizer_common/sanitizer_common.h

Show First 20 LinesShow All 724 Lines▼ Show 20 Lines
// List of LoadedModules. OS-dependent implementation is responsible for // List of LoadedModules. OS-dependent implementation is responsible for
// filling this information. // filling this information.
class ListOfModules { class ListOfModules {
public: public:
ListOfModules() : initialized(false) {} ListOfModules() : initialized(false) {}
~ListOfModules() { clear(); } ~ListOfModules() { clear(); }
void init(); void init();
void fallbackInit(); // Uses fallback init if available, otherwise clears
const LoadedModule *begin() const { return modules_.begin(); } const LoadedModule *begin() const { return modules_.begin(); }
LoadedModule *begin() { return modules_.begin(); } LoadedModule *begin() { return modules_.begin(); }
const LoadedModule *end() const { return modules_.end(); } const LoadedModule *end() const { return modules_.end(); }
LoadedModule *end() { return modules_.end(); } LoadedModule *end() { return modules_.end(); }
uptr size() const { return modules_.size(); } uptr size() const { return modules_.size(); }
const LoadedModule &operator[](uptr i) const { const LoadedModule &operator[](uptr i) const {
CHECK_LT(i, modules_.size()); CHECK_LT(i, modules_.size());
return modules_[i]; return modules_[i];
▲ Show 20 LinesShow All 187 LinesShow Last 20 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux_libcdep.cc

Show First 20 LinesShow All 468 Lines▼ Show 20 Lines#if SANITIZER_ANDROID && __ANDROID_API__ <= 22
// both K and L (and future) Android releases. // both K and L (and future) Android releases.
return AndroidGetApiLevel() <= ANDROID_LOLLIPOP_MR1; return AndroidGetApiLevel() <= ANDROID_LOLLIPOP_MR1;
#else #else
return false; return false;
#endif #endif
} }
static void procmapsInit(InternalMmapVectorNoCtor<LoadedModule> *modules) { static void procmapsInit(InternalMmapVectorNoCtor<LoadedModule> *modules) {
MemoryMappingLayout memory_mapping(false); MemoryMappingLayout memory_mapping(/*cache_enabled*/true);
memory_mapping.DumpListOfModules(modules); memory_mapping.DumpListOfModules(modules);
} }
void ListOfModules::init() { void ListOfModules::init() {
clearOrInit(); clearOrInit();
if (requiresProcmaps()) { if (requiresProcmaps()) {
procmapsInit(&modules_); procmapsInit(&modules_);
} else { } else {
DlIteratePhdrData data = {&modules_, true}; DlIteratePhdrData data = {&modules_, true};
dl_iterate_phdr(dl_iterate_phdr_cb, &data); dl_iterate_phdr(dl_iterate_phdr_cb, &data);
} }
} }
// When a custom loader is used, dl_iterate_phdr may not contain the full
// list of modules. Allow callers to fall back to using procmaps.
void ListOfModules::fallbackInit() {
if (!requiresProcmaps()) {
clearOrInit();
procmapsInit(&modules_);
} else {
clear();
}
}
// getrusage does not give us the current RSS, only the max RSS. // getrusage does not give us the current RSS, only the max RSS.
// Still, this is better than nothing if /proc/self/statm is not available // Still, this is better than nothing if /proc/self/statm is not available
// for some reason, e.g. due to a sandbox. // for some reason, e.g. due to a sandbox.
static uptr GetRSSFromGetrusage() { static uptr GetRSSFromGetrusage() {
struct rusage usage; struct rusage usage;
if (getrusage(RUSAGE_SELF, &usage)) // Failed, probably due to a sandbox. if (getrusage(RUSAGE_SELF, &usage)) // Failed, probably due to a sandbox.
return 0; return 0;
return usage.ru_maxrss << 10; // ru_maxrss is in Kb. return usage.ru_maxrss << 10; // ru_maxrss is in Kb.
▲ Show 20 LinesShow All 80 LinesShow Last 20 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_mac.cc

Show First 20 LinesShow All 410 Lines▼ Show 20 Lines
} }
void ListOfModules::init() { void ListOfModules::init() {
clearOrInit(); clearOrInit();
MemoryMappingLayout memory_mapping(false); MemoryMappingLayout memory_mapping(false);
memory_mapping.DumpListOfModules(&modules_); memory_mapping.DumpListOfModules(&modules_);
} }
void ListOfModules::fallbackInit() { clear(); }
static HandleSignalMode GetHandleSignalModeImpl(int signum) { static HandleSignalMode GetHandleSignalModeImpl(int signum) {
switch (signum) { switch (signum) {
case SIGABRT: case SIGABRT:
return common_flags()->handle_abort; return common_flags()->handle_abort;
case SIGILL: case SIGILL:
return common_flags()->handle_sigill; return common_flags()->handle_sigill;
case SIGFPE: case SIGFPE:
return common_flags()->handle_sigfpe; return common_flags()->handle_sigfpe;
▲ Show 20 LinesShow All 577 LinesShow Last 20 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_symbolizer.h

Show First 20 LinesShow All 146 Lines▼ Show 20 Lines private:
/// Platform-specific function for creating a Symbolizer object. /// Platform-specific function for creating a Symbolizer object.
static Symbolizer *PlatformInit(); static Symbolizer *PlatformInit();
bool FindModuleNameAndOffsetForAddress(uptr address, const char **module_name, bool FindModuleNameAndOffsetForAddress(uptr address, const char **module_name,
uptr *module_offset, uptr *module_offset,
ModuleArch *module_arch); ModuleArch *module_arch);
ListOfModules modules_; ListOfModules modules_;
ListOfModules fallback_modules_;
// If stale, need to reload the modules before looking up addresses. // If stale, need to reload the modules before looking up addresses.
bool modules_fresh_; bool modules_fresh_;
// Platform-specific default demangler, must not return nullptr. // Platform-specific default demangler, must not return nullptr.
const char *PlatformDemangle(const char *name); const char *PlatformDemangle(const char *name);
void PlatformPrepareForSandboxing(); void PlatformPrepareForSandboxing();
static Symbolizer *symbolizer_; static Symbolizer *symbolizer_;
Show All 31 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc

Show First 20 LinesShow All 159 Lines▼ Show 20 Linesbool Symbolizer::FindModuleNameAndOffsetForAddress(uptr address,
*module_name = module->full_name(); *module_name = module->full_name();
*module_offset = address - module->base_address(); *module_offset = address - module->base_address();
*module_arch = module->arch(); *module_arch = module->arch();
return true; return true;
} }
void Symbolizer::RefreshModules() { void Symbolizer::RefreshModules() {
modules_.init(); modules_.init();
fallback_modules_.fallbackInit();
RAW_CHECK(modules_.size() > 0); RAW_CHECK(modules_.size() > 0);
modules_fresh_ = true; modules_fresh_ = true;
} }
static const LoadedModule *SearchForModule(const ListOfModules &modules, static const LoadedModule *SearchForModule(const ListOfModules &modules,
uptr address) { uptr address) {
for (uptr i = 0; i < modules.size(); i++) { for (uptr i = 0; i < modules.size(); i++) {
if (modules[i].containsAddress(address)) { if (modules[i].containsAddress(address)) {
Show All 17 Linesconst LoadedModule *Symbolizer::FindModuleForAddress(uptr address) {
// case the module list changed. // case the module list changed.
#if !SANITIZER_INTERCEPT_DLOPEN_DLCLOSE #if !SANITIZER_INTERCEPT_DLOPEN_DLCLOSE
if (!modules_were_reloaded) { if (!modules_were_reloaded) {
RefreshModules(); RefreshModules();
module = SearchForModule(modules_, address); module = SearchForModule(modules_, address);
if (module) return module; if (module) return module;
} }
#endif #endif
if (fallback_modules_.size()) {
module = SearchForModule(fallback_modules_, address);
}
return module; return module;
} }
// For now we assume the following protocol: // For now we assume the following protocol:
// For each request of the form // For each request of the form
// <module_name> <module_offset> // <module_name> <module_offset>
// passed to STDIN, external symbolizer prints to STDOUT response: // passed to STDIN, external symbolizer prints to STDOUT response:
// <function_name> // <function_name>
▲ Show 20 LinesShow All 286 LinesShow Last 20 Lines

compiler-rt/trunk/lib/sanitizer_common/sanitizer_win.cc

Show First 20 LinesShow All 577 Lines▼ Show 20 Lines for (size_t i = 0; i < num_modules; ++i) {
LoadedModule cur_module; LoadedModule cur_module;
cur_module.set(module_name, adjusted_base); cur_module.set(module_name, adjusted_base);
// We add the whole module as one single address range. // We add the whole module as one single address range.
cur_module.addAddressRange(base_address, end_address, /*executable*/ true, cur_module.addAddressRange(base_address, end_address, /*executable*/ true,
/*writable*/ true); /*writable*/ true);
modules_.push_back(cur_module); modules_.push_back(cur_module);
} }
UnmapOrDie(hmodules, modules_buffer_size); UnmapOrDie(hmodules, modules_buffer_size);
}; }
void ListOfModules::fallbackInit() { clear(); }
// We can't use atexit() directly at __asan_init time as the CRT is not fully // We can't use atexit() directly at __asan_init time as the CRT is not fully
// initialized at this point. Place the functions into a vector and use // initialized at this point. Place the functions into a vector and use
// atexit() as soon as it is ready for use (i.e. after .CRT$XIC initializers). // atexit() as soon as it is ready for use (i.e. after .CRT$XIC initializers).
InternalMmapVectorNoCtor<void (*)(void)> atexit_functions; InternalMmapVectorNoCtor<void (*)(void)> atexit_functions;
int Atexit(void (*function)(void)) { int Atexit(void (*function)(void)) {
atexit_functions.push_back(function); atexit_functions.push_back(function);
▲ Show 20 LinesShow All 472 LinesShow Last 20 Lines