This is an archive of the discontinued LLVM Phabricator instance.

Plug dlerror() leak for swift_demangle
ClosedPublic

Authored by krytarowski on Nov 22 2017, 10:16 PM.

Details

Summary

InitializeSwiftDemangler() attempts to resolve the
swift_demangle symbol. If this is not available, we
observe a dlerror() message leak.

Caught on NetBSD/amd64 in TSan.

Sponsored by <The NetBSD Foundation>
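The mechanism the summary describes, as an added example that is not code from LLVM or from this revision: an optional symbol is looked up with dlsym() the way a runtime probes for swift_demangle, first without and then with the dlerror() call that fetches and clears the loader's pending error record. The helper names and the absent symbol name are assumptions; on glibc older than 2.34 the program needs -ldl at link time.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Handle to the running program's global symbol scope, opened once.
 * dlopen(NULL, ...) is the portable way to search the main image and
 * every library it loaded. */
static void *self_handle(void)
{
    static void *h;
    if (h == NULL)
        h = dlopen(NULL, RTLD_NOW);
    return h;
}

/* Resolve an optional symbol (hypothetical helper).  Returns NULL when
 * the symbol is absent.  When consume_error is non-zero and the lookup
 * fails, dlerror() is called once to fetch and clear the pending error
 * record; that is the call this revision adds so the message is not left
 * pending, which TSan on NetBSD reported as a leak. */
void *resolve_optional_symbol(const char *name, int consume_error)
{
    void *self = self_handle();
    if (self == NULL)
        return NULL;
    dlerror();                                  /* drop any stale error */
    void *sym = dlsym(self, name);
    if (sym == NULL && consume_error) {
        const char *msg = dlerror();            /* fetch and clear record */
        if (msg != NULL)
            fprintf(stderr, "optional symbol %s: %s\n", name, msg);
    }
    return sym;
}

/* Reports whether a dl error record is still pending (and clears it). */
int dl_error_pending(void)
{
    return dlerror() != NULL;
}

int main(void)
{
    /* A symbol every dynamically linked program has resolves fine. */
    void *present = resolve_optional_symbol("strlen", 1);
    printf("strlen: %s\n", present ? "found" : "missing");

    /* Constructed name that is certainly absent: without the consuming
     * dlerror() call the error record stays pending after the lookup. */
    const char *absent = "swift_demangle_example_absent_symbol";
    resolve_optional_symbol(absent, 0);
    printf("pending after plain dlsym: %d\n", dl_error_pending());      /* 1 */

    resolve_optional_symbol(absent, 1);
    printf("pending after consumed dlerror: %d\n", dl_error_pending()); /* 0 */
    return 0;
}
```

As the later comments on this page note, dlerror() itself may call into gettext, so this pattern is not safe from inside an allocator interceptor or early sanitizer initialization; D128992 removed the call for that reason.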

Diff Detail

Repository
rL LLVM

Event Timeline

krytarowski created this revision. Nov 22 2017, 10:16 PM
dvyukov accepted this revision. Nov 25 2017, 4:41 AM
This revision is now accepted and ready to land. Nov 25 2017, 4:41 AM
krytarowski closed this revision. Nov 25 2017, 8:47 AM
marcan added a subscriber: marcan. Edited Mar 13 2023, 2:39 AM

FYI, this introduces a subtle regression. dlerror() calls into gettext to translate the error. ASAN itself can be initialized from a random malloc intercept which can turn out to be in gettext, which is quite common since apps initialize gettext early, and some libraries even do so in loader init calls. This ends up re-entering into gettext and corrupting a rwmutex by trying to take the write lock while the read-side is locked. The unlock sequence leaves the rwlock in a bad state. Things then deadlock much later on the bad mutex.

Herald added a project: Restricted Project. Mar 13 2023, 2:39 AM
pcc added a subscriber: pcc. Mar 21 2023, 5:52 PM

> FYI, this introduces a subtle regression. dlerror() calls into gettext to translate the error. ASAN itself can be initialized from a random malloc intercept which can turn out to be in gettext, which is quite common since apps initialize gettext early, and some libraries even do so in loader init calls. This ends up re-entering into gettext and corrupting a rwmutex by trying to take the write lock while the read-side is locked. The unlock sequence leaves the rwlock in a bad state. Things then deadlock much later on the bad mutex.

Looks like this was fixed by D128992 by removing the call to dlerror().