This is an archive of the discontinued LLVM Phabricator instance.

Differential D52091

[winasan] Unpoison the stack in NtTerminateThread
ClosedPublic

Authored by dmajor on Sep 14 2018, 5:58 AM.

Details

Reviewers
rnk
Commits
rG6d6c9150f935: Reland r342652 "[winasan] Unpoison the stack in NtTerminateThread"
rG468f53b58c62: [winasan] Unpoison the stack in NtTerminateThread
rCRT343606: Reland r342652 "[winasan] Unpoison the stack in NtTerminateThread"
rL343606: Reland r342652 "[winasan] Unpoison the stack in NtTerminateThread"
rL342652: [winasan] Unpoison the stack in NtTerminateThread
rCRT342652: [winasan] Unpoison the stack in NtTerminateThread
Summary

In long-running builds we've seen some ASan complaints during thread creation that we suspect are due to leftover poisoning from previous threads whose stacks occupied that memory. This patch adds a hook that unpoisons the stack just before the NtTerminateThread syscall.

Diff Detail

Event Timeline

dmajor created this revision.Sep 14 2018, 5:58 AM
Herald added subscribers: Restricted Project, llvm-commits, kubamracek. · View Herald TranscriptSep 14 2018, 5:58 AM
rnk accepted this revision.Sep 19 2018, 1:40 PM

lgtm

This revision is now accepted and ready to land.Sep 19 2018, 1:40 PM
Closed by commit rCRT342652: [winasan] Unpoison the stack in NtTerminateThread (authored by dmajor). · Explain WhySep 20 2018, 8:00 AM
This revision was automatically updated to reflect the committed changes.
hans added a subscriber: hans.Sep 28 2018, 7:42 AM

This appears to have caused the thread exit code to get clobbered, as shown by some Chromium test failures: https://bugs.chromium.org/p/chromium/issues/detail?id=890310

I've reverted in r343322.

rnk added a comment.Sep 28 2018, 9:10 AM

I think NtTerminateThread has a richer prototype:
NTEXPORT NTSTATUS NTAPI
NtTerminateThread(IN HANDLE ThreadHandle OPTIONAL, IN NTSTATUS ExitStatus)
https://github.com/DynamoRIO/dynamorio/blob/f1713ec4a9a856d1038c6095da67a5bd95b6a1c7/core/win32/ntdll_imports.c#L154
http://codewarrior.cn/ntdoc/win2k/ps/NtTerminateThread.htm

It should be fine to recommit with a better prototype.

dmajor added a comment.Oct 3 2018, 2:53 PM

Relanded in r343606.

Revision Contents

PathSize
lib/
asan/
asan_win.cc
asan_win.cc (revision 341967)
12 lines

Diff 165483

lib/asan/asan_win.cc

Show First 20 LinesShow All 148 Lines▼ Show 20 LinesINTERCEPTOR_WINAPI(DWORD, CreateThread,
bool detached = false; // FIXME: how can we determine it on Windows? bool detached = false; // FIXME: how can we determine it on Windows?
u32 current_tid = GetCurrentTidOrInvalid(); u32 current_tid = GetCurrentTidOrInvalid();
AsanThread *t = AsanThread *t =
AsanThread::Create(start_routine, arg, current_tid, &stack, detached); AsanThread::Create(start_routine, arg, current_tid, &stack, detached);
return REAL(CreateThread)(security, stack_size, return REAL(CreateThread)(security, stack_size,
asan_thread_start, t, thr_flags, tid); asan_thread_start, t, thr_flags, tid);
} }
INTERCEPTOR_WINAPI(void, NtTerminateThread, void* rcx) {
// Unpoison the terminating thread's stack because the memory may be re-used.
NT_TIB* pTib = reinterpret_cast<NT_TIB*>(NtCurrentTeb());
uptr stackSize = (uptr)pTib->StackBase - (uptr)pTib->StackLimit;
__asan_unpoison_memory_region(pTib->StackLimit, stackSize);
return REAL(NtTerminateThread(rcx));
}
// }}} // }}}
namespace __asan { namespace __asan {
void InitializePlatformInterceptors() { void InitializePlatformInterceptors() {
ASAN_INTERCEPT_FUNC(CreateThread); ASAN_INTERCEPT_FUNC(CreateThread);
ASAN_INTERCEPT_FUNC(SetUnhandledExceptionFilter); ASAN_INTERCEPT_FUNC(SetUnhandledExceptionFilter);
CHECK(::__interception::OverrideFunction("NtTerminateThread",
(uptr)WRAP(NtTerminateThread),
(uptr *)&REAL(NtTerminateThread)));
#ifdef _WIN64 #ifdef _WIN64
ASAN_INTERCEPT_FUNC(__C_specific_handler); ASAN_INTERCEPT_FUNC(__C_specific_handler);
#else #else
ASAN_INTERCEPT_FUNC(_except_handler3); ASAN_INTERCEPT_FUNC(_except_handler3);
ASAN_INTERCEPT_FUNC(_except_handler4); ASAN_INTERCEPT_FUNC(_except_handler4);
#endif #endif
// Try to intercept kernel32!RaiseException, and if that fails, intercept // Try to intercept kernel32!RaiseException, and if that fails, intercept
▲ Show 20 LinesShow All 176 LinesShow Last 20 Lines