This is an archive of the discontinued LLVM Phabricator instance.

Differential D60176

[libc++][libc++abi] Don't provide new/delete when built with ASan, HWASan or TSan
AbandonedPublic

Authored by phosek on Apr 2 2019, 8:40 PM.

Details

Reviewers
EricWF
ldionne
vitalybuka
eugenis
mcgrathr
Summary

ASan, HWASan and TSan provide their own operator new/delete to intercept
all allocations and deallocations. Currently, they rely on overriding
weak symbols that are already provided by libc++abi and libc++, but that
solution is fragile and breaks in certain scenarios, e.g. when libc++abi
is statically linked into a shared libc++.

Rather we should avoid providing new/delete operators when built with
ASan, HWASan and TSan altogether and rely on new/delete operators
provided by the sanitizer runtimes.

Diff Detail

Event Timeline

phosek created this revision.Apr 2 2019, 8:40 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 2 2019, 8:40 PM
Herald added subscribers: libcxx-commits, dexonsmith, christof, mehdi_amini. · View Herald Transcript
mcgrathr accepted this revision.Apr 2 2019, 8:44 PM
mcgrathr added a subscriber: mcgrathr.

lgtm

libcxxabi/src/stdlib_new_delete.cpp
268

Comment the conditions

This revision is now accepted and ready to land.Apr 2 2019, 8:44 PM
phosek updated this revision to Diff 193427.Apr 2 2019, 8:50 PM
phosek marked an inline comment as done.
eugenis accepted this revision.Apr 3 2019, 2:31 PM

LGTM

ldionne requested changes to this revision.Apr 3 2019, 2:34 PM

The right thing to do seems to be to provide -DLIBCXX_ENABLE_NEW_DELETE_DEFINITIONS=OFF when you configure libc++.

This revision now requires changes to proceed.Apr 3 2019, 2:34 PM
ldionne added a comment.Apr 3 2019, 2:37 PM
In D60176#1454062, @ldionne wrote:

The right thing to do seems to be to provide -DLIBCXX_ENABLE_NEW_DELETE_DEFINITIONS=OFF when you configure libc++.

What I mean here is that I don't see the justification for hardcoding this into the sources. Similarly, I find it wrong for this to be dependent on _LIBCPP_ABI_VCRUNTIME and __GLIBCXX__.

phosek updated this revision to Diff 193616.Apr 3 2019, 3:45 PM
phosek added a comment.Apr 3 2019, 3:55 PM
In D60176#1454066, @ldionne wrote:
In D60176#1454062, @ldionne wrote:

The right thing to do seems to be to provide -DLIBCXX_ENABLE_NEW_DELETE_DEFINITIONS=OFF when you configure libc++.

What I mean here is that I don't see the justification for hardcoding this into the sources. Similarly, I find it wrong for this to be dependent on _LIBCPP_ABI_VCRUNTIME and __GLIBCXX__.

I've changed the implementation to make those independent. D60235 is the alternative that relies entirely on CMake and only disables those for Fuchsia. IMO the problem with that solution is that anyone who builds libc++/libc++abi will need to apply the same solution. I was also thinking about changing the CMake option default, but there's no easy way to detect whether the sanitizer is being enabled e.g. through CFLAGS/LDFLAGS.

phosek mentioned this in D60235: [CMake] Disable libc++ and libc++abi new/delete definitions when built with ASan.Apr 3 2019, 3:56 PM
mclow.lists added a subscriber: mclow.lists.Apr 3 2019, 4:38 PM

I think we're way, way out on the bell curve here.
People who are building their own libc++ and statically linking it with libc++abi and using the sanitizers.
Those people (I believe) will be able to set a CMake flag.

eugenis added a comment.Apr 3 2019, 4:45 PM

I think I prefer the cmake flag, too.
It's not unthinkable that hwasan might stop providing operator new and friends in the future. I was a bit surprised that we even do it now in COMPILER_RT_HWASAN_WITH_INTERCEPTORS=OFF configuration - but it looks like we are keeping it.
Anyway, lets not hardcode this decision.

phosek abandoned this revision.Apr 3 2019, 4:51 PM

SGTM

Revision Contents

PathSize
libcxx/
src/
6 lines
libcxxabi/
src/
7 lines

Diff 193616

libcxx/src/new.cpp

Show First 20 LinesShow All 51 Lines▼ Show 20 Lines
#endif // !LIBSTDCXX #endif // !LIBSTDCXX
} // std } // std
#if !defined(__GLIBCXX__) && \ #if !defined(__GLIBCXX__) && \
!defined(_LIBCPP_ABI_VCRUNTIME) && \ !defined(_LIBCPP_ABI_VCRUNTIME) && \
!defined(_LIBCPP_DISABLE_NEW_DELETE_DEFINITIONS) !defined(_LIBCPP_DISABLE_NEW_DELETE_DEFINITIONS)
// Sanitizer runtimes provide their own definitions of new and delete operators.
#if !__has_feature(address_sanitizer) && \
!__has_feature(hwaddress_sanitizer) && \
!__has_feature(thread_sanitizer)
// Implement all new and delete operators as weak definitions // Implement all new and delete operators as weak definitions
// in this shared library, so that they can be overridden by programs // in this shared library, so that they can be overridden by programs
// that define non-weak copies of the functions. // that define non-weak copies of the functions.
_LIBCPP_WEAK _LIBCPP_WEAK
void * void *
operator new(std::size_t size) _THROW_BAD_ALLOC operator new(std::size_t size) _THROW_BAD_ALLOC
{ {
▲ Show 20 LinesShow All 225 Lines▼ Show 20 Lines
_LIBCPP_WEAK _LIBCPP_WEAK
void void
operator delete[] (void* ptr, size_t, std::align_val_t alignment) _NOEXCEPT operator delete[] (void* ptr, size_t, std::align_val_t alignment) _NOEXCEPT
{ {
::operator delete[](ptr, alignment); ::operator delete[](ptr, alignment);
} }
#endif // !_LIBCPP_HAS_NO_LIBRARY_ALIGNED_ALLOCATION #endif // !_LIBCPP_HAS_NO_LIBRARY_ALIGNED_ALLOCATION
#endif // !address_sanitizer && !hwaddress_sanitizer && !thread_sanitizer
#endif // !__GLIBCXX__ && !_LIBCPP_ABI_VCRUNTIME && !_LIBCPP_DISABLE_NEW_DELETE_DEFINITIONS #endif // !__GLIBCXX__ && !_LIBCPP_ABI_VCRUNTIME && !_LIBCPP_DISABLE_NEW_DELETE_DEFINITIONS

libcxxabi/src/stdlib_new_delete.cpp

Show All 11 Lines
#include "__cxxabi_config.h" #include "__cxxabi_config.h"
#include <new> #include <new>
#include <cstdlib> #include <cstdlib>
#if !defined(_THROW_BAD_ALLOC) || !defined(_NOEXCEPT) || !defined(_LIBCXXABI_WEAK) #if !defined(_THROW_BAD_ALLOC) || !defined(_NOEXCEPT) || !defined(_LIBCXXABI_WEAK)
#error The _THROW_BAD_ALLOC, _NOEXCEPT, and _LIBCXXABI_WEAK libc++ macros must \ #error The _THROW_BAD_ALLOC, _NOEXCEPT, and _LIBCXXABI_WEAK libc++ macros must \
already be defined by libc++. already be defined by libc++.
#endif #endif
// Sanitizer runtimes provide their own definitions of new and delete operators.
#if !__has_feature(address_sanitizer) && \
!__has_feature(hwaddress_sanitizer) && \
!__has_feature(thread_sanitizer)
// Implement all new and delete operators as weak definitions // Implement all new and delete operators as weak definitions
// in this shared library, so that they can be overridden by programs // in this shared library, so that they can be overridden by programs
// that define non-weak copies of the functions. // that define non-weak copies of the functions.
_LIBCXXABI_WEAK _LIBCXXABI_WEAK
void * void *
operator new(std::size_t size) _THROW_BAD_ALLOC operator new(std::size_t size) _THROW_BAD_ALLOC
{ {
▲ Show 20 LinesShow All 226 Lines▼ Show 20 Lines
_LIBCXXABI_WEAK _LIBCXXABI_WEAK
void void
operator delete[] (void* ptr, size_t, std::align_val_t alignment) _NOEXCEPT operator delete[] (void* ptr, size_t, std::align_val_t alignment) _NOEXCEPT
{ {
::operator delete[](ptr, alignment); ::operator delete[](ptr, alignment);
} }
#endif // !address_sanitizer && !hwaddress_sanitizer && !thread_sanitizer
mcgrathrUnsubmitted
Done
ReplyInline Actions

Comment the conditions

mcgrathr: Comment the conditions
#endif // !_LIBCPP_HAS_NO_LIBRARY_ALIGNED_ALLOCATION #endif // !_LIBCPP_HAS_NO_LIBRARY_ALIGNED_ALLOCATION