This is an archive of the discontinued LLVM Phabricator instance.

Differential D66231

[scudo][standalone] Fix malloc_iterate
ClosedPublic

Authored by cryptoad on Aug 14 2019, 10:18 AM.

Details

Reviewers
cferris
morehouse
hctim
vitalybuka
eugenis
Commits
rG3e5360f19465: [scudo][standalone] Fix malloc_iterate
rCRT369400: [scudo][standalone] Fix malloc_iterate
rL369400: [scudo][standalone] Fix malloc_iterate
Summary

cferris's Bionic tests found an issue in Scudo's malloc_iterate.

We were inclusive of both boundaries, which resulted in a Block that
was located on said boundary to be possibly accounted for twice, or
just being accounted for while iterating on regions that are not ours
(usually the unmapped ones in between Primary regions).

The fix is to exclude the upper boundary in iterateOverChunks, and
add a regression test.

This additionally corrects a typo in a comment, and change the 64-bit
Primary iteration function to not assume that BatchClassId is 0.

Diff Detail

Repository
rL LLVM

Event Timeline

cryptoad created this revision.Aug 14 2019, 10:18 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptAug 14 2019, 10:18 AM
Herald added subscribers: Restricted Project, delcypher. · View Herald Transcript
Harbormaster completed remote builds in B36758: Diff 215161.Aug 14 2019, 10:21 AM
cryptoad updated this revision to Diff 215163.Aug 14 2019, 10:27 AM

Update the test.

Harbormaster completed remote builds in B36759: Diff 215163.Aug 14 2019, 10:29 AM
hctim added inline comments.Aug 14 2019, 11:18 AM
lib/scudo/standalone/tests/wrappers_c_test.cpp
260 ↗(On Diff #215163)

BoundaryP and Counter should be zeroed in the initialisation sequence for this test to make it end-to-end.

265 ↗(On Diff #215163)

Nit: std::vector<std::unique_ptr>? to avoid manual cleanup later.

266 ↗(On Diff #215163)

From what I see, it looks like the goal of this loop is to (hopefully) get a page-aligned allocation. All the other allocations seem to not be important.

Could this test be simplified by guaranteeing a page-aligned pointer through pvalloc()?

cryptoad added inline comments.Aug 14 2019, 11:28 AM
lib/scudo/standalone/tests/wrappers_c_test.cpp
260 ↗(On Diff #215163)

Ack.

265 ↗(On Diff #215163)

Ack.

266 ↗(On Diff #215163)

Unfortunately the Block (backend) has to be aligned on a boundary (page is my choice, but it could be anything that matches the iteration), pvaloc would guarantee that the Chunk (frontend) is aligned. Hence the gymnastics with the delta.

cryptoad updated this revision to Diff 215197.Aug 14 2019, 12:16 PM
  • Additional comments to the test function
  • Moving the initialization of the static variables within the test function
Harbormaster completed remote builds in B36766: Diff 215197.Aug 14 2019, 12:16 PM
cryptoad marked 2 inline comments as done.Aug 14 2019, 12:17 PM
cryptoad added a comment.Aug 19 2019, 11:24 AM

Is this good from the reviewers perspective?

hctim added inline comments.Aug 19 2019, 2:15 PM
lib/scudo/standalone/tests/wrappers_c_test.cpp
266 ↗(On Diff #215163)

I see. Is there any way to guarantee that a Block is page-aligned without trial-and-error? If we set SpecialSize = PageSize - BlockDelta, would this guarantee this?

cryptoad added inline comments.Aug 19 2019, 2:34 PM
lib/scudo/standalone/tests/wrappers_c_test.cpp
266 ↗(On Diff #215163)

This is indeed the case if we have a class size of PageSize, then all allocations of PageSize - BlockDelta would end up in it.
It's the case for the default one, I can go with it, and if the SizeClassMap ever changes, add a bailing condition.

cryptoad updated this revision to Diff 215997.Aug 19 2019, 2:57 PM

Following Mitch's suggestion, modify the test to use a
PageSize - BlockDelta sized chunk, that in all likelihood will be
backed by a page-aligned block (dependent on the SizeClassMap but
works with our default).

Double-checked that this was returning a Count of 2 pre-patch, now 1.

Harbormaster completed remote builds in B36985: Diff 215997.Aug 19 2019, 2:58 PM
cryptoad marked 4 inline comments as done.Aug 19 2019, 2:58 PM
hctim accepted this revision.Aug 19 2019, 3:09 PM

LGTM. Thanks :)

This revision is now accepted and ready to land.Aug 19 2019, 3:09 PM
Closed by commit rL369400: [scudo][standalone] Fix malloc_iterate (authored by cryptoad). · Explain WhyAug 20 2019, 9:15 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
scudo/
standalone/
2 lines
6 lines
tests/
41 lines

Diff 216177

compiler-rt/trunk/lib/scudo/standalone/combined.h

Show First 20 LinesShow All 369 Lines▼ Show 20 Linespublic:
// within the provided memory range. Said callback must not use this allocator // within the provided memory range. Said callback must not use this allocator
// or a deadlock can ensue. This fits Android's malloc_iterate() needs. // or a deadlock can ensue. This fits Android's malloc_iterate() needs.
void iterateOverChunks(uptr Base, uptr Size, iterate_callback Callback, void iterateOverChunks(uptr Base, uptr Size, iterate_callback Callback,
void *Arg) { void *Arg) {
initThreadMaybe(); initThreadMaybe();
const uptr From = Base; const uptr From = Base;
const uptr To = Base + Size; const uptr To = Base + Size;
auto Lambda = [this, From, To, Callback, Arg](uptr Block) { auto Lambda = [this, From, To, Callback, Arg](uptr Block) {
if (Block < From || Block > To) if (Block < From || Block >= To)
return; return;
uptr ChunkSize; uptr ChunkSize;
const uptr ChunkBase = getChunkFromBlock(Block, &ChunkSize); const uptr ChunkBase = getChunkFromBlock(Block, &ChunkSize);
if (ChunkBase != InvalidChunk) if (ChunkBase != InvalidChunk)
Callback(ChunkBase, ChunkSize, Arg); Callback(ChunkBase, ChunkSize, Arg);
}; };
Primary.iterateOverBlocks(Lambda); Primary.iterateOverBlocks(Lambda);
Secondary.iterateOverBlocks(Lambda); Secondary.iterateOverBlocks(Lambda);
▲ Show 20 LinesShow All 171 LinesShow Last 20 Lines

compiler-rt/trunk/lib/scudo/standalone/primary64.h

Show All 30 Lines
// they belong to. The Blocks created are shuffled to prevent predictable // they belong to. The Blocks created are shuffled to prevent predictable
// address patterns (the predictability increases with the size of the Blocks). // address patterns (the predictability increases with the size of the Blocks).
// //
// The 1st Region (for size class 0) holds the TransferBatches. This is a // The 1st Region (for size class 0) holds the TransferBatches. This is a
// structure used to transfer arrays of available pointers from the class size // structure used to transfer arrays of available pointers from the class size
// freelist to the thread specific freelist, and back. // freelist to the thread specific freelist, and back.
// //
// The memory used by this allocator is never unmapped, but can be partially // The memory used by this allocator is never unmapped, but can be partially
// released it the platform allows for it. // released if the platform allows for it.
template <class SizeClassMapT, uptr RegionSizeLog> class SizeClassAllocator64 { template <class SizeClassMapT, uptr RegionSizeLog> class SizeClassAllocator64 {
public: public:
typedef SizeClassMapT SizeClassMap; typedef SizeClassMapT SizeClassMap;
typedef SizeClassAllocator64<SizeClassMap, RegionSizeLog> ThisT; typedef SizeClassAllocator64<SizeClassMap, RegionSizeLog> ThisT;
typedef SizeClassAllocatorLocalCache<ThisT> CacheT; typedef SizeClassAllocatorLocalCache<ThisT> CacheT;
typedef typename CacheT::TransferBatch TransferBatch; typedef typename CacheT::TransferBatch TransferBatch;
▲ Show 20 LinesShow All 82 Lines▼ Show 20 Linespublic:
} }
void enable() { void enable() {
for (sptr I = static_cast<sptr>(NumClasses) - 1; I >= 0; I--) for (sptr I = static_cast<sptr>(NumClasses) - 1; I >= 0; I--)
getRegionInfo(static_cast<uptr>(I))->Mutex.unlock(); getRegionInfo(static_cast<uptr>(I))->Mutex.unlock();
} }
template <typename F> void iterateOverBlocks(F Callback) const { template <typename F> void iterateOverBlocks(F Callback) const {
for (uptr I = 1; I < NumClasses; I++) { for (uptr I = 0; I < NumClasses; I++) {
if (I == SizeClassMap::BatchClassId)
continue;
const RegionInfo *Region = getRegionInfo(I); const RegionInfo *Region = getRegionInfo(I);
const uptr BlockSize = getSizeByClassId(I); const uptr BlockSize = getSizeByClassId(I);
const uptr From = Region->RegionBeg; const uptr From = Region->RegionBeg;
const uptr To = From + Region->AllocatedUser; const uptr To = From + Region->AllocatedUser;
for (uptr Block = From; Block < To; Block += BlockSize) for (uptr Block = From; Block < To; Block += BlockSize)
Callback(Block); Callback(Block);
} }
} }
▲ Show 20 LinesShow All 237 LinesShow Last 20 Lines

compiler-rt/trunk/lib/scudo/standalone/tests/wrappers_c_test.cpp

//===-- wrappers_c_test.cpp -------------------------------------*- C++ -*-===// //===-- wrappers_c_test.cpp -------------------------------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "platform.h" #include "platform.h"
#include "gtest/gtest.h" #include "gtest/gtest.h"
#include <limits.h> #include <limits.h>
#include <malloc.h> #include <malloc.h>
#include <unistd.h> #include <unistd.h>
extern "C" {
void malloc_enable(void);
void malloc_disable(void);
int malloc_iterate(uintptr_t base, size_t size,
void (*callback)(uintptr_t base, size_t size, void *arg),
void *arg);
}
// Note that every C allocation function in the test binary will be fulfilled // Note that every C allocation function in the test binary will be fulfilled
// by Scudo (this includes the gtest APIs, etc.), which is a test by itself. // by Scudo (this includes the gtest APIs, etc.), which is a test by itself.
// But this might also lead to unexpected side-effects, since the allocation and // But this might also lead to unexpected side-effects, since the allocation and
// deallocation operations in the TEST functions will coexist with others (see // deallocation operations in the TEST functions will coexist with others (see
// the EXPECT_DEATH comment below). // the EXPECT_DEATH comment below).
// We have to use a small quarantine to make sure that our double-free tests // We have to use a small quarantine to make sure that our double-free tests
// trigger. Otherwise EXPECT_DEATH ends up reallocating the chunk that was just // trigger. Otherwise EXPECT_DEATH ends up reallocating the chunk that was just
▲ Show 20 LinesShow All 209 Lines▼ Show 20 LinesTEST(ScudoWrappersCTest, MallInfo) {
MI = mallinfo(); MI = mallinfo();
EXPECT_GE(static_cast<size_t>(MI.uordblks), Allocated + BypassQuarantineSize); EXPECT_GE(static_cast<size_t>(MI.uordblks), Allocated + BypassQuarantineSize);
EXPECT_GT(static_cast<size_t>(MI.hblkhd), 0U); EXPECT_GT(static_cast<size_t>(MI.hblkhd), 0U);
size_t Free = MI.fordblks; size_t Free = MI.fordblks;
free(P); free(P);
MI = mallinfo(); MI = mallinfo();
EXPECT_GE(static_cast<size_t>(MI.fordblks), Free + BypassQuarantineSize); EXPECT_GE(static_cast<size_t>(MI.fordblks), Free + BypassQuarantineSize);
} }
static uintptr_t BoundaryP;
static size_t Count;
static void callback(uintptr_t Base, size_t Size, void *Arg) {
if (Base == BoundaryP)
Count++;
}
// Verify that a block located on an iteration boundary is not mis-accounted.
// To achieve this, we allocate a chunk for which the backing block will be
// aligned on a page, then run the malloc_iterate on both the pages that the
// block is a boundary for. It must only be seen once by the callback function.
TEST(ScudoWrappersCTest, MallocIterateBoundary) {
const size_t PageSize = sysconf(_SC_PAGESIZE);
const size_t BlockDelta = FIRST_32_SECOND_64(8U, 16U);
const size_t SpecialSize = PageSize - BlockDelta;
void *P = malloc(SpecialSize);
EXPECT_NE(P, nullptr);
BoundaryP = reinterpret_cast<uintptr_t>(P);
const uintptr_t Block = BoundaryP - BlockDelta;
EXPECT_EQ((Block & (PageSize - 1)), 0U);
Count = 0U;
malloc_disable();
malloc_iterate(Block - PageSize, PageSize, callback, nullptr);
malloc_iterate(Block, PageSize, callback, nullptr);
malloc_enable();
EXPECT_EQ(Count, 1U);
free(P);
}