This is an archive of the discontinued LLVM Phabricator instance.

Differential D67738

[lsan] Fix deadlock in dl_iterate_phdr.
ClosedPublic

Authored by eugenis on Sep 18 2019, 3:56 PM.

Details

Reviewers
vitalybuka
hctim
Commits
rGf1b6bd403d52: [lsan] Fix deadlock in dl_iterate_phdr.
rCRT372348: [lsan] Fix deadlock in dl_iterate_phdr.
rL372348: [lsan] Fix deadlock in dl_iterate_phdr.
Summary

Do not grab the allocator lock before calling dl_iterate_phdr. This may
cause a lock order inversion with (valid) user code that uses malloc
inside a dl_iterate_phdr callback.

Diff Detail

Event Timeline

eugenis created this revision.Sep 18 2019, 3:56 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptSep 18 2019, 3:56 PM
Herald added subscribers: Restricted Project, jfb. · View Herald Transcript
Harbormaster completed remote builds in B38283: Diff 220766.Sep 18 2019, 4:04 PM
hctim accepted this revision.Sep 18 2019, 6:41 PM
hctim added inline comments.
compiler-rt/test/lsan/TestCases/Linux/libdl_deadlock.cpp
5

Nit: order includes

13

nit: int Callback

20

nit: replace with if (step == 0)

32

Nit: 80chars

This revision is now accepted and ready to land.Sep 18 2019, 6:41 PM
eugenis updated this revision to Diff 220897.Sep 19 2019, 12:46 PM

addressed review comments

eugenis marked 4 inline comments as done.Sep 19 2019, 12:46 PM
Harbormaster completed remote builds in B38302: Diff 220897.Sep 19 2019, 12:47 PM
Closed by commit rL372348: [lsan] Fix deadlock in dl_iterate_phdr. (authored by eugenis). · Explain WhySep 19 2019, 12:52 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptSep 19 2019, 12:52 PM

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
5 lines
6 lines
12 lines
6 lines
test/
lsan/
TestCases/
Linux/
53 lines

Diff 220766

compiler-rt/lib/lsan/lsan_common.h

Show First 20 LinesShow All 123 Lines▼ Show 20 Lines
struct RootRegion { struct RootRegion {
uptr begin; uptr begin;
uptr size; uptr size;
}; };
InternalMmapVector<RootRegion> const *GetRootRegions(); InternalMmapVector<RootRegion> const *GetRootRegions();
void ScanRootRegion(Frontier *frontier, RootRegion const &region, void ScanRootRegion(Frontier *frontier, RootRegion const &region,
uptr region_begin, uptr region_end, bool is_readable); uptr region_begin, uptr region_end, bool is_readable);
// Run stoptheworld while holding any platform-specific locks. // Run stoptheworld while holding any platform-specific locks, as well as the
void DoStopTheWorld(StopTheWorldCallback callback, void* argument); // allocator and thread registry locks.
void LockStuffAndStopTheWorld(StopTheWorldCallback callback, void* argument);
void ScanRangeForPointers(uptr begin, uptr end, void ScanRangeForPointers(uptr begin, uptr end,
Frontier *frontier, Frontier *frontier,
const char *region_type, ChunkTag tag); const char *region_type, ChunkTag tag);
void ScanGlobalRange(uptr begin, uptr end, Frontier *frontier); void ScanGlobalRange(uptr begin, uptr end, Frontier *frontier);
enum IgnoreObjectResult { enum IgnoreObjectResult {
kIgnoreObjectSuccess, kIgnoreObjectSuccess,
▲ Show 20 LinesShow All 125 LinesShow Last 20 Lines

compiler-rt/lib/lsan/lsan_common.cpp

Show First 20 LinesShow All 564 Lines▼ Show 20 Lines
} }
static bool CheckForLeaks() { static bool CheckForLeaks() {
if (&__lsan_is_turned_off && __lsan_is_turned_off()) if (&__lsan_is_turned_off && __lsan_is_turned_off())
return false; return false;
EnsureMainThreadIDIsCorrect(); EnsureMainThreadIDIsCorrect();
CheckForLeaksParam param; CheckForLeaksParam param;
param.success = false; param.success = false;
LockThreadRegistry(); LockStuffAndStopTheWorld(CheckForLeaksCallback, &param);
LockAllocator();
DoStopTheWorld(CheckForLeaksCallback, &param);
UnlockAllocator();
UnlockThreadRegistry();
if (!param.success) { if (!param.success) {
Report("LeakSanitizer has encountered a fatal error.\n"); Report("LeakSanitizer has encountered a fatal error.\n");
Report( Report(
"HINT: For debugging, try setting environment variable " "HINT: For debugging, try setting environment variable "
"LSAN_OPTIONS=verbosity=1:log_threads=1\n"); "LSAN_OPTIONS=verbosity=1:log_threads=1\n");
Report( Report(
"HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)\n"); "HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)\n");
▲ Show 20 LinesShow All 319 LinesShow Last 20 Lines

compiler-rt/lib/lsan/lsan_common_linux.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines
// While calling Die() here is undefined behavior and can potentially // While calling Die() here is undefined behavior and can potentially
// cause race conditions, it isn't possible to intercept exit on linux, // cause race conditions, it isn't possible to intercept exit on linux,
// so we have no choice but to call Die() from the atexit handler. // so we have no choice but to call Die() from the atexit handler.
void HandleLeaks() { void HandleLeaks() {
if (common_flags()->exitcode) Die(); if (common_flags()->exitcode) Die();
} }
static int DoStopTheWorldCallback(struct dl_phdr_info *info, size_t size, static int LockStuffAndStopTheWorldCallback(struct dl_phdr_info *info,
void *data) { size_t size, void *data) {
LockThreadRegistry();
LockAllocator();
DoStopTheWorldParam *param = reinterpret_cast<DoStopTheWorldParam *>(data); DoStopTheWorldParam *param = reinterpret_cast<DoStopTheWorldParam *>(data);
StopTheWorld(param->callback, param->argument); StopTheWorld(param->callback, param->argument);
UnlockAllocator();
UnlockThreadRegistry();
return 1; return 1;
} }
// LSan calls dl_iterate_phdr() from the tracer task. This may deadlock: if one // LSan calls dl_iterate_phdr() from the tracer task. This may deadlock: if one
// of the threads is frozen while holding the libdl lock, the tracer will hang // of the threads is frozen while holding the libdl lock, the tracer will hang
// in dl_iterate_phdr() forever. // in dl_iterate_phdr() forever.
// Luckily, (a) the lock is reentrant and (b) libc can't distinguish between the // Luckily, (a) the lock is reentrant and (b) libc can't distinguish between the
// tracer task and the thread that spawned it. Thus, if we run the tracer task // tracer task and the thread that spawned it. Thus, if we run the tracer task
// while holding the libdl lock in the parent thread, we can safely reenter it // while holding the libdl lock in the parent thread, we can safely reenter it
// in the tracer. The solution is to run stoptheworld from a dl_iterate_phdr() // in the tracer. The solution is to run stoptheworld from a dl_iterate_phdr()
// callback in the parent thread. // callback in the parent thread.
void DoStopTheWorld(StopTheWorldCallback callback, void *argument) { void LockStuffAndStopTheWorld(StopTheWorldCallback callback, void *argument) {
DoStopTheWorldParam param = {callback, argument}; DoStopTheWorldParam param = {callback, argument};
dl_iterate_phdr(DoStopTheWorldCallback, &param); dl_iterate_phdr(LockStuffAndStopTheWorldCallback, &param);
} }
} // namespace __lsan } // namespace __lsan
#endif #endif

compiler-rt/lib/lsan/lsan_common_mac.cpp

Show First 20 LinesShow All 187 Lines▼ Show 20 Linesvoid ProcessPlatformSpecificAllocations(Frontier *frontier) {
} }
} }
// On darwin, we can intercept _exit gracefully, and return a failing exit code // On darwin, we can intercept _exit gracefully, and return a failing exit code
// if required at that point. Calling Die() here is undefined behavior and // if required at that point. Calling Die() here is undefined behavior and
// causes rare race conditions. // causes rare race conditions.
void HandleLeaks() {} void HandleLeaks() {}
void DoStopTheWorld(StopTheWorldCallback callback, void *argument) { void LockStuffAndStopTheWorld(StopTheWorldCallback callback, void *argument) {
LockThreadRegistry();
LockAllocator();
StopTheWorld(callback, argument); StopTheWorld(callback, argument);
UnlockAllocator();
UnlockThreadRegistry();
} }
} // namespace __lsan } // namespace __lsan
#endif // CAN_SANITIZE_LEAKS && SANITIZER_MAC #endif // CAN_SANITIZE_LEAKS && SANITIZER_MAC

compiler-rt/test/lsan/TestCases/Linux/libdl_deadlock.cpp

  • This file was added.
// Regression test for a deadlock in leak detection,
// where lsan would call dl_iterate_phdr while holding the allocator lock.
// RUN: %clangxx_lsan %s -o %t && %run %t
#include <link.h>
hctimUnsubmitted
Done
ReplyInline Actions

Nit: order includes

hctim: Nit: order includes
#include <stdlib.h>
#include <unistd.h>
#include <thread>
#include <mutex>
std::mutex in, out;
int cb(struct dl_phdr_info *info, size_t size, void *data) {
hctimUnsubmitted
Done
ReplyInline Actions

nit: int Callback

hctim: nit: `int Callback`
bool first = true;
for (int step = 0; step < 50; ++step) {
void *p[1000];
for (int i = 0; i < 1000; ++i)
p[i] = malloc(10 * i);
if (first)
hctimUnsubmitted
Done
ReplyInline Actions

nit: replace with if (step == 0)

hctim: nit: replace with `if (step == 0)`
in.unlock();
first = false;
for (int i = 0; i < 1000; ++i)
free(p[i]);
}
out.unlock();
return 1; // just once
}
void Watchdog() {
// This is just a fail-safe to turn a deadlock (in case the bug reappears) into a (slow) test failure.
hctimUnsubmitted
Done
ReplyInline Actions

Nit: 80chars

hctim: Nit: 80chars
usleep(10000000);
if (!out.try_lock()) {
write(2, "DEADLOCK\n", 9);
exit(1);
}
}
int main() {
in.lock();
out.lock();
std::thread t([] { dl_iterate_phdr(cb, nullptr); });
t.detach();
std::thread w(Watchdog);
w.detach();
// Wait for the malloc thread to preheat, then start leak detection (on exit)
in.lock();
return 0;
}