This is an archive of the discontinued LLVM Phabricator instance.

Differential D71719

[scudo][standalone] Implement TSD registry disabling
ClosedPublic

Authored by cryptoad on Dec 19 2019, 10:37 AM.

Details

Reviewers
cferris
pcc
hctim
morehouse
eugenis
Commits
rG77e906ac78ab: [scudo][standalone] Implement TSD registry disabling
Summary

In order to implement malloc_{enable|disable} we were just disabling
(or really locking) the Primary and the Secondary. That meant that
allocations could still be serviced from the TSD as long as the cache
wouldn't have to be filled from the Primary.

This wasn't working out for Android tests, so this change implements
registry disabling (eg: locking) so that getTSDAndLock doesn't
return a TSD if the allocator is disabled. This also means that the
Primary doesn't have to be disabled in this situation.

For the Shared Registry, we loop through all the TSDs and lock them.
For the Exclusive Registry, we add a Disabled boolean to the Registry
that forces getTSDAndLock to use the Fallback TSD instead of the
thread local one. Disabling the Registry is then done by locking the
Fallback TSD and setting the boolean in question (I don't think this
needed an atomic variable but I might be wrong).

I clang-formatted the whole thing as usual hence the couple of extra
whiteline changes in this CL.

Diff Detail

Event Timeline

cryptoad created this revision.Dec 19 2019, 10:37 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptDec 19 2019, 10:37 AM
Herald added subscribers: Restricted Project, jfb. · View Herald Transcript
Harbormaster completed remote builds in B42788: Diff 234750.Dec 19 2019, 10:42 AM
cryptoad updated this revision to Diff 234752.Dec 19 2019, 10:44 AM

Extra whiteline.

Harbormaster completed remote builds in B42790: Diff 234752.Dec 19 2019, 10:44 AM
eugenis added inline comments.Dec 19 2019, 11:22 AM
compiler-rt/lib/scudo/standalone/tsd_exclusive.h
51–52

is not this a data race?

cryptoad marked an inline comment as done.Dec 19 2019, 11:26 AM
cryptoad added inline comments.
compiler-rt/lib/scudo/standalone/tsd_exclusive.h
51–52

I think it's OK for allocations to succeed until disable() returns, which I assume is the racey part you are referring to?

cryptoad marked an inline comment as not done.Dec 19 2019, 11:26 AM
eugenis added inline comments.Dec 19 2019, 11:36 AM
compiler-rt/lib/scudo/standalone/tsd_exclusive.h
51–52

If the read of Disabled is not an acquire-read, the thread may not observe the change for a very long time. If you want any guarantee there, both the reading and writing threads need to do some kind of synchronize-y thing.

This sounds like a hard problem if we don't want to sacrifice performance of the fast path.

cryptoad added inline comments.Dec 19 2019, 11:41 AM
compiler-rt/lib/scudo/standalone/tsd_exclusive.h
51–52

Right. I'll update this to use an atomic and run some quick tests.

cryptoad updated this revision to Diff 234763.EditedDec 19 2019, 11:56 AM

Use an atomic_u8 for Disabled in the Exclusive Registry.
This should ensure that changes to the variable are visible to the
threads in a somewhat timely manner.

A run of rpc2-benchmark with this new change doesn't show noticeable
performance degradation.

EDIT: doesn't, not does :(

Harbormaster completed remote builds in B42792: Diff 234763.Dec 19 2019, 12:03 PM
eugenis added inline comments.Dec 19 2019, 12:09 PM
compiler-rt/lib/scudo/standalone/tsd_shared.h
83

I'm also concerned about the shared tsd code path. Is locking the tsd enough to ensure that no allocations will happen in the future? It looks like threads hold the tsd lock for as short a time as possible, and do the rest of the work such as updating the chuck state later without synchronization. This work may not be finished by the time malloc_disable returns. Could malloc_iterate be confused if it sees the allocator in that state?

cryptoad added inline comments.Dec 19 2019, 12:20 PM
compiler-rt/lib/scudo/standalone/tsd_shared.h
83

You are correct, a thread could still be updating a block by the time disable returns.

Hopefully the window is small enough for the amount of potential confusion to be low. Given that this is mostly used in the context of libmemunreachable, which is mostly for debugging purposes, I think a best-effort approach as opposed to a catch-all that might have stronger performance implication is acceptable.

To be fair there might be something better that I haven't thought about as well.

cryptoad added inline comments.Dec 19 2019, 12:22 PM
compiler-rt/lib/scudo/standalone/tsd_shared.h
83

PS: I can add a TODO stating so.

eugenis accepted this revision.Dec 19 2019, 12:49 PM

LGTM

compiler-rt/lib/scudo/standalone/tsd_shared.h
83

I think this can be fixed properly with one or several strategically placed atomic stores in the block update code such that malloc_iterate can always recognize the state the block is in. We've made changes like this in asan & lsan some time ago, mostly in response to bad reports of racy use-after-frees.

This stuff is really hard to reason about. I think this change is OK as a first step, but please leave a TODO.

This revision is now accepted and ready to land.Dec 19 2019, 12:49 PM
cryptoad updated this revision to Diff 234783.Dec 19 2019, 2:12 PM

Add a comment for disable() with a TODO to improve the behavior.

Harbormaster completed remote builds in B42796: Diff 234783.Dec 19 2019, 2:14 PM
cryptoad marked 7 inline comments as done.Dec 19 2019, 3:25 PM
Closed by commit rG77e906ac78ab: [scudo][standalone] Implement TSD registry disabling (authored by cryptoad). · Explain WhyDec 20 2019, 6:58 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
compiler-rt/
lib/
scudo/
standalone/
12 lines
2 lines
tests/
15 lines
16 lines
10 lines

Diff 234894

compiler-rt/lib/scudo/standalone/combined.h

Show All 16 Lines
#include "local_cache.h" #include "local_cache.h"
#include "quarantine.h" #include "quarantine.h"
#include "report.h" #include "report.h"
#include "secondary.h" #include "secondary.h"
#include "string_utils.h" #include "string_utils.h"
#include "tsd.h" #include "tsd.h"
#ifdef GWP_ASAN_HOOKS #ifdef GWP_ASAN_HOOKS
# include "gwp_asan/guarded_pool_allocator.h" #include "gwp_asan/guarded_pool_allocator.h"
// GWP-ASan is declared here in order to avoid indirect call overhead. It's also // GWP-ASan is declared here in order to avoid indirect call overhead. It's also
// instantiated outside of the Allocator class, as the allocator is only // instantiated outside of the Allocator class, as the allocator is only
// zero-initialised. GWP-ASan requires constant initialisation, and the Scudo // zero-initialised. GWP-ASan requires constant initialisation, and the Scudo
// allocator doesn't have a constexpr constructor (see discussion here: // allocator doesn't have a constexpr constructor (see discussion here:
// https://reviews.llvm.org/D69265#inline-624315). // https://reviews.llvm.org/D69265#inline-624315).
static gwp_asan::GuardedPoolAllocator GuardedAlloc; static gwp_asan::GuardedPoolAllocator GuardedAlloc;
#endif // GWP_ASAN_HOOKS #endif // GWP_ASAN_HOOKS
▲ Show 20 LinesShow All 375 Lines▼ Show 20 Lines#endif // GWP_ASAN_HOOKS
if (NewPtr) { if (NewPtr) {
const uptr OldSize = getSize(OldPtr, &OldHeader); const uptr OldSize = getSize(OldPtr, &OldHeader);
memcpy(NewPtr, OldPtr, Min(NewSize, OldSize)); memcpy(NewPtr, OldPtr, Min(NewSize, OldSize));
quarantineOrDeallocateChunk(OldPtr, &OldHeader, OldSize); quarantineOrDeallocateChunk(OldPtr, &OldHeader, OldSize);
} }
return NewPtr; return NewPtr;
} }
// TODO(kostyak): while this locks the Primary & Secondary, it still allows // TODO(kostyak): disable() is currently best-effort. There are some small
// pointers to be fetched from the TSD. We ultimately want to // windows of time when an allocation could still succeed after
// lock the registry as well. For now, it's good enough. // this function finishes. We will revisit that later.
void disable() { void disable() {
initThreadMaybe(); initThreadMaybe();
Primary.disable(); TSDRegistry.disable();
Secondary.disable(); Secondary.disable();
} }
void enable() { void enable() {
initThreadMaybe(); initThreadMaybe();
Secondary.enable(); Secondary.enable();
Primary.enable(); TSDRegistry.enable();
} }
// The function returns the amount of bytes required to store the statistics, // The function returns the amount of bytes required to store the statistics,
// which might be larger than the amount of bytes provided. Note that the // which might be larger than the amount of bytes provided. Note that the
// statistics buffer is not necessarily constant between calls to this // statistics buffer is not necessarily constant between calls to this
// function. This can be called with a null buffer or zero size for buffer // function. This can be called with a null buffer or zero size for buffer
// sizing purposes. // sizing purposes.
uptr getStats(char *Buffer, uptr Size) { uptr getStats(char *Buffer, uptr Size) {
▲ Show 20 LinesShow All 241 LinesShow Last 20 Lines

compiler-rt/lib/scudo/standalone/flags.cpp

Show All 34 Lines
#define SCUDO_FLAG(Type, Name, DefaultValue, Description) \ #define SCUDO_FLAG(Type, Name, DefaultValue, Description) \
Parser->registerFlag(#Name, Description, FlagType::FT_##Type, \ Parser->registerFlag(#Name, Description, FlagType::FT_##Type, \
reinterpret_cast<void *>(&F->Name)); reinterpret_cast<void *>(&F->Name));
#include "flags.inc" #include "flags.inc"
#undef SCUDO_FLAG #undef SCUDO_FLAG
#ifdef GWP_ASAN_HOOKS #ifdef GWP_ASAN_HOOKS
#define GWP_ASAN_OPTION(Type, Name, DefaultValue, Description) \ #define GWP_ASAN_OPTION(Type, Name, DefaultValue, Description) \
Parser->registerFlag("GWP_ASAN_"#Name, Description, FlagType::FT_##Type, \ Parser->registerFlag("GWP_ASAN_" #Name, Description, FlagType::FT_##Type, \
reinterpret_cast<void *>(&F->GWP_ASAN_##Name)); reinterpret_cast<void *>(&F->GWP_ASAN_##Name));
#include "gwp_asan/options.inc" #include "gwp_asan/options.inc"
#undef GWP_ASAN_OPTION #undef GWP_ASAN_OPTION
#endif // GWP_ASAN_HOOKS #endif // GWP_ASAN_HOOKS
} }
static const char *getCompileDefinitionScudoDefaultOptions() { static const char *getCompileDefinitionScudoDefaultOptions() {
#ifdef SCUDO_DEFAULT_OPTIONS #ifdef SCUDO_DEFAULT_OPTIONS
Show All 21 Lines

compiler-rt/lib/scudo/standalone/tests/wrappers_c_test.cpp

Show First 20 LinesShow All 278 Lines▼ Show 20 LinesTEST(ScudoWrappersCTest, MallocIterateBoundary) {
malloc_iterate(Block - PageSize, PageSize, callback, nullptr); malloc_iterate(Block - PageSize, PageSize, callback, nullptr);
malloc_iterate(Block, PageSize, callback, nullptr); malloc_iterate(Block, PageSize, callback, nullptr);
malloc_enable(); malloc_enable();
EXPECT_EQ(Count, 1U); EXPECT_EQ(Count, 1U);
free(P); free(P);
} }
// We expect heap operations within a disable/enable scope to deadlock.
TEST(ScudoWrappersCTest, MallocDisableDeadlock) {
EXPECT_DEATH(
{
void *P = malloc(Size);
EXPECT_NE(P, nullptr);
free(P);
malloc_disable();
alarm(1);
P = malloc(Size);
malloc_enable();
},
"");
}
#if !SCUDO_FUCHSIA #if !SCUDO_FUCHSIA
TEST(ScudoWrappersCTest, MallocInfo) { TEST(ScudoWrappersCTest, MallocInfo) {
char Buffer[64]; char Buffer[64];
FILE *F = fmemopen(Buffer, sizeof(Buffer), "w+"); FILE *F = fmemopen(Buffer, sizeof(Buffer), "w+");
EXPECT_NE(F, nullptr); EXPECT_NE(F, nullptr);
errno = 0; errno = 0;
EXPECT_EQ(malloc_info(0, F), 0); EXPECT_EQ(malloc_info(0, F), 0);
EXPECT_EQ(errno, 0); EXPECT_EQ(errno, 0);
fclose(F); fclose(F);
EXPECT_EQ(strncmp(Buffer, "<malloc version=\"scudo-", 23), 0); EXPECT_EQ(strncmp(Buffer, "<malloc version=\"scudo-", 23), 0);
} }
#endif #endif

compiler-rt/lib/scudo/standalone/tsd_exclusive.h

Show First 20 LinesShow All 42 Lines▼ Show 20 Linestemplate <class Allocator> struct TSDRegistryExT {
ALWAYS_INLINE void initThreadMaybe(Allocator *Instance, bool MinimalInit) { ALWAYS_INLINE void initThreadMaybe(Allocator *Instance, bool MinimalInit) {
if (LIKELY(State != ThreadState::NotInitialized)) if (LIKELY(State != ThreadState::NotInitialized))
return; return;
initThread(Instance, MinimalInit); initThread(Instance, MinimalInit);
} }
ALWAYS_INLINE TSD<Allocator> *getTSDAndLock(bool *UnlockRequired) { ALWAYS_INLINE TSD<Allocator> *getTSDAndLock(bool *UnlockRequired) {
if (LIKELY(State == ThreadState::Initialized)) { if (LIKELY(State == ThreadState::Initialized &&
!atomic_load(&Disabled, memory_order_acquire))) {
eugenisUnsubmitted
Done
ReplyInline Actions

is not this a data race?

eugenis: is not this a data race?
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

I think it's OK for allocations to succeed until disable() returns, which I assume is the racey part you are referring to?

cryptoad: I think it's OK for allocations to succeed until `disable()` returns, which I assume is the…
eugenisUnsubmitted
Done
ReplyInline Actions

If the read of Disabled is not an acquire-read, the thread may not observe the change for a very long time. If you want any guarantee there, both the reading and writing threads need to do some kind of synchronize-y thing.

This sounds like a hard problem if we don't want to sacrifice performance of the fast path.

eugenis: If the read of Disabled is not an acquire-read, the thread may not observe the change for a…
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

Right. I'll update this to use an atomic and run some quick tests.

cryptoad: Right. I'll update this to use an atomic and run some quick tests.
*UnlockRequired = false; *UnlockRequired = false;
return &ThreadTSD; return &ThreadTSD;
} }
DCHECK(FallbackTSD); DCHECK(FallbackTSD);
FallbackTSD->lock(); FallbackTSD->lock();
*UnlockRequired = true; *UnlockRequired = true;
return FallbackTSD; return FallbackTSD;
} }
// To disable the exclusive TSD registry, we effectively lock the fallback TSD
// and force all threads to attempt to use it instead of their local one.
void disable() {
FallbackTSD->lock();
atomic_store(&Disabled, 1U, memory_order_release);
}
void enable() {
atomic_store(&Disabled, 0U, memory_order_release);
FallbackTSD->unlock();
}
private: private:
void initOnceMaybe(Allocator *Instance) { void initOnceMaybe(Allocator *Instance) {
ScopedLock L(Mutex); ScopedLock L(Mutex);
if (LIKELY(Initialized)) if (LIKELY(Initialized))
return; return;
initLinkerInitialized(Instance); // Sets Initialized. initLinkerInitialized(Instance); // Sets Initialized.
} }
// Using minimal initialization allows for global initialization while keeping // Using minimal initialization allows for global initialization while keeping
// the thread specific structure untouched. The fallback structure will be // the thread specific structure untouched. The fallback structure will be
// used instead. // used instead.
NOINLINE void initThread(Allocator *Instance, bool MinimalInit) { NOINLINE void initThread(Allocator *Instance, bool MinimalInit) {
initOnceMaybe(Instance); initOnceMaybe(Instance);
if (UNLIKELY(MinimalInit)) if (UNLIKELY(MinimalInit))
return; return;
CHECK_EQ( CHECK_EQ(
pthread_setspecific(PThreadKey, reinterpret_cast<void *>(Instance)), 0); pthread_setspecific(PThreadKey, reinterpret_cast<void *>(Instance)), 0);
ThreadTSD.initLinkerInitialized(Instance); ThreadTSD.initLinkerInitialized(Instance);
State = ThreadState::Initialized; State = ThreadState::Initialized;
} }
pthread_key_t PThreadKey; pthread_key_t PThreadKey;
bool Initialized; bool Initialized;
atomic_u8 Disabled;
TSD<Allocator> *FallbackTSD; TSD<Allocator> *FallbackTSD;
HybridMutex Mutex; HybridMutex Mutex;
static THREADLOCAL ThreadState State; static THREADLOCAL ThreadState State;
static THREADLOCAL TSD<Allocator> ThreadTSD; static THREADLOCAL TSD<Allocator> ThreadTSD;
friend void teardownThread<Allocator>(void *Ptr); friend void teardownThread<Allocator>(void *Ptr);
}; };
Show All 27 Lines

compiler-rt/lib/scudo/standalone/tsd_shared.h

Show First 20 LinesShow All 66 Lines▼ Show 20 Lines ALWAYS_INLINE TSD<Allocator> *getTSDAndLock(bool *UnlockRequired) {
*UnlockRequired = true; *UnlockRequired = true;
// Try to lock the currently associated context. // Try to lock the currently associated context.
if (TSD->tryLock()) if (TSD->tryLock())
return TSD; return TSD;
// If that fails, go down the slow path. // If that fails, go down the slow path.
return getTSDAndLockSlow(TSD); return getTSDAndLockSlow(TSD);
} }
void disable() {
for (u32 I = 0; I < NumberOfTSDs; I++)
TSDs[I].lock();
}
void enable() {
for (u32 I = 0; I < NumberOfTSDs; I++)
TSDs[I].unlock();
}
eugenisUnsubmitted
Done
ReplyInline Actions

I'm also concerned about the shared tsd code path. Is locking the tsd enough to ensure that no allocations will happen in the future? It looks like threads hold the tsd lock for as short a time as possible, and do the rest of the work such as updating the chuck state later without synchronization. This work may not be finished by the time malloc_disable returns. Could malloc_iterate be confused if it sees the allocator in that state?

eugenis: I'm also concerned about the shared tsd code path. Is locking the tsd enough to ensure that no…
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

You are correct, a thread could still be updating a block by the time disable returns.

Hopefully the window is small enough for the amount of potential confusion to be low. Given that this is mostly used in the context of libmemunreachable, which is mostly for debugging purposes, I think a best-effort approach as opposed to a catch-all that might have stronger performance implication is acceptable.

To be fair there might be something better that I haven't thought about as well.

cryptoad: You are correct, a thread could still be updating a block by the time `disable` returns.
cryptoadAuthorUnsubmitted
Done
ReplyInline Actions

PS: I can add a TODO stating so.

cryptoad: PS: I can add a TODO stating so.
eugenisUnsubmitted
Not Done
ReplyInline Actions

I think this can be fixed properly with one or several strategically placed atomic stores in the block update code such that malloc_iterate can always recognize the state the block is in. We've made changes like this in asan & lsan some time ago, mostly in response to bad reports of racy use-after-frees.

This stuff is really hard to reason about. I think this change is OK as a first step, but please leave a TODO.

eugenis: I think this can be fixed properly with one or several strategically placed atomic stores in…
private: private:
ALWAYS_INLINE void setCurrentTSD(TSD<Allocator> *CurrentTSD) { ALWAYS_INLINE void setCurrentTSD(TSD<Allocator> *CurrentTSD) {
#if _BIONIC #if _BIONIC
*getAndroidTlsPtr() = reinterpret_cast<uptr>(CurrentTSD); *getAndroidTlsPtr() = reinterpret_cast<uptr>(CurrentTSD);
#elif SCUDO_LINUX #elif SCUDO_LINUX
ThreadTSD = CurrentTSD; ThreadTSD = CurrentTSD;
#else #else
CHECK_EQ( CHECK_EQ(
▲ Show 20 LinesShow All 88 LinesShow Last 20 Lines