This is an archive of the discontinued LLVM Phabricator instance.

Differential D86931

[Asan] Don't crash if metadata is not initialized
ClosedPublic

Authored by vitalybuka on Sep 1 2020, 5:11 AM.

Details

Reviewers
morehouse
Group Reviewers
Restricted Project
Commits
rGc05095cd6865: [Asan] Don't crash if metadata is not initialized
Summary

Fixes https://github.com/google/sanitizers/issues/1193.

AsanChunk can be uninitialized yet just after return from the secondary
allocator. If lsan starts scan just before metadata assignment it can
fail to find corresponding AsanChunk.

It should be safe to ignore this and let lsan to assume that
AsanChunk is in the beginning of the block. This block is from the
secondary allocator and created with mmap, so it should not contain
any pointers and will make lsan to miss some leaks.

Similar already happens for primary allocator. If it can't find real
AsanChunk it falls back and assume that block starts with AsanChunk.
Then if the block is already returned to allocator we have garbage in
AsanChunk and may scan dead memory hiding some leaks.
I'll fix this in D87135.

Diff Detail

Event Timeline

vitalybuka created this revision.Sep 1 2020, 5:11 AM
Herald added a project: Restricted Project. · View Herald TranscriptSep 1 2020, 5:11 AM
Herald added subscribers: Restricted Project, jfb. · View Herald Transcript
vitalybuka requested review of this revision.Sep 1 2020, 5:11 AM
vitalybuka added a child revision: D86932: [NFC][Asan] Don't use allocator Metadata.
vitalybuka edited the summary of this revision. (Show Details)Sep 1 2020, 5:20 AM
vitalybuka added a reviewer: Restricted Project.
Harbormaster completed remote builds in B70222: Diff 289137.Sep 1 2020, 5:36 AM
vitalybuka updated this revision to Diff 289356.Sep 1 2020, 11:13 PM

simplify test

Harbormaster completed remote builds in B70347: Diff 289356.Sep 1 2020, 11:47 PM
kcc added a reviewer: morehouse.Sep 2 2020, 10:18 AM
morehouse added inline comments.Sep 2 2020, 5:16 PM
compiler-rt/lib/asan/asan_allocator.cpp
742

The reason for falling back to alloc_beg is not obvious from the code.

Could you add a comment explaining why we do this, and why it's safe? (both here and below)

750

Since we're here, could you also document why falling back to alloc_beg is safe for the primary?

vitalybuka mentioned this in D86922: [Asan] Don't use MetaData for size.Sep 3 2020, 4:20 PM
vitalybuka updated this revision to Diff 289850.Sep 3 2020, 8:56 PM

move nullptr handling closer to lsan

vitalybuka marked an inline comment as done.Sep 3 2020, 9:03 PM
vitalybuka added inline comments.
compiler-rt/lib/asan/asan_allocator.cpp
750

Looks like this is not very safe as well, lsan is lucky as LsanMetadata::allocated() will return false and the chunk will be ignored.
Other callers like AsanChunkView can handle nullptr, but will display wrong information in case of the current primary fallback.

Harbormaster completed remote builds in B70610: Diff 289850.Sep 3 2020, 9:45 PM
vitalybuka updated this revision to Diff 289891.Sep 4 2020, 1:35 AM

rebase

vitalybuka added a child revision: D86933: [NFC][Asan] Remove Debug code.Sep 4 2020, 1:50 AM
vitalybuka removed a child revision: D86932: [NFC][Asan] Don't use allocator Metadata.
Harbormaster completed remote builds in B70632: Diff 289891.Sep 4 2020, 2:01 AM
vitalybuka added a child revision: D86932: [NFC][Asan] Don't use allocator Metadata.Sep 4 2020, 4:19 AM
vitalybuka removed a child revision: D86932: [NFC][Asan] Don't use allocator Metadata.Sep 4 2020, 4:19 AM
vitalybuka removed a parent revision: D86922: [Asan] Don't use MetaData for size.Sep 6 2020, 6:37 PM
vitalybuka removed a child revision: D86933: [NFC][Asan] Remove Debug code.
vitalybuka edited the summary of this revision. (Show Details)
vitalybuka added a child revision: D86933: [NFC][Asan] Remove Debug code.
vitalybuka added a child revision: D87135: [Asan] Return nullptr for invalid chunks.Sep 6 2020, 6:44 PM
morehouse accepted this revision.Sep 8 2020, 1:11 PM

Please update the commit message.

compiler-rt/lib/asan/asan_allocator.cpp
1111

Do we also need to make these changes in lsan_allocator.cpp?

1113

s/0/nullptr

This revision is now accepted and ready to land.Sep 8 2020, 1:11 PM
vitalybuka edited the summary of this revision. (Show Details)Sep 8 2020, 1:51 PM
vitalybuka updated this revision to Diff 290578.Sep 8 2020, 1:55 PM
vitalybuka marked an inline comment as done.
vitalybuka edited the summary of this revision. (Show Details)

0 -> nullptr

compiler-rt/lib/asan/asan_allocator.cpp
1111

Yes. LsanMetadata argument is results of GetUserBegin
pure lsan version of GetUserBegin never returns null
asan has to return null as we can get into situations when AsanChunk is not yet initialized.

This revision was landed with ongoing or failed builds.Sep 8 2020, 1:58 PM
Closed by commit rGc05095cd6865: [Asan] Don't crash if metadata is not initialized (authored by vitalybuka). · Explain Why
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rGc05095cd6865: [Asan] Don't crash if metadata is not initialized.
Harbormaster completed remote builds in B70997: Diff 290578.Sep 8 2020, 2:25 PM

Revision Contents

PathSize
compiler-rt/
lib/
asan/
22 lines
test/
asan/
TestCases/
31 lines

Diff 290579

compiler-rt/lib/asan/asan_allocator.cpp

Show First 20 LinesShow All 724 Lines▼ Show 20 Lines void CommitBack(AsanThreadLocalMallocStorage *ms, BufferedStackTrace *stack) {
AllocatorCache *ac = GetAllocatorCache(ms); AllocatorCache *ac = GetAllocatorCache(ms);
quarantine.Drain(GetQuarantineCache(ms), QuarantineCallback(ac, stack)); quarantine.Drain(GetQuarantineCache(ms), QuarantineCallback(ac, stack));
allocator.SwallowCache(ac); allocator.SwallowCache(ac);
} }
// -------------------------- Chunk lookup ---------------------- // -------------------------- Chunk lookup ----------------------
// Assumes alloc_beg == allocator.GetBlockBegin(alloc_beg). // Assumes alloc_beg == allocator.GetBlockBegin(alloc_beg).
// Returns nullptr if AsanChunk is not yet initialized just after
// get_allocator().Allocate(), or is being destroyed just before
// get_allocator().Deallocate().
AsanChunk *GetAsanChunk(void *alloc_beg) { AsanChunk *GetAsanChunk(void *alloc_beg) {
if (!alloc_beg) if (!alloc_beg)
return nullptr; return nullptr;
if (!allocator.FromPrimary(alloc_beg)) { if (!allocator.FromPrimary(alloc_beg)) {
uptr *meta = reinterpret_cast<uptr *>(allocator.GetMetaData(alloc_beg)); uptr *meta = reinterpret_cast<uptr *>(allocator.GetMetaData(alloc_beg));
AsanChunk *m = reinterpret_cast<AsanChunk *>(meta[1]); AsanChunk *m = reinterpret_cast<AsanChunk *>(meta[1]);
return m; return m;
morehouseUnsubmitted
Done
ReplyInline Actions

The reason for falling back to alloc_beg is not obvious from the code.

Could you add a comment explaining why we do this, and why it's safe? (both here and below)

morehouse: The reason for falling back to `alloc_beg` is not obvious from the code. Could you add a…
} }
uptr *alloc_magic = reinterpret_cast<uptr *>(alloc_beg); uptr *alloc_magic = reinterpret_cast<uptr *>(alloc_beg);
if (alloc_magic[0] == kAllocBegMagic) if (alloc_magic[0] == kAllocBegMagic)
return reinterpret_cast<AsanChunk *>(alloc_magic[1]); return reinterpret_cast<AsanChunk *>(alloc_magic[1]);
// FIXME: This is either valid small chunk with tiny redzone or invalid // FIXME: This is either valid small chunk with tiny redzone or invalid
// chunk which is beeing allocated/deallocated. The latter case should // chunk which is beeing allocated/deallocated. The latter case should
// return nullptr like secondary allocator does. // return nullptr like secondary allocator does.
return reinterpret_cast<AsanChunk *>(alloc_beg); return reinterpret_cast<AsanChunk *>(alloc_beg);
morehouseUnsubmitted
Not Done
ReplyInline Actions

Since we're here, could you also document why falling back to alloc_beg is safe for the primary?

morehouse: Since we're here, could you also document why falling back to `alloc_beg` is safe for the…
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

Looks like this is not very safe as well, lsan is lucky as LsanMetadata::allocated() will return false and the chunk will be ignored.
Other callers like AsanChunkView can handle nullptr, but will display wrong information in case of the current primary fallback.

vitalybuka: Looks like this is not very safe as well, lsan is lucky as LsanMetadata::allocated() will…
} }
AsanChunk *GetAsanChunkDebug(void *alloc_beg) { AsanChunk *GetAsanChunkDebug(void *alloc_beg) {
if (!alloc_beg) if (!alloc_beg)
return nullptr; return nullptr;
if (!allocator.FromPrimary(alloc_beg)) { if (!allocator.FromPrimary(alloc_beg)) {
uptr *meta = reinterpret_cast<uptr *>(allocator.GetMetaData(alloc_beg)); uptr *meta = reinterpret_cast<uptr *>(allocator.GetMetaData(alloc_beg));
AsanChunk *m = reinterpret_cast<AsanChunk *>(meta[1]); AsanChunk *m = reinterpret_cast<AsanChunk *>(meta[1]);
▲ Show 20 LinesShow All 341 Lines▼ Show 20 Linesvoid GetUserBeginDebug(uptr chunk) {
Printf("GetUserBeginDebug1 chunk %p\n", chunk); Printf("GetUserBeginDebug1 chunk %p\n", chunk);
__asan::AsanChunk *m = __asan::AsanChunk *m =
__asan::instance.GetAsanChunkByAddrFastLockedDebug(chunk); __asan::instance.GetAsanChunkByAddrFastLockedDebug(chunk);
Printf("GetUserBeginDebug2 m %p\n", m); Printf("GetUserBeginDebug2 m %p\n", m);
} }
uptr GetUserBegin(uptr chunk) { uptr GetUserBegin(uptr chunk) {
__asan::AsanChunk *m = __asan::instance.GetAsanChunkByAddrFastLocked(chunk); __asan::AsanChunk *m = __asan::instance.GetAsanChunkByAddrFastLocked(chunk);
if (!m) { return m ? m->Beg() : 0;
Printf(
"ASAN is about to crash with a CHECK failure.\n"
"The ASAN developers are trying to chase down this bug,\n"
"so if you've encountered this bug please let us know.\n"
"See also: https://github.com/google/sanitizers/issues/1193\n"
"Internal ref b/149237057\n"
"chunk: %p caller %p __lsan_current_stage %s\n",
chunk, GET_CALLER_PC(), __lsan_current_stage);
GetUserBeginDebug(chunk);
}
CHECK(m);
return m->Beg();
} }
LsanMetadata::LsanMetadata(uptr chunk) { LsanMetadata::LsanMetadata(uptr chunk) {
morehouseUnsubmitted
Not Done
ReplyInline Actions

Do we also need to make these changes in lsan_allocator.cpp?

morehouse: Do we also need to make these changes in lsan_allocator.cpp?
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

Yes. LsanMetadata argument is results of GetUserBegin
pure lsan version of GetUserBegin never returns null
asan has to return null as we can get into situations when AsanChunk is not yet initialized.

vitalybuka: Yes. LsanMetadata argument is results of GetUserBegin pure lsan version of GetUserBegin never…
metadata_ = reinterpret_cast<void *>(chunk - __asan::kChunkHeaderSize); metadata_ = chunk ? reinterpret_cast<void *>(chunk - __asan::kChunkHeaderSize)
: nullptr;
morehouseUnsubmitted
Done
ReplyInline Actions

s/0/nullptr

morehouse: s/0/nullptr
} }
bool LsanMetadata::allocated() const { bool LsanMetadata::allocated() const {
if (!metadata_)
return false;
__asan::AsanChunk *m = reinterpret_cast<__asan::AsanChunk *>(metadata_); __asan::AsanChunk *m = reinterpret_cast<__asan::AsanChunk *>(metadata_);
return atomic_load(&m->chunk_state, memory_order_relaxed) == return atomic_load(&m->chunk_state, memory_order_relaxed) ==
__asan::CHUNK_ALLOCATED; __asan::CHUNK_ALLOCATED;
} }
ChunkTag LsanMetadata::tag() const { ChunkTag LsanMetadata::tag() const {
__asan::AsanChunk *m = reinterpret_cast<__asan::AsanChunk *>(metadata_); __asan::AsanChunk *m = reinterpret_cast<__asan::AsanChunk *>(metadata_);
return static_cast<ChunkTag>(m->lsan_tag); return static_cast<ChunkTag>(m->lsan_tag);
▲ Show 20 LinesShow All 85 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/lsan_crash.cpp

  • This file was added.
// RUN: %clangxx_asan -O2 %s -o %t && %run %t
#include <atomic>
#include <memory>
#include <sanitizer/lsan_interface.h>
#include <thread>
#include <vector>
std::atomic<bool> done;
void foo() {
std::unique_ptr<char[]> mem;
while (!done)
mem.reset(new char[1000000]);
}
int main() {
std::vector<std::thread> threads;
for (int i = 0; i < 10; ++i)
threads.emplace_back(foo);
for (int i = 0; i < 100; ++i)
__lsan_do_recoverable_leak_check();
done = true;
for (auto &t : threads)
t.join();
return 0;
}