This is an archive of the discontinued LLVM Phabricator instance.

Differential D87552

[Asan] Fix false leak report
ClosedPublic

Authored by vitalybuka on Sep 11 2020, 4:51 PM.

Details

Reviewers
morehouse
kcc
eugenis
Commits
rG9d01612db48f: [Asan] Fix false leak report
Summary

If user thread is in the allocator, the allocator
may have no pointer into future user's part of
the allocated block. AddrIsInside ignores such
pointers and lsan reports a false memory leak.

Diff Detail

Event Timeline

vitalybuka created this revision.Sep 11 2020, 4:51 PM
Herald added a project: Restricted Project. · View Herald TranscriptSep 11 2020, 4:51 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
vitalybuka requested review of this revision.Sep 11 2020, 4:51 PM
vitalybuka updated this revision to Diff 291360.Sep 11 2020, 4:53 PM

re-word comment

Harbormaster completed remote builds in B71447: Diff 291360.Sep 11 2020, 5:26 PM
Harbormaster completed remote builds in B71446: Diff 291359.Sep 11 2020, 5:41 PM
morehouse accepted this revision.Sep 14 2020, 9:32 AM
morehouse added inline comments.
compiler-rt/lib/asan/asan_allocator.cpp
1120–1125
This revision is now accepted and ready to land.Sep 14 2020, 9:32 AM
vitalybuka updated this revision to Diff 291667.Sep 14 2020, 1:32 PM
vitalybuka marked an inline comment as done.

comments

vitalybuka added a comment.Sep 14 2020, 1:32 PM

thanks

This revision was landed with ongoing or failed builds.Sep 14 2020, 1:32 PM
Closed by commit rG9d01612db48f: [Asan] Fix false leak report (authored by vitalybuka). · Explain Why
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rG9d01612db48f: [Asan] Fix false leak report.
Harbormaster completed remote builds in B71610: Diff 291667.Sep 14 2020, 2:12 PM
morehouse added inline comments.Sep 15 2020, 3:14 PM
compiler-rt/lib/asan/asan_allocator.cpp
1121

Removing this check seems to introduce some LSan false negatives. Ran into it while playing with libFuzzer:

$ bin/clang++ -fsanitize=address,fuzzer ../compiler-rt/test/fuzzer/LeakTest.cpp -m32 -g
$ rm -rf corpus && mkdir corpus
$ ./a.out -runs=100000 -detect_leaks=1 -entropic=1 -seed=1 corpus/

libFuzzer finds an input H that triggers a leak, but LSan doesn't detect it. Only happens after this patch, and only with -m32.

Still trying to figure out why this check is needed...

morehouse added inline comments.Sep 15 2020, 3:23 PM
compiler-rt/lib/asan/asan_allocator.cpp
1121

Presumably we have some internal pointer to the ASanChunk header that is causing the allocation to be marked reachable.

vitalybuka added a comment.Sep 15 2020, 3:47 PM

thanks

compiler-rt/lib/asan/asan_allocator.cpp
1121

I don't know what to do about this.
E.g. vector<> usually keeps end() pointer which can be the first byte of the next chunk. Before the patch is was not an issue.
But now it's going to hold next chunk as reachable.

morehouse added inline comments.Sep 15 2020, 4:19 PM
compiler-rt/lib/asan/asan_allocator.cpp
1121

Shouldn't the acquire-load above be enough to guarantee that we've stored a pointer to the user allocation either on stack or in a register, since we store-release in Allocate()?

vitalybuka added inline comments.Sep 15 2020, 4:53 PM
compiler-rt/lib/asan/asan_allocator.cpp
1121

I think not, memory order only requires that we return same as user_beg calculated before atomic operation.

morehouse added inline comments.Sep 15 2020, 5:12 PM
compiler-rt/lib/asan/asan_allocator.cpp
1121

Can we force the guarantee, for example by storing to a volatile stack variable before store-releasing?

If we can, then the LSan false positive this patch fixed shouldn't come back if we add the AddrIsInside check back.

vitalybuka added inline comments.Sep 15 2020, 5:36 PM
compiler-rt/lib/asan/asan_allocator.cpp
1121

Actually I tried that after landing the patch, and I still see the same bug on that binary. Either my way to pin pointer is too week, or I misdiagnosed the bug. I am trying to add more logs to confirm either way.

However even if pinning pointer is possible we have case when we have small allocations without magic. There is a probability that the primary allocator returns CHUNK_ALLOCATED for uninitialized chunk. It's theoretical but I was able to catch that with CHECK(). I tried to solve that with that patch which always adds magic, the one which extends header from 16 to 24 D87359.
I have idea how to use size bits for additional validation magic, as we need magic only when we have small size and we don't use most of bits. But it's needed only we can have guaranteed user pointer.

vitalybuka added inline comments.Sep 15 2020, 11:28 PM
compiler-rt/lib/asan/asan_allocator.cpp
1121

Compiler puts pointer into FP registers.
I will undo this patch and fix how we read registers.

vitalybuka added a reverting change: rGb42fa0c04096: Revert "[Asan] Fix false leak report".Sep 16 2020, 12:26 AM

Revision Contents

PathSize
compiler-rt/
lib/
asan/
14 lines
test/
asan/
TestCases/
28 lines

Diff 291667

compiler-rt/lib/asan/asan_allocator.cpp

Show First 20 LinesShow All 1,105 Lines▼ Show 20 Linesvoid UnlockAllocator() {
__asan::get_allocator().ForceUnlock(); __asan::get_allocator().ForceUnlock();
} }
void GetAllocatorGlobalRange(uptr *begin, uptr *end) { void GetAllocatorGlobalRange(uptr *begin, uptr *end) {
*begin = (uptr)&__asan::get_allocator(); *begin = (uptr)&__asan::get_allocator();
*end = *begin + sizeof(__asan::get_allocator()); *end = *begin + sizeof(__asan::get_allocator());
} }
uptr PointsIntoChunk(void* p) { uptr PointsIntoChunk(void *p) {
uptr addr = reinterpret_cast<uptr>(p); uptr addr = reinterpret_cast<uptr>(p);
__asan::AsanChunk *m = __asan::instance.GetAsanChunkByAddrFastLocked(addr); __asan::AsanChunk *m = __asan::instance.GetAsanChunkByAddrFastLocked(addr);
if (!m || atomic_load(&m->chunk_state, memory_order_acquire) != if (!m || atomic_load(&m->chunk_state, memory_order_acquire) !=
__asan::CHUNK_ALLOCATED) __asan::CHUNK_ALLOCATED)
return 0; return 0;
uptr chunk = m->Beg(); // AsanChunk presence means that we point into some block from underlying
if (m->AddrIsInside(addr, /*locked_version=*/true)) // allocators. Don't check whether p points into user memory, since until
morehouseUnsubmitted
Not Done
ReplyInline Actions

Removing this check seems to introduce some LSan false negatives. Ran into it while playing with libFuzzer:

$ bin/clang++ -fsanitize=address,fuzzer ../compiler-rt/test/fuzzer/LeakTest.cpp -m32 -g
$ rm -rf corpus && mkdir corpus
$ ./a.out -runs=100000 -detect_leaks=1 -entropic=1 -seed=1 corpus/

libFuzzer finds an input H that triggers a leak, but LSan doesn't detect it. Only happens after this patch, and only with -m32.

Still trying to figure out why this check is needed...

morehouse: Removing this check seems to introduce some LSan false negatives. Ran into it while playing…
morehouseUnsubmitted
Not Done
ReplyInline Actions

Presumably we have some internal pointer to the ASanChunk header that is causing the allocation to be marked reachable.

morehouse: Presumably we have some internal pointer to the `ASanChunk` header that is causing the…
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

I don't know what to do about this.
E.g. vector<> usually keeps end() pointer which can be the first byte of the next chunk. Before the patch is was not an issue.
But now it's going to hold next chunk as reachable.

vitalybuka: I don't know what to do about this. E.g. vector<> usually keeps end() pointer which can be the…
morehouseUnsubmitted
Not Done
ReplyInline Actions

Shouldn't the acquire-load above be enough to guarantee that we've stored a pointer to the user allocation either on stack or in a register, since we store-release in Allocate()?

morehouse: Shouldn't the acquire-load above be enough to guarantee that we've stored a pointer to the user…
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

I think not, memory order only requires that we return same as user_beg calculated before atomic operation.

vitalybuka: I think not, memory order only requires that we return same as user_beg calculated before…
morehouseUnsubmitted
Not Done
ReplyInline Actions

Can we force the guarantee, for example by storing to a volatile stack variable before store-releasing?

If we can, then the LSan false positive this patch fixed shouldn't come back if we add the AddrIsInside check back.

morehouse: Can we force the guarantee, for example by storing to a volatile stack variable before store…
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

Actually I tried that after landing the patch, and I still see the same bug on that binary. Either my way to pin pointer is too week, or I misdiagnosed the bug. I am trying to add more logs to confirm either way.

However even if pinning pointer is possible we have case when we have small allocations without magic. There is a probability that the primary allocator returns CHUNK_ALLOCATED for uninitialized chunk. It's theoretical but I was able to catch that with CHECK(). I tried to solve that with that patch which always adds magic, the one which extends header from 16 to 24 D87359.
I have idea how to use size bits for additional validation magic, as we need magic only when we have small size and we don't use most of bits. But it's needed only we can have guaranteed user pointer.

vitalybuka: Actually I tried that after landing the patch, and I still see the same bug on that binary.
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

Compiler puts pointer into FP registers.
I will undo this patch and fix how we read registers.

vitalybuka: Compiler puts pointer into FP registers. I will undo this patch and fix how we read registers.
return chunk; // the return from AsanAllocator::Allocator we may have no such
if (IsSpecialCaseOfOperatorNew0(chunk, m->UsedSize(/*locked_version*/ true), // pointer anywhere. But we must already have a pointer to GetBlockBegin().
addr)) return m->Beg();
return chunk;
return 0;
} }
morehouseUnsubmitted
Done
ReplyInline Actions
return 0;
- // AsanChunk presense means that we point into some block from underlying
- // allocators. Don't check anything else, like if p points into user
- // memory. Up to return from AsanAllocator::Allocator we may have no such
- // pointer anywere. But we must already have a pointer to GetBlockBegin()
+ // AsanChunk presence means that we point into some block from underlying
+ // allocators. Don't check whether p points into user memory, since until
+ // the return from AsanAllocator::Allocator we may have no such
+ // pointer anywhere. But we must already have a pointer to GetBlockBegin()
// somewhere.
return m->Beg();
morehouse:
uptr GetUserBegin(uptr chunk) { uptr GetUserBegin(uptr chunk) {
__asan::AsanChunk *m = __asan::instance.GetAsanChunkByAddrFastLocked(chunk); __asan::AsanChunk *m = __asan::instance.GetAsanChunkByAddrFastLocked(chunk);
return m ? m->Beg() : 0; return m ? m->Beg() : 0;
} }
LsanMetadata::LsanMetadata(uptr chunk) { LsanMetadata::LsanMetadata(uptr chunk) {
metadata_ = chunk ? reinterpret_cast<void *>(chunk - __asan::kChunkHeaderSize) metadata_ = chunk ? reinterpret_cast<void *>(chunk - __asan::kChunkHeaderSize)
▲ Show 20 LinesShow All 102 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/redzone_noleak.cpp

  • This file was added.
// Test whether pointers into left redzone count memory are reachable.
// If user thread is inside asan allocator code then we may have no
// pointers into user part of memory yet. However we should have a pointer
// into the allocated memory chunk.
//
// RUN: %clangxx_asan %s -o %t
// RUN: %run %t 2>&1
#include <cstdlib>
#include <stdio.h>
#include <thread>
void *pointers[1000];
void **cur = pointers;
void leak(int n, int offset) {
printf("%d %d\n", n, offset);
for (int i = 0; i < 3; ++i)
*(cur++) = (new int[n]) + offset;
}
int main(int argc, char **argv) {
for (int n = 1; n < 10000000; n = n * 2) {
leak(n, 0);
leak(n, -1);
}
return 0;
}