This is an archive of the discontinued LLVM Phabricator instance.

Differential D89606

[asan][fuchsia] set current thread before reading thread state
ClosedPublic

Authored by zarvox on Oct 16 2020, 5:12 PM.

Details

Reviewers
mcgrathr
phosek
Commits
rG29480c6c746c: [asan][fuchsia] set current thread before reading thread state
Summary

When enabling stack use-after-free detection, we discovered that we read
the thread ID on the main thread while it is still set to 2^24-1.

This patch moves our call to AsanThread::Init() out of CreateAsanThread,
so that we can call SetCurrentThread first on the main thread.

Diff Detail

Event Timeline

zarvox created this revision.Oct 16 2020, 5:12 PM
Herald added a project: Restricted Project. · View Herald TranscriptOct 16 2020, 5:12 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
zarvox requested review of this revision.Oct 16 2020, 5:12 PM
charco added a subscriber: charco.Oct 16 2020, 5:27 PM
Harbormaster completed remote builds in B75397: Diff 298785.Oct 16 2020, 5:51 PM
venkatesh.srinivas added a subscriber: venkatesh.srinivas.Oct 18 2020, 8:24 PM
mcgrathr accepted this revision.Oct 23 2020, 10:58 AM

Thanks for the fix!

compiler-rt/lib/asan/asan_fuchsia.cpp
135

Since that's the invariant and elsewhere there's the invariant that the main thread has tid 0, how about DCHECK_EQ(t->tid(), 0); here? There could also be a DCHECK_NE(tid(), ThreadRegistry::kUnknownTid); in ASanThread::Init, which would have caught this bug.

This revision is now accepted and ready to land.Oct 23 2020, 10:58 AM
zarvox updated this revision to Diff 300361.Oct 23 2020, 11:39 AM

Added DCHECKs per mcgrathr's feedback.

zarvox added inline comments.Oct 23 2020, 11:40 AM
compiler-rt/lib/asan/asan_fuchsia.cpp
135

Yeah, both sound reasonable.

Harbormaster completed remote builds in B76227: Diff 300361.Oct 23 2020, 12:36 PM
Closed by commit rG29480c6c746c: [asan][fuchsia] set current thread before reading thread state (authored by zarvox, committed by mcgrathr). · Explain WhyOct 24 2020, 2:23 PM
This revision was automatically updated to reflect the committed changes.
mcgrathr added a commit: rG29480c6c746c: [asan][fuchsia] set current thread before reading thread state.

Revision Contents

PathSize
compiler-rt/
lib/
asan/
31 lines
1 line

Diff 300502

compiler-rt/lib/asan/asan_fuchsia.cpp

Show First 20 LinesShow All 85 Lines▼ Show 20 Lines
struct AsanThread::InitOptions { struct AsanThread::InitOptions {
uptr stack_bottom, stack_size; uptr stack_bottom, stack_size;
}; };
// Shared setup between thread creation and startup for the initial thread. // Shared setup between thread creation and startup for the initial thread.
static AsanThread *CreateAsanThread(StackTrace *stack, u32 parent_tid, static AsanThread *CreateAsanThread(StackTrace *stack, u32 parent_tid,
uptr user_id, bool detached, uptr user_id, bool detached,
const char *name, uptr stack_bottom, const char *name) {
uptr stack_size) {
// In lieu of AsanThread::Create. // In lieu of AsanThread::Create.
AsanThread *thread = (AsanThread *)MmapOrDie(AsanThreadMmapSize(), __func__); AsanThread *thread = (AsanThread *)MmapOrDie(AsanThreadMmapSize(), __func__);
AsanThreadContext::CreateThreadContextArgs args = {thread, stack}; AsanThreadContext::CreateThreadContextArgs args = {thread, stack};
u32 tid = u32 tid =
asanThreadRegistry().CreateThread(user_id, detached, parent_tid, &args); asanThreadRegistry().CreateThread(user_id, detached, parent_tid, &args);
asanThreadRegistry().SetThreadName(tid, name); asanThreadRegistry().SetThreadName(tid, name);
// On other systems, AsanThread::Init() is called from the new
// thread itself. But on Fuchsia we already know the stack address
// range beforehand, so we can do most of the setup right now.
const AsanThread::InitOptions options = {stack_bottom, stack_size};
thread->Init(&options);
return thread; return thread;
} }
// This gets the same arguments passed to Init by CreateAsanThread, above. // This gets the same arguments passed to Init by CreateAsanThread, above.
// We're in the creator thread before the new thread is actually started, // We're in the creator thread before the new thread is actually started,
// but its stack address range is already known. We don't bother tracking // but its stack address range is already known. We don't bother tracking
// the static TLS address range because the system itself already uses an // the static TLS address range because the system itself already uses an
// ASan-aware allocator for that. // ASan-aware allocator for that.
Show All 12 LinesAsanThread *CreateMainThread() {
char name[ZX_MAX_NAME_LEN]; char name[ZX_MAX_NAME_LEN];
CHECK_NE(__sanitizer::MainThreadStackBase, 0); CHECK_NE(__sanitizer::MainThreadStackBase, 0);
CHECK_GT(__sanitizer::MainThreadStackSize, 0); CHECK_GT(__sanitizer::MainThreadStackSize, 0);
AsanThread *t = CreateAsanThread( AsanThread *t = CreateAsanThread(
nullptr, 0, reinterpret_cast<uptr>(self), true, nullptr, 0, reinterpret_cast<uptr>(self), true,
_zx_object_get_property(thrd_get_zx_handle(self), ZX_PROP_NAME, name, _zx_object_get_property(thrd_get_zx_handle(self), ZX_PROP_NAME, name,
sizeof(name)) == ZX_OK sizeof(name)) == ZX_OK
? name ? name
: nullptr, : nullptr);
__sanitizer::MainThreadStackBase, __sanitizer::MainThreadStackSize); // We need to set the current thread before calling AsanThread::Init() below,
// since it reads the thread ID.
SetCurrentThread(t); SetCurrentThread(t);
DCHECK_EQ(t->tid(), 0);
mcgrathrUnsubmitted
Not Done
ReplyInline Actions

Since that's the invariant and elsewhere there's the invariant that the main thread has tid 0, how about DCHECK_EQ(t->tid(), 0); here? There could also be a DCHECK_NE(tid(), ThreadRegistry::kUnknownTid); in ASanThread::Init, which would have caught this bug.

mcgrathr: Since that's the invariant and elsewhere there's the invariant that the main thread has tid 0…
zarvoxAuthorUnsubmitted
Done
ReplyInline Actions

Yeah, both sound reasonable.

zarvox: Yeah, both sound reasonable.
const AsanThread::InitOptions options = {__sanitizer::MainThreadStackBase,
__sanitizer::MainThreadStackSize};
t->Init(&options);
return t; return t;
} }
// This is called before each thread creation is attempted. So, in // This is called before each thread creation is attempted. So, in
// its first call, the calling thread is the initial and sole thread. // its first call, the calling thread is the initial and sole thread.
static void *BeforeThreadCreateHook(uptr user_id, bool detached, static void *BeforeThreadCreateHook(uptr user_id, bool detached,
const char *name, uptr stack_bottom, const char *name, uptr stack_bottom,
uptr stack_size) { uptr stack_size) {
EnsureMainThreadIDIsCorrect(); EnsureMainThreadIDIsCorrect();
// Strict init-order checking is thread-hostile. // Strict init-order checking is thread-hostile.
if (flags()->strict_init_order) StopInitOrderChecking(); if (flags()->strict_init_order) StopInitOrderChecking();
GET_STACK_TRACE_THREAD; GET_STACK_TRACE_THREAD;
u32 parent_tid = GetCurrentTidOrInvalid(); u32 parent_tid = GetCurrentTidOrInvalid();
return CreateAsanThread(&stack, parent_tid, user_id, detached, name, AsanThread *thread =
stack_bottom, stack_size); CreateAsanThread(&stack, parent_tid, user_id, detached, name);
// On other systems, AsanThread::Init() is called from the new
// thread itself. But on Fuchsia we already know the stack address
// range beforehand, so we can do most of the setup right now.
const AsanThread::InitOptions options = {stack_bottom, stack_size};
thread->Init(&options);
return thread;
} }
// This is called after creating a new thread (in the creating thread), // This is called after creating a new thread (in the creating thread),
// with the pointer returned by BeforeThreadCreateHook (above). // with the pointer returned by BeforeThreadCreateHook (above).
static void ThreadCreateHook(void *hook, bool aborted) { static void ThreadCreateHook(void *hook, bool aborted) {
AsanThread *thread = static_cast<AsanThread *>(hook); AsanThread *thread = static_cast<AsanThread *>(hook);
if (!aborted) { if (!aborted) {
// The thread was created successfully. // The thread was created successfully.
▲ Show 20 LinesShow All 65 LinesShow Last 20 Lines

compiler-rt/lib/asan/asan_thread.cpp

Show First 20 LinesShow All 212 Lines▼ Show 20 Lines if (atomic_compare_exchange_strong(
fake_stack_ = FakeStack::Create(stack_size_log); fake_stack_ = FakeStack::Create(stack_size_log);
SetTLSFakeStack(fake_stack_); SetTLSFakeStack(fake_stack_);
return fake_stack_; return fake_stack_;
} }
return nullptr; return nullptr;
} }
void AsanThread::Init(const InitOptions *options) { void AsanThread::Init(const InitOptions *options) {
DCHECK_NE(tid(), ThreadRegistry::kUnknownTid);
next_stack_top_ = next_stack_bottom_ = 0; next_stack_top_ = next_stack_bottom_ = 0;
atomic_store(&stack_switching_, false, memory_order_release); atomic_store(&stack_switching_, false, memory_order_release);
CHECK_EQ(this->stack_size(), 0U); CHECK_EQ(this->stack_size(), 0U);
SetThreadStackAndTls(options); SetThreadStackAndTls(options);
if (stack_top_ != stack_bottom_) { if (stack_top_ != stack_bottom_) {
CHECK_GT(this->stack_size(), 0U); CHECK_GT(this->stack_size(), 0U);
CHECK(AddrIsInMem(stack_bottom_)); CHECK(AddrIsInMem(stack_bottom_));
CHECK(AddrIsInMem(stack_top_ - 1)); CHECK(AddrIsInMem(stack_top_ - 1));
▲ Show 20 LinesShow All 312 LinesShow Last 20 Lines