This is an archive of the discontinued LLVM Phabricator instance.

Differential D91208

[hwasan] Fix Thread reuse.
ClosedPublic

Authored by eugenis on Nov 10 2020, 2:19 PM.

Details

Reviewers
pcc
hctim
Commits
rGe1eeb026e66c: [hwasan] Fix Thread reuse.
Summary

HwasanThreadList::DontNeedThread clobbers Thread::next_, breaking the
freelist. As a result, only the top of the freelist ever gets reused,
and the rest of it is lost.

Since the Thread object its associated ring buffer is only 8Kb, this is
typically only noticable in long running processes, such as fuzzers.

Fix the problem by switching from an intrusive linked list to a vector.

Diff Detail

Event Timeline

eugenis created this revision.Nov 10 2020, 2:19 PM
Herald added a project: Restricted Project. · View Herald TranscriptNov 10 2020, 2:19 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
eugenis requested review of this revision.Nov 10 2020, 2:19 PM
Harbormaster completed remote builds in B78368: Diff 304329.Nov 10 2020, 2:56 PM
pcc accepted this revision.Nov 10 2020, 4:19 PM

LGTM

This revision is now accepted and ready to land.Nov 10 2020, 4:19 PM
This revision was landed with ongoing or failed builds.Nov 10 2020, 5:24 PM
Closed by commit rGe1eeb026e66c: [hwasan] Fix Thread reuse. (authored by eugenis). · Explain Why
This revision was automatically updated to reflect the committed changes.
eugenis added a commit: rGe1eeb026e66c: [hwasan] Fix Thread reuse..
thakis added a subscriber: thakis.Nov 11 2020, 6:39 AM

This test is failing on our clang packaging bots: https://logs.chromium.org/logs/chromium/buildbucket/cr-buildbucket.appspot.com/8863946222064502624/+/steps/package_clang/0/stdout?format=raw

Testing:  0.. 10.. 20.. 30.. 40.
 FAIL: HWAddressSanitizer-x86_64 :: TestCases/Linux/reuse-threads.cpp (36788 of 78839)
 ******************** TEST 'HWAddressSanitizer-x86_64 :: TestCases/Linux/reuse-threads.cpp' FAILED ********************
 Script:
 --
 : 'RUN: at line 2';      /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/./bin/clang  --driver-mode=g++  -m64  -gline-tables-only -fsanitize=hwaddress -fuse-ld=lld -mcmodel=large -mllvm -hwasan-globals -mllvm -hwasan-use-short-granules -mllvm -hwasan-instrument-landing-pads=0 -mllvm -hwasan-instrument-personality-functions -mllvm -hwasan-instrument-stack=0 /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/test/hwasan/TestCases/Linux/reuse-threads.cpp -o /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/projects/compiler-rt/test/hwasan/X86_64/TestCases/Linux/Output/reuse-threads.cpp.tmp && env HWASAN_OPTIONS=disable_allocator_tagging=1:random_tags=0:verbose_threads=1  /b/s/w/ir/cache/builder/src/third_party/llvm-build/Release+Asserts/projects/compiler-rt/test/hwasan/X86_64/TestCases/Linux/Output/reuse-threads.cpp.tmp 2>&1 | FileCheck /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/test/hwasan/TestCases/Linux/reuse-threads.cpp
 --
 Exit Code: 1
 
 Command Output (stderr):
 --
 /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/test/hwasan/TestCases/Linux/reuse-threads.cpp:49:16: error: CHECK-DAG: expected string not found in input
  // CHECK-DAG: Creating : T{{[0-9]+}} [[A]] stack:
                ^
 <stdin>:26:38: note: scanning from here
 Creating : T12 0x770000006000 stack: [0x7f017d89f000,0x7f017e09ef80) sz: 8388480 tls: [0x7f017e09ef80,0x7f017e0a0000)
                                      ^
 <stdin>:26:38: note: with "A" equal to "0x770000006000"
 Creating : T12 0x770000006000 stack: [0x7f017d89f000,0x7f017e09ef80) sz: 8388480 tls: [0x7f017e09ef80,0x7f017e0a0000)
                                      ^
 <stdin>:27:10: note: possible intended match here
 Destroying: T12 0x770000006000 stack: [0x7f017d89f000,0x7f017e09ef80) sz: 8388480 tls: [0x7f017e09ef80,0x7f017e0a0000)
          ^
 
 Input file: <stdin>
 Check file: /b/s/w/ir/cache/builder/src/third_party/llvm/compiler-rt/test/hwasan/TestCases/Linux/reuse-threads.cpp
 
 -dump-input=help explains the following input dump.
 
 Input was:
 <<<<<<
           .
           .
           .
          21: Destroying: T9 0x77000000a000 stack: [0x7f017f0a2000,0x7f017f8a1f80) sz: 8388480 tls: [0x7f017f8a1f80,0x7f017f8a3000)
          22: Creating : T10 0x770000012000 stack: [0x7f017e8a1000,0x7f017f0a0f80) sz: 8388480 tls: [0x7f017f0a0f80,0x7f017f0a2000)
          23: Destroying: T10 0x770000012000 stack: [0x7f017e8a1000,0x7f017f0a0f80) sz: 8388480 tls: [0x7f017f0a0f80,0x7f017f0a2000)
          24: Creating : T11 0x77000000e000 stack: [0x7f017e0a0000,0x7f017e89ff80) sz: 8388480 tls: [0x7f017e89ff80,0x7f017e8a1000)
          25: Destroying: T11 0x77000000e000 stack: [0x7f017e0a0000,0x7f017e89ff80) sz: 8388480 tls: [0x7f017e89ff80,0x7f017e8a1000)
          26: Creating : T12 0x770000006000 stack: [0x7f017d89f000,0x7f017e09ef80) sz: 8388480 tls: [0x7f017e09ef80,0x7f017e0a0000)
 dag:49'0                                          X~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ error: no match found
 dag:49'1                                                                                                                           with "A" equal to "0x770000006000"
          27: Destroying: T12 0x770000006000 stack: [0x7f017d89f000,0x7f017e09ef80) sz: 8388480 tls: [0x7f017e09ef80,0x7f017e0a0000)
 dag:49'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 dag:49'2              ?                                                                                                             possible intended match
 >>>>>>
 
 --
 
 ********************
 Testing:  0.. 10.. 20.. 30.. 40.. 50.. 60.. 70.. 80.. 90.. 
 ********************
 Failed Tests (1):
   HWAddressSanitizer-x86_64 :: TestCases/Linux/reuse-threads.cpp

PTAL!

thakis added a comment.Nov 11 2020, 6:56 AM

Reverted in 6ab31eeb62612fc7f488811f3fdda95d9caa9350 for now.

thakis added a reverting change: rG6ab31eeb6261: Revert "[hwasan] Fix Thread reuse.".Nov 11 2020, 6:56 AM
thakis added a comment.Nov 11 2020, 8:35 AM

Also failing on other bots, but not all the time: http://45.33.8.238/linux/32598/step_10.txt

Revision Contents

PathSize
compiler-rt/
lib/
hwasan/
2 lines
60 lines
sanitizer_common/
6 lines
tests/
26 lines
test/
hwasan/
TestCases/
Linux/
54 lines
4 lines

Diff 304360

compiler-rt/lib/hwasan/hwasan_thread.h

Show First 20 LinesShow All 68 Lines▼ Show 20 Lines private:
u32 random_state_; u32 random_state_;
u32 random_buffer_; u32 random_buffer_;
AllocatorCache allocator_cache_; AllocatorCache allocator_cache_;
HeapAllocationsRingBuffer *heap_allocations_; HeapAllocationsRingBuffer *heap_allocations_;
StackAllocationsRingBuffer *stack_allocations_; StackAllocationsRingBuffer *stack_allocations_;
Thread *next_; // All live threads form a linked list.
u64 unique_id_; // counting from zero. u64 unique_id_; // counting from zero.
u32 tagging_disabled_; // if non-zero, malloc uses zero tag in this thread. u32 tagging_disabled_; // if non-zero, malloc uses zero tag in this thread.
bool announced_; bool announced_;
friend struct ThreadListHead; friend struct ThreadListHead;
}; };
Show All 12 Lines

compiler-rt/lib/hwasan/hwasan_thread_list.h

Show First 20 LinesShow All 60 Lines▼ Show 20 Lines for (int shift = 1; shift < 7; ++shift) {
if (size >= desired_bytes) if (size >= desired_bytes)
return size; return size;
} }
Printf("stack history size too large: %d\n", flags()->stack_history_size); Printf("stack history size too large: %d\n", flags()->stack_history_size);
CHECK(0); CHECK(0);
return 0; return 0;
} }
struct ThreadListHead {
Thread *list_;
ThreadListHead() : list_(nullptr) {}
void Push(Thread *t) {
t->next_ = list_;
list_ = t;
}
Thread *Pop() {
Thread *t = list_;
if (t)
list_ = t->next_;
return t;
}
void Remove(Thread *t) {
Thread **cur = &list_;
while (*cur != t) cur = &(*cur)->next_;
CHECK(*cur && "thread not found");
*cur = (*cur)->next_;
}
template <class CB>
void ForEach(CB cb) {
Thread *t = list_;
while (t) {
cb(t);
t = t->next_;
}
}
};
struct ThreadStats { struct ThreadStats {
uptr n_live_threads; uptr n_live_threads;
uptr total_stack_size; uptr total_stack_size;
}; };
class HwasanThreadList { class HwasanThreadList {
public: public:
HwasanThreadList(uptr storage, uptr size) HwasanThreadList(uptr storage, uptr size)
: free_space_(storage), free_space_end_(storage + size) { : free_space_(storage), free_space_end_(storage + size) {
// [storage, storage + size) is used as a vector of // [storage, storage + size) is used as a vector of
// thread_alloc_size_-sized, ring_buffer_size_*2-aligned elements. // thread_alloc_size_-sized, ring_buffer_size_*2-aligned elements.
// Each element contains // Each element contains
// * a ring buffer at offset 0, // * a ring buffer at offset 0,
// * a Thread object at offset ring_buffer_size_. // * a Thread object at offset ring_buffer_size_.
ring_buffer_size_ = RingBufferSize(); ring_buffer_size_ = RingBufferSize();
thread_alloc_size_ = thread_alloc_size_ =
RoundUpTo(ring_buffer_size_ + sizeof(Thread), ring_buffer_size_ * 2); RoundUpTo(ring_buffer_size_ + sizeof(Thread), ring_buffer_size_ * 2);
} }
Thread *CreateCurrentThread() { Thread *CreateCurrentThread() {
Thread *t; Thread *t;
{ {
SpinMutexLock l(&list_mutex_); SpinMutexLock l(&list_mutex_);
t = free_list_.Pop(); if (!free_list_.empty()) {
if (t) { t = free_list_.back();
free_list_.pop_back();
uptr start = (uptr)t - ring_buffer_size_; uptr start = (uptr)t - ring_buffer_size_;
internal_memset((void *)start, 0, ring_buffer_size_ + sizeof(Thread)); internal_memset((void *)start, 0, ring_buffer_size_ + sizeof(Thread));
} else { } else {
t = AllocThread(); t = AllocThread();
} }
live_list_.Push(t); live_list_.push_back(t);
} }
t->Init((uptr)t - ring_buffer_size_, ring_buffer_size_); t->Init((uptr)t - ring_buffer_size_, ring_buffer_size_);
AddThreadStats(t); AddThreadStats(t);
return t; return t;
} }
void DontNeedThread(Thread *t) { void DontNeedThread(Thread *t) {
uptr start = (uptr)t - ring_buffer_size_; uptr start = (uptr)t - ring_buffer_size_;
ReleaseMemoryPagesToOS(start, start + thread_alloc_size_); ReleaseMemoryPagesToOS(start, start + thread_alloc_size_);
} }
void RemoveThreadFromLiveList(Thread *t) {
for (Thread *&t2 : live_list_)
if (t2 == t) {
live_list_.erase(&t2);
return;
}
CHECK(0 && "thread not found in live list");
}
void ReleaseThread(Thread *t) { void ReleaseThread(Thread *t) {
RemoveThreadStats(t); RemoveThreadStats(t);
t->Destroy(); t->Destroy();
SpinMutexLock l(&list_mutex_); SpinMutexLock l(&list_mutex_);
live_list_.Remove(t); RemoveThreadFromLiveList(t);
free_list_.Push(t); free_list_.push_back(t);
DontNeedThread(t); DontNeedThread(t);
} }
Thread *GetThreadByBufferAddress(uptr p) { Thread *GetThreadByBufferAddress(uptr p) {
return (Thread *)(RoundDownTo(p, ring_buffer_size_ * 2) + return (Thread *)(RoundDownTo(p, ring_buffer_size_ * 2) +
ring_buffer_size_); ring_buffer_size_);
} }
uptr MemoryUsedPerThread() { uptr MemoryUsedPerThread() {
uptr res = sizeof(Thread) + ring_buffer_size_; uptr res = sizeof(Thread) + ring_buffer_size_;
if (auto sz = flags()->heap_history_size) if (auto sz = flags()->heap_history_size)
res += HeapAllocationsRingBuffer::SizeInBytes(sz); res += HeapAllocationsRingBuffer::SizeInBytes(sz);
return res; return res;
} }
template <class CB> template <class CB>
void VisitAllLiveThreads(CB cb) { void VisitAllLiveThreads(CB cb) {
SpinMutexLock l(&list_mutex_); SpinMutexLock l(&list_mutex_);
live_list_.ForEach(cb); for (Thread *t : live_list_) cb(t);
} }
void AddThreadStats(Thread *t) { void AddThreadStats(Thread *t) {
SpinMutexLock l(&stats_mutex_); SpinMutexLock l(&stats_mutex_);
stats_.n_live_threads++; stats_.n_live_threads++;
stats_.total_stack_size += t->stack_size(); stats_.total_stack_size += t->stack_size();
} }
Show All 18 Lines Thread *AllocThread() {
return t; return t;
} }
uptr free_space_; uptr free_space_;
uptr free_space_end_; uptr free_space_end_;
uptr ring_buffer_size_; uptr ring_buffer_size_;
uptr thread_alloc_size_; uptr thread_alloc_size_;
ThreadListHead free_list_; InternalMmapVector<Thread *> free_list_;
ThreadListHead live_list_; InternalMmapVector<Thread *> live_list_;
SpinMutex list_mutex_; SpinMutex list_mutex_;
ThreadStats stats_; ThreadStats stats_;
SpinMutex stats_mutex_; SpinMutex stats_mutex_;
}; };
void InitThreadList(uptr storage, uptr size); void InitThreadList(uptr storage, uptr size);
HwasanThreadList &hwasanThreadList(); HwasanThreadList &hwasanThreadList();
} // namespace } // namespace

compiler-rt/lib/sanitizer_common/sanitizer_common.h

Show First 20 LinesShow All 537 Lines▼ Show 20 Lines public:
} }
void swap(InternalMmapVectorNoCtor &other) { void swap(InternalMmapVectorNoCtor &other) {
Swap(data_, other.data_); Swap(data_, other.data_);
Swap(capacity_bytes_, other.capacity_bytes_); Swap(capacity_bytes_, other.capacity_bytes_);
Swap(size_, other.size_); Swap(size_, other.size_);
} }
void erase(T *t) {
if (t + 1 < end())
internal_memmove(t, t + 1, (end() - t - 1) * sizeof(T));
--size_;
}
private: private:
void Realloc(uptr new_capacity) { void Realloc(uptr new_capacity) {
CHECK_GT(new_capacity, 0); CHECK_GT(new_capacity, 0);
CHECK_LE(size_, new_capacity); CHECK_LE(size_, new_capacity);
uptr new_capacity_bytes = uptr new_capacity_bytes =
RoundUpTo(new_capacity * sizeof(T), GetPageSizeCached()); RoundUpTo(new_capacity * sizeof(T), GetPageSizeCached());
T *new_data = (T *)MmapOrDie(new_capacity_bytes, "InternalMmapVector"); T *new_data = (T *)MmapOrDie(new_capacity_bytes, "InternalMmapVector");
internal_memcpy(new_data, data_, size_ * sizeof(T)); internal_memcpy(new_data, data_, size_ * sizeof(T));
▲ Show 20 LinesShow All 476 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/tests/sanitizer_common_test.cpp

Show First 20 LinesShow All 87 Lines▼ Show 20 Lines
} }
TEST(SanitizerCommon, InternalMmapVectorRoundUpCapacity) { TEST(SanitizerCommon, InternalMmapVectorRoundUpCapacity) {
InternalMmapVector<uptr> v; InternalMmapVector<uptr> v;
v.reserve(1); v.reserve(1);
CHECK_EQ(v.capacity(), GetPageSizeCached() / sizeof(uptr)); CHECK_EQ(v.capacity(), GetPageSizeCached() / sizeof(uptr));
} }
TEST(SanitizerCommon, InternalMmapVectorReize) { TEST(SanitizerCommon, InternalMmapVectorResize) {
InternalMmapVector<uptr> v; InternalMmapVector<uptr> v;
CHECK_EQ(0U, v.size()); CHECK_EQ(0U, v.size());
CHECK_GE(v.capacity(), v.size()); CHECK_GE(v.capacity(), v.size());
v.reserve(1000); v.reserve(1000);
CHECK_EQ(0U, v.size()); CHECK_EQ(0U, v.size());
CHECK_GE(v.capacity(), 1000U); CHECK_GE(v.capacity(), 1000U);
▲ Show 20 LinesShow All 66 Lines▼ Show 20 LinesTEST(SanitizerCommon, InternalMmapVectorSwap) {
} }
EXPECT_NE(vector2, vector3); EXPECT_NE(vector2, vector3);
EXPECT_NE(vector1, vector4); EXPECT_NE(vector1, vector4);
vector1.swap(vector3); vector1.swap(vector3);
EXPECT_EQ(vector2, vector3); EXPECT_EQ(vector2, vector3);
EXPECT_EQ(vector1, vector4); EXPECT_EQ(vector1, vector4);
} }
TEST(SanitizerCommon, InternalMmapVectorErase) {
InternalMmapVector<uptr> v;
std::vector<uptr> r;
for (uptr i = 0; i < 10; i++) {
v.push_back(i);
r.push_back(i);
}
v.erase(&v[9]);
r.erase(r.begin() + 9);
EXPECT_EQ(r.size(), v.size());
for (uptr i = 0; i < r.size(); i++) EXPECT_EQ(r[i], v[i]);
v.erase(&v[3]);
r.erase(r.begin() + 3);
EXPECT_EQ(r.size(), v.size());
for (uptr i = 0; i < r.size(); i++) EXPECT_EQ(r[i], v[i]);
v.erase(&v[0]);
r.erase(r.begin());
EXPECT_EQ(r.size(), v.size());
for (uptr i = 0; i < r.size(); i++) EXPECT_EQ(r[i], v[i]);
}
void TestThreadInfo(bool main) { void TestThreadInfo(bool main) {
uptr stk_addr = 0; uptr stk_addr = 0;
uptr stk_size = 0; uptr stk_size = 0;
uptr tls_addr = 0; uptr tls_addr = 0;
uptr tls_size = 0; uptr tls_size = 0;
GetThreadStackAndTls(main, &stk_addr, &stk_size, &tls_addr, &tls_size); GetThreadStackAndTls(main, &stk_addr, &stk_size, &tls_addr, &tls_size);
int stack_var; int stack_var;
▲ Show 20 LinesShow All 263 LinesShow Last 20 Lines

compiler-rt/test/hwasan/TestCases/Linux/reuse-threads.cpp

  • This file was added.
// Test that Thread objects are reused.
// RUN: %clangxx_hwasan -mllvm -hwasan-instrument-stack=0 %s -o %t && %env_hwasan_opts=verbose_threads=1 %run %t 2>&1 | FileCheck %s
#include <assert.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sanitizer/hwasan_interface.h>
#include "../utils.h"
pthread_mutex_t mu = PTHREAD_MUTEX_INITIALIZER;
void *threadfn(void *) {
pthread_mutex_lock(UNTAG(&mu));
pthread_mutex_unlock(UNTAG(&mu));
return nullptr;
}
void start_stop_threads() {
constexpr int N = 4;
pthread_t threads[N];
pthread_mutex_lock(UNTAG(&mu));
for (auto &t : threads)
pthread_create(&t, nullptr, threadfn, nullptr);
pthread_mutex_unlock(UNTAG(&mu));
for (auto &t : threads)
pthread_join(t, nullptr);
}
int main() {
// Cut off initial threads.
// CHECK: === test start ===
untag_fprintf(stderr, "=== test start ===\n");
// CHECK: Creating : T{{[0-9]+}} [[A:0x[0-9a-f]+]] stack:
// CHECK: Creating : T{{[0-9]+}} [[B:0x[0-9a-f]+]] stack:
start_stop_threads();
// CHECK-DAG: Creating : T{{[0-9]+}} [[A]] stack:
// CHECK-DAG: Creating : T{{[0-9]+}} [[B]] stack:
start_stop_threads();
// CHECK-DAG: Creating : T{{[0-9]+}} [[A]] stack:
// CHECK-DAG: Creating : T{{[0-9]+}} [[B]] stack:
start_stop_threads();
return 0;
}

compiler-rt/test/hwasan/TestCases/thread-uaf.c

Show All 28 Linesvoid *Use(void *arg) {
x[5] = 42; x[5] = 42;
// CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address // CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address
// CHECK: WRITE of size 1 {{.*}} in thread T3 // CHECK: WRITE of size 1 {{.*}} in thread T3
// CHECK: thread-uaf.c:[[@LINE-3]] // CHECK: thread-uaf.c:[[@LINE-3]]
// CHECK: freed by thread T2 here // CHECK: freed by thread T2 here
// CHECK: in Deallocate // CHECK: in Deallocate
// CHECK: previously allocated here: // CHECK: previously allocated here:
// CHECK: in Allocate // CHECK: in Allocate
// CHECK: Thread: T2 0x // CHECK-DAG: Thread: T2 0x
// CHECK: Thread: T3 0x // CHECK-DAG: Thread: T3 0x
// CHECK-DAG: Thread: T0 0x // CHECK-DAG: Thread: T0 0x
// CHECK-DAG: Thread: T1 0x // CHECK-DAG: Thread: T1 0x
__sync_fetch_and_add(&state, 1); __sync_fetch_and_add(&state, 1);
return NULL; return NULL;
} }
int main() { int main() {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
Show All 12 Lines