[libcxx-commits] [PATCH] D144155: [ASan]Unpoisoning vectors memory before deallocation

Tacet via Phabricator via libcxx-commits libcxx-commits at lists.llvm.org
Wed Feb 15 18:42:09 PST 2023


AdvenamTacet created this revision.
Herald added a project: All.
AdvenamTacet requested review of this revision.
Herald added a project: libc++.
Herald added a subscriber: libcxx-commits.
Herald added a reviewer: libc++.

This revision fixes unpoisoning in std::vector.

A call to `__annotate_delete()` in `operator()` is moved after a call to `clear()`, because clear may poison memory (as container overflow - fc).
It also adds unpoisoning of memory before passing it to the deallocator in `__vdeallocate()` and `__destroy_vector`.

This guarantees that `__alloc_traits::deallocate` may access the returned memory.

The change is motivated by false positives after committing D136765 <https://reviews.llvm.org/D136765> (currently reverted):

- https://bugs.chromium.org/p/chromium/issues/detail?id=1410719#c6
- https://github.com/llvm/llvm-project/issues/60384 (minimal failing example)

The standard deallocator does not access the memory, so it does not produce an error, but the fix is necessary to turn on support for non-standard allocators.

Additionally, with that change, revision D136765 <https://reviews.llvm.org/D136765> should not cause false positives, as returned memory will always be unpoisoned.
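The scenario the description refers to, as an added example that is not part of this revision or of libc++: a hypothetical `ScrubbingAllocator` (the name, the `ScrubStats` record and `run_scrubbed_vector()` are all assumptions for illustration) whose `deallocate()` touches every byte of the block before freeing it, which is what a secret-wiping allocator does. A `std::vector` built with it is given spare capacity, so the bytes between `end()` and the end of capacity are poisoned as container overflow while the vector is alive; after `clear()` the whole block is poisoned. With the ordering in this patch, `__annotate_delete()` runs before `deallocate()` and the block is unpoisoned when the allocator writes to it. Under ASan the allocator also records whether any byte of the region it was handed was still poisoned, which is the direct check for the property the description states. The poison query is only compiled in when the translation unit is built with `-fsanitize=address`; without that flag the program simply exercises the allocator.

```cpp
#include <cstddef>
#include <new>
#include <vector>

// ASan's public interface is only pulled in when this TU is built with
// -fsanitize=address (Clang: __has_feature(address_sanitizer), GCC:
// __SANITIZE_ADDRESS__). Otherwise the poison check below is compiled out.
#if defined(__SANITIZE_ADDRESS__)
#  define EXAMPLE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define EXAMPLE_ASAN 1
#  endif
#endif
#ifdef EXAMPLE_ASAN
#  include <sanitizer/asan_interface.h>
#endif

// Assumed bookkeeping record (not from libc++): what the allocator observed.
struct ScrubStats {
    std::size_t bytes_scrubbed = 0;    // bytes written by deallocate()
    std::size_t poisoned_regions = 0;  // blocks handed back while still poisoned
};

// Hypothetical "non-standard" allocator: wipes a block before returning it to
// the heap, i.e. deallocate() reads and writes the memory it is given.
template <class T>
struct ScrubbingAllocator {
    using value_type = T;
    ScrubStats* stats;

    explicit ScrubbingAllocator(ScrubStats* s) : stats(s) {}
    template <class U>
    ScrubbingAllocator(const ScrubbingAllocator<U>& o) : stats(o.stats) {}

    T* allocate(std::size_t n) {
        return static_cast<T*>(::operator new(n * sizeof(T)));
    }

    // vector passes capacity() here, so the wipe covers the tail beyond size()
    // that ASan keeps poisoned while the vector is alive. If __annotate_delete()
    // had not run first, the write below would be reported as container-overflow.
    void deallocate(T* p, std::size_t n) {
        const std::size_t len = n * sizeof(T);
#ifdef EXAMPLE_ASAN
        if (__asan_region_is_poisoned(p, len) != nullptr)
            ++stats->poisoned_regions;
#endif
        // volatile stores so the compiler cannot drop the wipe as a dead store
        // before operator delete.
        volatile unsigned char* bytes = reinterpret_cast<volatile unsigned char*>(p);
        for (std::size_t i = 0; i < len; ++i) bytes[i] = 0;
        stats->bytes_scrubbed += len;
        ::operator delete(p);
    }
};

template <class T, class U>
bool operator==(const ScrubbingAllocator<T>& a, const ScrubbingAllocator<U>& b) {
    return a.stats == b.stats;
}
template <class T, class U>
bool operator!=(const ScrubbingAllocator<T>& a, const ScrubbingAllocator<U>& b) {
    return !(a == b);
}

// Builds a vector with reserve > size so the region past end() is annotated
// as unaddressable, then destroys it. The destructor runs the sequence from
// the patch: clear(), __annotate_delete(), deallocate(begin, capacity()).
ScrubStats run_scrubbed_vector(std::size_t reserve, std::size_t fill) {
    ScrubStats stats;
    {
        ScrubbingAllocator<int> alloc(&stats);
        std::vector<int, ScrubbingAllocator<int>> v(alloc);
        v.reserve(reserve);
        for (std::size_t i = 0; i < fill; ++i) v.push_back(static_cast<int>(i));
    }
    return stats;
}

int main() {
    ScrubStats s = run_scrubbed_vector(64, 3);
    // expect the whole capacity wiped and no block handed back while poisoned
    return (s.bytes_scrubbed == 64 * sizeof(int) && s.poisoned_regions == 0) ? 0 : 1;
}
```

To observe the annotation interaction rather than just the wipe, build against libc++ with `clang++ -std=c++17 -stdlib=libc++ -fsanitize=address`; a non-zero `poisoned_regions` or an ASan container-overflow report at the wipe loop means `deallocate()` received memory that was still poisoned, which is exactly the false positive the description attributes to the pre-patch ordering once annotations are enabled for non-standard allocators. Whether libc++ annotates a vector using this allocator at all depends on D136765 being in place; this example only checks the invariant the patch is meant to guarantee.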


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D144155

Files:
  libcxx/include/vector


Index: libcxx/include/vector
===================================================================
--- libcxx/include/vector
+++ libcxx/include/vector
@@ -439,11 +439,11 @@
       _LIBCPP_CONSTEXPR __destroy_vector(vector& __vec) : __vec_(__vec) {}
 
       _LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_HIDE_FROM_ABI void operator()() {
-          __vec_.__annotate_delete();
           std::__debug_db_erase_c(std::addressof(__vec_));
 
           if (__vec_.__begin_ != nullptr) {
             __vec_.__clear();
+            __vec_.__annotate_delete();
             __alloc_traits::deallocate(__vec_.__alloc(), __vec_.__begin_, __vec_.capacity());
           }
       }
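Review bot: moving `__vec_.__annotate_delete()` inside the `if (__vec_.__begin_ != nullptr)` block also drops the call for the empty-buffer case, which the old code made unconditionally; that is presumably harmless because there is no block to unpoison, but please confirm `__annotate_delete()` was a no-op for a null `__begin_` so this is not a silent behaviour change. The new order (`__clear()`, then `__annotate_delete()`, then `deallocate`) is the right one given that `__clear()` re-poisons the now-unused range, and it now matches the other two sites in this patch.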
@@ -866,6 +866,7 @@
     if (__alloc() != __c.__alloc())
     {
       __clear();
+      __annotate_delete();
       __alloc_traits::deallocate(__alloc(), this->__begin_, capacity());
       this->__begin_ = this->__end_ = __end_cap() = nullptr;
     }
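Review bot: the reason the annotation must come after `__clear()` rather than before it is not obvious from the code, and the original order in `__destroy_vector` shows how easy it is to get wrong; a one-line comment at this site (or at a shared helper) along the lines of `// __clear() poisons [begin, end_cap); unpoison before handing the block to the allocator` would keep a future cleanup from reverting it. Since this three-line sequence (`__clear()`, `__annotate_delete()`, `__alloc_traits::deallocate(...)`) is now repeated verbatim at three sites, consider folding it into a single private helper.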
@@ -954,6 +955,7 @@
     if (this->__begin_ != nullptr)
     {
         clear();
+        __annotate_delete();
         __alloc_traits::deallocate(this->__alloc(), this->__begin_, capacity());
         this->__begin_ = this->__end_ = this->__end_cap() = nullptr;
     }
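Review bot: the patch touches only `libcxx/include/vector` and adds no test, so nothing locks in the property the description states, that `__alloc_traits::deallocate` receives unpoisoned memory. A regression test with a custom allocator whose `deallocate()` writes to the block (run under ASan with container annotations enabled) would fail with the pre-patch order and pass with this one; please add it alongside the existing ASan vector tests. Minor: this site calls the public `clear()` while the other two call `__clear()`; not introduced here, but worth making consistent while the three sites are being aligned.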

