[PATCH] D27083: [sanitizer] Handle malloc_destroy_zone() on Darwin
Kuba (Brecka) Mracek via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Tue Nov 29 12:27:07 PST 2016
kubabrecka removed rL LLVM as the repository for this revision.
kubabrecka updated this revision to Diff 79620.
kubabrecka added a comment.
Updating patch.
> Please split this in two commits: The malloc_zone_destroy part and the bugfix for malloc_zones[0]. They seem orthogonal.
Ok, I'll commit this separately.
> I'd really like a test for the malloc_zones[0] problem, though. Is it not possible at all? Does it happen only on certain versions (as in: maybe it was a bug somewhere else)?
> you might want to check if anyone that's using ASan on the mac on more complex systems (Google Chrome?) have something to say.
I'm afraid I can't come up with a test for this. This was a "bug" (or rather an incompatible change) in some versions of libmalloc on macOS, where in certain cases this mprotect() interceptor was needed; but I believe the problem was fixed before ending in any public release. We have been using this patch internally for a long time now, so it should be safe.
https://reviews.llvm.org/D27083
Files:
lib/sanitizer_common/sanitizer_malloc_mac.inc
test/asan/TestCases/Darwin/malloc_destroy_zone.cc
Index: test/asan/TestCases/Darwin/malloc_destroy_zone.cc
===================================================================
--- test/asan/TestCases/Darwin/malloc_destroy_zone.cc
+++ test/asan/TestCases/Darwin/malloc_destroy_zone.cc
@@ -0,0 +1,21 @@
+// RUN: %clangxx_asan %s -o %t && %run %t 2>&1 | FileCheck %s
+
+#include <malloc/malloc.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int main() {
+ fprintf(stderr, "start\n");
+ malloc_zone_t *zone = malloc_create_zone(0, 0);
+ fprintf(stderr, "zone = %p\n", zone);
+ malloc_set_zone_name(zone, "myzone");
+ fprintf(stderr, "name changed\n");
+ malloc_destroy_zone(zone);
+ fprintf(stderr, "done\n");
+ return 0;
+}
+
+// CHECK: start
+// CHECK-NEXT: zone = 0x{{.*}}
+// CHECK-NEXT: name changed
+// CHECK-NEXT: done
Index: lib/sanitizer_common/sanitizer_malloc_mac.inc
===================================================================
--- lib/sanitizer_common/sanitizer_malloc_mac.inc
+++ lib/sanitizer_common/sanitizer_malloc_mac.inc
@@ -46,9 +46,44 @@
// This matches the behavior of malloc_create_zone() on OSX 10.7 and higher.
mprotect(new_zone, allocated_size, PROT_READ);
}
+ // We're explicitly *NOT* registering the zone.
return new_zone;
}
+INTERCEPTOR(void, malloc_destroy_zone, malloc_zone_t *zone) {
+ COMMON_MALLOC_ENTER();
+ // We don't need to do anything here. We're not registering new zones, so we
+ // don't to unregister. Just un-mprotect and free() the zone.
+ if (GetMacosVersion() >= MACOS_VERSION_LION) {
+ uptr page_size = GetPageSizeCached();
+ uptr allocated_size = RoundUpTo(sizeof(sanitizer_zone), page_size);
+ mprotect(zone, allocated_size, PROT_READ | PROT_WRITE);
+ }
+ COMMON_MALLOC_FREE(zone);
+}
+
+extern unsigned malloc_num_zones;
+extern malloc_zone_t **malloc_zones;
+
+// If libmalloc tries to set up a different zone as malloc_zones[0], it will
+// call mprotect(malloc_zones, ..., PROT_READ). This interceptor will catch
+// that and make sure we are still the first (default) zone.
+INTERCEPTOR(int, mprotect, void *addr, size_t len, int prot) {
+ if (addr == malloc_zones && prot == PROT_READ) {
+ if (malloc_num_zones > 0 && malloc_zones[0] != &sanitizer_zone) {
+ for (unsigned i = 0; i < malloc_num_zones; i++) {
+ if (malloc_zones[i] == &sanitizer_zone) {
+ // Swap malloc_zones[0] and malloc_zones[i].
+ malloc_zones[i] = malloc_zones[0];
+ malloc_zones[0] = &sanitizer_zone;
+ break;
+ }
+ }
+ }
+ }
+ return REAL(mprotect)(addr, len, prot);
+}
+
INTERCEPTOR(malloc_zone_t *, malloc_default_zone, void) {
COMMON_MALLOC_ENTER();
return &sanitizer_zone;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D27083.79620.patch
Type: text/x-patch
Size: 2682 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20161129/acaf081a/attachment.bin>
More information about the llvm-commits
mailing list