[compiler-rt] [scudo][Fuchsia] Avoid variable access after unmap (PR #102344)
Caslyn Tonelli via llvm-commits
llvm-commits at lists.llvm.org
Wed Aug 7 11:02:20 PDT 2024
https://github.com/Caslyn created https://github.com/llvm/llvm-project/pull/102344
Following #102024, unmap() no longer transfers ownership of the MemMapT instance before it performs the unmapping. Since the instance itself is stored in the mapped pages, instance variable accesses in MemMapFuchsia::unmapImpl() cannot be safely made after the zx_vmar_unmap() call.
This PR re-arranges variable accesses in MemMapFuchsia::unmapImpl to before the zx_vmar_unmap() call. This should resolve the crash that surfaced in Fuchsia's Scudo integration roller: https://ci.chromium.org/ui/p/turquoise/builders/global.try/core.arm64-release/b8740290070678159665/overview
From bafd4adf347b7dd634094c1348f20d965732a1c0 Mon Sep 17 00:00:00 2001
From: Caslyn Tonelli <caslyn at google.com>
Date: Wed, 7 Aug 2024 10:48:37 -0700
Subject: [PATCH] [scudo][Fuchsia] Avoid variable access after unmap
Following PR#102024, unmap() will not temporarily transfer ownership of
the MemMapT instance before it performs the unmapping. Since the
instance itself is stored in the mapped pages, instance variable
accesses in MemMapFuchsia::unmapImpl() cannot be safely made after the
zx_vmar_unmap() call.
This PR re-arranges variable accesses in MemMapFuchsia::unmapImpl to
before the zx_vmar_unmap() call.
---
compiler-rt/lib/scudo/standalone/mem_map_fuchsia.cpp | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/compiler-rt/lib/scudo/standalone/mem_map_fuchsia.cpp b/compiler-rt/lib/scudo/standalone/mem_map_fuchsia.cpp
index 9d6df2bc699969..b98e594ad4735f 100644
--- a/compiler-rt/lib/scudo/standalone/mem_map_fuchsia.cpp
+++ b/compiler-rt/lib/scudo/standalone/mem_map_fuchsia.cpp
@@ -156,11 +156,13 @@ void MemMapFuchsia::unmapImpl(uptr Addr, uptr Size) {
// the same operations in the opposite order.
Status = _zx_handle_close(Vmo);
CHECK_EQ(Status, ZX_OK);
- Status = _zx_vmar_unmap(_zx_vmar_root_self(), Addr, Size);
- CHECK_EQ(Status, ZX_OK);
+ Vmo = ZX_HANDLE_INVALID;
MapAddr = WindowBase = WindowSize = 0;
- Vmo = ZX_HANDLE_INVALID;
+
+ // NB: This instance is stored on the pages that will become unmapped.
+ Status = _zx_vmar_unmap(_zx_vmar_root_self(), Addr, Size);
+ CHECK_EQ(Status, ZX_OK);
} else {
// Unmap the subrange.
Status = _zx_vmar_unmap(_zx_vmar_root_self(), Addr, Size);
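Review bot: the NB comment introduced before the moved `_zx_vmar_unmap()` call should state the invariant explicitly, not just the fact: no member of this object may be read or written once that call returns, because the object lives in the pages being unmapped. The `CHECK_EQ(Status, ZX_OK)` that follows is only safe if `Status` is a function-local, and its declaration is not visible in this hunk; if it were ever turned into a member, that check would itself read unmapped memory. Suggest wording such as `// NB: This instance lives in the pages unmapped below; do not touch any member after this call.` so the constraint survives future edits.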