[DFSan] Don't unmap during dfsan_flush().
Unmapping and remapping is dangerous since another thread could touch the shadow memory while it is unmapped. But there is really no need to unmap anyway, since mmap(MAP_FIXED) will happily clobber the existing mapping with zeroes. This is thread-safe since the mmap() is done under the same kernel lock that page faults take. Reviewed By: vitalybuka Differential Revision: https://reviews.llvm.org/D85947
parent
65049f9b79
commit
bb3a3da38d
@ -80,9 +80,11 @@ dfsan_label dfsan_has_label_with_desc(dfsan_label label, const char *desc);
|
||||||
size_t dfsan_get_label_count(void);
|
size_t dfsan_get_label_count(void);
|
||||||
|
|
||||||
/// Flushes the DFSan shadow, i.e. forgets about all labels currently associated
|
/// Flushes the DFSan shadow, i.e. forgets about all labels currently associated
|
||||||
/// with the application memory. Will work only if there are no other
|
/// with the application memory. Use this call to start over the taint tracking
|
||||||
/// threads executing DFSan-instrumented code concurrently.
|
/// within the same process.
|
||||||
/// Use this call to start over the taint tracking within the same procces.
|
///
|
||||||
|
/// Note: If another thread is working with tainted data during the flush, that
|
||||||
|
/// taint could still be written to shadow after the flush.
|
||||||
void dfsan_flush(void);
|
void dfsan_flush(void);
|
||||||
|
|
||||||
/// Sets a callback to be invoked on calls to write(). The callback is invoked
|
/// Sets a callback to be invoked on calls to write(). The callback is invoked
|
||||||
|
|
|
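Review bot: The new comment block above dfsan_flush() describes the concurrent-writer caveat but not the failure mode: the paired dfsan.cpp hunk calls Die() when MmapFixedNoReserve() fails, so a caller has no way to recover from a failed flush and should know that before calling it from a long-running process. I'd add one line to the block: `/// Aborts the process if the shadow region cannot be remapped.` Since this commit deletes the old "will work only if there are no other threads" restriction, it is also worth stating the positive property explicitly — that calling dfsan_flush() while other threads execute instrumented code is supported — rather than leaving the reader to infer it from the note about racing taint.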
@ -428,7 +428,6 @@ static void dfsan_fini() {
|
||||||
}
|
}
|
||||||
|
|
||||||
extern "C" void dfsan_flush() {
|
extern "C" void dfsan_flush() {
|
||||||
UnmapOrDie((void*)ShadowAddr(), UnusedAddr() - ShadowAddr());
|
|
||||||
if (!MmapFixedNoReserve(ShadowAddr(), UnusedAddr() - ShadowAddr()))
|
if (!MmapFixedNoReserve(ShadowAddr(), UnusedAddr() - ShadowAddr()))
|
||||||
Die();
|
Die();
|
||||||
}
|
}
|
||||||
|
|
|
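Review bot: The reason the UnmapOrDie() call was dropped exists only in the commit message; a future reader who sees a bare MmapFixedNoReserve() over a live mapping may well reinstate the unmap, reopening the window in which a concurrent instrumented thread faults on unmapped shadow. I'd put the rationale next to the call: `// Intentionally no unmap first: another thread may be touching the shadow. MAP_FIXED replaces the live mapping with zero pages atomically w.r.t. page faults.` The argument also depends on MmapFixedNoReserve() using MAP_FIXED (not MAP_FIXED_NOREPLACE) and on the region being a private anonymous mapping that can be clobbered; neither is visible in this hunk, so the comment should name those assumptions. Two dfsan_flush() calls racing each other both zero the same range, which looks harmless, and the Die() on failure is consistent with the runtime's other fatal paths as far as this hunk shows.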
@ -0,0 +1,36 @@
|
||||||
|
// Tests that doing dfsan_flush() while another thread is executing doesn't
|
||||||
|
// segfault.
|
||||||
|
// RUN: %clang_dfsan %s -o %t && %run %t
|
||||||
|
#include <assert.h>
|
||||||
|
#include <pthread.h>
|
||||||
|
#include <sanitizer/dfsan_interface.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
|
||||||
|
static unsigned char GlobalBuf[4096];
|
||||||
|
static int ShutDownThread;
|
||||||
|
static int StartFlush;
|
||||||
|
|
||||||
|
// Access GlobalBuf continuously, causing its shadow to be touched as well.
|
||||||
|
// When main() calls dfsan_flush(), no segfault should be triggered.
|
||||||
|
static void *accessGlobalInBackground(void *Arg) {
|
||||||
|
__atomic_store_n(&StartFlush, 1, __ATOMIC_RELEASE);
|
||||||
|
|
||||||
|
while (!__atomic_load_n(&ShutDownThread, __ATOMIC_ACQUIRE))
|
||||||
|
for (unsigned I = 0; I < sizeof(GlobalBuf); ++I)
|
||||||
|
++GlobalBuf[I];
|
||||||
|
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
pthread_t Thread;
|
||||||
|
pthread_create(&Thread, NULL, accessGlobalInBackground, NULL);
|
||||||
|
while (!__atomic_load_n(&StartFlush, __ATOMIC_ACQUIRE))
|
||||||
|
; // Spin
|
||||||
|
|
||||||
|
dfsan_flush();
|
||||||
|
|
||||||
|
__atomic_store_n(&ShutDownThread, 1, __ATOMIC_RELEASE);
|
||||||
|
pthread_join(Thread, NULL);
|
||||||
|
return 0;
|
||||||
|
}
|
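Review bot: The pthread_create() return value at the top of main() is ignored, and on failure main() then spins forever on StartFlush, so an environment that cannot create a thread turns this regression test into a hang rather than a failure; `if (pthread_create(&Thread, NULL, accessGlobalInBackground, NULL) != 0) abort();` keeps it fail-fast, and <stdlib.h> is already included for abort(). <assert.h> is included but never used — either drop it or use it on the pthread_join() result. The test can only detect a crash, not a flush that fails to clear labels; that is reasonable for a test named for the segfault, but a sentence in the header comment saying the test deliberately makes no assertion about label values would save the next reader from looking for one.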