forked from OSchip/llvm-project
3afc797e42
Summary: There is a race window in the deallocation path when the Quarantine is bypassed. Initially we would just erase the header of a chunk if we were not to use the Quarantine, as opposed to using a compare-exchange primitive, to make things faster. It turned out to be a poor decision, as 2 threads (or more) could simultaneously deallocate the same pointer, and if the checks were to done before the header got erased, this would result in the pointer being added twice (or more) to distinct thread caches, and eventually be reused. Winning the race is not trivial but can happen with enough control over the allocation primitives. The repro added attempts to trigger the bug, with a moderate success rate, but it should be enough to notice if the bug ever make its way back into the code. Since I am changing things in this file, there are 2 smaller changes tagging along, marking a variable `const`, and improving the Quarantine bypass test at runtime. Reviewers: alekseyshl, eugenis, kcc, vitalybuka Reviewed By: eugenis, vitalybuka Subscribers: delcypher, #sanitizers, llvm-commits Differential Revision: https://reviews.llvm.org/D50655 llvm-svn: 339705 |
||
|---|---|---|
| .. | ||
| CMakeLists.txt | ||
| aligned-new.cpp | ||
| alignment.c | ||
| dealloc-race.c | ||
| double-free.cpp | ||
| fsanitize.c | ||
| interface.cpp | ||
| lit.cfg | ||
| lit.site.cfg.in | ||
| malloc.cpp | ||
| memalign.c | ||
| mismatch.cpp | ||
| options.cpp | ||
| overflow.c | ||
| preinit.c | ||
| preload.cpp | ||
| quarantine.c | ||
| random_shuffle.cpp | ||
| realloc.cpp | ||
| rss.c | ||
| secondary.c | ||
| sized-delete.cpp | ||
| sizes.cpp | ||
| stats.c | ||
| symbols.test | ||
| threads.c | ||
| tsd_destruction.c | ||
| valloc.c | ||