From f458d9f6f892c3765174ad8f0cc912d930329f43 Mon Sep 17 00:00:00 2001 From: Leonard Grey Date: Thu, 1 Sep 2022 10:58:13 -0400 Subject: [PATCH] [lsan][darwin] Unmask camouflaged class_rw_t pointers Detailed motivation here: https://docs.google.com/document/d/1xUNo5ovPKJMYxitiHUQVRxGI3iUmspI51Jm4w8puMwo check-asan (with LSAN enabled) and check-lsan are currently broken on recent macOS versions, due to pervasive false positives. Whenever the Objective-C runtime realizes a class, it allocates data for it, then stores that data with flags in the low bits. This means LSAN can not recognize it as a pointer while scanning. This change checks every potential pointer on Apple platforms, and if the high bit is set, attempts to extract a pointer by masking out the high bit and flags. This is ugly, but it's also the best approach I could think of (see doc above); very open to other suggestions. Differential Revision: https://reviews.llvm.org/D133126 --- compiler-rt/lib/lsan/lsan_common.cpp | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/compiler-rt/lib/lsan/lsan_common.cpp b/compiler-rt/lib/lsan/lsan_common.cpp index 94bb3cc..ade0b80 100644 --- a/compiler-rt/lib/lsan/lsan_common.cpp +++ b/compiler-rt/lib/lsan/lsan_common.cpp @@ -26,6 +26,18 @@ #include "sanitizer_common/sanitizer_tls_get_addr.h" #if CAN_SANITIZE_LEAKS + +# if SANITIZER_APPLE +// https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-runtime-new.h#L127 +# if SANITIZER_IOS && !SANITIZER_IOSSIM +# define OBJC_DATA_MASK 0x0000007ffffffff8UL +# else +# define OBJC_DATA_MASK 0x00007ffffffffff8UL +# endif +// https://github.com/apple-oss-distributions/objc4/blob/8701d5672d3fd3cd817aeb84db1077aafe1a1604/runtime/objc-runtime-new.h#L139 +# define OBJC_FAST_IS_RW 0x8000000000000000UL +# endif + namespace __lsan { // This mutex is used to prevent races between DoLeakCheck and IgnoreObject, and @@ -160,6 +172,17 @@ static uptr GetCallerPC(const StackTrace &stack) { return 0; } +# if SANITIZER_APPLE +// Objective-C class data pointers are stored with flags in the low bits, so +// they need to be transformed back into something that looks like a pointer. +static inline void *MaybeTransformPointer(void *p) { + uptr ptr = reinterpret_cast(p); + if ((ptr & OBJC_FAST_IS_RW) == OBJC_FAST_IS_RW) + ptr &= OBJC_DATA_MASK; + return reinterpret_cast(ptr); +} +# endif + // On Linux, treats all chunks allocated from ld-linux.so as reachable, which // covers dynamically allocated TLS blocks, internal dynamic loader's loaded // modules accounting etc. @@ -276,6 +299,9 @@ void ScanRangeForPointers(uptr begin, uptr end, Frontier *frontier, pp = pp + alignment - pp % alignment; for (; pp + sizeof(void *) <= end; pp += alignment) { void *p = *reinterpret_cast(pp); +# if SANITIZER_APPLE + p = MaybeTransformPointer(p); +# endif if (!MaybeUserPointer(reinterpret_cast(p))) continue; uptr chunk = PointsIntoChunk(p); -- 2.7.4