From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2126) id 0EE673858408; Tue, 16 Apr 2024 22:53:50 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 0EE673858408 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1713308030; bh=qcGFLgrOFs1vQn2ptzSNkPYCTgwDtT8Umo//ax947pg=; h=From:To:Subject:Date:From; b=YIYc6bR52HjQ+tsCX5OJKoNe5rgt3vU/T5m+3d5plI+GED33RgobEGEVOsIapKqH0 HiJAGp3HiQC2f25iexkQelaaGuOpD/ARC9WLaq1ALQJdCHZycMIaSYjyv7noqYduCR uf4aCK1iBBULYj3SRM5XD/EctBydiZODVhIIqDiY= Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable 
From: Tom Tromey To: binutils-cvs@sourceware.org Subject: [binutils-gdb] Avoid cache race in bfd_check_format_matches X-Act-Checkin: binutils-gdb X-Git-Author: Tom Tromey X-Git-Refname: refs/heads/master X-Git-Oldrev: bacc61fd3e6fd61a59fb59bcc657be17a381520d X-Git-Newrev: 20bf7711bce2188c1af985a87df23c4653c2cc7a Message-Id: <20240416225350.0EE673858408@sourceware.org> Date: Tue, 16 Apr 2024 22:53:50 +0000 (GMT) List-Id: https://sourceware.org/git/gitweb.cgi?p=3Dbinutils-gdb.git;h=3D20bf7711bce2= 188c1af985a87df23c4653c2cc7a commit 20bf7711bce2188c1af985a87df23c4653c2cc7a Author: Tom Tromey Date: Sat Mar 23 15:19:20 2024 -0600 Avoid cache race in bfd_check_format_matches =20 Running the gdb test suite with the thread sanitizer enabled shows a race when bfd_check_format_matches and bfd_cache_close_all are called simultaneously on different threads. =20 This patch fixes this race by having bfd_check_format_matches temporarily remove the BFD from the file descriptor cache -- leaving it open while format-checking proceeds. =20 In this setup, the BFD client is responsible for closing the BFD again on the "checking" thread, should that be desired. gdb does this by calling bfd_cache_close in the relevant worker thread. =20 An earlier version of this patch omitted the "possibly_cached" helper function. However, this ran into crashes in the binutils test suite involving the archive-checking abort in bfd_cache_lookup_worker. I do not understand the purpose of this check, so I've simply had the new function work around it. I couldn't find any comments explaining this situation, either. I suspect that there may still be races related to this case, but I don't think I have access to the platforms where gdb deals with archives. 
=20 Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=3D31264 Diff: --- bfd/bfd-in2.h | 6 +++++ bfd/bfd.c | 6 +++++ bfd/cache.c | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++= +--- bfd/format.c | 16 +++++++++++- bfd/libbfd.h | 2 ++ 5 files changed, 109 insertions(+), 5 deletions(-) diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h index 109de767a39..e3b5a8b8522 100644 --- a/bfd/bfd-in2.h +++ b/bfd/bfd-in2.h @@ -2186,6 +2186,12 @@ struct bfd /* LTO object type. */ ENUM_BITFIELD (bfd_lto_object_type) lto_type : 2; =20 + /* Set if this BFD is currently being processed by + bfd_check_format_matches. This is checked by the cache to + avoid closing the BFD in this case. This should only be + examined or modified while the BFD lock is held. */ + unsigned int in_format_matches : 1; + /* Set to dummy BFD created when claimed by a compiler plug-in library. */ bfd *plugin_dummy_bfd; diff --git a/bfd/bfd.c b/bfd/bfd.c index ace2f67954f..ae79c6490b5 100644 --- a/bfd/bfd.c +++ b/bfd/bfd.c @@ -307,6 +307,12 @@ CODE_FRAGMENT . {* LTO object type. *} . ENUM_BITFIELD (bfd_lto_object_type) lto_type : 2; . +. {* Set if this BFD is currently being processed by +. bfd_check_format_matches. This is checked by the cache to +. avoid closing the BFD in this case. This should only be +. examined or modified while the BFD lock is held. *} +. unsigned int in_format_matches : 1; +. . {* Set to dummy BFD created when claimed by a compiler plug-in . library. *} . bfd *plugin_dummy_bfd; diff --git a/bfd/cache.c b/bfd/cache.c index 0f994c74239..5c825433b62 100644 --- a/bfd/cache.c +++ b/bfd/cache.c 
@@ -226,6 +226,20 @@ close_one (void) ? (FILE *) (bfd_last_cache->iostream) \ : bfd_cache_lookup_worker (x, flag)) =20 +/* A helper function that returns true if ABFD can possibly be cached + -- that is, whether bfd_cache_lookup_worker will accept it. */ + +static bool +possibly_cached (bfd *abfd) +{ + if ((abfd->flags & BFD_IN_MEMORY) !=3D 0) + return false; + if (abfd->my_archive !=3D NULL + && !bfd_is_thin_archive (abfd->my_archive)) + return false; + return true; +} + /* Called when the macro <> fails to find a quick answer. Find a file descriptor for @var{abfd}. If necessary, it open it. If there are already more than @@ -236,12 +250,17 @@ close_one (void) static FILE * bfd_cache_lookup_worker (bfd *abfd, enum cache_flag flag) { - if ((abfd->flags & BFD_IN_MEMORY) !=3D 0) + if (!possibly_cached (abfd)) abort (); =20 - if (abfd->my_archive !=3D NULL - && !bfd_is_thin_archive (abfd->my_archive)) - abort (); + /* If the BFD is being processed by bfd_check_format_matches, it + must already be open and won't be on the list. */ + if (abfd->in_format_matches) + { + if (abfd->iostream =3D=3D NULL) + abort (); + return (FILE *) abfd->iostream; + } =20 if (abfd->iostream !=3D NULL) { 
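Review bot: The new `if (abfd->in_format_matches)` test in bfd_cache_lookup_worker reads a field whose declaration comment (bfd-in2.h hunk) says it should only be examined while the BFD lock is held, but nothing in this hunk takes the lock or states that callers hold it. If every user of the `bfd_cache_lookup` macro is expected to hold the lock already, say so next to the check, e.g. `/* Caller must hold the BFD lock; in_format_matches is only valid under it. */`. The branch also calls `abort ()` when `iostream` is NULL, so it relies on bfd_cache_set_uncloseable never leaving the flag set without an open stream. The function body continues past the end of the hunk.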
@@ -654,6 +673,63 @@ bfd_cache_close_all (void) return ret; } =20 +/* +INTERNAL_FUNCTION + bfd_cache_set_uncloseable + +SYNOPSIS + bool bfd_cache_set_uncloseable (bfd *abfd, bool value, bool *old); + +DESCRIPTION + Internal function to mark ABFD as either closeable or not. + This is used by bfd_check_format_matches to avoid races + where bfd_cache_close_all is called in another thread. + VALUE is true to mark the BFD as temporarily uncloseable + by the cache; false to mark it as closeable once again. + OLD, if non-NULL, is set to the previous value of the flag. + Returns false on error, true on success. +*/ + +bool +bfd_cache_set_uncloseable (bfd *abfd, bool value, bool *old) +{ + bool result =3D true; + + if (!bfd_lock ()) + return false; + if (old !=3D NULL) + *old =3D abfd->in_format_matches; + + /* Only perform any action when the state changes,and only when this + BFD is actually using the cache. */ + if (value !=3D abfd->in_format_matches + && abfd->iovec =3D=3D &cache_iovec + && possibly_cached (abfd)) + { + if (value) + { + /* Marking as uncloseable for the first time. Ensure the + file is open, and remove from the cache list. */ + FILE *f =3D bfd_cache_lookup (abfd, CACHE_NORMAL); + if (f =3D=3D NULL) + result =3D false; + else + snip (abfd); + } + else + { + /* Mark as closeable again. */ + insert (abfd); + } + + abfd->in_format_matches =3D value; + } + + if (!bfd_unlock ()) + return false; + return result; +} + /* FUNCTION bfd_cache_size diff --git a/bfd/format.c b/bfd/format.c index 2a700bab557..443fc6dbde0 100644 --- a/bfd/format.c +++ b/bfd/format.c 
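Review bot: When `bfd_cache_lookup` returns NULL in the `value` branch of bfd_cache_set_uncloseable, `result` becomes false but the following `abfd->in_format_matches = value;` still sets the flag, so the BFD is marked uncloseable with no open stream and without having been snipped from the list. The new call site in bfd/format.c returns at once on that failure without restoring the flag, and the new branch in bfd_cache_lookup_worker calls `abort ()` when the flag is set and `iostream` is NULL, so a file that fails to open could presumably cause a process abort on a later cache access. Guard the assignment with `if (result) abfd->in_format_matches = value;`. Separately, the `return false` on `bfd_unlock` failure discards `result` after the state has already changed, which deserves a short comment.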
@@ -86,6 +86,13 @@ DESCRIPTION =20 o <> - more than one backend recognised the file format. + + When calling bfd_check_format (or bfd_check_format_matches), + any underlying file descriptor will be kept open for the + duration of the call. This is done to avoid races when + another thread calls bfd_cache_close_all. In this scenario, + the thread calling bfd_check_format must call bfd_cache_close + itself. */ =20 bool @@ -383,6 +390,7 @@ bfd_check_format_matches (bfd *abfd, bfd_format format,= char ***matching) bfd_cleanup cleanup =3D NULL; struct per_xvec_messages messages =3D { abfd, PER_XVEC_NO_TARGET, NULL, = NULL }; struct per_xvec_messages *orig_messages; + bool old_in_format_matches; =20 if (matching !=3D NULL) *matching =3D NULL; @@ -410,6 +418,11 @@ bfd_check_format_matches (bfd *abfd, bfd_format format= , char ***matching) return false; } =20 + /* Avoid clashes with bfd_cache_close_all running in another + thread. */ + if (!bfd_cache_set_uncloseable (abfd, true, &old_in_format_matches)) + return false; + /* Presume the answer is yes. */ abfd->format =3D format; save_targ =3D abfd->xvec; @@ -665,7 +678,7 @@ bfd_check_format_matches (bfd *abfd, bfd_format format,= char ***matching) bfd_set_lto_type (abfd); =20 /* File position has moved, BTW. */ - return true; + return bfd_cache_set_uncloseable (abfd, old_in_format_matches, NULL); } =20 if (match_count =3D=3D 0) @@ -708,6 +721,7 @@ bfd_check_format_matches (bfd *abfd, bfd_format format,= char ***matching) bfd_preserve_restore (abfd, &preserve); _bfd_restore_error_handler_caching (orig_messages); print_and_clear_messages (&messages, PER_XVEC_NO_TARGET); + bfd_cache_set_uncloseable (abfd, old_in_format_matches, NULL); return false; } =20 diff --git a/bfd/libbfd.h b/bfd/libbfd.h index d1062620d65..5e8ed9eeefe 100644 --- a/bfd/libbfd.h +++ b/bfd/libbfd.h 
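Review bot: The success path `return bfd_cache_set_uncloseable (abfd, old_in_format_matches, NULL);` now returns false when only the flag restore fails, after `abfd->format` has been set and without the `bfd_preserve_restore` that the error path performs. Per the cache.c hunk, a restore with `value` false can fail only through `bfd_lock` or `bfd_unlock`, and a `bfd_lock` failure returns before the flag is cleared, so the BFD would presumably stay excluded from bfd_cache_close_all and keep its descriptor open. Whether a BFD error is set in that case is not visible here. Consider documenting the contract at the return, e.g. `/* A false result here means the cache lock failed, not that the format was rejected. */`, or routing the failure through the existing error return. The function starts and ends outside these hunks, so other exit paths between the set and restore calls could not be checked.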
@@ -1055,6 +1055,8 @@ void *bfd_arch_default_fill (bfd_size_type count, /* Extracted from cache.c. */ bool bfd_cache_init (bfd *abfd) ATTRIBUTE_HIDDEN; =20 +bool bfd_cache_set_uncloseable (bfd *abfd, bool value, bool *old) ATTRIBUT= E_HIDDEN; + FILE* bfd_open_file (bfd *abfd) ATTRIBUTE_HIDDEN; =20 /* Extracted from hash.c. */