From: Florian Weimer <fweimer@redhat.com>
To: Fangrui Song <maskray@google.com>
Cc: "Adhemerval Zanella Netto" <adhemerval.zanella@linaro.org>,
"Szabolcs Nagy" <szabolcs.nagy@arm.com>,
"Cristian Rodríguez" <cristian@rodriguez.im>,
"H.J. Lu" <hjl.tools@gmail.com>,
libc-alpha@sourceware.org, "Vitaly Buka" <vitalybuka@google.com>,
"Fangrui Song" <i@maskray.me>,
"Evgenii Stepanov" <eugenis@google.com>,
"Kostya Serebryany" <kcc@google.com>,
"Dmitry Vyukov" <dvyukov@google.com>
Subject: Re: [PATCH] aarch64: Remove ld.so __tls_get_addr plt usage
Date: Wed, 10 Apr 2024 10:23:44 +0200 [thread overview]
Message-ID: <87a5m14odr.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <CAFP8O3+rzjfPrMt_rquq4c9tgGBzh8qHuMVsTPTh-PaKPAQ12g@mail.gmail.com> (Fangrui Song's message of "Tue, 9 Apr 2024 10:50:38 -0700")
* Fangrui Song:
> Last time I analyzed the __tls_get_addr interceptor in sanitizers, I
> have made quite some notes at
> https://maskray.me/blog/2021-02-14-all-about-thread-local-storage#why-does-compiler-rt-need-to-know-tls-blocks
>
> Yes, an interceptor is needed.
There's no guarantuee that TLS access goes through a regular function
call, so any design that relies on such a call happening is
fundamentally broken.
Quoting from your article:
| Note: if the allocation is rtld/libc internal and not intercepted,
| there is no need to unpoison the range. The associated shadow is
| supposed to be zeros. However, if the allocation is intercepted, the
| runtime should unpoison the range in case the range reuses a previous
| allocation which happens to contain poisoned bytes.
|
| In glibc, _dl_allocate_tls and _dl_deallocate_tls call malloc/free
| functions which are internal and not intercepted, so the allocations
| are opaque to the runtime and the shadow bytes are all zeroes.
I don't think this is accurate. We call the application malloc/free for
non-main threads after initialization.
Having an accurate description of sanitizer needs in this area would be
really helpful, but I think we are not quite there yet. (This is
different from an API description.)
I think there are several aspects here:
(a) Avoid false errors for bounds checks for Address Sanitizer.
(b) Support pointer discovery for Leak Sanitizer (essentially conservative
garbage collection).
(c) Avoid false data race reports for Thread Sanitizer after TLS reuse
from one thread for a different thread (only with non-overlapping
lifetimes).
Based on your description, I'm not sure if (a) is actually a problem.
If we don't use application malloc for TLS allocations, bounds checking
is bypassed apparently? And if we use malloc, out-of-bounds accesses
would be actual bugs.
Aspect (b) is a real issue. Could we address that by allocating the TCB
(with static TLS) and all dynamic TLS with application malloc (or
rather, memalign/aligned_alloc), and keep a pointer to the allocation on
the thread stack? Then a conservative collector could find it, and scan
it for pointers. A gap remains for the main thread, whose TCB is not
allocated using application malloc—and can't be, as the application
malloc itself very likely depends on the TCB already being there. We
could switch TCBs after allocating another one with malloc, but that
would require some hand-off protocol, I believe. Maybe it's better to
register early allocations with the sanitizer directly, using some
appropriate API.
For (c), we could just stop caching TCBs after thread exit. If we call
free, and reallocate for the new thread, that should avoid the false
data race. This issue does not affect the main thread.
Based on that, I don't think we need to support discovery of TLS areas,
or export any other internal implementation details. We just need to
use more malloc within glibc if we detect an active sanitizer, and find
a way to make the TCB allocation of the main thread known to the
sanitizer.
Thanks,
Florian
next prev parent reply other threads:[~2024-04-10 8:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-05 12:35 Adhemerval Zanella
2024-04-05 14:58 ` Szabolcs Nagy
2024-04-05 16:29 ` Adhemerval Zanella Netto
2024-04-06 17:40 ` Szabolcs Nagy
2024-04-08 8:04 ` Florian Weimer
2024-04-07 20:29 ` Cristian Rodríguez
2024-04-08 7:26 ` Szabolcs Nagy
2024-04-08 16:57 ` Adhemerval Zanella Netto
2024-04-09 8:30 ` Szabolcs Nagy
2024-04-09 14:03 ` Adhemerval Zanella Netto
2024-04-09 14:05 ` H.J. Lu
2024-04-09 14:11 ` Palmer Dabbelt
2024-04-09 14:46 ` H.J. Lu
2024-04-09 17:50 ` Fangrui Song
2024-04-10 7:29 ` Szabolcs Nagy
2024-04-10 8:23 ` Florian Weimer [this message]
2024-04-10 15:46 ` enh
2024-04-15 11:41 ` Florian Weimer
2024-04-15 20:22 ` Adhemerval Zanella Netto
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a5m14odr.fsf@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=adhemerval.zanella@linaro.org \
--cc=cristian@rodriguez.im \
--cc=dvyukov@google.com \
--cc=eugenis@google.com \
--cc=hjl.tools@gmail.com \
--cc=i@maskray.me \
--cc=kcc@google.com \
--cc=libc-alpha@sourceware.org \
--cc=maskray@google.com \
--cc=szabolcs.nagy@arm.com \
--cc=vitalybuka@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).