From: enh
Date: Wed, 10 Apr 2024 08:46:57 -0700
Subject: Re: [PATCH] aarch64: Remove ld.so __tls_get_addr plt usage
To: Florian Weimer
Cc: Fangrui Song, Adhemerval Zanella Netto, Szabolcs Nagy, Cristian Rodríguez, "H.J. Lu", libc-alpha@sourceware.org, Vitaly Buka, Fangrui Song, Evgenii Stepanov, Kostya Serebryany, Dmitry Vyukov
In-Reply-To: <87a5m14odr.fsf@oldenburg.str.redhat.com>
References: <20240405123550.1748641-1-adhemerval.zanella@linaro.org> <87a5m14odr.fsf@oldenburg.str.redhat.com>

bionic implemented https://sourceware.org/glibc/wiki/ThreadPropertiesAPI in
https://android.googlesource.com/platform/bionic/+/refs/heads/main/libc/include/sys/thread_properties.h
but tbh i'm not sure that the sanitizer folks moved over to the new api?

(i don't think we could just use malloc() because jemalloc -- which we
still haven't fully removed for very low-end users in favor of scudo --
was itself using TLS thread locals? scudo has its own reserved constant
slot in bionic, so that should be fine, i think, but we're not there yet.)

On Wed, Apr 10, 2024 at 1:24 AM Florian Weimer wrote:
>
> * Fangrui Song:
>
> > Last time I analyzed the __tls_get_addr interceptor in sanitizers, I
> > have made quite some notes at
> > https://maskray.me/blog/2021-02-14-all-about-thread-local-storage#why-does-compiler-rt-need-to-know-tls-blocks
> >
> > Yes, an interceptor is needed.
>
> There's no guarantee that TLS access goes through a regular function
> call, so any design that relies on such a call happening is
> fundamentally broken.
>
> Quoting from your article:
>
> | Note: if the allocation is rtld/libc internal and not intercepted,
> | there is no need to unpoison the range. The associated shadow is
> | supposed to be zeros. However, if the allocation is intercepted, the
> | runtime should unpoison the range in case the range reuses a previous
> | allocation which happens to contain poisoned bytes.
> |
> | In glibc, _dl_allocate_tls and _dl_deallocate_tls call malloc/free
> | functions which are internal and not intercepted, so the allocations
> | are opaque to the runtime and the shadow bytes are all zeroes.
>
> I don't think this is accurate. We call the application malloc/free for
> non-main threads after initialization.
>
> Having an accurate description of sanitizer needs in this area would be
> really helpful, but I think we are not quite there yet. (This is
> different from an API description.)
>
> I think there are several aspects here:
>
> (a) Avoid false errors for bounds checks for Address Sanitizer.
>
> (b) Support pointer discovery for Leak Sanitizer (essentially conservative
> garbage collection).
>
> (c) Avoid false data race reports for Thread Sanitizer after TLS reuse
> from one thread for a different thread (only with non-overlapping
> lifetimes).
>
> Based on your description, I'm not sure if (a) is actually a problem.
> If we don't use application malloc for TLS allocations, bounds checking
> is bypassed apparently? And if we use malloc, out-of-bounds accesses
> would be actual bugs.
>
> Aspect (b) is a real issue. Could we address that by allocating the TCB
> (with static TLS) and all dynamic TLS with application malloc (or
> rather, memalign/aligned_alloc), and keep a pointer to the allocation on
> the thread stack? Then a conservative collector could find it, and scan
> it for pointers. A gap remains for the main thread, whose TCB is not
> allocated using application malloc—and can't be, as the application
> malloc itself very likely depends on the TCB already being there. We
> could switch TCBs after allocating another one with malloc, but that
> would require some hand-off protocol, I believe. Maybe it's better to
> register early allocations with the sanitizer directly, using some
> appropriate API.
>
> For (c), we could just stop caching TCBs after thread exit. If we call
> free, and reallocate for the new thread, that should avoid the false
> data race. This issue does not affect the main thread.
>
> Based on that, I don't think we need to support discovery of TLS areas,
> or export any other internal implementation details. We just need to
> use more malloc within glibc if we detect an active sanitizer, and find
> a way to make the TCB allocation of the main thread known to the
> sanitizer.
>
> Thanks,
> Florian
>
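Aspect (b) of the quoted message, Leak Sanitizer's pointer discovery by conservative scanning of root regions, as an added example that is not part of the thread and not code from glibc, bionic or the sanitizer runtime. The names `tracked_alloc`, `conservative_scan`, `count_unreachable` and `leaks_with_roots` are hypothetical, the `tls_slot` variable and the `stack_roots` array are constructed stand-ins for a thread's static TLS block and a stack frame, and the tracked heap is a toy. The point it makes is the one Florian raises: a block whose only reference lives in a TLS area is reported as a leak unless the collector can find and scan that area.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not glibc, bionic or sanitizer code: a tiny tracked
 * heap plus a conservative root scan in the spirit of LeakSanitizer's
 * pointer discovery. Any aligned word inside a root region whose value
 * falls within a live block (interior pointers included) marks that block
 * reachable; blocks left unmarked are reported as leaks. */

#define MAX_BLOCKS 16

struct block { void *ptr; size_t size; int reachable; };
static struct block heap[MAX_BLOCKS];
static size_t nblocks;

/* Allocate and record a block so the scanner knows its bounds. */
void *tracked_alloc(size_t size) {
    if (nblocks == MAX_BLOCKS) return NULL;
    void *p = malloc(size);
    if (p) heap[nblocks++] = (struct block){ p, size, 0 };
    return p;
}

/* Free and forget every tracked block. */
void tracked_reset(void) {
    for (size_t i = 0; i < nblocks; i++) free(heap[i].ptr);
    nblocks = 0;
}

/* Conservative scan of [begin, end): every aligned word is a candidate
 * pointer, so a block is marked if any word points anywhere inside it. */
void conservative_scan(const void *begin, const void *end) {
    const uintptr_t mask = sizeof(uintptr_t) - 1;
    uintptr_t w = ((uintptr_t)begin + mask) & ~mask;
    for (; w + sizeof(uintptr_t) <= (uintptr_t)end; w += sizeof(uintptr_t)) {
        uintptr_t candidate;
        memcpy(&candidate, (const void *)w, sizeof candidate);
        for (size_t i = 0; i < nblocks; i++) {
            uintptr_t lo = (uintptr_t)heap[i].ptr;
            if (candidate >= lo && candidate < lo + heap[i].size)
                heap[i].reachable = 1;
        }
    }
}

/* Number of tracked blocks that no scanned root referenced. */
size_t count_unreachable(void) {
    size_t n = 0;
    for (size_t i = 0; i < nblocks; i++) if (!heap[i].reachable) n++;
    return n;
}

/* Constructed stand-in for a pointer slot in this thread's static TLS. */
static _Thread_local void *tls_slot;

/* Scenario from the thread: block a is referenced only from a (constructed)
 * stack region, block b only from the TLS slot, block c from nowhere.
 * Returns how many blocks are reported leaked when only the selected root
 * regions are scanned. */
size_t leaks_with_roots(int scan_stack, int scan_tls) {
    tracked_reset();
    uintptr_t stack_roots[2];            /* constructed stand-in for a frame */
    void *a = tracked_alloc(64);
    void *b = tracked_alloc(64);
    void *c = tracked_alloc(64);
    (void)c;                             /* never stored anywhere: a real leak */
    stack_roots[0] = (uintptr_t)a + 8;   /* interior pointer still counts */
    stack_roots[1] = 0;
    tls_slot = b;                        /* b is reachable only through TLS */

    if (scan_stack) conservative_scan(stack_roots, stack_roots + 2);
    if (scan_tls)   conservative_scan(&tls_slot, &tls_slot + 1);
    size_t leaked = count_unreachable();
    tls_slot = NULL;
    tracked_reset();
    return leaked;
}

int main(void) {
    printf("stack+TLS roots: %zu leaked\n", leaks_with_roots(1, 1));  /* 1: only c */
    printf("stack roots only: %zu leaked\n", leaks_with_roots(1, 0)); /* 2: b is invisible */
    return 0;
}
```

Run with the two root sets side by side: with the stack region alone, block b is counted as leaked even though the program still holds it, which is the false report a collector produces when it cannot locate TLS areas; adding the TLS region to the roots removes it. Allocating TLS with the application malloc and keeping a pointer to it on the thread stack, as proposed in the message, works by making the TLS block itself a tracked allocation reachable from the stack, so its contents get scanned in turn.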