[asan] Intercept and wrap XPC callback blocks

On recent OS X systems, blocks used as callbacks for XPC events (set up e.g. via xpc_connection_set_event_handler) are not later executed via the public libdispatch API (dispatch_async, etc). Because we don't intercept the path where the block is executed, we can fail to register the newly created dispatch thread. To fix that, let's intercept libxpc's APIs that take a block as a callback handler, and let's wrap these blocks in the same way as we do for libdispatch API. Differential Revision: http://reviews.llvm.org/D12490 llvm-svn: 246961
llvm · Sep 7, 2015 · dfaac29 · dfaac29
1 parent 14f308e
commit dfaac29
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 9 deletions.
diff --git a/compiler-rt/lib/asan/asan_mac.cc b/compiler-rt/lib/asan/asan_mac.cc
@@ -33,17 +33,18 @@ extern "C" {
 #endif
 
 #include <dlfcn.h>  // for dladdr()
+#include <fcntl.h>
+#include <libkern/OSAtomic.h>
 #include <mach-o/dyld.h>
 #include <mach-o/loader.h>
+#include <pthread.h>
+#include <stdlib.h>  // for free()
 #include <sys/mman.h>
 #include <sys/resource.h>
 #include <sys/sysctl.h>
 #include <sys/ucontext.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <stdlib.h>  // for free()
 #include <unistd.h>
-#include <libkern/OSAtomic.h>
+#include <xpc/xpc.h>
 
 namespace __asan {
 
@@ -272,11 +273,6 @@ void ReadContextStack(void *context, uptr *stack, uptr *ssize) {
 // The implementation details are at
 //   http://libdispatch.macosforge.org/trac/browser/trunk/src/queue.c
 
-typedef void* dispatch_group_t;
-typedef void* dispatch_queue_t;
-typedef void* dispatch_source_t;
-typedef u64 dispatch_time_t;
-typedef void (*dispatch_function_t)(void *block);
 typedef void* (*worker_t)(void *block);
 
 // A wrapper for the ObjC blocks used to support libdispatch.
@@ -399,6 +395,15 @@ void dispatch_source_set_event_handler(dispatch_source_t ds, void(^work)(void));
     work(); \
   }
 
+#define GET_ASAN_BLOCK_XPC(work) \
+  void (^asan_block)(xpc_object_t object);  \
+  int parent_tid = GetCurrentTidOrInvalid(); \
+  asan_block = ^(xpc_object_t object) { \
+    GET_STACK_TRACE_THREAD; \
+    asan_register_worker_thread(parent_tid, &stack); \
+    work(object); \
+  }
+
 INTERCEPTOR(void, dispatch_async,
             dispatch_queue_t dq, void(^work)(void)) {
   ENABLE_FRAME_POINTER;
@@ -437,6 +442,37 @@ INTERCEPTOR(void, dispatch_source_set_event_handler,
   GET_ASAN_BLOCK(work);
   REAL(dispatch_source_set_event_handler)(ds, asan_block);
 }
+
+INTERCEPTOR(void, xpc_connection_send_message_with_reply,
+            xpc_connection_t connection, xpc_object_t message,
+            dispatch_queue_t replyq, xpc_handler_t handler) {
+  ENABLE_FRAME_POINTER;
+  GET_ASAN_BLOCK_XPC(handler);
+  REAL(xpc_connection_send_message_with_reply)(connection, message, replyq,
+                                               asan_block);
+}
+
+INTERCEPTOR(void, xpc_connection_set_event_handler, xpc_connection_t connection,
+            xpc_handler_t handler) {
+  ENABLE_FRAME_POINTER;
+  GET_ASAN_BLOCK_XPC(handler);
+  REAL(xpc_connection_set_event_handler)(connection, asan_block);
+}
+
+INTERCEPTOR(void, xpc_set_event_stream_handler, const char *stream,
+            dispatch_queue_t targetq, xpc_handler_t handler) {
+  ENABLE_FRAME_POINTER;
+  GET_ASAN_BLOCK_XPC(handler);
+  REAL(xpc_set_event_stream_handler)(stream, targetq, asan_block);
+}
+
+INTERCEPTOR(void, xpc_connection_send_barrier, xpc_connection_t connection,
+            dispatch_block_t barrier) {
+  ENABLE_FRAME_POINTER;
+  GET_ASAN_BLOCK(barrier);
+  REAL(xpc_connection_send_barrier)(connection, asan_block);
+}
+
 #endif
 
 #endif  // SANITIZER_MAC
diff --git a/compiler-rt/test/asan/TestCases/Darwin/xpc_interceptors.mm b/compiler-rt/test/asan/TestCases/Darwin/xpc_interceptors.mm
@@ -0,0 +1,37 @@
+// Check that blocks executed on the XPC callback queue are handled correctly by
+// ASan.
+
+// RUN: %clangxx_asan -O0 %s -o %t -framework Foundation && not %run %t 2>&1 | FileCheck %s
+
+#import <Foundation/Foundation.h>
+#include <sanitizer/asan_interface.h>
+#include <xpc/xpc.h>
+
+int main() {
+  // Set up a 5-second timeout.
+  dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 5 * NSEC_PER_SEC),
+                 dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0),
+                 ^{
+                   exit(0);
+                 });
+
+  xpc_connection_t _connection = xpc_connection_create_mach_service(
+      "com.example.non.existing.xpc", NULL, 0);
+
+  xpc_connection_set_event_handler(_connection, ^(xpc_object_t event) {
+    char *mem = (char *)malloc(10);
+    NSLog(@"mem = %p", mem);
+
+    // Without the XPC API interceptors, this would cause an assertion failure
+    // when describing the current thread (XPC callback thread).
+    fprintf(stderr, "%s\n", mem + 10);  // BOOM.
+    // CHECK: ERROR: AddressSanitizer: heap-buffer-overflow
+    // CHECK: READ of size 1 at
+    // CHECK: allocated by thread
+    // CHECK: {{    #0 0x.* in .*malloc}}
+  });
+
+  xpc_connection_resume(_connection);
+  dispatch_main();
+  return 0;
+}