| commit | 9444b11e0c4e1f079c87067b5bbab1c5ff718809 | [log] [tgz] |
|---|---|---|
| author | Abseil Team <absl-team@google.com> | Tue May 17 01:44:42 2022 -0700 |
| committer | Copybara-Service <copybara-worker@google.com> | Tue May 17 01:45:38 2022 -0700 |
| tree | d533400407231d6e74c0f21883b4e6a9dea033ee | |
| parent | aac2279f22eef04d01fc42e66fc183a32f08a9b4 [diff] |
absl: fix use-after-free in Mutex/CondVar
Both Mutex and CondVar signal PerThreadSem/Waiter after satisfying the wait condition,
as the result the waiting thread may return w/o waiting on the
PerThreadSem/Waiter at all. If the waiting thread then exits, it currently
destroys Waiter object. As the result Waiter::Post can be called on
already destroyed object.
PerThreadSem/Waiter must be type-stable after creation and must not be destroyed.
The futex-based implementation is the only one that is not affected by the bug
since there is effectively nothing to destroy (maybe only UBSan/ASan
could complain about calling methods on a destroyed object).
Here is the problematic sequence of events:
1: void Mutex::Block(PerThreadSynch *s) {
2: while (s->state.load(std::memory_order_acquire) == PerThreadSynch::kQueued) {
3: if (!DecrementSynchSem(this, s, s->waitp->timeout)) {
4: PerThreadSynch *Mutex::Wakeup(PerThreadSynch *w) {
5: ...
6: w->state.store(PerThreadSynch::kAvailable, std::memory_order_release);
7: IncrementSynchSem(this, w);
8: ...
9: }
Consider line 6 is executed, then line 2 observes kAvailable and
line 3 is not called. The thread executing Mutex::Block returns from
the method, acquires the mutex, releases the mutex, exits and destroys
PerThreadSem/Waiter.
Now Mutex::Wakeup resumes and executes line 7 on the destroyed object. Boom!
CondVar uses a similar pattern.
Moreover the semaphore-based Waiter implementation is not even destruction-safe
(the Waiter cannot be used to signal own destruction). So even if Mutex/CondVar
would always pair Waiter::Post with Waiter::Wait before destroying PerThreadSem/Waiter,
it would still be subject to use-after-free bug on the semaphore.
PiperOrigin-RevId: 449159939
Change-Id: I497134fa8b6ce1294a422827c5f0de0e897cea31
The repository contains the Abseil C++ library code. Abseil is an open-source collection of C++ code (compliant to C++11) designed to augment the C++ standard library.
Abseil is an open-source collection of C++ library code designed to augment the C++ standard library. The Abseil library code is collected from Google's own C++ code base, has been extensively tested and used in production, and is the same code we depend on in our daily coding lives.
In some cases, Abseil provides pieces missing from the C++ standard; in others, Abseil provides alternatives to the standard for special needs we've found through usage in the Google code base. We denote those cases clearly within the library code we provide you.
Abseil is not meant to be a competitor to the standard library; we've just found that many of these utilities serve a purpose within our code base, and we now want to provide those resources to the C++ community as a whole.
If you want to just get started, make sure you at least run through the Abseil Quickstart. The Quickstart contains information about setting up your development environment, downloading the Abseil code, running tests, and getting a simple binary working.
Bazel and CMake are the official build systems for Abseil.
See the quickstart for more information on building Abseil using the Bazel build system.
If you require CMake support, please check the CMake build instructions and CMake Quickstart.
Abseil is officially supported on many platforms. See the Abseil platform support guide for details on supported operating systems, compilers, CPUs, etc.
Abseil contains the following C++ library components:
base Abseil Fundamentals base library contains initialization code and other code which all other Abseil code depends on. Code within base may not depend on any other code (other than the C++ standard library).algorithm algorithm library contains additions to the C++ <algorithm> library and container-based versions of such algorithms.cleanup cleanup library contains the control-flow-construct-like type absl::Cleanup which is used for executing a callback on scope exit.container container library contains additional STL-style containers, including Abseil's unordered “Swiss table” containers.debugging debugging library contains code useful for enabling leak checks, and stacktrace and symbolization utilities.hash hash library contains the hashing framework and default hash functor implementations for hashable types in Abseil.memory memory library contains C++11-compatible versions of std::make_unique() and related memory management facilities.meta meta library contains C++11-compatible versions of type checks available within C++14 and C++17 versions of the C++ <type_traits> library.numeric numeric library contains C++11-compatible 128-bit integers.profiling profiling library contains utility code for profiling C++ entities. It is currently a private dependency of other Abseil libraries.status status contains abstractions for error handling, specifically absl::Status and absl::StatusOr<T>.strings strings library contains a variety of strings routines and utilities, including a C++11-compatible version of the C++17 std::string_view type.synchronization synchronization library contains concurrency primitives (Abseil's absl::Mutex class, an alternative to std::mutex) and a variety of synchronization abstractions.time time library contains abstractions for computing with absolute points in time, durations of time, and formatting and parsing time within time zones.types types library contains non-container utility types, like a C++11-compatible version of the C++17 std::optional type.utility utility library contains utility and helper code.Abseil recommends users “live-at-head” (update to the latest commit from the master branch as often as possible). However, we realize this philosophy doesn't work for every project, so we also provide Long Term Support Releases to which we backport fixes for severe bugs. See our release management document for more details.
The Abseil C++ library is licensed under the terms of the Apache license. See LICENSE for more information.
For more information about Abseil: