Dispose llvm::TargetMachines prior to llvm::Context being disposed

wesleywiser · Mark-Simulacrum · commit 23030871cc21 · 2023-12-04T09:51:01.000-05:00
If the TargetMachine is disposed after the Context is disposed, it can
lead to use after frees in some cases.

I've observed this happening occasionally on code compiled for
aarch64-pc-windows-msvc using `-Zstack-protector=strong` but other users
have reported AVs from host aarch64-pc-windows-msvc compilers as well.
diff --git a/compiler/rustc_codegen_llvm/src/back/lto.rs b/compiler/rustc_codegen_llvm/src/back/lto.rs
@@ -26,6 +26,7 @@ use std::ffi::{CStr, CString};
 use std::fs::File;
 use std::io;
 use std::iter;
+use std::mem::ManuallyDrop;
 use std::path::Path;
 use std::slice;
 use std::sync::Arc;
@@ -736,7 +737,7 @@ pub unsafe fn optimize_thin_module(
     let llcx = llvm::LLVMRustContextCreate(cgcx.fewer_names);
     let llmod_raw = parse_module(llcx, module_name, thin_module.data(), &diag_handler)? as *const _;
     let mut module = ModuleCodegen {
-        module_llvm: ModuleLlvm { llmod_raw, llcx, tm },
+        module_llvm: ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) },
         name: thin_module.name().to_string(),
         kind: ModuleKind::Regular,
     };
diff --git a/compiler/rustc_codegen_llvm/src/lib.rs b/compiler/rustc_codegen_llvm/src/lib.rs
@@ -49,6 +49,7 @@ use rustc_span::symbol::Symbol;
 use std::any::Any;
 use std::ffi::CStr;
 use std::io::Write;
+use std::mem::ManuallyDrop;
 
 mod back {
     pub mod archive;
@@ -404,8 +405,9 @@ pub struct ModuleLlvm {
     llcx: &'static mut llvm::Context,
     llmod_raw: *const llvm::Module,
 
-    // independent from llcx and llmod_raw, resources get disposed by drop impl
-    tm: OwnedTargetMachine,
+    // This field is `ManuallyDrop` because it is important that the `TargetMachine`
+    // is disposed prior to the `Context` being disposed otherwise UAFs can occur.
+    tm: ManuallyDrop<OwnedTargetMachine>,
 }
 
 unsafe impl Send for ModuleLlvm {}
@@ -416,15 +418,23 @@ impl ModuleLlvm {
         unsafe {
             let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());
             let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;
-            ModuleLlvm { llmod_raw, llcx, tm: create_target_machine(tcx, mod_name) }
+            ModuleLlvm {
+                llmod_raw,
+                llcx,
+                tm: ManuallyDrop::new(create_target_machine(tcx, mod_name)),
+            }
         }
     }
 
     fn new_metadata(tcx: TyCtxt<'_>, mod_name: &str) -> Self {
         unsafe {
             let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());
             let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;
-            ModuleLlvm { llmod_raw, llcx, tm: create_informational_target_machine(tcx.sess) }
+            ModuleLlvm {
+                llmod_raw,
+                llcx,
+                tm: ManuallyDrop::new(create_informational_target_machine(tcx.sess)),
+            }
         }
     }
 
@@ -445,7 +455,7 @@ impl ModuleLlvm {
                 }
             };
 
-            Ok(ModuleLlvm { llmod_raw, llcx, tm })
+            Ok(ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) })
         }
     }
 
@@ -457,6 +467,7 @@ impl ModuleLlvm {
 impl Drop for ModuleLlvm {
     fn drop(&mut self) {
         unsafe {
+            drop(ManuallyDrop::take(&mut self.tm));
             llvm::LLVMContextDispose(&mut *(self.llcx as *mut _));
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ use rustc_span::symbol::Symbol;`
`49`	`49`	`use std::any::Any;`
`50`	`50`	`use std::ffi::CStr;`
`51`	`51`	`use std::io::Write;`
	`52`	`+use std::mem::ManuallyDrop;`
`52`	`53`
`53`	`54`	`mod back {`
`54`	`55`	`pub mod archive;`
`@@ -404,8 +405,9 @@ pub struct ModuleLlvm {`
`404`	`405`	`llcx: &'static mut llvm::Context,`
`405`	`406`	`llmod_raw: *const llvm::Module,`
`406`	`407`
`407`		`- // independent from llcx and llmod_raw, resources get disposed by drop impl`
`408`		`- tm: OwnedTargetMachine,`
	`408`	+ // This field is `ManuallyDrop` because it is important that the `TargetMachine`
	`409`	+ // is disposed prior to the `Context` being disposed otherwise UAFs can occur.
	`410`	`+ tm: ManuallyDrop<OwnedTargetMachine>,`
`409`	`411`	`}`
`410`	`412`
`411`	`413`	`unsafe impl Send for ModuleLlvm {}`
`@@ -416,15 +418,23 @@ impl ModuleLlvm {`
`416`	`418`	`unsafe {`
`417`	`419`	`let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());`
`418`	`420`	`let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;`
`419`		`- ModuleLlvm { llmod_raw, llcx, tm: create_target_machine(tcx, mod_name) }`
	`421`	`+ ModuleLlvm {`
	`422`	`+ llmod_raw,`
	`423`	`+ llcx,`
	`424`	`+ tm: ManuallyDrop::new(create_target_machine(tcx, mod_name)),`
	`425`	`+ }`
`420`	`426`	`}`
`421`	`427`	`}`
`422`	`428`
`423`	`429`	`fn new_metadata(tcx: TyCtxt<'_>, mod_name: &str) -> Self {`
`424`	`430`	`unsafe {`
`425`	`431`	`let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());`
`426`	`432`	`let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;`
`427`		`- ModuleLlvm { llmod_raw, llcx, tm: create_informational_target_machine(tcx.sess) }`
	`433`	`+ ModuleLlvm {`
	`434`	`+ llmod_raw,`
	`435`	`+ llcx,`
	`436`	`+ tm: ManuallyDrop::new(create_informational_target_machine(tcx.sess)),`
	`437`	`+ }`
`428`	`438`	`}`
`429`	`439`	`}`
`430`	`440`
`@@ -445,7 +455,7 @@ impl ModuleLlvm {`
`445`	`455`	`}`
`446`	`456`	`};`
`447`	`457`
`448`		`- Ok(ModuleLlvm { llmod_raw, llcx, tm })`
	`458`	`+ Ok(ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) })`
`449`	`459`	`}`
`450`	`460`	`}`
`451`	`461`
`@@ -457,6 +467,7 @@ impl ModuleLlvm {`
`457`	`467`	`impl Drop for ModuleLlvm {`
`458`	`468`	`fn drop(&mut self) {`
`459`	`469`	`unsafe {`
	`470`	`+ drop(ManuallyDrop::take(&mut self.tm));`
`460`	`471`	`llvm::LLVMContextDispose(&mut (self.llcx as mut _));`
`461`	`472`	`}`
`462`	`473`	`}`