Dispose llvm::TargetMachines prior to llvm::Context being disposed

wesleywiser · wesleywiser · commit 33762eb0b5ea · 2023-11-29T17:43:08.000-06:00
If the TargetMachine is disposed after the Context is disposed, it can
lead to use after frees in some cases.

I've observed this happening occasionally on code compiled for
aarch64-pc-windows-msvc using `-Zstack-protector=strong` but other users
have reported AVs from host aarch64-pc-windows-msvc compilers as well.
diff --git a/compiler/rustc_codegen_llvm/src/back/lto.rs b/compiler/rustc_codegen_llvm/src/back/lto.rs
@@ -25,6 +25,7 @@ use std::ffi::{CStr, CString};
 use std::fs::File;
 use std::io;
 use std::iter;
+use std::mem::ManuallyDrop;
 use std::path::Path;
 use std::slice;
 use std::sync::Arc;
@@ -734,7 +735,7 @@ pub unsafe fn optimize_thin_module(
     let llcx = llvm::LLVMRustContextCreate(cgcx.fewer_names);
     let llmod_raw = parse_module(llcx, module_name, thin_module.data(), &diag_handler)? as *const _;
     let mut module = ModuleCodegen {
-        module_llvm: ModuleLlvm { llmod_raw, llcx, tm },
+        module_llvm: ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) },
         name: thin_module.name().to_string(),
         kind: ModuleKind::Regular,
     };
diff --git a/compiler/rustc_codegen_llvm/src/lib.rs b/compiler/rustc_codegen_llvm/src/lib.rs
@@ -52,6 +52,7 @@ use rustc_span::symbol::Symbol;
 use std::any::Any;
 use std::ffi::CStr;
 use std::io::Write;
+use std::mem::ManuallyDrop;
 
 mod back {
     pub mod archive;
@@ -407,8 +408,9 @@ pub struct ModuleLlvm {
     llcx: &'static mut llvm::Context,
     llmod_raw: *const llvm::Module,
 
-    // independent from llcx and llmod_raw, resources get disposed by drop impl
-    tm: OwnedTargetMachine,
+    // This field is `ManuallyDrop` because it is important that the `TargetMachine`
+    // is disposed prior to the `Context` being disposed otherwise UAFs can occur.
+    tm: ManuallyDrop<OwnedTargetMachine>,
 }
 
 unsafe impl Send for ModuleLlvm {}
@@ -419,15 +421,15 @@ impl ModuleLlvm {
         unsafe {
             let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());
             let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;
-            ModuleLlvm { llmod_raw, llcx, tm: create_target_machine(tcx, mod_name) }
+            ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(create_target_machine(tcx, mod_name)) }
         }
     }
 
     fn new_metadata(tcx: TyCtxt<'_>, mod_name: &str) -> Self {
         unsafe {
             let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());
             let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;
-            ModuleLlvm { llmod_raw, llcx, tm: create_informational_target_machine(tcx.sess) }
+            ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(create_informational_target_machine(tcx.sess)) }
         }
     }
 
@@ -448,7 +450,7 @@ impl ModuleLlvm {
                 }
             };
 
-            Ok(ModuleLlvm { llmod_raw, llcx, tm })
+            Ok(ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) })
         }
     }
 
@@ -460,6 +462,7 @@ impl ModuleLlvm {
 impl Drop for ModuleLlvm {
     fn drop(&mut self) {
         unsafe {
+            drop(ManuallyDrop::take(&mut self.tm));
             llvm::LLVMContextDispose(&mut *(self.llcx as *mut _));
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ use rustc_span::symbol::Symbol;`
`52`	`52`	`use std::any::Any;`
`53`	`53`	`use std::ffi::CStr;`
`54`	`54`	`use std::io::Write;`
	`55`	`+use std::mem::ManuallyDrop;`
`55`	`56`
`56`	`57`	`mod back {`
`57`	`58`	`pub mod archive;`
`@@ -407,8 +408,9 @@ pub struct ModuleLlvm {`
`407`	`408`	`llcx: &'static mut llvm::Context,`
`408`	`409`	`llmod_raw: *const llvm::Module,`
`409`	`410`
`410`		`- // independent from llcx and llmod_raw, resources get disposed by drop impl`
`411`		`- tm: OwnedTargetMachine,`
	`411`	+ // This field is `ManuallyDrop` because it is important that the `TargetMachine`
	`412`	+ // is disposed prior to the `Context` being disposed otherwise UAFs can occur.
	`413`	`+ tm: ManuallyDrop<OwnedTargetMachine>,`
`412`	`414`	`}`
`413`	`415`
`414`	`416`	`unsafe impl Send for ModuleLlvm {}`
`@@ -419,15 +421,15 @@ impl ModuleLlvm {`
`419`	`421`	`unsafe {`
`420`	`422`	`let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());`
`421`	`423`	`let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;`
`422`		`- ModuleLlvm { llmod_raw, llcx, tm: create_target_machine(tcx, mod_name) }`
	`424`	`+ ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(create_target_machine(tcx, mod_name)) }`
`423`	`425`	`}`
`424`	`426`	`}`
`425`	`427`
`426`	`428`	`fn new_metadata(tcx: TyCtxt<'_>, mod_name: &str) -> Self {`
`427`	`429`	`unsafe {`
`428`	`430`	`let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());`
`429`	`431`	`let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;`
`430`		`- ModuleLlvm { llmod_raw, llcx, tm: create_informational_target_machine(tcx.sess) }`
	`432`	`+ ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(create_informational_target_machine(tcx.sess)) }`
`431`	`433`	`}`
`432`	`434`	`}`
`433`	`435`
`@@ -448,7 +450,7 @@ impl ModuleLlvm {`
`448`	`450`	`}`
`449`	`451`	`};`
`450`	`452`
`451`		`- Ok(ModuleLlvm { llmod_raw, llcx, tm })`
	`453`	`+ Ok(ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) })`
`452`	`454`	`}`
`453`	`455`	`}`
`454`	`456`
`@@ -460,6 +462,7 @@ impl ModuleLlvm {`
`460`	`462`	`impl Drop for ModuleLlvm {`
`461`	`463`	`fn drop(&mut self) {`
`462`	`464`	`unsafe {`
	`465`	`+ drop(ManuallyDrop::take(&mut self.tm));`
`463`	`466`	`llvm::LLVMContextDispose(&mut (self.llcx as mut _));`
`464`	`467`	`}`
`465`	`468`	`}`