[Runtime] Don't try to demangle unprefixed untrusted names. Remove operator new/delete hackery.

mikeash · mikeash · commit 604eb053135f · 2022-05-25T20:56:47.000-04:00
The operator new/delete overrides aren't working out due to inconsistent inlining of std::string creation/deletion. We can end up creating one with the global new but destroying it with our local delete. If they aren't compatible, this crashes.

Instead, avoid problematic new/delete activity coming from lookup of ObjC class names. Names passed to getObjCClassByMangledName/swift_stdlib_getTypeByMangledNameUntrusted must either have a standard mangled name prefix, start with a digit (for unprefixed mangled names) or use the convenience dot syntax. Check for those up front and immediately reject anything else. This has the added bonus of failing more quickly for non-Swift names.

rdar://93863030
diff --git a/stdlib/public/runtime/Heap.cpp b/stdlib/public/runtime/Heap.cpp
@@ -133,30 +133,3 @@ static void swift_slowDeallocImpl(void *ptr, size_t alignMask) {
 void swift::swift_slowDealloc(void *ptr, size_t bytes, size_t alignMask) {
   swift_slowDeallocImpl(ptr, alignMask);
 }
-
-#if defined(__APPLE__) && defined(__MACH__) && SWIFT_STDLIB_HAS_DARWIN_LIBMALLOC
-// On Darwin, define our own, hidden operator new/delete implementations. We
-// don't want to pick up any overrides that come from other code, but we also
-// don't want to expose our overrides to any other code. We can't do this
-// directly in C++, as the compiler has an implicit prototype with default
-// visibility. However, if we implement them as C functions using the C++
-// mangled names, the compiler accepts them without complaint, and the linker
-// still links all internal uses with these overrides.
-
-__attribute__((visibility(("hidden")))) extern "C" void *_Znwm(size_t size) {
-  return swift_slowAlloc(size, MALLOC_ALIGN_MASK);
-}
-
-__attribute__((visibility(("hidden")))) extern "C" void _ZdlPv(void *ptr) {
-  swift_slowDeallocImpl(ptr, MALLOC_ALIGN_MASK);
-}
-
-__attribute__((visibility(("hidden")))) extern "C" void *_Znam(size_t size) {
-  return swift_slowAlloc(size, MALLOC_ALIGN_MASK);
-}
-
-__attribute__((visibility(("hidden")))) extern "C" void _ZdaPv(void *ptr) {
-  swift_slowDeallocImpl(ptr, MALLOC_ALIGN_MASK);
-}
-
-#endif
diff --git a/stdlib/public/runtime/MetadataLookup.cpp b/stdlib/public/runtime/MetadataLookup.cpp
@@ -1920,17 +1920,42 @@ swift_getTypeByMangledNameInContextInMetadataState(
     }).getType().getMetadata();
 }
 
-/// Demangle a mangled name, but don't allow symbolic references.
+static bool validateUntrustedName(llvm::StringRef typeName) {
+  size_t dotCount = false;
+  for (char c : typeName) {
+    // No symbolic references allowed in untrusted names.
+    if (c >= '\x01' && c <= '\x1F')
+      return false;
+    if (c == '.')
+      dotCount += 1;
+  }
+
+  // Accept any name with one dot.
+  if (dotCount == 1)
+    return true;
+
+  // Accept names with a mangling prefix.
+  if (getManglingPrefixLength(typeName))
+    return true;
+
+  // Accept names that start with a digit (unprefixed mangled names).
+  if (typeName.size() > 0 && isdigit(typeName[0]))
+    return true;
+
+  // Reject anything else.
+  return false;
+}
+
+/// Demangle a mangled name, but don't allow symbolic references, and require a
+/// known prefix or a dot.
 SWIFT_CC(swift) SWIFT_RUNTIME_STDLIB_INTERNAL
 const Metadata *_Nullable
 swift_stdlib_getTypeByMangledNameUntrusted(const char *typeNameStart,
                                            size_t typeNameLength) {
   llvm::StringRef typeName(typeNameStart, typeNameLength);
-  for (char c : typeName) {
-    if (c >= '\x01' && c <= '\x1F')
-      return nullptr;
-  }
-  
+  if (!validateUntrustedName(typeName))
+    return nullptr;
+
   return swift_getTypeByMangledName(MetadataState::Complete, typeName, nullptr,
                                     {}, {}).getType().getMetadata();
 }
