Package CMO: add deserialization checks to ensure correct memory layout #78258
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
elsh
requested review from
eeckstein,
xymus,
jckarter,
artemcm,
tshortli,
zoecarver,
hyp,
egorzhdan,
beccadax,
ian-twilightcoder,
Xazax-hun,
hborla,
slavapestov and
xedin
as code owners
|
@swift-ci test |
elsh
force-pushed
the
elsh/disallow-bypass-deser-check
branch
from
2a5a1e6 to
9589546
Compare
|
@swift-ci test |
elsh
force-pushed
the
elsh/disallow-bypass-deser-check
branch
from
c24f01a to
be6e16a
Compare
elsh
force-pushed
the
elsh/disallow-bypass-deser-check
branch
from
be6e16a to
0633894
Compare
|
@swift-ci test |
|
@swift-ci test linux |
elsh
force-pushed
the
elsh/disallow-bypass-deser-check
branch
from
c50fd24 to
12c2e3d
Compare
|
@swift-ci smoke test |
elsh
changed the title
…e memory layout of the decl being accessed is correct. When this assumption fails due to a deserialization error of its members, the use site accesses the layout with a wrong field offset, resulting in UB or a crash. The deserialization error is currently not caught at compile time due to LangOpts.EnableDeserializationRecovery being enabled by default to allow for recovery of some of the deserialization errors at a later time. In case of member deserialization, however, it's not necessarily recovered later on. This PR tracks whether member deserialization had an error by recursively loading members and checking for deserialization error, and fails and emits a diagnostic. It provides a way to prevent resilience bypassing when the deserialized decl's layout is incorrect. Resolves rdar://132411524
elsh
force-pushed
the
elsh/disallow-bypass-deser-check
branch
from
12c2e3d to
c03abed
Compare
|
@swift-ci smoke test |
|
This PR is probably worth an eye from @xymus . |
|
@swift-ci smoke test |
|
Calling the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Package optimization allows bypassing resilience, but that assumes the memory layout of the decl being accessed is correct. When this assumption fails due to a deserialization error of its members, the use site accesses the layout of the decl with a wrong field offset, resulting in UB or a crash. The deserialization error is currently not caught at compile time due to LangOpts.EnableDeserializationRecovery being enabled by default (to allow for recovery of some of the deserialization errors at a later time). In case of member deserialization, however, it's not necessarily recovered later on and is silently dropped.
This PR tracks errors in member deserialization by recursively loading members of a type and checking for deserialization errors. and fails and emits a diagnostic. It prevents resilience bypassing when the deserialized decl's layout is incorrect. It also provides an opt-out flag for deserialization checks for temporary migration purposes.
Resolves rdar://132411524