New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 882733 link

Starred by 2 users
Status: Verified
Owner:
jmgao@google.com
Last visit 26 days ago
Closed: Oct 31
Cc:
torne@chromium.org
agrieve@chromium.org
nyquist@chromium.org
gab@chromium.org
dcheng@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 3
Type: Task

Blocking:
issue 885015



Sign in to add a comment

fdsan support in ScopedFd

Project Member Reported by jmgao@google.com, Sep 11 
Android Q is adding a feature to track down file descriptor double closes by making it so that types can enforce their file descriptor ownership. Basically, you can mark a file descriptor with a tag (e.g. the address of a ScopedFd that owns it), after which a raw close called on that fd will result in an error being emitted (or an abort, if you configure it that way at runtime). See go/fdsan for more details.

The probability of fdsan actually catching a mistake is roughly proportional to the percentage of file descriptors that are guarded with it in the process, so it'd be nice if the generic fd-owning types had support built-in. I added fdsan support to most of the built-in Java classes, and it's found dozens of bugs so far (including one in chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=882608). It would also make debugging bugs like https://bugs.chromium.org/p/chromium/issues/detail?id=640281 significantly easier.

Assuming that this is something you would want, it seems like there's two ways to go about doing this:

1. Copy/paste ScopedFd and specialize it - easy, but ugly
2. Refactor ScopedGeneric to be able to model this.
  - make ScopedGeneric::Data support move-only Traits
  - add an AndroidScopedFDCloseTraits with new methods Acquire/Release to call the fdsan methods to set the tag, and a (non-static) Free that closes with the tag (using the address of the Traits object as the tag). (With availability checking via __attribute__((weak))...are you still using crazy_linker?) 
  - add Acquire/Release methods to ScopedGeneric::Data that either forward to the parent Traits or are no-ops if Traits doesn't have them
  - sprinkle those throughout in the places where the ownership changes (reset, release, etc.)

Thoughts? I'll take a stab at #2 if this seems reasonable.

Comment 1 by torne@chromium.org, Sep 12

Cc: nyquist@chromium.org agrieve@chromium.org
Components: Mobile>WebView
Labels: -Type-Feature Type-Task
Status: Available (was: Unconfirmed)
This is of particular interest to WebView since we run in other people's processes and the lack of supporting this might actually make the tool less effective for apps, but is probably interesting in general to catch actual errors in our code. I think this is something we would want to have, though I'm not sure what priority we would consider it to have. If you are interested in implementing this for us then I doubt we'd be against it, though :)

I'm switching the type to Task because it's not a user-facing feature, though; internal code improvements generally are tracked there.

We are still using the crazy linker. I'm not sure what that implies for weak symbols/etc.

Adding Andrew and Tommy for any additional comments (may want a general base owner also since this is going to involve adding more parts there; dunno who would be the best person to ask about this though)

Comment 2 by nyquist@chromium.org, Sep 13

Cc: gab@chromium.org dcheng@chromium.org
Maybe gab@ or dcheng@ would be interested in this? Adding them to CC in case they want to be involved.

I agree that this looks like something we'd want for Chrome.

Comment 3 by jmgao@google.com, Sep 13 

I started on an implementation yesterday and fell into a pile of SFINAE goop for detecting when to enable this. It seems much easier to just use an explicit tag type that the traits must inherit from to enable the Acquire/Release tracking, so I implemented that instead.

One additional complication is that ScopedGeneric::receive is fundamentally incompatible with this. I hid that method when using the ownership tracking stuff, but I'm not sure whether there are any actual uses of ScopedFD::receive. I tried to code search for it, but the signal to noise ratio wasn't great. I'll just implement AndroidScopedFDCloseTraits tomorrow and see what happens...

CL at https://chromium-review.googlesource.com/c/chromium/src/+/1224112

Comment 4 by jmgao@google.com, Sep 13

Owner: jmgao@google.com
Status: Started (was: Available)

Comment 5 by gab@chromium.org, Sep 18

Blocking: 885015
Project Member

Comment 6 by bugdroid1@chromium.org, Oct 31 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/00ce84541f824dbf1ae1860193415227254dba07

commit 00ce84541f824dbf1ae1860193415227254dba07
Author: Josh Gao <jmgao@google.com>
Date: Wed Oct 31 00:05:42 2018

ScopedGeneric: add support for ownership tracking.

Add support for ScopedGeneric traits that track the ownership of owned
objects externally. The intent is to use this with Android Q's file
descriptor ownership sanitizer, but this is conceivably useful for
other purposes as well (e.g. guarded_fd on Darwin).

TBR=wez@chromium.org,sergeyu@chromium.org,alexilin@chromium.org,vollick@chromium.org,dcastagna@chromium.org

Bug:  882733 
Change-Id: I2fb0617ce6471b290edcc726de4117041d91d10d
Reviewed-on: https://chromium-review.googlesource.com/c/1224112
Commit-Queue: Josh Gao <jmgao@google.com>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Reviewed-by: Daniele Castagna <dcastagna@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#604067}
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/base/fuchsia/file_utils.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/base/memory/platform_shared_memory_region_mac.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/base/metrics/field_trial_memory_mac.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/base/metrics/field_trial_memory_mac_unittest.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/base/scoped_generic.h
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/base/scoped_generic_unittest.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/chrome/browser/android/vr/arcore_device/arcore_impl.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/components/exo/wayland/clients/client_base.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/mojo/core/channel_fuchsia.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/mojo/core/channel_posix.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/ui/ozone/platform/drm/gpu/hardware_display_plane_manager_atomic.cc
[modify] https://crrev.com/00ce84541f824dbf1ae1860193415227254dba07/ui/ozone/platform/drm/gpu/hardware_display_plane_manager_atomic.h
Project Member

Comment 7 by bugdroid1@chromium.org, Oct 31 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/913a828a460849b6a2a9eac8a206bcdb4008f3e3

commit 913a828a460849b6a2a9eac8a206bcdb4008f3e3
Author: Josh Gao <jmgao@google.com>
Date: Wed Oct 31 00:49:39 2018

Use fdsan on Android.

When available, use ScopedGeneric's ownership tracking to guard its
file descriptors with fdsan.

Bug:  882733 
Change-Id: Ibe600465d6bb7e3032e23ed813dea3d8f8ededa8
Reviewed-on: https://chromium-review.googlesource.com/c/1225309
Commit-Queue: Josh Gao <jmgao@google.com>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Richard Coles <torne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#604083}
[modify] https://crrev.com/913a828a460849b6a2a9eac8a206bcdb4008f3e3/base/BUILD.gn
[modify] https://crrev.com/913a828a460849b6a2a9eac8a206bcdb4008f3e3/base/files/scoped_file.h
[add] https://crrev.com/913a828a460849b6a2a9eac8a206bcdb4008f3e3/base/files/scoped_file_android.cc

Comment 8 by jmgao@google.com, Oct 31

Status: Verified (was: Started)

Sign in to add a comment