Dispose llvm::TargetMachines prior to llvm::Context being disposed

wesleywiser · cuviper · commit 76e6681b1f79 · 2023-11-30T16:53:42.000-08:00
If the TargetMachine is disposed after the Context is disposed, it can lead to use after frees in some cases. I've observed this happening occasionally on code compiled for aarch64-pc-windows-msvc using `-Zstack-protector=strong` but other users have reported AVs from host aarch64-pc-windows-msvc compilers as well. (cherry picked from commit 3323e4d)
diff --git a/compiler/rustc_codegen_llvm/src/back/lto.rs b/compiler/rustc_codegen_llvm/src/back/lto.rs
@@ -25,6 +25,7 @@ use std::ffi::{CStr, CString};
 use std::fs::File;
 use std::io;
 use std::iter;
+use std::mem::ManuallyDrop;
 use std::path::Path;
 use std::slice;
 use std::sync::Arc;
@@ -734,7 +735,7 @@ pub unsafe fn optimize_thin_module(
     let llcx = llvm::LLVMRustContextCreate(cgcx.fewer_names);
     let llmod_raw = parse_module(llcx, module_name, thin_module.data(), &diag_handler)? as *const _;
     let mut module = ModuleCodegen {
-        module_llvm: ModuleLlvm { llmod_raw, llcx, tm },
+        module_llvm: ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) },
         name: thin_module.name().to_string(),
         kind: ModuleKind::Regular,
     };
diff --git a/compiler/rustc_codegen_llvm/src/lib.rs b/compiler/rustc_codegen_llvm/src/lib.rs
@@ -53,6 +53,7 @@ use rustc_span::symbol::Symbol;
 use std::any::Any;
 use std::ffi::CStr;
 use std::io::Write;
+use std::mem::ManuallyDrop;
 
 mod back {
     pub mod archive;
@@ -408,8 +409,9 @@ pub struct ModuleLlvm {
     llcx: &'static mut llvm::Context,
     llmod_raw: *const llvm::Module,
 
-    // independent from llcx and llmod_raw, resources get disposed by drop impl
-    tm: OwnedTargetMachine,
+    // This field is `ManuallyDrop` because it is important that the `TargetMachine`
+    // is disposed prior to the `Context` being disposed otherwise UAFs can occur.
+    tm: ManuallyDrop<OwnedTargetMachine>,
 }
 
 unsafe impl Send for ModuleLlvm {}
@@ -420,15 +422,23 @@ impl ModuleLlvm {
         unsafe {
             let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());
             let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;
-            ModuleLlvm { llmod_raw, llcx, tm: create_target_machine(tcx, mod_name) }
+            ModuleLlvm {
+                llmod_raw,
+                llcx,
+                tm: ManuallyDrop::new(create_target_machine(tcx, mod_name)),
+            }
         }
     }
 
     fn new_metadata(tcx: TyCtxt<'_>, mod_name: &str) -> Self {
         unsafe {
             let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());
             let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;
-            ModuleLlvm { llmod_raw, llcx, tm: create_informational_target_machine(tcx.sess) }
+            ModuleLlvm {
+                llmod_raw,
+                llcx,
+                tm: ManuallyDrop::new(create_informational_target_machine(tcx.sess)),
+            }
         }
     }
 
@@ -449,7 +459,7 @@ impl ModuleLlvm {
                 }
             };
 
-            Ok(ModuleLlvm { llmod_raw, llcx, tm })
+            Ok(ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) })
         }
     }
 
@@ -461,6 +471,7 @@ impl ModuleLlvm {
 impl Drop for ModuleLlvm {
     fn drop(&mut self) {
         unsafe {
+            drop(ManuallyDrop::take(&mut self.tm));
             llvm::LLVMContextDispose(&mut *(self.llcx as *mut _));
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ use rustc_span::symbol::Symbol;`
`53`	`53`	`use std::any::Any;`
`54`	`54`	`use std::ffi::CStr;`
`55`	`55`	`use std::io::Write;`
	`56`	`+use std::mem::ManuallyDrop;`
`56`	`57`
`57`	`58`	`mod back {`
`58`	`59`	`pub mod archive;`
`@@ -408,8 +409,9 @@ pub struct ModuleLlvm {`
`408`	`409`	`llcx: &'static mut llvm::Context,`
`409`	`410`	`llmod_raw: *const llvm::Module,`
`410`	`411`
`411`		`- // independent from llcx and llmod_raw, resources get disposed by drop impl`
`412`		`- tm: OwnedTargetMachine,`
	`412`	+ // This field is `ManuallyDrop` because it is important that the `TargetMachine`
	`413`	+ // is disposed prior to the `Context` being disposed otherwise UAFs can occur.
	`414`	`+ tm: ManuallyDrop<OwnedTargetMachine>,`
`413`	`415`	`}`
`414`	`416`
`415`	`417`	`unsafe impl Send for ModuleLlvm {}`
`@@ -420,15 +422,23 @@ impl ModuleLlvm {`
`420`	`422`	`unsafe {`
`421`	`423`	`let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());`
`422`	`424`	`let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;`
`423`		`- ModuleLlvm { llmod_raw, llcx, tm: create_target_machine(tcx, mod_name) }`
	`425`	`+ ModuleLlvm {`
	`426`	`+ llmod_raw,`
	`427`	`+ llcx,`
	`428`	`+ tm: ManuallyDrop::new(create_target_machine(tcx, mod_name)),`
	`429`	`+ }`
`424`	`430`	`}`
`425`	`431`	`}`
`426`	`432`
`427`	`433`	`fn new_metadata(tcx: TyCtxt<'_>, mod_name: &str) -> Self {`
`428`	`434`	`unsafe {`
`429`	`435`	`let llcx = llvm::LLVMRustContextCreate(tcx.sess.fewer_names());`
`430`	`436`	`let llmod_raw = context::create_module(tcx, llcx, mod_name) as *const _;`
`431`		`- ModuleLlvm { llmod_raw, llcx, tm: create_informational_target_machine(tcx.sess) }`
	`437`	`+ ModuleLlvm {`
	`438`	`+ llmod_raw,`
	`439`	`+ llcx,`
	`440`	`+ tm: ManuallyDrop::new(create_informational_target_machine(tcx.sess)),`
	`441`	`+ }`
`432`	`442`	`}`
`433`	`443`	`}`
`434`	`444`
`@@ -449,7 +459,7 @@ impl ModuleLlvm {`
`449`	`459`	`}`
`450`	`460`	`};`
`451`	`461`
`452`		`- Ok(ModuleLlvm { llmod_raw, llcx, tm })`
	`462`	`+ Ok(ModuleLlvm { llmod_raw, llcx, tm: ManuallyDrop::new(tm) })`
`453`	`463`	`}`
`454`	`464`	`}`
`455`	`465`
`@@ -461,6 +471,7 @@ impl ModuleLlvm {`
`461`	`471`	`impl Drop for ModuleLlvm {`
`462`	`472`	`fn drop(&mut self) {`
`463`	`473`	`unsafe {`
	`474`	`+ drop(ManuallyDrop::take(&mut self.tm));`
`464`	`475`	`llvm::LLVMContextDispose(&mut (self.llcx as mut _));`
`465`	`476`	`}`
`466`	`477`	`}`