commit b49b78ef3f781b1d34c5b07204ee92d2dc70a2a7
author Adam Langley <agl@google.com> Thu Sep 02 14:57:02 2021 -0700
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Fri Sep 03 17:11:40 2021 +0000
tree 653695149694d61b6bb229b37e911f162e2e9e3a
parent 19fe7943ce593068bf447f05c2dbed4a324146ef

Revert "Guard use of sdallocx with BORINGSSL_SDALLOCX"

This reverts commit 80df7398ce52574801821ce7a76c031c35d6b882.

See https://github.com/grpc/grpc/issues/25450#issuecomment-910806034

Even if we want to do this, turns out that we still need the weak symbol
in order to work in important environments.

Change-Id: I50b9aef0cfe7ed70bda433c3046d46f194636d54
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49205
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>

crypto/mem.c

diff --git a/crypto/mem.c b/crypto/mem.c
index 4ccc263..8988937 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -93,19 +93,15 @@
 #define WEAK_SYMBOL_FUNC(rettype, name, args) static rettype(*name) args = NULL;
 #endif
 
-#if defined(BORINGSSL_SDALLOCX)
 // sdallocx is a sized |free| function. By passing the size (which we happen to
-// always know in BoringSSL), the malloc implementation can save work.
+// always know in BoringSSL), the malloc implementation can save work. We cannot
+// depend on |sdallocx| being available, however, so it's a weak symbol.
 //
-// This is guarded by BORINGSSL_SDALLOCX, rather than being a weak symbol,
-// because it can work poorly if there are two malloc implementations in the
-// address space. (Which probably isn't valid, ODR etc, but
-// https://github.com/grpc/grpc/issues/25450). In that situation, |malloc| can
-// come from one allocator but |sdallocx| from another and crashes quickly
-// result. We can't match |sdallocx| with |mallocx| because tcmalloc only
-// provides the former, so a mismatch can still happen.
-void sdallocx(void *ptr, size_t size, int flags);
-#endif
+// This will always be safe, but will only be overridden if the malloc
+// implementation is statically linked with BoringSSL. So, if |sdallocx| is
+// provided in, say, libc.so, we still won't use it because that's dynamically
+// linked. This isn't an ideal result, but its helps in some cases.
+WEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags));
 
 // The following three functions can be defined to override default heap
 // allocation and freeing. If defined, it is the responsibility of
@@ -166,11 +162,11 @@
 
   size_t size = *(size_t *)ptr;
   OPENSSL_cleanse(ptr, size + OPENSSL_MALLOC_PREFIX);
-#if defined(BORINGSSL_SDALLOCX)
-  sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);
-#else
-  free(ptr);
-#endif
+  if (sdallocx) {
+    sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);
+  } else {
+    free(ptr);
+  }
 }
 
 void *OPENSSL_realloc(void *orig_ptr, size_t new_size) {