Google Git
Sign in
boringssl/boringssl/eca12891ed873dc183624f28e4e5442e7bc2f4a2^!/.
commit
eca12891ed873dc183624f28e4e5442e7bc2f4a2
[log]
author
David Benjamin <davidben@google.com>
Tue Nov 12 18:27:15 2024 -0500
committer
Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Tue Nov 12 23:50:37 2024 +0000
tree
53abcfdcbd468a1fba79d285c0555aa0e379c16e
parent
619da367f3979d36b0678dd3e0038f5453eff8ce [diff]
Disable sdallocx detection by default

The comment about it only detecting statically linked symbols is, as far
as I can tell, not actually true? It gets picked up when you LD_PRELOAD
libjemalloc.

This means that if you have a binary where some random dependency pulls
in libjemalloc, but you actually use a different malloc implementation
without sdallocx, things break. We've also had an issue with
https://github.com/grpc/grpc/issues/25450, though that one was a bit
more obviously a problem with their build.

Given this mess, and sdallocx not quite being standard, probably we
should just leave this opt-in. Maybe decades from now, everyone will
standardize on C23's free_sized. Or maybe we'll just be Rust by then.

Update-Note: sdallocx detection can be restored by building with
BORINGSSL_DETECT_SDALLOCX.

Fixed: 378077860
Change-Id: I7c6bd718a154f31abec09623fddbdd0637380b9a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/73030
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/crypto/mem.c b/crypto/mem.c
index 9b466c1..2113a25 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c

@@ -102,18 +102,23 @@
 #define WEAK_SYMBOL_FUNC(rettype, name, args) \
   rettype name args __attribute__((weak));
 #else
-#define WEAK_SYMBOL_FUNC(rettype, name, args) static rettype(*name) args = NULL;
+#define WEAK_SYMBOL_FUNC(rettype, name, args) \
+  static rettype(*const name) args = NULL;
 #endif
 
+#if defined(BORINGSSL_DETECT_SDALLOCX)
 // sdallocx is a sized |free| function. By passing the size (which we happen to
 // always know in BoringSSL), the malloc implementation can save work. We cannot
 // depend on |sdallocx| being available, however, so it's a weak symbol.
 //
-// This will always be safe, but will only be overridden if the malloc
-// implementation is statically linked with BoringSSL. So, if |sdallocx| is
-// provided in, say, libc.so, we still won't use it because that's dynamically
-// linked. This isn't an ideal result, but its helps in some cases.
+// This mechanism is kept opt-in because it assumes that, when |sdallocx| is
+// defined, it is part of the same allocator as |malloc|. This is usually true
+// but may break if |malloc| does not implement |sdallocx|, but some other
+// allocator with |sdallocx| is imported which does.
 WEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags));
+#else
+static void (*const sdallocx)(void *ptr, size_t size, int flags) = NULL;
+#endif
 
 // The following three functions can be defined to override default heap
 // allocation and freeing. If defined, it is the responsibility of