[msan] Don't delete MSanAtExitRecord

Summary:
Pre 2.27 libc can run same atexit handler twice
We will keep MSanAtExitRecord and reset fun to mark it as executed.

Fix PR40162

Reviewers: eugenis

Subscribers: jfb, jdoerfert, #sanitizers, llvm-commits

Tags: #sanitizers, #llvm

Differential Revision: https://reviews.llvm.org/D58221

llvm-svn: 354005

2 files changed, 40 insertions, 1 deletions

diff --git a/compiler-rt/lib/msan/msan_interceptors.cc b/compiler-rt/lib/msan/msan_interceptors.cc
index ba0599e333b..58b9c39e35c 100644
--- a/compiler-rt/lib/msan/msan_interceptors.cc
+++ b/compiler-rt/lib/msan/msan_interceptors.cc
@@ -1118,8 +1118,12 @@ void MSanAtExitWrapper() {
 void MSanCxaAtExitWrapper(void *arg) {
   UnpoisonParam(1);
   MSanAtExitRecord *r = (MSanAtExitRecord *)arg;
+  // libc before 2.27 had race which caused occasional double handler execution
+  // https://sourceware.org/ml/libc-alpha/2017-08/msg01204.html
+  if (!r->func)
+    return;
   r->func(r->arg);
-  InternalFree(r);
+  r->func = nullptr;
 }
 
 static int setup_at_exit_wrapper(void(*f)(), void *arg, void *dso);
diff --git a/compiler-rt/test/msan/cxa_atexit_race.cc b/compiler-rt/test/msan/cxa_atexit_race.cc
new file mode 100644
index 00000000000..f6e7a225ba1
--- /dev/null
+++ b/compiler-rt/test/msan/cxa_atexit_race.cc
@@ -0,0 +1,35 @@
+// RUN: %clangxx_msan %s -o %t && %run %t 2>&1 | FileCheck %s
+
+#include <atomic>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+extern "C" int
+__cxa_atexit(void (*func)(void *), void *arg, void *d);
+
+void handler(void *) {
+}
+
+std::atomic_int counter;
+
+void *thread(void *) {
+  for (int i = 0; i < 10000; ++i) {
+    __cxa_atexit(&handler, 0, (void *)&handler);
+    ++counter;
+  }
+  return 0;
+}
+
+int main(void) {
+  printf("TEST_MAIN\n");
+  pthread_t pt;
+  for (int i = 0; i < 2; ++i)
+    pthread_create(&pt, 0, &thread, 0);
+  while (counter < 1000) {
+  };
+  return 0;
+}
+// CHECK: TEST_MAIN
+// CHECK-NOT: MemorySanitizer