Delete |pthread_key_t| on dlclose.

When OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY is defined during the build, this change adds a destructor function that is called when BoringSSL is unloaded via |dlclose| or during process exit. Using |dlclose| with BoringSSL is not supported and will leak memory, but this change allows some code that is already doing it to survive longer. Change-Id: Ifc6d6aae61ed0f15d61cd3dbb4ea9f8006e43dba Reviewed-on: https://boringssl-review.googlesource.com/25784 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Fred Gylys-Colwell <fredgc@google.com>
6 years ago · 02d696f2a1
--- a/crypto/thread_pthread.c
+++ b/crypto/thread_pthread.c
@@ -94,6 +94,8 @@ void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) {
 static pthread_mutex_t g_destructors_lock = PTHREAD_MUTEX_INITIALIZER;
 static thread_local_destructor_t g_destructors[NUM_OPENSSL_THREAD_LOCALS];

 // thread_local_destructor is called when a thread exits. It releases thread
 // local data for that thread only.
 static void thread_local_destructor(void *arg) {
  if (arg == NULL) {
    return;
@@ -119,16 +121,44 @@ static void thread_local_destructor(void *arg) {

 static pthread_once_t g_thread_local_init_once = PTHREAD_ONCE_INIT;
 static pthread_key_t g_thread_local_key;
 static int g_thread_local_failed = 0;
 static int g_thread_local_key_created = 0;

 // OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY can be defined to cause
 // |pthread_key_delete| to be called in a destructor function. This can be
 // useful for programs that dlclose BoringSSL.
 //
 // Note that dlclose()ing BoringSSL is not supported and will leak memory:
 // thread-local values will be leaked as well as anything initialised via a
 // once. The |pthread_key_t| is destroyed because they run out very quickly,
 // while the other leaks are slow, and this allows code that happens to use
 // dlclose() despite all the problems to continue functioning.
 //
 // This is marked "dangerous" because it can cause multi-threaded processes to
 // crash (even if they don't use dlclose): if the destructor runs while other
 // threads are still executing then they may end up using an invalid key to
 // access thread-local variables.
 //
 // This may be removed after February 2020.
 #if defined(OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY) && \
    (defined(__GNUC__) || defined(__clang__))
 // thread_key_destructor is called when the library is unloaded with dlclose.
 static void thread_key_destructor(void) __attribute__((destructor, unused));
 static void thread_key_destructor(void) {
  if (g_thread_local_key_created) {
    g_thread_local_key_created = 0;
    pthread_key_delete(g_thread_local_key);
  }
 }
 #endif

 static void thread_local_init(void) {
  g_thread_local_failed =
      pthread_key_create(&g_thread_local_key, thread_local_destructor) != 0;
  g_thread_local_key_created =
      pthread_key_create(&g_thread_local_key, thread_local_destructor) == 0;
 }

 void *CRYPTO_get_thread_local(thread_local_data_t index) {
  CRYPTO_once(&g_thread_local_init_once, thread_local_init);
  if (g_thread_local_failed) {
  if (!g_thread_local_key_created) {
    return NULL;
  }

@@ -142,7 +172,7 @@ void *CRYPTO_get_thread_local(thread_local_data_t index) {
 int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
                            thread_local_destructor_t destructor) {
  CRYPTO_once(&g_thread_local_init_once, thread_local_init);
  if (g_thread_local_failed) {
  if (!g_thread_local_key_created) {
    destructor(value);
    return 0;
  }