Fix/linker crash tls symbol without tls base #6008
Conversation
There was a problem hiding this comment.
Pull request overview
This PR fixes a potential deadlock in the Linker and addresses a crash that occurs when resolving TLS symbols from modules that don't export their __tls_base. The deadlock fix involves moving the is_closure check earlier in the call chain to avoid holding multiple locks simultaneously.
- Refactored
is_closureto be called before acquiring exclusive store access, preventing potential deadlocks - Added proper error handling for TLS symbols without TLS base exports
- Updated error messages for better clarity when TLS resolution fails
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| lib/wasix/src/syscalls/wasix/reflect_signature.rs | Moves the is_closure check to execute before data_and_store_mut() to avoid deadlock; reuses the computed cacheable value in error handling |
| lib/wasix/src/state/linker.rs | Adds Display impl for ModuleHandle; adds MissingTlsBaseExport error variant; updates is_closure signature to require FunctionEnvMut parameter; improves TLS error handling with better error propagation |
| lib/wasix/src/state/handles/mod.rs | Updates is_closure to be a static method taking FunctionEnvMut parameter, consistent with the linker API changes |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Also, please add a test that doesn't crash when a module is missing the TLS base export. |
| // Otherwise, fall back to the path where we apply DL ops and acquire | ||
| // a write lock afterwards | ||
| lock_instance_group_state!( | ||
| group_state_guard, | ||
| group_state, | ||
| self, | ||
| LinkError::InstanceGroupIsDead | ||
| ); | ||
| write_linker_state!(linker_state, self, group_state, ctx); | ||
| Ok(linker_state | ||
| .allocated_closure_functions | ||
| .contains_key(&function_id)) |
There was a problem hiding this comment.
In general I like the try_lock approach. However combining it with the direct locking increases the complexity even more.
We could return an error in case the try_lock fails. The reflection function can then be adjusted to be like
fn reflection() {
do_pending_linker_ops()?;
let Ok(is_closure) = is_closure() else {
trace!("Unlikely")
return Ok(Errno::Again);
};
...I think that would simplify the control flow, however it would also mean that reflect_signature can now also return an error if the caller didn't do anything wrong, which is stupid.
There was a problem hiding this comment.
This is similar to what we are doing in allocate_closure where we return Ok(Errno::Fault) in that case.
There was a problem hiding this comment.
But I think both are bad ideas.
zebreus
left a comment
zebreus
left a comment
There was a problem hiding this comment.
Not happy with the solution in refelct_signature but we need to merge this at some point
This PR also contains a fix to a potential deadlock in the Linker. Mostly the same implementation as #5879 otherwise.