memory_maps: move ia2_threads_metadata global definition to INIT_RUNTIME to have a once-mapped definition

kkysen · kkysen · commit f3107c21dfb9 · 2025-07-30T23:29:19.000-07:00
Without this, `liblibia2.a` contains the `ia2_threads_metadata`,
which is then linked into each compartment's `*.so`,
causing each compartment to reference a different version of the global,
causing lots of errors and segfaults.

This also requires moving the type and other definitions
from `memory_maps.{h,c}` to `ia2.h`.
diff --git a/runtime/libia2/include/ia2.h b/runtime/libia2/include/ia2.h
@@ -12,6 +12,7 @@
 #endif
 
 #include <errno.h>
+#include <pthread.h>
 #include <stdint.h>
 #include <unistd.h>
 
@@ -190,6 +191,52 @@
 /// Convert a compartment pkey to a PKRU register value
 #define PKRU(pkey) (~((3U << (2 * pkey)) | 3))
 
+// Moved `ia2_thread_metadata` from `memory_maps.h`
+// and `IA2_MAX_THREADS` and `ia2_all_threads_metadata`
+// from `memory_maps.c` to here
+// so that it can be used in `ia2_internal.h` within `_IA2_INIT_RUNTIME`
+// to only initialize the `ia2_threads_metadata` global once.
+
+/// The data here is shared, so it should not be trusted for use as a pointer,
+/// but it can be used best effort for non-trusted purposes.
+struct ia2_thread_metadata {
+  pid_t tid;
+  pthread_t thread;
+
+  /// The start function passed to `pthread_create`.
+  void *(*start_fn)(void *arg);
+
+  /// The addresses of each compartment's stack for this thread.
+  uintptr_t stack_addrs[IA2_MAX_COMPARTMENTS];
+
+  /// The addresses of each compartment's TLS region for this thread,
+  /// except for compartment 1, which has split TLS regions (see below).
+  uintptr_t tls_addrs[IA2_MAX_COMPARTMENTS];
+
+  /// The TLS region is split only for the first compartment,
+  /// so we need two addresses for just that one.
+  ///
+  /// Compartment 1's TLS region is split because there is a page of
+  /// unprotected data for `ia2_stackptr_0` (in compartment 0), plus padding,
+  /// as we don't have a general implementation of shared TLS yet,
+  /// but `ia2_stackptr_0` is special-cased for now
+  /// as it must be stored in TLS and unprotected.
+  uintptr_t tls_addr_compartment1_first;
+  uintptr_t tls_addr_compartment1_second;
+};
+
+// It's much simpler to only support a static number of created threads,
+// especially because we want to have very few dependencies.
+// If a program needs more threads, you can just increase this number.
+#define IA2_MAX_THREADS 512
+
+struct ia2_all_threads_metadata {
+  pthread_mutex_t lock;
+  size_t num_threads;
+  pid_t tids[IA2_MAX_THREADS];
+  struct ia2_thread_metadata thread_metadata[IA2_MAX_THREADS];
+};
+
 #ifdef __cplusplus
 extern "C" {
 #endif
diff --git a/runtime/libia2/include/ia2_internal.h b/runtime/libia2/include/ia2_internal.h
@@ -439,7 +439,19 @@ __attribute__((__noreturn__)) void ia2_reinit_stack_err(int i);
                                                                                                       \
   void ia2_setup_destructors(void) {                                                                  \
     REPEATB##n(setup_destructors_for_compartment, nop_macro);                                         \
-  }
+  }                                                                                                   \
+                                                                                                      \
+  /* Moved `ia2_threads_metadata` from `memory_maps.c` to here */                                     \
+  /* so that it can be used in `_IA2_INIT_RUNTIME` */                                                 \
+  /* to only initialize the `ia2_threads_metadata` global once. */                                    \
+                                                                                                      \
+  /* All zeroed, so this should go in `.bss` */                                                       \
+  /* and only have pages lazily allocated. */                                                         \
+  struct ia2_all_threads_metadata ia2_threads_metadata IA2_SHARED_DATA = {                            \
+      .lock = PTHREAD_MUTEX_INITIALIZER,                                                              \
+      .num_threads = 0,                                                                               \
+      .thread_metadata = {0},                                                                         \
+  };
 
 #if IA2_VERBOSE
 #define ia2_log(fmt, ...) fprintf(stdout, "%s: " fmt, __func__, ##__VA_ARGS__)
diff --git a/runtime/libia2/memory_maps.c b/runtime/libia2/memory_maps.c
@@ -6,17 +6,9 @@
 // This reduces the trusted codebase and avoids runtime overhead.
 #if IA2_DEBUG_MEMORY
 
-// It's much simpler to only support a static number of created threads,
-// especially because we want to have very few dependencies.
-// If a program needs more threads, you can just increase this number.
-#define IA2_MAX_THREADS 512
-
-struct ia2_all_threads_metadata {
-  pthread_mutex_t lock;
-  size_t num_threads;
-  pid_t tids[IA2_MAX_THREADS];
-  struct ia2_thread_metadata thread_metadata[IA2_MAX_THREADS];
-};
+// Moved `IA2_MAX_THREADS` and `ia2_all_threads_metadata` from here to `ia2.h`
+// so that it can be used in `ia2_internal.h` within `_IA2_INIT_RUNTIME`
+// to only initialize the `ia2_threads_metadata` global once.
 
 #define array_len(a) (sizeof(a) / sizeof(*(a)))
 
@@ -101,12 +93,10 @@ struct ia2_addr_location ia2_all_threads_metadata_find_addr(struct ia2_all_threa
   return location;
 }
 
-// All zeroed, so this should go in `.bss` and only have pages lazily allocated.
-static struct ia2_all_threads_metadata IA2_SHARED_DATA ia2_threads_metadata = {
-    .lock = PTHREAD_MUTEX_INITIALIZER,
-    .num_threads = 0,
-    .thread_metadata = {0},
-};
+// Moved `ia2_threads_metadata` from here to `ia2_internal.h`
+// so that it can be used in `_IA2_INIT_RUNTIME`
+// to only initialize the `ia2_threads_metadata` global once.
+extern struct ia2_all_threads_metadata ia2_threads_metadata;
 
 struct ia2_thread_metadata *ia2_thread_metadata_get_current_thread(void) {
   return ia2_all_threads_metadata_lookup(&ia2_threads_metadata);
diff --git a/runtime/libia2/memory_maps.h b/runtime/libia2/memory_maps.h
@@ -9,33 +9,9 @@
 // This reduces the trusted codebase and avoids runtime overhead.
 #if IA2_DEBUG_MEMORY
 
-/// The data here is shared, so it should not be trusted for use as a pointer,
-/// but it can be used best effort for non-trusted purposes.
-struct ia2_thread_metadata {
-  pid_t tid;
-  pthread_t thread;
-
-  /// The start function passed to `pthread_create`.
-  void *(*start_fn)(void *arg);
-
-  /// The addresses of each compartment's stack for this thread.
-  uintptr_t stack_addrs[IA2_MAX_COMPARTMENTS];
-
-  /// The addresses of each compartment's TLS region for this thread,
-  /// except for compartment 1, which has split TLS regions (see below).
-  uintptr_t tls_addrs[IA2_MAX_COMPARTMENTS];
-
-  /// The TLS region is split only for the first compartment,
-  /// so we need two addresses for just that one.
-  ///
-  /// Compartment 1's TLS region is split because there is a page of
-  /// unprotected data for `ia2_stackptr_0` (in compartment 0), plus padding,
-  /// as we don't have a general implementation of shared TLS yet,
-  /// but `ia2_stackptr_0` is special-cased for now
-  /// as it must be stored in TLS and unprotected.
-  uintptr_t tls_addr_compartment1_first;
-  uintptr_t tls_addr_compartment1_second;
-};
+// Moved `ia2_thread_metadata` from here to `ia2.h`
+// so that it can be used in `ia2_internal.h` within `_IA2_INIT_RUNTIME`
+// to only initialize the `ia2_threads_metadata` global once.
 
 /// Find the `struct ia2_thread_metadata*` for the current thread,
 /// adding (but not allocating) one if there isn't one yet.
