This is an archive of the discontinued LLVM Phabricator instance.

Differential D95731

[asan] Fix pthread_create interceptor
ClosedPublic

Authored by vitalybuka on Jan 30 2021, 12:44 AM.

Details

Reviewers
delcypher
Commits
rG9da05cf6ed16: [asan] Fix pthread_create interceptor
Summary

AsanThread::Destroy implementation expected to be called on
child thread.

I missed authors concern regarding this reviewing D95184.

Diff Detail

Event Timeline

vitalybuka requested review of this revision.Jan 30 2021, 12:44 AM
vitalybuka created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJan 30 2021, 12:44 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B87259: Diff 320288.Jan 30 2021, 1:12 AM
delcypher requested changes to this revision.Jan 31 2021, 8:13 PM

Thanks for catching this. Did this break something somewhere? I didn't see any emails about breaking CI.

I've left some minor comments in the review but overall the approach seems good to me.

compiler-rt/lib/asan/asan_thread.cpp
103

Should we have something like this to document the assumption and catch if it's being violated?

// Must be called on owning thread if `create_failed` is false.
AsanThread::Destroy(bool create_failed) {
...

bool called_by_owning_thread = tid == GetCurrentTidOrInvalid();

...
if (!create_failed) {
  CHECK(called_by_owning_thread);
  ...
}
compiler-rt/test/sanitizer_common/TestCases/Posix/create_thread_fail.cpp
22

I'm guessing you're trying to zero the 16 least significant bits in sz which makes the size 64KiB aligned. Maybe add a comment explaining why? Perhaps you need to do this to make pthread_attr_setstacksize() to succeed?

I presume the idea here is that the requested stack size is supposed to be too large to succeed? If that's the case could you add a comment explaining this?

This revision now requires changes to proceed.Jan 31 2021, 8:13 PM
vitalybuka updated this revision to Diff 320413.Feb 1 2021, 1:23 AM

update

vitalybuka marked 2 inline comments as done.Feb 1 2021, 1:23 AM
vitalybuka added a comment.Feb 1 2021, 1:35 AM
In D95731#2533103, @delcypher wrote:

Thanks for catching this. Did this break something somewhere? I didn't see any emails about breaking CI.

It fails many_threads_detach.cpp on my workstation. Probably bots have higher thread limits.

Harbormaster completed remote builds in B87339: Diff 320413.Feb 1 2021, 1:58 AM
delcypher added inline comments.Feb 1 2021, 10:46 AM
compiler-rt/lib/asan/asan_thread.cpp
103

@vitalybuka Do you want to add the checks I suggested to AsanThread::Destroy()? It's fine to not do it I'd just like to understand why.

131

Maybe add a comment here about keeping this in sync with AsanThread::Destroy()?

compiler-rt/lib/asan/asan_thread.h
67 ↗(On Diff #320413)

How about?

// Destroy this object. Should be called from the corresponding thread when it terminates.
void Destroy();
// Destroy this object. Should be called if the thread fails to start. May be called from any thread
void DestroyFailed();

Perhaps we should pick clearer names. E.g. DestroyOnThreadTermination() and DestroyOnFailedCreate()?

vitalybuka updated this revision to Diff 320575.Feb 1 2021, 1:15 PM
vitalybuka marked an inline comment as done.

update

vitalybuka added inline comments.Feb 1 2021, 1:21 PM
compiler-rt/lib/asan/asan_thread.cpp
103

I guess we we have enough info to perform appropriate version cleanup here.

vitalybuka updated this revision to Diff 320577.Feb 1 2021, 1:22 PM

fix typo

vitalybuka added inline comments.Feb 1 2021, 1:28 PM
compiler-rt/lib/asan/asan_thread.cpp
109

I changing order of UnsetAlternateSignalStack/FinishThread but I don't see a reason for particular order.

Harbormaster completed remote builds in B87413: Diff 320575.Feb 1 2021, 2:29 PM
Harbormaster completed remote builds in B87414: Diff 320577.Feb 1 2021, 2:35 PM
delcypher added inline comments.Feb 2 2021, 12:08 PM
compiler-rt/lib/asan/asan_thread.cpp
102–103

@vitalybuka Should malloc_storage().CommitBack(); be guarded by `was_running too?

I'm not very familiar with this part of ASan's allocator but it looks like malloc_storage() is returning some kind of thread local cache for the quarantine and the primary allocator. I'm guessing that this cache would not be used if was_running is false because we never started the thread and so no allocations could have occurred. That would imply that technically calling malloc_storage().CommitBack(); when was_running is false is unnecessary.

However, for simplicity and to avoid creating an avenue for future bugs calling malloc_storage().CommitBack(); unguarded is probably better provided we are sure it's safe to do this for storage for a thread that was never started. Are we sure it's safe?

109

Seems reasonable. I think the only impact would be if a signal was raised in this function. Previously if a signal was raised in asanThreadRegistry().FinishThread(tid); then I think it would not use the alt signal stack. In the new patch if a signal is raised in asanThreadRegistry().FinishThread(tid) then it will use the alt signal stack.

We should not be raising a signal from asanThreadRegistry().FinishThread(tid); so I think this change should be okay.

delcypher added a comment.Feb 2 2021, 12:12 PM

Thanks for working on this. The new approach LGTM apart from calling malloc_storage().CommitBack();. I've left a comment on this. I suspect it's probably okay but I wanted to bring this up before we land this.

vitalybuka updated this revision to Diff 320898.Feb 2 2021, 1:37 PM

update

vitalybuka added inline comments.Feb 2 2021, 1:41 PM
compiler-rt/lib/asan/asan_thread.cpp
102–103

I think it should be safe either way.
"was_running" is hot case so if we wrong about running it after FinishThread() we should notice that soon.

Alternative to add getter for thread state, but it will require additional lock and so fare it looks unnecessary

Harbormaster completed remote builds in B87578: Diff 320898.Feb 2 2021, 2:12 PM
delcypher accepted this revision.Feb 3 2021, 8:08 AM

LGTM. Thanks for working on this.

This revision is now accepted and ready to land.Feb 3 2021, 8:08 AM
Closed by commit rG9da05cf6ed16: [asan] Fix pthread_create interceptor (authored by vitalybuka). · Explain WhyFeb 3 2021, 12:58 PM
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rG9da05cf6ed16: [asan] Fix pthread_create interceptor.

Revision Contents

PathSize
compiler-rt/
lib/
asan/
29 lines
sanitizer_common/
3 lines
4 lines
test/
sanitizer_common/
TestCases/
Posix/
31 lines

Diff 321199

compiler-rt/lib/asan/asan_thread.cpp

Show First 20 LinesShow All 93 Lines▼ Show 20 Linesvoid AsanThread::TSDDtor(void *tsd) {
VReport(1, "T%d TSDDtor\n", context->tid); VReport(1, "T%d TSDDtor\n", context->tid);
if (context->thread) if (context->thread)
context->thread->Destroy(); context->thread->Destroy();
} }
void AsanThread::Destroy() { void AsanThread::Destroy() {
int tid = this->tid(); int tid = this->tid();
VReport(1, "T%d exited\n", tid); VReport(1, "T%d exited\n", tid);
bool was_running =
delcypherUnsubmitted
Done
ReplyInline Actions

Should we have something like this to document the assumption and catch if it's being violated?

// Must be called on owning thread if `create_failed` is false.
AsanThread::Destroy(bool create_failed) {
...

bool called_by_owning_thread = tid == GetCurrentTidOrInvalid();

...
if (!create_failed) {
  CHECK(called_by_owning_thread);
  ...
}
delcypher: Should we have something like this to document the assumption and catch if it's being violated?
delcypherUnsubmitted
Not Done
ReplyInline Actions

@vitalybuka Do you want to add the checks I suggested to AsanThread::Destroy()? It's fine to not do it I'd just like to understand why.

delcypher: @vitalybuka Do you want to add the checks I suggested to `AsanThread::Destroy()`? It's fine to…
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

I guess we we have enough info to perform appropriate version cleanup here.

vitalybuka: I guess we we have enough info to perform appropriate version cleanup here.
delcypherUnsubmitted
Not Done
ReplyInline Actions

@vitalybuka Should malloc_storage().CommitBack(); be guarded by `was_running too?

I'm not very familiar with this part of ASan's allocator but it looks like malloc_storage() is returning some kind of thread local cache for the quarantine and the primary allocator. I'm guessing that this cache would not be used if was_running is false because we never started the thread and so no allocations could have occurred. That would imply that technically calling malloc_storage().CommitBack(); when was_running is false is unnecessary.

However, for simplicity and to avoid creating an avenue for future bugs calling malloc_storage().CommitBack(); unguarded is probably better provided we are sure it's safe to do this for storage for a thread that was never started. Are we sure it's safe?

delcypher: @vitalybuka Should `malloc_storage().CommitBack();` be guarded by `was_running too? I'm not…
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

I think it should be safe either way.
"was_running" is hot case so if we wrong about running it after FinishThread() we should notice that soon.

Alternative to add getter for thread state, but it will require additional lock and so fare it looks unnecessary

vitalybuka: I think it should be safe either way. "was_running" is hot case so if we wrong about running…
(asanThreadRegistry().FinishThread(tid) == ThreadStatusRunning);
if (was_running) {
if (AsanThread *thread = GetCurrentThread())
CHECK_EQ(this, thread);
malloc_storage().CommitBack(); malloc_storage().CommitBack();
if (common_flags()->use_sigaltstack) UnsetAlternateSignalStack(); if (common_flags()->use_sigaltstack)
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

I changing order of UnsetAlternateSignalStack/FinishThread but I don't see a reason for particular order.

vitalybuka: I changing order of UnsetAlternateSignalStack/FinishThread but I don't see a reason for…
delcypherUnsubmitted
Not Done
ReplyInline Actions

Seems reasonable. I think the only impact would be if a signal was raised in this function. Previously if a signal was raised in asanThreadRegistry().FinishThread(tid); then I think it would not use the alt signal stack. In the new patch if a signal is raised in asanThreadRegistry().FinishThread(tid) then it will use the alt signal stack.

We should not be raising a signal from asanThreadRegistry().FinishThread(tid); so I think this change should be okay.

delcypher: Seems reasonable. I think the only impact would be if a signal was raised in this function.
asanThreadRegistry().FinishThread(tid); UnsetAlternateSignalStack();
FlushToDeadThreadStats(&stats_); FlushToDeadThreadStats(&stats_);
// We also clear the shadow on thread destruction because // We also clear the shadow on thread destruction because
// some code may still be executing in later TSD destructors // some code may still be executing in later TSD destructors
// and we don't want it to have any poisoned stack. // and we don't want it to have any poisoned stack.
ClearShadowForThreadStackAndTLS(); ClearShadowForThreadStackAndTLS();
DeleteFakeStack(tid); DeleteFakeStack(tid);
} else {
CHECK_NE(this, GetCurrentThread());
}
uptr size = RoundUpTo(sizeof(AsanThread), GetPageSizeCached()); uptr size = RoundUpTo(sizeof(AsanThread), GetPageSizeCached());
UnmapOrDie(this, size); UnmapOrDie(this, size);
if (was_running)
DTLS_Destroy(); DTLS_Destroy();
} }
void AsanThread::StartSwitchFiber(FakeStack **fake_stack_save, uptr bottom, void AsanThread::StartSwitchFiber(FakeStack **fake_stack_save, uptr bottom,
uptr size) { uptr size) {
if (atomic_load(&stack_switching_, memory_order_relaxed)) { if (atomic_load(&stack_switching_, memory_order_relaxed)) {
Report("ERROR: starting fiber switch while in fiber switch\n"); Report("ERROR: starting fiber switch while in fiber switch\n");
Die(); Die();
} }
delcypherUnsubmitted
Done
ReplyInline Actions

Maybe add a comment here about keeping this in sync with AsanThread::Destroy()?

delcypher: Maybe add a comment here about keeping this in sync with `AsanThread::Destroy()`?
next_stack_bottom_ = bottom; next_stack_bottom_ = bottom;
next_stack_top_ = bottom + size; next_stack_top_ = bottom + size;
atomic_store(&stack_switching_, 1, memory_order_release); atomic_store(&stack_switching_, 1, memory_order_release);
FakeStack *current_fake_stack = fake_stack_; FakeStack *current_fake_stack = fake_stack_;
if (fake_stack_save) if (fake_stack_save)
*fake_stack_save = fake_stack_; *fake_stack_save = fake_stack_;
▲ Show 20 LinesShow All 417 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_thread_registry.h

Show First 20 LinesShow All 120 Lines▼ Show 20 Lines public:
ThreadContextBase *FindThreadContextLocked(FindThreadCallback cb, ThreadContextBase *FindThreadContextLocked(FindThreadCallback cb,
void *arg); void *arg);
ThreadContextBase *FindThreadContextByOsIDLocked(tid_t os_id); ThreadContextBase *FindThreadContextByOsIDLocked(tid_t os_id);
void SetThreadName(u32 tid, const char *name); void SetThreadName(u32 tid, const char *name);
void SetThreadNameByUserId(uptr user_id, const char *name); void SetThreadNameByUserId(uptr user_id, const char *name);
void DetachThread(u32 tid, void *arg); void DetachThread(u32 tid, void *arg);
void JoinThread(u32 tid, void *arg); void JoinThread(u32 tid, void *arg);
void FinishThread(u32 tid); // Finishes thread and returns previous status.
ThreadStatus FinishThread(u32 tid);
void StartThread(u32 tid, tid_t os_id, ThreadType thread_type, void *arg); void StartThread(u32 tid, tid_t os_id, ThreadType thread_type, void *arg);
void SetThreadUserId(u32 tid, uptr user_id); void SetThreadUserId(u32 tid, uptr user_id);
private: private:
const ThreadContextFactory context_factory_; const ThreadContextFactory context_factory_;
const u32 max_threads_; const u32 max_threads_;
const u32 thread_quarantine_size_; const u32 thread_quarantine_size_;
const u32 max_reuse_; const u32 max_reuse_;
Show All 24 Lines

compiler-rt/lib/sanitizer_common/sanitizer_thread_registry.cpp

Show First 20 LinesShow All 272 Lines▼ Show 20 Linesvoid ThreadRegistry::JoinThread(u32 tid, void *arg) {
} while (!destroyed); } while (!destroyed);
} }
// Normally this is called when the thread is about to exit. If // Normally this is called when the thread is about to exit. If
// called in ThreadStatusCreated state, then this thread was never // called in ThreadStatusCreated state, then this thread was never
// really started. We just did CreateThread for a prospective new // really started. We just did CreateThread for a prospective new
// thread before trying to create it, and then failed to actually // thread before trying to create it, and then failed to actually
// create it, and so never called StartThread. // create it, and so never called StartThread.
void ThreadRegistry::FinishThread(u32 tid) { ThreadStatus ThreadRegistry::FinishThread(u32 tid) {
BlockingMutexLock l(&mtx_); BlockingMutexLock l(&mtx_);
CHECK_GT(alive_threads_, 0); CHECK_GT(alive_threads_, 0);
alive_threads_--; alive_threads_--;
CHECK_LT(tid, n_contexts_); CHECK_LT(tid, n_contexts_);
ThreadContextBase *tctx = threads_[tid]; ThreadContextBase *tctx = threads_[tid];
CHECK_NE(tctx, 0); CHECK_NE(tctx, 0);
bool dead = tctx->detached; bool dead = tctx->detached;
ThreadStatus prev_status = tctx->status;
if (tctx->status == ThreadStatusRunning) { if (tctx->status == ThreadStatusRunning) {
CHECK_GT(running_threads_, 0); CHECK_GT(running_threads_, 0);
running_threads_--; running_threads_--;
} else { } else {
// The thread never really existed. // The thread never really existed.
CHECK_EQ(tctx->status, ThreadStatusCreated); CHECK_EQ(tctx->status, ThreadStatusCreated);
dead = true; dead = true;
} }
tctx->SetFinished(); tctx->SetFinished();
if (dead) { if (dead) {
tctx->SetDead(); tctx->SetDead();
QuarantinePush(tctx); QuarantinePush(tctx);
} }
tctx->SetDestroyed(); tctx->SetDestroyed();
return prev_status;
} }
void ThreadRegistry::StartThread(u32 tid, tid_t os_id, ThreadType thread_type, void ThreadRegistry::StartThread(u32 tid, tid_t os_id, ThreadType thread_type,
void *arg) { void *arg) {
BlockingMutexLock l(&mtx_); BlockingMutexLock l(&mtx_);
running_threads_++; running_threads_++;
CHECK_LT(tid, n_contexts_); CHECK_LT(tid, n_contexts_);
ThreadContextBase *tctx = threads_[tid]; ThreadContextBase *tctx = threads_[tid];
▲ Show 20 LinesShow All 41 LinesShow Last 20 Lines

compiler-rt/test/sanitizer_common/TestCases/Posix/create_thread_fail.cpp

  • This file was added.
// Sanitizer should not crash if pthread_create fails.
// RUN: %clangxx -pthread %s -o %t && %run %t
// pthread_create with lsan i386 does not fail here.
// UNSUPPORTED: i386-linux && lsan
#include <cassert>
#include <pthread.h>
#include <stdlib.h>
void *null_func(void *args) {
return NULL;
}
int main(void) {
pthread_t thread;
pthread_attr_t attrs;
pthread_attr_init(&attrs);
// Set size huge enough to fail pthread_create.
size_t sz = ~0;
// Align the size just in case.
sz >>= 16;
delcypherUnsubmitted
Done
ReplyInline Actions

I'm guessing you're trying to zero the 16 least significant bits in sz which makes the size 64KiB aligned. Maybe add a comment explaining why? Perhaps you need to do this to make pthread_attr_setstacksize() to succeed?

I presume the idea here is that the requested stack size is supposed to be too large to succeed? If that's the case could you add a comment explaining this?

delcypher: I'm guessing you're trying to zero the 16 least significant bits in `sz` which makes the size…
sz <<= 16;
int res = pthread_attr_setstacksize(&attrs, sz);
assert(res == 0);
for (size_t i = 0; i < 10; ++i) {
res = pthread_create(&thread, &attrs, null_func, NULL);
assert(res != 0);
}
return 0;
}