This is an archive of the discontinued LLVM Phabricator instance.

Differential D112703

tsan: add debugging code for ptrace test failures
ClosedPublic

Authored by dvyukov on Oct 28 2021, 4:02 AM.

Details

Reviewers
vitalybuka
melver
amyk
Commits
rGd31b2dc235f1: tsan: add debugging code for ptrace test failures
Summary

Debugging of crashes on powerpc after commit:
c80604f7a3 ("tsan: remove real func check from interceptors")
Somehow replacing if with DCHECK leads to strange failures in:
SanitizerCommon-tsan-powerpc64le-Linux :: Linux/ptrace.cpp
https://lab.llvm.org/buildbot/#/builders/105
https://lab.llvm.org/buildbot/#/builders/121
https://lab.llvm.org/buildbot/#/builders/57

The hypothesis is that something writes out-of-bounds
into pt_regs on stack and that corrupts internal tsan state.

Diff Detail

Event Timeline

dvyukov created this revision.Oct 28 2021, 4:02 AM
Herald added a subscriber: steven.zhang. · View Herald TranscriptOct 28 2021, 4:02 AM
dvyukov requested review of this revision.Oct 28 2021, 4:02 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 28 2021, 4:02 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
dvyukov mentioned this in D112540: tsan: remove real func check from interceptors.Oct 28 2021, 4:05 AM
Harbormaster completed remote builds in B131169: Diff 382981.Oct 28 2021, 4:21 AM
melver accepted this revision.Oct 28 2021, 4:27 AM

This is very strange.

@amyk
Just in case, is there a way to get ssh access to a powerpc environment to repro these kinds of failures? There have been a number of powerpc-related issues, and we just can't repro them. :-/

This revision is now accepted and ready to land.Oct 28 2021, 4:27 AM
dvyukov added a comment.Oct 28 2021, 4:29 AM

Yes, this is very strange :)

The failure looks like the ScopedInterceptor object on stack was corrupted when returning from the interceptor (after the real syscall). So I don't know if it's the case or not, but if we assume that syscall assumes that pt_regs are larger and overwrites more memory, then it would explain the failure mode perfectly.

amyk added a comment.Oct 28 2021, 7:27 AM

Hi @melver @dvyukov,

I've checked and we do have a Power environment that can be accessed. I've sent an e-mail to you both regarding this.

amyk added a comment.Oct 29 2021, 7:51 AM

Hi @melver @dvyukov,

Just wanted to check in - I believe I've granted access to a PPC machine. Were we able to determine if this patch resolves the issues seen on the buildbot, and would this patch be ready to commit?

dvyukov added a comment.EditedOct 29 2021, 8:18 AM

Hi Any,

I only get to this point:

# to get newer cmake
export PATH=/usr/sbin:$PATH
CC=/home/fedora/gcc/install/gcc-7.1.0/bin/gcc CXX=/home/fedora/gcc/install/gcc-7.1.0/bin/g++ cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="clang;clang-tools-extra;compiler-rt;libcxx;libcxxabi;lld" -GNinja ../llvm
...
CMake Error in /home/llvmguest/dvyukov/llvm-project/libcxx/benchmarks/CMakeLists.txt:
  The compiler feature "cxx_std_20" is not known to CXX compiler
  version 7.1.0.

I can't find any other gcc/clang on the machine.

amyk added a comment.Oct 29 2021, 8:34 AM
In D112703#3096790, @dvyukov wrote:

Hi Any,

I only get to this point:

# to get newer cmake
export PATH=/usr/sbin:$PATH
CC=/home/fedora/gcc/install/gcc-7.1.0/bin/gcc CXX=/home/fedora/gcc/install/gcc-7.1.0/bin/g++ cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="clang;clang-tools-extra;compiler-rt;libcxx;libcxxabi;lld" -GNinja ../llvm
...
CMake Error in /home/llvmguest/dvyukov/llvm-project/libcxx/benchmarks/CMakeLists.txt:
  The compiler feature "cxx_std_20" is not known to CXX compiler
  version 7.1.0.

I can't find any other gcc/clang on the machine.

I'm sorry that you were having troubles building on the machine. I can look into that further.
In any case, I just tested this patch on the machine I am on right now and this resolves the SanitizerCommon-tsan-powerpc64le-Linux :: Linux/ptrace.cpp failure.
Since this patch resolves the failure, can this be committed? Or were you planning on investigating the problem further on the machine (If this is the case and if this patch cannot be committed, perhaps we can revert the offending patch first prior to doing more investigation)?

Closed by commit rGd31b2dc235f1: tsan: add debugging code for ptrace test failures (authored by dvyukov). · Explain WhyOct 29 2021, 8:37 AM
This revision was automatically updated to reflect the committed changes.
dvyukov added a commit: rGd31b2dc235f1: tsan: add debugging code for ptrace test failures.
dvyukov added a comment.Oct 29 2021, 8:38 AM

Thanks for testing. I've landed this change.

Marco helped me to figure out the command that works. For the record:

export PATH=/usr/sbin:$PATH
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_PROJECTS="clang;compiler-rt;" -GNinja ../llvm
ninja && ninja check-sanitizer

It's now building...

amyk added a comment.Oct 29 2021, 9:07 AM

Great, thank you very much Dmitry. Really appreciate it!

dvyukov added a comment.Oct 29 2021, 10:53 AM

I've reproduced the failure and reproduced "fixing" by this change.
I see some stack corruption and it's affected by small unrelated changes like adding Printf's. I've tried dumping corrupted memory, etc, but it did not give me any glues.
At this point I suspect gcc/glibc/kernel bug. I don't think it makes sense to spend more time debugging this with gcc 6.1 and kernel 4.11. Thousands of bugs were fixed since then.

Revision Contents

PathSize
compiler-rt/
lib/
tsan/
rtl/
19 lines
test/
sanitizer_common/
TestCases/
Linux/
12 lines

Diff 383369

compiler-rt/lib/tsan/rtl/tsan_interceptors.h

Show All 37 Lines
} // namespace __tsan } // namespace __tsan
#define SCOPED_INTERCEPTOR_RAW(func, ...) \ #define SCOPED_INTERCEPTOR_RAW(func, ...) \
ThreadState *thr = cur_thread_init(); \ ThreadState *thr = cur_thread_init(); \
ScopedInterceptor si(thr, #func, GET_CALLER_PC()); \ ScopedInterceptor si(thr, #func, GET_CALLER_PC()); \
UNUSED const uptr pc = GET_CURRENT_PC(); UNUSED const uptr pc = GET_CURRENT_PC();
#ifdef __powerpc64__
// Debugging of crashes on powerpc after commit:
// c80604f7a3 ("tsan: remove real func check from interceptors")
// Somehow replacing if with DCHECK leads to strange failures in:
// SanitizerCommon-tsan-powerpc64le-Linux :: Linux/ptrace.cpp
// https://lab.llvm.org/buildbot/#/builders/105
// https://lab.llvm.org/buildbot/#/builders/121
// https://lab.llvm.org/buildbot/#/builders/57
# define CHECK_REAL_FUNC(func) \
if (REAL(func) == 0) { \
Report("FATAL: ThreadSanitizer: failed to intercept %s\n", #func); \
Die(); \
}
#else
# define CHECK_REAL_FUNC(func) DCHECK(REAL(func))
#endif
#define SCOPED_TSAN_INTERCEPTOR(func, ...) \ #define SCOPED_TSAN_INTERCEPTOR(func, ...) \
SCOPED_INTERCEPTOR_RAW(func, __VA_ARGS__); \ SCOPED_INTERCEPTOR_RAW(func, __VA_ARGS__); \
DCHECK(REAL(func)); \ CHECK_REAL_FUNC(func); \
if (!thr->is_inited || thr->ignore_interceptors || thr->in_ignored_lib) \ if (!thr->is_inited || thr->ignore_interceptors || thr->in_ignored_lib) \
return REAL(func)(__VA_ARGS__); return REAL(func)(__VA_ARGS__);
#define SCOPED_TSAN_INTERCEPTOR_USER_CALLBACK_START() \ #define SCOPED_TSAN_INTERCEPTOR_USER_CALLBACK_START() \
si.DisableIgnores(); si.DisableIgnores();
#define SCOPED_TSAN_INTERCEPTOR_USER_CALLBACK_END() \ #define SCOPED_TSAN_INTERCEPTOR_USER_CALLBACK_END() \
si.EnableIgnores(); si.EnableIgnores();
Show All 20 Lines

compiler-rt/test/sanitizer_common/TestCases/Linux/ptrace.cpp

// RUN: %clangxx -O0 %s -o %t && %run %t // RUN: %clangxx -O0 %s -o %t && %run %t
// UNSUPPORTED: android // UNSUPPORTED: android
#include <assert.h> #include <assert.h>
#include <elf.h>
#include <signal.h> #include <signal.h>
#include <stdio.h> #include <stdio.h>
#include <string.h>
#include <sys/ptrace.h> #include <sys/ptrace.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h> #include <sys/user.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/uio.h>
#include <unistd.h> #include <unistd.h>
#include <elf.h>
#if __mips64 || __arm__ #if __mips64 || __arm__
#include <asm/ptrace.h> #include <asm/ptrace.h>
#include <sys/procfs.h> #include <sys/procfs.h>
#endif #endif
#ifdef __aarch64__ #ifdef __aarch64__
// GLIBC 2.20+ sys/user does not include asm/ptrace.h // GLIBC 2.20+ sys/user does not include asm/ptrace.h
#include <asm/ptrace.h> #include <asm/ptrace.h>
#endif #endif
Show All 18 Lines#if __x86_64__
user_fpregs_struct fpregs; user_fpregs_struct fpregs;
res = ptrace(PTRACE_GETFPREGS, pid, NULL, &fpregs); res = ptrace(PTRACE_GETFPREGS, pid, NULL, &fpregs);
assert(!res); assert(!res);
if (fpregs.mxcsr) if (fpregs.mxcsr)
printf("%x\n", fpregs.mxcsr); printf("%x\n", fpregs.mxcsr);
#endif // __x86_64__ #endif // __x86_64__
#if (__powerpc64__ || __mips64 || __arm__) #if (__powerpc64__ || __mips64 || __arm__)
struct pt_regs regs; // Check that nothing writes out-of-bounds.
struct pt_regs regs_buf[4];
memset(&regs_buf, 0xcd, sizeof(regs_buf));
struct pt_regs &regs = regs_buf[1];
res = ptrace((enum __ptrace_request)PTRACE_GETREGS, pid, NULL, &regs); res = ptrace((enum __ptrace_request)PTRACE_GETREGS, pid, NULL, &regs);
assert(!res); assert(!res);
assert(memcmp(&regs_buf[0], &regs_buf[3], sizeof(regs_buf[3])) == 0);
assert(memcmp(&regs_buf[2], &regs_buf[3], sizeof(regs_buf[3])) == 0);
#if (__powerpc64__) #if (__powerpc64__)
if (regs.nip) if (regs.nip)
printf("%lx\n", regs.nip); printf("%lx\n", regs.nip);
#elif (__mips64) #elif (__mips64)
if (regs.cp0_epc) if (regs.cp0_epc)
printf("%lx\n", regs.cp0_epc); printf("%lx\n", regs.cp0_epc);
#elif (__arm__) #elif (__arm__)
if (regs.ARM_pc) if (regs.ARM_pc)
▲ Show 20 LinesShow All 68 LinesShow Last 20 Lines