This is an archive of the discontinued LLVM Phabricator instance.

Differential D127845

tsan: fix deadlock/crash in signal handling
ClosedPublic

Authored by dvyukov on Jun 15 2022, 4:20 AM.

Details

Reviewers
melver
Commits
rG3056ccdbae7c: tsan: fix deadlock/crash in signal handling
Summary

We set in_blocking_func around some blocking C functions so that we don't
delay signal infinitely (if in_blocking_func is set we deliver signals
synchronously).

However, pthread_join is blocking but also call munmap/free to free thread
resources. If we are inside the munmap/free interceptors called from
pthread_join and deliver a signal synchronously, it can lead to deadlocks
and crashes since we re-enter runtime and try to lock the same mutexes
or use the same per-thread data structures.

If we re-enter runtime via an interceptor when in_blocking_func is set,
temporary reset in_blocking_func around the interceptor and restore it back
when we return from the recursive interceptor.

Also move in_blocking_func from ThreadSignalContext to ThreadContext
so that we can CHECK that it's not set in SlotLocker ctor.

Fixes https://github.com/google/sanitizers/issues/1540

Diff Detail

Event Timeline

dvyukov created this revision.Jun 15 2022, 4:20 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 15 2022, 4:20 AM
Herald added a subscriber: Enna1. · View Herald Transcript
dvyukov requested review of this revision.Jun 15 2022, 4:20 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 15 2022, 4:20 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B169949: Diff 437108.Jun 15 2022, 4:43 AM
melver accepted this revision.Jun 15 2022, 5:50 AM
melver added inline comments.
compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp
179

typo -> synchronously

compiler-rt/lib/tsan/rtl/tsan_rtl.h
633

synchronously

This revision is now accepted and ready to land.Jun 15 2022, 5:50 AM
dvyukov updated this revision to Diff 437197.Jun 15 2022, 8:51 AM

fixed typos in comments

Harbormaster completed remote builds in B170013: Diff 437197.Jun 15 2022, 9:12 AM
melver accepted this revision.Sep 30 2022, 4:50 AM
dvyukov updated this revision to Diff 464221.Sep 30 2022, 4:59 AM

rebase

Harbormaster completed remote builds in B189648: Diff 464221.Sep 30 2022, 5:17 AM
This revision was landed with ongoing or failed builds.Sep 30 2022, 5:24 AM
Closed by commit rG3056ccdbae7c: tsan: fix deadlock/crash in signal handling (authored by dvyukov). · Explain Why
This revision was automatically updated to reflect the committed changes.
dvyukov added a commit: rG3056ccdbae7c: tsan: fix deadlock/crash in signal handling.

Revision Contents

PathSize
compiler-rt/
lib/
tsan/
rtl/
5 lines
67 lines
8 lines
test/
tsan/
66 lines

Diff 464225

compiler-rt/lib/tsan/rtl/tsan_interceptors.h

Show All 15 Lines public:
} }
void EnableIgnores() { void EnableIgnores() {
if (UNLIKELY(ignoring_)) if (UNLIKELY(ignoring_))
EnableIgnoresImpl(); EnableIgnoresImpl();
} }
private: private:
ThreadState *const thr_; ThreadState *const thr_;
bool in_ignored_lib_; bool in_ignored_lib_ = false;
bool ignoring_; bool in_blocking_func_ = false;
bool ignoring_ = false;
void DisableIgnoresImpl(); void DisableIgnoresImpl();
void EnableIgnoresImpl(); void EnableIgnoresImpl();
}; };
LibIgnore *libignore(); LibIgnore *libignore();
#if !SANITIZER_GO #if !SANITIZER_GO
▲ Show 20 LinesShow All 72 LinesShow Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp

Show First 20 LinesShow All 159 Lines▼ Show 20 Lines
struct SignalDesc { struct SignalDesc {
bool armed; bool armed;
__sanitizer_siginfo siginfo; __sanitizer_siginfo siginfo;
ucontext_t ctx; ucontext_t ctx;
}; };
struct ThreadSignalContext { struct ThreadSignalContext {
int int_signal_send; int int_signal_send;
atomic_uintptr_t in_blocking_func;
SignalDesc pending_signals[kSigCount]; SignalDesc pending_signals[kSigCount];
// emptyset and oldset are too big for stack. // emptyset and oldset are too big for stack.
__sanitizer_sigset_t emptyset; __sanitizer_sigset_t emptyset;
__sanitizer_sigset_t oldset; __sanitizer_sigset_t oldset;
}; };
void EnterBlockingFunc(ThreadState *thr) {
for (;;) {
// The order is important to not delay a signal infinitely if it's
// delivered right before we set in_blocking_func. Note: we can't call
// ProcessPendingSignals when in_blocking_func is set, or we can handle
// a signal synchronously when we are already handling a signal.
melverUnsubmitted
Not Done
ReplyInline Actions

typo -> synchronously

melver: typo -> synchronously
atomic_store(&thr->in_blocking_func, 1, memory_order_relaxed);
if (atomic_load(&thr->pending_signals, memory_order_relaxed) == 0)
break;
atomic_store(&thr->in_blocking_func, 0, memory_order_relaxed);
ProcessPendingSignals(thr);
}
}
// The sole reason tsan wraps atexit callbacks is to establish synchronization // The sole reason tsan wraps atexit callbacks is to establish synchronization
// between callback setup and callback execution. // between callback setup and callback execution.
struct AtExitCtx { struct AtExitCtx {
void (*f)(); void (*f)();
void *arg; void *arg;
uptr pc; uptr pc;
}; };
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Lines if (ctx == 0 && !thr->is_dead) {
MemoryResetRange(thr, (uptr)&SigCtx, (uptr)ctx, sizeof(*ctx)); MemoryResetRange(thr, (uptr)&SigCtx, (uptr)ctx, sizeof(*ctx));
thr->signal_ctx = ctx; thr->signal_ctx = ctx;
} }
return ctx; return ctx;
} }
ScopedInterceptor::ScopedInterceptor(ThreadState *thr, const char *fname, ScopedInterceptor::ScopedInterceptor(ThreadState *thr, const char *fname,
uptr pc) uptr pc)
: thr_(thr), in_ignored_lib_(false), ignoring_(false) { : thr_(thr) {
LazyInitialize(thr); LazyInitialize(thr);
if (UNLIKELY(atomic_load(&thr->in_blocking_func, memory_order_relaxed))) {
// pthread_join is marked as blocking, but it's also known to call other
// intercepted functions (mmap, free). If we don't reset in_blocking_func
// we can get deadlocks and memory corruptions if we deliver a synchronous
// signal inside of an mmap/free interceptor.
// So reset it and restore it back in the destructor.
// See https://github.com/google/sanitizers/issues/1540
atomic_store(&thr->in_blocking_func, 0, memory_order_relaxed);
in_blocking_func_ = true;
}
if (!thr_->is_inited) return; if (!thr_->is_inited) return;
if (!thr_->ignore_interceptors) FuncEntry(thr, pc); if (!thr_->ignore_interceptors) FuncEntry(thr, pc);
DPrintf("#%d: intercept %s()\n", thr_->tid, fname); DPrintf("#%d: intercept %s()\n", thr_->tid, fname);
ignoring_ = ignoring_ =
!thr_->in_ignored_lib && (flags()->ignore_interceptors_accesses || !thr_->in_ignored_lib && (flags()->ignore_interceptors_accesses ||
libignore()->IsIgnored(pc, &in_ignored_lib_)); libignore()->IsIgnored(pc, &in_ignored_lib_));
EnableIgnores(); EnableIgnores();
} }
ScopedInterceptor::~ScopedInterceptor() { ScopedInterceptor::~ScopedInterceptor() {
if (!thr_->is_inited) return; if (!thr_->is_inited) return;
DisableIgnores(); DisableIgnores();
if (UNLIKELY(in_blocking_func_))
EnterBlockingFunc(thr_);
if (!thr_->ignore_interceptors) { if (!thr_->ignore_interceptors) {
ProcessPendingSignals(thr_); ProcessPendingSignals(thr_);
FuncExit(thr_); FuncExit(thr_);
CheckedMutex::CheckNoLocks(); CheckedMutex::CheckNoLocks();
} }
} }
NOINLINE NOINLINE
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines
#define READ_STRING(thr, pc, s, n) \ #define READ_STRING(thr, pc, s, n) \
READ_STRING_OF_LEN((thr), (pc), (s), internal_strlen(s), (n)) READ_STRING_OF_LEN((thr), (pc), (s), internal_strlen(s), (n))
#define BLOCK_REAL(name) (BlockingCall(thr), REAL(name)) #define BLOCK_REAL(name) (BlockingCall(thr), REAL(name))
struct BlockingCall { struct BlockingCall {
explicit BlockingCall(ThreadState *thr) explicit BlockingCall(ThreadState *thr)
: thr(thr) : thr(thr) {
, ctx(SigCtx(thr)) { EnterBlockingFunc(thr);
for (;;) {
atomic_store(&ctx->in_blocking_func, 1, memory_order_relaxed);
if (atomic_load(&thr->pending_signals, memory_order_relaxed) == 0)
break;
atomic_store(&ctx->in_blocking_func, 0, memory_order_relaxed);
ProcessPendingSignals(thr);
}
// When we are in a "blocking call", we process signals asynchronously // When we are in a "blocking call", we process signals asynchronously
// (right when they arrive). In this context we do not expect to be // (right when they arrive). In this context we do not expect to be
// executing any user/runtime code. The known interceptor sequence when // executing any user/runtime code. The known interceptor sequence when
// this is not true is: pthread_join -> munmap(stack). It's fine // this is not true is: pthread_join -> munmap(stack). It's fine
// to ignore munmap in this case -- we handle stack shadow separately. // to ignore munmap in this case -- we handle stack shadow separately.
thr->ignore_interceptors++; thr->ignore_interceptors++;
} }
~BlockingCall() { ~BlockingCall() {
thr->ignore_interceptors--; thr->ignore_interceptors--;
atomic_store(&ctx->in_blocking_func, 0, memory_order_relaxed); atomic_store(&thr->in_blocking_func, 0, memory_order_relaxed);
} }
ThreadState *thr; ThreadState *thr;
ThreadSignalContext *ctx;
}; };
TSAN_INTERCEPTOR(unsigned, sleep, unsigned sec) { TSAN_INTERCEPTOR(unsigned, sleep, unsigned sec) {
SCOPED_TSAN_INTERCEPTOR(sleep, sec); SCOPED_TSAN_INTERCEPTOR(sleep, sec);
unsigned res = BLOCK_REAL(sleep)(sec); unsigned res = BLOCK_REAL(sleep)(sec);
AfterSleep(thr, pc); AfterSleep(thr, pc);
return res; return res;
} }
▲ Show 20 LinesShow All 156 Lines▼ Show 20 Linesstatic void SetJmp(ThreadState *thr, uptr sp) {
// Cleanup old bufs. // Cleanup old bufs.
JmpBufGarbageCollect(thr, sp); JmpBufGarbageCollect(thr, sp);
// Remember the buf. // Remember the buf.
JmpBuf *buf = thr->jmp_bufs.PushBack(); JmpBuf *buf = thr->jmp_bufs.PushBack();
buf->sp = sp; buf->sp = sp;
buf->shadow_stack_pos = thr->shadow_stack_pos; buf->shadow_stack_pos = thr->shadow_stack_pos;
ThreadSignalContext *sctx = SigCtx(thr); ThreadSignalContext *sctx = SigCtx(thr);
buf->int_signal_send = sctx ? sctx->int_signal_send : 0; buf->int_signal_send = sctx ? sctx->int_signal_send : 0;
buf->in_blocking_func = sctx ? buf->in_blocking_func = atomic_load(&thr->in_blocking_func, memory_order_relaxed);
atomic_load(&sctx->in_blocking_func, memory_order_relaxed) :
false;
buf->in_signal_handler = atomic_load(&thr->in_signal_handler, buf->in_signal_handler = atomic_load(&thr->in_signal_handler,
memory_order_relaxed); memory_order_relaxed);
} }
static void LongJmp(ThreadState *thr, uptr *env) { static void LongJmp(ThreadState *thr, uptr *env) {
uptr sp = ExtractLongJmpSp(env); uptr sp = ExtractLongJmpSp(env);
// Find the saved buf with matching sp. // Find the saved buf with matching sp.
for (uptr i = 0; i < thr->jmp_bufs.Size(); i++) { for (uptr i = 0; i < thr->jmp_bufs.Size(); i++) {
JmpBuf *buf = &thr->jmp_bufs[i]; JmpBuf *buf = &thr->jmp_bufs[i];
if (buf->sp == sp) { if (buf->sp == sp) {
CHECK_GE(thr->shadow_stack_pos, buf->shadow_stack_pos); CHECK_GE(thr->shadow_stack_pos, buf->shadow_stack_pos);
// Unwind the stack. // Unwind the stack.
while (thr->shadow_stack_pos > buf->shadow_stack_pos) while (thr->shadow_stack_pos > buf->shadow_stack_pos)
FuncExit(thr); FuncExit(thr);
ThreadSignalContext *sctx = SigCtx(thr); ThreadSignalContext *sctx = SigCtx(thr);
if (sctx) { if (sctx)
sctx->int_signal_send = buf->int_signal_send; sctx->int_signal_send = buf->int_signal_send;
atomic_store(&sctx->in_blocking_func, buf->in_blocking_func, atomic_store(&thr->in_blocking_func, buf->in_blocking_func,
memory_order_relaxed); memory_order_relaxed);
}
atomic_store(&thr->in_signal_handler, buf->in_signal_handler, atomic_store(&thr->in_signal_handler, buf->in_signal_handler,
memory_order_relaxed); memory_order_relaxed);
JmpBufGarbageCollect(thr, buf->sp - 1); // do not collect buf->sp JmpBufGarbageCollect(thr, buf->sp - 1); // do not collect buf->sp
return; return;
} }
} }
Printf("ThreadSanitizer: can't find longjmp buf\n"); Printf("ThreadSanitizer: can't find longjmp buf\n");
CHECK(0); CHECK(0);
▲ Show 20 LinesShow All 642 Lines▼ Show 20 Lines
template <class Fn> template <class Fn>
void CondMutexUnlockCtx<Fn>::Unlock() const { void CondMutexUnlockCtx<Fn>::Unlock() const {
// pthread_cond_wait interceptor has enabled async signal delivery // pthread_cond_wait interceptor has enabled async signal delivery
// (see BlockingCall below). Disable async signals since we are running // (see BlockingCall below). Disable async signals since we are running
// tsan code. Also ScopedInterceptor and BlockingCall destructors won't run // tsan code. Also ScopedInterceptor and BlockingCall destructors won't run
// since the thread is cancelled, so we have to manually execute them // since the thread is cancelled, so we have to manually execute them
// (the thread still can run some user code due to pthread_cleanup_push). // (the thread still can run some user code due to pthread_cleanup_push).
ThreadSignalContext *ctx = SigCtx(thr); CHECK_EQ(atomic_load(&thr->in_blocking_func, memory_order_relaxed), 1);
CHECK_EQ(atomic_load(&ctx->in_blocking_func, memory_order_relaxed), 1); atomic_store(&thr->in_blocking_func, 0, memory_order_relaxed);
atomic_store(&ctx->in_blocking_func, 0, memory_order_relaxed);
MutexPostLock(thr, pc, (uptr)m, MutexFlagDoPreLockOnPostLock); MutexPostLock(thr, pc, (uptr)m, MutexFlagDoPreLockOnPostLock);
// Undo BlockingCall ctor effects. // Undo BlockingCall ctor effects.
thr->ignore_interceptors--; thr->ignore_interceptors--;
si->~ScopedInterceptor(); si->~ScopedInterceptor();
} }
} // namespace } // namespace
INTERCEPTOR(int, pthread_cond_init, void *c, void *a) { INTERCEPTOR(int, pthread_cond_init, void *c, void *a) {
▲ Show 20 LinesShow All 872 Lines▼ Show 20 Lines if (sig < 0 || sig >= kSigCount) {
return; return;
} }
// Don't mess with synchronous signals. // Don't mess with synchronous signals.
const bool sync = is_sync_signal(sctx, sig); const bool sync = is_sync_signal(sctx, sig);
if (sync || if (sync ||
// If we are in blocking function, we can safely process it now // If we are in blocking function, we can safely process it now
// (but check if we are in a recursive interceptor, // (but check if we are in a recursive interceptor,
// i.e. pthread_join()->munmap()). // i.e. pthread_join()->munmap()).
(sctx && atomic_load(&sctx->in_blocking_func, memory_order_relaxed))) { atomic_load(&thr->in_blocking_func, memory_order_relaxed)) {
atomic_fetch_add(&thr->in_signal_handler, 1, memory_order_relaxed); atomic_fetch_add(&thr->in_signal_handler, 1, memory_order_relaxed);
if (sctx && atomic_load(&sctx->in_blocking_func, memory_order_relaxed)) { if (atomic_load(&thr->in_blocking_func, memory_order_relaxed)) {
atomic_store(&sctx->in_blocking_func, 0, memory_order_relaxed); atomic_store(&thr->in_blocking_func, 0, memory_order_relaxed);
CallUserSignalHandler(thr, sync, true, sig, info, ctx); CallUserSignalHandler(thr, sync, true, sig, info, ctx);
atomic_store(&sctx->in_blocking_func, 1, memory_order_relaxed); atomic_store(&thr->in_blocking_func, 1, memory_order_relaxed);
} else { } else {
// Be very conservative with when we do acquire in this case. // Be very conservative with when we do acquire in this case.
// It's unsafe to do acquire in async handlers, because ThreadState // It's unsafe to do acquire in async handlers, because ThreadState
// can be in inconsistent state. // can be in inconsistent state.
// SIGSYS looks relatively safe -- it's synchronous and can actually // SIGSYS looks relatively safe -- it's synchronous and can actually
// need some global state. // need some global state.
bool acq = (sig == SIGSYS); bool acq = (sig == SIGSYS);
CallUserSignalHandler(thr, sync, acq, sig, info, ctx); CallUserSignalHandler(thr, sync, acq, sig, info, ctx);
▲ Show 20 LinesShow All 978 LinesShow Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_rtl.h

Show First 20 LinesShow All 185 Lines▼ Show 20 Lines#if !SANITIZER_GO
IgnoreSet mop_ignore_set; IgnoreSet mop_ignore_set;
IgnoreSet sync_ignore_set; IgnoreSet sync_ignore_set;
#endif #endif
uptr *shadow_stack; uptr *shadow_stack;
uptr *shadow_stack_end; uptr *shadow_stack_end;
#if !SANITIZER_GO #if !SANITIZER_GO
Vector<JmpBuf> jmp_bufs; Vector<JmpBuf> jmp_bufs;
int in_symbolizer; int in_symbolizer;
atomic_uintptr_t in_blocking_func;
bool in_ignored_lib; bool in_ignored_lib;
bool is_inited; bool is_inited;
#endif #endif
MutexSet mset; MutexSet mset;
bool is_dead; bool is_dead;
const Tid tid; const Tid tid;
uptr stk_addr; uptr stk_addr;
uptr stk_size; uptr stk_size;
▲ Show 20 LinesShow All 420 Lines▼ Show 20 Linesenum FiberSwitchFlags {
FiberSwitchFlagNoSync = 1 << 0, // __tsan_switch_to_fiber_no_sync FiberSwitchFlagNoSync = 1 << 0, // __tsan_switch_to_fiber_no_sync
}; };
class SlotLocker { class SlotLocker {
public: public:
ALWAYS_INLINE ALWAYS_INLINE
SlotLocker(ThreadState *thr, bool recursive = false) SlotLocker(ThreadState *thr, bool recursive = false)
: thr_(thr), locked_(recursive ? thr->slot_locked : false) { : thr_(thr), locked_(recursive ? thr->slot_locked : false) {
#if !SANITIZER_GO
// We are in trouble if we are here with in_blocking_func set.
// If in_blocking_func is set, all signals will be delivered synchronously,
melverUnsubmitted
Not Done
ReplyInline Actions

synchronously

melver: synchronously
// which means we can't lock slots since the signal handler will try
// to lock it recursively and deadlock.
DCHECK(!atomic_load(&thr->in_blocking_func, memory_order_relaxed));
#endif
if (!locked_) if (!locked_)
SlotLock(thr_); SlotLock(thr_);
} }
ALWAYS_INLINE ALWAYS_INLINE
~SlotLocker() { ~SlotLocker() {
if (!locked_) if (!locked_)
SlotUnlock(thr_); SlotUnlock(thr_);
▲ Show 20 LinesShow All 165 LinesShow Last 20 Lines

compiler-rt/test/tsan/signal_thread2.cpp

  • This file was added.
// RUN: %clangxx_tsan %s -o %t && %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: darwin
// Test case for https://github.com/google/sanitizers/issues/1540
#include <errno.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
volatile int X;
static void handler(int sig) {
(void)sig;
if (X != 0)
printf("bad");
}
static void *thr1(void *p) {
sleep(1);
return 0;
}
static void *thr(void *p) {
pthread_t th[10];
for (int i = 0; i < sizeof(th) / sizeof(th[0]); i++)
pthread_create(&th[i], 0, thr1, 0);
for (int i = 0; i < sizeof(th) / sizeof(th[0]); i++)
pthread_join(th[i], 0);
return 0;
}
int main() {
struct sigaction act = {};
act.sa_handler = &handler;
if (sigaction(SIGPROF, &act, 0)) {
perror("sigaction");
exit(1);
}
itimerval t;
t.it_value.tv_sec = 0;
t.it_value.tv_usec = 10;
t.it_interval = t.it_value;
if (setitimer(ITIMER_PROF, &t, 0)) {
perror("setitimer");
exit(1);
}
pthread_t th[100];
for (int i = 0; i < sizeof(th) / sizeof(th[0]); i++)
pthread_create(&th[i], 0, thr, 0);
for (int i = 0; i < sizeof(th) / sizeof(th[0]); i++)
pthread_join(th[i], 0);
fprintf(stderr, "DONE\n");
return 0;
}
// CHECK-NOT: WARNING: ThreadSanitizer:
// CHECK: DONE
// CHECK-NOT: WARNING: ThreadSanitizer: