This is an archive of the discontinued LLVM Phabricator instance.

Differential D130237

[LeakSanitizer] Capture calling thread SP early to avoid false negatives.
ClosedPublic

Authored by wiktorg on Jul 21 2022, 2:55 AM.

Details

Reviewers
kcc
vitalybuka
Commits
rG39db491957dc: [LeakSanitizer] Capture calling thread SP early to avoid false negatives.
Summary

As shown in https://github.com/llvm/llvm-project/issues/42932 dead pointers might be overlapped by a new stack frame inside CheckForLeaks, which does not use bytes with pointers.
This leads to false negatives.

It's not a full solution for the problem as it does not solve "overlapping" new/old frames for frames below the CheckForLeaks and in other threads.
It should improve leaks found in direct callers of __lsan_do_leak_check.

Diff Detail

Event Timeline

wiktorg created this revision.Jul 21 2022, 2:55 AM
wiktorg created this object with visibility "All Users".
Herald added a project: Restricted Project. · View Herald TranscriptJul 21 2022, 2:55 AM
Herald added a subscriber: Enna1. · View Herald Transcript
wiktorg requested review of this revision.Jul 21 2022, 2:55 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 21 2022, 2:55 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B176696: Diff 446399.Jul 21 2022, 3:15 AM
wiktorg changed the visibility from "All Users" to "Public (No Login Required)".Jul 21 2022, 5:04 AM
vitalybuka added a comment.Jul 21 2022, 11:20 AM

LGTM
Would you be able to create a test from reproducer?

compiler-rt/lib/lsan/lsan_common.cpp
744

why do we need noinline? I guess to avoid "i" to move too far
With __builtin_frame_address it should not be needed.

799

__builtin_frame_address

wiktorg updated this revision to Diff 455288.Aug 24 2022, 10:57 AM
wiktorg marked 2 inline comments as done.
Harbormaster completed remote builds in B183160: Diff 455288.Aug 24 2022, 11:20 AM
vitalybuka accepted this revision.Oct 12 2022, 4:46 PM
This revision is now accepted and ready to land.Oct 12 2022, 4:46 PM
Closed by commit rG39db491957dc: [LeakSanitizer] Capture calling thread SP early to avoid false negatives. (authored by wiktorg, committed by vitalybuka). · Explain WhyOct 12 2022, 4:46 PM
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rG39db491957dc: [LeakSanitizer] Capture calling thread SP early to avoid false negatives..
haowei added a subscriber: haowei.Oct 12 2022, 5:19 PM

We are seeing build failures after this change landed:

[1184/1522] Building CXX object compiler-rt/lib/lsan/CMakeFiles/RTLSanCommon.x86_64.dir/lsan_common.cpp.obj
FAILED: compiler-rt/lib/lsan/CMakeFiles/RTLSanCommon.x86_64.dir/lsan_common.cpp.obj 
/b/s/w/ir/cache/goma/client/gomacc /b/s/w/ir/x/w/staging/llvm_build/./bin/clang++ --target=x86_64-unknown-fuchsia --sysroot=/b/s/w/ir/x/w/cipd/sdk/arch/x64/sysroot -D_DEBUG -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -I/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/lib/lsan/.. --target=x86_64-unknown-fuchsia -I/b/s/w/ir/x/w/cipd/sdk/pkg/sync/include -I/b/s/w/ir/x/w/cipd/sdk/pkg/fdio/include -fPIC -fno-semantic-interposition -fvisibility-inlines-hidden -Werror=date-time -Werror=unguarded-availability-new -Wall -Wextra -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wmissing-field-initializers -Wimplicit-fallthrough -Wcovered-switch-default -Wno-noexcept-type -Wnon-virtual-dtor -Wdelete-non-virtual-dtor -Wsuggest-override -Wno-comment -Wstring-conversion -Wmisleading-indentation -Wctad-maybe-unsupported -ffunction-sections -fdata-sections -ffile-prefix-map=/b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-fuchsia-bins=../staging/llvm_build/runtimes/runtimes-x86_64-unknown-fuchsia-bins -ffile-prefix-map=/b/s/w/ir/x/w/llvm-llvm-project/= -no-canonical-prefixes -Wall -Wno-unused-parameter -O2 -g -DNDEBUG -fPIC -fno-builtin -fno-exceptions -fomit-frame-pointer -funwind-tables -fno-stack-protector -fno-sanitize=safe-stack -fvisibility=hidden -fno-lto -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta -O3 -gline-tables-only -Wno-gnu -Wno-variadic-macros -Wno-c99-extensions -nostdinc++ -fno-rtti -Wno-format -std=c++17 -MD -MT compiler-rt/lib/lsan/CMakeFiles/RTLSanCommon.x86_64.dir/lsan_common.cpp.obj -MF compiler-rt/lib/lsan/CMakeFiles/RTLSanCommon.x86_64.dir/lsan_common.cpp.obj.d -o compiler-rt/lib/lsan/CMakeFiles/RTLSanCommon.x86_64.dir/lsan_common.cpp.obj -c /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/lib/lsan/lsan_common.cpp
/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/lib/lsan/lsan_common.cpp:615:3: error: no matching function for call to 'ProcessThreads'
  ProcessThreads(suspended_threads, frontier, caller_tid, caller_sp);
  ^~~~~~~~~~~~~~
/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/lib/lsan/lsan_common.cpp:361:13: note: candidate function not viable: requires 2 arguments, but 4 were provided
static void ProcessThreads(SuspendedThreadsList const &, Frontier *) {}
            ^
1 error generated.

Looks like you forgot to change the declaration at L361. Could you revert your change if it takes a while to fix please?

wiktorg mentioned this in D135860: Fix lsan build for Fuchsia.Oct 13 2022, 1:51 AM
vitalybuka mentioned this in D135716: [compiler-rt] Add opt-in -ftrivial-auto-var-init flag for writing over uninitialized stack variiables.Oct 18 2022, 1:02 PM

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
2 lines
20 lines

Diff 467303

compiler-rt/lib/lsan/lsan_common.h

Show First 20 LinesShow All 139 Lines▼ Show 20 Lines
// LockStuffAndStopTheWorld can start to use Scan* calls to collect into // LockStuffAndStopTheWorld can start to use Scan* calls to collect into
// this Frontier vector before the StopTheWorldCallback actually runs. // this Frontier vector before the StopTheWorldCallback actually runs.
// This is used when the OS has a unified callback API for suspending // This is used when the OS has a unified callback API for suspending
// threads and enumerating roots. // threads and enumerating roots.
struct CheckForLeaksParam { struct CheckForLeaksParam {
Frontier frontier; Frontier frontier;
LeakedChunks leaks; LeakedChunks leaks;
tid_t caller_tid;
uptr caller_sp;
bool success = false; bool success = false;
}; };
InternalMmapVectorNoCtor<RootRegion> const *GetRootRegions(); InternalMmapVectorNoCtor<RootRegion> const *GetRootRegions();
void ScanRootRegion(Frontier *frontier, RootRegion const &region, void ScanRootRegion(Frontier *frontier, RootRegion const &region,
uptr region_begin, uptr region_end, bool is_readable); uptr region_begin, uptr region_end, bool is_readable);
void ForEachExtraStackRangeCb(uptr begin, uptr end, void* arg); void ForEachExtraStackRangeCb(uptr begin, uptr end, void* arg);
void GetAdditionalThreadContextPtrs(ThreadContextBase *tctx, void *ptrs); void GetAdditionalThreadContextPtrs(ThreadContextBase *tctx, void *ptrs);
▲ Show 20 LinesShow All 161 LinesShow Last 20 Lines

compiler-rt/lib/lsan/lsan_common.cpp

Show First 20 LinesShow All 385 Lines▼ Show 20 Lines for (uptr i = 0; i < ptrs.size(); ++i) {
LOG_POINTERS("Treating pointer %p from ThreadContext as reachable\n", ptr); LOG_POINTERS("Treating pointer %p from ThreadContext as reachable\n", ptr);
m.set_tag(kReachable); m.set_tag(kReachable);
frontier->push_back(chunk); frontier->push_back(chunk);
} }
} }
// Scans thread data (stacks and TLS) for heap pointers. // Scans thread data (stacks and TLS) for heap pointers.
static void ProcessThreads(SuspendedThreadsList const &suspended_threads, static void ProcessThreads(SuspendedThreadsList const &suspended_threads,
Frontier *frontier) { Frontier *frontier, tid_t caller_tid,
uptr caller_sp) {
InternalMmapVector<uptr> registers; InternalMmapVector<uptr> registers;
for (uptr i = 0; i < suspended_threads.ThreadCount(); i++) { for (uptr i = 0; i < suspended_threads.ThreadCount(); i++) {
tid_t os_id = static_cast<tid_t>(suspended_threads.GetThreadID(i)); tid_t os_id = static_cast<tid_t>(suspended_threads.GetThreadID(i));
LOG_THREADS("Processing thread %llu.\n", os_id); LOG_THREADS("Processing thread %llu.\n", os_id);
uptr stack_begin, stack_end, tls_begin, tls_end, cache_begin, cache_end; uptr stack_begin, stack_end, tls_begin, tls_end, cache_begin, cache_end;
DTLS *dtls; DTLS *dtls;
bool thread_found = bool thread_found =
GetThreadRangesLocked(os_id, &stack_begin, &stack_end, &tls_begin, GetThreadRangesLocked(os_id, &stack_begin, &stack_end, &tls_begin,
Show All 10 Lines for (uptr i = 0; i < suspended_threads.ThreadCount(); i++) {
if (have_registers != REGISTERS_AVAILABLE) { if (have_registers != REGISTERS_AVAILABLE) {
Report("Unable to get registers from thread %llu.\n", os_id); Report("Unable to get registers from thread %llu.\n", os_id);
// If unable to get SP, consider the entire stack to be reachable unless // If unable to get SP, consider the entire stack to be reachable unless
// GetRegistersAndSP failed with ESRCH. // GetRegistersAndSP failed with ESRCH.
if (have_registers == REGISTERS_UNAVAILABLE_FATAL) if (have_registers == REGISTERS_UNAVAILABLE_FATAL)
continue; continue;
sp = stack_begin; sp = stack_begin;
} }
if (suspended_threads.GetThreadID(i) == caller_tid) {
sp = caller_sp;
}
if (flags()->use_registers && have_registers) { if (flags()->use_registers && have_registers) {
uptr registers_begin = reinterpret_cast<uptr>(registers.data()); uptr registers_begin = reinterpret_cast<uptr>(registers.data());
uptr registers_end = uptr registers_end =
reinterpret_cast<uptr>(registers.data() + registers.size()); reinterpret_cast<uptr>(registers.data() + registers.size());
ScanRangeForPointers(registers_begin, registers_end, frontier, ScanRangeForPointers(registers_begin, registers_end, frontier,
"REGISTERS", kReachable); "REGISTERS", kReachable);
} }
▲ Show 20 LinesShow All 164 Lines▼ Show 20 Lines if (m.allocated() && m.tag() == kIgnored) {
LOG_POINTERS("Ignored: chunk %p-%p of size %zu.\n", (void *)chunk, LOG_POINTERS("Ignored: chunk %p-%p of size %zu.\n", (void *)chunk,
(void *)(chunk + m.requested_size()), m.requested_size()); (void *)(chunk + m.requested_size()), m.requested_size());
reinterpret_cast<Frontier *>(arg)->push_back(chunk); reinterpret_cast<Frontier *>(arg)->push_back(chunk);
} }
} }
// Sets the appropriate tag on each chunk. // Sets the appropriate tag on each chunk.
static void ClassifyAllChunks(SuspendedThreadsList const &suspended_threads, static void ClassifyAllChunks(SuspendedThreadsList const &suspended_threads,
Frontier *frontier) { Frontier *frontier, tid_t caller_tid,
uptr caller_sp) {
const InternalMmapVector<u32> &suppressed_stacks = const InternalMmapVector<u32> &suppressed_stacks =
GetSuppressionContext()->GetSortedSuppressedStacks(); GetSuppressionContext()->GetSortedSuppressedStacks();
if (!suppressed_stacks.empty()) { if (!suppressed_stacks.empty()) {
ForEachChunk(IgnoredSuppressedCb, ForEachChunk(IgnoredSuppressedCb,
const_cast<InternalMmapVector<u32> *>(&suppressed_stacks)); const_cast<InternalMmapVector<u32> *>(&suppressed_stacks));
} }
ForEachChunk(CollectIgnoredCb, frontier); ForEachChunk(CollectIgnoredCb, frontier);
ProcessGlobalRegions(frontier); ProcessGlobalRegions(frontier);
ProcessThreads(suspended_threads, frontier); ProcessThreads(suspended_threads, frontier, caller_tid, caller_sp);
ProcessRootRegions(frontier); ProcessRootRegions(frontier);
FloodFillTag(frontier, kReachable); FloodFillTag(frontier, kReachable);
// The check here is relatively expensive, so we do this in a separate flood // The check here is relatively expensive, so we do this in a separate flood
// fill. That way we can skip the check for chunks that are reachable // fill. That way we can skip the check for chunks that are reachable
// otherwise. // otherwise.
LOG_POINTERS("Processing platform-specific allocations.\n"); LOG_POINTERS("Processing platform-specific allocations.\n");
ProcessPlatformSpecificAllocations(frontier); ProcessPlatformSpecificAllocations(frontier);
▲ Show 20 LinesShow All 79 Lines▼ Show 20 Lines
# endif // !SANITIZER_FUCHSIA # endif // !SANITIZER_FUCHSIA
static void CheckForLeaksCallback(const SuspendedThreadsList &suspended_threads, static void CheckForLeaksCallback(const SuspendedThreadsList &suspended_threads,
void *arg) { void *arg) {
CheckForLeaksParam *param = reinterpret_cast<CheckForLeaksParam *>(arg); CheckForLeaksParam *param = reinterpret_cast<CheckForLeaksParam *>(arg);
CHECK(param); CHECK(param);
CHECK(!param->success); CHECK(!param->success);
ReportUnsuspendedThreads(suspended_threads); ReportUnsuspendedThreads(suspended_threads);
ClassifyAllChunks(suspended_threads, &param->frontier); ClassifyAllChunks(suspended_threads, &param->frontier, param->caller_tid,
param->caller_sp);
ForEachChunk(CollectLeaksCb, &param->leaks); ForEachChunk(CollectLeaksCb, &param->leaks);
// Clean up for subsequent leak checks. This assumes we did not overwrite any // Clean up for subsequent leak checks. This assumes we did not overwrite any
// kIgnored tags. // kIgnored tags.
ForEachChunk(ResetTagsCb, nullptr); ForEachChunk(ResetTagsCb, nullptr);
param->success = true; param->success = true;
} }
static bool PrintResults(LeakReport &report) { static bool PrintResults(LeakReport &report) {
Show All 15 Lines if (unsuppressed_count > 0) {
report.PrintSummary(); report.PrintSummary();
return true; return true;
} }
return false; return false;
} }
static bool CheckForLeaks() { static bool CheckForLeaks() {
if (&__lsan_is_turned_off && __lsan_is_turned_off()) if (&__lsan_is_turned_off && __lsan_is_turned_off())
return false; return false;
vitalybukaUnsubmitted
Done
ReplyInline Actions

why do we need noinline? I guess to avoid "i" to move too far
With __builtin_frame_address it should not be needed.

vitalybuka: why do we need noinline? I guess to avoid "i" to move too far With __builtin_frame_address it…
// Inside LockStuffAndStopTheWorld we can't run symbolizer, so we can't match // Inside LockStuffAndStopTheWorld we can't run symbolizer, so we can't match
// suppressions. However if a stack id was previously suppressed, it should be // suppressions. However if a stack id was previously suppressed, it should be
// suppressed in future checks as well. // suppressed in future checks as well.
for (int i = 0;; ++i) { for (int i = 0;; ++i) {
EnsureMainThreadIDIsCorrect(); EnsureMainThreadIDIsCorrect();
CheckForLeaksParam param; CheckForLeaksParam param;
// Capture calling thread's stack pointer early, to avoid false negatives.
// Old frame with dead pointers might be overlapped by new frame inside
// CheckForLeaks which does not use bytes with pointers before the
// threads are suspended and stack pointers captured.
param.caller_tid = GetTid();
param.caller_sp = reinterpret_cast<uptr>(__builtin_frame_address(0));
LockStuffAndStopTheWorld(CheckForLeaksCallback, &param); LockStuffAndStopTheWorld(CheckForLeaksCallback, &param);
if (!param.success) { if (!param.success) {
Report("LeakSanitizer has encountered a fatal error.\n"); Report("LeakSanitizer has encountered a fatal error.\n");
Report( Report(
"HINT: For debugging, try setting environment variable " "HINT: For debugging, try setting environment variable "
"LSAN_OPTIONS=verbosity=1:log_threads=1\n"); "LSAN_OPTIONS=verbosity=1:log_threads=1\n");
Report( Report(
"HINT: LeakSanitizer does not work under ptrace (strace, gdb, " "HINT: LeakSanitizer does not work under ptrace (strace, gdb, "
Show All 26 Lines
static bool has_reported_leaks = false; static bool has_reported_leaks = false;
bool HasReportedLeaks() { return has_reported_leaks; } bool HasReportedLeaks() { return has_reported_leaks; }
void DoLeakCheck() { void DoLeakCheck() {
Lock l(&global_mutex); Lock l(&global_mutex);
static bool already_done; static bool already_done;
if (already_done) if (already_done)
return; return;
already_done = true; already_done = true;
vitalybukaUnsubmitted
Done
ReplyInline Actions

__builtin_frame_address

vitalybuka: __builtin_frame_address
has_reported_leaks = CheckForLeaks(); has_reported_leaks = CheckForLeaks();
if (has_reported_leaks) if (has_reported_leaks)
HandleLeaks(); HandleLeaks();
} }
static int DoRecoverableLeakCheck() { static int DoRecoverableLeakCheck() {
Lock l(&global_mutex); Lock l(&global_mutex);
bool have_leaks = CheckForLeaks(); bool have_leaks = CheckForLeaks();
▲ Show 20 LinesShow All 274 LinesShow Last 20 Lines