This is an archive of the discontinued LLVM Phabricator instance.

Differential D130269

tsan: prevent pathological slowdown for spurious races
ClosedPublic

Authored by dvyukov on Jul 21 2022, 6:51 AM.

Details

Reviewers
melver
Commits
rG7ec308715c6e: tsan: prevent pathological slowdown for spurious races
Summary

Prevent the following pathological behavior:
Since memory access handling is not synchronized with DoReset,
a thread running concurrently with DoReset can leave a bogus shadow value
that will be later falsely detected as a race. For such false races
RestoreStack will return false and we will not report it.
However, consider that a thread leaves a whole lot of such bogus values
and these values are later read by a whole lot of threads.
This will cause massive amounts of ReportRace calls and lots of
serialization. In very pathological cases the resulting slowdown
can be >100x. This is very unlikely, but it was presumably observed
in practice: https://github.com/google/sanitizers/issues/1552
If this happens, previous access sid+epoch will be the same for all of
these false races b/c if the thread will try to increment epoch, it will
notice that DoReset has happened and will stop producing bogus shadow
values. So, last_spurious_race is used to remember the last sid+epoch
for which RestoreStack returned false. Then it is used to filter out
races with the same sid+epoch very early and quickly.
It is of course possible that multiple threads left multiple bogus shadow
values and all of them are read by lots of threads at the same time.
In such case last_spurious_race will only be able to deduplicate a few
races from one thread, then few from another and so on. An alternative
would be to hold an array of such sid+epoch, but we consider such scenario
as even less likely.
Note: this can lead to some rare false negatives as well:

  1. When a legit access with the same sid+epoch participates in a race

as the "previous" memory access, it will be wrongly filtered out.

  1. When RestoreStack returns false for a legit memory access because it

was already evicted from the thread trace, we will still remember it in
last_spurious_race. Then if there is another racing memory access from
the same thread that happened in the same epoch, but was stored in the
next thread trace part (which is still preserved in the thread trace),
we will also wrongly filter it out while RestoreStack would actually
succeed for that second memory access.

Diff Detail

Event Timeline

dvyukov created this revision.Jul 21 2022, 6:51 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 21 2022, 6:51 AM
Herald added a subscriber: Enna1. · View Herald Transcript
dvyukov requested review of this revision.Jul 21 2022, 6:51 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 21 2022, 6:51 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
dvyukov added inline comments.Jul 21 2022, 7:02 AM
compiler-rt/lib/tsan/rtl/tsan_rtl.h
338

Thinking if we should do an array just to be sure... I would assume the size of the array will be 0/1 in most cases, rarely 2.

340

I am not super happy about this fix, but I also don't see any other reasonable way to fix this.
I did not find any reasonable way to synchronize memory accesses with DoReset,
and I don't see an easy way to radically speed up RestoreStack. Plus I am now leaning towards
stabilizing the current algorithms rather than radically rework everything again.

Harbormaster completed remote builds in B176751: Diff 446475.Jul 21 2022, 7:12 AM
melver accepted this revision.Jul 25 2022, 12:53 AM
melver added inline comments.
compiler-rt/lib/tsan/rtl/tsan_rtl.h
338

Just one looks fine until there's evidence it needs more than 1.

340

Is the biggest problem not wanting to do more work on memory accesses?

Which, I assume means that on an access writing the shadow it cannot revalidate at the end (a'la transaction and retry).

This revision is now accepted and ready to land.Jul 25 2022, 12:53 AM
dvyukov added inline comments.Jul 25 2022, 1:09 AM
compiler-rt/lib/tsan/rtl/tsan_rtl.h
340

Yes.

The memory access part also needs to synchronize with another thread, so it either needs to use an atomic RMW/expensive fence, or use some kind of asymmetric synchronization. I've considered doing asymmetric synchronization, but that's still instructions on fast path and portability issues.
I've also tried to use signals to synchronize with fast paths. It was nightmare to develop and debug.

Closed by commit rG7ec308715c6e: tsan: prevent pathological slowdown for spurious races (authored by dvyukov). · Explain WhyJul 25 2022, 1:40 AM
This revision was automatically updated to reflect the committed changes.
dvyukov added a commit: rG7ec308715c6e: tsan: prevent pathological slowdown for spurious races.

Revision Contents

PathSize
compiler-rt/
lib/
tsan/
rtl/
35 lines
1 line
9 lines
13 lines
10 lines

Diff 447225

compiler-rt/lib/tsan/rtl/tsan_rtl.h

Show First 20 LinesShow All 308 Lines▼ Show 20 Lines#endif
int nreported; int nreported;
atomic_uint64_t last_symbolize_time_ns; atomic_uint64_t last_symbolize_time_ns;
void *background_thread; void *background_thread;
atomic_uint32_t stop_background_thread; atomic_uint32_t stop_background_thread;
ThreadRegistry thread_registry; ThreadRegistry thread_registry;
// This is used to prevent a very unlikely but very pathological behavior.
// Since memory access handling is not synchronized with DoReset,
// a thread running concurrently with DoReset can leave a bogus shadow value
// that will be later falsely detected as a race. For such false races
// RestoreStack will return false and we will not report it.
// However, consider that a thread leaves a whole lot of such bogus values
// and these values are later read by a whole lot of threads.
// This will cause massive amounts of ReportRace calls and lots of
// serialization. In very pathological cases the resulting slowdown
// can be >100x. This is very unlikely, but it was presumably observed
// in practice: https://github.com/google/sanitizers/issues/1552
// If this happens, previous access sid+epoch will be the same for all of
// these false races b/c if the thread will try to increment epoch, it will
// notice that DoReset has happened and will stop producing bogus shadow
// values. So, last_spurious_race is used to remember the last sid+epoch
// for which RestoreStack returned false. Then it is used to filter out
// races with the same sid+epoch very early and quickly.
// It is of course possible that multiple threads left multiple bogus shadow
// values and all of them are read by lots of threads at the same time.
// In such case last_spurious_race will only be able to deduplicate a few
// races from one thread, then few from another and so on. An alternative
// would be to hold an array of such sid+epoch, but we consider such scenario
dvyukovAuthorUnsubmitted
Done
ReplyInline Actions

Thinking if we should do an array just to be sure... I would assume the size of the array will be 0/1 in most cases, rarely 2.

dvyukov: Thinking if we should do an array just to be sure... I would assume the size of the array will…
melverUnsubmitted
Done
ReplyInline Actions

Just one looks fine until there's evidence it needs more than 1.

melver: Just one looks fine until there's evidence it needs more than 1.
// as even less likely.
// Note: this can lead to some rare false negatives as well:
dvyukovAuthorUnsubmitted
Done
ReplyInline Actions

I am not super happy about this fix, but I also don't see any other reasonable way to fix this.
I did not find any reasonable way to synchronize memory accesses with DoReset,
and I don't see an easy way to radically speed up RestoreStack. Plus I am now leaning towards
stabilizing the current algorithms rather than radically rework everything again.

dvyukov: I am not super happy about this fix, but I also don't see any other reasonable way to fix this.
melverUnsubmitted
Done
ReplyInline Actions

Is the biggest problem not wanting to do more work on memory accesses?

Which, I assume means that on an access writing the shadow it cannot revalidate at the end (a'la transaction and retry).

melver: Is the biggest problem not wanting to do more work on memory accesses? Which, I assume means…
dvyukovAuthorUnsubmitted
Done
ReplyInline Actions

Yes.

The memory access part also needs to synchronize with another thread, so it either needs to use an atomic RMW/expensive fence, or use some kind of asymmetric synchronization. I've considered doing asymmetric synchronization, but that's still instructions on fast path and portability issues.
I've also tried to use signals to synchronize with fast paths. It was nightmare to develop and debug.

dvyukov: Yes. The memory access part also needs to synchronize with another thread, so it either needs…
// 1. When a legit access with the same sid+epoch participates in a race
// as the "previous" memory access, it will be wrongly filtered out.
// 2. When RestoreStack returns false for a legit memory access because it
// was already evicted from the thread trace, we will still remember it in
// last_spurious_race. Then if there is another racing memory access from
// the same thread that happened in the same epoch, but was stored in the
// next thread trace part (which is still preserved in the thread trace),
// we will also wrongly filter it out while RestoreStack would actually
// succeed for that second memory access.
RawShadow last_spurious_race;
Mutex racy_mtx; Mutex racy_mtx;
Vector<RacyStacks> racy_stacks; Vector<RacyStacks> racy_stacks;
// Number of fired suppressions may be large enough. // Number of fired suppressions may be large enough.
Mutex fired_suppressions_mtx; Mutex fired_suppressions_mtx;
InternalMmapVector<FiredSuppression> fired_suppressions; InternalMmapVector<FiredSuppression> fired_suppressions;
DDetector *dd; DDetector *dd;
Flags flags; Flags flags;
▲ Show 20 LinesShow All 439 LinesShow Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_rtl.cpp

Show First 20 LinesShow All 198 Lines▼ Show 20 Linesstatic void DoResetImpl(uptr epoch) {
DPrintf("Resetting shadow...\n"); DPrintf("Resetting shadow...\n");
if (!MmapFixedSuperNoReserve(ShadowBeg(), ShadowEnd() - ShadowBeg(), if (!MmapFixedSuperNoReserve(ShadowBeg(), ShadowEnd() - ShadowBeg(),
"shadow")) { "shadow")) {
Printf("failed to reset shadow memory\n"); Printf("failed to reset shadow memory\n");
Die(); Die();
} }
DPrintf("Resetting meta shadow...\n"); DPrintf("Resetting meta shadow...\n");
ctx->metamap.ResetClocks(); ctx->metamap.ResetClocks();
StoreShadow(&ctx->last_spurious_race, Shadow::kEmpty);
ctx->resetting = false; ctx->resetting = false;
} }
// Clang does not understand locking all slots in the loop: // Clang does not understand locking all slots in the loop:
// error: expecting mutex 'slot.mtx' to be held at start of each loop // error: expecting mutex 'slot.mtx' to be held at start of each loop
void DoReset(ThreadState* thr, uptr epoch) SANITIZER_NO_THREAD_SAFETY_ANALYSIS { void DoReset(ThreadState* thr, uptr epoch) SANITIZER_NO_THREAD_SAFETY_ANALYSIS {
for (auto& slot : ctx->slots) { for (auto& slot : ctx->slots) {
slot.mtx.Lock(); slot.mtx.Lock();
▲ Show 20 LinesShow All 858 LinesShow Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_rtl_access.cpp

Show First 20 LinesShow All 139 Lines▼ Show 20 Linesvoid TraceTime(ThreadState* thr) {
ev.is_func = 0; ev.is_func = 0;
ev.type = EventType::kTime; ev.type = EventType::kTime;
ev.sid = static_cast<u64>(fast_state.sid()); ev.sid = static_cast<u64>(fast_state.sid());
ev.epoch = static_cast<u64>(fast_state.epoch()); ev.epoch = static_cast<u64>(fast_state.epoch());
ev._ = 0; ev._ = 0;
TraceEvent(thr, ev); TraceEvent(thr, ev);
} }
ALWAYS_INLINE RawShadow LoadShadow(RawShadow* p) {
return static_cast<RawShadow>(
atomic_load((atomic_uint32_t*)p, memory_order_relaxed));
}
ALWAYS_INLINE void StoreShadow(RawShadow* sp, RawShadow s) {
atomic_store((atomic_uint32_t*)sp, static_cast<u32>(s), memory_order_relaxed);
}
NOINLINE void DoReportRace(ThreadState* thr, RawShadow* shadow_mem, Shadow cur, NOINLINE void DoReportRace(ThreadState* thr, RawShadow* shadow_mem, Shadow cur,
Shadow old, Shadow old,
AccessType typ) SANITIZER_NO_THREAD_SAFETY_ANALYSIS { AccessType typ) SANITIZER_NO_THREAD_SAFETY_ANALYSIS {
// For the free shadow markers the first element (that contains kFreeSid) // For the free shadow markers the first element (that contains kFreeSid)
// triggers the race, but the second element contains info about the freeing // triggers the race, but the second element contains info about the freeing
// thread, take it. // thread, take it.
if (old.sid() == kFreeSid) if (old.sid() == kFreeSid)
old = Shadow(LoadShadow(&shadow_mem[1])); old = Shadow(LoadShadow(&shadow_mem[1]));
▲ Show 20 LinesShow All 589 LinesShow Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_rtl_report.cpp

Show First 20 LinesShow All 695 Lines▼ Show 20 Lines if (addr == s->pc_or_addr) {
if (s->supp) if (s->supp)
atomic_fetch_add(&s->supp->hit_count, 1, memory_order_relaxed); atomic_fetch_add(&s->supp->hit_count, 1, memory_order_relaxed);
return true; return true;
} }
} }
return false; return false;
} }
static bool SpuriousRace(Shadow old) {
Shadow last(LoadShadow(&ctx->last_spurious_race));
return last.sid() == old.sid() && last.epoch() == old.epoch();
}
void ReportRace(ThreadState *thr, RawShadow *shadow_mem, Shadow cur, Shadow old, void ReportRace(ThreadState *thr, RawShadow *shadow_mem, Shadow cur, Shadow old,
AccessType typ0) { AccessType typ0) {
CheckedMutex::CheckNoLocks(); CheckedMutex::CheckNoLocks();
// Symbolizer makes lots of intercepted calls. If we try to process them, // Symbolizer makes lots of intercepted calls. If we try to process them,
// at best it will cause deadlocks on internal mutexes. // at best it will cause deadlocks on internal mutexes.
ScopedIgnoreInterceptors ignore; ScopedIgnoreInterceptors ignore;
uptr addr = ShadowToMem(shadow_mem); uptr addr = ShadowToMem(shadow_mem);
DPrintf("#%d: ReportRace %p\n", thr->tid, (void *)addr); DPrintf("#%d: ReportRace %p\n", thr->tid, (void *)addr);
if (!ShouldReport(thr, ReportTypeRace)) if (!ShouldReport(thr, ReportTypeRace))
return; return;
uptr addr_off0, size0; uptr addr_off0, size0;
cur.GetAccess(&addr_off0, &size0, nullptr); cur.GetAccess(&addr_off0, &size0, nullptr);
uptr addr_off1, size1, typ1; uptr addr_off1, size1, typ1;
old.GetAccess(&addr_off1, &size1, &typ1); old.GetAccess(&addr_off1, &size1, &typ1);
if (!flags()->report_atomic_races && if (!flags()->report_atomic_races &&
((typ0 & kAccessAtomic) || (typ1 & kAccessAtomic)) && ((typ0 & kAccessAtomic) || (typ1 & kAccessAtomic)) &&
!(typ0 & kAccessFree) && !(typ1 & kAccessFree)) !(typ0 & kAccessFree) && !(typ1 & kAccessFree))
return; return;
if (SpuriousRace(old))
return;
const uptr kMop = 2; const uptr kMop = 2;
Shadow s[kMop] = {cur, old}; Shadow s[kMop] = {cur, old};
uptr addr0 = addr + addr_off0; uptr addr0 = addr + addr_off0;
uptr addr1 = addr + addr_off1; uptr addr1 = addr + addr_off1;
uptr end0 = addr0 + size0; uptr end0 = addr0 + size0;
uptr end1 = addr1 + size1; uptr end1 = addr1 + size1;
uptr addr_min = min(addr0, addr1); uptr addr_min = min(addr0, addr1);
Show All 23 Linesvoid ReportRace(ThreadState *thr, RawShadow *shadow_mem, Shadow cur, Shadow old,
DynamicMutexSet mset1; DynamicMutexSet mset1;
MutexSet *mset[kMop] = {&thr->mset, mset1}; MutexSet *mset[kMop] = {&thr->mset, mset1};
// We need to lock the slot during RestoreStack because it protects // We need to lock the slot during RestoreStack because it protects
// the slot journal. // the slot journal.
Lock slot_lock(&ctx->slots[static_cast<uptr>(s[1].sid())].mtx); Lock slot_lock(&ctx->slots[static_cast<uptr>(s[1].sid())].mtx);
ThreadRegistryLock l0(&ctx->thread_registry); ThreadRegistryLock l0(&ctx->thread_registry);
Lock slots_lock(&ctx->slot_mtx); Lock slots_lock(&ctx->slot_mtx);
if (SpuriousRace(old))
return;
if (!RestoreStack(EventType::kAccessExt, s[1].sid(), s[1].epoch(), addr1, if (!RestoreStack(EventType::kAccessExt, s[1].sid(), s[1].epoch(), addr1,
size1, typ1, &tids[1], &traces[1], mset[1], &tags[1])) size1, typ1, &tids[1], &traces[1], mset[1], &tags[1])) {
StoreShadow(&ctx->last_spurious_race, old.raw());
return; return;
}
if (IsFiredSuppression(ctx, rep_typ, traces[1])) if (IsFiredSuppression(ctx, rep_typ, traces[1]))
return; return;
if (HandleRacyStacks(thr, traces)) if (HandleRacyStacks(thr, traces))
return; return;
// If any of the accesses has a tag, treat this as an "external" race. // If any of the accesses has a tag, treat this as an "external" race.
▲ Show 20 LinesShow All 79 LinesShow Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_shadow.h

Show First 20 LinesShow All 172 Lines▼ Show 20 Lines
public: public:
// .rodata shadow marker, see MapRodata and ContainsSameAccessFast. // .rodata shadow marker, see MapRodata and ContainsSameAccessFast.
static constexpr RawShadow kRodata = static constexpr RawShadow kRodata =
static_cast<RawShadow>(1 << kIsReadShift); static_cast<RawShadow>(1 << kIsReadShift);
}; };
static_assert(sizeof(Shadow) == kShadowSize, "bad Shadow size"); static_assert(sizeof(Shadow) == kShadowSize, "bad Shadow size");
ALWAYS_INLINE RawShadow LoadShadow(RawShadow *p) {
return static_cast<RawShadow>(
atomic_load((atomic_uint32_t *)p, memory_order_relaxed));
}
ALWAYS_INLINE void StoreShadow(RawShadow *sp, RawShadow s) {
atomic_store((atomic_uint32_t *)sp, static_cast<u32>(s),
memory_order_relaxed);
}
} // namespace __tsan } // namespace __tsan
#endif #endif