This is an archive of the discontinued LLVM Phabricator instance.

tsan: fix a race when assigning ThreadSignalContext
ClosedPublic

Authored by ridiculousfish on Dec 22 2022, 12:43 PM.

Download Raw Diff

Details

Reviewers

dvyukov
melver

Commits

rG35acc32b3e65: tsan: fix a race when assigning ThreadSignalContext

Summary

The SigCtx function lazily allocates a ThreadSignalContext, and stores it
in the ThreadState. This function may be called by various interceptors and
the signal handler itself.

If SigCtx itself is interrupted by a signal, then (prior to this fix) there
was a possibility of allocating two ThreadSignalContexts. This not only
leaks, it fails to deliver the signal to the program's signal handler, as
the recorded signal is overwritten by the new ThreadSignalContext.

Fix this by using a CAS to swap in the ThreadSignalContext, preventing the
race. Add a test for this case.

Diff Detail

Event Timeline

ridiculousfish created this revision.Dec 22 2022, 12:43 PM

Herald added a project: Restricted Project. · View Herald TranscriptDec 22 2022, 12:43 PM

Herald added a subscriber: Enna1. · View Herald Transcript

ridiculousfish requested review of this revision.Dec 22 2022, 12:43 PM

Herald added a subscriber: Restricted Project. · View Herald TranscriptDec 22 2022, 12:43 PM

Harbormaster completed remote builds in B204656: Diff 484935.Dec 22 2022, 1:11 PM

melver added inline comments.Jan 2 2023, 1:27 AM

compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp
264	A failed atomic_compare_exchange will load current value into ctx, so this additional atomic_load is unnecessary?

Address review feedback: we don't need to loop on CAS and we can elide the atomic_load.

ridiculousfish marked an inline comment as done.Jan 2 2023, 12:50 PM

ridiculousfish added inline comments.

compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp
264	Good call, fixed.

Harbormaster completed remote builds in B205374: Diff 485882.Jan 2 2023, 1:11 PM

LGTM, but please wait for Dmitry's review as well (he'll likely respond next week).

Thanks!

This revision is now accepted and ready to land.Jan 3 2023, 12:54 AM

dvyukov accepted this revision.Jan 9 2023, 7:02 AM

@ Peter, are you able to commit this yourself, or should we commit it for you?

In D140582#4040428, @melver wrote:

@ Peter, are you able to commit this yourself, or should we commit it for you?

Sorry but I think you got the wrong Peter. I never worked on tsan before:)

In D140582#4040513, @Peter wrote:

In D140582#4040428, @melver wrote:

@ Peter, are you able to commit this yourself, or should we commit it for you?

Sorry but I think you got the wrong Peter. I never worked on tsan before:)

Yes, I meant @ridiculousfish - sorry about that, I didn't realize @ auto-Ccs.

Thank you for the review! Please merge on my behalf.

Closed by commit rG35acc32b3e65: tsan: fix a race when assigning ThreadSignalContext (authored by ridiculousfish, committed by melver). · Explain WhyJan 10 2023, 10:33 AM

This revision was automatically updated to reflect the committed changes.

melver added a commit: rG35acc32b3e65: tsan: fix a race when assigning ThreadSignalContext.

Revision Contents

Path

Size

compiler-rt/

lib/

tsan/

rtl/

tsan_interceptors_posix.cpp

26 lines

tsan_rtl.h

2 lines

test/

tsan/

signal_thread_sigctx_race.cpp

84 lines

Diff 484935

compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp

Show First 20 Lines • Show All 243 Lines • ▼ Show 20 Lines
#else		#else
SANITIZER_WEAK_CXX_DEFAULT_IMPL void OnPotentiallyBlockingRegionBegin() {}		SANITIZER_WEAK_CXX_DEFAULT_IMPL void OnPotentiallyBlockingRegionBegin() {}
SANITIZER_WEAK_CXX_DEFAULT_IMPL void OnPotentiallyBlockingRegionEnd() {}		SANITIZER_WEAK_CXX_DEFAULT_IMPL void OnPotentiallyBlockingRegionEnd() {}
#endif		#endif

} // namespace __tsan		} // namespace __tsan

static ThreadSignalContext SigCtx(ThreadState thr) {		static ThreadSignalContext SigCtx(ThreadState thr) {
ThreadSignalContext ctx = (ThreadSignalContext)thr->signal_ctx;		// This function may be called recursively if it is interrupted by a signal
if (ctx == 0 && !thr->is_dead) {		// handler. Loop with CAS to handle the race.
ctx = (ThreadSignalContext)MmapOrDie(sizeof(ctx), "ThreadSignalContext");		uptr ctx = atomic_load(&thr->signal_ctx, memory_order_relaxed);
MemoryResetRange(thr, (uptr)&SigCtx, (uptr)ctx, sizeof(*ctx));		while (ctx == 0 && !thr->is_dead) {
thr->signal_ctx = ctx;		uptr pctx =
		(uptr)MmapOrDie(sizeof(ThreadSignalContext), "ThreadSignalContext");
		MemoryResetRange(thr, (uptr)&SigCtx, pctx, sizeof(ThreadSignalContext));
		if (atomic_compare_exchange_strong(&thr->signal_ctx, &ctx, pctx,
		memory_order_relaxed)) {
		ctx = pctx;
		} else {
		UnmapOrDie((ThreadSignalContext *)pctx, sizeof(ThreadSignalContext));
		ctx = atomic_load(&thr->signal_ctx, memory_order_relaxed);
		melverUnsubmitted Done Reply Inline Actions A failed atomic_compare_exchange will load current value into ctx, so this additional atomic_load is unnecessary? melver: A failed atomic_compare_exchange will load current value into ctx, so this additional…
		ridiculousfishAuthorUnsubmitted Done Reply Inline Actions Good call, fixed. ridiculousfish: Good call, fixed.
		}
}		}
return ctx;		return (ThreadSignalContext *)ctx;
}		}

ScopedInterceptor::ScopedInterceptor(ThreadState thr, const char fname,		ScopedInterceptor::ScopedInterceptor(ThreadState thr, const char fname,
uptr pc)		uptr pc)
: thr_(thr) {		: thr_(thr) {
LazyInitialize(thr);		LazyInitialize(thr);
if (UNLIKELY(atomic_load(&thr->in_blocking_func, memory_order_relaxed))) {		if (UNLIKELY(atomic_load(&thr->in_blocking_func, memory_order_relaxed))) {
// pthread_join is marked as blocking, but it's also known to call other		// pthread_join is marked as blocking, but it's also known to call other
▲ Show 20 Lines • Show All 698 Lines • ▼ Show 20 Lines	void DestroyThreadState() {
ThreadFinish(thr);		ThreadFinish(thr);
ProcUnwire(proc, thr);		ProcUnwire(proc, thr);
ProcDestroy(proc);		ProcDestroy(proc);
DTLS_Destroy();		DTLS_Destroy();
cur_thread_finalize();		cur_thread_finalize();
}		}

void PlatformCleanUpThreadState(ThreadState *thr) {		void PlatformCleanUpThreadState(ThreadState *thr) {
ThreadSignalContext *sctx = thr->signal_ctx;		ThreadSignalContext sctx = (ThreadSignalContext )atomic_load(
		&thr->signal_ctx, memory_order_relaxed);
if (sctx) {		if (sctx) {
thr->signal_ctx = 0;		atomic_store(&thr->signal_ctx, 0, memory_order_relaxed);
UnmapOrDie(sctx, sizeof(*sctx));		UnmapOrDie(sctx, sizeof(*sctx));
}		}
}		}
} // namespace __tsan		} // namespace __tsan

#if !SANITIZER_APPLE && !SANITIZER_NETBSD && !SANITIZER_FREEBSD		#if !SANITIZER_APPLE && !SANITIZER_NETBSD && !SANITIZER_FREEBSD
static void thread_finalize(void *v) {		static void thread_finalize(void *v) {
uptr iter = (uptr)v;		uptr iter = (uptr)v;
▲ Show 20 Lines • Show All 2,137 Lines • Show Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_rtl.h

Show First 20 Lines • Show All 214 Lines • ▼ Show 20 Lines	#endif
Processor *proc1;		Processor *proc1;
#if !SANITIZER_GO		#if !SANITIZER_GO
Processor *proc() { return proc1; }		Processor *proc() { return proc1; }
#else		#else
Processor *proc();		Processor *proc();
#endif		#endif

atomic_uintptr_t in_signal_handler;		atomic_uintptr_t in_signal_handler;
ThreadSignalContext *signal_ctx;		atomic_uintptr_t signal_ctx;

#if !SANITIZER_GO		#if !SANITIZER_GO
StackID last_sleep_stack_id;		StackID last_sleep_stack_id;
VectorClock last_sleep_clock;		VectorClock last_sleep_clock;
#endif		#endif

// Set in regions of runtime that must be signal-safe and fork-safe.		// Set in regions of runtime that must be signal-safe and fork-safe.
// If set, malloc must not be called.		// If set, malloc must not be called.
▲ Show 20 Lines • Show All 581 Lines • Show Last 20 Lines

compiler-rt/test/tsan/signal_thread_sigctx_race.cpp

This file was added.

				// RUN: %clangxx_tsan %s -o %t && %run %t 2>&1 \| FileCheck %s
				// UNSUPPORTED: darwin

				#include <errno.h>
				#include <limits.h>
				#include <pthread.h>
				#include <signal.h>
				#include <stdio.h>
				#include <stdlib.h>
				#include <sys/select.h>
				#include <sys/time.h>
				#include <sys/types.h>
				#include <unistd.h>

				// This attempts to exercise a race condition where both a thread and its signal
				// handler allocate the SigCtx. If the race is allowed, it leads to a leak and
				// the first signal being dropped.
				// Spawn threads in a loop and send it SIGUSR1 concurrently with the thread
				// doing a bogus kill() call. The signal handler writes to a self-pipe which the
				// thread detects and then exits. A dropped signal results in a timeout.
				int pipes[2];
				static void handler(int sig) { write(pipes[1], "x", 1); }

				static int do_select() {
				struct timeval tvs {
				0, 1000
				};
				fd_set fds;
				FD_ZERO(&fds);
				FD_SET(pipes[0], &fds);
				return select(pipes[0] + 1, &fds, 0, 0, &tvs);
				}

				static void thr(void p) {
				// This kill() is expected to fail; it exists only to trigger a call to SigCtx
				// outside of the signal handler.
				kill(INT_MIN, 0);
				int success = 0;
				for (int i = 0; i < 1024; i++) {
				if (do_select() > 0) {
				success = 1;
				break;
				}
				}
				if (success) {
				char c;
				read(pipes[0], &c, 1);
				} else {
				fprintf(stderr, "Failed to receive signal\n");
				exit(1);
				}
				return p;
				}

				int main() {
				if (pipe(pipes)) {
				perror("pipe");
				exit(1);
				}

				struct sigaction act = {};
				act.sa_handler = &handler;
				if (sigaction(SIGUSR1, &act, 0)) {
				perror("sigaction");
				exit(1);
				}

				for (int i = 0; i < (1 << 10); i++) {
				pthread_t th{};
				if (pthread_create(&th, 0, thr, 0)) {
				perror("pthread_create");
				exit(1);
				}
				pthread_kill(th, SIGUSR1);
				pthread_join(th, 0);
				}

				fprintf(stderr, "DONE\n");
				return 0;
				}

				// CHECK-NOT: WARNING: ThreadSanitizer:
				// CHECK: DONE
				// CHECK-NOT: WARNING: ThreadSanitizer: