This is an archive of the discontinued LLVM Phabricator instance.

Differential D142117

tsan: Consider SI_TIMER signals always asynchronous
ClosedPublic

Authored by melver on Jan 19 2023, 7:41 AM.

Details

Reviewers
dvyukov
Commits
rGed9ef9b4f248: tsan: Consider SI_TIMER signals always asynchronous
Summary

POSIX timer can be configured to send any kind of signal, however, it
fundamentally does not make sense to consider a timer a synchronous
signal. Teach TSan that timers are never synchronous.

The tricky bit here is correctly defining compiler-rt's siginfo
replacement, which is a rather complex struct. Extend it in a limited
way that is mostly cross-platform compatible and add offset tests in
sanitizer_platform_limits_posix.cpp.

Diff Detail

Event Timeline

melver created this revision.Jan 19 2023, 7:41 AM
Herald added a project: Restricted Project. · View Herald TranscriptJan 19 2023, 7:41 AM
Herald added a subscriber: Enna1. · View Herald Transcript
melver requested review of this revision.Jan 19 2023, 7:41 AM
Herald added a project: Restricted Project. · View Herald TranscriptJan 19 2023, 7:41 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
melver added a reviewer: dvyukov.Jan 19 2023, 7:43 AM
Harbormaster completed remote builds in B208757: Diff 490513.Jan 19 2023, 8:12 AM
dvyukov added inline comments.Jan 19 2023, 8:14 AM
compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp
2176

Should we also consider TRAP_PERF && !PERF_TYPE_BREAKPOINT as async?
I guess they can be sync as well, but maybe not in the tsan meaning (can also land inside of the tsan runtime). Esp with precise_ip>0 even these are not strictly speaking synchronous. However, with tsan signal delaying they will never land on the sampled instructions (e.g. memory accesses or calls). But delaying them is still better than corrupting memory.

melver added inline comments.Jan 20 2023, 12:54 AM
compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp
2176

We could just delay all TRAP_PERF, even breakpoint. If it's the difference of corrupting and crashing TSan and at least continuing to run, then at least it won't crash. Treating breakpoints specially might just be inconsistent. (Also saves us from having to maintain siginfo_t, which is a huge pain.)

It could do a one-off VPrintf that SIGTRAP perf events are best-effort?

(For us it also won't matter since we decided to disable TSan.)

dvyukov accepted this revision.Jan 20 2023, 1:06 AM
dvyukov added inline comments.
compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp
2176

OK, let's just merge you current version.

This revision is now accepted and ready to land.Jan 20 2023, 1:06 AM
This revision was landed with ongoing or failed builds.Jan 20 2023, 2:48 AM
Closed by commit rGed9ef9b4f248: tsan: Consider SI_TIMER signals always asynchronous (authored by melver). · Explain Why
This revision was automatically updated to reflect the committed changes.
melver added a commit: rGed9ef9b4f248: tsan: Consider SI_TIMER signals always asynchronous.
MaskRay mentioned this in D149309: [sanitizer] Correct alignment of x32 __sanitizer_siginfo.Apr 26 2023, 4:57 PM

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
26 lines
9 lines
tsan/
rtl/
19 lines

Diff 490766

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h

Show First 20 LinesShow All 580 Lines▼ Show 20 Lines
typedef unsigned __sanitizer_sigset_t; typedef unsigned __sanitizer_sigset_t;
#elif SANITIZER_LINUX #elif SANITIZER_LINUX
struct __sanitizer_sigset_t { struct __sanitizer_sigset_t {
// The size is determined by looking at sizeof of real sigset_t on linux. // The size is determined by looking at sizeof of real sigset_t on linux.
uptr val[128 / sizeof(uptr)]; uptr val[128 / sizeof(uptr)];
}; };
#endif #endif
struct __sanitizer_siginfo { struct __sanitizer_siginfo_pad {
// The size is determined by looking at sizeof of real siginfo_t on linux. // Require uptr, because siginfo_t is always pointer-size aligned on Linux.
u64 opaque[128 / sizeof(u64)]; uptr pad[128 / sizeof(uptr)];
}; };
#if SANITIZER_LINUX
# define SANITIZER_HAS_SIGINFO 1
union __sanitizer_siginfo {
struct {
int si_signo;
# if SANITIZER_MIPS
int si_code;
int si_errno;
# else
int si_errno;
int si_code;
# endif
};
__sanitizer_siginfo_pad pad;
};
#else
# define SANITIZER_HAS_SIGINFO 0
typedef __sanitizer_siginfo_pad __sanitizer_siginfo;
#endif
using __sanitizer_sighandler_ptr = void (*)(int sig); using __sanitizer_sighandler_ptr = void (*)(int sig);
using __sanitizer_sigactionhandler_ptr = void (*)(int sig, using __sanitizer_sigactionhandler_ptr = void (*)(int sig,
__sanitizer_siginfo *siginfo, __sanitizer_siginfo *siginfo,
void *uctx); void *uctx);
// Linux system headers define the 'sa_handler' and 'sa_sigaction' macros. // Linux system headers define the 'sa_handler' and 'sa_sigaction' macros.
#if SANITIZER_ANDROID && (SANITIZER_WORDSIZE == 64) #if SANITIZER_ANDROID && (SANITIZER_WORDSIZE == 64)
struct __sanitizer_sigaction { struct __sanitizer_sigaction {
▲ Show 20 LinesShow All 888 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cpp

Show First 20 LinesShow All 1,119 Lines▼ Show 20 Lines
// On s390x glibc 2.19 and earlier sa_flags was unsigned long, and sa_resv // On s390x glibc 2.19 and earlier sa_flags was unsigned long, and sa_resv
// didn't exist. // didn't exist.
CHECK_STRUCT_SIZE_AND_OFFSET(sigaction, sa_flags); CHECK_STRUCT_SIZE_AND_OFFSET(sigaction, sa_flags);
#endif #endif
#if SANITIZER_LINUX && (!SANITIZER_ANDROID || !SANITIZER_MIPS32) #if SANITIZER_LINUX && (!SANITIZER_ANDROID || !SANITIZER_MIPS32)
CHECK_STRUCT_SIZE_AND_OFFSET(sigaction, sa_restorer); CHECK_STRUCT_SIZE_AND_OFFSET(sigaction, sa_restorer);
#endif #endif
#if SANITIZER_HAS_SIGINFO
COMPILER_CHECK(alignof(siginfo_t) == alignof(__sanitizer_siginfo));
using __sanitizer_siginfo_t = __sanitizer_siginfo;
CHECK_TYPE_SIZE(siginfo_t);
CHECK_SIZE_AND_OFFSET(siginfo_t, si_signo);
CHECK_SIZE_AND_OFFSET(siginfo_t, si_errno);
CHECK_SIZE_AND_OFFSET(siginfo_t, si_code);
#endif
#if SANITIZER_LINUX #if SANITIZER_LINUX
CHECK_TYPE_SIZE(__sysctl_args); CHECK_TYPE_SIZE(__sysctl_args);
CHECK_SIZE_AND_OFFSET(__sysctl_args, name); CHECK_SIZE_AND_OFFSET(__sysctl_args, name);
CHECK_SIZE_AND_OFFSET(__sysctl_args, nlen); CHECK_SIZE_AND_OFFSET(__sysctl_args, nlen);
CHECK_SIZE_AND_OFFSET(__sysctl_args, oldval); CHECK_SIZE_AND_OFFSET(__sysctl_args, oldval);
CHECK_SIZE_AND_OFFSET(__sysctl_args, oldlenp); CHECK_SIZE_AND_OFFSET(__sysctl_args, oldlenp);
CHECK_SIZE_AND_OFFSET(__sysctl_args, newval); CHECK_SIZE_AND_OFFSET(__sysctl_args, newval);
CHECK_SIZE_AND_OFFSET(__sysctl_args, newlen); CHECK_SIZE_AND_OFFSET(__sysctl_args, newlen);
▲ Show 20 LinesShow All 201 LinesShow Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp

Show First 20 LinesShow All 122 Lines▼ Show 20 Lines
const int SIGTERM = 15; const int SIGTERM = 15;
#if defined(__mips__) || SANITIZER_FREEBSD || SANITIZER_APPLE || SANITIZER_NETBSD #if defined(__mips__) || SANITIZER_FREEBSD || SANITIZER_APPLE || SANITIZER_NETBSD
const int SIGBUS = 10; const int SIGBUS = 10;
const int SIGSYS = 12; const int SIGSYS = 12;
#else #else
const int SIGBUS = 7; const int SIGBUS = 7;
const int SIGSYS = 31; const int SIGSYS = 31;
#endif #endif
const int SI_TIMER = -2;
void *const MAP_FAILED = (void*)-1; void *const MAP_FAILED = (void*)-1;
#if SANITIZER_NETBSD #if SANITIZER_NETBSD
const int PTHREAD_BARRIER_SERIAL_THREAD = 1234567; const int PTHREAD_BARRIER_SERIAL_THREAD = 1234567;
#elif !SANITIZER_APPLE #elif !SANITIZER_APPLE
const int PTHREAD_BARRIER_SERIAL_THREAD = -1; const int PTHREAD_BARRIER_SERIAL_THREAD = -1;
#endif #endif
const int MAP_FIXED = 0x10; const int MAP_FIXED = 0x10;
typedef long long_t; typedef long long_t;
▲ Show 20 LinesShow All 2,021 Lines▼ Show 20 Linesvoid ProcessPendingSignalsImpl(ThreadState *thr) {
} }
res = REAL(pthread_sigmask)(SIG_SETMASK, &sctx->oldset, 0); res = REAL(pthread_sigmask)(SIG_SETMASK, &sctx->oldset, 0);
CHECK_EQ(res, 0); CHECK_EQ(res, 0);
atomic_fetch_add(&thr->in_signal_handler, -1, memory_order_relaxed); atomic_fetch_add(&thr->in_signal_handler, -1, memory_order_relaxed);
} }
} // namespace __tsan } // namespace __tsan
static bool is_sync_signal(ThreadSignalContext *sctx, int sig) { static bool is_sync_signal(ThreadSignalContext *sctx, int sig,
return sig == SIGSEGV || sig == SIGBUS || sig == SIGILL || sig == SIGTRAP || __sanitizer_siginfo *info) {
sig == SIGABRT || sig == SIGFPE || sig == SIGPIPE || sig == SIGSYS ||
// If we are sending signal to ourselves, we must process it now. // If we are sending signal to ourselves, we must process it now.
(sctx && sig == sctx->int_signal_send); if (sctx && sig == sctx->int_signal_send)
return true;
#if SANITIZER_HAS_SIGINFO
// POSIX timers can be configured to send any kind of signal; however, it
// doesn't make any sense to consider a timer signal as synchronous!
dvyukovUnsubmitted
Not Done
ReplyInline Actions

Should we also consider TRAP_PERF && !PERF_TYPE_BREAKPOINT as async?
I guess they can be sync as well, but maybe not in the tsan meaning (can also land inside of the tsan runtime). Esp with precise_ip>0 even these are not strictly speaking synchronous. However, with tsan signal delaying they will never land on the sampled instructions (e.g. memory accesses or calls). But delaying them is still better than corrupting memory.

dvyukov: Should we also consider TRAP_PERF && !PERF_TYPE_BREAKPOINT as async? I guess they can be sync…
melverAuthorUnsubmitted
Not Done
ReplyInline Actions

We could just delay all TRAP_PERF, even breakpoint. If it's the difference of corrupting and crashing TSan and at least continuing to run, then at least it won't crash. Treating breakpoints specially might just be inconsistent. (Also saves us from having to maintain siginfo_t, which is a huge pain.)

It could do a one-off VPrintf that SIGTRAP perf events are best-effort?

(For us it also won't matter since we decided to disable TSan.)

melver: We could just delay all TRAP_PERF, even breakpoint. If it's the difference of corrupting and…
dvyukovUnsubmitted
Not Done
ReplyInline Actions

OK, let's just merge you current version.

dvyukov: OK, let's just merge you current version.
if (info->si_code == SI_TIMER)
return false;
#endif
return sig == SIGSEGV || sig == SIGBUS || sig == SIGILL || sig == SIGTRAP ||
sig == SIGABRT || sig == SIGFPE || sig == SIGPIPE || sig == SIGSYS;
} }
void sighandler(int sig, __sanitizer_siginfo *info, void *ctx) { void sighandler(int sig, __sanitizer_siginfo *info, void *ctx) {
ThreadState *thr = cur_thread_init(); ThreadState *thr = cur_thread_init();
ThreadSignalContext *sctx = SigCtx(thr); ThreadSignalContext *sctx = SigCtx(thr);
if (sig < 0 || sig >= kSigCount) { if (sig < 0 || sig >= kSigCount) {
VPrintf(1, "ThreadSanitizer: ignoring signal %d\n", sig); VPrintf(1, "ThreadSanitizer: ignoring signal %d\n", sig);
return; return;
} }
// Don't mess with synchronous signals. // Don't mess with synchronous signals.
const bool sync = is_sync_signal(sctx, sig); const bool sync = is_sync_signal(sctx, sig, info);
if (sync || if (sync ||
// If we are in blocking function, we can safely process it now // If we are in blocking function, we can safely process it now
// (but check if we are in a recursive interceptor, // (but check if we are in a recursive interceptor,
// i.e. pthread_join()->munmap()). // i.e. pthread_join()->munmap()).
atomic_load(&thr->in_blocking_func, memory_order_relaxed)) { atomic_load(&thr->in_blocking_func, memory_order_relaxed)) {
atomic_fetch_add(&thr->in_signal_handler, 1, memory_order_relaxed); atomic_fetch_add(&thr->in_signal_handler, 1, memory_order_relaxed);
if (atomic_load(&thr->in_blocking_func, memory_order_relaxed)) { if (atomic_load(&thr->in_blocking_func, memory_order_relaxed)) {
atomic_store(&thr->in_blocking_func, 0, memory_order_relaxed); atomic_store(&thr->in_blocking_func, 0, memory_order_relaxed);
▲ Show 20 LinesShow All 980 LinesShow Last 20 Lines