This is an archive of the discontinued LLVM Phabricator instance.

Differential D146990

asan_memory_profile: Fix for deadlock in memory profiler code.
ClosedPublic

Authored by sanjeet-karan-singh on Mar 27 2023, 10:59 AM.

Details

Reviewers
kcc
vitalybuka
Commits
rG42fc9929ab59: asan_memory_profile: Fix for deadlock in memory profiler code.
rG129394ff50ed: asan_memory_profile: Fix for deadlock in memory profiler code.
Summary

Calling symbolization directly from stopTheWorld was causing deadlock.
For libc dep systems, symbolization uses dl_iterate_phdr, which acquire a
dl write lock. It could deadlock if the lock is already acquired by one of
suspended.

Diff Detail

Event Timeline

sanjeet-karan-singh created this revision.Mar 27 2023, 10:59 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 27 2023, 10:59 AM
Herald added subscribers: Enna1, krytarowski. · View Herald Transcript
sanjeet-karan-singh requested review of this revision.Mar 27 2023, 10:59 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 27 2023, 10:59 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
vitalybuka added a comment.Mar 27 2023, 11:14 AM

How hard to reproduce this issue?

compiler-rt/lib/asan/asan_memory_profile.cpp
143

Could you please point me to that code?

Harbormaster completed remote builds in B222071: Diff 508736.Mar 27 2023, 11:27 AM
sanjeet-karan-singh added inline comments.Mar 27 2023, 11:28 AM
compiler-rt/lib/asan/asan_memory_profile.cpp
143

thanks for looking, its here
https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp#L737

This deadlock is almost similar to this one https://github.com/google/sanitizers/issues/1364

vitalybuka added inline comments.Mar 27 2023, 11:32 AM
compiler-rt/lib/asan/asan_memory_profile.cpp
143

thanks for looking, its here
https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp#L737

This deadlock is almost similar to this one https://github.com/google/sanitizers/issues/1364

Actually I want to see call stack from "Stack depot" to use dl_iterate_phdr. I didn't expect it's used from there.

sanjeet-karan-singh added inline comments.Mar 27 2023, 11:47 AM
compiler-rt/lib/asan/asan_memory_profile.cpp
143

its call stack was similar to this one:

#0  __lll_lock_wait (futex=futex@entry=0x7ff0eebae990 <_rtld_global+2352>, private=0) at lowlevellock.c:52
#1  0x00007ff0ee97e131 in __GI___pthread_mutex_lock (mutex=0x7ff0eebae990 <_rtld_global+2352>) at ../nptl/pthread_mutex_lock.c:115
#2  0x00007ff0ee6bb231 in __GI___dl_iterate_phdr (callback=0x558daa8feef0 <__sanitizer::dl_iterate_phdr_cb(dl_phdr_info*, unsigned long, void*)>, data=0x7ff082c7cca0) at dl-iteratephdr.c:40
#3  0x0000558daa8feee5 in __sanitizer::ListOfModules::init() ()
#4  0x0000558daa90515e in __sanitizer::Symbolizer::FindModuleForAddress(unsigned long) ()
#5  0x0000558daa904d18 in __sanitizer::Symbolizer::SymbolizePC(unsigned long) ()
#6  0x0000558daa9035e8 in __sanitizer::StackTrace::Print() const ()
#7  0x0000558daa8e2437 in __asan::HeapProfile::Print(unsigned long, unsigned long) ()
#8  0x0000558daa8e22d0 in __asan::MemoryProfileCB(__sanitizer::SuspendedThreadsList const&, void*) ()
#9  0x0000558daa900e16 in __sanitizer::TracerThread(void*) ()
#10 0x0000558daa8f8a03 in __sanitizer::internal_clone(int (*)(void*), void*, int, void*, int*, void*, int*) ()
vitalybuka added inline comments.Mar 27 2023, 12:26 PM
compiler-rt/lib/asan/asan_memory_profile.cpp
143

Thanks, I see, so it's StackTrace::Print() with symbolization, not the Depot.

Maybe nicer solution is to move these from here and lsan into __sanitizer::StopTheWorld?

sanjeet-karan-singh added inline comments.Mar 27 2023, 11:00 PM
compiler-rt/lib/asan/asan_memory_profile.cpp
143

Thanks, that's great idea.
But, I think these locks are specific to caller functions, like here we know we need dl-iter lock (which may not be case for other StopTheWorld use cases).

Other option I was thinking was making lsan's LockDefStuffAndStopTheWorld function more generic, accepting (void* instead of CheckForLeaksParam *), but due to lsan specific StopTheWorld implementation for fuchsia, dropped that idea as well.

Sorry, I'm still learning sanitizers code, so if I intercept anything wrong please correct me.

vitalybuka accepted this revision.Mar 31 2023, 8:36 PM
This revision is now accepted and ready to land.Mar 31 2023, 8:36 PM
vitalybuka edited the summary of this revision. (Show Details)Mar 31 2023, 8:39 PM
This revision was landed with ongoing or failed builds.Mar 31 2023, 9:11 PM
Closed by commit rG129394ff50ed: asan_memory_profile: Fix for deadlock in memory profiler code. (authored by sanjeet-karan-singh, committed by vitalybuka). · Explain Why
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rG129394ff50ed: asan_memory_profile: Fix for deadlock in memory profiler code..
sanjeet-karan-singh added a comment.Mar 31 2023, 9:18 PM

Thankyou so much @vitalybuka

mgorny added a subscriber: mgorny.Apr 1 2023, 3:29 AM

It seems that this change causes the test suite to hang: https://lab.llvm.org/buildbot/#/builders/37/builds/21181 and later.

mgorny added a comment.Apr 1 2023, 5:57 AM
In D146990#4238280, @mgorny wrote:

It seems that this change causes the test suite to hang: https://lab.llvm.org/buildbot/#/builders/37/builds/21181 and later.

Hmm, actually, it might be a change in LLVM or Clang. I'm bisecting.

mgorny added a comment.Apr 1 2023, 6:33 AM

Ok, I've given up on bisect. I don't have the hardware to do this.

sanjeet-karan-singh added a comment.Apr 2 2023, 6:11 PM

ah, its hanging when running with internal symbolizer.
Not sure if its due to this change, if it is than possibly one of acquired locks here are causing deadlock with internal symbolizer.
Is there is any way I can try reproducing it locally? Maybe in meantime we can try by reverting this change.
I'm so sorry for this trouble.

mgorny added a comment.Apr 3 2023, 4:16 AM
This comment was removed by mgorny.
mgorny added a comment.Apr 3 2023, 4:28 AM

I'm sorry, please disregard my latest comment, I was looking at the wrong diff. I've eventually bisected the hang I was experiencing on Gentoo to https://reviews.llvm.org/rG27c4777f41d2. That said, I don't know if the buildbot failure is related to this commit or that one.

mgorny mentioned this in rG27c4777f41d2: [symbolizer] Treat invalid address as addr2line does.Apr 3 2023, 4:32 AM
kda added a subscriber: kda.Apr 3 2023, 5:23 PM

This appears to be breaking the builtbot: https://lab.llvm.org/buildbot/#/builders/37/builds/21181

I did try to reproduce the problem locally, but it seemed to pass. There may be an issue with our buildbot hosts.
I will check into that separately.

vitalybuka added a reverting change: rG56876fdd2e2a: Revert "asan_memory_profile: Fix for deadlock in memory profiler code.".Apr 3 2023, 10:59 PM
vitalybuka reopened this revision.Apr 3 2023, 11:07 PM

https://lab.llvm.org/buildbot/#/builders/37/builds/21181

We still can't safely symbolize from stop the world (and we don't symbolize in lsan as well)

We should:

  1. remove LockStuffAndStopTheWorld from here
  2. Lock allocator and call __lsan::ForEachChunk(ChunkCallback, &hp) under that lock
  3. unlock allocator and printout HeapProfile
This revision is now accepted and ready to land.Apr 3 2023, 11:07 PM
vitalybuka added a comment.Apr 3 2023, 11:16 PM

something like

diff --git a/compiler-rt/lib/asan/asan_memory_profile.cpp b/compiler-rt/lib/asan/asan_memory_profile.cpp
index 6c2b7404a279..ba2a7ecde4ef 100644
--- a/compiler-rt/lib/asan/asan_memory_profile.cpp
+++ b/compiler-rt/lib/asan/asan_memory_profile.cpp
@@ -14,7 +14,6 @@
 #include "sanitizer_common/sanitizer_common.h"
 #include "sanitizer_common/sanitizer_stackdepot.h"
 #include "sanitizer_common/sanitizer_stacktrace.h"
-#include "sanitizer_common/sanitizer_stoptheworld.h"
 #include "lsan/lsan_common.h"
 #include "asan/asan_allocator.h"
 
@@ -100,12 +99,12 @@ static void ChunkCallback(uptr chunk, void *arg) {
       FindHeapChunkByAllocBeg(chunk));
 }
 
-static void MemoryProfileCB(const SuspendedThreadsList &suspended_threads_list,
-                            void *argument) {
+static void MemoryProfileCB(uptr top_percent, uptr max_number_of_contexts) {
   HeapProfile hp;
+  __lsan::LockAllocator();
   __lsan::ForEachChunk(ChunkCallback, &hp);
-  uptr *Arg = reinterpret_cast<uptr*>(argument);
-  hp.Print(Arg[0], Arg[1]);
+  __lsan::UnlockAllocator();
+  hp.Print(top_percent, max_number_of_contexts);
 
   if (Verbosity())
     __asan_print_accumulated_stats();
@@ -122,10 +121,7 @@ SANITIZER_INTERFACE_ATTRIBUTE
 void __sanitizer_print_memory_profile(uptr top_percent,
                                       uptr max_number_of_contexts) {
 #if CAN_SANITIZE_LEAKS
-  uptr Arg[2];
-  Arg[0] = top_percent;
-  Arg[1] = max_number_of_contexts;
-  __sanitizer::StopTheWorld(__asan::MemoryProfileCB, Arg);
+  __asan::MemoryProfileCB(top_percent, max_number_of_contexts);
 #endif  // CAN_SANITIZE_LEAKS
 }
 }  // extern "C"
sanjeet-karan-singh updated this revision to Diff 510930.Apr 4 2023, 3:08 PM
sanjeet-karan-singh edited the summary of this revision. (Show Details)

Great Idea, Thankyou so much @vitalybuka, just updated diff

sanjeet-karan-singh updated this revision to Diff 510950.Apr 4 2023, 3:26 PM
Harbormaster completed remote builds in B223689: Diff 510950.Apr 4 2023, 3:46 PM
vitalybuka accepted this revision.Apr 4 2023, 4:40 PM
Closed by commit rG42fc9929ab59: asan_memory_profile: Fix for deadlock in memory profiler code. (authored by sanjeet-karan-singh, committed by vitalybuka). · Explain WhyApr 4 2023, 4:42 PM
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rG42fc9929ab59: asan_memory_profile: Fix for deadlock in memory profiler code..

Revision Contents

PathSize
compiler-rt/
lib/
asan/
43 lines

Diff 508736

compiler-rt/lib/asan/asan_memory_profile.cpp

Show All 13 Lines
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_stackdepot.h" #include "sanitizer_common/sanitizer_stackdepot.h"
#include "sanitizer_common/sanitizer_stacktrace.h" #include "sanitizer_common/sanitizer_stacktrace.h"
#include "sanitizer_common/sanitizer_stoptheworld.h" #include "sanitizer_common/sanitizer_stoptheworld.h"
#include "lsan/lsan_common.h" #include "lsan/lsan_common.h"
#include "asan/asan_allocator.h" #include "asan/asan_allocator.h"
#if CAN_SANITIZE_LEAKS #if CAN_SANITIZE_LEAKS
#include "sanitizer_common/sanitizer_platform.h"
#if SANITIZER_LINUX || SANITIZER_NETBSD
#include <link.h>
#endif
namespace __asan { namespace __asan {
struct AllocationSite { struct AllocationSite {
u32 id; u32 id;
uptr total_size; uptr total_size;
uptr count; uptr count;
}; };
struct DoStopTheWorldParam {
StopTheWorldCallback callback;
void *argument;
};
class HeapProfile { class HeapProfile {
public: public:
HeapProfile() { allocations_.reserve(1024); } HeapProfile() { allocations_.reserve(1024); }
void ProcessChunk(const AsanChunkView &cv) { void ProcessChunk(const AsanChunkView &cv) {
if (cv.IsAllocated()) { if (cv.IsAllocated()) {
total_allocated_user_size_ += cv.UsedSize(); total_allocated_user_size_ += cv.UsedSize();
total_allocated_count_++; total_allocated_count_++;
▲ Show 20 LinesShow All 67 Lines▼ Show 20 Linesstatic void MemoryProfileCB(const SuspendedThreadsList &suspended_threads_list,
__lsan::ForEachChunk(ChunkCallback, &hp); __lsan::ForEachChunk(ChunkCallback, &hp);
uptr *Arg = reinterpret_cast<uptr*>(argument); uptr *Arg = reinterpret_cast<uptr*>(argument);
hp.Print(Arg[0], Arg[1]); hp.Print(Arg[0], Arg[1]);
if (Verbosity()) if (Verbosity())
__asan_print_accumulated_stats(); __asan_print_accumulated_stats();
} }
static void LockDefStuffAndStopTheWorld(DoStopTheWorldParam *param) {
__lsan::LockThreadRegistry();
__lsan::LockAllocator();
__sanitizer::StopTheWorld(param->callback, param->argument);
__lsan::UnlockAllocator();
__lsan::UnlockThreadRegistry();
}
static int LockStuffAndStopTheWorldCallback(struct dl_phdr_info *info,
size_t size, void *data) {
DoStopTheWorldParam *param = reinterpret_cast<DoStopTheWorldParam *>(data);
LockDefStuffAndStopTheWorld(param);
return 1;
}
void LockStuffAndStopTheWorld(StopTheWorldCallback callback, void *argument) {
DoStopTheWorldParam param = {callback, argument};
#if SANITIZER_LINUX || SANITIZER_NETBSD
// For libc dep systems, Stack depot use dl_iterate_phdr (which acquire a dl
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Could you please point me to that code?

vitalybuka: Could you please point me to that code?
sanjeet-karan-singhAuthorUnsubmitted
Done
ReplyInline Actions

thanks for looking, its here
https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp#L737

This deadlock is almost similar to this one https://github.com/google/sanitizers/issues/1364

sanjeet-karan-singh: thanks for looking, its here https://github.com/llvm/llvm-project/blob/main/compiler…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

thanks for looking, its here
https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/sanitizer_common/sanitizer_linux_libcdep.cpp#L737

This deadlock is almost similar to this one https://github.com/google/sanitizers/issues/1364

Actually I want to see call stack from "Stack depot" to use dl_iterate_phdr. I didn't expect it's used from there.

vitalybuka: > thanks for looking, its here > https://github.com/llvm/llvm-project/blob/main/compiler…
sanjeet-karan-singhAuthorUnsubmitted
Done
ReplyInline Actions

its call stack was similar to this one:

#0  __lll_lock_wait (futex=futex@entry=0x7ff0eebae990 <_rtld_global+2352>, private=0) at lowlevellock.c:52
#1  0x00007ff0ee97e131 in __GI___pthread_mutex_lock (mutex=0x7ff0eebae990 <_rtld_global+2352>) at ../nptl/pthread_mutex_lock.c:115
#2  0x00007ff0ee6bb231 in __GI___dl_iterate_phdr (callback=0x558daa8feef0 <__sanitizer::dl_iterate_phdr_cb(dl_phdr_info*, unsigned long, void*)>, data=0x7ff082c7cca0) at dl-iteratephdr.c:40
#3  0x0000558daa8feee5 in __sanitizer::ListOfModules::init() ()
#4  0x0000558daa90515e in __sanitizer::Symbolizer::FindModuleForAddress(unsigned long) ()
#5  0x0000558daa904d18 in __sanitizer::Symbolizer::SymbolizePC(unsigned long) ()
#6  0x0000558daa9035e8 in __sanitizer::StackTrace::Print() const ()
#7  0x0000558daa8e2437 in __asan::HeapProfile::Print(unsigned long, unsigned long) ()
#8  0x0000558daa8e22d0 in __asan::MemoryProfileCB(__sanitizer::SuspendedThreadsList const&, void*) ()
#9  0x0000558daa900e16 in __sanitizer::TracerThread(void*) ()
#10 0x0000558daa8f8a03 in __sanitizer::internal_clone(int (*)(void*), void*, int, void*, int*, void*, int*) ()
sanjeet-karan-singh: its call stack was similar to this one: ``` #0 __lll_lock_wait…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Thanks, I see, so it's StackTrace::Print() with symbolization, not the Depot.

Maybe nicer solution is to move these from here and lsan into __sanitizer::StopTheWorld?

vitalybuka: Thanks, I see, so it's StackTrace::Print() with symbolization, not the Depot. Maybe nicer…
sanjeet-karan-singhAuthorUnsubmitted
Done
ReplyInline Actions

Thanks, that's great idea.
But, I think these locks are specific to caller functions, like here we know we need dl-iter lock (which may not be case for other StopTheWorld use cases).

Other option I was thinking was making lsan's LockDefStuffAndStopTheWorld function more generic, accepting (void* instead of CheckForLeaksParam *), but due to lsan specific StopTheWorld implementation for fuchsia, dropped that idea as well.

Sorry, I'm still learning sanitizers code, so if I intercept anything wrong please correct me.

sanjeet-karan-singh: Thanks, that's great idea. But, I think these locks are specific to caller functions, like…
// write lock)
// It could cause deadlock if one of suspended threads aquired that lock and
// haven't released.
// So calling stopTheWorld inside dl_iterate_phdr, first wait for that lock to
// be released (if acquired)
// and than suspend all threads
dl_iterate_phdr(LockStuffAndStopTheWorldCallback, &param);
#else
LockDefStuffAndStopTheWorld(&param);
#endif
}
} // namespace __asan } // namespace __asan
#endif // CAN_SANITIZE_LEAKS #endif // CAN_SANITIZE_LEAKS
extern "C" { extern "C" {
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
void __sanitizer_print_memory_profile(uptr top_percent, void __sanitizer_print_memory_profile(uptr top_percent,
uptr max_number_of_contexts) { uptr max_number_of_contexts) {
#if CAN_SANITIZE_LEAKS #if CAN_SANITIZE_LEAKS
uptr Arg[2]; uptr Arg[2];
Arg[0] = top_percent; Arg[0] = top_percent;
Arg[1] = max_number_of_contexts; Arg[1] = max_number_of_contexts;
__sanitizer::StopTheWorld(__asan::MemoryProfileCB, Arg); __asan::LockStuffAndStopTheWorld(__asan::MemoryProfileCB, Arg);
#endif // CAN_SANITIZE_LEAKS #endif // CAN_SANITIZE_LEAKS
} }
} // extern "C" } // extern "C"