This is an archive of the discontinued LLVM Phabricator instance.

Differential D23107

[MSAN][MIPS] Fix fork.cc test on MIPS
ClosedPublic

Authored by slthakur on Aug 3 2016, 12:14 AM.

Details

Reviewers
kcc
samsonov
eugenis
Summary

For platforms which support slow unwinder only, we restrict the store context size to 1, basically only storing the current pc. We do this because the slow unwinder which is based on libunwind is not async signal safe and causes random freezes in forking applications as well as in signal handlers.

Diff Detail

Repository
rL LLVM

Event Timeline

slthakur updated this revision to Diff 66620.Aug 3 2016, 12:14 AM
slthakur retitled this revision from to [MSAN][MIPS] Fix fork.cc test on MIPS.
slthakur updated this object.
slthakur added reviewers: eugenis, kcc, samsonov.
slthakur set the repository for this revision to rL LLVM.
slthakur added a project: Restricted Project.
slthakur added subscribers: mohit.bhakkad, jaydeep, llvm-commits.
vkalintiris added a subscriber: vkalintiris.Aug 3 2016, 2:06 AM
eugenis requested changes to this revision.Aug 4 2016, 1:36 PM
eugenis edited edge metadata.

Sounds like a bug in msan runtime - it should not hang while reading origins. What is really happening?

This revision now requires changes to proceed.Aug 4 2016, 1:36 PM
slthakur added a comment.Nov 23 2016, 5:00 AM

Hi @eugenis

This test fails on MIPS because many threads are waiting indefinitely on a futex wait. The test pases with reduced number of child processes. Is it okay if we reduce the number of child processes of this test for MIPS?

Regards,
Sagar

eugenis added a comment.Nov 23 2016, 1:55 PM

Well, that's simply another way of saying "hangs while reading the chained origins". Reducing the number of child processes is likely to reduce the probability of the deadlock instead of eliminating it. Anyway, this sounds like a bug in the msan runtime library.

This test is for the ChainedOriginDepotLockAll() logic in msan_interceptors.cc. Could you verify that the fork interceptor is being used on MIPS? I wonder if we need to intercept something else, like vfork.

slthakur added a comment.Nov 24 2016, 3:15 AM

This test is for the ChainedOriginDepotLockAll() logic in msan_interceptors.cc. Could you verify that the fork interceptor is being used on MIPS? I wonder if we need to intercept something else, like vfork.

The fork call is being intercepted by the runtime MIPS.

In order to find the root cause of this bug I debugged fork.cc on x86 (as gdb on mips was unable to give a proper backtrace from the point of deadlock) with the fast unwinder disabled (the deadlock appears only when fast unwinder is disabled and slow unwinder is used instead). Following is the stack trace from the point of deadlock on x86:

#0 lll_lock_wait () at ../sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:135
#1 0x00007fbdeaaa7e92 in GI___pthread_mutex_lock ( mutex=0x7fbdeb56c970 <_rtld_global+2352>) at ../nptl/pthread_mutex_lock.c:115
#2 0x00007fbdea1f542f in GI_dl_iterate_phdr ( callback=0x437630 <msan_dl_iterate_phdr_cb(sanitizer::sanitizer_dl_phdr_info*, SIZE_T, void*)>, data=0x7ffdaaaaca60) at dl-iteratephdr.c:41
#3 0x00000000004269fc in interceptor_dl_iterate_phdr (callback=0x7fbdea48cdf0, data=0x7ffdaaaaca90) at /home/slt/LLVM/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1430
#4 0x00007fbdea48e16e in _Unwind_Find_FDE () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#5 0x00007fbdea48ab63 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#6 0x00007fbdea48bd80 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#7 0x00007fbdea48c638 in _Unwind_Backtrace () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#8 0x00000000004895c3 in sanitizer::BufferedStackTrace::SlowUnwindStack ( this=0x7ffdaaaad040, pc=pc@entry=4790675, max_depth=max_depth@entry=20) at /home/slt/LLVM/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_unwind_linux_libcdep.cc:125
#9 0x000000000048641a in sanitizer::BufferedStackTrace::Unwind ( this=this@entry=0x7ffdaaaad040, max_depth=max_depth@entry=20, pc=pc@entry=4790675, bp=bp@entry=140727466776720, context=context@entry=0x0, stack_top=stack_top@entry=0, stack_bottom=0, request_fast_unwind=true) at /home/slt/LLVM/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_libcdep.cc:76
#10 0x000000000041be78 in msan::GetStackTrace (request_fast_unwind=true, bp=140727466776720, pc=4790675, max_s=20, stack=0x7ffdaaaad040) at /home/slt/LLVM/llvm/projects/compiler-rt/lib/msan/msan.cc:226
#11 __msan_chain_origin (id=2147483648) at /home/slt/LLVM/llvm/projects/compiler-rt/lib/msan/msan.cc:562
#12 0x0000000000491993 in child () at /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/fork.cc:60
#13 test () at /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/fork.cc:80
#14 0x00000000004924b4 in main () at /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/fork.cc:91

From this backtrace, it looks like the deadlock is in libunwind where dl_interate_phdr is waiting on a lock.

eugenis added a comment.Nov 24 2016, 12:41 PM

Good catch!
So, the slow unwinder is not async signal safe. This makes _any_ store of uninit value not async signal safe with chained-origins on platforms w/o the fast unwinder (mips, sparc).

I think we should play it safe and disable the slow unwinder in __msan_chain_origin. If there is no fast unwinder for the platform, the next best thing would be reducing store_context_size to 1 (or is it 0? basically, just recording the current PC). This would not be great for the user experience, but the alternative is random freezes in forking applications as well as in signal handlers.

slthakur updated this revision to Diff 80058.Dec 2 2016, 4:29 AM
slthakur updated this object.
slthakur edited edge metadata.

As suggested, reduced store_context_size to 1 when slow unwinder is being used.

Herald added a subscriber: kubamracek. · View Herald TranscriptDec 2 2016, 4:29 AM
eugenis added a comment.Dec 2 2016, 12:09 PM

Phabricator shows lots of affected files with empty diffs for some reason.

lib/msan/msan.h
340

max(1, flags()->store_context_size)

341

and this can be just "false"

test/msan/chained_origin.cc
16

I can't find any use of CHECK-(NON-)MIPS-FRAMES-HEAP in this test.

test/msan/chained_origin_limits.cc
164

Hm, this test expects three instances of "Uninitialized value was stored to memory at" on non-mips, and only one instance on mips. Why is that?

test/msan/lit.cfg
42

fast unwinder is also unavailable on sparc, please include that here

43

i don't think these braces around "CHECK-MIPS-FRAMES" are necessary

45

Instead of mips and non-mips, let's call it something neutral, like
%short-stack -> "SHORT-STACK" on mips and sparc, and "" on other platforms.
Then any affected CHECK can be given a -%short-stack suffix.

slthakur updated this revision to Diff 80387.Dec 6 2016, 1:34 AM
slthakur edited edge metadata.
slthakur marked 5 inline comments as done.

Addressed review comments

lib/msan/msan.h
340

max(1, flags()->store_context_size) will return the value of flags()->store_context_size which is 1000 in the test case fork.cc. This will invoke the slow unwinder and cause deadlock.

test/msan/chained_origin_limits.cc
164

On architectures with short stack, due to reduced origin context, all the stacks in the chain are same because the stack trace contains only 1 frame and does not contain frames upto the functions (fn1, fn2, fn3) from where the uninitialized stores actually originate. And since origin_history_per_stack_limit is set to 1 we only get 1 instance of "Uninitialized value was stored to memory at" per stack. Therefore even though the uninitialized stores come from 3 different functions we only have one stack trace. In case of architectures having full stack, there are 3 different stacks because the uninitialized stores originate from 3 different functions in the chain and therefore we can see 1 instance (per stack) of "Uninitialized value was stored to memory at".

The full stack (for architectures with full origin context) which is different from the 2 other stacks in the chain is :

Uninitialized value was stored to memory at

#0 0xaaaef00f10 in __msan_memmove /home/slt/LLVM/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1480:3
#1 0xaaaef9ccd4 in line_flush /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/chained_origin_limits.cc:90:5
#2 0xaaaef9ccd4 in buffered_write /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/chained_origin_limits.cc:102
#3 0xaaaef9ccd4 in fn3 /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/chained_origin_limits.cc:115
#4 0xaaaef9ccd4 in main /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/chained_origin_limits.cc:123

Whereas the short stack (for architectures with short origin context) which is same as all other stacks in the chain is :

Uninitialized value was stored to memory at

#0 0xaab04dcf20 in __msan_memmove /home/slt/LLVM/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1480:3
test/msan/lit.cfg
42

Msan is not supported on sparc architecture. Do you still want me to include it ?

45

If we use "" in place of %short-stack for architectures which have full stack, then we will have to check the output lines for the full stack with the "CHECK" prefix . And these full stack frame lines will also be checked for architectures which have short stack because most of the tests have "--check-prefix=CHECK" for checking output lines other than stack frames.

Therefore it is important to distinguish between architectures having short stack and architectures having full stack context. So I have used
%short-stack -> "CHECK-FULL-STACK" substitution for architectures having full stack size. Please let me know if this should be done in a different way.

eugenis accepted this revision.Dec 6 2016, 1:59 PM
eugenis edited edge metadata.

LGTM w/ 2 minor comments

lib/msan/msan.h
340

Sorry, I meant min().
store_context_size = 0 should keep working.

test/msan/chained_origin_limits.cc
164

Yeah, I've completely forgot about this feature. Please add a short comment to the test case to avoid future questions.

test/msan/lit.cfg
42

No, that's fine.

45

agreed.

This revision is now accepted and ready to land.Dec 6 2016, 1:59 PM
slthakur updated this revision to Diff 80718.Dec 7 2016, 10:29 PM
slthakur edited edge metadata.

Addressed review comments

slthakur mentioned this in rL289027: [MSAN][MIPS] Fix fork.cc test on MIPS.Dec 7 2016, 10:41 PM
slthakur closed this revision.Dec 7 2016, 10:42 PM

Committed in rL289027.

Revision Contents

PathSize
lib/
msan/
15 lines
test/
msan/
22 lines
26 lines
18 lines
8 lines
7 lines
11 lines

Diff 80718

lib/msan/msan.h

Show First 20 LinesShow All 323 Lines▼ Show 20 Lines
#define GET_MALLOC_STACK_TRACE \ #define GET_MALLOC_STACK_TRACE \
BufferedStackTrace stack; \ BufferedStackTrace stack; \
if (__msan_get_track_origins() && msan_inited) \ if (__msan_get_track_origins() && msan_inited) \
GetStackTrace(&stack, common_flags()->malloc_context_size, \ GetStackTrace(&stack, common_flags()->malloc_context_size, \
StackTrace::GetCurrentPc(), GET_CURRENT_FRAME(), \ StackTrace::GetCurrentPc(), GET_CURRENT_FRAME(), \
common_flags()->fast_unwind_on_malloc) common_flags()->fast_unwind_on_malloc)
// For platforms which support slow unwinder only, we restrict the store context
// size to 1, basically only storing the current pc. We do this because the slow
// unwinder which is based on libunwind is not async signal safe and causes
// random freezes in forking applications as well as in signal handlers.
#define GET_STORE_STACK_TRACE_PC_BP(pc, bp) \ #define GET_STORE_STACK_TRACE_PC_BP(pc, bp) \
BufferedStackTrace stack; \ BufferedStackTrace stack; \
if (__msan_get_track_origins() > 1 && msan_inited) \ if (__msan_get_track_origins() > 1 && msan_inited) { \
if (!SANITIZER_CAN_FAST_UNWIND) \
GetStackTrace(&stack, Min(1, flags()->store_context_size), pc, bp, \
eugenisUnsubmitted
Not Done
ReplyInline Actions

max(1, flags()->store_context_size)

eugenis: max(1, flags()->store_context_size)
slthakurAuthorUnsubmitted
Not Done
ReplyInline Actions

max(1, flags()->store_context_size) will return the value of flags()->store_context_size which is 1000 in the test case fork.cc. This will invoke the slow unwinder and cause deadlock.

slthakur: max(1, flags()->store_context_size) will return the value of flags()->store_context_size which…
eugenisUnsubmitted
Not Done
ReplyInline Actions

Sorry, I meant min().
store_context_size = 0 should keep working.

eugenis: Sorry, I meant min(). store_context_size = 0 should keep working.
false); \
eugenisUnsubmitted
Done
ReplyInline Actions

and this can be just "false"

eugenis: and this can be just "false"
else \
GetStackTrace(&stack, flags()->store_context_size, pc, bp, \ GetStackTrace(&stack, flags()->store_context_size, pc, bp, \
common_flags()->fast_unwind_on_malloc) common_flags()->fast_unwind_on_malloc); \
}
#define GET_FATAL_STACK_TRACE_PC_BP(pc, bp) \ #define GET_FATAL_STACK_TRACE_PC_BP(pc, bp) \
BufferedStackTrace stack; \ BufferedStackTrace stack; \
if (msan_inited) \ if (msan_inited) \
GetStackTrace(&stack, kStackTraceMax, pc, bp, \ GetStackTrace(&stack, kStackTraceMax, pc, bp, \
common_flags()->fast_unwind_on_fatal) common_flags()->fast_unwind_on_fatal)
#define GET_STORE_STACK_TRACE \ #define GET_STORE_STACK_TRACE \
Show All 37 Lines

test/msan/chained_origin.cc

// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O3 %s -o %t && \ // RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O3 %s -o %t && \
// RUN: not %run %t >%t.out 2>&1 // RUN: not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-STACK < %t.out // RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-%short-stack --check-prefix=CHECK-STACK < %t.out
// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -DHEAP=1 -O3 %s -o %t && \ // RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -DHEAP=1 -O3 %s -o %t && \
// RUN: not %run %t >%t.out 2>&1 // RUN: not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-HEAP < %t.out // RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-%short-stack --check-prefix=CHECK-HEAP < %t.out
// RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -O3 %s -o %t && \ // RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -O3 %s -o %t && \
// RUN: not %run %t >%t.out 2>&1 // RUN: not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-STACK < %t.out // RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-%short-stack --check-prefix=CHECK-STACK < %t.out
// RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -DHEAP=1 -O3 %s -o %t && \ // RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -DHEAP=1 -O3 %s -o %t && \
// RUN: not %run %t >%t.out 2>&1 // RUN: not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-HEAP < %t.out // RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-HEAP < %t.out
eugenisUnsubmitted
Done
ReplyInline Actions

I can't find any use of CHECK-(NON-)MIPS-FRAMES-HEAP in this test.

eugenis: I can't find any use of CHECK-(NON-)MIPS-FRAMES-HEAP in this test.
#include <stdio.h> #include <stdio.h>
volatile int x, y; volatile int x, y;
__attribute__((noinline)) __attribute__((noinline))
void fn_g(int a) { void fn_g(int a) {
x = a; x = a;
Show All 20 Lines#endif
fn_h(); fn_h();
return y; return y;
} }
// CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value // CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value
// CHECK: {{#0 .* in main.*chained_origin.cc:}}[[@LINE-4]] // CHECK: {{#0 .* in main.*chained_origin.cc:}}[[@LINE-4]]
// CHECK: Uninitialized value was stored to memory at // CHECK: Uninitialized value was stored to memory at
// CHECK: {{#0 .* in fn_h.*chained_origin.cc:}}[[@LINE-19]] // CHECK-FULL-STACK: {{#0 .* in fn_h.*chained_origin.cc:}}[[@LINE-19]]
// CHECK: {{#1 .* in main.*chained_origin.cc:}}[[@LINE-9]] // CHECK-FULL-STACK: {{#1 .* in main.*chained_origin.cc:}}[[@LINE-9]]
// CHECK-SHORT-STACK: {{#0 .* in fn_h.*chained_origin.cc:}}[[@LINE-21]]
// CHECK: Uninitialized value was stored to memory at // CHECK: Uninitialized value was stored to memory at
// CHECK: {{#0 .* in fn_g.*chained_origin.cc:}}[[@LINE-33]] // CHECK-FULL-STACK: {{#0 .* in fn_g.*chained_origin.cc:}}[[@LINE-34]]
// CHECK: {{#1 .* in fn_f.*chained_origin.cc:}}[[@LINE-29]] // CHECK-FULL-STACK: {{#1 .* in fn_f.*chained_origin.cc:}}[[@LINE-30]]
// CHECK: {{#2 .* in main.*chained_origin.cc:}}[[@LINE-15]] // CHECK-FULL-STACK: {{#2 .* in main.*chained_origin.cc:}}[[@LINE-16]]
// CHECK-SHORT-STACK: {{#0 .* in fn_g.*chained_origin.cc:}}[[@LINE-37]]
// CHECK-STACK: Uninitialized value was created by an allocation of 'z' in the stack frame of function 'main' // CHECK-STACK: Uninitialized value was created by an allocation of 'z' in the stack frame of function 'main'
// CHECK-STACK: {{#0 .* in main.*chained_origin.cc:}}[[@LINE-25]] // CHECK-STACK: {{#0 .* in main.*chained_origin.cc:}}[[@LINE-27]]
// CHECK-HEAP: Uninitialized value was created by a heap allocation // CHECK-HEAP: Uninitialized value was created by a heap allocation
// CHECK-HEAP: {{#1 .* in main.*chained_origin.cc:}}[[@LINE-26]] // CHECK-HEAP: {{#1 .* in main.*chained_origin.cc:}}[[@LINE-28]]

test/msan/chained_origin_limits.cc

// This test program creates a very large number of unique histories. // This test program creates a very large number of unique histories.
// Heap origin. // Heap origin.
// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O3 %s -o %t // RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O3 %s -o %t
// RUN: MSAN_OPTIONS=origin_history_size=7 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=7 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK7 < %t.out // RUN: FileCheck %s --check-prefix=CHECK7 < %t.out
// RUN: MSAN_OPTIONS=origin_history_size=2 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=2 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK2 < %t.out // RUN: FileCheck %s --check-prefix=CHECK2 < %t.out
// RUN: MSAN_OPTIONS=origin_history_per_stack_limit=1 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_per_stack_limit=1 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK-PER-STACK < %t.out // RUN: FileCheck %s --check-prefix=CHECK-PER-STACK --check-prefix=CHECK-%short-stack < %t.out
// RUN: MSAN_OPTIONS=origin_history_size=7,origin_history_per_stack_limit=0 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=7,origin_history_per_stack_limit=0 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK7 < %t.out // RUN: FileCheck %s --check-prefix=CHECK7 < %t.out
// Stack origin. // Stack origin.
// RUN: %clangxx_msan -DSTACK -fsanitize-memory-track-origins=2 -O3 %s -o %t // RUN: %clangxx_msan -DSTACK -fsanitize-memory-track-origins=2 -O3 %s -o %t
// RUN: MSAN_OPTIONS=origin_history_size=7 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=7 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK7 < %t.out // RUN: FileCheck %s --check-prefix=CHECK7 < %t.out
// RUN: MSAN_OPTIONS=origin_history_size=2 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=2 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK2 < %t.out // RUN: FileCheck %s --check-prefix=CHECK2 < %t.out
// RUN: MSAN_OPTIONS=origin_history_per_stack_limit=1 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_per_stack_limit=1 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK-PER-STACK < %t.out // RUN: FileCheck %s --check-prefix=CHECK-PER-STACK --check-prefix=CHECK-%short-stack < %t.out
// RUN: MSAN_OPTIONS=origin_history_size=7,origin_history_per_stack_limit=0 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=7,origin_history_per_stack_limit=0 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK7 < %t.out // RUN: FileCheck %s --check-prefix=CHECK7 < %t.out
// Heap origin, with calls. // Heap origin, with calls.
// RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -O3 %s -o %t // RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -O3 %s -o %t
// RUN: MSAN_OPTIONS=origin_history_size=7 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=7 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK7 < %t.out // RUN: FileCheck %s --check-prefix=CHECK7 < %t.out
// RUN: MSAN_OPTIONS=origin_history_size=2 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=2 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK2 < %t.out // RUN: FileCheck %s --check-prefix=CHECK2 < %t.out
// RUN: MSAN_OPTIONS=origin_history_per_stack_limit=1 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_per_stack_limit=1 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK-PER-STACK < %t.out // RUN: FileCheck %s --check-prefix=CHECK-PER-STACK --check-prefix=CHECK-%short-stack < %t.out
// RUN: MSAN_OPTIONS=origin_history_size=7,origin_history_per_stack_limit=0 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=7,origin_history_per_stack_limit=0 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK7 < %t.out // RUN: FileCheck %s --check-prefix=CHECK7 < %t.out
// Stack origin, with calls. // Stack origin, with calls.
// RUN: %clangxx_msan -DSTACK -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -O3 %s -o %t // RUN: %clangxx_msan -DSTACK -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -O3 %s -o %t
// RUN: MSAN_OPTIONS=origin_history_size=7 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=7 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK7 < %t.out // RUN: FileCheck %s --check-prefix=CHECK7 < %t.out
// RUN: MSAN_OPTIONS=origin_history_size=2 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=2 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK2 < %t.out // RUN: FileCheck %s --check-prefix=CHECK2 < %t.out
// RUN: MSAN_OPTIONS=origin_history_per_stack_limit=1 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_per_stack_limit=1 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK-PER-STACK < %t.out // RUN: FileCheck %s --check-prefix=CHECK-PER-STACK --check-prefix=CHECK-%short-stack < %t.out
// RUN: MSAN_OPTIONS=origin_history_size=7,origin_history_per_stack_limit=0 not %run %t >%t.out 2>&1 // RUN: MSAN_OPTIONS=origin_history_size=7,origin_history_per_stack_limit=0 not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK7 < %t.out // RUN: FileCheck %s --check-prefix=CHECK7 < %t.out
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
▲ Show 20 LinesShow All 73 Lines▼ Show 20 Lines
// CHECK7: Uninitialized value was created // CHECK7: Uninitialized value was created
// CHECK2: WARNING: MemorySanitizer: use-of-uninitialized-value // CHECK2: WARNING: MemorySanitizer: use-of-uninitialized-value
// CHECK2-NOT: Uninitialized value was stored to memory at // CHECK2-NOT: Uninitialized value was stored to memory at
// CHECK2: Uninitialized value was stored to memory at // CHECK2: Uninitialized value was stored to memory at
// CHECK2-NOT: Uninitialized value was stored to memory at // CHECK2-NOT: Uninitialized value was stored to memory at
// CHECK2: Uninitialized value was created // CHECK2: Uninitialized value was created
// For architectures with short stack all the stacks in the chain are same
// because the stack trace does not contain frames upto the functions fn1, fn2,
// fn3 from where the uninitialized stores actually originate. Since we report
// uninitialized value store once for each stack frame
// (origin_history_per_stack_limit = 1) we expect only one instance of
// "Uninitialized value was stored to memory at".
// CHECK-PER-STACK: WARNING: MemorySanitizer: use-of-uninitialized-value // CHECK-PER-STACK: WARNING: MemorySanitizer: use-of-uninitialized-value
// CHECK-PER-STACK: Uninitialized value was stored to memory at // CHECK-PER-STACK: Uninitialized value was stored to memory at
// CHECK-PER-STACK: in fn3 // CHECK-SHORT-STACK: in __msan_memmove
// CHECK-PER-STACK: Uninitialized value was stored to memory at // CHECK-FULL-STACK: in fn3
// CHECK-PER-STACK: in fn2 // CHECK-FULL-STACK: Uninitialized value was stored to memory at
// CHECK-PER-STACK: Uninitialized value was stored to memory at // CHECK-FULL-STACK: in fn2
// CHECK-PER-STACK: in fn1 // CHECK-FULL-STACK: Uninitialized value was stored to memory at
// CHECK-FULL-STACK: in fn1
eugenisUnsubmitted
Not Done
ReplyInline Actions

Hm, this test expects three instances of "Uninitialized value was stored to memory at" on non-mips, and only one instance on mips. Why is that?

eugenis: Hm, this test expects three instances of "Uninitialized value was stored to memory at" on non…
slthakurAuthorUnsubmitted
Not Done
ReplyInline Actions

On architectures with short stack, due to reduced origin context, all the stacks in the chain are same because the stack trace contains only 1 frame and does not contain frames upto the functions (fn1, fn2, fn3) from where the uninitialized stores actually originate. And since origin_history_per_stack_limit is set to 1 we only get 1 instance of "Uninitialized value was stored to memory at" per stack. Therefore even though the uninitialized stores come from 3 different functions we only have one stack trace. In case of architectures having full stack, there are 3 different stacks because the uninitialized stores originate from 3 different functions in the chain and therefore we can see 1 instance (per stack) of "Uninitialized value was stored to memory at".

The full stack (for architectures with full origin context) which is different from the 2 other stacks in the chain is :

Uninitialized value was stored to memory at

#0 0xaaaef00f10 in __msan_memmove /home/slt/LLVM/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1480:3
#1 0xaaaef9ccd4 in line_flush /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/chained_origin_limits.cc:90:5
#2 0xaaaef9ccd4 in buffered_write /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/chained_origin_limits.cc:102
#3 0xaaaef9ccd4 in fn3 /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/chained_origin_limits.cc:115
#4 0xaaaef9ccd4 in main /home/slt/LLVM/llvm/projects/compiler-rt/test/msan/chained_origin_limits.cc:123

Whereas the short stack (for architectures with short origin context) which is same as all other stacks in the chain is :

Uninitialized value was stored to memory at

#0 0xaab04dcf20 in __msan_memmove /home/slt/LLVM/llvm/projects/compiler-rt/lib/msan/msan_interceptors.cc:1480:3
slthakur: On architectures with short stack, due to reduced origin context, all the stacks in the chain…
eugenisUnsubmitted
Not Done
ReplyInline Actions

Yeah, I've completely forgot about this feature. Please add a short comment to the test case to avoid future questions.

eugenis: Yeah, I've completely forgot about this feature. Please add a short comment to the test case to…
// CHECK-PER-STACK: Uninitialized value was created // CHECK-PER-STACK: Uninitialized value was created
// CHECK-UNLIMITED: WARNING: MemorySanitizer: use-of-uninitialized-value // CHECK-UNLIMITED: WARNING: MemorySanitizer: use-of-uninitialized-value
// CHECK-UNLIMITED: Uninitialized value was stored to memory at // CHECK-UNLIMITED: Uninitialized value was stored to memory at
// CHECK-UNLIMITED: Uninitialized value was stored to memory at // CHECK-UNLIMITED: Uninitialized value was stored to memory at
// CHECK-UNLIMITED: Uninitialized value was stored to memory at // CHECK-UNLIMITED: Uninitialized value was stored to memory at
// CHECK-UNLIMITED: Uninitialized value was stored to memory at // CHECK-UNLIMITED: Uninitialized value was stored to memory at
// CHECK-UNLIMITED: Uninitialized value was stored to memory at // CHECK-UNLIMITED: Uninitialized value was stored to memory at
Show All 14 Lines

test/msan/chained_origin_memcpy.cc

// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -DOFFSET=0 -O3 %s -o %t && \ // RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -DOFFSET=0 -O3 %s -o %t && \
// RUN: not %run %t >%t.out 2>&1 // RUN: not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-Z1 < %t.out // RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-Z1 --check-prefix=CHECK-%short-stack < %t.out
// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -DOFFSET=10 -O3 %s -o %t && \ // RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -DOFFSET=10 -O3 %s -o %t && \
// RUN: not %run %t >%t.out 2>&1 // RUN: not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-Z2 < %t.out // RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-Z2 --check-prefix=CHECK-%short-stack < %t.out
// RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -DOFFSET=0 -O3 %s -o %t && \ // RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -DOFFSET=0 -O3 %s -o %t && \
// RUN: not %run %t >%t.out 2>&1 // RUN: not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-Z1 < %t.out // RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-Z1 --check-prefix=CHECK-%short-stack < %t.out
// RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -DOFFSET=10 -O3 %s -o %t && \ // RUN: %clangxx_msan -mllvm -msan-instrumentation-with-call-threshold=0 -fsanitize-memory-track-origins=2 -DOFFSET=10 -O3 %s -o %t && \
// RUN: not %run %t >%t.out 2>&1 // RUN: not %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-Z2 < %t.out // RUN: FileCheck %s --check-prefix=CHECK --check-prefix=CHECK-Z2 --check-prefix=CHECK-%short-stack < %t.out
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
int xx[10000]; int xx[10000];
int yy[10000]; int yy[10000];
volatile int idx = 30; volatile int idx = 30;
Show All 19 Linesint main(int argc, char *argv[]) {
fn_h(); fn_h();
return yy[idx + OFFSET]; return yy[idx + OFFSET];
} }
// CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value // CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value
// CHECK: {{#0 .* in main .*chained_origin_memcpy.cc:}}[[@LINE-4]] // CHECK: {{#0 .* in main .*chained_origin_memcpy.cc:}}[[@LINE-4]]
// CHECK: Uninitialized value was stored to memory at // CHECK: Uninitialized value was stored to memory at
// CHECK: {{#1 .* in fn_h.*chained_origin_memcpy.cc:}}[[@LINE-15]] // CHECK-FULL-STACK: {{#1 .* in fn_h.*chained_origin_memcpy.cc:}}[[@LINE-15]]
// CHECK-SHORT-STACK: {{#0 .* in __msan_memcpy .*msan_interceptors.cc:}}
// CHECK: Uninitialized value was stored to memory at // CHECK: Uninitialized value was stored to memory at
// CHECK: {{#0 .* in fn_g.*chained_origin_memcpy.cc:}}[[@LINE-28]] // CHECK-FULL-STACK: {{#0 .* in fn_g.*chained_origin_memcpy.cc:}}[[@LINE-29]]
// CHECK: {{#1 .* in fn_f.*chained_origin_memcpy.cc:}}[[@LINE-24]] // CHECK-FULL-STACK: {{#1 .* in fn_f.*chained_origin_memcpy.cc:}}[[@LINE-25]]
// CHECK-SHORT-STACK: {{#0 .* in fn_g.*chained_origin_memcpy.cc:}}[[@LINE-31]]
// CHECK-Z1: Uninitialized value was created by an allocation of 'z1' in the stack frame of function 'main' // CHECK-Z1: Uninitialized value was created by an allocation of 'z1' in the stack frame of function 'main'
// CHECK-Z2: Uninitialized value was created by an allocation of 'z2' in the stack frame of function 'main' // CHECK-Z2: Uninitialized value was created by an allocation of 'z2' in the stack frame of function 'main'
// CHECK: {{#0 .* in main.*chained_origin_memcpy.cc:}}[[@LINE-20]] // CHECK: {{#0 .* in main.*chained_origin_memcpy.cc:}}[[@LINE-22]]

test/msan/lit.cfg

Show All 29 Lines
config.suffixes = ['.c', '.cc', '.cpp'] config.suffixes = ['.c', '.cc', '.cpp']
# MemorySanitizer tests are currently supported on Linux only. # MemorySanitizer tests are currently supported on Linux only.
if config.host_os not in ['Linux']: if config.host_os not in ['Linux']:
config.unsupported = True config.unsupported = True
if config.target_arch != 'aarch64': if config.target_arch != 'aarch64':
config.available_features.add('stable-runtime') config.available_features.add('stable-runtime')
# For mips64, mips64el we have forced store_context_size to 1 because these
# archs use slow unwinder which is not async signal safe. Therefore we only
# check the first frame since store_context size is 1.
if config.host_arch in ['mips64', 'mips64el']:
eugenisUnsubmitted
Done
ReplyInline Actions

fast unwinder is also unavailable on sparc, please include that here

eugenis: fast unwinder is also unavailable on sparc, please include that here
slthakurAuthorUnsubmitted
Not Done
ReplyInline Actions

Msan is not supported on sparc architecture. Do you still want me to include it ?

slthakur: Msan is not supported on sparc architecture. Do you still want me to include it ?
eugenisUnsubmitted
Not Done
ReplyInline Actions

No, that's fine.

eugenis: No, that's fine.
config.substitutions.append( ('CHECK-%short-stack', 'CHECK-SHORT-STACK'))
eugenisUnsubmitted
Done
ReplyInline Actions

i don't think these braces around "CHECK-MIPS-FRAMES" are necessary

eugenis: i don't think these braces around "CHECK-MIPS-FRAMES" are necessary
else:
config.substitutions.append( ('CHECK-%short-stack', 'CHECK-FULL-STACK'))
eugenisUnsubmitted
Done
ReplyInline Actions

Instead of mips and non-mips, let's call it something neutral, like
%short-stack -> "SHORT-STACK" on mips and sparc, and "" on other platforms.
Then any affected CHECK can be given a -%short-stack suffix.

eugenis: Instead of mips and non-mips, let's call it something neutral, like %short-stack -> "SHORT…
slthakurAuthorUnsubmitted
Not Done
ReplyInline Actions

If we use "" in place of %short-stack for architectures which have full stack, then we will have to check the output lines for the full stack with the "CHECK" prefix . And these full stack frame lines will also be checked for architectures which have short stack because most of the tests have "--check-prefix=CHECK" for checking output lines other than stack frames.

Therefore it is important to distinguish between architectures having short stack and architectures having full stack context. So I have used
%short-stack -> "CHECK-FULL-STACK" substitution for architectures having full stack size. Please let me know if this should be done in a different way.

slthakur: If we use "" in place of %short-stack for architectures which have full stack, then we will…
eugenisUnsubmitted
Not Done
ReplyInline Actions

agreed.

eugenis: agreed.

test/msan/msan_copy_shadow.cc

// Test that __msan_copy_shadow copies shadow, updates origin and does not touch // Test that __msan_copy_shadow copies shadow, updates origin and does not touch
// the application memory. // the application memory.
// RUN: %clangxx_msan -fsanitize-memory-track-origins=0 -O0 %s -o %t && not %run %t 2>&1 // RUN: %clangxx_msan -fsanitize-memory-track-origins=0 -O0 %s -o %t && not %run %t 2>&1
// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O0 %s -o %t && not %run %t 2>&1 | FileCheck %s // RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O0 %s -o %t && not %run %t 2>&1 | FileCheck --check-prefix=CHECK --check-prefix=CHECK-%short-stack %s
#include <assert.h> #include <assert.h>
#include <string.h> #include <string.h>
#include <sanitizer/msan_interface.h> #include <sanitizer/msan_interface.h>
int main() { int main() {
char *a = new char[4]; char *a = new char[4];
char *b = new char[4]; char *b = new char[4];
Show All 10 Linesint main() {
__msan_copy_shadow(b, a, 4); __msan_copy_shadow(b, a, 4);
assert(__msan_test_shadow(b, 4) == 0); assert(__msan_test_shadow(b, 4) == 0);
assert(__msan_test_shadow(b + 1, 3) == 1); assert(__msan_test_shadow(b + 1, 3) == 1);
assert(__msan_test_shadow(b + 3, 1) == -1); assert(__msan_test_shadow(b + 3, 1) == -1);
__msan_check_mem_is_initialized(b, 4); __msan_check_mem_is_initialized(b, 4);
// CHECK: use-of-uninitialized-value // CHECK: use-of-uninitialized-value
// CHECK: {{in main.*msan_copy_shadow.cc:}}[[@LINE-2]] // CHECK: {{in main.*msan_copy_shadow.cc:}}[[@LINE-2]]
// CHECK: Uninitialized value was stored to memory at // CHECK: Uninitialized value was stored to memory at
// CHECK: {{in main.*msan_copy_shadow.cc:}}[[@LINE-8]] // CHECK-FULL-STACK: {{in main.*msan_copy_shadow.cc:}}[[@LINE-8]]
// CHECK-SHORT-STACK: {{in __msan_copy_shadow .*msan_interceptors.cc:}}
// CHECK: Uninitialized value was created by a heap allocation // CHECK: Uninitialized value was created by a heap allocation
// CHECK: {{in main.*msan_copy_shadow.cc:}}[[@LINE-22]] // CHECK: {{in main.*msan_copy_shadow.cc:}}[[@LINE-23]]
} }

test/msan/realloc-large-origin.cc

// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O0 %s -o %t && not %run %t >%t.out 2>&1 // RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O0 %s -o %t && not %run %t >%t.out 2>&1
// RUN: FileCheck %s < %t.out // RUN: FileCheck --check-prefix=CHECK --check-prefix=CHECK-%short-stack %s < %t.out
// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O2 %s -o %t && not %run %t >%t.out 2>&1 // RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O2 %s -o %t && not %run %t >%t.out 2>&1
// RUN: FileCheck %s < %t.out // RUN: FileCheck --check-prefix=CHECK --check-prefix=CHECK-%short-stack %s < %t.out
// This is a regression test: there used to be broken "stored to memory at" // This is a regression test: there used to be broken "stored to memory at"
// stacks with // stacks with
// in __msan_memcpy // in __msan_memcpy
// in __msan::MsanReallocate // in __msan::MsanReallocate
// and nothing below that. // and nothing below that.
#include <stdlib.h> #include <stdlib.h>
int main(int argc, char **argv) { int main(int argc, char **argv) {
char *p = (char *)malloc(100); char *p = (char *)malloc(100);
p = (char *)realloc(p, 10000); p = (char *)realloc(p, 10000);
char x = p[50]; char x = p[50];
free(p); free(p);
return x; return x;
// CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value // CHECK: WARNING: MemorySanitizer: use-of-uninitialized-value
// CHECK: {{#0 0x.* in main .*realloc-large-origin.cc:}}[[@LINE-3]] // CHECK: {{#0 0x.* in main .*realloc-large-origin.cc:}}[[@LINE-3]]
// CHECK: Uninitialized value was stored to memory at // CHECK: Uninitialized value was stored to memory at
// CHECK: {{#0 0x.* in .*realloc}} // CHECK-FULL-STACK: {{#0 0x.* in .*realloc}}
// CHECK: {{#1 0x.* in main .*realloc-large-origin.cc:}}[[@LINE-10]] // CHECK-FULL-STACK: {{#1 0x.* in main .*realloc-large-origin.cc:}}[[@LINE-10]]
// CHECK-SHORT-STACK: {{#0 0x.* in .*realloc}}
// CHECK: Uninitialized value was created by a heap allocation // CHECK: Uninitialized value was created by a heap allocation
// CHECK: {{#0 0x.* in .*malloc}} // CHECK: {{#0 0x.* in .*malloc}}
// CHECK: {{#1 0x.* in main .*realloc-large-origin.cc:}}[[@LINE-15]] // CHECK: {{#1 0x.* in main .*realloc-large-origin.cc:}}[[@LINE-16]]
} }