This is an archive of the discontinued LLVM Phabricator instance.

Differential D25889

[tsan] Unwind the shadow stack in __tsan_func_exit() if the top of the shadow stack doesn’t match
AbandonedPublic

Authored by kubamracek on Oct 21 2016, 5:06 PM.

Details

Reviewers
kcc
dvyukov
Summary

C++ exceptions currently cause the shadow stack to get corrupt, because a PC can remain on the stack when the exception mechanism skips a calls to __tsan_func_exit. Besides producing wrong backtraces in reports, this also causes enormous memory usage growth in some cases.

Instead of handling exceptions at the instrumentation level, this patch tries to “fix” the shadow stack when it detects that when calling tsan_func_exit, the top of the stack contains something else than what tsan_func_entry inserted there.

Still WIP, this fails some tests (LLVM instrumentation tests, Go test and unit tests) and is missing a testcase.

Diff Detail

Event Timeline

kubamracek updated this revision to Diff 75514.Oct 21 2016, 5:06 PM
kubamracek retitled this revision from to [tsan] Unwind the shadow stack in __tsan_func_exit() if the top of the shadow stack doesn’t match.
kubamracek updated this object.
kubamracek added reviewers: dvyukov, kcc.
kubamracek set the repository for this revision to rL LLVM.
kubamracek added a project: Restricted Project.
kubamracek added subscribers: zaks.anna, llvm-commits.
dvyukov edited edge metadata.Oct 30 2016, 6:14 PM

FTR, answered here:
https://groups.google.com/d/msg/thread-sanitizer/-8UAOllyFrk/c_mNX7MDBgAJ

kubamracek abandoned this revision.Oct 31 2016, 5:50 PM
In D25889#583152, @dvyukov wrote:

FTR, answered here:
https://groups.google.com/d/msg/thread-sanitizer/-8UAOllyFrk/c_mNX7MDBgAJ

OK, submitted https://reviews.llvm.org/D26177 instead.

Revision Contents

PathSize
lib/
Transforms/
Instrumentation/
6 lines
projects/
compiler-rt/
lib/
tsan/
rtl/
4 lines
2 lines
5 lines
5 lines
4 lines
5 lines
2 lines
11 lines

Diff 75514

lib/Transforms/Instrumentation/ThreadSanitizer.cpp

Show First 20 LinesShow All 144 Lines▼ Show 20 LinesFunctionPass *llvm::createThreadSanitizerPass() {
return new ThreadSanitizer(); return new ThreadSanitizer();
} }
void ThreadSanitizer::initializeCallbacks(Module &M) { void ThreadSanitizer::initializeCallbacks(Module &M) {
IRBuilder<> IRB(M.getContext()); IRBuilder<> IRB(M.getContext());
// Initialize the callbacks. // Initialize the callbacks.
TsanFuncEntry = checkSanitizerInterfaceFunction(M.getOrInsertFunction( TsanFuncEntry = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
"__tsan_func_entry", IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr)); "__tsan_func_entry", IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr));
TsanFuncExit = checkSanitizerInterfaceFunction( TsanFuncExit = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
M.getOrInsertFunction("__tsan_func_exit", IRB.getVoidTy(), nullptr)); "__tsan_func_exit", IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr));
OrdTy = IRB.getInt32Ty(); OrdTy = IRB.getInt32Ty();
for (size_t i = 0; i < kNumberOfAccessSizes; ++i) { for (size_t i = 0; i < kNumberOfAccessSizes; ++i) {
const unsigned ByteSize = 1U << i; const unsigned ByteSize = 1U << i;
const unsigned BitSize = ByteSize * 8; const unsigned BitSize = ByteSize * 8;
std::string ByteSizeStr = utostr(ByteSize); std::string ByteSizeStr = utostr(ByteSize);
std::string BitSizeStr = utostr(BitSize); std::string BitSizeStr = utostr(BitSize);
SmallString<32> ReadName("__tsan_read" + ByteSizeStr); SmallString<32> ReadName("__tsan_read" + ByteSizeStr);
TsanRead[i] = checkSanitizerInterfaceFunction(M.getOrInsertFunction( TsanRead[i] = checkSanitizerInterfaceFunction(M.getOrInsertFunction(
▲ Show 20 LinesShow All 279 Lines▼ Show 20 Linesbool ThreadSanitizer::runOnFunction(Function &F) {
if ((Res || HasCalls) && ClInstrumentFuncEntryExit) { if ((Res || HasCalls) && ClInstrumentFuncEntryExit) {
IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI()); IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI());
Value *ReturnAddress = IRB.CreateCall( Value *ReturnAddress = IRB.CreateCall(
Intrinsic::getDeclaration(F.getParent(), Intrinsic::returnaddress), Intrinsic::getDeclaration(F.getParent(), Intrinsic::returnaddress),
IRB.getInt32(0)); IRB.getInt32(0));
IRB.CreateCall(TsanFuncEntry, ReturnAddress); IRB.CreateCall(TsanFuncEntry, ReturnAddress);
for (auto RetInst : RetVec) { for (auto RetInst : RetVec) {
IRBuilder<> IRBRet(RetInst); IRBuilder<> IRBRet(RetInst);
IRBRet.CreateCall(TsanFuncExit, {}); IRBRet.CreateCall(TsanFuncExit, ReturnAddress);
} }
Res = true; Res = true;
} }
return Res; return Res;
} }
bool ThreadSanitizer::instrumentLoadOrStore(Instruction *I, bool ThreadSanitizer::instrumentLoadOrStore(Instruction *I,
const DataLayout &DL) { const DataLayout &DL) {
▲ Show 20 LinesShow All 219 LinesShow Last 20 Lines

projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc

Show First 20 LinesShow All 273 Lines▼ Show 20 Lines if (!thr_->is_inited)
return; return;
if (flags()->ignore_interceptors_accesses) ThreadIgnoreEnd(thr_, pc_); if (flags()->ignore_interceptors_accesses) ThreadIgnoreEnd(thr_, pc_);
if (in_ignored_lib_) { if (in_ignored_lib_) {
thr_->in_ignored_lib = false; thr_->in_ignored_lib = false;
ThreadIgnoreEnd(thr_, pc_); ThreadIgnoreEnd(thr_, pc_);
} }
if (!thr_->ignore_interceptors) { if (!thr_->ignore_interceptors) {
ProcessPendingSignals(thr_); ProcessPendingSignals(thr_);
FuncExit(thr_); FuncExit(thr_, pc_);
CheckNoLocks(thr_); CheckNoLocks(thr_);
} }
} }
void ScopedInterceptor::UserCallbackStart() { void ScopedInterceptor::UserCallbackStart() {
if (flags()->ignore_interceptors_accesses) ThreadIgnoreEnd(thr_, pc_); if (flags()->ignore_interceptors_accesses) ThreadIgnoreEnd(thr_, pc_);
if (in_ignored_lib_) { if (in_ignored_lib_) {
thr_->in_ignored_lib = false; thr_->in_ignored_lib = false;
▲ Show 20 LinesShow All 200 Lines▼ Show 20 Lines
#endif #endif
// Find the saved buf by mangled_sp. // Find the saved buf by mangled_sp.
for (uptr i = 0; i < thr->jmp_bufs.Size(); i++) { for (uptr i = 0; i < thr->jmp_bufs.Size(); i++) {
JmpBuf *buf = &thr->jmp_bufs[i]; JmpBuf *buf = &thr->jmp_bufs[i];
if (buf->mangled_sp == mangled_sp) { if (buf->mangled_sp == mangled_sp) {
CHECK_GE(thr->shadow_stack_pos, buf->shadow_stack_pos); CHECK_GE(thr->shadow_stack_pos, buf->shadow_stack_pos);
// Unwind the stack. // Unwind the stack.
while (thr->shadow_stack_pos > buf->shadow_stack_pos) while (thr->shadow_stack_pos > buf->shadow_stack_pos)
FuncExit(thr); FuncExit(thr, thr->shadow_stack_pos[-1]);
ThreadSignalContext *sctx = SigCtx(thr); ThreadSignalContext *sctx = SigCtx(thr);
if (sctx) { if (sctx) {
sctx->int_signal_send = buf->int_signal_send; sctx->int_signal_send = buf->int_signal_send;
atomic_store(&sctx->in_blocking_func, buf->in_blocking_func, atomic_store(&sctx->in_blocking_func, buf->in_blocking_func,
memory_order_relaxed); memory_order_relaxed);
} }
atomic_store(&thr->in_signal_handler, buf->in_signal_handler, atomic_store(&thr->in_signal_handler, buf->in_signal_handler,
memory_order_relaxed); memory_order_relaxed);
▲ Show 20 LinesShow All 2,153 LinesShow Last 20 Lines

projects/compiler-rt/lib/tsan/rtl/tsan_interface.h

Show First 20 LinesShow All 65 Lines▼ Show 20 Lines
SANITIZER_INTERFACE_ATTRIBUTE void __tsan_write8_pc(void *addr, void *pc); SANITIZER_INTERFACE_ATTRIBUTE void __tsan_write8_pc(void *addr, void *pc);
SANITIZER_INTERFACE_ATTRIBUTE void __tsan_write16_pc(void *addr, void *pc); SANITIZER_INTERFACE_ATTRIBUTE void __tsan_write16_pc(void *addr, void *pc);
SANITIZER_INTERFACE_ATTRIBUTE void __tsan_vptr_read(void **vptr_p); SANITIZER_INTERFACE_ATTRIBUTE void __tsan_vptr_read(void **vptr_p);
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
void __tsan_vptr_update(void **vptr_p, void *new_val); void __tsan_vptr_update(void **vptr_p, void *new_val);
SANITIZER_INTERFACE_ATTRIBUTE void __tsan_func_entry(void *call_pc); SANITIZER_INTERFACE_ATTRIBUTE void __tsan_func_entry(void *call_pc);
SANITIZER_INTERFACE_ATTRIBUTE void __tsan_func_exit(); SANITIZER_INTERFACE_ATTRIBUTE void __tsan_func_exit(void *call_pc);
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
void __tsan_read_range(void *addr, unsigned long size); // NOLINT void __tsan_read_range(void *addr, unsigned long size); // NOLINT
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE
void __tsan_write_range(void *addr, unsigned long size); // NOLINT void __tsan_write_range(void *addr, unsigned long size); // NOLINT
// User may provide function that would be called right when TSan detects // User may provide function that would be called right when TSan detects
// an error. The argument 'report' is an opaque pointer that can be used to // an error. The argument 'report' is an opaque pointer that can be used to
▲ Show 20 LinesShow All 291 LinesShow Last 20 Lines

projects/compiler-rt/lib/tsan/rtl/tsan_interface_ann.cc

Show All 27 Lines
using namespace __tsan; // NOLINT using namespace __tsan; // NOLINT
namespace __tsan { namespace __tsan {
class ScopedAnnotation { class ScopedAnnotation {
public: public:
ScopedAnnotation(ThreadState *thr, const char *aname, const char *f, int l, ScopedAnnotation(ThreadState *thr, const char *aname, const char *f, int l,
uptr pc) uptr pc)
: thr_(thr) { : thr_(thr), pc_(pc) {
FuncEntry(thr_, pc); FuncEntry(thr_, pc);
DPrintf("#%d: annotation %s() %s:%d\n", thr_->tid, aname, f, l); DPrintf("#%d: annotation %s() %s:%d\n", thr_->tid, aname, f, l);
} }
~ScopedAnnotation() { ~ScopedAnnotation() {
FuncExit(thr_); FuncExit(thr_, pc_);
CheckNoLocks(thr_); CheckNoLocks(thr_);
} }
private: private:
ThreadState *const thr_; ThreadState *const thr_;
uptr pc_;
}; };
#define SCOPED_ANNOTATION(typ) \ #define SCOPED_ANNOTATION(typ) \
if (!flags()->enable_annotations) \ if (!flags()->enable_annotations) \
return; \ return; \
ThreadState *thr = cur_thread(); \ ThreadState *thr = cur_thread(); \
const uptr caller_pc = (uptr)__builtin_return_address(0); \ const uptr caller_pc = (uptr)__builtin_return_address(0); \
StatInc(thr, StatAnnotation); \ StatInc(thr, StatAnnotation); \
▲ Show 20 LinesShow All 407 LinesShow Last 20 Lines

projects/compiler-rt/lib/tsan/rtl/tsan_interface_atomic.cc

Show First 20 LinesShow All 460 Lines▼ Show 20 Lines#define SCOPED_ATOMIC(func, ...) \
ScopedAtomic sa(thr, callpc, a, mo, __func__); \ ScopedAtomic sa(thr, callpc, a, mo, __func__); \
return Atomic##func(thr, pc, __VA_ARGS__); \ return Atomic##func(thr, pc, __VA_ARGS__); \
/**/ /**/
class ScopedAtomic { class ScopedAtomic {
public: public:
ScopedAtomic(ThreadState *thr, uptr pc, const volatile void *a, ScopedAtomic(ThreadState *thr, uptr pc, const volatile void *a,
morder mo, const char *func) morder mo, const char *func)
: thr_(thr) { : thr_(thr), pc_(pc) {
FuncEntry(thr_, pc); FuncEntry(thr_, pc);
DPrintf("#%d: %s(%p, %d)\n", thr_->tid, func, a, mo); DPrintf("#%d: %s(%p, %d)\n", thr_->tid, func, a, mo);
} }
~ScopedAtomic() { ~ScopedAtomic() {
ProcessPendingSignals(thr_); ProcessPendingSignals(thr_);
FuncExit(thr_); FuncExit(thr_, pc_);
} }
private: private:
ThreadState *thr_; ThreadState *thr_;
uptr pc_;
}; };
static void AtomicStatInc(ThreadState *thr, uptr size, morder mo, StatType t) { static void AtomicStatInc(ThreadState *thr, uptr size, morder mo, StatType t) {
StatInc(thr, StatAtomic); StatInc(thr, StatAtomic);
StatInc(thr, t); StatInc(thr, t);
StatInc(thr, size == 1 ? StatAtomic1 StatInc(thr, size == 1 ? StatAtomic1
: size == 2 ? StatAtomic2 : size == 2 ? StatAtomic2
: size == 4 ? StatAtomic4 : size == 4 ? StatAtomic4
▲ Show 20 LinesShow All 445 LinesShow Last 20 Lines

projects/compiler-rt/lib/tsan/rtl/tsan_interface_inl.h

Show First 20 LinesShow All 98 Lines▼ Show 20 Linesvoid __tsan_vptr_read(void **vptr_p) {
MemoryRead(thr, CALLERPC, (uptr)vptr_p, kSizeLog8); MemoryRead(thr, CALLERPC, (uptr)vptr_p, kSizeLog8);
thr->is_vptr_access = false; thr->is_vptr_access = false;
} }
void __tsan_func_entry(void *pc) { void __tsan_func_entry(void *pc) {
FuncEntry(cur_thread(), (uptr)pc); FuncEntry(cur_thread(), (uptr)pc);
} }
void __tsan_func_exit() { void __tsan_func_exit(void *pc) {
FuncExit(cur_thread()); FuncExit(cur_thread(), (uptr)pc);
} }
void __tsan_read_range(void *addr, uptr size) { void __tsan_read_range(void *addr, uptr size) {
MemoryAccessRange(cur_thread(), CALLERPC, (uptr)addr, size, false); MemoryAccessRange(cur_thread(), CALLERPC, (uptr)addr, size, false);
} }
void __tsan_write_range(void *addr, uptr size) { void __tsan_write_range(void *addr, uptr size) {
MemoryAccessRange(cur_thread(), CALLERPC, (uptr)addr, size, true); MemoryAccessRange(cur_thread(), CALLERPC, (uptr)addr, size, true);
} }

projects/compiler-rt/lib/tsan/rtl/tsan_interface_java.cc

Show All 33 Lines JavaContext(jptr heap_begin, jptr heap_size)
: heap_begin(heap_begin) : heap_begin(heap_begin)
, heap_size(heap_size) { , heap_size(heap_size) {
} }
}; };
class ScopedJavaFunc { class ScopedJavaFunc {
public: public:
ScopedJavaFunc(ThreadState *thr, uptr pc) ScopedJavaFunc(ThreadState *thr, uptr pc)
: thr_(thr) { : thr_(thr), pc_(pc) {
Initialize(thr_); Initialize(thr_);
FuncEntry(thr, pc); FuncEntry(thr, pc);
} }
~ScopedJavaFunc() { ~ScopedJavaFunc() {
FuncExit(thr_); FuncExit(thr_, pc_);
// FIXME(dvyukov): process pending signals. // FIXME(dvyukov): process pending signals.
} }
private: private:
ThreadState *thr_; ThreadState *thr_;
uptr pc_;
}; };
static u64 jctx_buf[sizeof(JavaContext) / sizeof(u64) + 1]; static u64 jctx_buf[sizeof(JavaContext) / sizeof(u64) + 1];
static JavaContext *jctx; static JavaContext *jctx;
} // namespace __tsan } // namespace __tsan
#define SCOPED_JAVA_FUNC(func) \ #define SCOPED_JAVA_FUNC(func) \
▲ Show 20 LinesShow All 190 LinesShow Last 20 Lines

projects/compiler-rt/lib/tsan/rtl/tsan_rtl.h

Show First 20 LinesShow All 703 Lines▼ Show 20 Lines
void MemoryRangeImitateWrite(ThreadState *thr, uptr pc, uptr addr, uptr size); void MemoryRangeImitateWrite(ThreadState *thr, uptr pc, uptr addr, uptr size);
void ThreadIgnoreBegin(ThreadState *thr, uptr pc); void ThreadIgnoreBegin(ThreadState *thr, uptr pc);
void ThreadIgnoreEnd(ThreadState *thr, uptr pc); void ThreadIgnoreEnd(ThreadState *thr, uptr pc);
void ThreadIgnoreSyncBegin(ThreadState *thr, uptr pc); void ThreadIgnoreSyncBegin(ThreadState *thr, uptr pc);
void ThreadIgnoreSyncEnd(ThreadState *thr, uptr pc); void ThreadIgnoreSyncEnd(ThreadState *thr, uptr pc);
void FuncEntry(ThreadState *thr, uptr pc); void FuncEntry(ThreadState *thr, uptr pc);
void FuncExit(ThreadState *thr); void FuncExit(ThreadState *thr, uptr pc);
int ThreadCreate(ThreadState *thr, uptr pc, uptr uid, bool detached); int ThreadCreate(ThreadState *thr, uptr pc, uptr uid, bool detached);
void ThreadStart(ThreadState *thr, int tid, uptr os_id); void ThreadStart(ThreadState *thr, int tid, uptr os_id);
void ThreadFinish(ThreadState *thr); void ThreadFinish(ThreadState *thr);
int ThreadTid(ThreadState *thr, uptr pc, uptr uid); int ThreadTid(ThreadState *thr, uptr pc, uptr uid);
void ThreadJoin(ThreadState *thr, uptr pc, int tid); void ThreadJoin(ThreadState *thr, uptr pc, int tid);
void ThreadDetach(ThreadState *thr, uptr pc, int tid); void ThreadDetach(ThreadState *thr, uptr pc, int tid);
void ThreadFinalize(ThreadState *thr); void ThreadFinalize(ThreadState *thr);
▲ Show 20 LinesShow All 96 LinesShow Last 20 Lines

projects/compiler-rt/lib/tsan/rtl/tsan_rtl.cc

Show First 20 LinesShow All 955 Lines▼ Show 20 Lines#else
if (thr->shadow_stack_pos == thr->shadow_stack_end) if (thr->shadow_stack_pos == thr->shadow_stack_end)
GrowShadowStack(thr); GrowShadowStack(thr);
#endif #endif
thr->shadow_stack_pos[0] = pc; thr->shadow_stack_pos[0] = pc;
thr->shadow_stack_pos++; thr->shadow_stack_pos++;
} }
ALWAYS_INLINE USED ALWAYS_INLINE USED
void FuncExit(ThreadState *thr) { void FuncExit(ThreadState *thr, uptr pc) {
StatInc(thr, StatFuncExit); StatInc(thr, StatFuncExit);
DPrintf2("#%d: FuncExit\n", (int)thr->fast_state.tid()); DPrintf2("#%d: FuncExit\n", (int)thr->fast_state.tid());
if (kCollectHistory) { if (kCollectHistory) {
thr->fast_state.IncrementEpoch(); thr->fast_state.IncrementEpoch();
TraceAddEvent(thr, thr->fast_state, EventTypeFuncExit, 0); TraceAddEvent(thr, thr->fast_state, EventTypeFuncExit, 0);
} }
DCHECK_GT(thr->shadow_stack_pos, thr->shadow_stack); DCHECK_GT(thr->shadow_stack_pos, thr->shadow_stack);
#ifndef SANITIZER_GO #ifndef SANITIZER_GO
DCHECK_LT(thr->shadow_stack_pos, thr->shadow_stack_end); DCHECK_LT(thr->shadow_stack_pos, thr->shadow_stack_end);
#endif #endif
// Unwind the shadow stack until we find "pc", because we could have missed
// some matching FuncExit calls, e.g. due to C++ exceptions.
while (true) {
thr->shadow_stack_pos--; thr->shadow_stack_pos--;
if (thr->shadow_stack_pos[0] == pc) break;
DCHECK_GT(thr->shadow_stack_pos, thr->shadow_stack);
}
} }
void ThreadIgnoreBegin(ThreadState *thr, uptr pc) { void ThreadIgnoreBegin(ThreadState *thr, uptr pc) {
DPrintf("#%d: ThreadIgnoreBegin\n", thr->tid); DPrintf("#%d: ThreadIgnoreBegin\n", thr->tid);
thr->ignore_reads_and_writes++; thr->ignore_reads_and_writes++;
CHECK_GT(thr->ignore_reads_and_writes, 0); CHECK_GT(thr->ignore_reads_and_writes, 0);
thr->fast_state.SetIgnoreBit(); thr->fast_state.SetIgnoreBit();
#ifndef SANITIZER_GO #ifndef SANITIZER_GO
▲ Show 20 LinesShow All 59 LinesShow Last 20 Lines