xref: /freebsd/contrib/llvm-project/compiler-rt/lib/tsan/rtl/tsan_rtl.cpp (revision cfd6422a5217410fbd66f7a7a8a64d9d85e61229)
1 //===-- tsan_rtl.cpp ------------------------------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file is a part of ThreadSanitizer (TSan), a race detector.
10 //
11 // Main file (entry points) for the TSan run-time.
12 //===----------------------------------------------------------------------===//
13 
14 #include "sanitizer_common/sanitizer_atomic.h"
15 #include "sanitizer_common/sanitizer_common.h"
16 #include "sanitizer_common/sanitizer_file.h"
17 #include "sanitizer_common/sanitizer_libc.h"
18 #include "sanitizer_common/sanitizer_stackdepot.h"
19 #include "sanitizer_common/sanitizer_placement_new.h"
20 #include "sanitizer_common/sanitizer_symbolizer.h"
21 #include "tsan_defs.h"
22 #include "tsan_platform.h"
23 #include "tsan_rtl.h"
24 #include "tsan_mman.h"
25 #include "tsan_suppressions.h"
26 #include "tsan_symbolize.h"
27 #include "ubsan/ubsan_init.h"
28 
29 #ifdef __SSE3__
30 // <emmintrin.h> transitively includes <stdlib.h>,
31 // and it's prohibited to include std headers into tsan runtime.
32 // So we do this dirty trick.
33 #define _MM_MALLOC_H_INCLUDED
34 #define __MM_MALLOC_H
35 #include <emmintrin.h>
36 typedef __m128i m128;
37 #endif
38 
39 volatile int __tsan_resumed = 0;
40 
41 extern "C" void __tsan_resume() {
42   __tsan_resumed = 1;
43 }
44 
45 namespace __tsan {
46 
47 #if !SANITIZER_GO && !SANITIZER_MAC
48 __attribute__((tls_model("initial-exec")))
49 THREADLOCAL char cur_thread_placeholder[sizeof(ThreadState)] ALIGNED(64);
50 #endif
51 static char ctx_placeholder[sizeof(Context)] ALIGNED(64);
52 Context *ctx;
53 
54 // Can be overriden by a front-end.
55 #ifdef TSAN_EXTERNAL_HOOKS
56 bool OnFinalize(bool failed);
57 void OnInitialize();
58 #else
59 SANITIZER_WEAK_CXX_DEFAULT_IMPL
60 bool OnFinalize(bool failed) {
61   return failed;
62 }
63 SANITIZER_WEAK_CXX_DEFAULT_IMPL
64 void OnInitialize() {}
65 #endif
66 
67 static char thread_registry_placeholder[sizeof(ThreadRegistry)];
68 
69 static ThreadContextBase *CreateThreadContext(u32 tid) {
70   // Map thread trace when context is created.
71   char name[50];
72   internal_snprintf(name, sizeof(name), "trace %u", tid);
73   MapThreadTrace(GetThreadTrace(tid), TraceSize() * sizeof(Event), name);
74   const uptr hdr = GetThreadTraceHeader(tid);
75   internal_snprintf(name, sizeof(name), "trace header %u", tid);
76   MapThreadTrace(hdr, sizeof(Trace), name);
77   new((void*)hdr) Trace();
78   // We are going to use only a small part of the trace with the default
79   // value of history_size. However, the constructor writes to the whole trace.
80   // Unmap the unused part.
81   uptr hdr_end = hdr + sizeof(Trace);
82   hdr_end -= sizeof(TraceHeader) * (kTraceParts - TraceParts());
83   hdr_end = RoundUp(hdr_end, GetPageSizeCached());
84   if (hdr_end < hdr + sizeof(Trace))
85     UnmapOrDie((void*)hdr_end, hdr + sizeof(Trace) - hdr_end);
86   void *mem = internal_alloc(MBlockThreadContex, sizeof(ThreadContext));
87   return new(mem) ThreadContext(tid);
88 }
89 
90 #if !SANITIZER_GO
91 static const u32 kThreadQuarantineSize = 16;
92 #else
93 static const u32 kThreadQuarantineSize = 64;
94 #endif
95 
96 Context::Context()
97   : initialized()
98   , report_mtx(MutexTypeReport, StatMtxReport)
99   , nreported()
100   , nmissed_expected()
101   , thread_registry(new(thread_registry_placeholder) ThreadRegistry(
102       CreateThreadContext, kMaxTid, kThreadQuarantineSize, kMaxTidReuse))
103   , racy_mtx(MutexTypeRacy, StatMtxRacy)
104   , racy_stacks()
105   , racy_addresses()
106   , fired_suppressions_mtx(MutexTypeFired, StatMtxFired)
107   , clock_alloc("clock allocator") {
108   fired_suppressions.reserve(8);
109 }
110 
111 // The objects are allocated in TLS, so one may rely on zero-initialization.
112 ThreadState::ThreadState(Context *ctx, int tid, int unique_id, u64 epoch,
113                          unsigned reuse_count,
114                          uptr stk_addr, uptr stk_size,
115                          uptr tls_addr, uptr tls_size)
116   : fast_state(tid, epoch)
117   // Do not touch these, rely on zero initialization,
118   // they may be accessed before the ctor.
119   // , ignore_reads_and_writes()
120   // , ignore_interceptors()
121   , clock(tid, reuse_count)
122 #if !SANITIZER_GO
123   , jmp_bufs()
124 #endif
125   , tid(tid)
126   , unique_id(unique_id)
127   , stk_addr(stk_addr)
128   , stk_size(stk_size)
129   , tls_addr(tls_addr)
130   , tls_size(tls_size)
131 #if !SANITIZER_GO
132   , last_sleep_clock(tid)
133 #endif
134 {
135 }
136 
137 #if !SANITIZER_GO
138 static void MemoryProfiler(Context *ctx, fd_t fd, int i) {
139   uptr n_threads;
140   uptr n_running_threads;
141   ctx->thread_registry->GetNumberOfThreads(&n_threads, &n_running_threads);
142   InternalMmapVector<char> buf(4096);
143   WriteMemoryProfile(buf.data(), buf.size(), n_threads, n_running_threads);
144   WriteToFile(fd, buf.data(), internal_strlen(buf.data()));
145 }
146 
147 static void *BackgroundThread(void *arg) {
148   // This is a non-initialized non-user thread, nothing to see here.
149   // We don't use ScopedIgnoreInterceptors, because we want ignores to be
150   // enabled even when the thread function exits (e.g. during pthread thread
151   // shutdown code).
152   cur_thread_init();
153   cur_thread()->ignore_interceptors++;
154   const u64 kMs2Ns = 1000 * 1000;
155 
156   fd_t mprof_fd = kInvalidFd;
157   if (flags()->profile_memory && flags()->profile_memory[0]) {
158     if (internal_strcmp(flags()->profile_memory, "stdout") == 0) {
159       mprof_fd = 1;
160     } else if (internal_strcmp(flags()->profile_memory, "stderr") == 0) {
161       mprof_fd = 2;
162     } else {
163       InternalScopedString filename(kMaxPathLength);
164       filename.append("%s.%d", flags()->profile_memory, (int)internal_getpid());
165       fd_t fd = OpenFile(filename.data(), WrOnly);
166       if (fd == kInvalidFd) {
167         Printf("ThreadSanitizer: failed to open memory profile file '%s'\n",
168             &filename[0]);
169       } else {
170         mprof_fd = fd;
171       }
172     }
173   }
174 
175   u64 last_flush = NanoTime();
176   uptr last_rss = 0;
177   for (int i = 0;
178       atomic_load(&ctx->stop_background_thread, memory_order_relaxed) == 0;
179       i++) {
180     SleepForMillis(100);
181     u64 now = NanoTime();
182 
183     // Flush memory if requested.
184     if (flags()->flush_memory_ms > 0) {
185       if (last_flush + flags()->flush_memory_ms * kMs2Ns < now) {
186         VPrintf(1, "ThreadSanitizer: periodic memory flush\n");
187         FlushShadowMemory();
188         last_flush = NanoTime();
189       }
190     }
191     // GetRSS can be expensive on huge programs, so don't do it every 100ms.
192     if (flags()->memory_limit_mb > 0) {
193       uptr rss = GetRSS();
194       uptr limit = uptr(flags()->memory_limit_mb) << 20;
195       VPrintf(1, "ThreadSanitizer: memory flush check"
196                  " RSS=%llu LAST=%llu LIMIT=%llu\n",
197               (u64)rss >> 20, (u64)last_rss >> 20, (u64)limit >> 20);
198       if (2 * rss > limit + last_rss) {
199         VPrintf(1, "ThreadSanitizer: flushing memory due to RSS\n");
200         FlushShadowMemory();
201         rss = GetRSS();
202         VPrintf(1, "ThreadSanitizer: memory flushed RSS=%llu\n", (u64)rss>>20);
203       }
204       last_rss = rss;
205     }
206 
207     // Write memory profile if requested.
208     if (mprof_fd != kInvalidFd)
209       MemoryProfiler(ctx, mprof_fd, i);
210 
211     // Flush symbolizer cache if requested.
212     if (flags()->flush_symbolizer_ms > 0) {
213       u64 last = atomic_load(&ctx->last_symbolize_time_ns,
214                              memory_order_relaxed);
215       if (last != 0 && last + flags()->flush_symbolizer_ms * kMs2Ns < now) {
216         Lock l(&ctx->report_mtx);
217         ScopedErrorReportLock l2;
218         SymbolizeFlush();
219         atomic_store(&ctx->last_symbolize_time_ns, 0, memory_order_relaxed);
220       }
221     }
222   }
223   return nullptr;
224 }
225 
226 static void StartBackgroundThread() {
227   ctx->background_thread = internal_start_thread(&BackgroundThread, 0);
228 }
229 
230 #ifndef __mips__
231 static void StopBackgroundThread() {
232   atomic_store(&ctx->stop_background_thread, 1, memory_order_relaxed);
233   internal_join_thread(ctx->background_thread);
234   ctx->background_thread = 0;
235 }
236 #endif
237 #endif
238 
239 void DontNeedShadowFor(uptr addr, uptr size) {
240   ReleaseMemoryPagesToOS(MemToShadow(addr), MemToShadow(addr + size));
241 }
242 
243 #if !SANITIZER_GO
244 void UnmapShadow(ThreadState *thr, uptr addr, uptr size) {
245   if (size == 0) return;
246   DontNeedShadowFor(addr, size);
247   ScopedGlobalProcessor sgp;
248   ctx->metamap.ResetRange(thr->proc(), addr, size);
249 }
250 #endif
251 
252 void MapShadow(uptr addr, uptr size) {
253   // Global data is not 64K aligned, but there are no adjacent mappings,
254   // so we can get away with unaligned mapping.
255   // CHECK_EQ(addr, addr & ~((64 << 10) - 1));  // windows wants 64K alignment
256   const uptr kPageSize = GetPageSizeCached();
257   uptr shadow_begin = RoundDownTo((uptr)MemToShadow(addr), kPageSize);
258   uptr shadow_end = RoundUpTo((uptr)MemToShadow(addr + size), kPageSize);
259   if (!MmapFixedNoReserve(shadow_begin, shadow_end - shadow_begin, "shadow"))
260     Die();
261 
262   // Meta shadow is 2:1, so tread carefully.
263   static bool data_mapped = false;
264   static uptr mapped_meta_end = 0;
265   uptr meta_begin = (uptr)MemToMeta(addr);
266   uptr meta_end = (uptr)MemToMeta(addr + size);
267   meta_begin = RoundDownTo(meta_begin, 64 << 10);
268   meta_end = RoundUpTo(meta_end, 64 << 10);
269   if (!data_mapped) {
270     // First call maps data+bss.
271     data_mapped = true;
272     if (!MmapFixedNoReserve(meta_begin, meta_end - meta_begin, "meta shadow"))
273       Die();
274   } else {
275     // Mapping continous heap.
276     // Windows wants 64K alignment.
277     meta_begin = RoundDownTo(meta_begin, 64 << 10);
278     meta_end = RoundUpTo(meta_end, 64 << 10);
279     if (meta_end <= mapped_meta_end)
280       return;
281     if (meta_begin < mapped_meta_end)
282       meta_begin = mapped_meta_end;
283     if (!MmapFixedNoReserve(meta_begin, meta_end - meta_begin, "meta shadow"))
284       Die();
285     mapped_meta_end = meta_end;
286   }
287   VPrintf(2, "mapped meta shadow for (%p-%p) at (%p-%p)\n",
288       addr, addr+size, meta_begin, meta_end);
289 }
290 
291 void MapThreadTrace(uptr addr, uptr size, const char *name) {
292   DPrintf("#0: Mapping trace at %p-%p(0x%zx)\n", addr, addr + size, size);
293   CHECK_GE(addr, TraceMemBeg());
294   CHECK_LE(addr + size, TraceMemEnd());
295   CHECK_EQ(addr, addr & ~((64 << 10) - 1));  // windows wants 64K alignment
296   if (!MmapFixedNoReserve(addr, size, name)) {
297     Printf("FATAL: ThreadSanitizer can not mmap thread trace (%p/%p)\n",
298         addr, size);
299     Die();
300   }
301 }
302 
303 static void CheckShadowMapping() {
304   uptr beg, end;
305   for (int i = 0; GetUserRegion(i, &beg, &end); i++) {
306     // Skip cases for empty regions (heap definition for architectures that
307     // do not use 64-bit allocator).
308     if (beg == end)
309       continue;
310     VPrintf(3, "checking shadow region %p-%p\n", beg, end);
311     uptr prev = 0;
312     for (uptr p0 = beg; p0 <= end; p0 += (end - beg) / 4) {
313       for (int x = -(int)kShadowCell; x <= (int)kShadowCell; x += kShadowCell) {
314         const uptr p = RoundDown(p0 + x, kShadowCell);
315         if (p < beg || p >= end)
316           continue;
317         const uptr s = MemToShadow(p);
318         const uptr m = (uptr)MemToMeta(p);
319         VPrintf(3, "  checking pointer %p: shadow=%p meta=%p\n", p, s, m);
320         CHECK(IsAppMem(p));
321         CHECK(IsShadowMem(s));
322         CHECK_EQ(p, ShadowToMem(s));
323         CHECK(IsMetaMem(m));
324         if (prev) {
325           // Ensure that shadow and meta mappings are linear within a single
326           // user range. Lots of code that processes memory ranges assumes it.
327           const uptr prev_s = MemToShadow(prev);
328           const uptr prev_m = (uptr)MemToMeta(prev);
329           CHECK_EQ(s - prev_s, (p - prev) * kShadowMultiplier);
330           CHECK_EQ((m - prev_m) / kMetaShadowSize,
331                    (p - prev) / kMetaShadowCell);
332         }
333         prev = p;
334       }
335     }
336   }
337 }
338 
339 #if !SANITIZER_GO
340 static void OnStackUnwind(const SignalContext &sig, const void *,
341                           BufferedStackTrace *stack) {
342   stack->Unwind(StackTrace::GetNextInstructionPc(sig.pc), sig.bp, sig.context,
343                 common_flags()->fast_unwind_on_fatal);
344 }
345 
346 static void TsanOnDeadlySignal(int signo, void *siginfo, void *context) {
347   HandleDeadlySignal(siginfo, context, GetTid(), &OnStackUnwind, nullptr);
348 }
349 #endif
350 
351 void Initialize(ThreadState *thr) {
352   // Thread safe because done before all threads exist.
353   static bool is_initialized = false;
354   if (is_initialized)
355     return;
356   is_initialized = true;
357   // We are not ready to handle interceptors yet.
358   ScopedIgnoreInterceptors ignore;
359   SanitizerToolName = "ThreadSanitizer";
360   // Install tool-specific callbacks in sanitizer_common.
361   SetCheckFailedCallback(TsanCheckFailed);
362 
363   ctx = new(ctx_placeholder) Context;
364   const char *env_name = SANITIZER_GO ? "GORACE" : "TSAN_OPTIONS";
365   const char *options = GetEnv(env_name);
366   CacheBinaryName();
367   CheckASLR();
368   InitializeFlags(&ctx->flags, options, env_name);
369   AvoidCVE_2016_2143();
370   __sanitizer::InitializePlatformEarly();
371   __tsan::InitializePlatformEarly();
372 
373 #if !SANITIZER_GO
374   // Re-exec ourselves if we need to set additional env or command line args.
375   MaybeReexec();
376 
377   InitializeAllocator();
378   ReplaceSystemMalloc();
379 #endif
380   if (common_flags()->detect_deadlocks)
381     ctx->dd = DDetector::Create(flags());
382   Processor *proc = ProcCreate();
383   ProcWire(proc, thr);
384   InitializeInterceptors();
385   CheckShadowMapping();
386   InitializePlatform();
387   InitializeMutex();
388   InitializeDynamicAnnotations();
389 #if !SANITIZER_GO
390   InitializeShadowMemory();
391   InitializeAllocatorLate();
392   InstallDeadlySignalHandlers(TsanOnDeadlySignal);
393 #endif
394   // Setup correct file descriptor for error reports.
395   __sanitizer_set_report_path(common_flags()->log_path);
396   InitializeSuppressions();
397 #if !SANITIZER_GO
398   InitializeLibIgnore();
399   Symbolizer::GetOrInit()->AddHooks(EnterSymbolizer, ExitSymbolizer);
400 #endif
401 
402   VPrintf(1, "***** Running under ThreadSanitizer v2 (pid %d) *****\n",
403           (int)internal_getpid());
404 
405   // Initialize thread 0.
406   int tid = ThreadCreate(thr, 0, 0, true);
407   CHECK_EQ(tid, 0);
408   ThreadStart(thr, tid, GetTid(), ThreadType::Regular);
409 #if TSAN_CONTAINS_UBSAN
410   __ubsan::InitAsPlugin();
411 #endif
412   ctx->initialized = true;
413 
414 #if !SANITIZER_GO
415   Symbolizer::LateInitialize();
416 #endif
417 
418   if (flags()->stop_on_start) {
419     Printf("ThreadSanitizer is suspended at startup (pid %d)."
420            " Call __tsan_resume().\n",
421            (int)internal_getpid());
422     while (__tsan_resumed == 0) {}
423   }
424 
425   OnInitialize();
426 }
427 
428 void MaybeSpawnBackgroundThread() {
429   // On MIPS, TSan initialization is run before
430   // __pthread_initialize_minimal_internal() is finished, so we can not spawn
431   // new threads.
432 #if !SANITIZER_GO && !defined(__mips__)
433   static atomic_uint32_t bg_thread = {};
434   if (atomic_load(&bg_thread, memory_order_relaxed) == 0 &&
435       atomic_exchange(&bg_thread, 1, memory_order_relaxed) == 0) {
436     StartBackgroundThread();
437     SetSandboxingCallback(StopBackgroundThread);
438   }
439 #endif
440 }
441 
442 
443 int Finalize(ThreadState *thr) {
444   bool failed = false;
445 
446   if (common_flags()->print_module_map == 1) PrintModuleMap();
447 
448   if (flags()->atexit_sleep_ms > 0 && ThreadCount(thr) > 1)
449     SleepForMillis(flags()->atexit_sleep_ms);
450 
451   // Wait for pending reports.
452   ctx->report_mtx.Lock();
453   { ScopedErrorReportLock l; }
454   ctx->report_mtx.Unlock();
455 
456 #if !SANITIZER_GO
457   if (Verbosity()) AllocatorPrintStats();
458 #endif
459 
460   ThreadFinalize(thr);
461 
462   if (ctx->nreported) {
463     failed = true;
464 #if !SANITIZER_GO
465     Printf("ThreadSanitizer: reported %d warnings\n", ctx->nreported);
466 #else
467     Printf("Found %d data race(s)\n", ctx->nreported);
468 #endif
469   }
470 
471   if (ctx->nmissed_expected) {
472     failed = true;
473     Printf("ThreadSanitizer: missed %d expected races\n",
474         ctx->nmissed_expected);
475   }
476 
477   if (common_flags()->print_suppressions)
478     PrintMatchedSuppressions();
479 #if !SANITIZER_GO
480   if (flags()->print_benign)
481     PrintMatchedBenignRaces();
482 #endif
483 
484   failed = OnFinalize(failed);
485 
486 #if TSAN_COLLECT_STATS
487   StatAggregate(ctx->stat, thr->stat);
488   StatOutput(ctx->stat);
489 #endif
490 
491   return failed ? common_flags()->exitcode : 0;
492 }
493 
494 #if !SANITIZER_GO
495 void ForkBefore(ThreadState *thr, uptr pc) {
496   ctx->thread_registry->Lock();
497   ctx->report_mtx.Lock();
498   // Ignore memory accesses in the pthread_atfork callbacks.
499   // If any of them triggers a data race we will deadlock
500   // on the report_mtx.
501   // We could ignore interceptors and sync operations as well,
502   // but so far it's unclear if it will do more good or harm.
503   // Unnecessarily ignoring things can lead to false positives later.
504   ThreadIgnoreBegin(thr, pc);
505 }
506 
507 void ForkParentAfter(ThreadState *thr, uptr pc) {
508   ThreadIgnoreEnd(thr, pc);  // Begin is in ForkBefore.
509   ctx->report_mtx.Unlock();
510   ctx->thread_registry->Unlock();
511 }
512 
513 void ForkChildAfter(ThreadState *thr, uptr pc) {
514   ThreadIgnoreEnd(thr, pc);  // Begin is in ForkBefore.
515   ctx->report_mtx.Unlock();
516   ctx->thread_registry->Unlock();
517 
518   uptr nthread = 0;
519   ctx->thread_registry->GetNumberOfThreads(0, 0, &nthread /* alive threads */);
520   VPrintf(1, "ThreadSanitizer: forked new process with pid %d,"
521       " parent had %d threads\n", (int)internal_getpid(), (int)nthread);
522   if (nthread == 1) {
523     StartBackgroundThread();
524   } else {
525     // We've just forked a multi-threaded process. We cannot reasonably function
526     // after that (some mutexes may be locked before fork). So just enable
527     // ignores for everything in the hope that we will exec soon.
528     ctx->after_multithreaded_fork = true;
529     thr->ignore_interceptors++;
530     ThreadIgnoreBegin(thr, pc);
531     ThreadIgnoreSyncBegin(thr, pc);
532   }
533 }
534 #endif
535 
536 #if SANITIZER_GO
537 NOINLINE
538 void GrowShadowStack(ThreadState *thr) {
539   const int sz = thr->shadow_stack_end - thr->shadow_stack;
540   const int newsz = 2 * sz;
541   uptr *newstack = (uptr*)internal_alloc(MBlockShadowStack,
542       newsz * sizeof(uptr));
543   internal_memcpy(newstack, thr->shadow_stack, sz * sizeof(uptr));
544   internal_free(thr->shadow_stack);
545   thr->shadow_stack = newstack;
546   thr->shadow_stack_pos = newstack + sz;
547   thr->shadow_stack_end = newstack + newsz;
548 }
549 #endif
550 
551 u32 CurrentStackId(ThreadState *thr, uptr pc) {
552   if (!thr->is_inited)  // May happen during bootstrap.
553     return 0;
554   if (pc != 0) {
555 #if !SANITIZER_GO
556     DCHECK_LT(thr->shadow_stack_pos, thr->shadow_stack_end);
557 #else
558     if (thr->shadow_stack_pos == thr->shadow_stack_end)
559       GrowShadowStack(thr);
560 #endif
561     thr->shadow_stack_pos[0] = pc;
562     thr->shadow_stack_pos++;
563   }
564   u32 id = StackDepotPut(
565       StackTrace(thr->shadow_stack, thr->shadow_stack_pos - thr->shadow_stack));
566   if (pc != 0)
567     thr->shadow_stack_pos--;
568   return id;
569 }
570 
571 void TraceSwitch(ThreadState *thr) {
572 #if !SANITIZER_GO
573   if (ctx->after_multithreaded_fork)
574     return;
575 #endif
576   thr->nomalloc++;
577   Trace *thr_trace = ThreadTrace(thr->tid);
578   Lock l(&thr_trace->mtx);
579   unsigned trace = (thr->fast_state.epoch() / kTracePartSize) % TraceParts();
580   TraceHeader *hdr = &thr_trace->headers[trace];
581   hdr->epoch0 = thr->fast_state.epoch();
582   ObtainCurrentStack(thr, 0, &hdr->stack0);
583   hdr->mset0 = thr->mset;
584   thr->nomalloc--;
585 }
586 
587 Trace *ThreadTrace(int tid) {
588   return (Trace*)GetThreadTraceHeader(tid);
589 }
590 
591 uptr TraceTopPC(ThreadState *thr) {
592   Event *events = (Event*)GetThreadTrace(thr->tid);
593   uptr pc = events[thr->fast_state.GetTracePos()];
594   return pc;
595 }
596 
597 uptr TraceSize() {
598   return (uptr)(1ull << (kTracePartSizeBits + flags()->history_size + 1));
599 }
600 
601 uptr TraceParts() {
602   return TraceSize() / kTracePartSize;
603 }
604 
605 #if !SANITIZER_GO
606 extern "C" void __tsan_trace_switch() {
607   TraceSwitch(cur_thread());
608 }
609 
610 extern "C" void __tsan_report_race() {
611   ReportRace(cur_thread());
612 }
613 #endif
614 
615 ALWAYS_INLINE
616 Shadow LoadShadow(u64 *p) {
617   u64 raw = atomic_load((atomic_uint64_t*)p, memory_order_relaxed);
618   return Shadow(raw);
619 }
620 
621 ALWAYS_INLINE
622 void StoreShadow(u64 *sp, u64 s) {
623   atomic_store((atomic_uint64_t*)sp, s, memory_order_relaxed);
624 }
625 
626 ALWAYS_INLINE
627 void StoreIfNotYetStored(u64 *sp, u64 *s) {
628   StoreShadow(sp, *s);
629   *s = 0;
630 }
631 
632 ALWAYS_INLINE
633 void HandleRace(ThreadState *thr, u64 *shadow_mem,
634                               Shadow cur, Shadow old) {
635   thr->racy_state[0] = cur.raw();
636   thr->racy_state[1] = old.raw();
637   thr->racy_shadow_addr = shadow_mem;
638 #if !SANITIZER_GO
639   HACKY_CALL(__tsan_report_race);
640 #else
641   ReportRace(thr);
642 #endif
643 }
644 
645 static inline bool HappensBefore(Shadow old, ThreadState *thr) {
646   return thr->clock.get(old.TidWithIgnore()) >= old.epoch();
647 }
648 
649 ALWAYS_INLINE
650 void MemoryAccessImpl1(ThreadState *thr, uptr addr,
651     int kAccessSizeLog, bool kAccessIsWrite, bool kIsAtomic,
652     u64 *shadow_mem, Shadow cur) {
653   StatInc(thr, StatMop);
654   StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
655   StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
656 
657   // This potentially can live in an MMX/SSE scratch register.
658   // The required intrinsics are:
659   // __m128i _mm_move_epi64(__m128i*);
660   // _mm_storel_epi64(u64*, __m128i);
661   u64 store_word = cur.raw();
662   bool stored = false;
663 
664   // scan all the shadow values and dispatch to 4 categories:
665   // same, replace, candidate and race (see comments below).
666   // we consider only 3 cases regarding access sizes:
667   // equal, intersect and not intersect. initially I considered
668   // larger and smaller as well, it allowed to replace some
669   // 'candidates' with 'same' or 'replace', but I think
670   // it's just not worth it (performance- and complexity-wise).
671 
672   Shadow old(0);
673 
674   // It release mode we manually unroll the loop,
675   // because empirically gcc generates better code this way.
676   // However, we can't afford unrolling in debug mode, because the function
677   // consumes almost 4K of stack. Gtest gives only 4K of stack to death test
678   // threads, which is not enough for the unrolled loop.
679 #if SANITIZER_DEBUG
680   for (int idx = 0; idx < 4; idx++) {
681 #include "tsan_update_shadow_word_inl.h"
682   }
683 #else
684   int idx = 0;
685 #include "tsan_update_shadow_word_inl.h"
686   idx = 1;
687   if (stored) {
688 #include "tsan_update_shadow_word_inl.h"
689   } else {
690 #include "tsan_update_shadow_word_inl.h"
691   }
692   idx = 2;
693   if (stored) {
694 #include "tsan_update_shadow_word_inl.h"
695   } else {
696 #include "tsan_update_shadow_word_inl.h"
697   }
698   idx = 3;
699   if (stored) {
700 #include "tsan_update_shadow_word_inl.h"
701   } else {
702 #include "tsan_update_shadow_word_inl.h"
703   }
704 #endif
705 
706   // we did not find any races and had already stored
707   // the current access info, so we are done
708   if (LIKELY(stored))
709     return;
710   // choose a random candidate slot and replace it
711   StoreShadow(shadow_mem + (cur.epoch() % kShadowCnt), store_word);
712   StatInc(thr, StatShadowReplace);
713   return;
714  RACE:
715   HandleRace(thr, shadow_mem, cur, old);
716   return;
717 }
718 
719 void UnalignedMemoryAccess(ThreadState *thr, uptr pc, uptr addr,
720     int size, bool kAccessIsWrite, bool kIsAtomic) {
721   while (size) {
722     int size1 = 1;
723     int kAccessSizeLog = kSizeLog1;
724     if (size >= 8 && (addr & ~7) == ((addr + 7) & ~7)) {
725       size1 = 8;
726       kAccessSizeLog = kSizeLog8;
727     } else if (size >= 4 && (addr & ~7) == ((addr + 3) & ~7)) {
728       size1 = 4;
729       kAccessSizeLog = kSizeLog4;
730     } else if (size >= 2 && (addr & ~7) == ((addr + 1) & ~7)) {
731       size1 = 2;
732       kAccessSizeLog = kSizeLog2;
733     }
734     MemoryAccess(thr, pc, addr, kAccessSizeLog, kAccessIsWrite, kIsAtomic);
735     addr += size1;
736     size -= size1;
737   }
738 }
739 
740 ALWAYS_INLINE
741 bool ContainsSameAccessSlow(u64 *s, u64 a, u64 sync_epoch, bool is_write) {
742   Shadow cur(a);
743   for (uptr i = 0; i < kShadowCnt; i++) {
744     Shadow old(LoadShadow(&s[i]));
745     if (Shadow::Addr0AndSizeAreEqual(cur, old) &&
746         old.TidWithIgnore() == cur.TidWithIgnore() &&
747         old.epoch() > sync_epoch &&
748         old.IsAtomic() == cur.IsAtomic() &&
749         old.IsRead() <= cur.IsRead())
750       return true;
751   }
752   return false;
753 }
754 
755 #if defined(__SSE3__)
756 #define SHUF(v0, v1, i0, i1, i2, i3) _mm_castps_si128(_mm_shuffle_ps( \
757     _mm_castsi128_ps(v0), _mm_castsi128_ps(v1), \
758     (i0)*1 + (i1)*4 + (i2)*16 + (i3)*64))
759 ALWAYS_INLINE
760 bool ContainsSameAccessFast(u64 *s, u64 a, u64 sync_epoch, bool is_write) {
761   // This is an optimized version of ContainsSameAccessSlow.
762   // load current access into access[0:63]
763   const m128 access     = _mm_cvtsi64_si128(a);
764   // duplicate high part of access in addr0:
765   // addr0[0:31]        = access[32:63]
766   // addr0[32:63]       = access[32:63]
767   // addr0[64:95]       = access[32:63]
768   // addr0[96:127]      = access[32:63]
769   const m128 addr0      = SHUF(access, access, 1, 1, 1, 1);
770   // load 4 shadow slots
771   const m128 shadow0    = _mm_load_si128((__m128i*)s);
772   const m128 shadow1    = _mm_load_si128((__m128i*)s + 1);
773   // load high parts of 4 shadow slots into addr_vect:
774   // addr_vect[0:31]    = shadow0[32:63]
775   // addr_vect[32:63]   = shadow0[96:127]
776   // addr_vect[64:95]   = shadow1[32:63]
777   // addr_vect[96:127]  = shadow1[96:127]
778   m128 addr_vect        = SHUF(shadow0, shadow1, 1, 3, 1, 3);
779   if (!is_write) {
780     // set IsRead bit in addr_vect
781     const m128 rw_mask1 = _mm_cvtsi64_si128(1<<15);
782     const m128 rw_mask  = SHUF(rw_mask1, rw_mask1, 0, 0, 0, 0);
783     addr_vect           = _mm_or_si128(addr_vect, rw_mask);
784   }
785   // addr0 == addr_vect?
786   const m128 addr_res   = _mm_cmpeq_epi32(addr0, addr_vect);
787   // epoch1[0:63]       = sync_epoch
788   const m128 epoch1     = _mm_cvtsi64_si128(sync_epoch);
789   // epoch[0:31]        = sync_epoch[0:31]
790   // epoch[32:63]       = sync_epoch[0:31]
791   // epoch[64:95]       = sync_epoch[0:31]
792   // epoch[96:127]      = sync_epoch[0:31]
793   const m128 epoch      = SHUF(epoch1, epoch1, 0, 0, 0, 0);
794   // load low parts of shadow cell epochs into epoch_vect:
795   // epoch_vect[0:31]   = shadow0[0:31]
796   // epoch_vect[32:63]  = shadow0[64:95]
797   // epoch_vect[64:95]  = shadow1[0:31]
798   // epoch_vect[96:127] = shadow1[64:95]
799   const m128 epoch_vect = SHUF(shadow0, shadow1, 0, 2, 0, 2);
800   // epoch_vect >= sync_epoch?
801   const m128 epoch_res  = _mm_cmpgt_epi32(epoch_vect, epoch);
802   // addr_res & epoch_res
803   const m128 res        = _mm_and_si128(addr_res, epoch_res);
804   // mask[0] = res[7]
805   // mask[1] = res[15]
806   // ...
807   // mask[15] = res[127]
808   const int mask        = _mm_movemask_epi8(res);
809   return mask != 0;
810 }
811 #endif
812 
813 ALWAYS_INLINE
814 bool ContainsSameAccess(u64 *s, u64 a, u64 sync_epoch, bool is_write) {
815 #if defined(__SSE3__)
816   bool res = ContainsSameAccessFast(s, a, sync_epoch, is_write);
817   // NOTE: this check can fail if the shadow is concurrently mutated
818   // by other threads. But it still can be useful if you modify
819   // ContainsSameAccessFast and want to ensure that it's not completely broken.
820   // DCHECK_EQ(res, ContainsSameAccessSlow(s, a, sync_epoch, is_write));
821   return res;
822 #else
823   return ContainsSameAccessSlow(s, a, sync_epoch, is_write);
824 #endif
825 }
826 
827 ALWAYS_INLINE USED
828 void MemoryAccess(ThreadState *thr, uptr pc, uptr addr,
829     int kAccessSizeLog, bool kAccessIsWrite, bool kIsAtomic) {
830   u64 *shadow_mem = (u64*)MemToShadow(addr);
831   DPrintf2("#%d: MemoryAccess: @%p %p size=%d"
832       " is_write=%d shadow_mem=%p {%zx, %zx, %zx, %zx}\n",
833       (int)thr->fast_state.tid(), (void*)pc, (void*)addr,
834       (int)(1 << kAccessSizeLog), kAccessIsWrite, shadow_mem,
835       (uptr)shadow_mem[0], (uptr)shadow_mem[1],
836       (uptr)shadow_mem[2], (uptr)shadow_mem[3]);
837 #if SANITIZER_DEBUG
838   if (!IsAppMem(addr)) {
839     Printf("Access to non app mem %zx\n", addr);
840     DCHECK(IsAppMem(addr));
841   }
842   if (!IsShadowMem((uptr)shadow_mem)) {
843     Printf("Bad shadow addr %p (%zx)\n", shadow_mem, addr);
844     DCHECK(IsShadowMem((uptr)shadow_mem));
845   }
846 #endif
847 
848   if (!SANITIZER_GO && !kAccessIsWrite && *shadow_mem == kShadowRodata) {
849     // Access to .rodata section, no races here.
850     // Measurements show that it can be 10-20% of all memory accesses.
851     StatInc(thr, StatMop);
852     StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
853     StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
854     StatInc(thr, StatMopRodata);
855     return;
856   }
857 
858   FastState fast_state = thr->fast_state;
859   if (UNLIKELY(fast_state.GetIgnoreBit())) {
860     StatInc(thr, StatMop);
861     StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
862     StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
863     StatInc(thr, StatMopIgnored);
864     return;
865   }
866 
867   Shadow cur(fast_state);
868   cur.SetAddr0AndSizeLog(addr & 7, kAccessSizeLog);
869   cur.SetWrite(kAccessIsWrite);
870   cur.SetAtomic(kIsAtomic);
871 
872   if (LIKELY(ContainsSameAccess(shadow_mem, cur.raw(),
873       thr->fast_synch_epoch, kAccessIsWrite))) {
874     StatInc(thr, StatMop);
875     StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
876     StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
877     StatInc(thr, StatMopSame);
878     return;
879   }
880 
881   if (kCollectHistory) {
882     fast_state.IncrementEpoch();
883     thr->fast_state = fast_state;
884     TraceAddEvent(thr, fast_state, EventTypeMop, pc);
885     cur.IncrementEpoch();
886   }
887 
888   MemoryAccessImpl1(thr, addr, kAccessSizeLog, kAccessIsWrite, kIsAtomic,
889       shadow_mem, cur);
890 }
891 
892 // Called by MemoryAccessRange in tsan_rtl_thread.cpp
893 ALWAYS_INLINE USED
894 void MemoryAccessImpl(ThreadState *thr, uptr addr,
895     int kAccessSizeLog, bool kAccessIsWrite, bool kIsAtomic,
896     u64 *shadow_mem, Shadow cur) {
897   if (LIKELY(ContainsSameAccess(shadow_mem, cur.raw(),
898       thr->fast_synch_epoch, kAccessIsWrite))) {
899     StatInc(thr, StatMop);
900     StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
901     StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
902     StatInc(thr, StatMopSame);
903     return;
904   }
905 
906   MemoryAccessImpl1(thr, addr, kAccessSizeLog, kAccessIsWrite, kIsAtomic,
907       shadow_mem, cur);
908 }
909 
910 static void MemoryRangeSet(ThreadState *thr, uptr pc, uptr addr, uptr size,
911                            u64 val) {
912   (void)thr;
913   (void)pc;
914   if (size == 0)
915     return;
916   // FIXME: fix me.
917   uptr offset = addr % kShadowCell;
918   if (offset) {
919     offset = kShadowCell - offset;
920     if (size <= offset)
921       return;
922     addr += offset;
923     size -= offset;
924   }
925   DCHECK_EQ(addr % 8, 0);
926   // If a user passes some insane arguments (memset(0)),
927   // let it just crash as usual.
928   if (!IsAppMem(addr) || !IsAppMem(addr + size - 1))
929     return;
930   // Don't want to touch lots of shadow memory.
931   // If a program maps 10MB stack, there is no need reset the whole range.
932   size = (size + (kShadowCell - 1)) & ~(kShadowCell - 1);
933   // UnmapOrDie/MmapFixedNoReserve does not work on Windows.
934   if (SANITIZER_WINDOWS || size < common_flags()->clear_shadow_mmap_threshold) {
935     u64 *p = (u64*)MemToShadow(addr);
936     CHECK(IsShadowMem((uptr)p));
937     CHECK(IsShadowMem((uptr)(p + size * kShadowCnt / kShadowCell - 1)));
938     // FIXME: may overwrite a part outside the region
939     for (uptr i = 0; i < size / kShadowCell * kShadowCnt;) {
940       p[i++] = val;
941       for (uptr j = 1; j < kShadowCnt; j++)
942         p[i++] = 0;
943     }
944   } else {
945     // The region is big, reset only beginning and end.
946     const uptr kPageSize = GetPageSizeCached();
947     u64 *begin = (u64*)MemToShadow(addr);
948     u64 *end = begin + size / kShadowCell * kShadowCnt;
949     u64 *p = begin;
950     // Set at least first kPageSize/2 to page boundary.
951     while ((p < begin + kPageSize / kShadowSize / 2) || ((uptr)p % kPageSize)) {
952       *p++ = val;
953       for (uptr j = 1; j < kShadowCnt; j++)
954         *p++ = 0;
955     }
956     // Reset middle part.
957     u64 *p1 = p;
958     p = RoundDown(end, kPageSize);
959     UnmapOrDie((void*)p1, (uptr)p - (uptr)p1);
960     if (!MmapFixedNoReserve((uptr)p1, (uptr)p - (uptr)p1))
961       Die();
962     // Set the ending.
963     while (p < end) {
964       *p++ = val;
965       for (uptr j = 1; j < kShadowCnt; j++)
966         *p++ = 0;
967     }
968   }
969 }
970 
971 void MemoryResetRange(ThreadState *thr, uptr pc, uptr addr, uptr size) {
972   MemoryRangeSet(thr, pc, addr, size, 0);
973 }
974 
975 void MemoryRangeFreed(ThreadState *thr, uptr pc, uptr addr, uptr size) {
976   // Processing more than 1k (4k of shadow) is expensive,
977   // can cause excessive memory consumption (user does not necessary touch
978   // the whole range) and most likely unnecessary.
979   if (size > 1024)
980     size = 1024;
981   CHECK_EQ(thr->is_freeing, false);
982   thr->is_freeing = true;
983   MemoryAccessRange(thr, pc, addr, size, true);
984   thr->is_freeing = false;
985   if (kCollectHistory) {
986     thr->fast_state.IncrementEpoch();
987     TraceAddEvent(thr, thr->fast_state, EventTypeMop, pc);
988   }
989   Shadow s(thr->fast_state);
990   s.ClearIgnoreBit();
991   s.MarkAsFreed();
992   s.SetWrite(true);
993   s.SetAddr0AndSizeLog(0, 3);
994   MemoryRangeSet(thr, pc, addr, size, s.raw());
995 }
996 
997 void MemoryRangeImitateWrite(ThreadState *thr, uptr pc, uptr addr, uptr size) {
998   if (kCollectHistory) {
999     thr->fast_state.IncrementEpoch();
1000     TraceAddEvent(thr, thr->fast_state, EventTypeMop, pc);
1001   }
1002   Shadow s(thr->fast_state);
1003   s.ClearIgnoreBit();
1004   s.SetWrite(true);
1005   s.SetAddr0AndSizeLog(0, 3);
1006   MemoryRangeSet(thr, pc, addr, size, s.raw());
1007 }
1008 
1009 void MemoryRangeImitateWriteOrResetRange(ThreadState *thr, uptr pc, uptr addr,
1010                                          uptr size) {
1011   if (thr->ignore_reads_and_writes == 0)
1012     MemoryRangeImitateWrite(thr, pc, addr, size);
1013   else
1014     MemoryResetRange(thr, pc, addr, size);
1015 }
1016 
1017 ALWAYS_INLINE USED
1018 void FuncEntry(ThreadState *thr, uptr pc) {
1019   StatInc(thr, StatFuncEnter);
1020   DPrintf2("#%d: FuncEntry %p\n", (int)thr->fast_state.tid(), (void*)pc);
1021   if (kCollectHistory) {
1022     thr->fast_state.IncrementEpoch();
1023     TraceAddEvent(thr, thr->fast_state, EventTypeFuncEnter, pc);
1024   }
1025 
1026   // Shadow stack maintenance can be replaced with
1027   // stack unwinding during trace switch (which presumably must be faster).
1028   DCHECK_GE(thr->shadow_stack_pos, thr->shadow_stack);
1029 #if !SANITIZER_GO
1030   DCHECK_LT(thr->shadow_stack_pos, thr->shadow_stack_end);
1031 #else
1032   if (thr->shadow_stack_pos == thr->shadow_stack_end)
1033     GrowShadowStack(thr);
1034 #endif
1035   thr->shadow_stack_pos[0] = pc;
1036   thr->shadow_stack_pos++;
1037 }
1038 
1039 ALWAYS_INLINE USED
1040 void FuncExit(ThreadState *thr) {
1041   StatInc(thr, StatFuncExit);
1042   DPrintf2("#%d: FuncExit\n", (int)thr->fast_state.tid());
1043   if (kCollectHistory) {
1044     thr->fast_state.IncrementEpoch();
1045     TraceAddEvent(thr, thr->fast_state, EventTypeFuncExit, 0);
1046   }
1047 
1048   DCHECK_GT(thr->shadow_stack_pos, thr->shadow_stack);
1049 #if !SANITIZER_GO
1050   DCHECK_LT(thr->shadow_stack_pos, thr->shadow_stack_end);
1051 #endif
1052   thr->shadow_stack_pos--;
1053 }
1054 
1055 void ThreadIgnoreBegin(ThreadState *thr, uptr pc, bool save_stack) {
1056   DPrintf("#%d: ThreadIgnoreBegin\n", thr->tid);
1057   thr->ignore_reads_and_writes++;
1058   CHECK_GT(thr->ignore_reads_and_writes, 0);
1059   thr->fast_state.SetIgnoreBit();
1060 #if !SANITIZER_GO
1061   if (save_stack && !ctx->after_multithreaded_fork)
1062     thr->mop_ignore_set.Add(CurrentStackId(thr, pc));
1063 #endif
1064 }
1065 
1066 void ThreadIgnoreEnd(ThreadState *thr, uptr pc) {
1067   DPrintf("#%d: ThreadIgnoreEnd\n", thr->tid);
1068   CHECK_GT(thr->ignore_reads_and_writes, 0);
1069   thr->ignore_reads_and_writes--;
1070   if (thr->ignore_reads_and_writes == 0) {
1071     thr->fast_state.ClearIgnoreBit();
1072 #if !SANITIZER_GO
1073     thr->mop_ignore_set.Reset();
1074 #endif
1075   }
1076 }
1077 
1078 #if !SANITIZER_GO
1079 extern "C" SANITIZER_INTERFACE_ATTRIBUTE
1080 uptr __tsan_testonly_shadow_stack_current_size() {
1081   ThreadState *thr = cur_thread();
1082   return thr->shadow_stack_pos - thr->shadow_stack;
1083 }
1084 #endif
1085 
1086 void ThreadIgnoreSyncBegin(ThreadState *thr, uptr pc, bool save_stack) {
1087   DPrintf("#%d: ThreadIgnoreSyncBegin\n", thr->tid);
1088   thr->ignore_sync++;
1089   CHECK_GT(thr->ignore_sync, 0);
1090 #if !SANITIZER_GO
1091   if (save_stack && !ctx->after_multithreaded_fork)
1092     thr->sync_ignore_set.Add(CurrentStackId(thr, pc));
1093 #endif
1094 }
1095 
1096 void ThreadIgnoreSyncEnd(ThreadState *thr, uptr pc) {
1097   DPrintf("#%d: ThreadIgnoreSyncEnd\n", thr->tid);
1098   CHECK_GT(thr->ignore_sync, 0);
1099   thr->ignore_sync--;
1100 #if !SANITIZER_GO
1101   if (thr->ignore_sync == 0)
1102     thr->sync_ignore_set.Reset();
1103 #endif
1104 }
1105 
1106 bool MD5Hash::operator==(const MD5Hash &other) const {
1107   return hash[0] == other.hash[0] && hash[1] == other.hash[1];
1108 }
1109 
1110 #if SANITIZER_DEBUG
1111 void build_consistency_debug() {}
1112 #else
1113 void build_consistency_release() {}
1114 #endif
1115 
1116 #if TSAN_COLLECT_STATS
1117 void build_consistency_stats() {}
1118 #else
1119 void build_consistency_nostats() {}
1120 #endif
1121 
1122 }  // namespace __tsan
1123 
1124 #if !SANITIZER_GO
1125 // Must be included in this file to make sure everything is inlined.
1126 #include "tsan_interface_inl.h"
1127 #endif
1128