//===-- tsan_rtl.cpp ------------------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file is a part of ThreadSanitizer (TSan), a race detector.
//
// Main file (entry points) for the TSan run-time.
//===----------------------------------------------------------------------===//

#include "sanitizer_common/sanitizer_atomic.h"
#include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_file.h"
#include "sanitizer_common/sanitizer_libc.h"
#include "sanitizer_common/sanitizer_stackdepot.h"
#include "sanitizer_common/sanitizer_placement_new.h"
#include "sanitizer_common/sanitizer_symbolizer.h"
#include "tsan_defs.h"
#include "tsan_platform.h"
#include "tsan_rtl.h"
#include "tsan_mman.h"
#include "tsan_suppressions.h"
#include "tsan_symbolize.h"
#include "ubsan/ubsan_init.h"

#ifdef __SSE3__
// <emmintrin.h> transitively includes <stdlib.h>,
// and it's prohibited to include std headers into tsan runtime.
// So we do this dirty trick.
#define _MM_MALLOC_H_INCLUDED
#define __MM_MALLOC_H
#include <emmintrin.h>
typedef __m128i m128;
#endif

volatile int __tsan_resumed = 0;

extern "C" void __tsan_resume() {
  __tsan_resumed = 1;
}

namespace __tsan {

#if !SANITIZER_GO && !SANITIZER_MAC
__attribute__((tls_model("initial-exec")))
THREADLOCAL char cur_thread_placeholder[sizeof(ThreadState)] ALIGNED(64);
#endif
static char ctx_placeholder[sizeof(Context)] ALIGNED(64);
Context *ctx;

// Can be overridden by a front-end.
#ifdef TSAN_EXTERNAL_HOOKS
bool OnFinalize(bool failed);
void OnInitialize();
#else
SANITIZER_WEAK_CXX_DEFAULT_IMPL
bool OnFinalize(bool failed) {
  return failed;
}
SANITIZER_WEAK_CXX_DEFAULT_IMPL
void OnInitialize() {}
#endif

static char thread_registry_placeholder[sizeof(ThreadRegistry)];

static ThreadContextBase *CreateThreadContext(u32 tid) {
  // Map thread trace when context is created.
  char name[50];
  internal_snprintf(name, sizeof(name), "trace %u", tid);
  MapThreadTrace(GetThreadTrace(tid), TraceSize() * sizeof(Event), name);
  const uptr hdr = GetThreadTraceHeader(tid);
  internal_snprintf(name, sizeof(name), "trace header %u", tid);
  MapThreadTrace(hdr, sizeof(Trace), name);
  new((void*)hdr) Trace();
  // We are going to use only a small part of the trace with the default
  // value of history_size. However, the constructor writes to the whole trace.
  // Unmap the unused part.
  uptr hdr_end = hdr + sizeof(Trace);
  hdr_end -= sizeof(TraceHeader) * (kTraceParts - TraceParts());
  hdr_end = RoundUp(hdr_end, GetPageSizeCached());
  if (hdr_end < hdr + sizeof(Trace))
    UnmapOrDie((void*)hdr_end, hdr + sizeof(Trace) - hdr_end);
  void *mem = internal_alloc(MBlockThreadContex, sizeof(ThreadContext));
  return new(mem) ThreadContext(tid);
}

#if !SANITIZER_GO
static const u32 kThreadQuarantineSize = 16;
#else
static const u32 kThreadQuarantineSize = 64;
#endif

Context::Context()
    : initialized()
    , report_mtx(MutexTypeReport, StatMtxReport)
    , nreported()
    , nmissed_expected()
    , thread_registry(new(thread_registry_placeholder) ThreadRegistry(
        CreateThreadContext, kMaxTid, kThreadQuarantineSize, kMaxTidReuse))
    , racy_mtx(MutexTypeRacy, StatMtxRacy)
    , racy_stacks()
    , racy_addresses()
    , fired_suppressions_mtx(MutexTypeFired, StatMtxFired)
    , clock_alloc("clock allocator") {
  fired_suppressions.reserve(8);
}

// The objects are allocated in TLS, so one may rely on zero-initialization.
ThreadState::ThreadState(Context *ctx, int tid, int unique_id, u64 epoch,
                         unsigned reuse_count,
                         uptr stk_addr, uptr stk_size,
                         uptr tls_addr, uptr tls_size)
    : fast_state(tid, epoch)
    // Do not touch these, rely on zero initialization,
    // they may be accessed before the ctor.
    // , ignore_reads_and_writes()
    // , ignore_interceptors()
    , clock(tid, reuse_count)
#if !SANITIZER_GO
    , jmp_bufs()
#endif
    , tid(tid)
    , unique_id(unique_id)
    , stk_addr(stk_addr)
    , stk_size(stk_size)
    , tls_addr(tls_addr)
    , tls_size(tls_size)
#if !SANITIZER_GO
    , last_sleep_clock(tid)
#endif
{
}

#if !SANITIZER_GO
static void MemoryProfiler(Context *ctx, fd_t fd, int i) {
  uptr n_threads;
  uptr n_running_threads;
  ctx->thread_registry->GetNumberOfThreads(&n_threads, &n_running_threads);
  InternalMmapVector<char> buf(4096);
  WriteMemoryProfile(buf.data(), buf.size(), n_threads, n_running_threads);
  WriteToFile(fd, buf.data(), internal_strlen(buf.data()));
}

static void *BackgroundThread(void *arg) {
  // This is a non-initialized non-user thread, nothing to see here.
  // We don't use ScopedIgnoreInterceptors, because we want ignores to be
  // enabled even when the thread function exits (e.g. during pthread thread
  // shutdown code).
  cur_thread_init();
  cur_thread()->ignore_interceptors++;
  const u64 kMs2Ns = 1000 * 1000;

  fd_t mprof_fd = kInvalidFd;
  if (flags()->profile_memory && flags()->profile_memory[0]) {
    if (internal_strcmp(flags()->profile_memory, "stdout") == 0) {
      mprof_fd = 1;
    } else if (internal_strcmp(flags()->profile_memory, "stderr") == 0) {
      mprof_fd = 2;
    } else {
      InternalScopedString filename(kMaxPathLength);
      filename.append("%s.%d", flags()->profile_memory, (int)internal_getpid());
      fd_t fd = OpenFile(filename.data(), WrOnly);
      if (fd == kInvalidFd) {
        Printf("ThreadSanitizer: failed to open memory profile file '%s'\n",
               &filename[0]);
      } else {
        mprof_fd = fd;
      }
    }
  }

  u64 last_flush = NanoTime();
  uptr last_rss = 0;
  for (int i = 0;
      atomic_load(&ctx->stop_background_thread, memory_order_relaxed) == 0;
      i++) {
    SleepForMillis(100);
    u64 now = NanoTime();

    // Flush memory if requested.
    if (flags()->flush_memory_ms > 0) {
      if (last_flush + flags()->flush_memory_ms * kMs2Ns < now) {
        VPrintf(1, "ThreadSanitizer: periodic memory flush\n");
        FlushShadowMemory();
        last_flush = NanoTime();
      }
    }
    // GetRSS can be expensive on huge programs, so don't do it every 100ms.
    if (flags()->memory_limit_mb > 0) {
      uptr rss = GetRSS();
      uptr limit = uptr(flags()->memory_limit_mb) << 20;
      VPrintf(1, "ThreadSanitizer: memory flush check"
                 " RSS=%llu LAST=%llu LIMIT=%llu\n",
              (u64)rss >> 20, (u64)last_rss >> 20, (u64)limit >> 20);
      if (2 * rss > limit + last_rss) {
        VPrintf(1, "ThreadSanitizer: flushing memory due to RSS\n");
        FlushShadowMemory();
        rss = GetRSS();
        VPrintf(1, "ThreadSanitizer: memory flushed RSS=%llu\n", (u64)rss>>20);
      }
      last_rss = rss;
    }

    // Write memory profile if requested.
    if (mprof_fd != kInvalidFd)
      MemoryProfiler(ctx, mprof_fd, i);

    // Flush symbolizer cache if requested.
    if (flags()->flush_symbolizer_ms > 0) {
      u64 last = atomic_load(&ctx->last_symbolize_time_ns,
                             memory_order_relaxed);
      if (last != 0 && last + flags()->flush_symbolizer_ms * kMs2Ns < now) {
        Lock l(&ctx->report_mtx);
        ScopedErrorReportLock l2;
        SymbolizeFlush();
        atomic_store(&ctx->last_symbolize_time_ns, 0, memory_order_relaxed);
      }
    }
  }
  return nullptr;
}

static void StartBackgroundThread() {
  ctx->background_thread = internal_start_thread(&BackgroundThread, 0);
}

#ifndef __mips__
static void StopBackgroundThread() {
  atomic_store(&ctx->stop_background_thread, 1, memory_order_relaxed);
  internal_join_thread(ctx->background_thread);
  ctx->background_thread = 0;
}
#endif
#endif

void DontNeedShadowFor(uptr addr, uptr size) {
  ReleaseMemoryPagesToOS(MemToShadow(addr), MemToShadow(addr + size));
}

#if !SANITIZER_GO
void UnmapShadow(ThreadState *thr, uptr addr, uptr size) {
  if (size == 0) return;
  DontNeedShadowFor(addr, size);
  ScopedGlobalProcessor sgp;
  ctx->metamap.ResetRange(thr->proc(), addr, size);
}
#endif

void MapShadow(uptr addr, uptr size) {
  // Global data is not 64K aligned, but there are no adjacent mappings,
  // so we can get away with unaligned mapping.
  // CHECK_EQ(addr, addr & ~((64 << 10) - 1));  // windows wants 64K alignment
  const uptr kPageSize = GetPageSizeCached();
  uptr shadow_begin = RoundDownTo((uptr)MemToShadow(addr), kPageSize);
  uptr shadow_end = RoundUpTo((uptr)MemToShadow(addr + size), kPageSize);
  if (!MmapFixedNoReserve(shadow_begin, shadow_end - shadow_begin, "shadow"))
    Die();

  // Meta shadow is 2:1, so tread carefully.
  static bool data_mapped = false;
  static uptr mapped_meta_end = 0;
  uptr meta_begin = (uptr)MemToMeta(addr);
  uptr meta_end = (uptr)MemToMeta(addr + size);
  meta_begin = RoundDownTo(meta_begin, 64 << 10);
  meta_end = RoundUpTo(meta_end, 64 << 10);
  if (!data_mapped) {
    // First call maps data+bss.
    data_mapped = true;
    if (!MmapFixedNoReserve(meta_begin, meta_end - meta_begin, "meta shadow"))
      Die();
  } else {
    // Mapping continuous heap.
    // Windows wants 64K alignment.
    meta_begin = RoundDownTo(meta_begin, 64 << 10);
    meta_end = RoundUpTo(meta_end, 64 << 10);
    if (meta_end <= mapped_meta_end)
      return;
    if (meta_begin < mapped_meta_end)
      meta_begin = mapped_meta_end;
    if (!MmapFixedNoReserve(meta_begin, meta_end - meta_begin, "meta shadow"))
      Die();
    mapped_meta_end = meta_end;
  }
  VPrintf(2, "mapped meta shadow for (%p-%p) at (%p-%p)\n",
      addr, addr+size, meta_begin, meta_end);
}

void MapThreadTrace(uptr addr, uptr size, const char *name) {
  DPrintf("#0: Mapping trace at %p-%p(0x%zx)\n", addr, addr + size, size);
  CHECK_GE(addr, TraceMemBeg());
  CHECK_LE(addr + size, TraceMemEnd());
  CHECK_EQ(addr, addr & ~((64 << 10) - 1));  // windows wants 64K alignment
  if (!MmapFixedNoReserve(addr, size, name)) {
    Printf("FATAL: ThreadSanitizer can not mmap thread trace (%p/%p)\n",
        addr, size);
    Die();
  }
}

static void CheckShadowMapping() {
  uptr beg, end;
  for (int i = 0; GetUserRegion(i, &beg, &end); i++) {
    // Skip cases for empty regions (heap definition for architectures that
    // do not use 64-bit allocator).
    if (beg == end)
      continue;
    VPrintf(3, "checking shadow region %p-%p\n", beg, end);
    uptr prev = 0;
    for (uptr p0 = beg; p0 <= end; p0 += (end - beg) / 4) {
      for (int x = -(int)kShadowCell; x <= (int)kShadowCell; x += kShadowCell) {
        const uptr p = RoundDown(p0 + x, kShadowCell);
        if (p < beg || p >= end)
          continue;
        const uptr s = MemToShadow(p);
        const uptr m = (uptr)MemToMeta(p);
        VPrintf(3, "  checking pointer %p: shadow=%p meta=%p\n", p, s, m);
        CHECK(IsAppMem(p));
        CHECK(IsShadowMem(s));
        CHECK_EQ(p, ShadowToMem(s));
        CHECK(IsMetaMem(m));
        if (prev) {
          // Ensure that shadow and meta mappings are linear within a single
          // user range. Lots of code that processes memory ranges assumes it.
          const uptr prev_s = MemToShadow(prev);
          const uptr prev_m = (uptr)MemToMeta(prev);
          CHECK_EQ(s - prev_s, (p - prev) * kShadowMultiplier);
          CHECK_EQ((m - prev_m) / kMetaShadowSize,
                   (p - prev) / kMetaShadowCell);
        }
        prev = p;
      }
    }
  }
}

#if !SANITIZER_GO
static void OnStackUnwind(const SignalContext &sig, const void *,
                          BufferedStackTrace *stack) {
  stack->Unwind(StackTrace::GetNextInstructionPc(sig.pc), sig.bp, sig.context,
                common_flags()->fast_unwind_on_fatal);
}

static void TsanOnDeadlySignal(int signo, void *siginfo, void *context) {
  HandleDeadlySignal(siginfo, context, GetTid(), &OnStackUnwind, nullptr);
}
#endif

void Initialize(ThreadState *thr) {
  // Thread safe because done before all threads exist.
  static bool is_initialized = false;
  if (is_initialized)
    return;
  is_initialized = true;
  // We are not ready to handle interceptors yet.
  ScopedIgnoreInterceptors ignore;
  SanitizerToolName = "ThreadSanitizer";
  // Install tool-specific callbacks in sanitizer_common.
  SetCheckFailedCallback(TsanCheckFailed);

  ctx = new(ctx_placeholder) Context;
  const char *env_name = SANITIZER_GO ? "GORACE" : "TSAN_OPTIONS";
  const char *options = GetEnv(env_name);
  CacheBinaryName();
  CheckASLR();
  InitializeFlags(&ctx->flags, options, env_name);
  AvoidCVE_2016_2143();
  __sanitizer::InitializePlatformEarly();
  __tsan::InitializePlatformEarly();

#if !SANITIZER_GO
  // Re-exec ourselves if we need to set additional env or command line args.
  MaybeReexec();

  InitializeAllocator();
  ReplaceSystemMalloc();
#endif
  if (common_flags()->detect_deadlocks)
    ctx->dd = DDetector::Create(flags());
  Processor *proc = ProcCreate();
  ProcWire(proc, thr);
  InitializeInterceptors();
  CheckShadowMapping();
  InitializePlatform();
  InitializeMutex();
  InitializeDynamicAnnotations();
#if !SANITIZER_GO
  InitializeShadowMemory();
  InitializeAllocatorLate();
  InstallDeadlySignalHandlers(TsanOnDeadlySignal);
#endif
  // Setup correct file descriptor for error reports.
  __sanitizer_set_report_path(common_flags()->log_path);
  InitializeSuppressions();
#if !SANITIZER_GO
  InitializeLibIgnore();
  Symbolizer::GetOrInit()->AddHooks(EnterSymbolizer, ExitSymbolizer);
#endif

  VPrintf(1, "***** Running under ThreadSanitizer v2 (pid %d) *****\n",
          (int)internal_getpid());

  // Initialize thread 0.
  int tid = ThreadCreate(thr, 0, 0, true);
  CHECK_EQ(tid, 0);
  ThreadStart(thr, tid, GetTid(), ThreadType::Regular);
#if TSAN_CONTAINS_UBSAN
  __ubsan::InitAsPlugin();
#endif
  ctx->initialized = true;

#if !SANITIZER_GO
  Symbolizer::LateInitialize();
#endif

  if (flags()->stop_on_start) {
    Printf("ThreadSanitizer is suspended at startup (pid %d)."
           " Call __tsan_resume().\n",
           (int)internal_getpid());
    while (__tsan_resumed == 0) {}
  }

  OnInitialize();
}

void MaybeSpawnBackgroundThread() {
  // On MIPS, TSan initialization is run before
  // __pthread_initialize_minimal_internal() is finished, so we can not spawn
  // new threads.
#if !SANITIZER_GO && !defined(__mips__)
  static atomic_uint32_t bg_thread = {};
  if (atomic_load(&bg_thread, memory_order_relaxed) == 0 &&
      atomic_exchange(&bg_thread, 1, memory_order_relaxed) == 0) {
    StartBackgroundThread();
    SetSandboxingCallback(StopBackgroundThread);
  }
#endif
}


int Finalize(ThreadState *thr) {
  bool failed = false;

  if (common_flags()->print_module_map == 1) PrintModuleMap();

  if (flags()->atexit_sleep_ms > 0 && ThreadCount(thr) > 1)
    SleepForMillis(flags()->atexit_sleep_ms);

  // Wait for pending reports.
  ctx->report_mtx.Lock();
  { ScopedErrorReportLock l; }
  ctx->report_mtx.Unlock();

#if !SANITIZER_GO
  if (Verbosity()) AllocatorPrintStats();
#endif

  ThreadFinalize(thr);

  if (ctx->nreported) {
    failed = true;
#if !SANITIZER_GO
    Printf("ThreadSanitizer: reported %d warnings\n", ctx->nreported);
#else
    Printf("Found %d data race(s)\n", ctx->nreported);
#endif
  }

  if (ctx->nmissed_expected) {
    failed = true;
    Printf("ThreadSanitizer: missed %d expected races\n",
        ctx->nmissed_expected);
  }

  if (common_flags()->print_suppressions)
    PrintMatchedSuppressions();
#if !SANITIZER_GO
  if (flags()->print_benign)
    PrintMatchedBenignRaces();
#endif

  failed = OnFinalize(failed);

#if TSAN_COLLECT_STATS
  StatAggregate(ctx->stat, thr->stat);
  StatOutput(ctx->stat);
#endif

  return failed ? common_flags()->exitcode : 0;
}

#if !SANITIZER_GO
void ForkBefore(ThreadState *thr, uptr pc) {
  ctx->thread_registry->Lock();
  ctx->report_mtx.Lock();
  // Ignore memory accesses in the pthread_atfork callbacks.
  // If any of them triggers a data race we will deadlock
  // on the report_mtx.
  // We could ignore interceptors and sync operations as well,
  // but so far it's unclear if it will do more good or harm.
  // Unnecessarily ignoring things can lead to false positives later.
  ThreadIgnoreBegin(thr, pc);
}

void ForkParentAfter(ThreadState *thr, uptr pc) {
  ThreadIgnoreEnd(thr, pc);  // Begin is in ForkBefore.
  ctx->report_mtx.Unlock();
  ctx->thread_registry->Unlock();
}

void ForkChildAfter(ThreadState *thr, uptr pc) {
  ThreadIgnoreEnd(thr, pc);  // Begin is in ForkBefore.
  ctx->report_mtx.Unlock();
  ctx->thread_registry->Unlock();

  uptr nthread = 0;
  ctx->thread_registry->GetNumberOfThreads(0, 0, &nthread /* alive threads */);
  VPrintf(1, "ThreadSanitizer: forked new process with pid %d,"
      " parent had %d threads\n", (int)internal_getpid(), (int)nthread);
  if (nthread == 1) {
    StartBackgroundThread();
  } else {
    // We've just forked a multi-threaded process. We cannot reasonably function
    // after that (some mutexes may be locked before fork). So just enable
    // ignores for everything in the hope that we will exec soon.
    ctx->after_multithreaded_fork = true;
    thr->ignore_interceptors++;
    ThreadIgnoreBegin(thr, pc);
    ThreadIgnoreSyncBegin(thr, pc);
  }
}
#endif

#if SANITIZER_GO
NOINLINE
void GrowShadowStack(ThreadState *thr) {
  const int sz = thr->shadow_stack_end - thr->shadow_stack;
  const int newsz = 2 * sz;
  uptr *newstack = (uptr*)internal_alloc(MBlockShadowStack,
      newsz * sizeof(uptr));
  internal_memcpy(newstack, thr->shadow_stack, sz * sizeof(uptr));
  internal_free(thr->shadow_stack);
  thr->shadow_stack = newstack;
  thr->shadow_stack_pos = newstack + sz;
  thr->shadow_stack_end = newstack + newsz;
}
#endif

u32 CurrentStackId(ThreadState *thr, uptr pc) {
  if (!thr->is_inited)  // May happen during bootstrap.
    return 0;
  if (pc != 0) {
#if !SANITIZER_GO
    DCHECK_LT(thr->shadow_stack_pos, thr->shadow_stack_end);
#else
    if (thr->shadow_stack_pos == thr->shadow_stack_end)
      GrowShadowStack(thr);
#endif
    thr->shadow_stack_pos[0] = pc;
    thr->shadow_stack_pos++;
  }
  u32 id = StackDepotPut(
      StackTrace(thr->shadow_stack, thr->shadow_stack_pos - thr->shadow_stack));
  if (pc != 0)
    thr->shadow_stack_pos--;
  return id;
}

void TraceSwitch(ThreadState *thr) {
#if !SANITIZER_GO
  if (ctx->after_multithreaded_fork)
    return;
#endif
  thr->nomalloc++;
  Trace *thr_trace = ThreadTrace(thr->tid);
  Lock l(&thr_trace->mtx);
  unsigned trace = (thr->fast_state.epoch() / kTracePartSize) % TraceParts();
  TraceHeader *hdr = &thr_trace->headers[trace];
  hdr->epoch0 = thr->fast_state.epoch();
  ObtainCurrentStack(thr, 0, &hdr->stack0);
  hdr->mset0 = thr->mset;
  thr->nomalloc--;
}

Trace *ThreadTrace(int tid) {
  return (Trace*)GetThreadTraceHeader(tid);
}

uptr TraceTopPC(ThreadState *thr) {
  Event *events = (Event*)GetThreadTrace(thr->tid);
  uptr pc = events[thr->fast_state.GetTracePos()];
  return pc;
}

uptr TraceSize() {
  return (uptr)(1ull << (kTracePartSizeBits + flags()->history_size + 1));
}

uptr TraceParts() {
  return TraceSize() / kTracePartSize;
}

#if !SANITIZER_GO
extern "C" void __tsan_trace_switch() {
  TraceSwitch(cur_thread());
}

extern "C" void __tsan_report_race() {
  ReportRace(cur_thread());
}
#endif

ALWAYS_INLINE
Shadow LoadShadow(u64 *p) {
  u64 raw = atomic_load((atomic_uint64_t*)p, memory_order_relaxed);
  return Shadow(raw);
}

ALWAYS_INLINE
void StoreShadow(u64 *sp, u64 s) {
  atomic_store((atomic_uint64_t*)sp, s, memory_order_relaxed);
}

ALWAYS_INLINE
void StoreIfNotYetStored(u64 *sp, u64 *s) {
  StoreShadow(sp, *s);
  *s = 0;
}

ALWAYS_INLINE
void HandleRace(ThreadState *thr, u64 *shadow_mem,
                Shadow cur, Shadow old) {
  thr->racy_state[0] = cur.raw();
  thr->racy_state[1] = old.raw();
  thr->racy_shadow_addr = shadow_mem;
#if !SANITIZER_GO
  HACKY_CALL(__tsan_report_race);
#else
  ReportRace(thr);
#endif
}

static inline bool HappensBefore(Shadow old, ThreadState *thr) {
  return thr->clock.get(old.TidWithIgnore()) >= old.epoch();
}

ALWAYS_INLINE
void MemoryAccessImpl1(ThreadState *thr, uptr addr,
    int kAccessSizeLog, bool kAccessIsWrite, bool kIsAtomic,
    u64 *shadow_mem, Shadow cur) {
  StatInc(thr, StatMop);
  StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
  StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));

  // This potentially can live in an MMX/SSE scratch register.
  // The required intrinsics are:
  // __m128i _mm_move_epi64(__m128i*);
  // _mm_storel_epi64(u64*, __m128i);
  u64 store_word = cur.raw();
  bool stored = false;

  // scan all the shadow values and dispatch to 4 categories:
  // same, replace, candidate and race (see comments below).
  // we consider only 3 cases regarding access sizes:
  // equal, intersect and not intersect. initially I considered
  // larger and smaller as well, which allowed replacing some
  // 'candidates' with 'same' or 'replace', but I think
  // it's just not worth it (performance- and complexity-wise).
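  // Each expansion of tsan_update_shadow_word_inl.h below examines one shadow
  // slot: it may store the current access into the slot, skip the slot, or
  // jump to the RACE: label at the end of the function.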

  Shadow old(0);

  // In release mode we manually unroll the loop,
  // because empirically gcc generates better code this way.
  // However, we can't afford unrolling in debug mode, because the function
  // consumes almost 4K of stack. Gtest gives only 4K of stack to death test
  // threads, which is not enough for the unrolled loop.
#if SANITIZER_DEBUG
  for (int idx = 0; idx < 4; idx++) {
#include "tsan_update_shadow_word_inl.h"
  }
#else
  int idx = 0;
#include "tsan_update_shadow_word_inl.h"
  idx = 1;
  if (stored) {
#include "tsan_update_shadow_word_inl.h"
  } else {
#include "tsan_update_shadow_word_inl.h"
  }
  idx = 2;
  if (stored) {
#include "tsan_update_shadow_word_inl.h"
  } else {
#include "tsan_update_shadow_word_inl.h"
  }
  idx = 3;
  if (stored) {
#include "tsan_update_shadow_word_inl.h"
  } else {
#include "tsan_update_shadow_word_inl.h"
  }
#endif

  // we did not find any races and had already stored
  // the current access info, so we are done
  if (LIKELY(stored))
    return;
  // choose a random candidate slot and replace it
  StoreShadow(shadow_mem + (cur.epoch() % kShadowCnt), store_word);
  StatInc(thr, StatShadowReplace);
  return;
 RACE:
  HandleRace(thr, shadow_mem, cur, old);
  return;
}

void UnalignedMemoryAccess(ThreadState *thr, uptr pc, uptr addr,
    int size, bool kAccessIsWrite, bool kIsAtomic) {
  while (size) {
    int size1 = 1;
    int kAccessSizeLog = kSizeLog1;
    if (size >= 8 && (addr & ~7) == ((addr + 7) & ~7)) {
      size1 = 8;
      kAccessSizeLog = kSizeLog8;
    } else if (size >= 4 && (addr & ~7) == ((addr + 3) & ~7)) {
      size1 = 4;
      kAccessSizeLog = kSizeLog4;
    } else if (size >= 2 && (addr & ~7) == ((addr + 1) & ~7)) {
      size1 = 2;
      kAccessSizeLog = kSizeLog2;
    }
    MemoryAccess(thr, pc, addr, kAccessSizeLog, kAccessIsWrite, kIsAtomic);
    addr += size1;
    size -= size1;
  }
}

ALWAYS_INLINE
bool ContainsSameAccessSlow(u64 *s, u64 a, u64 sync_epoch, bool is_write) {
  Shadow cur(a);
  for (uptr i = 0; i < kShadowCnt; i++) {
    Shadow old(LoadShadow(&s[i]));
    if (Shadow::Addr0AndSizeAreEqual(cur, old) &&
        old.TidWithIgnore() == cur.TidWithIgnore() &&
        old.epoch() > sync_epoch &&
        old.IsAtomic() == cur.IsAtomic() &&
        old.IsRead() <= cur.IsRead())
      return true;
  }
  return false;
}

#if defined(__SSE3__)
#define SHUF(v0, v1, i0, i1, i2, i3) _mm_castps_si128(_mm_shuffle_ps( \
    _mm_castsi128_ps(v0), _mm_castsi128_ps(v1), \
    (i0)*1 + (i1)*4 + (i2)*16 + (i3)*64))
ALWAYS_INLINE
bool ContainsSameAccessFast(u64 *s, u64 a, u64 sync_epoch, bool is_write) {
  // This is an optimized version of ContainsSameAccessSlow.
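  // The four 64-bit shadow slots are processed in parallel: the high 32-bit
  // halves of the slots are compared against the high half of the current
  // access, and the low halves against sync_epoch, using a handful of SSE
  // instructions instead of a per-slot loop.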
  // load current access into access[0:63]
  const m128 access = _mm_cvtsi64_si128(a);
  // duplicate high part of access in addr0:
  // addr0[0:31]        = access[32:63]
  // addr0[32:63]       = access[32:63]
  // addr0[64:95]       = access[32:63]
  // addr0[96:127]      = access[32:63]
  const m128 addr0 = SHUF(access, access, 1, 1, 1, 1);
  // load 4 shadow slots
  const m128 shadow0 = _mm_load_si128((__m128i*)s);
  const m128 shadow1 = _mm_load_si128((__m128i*)s + 1);
  // load high parts of 4 shadow slots into addr_vect:
  // addr_vect[0:31]    = shadow0[32:63]
  // addr_vect[32:63]   = shadow0[96:127]
  // addr_vect[64:95]   = shadow1[32:63]
  // addr_vect[96:127]  = shadow1[96:127]
  m128 addr_vect = SHUF(shadow0, shadow1, 1, 3, 1, 3);
  if (!is_write) {
    // set IsRead bit in addr_vect
    const m128 rw_mask1 = _mm_cvtsi64_si128(1<<15);
    const m128 rw_mask = SHUF(rw_mask1, rw_mask1, 0, 0, 0, 0);
    addr_vect = _mm_or_si128(addr_vect, rw_mask);
  }
  // addr0 == addr_vect?
  const m128 addr_res = _mm_cmpeq_epi32(addr0, addr_vect);
  // epoch1[0:63]       = sync_epoch
  const m128 epoch1 = _mm_cvtsi64_si128(sync_epoch);
  // epoch[0:31]        = sync_epoch[0:31]
  // epoch[32:63]       = sync_epoch[0:31]
  // epoch[64:95]       = sync_epoch[0:31]
  // epoch[96:127]      = sync_epoch[0:31]
  const m128 epoch = SHUF(epoch1, epoch1, 0, 0, 0, 0);
  // load low parts of shadow cell epochs into epoch_vect:
  // epoch_vect[0:31]   = shadow0[0:31]
  // epoch_vect[32:63]  = shadow0[64:95]
  // epoch_vect[64:95]  = shadow1[0:31]
  // epoch_vect[96:127] = shadow1[64:95]
  const m128 epoch_vect = SHUF(shadow0, shadow1, 0, 2, 0, 2);
  // epoch_vect >= sync_epoch?
  const m128 epoch_res = _mm_cmpgt_epi32(epoch_vect, epoch);
  // addr_res & epoch_res
  const m128 res = _mm_and_si128(addr_res, epoch_res);
  // mask[0] = res[7]
  // mask[1] = res[15]
  // ...
  // mask[15] = res[127]
  const int mask = _mm_movemask_epi8(res);
  return mask != 0;
}
#endif

ALWAYS_INLINE
bool ContainsSameAccess(u64 *s, u64 a, u64 sync_epoch, bool is_write) {
#if defined(__SSE3__)
  bool res = ContainsSameAccessFast(s, a, sync_epoch, is_write);
  // NOTE: this check can fail if the shadow is concurrently mutated
  // by other threads. But it still can be useful if you modify
  // ContainsSameAccessFast and want to ensure that it's not completely broken.
  // DCHECK_EQ(res, ContainsSameAccessSlow(s, a, sync_epoch, is_write));
  return res;
#else
  return ContainsSameAccessSlow(s, a, sync_epoch, is_write);
#endif
}

ALWAYS_INLINE USED
void MemoryAccess(ThreadState *thr, uptr pc, uptr addr,
    int kAccessSizeLog, bool kAccessIsWrite, bool kIsAtomic) {
  u64 *shadow_mem = (u64*)MemToShadow(addr);
  DPrintf2("#%d: MemoryAccess: @%p %p size=%d"
      " is_write=%d shadow_mem=%p {%zx, %zx, %zx, %zx}\n",
      (int)thr->fast_state.tid(), (void*)pc, (void*)addr,
      (int)(1 << kAccessSizeLog), kAccessIsWrite, shadow_mem,
      (uptr)shadow_mem[0], (uptr)shadow_mem[1],
      (uptr)shadow_mem[2], (uptr)shadow_mem[3]);
#if SANITIZER_DEBUG
  if (!IsAppMem(addr)) {
    Printf("Access to non app mem %zx\n", addr);
    DCHECK(IsAppMem(addr));
  }
  if (!IsShadowMem((uptr)shadow_mem)) {
    Printf("Bad shadow addr %p (%zx)\n", shadow_mem, addr);
    DCHECK(IsShadowMem((uptr)shadow_mem));
  }
#endif

  if (!SANITIZER_GO && !kAccessIsWrite && *shadow_mem == kShadowRodata) {
    // Access to .rodata section, no races here.
    // Measurements show that it can be 10-20% of all memory accesses.
    StatInc(thr, StatMop);
    StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
    StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
    StatInc(thr, StatMopRodata);
    return;
  }

  FastState fast_state = thr->fast_state;
  if (UNLIKELY(fast_state.GetIgnoreBit())) {
    StatInc(thr, StatMop);
    StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
    StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
    StatInc(thr, StatMopIgnored);
    return;
  }

  Shadow cur(fast_state);
  cur.SetAddr0AndSizeLog(addr & 7, kAccessSizeLog);
  cur.SetWrite(kAccessIsWrite);
  cur.SetAtomic(kIsAtomic);

  if (LIKELY(ContainsSameAccess(shadow_mem, cur.raw(),
      thr->fast_synch_epoch, kAccessIsWrite))) {
    StatInc(thr, StatMop);
    StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
    StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
    StatInc(thr, StatMopSame);
    return;
  }

  if (kCollectHistory) {
    fast_state.IncrementEpoch();
    thr->fast_state = fast_state;
    TraceAddEvent(thr, fast_state, EventTypeMop, pc);
    cur.IncrementEpoch();
  }

  MemoryAccessImpl1(thr, addr, kAccessSizeLog, kAccessIsWrite, kIsAtomic,
      shadow_mem, cur);
}

// Called by MemoryAccessRange in tsan_rtl_thread.cpp
ALWAYS_INLINE USED
void MemoryAccessImpl(ThreadState *thr, uptr addr,
    int kAccessSizeLog, bool kAccessIsWrite, bool kIsAtomic,
    u64 *shadow_mem, Shadow cur) {
  if (LIKELY(ContainsSameAccess(shadow_mem, cur.raw(),
      thr->fast_synch_epoch, kAccessIsWrite))) {
    StatInc(thr, StatMop);
    StatInc(thr, kAccessIsWrite ? StatMopWrite : StatMopRead);
    StatInc(thr, (StatType)(StatMop1 + kAccessSizeLog));
    StatInc(thr, StatMopSame);
    return;
  }

  MemoryAccessImpl1(thr, addr, kAccessSizeLog, kAccessIsWrite, kIsAtomic,
      shadow_mem, cur);
}

static void MemoryRangeSet(ThreadState *thr, uptr pc, uptr addr, uptr size,
                           u64 val) {
  (void)thr;
  (void)pc;
  if (size == 0)
    return;
  // FIXME: fix me.
  uptr offset = addr % kShadowCell;
  if (offset) {
    offset = kShadowCell - offset;
    if (size <= offset)
      return;
    addr += offset;
    size -= offset;
  }
  DCHECK_EQ(addr % 8, 0);
  // If a user passes some insane arguments (memset(0)),
  // let it just crash as usual.
  if (!IsAppMem(addr) || !IsAppMem(addr + size - 1))
    return;
  // Don't want to touch lots of shadow memory.
  // If a program maps 10MB stack, there is no need to reset the whole range.
  size = (size + (kShadowCell - 1)) & ~(kShadowCell - 1);
  // UnmapOrDie/MmapFixedNoReserve does not work on Windows.
  if (SANITIZER_WINDOWS || size < common_flags()->clear_shadow_mmap_threshold) {
    u64 *p = (u64*)MemToShadow(addr);
    CHECK(IsShadowMem((uptr)p));
    CHECK(IsShadowMem((uptr)(p + size * kShadowCnt / kShadowCell - 1)));
    // FIXME: may overwrite a part outside the region
    for (uptr i = 0; i < size / kShadowCell * kShadowCnt;) {
      p[i++] = val;
      for (uptr j = 1; j < kShadowCnt; j++)
        p[i++] = 0;
    }
  } else {
    // The region is big, reset only beginning and end.
    const uptr kPageSize = GetPageSizeCached();
    u64 *begin = (u64*)MemToShadow(addr);
    u64 *end = begin + size / kShadowCell * kShadowCnt;
    u64 *p = begin;
    // Set at least first kPageSize/2 to page boundary.
    while ((p < begin + kPageSize / kShadowSize / 2) || ((uptr)p % kPageSize)) {
      *p++ = val;
      for (uptr j = 1; j < kShadowCnt; j++)
        *p++ = 0;
    }
    // Reset middle part.
    u64 *p1 = p;
    p = RoundDown(end, kPageSize);
    UnmapOrDie((void*)p1, (uptr)p - (uptr)p1);
    if (!MmapFixedNoReserve((uptr)p1, (uptr)p - (uptr)p1))
      Die();
    // Set the ending.
    while (p < end) {
      *p++ = val;
      for (uptr j = 1; j < kShadowCnt; j++)
        *p++ = 0;
    }
  }
}

void MemoryResetRange(ThreadState *thr, uptr pc, uptr addr, uptr size) {
  MemoryRangeSet(thr, pc, addr, size, 0);
}

void MemoryRangeFreed(ThreadState *thr, uptr pc, uptr addr, uptr size) {
  // Processing more than 1k (4k of shadow) is expensive,
  // can cause excessive memory consumption (user does not necessarily touch
  // the whole range) and most likely unnecessary.
  if (size > 1024)
    size = 1024;
  CHECK_EQ(thr->is_freeing, false);
  thr->is_freeing = true;
  MemoryAccessRange(thr, pc, addr, size, true);
  thr->is_freeing = false;
  if (kCollectHistory) {
    thr->fast_state.IncrementEpoch();
    TraceAddEvent(thr, thr->fast_state, EventTypeMop, pc);
  }
  Shadow s(thr->fast_state);
  s.ClearIgnoreBit();
  s.MarkAsFreed();
  s.SetWrite(true);
  s.SetAddr0AndSizeLog(0, 3);
  MemoryRangeSet(thr, pc, addr, size, s.raw());
}

void MemoryRangeImitateWrite(ThreadState *thr, uptr pc, uptr addr, uptr size) {
  if (kCollectHistory) {
    thr->fast_state.IncrementEpoch();
    TraceAddEvent(thr, thr->fast_state, EventTypeMop, pc);
  }
  Shadow s(thr->fast_state);
  s.ClearIgnoreBit();
  s.SetWrite(true);
  s.SetAddr0AndSizeLog(0, 3);
  MemoryRangeSet(thr, pc, addr, size, s.raw());
}

void MemoryRangeImitateWriteOrResetRange(ThreadState *thr, uptr pc, uptr addr,
                                         uptr size) {
  if (thr->ignore_reads_and_writes == 0)
    MemoryRangeImitateWrite(thr, pc, addr, size);
  else
    MemoryResetRange(thr, pc, addr, size);
}

ALWAYS_INLINE USED
void FuncEntry(ThreadState *thr, uptr pc) {
  StatInc(thr, StatFuncEnter);
  DPrintf2("#%d: FuncEntry %p\n", (int)thr->fast_state.tid(), (void*)pc);
  if (kCollectHistory) {
    thr->fast_state.IncrementEpoch();
    TraceAddEvent(thr, thr->fast_state, EventTypeFuncEnter, pc);
  }

  // Shadow stack maintenance can be replaced with
  // stack unwinding during trace switch (which presumably must be faster).
  DCHECK_GE(thr->shadow_stack_pos, thr->shadow_stack);
#if !SANITIZER_GO
  DCHECK_LT(thr->shadow_stack_pos, thr->shadow_stack_end);
#else
  if (thr->shadow_stack_pos == thr->shadow_stack_end)
    GrowShadowStack(thr);
#endif
  thr->shadow_stack_pos[0] = pc;
  thr->shadow_stack_pos++;
}

ALWAYS_INLINE USED
void FuncExit(ThreadState *thr) {
  StatInc(thr, StatFuncExit);
  DPrintf2("#%d: FuncExit\n", (int)thr->fast_state.tid());
  if (kCollectHistory) {
    thr->fast_state.IncrementEpoch();
    TraceAddEvent(thr, thr->fast_state, EventTypeFuncExit, 0);
  }

  DCHECK_GT(thr->shadow_stack_pos, thr->shadow_stack);
#if !SANITIZER_GO
  DCHECK_LT(thr->shadow_stack_pos, thr->shadow_stack_end);
#endif
  thr->shadow_stack_pos--;
}

void ThreadIgnoreBegin(ThreadState *thr, uptr pc, bool save_stack) {
  DPrintf("#%d: ThreadIgnoreBegin\n", thr->tid);
  thr->ignore_reads_and_writes++;
  CHECK_GT(thr->ignore_reads_and_writes, 0);
  thr->fast_state.SetIgnoreBit();
#if !SANITIZER_GO
  if (save_stack && !ctx->after_multithreaded_fork)
    thr->mop_ignore_set.Add(CurrentStackId(thr, pc));
#endif
}

void ThreadIgnoreEnd(ThreadState *thr, uptr pc) {
  DPrintf("#%d: ThreadIgnoreEnd\n", thr->tid);
  CHECK_GT(thr->ignore_reads_and_writes, 0);
  thr->ignore_reads_and_writes--;
  if (thr->ignore_reads_and_writes == 0) {
    thr->fast_state.ClearIgnoreBit();
#if !SANITIZER_GO
    thr->mop_ignore_set.Reset();
#endif
  }
}

#if !SANITIZER_GO
extern "C" SANITIZER_INTERFACE_ATTRIBUTE
uptr __tsan_testonly_shadow_stack_current_size() {
  ThreadState *thr = cur_thread();
  return thr->shadow_stack_pos - thr->shadow_stack;
}
#endif

void ThreadIgnoreSyncBegin(ThreadState *thr, uptr pc, bool save_stack) {
  DPrintf("#%d: ThreadIgnoreSyncBegin\n", thr->tid);
  thr->ignore_sync++;
  CHECK_GT(thr->ignore_sync, 0);
#if !SANITIZER_GO
  if (save_stack && !ctx->after_multithreaded_fork)
    thr->sync_ignore_set.Add(CurrentStackId(thr, pc));
#endif
}

void ThreadIgnoreSyncEnd(ThreadState *thr, uptr pc) {
  DPrintf("#%d: ThreadIgnoreSyncEnd\n", thr->tid);
  CHECK_GT(thr->ignore_sync, 0);
  thr->ignore_sync--;
#if !SANITIZER_GO
  if (thr->ignore_sync == 0)
    thr->sync_ignore_set.Reset();
#endif
}

bool MD5Hash::operator==(const MD5Hash &other) const {
  return hash[0] == other.hash[0] && hash[1] == other.hash[1];
}

#if SANITIZER_DEBUG
void build_consistency_debug() {}
#else
void build_consistency_release() {}
#endif

#if TSAN_COLLECT_STATS
void build_consistency_stats() {}
#else
void build_consistency_nostats() {}
#endif

}  // namespace __tsan

#if !SANITIZER_GO
// Must be included in this file to make sure everything is inlined.
#include "tsan_interface_inl.h"
#endif