1 //===-- tsan_platform_mac.cpp ---------------------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file is a part of ThreadSanitizer (TSan), a race detector.
10 //
11 // Mac-specific code.
12 //===----------------------------------------------------------------------===//
13 
14 #include "sanitizer_common/sanitizer_platform.h"
15 #if SANITIZER_MAC
16 
17 #include "sanitizer_common/sanitizer_atomic.h"
18 #include "sanitizer_common/sanitizer_common.h"
19 #include "sanitizer_common/sanitizer_libc.h"
20 #include "sanitizer_common/sanitizer_posix.h"
21 #include "sanitizer_common/sanitizer_procmaps.h"
22 #include "sanitizer_common/sanitizer_ptrauth.h"
23 #include "sanitizer_common/sanitizer_stackdepot.h"
24 #include "tsan_platform.h"
25 #include "tsan_rtl.h"
26 #include "tsan_flags.h"
27 
28 #include <mach/mach.h>
29 #include <pthread.h>
30 #include <signal.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <stdarg.h>
35 #include <sys/mman.h>
36 #include <sys/syscall.h>
37 #include <sys/time.h>
38 #include <sys/types.h>
39 #include <sys/resource.h>
40 #include <sys/stat.h>
41 #include <unistd.h>
42 #include <errno.h>
43 #include <sched.h>
44 
45 namespace __tsan {
46 
47 #if !SANITIZER_GO
48 static void *SignalSafeGetOrAllocate(uptr *dst, uptr size) {
49   atomic_uintptr_t *a = (atomic_uintptr_t *)dst;
50   void *val = (void *)atomic_load_relaxed(a);
51   atomic_signal_fence(memory_order_acquire);  // Turns the previous load into
52                                               // acquire wrt signals.
53   if (UNLIKELY(val == nullptr)) {
54     val = (void *)internal_mmap(nullptr, size, PROT_READ | PROT_WRITE,
55                                 MAP_PRIVATE | MAP_ANON, -1, 0);
56     CHECK(val);
57     void *cmp = nullptr;
58     if (!atomic_compare_exchange_strong(a, (uintptr_t *)&cmp, (uintptr_t)val,
59                                         memory_order_acq_rel)) {
60       internal_munmap(val, size);
61       val = cmp;
62     }
63   }
64   return val;
65 }
66 
67 // On OS X, accessing TLVs via __thread or manually by using pthread_key_* is
68 // problematic, because there are several places where interceptors are called
69 // when TLVs are not accessible (early process startup, thread cleanup, ...).
70 // The following provides a "poor man's TLV" implementation, where we use the
71 // shadow memory of the pointer returned by pthread_self() to store a pointer to
72 // the ThreadState object. The main thread's ThreadState is stored separately
73 // in a static variable, because we need to access it even before the
74 // shadow memory is set up.
75 static uptr main_thread_identity = 0;
76 ALIGNED(64) static char main_thread_state[sizeof(ThreadState)];
77 static ThreadState *main_thread_state_loc = (ThreadState *)main_thread_state;
78 
79 // We cannot use pthread_self() before libpthread has been initialized.  Our
80 // current heuristic for guarding this is checking `main_thread_identity` which
81 // is only assigned in `__tsan::InitializePlatform`.
82 static ThreadState **cur_thread_location() {
83   if (main_thread_identity == 0)
84     return &main_thread_state_loc;
85   uptr thread_identity = (uptr)pthread_self();
86   if (thread_identity == main_thread_identity)
87     return &main_thread_state_loc;
88   return (ThreadState **)MemToShadow(thread_identity);
89 }
90 
91 ThreadState *cur_thread() {
92   return (ThreadState *)SignalSafeGetOrAllocate(
93       (uptr *)cur_thread_location(), sizeof(ThreadState));
94 }
95 
96 void set_cur_thread(ThreadState *thr) {
97   *cur_thread_location() = thr;
98 }
99 
100 // TODO(kuba.brecka): This is not async-signal-safe. In particular, we call
101 // munmap first and then clear `fake_tls`; if we receive a signal in between,
102 // handler will try to access the unmapped ThreadState.
103 void cur_thread_finalize() {
104   ThreadState **thr_state_loc = cur_thread_location();
105   if (thr_state_loc == &main_thread_state_loc) {
106     // Calling dispatch_main() or xpc_main() actually invokes pthread_exit to
107     // exit the main thread. Let's keep the main thread's ThreadState.
108     return;
109   }
110   internal_munmap(*thr_state_loc, sizeof(ThreadState));
111   *thr_state_loc = nullptr;
112 }
113 #endif
114 
115 void FlushShadowMemory() {
116 }
117 
118 static void RegionMemUsage(uptr start, uptr end, uptr *res, uptr *dirty) {
119   vm_address_t address = start;
120   vm_address_t end_address = end;
121   uptr resident_pages = 0;
122   uptr dirty_pages = 0;
123   while (address < end_address) {
124     vm_size_t vm_region_size;
125     mach_msg_type_number_t count = VM_REGION_EXTENDED_INFO_COUNT;
126     vm_region_extended_info_data_t vm_region_info;
127     mach_port_t object_name;
128     kern_return_t ret = vm_region_64(
129         mach_task_self(), &address, &vm_region_size, VM_REGION_EXTENDED_INFO,
130         (vm_region_info_t)&vm_region_info, &count, &object_name);
131     if (ret != KERN_SUCCESS) break;
132 
133     resident_pages += vm_region_info.pages_resident;
134     dirty_pages += vm_region_info.pages_dirtied;
135 
136     address += vm_region_size;
137   }
138   *res = resident_pages * GetPageSizeCached();
139   *dirty = dirty_pages * GetPageSizeCached();
140 }
141 
142 void WriteMemoryProfile(char *buf, uptr buf_size, u64 uptime_ns) {
143   uptr shadow_res, shadow_dirty;
144   uptr meta_res, meta_dirty;
145   uptr trace_res, trace_dirty;
146   RegionMemUsage(ShadowBeg(), ShadowEnd(), &shadow_res, &shadow_dirty);
147   RegionMemUsage(MetaShadowBeg(), MetaShadowEnd(), &meta_res, &meta_dirty);
148   RegionMemUsage(TraceMemBeg(), TraceMemEnd(), &trace_res, &trace_dirty);
149 
150 #if !SANITIZER_GO
151   uptr low_res, low_dirty;
152   uptr high_res, high_dirty;
153   uptr heap_res, heap_dirty;
154   RegionMemUsage(LoAppMemBeg(), LoAppMemEnd(), &low_res, &low_dirty);
155   RegionMemUsage(HiAppMemBeg(), HiAppMemEnd(), &high_res, &high_dirty);
156   RegionMemUsage(HeapMemBeg(), HeapMemEnd(), &heap_res, &heap_dirty);
157 #else  // !SANITIZER_GO
158   uptr app_res, app_dirty;
159   RegionMemUsage(LoAppMemBeg(), LoAppMemEnd(), &app_res, &app_dirty);
160 #endif
161 
162   StackDepotStats stacks = StackDepotGetStats();
163   uptr nthread, nlive;
164   ctx->thread_registry.GetNumberOfThreads(&nthread, &nlive);
165   internal_snprintf(
166       buf, buf_size,
167       "shadow   (0x%016zx-0x%016zx): resident %zd kB, dirty %zd kB\n"
168       "meta     (0x%016zx-0x%016zx): resident %zd kB, dirty %zd kB\n"
169       "traces   (0x%016zx-0x%016zx): resident %zd kB, dirty %zd kB\n"
170 #  if !SANITIZER_GO
171       "low app  (0x%016zx-0x%016zx): resident %zd kB, dirty %zd kB\n"
172       "high app (0x%016zx-0x%016zx): resident %zd kB, dirty %zd kB\n"
173       "heap     (0x%016zx-0x%016zx): resident %zd kB, dirty %zd kB\n"
174 #  else  // !SANITIZER_GO
175       "app      (0x%016zx-0x%016zx): resident %zd kB, dirty %zd kB\n"
176 #  endif
177       "stacks: %zd unique IDs, %zd kB allocated\n"
178       "threads: %zd total, %zd live\n"
179       "------------------------------\n",
180       ShadowBeg(), ShadowEnd(), shadow_res / 1024, shadow_dirty / 1024,
181       MetaShadowBeg(), MetaShadowEnd(), meta_res / 1024, meta_dirty / 1024,
182       TraceMemBeg(), TraceMemEnd(), trace_res / 1024, trace_dirty / 1024,
183 #  if !SANITIZER_GO
184       LoAppMemBeg(), LoAppMemEnd(), low_res / 1024, low_dirty / 1024,
185       HiAppMemBeg(), HiAppMemEnd(), high_res / 1024, high_dirty / 1024,
186       HeapMemBeg(), HeapMemEnd(), heap_res / 1024, heap_dirty / 1024,
187 #  else  // !SANITIZER_GO
188       LoAppMemBeg(), LoAppMemEnd(), app_res / 1024, app_dirty / 1024,
189 #  endif
190       stacks.n_uniq_ids, stacks.allocated / 1024, nthread, nlive);
191 }
192 
193 #  if !SANITIZER_GO
194 void InitializeShadowMemoryPlatform() { }
195 
196 // On OS X, GCD worker threads are created without a call to pthread_create. We
197 // need to properly register these threads with ThreadCreate and ThreadStart.
198 // These threads don't have a parent thread, as they are created "spuriously".
199 // We're using a libpthread API that notifies us about a newly created thread.
200 // The `thread == pthread_self()` check indicates this is actually a worker
201 // thread. If it's just a regular thread, this hook is called on the parent
202 // thread.
203 typedef void (*pthread_introspection_hook_t)(unsigned int event,
204                                              pthread_t thread, void *addr,
205                                              size_t size);
206 extern "C" pthread_introspection_hook_t pthread_introspection_hook_install(
207     pthread_introspection_hook_t hook);
208 static const uptr PTHREAD_INTROSPECTION_THREAD_CREATE = 1;
209 static const uptr PTHREAD_INTROSPECTION_THREAD_TERMINATE = 3;
210 static pthread_introspection_hook_t prev_pthread_introspection_hook;
211 static void my_pthread_introspection_hook(unsigned int event, pthread_t thread,
212                                           void *addr, size_t size) {
213   if (event == PTHREAD_INTROSPECTION_THREAD_CREATE) {
214     if (thread == pthread_self()) {
215       // The current thread is a newly created GCD worker thread.
216       ThreadState *thr = cur_thread();
217       Processor *proc = ProcCreate();
218       ProcWire(proc, thr);
219       ThreadState *parent_thread_state = nullptr;  // No parent.
220       Tid tid = ThreadCreate(parent_thread_state, 0, (uptr)thread, true);
221       CHECK_NE(tid, kMainTid);
222       ThreadStart(thr, tid, GetTid(), ThreadType::Worker);
223     }
224   } else if (event == PTHREAD_INTROSPECTION_THREAD_TERMINATE) {
225     if (thread == pthread_self()) {
226       ThreadState *thr = cur_thread();
227       if (thr->tctx) {
228         DestroyThreadState();
229       }
230     }
231   }
232 
233   if (prev_pthread_introspection_hook != nullptr)
234     prev_pthread_introspection_hook(event, thread, addr, size);
235 }
236 #endif
237 
238 void InitializePlatformEarly() {
239 #  if !SANITIZER_GO && SANITIZER_IOS
240   uptr max_vm = GetMaxUserVirtualAddress() + 1;
241   if (max_vm != HiAppMemEnd()) {
242     Printf("ThreadSanitizer: unsupported vm address limit %p, expected %p.\n",
243            (void *)max_vm, (void *)HiAppMemEnd());
244     Die();
245   }
246 #endif
247 }
248 
249 static uptr longjmp_xor_key = 0;
250 
251 void InitializePlatform() {
252   DisableCoreDumperIfNecessary();
253 #if !SANITIZER_GO
254   CheckAndProtect();
255 
256   CHECK_EQ(main_thread_identity, 0);
257   main_thread_identity = (uptr)pthread_self();
258 
259   prev_pthread_introspection_hook =
260       pthread_introspection_hook_install(&my_pthread_introspection_hook);
261 #endif
262 
263   if (GetMacosAlignedVersion() >= MacosVersion(10, 14)) {
264     // Libsystem currently uses a process-global key; this might change.
265     const unsigned kTLSLongjmpXorKeySlot = 0x7;
266     longjmp_xor_key = (uptr)pthread_getspecific(kTLSLongjmpXorKeySlot);
267   }
268 }
269 
270 #ifdef __aarch64__
271 # define LONG_JMP_SP_ENV_SLOT \
272     ((GetMacosAlignedVersion() >= MacosVersion(10, 14)) ? 12 : 13)
273 #else
274 # define LONG_JMP_SP_ENV_SLOT 2
275 #endif
276 
277 uptr ExtractLongJmpSp(uptr *env) {
278   uptr mangled_sp = env[LONG_JMP_SP_ENV_SLOT];
279   uptr sp = mangled_sp ^ longjmp_xor_key;
280   sp = (uptr)ptrauth_auth_data((void *)sp, ptrauth_key_asdb,
281                                ptrauth_string_discriminator("sp"));
282   return sp;
283 }
284 
285 #if !SANITIZER_GO
286 extern "C" void __tsan_tls_initialization() {}
287 
288 void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size) {
289   // The pointer to the ThreadState object is stored in the shadow memory
290   // of the tls.
291   uptr tls_end = tls_addr + tls_size;
292   uptr thread_identity = (uptr)pthread_self();
293   const uptr pc = StackTrace::GetNextInstructionPc(
294       reinterpret_cast<uptr>(__tsan_tls_initialization));
295   if (thread_identity == main_thread_identity) {
296     MemoryRangeImitateWrite(thr, pc, tls_addr, tls_size);
297   } else {
298     uptr thr_state_start = thread_identity;
299     uptr thr_state_end = thr_state_start + sizeof(uptr);
300     CHECK_GE(thr_state_start, tls_addr);
301     CHECK_LE(thr_state_start, tls_addr + tls_size);
302     CHECK_GE(thr_state_end, tls_addr);
303     CHECK_LE(thr_state_end, tls_addr + tls_size);
304     MemoryRangeImitateWrite(thr, pc, tls_addr, thr_state_start - tls_addr);
305     MemoryRangeImitateWrite(thr, pc, thr_state_end, tls_end - thr_state_end);
306   }
307 }
308 #endif
309 
310 #if !SANITIZER_GO
311 // Note: this function runs with async signals enabled,
312 // so it must not touch any tsan state.
313 int call_pthread_cancel_with_cleanup(int (*fn)(void *arg),
314                                      void (*cleanup)(void *arg), void *arg) {
315   // pthread_cleanup_push/pop are hardcore macros mess.
316   // We can't intercept nor call them w/o including pthread.h.
317   int res;
318   pthread_cleanup_push(cleanup, arg);
319   res = fn(arg);
320   pthread_cleanup_pop(0);
321   return res;
322 }
323 #endif
324 
325 }  // namespace __tsan
326 
327 #endif  // SANITIZER_MAC
328