//===-- ThreadSanitizer.cpp - race detector -------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file is a part of ThreadSanitizer, a race detector.
//
// The tool is under development, for the details about previous versions see
// http://code.google.com/p/data-race-test
//
// The instrumentation phase is quite simple:
//   - Insert calls to the run-time library before every memory access.
//      - Optimizations may apply to avoid instrumenting some of the accesses.
//   - Insert calls at function entry/exit.
// The rest is handled by the run-time library.
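//
// For illustration only (the exact IR depends on target, types and options),
// a plain 4-byte store such as
//     store i32 %v, i32* %p
// is roughly rewritten as
//     %a = bitcast i32* %p to i8*
//     call void @__tsan_write4(i8* %a)
//     store i32 %v, i32* %p
// and instrumented functions additionally receive __tsan_func_entry /
// __tsan_func_exit calls at their entry and exit points.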
//===----------------------------------------------------------------------===//

#include "llvm/Transforms/Instrumentation/ThreadSanitizer.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/Optional.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/Analysis/CaptureTracking.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/Analysis/ValueTracking.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Metadata.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/ProfileData/InstrProf.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/MathExtras.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/EscapeEnumerator.h"
#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"

using namespace llvm;

#define DEBUG_TYPE "tsan"

static cl::opt<bool> ClInstrumentMemoryAccesses(
    "tsan-instrument-memory-accesses", cl::init(true),
    cl::desc("Instrument memory accesses"), cl::Hidden);
static cl::opt<bool>
    ClInstrumentFuncEntryExit("tsan-instrument-func-entry-exit", cl::init(true),
                              cl::desc("Instrument function entry and exit"),
                              cl::Hidden);
static cl::opt<bool> ClHandleCxxExceptions(
    "tsan-handle-cxx-exceptions", cl::init(true),
    cl::desc("Handle C++ exceptions (insert cleanup blocks for unwinding)"),
    cl::Hidden);
static cl::opt<bool> ClInstrumentAtomics("tsan-instrument-atomics",
                                         cl::init(true),
                                         cl::desc("Instrument atomics"),
                                         cl::Hidden);
static cl::opt<bool> ClInstrumentMemIntrinsics(
    "tsan-instrument-memintrinsics", cl::init(true),
    cl::desc("Instrument memintrinsics (memset/memcpy/memmove)"), cl::Hidden);
static cl::opt<bool> ClDistinguishVolatile(
    "tsan-distinguish-volatile", cl::init(false),
    cl::desc("Emit special instrumentation for accesses to volatiles"),
    cl::Hidden);
static cl::opt<bool> ClInstrumentReadBeforeWrite(
    "tsan-instrument-read-before-write", cl::init(false),
    cl::desc("Do not eliminate read instrumentation for read-before-writes"),
    cl::Hidden);
static cl::opt<bool> ClCompoundReadBeforeWrite(
    "tsan-compound-read-before-write", cl::init(false),
    cl::desc("Emit special compound instrumentation for reads-before-writes"),
    cl::Hidden);

STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
STATISTIC(NumOmittedReadsBeforeWrite,
          "Number of reads ignored due to following writes");
STATISTIC(NumAccessesWithBadSize, "Number of accesses with bad size");
STATISTIC(NumInstrumentedVtableWrites, "Number of vtable ptr writes");
STATISTIC(NumInstrumentedVtableReads, "Number of vtable ptr reads");
STATISTIC(NumOmittedReadsFromConstantGlobals,
          "Number of reads from constant globals");
STATISTIC(NumOmittedReadsFromVtable, "Number of vtable reads");
STATISTIC(NumOmittedNonCaptured, "Number of accesses ignored due to capturing");

const char kTsanModuleCtorName[] = "tsan.module_ctor";
const char kTsanInitName[] = "__tsan_init";
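
// The module constructor named by kTsanModuleCtorName is created in
// insertModuleCtor() below; its body just calls __tsan_init (kTsanInitName)
// so that the runtime is set up from a global constructor.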

namespace {

/// ThreadSanitizer: instrument the code in a module to find races.
///
/// Instantiating ThreadSanitizer inserts the tsan runtime library API function
/// declarations into the module if they don't exist already. Instantiating
/// ensures the __tsan_init function is in the list of global constructors for
/// the module.
struct ThreadSanitizer {
  ThreadSanitizer() {
    // Check options and warn user.
    if (ClInstrumentReadBeforeWrite && ClCompoundReadBeforeWrite) {
      errs()
          << "warning: Option -tsan-compound-read-before-write has no effect "
             "when -tsan-instrument-read-before-write is set.\n";
    }
  }

  bool sanitizeFunction(Function &F, const TargetLibraryInfo &TLI);

private:
  // Internal Instruction wrapper that contains more information about the
  // Instruction from prior analysis.
  struct InstructionInfo {
    // Instrumentation emitted for this instruction is for a compounded set of
    // read and write operations in the same basic block.
    static constexpr unsigned kCompoundRW = (1U << 0);

    explicit InstructionInfo(Instruction *Inst) : Inst(Inst) {}

    Instruction *Inst;
    unsigned Flags = 0;
  };

  void initialize(Module &M);
  bool instrumentLoadOrStore(const InstructionInfo &II, const DataLayout &DL,
                             const Function &F);
  bool instrumentAtomic(Instruction *I, const DataLayout &DL,
                        const Function &F);
  bool instrumentMemIntrinsic(Instruction *I);
  void chooseInstructionsToInstrument(SmallVectorImpl<Instruction *> &Local,
                                      SmallVectorImpl<InstructionInfo> &All,
                                      const DataLayout &DL);
  bool addrPointsToConstantData(Value *Addr);
  int getMemoryAccessFuncIndex(Type *OrigTy, Value *Addr, const DataLayout &DL);
  void InsertRuntimeIgnores(Function &F);

  Type *IntptrTy;
  FunctionCallee TsanFuncEntry;
  FunctionCallee TsanFuncExit;
  FunctionCallee TsanIgnoreBegin;
  FunctionCallee TsanIgnoreEnd;
  // Access sizes are powers of two: 1, 2, 4, 8, 16.
  static const size_t kNumberOfAccessSizes = 5;
  FunctionCallee TsanRead[kNumberOfAccessSizes];
  FunctionCallee TsanWrite[kNumberOfAccessSizes];
  FunctionCallee TsanUnalignedRead[kNumberOfAccessSizes];
  FunctionCallee TsanUnalignedWrite[kNumberOfAccessSizes];
  FunctionCallee TsanVolatileRead[kNumberOfAccessSizes];
  FunctionCallee TsanVolatileWrite[kNumberOfAccessSizes];
  FunctionCallee TsanUnalignedVolatileRead[kNumberOfAccessSizes];
  FunctionCallee TsanUnalignedVolatileWrite[kNumberOfAccessSizes];
  FunctionCallee TsanCompoundRW[kNumberOfAccessSizes];
  FunctionCallee TsanUnalignedCompoundRW[kNumberOfAccessSizes];
  FunctionCallee TsanAtomicLoad[kNumberOfAccessSizes];
  FunctionCallee TsanAtomicStore[kNumberOfAccessSizes];
  FunctionCallee TsanAtomicRMW[AtomicRMWInst::LAST_BINOP + 1]
                              [kNumberOfAccessSizes];
  FunctionCallee TsanAtomicCAS[kNumberOfAccessSizes];
  FunctionCallee TsanAtomicThreadFence;
  FunctionCallee TsanAtomicSignalFence;
  FunctionCallee TsanVptrUpdate;
  FunctionCallee TsanVptrLoad;
  FunctionCallee MemmoveFn, MemcpyFn, MemsetFn;
};

void insertModuleCtor(Module &M) {
  getOrCreateSanitizerCtorAndInitFunctions(
      M, kTsanModuleCtorName, kTsanInitName, /*InitArgTypes=*/{},
      /*InitArgs=*/{},
      // This callback is invoked when the functions are created the first
      // time. Hook them into the global ctors list in that case:
      [&](Function *Ctor, FunctionCallee) { appendToGlobalCtors(M, Ctor, 0); });
}

// Used to ensure the inserted instrumentation has a DebugLocation; if none is
// attached to the source instruction, try to use a DILocation with offset 0
// scoped to the surrounding function (if it has a DebugLocation).
//
// Some non-call instructions may be missing debug info, but when inserting
// instrumentation calls, some builds (e.g. LTO) want calls to have debug info
// if the enclosing function does.
struct InstrumentationIRBuilder : IRBuilder<> {
  static void ensureDebugInfo(IRBuilder<> &IRB, const Function &F) {
    if (IRB.getCurrentDebugLocation())
      return;
    if (DISubprogram *SP = F.getSubprogram())
      IRB.SetCurrentDebugLocation(DILocation::get(SP->getContext(), 0, 0, SP));
  }

  explicit InstrumentationIRBuilder(Instruction *I, const Function &F)
      : IRBuilder<>(I) {
    ensureDebugInfo(*this, F);
  }
};

} // namespace
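
// A typical invocation schedules both passes, e.g. with the new pass manager
// (assuming the default pass-registry names):
//   opt -passes='tsan-module,function(tsan)' input.ll -S -o instrumented.ll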
PreservedAnalyses ThreadSanitizerPass::run(Function &F,
                                           FunctionAnalysisManager &FAM) {
  ThreadSanitizer TSan;
  if (TSan.sanitizeFunction(F, FAM.getResult<TargetLibraryAnalysis>(F)))
    return PreservedAnalyses::none();
  return PreservedAnalyses::all();
}

PreservedAnalyses ModuleThreadSanitizerPass::run(Module &M,
                                                 ModuleAnalysisManager &MAM) {
  insertModuleCtor(M);
  return PreservedAnalyses::none();
}
void ThreadSanitizer::initialize(Module &M) {
  const DataLayout &DL = M.getDataLayout();
  IntptrTy = DL.getIntPtrType(M.getContext());

  IRBuilder<> IRB(M.getContext());
  AttributeList Attr;
  Attr = Attr.addFnAttribute(M.getContext(), Attribute::NoUnwind);
  // Initialize the callbacks.
  TsanFuncEntry = M.getOrInsertFunction("__tsan_func_entry", Attr,
                                        IRB.getVoidTy(), IRB.getInt8PtrTy());
  TsanFuncExit =
      M.getOrInsertFunction("__tsan_func_exit", Attr, IRB.getVoidTy());
  TsanIgnoreBegin = M.getOrInsertFunction("__tsan_ignore_thread_begin", Attr,
                                          IRB.getVoidTy());
  TsanIgnoreEnd =
      M.getOrInsertFunction("__tsan_ignore_thread_end", Attr, IRB.getVoidTy());
  IntegerType *OrdTy = IRB.getInt32Ty();
  for (size_t i = 0; i < kNumberOfAccessSizes; ++i) {
    const unsigned ByteSize = 1U << i;
    const unsigned BitSize = ByteSize * 8;
    std::string ByteSizeStr = utostr(ByteSize);
    std::string BitSizeStr = utostr(BitSize);
    SmallString<32> ReadName("__tsan_read" + ByteSizeStr);
    TsanRead[i] = M.getOrInsertFunction(ReadName, Attr, IRB.getVoidTy(),
                                        IRB.getInt8PtrTy());

    SmallString<32> WriteName("__tsan_write" + ByteSizeStr);
    TsanWrite[i] = M.getOrInsertFunction(WriteName, Attr, IRB.getVoidTy(),
                                         IRB.getInt8PtrTy());

    SmallString<64> UnalignedReadName("__tsan_unaligned_read" + ByteSizeStr);
    TsanUnalignedRead[i] = M.getOrInsertFunction(
        UnalignedReadName, Attr, IRB.getVoidTy(), IRB.getInt8PtrTy());

    SmallString<64> UnalignedWriteName("__tsan_unaligned_write" + ByteSizeStr);
    TsanUnalignedWrite[i] = M.getOrInsertFunction(
        UnalignedWriteName, Attr, IRB.getVoidTy(), IRB.getInt8PtrTy());

    SmallString<64> VolatileReadName("__tsan_volatile_read" + ByteSizeStr);
    TsanVolatileRead[i] = M.getOrInsertFunction(
        VolatileReadName, Attr, IRB.getVoidTy(), IRB.getInt8PtrTy());

    SmallString<64> VolatileWriteName("__tsan_volatile_write" + ByteSizeStr);
    TsanVolatileWrite[i] = M.getOrInsertFunction(
        VolatileWriteName, Attr, IRB.getVoidTy(), IRB.getInt8PtrTy());

    SmallString<64> UnalignedVolatileReadName("__tsan_unaligned_volatile_read" +
                                              ByteSizeStr);
    TsanUnalignedVolatileRead[i] = M.getOrInsertFunction(
        UnalignedVolatileReadName, Attr, IRB.getVoidTy(), IRB.getInt8PtrTy());

    SmallString<64> UnalignedVolatileWriteName(
        "__tsan_unaligned_volatile_write" + ByteSizeStr);
    TsanUnalignedVolatileWrite[i] = M.getOrInsertFunction(
        UnalignedVolatileWriteName, Attr, IRB.getVoidTy(), IRB.getInt8PtrTy());

    SmallString<64> CompoundRWName("__tsan_read_write" + ByteSizeStr);
    TsanCompoundRW[i] = M.getOrInsertFunction(
        CompoundRWName, Attr, IRB.getVoidTy(), IRB.getInt8PtrTy());

    SmallString<64> UnalignedCompoundRWName("__tsan_unaligned_read_write" +
                                            ByteSizeStr);
    TsanUnalignedCompoundRW[i] = M.getOrInsertFunction(
        UnalignedCompoundRWName, Attr, IRB.getVoidTy(), IRB.getInt8PtrTy());

    Type *Ty = Type::getIntNTy(M.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    SmallString<32> AtomicLoadName("__tsan_atomic" + BitSizeStr + "_load");
    {
      AttributeList AL = Attr;
      AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt);
      TsanAtomicLoad[i] =
          M.getOrInsertFunction(AtomicLoadName, AL, Ty, PtrTy, OrdTy);
    }

    SmallString<32> AtomicStoreName("__tsan_atomic" + BitSizeStr + "_store");
    {
      AttributeList AL = Attr;
      AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt);
      AL = AL.addParamAttribute(M.getContext(), 2, Attribute::ZExt);
      TsanAtomicStore[i] = M.getOrInsertFunction(
          AtomicStoreName, AL, IRB.getVoidTy(), PtrTy, Ty, OrdTy);
    }
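
    // One __tsan_atomic<N>_<op> callback is declared per supported RMW
    // operation and access size; operations with no runtime counterpart are
    // left null here and skipped during instrumentation.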
    for (unsigned Op = AtomicRMWInst::FIRST_BINOP;
         Op <= AtomicRMWInst::LAST_BINOP; ++Op) {
      TsanAtomicRMW[Op][i] = nullptr;
      const char *NamePart = nullptr;
      if (Op == AtomicRMWInst::Xchg)
        NamePart = "_exchange";
      else if (Op == AtomicRMWInst::Add)
        NamePart = "_fetch_add";
      else if (Op == AtomicRMWInst::Sub)
        NamePart = "_fetch_sub";
      else if (Op == AtomicRMWInst::And)
        NamePart = "_fetch_and";
      else if (Op == AtomicRMWInst::Or)
        NamePart = "_fetch_or";
      else if (Op == AtomicRMWInst::Xor)
        NamePart = "_fetch_xor";
      else if (Op == AtomicRMWInst::Nand)
        NamePart = "_fetch_nand";
      else
        continue;
      SmallString<32> RMWName("__tsan_atomic" + itostr(BitSize) + NamePart);
      {
        AttributeList AL = Attr;
        AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt);
        AL = AL.addParamAttribute(M.getContext(), 2, Attribute::ZExt);
        TsanAtomicRMW[Op][i] =
            M.getOrInsertFunction(RMWName, AL, Ty, PtrTy, Ty, OrdTy);
      }
    }

    SmallString<32> AtomicCASName("__tsan_atomic" + BitSizeStr +
                                  "_compare_exchange_val");
    {
      AttributeList AL = Attr;
      AL = AL.addParamAttribute(M.getContext(), 1, Attribute::ZExt);
      AL = AL.addParamAttribute(M.getContext(), 2, Attribute::ZExt);
      AL = AL.addParamAttribute(M.getContext(), 3, Attribute::ZExt);
      AL = AL.addParamAttribute(M.getContext(), 4, Attribute::ZExt);
      TsanAtomicCAS[i] = M.getOrInsertFunction(AtomicCASName, AL, Ty, PtrTy, Ty,
                                               Ty, OrdTy, OrdTy);
    }
  }
  TsanVptrUpdate =
      M.getOrInsertFunction("__tsan_vptr_update", Attr, IRB.getVoidTy(),
                            IRB.getInt8PtrTy(), IRB.getInt8PtrTy());
  TsanVptrLoad = M.getOrInsertFunction("__tsan_vptr_read", Attr,
                                       IRB.getVoidTy(), IRB.getInt8PtrTy());
  {
    AttributeList AL = Attr;
    AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt);
    TsanAtomicThreadFence = M.getOrInsertFunction("__tsan_atomic_thread_fence",
                                                  AL, IRB.getVoidTy(), OrdTy);
  }
  {
    AttributeList AL = Attr;
    AL = AL.addParamAttribute(M.getContext(), 0, Attribute::ZExt);
    TsanAtomicSignalFence = M.getOrInsertFunction("__tsan_atomic_signal_fence",
                                                  AL, IRB.getVoidTy(), OrdTy);
  }

  MemmoveFn =
      M.getOrInsertFunction("memmove", Attr, IRB.getInt8PtrTy(),
                            IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy);
  MemcpyFn =
      M.getOrInsertFunction("memcpy", Attr, IRB.getInt8PtrTy(),
                            IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IntptrTy);
  MemsetFn =
      M.getOrInsertFunction("memset", Attr, IRB.getInt8PtrTy(),
                            IRB.getInt8PtrTy(), IRB.getInt32Ty(), IntptrTy);
}

static bool isVtableAccess(Instruction *I) {
  if (MDNode *Tag = I->getMetadata(LLVMContext::MD_tbaa))
    return Tag->isTBAAVtableAccess();
  return false;
}

// Do not instrument known races/"benign races" that come from compiler
// instrumentation. The user has no way of suppressing them.
static bool shouldInstrumentReadWriteFromAddress(const Module *M, Value *Addr) {
  // Peel off GEPs and BitCasts.
  Addr = Addr->stripInBoundsOffsets();

  if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Addr)) {
    if (GV->hasSection()) {
      StringRef SectionName = GV->getSection();
      // Check if the global is in the PGO counters section.
      auto OF = Triple(M->getTargetTriple()).getObjectFormat();
      if (SectionName.endswith(
              getInstrProfSectionName(IPSK_cnts, OF, /*AddSegmentInfo=*/false)))
        return false;
    }

    // Check if the global is private gcov data.
    if (GV->getName().startswith("__llvm_gcov") ||
        GV->getName().startswith("__llvm_gcda"))
      return false;
  }

  // Do not instrument accesses from different address spaces; we cannot deal
  // with them.
  if (Addr) {
    Type *PtrTy = cast<PointerType>(Addr->getType()->getScalarType());
    if (PtrTy->getPointerAddressSpace() != 0)
      return false;
  }

  return true;
}
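
// Returns true if Addr is known to point at constant data (a constant global
// or a vtable slot read), in which case a read through it cannot be part of a
// data race and its instrumentation can be dropped.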
bool ThreadSanitizer::addrPointsToConstantData(Value *Addr) {
  // If this is a GEP, just analyze its pointer operand.
  if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(Addr))
    Addr = GEP->getPointerOperand();

  if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Addr)) {
    if (GV->isConstant()) {
      // Reads from constant globals can not race with any writes.
      NumOmittedReadsFromConstantGlobals++;
      return true;
    }
  } else if (LoadInst *L = dyn_cast<LoadInst>(Addr)) {
    if (isVtableAccess(L)) {
      // Reads from a vtable pointer can not race with any writes.
      NumOmittedReadsFromVtable++;
      return true;
    }
  }
  return false;
}

// Instrumenting some of the accesses may be proven redundant.
// Currently handled:
//  - read-before-write (within same BB, no calls between)
//  - variables that are not captured
//
// We do not handle some of the patterns that should not survive
// after the classic compiler optimizations.
// E.g. two reads from the same temp should be eliminated by CSE,
// two writes should be eliminated by DSE, etc.
//
// 'Local' is a vector of insns within the same BB (no calls between).
// 'All' is a vector of insns that will be instrumented.
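//
// For example (illustrative IR), in
//   %v = load i32, i32* %p
//   %v1 = add i32 %v, 1
//   store i32 %v1, i32* %p
// the load's instrumentation is omitted: the store to the same address in the
// same block already forces a race check there (or both are folded into one
// __tsan_read_write4 call under -tsan-compound-read-before-write).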
void ThreadSanitizer::chooseInstructionsToInstrument(
    SmallVectorImpl<Instruction *> &Local,
    SmallVectorImpl<InstructionInfo> &All, const DataLayout &DL) {
  DenseMap<Value *, size_t> WriteTargets; // Map of addresses to index in All
  // Iterate from the end.
  for (Instruction *I : reverse(Local)) {
    const bool IsWrite = isa<StoreInst>(*I);
    Value *Addr = IsWrite ? cast<StoreInst>(I)->getPointerOperand()
                          : cast<LoadInst>(I)->getPointerOperand();

    if (!shouldInstrumentReadWriteFromAddress(I->getModule(), Addr))
      continue;

    if (!IsWrite) {
      const auto WriteEntry = WriteTargets.find(Addr);
      if (!ClInstrumentReadBeforeWrite && WriteEntry != WriteTargets.end()) {
        auto &WI = All[WriteEntry->second];
        // If we distinguish volatile accesses and if either the read or write
        // is volatile, do not omit any instrumentation.
        const bool AnyVolatile =
            ClDistinguishVolatile && (cast<LoadInst>(I)->isVolatile() ||
                                      cast<StoreInst>(WI.Inst)->isVolatile());
        if (!AnyVolatile) {
          // We will write to this temp, so no reason to analyze the read.
          // Mark the write instruction as compound.
          WI.Flags |= InstructionInfo::kCompoundRW;
          NumOmittedReadsBeforeWrite++;
          continue;
        }
      }

      if (addrPointsToConstantData(Addr)) {
        // Addr points to some constant data -- it can not race with any writes.
        continue;
      }
    }

    if (isa<AllocaInst>(getUnderlyingObject(Addr)) &&
        !PointerMayBeCaptured(Addr, true, true)) {
      // The variable is addressable but not captured, so it cannot be
      // referenced from a different thread and participate in a data race
      // (see llvm/Analysis/CaptureTracking.h for details).
      NumOmittedNonCaptured++;
      continue;
    }

    // Instrument this instruction.
    All.emplace_back(I);
    if (IsWrite) {
      // For read-before-write and compound instrumentation we only need one
      // write target, and we can override any previous entry if it exists.
      WriteTargets[Addr] = All.size() - 1;
    }
  }
  Local.clear();
}

static bool isTsanAtomic(const Instruction *I) {
  // TODO: Ask TTI whether synchronization scope is between threads.
  auto SSID = getAtomicSyncScopeID(I);
  if (!SSID.hasValue())
    return false;
  if (isa<LoadInst>(I) || isa<StoreInst>(I))
    return SSID.getValue() != SyncScope::SingleThread;
  return true;
}

void ThreadSanitizer::InsertRuntimeIgnores(Function &F) {
  InstrumentationIRBuilder IRB(F.getEntryBlock().getFirstNonPHI(), F);
  IRB.CreateCall(TsanIgnoreBegin);
  EscapeEnumerator EE(F, "tsan_ignore_cleanup", ClHandleCxxExceptions);
  while (IRBuilder<> *AtExit = EE.Next()) {
    InstrumentationIRBuilder::ensureDebugInfo(*AtExit, F);
    AtExit->CreateCall(TsanIgnoreEnd);
  }
}

bool ThreadSanitizer::sanitizeFunction(Function &F,
                                       const TargetLibraryInfo &TLI) {
  // This is required to prevent instrumenting the call to __tsan_init from
  // within the module constructor.
  if (F.getName() == kTsanModuleCtorName)
    return false;
  // Naked functions can not have prologue/epilogue
  // (__tsan_func_entry/__tsan_func_exit) generated, so don't instrument them at
  // all.
  if (F.hasFnAttribute(Attribute::Naked))
    return false;

  // __attribute__(disable_sanitizer_instrumentation) prevents all kinds of
  // instrumentation.
  if (F.hasFnAttribute(Attribute::DisableSanitizerInstrumentation))
    return false;

  initialize(*F.getParent());
  SmallVector<InstructionInfo, 8> AllLoadsAndStores;
  SmallVector<Instruction*, 8> LocalLoadsAndStores;
  SmallVector<Instruction*, 8> AtomicAccesses;
  SmallVector<Instruction*, 8> MemIntrinCalls;
  bool Res = false;
  bool HasCalls = false;
  bool SanitizeFunction = F.hasFnAttribute(Attribute::SanitizeThread);
  const DataLayout &DL = F.getParent()->getDataLayout();

  // Traverse all instructions, collect loads/stores/returns, check for calls.
  for (auto &BB : F) {
    for (auto &Inst : BB) {
      if (isTsanAtomic(&Inst))
        AtomicAccesses.push_back(&Inst);
      else if (isa<LoadInst>(Inst) || isa<StoreInst>(Inst))
        LocalLoadsAndStores.push_back(&Inst);
      else if ((isa<CallInst>(Inst) && !isa<DbgInfoIntrinsic>(Inst)) ||
               isa<InvokeInst>(Inst)) {
        if (CallInst *CI = dyn_cast<CallInst>(&Inst))
          maybeMarkSanitizerLibraryCallNoBuiltin(CI, &TLI);
        if (isa<MemIntrinsic>(Inst))
          MemIntrinCalls.push_back(&Inst);
        HasCalls = true;
        chooseInstructionsToInstrument(LocalLoadsAndStores, AllLoadsAndStores,
                                       DL);
      }
    }
    chooseInstructionsToInstrument(LocalLoadsAndStores, AllLoadsAndStores, DL);
  }

  // We have collected all loads and stores.
  // FIXME: many of these accesses do not need to be checked for races
  // (e.g. variables that do not escape, etc).

  // Instrument memory accesses only if we want to report bugs in the function.
  if (ClInstrumentMemoryAccesses && SanitizeFunction)
    for (const auto &II : AllLoadsAndStores) {
      Res |= instrumentLoadOrStore(II, DL, F);
    }

  // Instrument atomic memory accesses in any case (they can be used to
  // implement synchronization).
  if (ClInstrumentAtomics)
    for (auto Inst : AtomicAccesses) {
      Res |= instrumentAtomic(Inst, DL, F);
    }

  if (ClInstrumentMemIntrinsics && SanitizeFunction)
    for (auto Inst : MemIntrinCalls) {
      Res |= instrumentMemIntrinsic(Inst);
    }

  if (F.hasFnAttribute("sanitize_thread_no_checking_at_run_time")) {
    assert(!F.hasFnAttribute(Attribute::SanitizeThread));
    if (HasCalls)
      InsertRuntimeIgnores(F);
  }

  // Instrument function entry/exit points if there were instrumented accesses.
  if ((Res || HasCalls) && ClInstrumentFuncEntryExit) {
    InstrumentationIRBuilder IRB(F.getEntryBlock().getFirstNonPHI(), F);
    Value *ReturnAddress = IRB.CreateCall(
        Intrinsic::getDeclaration(F.getParent(), Intrinsic::returnaddress),
        IRB.getInt32(0));
    IRB.CreateCall(TsanFuncEntry, ReturnAddress);

    EscapeEnumerator EE(F, "tsan_cleanup", ClHandleCxxExceptions);
    while (IRBuilder<> *AtExit = EE.Next()) {
      InstrumentationIRBuilder::ensureDebugInfo(*AtExit, F);
      AtExit->CreateCall(TsanFuncExit, {});
    }
    Res = true;
  }
  return Res;
}
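
// Emits one runtime callback in front of the access; which callback is chosen
// depends on access size, alignment, volatility, and whether the access was
// marked as a compound read-before-write. For example, an aligned,
// non-volatile 8-byte store becomes a __tsan_write8 call, while a misaligned
// one becomes __tsan_unaligned_write8.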
bool ThreadSanitizer::instrumentLoadOrStore(const InstructionInfo &II,
                                            const DataLayout &DL,
                                            const Function &F) {
  InstrumentationIRBuilder IRB(II.Inst, F);
  const bool IsWrite = isa<StoreInst>(*II.Inst);
  Value *Addr = IsWrite ? cast<StoreInst>(II.Inst)->getPointerOperand()
                        : cast<LoadInst>(II.Inst)->getPointerOperand();
  Type *OrigTy = getLoadStoreType(II.Inst);

  // swifterror memory addresses are mem2reg promoted by instruction selection.
  // As such they cannot have regular uses like an instrumentation function and
  // it makes no sense to track them as memory.
  if (Addr->isSwiftError())
    return false;

  int Idx = getMemoryAccessFuncIndex(OrigTy, Addr, DL);
  if (Idx < 0)
    return false;
  if (IsWrite && isVtableAccess(II.Inst)) {
    LLVM_DEBUG(dbgs() << " VPTR : " << *II.Inst << "\n");
    Value *StoredValue = cast<StoreInst>(II.Inst)->getValueOperand();
    // StoredValue may be a vector type if we are storing several vptrs at once.
    // In this case, just take the first element of the vector since this is
    // enough to find vptr races.
    if (isa<VectorType>(StoredValue->getType()))
      StoredValue = IRB.CreateExtractElement(
          StoredValue, ConstantInt::get(IRB.getInt32Ty(), 0));
    if (StoredValue->getType()->isIntegerTy())
      StoredValue = IRB.CreateIntToPtr(StoredValue, IRB.getInt8PtrTy());
    // Call TsanVptrUpdate.
    IRB.CreateCall(TsanVptrUpdate,
                   {IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()),
                    IRB.CreatePointerCast(StoredValue, IRB.getInt8PtrTy())});
    NumInstrumentedVtableWrites++;
    return true;
  }
  if (!IsWrite && isVtableAccess(II.Inst)) {
    IRB.CreateCall(TsanVptrLoad,
                   IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()));
    NumInstrumentedVtableReads++;
    return true;
  }

  const unsigned Alignment = IsWrite ? cast<StoreInst>(II.Inst)->getAlignment()
                                     : cast<LoadInst>(II.Inst)->getAlignment();
  const bool IsCompoundRW =
      ClCompoundReadBeforeWrite && (II.Flags & InstructionInfo::kCompoundRW);
  const bool IsVolatile = ClDistinguishVolatile &&
                          (IsWrite ? cast<StoreInst>(II.Inst)->isVolatile()
                                   : cast<LoadInst>(II.Inst)->isVolatile());
  assert((!IsVolatile || !IsCompoundRW) && "Compound volatile invalid!");

  const uint32_t TypeSize = DL.getTypeStoreSizeInBits(OrigTy);
  FunctionCallee OnAccessFunc = nullptr;
  if (Alignment == 0 || Alignment >= 8 || (Alignment % (TypeSize / 8)) == 0) {
    if (IsCompoundRW)
      OnAccessFunc = TsanCompoundRW[Idx];
    else if (IsVolatile)
      OnAccessFunc = IsWrite ? TsanVolatileWrite[Idx] : TsanVolatileRead[Idx];
    else
      OnAccessFunc = IsWrite ? TsanWrite[Idx] : TsanRead[Idx];
  } else {
    if (IsCompoundRW)
      OnAccessFunc = TsanUnalignedCompoundRW[Idx];
    else if (IsVolatile)
      OnAccessFunc = IsWrite ? TsanUnalignedVolatileWrite[Idx]
                             : TsanUnalignedVolatileRead[Idx];
    else
      OnAccessFunc = IsWrite ? TsanUnalignedWrite[Idx] : TsanUnalignedRead[Idx];
  }
  IRB.CreateCall(OnAccessFunc, IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()));
  if (IsCompoundRW || IsWrite)
    NumInstrumentedWrites++;
  if (IsCompoundRW || !IsWrite)
    NumInstrumentedReads++;
  return true;
}
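
// createOrdering maps an LLVM atomic ordering to the integer memory-order
// argument expected by the __tsan_atomic* callbacks (presumably mirroring the
// runtime's own ordering enum), e.g. an 'acquire' load is passed as 2.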
static ConstantInt *createOrdering(IRBuilder<> *IRB, AtomicOrdering ord) {
  uint32_t v = 0;
  switch (ord) {
  case AtomicOrdering::NotAtomic:
    llvm_unreachable("unexpected atomic ordering!");
  case AtomicOrdering::Unordered:              LLVM_FALLTHROUGH;
  case AtomicOrdering::Monotonic:              v = 0; break;
  // Not specified yet:
  // case AtomicOrdering::Consume:             v = 1; break;
  case AtomicOrdering::Acquire:                v = 2; break;
  case AtomicOrdering::Release:                v = 3; break;
  case AtomicOrdering::AcquireRelease:         v = 4; break;
  case AtomicOrdering::SequentiallyConsistent: v = 5; break;
  }
  return IRB->getInt32(v);
}

// If a memset intrinsic gets inlined by the code gen, we will miss races on it.
// So, we either need to ensure the intrinsic is not inlined, or instrument it.
// We do not instrument memset/memmove/memcpy intrinsics (too complicated);
// instead we simply replace them with regular function calls, which are then
// intercepted by the run-time.
// Since tsan is running after everyone else, the calls should not be
// replaced back with intrinsics. If that becomes wrong at some point,
// we will need to call e.g. __tsan_memset to avoid the intrinsics.
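//
// For illustration, a call such as
//   call void @llvm.memcpy.p0i8.p0i8.i64(i8* %dst, i8* %src, i64 %n, i1 false)
// is replaced with a plain libc call
//   call i8* @memcpy(i8* %dst, i8* %src, i64 %n)
// which the TSan runtime intercepts like any other memcpy.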
bool ThreadSanitizer::instrumentMemIntrinsic(Instruction *I) {
  IRBuilder<> IRB(I);
  if (MemSetInst *M = dyn_cast<MemSetInst>(I)) {
    IRB.CreateCall(
        MemsetFn,
        {IRB.CreatePointerCast(M->getArgOperand(0), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(M->getArgOperand(1), IRB.getInt32Ty(), false),
         IRB.CreateIntCast(M->getArgOperand(2), IntptrTy, false)});
    I->eraseFromParent();
  } else if (MemTransferInst *M = dyn_cast<MemTransferInst>(I)) {
    IRB.CreateCall(
        isa<MemCpyInst>(M) ? MemcpyFn : MemmoveFn,
        {IRB.CreatePointerCast(M->getArgOperand(0), IRB.getInt8PtrTy()),
         IRB.CreatePointerCast(M->getArgOperand(1), IRB.getInt8PtrTy()),
         IRB.CreateIntCast(M->getArgOperand(2), IntptrTy, false)});
    I->eraseFromParent();
  }
  return false;
}

// Both llvm and ThreadSanitizer atomic operations are based on the C++11/C1x
// standards. For background see the C++11 standard. A slightly older, publicly
// available draft of the standard (not entirely up-to-date, but close enough
// for casual browsing) is available here:
// http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2011/n3242.pdf
// The following page contains more background information:
// http://www.hpl.hp.com/personal/Hans_Boehm/c++mm/

bool ThreadSanitizer::instrumentAtomic(Instruction *I, const DataLayout &DL,
                                       const Function &F) {
  InstrumentationIRBuilder IRB(I, F);
  if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
    Value *Addr = LI->getPointerOperand();
    Type *OrigTy = LI->getType();
    int Idx = getMemoryAccessFuncIndex(OrigTy, Addr, DL);
    if (Idx < 0)
      return false;
    const unsigned ByteSize = 1U << Idx;
    const unsigned BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     createOrdering(&IRB, LI->getOrdering())};
    Value *C = IRB.CreateCall(TsanAtomicLoad[Idx], Args);
    Value *Cast = IRB.CreateBitOrPointerCast(C, OrigTy);
    I->replaceAllUsesWith(Cast);
  } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
    Value *Addr = SI->getPointerOperand();
    int Idx =
        getMemoryAccessFuncIndex(SI->getValueOperand()->getType(), Addr, DL);
    if (Idx < 0)
      return false;
    const unsigned ByteSize = 1U << Idx;
    const unsigned BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     IRB.CreateBitOrPointerCast(SI->getValueOperand(), Ty),
                     createOrdering(&IRB, SI->getOrdering())};
    CallInst *C = CallInst::Create(TsanAtomicStore[Idx], Args);
    ReplaceInstWithInst(I, C);
  } else if (AtomicRMWInst *RMWI = dyn_cast<AtomicRMWInst>(I)) {
    Value *Addr = RMWI->getPointerOperand();
    int Idx =
        getMemoryAccessFuncIndex(RMWI->getValOperand()->getType(), Addr, DL);
    if (Idx < 0)
      return false;
    FunctionCallee F = TsanAtomicRMW[RMWI->getOperation()][Idx];
    if (!F)
      return false;
    const unsigned ByteSize = 1U << Idx;
    const unsigned BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     IRB.CreateIntCast(RMWI->getValOperand(), Ty, false),
                     createOrdering(&IRB, RMWI->getOrdering())};
    CallInst *C = CallInst::Create(F, Args);
    ReplaceInstWithInst(I, C);
  } else if (AtomicCmpXchgInst *CASI = dyn_cast<AtomicCmpXchgInst>(I)) {
    Value *Addr = CASI->getPointerOperand();
    Type *OrigOldValTy = CASI->getNewValOperand()->getType();
    int Idx = getMemoryAccessFuncIndex(OrigOldValTy, Addr, DL);
    if (Idx < 0)
      return false;
    const unsigned ByteSize = 1U << Idx;
    const unsigned BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *CmpOperand =
        IRB.CreateBitOrPointerCast(CASI->getCompareOperand(), Ty);
    Value *NewOperand =
        IRB.CreateBitOrPointerCast(CASI->getNewValOperand(), Ty);
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     CmpOperand,
                     NewOperand,
                     createOrdering(&IRB, CASI->getSuccessOrdering()),
                     createOrdering(&IRB, CASI->getFailureOrdering())};
    CallInst *C = IRB.CreateCall(TsanAtomicCAS[Idx], Args);
    Value *Success = IRB.CreateICmpEQ(C, CmpOperand);
    Value *OldVal = C;
    if (Ty != OrigOldValTy) {
      // The value is a pointer, so we need to cast the return value.
      OldVal = IRB.CreateIntToPtr(C, OrigOldValTy);
    }

    Value *Res =
        IRB.CreateInsertValue(UndefValue::get(CASI->getType()), OldVal, 0);
    Res = IRB.CreateInsertValue(Res, Success, 1);

    I->replaceAllUsesWith(Res);
    I->eraseFromParent();
  } else if (FenceInst *FI = dyn_cast<FenceInst>(I)) {
    Value *Args[] = {createOrdering(&IRB, FI->getOrdering())};
    FunctionCallee F = FI->getSyncScopeID() == SyncScope::SingleThread
                           ? TsanAtomicSignalFence
                           : TsanAtomicThreadFence;
    CallInst *C = CallInst::Create(F, Args);
    ReplaceInstWithInst(I, C);
  }
  return true;
}
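
// Maps the access size to an index into the callback arrays: a type with a
// store size of N bytes (N in {1, 2, 4, 8, 16}) yields log2(N), so e.g. a
// 32-bit access gets index 2 and is checked via __tsan_read4 / __tsan_write4.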
int ThreadSanitizer::getMemoryAccessFuncIndex(Type *OrigTy, Value *Addr,
                                              const DataLayout &DL) {
  assert(OrigTy->isSized());
  assert(
      cast<PointerType>(Addr->getType())->isOpaqueOrPointeeTypeMatches(OrigTy));
  uint32_t TypeSize = DL.getTypeStoreSizeInBits(OrigTy);
  if (TypeSize != 8  && TypeSize != 16 &&
      TypeSize != 32 && TypeSize != 64 && TypeSize != 128) {
    NumAccessesWithBadSize++;
    // Ignore all unusual sizes.
    return -1;
  }
  size_t Idx = countTrailingZeros(TypeSize / 8);
  assert(Idx < kNumberOfAccessSizes);
  return Idx;
}