//===-- ThreadSanitizer.cpp - race detector -------------------------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is a part of ThreadSanitizer, a race detector.
//
// The tool is under development, for the details about previous versions see
// http://code.google.com/p/data-race-test
//
// The instrumentation phase is quite simple:
//   - Insert calls to run-time library before every memory access.
//      - Optimizations may apply to avoid instrumenting some of the accesses.
//   - Insert calls at function entry/exit.
// The rest is handled by the run-time library.
//
// Reviewer note on the trust boundary: this pass only emits calls to
// well-known runtime symbols (__tsan_*, memset/memcpy/memmove). Every such
// symbol is resolved through checkInterfaceFunction() below, so a module that
// already defines one of these names with a different signature aborts the
// compile rather than silently getting a mis-typed call inserted.
//===----------------------------------------------------------------------===//

#include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Metadata.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/MathExtras.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"

using namespace llvm;

#define DEBUG_TYPE "tsan"

// Hidden command-line knobs. All default to "on"; turning one off disables a
// whole class of instrumentation (and therefore of detectable races) for the
// entire compilation, so they are intended for debugging the pass itself.
static cl::opt<bool>  ClInstrumentMemoryAccesses(
    "tsan-instrument-memory-accesses", cl::init(true),
    cl::desc("Instrument memory accesses"), cl::Hidden);
static cl::opt<bool>  ClInstrumentFuncEntryExit(
    "tsan-instrument-func-entry-exit", cl::init(true),
    cl::desc("Instrument function entry and exit"), cl::Hidden);
static cl::opt<bool>  ClInstrumentAtomics(
    "tsan-instrument-atomics", cl::init(true),
    cl::desc("Instrument atomics"), cl::Hidden);
static cl::opt<bool>  ClInstrumentMemIntrinsics(
    "tsan-instrument-memintrinsics", cl::init(true),
    cl::desc("Instrument memintrinsics (memset/memcpy/memmove)"), cl::Hidden);

// Statistics about what was instrumented and, more importantly for coverage,
// what was deliberately skipped (reads before writes, constant globals,
// vtable reads, accesses of unusual size).
STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
STATISTIC(NumOmittedReadsBeforeWrite,
          "Number of reads ignored due to following writes");
STATISTIC(NumAccessesWithBadSize, "Number of accesses with bad size");
STATISTIC(NumInstrumentedVtableWrites, "Number of vtable ptr writes");
STATISTIC(NumInstrumentedVtableReads, "Number of vtable ptr reads");
STATISTIC(NumOmittedReadsFromConstantGlobals,
          "Number of reads from constant globals");
STATISTIC(NumOmittedReadsFromVtable, "Number of vtable reads");

namespace {

/// ThreadSanitizer: instrument the code in module to find races.
///
/// Per-function pass. doInitialization() captures the DataLayout and registers
/// __tsan_init as a module constructor; runOnFunction() then (re)resolves the
/// runtime callbacks and rewrites loads/stores, atomics and mem intrinsics.
struct ThreadSanitizer : public FunctionPass {
  ThreadSanitizer() : FunctionPass(ID), DL(nullptr) {}
  const char *getPassName() const override;
  bool runOnFunction(Function &F) override;
  bool doInitialization(Module &M) override;
  static char ID;  // Pass identification, replacement for typeid.

 private:
  /// Resolves every runtime entry point used below via getOrInsertFunction.
  void initializeCallbacks(Module &M);
  /// Inserts a __tsan_read*/__tsan_write*/vptr callback before a plain
  /// (non-atomic) load or store. Returns true if a call was inserted.
  bool instrumentLoadOrStore(Instruction *I);
  /// Replaces an atomic load/store/RMW/cmpxchg/fence with the matching
  /// __tsan_atomic* callback.
  bool instrumentAtomic(Instruction *I);
  /// Replaces a memset/memcpy/memmove intrinsic with a libc call.
  bool instrumentMemIntrinsic(Instruction *I);
  /// Moves the instructions of `Local` that still need instrumentation into
  /// `All` and clears `Local`.
  void chooseInstructionsToInstrument(SmallVectorImpl<Instruction*> &Local,
                                      SmallVectorImpl<Instruction*> &All);
  /// True if a read through `Addr` provably cannot race (constant global or
  /// vtable pointer).
  bool addrPointsToConstantData(Value *Addr);
  /// Index into the per-size callback tables for the pointee of `Addr`, or
  /// -1 if the access size has no callback.
  int getMemoryAccessFuncIndex(Value *Addr);

  const DataLayout *DL;   // Set in doInitialization; runOnFunction bails if null.
  Type *IntptrTy;         // Set in doInitialization from DL.
  IntegerType *OrdTy;     // i32; set in initializeCallbacks, carries memory orderings.
  // Callbacks to run-time library are computed in doInitialization.
  Function *TsanFuncEntry;
  Function *TsanFuncExit;
  // Accesses sizes are powers of two: 1, 2, 4, 8, 16.
  static const size_t kNumberOfAccessSizes = 5;
  // Tables indexed by log2(access size in bytes); see getMemoryAccessFuncIndex.
  Function *TsanRead[kNumberOfAccessSizes];
  Function *TsanWrite[kNumberOfAccessSizes];
  Function *TsanUnalignedRead[kNumberOfAccessSizes];
  Function *TsanUnalignedWrite[kNumberOfAccessSizes];
  Function *TsanAtomicLoad[kNumberOfAccessSizes];
  Function *TsanAtomicStore[kNumberOfAccessSizes];
  // Entries for RMW operations without a runtime callback stay nullptr.
  Function *TsanAtomicRMW[AtomicRMWInst::LAST_BINOP + 1][kNumberOfAccessSizes];
  Function *TsanAtomicCAS[kNumberOfAccessSizes];
  Function *TsanAtomicThreadFence;
  Function *TsanAtomicSignalFence;
  Function *TsanVptrUpdate;
  Function *TsanVptrLoad;
  Function *MemmoveFn, *MemcpyFn, *MemsetFn;
};
}  // namespace

char ThreadSanitizer::ID = 0;
INITIALIZE_PASS(ThreadSanitizer, "tsan",
    "ThreadSanitizer: detects data races.",
    false, false)

const char *ThreadSanitizer::getPassName() const {
  return "ThreadSanitizer";
}

FunctionPass *llvm::createThreadSanitizerPass() {
  return new ThreadSanitizer();
}

/// Turns the result of Module::getOrInsertFunction into a Function*.
///
/// getOrInsertFunction returns a plain Function when the name is new or
/// already declared with the requested type; if the module already contains
/// that symbol with a *different* type it returns a bitcast constant instead.
/// Calling through such a bitcast would mean the instrumented code invokes the
/// runtime with a mismatched signature, so that case is treated as fatal: dump
/// the offending value and abort the compile.
static Function *checkInterfaceFunction(Constant *FuncOrBitcast) {
  if (Function *F = dyn_cast<Function>(FuncOrBitcast))
     return F;
  FuncOrBitcast->dump();
  report_fatal_error("ThreadSanitizer interface function redefined");
}

/// Resolves all runtime entry points used by the instrumentation.
///
/// Called from runOnFunction for every function, so it relies on
/// getOrInsertFunction being idempotent. Naming scheme:
///   __tsan_read<N>/__tsan_write<N>, __tsan_unaligned_read<N>/...   N = bytes
///   __tsan_atomic<B>_load/_store/_fetch_*/_exchange/_compare_exchange_val
///                                                                  B = bits
/// Uses IntptrTy, which doInitialization must have set beforehand.
void ThreadSanitizer::initializeCallbacks(Module &M) {
  IRBuilder<> IRB(M.getContext());
  // Initialize the callbacks.
  TsanFuncEntry = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_func_entry", IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr));
  TsanFuncExit = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_func_exit", IRB.getVoidTy(), nullptr));
  OrdTy = IRB.getInt32Ty();
  // i ranges over 0..4, i.e. access sizes 1, 2, 4, 8, 16 bytes.
  for (size_t i = 0; i < kNumberOfAccessSizes; ++i) {
    const size_t ByteSize = 1 << i;
    const size_t BitSize = ByteSize * 8;
    SmallString<32> ReadName("__tsan_read" + itostr(ByteSize));
    TsanRead[i] = checkInterfaceFunction(M.getOrInsertFunction(
        ReadName, IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr));

    SmallString<32> WriteName("__tsan_write" + itostr(ByteSize));
    TsanWrite[i] = checkInterfaceFunction(M.getOrInsertFunction(
        WriteName, IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr));

    SmallString<64> UnalignedReadName("__tsan_unaligned_read" +
                                      itostr(ByteSize));
    TsanUnalignedRead[i] = checkInterfaceFunction(M.getOrInsertFunction(
        UnalignedReadName, IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr));

    SmallString<64> UnalignedWriteName("__tsan_unaligned_write" +
                                       itostr(ByteSize));
    TsanUnalignedWrite[i] = checkInterfaceFunction(M.getOrInsertFunction(
        UnalignedWriteName, IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr));

    // Atomic callbacks take/return the integer type of the access width and
    // a pointer to it; orderings are passed as OrdTy (i32).
    Type *Ty = Type::getIntNTy(M.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    SmallString<32> AtomicLoadName("__tsan_atomic" + itostr(BitSize) +
                                   "_load");
    TsanAtomicLoad[i] = checkInterfaceFunction(M.getOrInsertFunction(
        AtomicLoadName, Ty, PtrTy, OrdTy, nullptr));

    SmallString<32> AtomicStoreName("__tsan_atomic" + itostr(BitSize) +
                                    "_store");
    TsanAtomicStore[i] = checkInterfaceFunction(M.getOrInsertFunction(
        AtomicStoreName, IRB.getVoidTy(), PtrTy, Ty, OrdTy,
        nullptr));

    // Only the listed RMW operations have a runtime callback; the rest are
    // left nullptr and instrumentAtomic leaves such instructions untouched.
    for (int op = AtomicRMWInst::FIRST_BINOP;
        op <= AtomicRMWInst::LAST_BINOP; ++op) {
      TsanAtomicRMW[op][i] = nullptr;
      const char *NamePart = nullptr;
      if (op == AtomicRMWInst::Xchg)
        NamePart = "_exchange";
      else if (op == AtomicRMWInst::Add)
        NamePart = "_fetch_add";
      else if (op == AtomicRMWInst::Sub)
        NamePart = "_fetch_sub";
      else if (op == AtomicRMWInst::And)
        NamePart = "_fetch_and";
      else if (op == AtomicRMWInst::Or)
        NamePart = "_fetch_or";
      else if (op == AtomicRMWInst::Xor)
        NamePart = "_fetch_xor";
      else if (op == AtomicRMWInst::Nand)
        NamePart = "_fetch_nand";
      else
        continue;
      SmallString<32> RMWName("__tsan_atomic" + itostr(BitSize) + NamePart);
      TsanAtomicRMW[op][i] = checkInterfaceFunction(M.getOrInsertFunction(
          RMWName, Ty, PtrTy, Ty, OrdTy, nullptr));
    }

    SmallString<32> AtomicCASName("__tsan_atomic" + itostr(BitSize) +
                                  "_compare_exchange_val");
    TsanAtomicCAS[i] = checkInterfaceFunction(M.getOrInsertFunction(
        AtomicCASName, Ty, PtrTy, Ty, Ty, OrdTy, OrdTy, nullptr));
  }
  TsanVptrUpdate = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_vptr_update", IRB.getVoidTy(), IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), nullptr));
  TsanVptrLoad = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_vptr_read", IRB.getVoidTy(), IRB.getInt8PtrTy(), nullptr));
  TsanAtomicThreadFence = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_atomic_thread_fence", IRB.getVoidTy(), OrdTy, nullptr));
  TsanAtomicSignalFence = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_atomic_signal_fence", IRB.getVoidTy(), OrdTy, nullptr));

  // Plain libc declarations; mem intrinsics are lowered to calls to these so
  // the runtime's interceptors see them (see instrumentMemIntrinsic).
  MemmoveFn = checkInterfaceFunction(M.getOrInsertFunction(
    "memmove", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
    IRB.getInt8PtrTy(), IntptrTy, nullptr));
  MemcpyFn = checkInterfaceFunction(M.getOrInsertFunction(
    "memcpy", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt8PtrTy(),
    IntptrTy, nullptr));
  MemsetFn = checkInterfaceFunction(M.getOrInsertFunction(
    "memset", IRB.getInt8PtrTy(), IRB.getInt8PtrTy(), IRB.getInt32Ty(),
    IntptrTy, nullptr));
}
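/// Module-level setup: captures the DataLayout (fatal if absent), derives
/// IntptrTy from it and registers __tsan_init as a global constructor so the
/// runtime is initialised before any instrumented code runs.
///
/// Returns true because the module's constructor list is modified.
bool ThreadSanitizer::doInitialization(Module &M) {
  DataLayoutPass *DLP = getAnalysisIfAvailable<DataLayoutPass>();
  if (!DLP)
    report_fatal_error("data layout missing");
  DL = &DLP->getDataLayout();

  // Always insert a call to __tsan_init into the module's CTORs.
  IRBuilder<> IRB(M.getContext());
  IntptrTy = IRB.getIntPtrTy(DL);
  // Resolve __tsan_init the same way as every other runtime entry point: if
  // the module already carries a "__tsan_init" of a different type,
  // getOrInsertFunction yields a bitcast constant, and the earlier
  // cast<Function> would trip an assertion instead of producing the clear
  // "interface function redefined" fatal error.
  Function *TsanInit = checkInterfaceFunction(
      M.getOrInsertFunction("__tsan_init", IRB.getVoidTy(), nullptr));
  // Priority 0: run as early as the constructor ordering allows.
  appendToGlobalCtors(M, TsanInit, 0);

  return true;
}

/// True if `I` carries TBAA metadata marking it as a vtable-pointer access.
static bool isVtableAccess(Instruction *I) {
  if (MDNode *Tag = I->getMetadata(LLVMContext::MD_tbaa))
    return Tag->isTBAAVtableAccess();
  return false;
}

/// Decides whether a read through `Addr` can be skipped because the data it
/// reads is never written after initialisation.
///
/// Only one GEP level is peeled; anything deeper is conservatively treated as
/// potentially racy (returns false). Each skip is counted in the matching
/// statistic so the amount of elided coverage stays visible.
bool ThreadSanitizer::addrPointsToConstantData(Value *Addr) {
  // If this is a GEP, just analyze its pointer operand.
  if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(Addr))
    Addr = GEP->getPointerOperand();

  if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Addr)) {
    if (GV->isConstant()) {
      // Reads from constant globals can not race with any writes.
      NumOmittedReadsFromConstantGlobals++;
      return true;
    }
  } else if (LoadInst *L = dyn_cast<LoadInst>(Addr)) {
    if (isVtableAccess(L)) {
      // Reads from a vtable pointer can not race with any writes.
      NumOmittedReadsFromVtable++;
      return true;
    }
  }
  return false;
}

// Instrumenting some of the accesses may be proven redundant.
// Currently handled:
//  - read-before-write (within same BB, no calls between)
//
// We do not handle some of the patterns that should not survive
// after the classic compiler optimizations.
// E.g. two reads from the same temp should be eliminated by CSE,
// two writes should be eliminated by DSE, etc.
//
// 'Local' is a vector of insns within the same BB (no calls between).
// 'All' is a vector of insns that will be instrumented.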
/// Filters a call-free window of loads/stores (`Local`) and appends the ones
/// that still need a callback to `All`; `Local` is cleared afterwards.
///
/// Walks the window backwards so that every store's address is known before
/// the loads that precede it are examined; a load from an address that is
/// stored to later in the same window is dropped (read-before-write), as is
/// any load addrPointsToConstantData() approves.
///
/// NOTE(review): callers flush the window only at calls, not at atomic
/// operations (see runOnFunction), so "load X; <atomic>; store X" still elides
/// the load. Whether that is sound under the runtime's happens-before model is
/// not established by this file — confirm before relying on it.
void ThreadSanitizer::chooseInstructionsToInstrument(
    SmallVectorImpl<Instruction*> &Local,
    SmallVectorImpl<Instruction*> &All) {
  SmallSet<Value*, 8> WriteTargets;
  // Iterate from the end.
  for (SmallVectorImpl<Instruction*>::reverse_iterator It = Local.rbegin(),
       E = Local.rend(); It != E; ++It) {
    Instruction *I = *It;
    if (StoreInst *Store = dyn_cast<StoreInst>(I)) {
      WriteTargets.insert(Store->getPointerOperand());
    } else {
      // runOnFunction only puts loads and stores into Local, so anything
      // that is not a store must be a load.
      LoadInst *Load = cast<LoadInst>(I);
      Value *Addr = Load->getPointerOperand();
      if (WriteTargets.count(Addr)) {
        // We will write to this temp, so no reason to analyze the read.
        NumOmittedReadsBeforeWrite++;
        continue;
      }
      if (addrPointsToConstantData(Addr)) {
        // Addr points to some constant data -- it can not race with any writes.
        continue;
      }
    }
    All.push_back(I);
  }
  Local.clear();
}

/// Classifies `I` as an atomic operation that instrumentAtomic handles.
///
/// Loads/stores count only when they are atomic *and* cross-thread scoped;
/// a SingleThread-scoped atomic load/store falls through to the plain
/// load/store path. RMW, cmpxchg and fence always count.
static bool isAtomic(Instruction *I) {
  if (LoadInst *LI = dyn_cast<LoadInst>(I))
    return LI->isAtomic() && LI->getSynchScope() == CrossThread;
  if (StoreInst *SI = dyn_cast<StoreInst>(I))
    return SI->isAtomic() && SI->getSynchScope() == CrossThread;
  if (isa<AtomicRMWInst>(I))
    return true;
  if (isa<AtomicCmpXchgInst>(I))
    return true;
  if (isa<FenceInst>(I))
    return true;
  return false;
}

/// Instruments one function.
///
/// Collection pass: atomics, plain loads/stores, returns and calls are
/// gathered; every call (and the end of each basic block) closes the current
/// read-before-write window via chooseInstructionsToInstrument.
///
/// Instrumentation pass: plain accesses and mem intrinsics are rewritten only
/// when the function carries the SanitizeThread attribute; atomics are
/// rewritten regardless, because unsanitized code may still synchronize with
/// sanitized code through them. Entry/exit callbacks are added when anything
/// was instrumented or the function makes calls.
///
/// Returns true if the function was modified.
bool ThreadSanitizer::runOnFunction(Function &F) {
  if (!DL) return false;
  initializeCallbacks(*F.getParent());
  SmallVector<Instruction*, 8> RetVec;
  SmallVector<Instruction*, 8> AllLoadsAndStores;
  SmallVector<Instruction*, 8> LocalLoadsAndStores;
  SmallVector<Instruction*, 8> AtomicAccesses;
  SmallVector<Instruction*, 8> MemIntrinCalls;
  bool Res = false;
  bool HasCalls = false;
  bool SanitizeFunction = F.hasFnAttribute(Attribute::SanitizeThread);

  // Traverse all instructions, collect loads/stores/returns, check for calls.
  for (auto &BB : F) {
    for (auto &Inst : BB) {
      if (isAtomic(&Inst))
        AtomicAccesses.push_back(&Inst);
      else if (isa<LoadInst>(Inst) || isa<StoreInst>(Inst))
        LocalLoadsAndStores.push_back(&Inst);
      else if (isa<ReturnInst>(Inst))
        RetVec.push_back(&Inst);
      else if (isa<CallInst>(Inst) || isa<InvokeInst>(Inst)) {
        if (isa<MemIntrinsic>(Inst))
          MemIntrinCalls.push_back(&Inst);
        HasCalls = true;
        // A call may write anything: close the read-before-write window.
        chooseInstructionsToInstrument(LocalLoadsAndStores, AllLoadsAndStores);
      }
    }
    chooseInstructionsToInstrument(LocalLoadsAndStores, AllLoadsAndStores);
  }

  // We have collected all loads and stores.
  // FIXME: many of these accesses do not need to be checked for races
  // (e.g. variables that do not escape, etc).

  // Instrument memory accesses only if we want to report bugs in the function.
  if (ClInstrumentMemoryAccesses && SanitizeFunction)
    for (auto Inst : AllLoadsAndStores) {
      Res |= instrumentLoadOrStore(Inst);
    }

  // Instrument atomic memory accesses in any case (they can be used to
  // implement synchronization).
  if (ClInstrumentAtomics)
    for (auto Inst : AtomicAccesses) {
      Res |= instrumentAtomic(Inst);
    }

  if (ClInstrumentMemIntrinsics && SanitizeFunction)
    for (auto Inst : MemIntrinCalls) {
      Res |= instrumentMemIntrinsic(Inst);
    }

  // Instrument function entry/exit points if there were instrumented accesses.
  if ((Res || HasCalls) && ClInstrumentFuncEntryExit) {
    // Entry callback receives the return address so the runtime can attribute
    // the frame; one exit callback is placed before every return.
    IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI());
    Value *ReturnAddress = IRB.CreateCall(
        Intrinsic::getDeclaration(F.getParent(), Intrinsic::returnaddress),
        IRB.getInt32(0));
    IRB.CreateCall(TsanFuncEntry, ReturnAddress);
    for (auto RetInst : RetVec) {
      IRBuilder<> IRBRet(RetInst);
      IRBRet.CreateCall(TsanFuncExit);
    }
    Res = true;
  }
  return Res;
}

/// Inserts the runtime callback for a plain load or store.
///
/// Order of checks:
///   1. accesses of a size without a callback are skipped (returns false);
///   2. vtable-pointer writes go to __tsan_vptr_update with (addr, new vptr);
///   3. vtable-pointer reads go to __tsan_vptr_read;
///   4. everything else goes to __tsan_{read,write}<N>, or to the
///      __tsan_unaligned_* variant when the IR alignment is smaller than the
///      access and not a multiple of it.
/// Returns true if a callback was inserted. The original instruction is kept.
bool ThreadSanitizer::instrumentLoadOrStore(Instruction *I) {
  IRBuilder<> IRB(I);
  bool IsWrite = isa<StoreInst>(*I);
  Value *Addr = IsWrite
      ? cast<StoreInst>(I)->getPointerOperand()
      : cast<LoadInst>(I)->getPointerOperand();
  int Idx = getMemoryAccessFuncIndex(Addr);
  if (Idx < 0)
    return false;
  if (IsWrite && isVtableAccess(I)) {
    DEBUG(dbgs() << "  VPTR : " << *I << "\n");
    Value *StoredValue = cast<StoreInst>(I)->getValueOperand();
    // StoredValue may be a vector type if we are storing several vptrs at once.
    // In this case, just take the first element of the vector since this is
    // enough to find vptr races.
    if (isa<VectorType>(StoredValue->getType()))
      StoredValue = IRB.CreateExtractElement(
          StoredValue, ConstantInt::get(IRB.getInt32Ty(), 0));
    if (StoredValue->getType()->isIntegerTy())
      StoredValue = IRB.CreateIntToPtr(StoredValue, IRB.getInt8PtrTy());
    // Call TsanVptrUpdate.
    IRB.CreateCall2(TsanVptrUpdate,
                    IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()),
                    IRB.CreatePointerCast(StoredValue, IRB.getInt8PtrTy()));
    NumInstrumentedVtableWrites++;
    return true;
  }
  if (!IsWrite && isVtableAccess(I)) {
    IRB.CreateCall(TsanVptrLoad,
                   IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()));
    NumInstrumentedVtableReads++;
    return true;
  }
  const unsigned Alignment = IsWrite
      ? cast<StoreInst>(I)->getAlignment()
      : cast<LoadInst>(I)->getAlignment();
  Type *OrigTy = cast<PointerType>(Addr->getType())->getElementType();
  const uint32_t TypeSize = DL->getTypeStoreSizeInBits(OrigTy);
  Value *OnAccessFunc = nullptr;
  // Alignment 0 means "ABI default" and is treated as aligned; anything at
  // least 8 bytes aligned is accepted as well (even for 16-byte accesses).
  // TypeSize / 8 is at least 1 here because getMemoryAccessFuncIndex only
  // admits sizes of 8..128 bits.
  if (Alignment == 0 || Alignment >= 8 || (Alignment % (TypeSize / 8)) == 0)
    OnAccessFunc = IsWrite ? TsanWrite[Idx] : TsanRead[Idx];
  else
    OnAccessFunc = IsWrite ? TsanUnalignedWrite[Idx] : TsanUnalignedRead[Idx];
  IRB.CreateCall(OnAccessFunc, IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()));
  if (IsWrite) NumInstrumentedWrites++;
  else         NumInstrumentedReads++;
  return true;
}

/// Encodes an LLVM AtomicOrdering as the i32 the runtime callbacks expect.
///
/// The numbering follows C++11 std::memory_order (relaxed=0, consume=1,
/// acquire=2, release=3, acq_rel=4, seq_cst=5); Unordered is folded into
/// relaxed and consume is not emitted. NotAtomic cannot reach here because
/// only atomic instructions are passed in.
static ConstantInt *createOrdering(IRBuilder<> *IRB, AtomicOrdering ord) {
  uint32_t v = 0;
  switch (ord) {
    case NotAtomic:              llvm_unreachable("unexpected atomic ordering!");
    case Unordered:              // Fall-through.
    case Monotonic:              v = 0; break;
    // case Consume:                v = 1; break;  // Not specified yet.
    case Acquire:                v = 2; break;
    case Release:                v = 3; break;
    case AcquireRelease:         v = 4; break;
    case SequentiallyConsistent: v = 5; break;
  }
  return IRB->getInt32(v);
}

// If a memset intrinsic gets inlined by the code gen, we will miss races on it.
// So, we either need to ensure the intrinsic is not inlined, or instrument it.
// We do not instrument memset/memmove/memcpy intrinsics (too complicated),
// instead we simply replace them with regular function calls, which are then
// intercepted by the run-time.
// Since tsan is running after everyone else, the calls should not be
// replaced back with intrinsics. If that becomes wrong at some point,
// we will need to call e.g. __tsan_memset to avoid the intrinsics.
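/// Lowers a memset/memcpy/memmove intrinsic to a call of the libc function of
/// the same name (see the comment above for why), then erases the intrinsic.
///
/// Returns true when the intrinsic was replaced. The original code returned
/// false unconditionally, which let runOnFunction report "unmodified" to the
/// pass manager when the only change in a function was this rewrite and
/// entry/exit instrumentation was switched off.
bool ThreadSanitizer::instrumentMemIntrinsic(Instruction *I) {
  IRBuilder<> IRB(I);
  if (MemSetInst *M = dyn_cast<MemSetInst>(I)) {
    // memset(void *, int, size_t): the i8 fill value is zero-extended to int.
    IRB.CreateCall3(MemsetFn,
      IRB.CreatePointerCast(M->getArgOperand(0), IRB.getInt8PtrTy()),
      IRB.CreateIntCast(M->getArgOperand(1), IRB.getInt32Ty(), false),
      IRB.CreateIntCast(M->getArgOperand(2), IntptrTy, false));
    I->eraseFromParent();
    return true;
  }
  if (MemTransferInst *M = dyn_cast<MemTransferInst>(I)) {
    IRB.CreateCall3(isa<MemCpyInst>(M) ? MemcpyFn : MemmoveFn,
      IRB.CreatePointerCast(M->getArgOperand(0), IRB.getInt8PtrTy()),
      IRB.CreatePointerCast(M->getArgOperand(1), IRB.getInt8PtrTy()),
      IRB.CreateIntCast(M->getArgOperand(2), IntptrTy, false));
    I->eraseFromParent();
    return true;
  }
  return false;
}

// Both llvm and ThreadSanitizer atomic operations are based on C++11/C1x
// standards.  For background see C++11 standard.  A slightly older, publicly
// available draft of the standard (not entirely up-to-date, but close enough
// for casual browsing) is available here:
// http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2011/n3242.pdf
// The following page contains more background information:
// http://www.hpl.hp.com/personal/Hans_Boehm/c++mm/

/// Replaces an atomic instruction with the equivalent __tsan_atomic* call.
///
/// Load, store, RMW and fence are swapped in place with ReplaceInstWithInst,
/// so the callback's return value takes over the instruction's uses. cmpxchg
/// is rebuilt by hand: the runtime returns the observed value, and the
/// {value, success} aggregate that cmpxchg produces is reconstructed from it.
///
/// Returns false (instruction left untouched) when the access size has no
/// callback or the RMW operation has no runtime entry point; true otherwise.
/// Sizes without a callback therefore stay invisible to the runtime.
bool ThreadSanitizer::instrumentAtomic(Instruction *I) {
  IRBuilder<> IRB(I);
  if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
    Value *Addr = LI->getPointerOperand();
    int Idx = getMemoryAccessFuncIndex(Addr);
    if (Idx < 0)
      return false;
    const size_t ByteSize = 1 << Idx;
    const size_t BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     createOrdering(&IRB, LI->getOrdering())};
    CallInst *C = CallInst::Create(TsanAtomicLoad[Idx], Args);
    ReplaceInstWithInst(I, C);

  } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
    Value *Addr = SI->getPointerOperand();
    int Idx = getMemoryAccessFuncIndex(Addr);
    if (Idx < 0)
      return false;
    const size_t ByteSize = 1 << Idx;
    const size_t BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     IRB.CreateIntCast(SI->getValueOperand(), Ty, false),
                     createOrdering(&IRB, SI->getOrdering())};
    CallInst *C = CallInst::Create(TsanAtomicStore[Idx], Args);
    ReplaceInstWithInst(I, C);
  } else if (AtomicRMWInst *RMWI = dyn_cast<AtomicRMWInst>(I)) {
    Value *Addr = RMWI->getPointerOperand();
    int Idx = getMemoryAccessFuncIndex(Addr);
    if (Idx < 0)
      return false;
    // nullptr for RMW operations initializeCallbacks did not map.
    Function *F = TsanAtomicRMW[RMWI->getOperation()][Idx];
    if (!F)
      return false;
    const size_t ByteSize = 1 << Idx;
    const size_t BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     IRB.CreateIntCast(RMWI->getValOperand(), Ty, false),
                     createOrdering(&IRB, RMWI->getOrdering())};
    CallInst *C = CallInst::Create(F, Args);
    ReplaceInstWithInst(I, C);
  } else if (AtomicCmpXchgInst *CASI = dyn_cast<AtomicCmpXchgInst>(I)) {
    Value *Addr = CASI->getPointerOperand();
    int Idx = getMemoryAccessFuncIndex(Addr);
    if (Idx < 0)
      return false;
    const size_t ByteSize = 1 << Idx;
    const size_t BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     IRB.CreateIntCast(CASI->getCompareOperand(), Ty, false),
                     IRB.CreateIntCast(CASI->getNewValOperand(), Ty, false),
                     createOrdering(&IRB, CASI->getSuccessOrdering()),
                     createOrdering(&IRB, CASI->getFailureOrdering())};
    CallInst *C = IRB.CreateCall(TsanAtomicCAS[Idx], Args);
    // The callback returns the value that was in memory; the exchange
    // succeeded exactly when that equals the expected value.
    Value *Success = IRB.CreateICmpEQ(C, CASI->getCompareOperand());

    Value *Res = IRB.CreateInsertValue(UndefValue::get(CASI->getType()), C, 0);
    Res = IRB.CreateInsertValue(Res, Success, 1);

    I->replaceAllUsesWith(Res);
    I->eraseFromParent();
  } else if (FenceInst *FI = dyn_cast<FenceInst>(I)) {
    Value *Args[] = {createOrdering(&IRB, FI->getOrdering())};
    // Single-thread fences only order against signal handlers.
    Function *F = FI->getSynchScope() == SingleThread ?
        TsanAtomicSignalFence : TsanAtomicThreadFence;
    CallInst *C = CallInst::Create(F, Args);
    ReplaceInstWithInst(I, C);
  }
  return true;
}

/// Maps the pointee size of `Addr` to an index into the per-size callback
/// tables: 8/16/32/64/128 bits -> 0..4 (log2 of the byte size).
///
/// Any other size returns -1 and is counted in NumAccessesWithBadSize; the
/// callers then leave that access uninstrumented, so such accesses are a
/// coverage gap rather than an error.
int ThreadSanitizer::getMemoryAccessFuncIndex(Value *Addr) {
  Type *OrigPtrTy = Addr->getType();
  Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType();
  assert(OrigTy->isSized());
  uint32_t TypeSize = DL->getTypeStoreSizeInBits(OrigTy);
  if (TypeSize != 8  && TypeSize != 16 &&
      TypeSize != 32 && TypeSize != 64 && TypeSize != 128) {
    NumAccessesWithBadSize++;
    // Ignore all unusual sizes.
    return -1;
  }
  size_t Idx = countTrailingZeros(TypeSize / 8);
  assert(Idx < kNumberOfAccessSizes);
  return Idx;
}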