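//===-- ThreadSanitizer.cpp - race detector -------------------------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is a part of ThreadSanitizer, a race detector.
//
// The tool is under development, for the details about previous versions see
// http://code.google.com/p/data-race-test
//
// The instrumentation phase is quite simple:
//   - Insert calls to run-time library before every memory access.
//      - Optimizations may apply to avoid instrumenting some of the accesses.
//   - Insert calls at function entry/exit.
// The rest is handled by the run-time library.
//
// Coverage caveats that follow directly from the code below (an access that
// is not instrumented is never shown to the run-time library):
//   - functions matched by the -tsan-blacklist file are skipped entirely;
//   - the hidden -tsan-instrument-* flags can switch off whole categories;
//   - accesses whose store size is not 1, 2, 4, 8 or 16 bytes are skipped;
//   - atomic RMW, cmpxchg and fence instructions are collected but not yet
//     rewritten into run-time calls.
//===----------------------------------------------------------------------===//

#define DEBUG_TYPE "tsan"

#include "BlackList.h"
#include "llvm/Function.h"
#include "llvm/IRBuilder.h"
#include "llvm/Intrinsics.h"
#include "llvm/LLVMContext.h"
#include "llvm/Metadata.h"
#include "llvm/Module.h"
#include "llvm/Type.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/MathExtras.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/DataLayout.h"
#include "llvm/Transforms/Instrumentation.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"

using namespace llvm;

// Hidden command-line switches. The three boolean flags default to true, so
// every instrumentation category is enabled unless explicitly turned off.
static cl::opt<std::string>  ClBlackListFile("tsan-blacklist",
       cl::desc("Blacklist file"), cl::Hidden);
static cl::opt<bool>  ClInstrumentMemoryAccesses(
    "tsan-instrument-memory-accesses", cl::init(true),
    cl::desc("Instrument memory accesses"), cl::Hidden);
static cl::opt<bool>  ClInstrumentFuncEntryExit(
    "tsan-instrument-func-entry-exit", cl::init(true),
    cl::desc("Instrument function entry and exit"), cl::Hidden);
static cl::opt<bool>  ClInstrumentAtomics(
    "tsan-instrument-atomics", cl::init(true),
    cl::desc("Instrument atomics"), cl::Hidden);

STATISTIC(NumInstrumentedReads, "Number of instrumented reads");
STATISTIC(NumInstrumentedWrites, "Number of instrumented writes");
STATISTIC(NumOmittedReadsBeforeWrite,
          "Number of reads ignored due to following writes");
STATISTIC(NumAccessesWithBadSize, "Number of accesses with bad size");
STATISTIC(NumInstrumentedVtableWrites, "Number of vtable ptr writes");
STATISTIC(NumOmittedReadsFromConstantGlobals,
          "Number of reads from constant globals");
STATISTIC(NumOmittedReadsFromVtable, "Number of vtable reads");

namespace {

/// ThreadSanitizer: instrument the code in module to find races.
struct ThreadSanitizer : public FunctionPass {
  ThreadSanitizer();
  const char *getPassName() const;
  bool runOnFunction(Function &F);
  bool doInitialization(Module &M);
  static char ID;  // Pass identification, replacement for typeid.

 private:
  /// Inserts a run-time call in front of a plain load or store.
  bool instrumentLoadOrStore(Instruction *I);
  /// Replaces an atomic load or store with a run-time call.
  bool instrumentAtomic(Instruction *I);
  /// Moves the accesses worth instrumenting from Local to All; empties Local.
  void chooseInstructionsToInstrument(SmallVectorImpl<Instruction*> &Local,
                                      SmallVectorImpl<Instruction*> &All);
  /// True if a read through Addr can be skipped (constant global / vtable).
  bool addrPointsToConstantData(Value *Addr);
  /// Index into the per-size callback tables, or -1 for unsupported sizes.
  int getMemoryAccessFuncIndex(Value *Addr);

  // Set in doInitialization; stays NULL when no DataLayout is available, in
  // which case runOnFunction does nothing.
  DataLayout *TD;
  // Functions excluded from instrumentation, loaded from -tsan-blacklist.
  OwningPtr<BlackList> BL;
  // Integer type used for the memory-ordering argument of atomic callbacks.
  IntegerType *OrdTy;
  // Callbacks to run-time library are computed in doInitialization.
  Function *TsanFuncEntry;
  Function *TsanFuncExit;
  // Accesses sizes are powers of two: 1, 2, 4, 8, 16.
  static const size_t kNumberOfAccessSizes = 5;
  Function *TsanRead[kNumberOfAccessSizes];
  Function *TsanWrite[kNumberOfAccessSizes];
  Function *TsanAtomicLoad[kNumberOfAccessSizes];
  Function *TsanAtomicStore[kNumberOfAccessSizes];
  Function *TsanVptrUpdate;
};
}  // namespace

char ThreadSanitizer::ID = 0;
INITIALIZE_PASS(ThreadSanitizer, "tsan",
    "ThreadSanitizer: detects data races.",
    false, false)

const char *ThreadSanitizer::getPassName() const {
  return "ThreadSanitizer";
}

ThreadSanitizer::ThreadSanitizer()
  : FunctionPass(ID),
  TD(NULL) {
}

FunctionPass *llvm::createThreadSanitizerPass() {
  return new ThreadSanitizer();
}

/// Returns \p FuncOrBitcast as a Function, or aborts compilation.
///
/// Anything that is not a plain Function is dumped and reported as a fatal
/// "interface function redefined" error, so the pass never emits calls
/// through a mismatching declaration of a run-time entry point.
static Function *checkInterfaceFunction(Constant *FuncOrBitcast) {
  if (Function *F = dyn_cast<Function>(FuncOrBitcast))
     return F;
  FuncOrBitcast->dump();
  report_fatal_error("ThreadSanitizer interface function redefined");
}

/// Loads the blacklist and declares every run-time callback in \p M.
///
/// \returns false (leaving TD NULL and the callbacks unset) when no
/// DataLayout is available, true once the module has been set up.
bool ThreadSanitizer::doInitialization(Module &M) {
  TD = getAnalysisIfAvailable<DataLayout>();
  if (!TD)
    return false;
  BL.reset(new BlackList(ClBlackListFile));

  // Always insert a call to __tsan_init into the module's CTORs.
  // The declaration goes through checkInterfaceFunction like every other
  // callback: a bare cast<Function> is only checked in builds with
  // assertions, whereas this reports a conflicting definition in all builds.
  IRBuilder<> IRB(M.getContext());
  Function *TsanInit = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_init", IRB.getVoidTy(), NULL));
  appendToGlobalCtors(M, TsanInit, 0);

  // Initialize the callbacks.
  TsanFuncEntry = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_func_entry", IRB.getVoidTy(), IRB.getInt8PtrTy(), NULL));
  TsanFuncExit = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_func_exit", IRB.getVoidTy(), NULL));
  OrdTy = IRB.getInt32Ty();
  // One read/write/atomic-load/atomic-store callback per access size; slot i
  // handles accesses of 1 << i bytes.
  for (size_t i = 0; i < kNumberOfAccessSizes; ++i) {
    const size_t ByteSize = 1 << i;
    const size_t BitSize = ByteSize * 8;
    SmallString<32> ReadName("__tsan_read" + itostr(ByteSize));
    TsanRead[i] = checkInterfaceFunction(M.getOrInsertFunction(
        ReadName, IRB.getVoidTy(), IRB.getInt8PtrTy(), NULL));

    SmallString<32> WriteName("__tsan_write" + itostr(ByteSize));
    TsanWrite[i] = checkInterfaceFunction(M.getOrInsertFunction(
        WriteName, IRB.getVoidTy(), IRB.getInt8PtrTy(), NULL));

    // The atomic callbacks are typed by bit width: iN load(iN*, ordering)
    // and void store(iN*, iN, ordering).
    Type *Ty = Type::getIntNTy(M.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    SmallString<32> AtomicLoadName("__tsan_atomic" + itostr(BitSize) +
                                   "_load");
    TsanAtomicLoad[i] = checkInterfaceFunction(M.getOrInsertFunction(
        AtomicLoadName, Ty, PtrTy, OrdTy, NULL));

    SmallString<32> AtomicStoreName("__tsan_atomic" + itostr(BitSize) +
                                    "_store");
    TsanAtomicStore[i] = checkInterfaceFunction(M.getOrInsertFunction(
        AtomicStoreName, IRB.getVoidTy(), PtrTy, Ty, OrdTy,
        NULL));
  }
  TsanVptrUpdate = checkInterfaceFunction(M.getOrInsertFunction(
      "__tsan_vptr_update", IRB.getVoidTy(), IRB.getInt8PtrTy(),
      IRB.getInt8PtrTy(), NULL));
  return true;
}

/// Returns true if \p I carries TBAA metadata whose first operand is the
/// string "vtable pointer".
static bool isVtableAccess(Instruction *I) {
  if (MDNode *Tag = I->getMetadata(LLVMContext::MD_tbaa)) {
    if (Tag->getNumOperands() < 1) return false;
    if (MDString *Tag1 = dyn_cast<MDString>(Tag->getOperand(0))) {
      if (Tag1->getString() == "vtable pointer") return true;
    }
  }
  return false;
}

/// Returns true if a read through \p Addr needs no instrumentation because
/// the address is a constant global or was itself loaded from a vtable
/// pointer. Bumps the matching "omitted reads" statistic when it does.
bool ThreadSanitizer::addrPointsToConstantData(Value *Addr) {
  // If this is a GEP, just analyze its pointer operand.
  if (GetElementPtrInst *GEP = dyn_cast<GetElementPtrInst>(Addr))
    Addr = GEP->getPointerOperand();

  if (GlobalVariable *GV = dyn_cast<GlobalVariable>(Addr)) {
    if (GV->isConstant()) {
      // Reads from constant globals can not race with any writes.
      NumOmittedReadsFromConstantGlobals++;
      return true;
    }
  } else if (LoadInst *L = dyn_cast<LoadInst>(Addr)) {
    if (isVtableAccess(L)) {
      // Reads from a vtable pointer can not race with any writes.
      NumOmittedReadsFromVtable++;
      return true;
    }
  }
  return false;
}

// Instrumenting some of the accesses may be proven redundant.
// Currently handled:
//  - read-before-write (within same BB, no calls between)
//
// We do not handle some of the patterns that should not survive
// after the classic compiler optimizations.
// E.g. two reads from the same temp should be eliminated by CSE,
// two writes should be eliminated by DSE, etc.
//
// 'Local' is a vector of insns within the same BB (no calls between).
// 'All' is a vector of insns that will be instrumented.
//
// 'Local' must hold only loads and stores (every non-store is cast to
// LoadInst) and is emptied before returning. Instructions are appended to
// 'All' in reverse order of 'Local'.
void ThreadSanitizer::chooseInstructionsToInstrument(
    SmallVectorImpl<Instruction*> &Local,
    SmallVectorImpl<Instruction*> &All) {
  SmallSet<Value*, 8> WriteTargets;
  // Iterate from the end, so that WriteTargets already holds the address of
  // every later store when a load is examined.
  for (SmallVectorImpl<Instruction*>::reverse_iterator It = Local.rbegin(),
       E = Local.rend(); It != E; ++It) {
    Instruction *I = *It;
    if (StoreInst *Store = dyn_cast<StoreInst>(I)) {
      WriteTargets.insert(Store->getPointerOperand());
    } else {
      LoadInst *Load = cast<LoadInst>(I);
      Value *Addr = Load->getPointerOperand();
      if (WriteTargets.count(Addr)) {
        // We will write to this temp, so no reason to analyze the read.
        NumOmittedReadsBeforeWrite++;
        continue;
      }
      if (addrPointsToConstantData(Addr)) {
        // Addr points to some constant data -- it can not race with any writes.
        continue;
      }
    }
    All.push_back(I);
  }
  Local.clear();
}

/// Returns true if \p I is handled by the atomic instrumentation path:
/// a cross-thread atomic load or store, any atomic RMW or cmpxchg, or a
/// cross-thread fence. Atomic loads and stores with any other synch scope
/// are not considered atomic here, so runOnFunction treats them as plain
/// accesses.
static bool isAtomic(Instruction *I) {
  if (LoadInst *LI = dyn_cast<LoadInst>(I))
    return LI->isAtomic() && LI->getSynchScope() == CrossThread;
  if (StoreInst *SI = dyn_cast<StoreInst>(I))
    return SI->isAtomic() && SI->getSynchScope() == CrossThread;
  if (isa<AtomicRMWInst>(I))
    return true;
  if (isa<AtomicCmpXchgInst>(I))
    return true;
  if (FenceInst *FI = dyn_cast<FenceInst>(I))
    return FI->getSynchScope() == CrossThread;
  return false;
}

/// Instruments one function.
///
/// Does nothing (returns false) when no DataLayout was found or when the
/// function is blacklisted. Otherwise collects atomics, plain loads/stores
/// and returns, instruments the categories that are enabled, and adds
/// entry/exit callbacks if anything was instrumented or the function makes
/// calls.
///
/// \returns true if the function was modified.
bool ThreadSanitizer::runOnFunction(Function &F) {
  if (!TD) return false;
  // Blacklisted functions get no instrumentation at all, so races inside
  // them are invisible to the run-time library.
  if (BL->isIn(F)) return false;
  SmallVector<Instruction*, 8> RetVec;
  SmallVector<Instruction*, 8> AllLoadsAndStores;
  SmallVector<Instruction*, 8> LocalLoadsAndStores;
  SmallVector<Instruction*, 8> AtomicAccesses;
  bool Res = false;
  bool HasCalls = false;

  // Traverse all instructions, collect loads/stores/returns, check for calls.
  for (Function::iterator FI = F.begin(), FE = F.end();
       FI != FE; ++FI) {
    BasicBlock &BB = *FI;
    for (BasicBlock::iterator BI = BB.begin(), BE = BB.end();
         BI != BE; ++BI) {
      if (isAtomic(BI))
        AtomicAccesses.push_back(BI);
      else if (isa<LoadInst>(BI) || isa<StoreInst>(BI))
        LocalLoadsAndStores.push_back(BI);
      else if (isa<ReturnInst>(BI))
        RetVec.push_back(BI);
      else if (isa<CallInst>(BI) || isa<InvokeInst>(BI)) {
        HasCalls = true;
        // A call ends the current call-free run: the read-before-write
        // filter is applied to what was collected so far.
        chooseInstructionsToInstrument(LocalLoadsAndStores, AllLoadsAndStores);
      }
    }
    // Flush at the end of every basic block as well.
    chooseInstructionsToInstrument(LocalLoadsAndStores, AllLoadsAndStores);
  }

  // We have collected all loads and stores.
  // FIXME: many of these accesses do not need to be checked for races
  // (e.g. variables that do not escape, etc).

  // Instrument memory accesses.
  if (ClInstrumentMemoryAccesses)
    for (size_t i = 0, n = AllLoadsAndStores.size(); i < n; ++i) {
      Res |= instrumentLoadOrStore(AllLoadsAndStores[i]);
    }

  // Instrument atomic memory accesses.
  if (ClInstrumentAtomics)
    for (size_t i = 0, n = AtomicAccesses.size(); i < n; ++i) {
      Res |= instrumentAtomic(AtomicAccesses[i]);
    }

  // Instrument function entry/exit points if there were instrumented accesses.
  if ((Res || HasCalls) && ClInstrumentFuncEntryExit) {
    // The entry callback receives the result of llvm.returnaddress(0).
    IRBuilder<> IRB(F.getEntryBlock().getFirstNonPHI());
    Value *ReturnAddress = IRB.CreateCall(
        Intrinsic::getDeclaration(F.getParent(), Intrinsic::returnaddress),
        IRB.getInt32(0));
    IRB.CreateCall(TsanFuncEntry, ReturnAddress);
    // The exit callback is inserted in front of every return instruction.
    for (size_t i = 0, n = RetVec.size(); i < n; ++i) {
      IRBuilder<> IRBRet(RetVec[i]);
      IRBRet.CreateCall(TsanFuncExit);
    }
    Res = true;
  }
  return Res;
}

/// Inserts the matching run-time callback in front of a plain load or store.
///
/// A store tagged as a vtable-pointer access is reported through
/// __tsan_vptr_update(addr, new value); everything else goes to the
/// size-specific __tsan_read*/__tsan_write* callback.
///
/// \returns false, leaving \p I untouched, when the access size is not one
/// of the supported sizes; true once a call has been inserted.
bool ThreadSanitizer::instrumentLoadOrStore(Instruction *I) {
  IRBuilder<> IRB(I);
  bool IsWrite = isa<StoreInst>(*I);
  Value *Addr = IsWrite
      ? cast<StoreInst>(I)->getPointerOperand()
      : cast<LoadInst>(I)->getPointerOperand();
  int Idx = getMemoryAccessFuncIndex(Addr);
  if (Idx < 0)
    return false;
  if (IsWrite && isVtableAccess(I)) {
    DEBUG(dbgs() << "  VPTR : " << *I << "\n");
    Value *StoredValue = cast<StoreInst>(I)->getValueOperand();
    // StoredValue does not necessarily have a pointer type.
    if (isa<IntegerType>(StoredValue->getType()))
      StoredValue = IRB.CreateIntToPtr(StoredValue, IRB.getInt8PtrTy());
    // Call TsanVptrUpdate.
    IRB.CreateCall2(TsanVptrUpdate,
                    IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()),
                    IRB.CreatePointerCast(StoredValue, IRB.getInt8PtrTy()));
    NumInstrumentedVtableWrites++;
    return true;
  }
  Value *OnAccessFunc = IsWrite ? TsanWrite[Idx] : TsanRead[Idx];
  IRB.CreateCall(OnAccessFunc, IRB.CreatePointerCast(Addr, IRB.getInt8PtrTy()));
  if (IsWrite) NumInstrumentedWrites++;
  else         NumInstrumentedReads++;
  return true;
}

/// Encodes \p ord as the i32 constant passed to the atomic callbacks: one
/// bit per ordering, plus a fixed offset of 100500.
static ConstantInt *createOrdering(IRBuilder<> *IRB, AtomicOrdering ord) {
  uint32_t v = 0;
  switch (ord) {
    // NotAtomic is not expected here. In builds without assertions the
    // assert is a no-op and control falls through to the Monotonic encoding.
    case NotAtomic:              assert(false);
    case Unordered:              // Fall-through.
    case Monotonic:              v = 1 << 0; break;
 // case Consume:                v = 1 << 1; break;  // Not specified yet.
    case Acquire:                v = 1 << 2; break;
    case Release:                v = 1 << 3; break;
    case AcquireRelease:         v = 1 << 4; break;
    case SequentiallyConsistent: v = 1 << 5; break;
  }
  // +100500 is temporary, to migrate to new enum values.
  return IRB->getInt32(v + 100500);
}

/// Replaces an atomic load or store with a call to the size-specific
/// __tsan_atomicN_load / __tsan_atomicN_store callback.
///
/// \returns false when a load or store has an unsupported size (the
/// instruction is left as is); true in every other case.
///
/// NOTE(review): atomic RMW, cmpxchg and fence instructions are accepted but
/// left unchanged, and true is still returned for them, so runOnFunction
/// counts the function as modified even though no callback was emitted.
bool ThreadSanitizer::instrumentAtomic(Instruction *I) {
  IRBuilder<> IRB(I);
  if (LoadInst *LI = dyn_cast<LoadInst>(I)) {
    Value *Addr = LI->getPointerOperand();
    int Idx = getMemoryAccessFuncIndex(Addr);
    if (Idx < 0)
      return false;
    const size_t ByteSize = 1 << Idx;
    const size_t BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     createOrdering(&IRB, LI->getOrdering())};
    CallInst *C = CallInst::Create(TsanAtomicLoad[Idx],
                                   ArrayRef<Value*>(Args));
    // The call takes the place of the load, including all of its uses.
    ReplaceInstWithInst(I, C);

  } else if (StoreInst *SI = dyn_cast<StoreInst>(I)) {
    Value *Addr = SI->getPointerOperand();
    int Idx = getMemoryAccessFuncIndex(Addr);
    if (Idx < 0)
      return false;
    const size_t ByteSize = 1 << Idx;
    const size_t BitSize = ByteSize * 8;
    Type *Ty = Type::getIntNTy(IRB.getContext(), BitSize);
    Type *PtrTy = Ty->getPointerTo();
    // The stored value is converted with an unsigned integer cast.
    // NOTE(review): this assumes the stored value has an integer type --
    // confirm that no other value type can reach this point.
    Value *Args[] = {IRB.CreatePointerCast(Addr, PtrTy),
                     IRB.CreateIntCast(SI->getValueOperand(), Ty, false),
                     createOrdering(&IRB, SI->getOrdering())};
    CallInst *C = CallInst::Create(TsanAtomicStore[Idx],
                                   ArrayRef<Value*>(Args));
    ReplaceInstWithInst(I, C);
  } else if (isa<AtomicRMWInst>(I)) {
    // FIXME: Not yet supported.
  } else if (isa<AtomicCmpXchgInst>(I)) {
    // FIXME: Not yet supported.
  } else if (isa<FenceInst>(I)) {
    // FIXME: Not yet supported.
  }
  return true;
}

/// Maps the pointee type of \p Addr to a slot in the per-size callback
/// tables.
///
/// \returns log2 of the store size in bytes (0..4) for sizes of 8, 16, 32,
/// 64 or 128 bits, or -1 for any other size (counted in
/// NumAccessesWithBadSize).
int ThreadSanitizer::getMemoryAccessFuncIndex(Value *Addr) {
  Type *OrigPtrTy = Addr->getType();
  Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType();
  assert(OrigTy->isSized());
  // Keep the full 64-bit size for the comparison below. Narrowing it to 32
  // bits first would let a very large type whose size is 2^32 plus a
  // supported width be mistaken for a small access.
  uint64_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy);
  if (TypeSize != 8  && TypeSize != 16 &&
      TypeSize != 32 && TypeSize != 64 && TypeSize != 128) {
    NumAccessesWithBadSize++;
    // Ignore all unusual sizes.
    return -1;
  }
  // TypeSize is at most 128 here, so the narrowing cast is lossless.
  size_t Idx = CountTrailingZeros_32(static_cast<uint32_t>(TypeSize / 8));
  assert(Idx < kNumberOfAccessSizes);
  return Idx;
}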