[asan] experimental intercetor for __tls_get_addr. So far it does nothing interesting, actual usage will come later. See https://groups.google.com/forum/#!topic/address-sanitizer/BfwYD8HMxTM for background

llvm-svn: 200384

8 files changed, 301 insertions, 2 deletions

diff --git a/compiler-rt/lib/asan/asan_malloc_linux.cc b/compiler-rt/lib/asan/asan_malloc_linux.cc
index 24b7f697792..4490d4b0349 100644
--- a/compiler-rt/lib/asan/asan_malloc_linux.cc
+++ b/compiler-rt/lib/asan/asan_malloc_linux.cc
@@ -17,6 +17,7 @@
 #include "sanitizer_common/sanitizer_platform.h"
 #if SANITIZER_LINUX
 
+#include "sanitizer_common/sanitizer_tls_get_addr.h"
 #include "asan_allocator.h"
 #include "asan_interceptors.h"
 #include "asan_internal.h"
@@ -101,8 +102,12 @@ INTERCEPTOR(void*, memalign, uptr boundary, uptr size) {
   return asan_memalign(boundary, size, &stack, FROM_MALLOC);
 }
 
-INTERCEPTOR(void*, __libc_memalign, uptr align, uptr s)
-  ALIAS("memalign");
+INTERCEPTOR(void*, __libc_memalign, uptr boundary, uptr size) {
+  GET_STACK_TRACE_MALLOC;
+  void *res = asan_memalign(boundary, size, &stack, FROM_MALLOC);
+  DTLS_on_libc_memalign(res, size * boundary);
+  return res;
+}
 
 INTERCEPTOR(uptr, malloc_usable_size, void *ptr) {
   GET_CURRENT_PC_BP_SP;
diff --git a/compiler-rt/lib/asan/asan_thread.cc b/compiler-rt/lib/asan/asan_thread.cc
index 7aa4ede5a1f..897ff2e6c1a 100644
--- a/compiler-rt/lib/asan/asan_thread.cc
+++ b/compiler-rt/lib/asan/asan_thread.cc
@@ -20,6 +20,7 @@
 #include "sanitizer_common/sanitizer_common.h"
 #include "sanitizer_common/sanitizer_placement_new.h"
 #include "sanitizer_common/sanitizer_stackdepot.h"
+#include "sanitizer_common/sanitizer_tls_get_addr.h"
 #include "lsan/lsan_common.h"
 
 namespace __asan {
@@ -107,6 +108,7 @@ void AsanThread::Destroy() {
   DeleteFakeStack(tid);
   uptr size = RoundUpTo(sizeof(AsanThread), GetPageSizeCached());
   UnmapOrDie(this, size);
+  DTLS_Destroy();
 }
 
 // We want to create the FakeStack lazyly on the first use, but not eralier
diff --git a/compiler-rt/lib/asan/lit_tests/TestCases/Linux/stress_dtls.c b/compiler-rt/lib/asan/lit_tests/TestCases/Linux/stress_dtls.c
new file mode 100644
index 00000000000..73b106b55dd
--- /dev/null
+++ b/compiler-rt/lib/asan/lit_tests/TestCases/Linux/stress_dtls.c
@@ -0,0 +1,102 @@
+// REQUIRES: asan-64-bits
+// Stress test dynamic TLS + dlopen + threads.
+//
+// Note that glibc 2.15 seems utterly broken on this test,
+// it fails with ~17 DSOs dlopen-ed.
+// glibc 2.19 seems fine.
+//
+//
+// RUN: %clangxx_asan -x c -DSO_NAME=f0 %s -shared -o %t-f0.so -fPIC
+// RUN: %clangxx_asan -x c -DSO_NAME=f1 %s -shared -o %t-f1.so -fPIC
+// RUN: %clangxx_asan -x c -DSO_NAME=f2 %s -shared -o %t-f2.so -fPIC
+// RUN: %clangxx_asan %s -o %t
+// RUN: %t 0 3
+// RUN: %t 2 3
+// RUN: ASAN_OPTIONS=verbosity=2 %t 2 2 2>&1 | FileCheck %s
+// CHECK: __tls_get_addr
+// CHECK: __tls_get_addr
+// CHECK: __tls_get_addr
+// CHECK: __tls_get_addr
+// CHECK: __tls_get_addr
+/*
+cc=your-compiler
+
+$cc stress_dtls.c -lpthread -ldl
+for((i=0;i<100;i++)); do
+  $cc -fPIC -shared -DSO_NAME=f$i -o a.out-f$i.so stress_dtls.c;
+done
+./a.out 2 4  # <<<<<< 2 threads, 4 libs
+./a.out 3 50 # <<<<<< 3 threads, 50 libs
+*/
+#ifndef SO_NAME
+#define _GNU_SOURCE
+#include <assert.h>
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <stdint.h>
+
+typedef void **(*f_t)();
+
+__thread int my_tls;
+
+#define MAX_N_FUNCTIONS 1000
+f_t Functions[MAX_N_FUNCTIONS];
+
+void *PrintStuff(void *unused) {
+  uintptr_t stack;
+  // fprintf(stderr, "STACK: %p TLS: %p SELF: %p\n", &stack, &my_tls,
+  //        (void *)pthread_self());
+  int i;
+  for (i = 0; i < MAX_N_FUNCTIONS; i++) {
+    if (!Functions[i]) break;
+    uintptr_t dtls = (uintptr_t)Functions[i]();
+    fprintf(stderr, "  dtls[%03d]: %lx\n", i, dtls);
+    *(long*)dtls = 42;  // check that this is writable.
+  }
+  return NULL;
+}
+
+int main(int argc, char *argv[]) {
+  int num_threads = 1;
+  int num_libs = 1;
+  if (argc >= 2)
+    num_threads = atoi(argv[1]);
+  if (argc >= 3)
+    num_libs = atoi(argv[2]);
+  assert(num_libs <= MAX_N_FUNCTIONS);
+
+  int lib;
+  for (lib = 0; lib < num_libs; lib++) {
+    char buf[4096];
+    snprintf(buf, sizeof(buf), "%s-f%d.so", argv[0], lib);
+    void *handle = dlopen(buf, RTLD_LAZY);
+    if (!handle) {
+      fprintf(stderr, "%s\n", dlerror());
+      exit(1);
+    }
+    snprintf(buf, sizeof(buf), "f%d", lib);
+    Functions[lib] = (f_t)dlsym(handle, buf);
+    if (!Functions[lib]) {
+      fprintf(stderr, "%s\n", dlerror());
+      exit(1);
+    }
+    fprintf(stderr, "LIB[%03d] %s: %p\n", lib, buf, Functions[lib]);
+    PrintStuff(0);
+
+    int i;
+    for (i = 0; i < num_threads; i++) {
+      pthread_t t;
+      pthread_create(&t, 0, PrintStuff, 0);
+      pthread_join(t, 0);
+    }
+  }
+  return 0;
+}
+#else  // SO_NAME
+__thread void *huge_thread_local_array[1 << 17];
+void **SO_NAME() {
+  return &huge_thread_local_array[0];
+}
+#endif
diff --git a/compiler-rt/lib/sanitizer_common/CMakeLists.txt b/compiler-rt/lib/sanitizer_common/CMakeLists.txt
index e1d47287ff0..407c3cf62f1 100644
--- a/compiler-rt/lib/sanitizer_common/CMakeLists.txt
+++ b/compiler-rt/lib/sanitizer_common/CMakeLists.txt
@@ -22,6 +22,7 @@ set(SANITIZER_SOURCES
   sanitizer_symbolizer.cc
   sanitizer_symbolizer_libbacktrace.cc
   sanitizer_symbolizer_win.cc
+  sanitizer_tls_get_addr.cc
   sanitizer_thread_registry.cc
   sanitizer_win.cc)
 
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
index f849960b9af..12594caafcd 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
@@ -29,6 +29,7 @@
 //===----------------------------------------------------------------------===//
 #include "interception/interception.h"
 #include "sanitizer_platform_interceptors.h"
+#include "sanitizer_tls_get_addr.h"
 
 #include <stdarg.h>
 
@@ -3063,10 +3064,23 @@ INTERCEPTOR(__sanitizer_clock_t, times, void *tms) {
   return res;
 }
 #define INIT_TIMES COMMON_INTERCEPT_FUNCTION(times);
+INTERCEPTOR(void *, __tls_get_addr, void *arg) {
+  void *ctx;
+  COMMON_INTERCEPTOR_ENTER(ctx, __tls_get_addr, arg);
+  void *res = REAL(__tls_get_addr)(arg);
+  DTLS_on_tls_get_addr(arg, res);
+  return res;
+}
 #else
 #define INIT_TIMES
 #endif
 
+#if SANITIZER_INTERCEPT_TLS_GET_ADDR
+#define INIT_TLS_GET_ADDR COMMON_INTERCEPT_FUNCTION(__tls_get_addr)
+#else
+#define INIT_TLS_GET_ADDR
+#endif
+
 #define SANITIZER_COMMON_INTERCEPTORS_INIT \
   INIT_TEXTDOMAIN;                         \
   INIT_STRCMP;                             \
@@ -3182,4 +3196,5 @@ INTERCEPTOR(__sanitizer_clock_t, times, void *tms) {
   INIT_GETLINE;                            \
   INIT_ICONV;                              \
   INIT_TIMES;                              \
+  INIT_TLS_GET_ADDR;                       \
 /**/
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_interceptors.h b/compiler-rt/lib/sanitizer_common/sanitizer_platform_interceptors.h
index 9693e192bab..c43ef8fbe9d 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_interceptors.h
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_interceptors.h
@@ -177,4 +177,6 @@
 #define SANITIZER_INTERCEPT_PTHREAD_COND SI_NOT_WINDOWS
 #define SANITIZER_INTERCEPT_PTHREAD_SETNAME_NP SI_LINUX_NOT_ANDROID
 
+#define SANITIZER_INTERCEPT_TLS_GET_ADDR SI_LINUX_NOT_ANDROID
+
 #endif  // #ifndef SANITIZER_PLATFORM_INTERCEPTORS_H
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.cc b/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.cc
new file mode 100644
index 00000000000..7d4663d5f08
--- /dev/null
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.cc
@@ -0,0 +1,114 @@
+//===-- sanitizer_tls_get_addr.cc -----------------------------------------===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Handle the __tls_get_addr call.
+//
+//===----------------------------------------------------------------------===//
+
+#include "sanitizer_tls_get_addr.h"
+
+#include "sanitizer_flags.h"
+#include "sanitizer_platform_interceptors.h"
+
+namespace __sanitizer {
+#if SANITIZER_INTERCEPT_TLS_GET_ADDR
+
+// The actual parameter that comes to __tls_get_addr
+// is a pointer to a struct with two words in it:
+struct TlsGetAddrParam {
+  uptr dso_id;
+  uptr offset;
+};
+
+// Glibc starting from 2.19 allocates tls using __signal_safe_memalign,
+// which has such header.
+struct Glibc_2_19_tls_header {
+  uptr size;
+  uptr start;
+};
+
+// This must be static TLS, i.e. the run-time should be build with
+// -ftls-model=initial-exec or equivalent.
+static __thread DTLS dtls;
+
+// Make sure we properly destroy the DTLS objects:
+// this counter should never get too large.
+static atomic_uintptr_t number_of_live_dtls;
+
+static const uptr kDestroyedThread = -1;
+
+static inline void DTLS_Resize(uptr new_size) {
+  if (dtls.dtv_size >= new_size) return;
+  new_size = RoundUpToPowerOfTwo(new_size);
+  new_size = Max(new_size, 4096UL / sizeof(DTLS::DTV));
+  DTLS::DTV *new_dtv =
+      (DTLS::DTV *)MmapOrDie(new_size * sizeof(DTLS::DTV), "DTLS_Resize");
+  CHECK_LT(atomic_fetch_add(&number_of_live_dtls, 1, memory_order_relaxed),
+           1 << 20);
+  if (dtls.dtv_size)
+    internal_memcpy(new_dtv, dtls.dtv, dtls.dtv_size * sizeof(DTLS::DTV));
+  DTLS_Destroy();
+  dtls.dtv = new_dtv;
+  dtls.dtv_size = new_size;
+}
+
+void DTLS_Destroy() {
+  if (!dtls.dtv_size) return;
+  UnmapOrDie(dtls.dtv, dtls.dtv_size * sizeof(DTLS::DTV));
+  atomic_fetch_sub(&number_of_live_dtls, 1, memory_order_relaxed);
+  dtls.dtv_size = kDestroyedThread;
+}
+
+void DTLS_on_tls_get_addr(void *arg_void, void *res) {
+  TlsGetAddrParam *arg = reinterpret_cast<TlsGetAddrParam *>(arg_void);
+  uptr dso_id = arg->dso_id;
+  if (dtls.dtv_size == kDestroyedThread) return;
+  DTLS_Resize(dso_id + 1);
+  if (dtls.dtv[dso_id].beg)
+    return;
+  uptr tls_size = 0;
+  uptr tls_beg = reinterpret_cast<uptr>(res) - arg->offset;
+  VPrintf(2, "__tls_get_addr: %p {%p,%p} => %p; tls_beg: %p\n", arg,
+          arg->dso_id, arg->offset, res, tls_beg);
+  if (dtls.last_memalign_ptr == tls_beg) {
+    tls_size = dtls.last_memalign_size;
+    VPrintf(2, "__tls_get_addr: glibc <=2.18 suspected; tls={%p,%p}\n", tls_beg,
+            tls_size);
+  } else if ((tls_beg % 4096) == sizeof(Glibc_2_19_tls_header)) {
+    // We may want to check gnu_get_libc_version().
+    Glibc_2_19_tls_header *header = (Glibc_2_19_tls_header *)tls_beg - 1;
+    tls_size = header->size;
+    tls_beg = header->start;
+    VPrintf(2, "__tls_get_addr: glibc >=2.19 suspected; tls={%p %p}\n", tls_beg,
+            tls_size);
+  } else {
+    VPrintf(2, "__tls_get_addr: Can't guess glibc version\n");
+    // This may happen inside the DTOR of main thread, so just ignore it.
+    tls_size = 0;
+  }
+  dtls.dtv[dso_id].beg = tls_beg;
+  dtls.dtv[dso_id].size = tls_size;
+}
+
+void DTLS_on_libc_memalign(void *ptr, uptr size) {
+  VPrintf(2, "DTLS_on_libc_memalign: %p %p\n", ptr, size);
+  dtls.last_memalign_ptr = reinterpret_cast<uptr>(ptr);
+  dtls.last_memalign_size = size;
+}
+
+DTLS *DTLS_Get() { return &dtls; }
+
+#else
+void DTLS_on_libc_memalign(void *ptr, uptr size) {}
+void DTLS_on_tls_get_addr(void *arg, void *res) {}
+DTLS *DTLS_Get() { return 0; }
+void DTLS_Destroy() {}
+#endif  // SANITIZER_INTERCEPT_TLS_GET_ADDR
+
+}  // namespace __sanitizer
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.h b/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.h
new file mode 100644
index 00000000000..68ca827a27f
--- /dev/null
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_tls_get_addr.h
@@ -0,0 +1,58 @@
+//===-- sanitizer_tls_get_addr.h --------------------------------*- C++ -*-===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// Handle the __tls_get_addr call.
+//
+// All this magic is specific to glibc and is required to workaround
+// the lack of interface that would tell us about the Dynamic TLS (DTLS).
+// https://sourceware.org/bugzilla/show_bug.cgi?id=16291
+//
+// The matters get worse because the glibc implementation changed between
+// 2.18 and 2.19:
+// https://groups.google.com/forum/#!topic/address-sanitizer/BfwYD8HMxTM
+//
+// Before 2.19, every DTLS chunk is allocated with __libc_memalign,
+// which we intercept and thus know where is the DTLS.
+// Since 2.19, DTLS chunks are allocated with __signal_safe_memalign,
+// which is an internal function that wraps a mmap call, neither of which
+// we can intercept. Luckily, __signal_safe_memalign has a simple parseable
+// header which we can use.
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef SANITIZER_TLS_GET_ADDR_H
+#define SANITIZER_TLS_GET_ADDR_H
+
+#include "sanitizer_common.h"
+
+namespace __sanitizer {
+
+struct DTLS {
+  // Array of DTLS chunks for the current Thread.
+  // If beg == 0, the chunk is unused.
+  struct DTV {
+    uptr beg, size;
+  };
+
+  uptr dtv_size;
+  DTV *dtv;  // dtv_size elements, allocated by MmapOrDie.
+
+  // Auxilary fields, don't access them outside sanitizer_tls_get_addr.cc
+  uptr last_memalign_size;
+  uptr last_memalign_ptr;
+};
+
+void DTLS_on_tls_get_addr(void *arg, void *res);
+void DTLS_on_libc_memalign(void *ptr, uptr size);
+DTLS *DTLS_Get();
+void DTLS_Destroy();  // Make sure to call this before the thread is destroyed.
+
+}  // namespace __sanitizer
+
+#endif  // SANITIZER_TLS_GET_ADDR_H