[PATCH] D15380: [tsan] Update dispatch_group support to avoid using a disposed group object
Kuba Brecka via llvm-commits
llvm-commits at lists.llvm.org
Wed Dec 9 08:08:34 PST 2015
kubabrecka created this revision.
kubabrecka added reviewers: dvyukov, samsonov, glider, kcc.
kubabrecka added subscribers: llvm-commits, zaks.anna.
We're using the dispatch group itself to synchronize (to call `Release()` and `Acquire()` on it), but in dispatch group notifications, the group can already be disposed/deallocated. This causes a later assertion failure at `DCHECK_EQ(*meta, 0);` in `MetaMap::AllocBlock` when the same memory is reused (note that the failure only happens in debug builds).
Fixing this by retaining the group and releasing it in the notification. Adding a stress test case that reproduces this.
http://reviews.llvm.org/D15380
Files:
lib/tsan/rtl/tsan_libdispatch_mac.cc
test/tsan/Darwin/gcd-groups-stress.mm
Index: test/tsan/Darwin/gcd-groups-stress.mm
===================================================================
--- test/tsan/Darwin/gcd-groups-stress.mm
+++ test/tsan/Darwin/gcd-groups-stress.mm
@@ -0,0 +1,43 @@
+// RUN: %clang_tsan %s -o %t -framework Foundation
+// RUN: %run %t 2>&1
+
+#import <Foundation/Foundation.h>
+
+void notify_callback(void *context) {
+ // Do nothing.
+}
+
+int main() {
+ NSLog(@"Hello world.");
+
+ dispatch_queue_t q = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0);
+
+ for (int i = 0; i < 300000; i++) {
+ dispatch_group_t g = dispatch_group_create();
+ dispatch_group_enter(g);
+ dispatch_async(q, ^{
+ dispatch_group_leave(g);
+ });
+ dispatch_group_notify(g, q, ^{
+ // Do nothing.
+ });
+ dispatch_release(g);
+ }
+
+ for (int i = 0; i < 300000; i++) {
+ dispatch_group_t g = dispatch_group_create();
+ dispatch_group_enter(g);
+ dispatch_async(q, ^{
+ dispatch_group_leave(g);
+ });
+ dispatch_group_notify_f(g, q, nullptr, ¬ify_callback);
+ dispatch_release(g);
+ }
+
+ NSLog(@"Done.");
+}
+
+// CHECK: Hello world.
+// CHECK: Done.
+// CHECK-NOT: WARNING: ThreadSanitizer
+// CHECK-NOT: CHECK failed
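Review bot: The `// CHECK:` and `// CHECK-NOT:` lines at the end of this test are never evaluated, because the second RUN line stops at `%run %t 2>&1` and never pipes the output into FileCheck. As written, the test can only fail on a non-zero exit status. To make `CHECK-NOT: WARNING: ThreadSanitizer` and `CHECK-NOT: CHECK failed` effective, change the line to `// RUN: %run %t 2>&1 | FileCheck %s`. Separately, `main` prints "Done." and returns right after the second loop without waiting for the queued blocks and notifications, so how many notifications actually run before exit looks timing-dependent. Waiting for the outstanding work before `NSLog(@"Done.")` would make the stress coverage repeatable.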
Index: lib/tsan/rtl/tsan_libdispatch_mac.cc
===================================================================
--- lib/tsan/rtl/tsan_libdispatch_mac.cc
+++ lib/tsan/rtl/tsan_libdispatch_mac.cc
@@ -34,6 +34,7 @@
void *orig_context;
dispatch_function_t orig_work;
uptr object_to_acquire;
+ dispatch_object_t object_to_release;
} tsan_block_context_t;
// The offsets of different fields of the dispatch_queue_t structure, exported
@@ -75,6 +76,7 @@
new_context->orig_context = orig_context;
new_context->orig_work = orig_work;
new_context->object_to_acquire = (uptr)new_context;
+ new_context->object_to_release = nullptr;
return new_context;
}
@@ -88,6 +90,7 @@
context->orig_work(context->orig_context);
if (IsQueueSerial(context->queue)) Release(thr, pc, (uptr)context->queue);
user_free(thr, pc, context);
+ if (context->object_to_release) dispatch_release(context->object_to_release);
}
static void invoke_and_release_block(void *param) {
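Review bot: The added line reads `context->object_to_release` after `user_free(thr, pc, context)` has already freed `context`, so the fix for the disposed group introduces a use-after-free of the context block itself. Once the block is freed it can be reused by another thread, especially under a stress load like the new test, and the read may then see a stale or unrelated value and release the wrong object or skip the release. Read the field before freeing: put `dispatch_object_t to_release = context->object_to_release;` ahead of `user_free(...)` and follow it with `if (to_release) dispatch_release(to_release);`, or simply move the `dispatch_release` line above `user_free`. The enclosing function starts outside the hunk.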
@@ -231,6 +234,8 @@
tsan_block_context_t *new_context =
AllocContext(thr, pc, q, heap_block, &invoke_and_release_block);
new_context->object_to_acquire = (uptr)group;
+ new_context->object_to_release = group;
+ dispatch_retain(group);
Release(thr, pc, (uptr)group);
REAL(dispatch_group_notify_f)(group, q, new_context,
dispatch_callback_wrap_acquire);
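Review bot: The `dispatch_retain(group)` added here has no comment tying it to its matching `dispatch_release`, which lives in a different function (presumably the callback wrapper changed in the `@@ -88,6 +90,7 @@` hunk), so the ownership is easy to break in a later edit. A short comment above the two new lines would document it, e.g. `// Keep the group alive until the notification runs; released in the callback via object_to_release.` The same two lines are added to the `dispatch_group_notify_f` interceptor in the next hunk, and the comment applies there as well. Both interceptors start outside their hunks.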
@@ -241,6 +246,8 @@
SCOPED_TSAN_INTERCEPTOR(dispatch_group_notify_f, group, q, context, work);
tsan_block_context_t *new_context = AllocContext(thr, pc, q, context, work);
new_context->object_to_acquire = (uptr)group;
+ new_context->object_to_release = group;
+ dispatch_retain(group);
Release(thr, pc, (uptr)group);
REAL(dispatch_group_notify_f)(group, q, new_context,
dispatch_callback_wrap_acquire);
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D15380.42300.patch
Type: text/x-patch
Size: 3070 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20151209/975ab4a3/attachment.bin>