<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 13, 2014 at 1:46 AM, Dmitry Vyukov <span dir="ltr"><<a href="mailto:dvyukov@google.com" target="_blank">dvyukov@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: dvyukov<br>
Date: Mon Oct 13 03:46:25 2014<br>
New Revision: 219600<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=219600&view=rev" target="_blank">http://llvm.org/viewvc/llvm-project?rev=219600&view=rev</a><br>
Log:<br>
tsan: better reporting for virtual-call-after-free<br>
Previously we said that it's a data race, which is confusing<br>
if it happens in the same thread.<br>
<br>
<br>
<br>
Added:<br>
    compiler-rt/trunk/test/tsan/vptr_harmful_race4.cc<br>
Modified:<br>
    compiler-rt/trunk/lib/tsan/rtl/tsan_report.cc<br>
    compiler-rt/trunk/lib/tsan/rtl/tsan_report.h<br>
    compiler-rt/trunk/lib/tsan/rtl/tsan_rtl_report.cc<br>
    compiler-rt/trunk/lib/tsan/rtl/tsan_suppressions.cc<br>
<br>
Modified: compiler-rt/trunk/lib/tsan/rtl/tsan_report.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_report.cc?rev=219600&r1=219599&r2=219600&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_report.cc?rev=219600&r1=219599&r2=219600&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/tsan/rtl/tsan_report.cc (original)<br>
+++ compiler-rt/trunk/lib/tsan/rtl/tsan_report.cc Mon Oct 13 03:46:25 2014<br>
@@ -70,6 +70,8 @@ static const char *ReportTypeString(Repo<br>
     return "data race on vptr (ctor/dtor vs virtual call)";<br>
   if (typ == ReportTypeUseAfterFree)<br>
     return "heap-use-after-free";<br>
+  if (typ == ReportTypeVptrUseAfterFree)<br>
+    return "heap-use-after-free (virtual call vs free)";<br>
   if (typ == ReportTypeThreadLeak)<br>
     return "thread leak";<br>
   if (typ == ReportTypeMutexDestroyLocked)<br>
<br>
Modified: compiler-rt/trunk/lib/tsan/rtl/tsan_report.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_report.h?rev=219600&r1=219599&r2=219600&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_report.h?rev=219600&r1=219599&r2=219600&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/tsan/rtl/tsan_report.h (original)<br>
+++ compiler-rt/trunk/lib/tsan/rtl/tsan_report.h Mon Oct 13 03:46:25 2014<br>
@@ -22,6 +22,7 @@ enum ReportType {<br>
   ReportTypeRace,<br>
   ReportTypeVptrRace,<br>
   ReportTypeUseAfterFree,<br>
+  ReportTypeVptrUseAfterFree,<br>
   ReportTypeThreadLeak,<br>
   ReportTypeMutexDestroyLocked,<br>
   ReportTypeMutexDoubleLock,<br>
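</blockquote><div>Review bot: ReportTypeVptrUseAfterFree is inserted in the middle of enum ReportType, which renumbers ReportTypeThreadLeak and every enumerator after it. That is harmless as long as nothing stores or indexes by the numeric value; if that cannot be guaranteed, append the new enumerator at the end instead.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">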
<br>
Modified: compiler-rt/trunk/lib/tsan/rtl/tsan_rtl_report.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_rtl_report.cc?rev=219600&r1=219599&r2=219600&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_rtl_report.cc?rev=219600&r1=219599&r2=219600&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/tsan/rtl/tsan_rtl_report.cc (original)<br>
+++ compiler-rt/trunk/lib/tsan/rtl/tsan_rtl_report.cc Mon Oct 13 03:46:25 2014<br>
@@ -627,7 +627,9 @@ void ReportRace(ThreadState *thr) {<br>
   ThreadRegistryLock l0(ctx->thread_registry);<br>
<br>
   ReportType typ = ReportTypeRace;<br>
-  if (thr->is_vptr_access)<br>
+  if (thr->is_vptr_access && freed)<br>
+    typ = ReportTypeVptrUseAfterFree;<br>
+  else if (thr->is_vptr_access)<br>
     typ = ReportTypeVptrRace;<br>
   else if (freed)<br>
     typ = ReportTypeUseAfterFree;<br>
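</blockquote><div>Review bot: the order of the new branches in ReportRace is load-bearing and undocumented: the combined test "thr->is_vptr_access && freed" has to come before the plain "thr->is_vptr_access" test, otherwise a vptr access to freed memory falls back to ReportTypeVptrRace. A one-line comment above the chain would protect it from reordering; alternatively, nest the freed check inside a single is_vptr_access branch so the precedence is structural rather than positional.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">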
<br>
Modified: compiler-rt/trunk/lib/tsan/rtl/tsan_suppressions.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_suppressions.cc?rev=219600&r1=219599&r2=219600&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/tsan/rtl/tsan_suppressions.cc?rev=219600&r1=219599&r2=219600&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/tsan/rtl/tsan_suppressions.cc (original)<br>
+++ compiler-rt/trunk/lib/tsan/rtl/tsan_suppressions.cc Mon Oct 13 03:46:25 2014<br>
@@ -60,6 +60,8 @@ SuppressionType conv(ReportType typ) {<br>
     return SuppressionRace;<br>
   else if (typ == ReportTypeUseAfterFree)<br>
     return SuppressionRace;<br>
+  else if (typ == ReportTypeVptrUseAfterFree)<br>
+    return SuppressionRace;<br>
   else if (typ == ReportTypeThreadLeak)<br>
     return SuppressionThread;<br>
   else if (typ == ReportTypeMutexDestroyLocked)<br>
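</blockquote><div>Review bot: in conv(), ReportTypeVptrUseAfterFree maps to SuppressionRace even though the report text no longer calls this a data race, so a user who wants to suppress the new "heap-use-after-free (virtual call vs free)" report has to know that a race-type suppression applies. This matches the existing ReportTypeUseAfterFree branch directly above, but it deserves a short comment here or a line in the suppression documentation. The adjacent branches that all return SuppressionRace could also be folded into one condition.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">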
<br>
Added: compiler-rt/trunk/test/tsan/vptr_harmful_race4.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/tsan/vptr_harmful_race4.cc?rev=219600&view=auto" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/tsan/vptr_harmful_race4.cc?rev=219600&view=auto</a><br>
==============================================================================<br>
--- compiler-rt/trunk/test/tsan/vptr_harmful_race4.cc (added)<br>
+++ compiler-rt/trunk/test/tsan/vptr_harmful_race4.cc Mon Oct 13 03:46:25 2014<br>
@@ -0,0 +1,34 @@<br>
+// RUN: %clangxx_tsan -O1 %s -o %t && %deflake %run %t | FileCheck %s<br>
+#include <pthread.h><br>
+#include <stdio.h><br>
+#include <unistd.h><br>
+<br>
+struct A {<br>
+  virtual void F() {<br>
+  }<br>
+<br>
+  virtual ~A() {<br>
+  }<br>
+};<br>
+<br>
+struct B : A {<br>
+  virtual void F() {<br>
+  }<br>
+};<br>
+<br>
+void *Thread(void *x) {<br>
+  sleep(1);<br>
+  ((A*)x)->F();<br>
+  return 0;<br>
+}<br>
+<br>
+int main() {<br>
+  A *obj = new B;<br>
+  pthread_t t;<br>
+  pthread_create(&t, 0, Thread, obj);<br>
+  delete obj;<br>
+  pthread_join(t, 0);<br>
+}<br>
+<br>
+// CHECK: WARNING: ThreadSanitizer: heap-use-after-free (virtual call vs free)<br></blockquote><div><br></div><div>Could/should we be more accurate, or at least more vague, about which kind of allocation was done? (this example uses 'delete', yet the diagnostic says 'free') "virtual call after deallocation"? Not sure, maybe free is sufficient. Just a thought.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
+<br>
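</blockquote><div>Review bot: the new test covers only the cross-thread case ("delete obj" in main, "((A*)x)->F()" in Thread), while the log message gives the same-thread case as the reason for the change; a second test that makes the virtual call after delete within one thread would cover the stated motivation. The ordering between the delete and the call also rests on sleep(1) in Thread, and the file name vptr_harmful_race4.cc still says "race" for what is now reported as a use-after-free.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">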
<br>
<br>
</blockquote></div><br></div></div>