<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 8, 2014 at 2:00 AM, Alexander Potapenko <span dir="ltr"><<a href="mailto:glider@google.com" target="_blank">glider@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hope you're assuming there's always a single copy of common_flags in<br>
the process.<br></blockquote><div><br></div><div>Yes.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This isn't the case for e.g. ASan+UBSan on Mac, but that's a broken setup.<br></blockquote><div><br></div><div>Yes. I assume, we want to have dynamic UBSan runtime on Mac, don't we?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
What if we let the tools protect specific flags (by adding a bool to<br>
each flag) once they set their values (when setting the default<br>
values, parsing xSAN_OPTIONS, etc)<br>
Generally, I think we need to protect each flag when anyone's trying<br>
to read it (so we'll need getters and setters for the flags), unless<br>
the code opts out of protecting a particular flag (e.g. if we want to<br>
allow it to be changed dynamically).<br>
This way we can prevent the flags from being overridden with conflicting values.<br></blockquote><div><br></div><div>What is the purpose of making the flag values immutable? If you want to protect against the case<br></div><div>where we accidentally reset the flag value, you can just make common_flags() accessor return a const</div><div>reference. Then you'd only be able to modify the flag values explicitly via ParseCommonFlagsFromString()</div><div>and similar functions. This would certainly be a positive change.</div><div><br></div><div>IMO it would be *very* hard to distinguish between cases when we</div><div>override flags on purpose (e.g. override defaults from env var) and when we override them accidentally during</div><div>multiple tool initializatier calls (the case which I describe).</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Irrespective of whether we protect the flags or not, I think we need<br>
to distinguish between the flags that can be set once and flags that<br>
may change their values (e.g. on Android).<br></blockquote><div><br></div><div>Anyway, this suggestion is kind of orthogonal to mine. I was asking if you're ok with having "main" tool (ASan)</div><div>steal responsibility of initializing runtime flags from "plug-in" tools (LSan, UBSan).</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div class="h5"><br>
On Sat, Dec 6, 2014 at 2:51 AM, Alexey Samsonov <<a href="mailto:vonosmas@gmail.com">vonosmas@gmail.com</a>> wrote:<br>
> Hi all,<br>
><br>
> TL;DR<br>
> 1) We should change the way we parse common runtime flags in sanitizers.<br>
> 2) We should make ASan aware of the tools it can be combined with (LSan and<br>
> UBSan).<br>
> 3) We may have to restrict the tools UBSan can be combined with (currently<br>
> to ASan) (see [1])<br>
><br>
> Currently we have two kinds of sanitizer runtime flags: tool-specific flags<br>
> and "common flags", defined in sanitizer_common library and shared across<br>
> all the sanitizers. Many of these common flags are used early during tool<br>
> initialization (for example, we use "suppressions" flag to create<br>
> SuppressionContext singleton object). That's the reason why we parse both<br>
> tool-specific flags and common flags as early as possible at program<br>
> startup, before running the rest of initialization code. It all works fine<br>
> until we have a single sanitizer - e.g. for TSan or MSan.<br>
><br>
> The situation gets crazy when we combine multiple sanitizers in a single<br>
> process, for instance use ASan+LSan+UBSan (the default use case in some<br>
> setups). Each tool has its own defaults for common flag values, and each of<br>
> ASAN_OPTIONS, LSAN_OPTIONS and UBSAN_OPTIONS can define both tool-specific<br>
> and common flags. These environment variables are parsed at different time,<br>
> sometimes in undefined order. We can easily end up in situation where ASan<br>
> initializes some parts of sanitizer_common assuming certain values of common<br>
> runtime flags, but then these flags are overwritten by LSAN_OPTIONS. All<br>
> this is very complicated and fragile.<br>
><br>
> I propose to implement the following:<br>
><br>
> ASan flag parsing:<br>
> 1) Detect all sanitizers ASan is combined with (We know that we have LSan if<br>
> "CAN_SANITIZE_LEAKS" is true. We can detect if we have UBSan in the process<br>
> somehow.)<br>
> 2) Setup defaults for ASan-specific flags and override them from<br>
> ASAN_OPTIONS.<br>
> 3) Setup defaults for common flags and override them from all of<br>
> ASAN_OPTIONS, LSAN_OPTIONS and UBSAN_OPTIONS (if corresponding sanitizers<br>
> are enabled for the process).<br>
> 4) Proceed with initialization, and call LSan/UBSan initializers when<br>
> appropriate.<br>
><br>
> LSan/UBSan flag parsing:<br>
> 1) Learn if LSan/UBSan are combined with ASan (the "main" tool) or run as<br>
> standalone tool. This is already done for LSan and can be done for UBSan by<br>
> slightly modifying the way we structure runtimes.<br>
> 2) Setup defaults for tool-specific flags and override them from<br>
> LSAN/UBSAN_OPTIONS.<br>
> 3) If the tools run in standalone mode, setup the defaults for common flags<br>
> and override them from LSAN/UBSAN_OPTIONS. If the tools are combined with<br>
> "main" tool, do nothing.<br>
> 4) Proceed with initialization.<br>
><br>
> [1] Conjecture:<br>
> 1) We will have to add the hook to initialize UBSan that we would invoke<br>
> from ASan (much like we do for LSan). It means that we would have to<br>
> restrict the set of sanitizers that can be combined with UBSan (allowing it<br>
> for another sanitizers would be very easy, but manual process). The<br>
> alternative would be to make UBSan setup no-op except for parsing the flags,<br>
> so that UBSan initializer could be safely called before main tool<br>
> initializer.<br>
><br>
> Bonus:<br>
> 1) We will be able to significantly improve runtime flag parsing diagnostic.<br>
> For instance, we would be able to report conflicting flag definitions (e.g.<br>
> when one provides ASAN_OPTIONS=symbolize=0 LSAN_OPTIONS=symbolize=1).<br>
><br>
> Comments/objections?<br>
><br>
> --<br>
> Alexey Samsonov<br>
> <a href="mailto:vonosmas@gmail.com">vonosmas@gmail.com</a><br>
><br>
</div></div>> _______________________________________________<br>
> LLVM Developers mailing list<br>
> <a href="mailto:LLVMdev@cs.uiuc.edu">LLVMdev@cs.uiuc.edu</a> <a href="http://llvm.cs.uiuc.edu" target="_blank">http://llvm.cs.uiuc.edu</a><br>
> <a href="http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Alexander Potapenko<br>
Software Engineer<br>
Google Moscow<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Alexey Samsonov<br><a href="mailto:vonosmas@gmail.com" target="_blank">vonosmas@gmail.com</a></div></div>
</div></div>