[all-commits] [llvm/llvm-project] 59b26a: [TSan, SanitizerBinaryMetadata] Analyze the captur...

Camsyn via All-commits all-commits at lists.llvm.org
Thu Apr 24 01:48:29 PDT 2025 

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 59b26abbbe89994c2ffd50a933654be247b68aaf
      https://github.com/llvm/llvm-project/commit/59b26abbbe89994c2ffd50a933654be247b68aaf
  Author: Camsyn <camsyn at foxmail.com>
  Date:   2025-04-24 (Thu, 24 Apr 2025)

  Changed paths:
    A compiler-rt/test/tsan/stack_race3.cpp
    M llvm/lib/Transforms/Instrumentation/SanitizerBinaryMetadata.cpp
    M llvm/lib/Transforms/Instrumentation/ThreadSanitizer.cpp
    M llvm/test/Instrumentation/ThreadSanitizer/capture.ll

  Log Message:
  -----------
  [TSan, SanitizerBinaryMetadata] Analyze the capture status for `alloca` rather than arbitrary `Addr` (#132756)

This PR is based on my last PR #132752 (the first commit of this PR),
but addressing a different issue.

This commit addresses the limitation in `PointerMayBeCaptured` analysis
when dealing with derived pointers (e.g. arr+1) as described in issue
#132739.

The current implementation of `PointerMayBeCaptured` may miss captures
of the underlying `alloca` when analyzing derived pointers, leading to
some FNs in TSan, as follows:
```cpp
void *Thread(void *a) {
  ((int*)a)[1] = 43;
  return 0;
}

int main() {
  int Arr[2] = {41, 42};
  pthread_t t;
  pthread_create(&t, 0, Thread, &Arr[0]);
  // Missed instrumentation here due to the FN of PointerMayBeCaptured
  Arr[1] = 43;
  barrier_wait(&barrier);
  pthread_join(t, 0);
}
```
Refer to this [godbolt page](https://godbolt.org/z/n67GrxdcE) to get the
compilation result of TSan.

Even when `PointerMayBeCaptured` working correctly, it should backtrack
to the original `alloca` firstly during analysis, causing redundancy to
the outer's `findAllocaForValue`.
```cpp
    const AllocaInst *AI = findAllocaForValue(Addr);
    // Instead of Addr, we should check whether its base pointer is captured.
    if (AI && !PointerMayBeCaptured(Addr, true)) ...
```

Key changes:
Directly analyze the capture status of the underlying `alloca` instead
of derived pointers to ensure accurate capture detection
```cpp
    const AllocaInst *AI = findAllocaForValue(Addr);
    // Instead of Addr, we should check whether its base pointer is captured.
    if (AI && !PointerMayBeCaptured(AI, true)) ...
```



To unsubscribe from these emails, change your notification settings at https://github.com/llvm/llvm-project/settings/notifications

More information about the All-commits mailing list