[compiler-rt] r281970 - tsan: check more addresses in CheckShadowMapping

Dmitry Vyukov via llvm-commits llvm-commits at lists.llvm.org
Tue Sep 20 08:27:12 PDT 2016


On Tue, Sep 20, 2016 at 4:39 PM, Dmitry Vyukov <dvyukov at google.com> wrote:
> On Tue, Sep 20, 2016 at 4:29 PM, Renato Golin <renato.golin at linaro.org> wrote:
>> On 20 September 2016 at 14:30, Dmitry Vyukov via llvm-commits
>> <llvm-commits at lists.llvm.org> wrote:
>>> Author: dvyukov
>>> Date: Tue Sep 20 08:30:01 2016
>>> New Revision: 281970
>>>
>>> URL: http://llvm.org/viewvc/llvm-project?rev=281970&view=rev
>>> Log:
>>> tsan: check more addresses in CheckShadowMapping
>>
>> Hi Dmitry,
>>
>> This is an odd failure:
>>
>> http://lab.llvm.org:8011/builders/clang-cmake-aarch64-42vma/builds/12021
>>
>> The 39-bit bots haven't caught up with it yet, would be good to know if
>> this is a 42-vma only issue...
>
>
> Looks like there is a bug in the shadow mapping -- it is not a
> bijection. At the very least it leads to bogus addresses in race
> reports.
> We can revert the commit for now, but I am working on a more complex
> mapping for x86_64 and this extended check would be useful (as proven
> by this failure).


ShadowToMemImpl falsely assumes that the address (0x3ea00000000)
belongs to mid app range and restores it as so, which produces a wrong
address (0x2aa00000000).
The problem is that ShadowToMemImpl assumes that the mapping is
linear, but it is not (due to xor). I've hit the same issue on x86_64
while working on some changes. I am thinking about replacing
ShadowToMemImpl with the following implementation, which does not
assume linearity of the mapping. Can you please check if it fixes
aarch64/42?


template<typename Mapping>
uptr ShadowToMemImpl(uptr s) {
  DCHECK(IsShadowMem(s));
#ifndef SANITIZER_GO
  // The shadow mapping is non-linear and we've lost some bits, so we don't have
  // an easy way to restore the original app address. But the mapping is a
  // bijection, so we try to restore the address as belonging to low/mid/high
  // range consecutively and see if shadow->app->shadow mapping gives us the
  // same address.
  uptr p = (s / kShadowCnt) ^ Mapping::kAppMemXor;
  if (MemToShadow(p) == s &&
      p >= Mapping::kLoAppMemBeg && p < Mapping::kLoAppMemEnd)
    return p;
# ifdef TSAN_MID_APP_RANGE
  p = ((s / kShadowCnt) ^ Mapping::kAppMemXor) + Mapping::kMidShadowOff;
  if (MemToShadow(p) == s &&
      p >= Mapping::kMidAppMemBeg && p < Mapping::kMidAppMemEnd)
    return p;
# endif
  return ((s / kShadowCnt) ^ Mapping::kAppMemXor) | Mapping::kAppMemMsk;
#else
# ifndef SANITIZER_WINDOWS
  return (s & ~Mapping::kShadowBeg) / kShadowCnt;
# else
  return (s - Mapping::kShadowBeg) / kShadowCnt;
# endif // SANITIZER_WINDOWS
#endif
}
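
Added example, not part of this mail or of compiler-rt: a stand-alone C model of the round-trip approach proposed above. It uses a constructed two-range layout (the constants are made up, not any real tsan Mapping), a MemToShadow in the mask/xor/scale shape of tsan's MemToShadowImpl (assumed, not copied), the range-by-range ShadowToMem that accepts a candidate only if it maps back, and a CheckShadowMapping-style self test that counts failures if the sampled mapping is not a bijection.

```c
#include <stdint.h>
typedef uint64_t uptr;

/* Constructed toy layout (not a real tsan Mapping): one low and one high app
 * range in a 48-bit space, 8-byte app cells, 4 shadow cells per app cell. */
enum { kShadowCell = 8, kShadowCnt = 4 };
static const uptr kLoAppMemBeg = 0x000000001000ull, kLoAppMemEnd = 0x010000000000ull;
static const uptr kHiAppMemBeg = 0x7e8000000000ull, kHiAppMemEnd = 0x800000000000ull;
static const uptr kAppMemMsk = 0x7c0000000000ull; /* set in every hi address */
static const uptr kAppMemXor = 0x020000000000ull; /* keeps shadow off app ranges */
static int IsAppMem(uptr p) {
  return (p >= kLoAppMemBeg && p < kLoAppMemEnd) || (p >= kHiAppMemBeg && p < kHiAppMemEnd);
}

/* Forward mapping in the shape of tsan's MemToShadowImpl: drop the mask bits
 * and the in-cell offset, xor, scale. The xor is what makes it non-linear. */
static uptr MemToShadow(uptr x) {
  return ((x & ~(kAppMemMsk | (kShadowCell - 1))) ^ kAppMemXor) * kShadowCnt;
}

/* Inverse using the round-trip check from the mail: build a candidate per
 * range and accept it only if it maps back to s and lies in that range.
 * Returns 0 when nothing round-trips (s is not the shadow of any app cell). */
static uptr ShadowToMem(uptr s) {
  uptr p = (s / kShadowCnt) ^ kAppMemXor;
  if (MemToShadow(p) == s && p >= kLoAppMemBeg && p < kLoAppMemEnd) return p;
  p = ((s / kShadowCnt) ^ kAppMemXor) | kAppMemMsk;
  if (MemToShadow(p) == s && p >= kHiAppMemBeg && p < kHiAppMemEnd) return p;
  return 0;
}

/* CheckShadowMapping-style self test over the first, middle and last cell of
 * each range: app->shadow->app must be the identity, shadow must not land in
 * app memory, and no two samples may share a shadow. Returns the failure count. */
static int CheckShadowMapping(void) {
  const uptr ranges[2][2] = {{kLoAppMemBeg, kLoAppMemEnd}, {kHiAppMemBeg, kHiAppMemEnd}};
  uptr shadows[6];
  int failures = 0, n = 0;
  for (int r = 0; r < 2; r++) {
    uptr b = ranges[r][0], e = ranges[r][1];
    uptr samples[3] = {b, b + (((e - b) / 2) & ~(uptr)(kShadowCell - 1)), e - kShadowCell};
    for (int i = 0; i < 3; i++, n++) {
      shadows[n] = MemToShadow(samples[i]);
      if (ShadowToMem(shadows[n]) != samples[i] || IsAppMem(shadows[n])) failures++;
      for (int j = 0; j < n; j++) failures += (shadows[j] == shadows[n]);
    }
  }
  return failures;
}
```

A shadow address that no app cell maps to (for instance one just past the low range's shadow) comes back as 0 from ShadowToMem rather than as a plausible-looking but wrong app address.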

