Skip to content

[TSan] Add support for Android #147580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[TSan] Add support for Android #147580

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1287,6 +1287,22 @@ INTERCEPTOR(int, puts, char *s) {
#if SANITIZER_INTERCEPT_PRCTL
INTERCEPTOR(int, prctl, int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5) {
# if SANITIZER_ANDROID
// This is a workaround to avoid the crash by leveraging compiler
// optimizations, which convert the code into a tail call so that
// no PAC-related instructions are generated.
// The root cause of the crash is that PR_PAC_RESET_KEYS generates
// a new PAC key. As a result, paciasp and autiasp use different
// keys, leading to the crash.
// However, this workaround does not prevent the crash in debug
// builds, since compiler optimizations are disabled and the
// function is not converted into a tail call.
static const int PR_PAC_RESET_KEYS = 54;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this shouldn't be needed because it's defined in the ndk?

if (option == PR_PAC_RESET_KEYS) {
return REAL(prctl)(option, arg2, arg3, arg4, arg5);
}
# endif

void *ctx;
COMMON_INTERCEPTOR_ENTER(ctx, prctl, option, arg2, arg3, arg4, arg5);
static const int PR_SET_NAME = 15;
Expand Down
4 changes: 2 additions & 2 deletions compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2411,7 +2411,7 @@ TSAN_INTERCEPTOR(int, vfork, int fake) {
}
#endif

#if SANITIZER_LINUX
#if SANITIZER_LINUX && !SANITIZER_ANDROID
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why?

seems like we need to intercept clone() for tsan especially?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

glibc's pthread_create calls __clone_internal, however bionic's pthread_create calls clone. When enabling incept clone on Android, this check failed. https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/tsan/rtl/tsan_rtl.cpp#L1062

I'm not sure if this is the best way

https://codebrowser.dev/glibc/glibc/nptl/pthread_create.c.html#297

https://android.googlesource.com/platform/bionic/+/refs/heads/android16-release/libc/bionic/pthread_create.cpp#466

TSAN_INTERCEPTOR(int, clone, int (*fn)(void *), void *stack, int flags,
void *arg, int *parent_tid, void *tls, pid_t *child_tid) {
SCOPED_INTERCEPTOR_RAW(clone, fn, stack, flags, arg, parent_tid, tls,
Expand Down Expand Up @@ -3120,7 +3120,7 @@ void InitializeInterceptors() {

TSAN_INTERCEPT(fork);
TSAN_INTERCEPT(vfork);
#if SANITIZER_LINUX
#if SANITIZER_LINUX && !SANITIZER_ANDROID
TSAN_INTERCEPT(clone);
#endif
#if !SANITIZER_ANDROID
Expand Down
89 changes: 50 additions & 39 deletions compiler-rt/lib/tsan/rtl/tsan_platform_linux.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ void *__libc_stack_end = 0;
#endif

#if SANITIZER_LINUX && (defined(__aarch64__) || defined(__loongarch_lp64)) && \
!SANITIZER_GO
!SANITIZER_GO && !SANITIZER_ANDROID
# define INIT_LONGJMP_XOR_KEY 1
#else
# define INIT_LONGJMP_XOR_KEY 0
Expand Down Expand Up @@ -415,7 +415,7 @@ void InitializePlatform() {
// is not compiled with -pie.
#if !SANITIZER_GO
{
# if SANITIZER_LINUX && (defined(__aarch64__) || defined(__loongarch_lp64))
# if INIT_LONGJMP_XOR_KEY
// Initialize the xor key used in {sig}{set,long}jump.
InitializeLongjmpXorKey();
# endif
Expand Down Expand Up @@ -484,9 +484,55 @@ int ExtractRecvmsgFDs(void *msgp, int *fds, int nfd) {
return res;
}

#if SANITIZER_NETBSD
# ifdef __x86_64__
# define LONG_JMP_SP_ENV_SLOT 6
# else
# error unsupported
# endif
#elif defined(__powerpc__)
# define LONG_JMP_SP_ENV_SLOT 0
#elif SANITIZER_FREEBSD
# ifdef __aarch64__
# define LONG_JMP_SP_ENV_SLOT 1
# else
# define LONG_JMP_SP_ENV_SLOT 2
# endif
#elif SANITIZER_LINUX && !SANITIZER_ANDROID
# ifdef __aarch64__
# define LONG_JMP_SP_ENV_SLOT 13
# elif defined(__loongarch__)
# define LONG_JMP_SP_ENV_SLOT 1
# elif defined(__mips64)
# define LONG_JMP_SP_ENV_SLOT 1
# elif SANITIZER_RISCV64
# define LONG_JMP_SP_ENV_SLOT 13
# elif defined(__s390x__)
# define LONG_JMP_SP_ENV_SLOT 9
# else
# define LONG_JMP_SP_ENV_SLOT 6
# endif
#elif SANITIZER_ANDROID
// https://android.googlesource.com/platform/bionic/+/refs/heads/android16-release/libc/arch-arm64/bionic/setjmp.S
// https://android.googlesource.com/platform/bionic/+/refs/heads/android16-release/libc/arch-x86_64/bionic/setjmp.S
// https://android.googlesource.com/platform/bionic/+/refs/heads/android16-release/libc/arch-riscv64/bionic/setjmp.S
# if defined(__aarch64__) || SANITIZER_RISCV64
# define LONG_JMP_SP_ENV_SLOT 3
# define LONG_JMP_COOKIE_ENV_SLOT 0
# elif defined(__x86_64__)
# define LONG_JMP_SP_ENV_SLOT 6
# define LONG_JMP_COOKIE_ENV_SLOT 8
# else
# error unsupported
# endif
#endif

// Reverse operation of libc stack pointer mangling
static uptr UnmangleLongJmpSp(uptr mangled_sp) {
#if defined(__x86_64__)
uptr ExtractLongJmpSp(uptr *env) {
uptr mangled_sp = env[LONG_JMP_SP_ENV_SLOT];
# if SANITIZER_ANDROID
return mangled_sp ^ (env[LONG_JMP_COOKIE_ENV_SLOT] & ~1ULL);
# elif defined(__x86_64__)
# if SANITIZER_LINUX
// Reverse of:
// xor %fs:0x30, %rsi
Expand Down Expand Up @@ -528,41 +574,6 @@ static uptr UnmangleLongJmpSp(uptr mangled_sp) {
# endif
}

#if SANITIZER_NETBSD
# ifdef __x86_64__
# define LONG_JMP_SP_ENV_SLOT 6
# else
# error unsupported
# endif
#elif defined(__powerpc__)
# define LONG_JMP_SP_ENV_SLOT 0
#elif SANITIZER_FREEBSD
# ifdef __aarch64__
# define LONG_JMP_SP_ENV_SLOT 1
# else
# define LONG_JMP_SP_ENV_SLOT 2
# endif
#elif SANITIZER_LINUX
# ifdef __aarch64__
# define LONG_JMP_SP_ENV_SLOT 13
# elif defined(__loongarch__)
# define LONG_JMP_SP_ENV_SLOT 1
# elif defined(__mips64)
# define LONG_JMP_SP_ENV_SLOT 1
# elif SANITIZER_RISCV64
# define LONG_JMP_SP_ENV_SLOT 13
# elif defined(__s390x__)
# define LONG_JMP_SP_ENV_SLOT 9
# else
# define LONG_JMP_SP_ENV_SLOT 6
# endif
#endif

uptr ExtractLongJmpSp(uptr *env) {
uptr mangled_sp = env[LONG_JMP_SP_ENV_SLOT];
return UnmangleLongJmpSp(mangled_sp);
}

#if INIT_LONGJMP_XOR_KEY
// GLIBC mangles the function pointers in jmp_buf (used in {set,long}*jmp
// functions) by XORing them with a random key. For AArch64 it is a global
Expand Down
6 changes: 5 additions & 1 deletion compiler-rt/lib/tsan/rtl/tsan_rtl_thread.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,10 +188,14 @@ void ThreadStart(ThreadState *thr, Tid tid, ThreadID os_id,
}
#endif

#if !SANITIZER_GO
#if !SANITIZER_GO && !SANITIZER_ANDROID
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why don't we need this for android?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because ThreadState is created by MmapOrDie, so the thr object is not in tls, the pointer of thr object is in TLS_SLOT_SANITIZER slot. The check in ImitateTlsWrite will fail.

https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/tsan/rtl/tsan_platform_linux.cpp#L640

      thr = reinterpret_cast<ThreadState*>(MmapOrDie(sizeof(ThreadState),
                                                     "ThreadState"));
      *get_android_tls_ptr() = reinterpret_cast<uptr>(thr);

https://github.com/llvm/llvm-project/blob/main/compiler-rt/lib/tsan/rtl/tsan_platform_linux.cpp#L592

void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size) {
  // Check that the thr object is in tls;
  const uptr thr_beg = (uptr)thr;
  const uptr thr_end = (uptr)thr + sizeof(*thr);
  CHECK_GE(thr_beg, tls_addr);
  CHECK_LE(thr_beg, tls_addr + tls_size);
  CHECK_GE(thr_end, tls_addr);
  CHECK_LE(thr_end, tls_addr + tls_size);
  // Since the thr object is huge, skip it.
  const uptr pc = StackTrace::GetNextInstructionPc(
      reinterpret_cast<uptr>(__tsan_tls_initialization));
  MemoryRangeImitateWrite(thr, pc, tls_addr, thr_beg - tls_addr);
  MemoryRangeImitateWrite(thr, pc, thr_end, tls_addr + tls_size - thr_end);
}

// The Android Bionic team has allocated a TLS slot for sanitizers starting
// with Q, given that Android currently doesn't support ELF TLS. It is used to
// store sanitizer thread specific data.
static const int TLS_SLOT_SANITIZER = 6;

ALWAYS_INLINE uptr *get_android_tls_ptr() {
  return reinterpret_cast<uptr *>(&__get_tls()[TLS_SLOT_SANITIZER]);
}

// Don't imitate stack/TLS writes for the main thread,
// because its initialization is synchronized with all
// subsequent threads anyway.
// Because thr is created by MmapOrDie, the thr object
// is not in tls, the pointer of thr object is in
// TLS_SLOT_SANITIZER slot. So skip this check on
// Android platform.
if (tid != kMainTid) {
if (stk_addr && stk_size) {
const uptr pc = StackTrace::GetNextInstructionPc(
Expand Down