[Qemu-devel] [RFC 0/8] A couple of fixes for ThreadSanitizer

["Alex Bennée" <alex.bennee@linaro.org>]

Hi,

As a precursor to next set of MTTCG reviews in my inbox I had a quick
look at the current state of using ThreadSanitizer with QEMU. There
are a number of patches here:

  1,2,3: workarounds for the compiler when tsan enabled
  4,5,6,7: various fixes using atomic_set/read()
  8: defend the build in Travis

The fixes are mostly theoretical for x86 hosts as individual writes
can't fight with each other to corrupt the final value. However being
explicit about this is the correct thing to do and it reduces the
noise of reports.

With this series I'm still seeing some warnings about qht_insert
racing with tb_alloc but the fixes didn't work so we suspect this
might be a false positive from tsan. I've dropped the workaround from
the series for now.

In system-mode the big generator of warnings is coroutines which are
heavily used in the block layer, for example:

  WARNING: ThreadSanitizer: data race (pid=11820)
    Read of size 8 at 0x7d0400008fa0 by thread T2:
      #0 strlen <null> (libtsan.so.0+0x000000025f6d)
      #1 pthread_setname_np <null> (libpthread.so.0+0x000000012395)
      #2 <null> <null> (libglib-2.0.so.0+0x000000070bad)

    Previous write of size 8 at 0x7d0400008fa0 by main thread (mutexes: write M658):
      #0 malloc <null> (libtsan.so.0+0x0000000254a3)
      #1 g_malloc <null> (libglib-2.0.so.0+0x00000004f728)
      #2 qemu_coroutine_new util/coroutine-gthread.c:144 (qemu-system-aarch64+0x000000c79ad0)
      #3 qemu_coroutine_create util/qemu-coroutine.c:75 (qemu-system-aarch64+0x000000c77f9d)
      #4 bdrv_prwv_co block/io.c:590 (qemu-system-aarch64+0x000000b9dd75)

I think these are fixable with memory barriers but I'm going to need
to re-watch the KVM Forum video on the subject to remind myself of the
black magic that coroutines involves (unless anyone else wants to
tackle that).

With this series applied you can enable ThreadSanitizer with the
following command line:

  ./configure --extra-cflags="-g3 -O0 \
    -fsantize=thread \
    -fsanitize-blacklist=/home/alex/lsrc/qemu/qemu.git/blacklist.tsan" \
    --with-coroutine=gthread --disable-pie --enable-debug --enable-debug-info

breakdown:
  -fsanitize=thread - enables sanitizer
  -fsanitize-blacklist - skip things the compiler finds hard, like SSE
  --with-coroutine=gthread - tsan chokes on other forms of coroutine
  --disable-pie - tsan no longer works with PIE
   --enable-debug --enable-debug-info - better backtraces


Alex Bennée (7):
  ui/vnc-enc-tight: add abort() for unexpected default
  tcg/optimize: move default return out of if statement
  new: blacklist.tsan
  qom/object: update class cache atomically
  cpu: atomically modify cpu->exit_request
  util/qht: atomically set b->hashes
  .travis.yml: add gcc sanitizer build

Paolo Bonzini (1):
  seqlock: use atomic writes for the sequence

 .travis.yml            | 16 ++++++++++++++++
 blacklist.tsan         |  2 ++
 cpu-exec.c             |  8 ++++----
 include/qemu/seqlock.h |  4 ++--
 qom/cpu.c              |  4 ++--
 qom/object.c           | 15 ++++++++-------
 tcg/optimize.c         |  3 +--
 ui/vnc-enc-tight.c     |  2 ++
 util/qht.c             | 10 +++++-----
 9 files changed, 42 insertions(+), 22 deletions(-)
 create mode 100644 blacklist.tsan

-- 
2.9.3