AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
45ae9e0ae9
v8/tools/gcmole
History
Maya Lekova 45ae9e0ae9 Update gcmole to work with llvm 8 and the new Object design 
After introducing the new pointer-containing Object class in V8 (see
https://docs.google.com/document/d/1_w49sakC1XM1OptjTurBDqO86NE16FH8LwbeUAtrbCo/edit),
gcmole stopped finding errorneous usage of raw pointers in functions that could
trigger GC. This CL modifies the heuristics of the tool to classify Object and
MaybeObject instances as raw pointers, thus giving back the missing warnings.

Updated the gcmole implementation to support modern llvm (tested with llvm 8.0)
for which additional support for MaterializeTemporaryExpr, ExprWithCleanups and
UnaryExprOrTypeTraitExpr was needed.

Basic tests are added to make it harder to introduce such errors without
noticing in the future.

This version gives a lot of false positives when ran on the whole project, see
https://docs.google.com/document/d/1K7eJ0f6m9QX6FZIjZnt_GFtUsjEOC_LpiAwZbcAA3f8/edit

R=jkummerow@chromium.org,mstarzinger@chromium.org

Bug: v8:8813
Change-Id: Ic0190a4bc2642eda8880d9f7b30b5145a76a7d89
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1494754
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60099}
2019-03-07 15:22:22 +00:00
..
bootstrap.sh Update gcmole to a more recent clang/llvm. 2014-08-07 12:56:53 +00:00
BUILD.gn Reland "[turboassembler] Introduce hard-abort mode" 2018-07-24 15:58:46 +00:00
gccause.lua Adjust contents of kAheadOfTime to match write-barrier stub called from CompileArrayPushCall. 2011-10-04 11:38:12 +00:00
gcmole-test.cc Update gcmole to work with llvm 8 and the new Object design 2019-03-07 15:22:22 +00:00
gcmole-tools.tar.gz.sha1 [test] Upgrade gcmole plugin 2017-02-16 14:54:22 +00:00
gcmole.cc Update gcmole to work with llvm 8 and the new Object design 2019-03-07 15:22:22 +00:00
gcmole.lua Revert GC scheduling for external backing stores 2018-08-30 14:24:38 +00:00
Makefile Update gcmole to a more recent clang/llvm. 2014-08-07 12:56:53 +00:00
parallel.py Preparing v8 to use with python3 /tools 2019-02-19 09:12:07 +00:00
README Update gcmole to work with llvm 8 and the new Object design 2019-03-07 15:22:22 +00:00
run-gcmole.py Preparing v8 to use with python3 /tools 2019-02-19 09:12:07 +00:00

README 

DESCRIPTION -------------------------------------------------------------------

gcmole is a simple static analysis tool used to find possible evaluation order 
dependent GC-unsafe places in the V8 codebase.

For example the following code is GC-unsafe:

Handle<Object> Foo();  // Assume Foo can trigger a GC.
void Bar(Object*, Object*);

Handle<Object> baz;
baz->Qux(*Foo());  // (a)  
Bar(*Foo(), *baz);  // (b)

Both in cases (a) and (b) compiler is free to evaluate call arguments (that 
includes receiver) in any order. That means it can dereference baz before 
calling to Foo and save a raw pointer to a heap object in the register or 
on the stack.  

PREREQUISITES -----------------------------------------------------------------

1) Install Lua 5.1

2) Get LLVM 8.0 and Clang 8.0 sources and build them.

Follow the instructions on http://clang.llvm.org/get_started.html.

Make sure to pass --enable-optimized to configure to get Release build 
instead of a Debug one.

3) Build gcmole Clang plugin (libgcmole.so)

In the tools/gcmole execute the following command:

LLVM_SRC_ROOT=<path-to-llvm-source-root> make

USING GCMOLE ------------------------------------------------------------------

gcmole consists of driver script written in Lua and Clang plugin that does
C++ AST processing. Plugin (libgcmole.so) is expected to be in the same
folder as driver (gcmole.lua).

To start analysis cd into the root of v8 checkout and execute the following
command:

CLANG_BIN=<path-to-clang-bin-folder> lua tools/gcmole/gcmole.lua [<arch>]

where arch should be one of architectures supported by V8 (arm, ia32, x64).

Analysis will be performed in 2 stages: 

- on the first stage driver will parse all files and build a global callgraph 
approximation to find all functions that might potentially cause GC, list
of this functions will be written into gcsuspects file.

- on the second stage driver will parse all files again and will locate all 
callsites that might be GC-unsafe based on the list of functions causing GC. 
Such places are marked with a "Possible problem with evaluation order." 
warning. Messages "Failed to resolve v8::internal::Object" are benign and 
can be ignored.

If any errors were found driver exits with non-zero status.

TROUBLESHOOTING ------------------------

gcmole is tighly coupled with the AST structure that Clang produces. Therefore
when upgrading to a newer Clang version, it might start producing bogus output
or completely stop outputting warnings. In such occasion, one might start the
debugging process by checking weather a new AST node type is introduced which
is currently not supported by gcmole. Insert the following code at the end of
the FunctionAnalyzer::VisitExpr method to see the unsupported AST class(es)
and the source position which generates them:

    if (expr) {
      clang::Stmt::StmtClass stmtClass = expr->getStmtClass();
      d_.Report(clang::FullSourceLoc(expr->getExprLoc(), sm_),
        d_.getCustomDiagID(clang::DiagnosticsEngine::Remark, "%0")) << stmtClass;
    }

For instance, gcmole currently doesn't support AtomicExprClass statements
introduced for atomic operations.

A convenient way to observe the AST generated by Clang is to pass the following
flags when invoking clang++

    -Xclang -ast-dump -fsyntax-only