v8/tools/gcmole/README
Maya Lekova f8be16a0b4 [gcmole] Relax gcmole reasoning about raw pointers
This CL ensures we care only about our internal pointer types and not
about raw C++ pointers, because normally special care is taken when
storing raw pointers to the managed heap. Furthermore, checking for raw
pointers produces too many false positives in the dead variable
analysis.

Bug: v8:9680, chromium:1000635
Change-Id: Ica9ea1fe09b7456c011910a6886149b6dfdda1f5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1924357
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65174}
2019-11-26 13:55:01 +00:00

133 lines
5.2 KiB
Plaintext

DESCRIPTION -------------------------------------------------------------------
gcmole is a simple static analysis tool used to find possible evaluation order
dependent GC-unsafe places in the V8 codebase and "stale" pointers to the heap
(ones whose addresses got invalidated by the GC).
For example the following code is GC-unsafe:
Handle<Object> Foo(); // Assume Foo can trigger a GC.
void Bar(Object, Object);
Handle<Object> baz;
baz->Qux(*Foo()); // (a)
Bar(*Foo(), *baz); // (b)
Both in cases (a) and (b) compiler is free to evaluate call arguments (that
includes receiver) in any order. That means it can dereference baz before
calling to Foo and save a raw pointer to a heap object in the register or
on the stack.
In terms of the AST analysis that gcmole does, it warns about places in the
code which result in 2 subtrees, the order of execution of which is undefined
by C++, one of which causes a GC and the other dereferences a Handle to a raw
Object (or its subclasses).
The following code triggers a stale variable warning (assuming that the Foo
function was detected as potentially allocating, as in the previous example):
JSObject raw_obj = ...;
Foo();
raw_obj.Print();
Since Foo can trigger a GC, it might have moved the raw_obj. The solution is
simply to store it as a Handle.
PREREQUISITES -----------------------------------------------------------------
(1) Install Lua 5.1
$ sudo apt-get install lua5.1
(2) Get LLVM 8.0 and Clang 8.0 sources and build them.
Follow the instructions on http://clang.llvm.org/get_started.html.
Make sure to pass -DCMAKE_BUILD_TYPE=Release to cmake to get Release build
instead of a Debug one.
(3) Build gcmole Clang plugin (libgcmole.so)
In the tools/gcmole directory execute the following command:
$ BUILD_ROOT=<path> LLVM_SRC_ROOT=<path> CLANG_SRC_ROOT=<path> make
(*) Note that steps (2) and (3) can also be achieved by just using the included
bootstrapping script in this directory:
$ ./tools/gcmole/bootstrap.sh
This will use "third_party/llvm+clang-build" as a build directory and checkout
required sources in the "third_party" directory.
USING GCMOLE ------------------------------------------------------------------
gcmole consists of driver script written in Lua and Clang plugin that does
C++ AST processing. Plugin (libgcmole.so) is expected to be in the same
folder as driver (gcmole.lua).
To start analysis cd into the root of v8 checkout and execute the following
command:
CLANG_BIN=<path-to-clang-bin-folder> lua tools/gcmole/gcmole.lua [<arch>]
where arch should be one of architectures supported by V8 (arm, ia32, x64).
Analysis will be performed in 2 stages:
- on the first stage driver will parse all files and build a global callgraph
approximation to find all functions that might potentially cause GC, list
of this functions will be written into gcsuspects file.
- on the second stage driver will parse all files again and will locate all
callsites that might be GC-unsafe based on the list of functions causing GC.
Such places are marked with a "Possible problem with evaluation order."
warning. Messages "Failed to resolve v8::internal::Object" are benign and
can be ignored.
If any errors were found driver exits with non-zero status.
TESTING -----------------------------------------------------------------------
Tests are automatically run by the main lua runner. Expectations are in
test-expectations.txt and need to be updated whenever the sources of the tests
in gcmole-test.cc are modified (line numbers also count).
PACKAGING ---------------------------------------------------------------------
gcmole is deployed on V8's buildbot infrastructure to run it as part of the
continuous integration. A pre-built package of gcmole together with Clang is
hosted on Google Cloud Storage for this purpose. To update this package to a
newer version, use the provided packaging script:
$ ./tools/gcmole/package.sh
This will create a new "tools/gcmole/gcmole-tools.tar.gz" package with the
corresponding SHA1 sum suitable to be used for this purpose. It assumes that
Clang was built in "third_party/llvm+clang-build" (e.g. by the bootstrapping
script "bootstrap.sh" mentioned above).
TROUBLESHOOTING ---------------------------------------------------------------
gcmole is tighly coupled with the AST structure that Clang produces. Therefore
when upgrading to a newer Clang version, it might start producing bogus output
or completely stop outputting warnings. In such occasion, one might start the
debugging process by checking weather a new AST node type is introduced which
is currently not supported by gcmole. Insert the following code at the end of
the FunctionAnalyzer::VisitExpr method to see the unsupported AST class(es)
and the source position which generates them:
if (expr) {
clang::Stmt::StmtClass stmtClass = expr->getStmtClass();
d_.Report(clang::FullSourceLoc(expr->getExprLoc(), sm_),
d_.getCustomDiagID(clang::DiagnosticsEngine::Remark, "%0")) << stmtClass;
}
For instance, gcmole currently doesn't support AtomicExprClass statements
introduced for atomic operations.
A convenient way to observe the AST generated by Clang is to pass the following
flags when invoking clang++
-Xclang -ast-dump -fsyntax-only