Intermittent lsan failure on aarch64-linux

Hi all,

I am investigating an intermittent failure on aarch64 linux bots related to
asan, where the use_registers.cpp sometimes fails. I tried to check if it
some related issue on the test itself, but it does seems to do what the
code is trying to simulate (an thread with store the address of a leaked
allocation on the stack thread).

Instrumenting the code to dump some log (log_pointers=1:log_threads=1) the
following below (I omitted my local paths). It seems that on some runs
'use_registers=1' is really working as intended.

Any idea? It started to show when we moved ours buildbots to newer ubuntu
20.04 (with has a recent glibc 2.31), but I am not sure it is a glibc
related issue.

Probably sched_yield() clobbered x13. Can you disassemble your glibc version?

Can you try change the test to
asm(“mov x13, %0\n”
“mov x14, %0\n”
“mov x15, %0”
:
: “r”(p));

It should be fine to store value in additional registers just in case.

Probably sched_yield() clobbered x13. Can you disassemble your glibc
version?

Can you try change the test to
asm("mov x13, %0\n"
      "mov x14, %0\n"
      "mov x15, %0"
      :
      : "r"(p));

It should be fine to store value in additional registers just in case.

I though about it, but it does not seems to be the case as below (the
system default to bind-now, so no loader resolution in involved here).

I will check if adding the malloc address in extra register will improve,
the main problem is the failure is really intermittent.

(gdb) disas
Dump of assembler code for function registers_thread_func:
   0x000000000042dc18 <+0>: sub sp, sp, #0x30
   0x000000000042dc1c <+4>: stp x29, x30, [sp, #32]
   0x000000000042dc20 <+8>: add x29, sp, #0x20
   0x000000000042dc24 <+12>: stur x0, [x29, #-8]
   0x000000000042dc28 <+16>: ldur x8, [x29, #-8]
   0x000000000042dc2c <+20>: str x8, [sp, #16]
   0x000000000042dc30 <+24>: mov w8, #0x539 // #1337
   0x000000000042dc34 <+28>: mov w0, w8
   0x000000000042dc38 <+32>: bl 0x42bc18 <__interceptor_malloc(__sanitizer::uptr)>
   0x000000000042dc3c <+36>: str x0, [sp, #8]
   0x000000000042dc40 <+40>: ldr x2, [sp, #8]
   0x000000000042dc44 <+44>: adrp x0, 0x437000
   0x000000000042dc48 <+48>: add x0, x0, #0x4a4
   0x000000000042dc4c <+52>: mov w1, #0x1 // #1
   0x000000000042dc50 <+56>: str w1, [sp, #4]
   0x000000000042dc54 <+60>: bl 0x42dab8 <_Z13print_addressPKciz>
   0x000000000042dc58 <+64>: adrp x8, 0x454000 <_ZN11__sanitizer11report_fileE+7680>
   0x000000000042dc5c <+68>: ldr x0, [x8, #2752]
   0x000000000042dc60 <+72>: bl 0x4039c0 <fflush@plt>
   0x000000000042dc64 <+76>: ldr w0, [sp, #4]
   0x000000000042dc68 <+80>: ldr x8, [sp, #8]
   0x000000000042dc6c <+84>: mov x13, x8
   0x000000000042dc70 <+88>: ldr x1, [sp, #16]
   0x000000000042dc74 <+92>: bl 0x42dd20 <__aarch64_ldeor4_acq_rel>
   0x000000000042dc78 <+96>: b 0x42dc7c <registers_thread_func+100>
=> 0x000000000042dc7c <+100>: bl 0x403a20 <sched_yield@plt>
   0x000000000042dc80 <+104>: b 0x42dc7c <registers_thread_func+100>

Dump of assembler code for function __aarch64_ldeor4_acq_rel:
=> 0x000000000042dce0 <+0>: bti c
   0x000000000042dce4 <+4>: adrp x16, 0xda9000 <_ZZN6__lsan24InitializeThreadRegistryEvE27thread_registry_placeholder>
   0x000000000042dce8 <+8>: ldrb w16, [x16, #208]
   0x000000000042dcec <+12>: cbz w16, 0x42dcf8 <__aarch64_ldeor4_acq_rel+24>
   0x000000000042dcf0 <+16>: ldeoral w0, w0, [x1]
   0x000000000042dcf4 <+20>: ret
   0x000000000042dcf8 <+24>: mov w16, w0
   0x000000000042dcfc <+28>: ldaxr w0, [x1]
   0x000000000042dd00 <+32>: eor w17, w0, w16
   0x000000000042dd04 <+36>: stlxr w15, w17, [x1]
   0x000000000042dd08 <+40>: cbnz w15, 0x42dcfc <__aarch64_ldeor4_acq_rel+28>
   0x000000000042dd0c <+44>: ret

   0x403a24 <sched_yield@plt+4>: ldr x17, [x16, #336]
   0x403a28 <sched_yield@plt+8>: add x16, x16, #0x150
   0x403a2c <sched_yield@plt+12>: br x17

(gdb) x/20i $pc
=> 0xfffff7c065e0 <sched_yield>: mov x8, #0x7c // #124
   0xfffff7c065e4 <sched_yield+4>: svc #0x0
   0xfffff7c065e8 <sched_yield+8>: cmn x0, #0xfff
   0xfffff7c065ec <sched_yield+12>: b.cs 0xfffff7c065f4 <sched_yield+20> // b.hs, b.nlast
   0xfffff7c065f0 <sched_yield+16>: ret
   0xfffff7c065f4 <sched_yield+20>: b 0xfffff7b6c190 <__GI___syscall_error>
(gdb) disas __GI___syscall_error
Dump of assembler code for function __GI___syscall_error:
   0x0000fffff7b6c190 <+0>: adrp x2, 0xfffff7cb4000 <sys_sigabbrev+368>
   0x0000fffff7b6c194 <+4>: ldr x2, [x2, #3600]
   0x0000fffff7b6c198 <+8>: mrs x3, tpidr_el0
   0x0000fffff7b6c19c <+12>: mov x1, x0
   0x0000fffff7b6c1a0 <+16>: mov x0, #0xffffffffffffffff // #-1
   0x0000fffff7b6c1a4 <+20>: neg w1, w1
   0x0000fffff7b6c1a8 <+24>: str w1, [x3, x2]
   0x0000fffff7b6c1ac <+28>: ret