[vm, compiler] Add TSAN instrumentation to Dart field access.

Allows TSAN to detect data races involving Dart fields.

TEST=tsan
Cq-Include-Trybots: luci.dart.try:vm-tsan-linux-release-x64-try,vm-tsan-linux-release-arm64-try,iso-stress-linux-arm64-try,iso-stress-linux-x64-try
Change-Id: Ic7a6c7e6c1810adf79b41e5c0ae891132f368a61
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/439143
Reviewed-by: Alexander Aprelev <[email protected]>
Commit-Queue: Ryan Macnak <[email protected]>

Author: rmacnak-google

runtime/docs/pragmas.md

@@ -21,6 +21,7 @@ These pragmas are part of the VM's API and are safe for use in external code.
 | `vm:awaiter-link` | [Specifying variable to follow for awaiter stack unwinding](awaiter_stack_traces.md) |
 | `vm:deeply-immutable` | [Specifying a class and all its subtypes are deeply immutable](deeply_immutable.md) |
 | `vm:align-loops` | Tells compiler to align all loop headers inside the function to an architecture specific boundary: currently 32 bytes on X64 and ARM64 (except Apple Silicon, which explicitly discourages aligning branch targets) |
+| `vm:no-sanitize-thread` | Disable ThreadSanitizer instrumentation |
 
 ## Unsafe pragmas for general use
 

runtime/platform/thread_sanitizer.h

@@ -17,14 +17,24 @@
 
 #if defined(USING_THREAD_SANITIZER)
 #define NO_SANITIZE_THREAD __attribute__((no_sanitize("thread")))
-extern "C" void __tsan_atomic32_load(uint32_t* addr, int order);
+extern "C" uint32_t __tsan_atomic32_load(uint32_t* addr, int order);
 extern "C" void __tsan_atomic32_store(uint32_t* addr,
                                       uint32_t value,
                                       int order);
-extern "C" void __tsan_atomic64_load(uint64_t* addr, int order);
+extern "C" uint64_t __tsan_atomic64_load(uint64_t* addr, int order);
 extern "C" void __tsan_atomic64_store(uint64_t* addr,
                                       uint64_t value,
                                       int order);
+extern "C" void __tsan_read1(void* addr);
+extern "C" void __tsan_read2(void* addr);
+extern "C" void __tsan_read4(void* addr);
+extern "C" void __tsan_read8(void* addr);
+extern "C" void __tsan_read16(void* addr);
+extern "C" void __tsan_write1(void* addr);
+extern "C" void __tsan_write2(void* addr);
+extern "C" void __tsan_write4(void* addr);
+extern "C" void __tsan_write8(void* addr);
+extern "C" void __tsan_write16(void* addr);
 #else
 #define NO_SANITIZE_THREAD
 #endif

runtime/tests/vm/dart/tsan/array_data_race_test.dart

@@ -0,0 +1,66 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// VMOptions=--experimental-shared-data
+
+import "dart:io";
+import "dart:isolate";
+import "package:expect/expect.dart";
+
+@pragma("vm:shared")
+List<dynamic> box = List<dynamic>.filled(1, 0);
+
+@pragma("vm:never-inline")
+noopt() {}
+
+@pragma("vm:never-inline")
+dataRaceFromMain() {
+  final localBox = box;
+  for (var i = 0; i < 1000000; i++) {
+    localBox[0] += 1;
+    noopt();
+  }
+}
+
+@pragma("vm:never-inline")
+dataRaceFromChild() {
+  final localBox = box;
+  for (var i = 0; i < 1000000; i++) {
+    localBox[0] += 1;
+    noopt();
+  }
+}
+
+child(_) {
+  dataRaceFromChild();
+}
+
+main(List<String> arguments) {
+  if (arguments.contains("--testee")) {
+    print(box); // side effect initialization
+    Isolate.spawn(child, null);
+    dataRaceFromMain();
+    return;
+  }
+
+  var exec = Platform.executable;
+  var args = [
+    ...Platform.executableArguments,
+    Platform.script.toFilePath(),
+    "--testee",
+  ];
+  print("+ $exec ${args.join(' ')}");
+
+  var result = Process.runSync(exec, args);
+  print("Command stdout:");
+  print(result.stdout);
+  print("Command stderr:");
+  print(result.stderr);
+
+  Expect.notEquals(0, result.exitCode);
+  Expect.contains("ThreadSanitizer: data race", result.stderr);
+  Expect.contains("of size 8", result.stderr);
+  Expect.contains("dataRaceFromMain", result.stderr);
+  Expect.contains("dataRaceFromChild", result.stderr);
+}

runtime/tests/vm/dart/tsan/field_data_race_no_sanitize_test.dart

@@ -0,0 +1,67 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// VMOptions=--experimental-shared-data
+
+import "dart:io";
+import "dart:isolate";
+import "package:expect/expect.dart";
+
+class Box {
+  @pragma("vm:no-sanitize-thread") // __attribute__((no_sanitize("thread")))
+  int foo = 0;
+}
+
+@pragma("vm:shared")
+Box box = Box();
+
+@pragma("vm:never-inline")
+noopt() {}
+
+@pragma("vm:never-inline")
+dataRaceFromMain() {
+  final localBox = box;
+  for (var i = 0; i < 1000000; i++) {
+    localBox.foo += 1;
+    noopt();
+  }
+}
+
+@pragma("vm:never-inline")
+dataRaceFromChild() {
+  final localBox = box;
+  for (var i = 0; i < 1000000; i++) {
+    localBox.foo += 1;
+    noopt();
+  }
+}
+
+child(_) {
+  dataRaceFromChild();
+}
+
+main(List<String> arguments) {
+  if (arguments.contains("--testee")) {
+    print(box); // side effect initialization
+    Isolate.spawn(child, null);
+    dataRaceFromMain();
+    return;
+  }
+
+  var exec = Platform.executable;
+  var args = [
+    ...Platform.executableArguments,
+    Platform.script.toFilePath(),
+    "--testee",
+  ];
+  print("+ $exec ${args.join(' ')}");
+
+  var result = Process.runSync(exec, args);
+  print("Command stdout:");
+  print(result.stdout);
+  print("Command stderr:");
+  print(result.stderr);
+
+  Expect.equals(0, result.exitCode);
+}

runtime/tests/vm/dart/tsan/field_data_race_test.dart

@@ -0,0 +1,70 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// VMOptions=--experimental-shared-data
+
+import "dart:io";
+import "dart:isolate";
+import "package:expect/expect.dart";
+
+class Box {
+  int foo = 0;
+}
+
+@pragma("vm:shared")
+Box box = Box();
+
+@pragma("vm:never-inline")
+noopt() {}
+
+@pragma("vm:never-inline")
+dataRaceFromMain() {
+  final localBox = box;
+  for (var i = 0; i < 1000000; i++) {
+    localBox.foo += 1;
+    noopt();
+  }
+}
+
+@pragma("vm:never-inline")
+dataRaceFromChild() {
+  final localBox = box;
+  for (var i = 0; i < 1000000; i++) {
+    localBox.foo += 1;
+    noopt();
+  }
+}
+
+child(_) {
+  dataRaceFromChild();
+}
+
+main(List<String> arguments) {
+  if (arguments.contains("--testee")) {
+    print(box); // side effect initialization
+    Isolate.spawn(child, null);
+    dataRaceFromMain();
+    return;
+  }
+
+  var exec = Platform.executable;
+  var args = [
+    ...Platform.executableArguments,
+    Platform.script.toFilePath(),
+    "--testee",
+  ];
+  print("+ $exec ${args.join(' ')}");
+
+  var result = Process.runSync(exec, args);
+  print("Command stdout:");
+  print(result.stdout);
+  print("Command stderr:");
+  print(result.stderr);
+
+  Expect.notEquals(0, result.exitCode);
+  Expect.contains("ThreadSanitizer: data race", result.stderr);
+  Expect.contains("of size 8", result.stderr);
+  Expect.contains("dataRaceFromMain", result.stderr);
+  Expect.contains("dataRaceFromChild", result.stderr);
+}

runtime/tests/vm/dart/tsan/typed_data_race_test.dart

@@ -0,0 +1,67 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// VMOptions=--experimental-shared-data
+
+import "dart:io";
+import "dart:isolate";
+import "dart:typed_data";
+import "package:expect/expect.dart";
+
+@pragma("vm:shared")
+Uint8List box = Uint8List(1);
+
+@pragma("vm:never-inline")
+noopt() {}
+
+@pragma("vm:never-inline")
+dataRaceFromMain() {
+  final localBox = box;
+  for (var i = 0; i < 1000000; i++) {
+    localBox[0] += 1;
+    noopt();
+  }
+}
+
+@pragma("vm:never-inline")
+dataRaceFromChild() {
+  final localBox = box;
+  for (var i = 0; i < 1000000; i++) {
+    localBox[0] += 1;
+    noopt();
+  }
+}
+
+child(_) {
+  dataRaceFromChild();
+}
+
+main(List<String> arguments) {
+  if (arguments.contains("--testee")) {
+    print(box); // side effect initialization
+    Isolate.spawn(child, null);
+    dataRaceFromMain();
+    return;
+  }
+
+  var exec = Platform.executable;
+  var args = [
+    ...Platform.executableArguments,
+    Platform.script.toFilePath(),
+    "--testee",
+  ];
+  print("+ $exec ${args.join(' ')}");
+
+  var result = Process.runSync(exec, args);
+  print("Command stdout:");
+  print(result.stdout);
+  print("Command stderr:");
+  print(result.stderr);
+
+  Expect.notEquals(0, result.exitCode);
+  Expect.contains("ThreadSanitizer: data race", result.stderr);
+  Expect.contains("of size 1", result.stderr);
+  Expect.contains("dataRaceFromMain", result.stderr);
+  Expect.contains("dataRaceFromChild", result.stderr);
+}

runtime/tests/vm/vm.status

@@ -392,6 +392,9 @@ dart/finalizer/finalizer_isolate_groups_run_gc_test: SkipByDesign # uses spawnUr
 dart/isolates/send_object_to_spawn_uri_isolate_test: SkipByDesign # uses spawnUri
 dart/issue32950_test: SkipByDesign # uses spawnUri.
 
+[ $runtime != dart_precompiled || $sanitizer != tsan ]
+dart/tsan/*: SkipByDesign
+
 [ $runtime != dart_precompiled || $sanitizer != msan && $sanitizer != tsan ]
 dart/sanitizer_compatibility_test: SkipByDesign
 

runtime/vm/app_snapshot.cc

@@ -2204,7 +2204,7 @@ class FieldSerializationCluster : public SerializationCluster {
         s->Write<int8_t>(field->untag()->static_type_exactness_state_);
         s->Write<uint32_t>(field->untag()->kernel_offset_);
       }
-      s->Write<uint16_t>(field->untag()->kind_bits_);
+      s->Write<uint32_t>(field->untag()->kind_bits_);
 
       // Write out either the initial static value or field offset.
       if (Field::StaticBit::decode(field->untag()->kind_bits_)) {
@@ -2267,7 +2267,7 @@ class FieldDeserializationCluster : public DeserializationCluster {
 #endif  // defined(TARGET_ARCH_X64)
       field->untag()->kernel_offset_ = d.Read<uint32_t>();
 #endif
-      field->untag()->kind_bits_ = d.Read<uint16_t>();
+      field->untag()->kind_bits_ = d.Read<uint32_t>();
 
       field->untag()->host_offset_or_field_id_ =
           static_cast<SmiPtr>(d.ReadRef());