Thanks to visit codestin.com
Credit goes to github.com

Skip to content

CIFuzz: integrate ThreadSanitizer#4981

Draft
kleisauke wants to merge 27 commits intolibvips:masterfrom
kleisauke:cifuzz-add-tsan
Draft

CIFuzz: integrate ThreadSanitizer#4981
kleisauke wants to merge 27 commits intolibvips:masterfrom
kleisauke:cifuzz-add-tsan

Conversation

@kleisauke
Copy link
Copy Markdown
Member

@kleisauke kleisauke commented Mar 28, 2026
edited
Loading

Opened as a draft since ThreadSanitizer is not officially supported by CIFuzz.

Context: #4713 (comment).
Depends on: google/oss-fuzz#15235.

@kleisauke kleisauke force-pushed the cifuzz-add-tsan branch 2 times, most recently from 8a948f2 to 58c1cfc Compare March 29, 2026 13:40
@kleisauke
meson: fix pkg-config generation with internal dependencies
56f0d01 
Use `libraries` instead of `requires` when calling `pkg.generate()`
to make the configuration succeed with internal dependencies (i.e.
subprojects).

Non-functional change.
@kleisauke kleisauke mentioned this pull request Mar 29, 2026
Open
kleisauke added a commit to kleisauke/oss-fuzz that referenced this pull request Mar 29, 2026
@kleisauke
CIFuzz: support ThreadSanitizer
d2d26d7 
Helps: libvips/libvips#4981.
@kleisauke kleisauke mentioned this pull request Mar 29, 2026
Open
@kleisauke
Copy link
Copy Markdown
Member Author

kleisauke commented Mar 29, 2026

This is starting to take shape. I've opened PR #4985 and google/oss-fuzz#15235, which this PR depends on.

TSan is also far more reliable when GLib is built with it, which allows me to remove most of the previously needed suppressions. :)

@kleisauke kleisauke force-pushed the cifuzz-add-tsan branch 2 times, most recently from 3313b54 to 6aa50c5 Compare March 30, 2026 17:03
kleisauke added 16 commits March 31, 2026 09:52
@kleisauke
CIFuzz: built GLib with TSan instrumentation
f746a3c
@kleisauke
fuzz: ensure TSan exits after first reported error
3aed0e9
@kleisauke
fuzz: ensure TSan suppressions are applied
15f3224
@kleisauke
fuzz: disable TSan errors from non-instrumented code
8ed96ff
@kleisauke
Prefer use of g_once_init*
d59908d
@kleisauke
threadpool: make pool->stop and pool->error atomic
1e3d57b
@kleisauke
Simplify previous commit
af66c63
@kleisauke
threadpool: avoid double check
5fd1b69 
Instead, exit the loop when `progress()` returns an error.
@kleisauke
image: make ->kill atomic
284d5cd
@kleisauke
image: avoid attaching/updating the time struct to ->progress_signal
bbd9207 
Do this only when building with `-Ddeprecated=true`.
@kleisauke
region: skip FALSE assignment if region is already valid
5e822b4
@kleisauke
region: hoist VIPS_IMAGE_SIZEOF_PEL calculation to avoid race
6a9fdb9
@kleisauke
sink: fix ->processed data race on 64-bit platforms
e13d378
@kleisauke
sinkdisc: skip error check if operation already failed
dac8deb
@kleisauke
sinkdisc: make ->kill atomic
610f507
@kleisauke
cgifsave: avoid triggering eval callbacks
6967b16
@kleisauke
Copy link
Copy Markdown
Member Author

kleisauke commented Mar 31, 2026

The changeset at kleisauke/libvips@8ed96ff...6967b16 (which I'll split out later) fixes all known data races found in this PR. The TSan suppressions now apply only to GLib:

libvips/suppressions/tsan.supp

Lines 3 to 16 in 6967b16

## The suppressions below match only the top frame of report stacks
# GClosure mixes atomic compare and exchange with non atomic reads
# (read of cl->n_guards and cl->derivative_flag is non atomic)
# https://gitlab.gnome.org/GNOME/glib/-/issues/1672
race_top:closure_invoke_notifiers
race_top:g_cclosure_marshal_VOID__POINTER
race_top:vips_INT__VOID
## The suppressions below match all frames of report stacks
# Unsynchronized read of once->status from g_once
# https://gitlab.gnome.org/GNOME/glib/-/issues/1672
race:g_once_impl

Note that accessing a shared variable from multiple threads without synchronization (where at least one access is a write) is always a data race and causes UB.

@dloebl
Copy link
Copy Markdown
Contributor

dloebl commented Mar 31, 2026

That's awesome! Thanks Kleis!
How severe were the TSan findings so far? I'm asking because we still are on libvips v8.16.0 because of #4622

@kleisauke
Copy link
Copy Markdown
Member Author

kleisauke commented Mar 31, 2026

I think(?) the only severe issue was the one fixed in commit 6967b16 (the code was introduced in v8.16.1), where the eval callback could race with the one in vips_sink_base_progress(). However, this would likely only affect cases where vips_image_set_progress() is enabled and the eval signal is connected via g_signal_connect().

Other than that, the remaining data races involved only flags, which are likely not severe.

@jcupitt
Copy link
Copy Markdown
Member

jcupitt commented Mar 31, 2026

Note that accessing a shared variable from multiple threads without synchronization (where at least one access is a write) is always a data race and causes UB.

libvips does that quite often for events which are not time-critical. Do we need to lock all these, or can we just suppress them?

@kleisauke
Copy link
Copy Markdown
Member Author

kleisauke commented Mar 31, 2026

Note that accessing a shared variable from multiple threads without synchronization (where at least one access is a write) is always a data race and causes UB.

libvips does that quite often for events which are not time-critical. Do we need to lock all these, or can we just suppress them?

I think this falls under what are referred to as "Benign" data races. This blog post also discusses why such races can still be problematic:
https://bartoszmilewski.com/2020/08/11/benign-data-races-considered-harmful/

I'm aware that GLib uses __ATOMIC_SEQ_CST semantics for its g_atomic API, so it's not using weak atomics. Let me run benchmarks on the previously mentioned changeset using https://github.com/kleisauke/vips-microbench, to see whether it has a measurable impact on performance.

@jcupitt
Copy link
Copy Markdown
Member

jcupitt commented Mar 31, 2026

https://bartoszmilewski.com/2020/08/11/benign-data-races-considered-harmful/

Ah interesting, I guess that's true. Then I suppose we should use glib atomics for these cross-thread "signal" variables.

It'd be good to avoid mutexes or cond vars if possible, they can limit SMP scaling.

kleisauke added 7 commits April 1, 2026 13:18
@kleisauke
webpsave: trigger eval callbacks on save->ready
6fa9d66 
Ensure it corresponds to the image passed to `vips_sink_disc()`.

This fixes a regression introduced in bbd9207 where eval callbacks
failed to propagate to the image that was originally marked with
`vips_image_set_progress()`.
@kleisauke
Merge branch 'master' into cifuzz-add-tsan
64ff522
@kleisauke
dzsave: check cancellation on save->ready
3a992e7
@kleisauke
threadpool: guard progress reporting with allocate_lock mutex
8154442
@kleisauke
Revert "sink: fix ->processed data race on 64-bit platforms"
14e2839 
This reverts commit e13d378,
no longer needed after 8154442.
@kleisauke
Revert "cgifsave: avoid triggering eval callbacks"
be55e48 
This reverts commit 6967b16,
no longer needed after 8154442.
@kleisauke
Simplify 8154442
44cd859
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kleisauke @dloebl @jcupitt