
Issue 645295

Starred by 3 users

Issue metadata

Status: Fixed
Closed: Sep 2016
OS: Linux
Pri: 2
Type: Bug

Evaluate ThinLTO on Linux

Project Member Reported by krasin@chromium.org, Sep 8 2016

Issue description

There's news that ThinLTO is close to being production-ready:
http://blog.llvm.org/2016/06/thinlto-scalable-and-incremental-lto.html

I've taken the time and compiled Chromium, browser_tests and base_tests with ThinLTO. No particular blockers so far: the link succeeded, it was faster (end-to-end time) and tests passed (all but two; the two failures are not investigated yet).

It seems to be the right time to set up a Clang ToT bot that builds with ThinLTO and see what kind of issues would pop up. If it really works, we might want to implement devirtualization + CFI for ThinLTO, and move the official Chrome Linux x86-64 from FullLTO to ThinLTO.

This issue is to set up the bot, and resolve any issue which would appear in the process of doing so.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Sep 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8e6253caa689d2c20f5173406f1e7cb64d7f9b0f

commit 8e6253caa689d2c20f5173406f1e7cb64d7f9b0f
Author: krasin <krasin@chromium.org>
Date: Mon Sep 12 23:16:47 2016

Add use_thin_lto switch to start evaluating ThinLTO.

Local experiments show that it's possible to compile
Chrome and tests with ThinLTO, and the linking time is 3.5x smaller
compared to the full LTO. With additional profiling it might reach 10x,
as there're hints that Chrome is hitting some corner cases, which can be
optimized.

The plan is to setup ThinLTO / Clang ToT buildbot, then port
whole program devirtualization, then CFI, then get rid of
full LTO completely.

BUG= 645295 

Review-Url: https://codereview.chromium.org/2333843002
Cr-Commit-Position: refs/heads/master@{#418098}

[modify] https://crrev.com/8e6253caa689d2c20f5173406f1e7cb64d7f9b0f/build/config/compiler/BUILD.gn
[modify] https://crrev.com/8e6253caa689d2c20f5173406f1e7cb64d7f9b0f/build/toolchain/toolchain.gni

Project Member

Comment 3 by bugdroid1@chromium.org, Sep 13 2016

Project Member

Comment 4 by bugdroid1@chromium.org, Sep 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/infra/infra.git/+/071e192d31c6f8c6cd64cfe8496d03123b5e333d

commit 071e192d31c6f8c6cd64cfe8496d03123b5e333d
Author: recipe-roller <recipe-roller@chromium.org>
Date: Tue Sep 13 02:15:09 2016

Roll recipe dependencies (trivial).

This is an automated CL created by the recipe roller. This CL rolls recipe
changes from upstream projects (e.g. depot_tools) into downstream projects
(e.g. tools/build).

More info is at https://goo.gl/zkKdpD. Use https://goo.gl/noib3a to file a bug
(or complain)

build:
  https://crrev.com/31bb1c799fdfdfe74baa167ffbdbf354f23ef4fb Add 'ThinLTO Linux ToT' buildbot (recipes part). (krasin@chromium.org)

TBR=martiniss@chromium.org,phajdan.jr@chromium.org
BUG= 645295 

Recipe-Tryjob-Bypass-Reason: Autoroller
Bugdroid-Send-Email: False
Review-Url: https://codereview.chromium.org/2333033003

[modify] https://crrev.com/071e192d31c6f8c6cd64cfe8496d03123b5e333d/infra/config/recipes.cfg

Project Member

Comment 5 by bugdroid1@chromium.org, Sep 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/407c5db55e55f03645207928b6b91fd8951d3acf

commit 407c5db55e55f03645207928b6b91fd8951d3acf
Author: recipe-roller <recipe-roller@chromium.org>
Date: Tue Sep 13 02:13:37 2016

Roll recipe dependencies (trivial).

This is an automated CL created by the recipe roller. This CL rolls recipe
changes from upstream projects (e.g. depot_tools) into downstream projects
(e.g. tools/build).

More info is at https://goo.gl/zkKdpD. Use https://goo.gl/noib3a to file a bug
(or complain)

build:
  https://crrev.com/31bb1c799fdfdfe74baa167ffbdbf354f23ef4fb Add 'ThinLTO Linux ToT' buildbot (recipes part). (krasin@chromium.org)

TBR=martiniss@chromium.org,phajdan.jr@chromium.org
BUG= 645295 

Recipe-Tryjob-Bypass-Reason: Autoroller
Bugdroid-Send-Email: False
Review-Url: https://codereview.chromium.org/2331323004
Cr-Commit-Position: refs/heads/master@{#418143}

[modify] https://crrev.com/407c5db55e55f03645207928b6b91fd8951d3acf/infra/config/recipes.cfg

Project Member

Comment 6 by bugdroid1@chromium.org, Sep 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e0ad700ec399c678e579f4c55a0ef25422589ace

commit e0ad700ec399c678e579f4c55a0ef25422589ace
Author: krasin <krasin@chromium.org>
Date: Tue Sep 13 02:53:08 2016

Add 'ThinLTO Linux ToT' buildbot (src part).

ThinLTO is a promising scalable approach to LinkTimeOptimization,
that is quickly reaching the production quality:
http://blog.llvm.org/2016/06/thinlto-scalable-and-incremental-lto.html

We would like to evaluate its current state and potentially deploy it
on the platforms where we currently use Full LTO, and potentially on
other platforms too (for which Full LTO was impractical)

This bot will give us a target to hit: when it's green, we'll know that
the remaining part is to port features we need from full LTO to ThinLTO,
in particular, whole program devirtualization and CFI.

BUG= 645295 

Review-Url: https://codereview.chromium.org/2331323003
Cr-Commit-Position: refs/heads/master@{#418150}

[modify] https://crrev.com/e0ad700ec399c678e579f4c55a0ef25422589ace/testing/buildbot/chromium.fyi.json
[modify] https://crrev.com/e0ad700ec399c678e579f4c55a0ef25422589ace/tools/mb/mb_config.pyl

Comment 7 by krasin@chromium.org, Sep 14 2016

The bot is online, but currently fails, because it (for some reason) thinks it's okay to use goma (and with Clang ToT, it's not, because goma does not have the packages):

https://build.chromium.org/p/chromium.fyi/builders/ThinLTO%20Linux%20ToT/builds/0

I will investigate tomorrow.

Comment 8 by thakis@chromium.org, Sep 14 2016

It's because of this snippet in tools/mb/mb_config.pyl:

    'gn_thin_lto_clang_tot_release_bot': [
      'gn', 'thin_lto', 'clang_tot', 'release_bot',
    ],

release_bot includes goma (also in that file):

    'release_bot': {
      'mixins': ['release', 'static', 'goma'],
    },

So replace 'release_bot' with 'release', 'static' and the bot should stop using goma.

Comment 9 by krasin@chromium.org, Sep 14 2016

Thanks for looking into this, but I think the fix will have to be on the recipes side, because recipes don't directly know about mb_config.pyl and ensure_goma step got into .json expectations for the bot.

My current best guess on how to fix that is https://codereview.chromium.org/2341633002/ -- it removes ensure_goma step from .json, and while the bot will be goma-ready, it won't actually use it.

Actually, I think you need both :-(

The mb_config.pyl change ensures that is_goma isn't passed as a gn arg. If that's passed, then compiles go through gomacc and end up remotely.

The recipe change controls if goma is provisioned on the bot, and if -j200 is passed to compile.py.

It's a bit of a mess (caused by the gn transition; previously it was all recipe-side).

Thanks for the explanation. https://codereview.chromium.org/2338013006/

Project Member

Comment 13 by bugdroid1@chromium.org, Sep 14 2016

Project Member

Comment 14 by bugdroid1@chromium.org, Sep 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/11eae7734e367a07c3841200b00bebd434629594

commit 11eae7734e367a07c3841200b00bebd434629594
Author: krasin <krasin@chromium.org>
Date: Wed Sep 14 18:20:51 2016

Don't use goma on 'ThinLTO Linux ToT' bot.

BUG= 645295 

Review-Url: https://codereview.chromium.org/2338013006
Cr-Commit-Position: refs/heads/master@{#418615}

[modify] https://crrev.com/11eae7734e367a07c3841200b00bebd434629594/tools/mb/mb_config.pyl

Documenting issues I have encountered so far, while playing with ThinLTO + Chrome locally:

1. I could not link the official Chrome, because 14 GB on /tmp is not enough. Chromium needs are smaller, and it works for me.

2. ThinLTO would occasionally fail with errors like:

../../third_party/binutils/Linux_x64/Release/bin/ld.gold: error: /tmp/lto-llvm-b7b5f5.o: multiple definition of 'net::ProxyService::CreateDirect()'
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: /tmp/lto-llvm-b7b5f5.o: previous definition here
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: error: /tmp/lto-llvm-b7b5f5.o: multiple definition of 'net::ProxyService::ResolveProxy(GURL const&, std::string const&, net::ProxyInfo*, base::Callback<void (int), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, net::ProxyService::PacRequest**, net::ProxyDelegate*, net::BoundNetLog const&)'
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: /tmp/lto-llvm-b7b5f5.o: previous definition here
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: error: /tmp/lto-llvm-b7b5f5.o: multiple definition of 'net::ProxyService::ReportSuccess(net::ProxyInfo const&, net::ProxyDelegate*)'
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: /tmp/lto-llvm-b7b5f5.o: previous definition here
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: error: /tmp/lto-llvm-b7b5f5.o: multiple definition of 'net::ProxyService::CancelPacRequest(net::ProxyService::PacRequest*)'
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: /tmp/lto-llvm-b7b5f5.o: previous definition here
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: error: /tmp/lto-llvm-b7b5f5.o: multiple definition of 'net::ProxyService::ResetProxyConfig(bool)'
../../third_party/binutils/Linux_x64/Release/bin/ld.gold: /tmp/lto-llvm-b7b5f5.o: previous definition here

3. I have to manually clean tons of .o files left by ThinLTO (possibly, from failed runs). Otherwise, I run out of space there.

4. By default, ThinLTO has Parallelism=0, which effectively means thread::hardware_concurrency (48 in case of my desktop). That's a very poor choice. In fact, my measurements show that ThinLTO scales well for up to 8 cores, acceptable at 16 cores, and wastes tons of cycles beyond that, see
https://docs.google.com/spreadsheets/d/18vi9p8ffIYNVPTyxtJwr-YrP4WJRbaQr_2nZ1AKKBs4/edit?usp=sharing

I am looking at the CPU profiles, but I'm currently too far from any conclusions to share.

Does Chrome with full LTO link ok with your /tmp? The sum of the .o files
from ThinLTO can be higher though, with some duplication due to
importing+inlining.

I haven't seen an error like that, can you send me a reproducer?

Yeah, I've seen that happen when it fails. Let me see if there is any
obvious way we can get the plugin to cleanup even on link failures, it
seems like that should happen, I will look again.

Yep, I realized recently that we shouldn't go beyond the number of physical
cpus. I started looking into how to get that programmatically on Linux, but
have been distracted by other things for past few weeks - I should have the
bandwidth to get back to that tomorrow and will prioritize it. In the
meantime I have been using -Wl,-plugin-opt,jobs=N.

Thanks for the feedback!
Teresa

>Does Chrome with full LTO link ok with your /tmp? The sum of the .o files
>from ThinLTO can be higher though, with some duplication due to
>importing+inlining.
Yes, always. I expect that ThinLTO uses 2x-3x more space, and it does not seem critical, at least, now.

>I haven't seen an error like that, can you send me a reproducer?
I plan to file an LLVM bug soon. Most likely, the reproducer would be to build a TSAN-enabled Gold plugin, and see what happens.

>Yeah, I've seen that happen when it fails. Let me see if there is any
>obvious way we can get the plugin to cleanup even on link failures, it
>seems like that should happen, I will look again.
At this time, I am not super worried. Right now, I only look for the most critical issues. This one is not.

>Yep, I realized recently that we shouldn't go beyond the number of physical
>cpus. I started looking into how to get that programmatically on Linux, but
>have been distracted by other things for past few weeks - I should have the
>bandwidth to get back to that tomorrow and will prioritize it. In the
>meantime I have been using -Wl,-plugin-opt,jobs=N.

Yes, -Wl,-plugin-opt,jobs=N is exactly what I used to collect the data, and it's trivial to add to the build config for Chrome. I feel that we'll settle on -jobs=16.

>Thanks for the feedback!
No, thank *you* for developing such a promising technology. :)

As another non-critical issue: PMTopLevelManager::findAnalysisPass / PMDataManager::findAnalysisPass take up to 2.5% of the time. It has a linear cost, and with ThinLTO it starts to show up.

The bot now fails on a later stage:

[639/40434] LINK ./libc_free_x86_64.nexe
FAILED: libc_free_x86_64.nexe 
../../third_party/llvm-build/Release+Asserts/bin/clang++ -nostdlib -shared -Wl,--no-undefined -Qunused-arguments -Wl,--fatal-warnings -fPIC -Wl,-z,noexecstack -Wl,-z,now -Wl,-z,relro -Wl,-z,defs -Wl,--no-as-needed -lpthread -Wl,--as-needed -fuse-ld=gold -B../../third_party/binutils/Linux_x64/Release/bin -Wl,--threads -Wl,--thread-count=4 -Wl,--icf=all -flto=thin -Wl,-plugin-opt,-function-sections -pthread -m64 -Wl,-O1 -Wl,--gc-sections --sysroot=../../build/linux/debian_wheezy_amd64-sysroot -L/b/c/b/ThinLTO_Linux_ToT/src/build/linux/debian_wheezy_amd64-sysroot/lib/x86_64-linux-gnu -Wl,-rpath-link=/b/c/b/ThinLTO_Linux_ToT/src/build/linux/debian_wheezy_amd64-sysroot/lib/x86_64-linux-gnu -L/b/c/b/ThinLTO_Linux_ToT/src/build/linux/debian_wheezy_amd64-sysroot/usr/lib/x86_64-linux-gnu -Wl,-rpath-link=/b/c/b/ThinLTO_Linux_ToT/src/build/linux/debian_wheezy_amd64-sysroot/usr/lib/x86_64-linux-gnu -L/b/c/b/ThinLTO_Linux_ToT/src/build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6 -Wl,-rpath-link=/b/c/b/ThinLTO_Linux_ToT/src/build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6 -L/b/c/b/ThinLTO_Linux_ToT/src/build/linux/debian_wheezy_amd64-sysroot/usr/lib -Wl,-rpath-link=/b/c/b/ThinLTO_Linux_ToT/src/build/linux/debian_wheezy_amd64-sysroot/usr/lib -Wl,-rpath-link=../Release -Wl,--disable-new-dtags -o "./libc_free_x86_64.nexe" -Wl,--start-group @"./libc_free_x86_64.nexe.rsp"  -Wl,--end-group  -ldl -lrt 
Warning: request a ThreadPool with 1 threads, but LLVM_ENABLE_THREADS has been turned off
/tmp/lto-llvm-b707e9.o:obj/chrome/test/data/nacl/nonsfi_libc_free_nexe/libc_free.o:function HandleMessage.llvm.24CB650A: error: undefined reference to 'memset'
clang-4.0: error: linker command failed with exit code 1 (use -v to see invocation)

There are two issues here, actually:

1) The ToT toolchain (just like the stable one) was built with LLVM_ENABLE_THREADS turned off -- that will need to be fixed, but it's not the immediate reason for the bot to fail
2) Some strange error with nacl + memset. I am not sure why I don't see it locally anymore. Will take a closer look tomorrow.


Project Member

Comment 20 by bugdroid1@chromium.org, Sep 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a769e96dbeb3c566fb34f91185095cbfb0de36b4

commit a769e96dbeb3c566fb34f91185095cbfb0de36b4
Author: krasin <krasin@chromium.org>
Date: Thu Sep 15 05:20:50 2016

ThinLTO: limit link / codegen parallelism to 16.

Based on the experiments, ThinLTO does not scale beyond that,
and the default setting is the number of cores on a machine, which
is often 32 or more for Chrome devs, where ThinLTO is slower than at 16:
https://docs.google.com/spreadsheets/d/18vi9p8ffIYNVPTyxtJwr-YrP4WJRbaQr_2nZ1AKKBs4/edit?usp=sharing

BUG= 645295 

Review-Url: https://codereview.chromium.org/2341983002
Cr-Commit-Position: refs/heads/master@{#418789}

[modify] https://crrev.com/a769e96dbeb3c566fb34f91185095cbfb0de36b4/build/config/compiler/BUILD.gn
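
Added example (not code from this thread or from the Chromium/LLVM trees): one way to derive the `-Wl,-plugin-opt,jobs=N` value discussed above from the number of physical cores on Linux, capped at the 16 chosen in this commit. The function names and the `/proc/cpuinfo`-style sample text are constructed for illustration.

```python
"""Derive a ThinLTO jobs value from /proc/cpuinfo-style text (added example)."""


def make_cpuinfo(sockets, cores_per_socket, threads_per_core):
    """Build constructed /proc/cpuinfo-style text for a given topology."""
    blocks = []
    cpu = 0
    for _thread in range(threads_per_core):
        for socket in range(sockets):
            for core in range(cores_per_socket):
                blocks.append(
                    f"processor\t: {cpu}\n"
                    f"physical id\t: {socket}\n"
                    f"core id\t\t: {core}\n"
                    f"cpu cores\t: {cores_per_socket}\n"
                )
                cpu += 1
    # Each block ends with a newline, so joining with "\n" leaves one
    # blank line between processors, as the kernel's output does.
    return "\n".join(blocks)


def count_cpus(cpuinfo_text):
    """Return (logical, physical) CPU counts.

    Hyperthreads of one core share the same (physical id, core id) pair,
    so the number of distinct pairs is the number of physical cores.
    If the topology fields are missing (some VMs and non-x86 kernels omit
    them), fall back to the logical count.
    """
    logical = 0
    cores = set()
    for block in cpuinfo_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "processor" not in fields:
            continue
        logical += 1
        if "physical id" in fields and "core id" in fields:
            cores.add((fields["physical id"], fields["core id"]))
    physical = len(cores) if cores else logical
    return logical, physical


def thinlto_jobs_flag(cpuinfo_text, cap=16):
    """Return the linker flag with jobs = min(physical cores, cap)."""
    _logical, physical = count_cpus(cpuinfo_text)
    jobs = max(1, min(physical, cap))
    return f"-Wl,-plugin-opt,jobs={jobs}"


if __name__ == "__main__":
    # Constructed topologies: a 48-thread workstation and a small desktop.
    for topology in [(2, 12, 2), (1, 4, 2)]:
        text = make_cpuinfo(*topology)
        print(topology, count_cpus(text), thinlto_jobs_flag(text))
```

On a real machine, pass the contents of `/proc/cpuinfo` to `thinlto_jobs_flag` instead of the constructed text.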

Project Member

Comment 21 by bugdroid1@chromium.org, Sep 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c7eb1656441770284f79b296b4623a5152db18cf

commit c7eb1656441770284f79b296b4623a5152db18cf
Author: krasin <krasin@chromium.org>
Date: Thu Sep 15 08:18:53 2016

ThinLTO Linux ToT bot: fix a typo, cfi -> lto.

I have mistyped the mixin name. Sorry.

BUG= 645295 
TBR=dpranke@chromium.org

Review-Url: https://codereview.chromium.org/2331423007
Cr-Commit-Position: refs/heads/master@{#418806}

[modify] https://crrev.com/c7eb1656441770284f79b296b4623a5152db18cf/tools/mb/mb_config.pyl

Reproduced the "error: undefined reference to 'memset'" locally. Looking...

Minimal reproducer for memset issue:

libc_free.c:

__attribute__((noinline))
void touch(char *random_buffer) {
  random_buffer[0] = 17;
}

void _start(void* info) {
  char buf[512];
  int i;
  for (i = 0; i < 512; ++i) {
    buf[i] = 0;
  }
  touch(buf);
}

$ clang -flto=thin -fno-builtin -c libc_free.c -o libc_free.o
$ clang -nostdlib -Wl,--no-undefined -fuse-ld=gold -flto=thin -o libc_free libc_free.o
/tmp/lto-llvm-e32074.o:libc_free.o:function _start: error: undefined reference to 'memset'
clang-3.9: error: linker command failed with exit code 1 (use -v to see invocation)

What happens here is the optimizer converts the loop into memset and then could not find the symbol, because we're linking w/o libc. Originally, the first command line didn't have -fno-builtin, and libc_free.o contained a reference to memset. After adding -fno-builtin, the issue migrated into the linker invocation.

I am currently confused and can't find a way to pass -fno-builtin into Gold plugin.

Okay, I now see that the first command line ought to insert 'nobuiltin' attributes, which will then be respected by the Gold plugin.

To be more specific, it does insert nobuiltin in one case (for touch function), but drops it for _start:

; ModuleID = '<stdin>'
source_filename = "libc_free.c"
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"

; Function Attrs: noinline nounwind uwtable
define void @touch(i8* %random_buffer) #0 {
entry:
  %random_buffer.addr = alloca i8*, align 8
  store i8* %random_buffer, i8** %random_buffer.addr, align 8
  %0 = load i8*, i8** %random_buffer.addr, align 8
  %arrayidx = getelementptr inbounds i8, i8* %0, i64 0
  store i8 17, i8* %arrayidx, align 1
  ret void
}

; Function Attrs: nounwind uwtable
define void @_start(i8* %info) #1 {
entry:
  %info.addr = alloca i8*, align 8
  %buf = alloca [512 x i8], align 16
  %i = alloca i32, align 4
  store i8* %info, i8** %info.addr, align 8
  store i32 0, i32* %i, align 4
  br label %for.cond

for.cond:                                         ; preds = %for.inc, %entry
  %0 = load i32, i32* %i, align 4
  %cmp = icmp slt i32 %0, 512
  br i1 %cmp, label %for.body, label %for.end

for.body:                                         ; preds = %for.cond
  %1 = load i32, i32* %i, align 4
  %idxprom = sext i32 %1 to i64
  %arrayidx = getelementptr inbounds [512 x i8], [512 x i8]* %buf, i64 0, i64 %idxprom
  store i8 0, i8* %arrayidx, align 1
  br label %for.inc

for.inc:                                          ; preds = %for.body
  %2 = load i32, i32* %i, align 4
  %inc = add nsw i32 %2, 1
  store i32 %inc, i32* %i, align 4
  br label %for.cond

for.end:                                          ; preds = %for.cond
  %arraydecay = getelementptr inbounds [512 x i8], [512 x i8]* %buf, i32 0, i32 0
  call void @touch(i8* %arraydecay) #2
  ret void
}

attributes #0 = { noinline nounwind uwtable "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "less-precise-fpmad"="false" "no-frame-pointer-elim"="true" "no-frame-pointer-elim-non-leaf" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+fxsr,+mmx,+sse,+sse2,+x87" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #1 = { nounwind uwtable "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "less-precise-fpmad"="false" "no-frame-pointer-elim"="true" "no-frame-pointer-elim-non-leaf" "no-infs-fp-math"="false" "no-jump-tables"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+fxsr,+mmx,+sse,+sse2,+x87" "unsafe-fp-math"="false" "use-soft-float"="false" }
attributes #2 = { nobuiltin }

!llvm.ident = !{!0}

!0 = !{!"clang version 4.0.0 (trunk 281246)"}

I guess it's time to file an LLVM bug.
https://llvm.org/bugs/show_bug.cgi?id=30403

Teresa, this issue is a blocker.

I will now also try to find and file a reproducer for the crashes reported in #15.

A workaround for the builtin issue: https://codereview.chromium.org/2343063002/

I have failed to make a reproducer for the crashes. Mostly because the gold plugin is a shared object, so I realized (too late) that I will also need to build Gold with TSan to profile that. And because lld does not currently support ThinLTO, it just goes the Full LTO route.

I guess I will build gold with TSan tomorrow...

Project Member

Comment 29 by bugdroid1@chromium.org, Sep 16 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/538cb2b112587d65560fa818d6e707ac54bf553c

commit 538cb2b112587d65560fa818d6e707ac54bf553c
Author: krasin <krasin@chromium.org>
Date: Fri Sep 16 18:47:08 2016

ThinLTO: workaround an LLVM bug related to -nostdlib.

In short, an LTO optimization pass might recognize
naive implementations of builtins (such as memset)
and replace them with references to the real builtins,
which, in the case of -nostdlib, might cause the binary
to get undefined references to those symbols.

See more details:
https://llvm.org/bugs/show_bug.cgi?id=30403

BUG= 645295 

Review-Url: https://codereview.chromium.org/2343063002
Cr-Commit-Position: refs/heads/master@{#419233}

[modify] https://crrev.com/538cb2b112587d65560fa818d6e707ac54bf553c/chrome/test/data/nacl/BUILD.gn
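
Added example (not code from this thread or from LLVM): a small checker for textual LLVM IR, such as the dump quoted earlier in this issue, that reports for each function whether a given attribute is present at function level or only on individual call sites. The function name `audit_attribute` is hypothetical, and the sample IR is a constructed reduction of the dump above.

```python
"""Report where an attribute appears in textual LLVM IR (added example)."""
import re

# Constructed sample, reduced from the IR dump quoted in this issue.
SAMPLE_IR = '''
; Function Attrs: noinline nounwind uwtable
define void @touch(i8* %random_buffer) #0 {
entry:
  %arrayidx = getelementptr inbounds i8, i8* %random_buffer, i64 0
  store i8 17, i8* %arrayidx, align 1
  ret void
}

; Function Attrs: nounwind uwtable
define void @_start(i8* %info) #1 {
entry:
  %buf = alloca [512 x i8], align 16
  %arraydecay = getelementptr inbounds [512 x i8], [512 x i8]* %buf, i32 0, i32 0
  call void @touch(i8* %arraydecay) #2
  ret void
}

attributes #0 = { noinline nounwind uwtable "target-cpu"="x86-64" }
attributes #1 = { nounwind uwtable "target-cpu"="x86-64" }
attributes #2 = { nobuiltin }
'''

ATTR_GROUP = re.compile(r'^attributes #(\d+) = \{(.*)\}\s*$')
DEFINE = re.compile(r'^define\b.*?@([\w.$-]+)\s*\(')
CALL = re.compile(r'\b(?:call|invoke)\b.*?@([\w.$-]+)\s*\(')
GROUP_REF = re.compile(r'#(\d+)')
# A token is either "key" / "key"="value" or a bare word.
TOKEN = re.compile(r'"[^"]*"(?:="[^"]*")?|[^\s"]+')


def audit_attribute(ir_text, marker="nobuiltin"):
    """Map each defined function to where `marker` was found.

    Returns {name: {"function_level": bool, "marked_calls": [callee, ...]}}.
    """
    # Pass 1: attribute groups are emitted after the functions using them.
    groups = {}
    for raw in ir_text.splitlines():
        m = ATTR_GROUP.match(raw.strip())
        if m:
            groups[m.group(1)] = {
                tok.split("=")[0].strip('"') for tok in TOKEN.findall(m.group(2))
            }

    def has_marker(text):
        # Either spelled inline or reachable through a #N group reference.
        if marker in TOKEN.findall(text):
            return True
        return any(marker in groups.get(ref, ()) for ref in GROUP_REF.findall(text))

    # Pass 2: walk the function bodies.
    report = {}
    current = None
    for raw in ir_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = DEFINE.match(line)
        if m:
            current = m.group(1)
            report[current] = {
                "function_level": has_marker(line[m.end():]),
                "marked_calls": [],
            }
        elif line == "}":
            current = None
        elif current:
            c = CALL.search(line)
            if c and has_marker(line[c.end():]):
                report[current]["marked_calls"].append(c.group(1))
    return report


if __name__ == "__main__":
    for name, info in audit_attribute(SAMPLE_IR).items():
        print(name, info)
```

For the reduced sample, neither `touch` nor `_start` carries `nobuiltin` in its own attribute group; the only occurrence is group `#2`, attached to the call to `@touch` inside `_start`.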

I was able to build Gold and LLVM Gold plugin with TSAN. Linking base_unittests with ThinLTO gathered this data race report. Note: it seems that it's a data race inside Gold itself, and it's possibly not the reason for the crash I described in #15.

The report:

==================
WARNING: ThreadSanitizer: data race (pid=45169)
  Read of size 1 at 0x0000021bad10 by thread T2:
    #0 gold::Once::run_once(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:379:24 (ld.gold+0x000000a2d908)
    #1 gold::Initialize_lock::initialize() /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:437:13 (ld.gold+0x000000a2dc37)
    #2 gold::Descriptors::open(int, char const*, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/descriptors.cc:81:50 (ld.gold+0x000000d5c544)
    #3 gold::open_descriptor(int, char const*, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/descriptors.h:105:22 (ld.gold+0x000000a05ca9)
    #4 gold::File_read::open(gold::Task const*, std::string const&) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/fileread.cc:200:23 (ld.gold+0x000000a01076)
    #5 gold::Input_file::open(gold::Dirsearch const&, gold::Task const*, int*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/fileread.cc:1099:24 (ld.gold+0x000000a0567f)
    #6 gold::Read_symbols::do_read_symbols(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:276:20 (ld.gold+0x000000c3727e)
    #7 gold::Read_symbols::run(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:167:14 (ld.gold+0x000000c36fdc)
    #8 gold::Workqueue::find_and_run_task(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:319:10 (ld.gold+0x000000d3e77e)
    #9 gold::Workqueue::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:495:16 (ld.gold+0x000000d3f07c)
    #10 gold::Workqueue_threader_threadpool::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-internal.h:92:28 (ld.gold+0x000000d40a1c)
    #11 gold::Workqueue_thread::thread_body(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:117:21 (ld.gold+0x000000d403ec)

  Previous write of size 1 at 0x0000021bad10 by thread T3 (mutexes: write M1043):
    #0 gold::Once::internal_run(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:422:18 (ld.gold+0x000000a2db52)
    #1 gold::c_run_once() /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:328:17 (ld.gold+0x000000a2dbbb)
    #2 pthread_once /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:1332 (ld.gold+0x00000047049a)
    #3 gold::Once::run_once(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:401:9 (ld.gold+0x000000a2da27)
    #4 gold::Initialize_lock::initialize() /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:437:13 (ld.gold+0x000000a2dc37)
    #5 gold::Descriptors::open(int, char const*, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/descriptors.cc:81:50 (ld.gold+0x000000d5c544)
    #6 gold::open_descriptor(int, char const*, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/descriptors.h:105:22 (ld.gold+0x000000a05ca9)
    #7 gold::File_read::open(gold::Task const*, std::string const&) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/fileread.cc:200:23 (ld.gold+0x000000a01076)
    #8 gold::Input_file::open(gold::Dirsearch const&, gold::Task const*, int*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/fileread.cc:1099:24 (ld.gold+0x000000a0567f)
    #9 gold::Read_symbols::do_read_symbols(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:276:20 (ld.gold+0x000000c3727e)
    #10 gold::Read_symbols::run(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:167:14 (ld.gold+0x000000c36fdc)
    #11 gold::Workqueue::find_and_run_task(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:319:10 (ld.gold+0x000000d3e77e)
    #12 gold::Workqueue::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:495:16 (ld.gold+0x000000d3f07c)
    #13 gold::Workqueue_threader_threadpool::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-internal.h:92:28 (ld.gold+0x000000d40a1c)
    #14 gold::Workqueue_thread::thread_body(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:117:21 (ld.gold+0x000000d403ec)

  Location is global 'gold::descriptors' of size 80 at 0x0000021bad00 (ld.gold+0x0000021bad10)

  Mutex M1043 (0x0000021b4820) created at:
    #0 pthread_mutex_lock /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/../sanitizer_common/sanitizer_common_interceptors.inc:3609 (ld.gold+0x00000045be40)
    #1 gold::Once::run_once(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:394:13 (ld.gold+0x000000a2d97e)
    #2 gold::Initialize_lock::initialize() /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:437:13 (ld.gold+0x000000a2dc37)
    #3 gold::Descriptors::open(int, char const*, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/descriptors.cc:81:50 (ld.gold+0x000000d5c544)
    #4 gold::open_descriptor(int, char const*, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/descriptors.h:105:22 (ld.gold+0x000000a05ca9)
    #5 gold::File_read::open(gold::Task const*, std::string const&) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/fileread.cc:200:23 (ld.gold+0x000000a01076)
    #6 gold::Input_file::open(gold::Dirsearch const&, gold::Task const*, int*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/fileread.cc:1099:24 (ld.gold+0x000000a0567f)
    #7 gold::Read_symbols::do_read_symbols(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:276:20 (ld.gold+0x000000c3727e)
    #8 gold::Read_symbols::run(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:167:14 (ld.gold+0x000000c36fdc)
    #9 gold::Workqueue::find_and_run_task(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:319:10 (ld.gold+0x000000d3e77e)
    #10 gold::Workqueue::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:495:16 (ld.gold+0x000000d3f07c)
    #11 gold::Workqueue_threader_threadpool::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-internal.h:92:28 (ld.gold+0x000000d40a1c)
    #12 gold::Workqueue_thread::thread_body(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:117:21 (ld.gold+0x000000d403ec)

  Thread T2 (tid=45172, running) created by main thread at:
    #0 pthread_create /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:902 (ld.gold+0x000000448636)
    #1 gold::Workqueue_thread::Workqueue_thread(gold::Workqueue_threader_threadpool*, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:86:9 (ld.gold+0x000000d402a8)
    #2 gold::Workqueue_threader_threadpool::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:168:8 (ld.gold+0x000000d407f0)
    #3 gold::Workqueue::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:507:20 (ld.gold+0x000000d3f117)
    #4 gold::queue_initial_tasks(gold::General_options const&, gold::Dirsearch&, gold::Command_line const&, gold::Workqueue*, gold::Input_objects*, gold::Symbol_table*, gold::Layout*, gold::Mapfile*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold.cc:196:14 (ld.gold+0x000000a24bec)
    #5 main /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/main.cc:247:3 (ld.gold+0x0000004b1608)

  Thread T3 (tid=45173, running) created by main thread at:
    #0 pthread_create /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:902 (ld.gold+0x000000448636)
    #1 gold::Workqueue_thread::Workqueue_thread(gold::Workqueue_threader_threadpool*, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:86:9 (ld.gold+0x000000d402a8)
    #2 gold::Workqueue_threader_threadpool::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:168:8 (ld.gold+0x000000d407f0)
    #3 gold::Workqueue::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:507:20 (ld.gold+0x000000d3f117)
    #4 gold::queue_initial_tasks(gold::General_options const&, gold::Dirsearch&, gold::Command_line const&, gold::Workqueue*, gold::Input_objects*, gold::Symbol_table*, gold::Layout*, gold::Mapfile*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold.cc:196:14 (ld.gold+0x000000a24bec)
    #5 main /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/main.cc:247:3 (ld.gold+0x0000004b1608)

SUMMARY: ThreadSanitizer: data race /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:379:24 in gold::Once::run_once(void*)
==================
==================
WARNING: ThreadSanitizer: data race (pid=45169)
  Write of size 1 at 0x0000021b37b0 by thread T2:
    #0 gold::Target_selector_nacl<(anonymous namespace)::Target_selector_x86_64<64>, (anonymous namespace)::Target_x86_64_nacl<64> >::do_recognize(gold::Input_file*, long, int, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/nacl.h:116:20 (ld.gold+0x0000005300c0)
    #1 gold::Target_selector::recognize(gold::Input_file*, long, int, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/target-select.h:82:18 (ld.gold+0x000000d3cee2)
    #2 gold::select_target(gold::Input_file*, long, int, int, bool, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/target-select.cc:112:21 (ld.gold+0x000000d3c802)
    #3 gold::Object* (anonymous namespace)::make_elf_sized_object<64, false>(std::string const&, gold::Input_file*, long, elfcpp::Ehdr<64, false> const&, bool*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/object.cc:3158:20 (ld.gold+0x000000af5c9e)
    #4 gold::make_elf_object(std::string const&, gold::Input_file*, long, unsigned char const*, long, bool*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/object.cc:3282:11 (ld.gold+0x000000af539c)
    #5 gold::Read_symbols::do_read_symbols(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:336:17 (ld.gold+0x000000c37820)
    #6 gold::Read_symbols::run(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:167:14 (ld.gold+0x000000c36fdc)
    #7 gold::Workqueue::find_and_run_task(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:319:10 (ld.gold+0x000000d3e77e)
    #8 gold::Workqueue::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:495:16 (ld.gold+0x000000d3f07c)
    #9 gold::Workqueue_threader_threadpool::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-internal.h:92:28 (ld.gold+0x000000d40a1c)
    #10 gold::Workqueue_thread::thread_body(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:117:21 (ld.gold+0x000000d403ec)

  Previous write of size 1 at 0x0000021b37b0 by main thread:
    #0 gold::Target_selector_nacl<(anonymous namespace)::Target_selector_x86_64<64>, (anonymous namespace)::Target_x86_64_nacl<64> >::do_recognize(gold::Input_file*, long, int, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/nacl.h:116:20 (ld.gold+0x0000005300c0)
    #1 gold::Target_selector::recognize(gold::Input_file*, long, int, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/target-select.h:82:18 (ld.gold+0x000000d3cee2)
    #2 gold::select_target(gold::Input_file*, long, int, int, bool, int, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/target-select.cc:112:21 (ld.gold+0x000000d3c802)
    #3 gold::Object* (anonymous namespace)::make_elf_sized_object<64, false>(std::string const&, gold::Input_file*, long, elfcpp::Ehdr<64, false> const&, bool*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/object.cc:3158:20 (ld.gold+0x000000af5c9e)
    #4 gold::make_elf_object(std::string const&, gold::Input_file*, long, unsigned char const*, long, bool*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/object.cc:3282:11 (ld.gold+0x000000af539c)
    #5 gold::Read_symbols::do_read_symbols(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:336:17 (ld.gold+0x000000c37820)
    #6 gold::Read_symbols::run(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:167:14 (ld.gold+0x000000c36fdc)
    #7 gold::Workqueue::find_and_run_task(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:319:10 (ld.gold+0x000000d3e77e)
    #8 gold::Workqueue::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:495:16 (ld.gold+0x000000d3f07c)
    #9 main /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/main.cc:252:13 (ld.gold+0x0000004b161b)

  Location is global '(anonymous namespace)::target_selector_x86_64' of size 136 at 0x0000021b3748 (ld.gold+0x0000021b37b0)

  Thread T2 (tid=45172, running) created by main thread at:
    #0 pthread_create /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:902 (ld.gold+0x000000448636)
    #1 gold::Workqueue_thread::Workqueue_thread(gold::Workqueue_threader_threadpool*, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:86:9 (ld.gold+0x000000d402a8)
    #2 gold::Workqueue_threader_threadpool::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:168:8 (ld.gold+0x000000d407f0)
    #3 gold::Workqueue::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:507:20 (ld.gold+0x000000d3f117)
    #4 gold::queue_initial_tasks(gold::General_options const&, gold::Dirsearch&, gold::Command_line const&, gold::Workqueue*, gold::Input_objects*, gold::Symbol_table*, gold::Layout*, gold::Mapfile*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold.cc:196:14 (ld.gold+0x000000a24bec)
    #5 main /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/main.cc:247:3 (ld.gold+0x0000004b1608)

SUMMARY: ThreadSanitizer: data race /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/nacl.h:116:20 in gold::Target_selector_nacl<(anonymous namespace)::Target_selector_x86_64<64>, (anonymous namespace)::Target_x86_64_nacl<64> >::do_recognize(gold::Input_file*, long, int, int, int)
==================
==================
WARNING: ThreadSanitizer: data race (pid=45169)
  Write of size 1 at 0x7d4400000328 by thread T3 (mutexes: write M1051):
    #0 gold::Plugin_manager::claim_file(gold::Input_file*, long, long, gold::Object*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/plugin.cc:499:23 (ld.gold+0x000000c263cf)
    #1 gold::Read_symbols::do_read_symbols(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:343:57 (ld.gold+0x000000c37897)
    #2 gold::Read_symbols::run(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:167:14 (ld.gold+0x000000c36fdc)
    #3 gold::Workqueue::find_and_run_task(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:319:10 (ld.gold+0x000000d3e77e)
    #4 gold::Workqueue::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:495:16 (ld.gold+0x000000d3f07c)
    #5 gold::Workqueue_threader_threadpool::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-internal.h:92:28 (ld.gold+0x000000d40a1c)
    #6 gold::Workqueue_thread::thread_body(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:117:21 (ld.gold+0x000000d403ec)

  Previous read of size 1 at 0x7d4400000328 by thread T2:
    #0 gold::Plugin_manager::should_defer_layout() const /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/plugin.h:247:18 (ld.gold+0x000000affe09)
    #1 gold::Sized_relobj_file<64, false>::do_layout(gold::Symbol_table*, gold::Layout*, gold::Read_symbols_data*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/object.cc:1437:44 (ld.gold+0x000000b18bad)
    #2 gold::Object::layout(gold::Symbol_table*, gold::Layout*, gold::Read_symbols_data*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/object.h:651:11 (ld.gold+0x00000099e6c6)
    #3 gold::Add_symbols::run(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:634:22 (ld.gold+0x000000c39fba)
    #4 gold::Workqueue::find_and_run_task(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:319:10 (ld.gold+0x000000d3e77e)
    #5 gold::Workqueue::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:495:16 (ld.gold+0x000000d3f07c)
    #6 gold::Workqueue_threader_threadpool::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-internal.h:92:28 (ld.gold+0x000000d40a1c)
    #7 gold::Workqueue_thread::thread_body(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:117:21 (ld.gold+0x000000d403ec)

  Location is heap block of size 296 at 0x7d4400000280 allocated by main thread:
    #0 operator new(unsigned long) /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_new_delete.cc:41 (ld.gold+0x0000004b06f3)
    #1 gold::General_options::add_plugin(char const*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/options.cc:1018:22 (ld.gold+0x000000b52ad3)
    #2 gold::General_options::parse_plugin(char const*, char const*, gold::Command_line*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/options.cc:454:9 (ld.gold+0x000000b52a60)
    #3 gold::options::Struct_special::parse_to_value(char const*, char const*, gold::Command_line*, gold::General_options*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/options.h:243:5 (ld.gold+0x0000004dbfb9)
    #4 gold::Command_line::process_one_option(int, char const**, int, bool*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/options.cc:1458:23 (ld.gold+0x000000b6017e)
    #5 gold::Command_line::process(int, char const**) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/options.cc:1500:6 (ld.gold+0x000000b61411)
    #6 main /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/main.cc:165:16 (ld.gold+0x0000004b0d65)

  Mutex M1051 (0x7d0c0001a3a8) created at:
    #0 pthread_mutex_init /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:1119 (ld.gold+0x00000045a465)
    #1 gold::Lock_impl_threads::Lock_impl_threads() /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:110:9 (ld.gold+0x000000a2ccc5)
    #2 gold::Lock::Lock() /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:153:25 (ld.gold+0x000000a2d08a)
    #3 gold::Initialize_lock::do_run_once(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:447:24 (ld.gold+0x000000a2dcb8)
    #4 gold::Once::internal_run(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:421:9 (ld.gold+0x000000a2db42)
    #5 gold::c_run_once() /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:328:17 (ld.gold+0x000000a2dbbb)
    #6 pthread_once /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:1332 (ld.gold+0x00000047049a)
    #7 gold::Once::run_once(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:401:9 (ld.gold+0x000000a2da27)
    #8 gold::Initialize_lock::initialize() /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold-threads.cc:437:13 (ld.gold+0x000000a2dc37)
    #9 gold::Plugin_manager::claim_file(gold::Input_file*, long, long, gold::Object*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/plugin.cc:475:50 (ld.gold+0x000000c2600d)
    #10 gold::Read_symbols::do_read_symbols(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:343:57 (ld.gold+0x000000c37897)
    #11 gold::Read_symbols::run(gold::Workqueue*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/readsyms.cc:167:14 (ld.gold+0x000000c36fdc)
    #12 gold::Workqueue::find_and_run_task(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:319:10 (ld.gold+0x000000d3e77e)
    #13 gold::Workqueue::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:495:16 (ld.gold+0x000000d3f07c)
    #14 gold::Workqueue_threader_threadpool::process(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-internal.h:92:28 (ld.gold+0x000000d40a1c)
    #15 gold::Workqueue_thread::thread_body(void*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:117:21 (ld.gold+0x000000d403ec)

  Thread T3 (tid=45173, running) created by main thread at:
    #0 pthread_create /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:902 (ld.gold+0x000000448636)
    #1 gold::Workqueue_thread::Workqueue_thread(gold::Workqueue_threader_threadpool*, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:86:9 (ld.gold+0x000000d402a8)
    #2 gold::Workqueue_threader_threadpool::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:168:8 (ld.gold+0x000000d407f0)
    #3 gold::Workqueue::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:507:20 (ld.gold+0x000000d3f117)
    #4 gold::queue_initial_tasks(gold::General_options const&, gold::Dirsearch&, gold::Command_line const&, gold::Workqueue*, gold::Input_objects*, gold::Symbol_table*, gold::Layout*, gold::Mapfile*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold.cc:196:14 (ld.gold+0x000000a24bec)
    #5 main /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/main.cc:247:3 (ld.gold+0x0000004b1608)

  Thread T2 (tid=45172, running) created by main thread at:
    #0 pthread_create /usr/local/google/home/krasin/src/llvm.org/libcxx/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:902 (ld.gold+0x000000448636)
    #1 gold::Workqueue_thread::Workqueue_thread(gold::Workqueue_threader_threadpool*, int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:86:9 (ld.gold+0x000000d402a8)
    #2 gold::Workqueue_threader_threadpool::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue-threads.cc:168:8 (ld.gold+0x000000d407f0)
    #3 gold::Workqueue::set_thread_count(int) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/workqueue.cc:507:20 (ld.gold+0x000000d3f117)
    #4 gold::queue_initial_tasks(gold::General_options const&, gold::Dirsearch&, gold::Command_line const&, gold::Workqueue*, gold::Input_objects*, gold::Symbol_table*, gold::Layout*, gold::Mapfile*) /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/gold.cc:196:14 (ld.gold+0x000000a24bec)
    #5 main /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/main.cc:247:3 (ld.gold+0x0000004b1608)

SUMMARY: ThreadSanitizer: data race /usr/local/google/home/krasin/src/sourceware.org/binutils/build/gold/../../gold/plugin.cc:499:23 in gold::Plugin_manager::claim_file(gold::Input_file*, long, long, gold::Object*)
==================
ThreadSanitizer: reported 3 warnings

This is ToT gold, revision 8193adea2f86e37423a5d0acffb69b80bde05d52.

Project Member

Comment 31 by bugdroid1@chromium.org, Sep 16 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/infra/infra.git/+/2e4f26a02858c01ad39da12ea0a675f4013783d7

commit 2e4f26a02858c01ad39da12ea0a675f4013783d7
Author: recipe-roller <recipe-roller@chromium.org>
Date: Fri Sep 16 21:50:47 2016

Roll recipe dependencies (trivial).

This is an automated CL created by the recipe roller. This CL rolls recipe
changes from upstream projects (e.g. depot_tools) into downstream projects
(e.g. tools/build).

More info is at https://goo.gl/zkKdpD. Use https://goo.gl/noib3a to file a bug
(or complain)

build:
  https://crrev.com/0fc6b2e65ce4651c7b70239c4b7cc36489fa0c97 Use api.chromium.compile() in client.nacl.sdk.recipe_autogen.py (sbc@chromium.org)
  https://crrev.com/f683608de4fe82d85451dff456b9228bab7e4090 Roll recipe dependencies (trivial). (recipe-roller@chromium.org)
  https://crrev.com/6fd7041208f42a8c4592d701d79d11a943327790 chromium.android: Enable swarming on Marshmallow 64 bit Tester (bpastene@chromium.org)
  https://crrev.com/b46e0087c2dbf12ecd9e3a1452e781d6d6153e9c Cleanup NaCl SDK recipes (sbc@chromium.org)
  https://crrev.com/15faceb9c15002050acc274c7773cb8537b91706 Merge recipes in client.nacl.sdk.recipe_autogen (sbc@chromium.org)
  https://crrev.com/c3e75a171aae1f581d8664044aa3e0ded2f40800 LogDog: bump canary BuildBot CIPD pin. (dnj@chromium.org)
  https://crrev.com/50d0e85c51db4fa62b1b5bb4e0b8529027edb620 Enable LogDog on chromium.gatekeeper. (dnj@chromium.org)
  https://crrev.com/5d9a4bb87b9ee698554ac2a76c77eec5ee0ba074 Roll recipe dependencies (trivial). (recipe-roller@chromium.org)
  https://crrev.com/6e947e576ddf9e45034fbc2b2c4275f3bad252d3 Bump LogDog pin for fleet. (dnj@chromium.org)
  https://crrev.com/efcfa093c953d2e690e6c1493def054f8ad00bea When retrying a failing swarming gtest without the patch, don't pass on the original --test-launcher-filter-file argument. (jam@chromium.org)
  https://crrev.com/ac3894c8293b42e21b891722965f982118bf6a5a libyuv: Add Android Testers (kjellander@chromium.org)
  https://crrev.com/741d9d458adf84901bbdfecb492276b98201c29a V8: Fix gn args for non-MB arm builders (machenbach@chromium.org)
  https://crrev.com/9c621ef2f19500a63fd2503eb9f73a71443563a0 adding attributes to builders that build chromium for swarming bots. (eyaich@chromium.org)
  https://crrev.com/6d930dea23eeab6d0d2b30e71e4b4b84ff01c70d Disable goma on 'ThinLTO Linux ToT'. (krasin@chromium.org)
  https://crrev.com/470dc77a00270b6227facfdc781a468efb538769 Enable LogDog for dart. (dnj@chromium.org)
  https://crrev.com/9ef12eb44ae227823398dc0604213fadae4e1655 Enable the ninja up-to-date check for Android builders (agrieve@chromium.org)
  https://crrev.com/a30a2b57591752fd9b05589209a88b20d7114248 Windows 64-bit builder for chromium.perf.fyi. (dtu@chromium.org)
  https://crrev.com/c97a211b5b7815d9d601760f6119a3156c7e458d Revert of Enable the ninja up-to-date check for Android builders (patchset #1 id:1 of https://codereview.chromium.org/2338203004/ ) (agrieve@chromium.org)
depot_tools:
  https://crrev.com/65cc5b1918d61bbb7a26c78364414fdf264198fe Roll recipe dependencies (trivial). (recipe-roller@chromium.org)
  https://crrev.com/33061f78a10a7e44537a4c0384c5dab68d61f1ec Add recipe-roller as an OWNER of recipe modules. (martiniss@chromium.org)
recipe_engine:
  https://crrev.com/ca75ca80dcfcc2a2dc38096ba0522065ebd347ec Revert of Require recipe tryjob for CQ. (patchset #1 id:1 of https://codereview.chromium.org/2153303002/ ) (martiniss@chromium.org)

TBR=martiniss@chromium.org,phajdan.jr@chromium.org
BUG= chromium:474921 ,646165, chromium:646370 , 643144 , 645295 , 628801 , chromium:643226 ,chromium:633253, 646185 , 587527 ,chromium:646343,589180,644212,644609,633253

Recipe-Tryjob-Bypass-Reason: Autoroller
Bugdroid-Send-Email: False
Review-Url: https://codereview.chromium.org/2345303003

[modify] https://crrev.com/2e4f26a02858c01ad39da12ea0a675f4013783d7/infra/config/recipes.cfg

The build succeeded: https://build.chromium.org/p/chromium.fyi/builders/ThinLTO%20Linux%20ToT/builds/15
Some tests failed, but most (all?) of the failures are not related to ThinLTO, but rather to ToT. See https://crbug.com/646539
Many of the failing tests went red after the miscompile was fixed, but a few of them still fail, only on the thinlto bot: https://build.chromium.org/p/chromium.fyi/builders/ThinLTO%20Linux%20ToT
Yep, I am looking into them right now:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffffffd1f0 in ?? ()
(gdb) bt
#0  0x00007fffffffd1f0 in ?? ()
#1  0x00000000038a9bde in collectMatchingRules () at ../../third_party/WebKit/Source/core/css/ElementRuleCollector.cpp:186
#2  0x00000000038ab197 in hasAnyMatchingRules () at ../../third_party/WebKit/Source/core/css/ElementRuleCollector.cpp:333
#3  0x00000000009c861d in matchesRuleSet () at ../../third_party/WebKit/Source/core/css/resolver/SharedStyleFinder.cpp:318
#4  matchesRuleSet () at ../../third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp:77
#5  matchesUncommonAttributeRuleSet () at ../../third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp:46
#6  TestBody () at ../../third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp:108
#7  0x0000000001dd2c17 in HandleExceptionsInMethodIfSupported<testing::Test, void> () at ../../testing/gtest/src/gtest.cc:2458
#8  Run () at ../../testing/gtest/src/gtest.cc:2474
#9  Run () at ../../testing/gtest/src/gtest.cc:2656
#10 Run () at ../../testing/gtest/src/gtest.cc:2774
#11 RunAllTests () at ../../testing/gtest/src/gtest.cc:4647
#12 0x0000000001dd17f6 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> () at ../../testing/gtest/src/gtest.cc:2458
#13 Run () at ../../testing/gtest/src/gtest.cc:4255
#14 0x0000000001d869f4 in RUN_ALL_TESTS () at ../../testing/gtest/include/gtest/gtest.h:2237
#15 Run () at ../../base/test/test_suite.cc:246
#16 0x00000000005e13ac in runHelper () at ../../third_party/WebKit/Source/web/tests/RunAllTests.cpp:50
#17 0x0000000001d883cf in Run () at ../../base/callback.h:64
#18 LaunchUnitTestsInternal () at ../../base/test/launcher/unit_test_launcher.cc:206
#19 0x0000000001d881e6 in LaunchUnitTests () at ../../base/test/launcher/unit_test_launcher.cc:445
#20 0x00000000005e12f4 in main () at ../../third_party/WebKit/Source/web/tests/RunAllTests.cpp:74

Still a mystery.
(meant to say "Many of the failing tests went _green_ ...")
A non update: I am still looking into the bug, and, since it's proved to be harder than anticipated, I am focusing exclusively on it until it's solved.
After all, it's just a miscompilation, which can be suppressed by __attribute__((noinline)) on SharedStyleFinder::matchesRuleSet:

https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/resolver/SharedStyleFinder.cpp?cl=GROK&gsn=AtomicString&q=SharedStyleFinder.cpp:318&sq=package:chromium&rcl=1474629705&l=313

Let's look at the code:

if (!ruleSet)
  return false;

ElementRuleCollector collector(m_context, m_styleResolver->selectorFilter());
return collector.hasAnyMatchingRules(ruleSet);

In the place where it's incorrectly inlined (into SharedStyleFinderTest.cpp:77), the code ends up writing the m_context address into the first 8 bytes of m_context, corrupting m_context.element, which later causes the code to crash on an invalid virtual call.

I am not sure why CFI does not catch this. Most likely the method isn't inlined under CFI (the last claim is not verified).

I am now looking into a standalone reproducer to report the bug, and might also try to bisect LLVM in the hope that it's a recently introduced issue.
So, it's just a use-after-scope in https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp?cl=GROK&gsn=m_context&q=file:Test.cpp+AttributeAffectedByHover&sq=package:chromium&rcl=1474629705&l=71

This should be detectable by ASAN with -fsanitize-address-use-after-scope. I will verify that on Monday, as well as explore the option to deploy this flag in Chrome. 
The fix is sent out for a review: https://codereview.chromium.org/2354333008/
Filed https://crbug.com/649897 to deploy -fsanitize-address-use-after-scope in Chrome.
And this is the report ASAN trybot would have generated before the bug is even introduced to the code base:

[ RUN      ] SharedStyleFinderTest.AttributeAffectedByHover
=================================================================
==109299==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f616e1e6108 at pc 0x00000ee02dbe bp 0x7ffda841b8b0 sp 0x7ffda841b8a8
READ of size 8 at 0x7f616e1e6108 thread T0
    #0 0xee02dbd in operator blink::ContainerNode * third_party/WebKit/Source/platform/heap/Member.h:84:34
    #1 0xee02dbd in parentNode third_party/WebKit/Source/core/css/resolver/ElementResolveContext.h:44
    #2 0xee02dbd in blink::ElementRuleCollector::ElementRuleCollector(blink::ElementResolveContext const&, blink::SelectorFilter const&, blink::ComputedStyle*) third_party/WebKit/Source/core/css/ElementRuleCollector.cpp:56
    #3 0xa1f5eea in blink::SharedStyleFinder::matchesRuleSet(blink::RuleSet*) third_party/WebKit/Source/core/css/resolver/SharedStyleFinder.cpp:317:26
    #4 0x124f726 in matchesRuleSet third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp:77:23
    #5 0x124f726 in matchesUncommonAttributeRuleSet third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp:46
    #6 0x124f726 in blink::SharedStyleFinderTest_AttributeAffectedByHover_Test::TestBody() third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp:108
    #7 0x6daa43b in HandleExceptionsInMethodIfSupported<testing::Test, void> testing/gtest/src/gtest.cc:2458:12
    #8 0x6daa43b in testing::Test::Run() testing/gtest/src/gtest.cc:2474
    #9 0x6dabe00 in testing::TestInfo::Run() testing/gtest/src/gtest.cc:2656:11
    #10 0x6dad0a6 in testing::TestCase::Run() testing/gtest/src/gtest.cc:2774:28
    #11 0x6dc0186 in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/src/gtest.cc:4647:43
    #12 0x6dbf795 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> testing/gtest/src/gtest.cc:2458:12
    #13 0x6dbf795 in testing::UnitTest::Run() testing/gtest/src/gtest.cc:4255
    #14 0x6c9f0a1 in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2237:46
    #15 0x6c9f0a1 in base::TestSuite::Run() base/test/test_suite.cc:246
    #16 0x81f15a in (anonymous namespace)::runHelper(base::TestSuite*) third_party/WebKit/Source/web/tests/RunAllTests.cpp:50:29
    #17 0x6ca220e in Run base/callback.h:64:12
    #18 0x6ca220e in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) base/test/launcher/unit_test_launcher.cc:206
    #19 0x6ca1e2e in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) base/test/launcher/unit_test_launcher.cc:445:10
    #20 0x81ef93 in main third_party/WebKit/Source/web/tests/RunAllTests.cpp:74:12
    #21 0x7f61742bef44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

Address 0x7f616e1e6108 is located in stack of thread T0 at offset 264 in frame
    #0 0x124e69f in blink::SharedStyleFinderTest_AttributeAffectedByHover_Test::TestBody() third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp:93

  This frame has 33 object(s):
    [32, 80) 'finder.i.i279'
    [112, 144) 'ref.tmp.i.i280'
    [176, 224) 'finder.i.i'
    [256, 288) 'ref.tmp.i.i' <== Memory access at offset 264 is inside this variable
    [320, 376) 'temp.lvalue.i'
    [416, 424) 'ref.tmp'
    [448, 456) 'ref.tmp2'
    [480, 488) 'ref.tmp3'
    [512, 520) 'ref.tmp7'
    [544, 560) 'gtest_ar_'
    [576, 584) 'temp.lvalue'
    [608, 632) 'temp.lvalue10'
    [672, 680) 'ref.tmp12'
    [704, 720) 'gtest_ar_14'
    [736, 744) 'temp.lvalue18'
    [768, 792) 'temp.lvalue19'
    [832, 840) 'ref.tmp21'
    [864, 880) 'gtest_ar_27'
    [896, 904) 'temp.lvalue33'
    [928, 952) 'temp.lvalue34'
    [992, 1000) 'ref.tmp36'
    [1024, 1040) 'gtest_ar_38'
    [1056, 1064) 'temp.lvalue46'
    [1088, 1112) 'temp.lvalue47'
    [1152, 1160) 'ref.tmp49'
    [1184, 1200) 'gtest_ar_51'
    [1216, 1224) 'temp.lvalue58'
    [1248, 1272) 'temp.lvalue59'
    [1312, 1320) 'ref.tmp61'
    [1344, 1360) 'gtest_ar_63'
    [1376, 1384) 'temp.lvalue71'
    [1408, 1432) 'temp.lvalue72'
    [1472, 1480) 'ref.tmp74'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope third_party/WebKit/Source/platform/heap/Member.h:84:34 in operator blink::ContainerNode *
Shadow bytes around the buggy address:
  0x0fecadc34bd0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0fecadc34be0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0fecadc34bf0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x0fecadc34c00: f1 f1 f1 f1 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8
  0x0fecadc34c10: f8 f8 f2 f2 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2
=>0x0fecadc34c20: f8[f8]f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f2
  0x0fecadc34c30: f2 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
  0x0fecadc34c40: f8 f2 f2 f2 f8 f8 f2 f2 00 f2 f2 f2 00 00 00 f2
  0x0fecadc34c50: f2 f2 f2 f2 f8 f2 f2 f2 f8 f8 f2 f2 00 f2 f2 f2
  0x0fecadc34c60: 00 00 00 f2 f2 f2 f2 f2 f8 f2 f2 f2 f8 f8 f2 f2
  0x0fecadc34c70: 00 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==109299==ABORTING
[1/1] SharedStyleFinderTest.AttributeAffectedByHover (CRASHED)
1 test crashed:
    SharedStyleFinderTest.AttributeAffectedByHover (../../third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp:92)


Unfortunately, three other failures reported by 'ThinLTO Linux ToT' are not use-after-scope:

WebFrameSwapTest.RemoteWindowNamedAccess
All/ParameterizedWebFrameTest.CrossDomainAccessErrorsUseCallingWindow/0
All/ParameterizedWebFrameTest.CrossDomainAccessErrorsUseCallingWindow/1

I will continue to look into them on Monday.
Valgrind would've caught this, right?

Comment 44 by kcc@chromium.org, Sep 24 2016

>> Valgrind would've caught this, right?
I don't think so. 
Project Member

Comment 45 by bugdroid1@chromium.org, Sep 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/25782de6522c605860d6e0fc265b164f3d567442

commit 25782de6522c605860d6e0fc265b164f3d567442
Author: krasin <krasin@chromium.org>
Date: Mon Sep 26 10:39:55 2016

Fix use-after-scope in SharedStyleFinderTest.

SharedStyleFinderTest::matchesRuleSet created an
ElementResolveContext instance and passed a reference
to SharedStyleFinder. Then the scope of the context
is ended, and finder retains a reference to an address
on stack that ends up being reused.

It was detected by 'ThinLTO Linux ToT' bot, but it
seems to be just a coincidence.

BUG= 645295 

Review-Url: https://codereview.chromium.org/2354333008
Cr-Commit-Position: refs/heads/master@{#420879}

[modify] https://crrev.com/25782de6522c605860d6e0fc265b164f3d567442/third_party/WebKit/Source/core/css/resolver/SharedStyleFinderTest.cpp
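
A simplified model of the bug class described in the commit message above, added here as an illustration; it is not the Blink code or the actual fix. `ResolveContext`, `StyleFinder` and `FinderFixture` are hypothetical stand-ins, and the fixed form shows one way to tie the two lifetimes together.

```cpp
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-ins for ElementResolveContext and SharedStyleFinder.
struct ResolveContext {
  std::string elementId;
};

class StyleFinder {
 public:
  // Stores a reference, not a copy: the caller must keep ctx alive.
  explicit StyleFinder(const ResolveContext& ctx) : ctx_(ctx) {}
  bool matches(const std::string& id) const { return ctx_.elementId == id; }

 private:
  const ResolveContext& ctx_;
};

// Buggy shape: the context dies at the inner brace, the finder outlives it.
// Calling this is undefined behaviour. ASan poisons the slot with f8 when the
// scope ends and reports stack-use-after-scope on the read.
bool matchesBuggy(const std::string& id) {
  std::unique_ptr<StyleFinder> finder;
  {
    ResolveContext ctx{id};
    finder = std::make_unique<StyleFinder>(ctx);
  }  // ctx's lifetime ends here
  return finder->matches(id);  // dangling read through ctx_
}

// Fixed shape: one owner holds both objects. Members are destroyed in reverse
// declaration order, so ctx_ outlives finder_.
class FinderFixture {
 public:
  explicit FinderFixture(std::string id) : ctx_{std::move(id)}, finder_(ctx_) {}
  FinderFixture(const FinderFixture&) = delete;  // a copy would alias ctx_
  FinderFixture& operator=(const FinderFixture&) = delete;
  bool matches(const std::string& id) const { return finder_.matches(id); }

 private:
  ResolveContext ctx_;  // declared first: constructed first, destroyed last
  StyleFinder finder_;
};

int main() {
  FinderFixture fixture("target");
  return fixture.matches("target") ? 0 : 1;
}
```

Without a sanitizer `matchesBuggy` can appear to work until the compiler reuses the stack slot, which matches the commit's remark that a different build configuration exposed it. Building with `-fsanitize=address -fsanitize-address-use-after-scope` makes the read fail deterministically.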

I am now looking into All/ParameterizedWebFrameTest.CrossDomainAccessErrorsUseCallingWindow/0 failure.

It fails with the error:
../../third_party/WebKit/Source/web/tests/WebFrameTest.cpp:7953: Failure
Value of: std::string::npos != popupWebFrameClient.messages[1].text.utf8().find("Blocked a frame")
  Actual: false
Expected: true

I have printed the text of these messages for asan and for thinlto cases.

asan (test passes):
Uncaught SecurityError: Blocked a frame with origin "chrome://" from accessing a frame with origin "http://internal.test".  The frame requesting access has a protocol of "chrome", the frame being accessed has a protocol of "http". Protocols must match.

thinlto (test fails):
Uncaught TypeError: Cannot read property 'querySelectorAll' of undefined

This error comes from the following JavaScript submitted by the test:
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/web/tests/WebFrameTest.cpp?q=popupWebFrameClient&sq=package:chromium&ssfr=1&l=7949

popupView->mainFrame()->executeScript(WebScriptSource("opener.document.querySelectorAll('iframe')[1].src='javascript:alert()'"));

So, opener.document === undefined in ThinLTO case. Looking deeper...
I have filed a separate bug for these three failures: https://crbug.com/650718.

While I was unable to fix or isolate the bug (likely the same in both cases), it feels like a bug in the test code, not a ThinLTO bug. I will remove webkit_unit_tests from ThinLTO Linux ToT bot for now.
Status: Fixed (was: Assigned)
Evaluation is complete.

1. We have a green bot:
https://build.chromium.org/p/chromium.fyi/builders/ThinLTO%20Linux%20ToT

2. It has webkit_unit_tests disabled, bug filed: https://crbug.com/650718
The issue seems to be test-specific rather than ThinLTO-specific.

3. While linking with multiple threads (up to 16) works and makes it faster, it's not currently enabled due to race conditions in Gold reported by TSAN which cause the build to fail non-deterministically sometimes.

This might be resolved by either moving to lld, or fixing the issue in Gold. At this point, I would rather hope for lld, as dealing with fixes to Gold is expected to be painful.

No further work in this direction is planned until whole-program devirtualization and CFI are implemented in LLVM (Peter is working on this).

Closing this issue. Once LLVM side is ready, we'll likely file a "deploy ThinLTO" issue.

Comment 49 by p...@google.com, Sep 29 2016

> This might be resolved by either moving to lld, or fixing the issue in Gold. At this point, I would rather hope for lld, as dealing with fixes to Gold is expected to be painful.

ThinLTO support just landed in lld (https://reviews.llvm.org/D24492), so this should now be more feasible after that gets rolled in.
For that we'll also need to package lld + llvm-ar with the Clang toolchain.
Project Member

Comment 51 by bugdroid1@chromium.org, Sep 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5bbd5649b5e027d4f61e2166c83a656bcb003c71

commit 5bbd5649b5e027d4f61e2166c83a656bcb003c71
Author: krasin <krasin@chromium.org>
Date: Fri Sep 30 02:18:48 2016

Increase link concurrency for ThinLTO.

Unlike full LTO, ThinLTO is significantly less memory-hungry,
and there's no need to artificially starve ThinLTO builds.

BUG= 645295 

Review-Url: https://codereview.chromium.org/2380213002
Cr-Commit-Position: refs/heads/master@{#422015}

[modify] https://crrev.com/5bbd5649b5e027d4f61e2166c83a656bcb003c71/build/toolchain/concurrent_links.gni
