| Message ID | 20190815211843.22799-2-adhemerval.zanella@linaro.org |
|---|---|
| State | Dropped |
| Headers |
Received: (qmail 51822 invoked by alias); 15 Aug 2019 21:18:53 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: <libc-alpha.sourceware.org> List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org> List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org> List-Archive: <http://sourceware.org/ml/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-help@sourceware.org>, <http://sourceware.org/ml/#faqs> Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 51747 invoked by uid 89); 15 Aug 2019 21:18:52 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-16.1 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, KAM_NUMSUBJECT, RCVD_IN_DNSWL_NONE, SPF_PASS autolearn=ham version=3.3.1 spammy=H*RU:209.85.160.195, HX-Spam-Relays-External:209.85.160.195, HX-Languages-Length:947 X-HELO: mail-qt1-f195.google.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references; bh=USb0e92xrMdwjFjt4UMhe9YbsXTiBYfRmilHa6bkkiM=; b=JmPdFYcc+ARTx07ZcddU7huY21vzaI5reyJbNVNB8ZlpkgepVYE/VY0m4OAmjNcDeC 5Vhij1X2i9BkaSXZnBzpSWCTIhxib/sgtx/XBOPlmJhckKM5tJgJay05VaL6TBuPP7iy Sw1eL7y2T8vdY+AeYqJ3ZzEdOf4HG/dUJZlBDkeMhHvFNWdRSo8oZ+E+ySZfC8kUvv6+ RJigGy+Gfec2hzX4NDiAo9uVB5GnkQi8DxK/GRNZ2+IC0sXIW2r4WNSGUZZOEqr+LuLv D6q9WbpVxfRXiW6STQkc2IPpjSVgGAPpvynNK3SSOXjxaH52Z1GxWy9z7DNGckNlKbGZ LB4g== Return-Path: <adhemerval.zanella@linaro.org> From: Adhemerval Zanella <adhemerval.zanella@linaro.org> To: libc-alpha@sourceware.org Subject: [PATCH 2/4] nptl: Handle EPIPE on tst-cancel2 Date: Thu, 15 Aug 2019 18:18:41 -0300 Message-Id: <20190815211843.22799-2-adhemerval.zanella@linaro.org> In-Reply-To: <20190815211843.22799-1-adhemerval.zanella@linaro.org> References: <20190815211843.22799-1-adhemerval.zanella@linaro.org> |
Commit Message
Adhemerval Zanella Netto
Aug. 15, 2019, 9:18 p.m. UTC
The SIGPIPE can be handled before SIGCANCEL, which makes write fail and the thread return a non expected result. Checked on x86_64-linux-gnu. * nptl/tst-cancel2.c (tf): Do not abort with EPIPE. --- nptl/tst-cancel2.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
Comments
I will push shortly if no one opposes it. On 15/08/2019 18:18, Adhemerval Zanella wrote: > The SIGPIPE can be handled before SIGCANCEL, which makes write fail > and the thread return a non expected result. > > Checked on x86_64-linux-gnu. > > * nptl/tst-cancel2.c (tf): Do not abort with EPIPE. > --- > nptl/tst-cancel2.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/nptl/tst-cancel2.c b/nptl/tst-cancel2.c > index 1f0429d343..632ea4e0ae 100644 > --- a/nptl/tst-cancel2.c > +++ b/nptl/tst-cancel2.c > @@ -20,6 +20,7 @@ > #include <signal.h> > #include <stdio.h> > #include <unistd.h> > +#include <errno.h> > > > static int fd[2]; > @@ -32,7 +33,14 @@ tf (void *arg) > write blocks. */ > char buf[100000]; > > - while (write (fd[1], buf, sizeof (buf)) > 0); > + while (1) > + { > + /* Ignore EPIPE errors for case the SIGPIPE is handle before > + SIGCANCEL. */ > + ssize_t ret = write (fd[1], buf, sizeof (buf)); > + if (ret == 0 || (ret == -1 && errno != EPIPE)) > + break; > + } > > return (void *) 42l; > } >
* Adhemerval Zanella: > The SIGPIPE can be handled before SIGCANCEL, which makes write fail > and the thread return a non expected result. > > Checked on x86_64-linux-gnu. > > * nptl/tst-cancel2.c (tf): Do not abort with EPIPE. > --- > nptl/tst-cancel2.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/nptl/tst-cancel2.c b/nptl/tst-cancel2.c > index 1f0429d343..632ea4e0ae 100644 > --- a/nptl/tst-cancel2.c > +++ b/nptl/tst-cancel2.c > @@ -20,6 +20,7 @@ > #include <signal.h> > #include <stdio.h> > #include <unistd.h> > +#include <errno.h> > > > static int fd[2]; > @@ -32,7 +33,14 @@ tf (void *arg) > write blocks. */ > char buf[100000]; > > - while (write (fd[1], buf, sizeof (buf)) > 0); > + while (1) > + { > + /* Ignore EPIPE errors for case the SIGPIPE is handle before > + SIGCANCEL. */ > + ssize_t ret = write (fd[1], buf, sizeof (buf)); > + if (ret == 0 || (ret == -1 && errno != EPIPE)) > + break; > + } > > return (void *) 42l; > } I disagree with this change. SIGPIPE does not appear to be a valid error from write in this test because the thread is canceled before the read end of the pipe is closed. POSIX says this: | The cancellation processing in the target thread shall run | asynchronously with respect to the calling thread returning from | pthread_cancel(). But that doesn't mean that the thread can observe actions in its uncanceled state that happen after the cancellation, which is the case when the write fails with SIGPIPE. Thanks, Florian
On 20/08/2019 07:23, Florian Weimer wrote: > * Adhemerval Zanella: > >> The SIGPIPE can be handled before SIGCANCEL, which makes write fail >> and the thread return a non expected result. >> >> Checked on x86_64-linux-gnu. >> >> * nptl/tst-cancel2.c (tf): Do not abort with EPIPE. >> --- >> nptl/tst-cancel2.c | 10 +++++++++- >> 1 file changed, 9 insertions(+), 1 deletion(-) >> >> diff --git a/nptl/tst-cancel2.c b/nptl/tst-cancel2.c >> index 1f0429d343..632ea4e0ae 100644 >> --- a/nptl/tst-cancel2.c >> +++ b/nptl/tst-cancel2.c >> @@ -20,6 +20,7 @@ >> #include <signal.h> >> #include <stdio.h> >> #include <unistd.h> >> +#include <errno.h> >> >> >> static int fd[2]; >> @@ -32,7 +33,14 @@ tf (void *arg) >> write blocks. */ >> char buf[100000]; >> >> - while (write (fd[1], buf, sizeof (buf)) > 0); >> + while (1) >> + { >> + /* Ignore EPIPE errors for case the SIGPIPE is handle before >> + SIGCANCEL. */ >> + ssize_t ret = write (fd[1], buf, sizeof (buf)); >> + if (ret == 0 || (ret == -1 && errno != EPIPE)) >> + break; >> + } >> >> return (void *) 42l; >> } > > I disagree with this change. SIGPIPE does not appear to be a valid > error from write in this test because the thread is canceled before the > read end of the pipe is closed. POSIX says this: > > | The cancellation processing in the target thread shall run > | asynchronously with respect to the calling thread returning from > | pthread_cancel(). > > But that doesn't mean that the thread can observe actions in its > uncanceled state that happen after the cancellation, which is the case > when the write fails with SIGPIPE. My understanding is since thread cancellation is implemented with an asynchronous signal and there is no *extra* synchronization between the pthread_cancel from main thread and write call on the create one, there is no happens before order between them. It might the case where, due scheduling, the cancellation signal is triggered on the test during the write call and it is a side effect that should be handled. This is exactly the kind of race conditions BZ#12683 make more explicit.
* Adhemerval Zanella: > On 20/08/2019 07:23, Florian Weimer wrote: >> * Adhemerval Zanella: >> >>> The SIGPIPE can be handled before SIGCANCEL, which makes write fail >>> and the thread return a non expected result. >>> >>> Checked on x86_64-linux-gnu. >>> >>> * nptl/tst-cancel2.c (tf): Do not abort with EPIPE. >>> --- >>> nptl/tst-cancel2.c | 10 +++++++++- >>> 1 file changed, 9 insertions(+), 1 deletion(-) >>> >>> diff --git a/nptl/tst-cancel2.c b/nptl/tst-cancel2.c >>> index 1f0429d343..632ea4e0ae 100644 >>> --- a/nptl/tst-cancel2.c >>> +++ b/nptl/tst-cancel2.c >>> @@ -20,6 +20,7 @@ >>> #include <signal.h> >>> #include <stdio.h> >>> #include <unistd.h> >>> +#include <errno.h> >>> >>> >>> static int fd[2]; >>> @@ -32,7 +33,14 @@ tf (void *arg) >>> write blocks. */ >>> char buf[100000]; >>> >>> - while (write (fd[1], buf, sizeof (buf)) > 0); >>> + while (1) >>> + { >>> + /* Ignore EPIPE errors for case the SIGPIPE is handle before >>> + SIGCANCEL. */ >>> + ssize_t ret = write (fd[1], buf, sizeof (buf)); >>> + if (ret == 0 || (ret == -1 && errno != EPIPE)) >>> + break; >>> + } >>> >>> return (void *) 42l; >>> } >> >> I disagree with this change. SIGPIPE does not appear to be a valid >> error from write in this test because the thread is canceled before the >> read end of the pipe is closed. POSIX says this: >> >> | The cancellation processing in the target thread shall run >> | asynchronously with respect to the calling thread returning from >> | pthread_cancel(). >> >> But that doesn't mean that the thread can observe actions in its >> uncanceled state that happen after the cancellation, which is the case >> when the write fails with SIGPIPE. > > My understanding is since thread cancellation is implemented with an > asynchronous signal and there is no *extra* synchronization between the > pthread_cancel from main thread and write call on the create one, there > is no happens before order between them. > > It might the case where, due scheduling, the cancellation signal is > triggered on the test during the write call and it is a side effect that > should be handled. This is exactly the kind of race conditions BZ#12683 > make more explicit. Hmm. What are the write call sequences for this test? I can think of the following scenarios: (A) The write call is canceled immediately and never returns. (B) The write call returns a positive value. The second write call is canceled. (C) The first write call returns a positive value. The second write call fails with with EPIPE. The third write call is canceled. I have serious doubts that that (C) is a valid sequence. Practically speaking, I think it will lead to regressions because threads may fail to act upon cancellation compared to what we have today. This works out for the test because there is an infinite number of write calls. Looking at the actual cancellation change, I see this: + /* Call the arch-specific entry points that contains the globals markers + to be checked by SIGCANCEL handler. */ + result = __syscall_cancel_arch (&pd->cancelhandling, nr, a1, a2, a3, a4, a5, + a6); + + if ((result == -EINTR) + && (pd->cancelhandling & CANCELED_BITMASK) + && !(pd->cancelhandling & CANCELSTATE_BITMASK)) + __do_cancel (); Why the restriction to EINTR? Any signal can result in EINTR. And with SA_RESTART, the SIGCANCEL handler will not even result in EINTR. Thanks, Florian
On 20/08/2019 09:59, Florian Weimer wrote: > * Adhemerval Zanella: > >> On 20/08/2019 07:23, Florian Weimer wrote: >>> * Adhemerval Zanella: >>> >>>> The SIGPIPE can be handled before SIGCANCEL, which makes write fail >>>> and the thread return a non expected result. >>>> >>>> Checked on x86_64-linux-gnu. >>>> >>>> * nptl/tst-cancel2.c (tf): Do not abort with EPIPE. >>>> --- >>>> nptl/tst-cancel2.c | 10 +++++++++- >>>> 1 file changed, 9 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/nptl/tst-cancel2.c b/nptl/tst-cancel2.c >>>> index 1f0429d343..632ea4e0ae 100644 >>>> --- a/nptl/tst-cancel2.c >>>> +++ b/nptl/tst-cancel2.c >>>> @@ -20,6 +20,7 @@ >>>> #include <signal.h> >>>> #include <stdio.h> >>>> #include <unistd.h> >>>> +#include <errno.h> >>>> >>>> >>>> static int fd[2]; >>>> @@ -32,7 +33,14 @@ tf (void *arg) >>>> write blocks. */ >>>> char buf[100000]; >>>> >>>> - while (write (fd[1], buf, sizeof (buf)) > 0); >>>> + while (1) >>>> + { >>>> + /* Ignore EPIPE errors for case the SIGPIPE is handle before >>>> + SIGCANCEL. */ >>>> + ssize_t ret = write (fd[1], buf, sizeof (buf)); >>>> + if (ret == 0 || (ret == -1 && errno != EPIPE)) >>>> + break; >>>> + } >>>> >>>> return (void *) 42l; >>>> } >>> >>> I disagree with this change. SIGPIPE does not appear to be a valid >>> error from write in this test because the thread is canceled before the >>> read end of the pipe is closed. POSIX says this: >>> >>> | The cancellation processing in the target thread shall run >>> | asynchronously with respect to the calling thread returning from >>> | pthread_cancel(). >>> >>> But that doesn't mean that the thread can observe actions in its >>> uncanceled state that happen after the cancellation, which is the case >>> when the write fails with SIGPIPE. >> >> My understanding is since thread cancellation is implemented with an >> asynchronous signal and there is no *extra* synchronization between the >> pthread_cancel from main thread and write call on the create one, there >> is no happens before order between them. >> >> It might the case where, due scheduling, the cancellation signal is >> triggered on the test during the write call and it is a side effect that >> should be handled. This is exactly the kind of race conditions BZ#12683 >> make more explicit. > > Hmm. What are the write call sequences for this test? > > I can think of the following scenarios: > > (A) The write call is canceled immediately and never returns. > > (B) The write call returns a positive value. The second write call is > canceled. > > (C) The first write call returns a positive value. The second write > call fails with with EPIPE. The third write call is canceled. > > I have serious doubts that that (C) is a valid sequence. Practically > speaking, I think it will lead to regressions because threads may fail > to act upon cancellation compared to what we have today. This works out > for the test because there is an infinite number of write calls. The idea of using a large buffer is exactly to force the write to block indefinitely. Ideally the test should use F_SETPIPE_SZ to make it sure it would block on first call, but current scheme might issue multiple calls until buffer is full (which usually does not trigger because SIGCANCEL is usually triggered beforehand). What happens for current asynchronous handling is if the syscall is indeed interrupted, it will call __pthread_disable_asynccancel and then it will wait on futex_wait_simple (line 97) until the cancellation handling is done. It waits on the futex because the pthread_cancel sets the CANCELING_BITMASK | CANCELED_BITMASK. The sigcancel_handler then acts upon cancellation and finishes the thread. That's the *very* racy issue BZ#12683 aims to fix, since current cancellation does not give the information back to program that a side-effect of the sycall has happens (in this case EPIPE). For tst-cancel2.c, if I add a sleep (1) between pthread_create and pthread_cancel you can see this issue more clearly (dump with strace): [pid 2587] set_robust_list(0x7fffabccf290, 24) = 0 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000 <unfinished ...> [pid 2586] <... nanosleep resumed>0x7ffff0c9e7f0) = 0 ########### Cancellation start to act here, by loading the libgcc to unwinding [pid 2586] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 [pid 2586] fstat(5, {st_mode=S_IFREG|0644, st_size=63776, ...}) = 0 [pid 2586] mmap(NULL, 63776, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fffabf00000 [pid 2586] close(5) = 0 [pid 2586] open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 5 [pid 2586] read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\25\0\1\0\0\0\340+\0\0\0\0\0\0"..., 832) = 832 [pid 2586] fstat(5, {st_mode=S_IFREG|0755, st_size=133696, ...}) = 0 [pid 2586] mmap(NULL, 197688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fffab480000 [pid 2586] mmap(0x7fffab4a0000, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x10000) = 0x7fffab4a0000 [pid 2586] close(5) = 0 [pid 2586] mprotect(0x7fffab4a0000, 65536, PROT_READ) = 0 [pid 2586] munmap(0x7fffabf00000, 63776) = 0 [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 [pid 2586] close(3) = 0 [pid 2586] futex(0x7fffabccf280, FUTEX_WAIT, 2587, NULL <unfinished ...> ########### Write returns with broken PIPE and __pthread_disable_asynccancel is called [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- [pid 2587] futex(0x7fffab4b0224, FUTEX_WAKE_PRIVATE, 2147483647) = 0 ########### No side-effects reported back to program [pid 2587] madvise(0x7fffab4c0000, 8257536, MADV_DONTNEED) = 0 [pid 2587] exit(0) = ? With BZ#12683 fix the cancellation is not acted upon and the testcase then fails depending whether the write is interrupted or not by the cancellation signal. > > Looking at the actual cancellation change, I see this: > > + /* Call the arch-specific entry points that contains the globals markers > + to be checked by SIGCANCEL handler. */ > + result = __syscall_cancel_arch (&pd->cancelhandling, nr, a1, a2, a3, a4, a5, > + a6); > + > + if ((result == -EINTR) > + && (pd->cancelhandling & CANCELED_BITMASK) > + && !(pd->cancelhandling & CANCELSTATE_BITMASK)) > + __do_cancel (); > > Why the restriction to EINTR? Any signal can result in EINTR. And with > SA_RESTART, the SIGCANCEL handler will not even result in EINTR. The EINTR was a special case for __NR_close from original Rich suggestion, which I think we will need to discuss further it is indeed make sense for glibc (it is the long-standing issue regarding of close failure and how to handle it). I removed it in the current version.
* Adhemerval Zanella: > For tst-cancel2.c, if I add a sleep (1) between pthread_create and > pthread_cancel you can see this issue more clearly (dump with strace): > > [pid 2587] set_robust_list(0x7fffabccf290, 24) = 0 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 > [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000 <unfinished ...> > [pid 2586] <... nanosleep resumed>0x7ffff0c9e7f0) = 0 > > ########### Cancellation start to act here, by loading the libgcc to unwinding > [pid 2586] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 > [pid 2586] fstat(5, {st_mode=S_IFREG|0644, st_size=63776, ...}) = 0 > [pid 2586] mmap(NULL, 63776, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fffabf00000 > [pid 2586] close(5) = 0 > [pid 2586] open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 5 > [pid 2586] read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\25\0\1\0\0\0\340+\0\0\0\0\0\0"..., 832) = 832 > [pid 2586] fstat(5, {st_mode=S_IFREG|0755, st_size=133696, ...}) = 0 > [pid 2586] mmap(NULL, 197688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fffab480000 > [pid 2586] mmap(0x7fffab4a0000, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x10000) = 0x7fffab4a0000 > [pid 2586] close(5) = 0 > [pid 2586] mprotect(0x7fffab4a0000, 65536, PROT_READ) = 0 > [pid 2586] munmap(0x7fffabf00000, 63776) = 0 > [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 > [pid 2586] close(3) = 0 > [pid 2586] futex(0x7fffabccf280, FUTEX_WAIT, 2587, NULL <unfinished ...> > > ########### Write returns with broken PIPE and __pthread_disable_asynccancel is called > [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) > [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- > [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- > [pid 2587] futex(0x7fffab4b0224, FUTEX_WAKE_PRIVATE, 2147483647) = 0 > > ########### No side-effects reported back to program > [pid 2587] madvise(0x7fffab4c0000, 8257536, MADV_DONTNEED) = 0 > [pid 2587] exit(0) = ? > > With BZ#12683 fix the cancellation is not acted upon and the testcase then fails > depending whether the write is interrupted or not by the cancellation signal. Hmm. Which cancellation implementation is this? At which point in the trace do we start unwinding? I'm surprised that strace reports the EPIPE before the SIGPIPE, but maybe that's just a kernel race. My expectation is that the current code unwinds after the system call returns with the EPIPE error, never returning it to the application. I think this is the right behavior for the write system call. Thanks, Florian
On 20/08/2019 12:30, Florian Weimer wrote: > * Adhemerval Zanella: > >> For tst-cancel2.c, if I add a sleep (1) between pthread_create and >> pthread_cancel you can see this issue more clearly (dump with strace): >> >> [pid 2587] set_robust_list(0x7fffabccf290, 24) = 0 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000 <unfinished ...> >> [pid 2586] <... nanosleep resumed>0x7ffff0c9e7f0) = 0 >> >> ########### Cancellation start to act here, by loading the libgcc to unwinding >> [pid 2586] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 >> [pid 2586] fstat(5, {st_mode=S_IFREG|0644, st_size=63776, ...}) = 0 >> [pid 2586] mmap(NULL, 63776, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fffabf00000 >> [pid 2586] close(5) = 0 >> [pid 2586] open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 5 >> [pid 2586] read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\25\0\1\0\0\0\340+\0\0\0\0\0\0"..., 832) = 832 >> [pid 2586] fstat(5, {st_mode=S_IFREG|0755, st_size=133696, ...}) = 0 >> [pid 2586] mmap(NULL, 197688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fffab480000 >> [pid 2586] mmap(0x7fffab4a0000, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x10000) = 0x7fffab4a0000 >> [pid 2586] close(5) = 0 >> [pid 2586] mprotect(0x7fffab4a0000, 65536, PROT_READ) = 0 >> [pid 2586] munmap(0x7fffabf00000, 63776) = 0 >> [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 >> [pid 2586] close(3) = 0 >> [pid 2586] futex(0x7fffabccf280, FUTEX_WAIT, 2587, NULL <unfinished ...> >> >> ########### Write returns with broken PIPE and __pthread_disable_asynccancel is called >> [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) >> [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- >> [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- >> [pid 2587] futex(0x7fffab4b0224, FUTEX_WAKE_PRIVATE, 2147483647) = 0 >> >> ########### No side-effects reported back to program >> [pid 2587] madvise(0x7fffab4c0000, 8257536, MADV_DONTNEED) = 0 >> [pid 2587] exit(0) = ? >> >> With BZ#12683 fix the cancellation is not acted upon and the testcase then fails >> depending whether the write is interrupted or not by the cancellation signal. > > Hmm. Which cancellation implementation is this? At which point in the > trace do we start unwinding? I'm surprised that strace reports the > EPIPE before the SIGPIPE, but maybe that's just a kernel race. My > expectation is that the current code unwinds after the system call > returns with the EPIPE error, never returning it to the application. I > think this is the right behavior for the write system call. This is current implement, more specifically glibc 2.17, CentOS 7.6 on powerpc64le. From the trace : >> [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 This where pthread_cancel sends the SIGCANCEL signal to thread. >> [pid 2586] close(3) = 0 This is the /* This will cause the write in the child to return. */ close (fd[0]); In tst-cancel2.c. And finally: >> [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) >> [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- SIGPIPE is receives, making the write fail with EPIPE and then >> [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- sigcancel_handler is issued. And the implementation *does* unwind after the syscall is done, the problem is it ignores -1/EPIPE (and it is BZ#12683).
On 20/08/2019 13:46, Adhemerval Zanella wrote: > > > On 20/08/2019 12:30, Florian Weimer wrote: >> * Adhemerval Zanella: >> >>> For tst-cancel2.c, if I add a sleep (1) between pthread_create and >>> pthread_cancel you can see this issue more clearly (dump with strace): >>> >>> [pid 2587] set_robust_list(0x7fffabccf290, 24) = 0 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000 <unfinished ...> >>> [pid 2586] <... nanosleep resumed>0x7ffff0c9e7f0) = 0 >>> >>> ########### Cancellation start to act here, by loading the libgcc to unwinding >>> [pid 2586] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 >>> [pid 2586] fstat(5, {st_mode=S_IFREG|0644, st_size=63776, ...}) = 0 >>> [pid 2586] mmap(NULL, 63776, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fffabf00000 >>> [pid 2586] close(5) = 0 >>> [pid 2586] open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 5 >>> [pid 2586] read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\25\0\1\0\0\0\340+\0\0\0\0\0\0"..., 832) = 832 >>> [pid 2586] fstat(5, {st_mode=S_IFREG|0755, st_size=133696, ...}) = 0 >>> [pid 2586] mmap(NULL, 197688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fffab480000 >>> [pid 2586] mmap(0x7fffab4a0000, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x10000) = 0x7fffab4a0000 >>> [pid 2586] close(5) = 0 >>> [pid 2586] mprotect(0x7fffab4a0000, 65536, PROT_READ) = 0 >>> [pid 2586] munmap(0x7fffabf00000, 63776) = 0 >>> [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 >>> [pid 2586] close(3) = 0 >>> [pid 2586] futex(0x7fffabccf280, FUTEX_WAIT, 2587, NULL <unfinished ...> >>> >>> ########### Write returns with broken PIPE and __pthread_disable_asynccancel is called >>> [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) >>> [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- >>> [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- >>> [pid 2587] futex(0x7fffab4b0224, FUTEX_WAKE_PRIVATE, 2147483647) = 0 >>> >>> ########### No side-effects reported back to program >>> [pid 2587] madvise(0x7fffab4c0000, 8257536, MADV_DONTNEED) = 0 >>> [pid 2587] exit(0) = ? >>> >>> With BZ#12683 fix the cancellation is not acted upon and the testcase then fails >>> depending whether the write is interrupted or not by the cancellation signal. >> >> Hmm. Which cancellation implementation is this? At which point in the >> trace do we start unwinding? I'm surprised that strace reports the >> EPIPE before the SIGPIPE, but maybe that's just a kernel race. My >> expectation is that the current code unwinds after the system call >> returns with the EPIPE error, never returning it to the application. I >> think this is the right behavior for the write system call. > > This is current implement, more specifically glibc 2.17, CentOS 7.6 on > powerpc64le. From the trace : > >>> [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 > > This where pthread_cancel sends the SIGCANCEL signal to thread. > >>> [pid 2586] close(3) = 0 > > This is the > > /* This will cause the write in the child to return. */ > close (fd[0]); > > In tst-cancel2.c. > > And finally: > >>> [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) >>> [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- > > SIGPIPE is receives, making the write fail with EPIPE and then > >>> [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- > > sigcancel_handler is issued. And the implementation *does* unwind after the > syscall is done, the problem is it ignores -1/EPIPE (and it is BZ#12683). > Florian, do still disagree with this change?
* Adhemerval Zanella:
> Florian, do still disagree with this change?
Sorry, I need to run more experiments, hopefully today.
Thanks,
Florian
* Adhemerval Zanella: > On 20/08/2019 12:30, Florian Weimer wrote: >> * Adhemerval Zanella: >> >>> For tst-cancel2.c, if I add a sleep (1) between pthread_create and >>> pthread_cancel you can see this issue more clearly (dump with strace): >>> >>> [pid 2587] set_robust_list(0x7fffabccf290, 24) = 0 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000 <unfinished ...> >>> [pid 2586] <... nanosleep resumed>0x7ffff0c9e7f0) = 0 >>> >>> ########### Cancellation start to act here, by loading the libgcc to unwinding >>> [pid 2586] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 >>> [pid 2586] fstat(5, {st_mode=S_IFREG|0644, st_size=63776, ...}) = 0 >>> [pid 2586] mmap(NULL, 63776, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fffabf00000 >>> [pid 2586] close(5) = 0 >>> [pid 2586] open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 5 >>> [pid 2586] read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\25\0\1\0\0\0\340+\0\0\0\0\0\0"..., 832) = 832 >>> [pid 2586] fstat(5, {st_mode=S_IFREG|0755, st_size=133696, ...}) = 0 >>> [pid 2586] mmap(NULL, 197688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fffab480000 >>> [pid 2586] mmap(0x7fffab4a0000, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x10000) = 0x7fffab4a0000 >>> [pid 2586] close(5) = 0 >>> [pid 2586] mprotect(0x7fffab4a0000, 65536, PROT_READ) = 0 >>> [pid 2586] munmap(0x7fffabf00000, 63776) = 0 >>> [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 >>> [pid 2586] close(3) = 0 >>> [pid 2586] futex(0x7fffabccf280, FUTEX_WAIT, 2587, NULL <unfinished ...> >>> >>> ########### Write returns with broken PIPE and __pthread_disable_asynccancel is called >>> [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) >>> [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- >>> [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- >>> [pid 2587] futex(0x7fffab4b0224, FUTEX_WAKE_PRIVATE, 2147483647) = 0 >>> >>> ########### No side-effects reported back to program >>> [pid 2587] madvise(0x7fffab4c0000, 8257536, MADV_DONTNEED) = 0 >>> [pid 2587] exit(0) = ? >>> >>> With BZ#12683 fix the cancellation is not acted upon and the testcase then fails >>> depending whether the write is interrupted or not by the cancellation signal. >> >> Hmm. Which cancellation implementation is this? At which point in the >> trace do we start unwinding? I'm surprised that strace reports the >> EPIPE before the SIGPIPE, but maybe that's just a kernel race. My >> expectation is that the current code unwinds after the system call >> returns with the EPIPE error, never returning it to the application. I >> think this is the right behavior for the write system call. > > This is current implement, more specifically glibc 2.17, CentOS 7.6 on > powerpc64le. From the trace : > >>> [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 > > This where pthread_cancel sends the SIGCANCEL signal to thread. > >>> [pid 2586] close(3) = 0 > > This is the > > /* This will cause the write in the child to return. */ > close (fd[0]); > > In tst-cancel2.c. > > And finally: > >>> [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) >>> [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- > > SIGPIPE is receives, making the write fail with EPIPE and then > >>> [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- > > sigcancel_handler is issued. And the implementation *does* unwind after the > syscall is done, the problem is it ignores -1/EPIPE (and it is BZ#12683). I looked at this some more. It seems that in theory, we could also see EPIPE in the old implementation or at least observe execution of a signal handler, and the asynchronous cancel hides that. In the new implementation, if there is a signal handler and a signal for it is delivered before SIGCANCEL (even if the signal was sent *after* pthread_cancel, from the same thread), I do not think there is any chance whatsoever that we can hide the behavior difference. After all, SIGCANCEL may not trigger an asynchronous cancellation from the signal handler. System calls that are cancellation points appear to fall into these categories: (A) Those that do not perform any resource allocation (write, read). (B) Those that perform resource allocation, but the allocation can be easily reverted (openat, accept4). (C) Those that perform resource allocation, but the allocation is difficult to undo (recvmsg with descriptor passing). (D) close. For (A), I think POSIX allows sufficient wiggle room so that we can exhibit a partial side effect and still act on the cancellation (without reporting a partial write first to the application). For (B), maybe we should undo the resource allocation and then proceed to act on the cancellation. For (C), the complexity may not be worth it. For (A), (B), (C), we can act on the cancellation in the error case, after we observe the cancellation flag in the signal handler trampoline. (I think dropping the EINTR restriction from there achieves that.) If we do that, we do not need to change the test case. (D) is very special. Ideally, we would specify what happens with the descriptor if the close call is canceled. POSIX does not even specify what the state of file descriptor is after an EINTR error, so it doesn't say what happens with cancellation, either. Maybe we have to leave that undefined. Thanks, Florian
On 23/08/2019 09:47, Florian Weimer wrote: > * Adhemerval Zanella: > >> On 20/08/2019 12:30, Florian Weimer wrote: >>> * Adhemerval Zanella: >>> >>>> For tst-cancel2.c, if I add a sleep (1) between pthread_create and >>>> pthread_cancel you can see this issue more clearly (dump with strace): >>>> >>>> [pid 2587] set_robust_list(0x7fffabccf290, 24) = 0 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000) = 100000 >>>> [pid 2587] write(4, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 100000 <unfinished ...> >>>> [pid 2586] <... nanosleep resumed>0x7ffff0c9e7f0) = 0 >>>> >>>> ########### Cancellation start to act here, by loading the libgcc to unwinding >>>> [pid 2586] open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5 >>>> [pid 2586] fstat(5, {st_mode=S_IFREG|0644, st_size=63776, ...}) = 0 >>>> [pid 2586] mmap(NULL, 63776, PROT_READ, MAP_PRIVATE, 5, 0) = 0x7fffabf00000 >>>> [pid 2586] close(5) = 0 >>>> [pid 2586] open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 5 >>>> [pid 2586] read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\25\0\1\0\0\0\340+\0\0\0\0\0\0"..., 832) = 832 >>>> [pid 2586] fstat(5, {st_mode=S_IFREG|0755, st_size=133696, ...}) = 0 >>>> [pid 2586] mmap(NULL, 197688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fffab480000 >>>> [pid 2586] mmap(0x7fffab4a0000, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x10000) = 0x7fffab4a0000 >>>> [pid 2586] close(5) = 0 >>>> [pid 2586] mprotect(0x7fffab4a0000, 65536, PROT_READ) = 0 >>>> [pid 2586] munmap(0x7fffabf00000, 63776) = 0 >>>> [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 >>>> [pid 2586] close(3) = 0 >>>> [pid 2586] futex(0x7fffabccf280, FUTEX_WAIT, 2587, NULL <unfinished ...> >>>> >>>> ########### Write returns with broken PIPE and __pthread_disable_asynccancel is called >>>> [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) >>>> [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- >>>> [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- >>>> [pid 2587] futex(0x7fffab4b0224, FUTEX_WAKE_PRIVATE, 2147483647) = 0 >>>> >>>> ########### No side-effects reported back to program >>>> [pid 2587] madvise(0x7fffab4c0000, 8257536, MADV_DONTNEED) = 0 >>>> [pid 2587] exit(0) = ? >>>> >>>> With BZ#12683 fix the cancellation is not acted upon and the testcase then fails >>>> depending whether the write is interrupted or not by the cancellation signal. >>> >>> Hmm. Which cancellation implementation is this? At which point in the >>> trace do we start unwinding? I'm surprised that strace reports the >>> EPIPE before the SIGPIPE, but maybe that's just a kernel race. My >>> expectation is that the current code unwinds after the system call >>> returns with the EPIPE error, never returning it to the application. I >>> think this is the right behavior for the write system call. >> >> This is current implement, more specifically glibc 2.17, CentOS 7.6 on >> powerpc64le. From the trace : >> >>>> [pid 2586] tgkill(2586, 2587, SIGRTMIN) = 0 >> >> This where pthread_cancel sends the SIGCANCEL signal to thread. >> >>>> [pid 2586] close(3) = 0 >> >> This is the >> >> /* This will cause the write in the child to return. */ >> close (fd[0]); >> >> In tst-cancel2.c. >> >> And finally: >> >>>> [pid 2587] <... write resumed>) = -1 EPIPE (Broken pipe) >>>> [pid 2587] --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2586, si_uid=61684} --- >> >> SIGPIPE is receives, making the write fail with EPIPE and then >> >>>> [pid 2587] --- SIGRTMIN {si_signo=SIGRTMIN, si_code=SI_TKILL, si_pid=2586, si_uid=61684} --- >> >> sigcancel_handler is issued. And the implementation *does* unwind after the >> syscall is done, the problem is it ignores -1/EPIPE (and it is BZ#12683). > > I looked at this some more. It seems that in theory, we could also see > EPIPE in the old implementation or at least observe execution of a > signal handler, and the asynchronous cancel hides that. > > In the new implementation, if there is a signal handler and a signal for > it is delivered before SIGCANCEL (even if the signal was sent *after* > pthread_cancel, from the same thread), I do not think there is any > chance whatsoever that we can hide the behavior difference. After all, > SIGCANCEL may not trigger an asynchronous cancellation from the signal > handler. Yes, although SIGCANCEL would be set as SA_RESTART, it is explicit disabled by the signal handle by removing it from ucontext_t signal mask. > > System calls that are cancellation points appear to fall into these > categories: > > (A) Those that do not perform any resource allocation (write, read). > > (B) Those that perform resource allocation, but the allocation can be > easily reverted (openat, accept4). > > (C) Those that perform resource allocation, but the allocation is > difficult to undo (recvmsg with descriptor passing). > > (D) close. > > For (A), I think POSIX allows sufficient wiggle room so that we can > exhibit a partial side effect and still act on the cancellation (without > reporting a partial write first to the application). I agree, the side-effects for such syscalls should not lead to possible resources leakage. > > For (B), maybe we should undo the resource allocation and then proceed > to act on the cancellation. Besides this requires a lot of more complexity by mapping what kind of resources each syscall would require to free and when to free based on returned codes, it would hide it from the application. My view we just need to return that the syscall has visible side-effects that may result in system resources leaks and let the application deal with. > > For (C), the complexity may not be worth it. > > For (A), (B), (C), we can act on the cancellation in the error case, > after we observe the cancellation flag in the signal handler trampoline. > (I think dropping the EINTR restriction from there achieves that.) If > we do that, we do not need to change the test case. I don't see a real net gain in adding such complexity. It is not on the error case, but rather when visible side-effects has happened and we should alert the program to act upon that. The tst-cancel2 case is an error case because of the EPIPE semantic, but the new tst-cancel28 (based on the leak example from BZ#12683) is a case where the open call returns a valid file descriptor that should be freed. If glibc starts to add extra semantics for cancellation, we will have a standard extensions since now 'open', for instance, would close the file descriptor if the cancellation signal is delivered after the OS allocates the file descriptor resource. IMHO this is clearly what the program itself should be handling, because it might the case where it is prepared to close itself the file descriptor in a different thread. This would lead to possible another incompatibilities regarding libc system implementation, besides adding more complexity. I would like to make cancellation racy-free with minimal semantic change as possible. > > (D) is very special. Ideally, we would specify what happens with the > descriptor if the close call is canceled. POSIX does not even specify > what the state of file descriptor is after an EINTR error, so it doesn't > say what happens with cancellation, either. Maybe we have to leave that > undefined. Indeed even after the POSIX close language clarification [1], the specification is messy (it really does not help that some system does have interruptible close implementation that might return -1). However my understanding is we can assume POSIX_CLOSE_RESTART 0 for Linux since it shouldn't return -1/EINTR in any case (and I don't know if/when there are kernels that actually does it) [2]. So assuming the nptl is Linux specific, we can assume that, although close is specified as a cancellable entrypoint, it won't happen in practice. [1] http://austingroupbugs.net/view.php?id=529 [2] https://lwn.net/Articles/576478/
* Adhemerval Zanella: >> In the new implementation, if there is a signal handler and a signal for >> it is delivered before SIGCANCEL (even if the signal was sent *after* >> pthread_cancel, from the same thread), I do not think there is any >> chance whatsoever that we can hide the behavior difference. After all, >> SIGCANCEL may not trigger an asynchronous cancellation from the signal >> handler. > > Yes, although SIGCANCEL would be set as SA_RESTART, it is explicit disabled > by the signal handle by removing it from ucontext_t signal mask. Does this mean a thread would lose its ability to be canceled in blocking system calls if it setjmps out of a signal handler? (Where as sigsetjmp would keep cancellation working.) >> System calls that are cancellation points appear to fall into these >> categories: >> >> (A) Those that do not perform any resource allocation (write, read). >> >> (B) Those that perform resource allocation, but the allocation can be >> easily reverted (openat, accept4). >> >> (C) Those that perform resource allocation, but the allocation is >> difficult to undo (recvmsg with descriptor passing). >> >> (D) close. >> For (B), maybe we should undo the resource allocation and then proceed >> to act on the cancellation. > > Besides this requires a lot of more complexity by mapping what kind of > resources each syscall would require to free and when to free based on > returned codes, it would hide it from the application. My view we just > need to return that the syscall has visible side-effects that may result > in system resources leaks and let the application deal with. My concern is that there might be no further cancellation point, and if we do not cancel in the case of (B), we might fail to act on the cancellation even though the canceled thread was blocked at a cancellation point when pthread_cancel was called. >> For (C), the complexity may not be worth it. >> >> For (A), (B), (C), we can act on the cancellation in the error case, >> after we observe the cancellation flag in the signal handler trampoline. >> (I think dropping the EINTR restriction from there achieves that.) If >> we do that, we do not need to change the test case. > > I don't see a real net gain in adding such complexity. It is not on the > error case, but rather when visible side-effects has happened and we should > alert the program to act upon that. The tst-cancel2 case is an error case > because of the EPIPE semantic, but the new tst-cancel28 (based on the leak > example from BZ#12683) is a case where the open call returns a valid file > descriptor that should be freed. I totally agree that the descriptor must not leak. However, tst-cancel28 is written in such a way that it does not expect an error from open: static void * leaker (void *arg) { int fd = open (arg, O_RDONLY); pthread_setcancelstate (PTHREAD_CANCEL_DISABLE, 0); close (fd); return NULL; } It would be clearer if it actually used error checking, but we call close (-1) on error, which is invalid. If this test represents how application code is actually written, I think we really need to check for cancellation before returning the file descriptor. > If glibc starts to add extra semantics for cancellation, we will have > a standard extensions since now 'open', for instance, would close the > file descriptor if the cancellation signal is delivered after the OS > allocates the file descriptor resource. IMHO this is clearly what the > program itself should be handling, because it might the case where it > is prepared to close itself the file descriptor in a different thread. open is a cancellation point, so according to POSIX, the thread is canceled if the open call completes after pthread_cancel returns. (Due to integration with the memory model, thread ordering issues are difficult to reason about in POSIX, though.) I do not think we should return a descriptor to the application that can only exist because of something that happened *after* the pthread_cancel call. > This would lead to possible another incompatibilities regarding libc > system implementation, besides adding more complexity. I think we would just implement POSIX behavior more closely because open is required to be a cancellation point. It's unfortunate that we do not have kernel support for this. Other systems can likely implement cancellation semantics correctly more easily. >> (D) is very special. Ideally, we would specify what happens with the >> descriptor if the close call is canceled. POSIX does not even specify >> what the state of file descriptor is after an EINTR error, so it doesn't >> say what happens with cancellation, either. Maybe we have to leave that >> undefined. > > Indeed even after the POSIX close language clarification [1], the specification > is messy (it really does not help that some system does have interruptible > close implementation that might return -1). > > However my understanding is we can assume POSIX_CLOSE_RESTART 0 for Linux > since it shouldn't return -1/EINTR in any case (and I don't know if/when > there are kernels that actually does it) [2]. So assuming the nptl is Linux > specific, we can assume that, although close is specified as a cancellable > entrypoint, it won't happen in practice. > > [1] http://austingroupbugs.net/view.php?id=529 > [2] https://lwn.net/Articles/576478/ I think this is slightly different from the EINTR case. With SA_RESTART, perhaps the signal handler can run *before* the descriptor is closed, so if we never return from the handler, the descriptor leaks? Thanks, Florian
On 26/08/2019 07:06, Florian Weimer wrote: > * Adhemerval Zanella: > >>> In the new implementation, if there is a signal handler and a signal for >>> it is delivered before SIGCANCEL (even if the signal was sent *after* >>> pthread_cancel, from the same thread), I do not think there is any >>> chance whatsoever that we can hide the behavior difference. After all, >>> SIGCANCEL may not trigger an asynchronous cancellation from the signal >>> handler. >> >> Yes, although SIGCANCEL would be set as SA_RESTART, it is explicit disabled >> by the signal handle by removing it from ucontext_t signal mask. > > Does this mean a thread would lose its ability to be canceled in > blocking system calls if it setjmps out of a signal handler? (Where as > sigsetjmp would keep cancellation working.) The setjmp does not really matter here, once the async-cancellation fails to act due side-effects SIGCANCEL is removed from thread signal mask. The idea of making it sticky is always allow the thread to act on such cases regardless whether it calls another cancellation entrypoint. The thread will still be cancelled in the next cancellation entrypoint due it is marked as CANCELED_BIT. The __syscall_cancel_arch will check for the bit and call __do_cancel before issuing the syscall. > >>> System calls that are cancellation points appear to fall into these >>> categories: >>> >>> (A) Those that do not perform any resource allocation (write, read). >>> >>> (B) Those that perform resource allocation, but the allocation can be >>> easily reverted (openat, accept4). >>> >>> (C) Those that perform resource allocation, but the allocation is >>> difficult to undo (recvmsg with descriptor passing). >>> >>> (D) close. > >>> For (B), maybe we should undo the resource allocation and then proceed >>> to act on the cancellation. >> >> Besides this requires a lot of more complexity by mapping what kind of >> resources each syscall would require to free and when to free based on >> returned codes, it would hide it from the application. My view we just >> need to return that the syscall has visible side-effects that may result >> in system resources leaks and let the application deal with. > > My concern is that there might be no further cancellation point, and if > we do not cancel in the case of (B), we might fail to act on the > cancellation even though the canceled thread was blocked at a > cancellation point when pthread_cancel was called. I shared your concern, but my understanding of the whole BZ#12683 issue is we can't really cancel the thread for the (B) case. > >>> For (C), the complexity may not be worth it. >>> >>> For (A), (B), (C), we can act on the cancellation in the error case, >>> after we observe the cancellation flag in the signal handler trampoline. >>> (I think dropping the EINTR restriction from there achieves that.) If >>> we do that, we do not need to change the test case. >> >> I don't see a real net gain in adding such complexity. It is not on the >> error case, but rather when visible side-effects has happened and we should >> alert the program to act upon that. The tst-cancel2 case is an error case >> because of the EPIPE semantic, but the new tst-cancel28 (based on the leak >> example from BZ#12683) is a case where the open call returns a valid file >> descriptor that should be freed. > > I totally agree that the descriptor must not leak. However, > tst-cancel28 is written in such a way that it does not expect an error > from open: > > static void * > leaker (void *arg) > { > int fd = open (arg, O_RDONLY); > pthread_setcancelstate (PTHREAD_CANCEL_DISABLE, 0); > close (fd); > return NULL; > } > > It would be clearer if it actually used error checking, but we call > close (-1) on error, which is invalid. We can hardness the test to check for open failures (due file descriptor exhaustion or other arcane issue), but the point of the test is fd is always for the *close* call. If the open syscall is interrupted before the file descriptor is actually opened, the thread will be cancelled before close call. Otherwise, the kernel will have to return a valid value and indicate on the PC from the ucontext_t that the syscall has side-effect. > > If this test represents how application code is actually written, I > think we really need to check for cancellation before returning the file > descriptor. > >> If glibc starts to add extra semantics for cancellation, we will have >> a standard extensions since now 'open', for instance, would close the >> file descriptor if the cancellation signal is delivered after the OS >> allocates the file descriptor resource. IMHO this is clearly what the >> program itself should be handling, because it might the case where it >> is prepared to close itself the file descriptor in a different thread. > > open is a cancellation point, so according to POSIX, the thread is > canceled if the open call completes after pthread_cancel returns. (Due > to integration with the memory model, thread ordering issues are > difficult to reason about in POSIX, though.) I do not think we should > return a descriptor to the application that can only exist because of > something that happened *after* the pthread_cancel call. That's not the interpretation I see, the cancellation description for such cases is afaiu: "The side-effects of acting upon a cancellation request while suspended during a call of a function are the same as the side-effects that may be seen in a single-threaded program when a call to a function is interrupted by a signal and the given function returns [EINTR]" And on signal concepts: "[EINTR] Interrupted function call. An asynchronous signal was caught by the process during the execution of an interruptible function. If the signal handler performs a normal return, the interrupted function call may return this condition (see the Base Definitions volume of POSIX.1-2017, <signal.h>)." And my understanding is, since glibc implemented cancellation using signals and it requires to use SA_RESTART we can actually return to user if the syscall has side-effects visible to caller. It follows the same interpretation Rich used in explaining the semantic required for the a possible kernel helper for cancellation [1] > >> This would lead to possible another incompatibilities regarding libc >> system implementation, besides adding more complexity. > > I think we would just implement POSIX behavior more closely because open > is required to be a cancellation point. It's unfortunate that we do not > have kernel support for this. Other systems can likely implement > cancellation semantics correctly more easily. I don't think there is an easy solution that kernel can provide to help cancellation to be standard conformant *and* race free. On the same kernel thread [2], Rich discuss some option with kernel developers and although the conclusion is open the ideas are either no conformant (the 'stick signal') or feasible (a new set of syscalls with an extra sigmak mask). > >>> (D) is very special. Ideally, we would specify what happens with the >>> descriptor if the close call is canceled. POSIX does not even specify >>> what the state of file descriptor is after an EINTR error, so it doesn't >>> say what happens with cancellation, either. Maybe we have to leave that >>> undefined. >> >> Indeed even after the POSIX close language clarification [1], the specification >> is messy (it really does not help that some system does have interruptible >> close implementation that might return -1). >> >> However my understanding is we can assume POSIX_CLOSE_RESTART 0 for Linux >> since it shouldn't return -1/EINTR in any case (and I don't know if/when >> there are kernels that actually does it) [2]. So assuming the nptl is Linux >> specific, we can assume that, although close is specified as a cancellable >> entrypoint, it won't happen in practice. >> >> [1] http://austingroupbugs.net/view.php?id=529 >> [2] https://lwn.net/Articles/576478/ > > I think this is slightly different from the EINTR case. With > SA_RESTART, perhaps the signal handler can run *before* the descriptor > is closed, so if we never return from the handler, the descriptor leaks? My understanding is the cancellation handler for close won't interrupt the syscall, regardless SA_RESTART. But indeed it might be the case where the signal is acted just before the syscall is issue and after the test for CANCELED_BITMASK is done. In this case the thread will be cancelled and the descriptor leaked. The musl handler SYS_close differently by not using the syscall bridge, so cancellation can't be acted upon and so close always succeed. On the tst-cancel28.c, pthread cancellation is explicit disable before calling close. [1] https://lkml.org/lkml/2016/3/9/1065 [2] https://lkml.org/lkml/2016/3/10/424
* Adhemerval Zanella: > On 26/08/2019 07:06, Florian Weimer wrote: >> * Adhemerval Zanella: >> >>>> In the new implementation, if there is a signal handler and a signal for >>>> it is delivered before SIGCANCEL (even if the signal was sent *after* >>>> pthread_cancel, from the same thread), I do not think there is any >>>> chance whatsoever that we can hide the behavior difference. After all, >>>> SIGCANCEL may not trigger an asynchronous cancellation from the signal >>>> handler. >>> >>> Yes, although SIGCANCEL would be set as SA_RESTART, it is explicit disabled >>> by the signal handle by removing it from ucontext_t signal mask. >> >> Does this mean a thread would lose its ability to be canceled in >> blocking system calls if it setjmps out of a signal handler? (Where as >> sigsetjmp would keep cancellation working.) > The setjmp does not really matter here, once the async-cancellation fails > to act due side-effects SIGCANCEL is removed from thread signal mask. The > idea of making it sticky is always allow the thread to act on such cases > regardless whether it calls another cancellation entrypoint. I see. But why are we doing this? Can't we suppress the cancel signal inside pthread_cancel. Then we don't have to worry about the location of the signal mask in the signal context. > The thread will still be cancelled in the next cancellation entrypoint > due it is marked as CANCELED_BIT. The __syscall_cancel_arch will check > for the bit and call __do_cancel before issuing the syscall. Sure, but we can exit the SIGCANCEL handler if we detect that cancellation is already in progress. >>>> System calls that are cancellation points appear to fall into these >>>> categories: >>>> >>>> (A) Those that do not perform any resource allocation (write, read). >>>> >>>> (B) Those that perform resource allocation, but the allocation can be >>>> easily reverted (openat, accept4). >>>> >>>> (C) Those that perform resource allocation, but the allocation is >>>> difficult to undo (recvmsg with descriptor passing). >>>> >>>> (D) close. >> >>>> For (B), maybe we should undo the resource allocation and then proceed >>>> to act on the cancellation. >>> >>> Besides this requires a lot of more complexity by mapping what kind of >>> resources each syscall would require to free and when to free based on >>> returned codes, it would hide it from the application. My view we just >>> need to return that the syscall has visible side-effects that may result >>> in system resources leaks and let the application deal with. >> >> My concern is that there might be no further cancellation point, and if >> we do not cancel in the case of (B), we might fail to act on the >> cancellation even though the canceled thread was blocked at a >> cancellation point when pthread_cancel was called. > > I shared your concern, but my understanding of the whole BZ#12683 > issue is we can't really cancel the thread for the (B) case. Even if we undo the resource allocation before that? That is, check that a cancellation has occurred on the system call return path, and if it has, close the descriptor and start unwinding. >> I totally agree that the descriptor must not leak. However, >> tst-cancel28 is written in such a way that it does not expect an error >> from open: >> >> static void * >> leaker (void *arg) >> { >> int fd = open (arg, O_RDONLY); >> pthread_setcancelstate (PTHREAD_CANCEL_DISABLE, 0); >> close (fd); >> return NULL; >> } >> >> It would be clearer if it actually used error checking, but we call >> close (-1) on error, which is invalid. > > We can hardness the test to check for open failures (due file descriptor > exhaustion or other arcane issue), but the point of the test is fd is > always for the *close* call. If the open syscall is interrupted before the > file descriptor is actually opened, the thread will be cancelled before > close call. Otherwise, the kernel will have to return a valid value > and indicate on the PC from the ucontext_t that the syscall has side-effect. My point is that the test should still be valid without the close call because the open is always canceled according to POSIX. >> If this test represents how application code is actually written, I >> think we really need to check for cancellation before returning the file >> descriptor. >> >>> If glibc starts to add extra semantics for cancellation, we will have >>> a standard extensions since now 'open', for instance, would close the >>> file descriptor if the cancellation signal is delivered after the OS >>> allocates the file descriptor resource. IMHO this is clearly what the >>> program itself should be handling, because it might the case where it >>> is prepared to close itself the file descriptor in a different thread. >> >> open is a cancellation point, so according to POSIX, the thread is >> canceled if the open call completes after pthread_cancel returns. (Due >> to integration with the memory model, thread ordering issues are >> difficult to reason about in POSIX, though.) I do not think we should >> return a descriptor to the application that can only exist because of >> something that happened *after* the pthread_cancel call. > > That's not the interpretation I see, the cancellation description for > such cases is afaiu: > > "The side-effects of acting upon a cancellation request while suspended > during a call of a function are the same as the side-effects that may be > seen in a single-threaded program when a call to a function is interrupted > by a signal and the given function returns [EINTR]" > > And on signal concepts: > > "[EINTR] > Interrupted function call. An asynchronous signal was caught by the process > during the execution of an interruptible function. If the signal handler > performs a normal return, the interrupted function call may return this > condition (see the Base Definitions volume of POSIX.1-2017, <signal.h>)." > > And my understanding is, since glibc implemented cancellation using signals > and it requires to use SA_RESTART we can actually return to user if the > syscall has side-effects visible to caller. The open function cannot allocate a new file descriptor and fail with EINTR. So I don't see how this case applies here. Sorry. >>>> (D) is very special. Ideally, we would specify what happens with the >>>> descriptor if the close call is canceled. POSIX does not even specify >>>> what the state of file descriptor is after an EINTR error, so it doesn't >>>> say what happens with cancellation, either. Maybe we have to leave that >>>> undefined. >>> >>> Indeed even after the POSIX close language clarification [1], the specification >>> is messy (it really does not help that some system does have interruptible >>> close implementation that might return -1). >>> >>> However my understanding is we can assume POSIX_CLOSE_RESTART 0 for Linux >>> since it shouldn't return -1/EINTR in any case (and I don't know if/when >>> there are kernels that actually does it) [2]. So assuming the nptl is Linux >>> specific, we can assume that, although close is specified as a cancellable >>> entrypoint, it won't happen in practice. >>> >>> [1] http://austingroupbugs.net/view.php?id=529 >>> [2] https://lwn.net/Articles/576478/ >> >> I think this is slightly different from the EINTR case. With >> SA_RESTART, perhaps the signal handler can run *before* the descriptor >> is closed, so if we never return from the handler, the descriptor leaks? > > My understanding is the cancellation handler for close won't interrupt the > syscall, regardless SA_RESTART. What do you mean by “interrupt” here? That close will not return with EINTR? Or that the signal handler does not run? > But indeed it might be the case where the > signal is acted just before the syscall is issue and after the test for > CANCELED_BITMASK is done. In this case the thread will be cancelled and > the descriptor leaked. The musl handler SYS_close differently by not using > the syscall bridge, so cancellation can't be acted upon and so close always > succeed. That seems reasonable. If we check for cancellation after the close system call (successful or not), then I think we have a compliant, leak-free close implementation. Thanks, Florian
On Fri, Aug 23, 2019 at 02:47:39PM +0200, Florian Weimer wrote: > I looked at this some more. It seems that in theory, we could also see > EPIPE in the old implementation or at least observe execution of a > signal handler, and the asynchronous cancel hides that. > > In the new implementation, if there is a signal handler and a signal for > it is delivered before SIGCANCEL (even if the signal was sent *after* > pthread_cancel, from the same thread), I do not think there is any > chance whatsoever that we can hide the behavior difference. After all, > SIGCANCEL may not trigger an asynchronous cancellation from the signal > handler. > > System calls that are cancellation points appear to fall into these > categories: > > (A) Those that do not perform any resource allocation (write, read). > > (B) Those that perform resource allocation, but the allocation can be > easily reverted (openat, accept4). > > (C) Those that perform resource allocation, but the allocation is > difficult to undo (recvmsg with descriptor passing). > > (D) close. > > For (A), I think POSIX allows sufficient wiggle room so that we can > exhibit a partial side effect and still act on the cancellation (without > reporting a partial write first to the application). No. POSIX is very clear that cancellation is only permitted to be acted on when the side effects are the same as EINTR, which can only happen for read/write when no data has been transferred yet. If data has already been transferred, the only option not ruled out by one or more constraints is to return successfully with a short read or write; pending cancellation will then be handled on a subsequent call to a cancellation point. (If you're doing a retry loop until the total length n is transferred, then in the next iteration of the loop.) Of course this case of non-conformance would be less severe than UAF or resource leak errors in most cases, but it's still not good. > For (B), maybe we should undo the resource allocation and then proceed > to act on the cancellation. No, why would you do that? In general it's not possible (think of things like O_TRUNC), and even if it were it's more work. You just don't act on the cancellation if success has already happened. I don't see how/why you're characterizing "accept4" as "can easily be reverted". Closing the accepted socket would *drop a connection* rather than leaving the connection pending for another thread calling accept to receive. > For (C), the complexity may not be worth it. > > For (A), (B), (C), we can act on the cancellation in the error case, > after we observe the cancellation flag in the signal handler trampoline. > (I think dropping the EINTR restriction from there achieves that.) If > we do that, we do not need to change the test case. > > (D) is very special. Ideally, we would specify what happens with the > descriptor if the close call is canceled. POSIX does not even specify > what the state of file descriptor is after an EINTR error, so it doesn't > say what happens with cancellation, either. Maybe we have to leave that > undefined. Failure to specify EINTR was an error in POSIX that's been fixed for the next issue. Leaving it undefined is atrociously bad and results in UAF type errors. Even if glibc doesn't want to apply the fix for EINTR, cancellation of close absolutely needs to behave *as if* by the newly-specified behavior for close with EINTR. Rich
On 30/08/2019 08:51, Florian Weimer wrote: > * Adhemerval Zanella: > >> On 26/08/2019 07:06, Florian Weimer wrote: >>> * Adhemerval Zanella: >>> >>>>> In the new implementation, if there is a signal handler and a signal for >>>>> it is delivered before SIGCANCEL (even if the signal was sent *after* >>>>> pthread_cancel, from the same thread), I do not think there is any >>>>> chance whatsoever that we can hide the behavior difference. After all, >>>>> SIGCANCEL may not trigger an asynchronous cancellation from the signal >>>>> handler. >>>> >>>> Yes, although SIGCANCEL would be set as SA_RESTART, it is explicit disabled >>>> by the signal handle by removing it from ucontext_t signal mask. >>> >>> Does this mean a thread would lose its ability to be canceled in >>> blocking system calls if it setjmps out of a signal handler? (Where as >>> sigsetjmp would keep cancellation working.) > >> The setjmp does not really matter here, once the async-cancellation fails >> to act due side-effects SIGCANCEL is removed from thread signal mask. The >> idea of making it sticky is always allow the thread to act on such cases >> regardless whether it calls another cancellation entrypoint. > > I see. But why are we doing this? Can't we suppress the cancel signal > inside pthread_cancel. Then we don't have to worry about the location > of the signal mask in the signal context. I guess we can, it would require a sigprocmask to obtain the current mask, and another one to remove the cancellation signal. I still think it cleaner to just sets on the signal handler, since the kernel will restore the signal handler after the userspace returns. > >> The thread will still be cancelled in the next cancellation entrypoint >> due it is marked as CANCELED_BIT. The __syscall_cancel_arch will check >> for the bit and call __do_cancel before issuing the syscall. > > Sure, but we can exit the SIGCANCEL handler if we detect that > cancellation is already in progress. I think it is possible, but I see that enforcing it using the kernel facilities to avoid extra code in userspace is cleaner. > >>>>> System calls that are cancellation points appear to fall into these >>>>> categories: >>>>> >>>>> (A) Those that do not perform any resource allocation (write, read). >>>>> >>>>> (B) Those that perform resource allocation, but the allocation can be >>>>> easily reverted (openat, accept4). >>>>> >>>>> (C) Those that perform resource allocation, but the allocation is >>>>> difficult to undo (recvmsg with descriptor passing). >>>>> >>>>> (D) close. >>> >>>>> For (B), maybe we should undo the resource allocation and then proceed >>>>> to act on the cancellation. >>>> >>>> Besides this requires a lot of more complexity by mapping what kind of >>>> resources each syscall would require to free and when to free based on >>>> returned codes, it would hide it from the application. My view we just >>>> need to return that the syscall has visible side-effects that may result >>>> in system resources leaks and let the application deal with. >>> >>> My concern is that there might be no further cancellation point, and if >>> we do not cancel in the case of (B), we might fail to act on the >>> cancellation even though the canceled thread was blocked at a >>> cancellation point when pthread_cancel was called. >> >> I shared your concern, but my understanding of the whole BZ#12683 >> issue is we can't really cancel the thread for the (B) case. > > Even if we undo the resource allocation before that? That is, check > that a cancellation has occurred on the system call return path, and if > it has, close the descriptor and start unwinding. What if the application requires extra steps for the case the syscall returns a side-effects? What about some specific syscalls, such as passing file descriptor using recvmsg? It would need the libc to map *all* possible side-effects for each syscall, determine which might leak side-effect and acts uppon then. What if the kernel, at some version, added another feature to share resources that might create side-effects? We will need to constantly map such cases, adding even more arch-specific glue code to handle it. I really think we should not go on this path. > >>> I totally agree that the descriptor must not leak. However, >>> tst-cancel28 is written in such a way that it does not expect an error >>> from open: >>> >>> static void * >>> leaker (void *arg) >>> { >>> int fd = open (arg, O_RDONLY); >>> pthread_setcancelstate (PTHREAD_CANCEL_DISABLE, 0); >>> close (fd); >>> return NULL; >>> } >>> >>> It would be clearer if it actually used error checking, but we call >>> close (-1) on error, which is invalid. >> >> We can hardness the test to check for open failures (due file descriptor >> exhaustion or other arcane issue), but the point of the test is fd is >> always for the *close* call. If the open syscall is interrupted before the >> file descriptor is actually opened, the thread will be cancelled before >> close call. Otherwise, the kernel will have to return a valid value >> and indicate on the PC from the ucontext_t that the syscall has side-effect. > > My point is that the test should still be valid without the close call > because the open is always canceled according to POSIX. > >>> If this test represents how application code is actually written, I >>> think we really need to check for cancellation before returning the file >>> descriptor. >>> >>>> If glibc starts to add extra semantics for cancellation, we will have >>>> a standard extensions since now 'open', for instance, would close the >>>> file descriptor if the cancellation signal is delivered after the OS >>>> allocates the file descriptor resource. IMHO this is clearly what the >>>> program itself should be handling, because it might the case where it >>>> is prepared to close itself the file descriptor in a different thread. >>> >>> open is a cancellation point, so according to POSIX, the thread is >>> canceled if the open call completes after pthread_cancel returns. (Due >>> to integration with the memory model, thread ordering issues are >>> difficult to reason about in POSIX, though.) I do not think we should >>> return a descriptor to the application that can only exist because of >>> something that happened *after* the pthread_cancel call. >> >> That's not the interpretation I see, the cancellation description for >> such cases is afaiu: >> >> "The side-effects of acting upon a cancellation request while suspended >> during a call of a function are the same as the side-effects that may be >> seen in a single-threaded program when a call to a function is interrupted >> by a signal and the given function returns [EINTR]" >> >> And on signal concepts: >> >> "[EINTR] >> Interrupted function call. An asynchronous signal was caught by the process >> during the execution of an interruptible function. If the signal handler >> performs a normal return, the interrupted function call may return this >> condition (see the Base Definitions volume of POSIX.1-2017, <signal.h>)." >> >> And my understanding is, since glibc implemented cancellation using signals >> and it requires to use SA_RESTART we can actually return to user if the >> syscall has side-effects visible to caller. > > The open function cannot allocate a new file descriptor and fail with > EINTR. So I don't see how this case applies here. Sorry. But that is *exactly* the point. The open *does not* fail, but cancellation acts *before* it can return to the callee. We can't really make it fail with EINTR and acts on the cancellation. The idea is "the interrupted function call may return this condition". > >>>>> (D) is very special. Ideally, we would specify what happens with the >>>>> descriptor if the close call is canceled. POSIX does not even specify >>>>> what the state of file descriptor is after an EINTR error, so it doesn't >>>>> say what happens with cancellation, either. Maybe we have to leave that >>>>> undefined. >>>> >>>> Indeed even after the POSIX close language clarification [1], the specification >>>> is messy (it really does not help that some system does have interruptible >>>> close implementation that might return -1). >>>> >>>> However my understanding is we can assume POSIX_CLOSE_RESTART 0 for Linux >>>> since it shouldn't return -1/EINTR in any case (and I don't know if/when >>>> there are kernels that actually does it) [2]. So assuming the nptl is Linux >>>> specific, we can assume that, although close is specified as a cancellable >>>> entrypoint, it won't happen in practice. >>>> >>>> [1] http://austingroupbugs.net/view.php?id=529 >>>> [2] https://lwn.net/Articles/576478/ >>> >>> I think this is slightly different from the EINTR case. With >>> SA_RESTART, perhaps the signal handler can run *before* the descriptor >>> is closed, so if we never return from the handler, the descriptor leaks? >> >> My understanding is the cancellation handler for close won't interrupt the >> syscall, regardless SA_RESTART. > > What do you mean by “interrupt” here? That close will not return with > EINTR? Or that the signal handler does not run? My understanding on the discussions is Linux close implementation does not return EINTR/-1 in any case (and if it did in the past it was a bug). > >> But indeed it might be the case where the >> signal is acted just before the syscall is issue and after the test for >> CANCELED_BITMASK is done. In this case the thread will be cancelled and >> the descriptor leaked. The musl handler SYS_close differently by not using >> the syscall bridge, so cancellation can't be acted upon and so close always >> succeed. > > That seems reasonable. > > If we check for cancellation after the close system call (successful or > not), then I think we have a compliant, leak-free close implementation. In my understanding musl does this to prevent possible problematic cancel syscall implementation that might return -1/EINTR (since for this case syscall will be restart due SA_RESTART and cancellation won't acted upon).
* Rich Felker: > On Fri, Aug 23, 2019 at 02:47:39PM +0200, Florian Weimer wrote: >> I looked at this some more. It seems that in theory, we could also see >> EPIPE in the old implementation or at least observe execution of a >> signal handler, and the asynchronous cancel hides that. >> >> In the new implementation, if there is a signal handler and a signal for >> it is delivered before SIGCANCEL (even if the signal was sent *after* >> pthread_cancel, from the same thread), I do not think there is any >> chance whatsoever that we can hide the behavior difference. After all, >> SIGCANCEL may not trigger an asynchronous cancellation from the signal >> handler. >> >> System calls that are cancellation points appear to fall into these >> categories: >> >> (A) Those that do not perform any resource allocation (write, read). >> >> (B) Those that perform resource allocation, but the allocation can be >> easily reverted (openat, accept4). >> >> (C) Those that perform resource allocation, but the allocation is >> difficult to undo (recvmsg with descriptor passing). >> >> (D) close. >> >> For (A), I think POSIX allows sufficient wiggle room so that we can >> exhibit a partial side effect and still act on the cancellation (without >> reporting a partial write first to the application). > > No. POSIX is very clear that cancellation is only permitted to be > acted on when the side effects are the same as EINTR, which can only > happen for read/write when no data has been transferred yet. If data > has already been transferred, the only option not ruled out by one or > more constraints is to return successfully with a short read or write; > pending cancellation will then be handled on a subsequent call to a > cancellation point. (If you're doing a retry loop until the total > length n is transferred, then in the next iteration of the loop.) This seems to be a backwards interpretation to me. I think POSIX wants to describe what can happen during cancellation, and not say that any cancellation point can be skipped if some side effect happens that cannot happen before EINTR. > Of course this case of non-conformance would be less severe than UAF > or resource leak errors in most cases, but it's still not good. Agreed. And I think not acting on the cancellation and returning success is also not conforming. The main problem is that POSIX would need to specify a memory model in order to make the current language (“side-effects occur before any cancellation cleanup handlers are called”, “a thread is canceled while executing the function”, “a cancellation request has been made”, etc.). >> For (B), maybe we should undo the resource allocation and then proceed >> to act on the cancellation. > > No, why would you do that? In general it's not possible (think of > things like O_TRUNC), and even if it were it's more work. You just > don't act on the cancellation if success has already happened. The problem is that the implementation reorders cancellation requests fairly arbitrarily. I don't think that's what the authors of POSIX had in mind when they said that the cancellation itself progresses asynchronously. I don't think that can be fixed without kernel support, though. We'll see eventually how this impacts existing applications. > I don't see how/why you're characterizing "accept4" as "can easily be > reverted". Closing the accepted socket would *drop a connection* > rather than leaving the connection pending for another thread calling > accept to receive. And this is true for open as well. For FIFOs, there is an observable side effect, likewise for rewinding tape devices, and even for regular files, the close call affects POSIX advisory locks on the file. Oh well. So it's just not possible to unwind directly after file descriptor allocation. >> For (C), the complexity may not be worth it. >> >> For (A), (B), (C), we can act on the cancellation in the error case, >> after we observe the cancellation flag in the signal handler trampoline. >> (I think dropping the EINTR restriction from there achieves that.) If >> we do that, we do not need to change the test case. >> >> (D) is very special. Ideally, we would specify what happens with the >> descriptor if the close call is canceled. POSIX does not even specify >> what the state of file descriptor is after an EINTR error, so it doesn't >> say what happens with cancellation, either. Maybe we have to leave that >> undefined. > > Failure to specify EINTR was an error in POSIX that's been fixed for > the next issue. Leaving it undefined is atrociously bad and results in > UAF type errors. Even if glibc doesn't want to apply the fix for > EINTR, cancellation of close absolutely needs to behave *as if* by the > newly-specified behavior for close with EINTR. Can we even make sure we act on the cancellation only if the descriptor has been closed? Thanks, Florian
* Adhemerval Zanella: > I think it is possible, but I see that enforcing it using the kernel > facilities to avoid extra code in userspace is cleaner. Okay. >> Even if we undo the resource allocation before that? That is, check >> that a cancellation has occurred on the system call return path, and if >> it has, close the descriptor and start unwinding. > > What if the application requires extra steps for the case the syscall > returns a side-effects? What about some specific syscalls, such as > passing file descriptor using recvmsg? It would need the libc to map > *all* possible side-effects for each syscall, determine which might > leak side-effect and acts uppon then. What if the kernel, at some version, > added another feature to share resources that might create side-effects? > We will need to constantly map such cases, adding even more arch-specific > glue code to handle it. > > I really think we should not go on this path. I agree now, given what we've got from the kernel. See my response to Rich. >>> That's not the interpretation I see, the cancellation description for >>> such cases is afaiu: >>> >>> "The side-effects of acting upon a cancellation request while suspended >>> during a call of a function are the same as the side-effects that may be >>> seen in a single-threaded program when a call to a function is interrupted >>> by a signal and the given function returns [EINTR]" >>> >>> And on signal concepts: >>> >>> "[EINTR] >>> Interrupted function call. An asynchronous signal was caught by the process >>> during the execution of an interruptible function. If the signal handler >>> performs a normal return, the interrupted function call may return this >>> condition (see the Base Definitions volume of POSIX.1-2017, <signal.h>)." >>> >>> And my understanding is, since glibc implemented cancellation using signals >>> and it requires to use SA_RESTART we can actually return to user if the >>> syscall has side-effects visible to caller. >> >> The open function cannot allocate a new file descriptor and fail with >> EINTR. So I don't see how this case applies here. Sorry. > > But that is *exactly* the point. The open *does not* fail, but > cancellation acts *before* it can return to the callee. We can't > really make it fail with EINTR and acts on the cancellation. The idea > is "the interrupted function call may return this condition". My uneasiness stems from the fact that we're reading POSIX backwards, i.e., our interpretation (necessarily, given the kernel interfaces) behaves in a way that is obviously to complying with a direct reading of POSIX (a to-be-canceled thread synchronizing with the canceling thread, when the pthread_cancel call happened before the synchronization in program order in the canceling thread), and we then proceed to find reasons why this not totally broken. So, back to the start of the thread: Can we avoid the EPIPE error in an other way? Can we remove this line? /* This will cause the write in the child to return. */ close (fd[0]); Cancellation should still happen if the write is blocked, right? It's not really clear to me what the intent of the test was. Thanks, Florian
On 02/09/2019 13:37, Florian Weimer wrote: > * Rich Felker: >> No. POSIX is very clear that cancellation is only permitted to be >> acted on when the side effects are the same as EINTR, which can only >> happen for read/write when no data has been transferred yet. If data >> has already been transferred, the only option not ruled out by one or >> more constraints is to return successfully with a short read or write; >> pending cancellation will then be handled on a subsequent call to a >> cancellation point. (If you're doing a retry loop until the total >> length n is transferred, then in the next iteration of the loop.) > > This seems to be a backwards interpretation to me. I think POSIX wants > to describe what can happen during cancellation, and not say that any > cancellation point can be skipped if some side effect happens that > cannot happen before EINTR. > >> Of course this case of non-conformance would be less severe than UAF >> or resource leak errors in most cases, but it's still not good. > > Agreed. And I think not acting on the cancellation and returning > success is also not conforming. how is that non-conformance observable? the user cannot know if the cancellation request arrived in time or not if io error (short write) can happen for other reasons than the cancellation signal.
On Mon, Sep 02, 2019 at 02:37:17PM +0200, Florian Weimer wrote: > * Rich Felker: > > > On Fri, Aug 23, 2019 at 02:47:39PM +0200, Florian Weimer wrote: > >> I looked at this some more. It seems that in theory, we could also see > >> EPIPE in the old implementation or at least observe execution of a > >> signal handler, and the asynchronous cancel hides that. > >> > >> In the new implementation, if there is a signal handler and a signal for > >> it is delivered before SIGCANCEL (even if the signal was sent *after* > >> pthread_cancel, from the same thread), I do not think there is any > >> chance whatsoever that we can hide the behavior difference. After all, > >> SIGCANCEL may not trigger an asynchronous cancellation from the signal > >> handler. > >> > >> System calls that are cancellation points appear to fall into these > >> categories: > >> > >> (A) Those that do not perform any resource allocation (write, read). > >> > >> (B) Those that perform resource allocation, but the allocation can be > >> easily reverted (openat, accept4). > >> > >> (C) Those that perform resource allocation, but the allocation is > >> difficult to undo (recvmsg with descriptor passing). > >> > >> (D) close. > >> > >> For (A), I think POSIX allows sufficient wiggle room so that we can > >> exhibit a partial side effect and still act on the cancellation (without > >> reporting a partial write first to the application). > > > > No. POSIX is very clear that cancellation is only permitted to be > > acted on when the side effects are the same as EINTR, which can only > > happen for read/write when no data has been transferred yet. If data > > has already been transferred, the only option not ruled out by one or > > more constraints is to return successfully with a short read or write; > > pending cancellation will then be handled on a subsequent call to a > > cancellation point. (If you're doing a retry loop until the total > > length n is transferred, then in the next iteration of the loop.) > > This seems to be a backwards interpretation to me. I think POSIX wants > to describe what can happen during cancellation, and not say that any > cancellation point can be skipped if some side effect happens that > cannot happen before EINTR. The exact text is: "The side-effects of acting upon a cancellation request while suspended during a call of a function are the same as the side-effects that may be seen in a single-threaded program when a call to a function is interrupted by a signal and the given function returns [EINTR]." Admittedly it took me a while to understand this back when I first started investigating the problem in 2010, but based on both careful reading of this text, and on reasoning about what conditions are *absolutely necessary* to make the cancellation functionality usable in any meaningful way (without race conditions), yes it means that if you act on cancellation, the [only] side effects the cancelled function can have are side effects that would be allowed if the function had failed with EINTR. In hindsight, the main obstacle to my understanding this was bias based on how badly wrong all existing implementations I'd seen were, and resistance to believing they were all so badly wrong. But they were/are. Moreover, the specification gives the implementation liberty *not* to act on cancellation in certain conditions (very end of XSH 2.9.5 Thread Cancellation, subheading Cancellation points): "It is unspecified whether the cancellation request is acted upon or whether the cancellation request remains pending and the thread resumes normal execution if: - The thread is suspended at a cancellation point and the event for which it is waiting occurs - A specified timeout expired before the cancellation request is acted upon." The way I read this is that, if you start processing a cancellation request, but see that the timeout has already expired or that whatever the function was blocked waiting for has already happened, you can abort cancellation and leave it pending and return the result. In an implementation where libc/libpthread cancellation and the kernel are tightly coupled, this is really a choice -- for example the kernel could check at the last point before success during SYS_read to see that cancellation is pending, and *not actually transfer the data*, but instead initiate cancellation with no side effects on the open file. But on an implementation like Linux where libc/libpthread and the cancellation implementation is completely decoupled from the kernel and implemented via signals (which is a hack!), you don't actually have this freedom. By the time you see the signal, it's possible that the syscall *already succeeded* with (potentially serious) side effects, and in that case you have to use the option POSIX gives you here to defer cancellation until the next cancellation point. (If POSIX did not give you this option, then it may not even be possible to do a conforming implementation based on the signal hack). > > Of course this case of non-conformance would be less severe than UAF > > or resource leak errors in most cases, but it's still not good. > > Agreed. And I think not acting on the cancellation and returning > success is also not conforming. It is conforming, by the above-quoted passage. > >> For (C), the complexity may not be worth it. > >> > >> For (A), (B), (C), we can act on the cancellation in the error case, > >> after we observe the cancellation flag in the signal handler trampoline. > >> (I think dropping the EINTR restriction from there achieves that.) If > >> we do that, we do not need to change the test case. > >> > >> (D) is very special. Ideally, we would specify what happens with the > >> descriptor if the close call is canceled. POSIX does not even specify > >> what the state of file descriptor is after an EINTR error, so it doesn't > >> say what happens with cancellation, either. Maybe we have to leave that > >> undefined. > > > > Failure to specify EINTR was an error in POSIX that's been fixed for > > the next issue. Leaving it undefined is atrociously bad and results in > > UAF type errors. Even if glibc doesn't want to apply the fix for > > EINTR, cancellation of close absolutely needs to behave *as if* by the > > newly-specified behavior for close with EINTR. > > Can we even make sure we act on the cancellation only if the descriptor > has been closed? If the descriptor has been closed, you *can't* act on cancellation. On Linux, SYS_close *never* returns to userspace without the fd having been closed. It can return EINTR, indicating that the fd has been closed but the underlying open file description (if this was the last reference to it) has not, but this EINTR is not POSIX conforming with the new changes to POSIX, and it was always inconsistent with the semantics implied by EINTR ("no nontrivial side effects have happened yet"). See https://sourceware.org/bugzilla/show_bug.cgi?id=14627 In any case, this is easy to deal with for cancellation, even if fixing the EINTR issue is controversial. If PC is before or at the syscall instruction, nothing has happened yet (fd is still open) and you can act on cancellation. If PC is after the syscall instruction, you can't act on it. This is actually the same as all other syscalls, in some sense, except that for (at least a few) other syscalls you want to also act on cancellation if EINTR is returned, because a few of them EINTR on receipt of any signal, including SA_RESTART ones like SIGCANCEL. Historically there were lots like this, but most of them were conformance bugs and fixed. I think select and/or poll is still like that intentionally, but I may be misremembering. Rich
On 02/09/2019 20:26, Rich Felker wrote: > If the descriptor has been closed, you *can't* act on cancellation. On > Linux, SYS_close *never* returns to userspace without the fd having > been closed. It can return EINTR, indicating that the fd has been > closed but the underlying open file description (if this was the last > reference to it) has not, but this EINTR is not POSIX conforming with > the new changes to POSIX, and it was always inconsistent with the > semantics implied by EINTR ("no nontrivial side effects have happened > yet"). See https://sourceware.org/bugzilla/show_bug.cgi?id=14627 So is it true even for newer version? I had the impression from the lwn article [1] that this is driver dependent and this behaviour will eventually be removed from kernel to not allow close to return EINTR. About BZ#14627, does it still make sense for *Linux* to map EINTR to EINPROGRESS? [1] https://lwn.net/Articles/576478/
On Tue, Sep 03, 2019 at 09:15:58AM -0300, Adhemerval Zanella wrote: > > > On 02/09/2019 20:26, Rich Felker wrote: > > If the descriptor has been closed, you *can't* act on cancellation. On > > Linux, SYS_close *never* returns to userspace without the fd having > > been closed. It can return EINTR, indicating that the fd has been > > closed but the underlying open file description (if this was the last > > reference to it) has not, but this EINTR is not POSIX conforming with > > the new changes to POSIX, and it was always inconsistent with the > > semantics implied by EINTR ("no nontrivial side effects have happened > > yet"). See https://sourceware.org/bugzilla/show_bug.cgi?id=14627 > > So is it true even for newer version? I had the impression from the lwn > article [1] that this is driver dependent and this behaviour will eventually > be removed from kernel to not allow close to return EINTR. > > About BZ#14627, does it still make sense for *Linux* to map EINTR to > EINPROGRESS? > > [1] https://lwn.net/Articles/576478/ The kernel folks are adamantly opposed to changing SYS_close to match the POSIX requirement here, which is the right thing to do but for the wrong reasons -- if it were changed, libc could not safely handle the situation because it couldn't know what meaning the kernel was assigning to EINTR. Hopefully they will just stop returning EINTR entirely. That would not break any of the behavior discussed above. Returning EINPROGRESS may be a problem though because applications may not know to expect it and may treat it as a hard error rather than a reasonable condition (discussed in https://sourceware.org/bugzilla/show_bug.cgi?id=14627). The ideal behavior is probably just returning 0. Rich
On 02/09/2019 09:51, Florian Weimer wrote: > * Adhemerval Zanella: > >> I think it is possible, but I see that enforcing it using the kernel >> facilities to avoid extra code in userspace is cleaner. > > Okay. > >>> Even if we undo the resource allocation before that? That is, check >>> that a cancellation has occurred on the system call return path, and if >>> it has, close the descriptor and start unwinding. >> >> What if the application requires extra steps for the case the syscall >> returns a side-effects? What about some specific syscalls, such as >> passing file descriptor using recvmsg? It would need the libc to map >> *all* possible side-effects for each syscall, determine which might >> leak side-effect and acts uppon then. What if the kernel, at some version, >> added another feature to share resources that might create side-effects? >> We will need to constantly map such cases, adding even more arch-specific >> glue code to handle it. >> >> I really think we should not go on this path. > > I agree now, given what we've got from the kernel. See my response to > Rich. > >>>> That's not the interpretation I see, the cancellation description for >>>> such cases is afaiu: >>>> >>>> "The side-effects of acting upon a cancellation request while suspended >>>> during a call of a function are the same as the side-effects that may be >>>> seen in a single-threaded program when a call to a function is interrupted >>>> by a signal and the given function returns [EINTR]" >>>> >>>> And on signal concepts: >>>> >>>> "[EINTR] >>>> Interrupted function call. An asynchronous signal was caught by the process >>>> during the execution of an interruptible function. If the signal handler >>>> performs a normal return, the interrupted function call may return this >>>> condition (see the Base Definitions volume of POSIX.1-2017, <signal.h>)." >>>> >>>> And my understanding is, since glibc implemented cancellation using signals >>>> and it requires to use SA_RESTART we can actually return to user if the >>>> syscall has side-effects visible to caller. >>> >>> The open function cannot allocate a new file descriptor and fail with >>> EINTR. So I don't see how this case applies here. Sorry. >> >> But that is *exactly* the point. The open *does not* fail, but >> cancellation acts *before* it can return to the callee. We can't >> really make it fail with EINTR and acts on the cancellation. The idea >> is "the interrupted function call may return this condition". > > My uneasiness stems from the fact that we're reading POSIX backwards, > i.e., our interpretation (necessarily, given the kernel interfaces) > behaves in a way that is obviously to complying with a direct reading of > POSIX (a to-be-canceled thread synchronizing with the canceling thread, > when the pthread_cancel call happened before the synchronization in > program order in the canceling thread), and we then proceed to find > reasons why this not totally broken. > > So, back to the start of the thread: Can we avoid the EPIPE error in an > other way? > > Can we remove this line? > > /* This will cause the write in the child to return. */ > close (fd[0]); > > Cancellation should still happen if the write is blocked, right? It's > not really clear to me what the intent of the test was. I think Rich has answered it better than me that using signals to implement thread cancellation is an implementation detail and POSIX allows us for this case to not act on some cancellation signals if it leads to visible side-effects that might lead to resource leakage. Said that, it would be possible to just remove the close call to avoid the EPIPE error on write. The cancellation should still happen because the write is called on a loop, so since it might return with a visible side-effect (partial write), it would be cancelled in the next write call due the thread being marked as cancelled. I really don't have a strong opinion which change is the better, my point is the current code is racy and it will start to fail more often once we fix BZ#12683.
diff --git a/nptl/tst-cancel2.c b/nptl/tst-cancel2.c index 1f0429d343..632ea4e0ae 100644 --- a/nptl/tst-cancel2.c +++ b/nptl/tst-cancel2.c @@ -20,6 +20,7 @@ #include <signal.h> #include <stdio.h> #include <unistd.h> +#include <errno.h> static int fd[2]; @@ -32,7 +33,14 @@ tf (void *arg) write blocks. */ char buf[100000]; - while (write (fd[1], buf, sizeof (buf)) > 0); + while (1) + { + /* Ignore EPIPE errors for case the SIGPIPE is handle before + SIGCANCEL. */ + ssize_t ret = write (fd[1], buf, sizeof (buf)); + if (ret == 0 || (ret == -1 && errno != EPIPE)) + break; + } return (void *) 42l; }