From patchwork Wed Sep 20 15:52:04 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Pluzhnikov X-Patchwork-Id: 22975 Received: (qmail 21842 invoked by alias); 20 Sep 2017 15:52:43 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 21815 invoked by uid 89); 20 Sep 2017 15:52:41 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-25.0 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM, RP_MATCHES_RCVD, SPF_PASS autolearn=ham version=3.3.2 spammy=4414 X-HELO: mail-ua0-f174.google.com X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7F5qkp17T7xW6R7KFLti0MWpFfAWgAsEUxM3cvPfeR8=; b=FGUx+lRcq//GqRUFqckPzHnaMy4Jm36b/H8yZ2H7E2oWCrcVmZVpJI7OFkRQ9b1zz9 NIO91+Lpmlr2Ve9lvX9YsMG6Px7JKL1TFa2ChjHAnj02ds1y4lhCcJVtMbVbszb6VZy1 uVqacBf2NYNRLaaAauINYcxUewT30Xq2xgltq2v6jLHVavMoDEhydxedjxQ3mH6/ubxQ vJVvUYX/o3da5jgSHi8Y3ujCwMR8T08spAe4VG4Dqz57S2xybkS6S2r548Ve8Qj0TTQ1 DJuh+jX675g3tozqV2aLkHRDiaqjTk1zno1MdkqjRS1Ctr/Do600/14bQfxIlWiFd/2I p5Mw== X-Gm-Message-State: AHPjjUhNC7rODAK9ZsMHHE4WHMhik5828xR3HefQXKa3x3X/7uD4kn7w ANKoEQaH/JtiqNpNJfD+xFhUoFEqiqzOyThxIPr23RA6 X-Google-Smtp-Source: AOwi7QDcuRyGcWpH4/A5UfYTmP6McLnp+Kg2aD9/tFo1LsQpqtbhKUUho1kJ56mPUHekmU1mHjoVpKn+NSUBOOo0yOw= X-Received: by 10.176.24.99 with SMTP id j35mr4934322uag.155.1505922755376; Wed, 20 Sep 2017 08:52:35 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <6f5edc0d-ede5-d9d3-4c26-3776fd5c41ff@redhat.com> References: <1500467179.27895.55.camel@redhat.com> <1500926864.30433.42.camel@redhat.com> <2d7b1ff8-a87e-657d-4047-57ea99d40918@redhat.com> <6f5edc0d-ede5-d9d3-4c26-3776fd5c41ff@redhat.com> From: Paul Pluzhnikov Date: Wed, 20 Sep 2017 08:52:04 -0700 Message-ID: Subject: Re: [patch] Fix for bz14333 -- race between atexit() and exit() To: "Carlos O'Donell" Cc: Torvald Riegel , Andreas Schwab , Joseph Myers , GLIBC Devel , Ricky Zhou On Tue, Sep 19, 2017 at 6:42 PM, Carlos O'Donell wrote: > On 09/19/2017 04:33 PM, Paul Pluzhnikov wrote: >> I'll add your test to the set of tests and send updated patch. > > My test has an implicit timing dependency. We wait 10 seconds to allow > the other thread to make progress against the exit() call, we should > change that to use another semaphore so it proceeds in a tick-tock > fashion without any timing requirement. I decided to keep the fix for this newly-discovered problem and the new test to a separate patch, which I'll mail after this one is committed. Attached is the current patch with comments updated per above discussion. Thanks, diff --git a/stdlib/Makefile b/stdlib/Makefile index 2da39e067c..2fb08342e0 100644 --- a/stdlib/Makefile +++ b/stdlib/Makefile @@ -81,7 +81,9 @@ tests := tst-strtol tst-strtod testmb testrand testsort testdiv \ tst-quick_exit tst-thread-quick_exit tst-width \ tst-width-stdint tst-strfrom tst-strfrom-locale \ tst-getrandom tst-atexit tst-at_quick_exit \ - tst-cxa_atexit tst-on_exit + tst-cxa_atexit tst-on_exit test-atexit-race \ + test-at_quick_exit-race test-cxa_atexit-race \ + test-on_exit-race tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ tst-tls-atexit tst-tls-atexit-nodelete @@ -91,6 +93,11 @@ ifeq ($(build-hardcoded-path-in-tests),yes) tests += tst-empty-env endif +LDLIBS-test-atexit-race = $(shared-thread-library) +LDLIBS-test-at_quick_exit-race = $(shared-thread-library) +LDLIBS-test-cxa_atexit-race = $(shared-thread-library) +LDLIBS-test-on_exit-race = $(shared-thread-library) + ifeq ($(have-cxx-thread_local),yes) CFLAGS-tst-quick_exit.o = -std=c++11 LDLIBS-tst-quick_exit = -lstdc++ diff --git a/stdlib/cxa_atexit.c b/stdlib/cxa_atexit.c index ce5d9f22b4..beb31691d5 100644 --- a/stdlib/cxa_atexit.c +++ b/stdlib/cxa_atexit.c @@ -21,21 +21,29 @@ #include #include "exit.h" -#include #include #undef __cxa_atexit +/* See concurrency notes in stdlib/exit.h where this lock is declared. */ +__libc_lock_define_initialized (, __exit_funcs_lock) + int attribute_hidden __internal_atexit (void (*func) (void *), void *arg, void *d, struct exit_function_list **listp) { - struct exit_function *new = __new_exitfn (listp); + struct exit_function *new; + + __libc_lock_lock (__exit_funcs_lock); + new = __new_exitfn (listp); if (new == NULL) - return -1; + { + __libc_lock_unlock (__exit_funcs_lock); + return -1; + } #ifdef PTR_MANGLE PTR_MANGLE (func); @@ -43,8 +51,8 @@ __internal_atexit (void (*func) (void *), void *arg, void *d, new->func.cxa.fn = (void (*) (void *, int)) func; new->func.cxa.arg = arg; new->func.cxa.dso_handle = d; - atomic_write_barrier (); new->flavor = ef_cxa; + __libc_lock_unlock (__exit_funcs_lock); return 0; } @@ -60,14 +68,11 @@ __cxa_atexit (void (*func) (void *), void *arg, void *d) libc_hidden_def (__cxa_atexit) -/* We change global data, so we need locking. */ -__libc_lock_define_initialized (static, lock) - - static struct exit_function_list initial; struct exit_function_list *__exit_funcs = &initial; uint64_t __new_exitfn_called; +/* Must be called with __exit_funcs_lock held. */ struct exit_function * __new_exitfn (struct exit_function_list **listp) { @@ -76,7 +81,10 @@ __new_exitfn (struct exit_function_list **listp) struct exit_function *r = NULL; size_t i = 0; - __libc_lock_lock (lock); + if (__exit_funcs_done) + /* Exit code is finished processing all registered exit functions, + therefore we fail this registration. */ + return NULL; for (l = *listp; l != NULL; p = l, l = l->next) { @@ -127,7 +135,5 @@ __new_exitfn (struct exit_function_list **listp) ++__new_exitfn_called; } - __libc_lock_unlock (lock); - return r; } diff --git a/stdlib/cxa_finalize.c b/stdlib/cxa_finalize.c index aa0a70cb58..23fc6dcafb 100644 --- a/stdlib/cxa_finalize.c +++ b/stdlib/cxa_finalize.c @@ -17,7 +17,6 @@ #include #include -#include #include "exit.h" #include #include @@ -31,36 +30,64 @@ __cxa_finalize (void *d) { struct exit_function_list *funcs; + __libc_lock_lock (__exit_funcs_lock); + restart: for (funcs = __exit_funcs; funcs; funcs = funcs->next) { struct exit_function *f; for (f = &funcs->fns[funcs->idx - 1]; f >= &funcs->fns[0]; --f) - { - void (*cxafn) (void *arg, int status); - void *cxaarg; + if ((d == NULL || d == f->func.cxa.dso_handle) && f->flavor == ef_cxa) + { + const uint64_t check = __new_exitfn_called; + void (*cxafn) (void *arg, int status) = f->func.cxa.fn; + void *cxaarg = f->func.cxa.arg; + + /* We don't want to run this cleanup more than once. The Itanium + C++ ABI requires that multiple calls to __cxa_finalize not + result in calling termination functions more than once. One + potential scenario where that could happen is with a concurrent + dlclose and exit, where the running dlclose must at some point + release the list lock, an exiting thread may acquire it, and + without setting flavor to ef_free, might re-run this destructor + which could result in undefined behaviour. Therefore we must + set flavor to ef_free to avoid calling this destructor again. + Note that the concurrent exit must also take the dynamic loader + lock (for library finalizer processing) and therefore will + block while dlclose completes the processing of any in-progress + exit functions. Lastly, once we release the list lock for the + entry marked ef_free, we must not read from that entry again + since it may have been reused by the time we take the list lock + again. Lastly the detection of new registered exit functions is + based on a monotonically incrementing counter, and there is an + ABA if between the unlock to run the exit function and the + re-lock after completion the user registers 2^64 exit functions, + the implementation will not detect this and continue without + executing any more functions. - if ((d == NULL || d == f->func.cxa.dso_handle) - /* We don't want to run this cleanup more than once. */ - && (cxafn = f->func.cxa.fn, - cxaarg = f->func.cxa.arg, - ! catomic_compare_and_exchange_bool_acq (&f->flavor, ef_free, - ef_cxa))) - { - uint64_t check = __new_exitfn_called; + One minor issue remains: A registered exit function that is in + progress by a call to dlclose() may not completely finish before + the next registered exit function is run. This may, according to + some readings of POSIX violate the requirement that functions + run in effective LIFO order. This should probably be fixed in a + future implementation to ensure the functions do not run in + parallel. */ + f->flavor = ef_free; #ifdef PTR_DEMANGLE - PTR_DEMANGLE (cxafn); + PTR_DEMANGLE (cxafn); #endif - cxafn (cxaarg, 0); + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); + cxafn (cxaarg, 0); + __libc_lock_lock (__exit_funcs_lock); - /* It is possible that that last exit function registered - more exit functions. Start the loop over. */ - if (__glibc_unlikely (check != __new_exitfn_called)) - goto restart; - } - } + /* It is possible that that last exit function registered + more exit functions. Start the loop over. */ + if (__glibc_unlikely (check != __new_exitfn_called)) + goto restart; + } } /* Also remove the quick_exit handlers, but do not call them. */ @@ -79,4 +106,5 @@ __cxa_finalize (void *d) if (d != NULL) UNREGISTER_ATFORK (d); #endif + __libc_lock_unlock (__exit_funcs_lock); } diff --git a/stdlib/exit.c b/stdlib/exit.c index c0b6d666c7..b74f1825f0 100644 --- a/stdlib/exit.c +++ b/stdlib/exit.c @@ -19,11 +19,16 @@ #include #include #include +#include #include "exit.h" #include "set-hooks.h" DEFINE_HOOK (__libc_atexit, (void)) +/* Initialize the flag that indicates exit function processing + is complete. See concurrency notes in stdlib/exit.h where + __exit_funcs_lock is declared. */ +bool __exit_funcs_done = false; /* Call all functions registered with `atexit' and `on_exit', in the reverse of the order in which they were registered @@ -44,14 +49,32 @@ __run_exit_handlers (int status, struct exit_function_list **listp, the functions registered with `atexit' and `on_exit'. We call everyone on the list and use the status value in the last exit (). */ - while (*listp != NULL) + while (true) { - struct exit_function_list *cur = *listp; + struct exit_function_list *cur; + + __libc_lock_lock (__exit_funcs_lock); + + restart: + cur = *listp; + + if (cur == NULL) + { + /* Exit processing complete. We will not allow any more + atexit/on_exit registrations. */ + __exit_funcs_done = true; + __libc_lock_unlock (__exit_funcs_lock); + break; + } while (cur->idx > 0) { const struct exit_function *const f = &cur->fns[--cur->idx]; + const uint64_t new_exitfn_called = __new_exitfn_called; + + /* Unlock the list while we call a foreign function. */ + __libc_lock_unlock (__exit_funcs_lock); switch (f->flavor) { void (*atfct) (void); @@ -83,6 +106,13 @@ __run_exit_handlers (int status, struct exit_function_list **listp, cxafct (f->func.cxa.arg, status); break; } + /* Re-lock again before looking at global state. */ + __libc_lock_lock (__exit_funcs_lock); + + if (__glibc_unlikely (new_exitfn_called != __new_exitfn_called)) + /* The last exit function, or another thread, has registered + more exit functions. Start the loop over. */ + goto restart; } *listp = cur->next; @@ -90,6 +120,8 @@ __run_exit_handlers (int status, struct exit_function_list **listp, /* Don't free the last element in the chain, this is the statically allocate element. */ free (cur); + + __libc_lock_unlock (__exit_funcs_lock); } if (run_list_atexit) diff --git a/stdlib/exit.h b/stdlib/exit.h index 7f2e679246..dbf9f2d01f 100644 --- a/stdlib/exit.h +++ b/stdlib/exit.h @@ -20,6 +20,7 @@ #include #include +#include enum { @@ -57,11 +58,27 @@ struct exit_function_list size_t idx; struct exit_function fns[32]; }; + extern struct exit_function_list *__exit_funcs attribute_hidden; extern struct exit_function_list *__quick_exit_funcs attribute_hidden; +extern uint64_t __new_exitfn_called attribute_hidden; + +/* True once all registered atexit/at_quick_exit/onexit handlers have been + called */ +extern bool __exit_funcs_done attribute_hidden; + +/* This lock protects __exit_funcs, __quick_exit_funcs, __exit_funcs_done + and __new_exitfn_called globals against simultaneous access from + atexit/on_exit/at_quick_exit in multiple threads, and also from + simultaneous access while another thread is in the middle of calling + exit handlers. See BZ#14333. Note: for lists, the entire list, and + each associated entry in the list, is protected for all access by this + lock. */ +__libc_lock_define (extern, __exit_funcs_lock); + extern struct exit_function *__new_exitfn (struct exit_function_list **listp); -extern uint64_t __new_exitfn_called attribute_hidden; + extern void __run_exit_handlers (int status, struct exit_function_list **listp, diff --git a/stdlib/on_exit.c b/stdlib/on_exit.c index 83845e76d8..f4ede2b1a7 100644 --- a/stdlib/on_exit.c +++ b/stdlib/on_exit.c @@ -17,25 +17,30 @@ #include #include "exit.h" -#include #include /* Register a function to be called by exit. */ int __on_exit (void (*func) (int status, void *arg), void *arg) { - struct exit_function *new = __new_exitfn (&__exit_funcs); + struct exit_function *new; + + __libc_lock_lock (__exit_funcs_lock); + new = __new_exitfn (&__exit_funcs); if (new == NULL) - return -1; + { + __libc_lock_unlock (__exit_funcs_lock); + return -1; + } #ifdef PTR_MANGLE PTR_MANGLE (func); #endif new->func.on.fn = func; new->func.on.arg = arg; - atomic_write_barrier (); new->flavor = ef_on; + __libc_lock_unlock (__exit_funcs_lock); return 0; } weak_alias (__on_exit, on_exit) diff --git a/stdlib/test-at_quick_exit-race.c b/stdlib/test-at_quick_exit-race.c new file mode 100644 index 0000000000..f93fb852a2 --- /dev/null +++ b/stdlib/test-at_quick_exit-race.c @@ -0,0 +1,32 @@ +/* Bug 14333: a test for at_quick_exit/quick_exit race. + + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This file must be run from within a directory called "stdlib". */ + +/* See stdlib/test-atexit-race-common.c for details on this test. */ + +#define CALL_ATEXIT at_quick_exit (&no_op) +#define CALL_EXIT quick_exit (0) + +static void +no_op (void) +{ +} + +#include diff --git a/stdlib/test-atexit-race-common.c b/stdlib/test-atexit-race-common.c new file mode 100644 index 0000000000..365c9d9c5a --- /dev/null +++ b/stdlib/test-atexit-race-common.c @@ -0,0 +1,70 @@ +/* Bug 14333: Support file for atexit/exit, etc. race tests. + + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This file must be run from within a directory called "stdlib". */ + +/* The atexit/exit, at_quick_exit/quick_exit, __cxa_atexit/exit, etc. + exhibited data race while accessing destructor function list (Bug 14333). + + This test spawns large number of threads, which all race to register + large number of destructors. + + Before the fix, running this test resulted in a SIGSEGV. + After the fix, we expect clean process termination. */ + +#if !defined(CALL_EXIT) || !defined(CALL_ATEXIT) +#error Must define CALL_EXIT and CALL_ATEXIT before using this file. +#endif + +#include +#include +#include + +const size_t kNumThreads = 1024; +const size_t kNumHandlers = 1024; + +static void * +threadfunc (void *unused) +{ + size_t i; + for (i = 0; i < kNumHandlers; ++i) { + CALL_ATEXIT; + } + return NULL; +} + +static int +do_test (void) +{ + size_t i; + pthread_attr_t attr; + + xpthread_attr_init (&attr); + xpthread_attr_setdetachstate (&attr, 1); + + for (i = 0; i < kNumThreads; ++i) { + xpthread_create (&attr, threadfunc, NULL); + } + xpthread_attr_destroy (&attr); + + CALL_EXIT; +} + +#define TEST_FUNCTION do_test +#include diff --git a/stdlib/test-atexit-race.c b/stdlib/test-atexit-race.c new file mode 100644 index 0000000000..a4df532ce5 --- /dev/null +++ b/stdlib/test-atexit-race.c @@ -0,0 +1,32 @@ +/* Bug 14333: a test for atexit/exit race. + + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This file must be run from within a directory called "stdlib". */ + +/* See stdlib/test-atexit-race-common.c for details on this test. */ + +#define CALL_ATEXIT atexit (&no_op) +#define CALL_EXIT exit (0) + +static void +no_op (void) +{ +} + +#include diff --git a/stdlib/test-cxa_atexit-race.c b/stdlib/test-cxa_atexit-race.c new file mode 100644 index 0000000000..670f67538e --- /dev/null +++ b/stdlib/test-cxa_atexit-race.c @@ -0,0 +1,36 @@ +/* Bug 14333: a test for __cxa_atexit/exit race. + + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This file must be run from within a directory called "stdlib". */ + +/* See stdlib/test-atexit-race-common.c for details on this test. */ + +#include + +#define CALL_ATEXIT __cxa_atexit (&no_op, NULL, NULL) +#define CALL_EXIT exit (0) + +int __cxa_atexit (void (*func) (void *), void *arg, void *d); + +static void +no_op (void *ignored) +{ +} + +#include diff --git a/stdlib/test-on_exit-race.c b/stdlib/test-on_exit-race.c new file mode 100644 index 0000000000..fce0fa7492 --- /dev/null +++ b/stdlib/test-on_exit-race.c @@ -0,0 +1,32 @@ +/* Bug 14333: a test for on_exit/exit race. + + Copyright (C) 2017 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This file must be run from within a directory called "stdlib". */ + +/* See stdlib/test-atexit-race-common.c for details on this test. */ + +#define CALL_ATEXIT on_exit (&no_op, (void *) 0) +#define CALL_EXIT exit (0) + +static void +no_op (int exit_code, void *ignored) +{ +} + +#include