about summary refs log tree commit diff
path: root/src/thread
Commit message (Collapse)AuthorAgeFilesLines
* further debloat cancellation handlersRich Felker2011-08-034-17/+30
| | | | | | | cleanup push and pop are also no-ops if pthread_exit is not reachable. this can make a big difference for library code which needs to protect itself against cancellation, but which is unlikely to actually be used in programs with threads/cancellation.
* missed detail in cancellation bloat fixRich Felker2011-08-031-1/+1
|
* fix static linking dependency bloat with cancellationRich Felker2011-08-035-14/+21
| | | | | | | previously, pthread_cleanup_push/pop were pulling in all of pthread_create due to dependency on the __pthread_unwind_next function. this was not needed, as cancellation cleanup handlers can never be called unless pthread_exit or pthread_cancel is reachable.
* overhaul rwlocks to address several issuesRich Felker2011-08-037-56/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | like mutexes and semaphores, rwlocks suffered from a race condition where the unlock operation could access the lock memory after another thread successfully obtained the lock (and possibly destroyed or unmapped the object). this has been fixed in the same way it was fixed for other lock types. in addition, the previous implementation favored writers over readers. in the absence of other considerations, that is the best behavior for rwlocks, and posix explicitly allows it. however posix also requires read locks to be recursive. if writers are favored, any attempt to obtain a read lock while a writer is waiting for the lock will fail, causing "recursive" read locks to deadlock. this can be avoided by keeping track of which threads already hold read locks, but doing so requires unbounded memory usage, and there must be a fallback case that favors readers in case memory allocation failed. and all of this must be synchronized. the cost, complexity, and risk of errors in getting it right is too great, so we simply favor readers. tracking of the owner of write locks has been removed, as it was not useful for anything. it could allow deadlock detection, but it's not clear to me that returning EDEADLK (which a buggy program is likely to ignore) is better than deadlocking; at least the latter behavior prevents further data corruption. a correct program cannot invoke this situation anyway. the reader count and write lock state, as well as the "last minute" waiter flag have all been combined into a single atomic lock. this means all state transitions for the lock are atomic compare-and-swap operations. this makes establishing correctness much easier and may improve performance. finally, some code duplication has been cleaned up. more is called for, especially the standard __timedwait idiom repeated in all locks.
* timedwait: play it safe for nowRich Felker2011-08-031-1/+1
| | | | | it's unclear whether EINVAL or ENOSYS is used when the operation is not supported, so check for both...
* correctly handle old kernels without FUTEX_WAIT_BITSETRich Felker2011-08-021-1/+1
| | | | | | | | futex returns EINVAL, not ENOSYS, when op is not supported. unfortunately this looks just like EINVAL from other causes, and we end up running the fallback code and getting EINVAL again. fortunately this case should be rare since correct code should not generate EINVAL anyway.
* fix sem_timedwait bug introduced in timedwait unificationRich Felker2011-08-021-0/+1
| | | | | this dec used to be performed by the cancellation handler, which was called when popped.
* unify and overhaul timed futex waitsRich Felker2011-08-028-51/+52
| | | | | | | | | | | | | | new features: - FUTEX_WAIT_BITSET op will be used for timed waits if available. this saves a call to clock_gettime. - error checking for the timespec struct is now inside __timedwait so it doesn't need to be duplicated everywhere. cond_timedwait still needs to duplicate it to avoid unlocking the mutex, though. - pushing and popping the cancellation handler is delegated to __timedwait, and cancellable/non-cancellable waits are unified.
* avoid accessing mutex memory after atomic unlockRich Felker2011-08-024-34/+31
| | | | | | | this change is needed to fix a race condition and ensure that it's possible to unlock and destroy or unmap the mutex as soon as pthread_mutex_lock succeeds. POSIX explicitly gives such an example in the rationale and requires an implementation to allow such usage.
* fix breakage in cancellation due to signal functions overhaulRich Felker2011-08-021-1/+7
| | | | sigaddset was not accepting SIGCANCEL as a valid signal number.
* overhaul posix semaphores to fix destructability raceRich Felker2011-08-023-27/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the race condition these changes address is described in glibc bug report number 12674: http://sourceware.org/bugzilla/show_bug.cgi?id=12674 up until now, musl has shared the bug, and i had not been able to figure out how to eliminate it. in short, the problem is that it's not valid for sem_post to inspect the waiters count after incrementing the semaphore value, because another thread may have already successfully returned from sem_wait, (rightly) deemed itself the only remaining user of the semaphore, and chosen to destroy and free it (or unmap the shared memory it's stored in). POSIX is not explicit in blessing this usage, but it gives a very explicit analogous example with mutexes (which, in musl and glibc, also suffer from the same race condition bug) in the rationale for pthread_mutex_destroy. the new semaphore implementation augments the waiter count with a redundant waiter indication in the semaphore value itself, representing the presence of "last minute" waiters that may have arrived after sem_post read the waiter count. this allows sem_post to read the waiter count prior to incrementing the semaphore value, rather than after incrementing it, so as to avoid accessing the semaphore memory whatsoever after the increment takes place. a similar, but much simpler, fix should be possible for mutexes and other locking primitives whose usage rules are stricter than semaphores.
* clean up pthread_sigmask/sigprocmask dependency orderRich Felker2011-07-301-3/+3
| | | | | | it's nicer for the function that doesn't use errno to be independent, and have the other one call it. saves some time and avoids clobbering errno.
* add proper fuxed-based locking for stdioRich Felker2011-07-303-1/+19
| | | | | | | | | | | | | | | | | | | | | | previously, stdio used spinlocks, which would be unacceptable if we ever add support for thread priorities, and which yielded pathologically bad performance if an application attempted to use flockfile on a key file as a major/primary locking mechanism. i had held off on making this change for fear that it would hurt performance in the non-threaded case, but actually support for recursive locking had already inflicted that cost. by having the internal locking functions store a flag indicating whether they need to perform unlocking, rather than using the actual recursive lock counter, i was able to combine the conditionals at unlock time, eliminating any additional cost, and also avoid a nasty corner case where a huge number of calls to ftrylockfile could cause deadlock later at the point of internal locking. this commit also fixes some issues with usage of pthread_self conflicting with __attribute__((const)) which resulted in crashes with some compiler versions/optimizations, mainly in flockfile prior to pthread_create.
* fix bug in synccall with no threads: lock was taken but never releasedRich Felker2011-07-301-4/+4
|
* new attempt at making set*id() safe and robustRich Felker2011-07-293-118/+113
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | changing credentials in a multi-threaded program is extremely difficult on linux because it requires synchronizing the change between all threads, which have their own thread-local credentials on the kernel side. this is further complicated by the fact that changing the real uid can fail due to exceeding RLIMIT_NPROC, making it possible that the syscall will succeed in some threads but fail in others. the old __rsyscall approach being replaced was robust in that it would report failure if any one thread failed, but in this case, the program would be left in an inconsistent state where individual threads might have different uid. (this was not as bad as glibc, which would sometimes even fail to report the failure entirely!) the new approach being committed refuses to change real user id when it cannot temporarily set the rlimit to infinity. this is completely POSIX conformant since POSIX does not require an implementation to allow real-user-id changes for non-privileged processes whatsoever. still, setting the real uid can fail due to memory allocation in the kernel, but this can only happen if there is not already a cached object for the target user. thus, we forcibly serialize the syscalls attempts, and fail the entire operation on the first failure. this *should* lead to an all-or-nothing success/failure result, but it's still fragile and highly dependent on kernel developers not breaking things worse than they're already broken. ideally linux will eventually add a CLONE_USERCRED flag that would give POSIX conformant credential changes without any hacks from userspace, and all of this code would become redundant and could be removed ~10 years down the line when everyone has abandoned the old broken kernels. i'm not holding my breath...
* fix useless use of potentially-uninitialized mode variable in sem_openRich Felker2011-06-261-1/+1
|
* restore use of .type in asm, but use modern @function (vs %function)Rich Felker2011-06-1410-0/+11
| | | | | | | | this seems to be necessary to make the linker accept the functions in a shared library (perhaps to generate PLT entries?) strictly speaking libc-internal asm should not need it. i might clean that up later.
* fix race condition in pthread_killRich Felker2011-06-142-1/+7
| | | | | | | | | | | | | | if thread id was reused by the kernel between the time pthread_kill read it from the userspace pthread_t object and the time of the tgkill syscall, a signal could be sent to the wrong thread. the tgkill syscall was supposed to prevent this race (versus the old tkill syscall) but it can't; it can only help in the case where the tid is reused in a different process, but not when the tid is reused in the same process. the only solution i can see is an extra lock to prevent threads from exiting while another thread is trying to pthread_kill them. it should be very very cheap in the non-contended case.
* run dtors before taking the exit-lock in pthread exitRich Felker2011-06-141-2/+2
| | | | previously a long-running dtor could cause pthread_detach to block.
* minor locking optimizationsRich Felker2011-06-142-2/+2
|
* remove all .size and .type directives for functions from the asmRich Felker2011-06-1310-18/+0
| | | | | these are useless and have caused problems for users trying to build with non-gnu tools like tcc's assembler.
* implement pthread_[sg]etconcurrency.Rich Felker2011-05-302-0/+15
| | | | | | there is a resource limit of 0 bits to store the concurrency level requested. thus any positive level exceeds a resource limit, resulting in EAGAIN. :-)
* optimize out useless default-attribute object in pthread_createRich Felker2011-05-071-7/+7
|
* optimize compound-literal sigset_t's not to contain useless hurd bitsRich Felker2011-05-071-2/+2
|
* overhaul implementation-internal signal protectionsRich Felker2011-05-072-15/+6
| | | | | | | | | | | | | | | | | | | the new approach relies on the fact that the only ways to create sigset_t objects without invoking UB are to use the sig*set() functions, or from the masks returned by sigprocmask, sigaction, etc. or in the ucontext_t argument to a signal handler. thus, as long as sigfillset and sigaddset avoid adding the "protected" signals, there is no way the application will ever obtain a sigset_t including these bits, and thus no need to add the overhead of checking/clearing them when sigprocmask or sigaction is called. note that the old code actually *failed* to remove the bits from sa_mask when sigaction was called. the new implementations are also significantly smaller, simpler, and faster due to ignoring the useless "GNU HURD signals" 65-1024, which are not used and, if there's any sanity in the world, never will be used.
* reduce some ridiculously large spin countsRich Felker2011-05-061-1/+1
| | | | | | these should be tweaked according to testing. offhand i know 1000 is too low and 5000 is likely to be sufficiently high. consider trying to add futexes to file locking, too...
* remove debug code that was missed in barrier commitRich Felker2011-05-061-1/+0
|
* completely new barrier implementation, addressing major correctness issuesRich Felker2011-05-061-16/+44
| | | | | | | | | | | | | | | | | | | | the previous implementation had at least 2 problems: 1. the case where additional threads reached the barrier before the first wave was finished leaving the barrier was untested and seemed not to be working. 2. threads leaving the barrier continued to access memory within the barrier object after other threads had successfully returned from pthread_barrier_wait. this could lead to memory corruption or crashes if the barrier object had automatic storage in one of the waiting threads and went out of scope before all threads finished returning, or if one thread unmapped the memory in which the barrier object lived. the new implementation avoids both problems by making the barrier state essentially local to the first thread which enters the barrier wait, and forces that thread to be the last to return.
* fix initial stack alignment in new threads on x86_64Rich Felker2011-04-221-1/+1
|
* fix minor bugs due to incorrect threaded-predicate semanticsRich Felker2011-04-202-5/+3
| | | | | | | | | | | | some functions that should have been testing whether pthread_self() had been called and initialized the thread pointer were instead testing whether pthread_create() had been called and actually made the program "threaded". while it's unlikely any mismatch would occur in real-world problems, this could have introduced subtle bugs. now, we store the address of the main thread's thread descriptor in the libc structure and use its presence as a flag that the thread register is initialized. note that after fork, the calling thread (not necessarily the original main thread) is the new main thread.
* move some more code out of pthread_create.cRich Felker2011-04-192-7/+4
| | | | this also de-uglifies the dummy function aliasing a bit.
* fix uninitialized waiters field in semaphoresRich Felker2011-04-191-0/+1
|
* recheck cancellation disabled flag after syscall returns EINTRRich Felker2011-04-181-1/+1
| | | | | | | we already checked before making the syscall, but it's possible that a signal handler interrupted the blocking syscall and disabled cancellation, and that this is the cause of EINTR. in this case, the old behavior was testably wrong.
* fix typo in x86_64 cancellable syscall asmRich Felker2011-04-171-1/+1
|
* pthread_exit is not supposed to affect cancellabilityRich Felker2011-04-171-2/+0
| | | | | if the exit was caused by cancellation, __cancel has already set these flags anyway.
* fix pthread_exit from cancellation handlerRich Felker2011-04-171-5/+5
| | | | | cancellation frames were not correctly popped, so this usage would not only loop, but also reuse discarded and invalid parts of the stack.
* clean up handling of thread/nothread mode, lockingRich Felker2011-04-173-16/+10
|
* debloat: use __syscall instead of syscall where possibleRich Felker2011-04-172-2/+2
| | | | | | don't waste time (and significant code size due to function call overhead!) setting errno when the result of a syscall does not matter or when it can't fail.
* fix bugs in cancellable syscall asmRich Felker2011-04-173-11/+12
| | | | | | | | | | | | | | | | x86_64 was just plain wrong in the cancel-flag-already-set path, and crashing. the more subtle error was not clearing the saved stack pointer before returning to c code. this could result in the signal handler misidentifying c code as the pre-syscall part of the asm, and acting on cancellation at the wrong time, and thus resource leak race conditions. also, now __cancel (in the c code) is responsible for clearing the saved sp in the already-cancelled branch. this means we have to use call rather than jmp to ensure the stack pointer in the c will never match what the asm saved.
* optimize cancellation enable/disable codeRich Felker2011-04-173-4/+10
| | | | | | | | | | | | | | | | | | the goal is to be able to use pthread_setcancelstate internally in the implementation, whenever a function might want to use functions which are cancellation points but avoid becoming a cancellation point itself. i could have just used a separate internal function for temporarily inhibiting cancellation, but the solution in this commit is better because (1) it's one less implementation-specific detail in functions that need to use it, and (2) application code can also get the same benefit. previously, pthread_setcancelstate dependend on pthread_self, which would pull in unwanted thread setup overhead for non-threaded programs. now, it temporarily stores the state in the global libc struct if threads have not been initialized, and later moves it if needed. this way we can instead use __pthread_self, which has no dependencies and assumes that the thread register is already valid.
* don't use pthread_once when there is no danger in raceRich Felker2011-04-171-2/+5
|
* fix some minor issues in cancellation handling patchRich Felker2011-04-173-11/+19
| | | | | signals were wrongly left masked, and cancellability state was not switched to disabled, during the execution of cleanup handlers.
* overhaul pthread cancellationRich Felker2011-04-1713-59/+182
| | | | | | | | | | | | | | | | | | | | | | this patch improves the correctness, simplicity, and size of cancellation-related code. modulo any small errors, it should now be completely conformant, safe, and resource-leak free. the notion of entering and exiting cancellation-point context has been completely eliminated and replaced with alternative syscall assembly code for cancellable syscalls. the assembly is responsible for setting up execution context information (stack pointer and address of the syscall instruction) which the cancellation signal handler can use to determine whether the interrupted code was in a cancellable state. these changes eliminate race conditions in the previous generation of cancellation handling code (whereby a cancellation request received just prior to the syscall would not be processed, leaving the syscall to block, potentially indefinitely), and remedy an issue where non-cancellable syscalls made from signal handlers became cancellable if the signal handler interrupted a cancellation point. x86_64 asm is untested and may need a second try to get it right.
* change sem_trywait algorithm so it never has to call __wakeRich Felker2011-04-141-3/+2
|
* cheap trick to further optimize locking normal mutexesRich Felker2011-04-142-2/+2
|
* use a separate signal from SIGCANCEL for SIGEV_THREAD timersRich Felker2011-04-141-2/+0
| | | | | | otherwise we cannot support an application's desire to use asynchronous cancellation within the callback function. this change also slightly debloats pthread_create.c.
* simplify cancellation point handlingRich Felker2011-04-132-16/+5
| | | | | | we take advantage of the fact that unless self->cancelpt is 1, cancellation cannot happen. so just increment it by 2 to temporarily block cancellation. this drops pthread_create.o well under 1k.
* fixed crash in new rsyscall (failure to set sa_flags for signal handler)Rich Felker2011-04-061-0/+2
|
* consistency: change all remaining syscalls to use SYS_ rather than __NR_ prefixRich Felker2011-04-067-8/+8
|
* move rsyscall out of pthread_create moduleRich Felker2011-04-062-96/+122
| | | | | | | | | | | | | | this is something of a tradeoff, as now set*id() functions, rather than pthread_create, are what pull in the code overhead for dealing with linux's refusal to implement proper POSIX thread-vs-process semantics. my motivations are: 1. it's cleaner this way, especially cleaner to optimize out the rsyscall locking overhead from pthread_create when it's not needed. 2. it's expected that only a tiny number of core system programs will ever use set*id() functions, whereas many programs may want to use threads, and making thread overhead tiny is an incentive for "light" programs to try threads.