summaryrefslogtreecommitdiff
path: root/src/thread
AgeCommit message (Collapse)AuthorLines
2011-09-26another cond var fix: requeue count race conditionRich Felker-15/+13
lock out new waiters during the broadcast. otherwise the wait count added to the mutex might be lower than the actual number of waiters moved, and wakeups may be lost. this issue could also be solved by temporarily setting the mutex waiter count higher than any possible real count, then relying on the kernel to tell us how many waiters were requeued, and updating the counts afterwards. however the logic is more complex, and i don't really trust the kernel. the solution here is also nice in that it replaces some atomic cas loops with simple non-atomic ops under lock.
2011-09-26fix lost signals in cond varsRich Felker-14/+16
due to moving waiters from the cond var to the mutex in bcast, these waiters upon wakeup would steal slots in the count from newer waiters that had not yet been signaled, preventing the signal function from taking any action. to solve the problem, we simply use two separate waiter counts, and so that the original "total" waiters count is undisturbed by broadcast and still available for signal.
2011-09-26redo cond vars again, use sequence numbersRich Felker-45/+49
testing revealed that the old implementation, while correct, was giving way too many spurious wakeups due to races changing the value of the condition futex. in a test program with 5 threads receiving broadcast signals, the number of returns from pthread_cond_wait was roughly 3 times what it should have been (2 spurious wakeups for every legitimate wakeup). moreover, the magnitude of this effect seems to grow with the number of threads. the old implementation may also have had some nasty race conditions with reuse of the cond var with a new mutex. the new implementation is based on incrementing a sequence number with each signal event. this sequence number has nothing to do with the number of threads intended to be woken; it's only used to provide a value for the futex wait to avoid deadlock. in theory there is a danger of race conditions due to the value wrapping around after 2^32 signals. it would be nice to eliminate that, if there's a way. testing showed no spurious wakeups (though they are of course possible) with the new implementation, as well as slightly improved performance.
2011-09-25revert previous change in cond var waiter moveRich Felker-2/+6
using swap has a race condition: the waiters must be added to the mutex waiter count *before* they are taken off the cond var waiter count, or wake events can be lost.
2011-09-25optimize cond waiter move using atomic swap instead of cas loopRich Felker-6/+2
2011-09-25fix logic for when wakeup is not desired on cond bcastRich Felker-3/+4
somehow i forgot that normal-type mutexes don't store the owner tid.
2011-09-25new futex-requeue-based pthread_cond_broadcast implementationRich Felker-4/+63
this avoids the "stampede effect" where pthread_cond_broadcast would result in all waiters waking up simultaneously, only to immediately contend for the mutex and go back to sleep.
2011-09-23fix ABA race in cond vars, improve them overallRich Felker-11/+12
previously, a waiter could miss the 1->0 transition of block if another thread set block to 1 again after the signal function set block to 0. we now use the caller's thread id as a unique token to store in block, which no other thread will ever write there. this ensures that if block still contains the tid, no signal has occurred. spurious wakeups will of course occur whenever there is a spurious return from the futex wait and another thread has begun waiting on the cond var. this should be a rare occurrence except perhaps in the presence of interrupting signal handlers. signal/bcast operations have been improved by noting that they need not avoid inspecting the cond var's memory after changing the futex value. because the standard allows spurious wakeups, there is no way for an application to distinguish between a spurious wakeup just before another thread called signal/bcast, and the deliberate wakeup resulting from the signal/bcast call. thus the woken thread must assume that the signalling thread may still be waiting to act on the cond var, and therefore it cannot destroy/unmap the cond var.
2011-09-22fix deadlock in condition wait whenever there are multiple waitersRich Felker-5/+17
it's amazing none of the conformance tests i've run even bothered to check whether something so basic works...
2011-09-18initial commit of the arm portRich Felker-0/+78
this port assumes eabi calling conventions, eabi linux syscall convention, and presence of the kernel helpers at 0xffff0f?0 needed for threads support. otherwise it makes very few assumptions, and the code should work even on armv4 without thumb support, as well as on systems with thumb interworking. the bits headers declare this a little endian system, but as far as i can tell the code should work equally well on big endian. some small details are probably broken; so far, testing has been limited to qemu/aboriginal linux.
2011-09-18overhaul clone syscall wrappingRich Felker-60/+107
several things are changed. first, i have removed the old __uniclone function signature and replaced it with the "standard" linux __clone/clone signature. this was necessary to expose clone to applications anyway, and it makes it easier to port __clone to new archs, since it's now testable independently of pthread_create. secondly, i have removed all references to the ugly ldt descriptor structure (i386 only) from the c code and pthread structure. in places where it is needed, it is now created on the stack just when it's needed, in assembly code. thus, the i386 __clone function takes the desired thread pointer as its argument, rather than an ldt descriptor pointer, just like on all other sane archs. this should not affect applications since there is really no way an application can use clone with threads/tls in a way that doesn't horribly conflict with and clobber the underlying implementation's use. applications are expected to use clone only for creating actual processes, possibly with new namespace features and whatnot.
2011-09-17dummy implementation of set_thread_areaRich Felker-0/+6
eventually we may have a working "generic" implementation for archs that don't need anything special. in any case, the goal of having stubs like this is to allow early testing of new ports before all the details needed for threads have been filled in. more functions like this will follow.
2011-09-16fix more instances of old a_xchg (use new a_swap name)Rich Felker-3/+3
2011-09-16use a_swap rather than old name a_xchgRich Felker-1/+1
2011-09-13remove some stray trailing space charactersRich Felker-1/+1
2011-09-11fix serious bug in pthread_joinRich Felker-2/+2
on spurious wakeups/returns from __timedwait, pthread_join would "succeed" and unmap the thread's stack while it was still running. at best this would lead to SIGSEGV when the thread resumed execution, but in the worst case, the thread would later resume executing on top of another new thread's stack mapped at the same address. spent about 4 hours tracking this bug down, chasing rare difficult-to-reproduce stack corruption in a stress test program. still no idea *what* caused the spurious wakeups; i suspect it's a kernel bug.
2011-09-09fix pthread_join wait call: thread termination tid futex is not privateRich Felker-1/+1
this seeme to be the bug that prevented enabling of private futex support. i'm going to hold off on switching to private futexes until after the next release, and until i get a chance to audit all wait/wake calls to make sure they're using the correct private argument, but with this change it should be safe to enable private futex support.
2011-09-04handle pending cancellation when enabling async cancellationRich Felker-0/+1
this is not strictly required by the standard, but without it, there is a race condition where cancellation arriving just before async cancellation is enabled might not be acted upon. it is impossible for a conforming application to work around this race condition since calling pthread_testcancel after setting async cancellation mode is not allowed (pthread_testcancel is not specified to be async-cancel-safe). thus the implementation should be responsible for eliminating the race, from a quality-of-implementation standpoint.
2011-08-14macro for pthread_equalRich Felker-1/+1
no sense bloating apps with a function call for an equality comparison...
2011-08-12implement forkallRich Felker-0/+66
this is a "nonstandard" function that was "rejected" by POSIX, but nonetheless had its behavior documented in the POSIX rationale for fork. it's present on solaris and possibly some other systems, and duplicates the whole calling process, not just a single thread. glibc does not have this function. it should not be used in programs intending to be portable, but may be useful for testing, checkpointing, etc. and it's an interesting (and quite small) example of the usefulness of the __synccall framework originally written to work around deficiencies in linux's setuid syscall.
2011-08-12pthread and synccall cleanup, new __synccall_wait opRich Felker-7/+11
fix up clone signature to match the actual behavior. the new __syncall_wait function allows a __synccall callback to wait for other threads to continue without returning, so that it can resume action after the caller finishes. this interface could be made significantly more general/powerful with minimal effort, but i'll wait to do that until it's actually useful for something.
2011-08-07condition variable signal/bcast need not wake unless there are waitersRich Felker-4/+4
2011-08-07simplify unified timed wait code, drop support for newer methodRich Felker-31/+28
the new absolute-time-based wait kernelside was hard to get right and basically just code duplication. it could only improve "performance" when waiting, and even then, the improvement was just slight drop in cpu usage during a wait. actually, with vdso clock_gettime, the "old" way will be even faster than the "new" way if the time has already expired, since it will not invoke any syscalls. it can determine entirely in userspace that it needs to return ETIMEDOUT.
2011-08-07add fast path for normal mutexes back to pthread_mutex_lockRich Felker-0/+3
2011-08-07close should not be cancellable after "failing" with EINTRRich Felker-1/+2
normally we allow cancellation to be acted upon when a syscall fails with EINTR, since there is no useful status to report to the caller in this case, and the signal that caused the interruption was almost surely the cancellation request, anyway. however, unlike all other syscalls, close has actually performed its resource-deallocation function whenever it returns, even when it returned an error. if we allow cancellation at this point, the caller has no way of informing the program that the file descriptor was closed, and the program may later try to close the file descriptor again, possibly closing a different, newly-opened file. the workaround looks ugly (special-casing one syscall), but it's actually the case that close is the one and only syscall (at least among cancellation points) with this ugly property.
2011-08-06simplify multi-threaded errno, eliminate useless function pointerRich Felker-7/+2
2011-08-06use weak aliases rather than function pointers to simplify some codeRich Felker-5/+12
2011-08-03further debloat cancellation handlersRich Felker-17/+30
cleanup push and pop are also no-ops if pthread_exit is not reachable. this can make a big difference for library code which needs to protect itself against cancellation, but which is unlikely to actually be used in programs with threads/cancellation.
2011-08-03missed detail in cancellation bloat fixRich Felker-1/+1
2011-08-03fix static linking dependency bloat with cancellationRich Felker-14/+21
previously, pthread_cleanup_push/pop were pulling in all of pthread_create due to dependency on the __pthread_unwind_next function. this was not needed, as cancellation cleanup handlers can never be called unless pthread_exit or pthread_cancel is reachable.
2011-08-03overhaul rwlocks to address several issuesRich Felker-56/+42
like mutexes and semaphores, rwlocks suffered from a race condition where the unlock operation could access the lock memory after another thread successfully obtained the lock (and possibly destroyed or unmapped the object). this has been fixed in the same way it was fixed for other lock types. in addition, the previous implementation favored writers over readers. in the absence of other considerations, that is the best behavior for rwlocks, and posix explicitly allows it. however posix also requires read locks to be recursive. if writers are favored, any attempt to obtain a read lock while a writer is waiting for the lock will fail, causing "recursive" read locks to deadlock. this can be avoided by keeping track of which threads already hold read locks, but doing so requires unbounded memory usage, and there must be a fallback case that favors readers in case memory allocation failed. and all of this must be synchronized. the cost, complexity, and risk of errors in getting it right is too great, so we simply favor readers. tracking of the owner of write locks has been removed, as it was not useful for anything. it could allow deadlock detection, but it's not clear to me that returning EDEADLK (which a buggy program is likely to ignore) is better than deadlocking; at least the latter behavior prevents further data corruption. a correct program cannot invoke this situation anyway. the reader count and write lock state, as well as the "last minute" waiter flag have all been combined into a single atomic lock. this means all state transitions for the lock are atomic compare-and-swap operations. this makes establishing correctness much easier and may improve performance. finally, some code duplication has been cleaned up. more is called for, especially the standard __timedwait idiom repeated in all locks.
2011-08-03timedwait: play it safe for nowRich Felker-1/+1
it's unclear whether EINVAL or ENOSYS is used when the operation is not supported, so check for both...
2011-08-02correctly handle old kernels without FUTEX_WAIT_BITSETRich Felker-1/+1
futex returns EINVAL, not ENOSYS, when op is not supported. unfortunately this looks just like EINVAL from other causes, and we end up running the fallback code and getting EINVAL again. fortunately this case should be rare since correct code should not generate EINVAL anyway.
2011-08-02fix sem_timedwait bug introduced in timedwait unificationRich Felker-0/+1
this dec used to be performed by the cancellation handler, which was called when popped.
2011-08-02unify and overhaul timed futex waitsRich Felker-51/+52
new features: - FUTEX_WAIT_BITSET op will be used for timed waits if available. this saves a call to clock_gettime. - error checking for the timespec struct is now inside __timedwait so it doesn't need to be duplicated everywhere. cond_timedwait still needs to duplicate it to avoid unlocking the mutex, though. - pushing and popping the cancellation handler is delegated to __timedwait, and cancellable/non-cancellable waits are unified.
2011-08-02avoid accessing mutex memory after atomic unlockRich Felker-34/+31
this change is needed to fix a race condition and ensure that it's possible to unlock and destroy or unmap the mutex as soon as pthread_mutex_lock succeeds. POSIX explicitly gives such an example in the rationale and requires an implementation to allow such usage.
2011-08-02fix breakage in cancellation due to signal functions overhaulRich Felker-1/+7
sigaddset was not accepting SIGCANCEL as a valid signal number.
2011-08-02overhaul posix semaphores to fix destructability raceRich Felker-27/+23
the race condition these changes address is described in glibc bug report number 12674: http://sourceware.org/bugzilla/show_bug.cgi?id=12674 up until now, musl has shared the bug, and i had not been able to figure out how to eliminate it. in short, the problem is that it's not valid for sem_post to inspect the waiters count after incrementing the semaphore value, because another thread may have already successfully returned from sem_wait, (rightly) deemed itself the only remaining user of the semaphore, and chosen to destroy and free it (or unmap the shared memory it's stored in). POSIX is not explicit in blessing this usage, but it gives a very explicit analogous example with mutexes (which, in musl and glibc, also suffer from the same race condition bug) in the rationale for pthread_mutex_destroy. the new semaphore implementation augments the waiter count with a redundant waiter indication in the semaphore value itself, representing the presence of "last minute" waiters that may have arrived after sem_post read the waiter count. this allows sem_post to read the waiter count prior to incrementing the semaphore value, rather than after incrementing it, so as to avoid accessing the semaphore memory whatsoever after the increment takes place. a similar, but much simpler, fix should be possible for mutexes and other locking primitives whose usage rules are stricter than semaphores.
2011-07-30clean up pthread_sigmask/sigprocmask dependency orderRich Felker-3/+3
it's nicer for the function that doesn't use errno to be independent, and have the other one call it. saves some time and avoids clobbering errno.
2011-07-30add proper fuxed-based locking for stdioRich Felker-1/+19
previously, stdio used spinlocks, which would be unacceptable if we ever add support for thread priorities, and which yielded pathologically bad performance if an application attempted to use flockfile on a key file as a major/primary locking mechanism. i had held off on making this change for fear that it would hurt performance in the non-threaded case, but actually support for recursive locking had already inflicted that cost. by having the internal locking functions store a flag indicating whether they need to perform unlocking, rather than using the actual recursive lock counter, i was able to combine the conditionals at unlock time, eliminating any additional cost, and also avoid a nasty corner case where a huge number of calls to ftrylockfile could cause deadlock later at the point of internal locking. this commit also fixes some issues with usage of pthread_self conflicting with __attribute__((const)) which resulted in crashes with some compiler versions/optimizations, mainly in flockfile prior to pthread_create.
2011-07-30fix bug in synccall with no threads: lock was taken but never releasedRich Felker-4/+4
2011-07-29new attempt at making set*id() safe and robustRich Felker-118/+113
changing credentials in a multi-threaded program is extremely difficult on linux because it requires synchronizing the change between all threads, which have their own thread-local credentials on the kernel side. this is further complicated by the fact that changing the real uid can fail due to exceeding RLIMIT_NPROC, making it possible that the syscall will succeed in some threads but fail in others. the old __rsyscall approach being replaced was robust in that it would report failure if any one thread failed, but in this case, the program would be left in an inconsistent state where individual threads might have different uid. (this was not as bad as glibc, which would sometimes even fail to report the failure entirely!) the new approach being committed refuses to change real user id when it cannot temporarily set the rlimit to infinity. this is completely POSIX conformant since POSIX does not require an implementation to allow real-user-id changes for non-privileged processes whatsoever. still, setting the real uid can fail due to memory allocation in the kernel, but this can only happen if there is not already a cached object for the target user. thus, we forcibly serialize the syscalls attempts, and fail the entire operation on the first failure. this *should* lead to an all-or-nothing success/failure result, but it's still fragile and highly dependent on kernel developers not breaking things worse than they're already broken. ideally linux will eventually add a CLONE_USERCRED flag that would give POSIX conformant credential changes without any hacks from userspace, and all of this code would become redundant and could be removed ~10 years down the line when everyone has abandoned the old broken kernels. i'm not holding my breath...
2011-06-26fix useless use of potentially-uninitialized mode variable in sem_openRich Felker-1/+1
2011-06-14restore use of .type in asm, but use modern @function (vs %function)Rich Felker-0/+11
this seems to be necessary to make the linker accept the functions in a shared library (perhaps to generate PLT entries?) strictly speaking libc-internal asm should not need it. i might clean that up later.
2011-06-14fix race condition in pthread_killRich Felker-1/+7
if thread id was reused by the kernel between the time pthread_kill read it from the userspace pthread_t object and the time of the tgkill syscall, a signal could be sent to the wrong thread. the tgkill syscall was supposed to prevent this race (versus the old tkill syscall) but it can't; it can only help in the case where the tid is reused in a different process, but not when the tid is reused in the same process. the only solution i can see is an extra lock to prevent threads from exiting while another thread is trying to pthread_kill them. it should be very very cheap in the non-contended case.
2011-06-14run dtors before taking the exit-lock in pthread exitRich Felker-2/+2
previously a long-running dtor could cause pthread_detach to block.
2011-06-14minor locking optimizationsRich Felker-2/+2
2011-06-13remove all .size and .type directives for functions from the asmRich Felker-18/+0
these are useless and have caused problems for users trying to build with non-gnu tools like tcc's assembler.
2011-05-30implement pthread_[sg]etconcurrency.Rich Felker-0/+15
there is a resource limit of 0 bits to store the concurrency level requested. thus any positive level exceeds a resource limit, resulting in EAGAIN. :-)
2011-05-07optimize out useless default-attribute object in pthread_createRich Felker-7/+7