This is an archive of the discontinued LLVM Phabricator instance.

Differential D20903

Make system_error::message() thread safe. Fixes PR25598.
ClosedPublic

Authored by EricWF on Jun 2 2016, 3:29 AM.

Details

Reviewers
mclow.lists
majnemer
Commits
rG9778a6d811c3: Make system_error::message() thread safe. Fixes PR25598.
rCXX272633: Make system_error::message() thread safe. Fixes PR25598.
rL272633: Make system_error::message() thread safe. Fixes PR25598.
Summary

system_error::message() uses strerror for the generic and system categories. This function is not thread safe.

The fix is to use strerror_r. It has been available since 2001 for GNU libc and since BSD 4.4 on FreeBSD/OS X.
On platforms with GNU libc the extended version is used which always returns a valid string, even if an error occurs.

In single-threaded builds strerror is still used.

See https://llvm.org/bugs/show_bug.cgi?id=25598

Diff Detail

Event Timeline

EricWF updated this revision to Diff 59356.Jun 2 2016, 3:29 AM
EricWF retitled this revision from to Make system_error::message() thread safe. Fixes PR25598..
EricWF updated this object.
EricWF added reviewers: mclow.lists, majnemer.
EricWF added a subscriber: cfe-commits.
Herald added a subscriber: emaste. · View Herald TranscriptJun 2 2016, 3:29 AM
mclow.lists edited edge metadata.Jun 2 2016, 8:22 AM

In general, I'm OK with this - but I'm concerned about that there's not really any provision for the case where strerror_r does not exist.

Also, there's no reason to have a thread local static array here, if you're going to immediately copy it into a std::string.

erik65536 added a subscriber: erik65536.Jun 2 2016, 4:29 PM

The C++ spec states that error_category::message() shall not change the value of errno (See section 19.5). So errno will have to be saved and restored if strerror_r() fails.

The POSIX version of strerror_r() returns 0 on success, and any other value indicates an error (Reference).

The function may return uninitialized memory if std::snprintf() fails.

You may want to a version for Windows that calls strerror_s().

EricWF added a comment.Jun 13 2016, 7:43 PM
In D20903#446922, @mclow.lists wrote:

In general, I'm OK with this - but I'm concerned about that there's not really any provision for the case where strerror_r does not exist.

Also, there's no reason to have a thread local static array here, if you're going to immediately copy it into a std::string.

Ack. I changed the arrays to be neither static nor thread_local.

In D20903#447650, @erik65536 wrote:

The C++ spec states that error_category::message() shall not change the value of errno (See section 19.5). So errno will have to be saved and restored if strerror_r() fails.

Good catch. I only have to do this for the POSIX version. I'll make the change.

The POSIX version of strerror_r() returns 0 on success, and any other value indicates an error (Reference).

The function may return uninitialized memory if std::snprintf() fails.

I don't see how snprintf could possible fail.

You may want to a version for Windows that calls strerror_s().

Libc++ provides no windows support.

EricWF updated this revision to Diff 60642.Jun 13 2016, 7:44 PM
EricWF edited edge metadata.
  • Use a local buffer instead of a static thread_local one.
  • Save and restore errno in the POSIX implementation.
mclow.lists accepted this revision.Jun 13 2016, 8:45 PM
mclow.lists edited edge metadata.

LGTM.

This revision is now accepted and ready to land.Jun 13 2016, 8:45 PM
EricWF updated this revision to Diff 60649.Jun 13 2016, 8:50 PM
EricWF edited edge metadata.

Use named variable strerror_buff_size variable instead of literal 1024.

EricWF closed this revision.Jun 13 2016, 8:52 PM
erik65536 added a comment.Jun 13 2016, 11:01 PM

The POSIX version of strerror_r() returns 0 on success, and any other value indicates an error (Reference).

I should have been more explicit when I wrote this recommendation. Checking if strerror_r returns -1 is not portable. For example, OSX and FreeBSD return an error code from strerror_r without setting errno. The POSIX version should check for success by checking to see if strerror_r returns 0. If the function fails and the return value is not -1, assume that the return value is an error code.

EricWF added a comment.Jun 13 2016, 11:10 PM
In D20903#457252, @erik65536 wrote:

The POSIX version of strerror_r() returns 0 on success, and any other value indicates an error (Reference).

I should have been more explicit when I wrote this recommendation. Checking if strerror_r returns -1 is not portable. For example, OSX and FreeBSD return an error code from strerror_r without setting errno. The POSIX version should check for success by checking to see if strerror_r returns 0. If the function fails and the return value is not -1, assume that the return value is an error code.

Urg IDK how I missed that in the docs. Thanks for pointing this out.

I fixed it in r272640. I'll follow up with some tests for the FreeBSD and OS X implementations.

EricWF added a comment.Jun 13 2016, 11:45 PM

I checked in tests for the reported bug in r272642. They aren't the most portable so hopefully the pass on all supported platforms.

erik65536 added a comment.Jun 14 2016, 12:24 AM

I don't see any other issues. Thanks for fixing this.

Revision Contents

PathSize
src/
49 lines
test/
std/
diagnostics/
syserr/
syserr.errcat/
syserr.errcat.objects/
11 lines
12 lines

Diff 60649

src/system_error.cpp

//===---------------------- system_error.cpp ------------------------------===// //===---------------------- system_error.cpp ------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is dual licensed under the MIT and the University of Illinois Open // This file is dual licensed under the MIT and the University of Illinois Open
// Source Licenses. See LICENSE.TXT for details. // Source Licenses. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "__config" #include "__config"
#define _LIBCPP_BUILDING_SYSTEM_ERROR #define _LIBCPP_BUILDING_SYSTEM_ERROR
#include "system_error" #include "system_error"
#include "include/config_elast.h" #include "include/config_elast.h"
#include "cerrno"
#include "cstring" #include "cstring"
#include "cstdio"
#include "cstdlib"
#include "cassert"
#include "string" #include "string"
#include "string.h"
_LIBCPP_BEGIN_NAMESPACE_STD _LIBCPP_BEGIN_NAMESPACE_STD
// class error_category // class error_category
error_category::error_category() _NOEXCEPT error_category::error_category() _NOEXCEPT
{ {
} }
Show All 15 Lines
} }
bool bool
error_category::equivalent(const error_code& code, int condition) const _NOEXCEPT error_category::equivalent(const error_code& code, int condition) const _NOEXCEPT
{ {
return *this == code.category() && code.value() == condition; return *this == code.category() && code.value() == condition;
} }
namespace {
// GLIBC also uses 1024 as the maximum buffer size internally.
constexpr size_t strerror_buff_size = 1024;
string do_strerror_r(int ev);
#if defined(__linux__) && !defined(_LIBCPP_HAS_MUSL_LIBC)
// GNU Extended version
string do_strerror_r(int ev) {
char buffer[strerror_buff_size];
char* ret = ::strerror_r(ev, buffer, strerror_buff_size);
return string(ret);
}
#else
// POSIX version
string do_strerror_r(int ev) {
char buffer[strerror_buff_size];
const int old_errno = errno;
if (::strerror_r(ev, buffer, strerror_buff_size) == -1) {
const int new_errno = errno;
errno = old_errno;
if (new_errno == EINVAL) {
std::snprintf(buffer, strerror_buff_size, "Unknown error %d", ev);
return string(buffer);
} else {
assert(new_errno == ERANGE);
// FIXME maybe? 'strerror_buff_size' is likely to exceed the
// maximum error size so ERANGE shouldn't be returned.
std::abort();
}
}
return string(buffer);
}
#endif
} // end namespace
string string
__do_message::message(int ev) const __do_message::message(int ev) const
{ {
return string(strerror(ev)); #if defined(_LIBCPP_HAS_NO_THREADS)
return string(::strerror(ev));
#else
return do_strerror_r(ev);
#endif
} }
class _LIBCPP_HIDDEN __generic_error_category class _LIBCPP_HIDDEN __generic_error_category
: public __do_message : public __do_message
{ {
public: public:
virtual const char* name() const _NOEXCEPT; virtual const char* name() const _NOEXCEPT;
virtual string message(int ev) const; virtual string message(int ev) const;
▲ Show 20 LinesShow All 149 LinesShow Last 20 Lines

test/std/diagnostics/syserr/syserr.errcat/syserr.errcat.objects/generic_category.pass.cpp

Show All 10 Lines
// class error_category // class error_category
// const error_category& generic_category(); // const error_category& generic_category();
#include <system_error> #include <system_error>
#include <cassert> #include <cassert>
#include <string> #include <string>
#include <cerrno>
void test_message_leaves_errno_unchanged() {
errno = E2BIG; // something that message will never generate
const std::error_category& e_cat1 = std::generic_category();
e_cat1.message(-1);
assert(errno == E2BIG);
}
int main() int main()
{ {
const std::error_category& e_cat1 = std::generic_category(); const std::error_category& e_cat1 = std::generic_category();
std::string m1 = e_cat1.name(); std::string m1 = e_cat1.name();
assert(m1 == "generic"); assert(m1 == "generic");
{
test_message_leaves_errno_unchanged();
}
} }

test/std/diagnostics/syserr/syserr.errcat/syserr.errcat.objects/system_category.pass.cpp

Show All 10 Lines
// class error_category // class error_category
// const error_category& system_category(); // const error_category& system_category();
#include <system_error> #include <system_error>
#include <cassert> #include <cassert>
#include <string> #include <string>
#include <cerrno>
void test_message_leaves_errno_unchanged() {
errno = E2BIG; // something that message will never generate
const std::error_category& e_cat1 = std::system_category();
e_cat1.message(-1);
assert(errno == E2BIG);
}
int main() int main()
{ {
const std::error_category& e_cat1 = std::system_category(); const std::error_category& e_cat1 = std::system_category();
std::error_condition e_cond = e_cat1.default_error_condition(5); std::error_condition e_cond = e_cat1.default_error_condition(5);
assert(e_cond.value() == 5); assert(e_cond.value() == 5);
assert(e_cond.category() == std::generic_category()); assert(e_cond.category() == std::generic_category());
e_cond = e_cat1.default_error_condition(5000); e_cond = e_cat1.default_error_condition(5000);
assert(e_cond.value() == 5000); assert(e_cond.value() == 5000);
assert(e_cond.category() == std::system_category()); assert(e_cond.category() == std::system_category());
{
test_message_leaves_errno_unchanged();
}
} }