This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
libc/src/
-
src/
-
__support/threads/linux/
-
threads/
-
linux/
4/9
thread.cpp
-
pthread/
-
pthread_detach.cpp

Differential D148294

[LIBC] Handle multiple calls to `detach` more gracefully
AbandonedPublic

Authored by goldstein.w.n on Apr 13 2023, 8:05 PM.

Download Raw Diff

Details

Reviewers

michaelrj
sivachandra

Summary

Just return an error for incorrect use rather than almost certainly
creating an inf loop.

Its UB either way, but there is no reason to make the bugs more costly
than they need to be.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

goldstein.w.n created this revision.Apr 13 2023, 8:05 PM

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 13 2023, 8:05 PM

Herald added subscribers: libc-commits, ecnelises, tschuett. · View Herald Transcript

goldstein.w.n requested review of this revision.Apr 13 2023, 8:05 PM

Harbormaster completed remote builds in B225488: Diff 513420.Apr 13 2023, 8:06 PM

goldstein.w.n added a parent revision: D148293: [LIBC] Fix incorrect handling of `pthread_join(tid, nullptr)`.Apr 13 2023, 8:07 PM

sivachandra added inline comments.Apr 13 2023, 9:58 PM

libc/src/__support/threads/linux/thread.cpp
355	A joinable but exiting thread will not cleanup its resources if we remove this. What problem is your patch trying to address?

goldstein.w.n added inline comments.Apr 13 2023, 11:06 PM

libc/src/__support/threads/linux/thread.cpp
355	Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup routine? Its just handling the UB case of multiple calls to `pthread_detach ()` without almost certainty causing an infinite loop. If thread is joinable then `Thread::join()` does cleanup. If thread is not joinable then `thread_exist()` does cleanup.

sivachandra added inline comments.Apr 13 2023, 11:39 PM

libc/src/__support/threads/linux/thread.cpp
355	Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup routine? Its just handling the UB case of multiple calls to `pthread_detach ()` without almost certainty causing an infinite loop. If thread is joinable then `Thread::join()` does cleanup. If thread is not joinable then `thread_exist()` does cleanup. Consider this: A joinable thread has finished so its status has changed to `EXITING` but no other thread has called `join` or `detach` yet. In this case, `thread_exit` will not cleanup thread's resources as the call to one of `join` or `detach` will have to succeed. If `detach` is called, then cleanup becomes its responsibility. Likewise, if `join` is called, then cleanup becomes its responsibility. So, this cleanup here is for the case when `detach` is called on an already finished thread.

goldstein.w.n added inline comments.Apr 14 2023, 9:26 AM

libc/src/__support/threads/linux/thread.cpp
355	Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup routine? Its just handling the UB case of multiple calls to `pthread_detach ()` without almost certainty causing an infinite loop. If thread is joinable then `Thread::join()` does cleanup. If thread is not joinable then `thread_exist()` does cleanup. Consider this: A joinable thread has finished so its status has changed to `EXITING` but no other thread has called `join` or `detach` yet. In this case, `thread_exit` will not cleanup thread's resources as the call to one of `join` or `detach` will have to succeed. If `detach` is called, then cleanup becomes its responsibility. Likewise, if `join` is called, then cleanup becomes its responsibility. So, this cleanup here is for the case when `detach` is called on an already finished thread. Okay, thats fair. Was thinking of detached as only on `pthread_self()`. How about just return `EINVAL` if current state is `DETACHED`? The thing is this is a not super uncommon race and failing with infinite loop just seems unpleasant / harder to detect for the user.

sivachandra added inline comments.Apr 14 2023, 11:17 AM

libc/src/__support/threads/linux/thread.cpp
355	So, IIUC, what you are saying is that, before the call to `wait`, you want to add something like this: if (joinable_state == uint32_t(DetachState::DETACHED)) return EINVAL; I think it is OK but I am not sure it would be the cleanest thing to do. Consider a case where user code is calling `detach` twice on a thread. If the second `detach` happens after the thread has finished and cleaned up itself, then what you read into `joinable_state` is garbage. In fact, the program should crash because thread attrib's are on the thread stack which was likely already unmaped. So, that conditional is assuming that the thread was still running when the attribs were read. I am not sure making such assumptions is the correct thing to do.

goldstein.w.n added inline comments.Apr 14 2023, 11:36 AM

libc/src/__support/threads/linux/thread.cpp
355	So, IIUC, what you are saying is that, before the call to `wait`, you want to add something like this: if (joinable_state == uint32_t(DetachState::DETACHED)) return EINVAL; I think it is OK but I am not sure it would be the cleanest thing to do. Consider a case where user code is calling `detach` twice on a thread. If the second `detach` happens after the thread has finished and cleaned up itself, then what you read into `joinable_state` is garbage. In fact, the program should crash because thread attrib's are on the thread stack which was likely already unmaped. So, that conditional is assuming that the thread was still running when the attribs were read. I am not sure making such assumptions is the correct thing to do. Well its UB either way. We are still reading from attribs on the second detach when we try the cas from `JOINABLE`. In the UB case we aren't making string guarantees about whats going to happen, but we can at least try and handle it gracefully. I don't have any strong opinion about whether we handle the case with `abort` or `EINVAL`, I just think `wait` which can cause an infinite loop (if the thread is calling detach on itself) is not really a great way to handle a not too uncommon bug. I tend towards `EINVAL` so its up to the user if they want to `abort` or handle however, but `abort` seems perfectly reasonable as well.

sivachandra added inline comments.Apr 14 2023, 12:11 PM

libc/src/__support/threads/linux/thread.cpp
355	I don't have any strong opinion about whether we handle the case with `abort` or `EINVAL`, I just think `wait` which can cause an infinite loop (if the thread is calling detach on itself) is not really a great way to handle a not too uncommon bug. I tend towards `EINVAL` so its up to the user if they want to `abort` or handle however, but `abort` seems perfectly reasonable as well. If a joinable thread is calling `detach` on itself just once, it should work just fine (there will be no call to `wait`). But, if a detached thread is calling `detach` on itself, it is UB. Are you trying to address the latter case? All of this boils down to user code discipline. If a library has to support incorrect user code, then we need evidence (like bug reports et al.) to facilitate widespread reliance on a particular behavior.

goldstein.w.n added inline comments.Apr 14 2023, 12:32 PM

libc/src/__support/threads/linux/thread.cpp
355	I don't have any strong opinion about whether we handle the case with `abort` or `EINVAL`, I just think `wait` which can cause an infinite loop (if the thread is calling detach on itself) is not really a great way to handle a not too uncommon bug. I tend towards `EINVAL` so its up to the user if they want to `abort` or handle however, but `abort` seems perfectly reasonable as well. If a joinable thread is calling `detach` on itself just once, it should work just fine (there will be no call to `wait`). But, if a detached thread is calling `detach` on itself, it is UB. Are you trying to address the latter case? All of this boils down to user code discipline. If a library has to support incorrect user code, then we need evidence (like bug reports et al.) to facilitate widespread reliance on a particular behavior. The goal is not the support the UB case, its to make the UB case throw a more explicit error when its obviously detectable. Its like the `ESRCH`. Libraries are not required to return `ESRCH` if a user passes an invalid tid, but if it can easily detect it why not? There is a sense of prefered behavior in some UB cases. You can't rely on it, but its still useful.

sivachandra added inline comments.Apr 14 2023, 12:38 PM

libc/src/__support/threads/linux/thread.cpp
355	Its like the `ESRCH`. Libraries are not required to return `ESRCH` if a user passes an invalid tid, but if it can easily detect it why not? There is a sense of prefered behavior in some UB cases. You can't rely on it, but its still useful. If that "preferred behavior" is reliably reliable (yes, reliably reliable), then we can support those "why not" cases. In this case, it is not a reliably reliable behavior. It is more of a hopeful attempt with no guarantees of repeatability.

goldstein.w.n abandoned this revision.Apr 16 2023, 4:04 PM

Revision Contents

Path

Size

libc/

src/

__support/

threads/

linux/

thread.cpp

12 lines

pthread/

pthread_detach.cpp

3 lines

Diff 513420

libc/src/__support/threads/linux/thread.cpp

Show First 20 Lines • Show All 337 Lines • ▼ Show 20 Lines	int Thread::join(ThreadReturnValue &retval) {

return 0;		return 0;
}		}

int Thread::detach() {		int Thread::detach() {
uint32_t joinable_state = uint32_t(DetachState::JOINABLE);		uint32_t joinable_state = uint32_t(DetachState::JOINABLE);
if (attrib->detach_state.compare_exchange_strong(		if (attrib->detach_state.compare_exchange_strong(
joinable_state, uint32_t(DetachState::DETACHED))) {		joinable_state, uint32_t(DetachState::DETACHED))) {
return int(DetachType::SIMPLE);		return 0;
}		}

// If the thread was already detached, then the detach method should not		return EINVAL;
// be called at all. If the thread is exiting, then we wait for it to exit
// and free up resources.
// TODO: Should we handle this less destructively? Maybe just return EINVAL?
wait();

cleanup_thread_resources(attrib);
sivachandraUnsubmitted Not Done Reply Inline Actions A joinable but exiting thread will not cleanup its resources if we remove this. What problem is your patch trying to address? sivachandra: A joinable but exiting thread will not cleanup its resources if we remove this. What problem is…
goldstein.w.nAuthorUnsubmitted Done Reply Inline Actions Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup routine? Its just handling the UB case of multiple calls to `pthread_detach ()` without almost certainty causing an infinite loop. If thread is joinable then `Thread::join()` does cleanup. If thread is not joinable then `thread_exist()` does cleanup. goldstein.w.n: Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup…
sivachandraUnsubmitted Not Done Reply Inline Actions Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup routine? Its just handling the UB case of multiple calls to `pthread_detach ()` without almost certainty causing an infinite loop. If thread is joinable then `Thread::join()` does cleanup. If thread is not joinable then `thread_exist()` does cleanup. Consider this: A joinable thread has finished so its status has changed to `EXITING` but no other thread has called `join` or `detach` yet. In this case, `thread_exit` will not cleanup thread's resources as the call to one of `join` or `detach` will have to succeed. If `detach` is called, then cleanup becomes its responsibility. Likewise, if `join` is called, then cleanup becomes its responsibility. So, this cleanup here is for the case when `detach` is called on an already finished thread. sivachandra: > Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup…
goldstein.w.nAuthorUnsubmitted Done Reply Inline Actions Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup routine? Its just handling the UB case of multiple calls to `pthread_detach ()` without almost certainty causing an infinite loop. If thread is joinable then `Thread::join()` does cleanup. If thread is not joinable then `thread_exist()` does cleanup. Consider this: A joinable thread has finished so its status has changed to `EXITING` but no other thread has called `join` or `detach` yet. In this case, `thread_exit` will not cleanup thread's resources as the call to one of `join` or `detach` will have to succeed. If `detach` is called, then cleanup becomes its responsibility. Likewise, if `join` is called, then cleanup becomes its responsibility. So, this cleanup here is for the case when `detach` is called on an already finished thread. Okay, thats fair. Was thinking of detached as only on `pthread_self()`. How about just return `EINVAL` if current state is `DETACHED`? The thing is this is a not super uncommon race and failing with infinite loop just seems unpleasant / harder to detect for the user. goldstein.w.n: > > Hmm? AFAICT this is only the handle for `pthread_detach ()`, how does it affect the cleanup…
sivachandraUnsubmitted Not Done Reply Inline Actions So, IIUC, what you are saying is that, before the call to `wait`, you want to add something like this: if (joinable_state == uint32_t(DetachState::DETACHED)) return EINVAL; I think it is OK but I am not sure it would be the cleanest thing to do. Consider a case where user code is calling `detach` twice on a thread. If the second `detach` happens after the thread has finished and cleaned up itself, then what you read into `joinable_state` is garbage. In fact, the program should crash because thread attrib's are on the thread stack which was likely already unmaped. So, that conditional is assuming that the thread was still running when the attribs were read. I am not sure making such assumptions is the correct thing to do. sivachandra: So, IIUC, what you are saying is that, before the call to `wait`, you want to add something…
goldstein.w.nAuthorUnsubmitted Done Reply Inline Actions So, IIUC, what you are saying is that, before the call to `wait`, you want to add something like this: if (joinable_state == uint32_t(DetachState::DETACHED)) return EINVAL; I think it is OK but I am not sure it would be the cleanest thing to do. Consider a case where user code is calling `detach` twice on a thread. If the second `detach` happens after the thread has finished and cleaned up itself, then what you read into `joinable_state` is garbage. In fact, the program should crash because thread attrib's are on the thread stack which was likely already unmaped. So, that conditional is assuming that the thread was still running when the attribs were read. I am not sure making such assumptions is the correct thing to do. Well its UB either way. We are still reading from attribs on the second detach when we try the cas from `JOINABLE`. In the UB case we aren't making string guarantees about whats going to happen, but we can at least try and handle it gracefully. I don't have any strong opinion about whether we handle the case with `abort` or `EINVAL`, I just think `wait` which can cause an infinite loop (if the thread is calling detach on itself) is not really a great way to handle a not too uncommon bug. I tend towards `EINVAL` so its up to the user if they want to `abort` or handle however, but `abort` seems perfectly reasonable as well. goldstein.w.n: > So, IIUC, what you are saying is that, before the call to `wait`, you want to add something…
sivachandraUnsubmitted Not Done Reply Inline Actions I don't have any strong opinion about whether we handle the case with `abort` or `EINVAL`, I just think `wait` which can cause an infinite loop (if the thread is calling detach on itself) is not really a great way to handle a not too uncommon bug. I tend towards `EINVAL` so its up to the user if they want to `abort` or handle however, but `abort` seems perfectly reasonable as well. If a joinable thread is calling `detach` on itself just once, it should work just fine (there will be no call to `wait`). But, if a detached thread is calling `detach` on itself, it is UB. Are you trying to address the latter case? All of this boils down to user code discipline. If a library has to support incorrect user code, then we need evidence (like bug reports et al.) to facilitate widespread reliance on a particular behavior. sivachandra: > I don't have any strong opinion about whether we handle the case with `abort` or `EINVAL`, I…
goldstein.w.nAuthorUnsubmitted Done Reply Inline Actions I don't have any strong opinion about whether we handle the case with `abort` or `EINVAL`, I just think `wait` which can cause an infinite loop (if the thread is calling detach on itself) is not really a great way to handle a not too uncommon bug. I tend towards `EINVAL` so its up to the user if they want to `abort` or handle however, but `abort` seems perfectly reasonable as well. If a joinable thread is calling `detach` on itself just once, it should work just fine (there will be no call to `wait`). But, if a detached thread is calling `detach` on itself, it is UB. Are you trying to address the latter case? All of this boils down to user code discipline. If a library has to support incorrect user code, then we need evidence (like bug reports et al.) to facilitate widespread reliance on a particular behavior. The goal is not the support the UB case, its to make the UB case throw a more explicit error when its obviously detectable. Its like the `ESRCH`. Libraries are not required to return `ESRCH` if a user passes an invalid tid, but if it can easily detect it why not? There is a sense of prefered behavior in some UB cases. You can't rely on it, but its still useful. goldstein.w.n: > > I don't have any strong opinion about whether we handle the case with `abort` or `EINVAL`…
sivachandraUnsubmitted Not Done Reply Inline Actions Its like the `ESRCH`. Libraries are not required to return `ESRCH` if a user passes an invalid tid, but if it can easily detect it why not? There is a sense of prefered behavior in some UB cases. You can't rely on it, but its still useful. If that "preferred behavior" is reliably reliable (yes, reliably reliable), then we can support those "why not" cases. In this case, it is not a reliably reliable behavior. It is more of a hopeful attempt with no guarantees of repeatability. sivachandra: > Its like the `ESRCH`. Libraries are not required to return `ESRCH` if a user passes an…

return int(DetachType::CLEANUP);
}		}

void Thread::wait() {		void Thread::wait() {
// The kernel should set the value at the clear tid address to zero.		// The kernel should set the value at the clear tid address to zero.
// If not, it is a spurious wake and we should continue to wait on		// If not, it is a spurious wake and we should continue to wait on
// the futex.		// the futex.
auto *clear_tid =		auto *clear_tid =
reinterpret_cast<cpp::Atomic<FutexWordType> *>(attrib->platform_data);		reinterpret_cast<cpp::Atomic<FutexWordType> *>(attrib->platform_data);
▲ Show 20 Lines • Show All 139 Lines • Show Last 20 Lines

libc/src/pthread/pthread_detach.cpp

	Show All 14 Lines

	namespace __llvm_libc {			namespace __llvm_libc {

	static_assert(sizeof(pthread_t) == sizeof(__llvm_libc::Thread),			static_assert(sizeof(pthread_t) == sizeof(__llvm_libc::Thread),
	"Mismatch between pthread_t and internal Thread.");			"Mismatch between pthread_t and internal Thread.");

	LLVM_LIBC_FUNCTION(int, pthread_detach, (pthread_t th)) {			LLVM_LIBC_FUNCTION(int, pthread_detach, (pthread_t th)) {
	auto thread = reinterpret_cast<Thread >(&th);			auto thread = reinterpret_cast<Thread >(&th);
	thread->detach();			return thread->detach();
	return 0;
	}			}

	} // namespace __llvm_libc			} // namespace __llvm_libc