This is an archive of the discontinued LLVM Phabricator instance.

Differential D154425

[libc++] add basic runtime assertions to <latch>
ClosedPublic

Authored by diamante0018 on Jul 4 2023, 2:43 AM.

Details

Reviewers
ldionne
Group Reviewers
Restricted Project
Commits
rG5e807c38bf9b: [libc++] add basic runtime assertions to <latch>
Summary

Adding assertions will aid users that have bugs in their code to receive better error messages.

Diff Detail

Event Timeline

diamante0018 created this revision.Jul 4 2023, 2:43 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 4 2023, 2:43 AM
diamante0018 requested review of this revision.Jul 4 2023, 2:43 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 4 2023, 2:43 AM
Herald added a reviewer: Restricted Project. · View Herald Transcript
Herald added a subscriber: libcxx-commits. · View Herald Transcript
diamante0018 updated this revision to Diff 537012.Jul 4 2023, 2:49 AM

I have undone an unrelated code formatting change.

Harbormaster completed remote builds in B242980: Diff 537012.Jul 4 2023, 2:49 AM
diamante0018 updated this revision to Diff 537014.EditedJul 4 2023, 2:51 AM

I am learning how to use this differential tool and it appears the previous patch undid the changes I actually intended to commit instead of removing just the "one" offending line in regards to unrelated formatting changes.
I should have fixed the issue and now the actual diff file should be complete.
Sorry

diamante0018 added a reviewer: ldionne.Jul 4 2023, 4:10 AM
diamante0018 edited the summary of this revision. (Show Details)Jul 4 2023, 4:28 AM
Harbormaster completed remote builds in B242982: Diff 537014.Jul 4 2023, 6:47 AM
momo5502 added a subscriber: momo5502.Jul 4 2023, 6:58 AM
ldionne requested changes to this revision.Jul 4 2023, 12:03 PM

Thanks for the patch! If you upload the patch with arc, it should also include some context in the diff, which is useful. Let us know if you run into issues with that.

libcxx/include/latch
75

Not attached: Can you please add some tests for these assertions? To see how we do this for other assertions: libcxx/test/libcxx/containers/views/views.span/span.elem/assert.back.pass.cpp.

80–81

I think it is also UB if __expected > max(), right? If so, let's add an assertion.

91–92

I read:

If n is greater than the value of the internal counter or is negative, the behavior is undefined.

So we can actually check more than just __update >= 0.

112–113

Same here:

If n is greater than the value of the internal counter or is negative, the behavior is undefined.

This revision now requires changes to proceed.Jul 4 2023, 12:03 PM
diamante0018 added inline comments.Jul 4 2023, 12:35 PM
libcxx/include/latch
80–81

You are right but in this implementation because max is equivalent to std::numeric_limits<ptrdiff_t>::max() it should not be possible

ldionne added inline comments.Jul 4 2023, 1:28 PM
libcxx/include/latch
80–81

Then the compiler can probably elide the check, but we should still have the check!

diamante0018 updated this revision to Diff 537166.EditedJul 4 2023, 1:28 PM
diamante0018 edited the summary of this revision. (Show Details)

I addressed the review.

Please note the following:
Because in the llvm's implementation max() returns the max value of ptrdiff_t" (numeric_limits<ptrdiff_t>::max();) It should not be possible to check for that in an assertion.

Note that I used memory_order_relaxed in the assertions as that seems to be the memory order that has the potential to cause less collateral damage. Let me know if it's fine please.

Thanks

diamante0018 added inline comments.Jul 4 2023, 1:30 PM
libcxx/include/latch
80–81

I see, I just saw your comment. I will add the check right away.

diamante0018 updated this revision to Diff 537167.Jul 4 2023, 1:34 PM

Added an assertions to check that when the latch object is constructed "n" is not greater than max

diamante0018 added inline comments.Jul 4 2023, 1:36 PM
libcxx/include/latch
80–81

I added the check. That should be the last point to address from your previous review. I hope all is good now. Thanks 🐱

diamante0018 added a comment.Jul 4 2023, 1:40 PM

I added the check for "n is greater than max()". That should be the last point to address from your previous review. I hope all is good now. Thanks 🐱

diamante0018 marked 5 inline comments as done.Jul 4 2023, 1:59 PM
ldionne added inline comments.Jul 4 2023, 2:17 PM
libcxx/include/latch
95–99

Could we instead move the _LIBCPP_ASSERT after the fetch_sub, i.e. do:

_LIBCPP_ASSERT_UNCATEGORIZED(
            __update >= 0, "latch::count_down called with a negative value");
auto const __old = __a_.fetch_sub(__update, memory_order_release);
_LIBCPP_ASSERT_UNCATEGORIZED(
            __update > __old,
            "__update is greater than the value of the internal counter");

This would not require an additional atomic load, yet we would catch that we just did something really really bad (i.e. that __a_ is now negative and who knows what will happen next).

libcxx/test/libcxx/thread/thread.latch/assert.arrive_and_wait.pass.cpp
2

Let's also add a assert.ctor.pass.cpp test to test the assertion you added in the constructor!

Harbormaster completed remote builds in B243084: Diff 537167.Jul 4 2023, 2:18 PM
diamante0018 updated this revision to Diff 537227.Jul 4 2023, 11:28 PM

Added ctor unit test.
Correct assertion placement.
Remove one assertion as I realized that immediately after we are calling a function with the same kind of assertion. So perhaps it's not worth it to call .load() to check for the internal counter when we have a similar test right after that is checked without calling any extra operations

diamante0018 marked an inline comment as done.Jul 4 2023, 11:30 PM

I am a bit concerned about these new tests apparently failing because I, unfortunately, I don't know why they are failing despite me checking them over and over again for mistakes. I need to learn all of this.

diamante0018 marked an inline comment as done.Jul 4 2023, 11:30 PM
diamante0018 added a comment.Jul 4 2023, 11:53 PM

I realized by looking at already existing tests that my ctor.pass is incorrect. I will try to fix it in a few hours

Harbormaster completed remote builds in B243135: Diff 537227.Jul 5 2023, 1:49 AM
diamante0018 updated this revision to Diff 537276.Jul 5 2023, 2:58 AM

Correct the tests files (hopefully)

diamante0018 updated this revision to Diff 537281.Jul 5 2023, 3:09 AM

Correct syntax in a test cpp file

diamante0018 updated this revision to Diff 537285.Jul 5 2023, 3:22 AM

Make sure the tests messages match the assertions messages from libcxx (should fix the tests)

Harbormaster completed remote builds in B243171: Diff 537285.Jul 5 2023, 4:22 AM
diamante0018 updated this revision to Diff 537300.Jul 5 2023, 4:55 AM

Fix logic in the assertions I added

diamante0018 updated this revision to Diff 537303.Jul 5 2023, 5:04 AM

Add // class latch comment to all test files

diamante0018 updated this revision to Diff 537325.Jul 5 2023, 5:50 AM

Fix the test

ldionne added inline comments.Jul 5 2023, 5:51 AM
libcxx/include/latch
117–118

To avoid being inconsistent, I think I would remove this assertion and add a comment saying // preconditions on __update are checked in count_down().

libcxx/test/libcxx/thread/thread.latch/assert.ctor.pass.cpp
34

You should do this instead:

TEST_LIBCPP_ASSERT_FAILURE([]{ std::latch foo(-1); }(), "assertion message");
// and add a comment that we can't check the precondition for max() because there's no value that would violate the precondition (in our implementation)
diamante0018 updated this revision to Diff 537332.Jul 5 2023, 6:18 AM

Address review

diamante0018 marked 2 inline comments as done.Jul 5 2023, 6:19 AM
diamante0018 added a comment.Jul 5 2023, 6:25 AM

Hopefully, that should do it. I am happy I made progress with these tests earlier today. Was a bit hard to figure out but now they should turn green.

diamante0018 updated this revision to Diff 537335.Jul 5 2023, 6:27 AM

Apply clang-format on the lambda function

diamante0018 updated this revision to Diff 537340.Jul 5 2023, 6:37 AM

Fix format of my patch

diamante0018 updated this revision to Diff 537385.Jul 5 2023, 9:10 AM

Update tests

diamante0018 updated this revision to Diff 537390.Jul 5 2023, 9:18 AM

Fix logic in my assertions

diamante0018 updated this revision to Diff 537397.Jul 5 2023, 9:38 AM

Change "<" to "<=" in assert call

diamante0018 added a comment.Jul 5 2023, 12:08 PM

Test CI finally turned green woot woot. Thanks @Idionne 🥳

Harbormaster completed remote builds in B243248: Diff 537397.Jul 5 2023, 1:36 PM
ldionne accepted this revision.Jul 5 2023, 2:17 PM

LGTM, thanks! If you need someone to commit this on your behalf, please let us know Author Name <email@domain> to use for attribution.

This revision is now accepted and ready to land.Jul 5 2023, 2:17 PM
diamante0018 added a comment.EditedJul 5 2023, 2:18 PM

Yes please:

Edoardo Sanguineti edoardo.sanguineti222@gmail.com

Thanks again

ldionne added a comment.Jul 5 2023, 2:35 PM

Thank *you* for the patch!

Closed by commit rG5e807c38bf9b: [libc++] add basic runtime assertions to <latch> (authored by Edoardo Sanguineti <edoardo.sanguineti222@gmail.com>, committed by ldionne). · Explain WhyJul 5 2023, 2:35 PM
This revision was automatically updated to reflect the committed changes.
ldionne added a commit: rG5e807c38bf9b: [libc++] add basic runtime assertions to <latch>.
diamante0018 mentioned this in D155399: [libc++] add basic runtime assertions to <semaphore>.Jul 17 2023, 11:24 AM

Revision Contents

PathSize
libcxx/
include/
21 lines
test/
libcxx/
thread/
thread.latch/
37 lines
45 lines
38 lines

Diff 537505

libcxx/include/latch

Show First 20 LinesShow All 66 Lines▼ Show 20 Lines
class latch class latch
{ {
__atomic_base<ptrdiff_t> __a_; __atomic_base<ptrdiff_t> __a_;
public: public:
static _LIBCPP_HIDE_FROM_ABI constexpr ptrdiff_t max() noexcept { static _LIBCPP_HIDE_FROM_ABI constexpr ptrdiff_t max() noexcept {
return numeric_limits<ptrdiff_t>::max(); return numeric_limits<ptrdiff_t>::max();
} }
ldionneUnsubmitted
Done
ReplyInline Actions

Not attached: Can you please add some tests for these assertions? To see how we do this for other assertions: libcxx/test/libcxx/containers/views/views.span/span.elem/assert.back.pass.cpp.

ldionne: Not attached: Can you please add some tests for these assertions? To see how we do this for…
inline _LIBCPP_INLINE_VISIBILITY inline _LIBCPP_INLINE_VISIBILITY
constexpr explicit latch(ptrdiff_t __expected) : __a_(__expected) { } constexpr explicit latch(ptrdiff_t __expected) : __a_(__expected)
{
_LIBCPP_ASSERT_UNCATEGORIZED(__expected >= 0,
"latch::latch(ptrdiff_t): latch cannot be "
ldionneUnsubmitted
Done
ReplyInline Actions

I think it is also UB if __expected > max(), right? If so, let's add an assertion.

ldionne: I think it is also UB if `__expected > max()`, right? If so, let's add an assertion.
diamante0018AuthorUnsubmitted
Done
ReplyInline Actions

You are right but in this implementation because max is equivalent to std::numeric_limits<ptrdiff_t>::max() it should not be possible

diamante0018: You are right but in this implementation because max is equivalent to std…
ldionneUnsubmitted
Done
ReplyInline Actions

Then the compiler can probably elide the check, but we should still have the check!

ldionne: Then the compiler can probably elide the check, but we should still have the check!
diamante0018AuthorUnsubmitted
Done
ReplyInline Actions

I see, I just saw your comment. I will add the check right away.

diamante0018: I see, I just saw your comment. I will add the check right away.
diamante0018AuthorUnsubmitted
Done
ReplyInline Actions

I added the check. That should be the last point to address from your previous review. I hope all is good now. Thanks 🐱

diamante0018: I added the check. That should be the last point to address from your previous review. I hope…
"initialized with a negative value");
_LIBCPP_ASSERT_UNCATEGORIZED(__expected <= max(),
"latch::latch(ptrdiff_t): latch cannot be "
"initialized with a value greater than max()");
}
_LIBCPP_HIDE_FROM_ABI ~latch() = default; _LIBCPP_HIDE_FROM_ABI ~latch() = default;
latch(const latch&) = delete; latch(const latch&) = delete;
latch& operator=(const latch&) = delete; latch& operator=(const latch&) = delete;
inline _LIBCPP_AVAILABILITY_SYNC _LIBCPP_INLINE_VISIBILITY inline _LIBCPP_AVAILABILITY_SYNC _LIBCPP_INLINE_VISIBILITY
ldionneUnsubmitted
Done
ReplyInline Actions

I read:

If n is greater than the value of the internal counter or is negative, the behavior is undefined.

So we can actually check more than just __update >= 0.

ldionne: I read: > If n is greater than the value of the internal counter or is negative, the behavior…
void count_down(ptrdiff_t __update = 1) void count_down(ptrdiff_t __update = 1)
{ {
_LIBCPP_ASSERT_UNCATEGORIZED(
__update >= 0, "latch::count_down called with a negative value");
auto const __old = __a_.fetch_sub(__update, memory_order_release); auto const __old = __a_.fetch_sub(__update, memory_order_release);
_LIBCPP_ASSERT_UNCATEGORIZED(
__update <= __old, "latch::count_down called with a value greater "
ldionneUnsubmitted
Done
ReplyInline Actions

Could we instead move the _LIBCPP_ASSERT after the fetch_sub, i.e. do:

_LIBCPP_ASSERT_UNCATEGORIZED(
            __update >= 0, "latch::count_down called with a negative value");
auto const __old = __a_.fetch_sub(__update, memory_order_release);
_LIBCPP_ASSERT_UNCATEGORIZED(
            __update > __old,
            "__update is greater than the value of the internal counter");

This would not require an additional atomic load, yet we would catch that we just did something really really bad (i.e. that __a_ is now negative and who knows what will happen next).

ldionne: Could we instead move the `_LIBCPP_ASSERT` after the `fetch_sub`, i.e. do: ```…
"than the internal counter");
if(__old == __update) if (__old == __update)
__a_.notify_all(); __a_.notify_all();
} }
inline _LIBCPP_INLINE_VISIBILITY inline _LIBCPP_INLINE_VISIBILITY
bool try_wait() const noexcept bool try_wait() const noexcept
{ {
return 0 == __a_.load(memory_order_acquire); return 0 == __a_.load(memory_order_acquire);
} }
inline _LIBCPP_AVAILABILITY_SYNC _LIBCPP_INLINE_VISIBILITY inline _LIBCPP_AVAILABILITY_SYNC _LIBCPP_INLINE_VISIBILITY
void wait() const void wait() const
{ {
__cxx_atomic_wait(&__a_.__a_, [this]() -> bool { __cxx_atomic_wait(&__a_.__a_, [this]() -> bool {
return try_wait(); return try_wait();
ldionneUnsubmitted
Done
ReplyInline Actions

Same here:

If n is greater than the value of the internal counter or is negative, the behavior is undefined.

ldionne: Same here: > If n is greater than the value of the internal counter or is negative, the…
}); });
} }
inline _LIBCPP_AVAILABILITY_SYNC _LIBCPP_INLINE_VISIBILITY inline _LIBCPP_AVAILABILITY_SYNC _LIBCPP_INLINE_VISIBILITY
void arrive_and_wait(ptrdiff_t __update = 1) void arrive_and_wait(ptrdiff_t __update = 1)
{ {
ldionneUnsubmitted
Done
ReplyInline Actions

To avoid being inconsistent, I think I would remove this assertion and add a comment saying // preconditions on __update are checked in count_down().

ldionne: To avoid being inconsistent, I think I would remove this assertion and add a comment saying `//…
_LIBCPP_ASSERT_UNCATEGORIZED(
__update >= 0, "latch::arrive_and_wait called with a negative value");
// other preconditions on __update are checked in count_down()
count_down(__update); count_down(__update);
wait(); wait();
} }
}; };
_LIBCPP_END_NAMESPACE_STD _LIBCPP_END_NAMESPACE_STD
#endif // _LIBCPP_STD_VER >= 14 #endif // _LIBCPP_STD_VER >= 14
_LIBCPP_POP_MACROS _LIBCPP_POP_MACROS
#if !defined(_LIBCPP_REMOVE_TRANSITIVE_INCLUDES) && _LIBCPP_STD_VER <= 20 #if !defined(_LIBCPP_REMOVE_TRANSITIVE_INCLUDES) && _LIBCPP_STD_VER <= 20
# include <atomic> # include <atomic>
#endif #endif
#endif //_LIBCPP_LATCH #endif //_LIBCPP_LATCH

libcxx/test/libcxx/thread/thread.latch/assert.arrive_and_wait.pass.cpp

  • This file was added.
//===----------------------------------------------------------------------===//
//
ldionneUnsubmitted
Done
ReplyInline Actions

Let's also add a assert.ctor.pass.cpp test to test the assertion you added in the constructor!

ldionne: Let's also add a `assert.ctor.pass.cpp` test to test the assertion you added in the constructor!
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// UNSUPPORTED: no-threads
// UNSUPPORTED: c++03, c++11, c++14, c++17
// <latch>
// class latch;
// void arrive_and_wait(ptrdiff_t __update = 1);
// Make sure that calling arrive_and_wait with a negative value triggers an assertion.
// REQUIRES: has-unix-headers
// XFAIL: availability-verbose_abort-missing
// ADDITIONAL_COMPILE_FLAGS: -D_LIBCPP_ENABLE_ASSERTIONS=1
#include <latch>
#include "check_assertion.h"
int main(int, char **) {
{
std::latch l(5);
TEST_LIBCPP_ASSERT_FAILURE(
l.arrive_and_wait(-10),
"latch::arrive_and_wait called with a negative value");
}
return 0;
}

libcxx/test/libcxx/thread/thread.latch/assert.count_down.pass.cpp

  • This file was added.
//===----------------------------------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// UNSUPPORTED: no-threads
// UNSUPPORTED: c++03, c++11, c++14, c++17
// <latch>
// class latch;
// void count_down(ptrdiff_t __update = 1);
// Make sure that calling count_down with a negative value or a value
// higher than the internal counter triggers an assertion.
// REQUIRES: has-unix-headers
// XFAIL: availability-verbose_abort-missing
// ADDITIONAL_COMPILE_FLAGS: -D_LIBCPP_ENABLE_ASSERTIONS=1
#include <latch>
#include "check_assertion.h"
int main(int, char **) {
{
std::latch l(5);
TEST_LIBCPP_ASSERT_FAILURE(
l.count_down(-10), "latch::count_down called with a negative value");
}
{
std::latch l(5);
TEST_LIBCPP_ASSERT_FAILURE(l.count_down(10),
"latch::count_down called with a value greater "
"than the internal counter");
}
return 0;
}

libcxx/test/libcxx/thread/thread.latch/assert.ctor.pass.cpp

  • This file was added.
//===----------------------------------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// UNSUPPORTED: no-threads
// UNSUPPORTED: c++03, c++11, c++14, c++17
// <latch>
// class latch;
// constexpr explicit latch(ptrdiff_t __expected);
// Make sure that calling latch with a negative value triggers an assertion
// REQUIRES: has-unix-headers
// XFAIL: availability-verbose_abort-missing
// ADDITIONAL_COMPILE_FLAGS: -D_LIBCPP_ENABLE_ASSERTIONS=1
#include <latch>
#include "check_assertion.h"
int main(int, char **) {
{
TEST_LIBCPP_ASSERT_FAILURE([]{ std::latch l(-1); }(),
"latch::latch(ptrdiff_t): latch cannot be "
"initialized with a negative value");
}
// We can't check the precondition for max() because there's no value
ldionneUnsubmitted
Done
ReplyInline Actions

You should do this instead:

TEST_LIBCPP_ASSERT_FAILURE([]{ std::latch foo(-1); }(), "assertion message");
// and add a comment that we can't check the precondition for max() because there's no value that would violate the precondition (in our implementation)
ldionne: You should do this instead: ``` TEST_LIBCPP_ASSERT_FAILURE([]{ std::latch foo(-1); }()…
// that would violate the precondition (in our implementation)
return 0;
}