[PATCH] Also use l_tls_dtor_count to decide on object unload

[Siddhesh Poyarekar <siddhesh@redhat.com>]

When an TLS destructor is registered, we set the DF_1_NODELETE flag to
signal that the object should not be destroyed.  We then clear the
DF_1_NODELETE flag when all destructors are called, which is wrong -
the flag could have been set by other means too.

This patch replaces this use of the flag by using l_tls_dtor_count
directly to determine whether it is safe to unload the object.  This
change has the added advantage of eliminating the lock taking when
calling the destructors, which could result in a deadlock.  The patch
also fixes the test case tst-tls-atexit - it was making an invalid
dlclose call, which would just return an error silently.

Change verified on x86_64; the test suite does not show any
regressions due to the patch.

ChangeLog:

	* elf/dl-close.c (_dl_close_worker): Don't unload DSO if there
	are pending TLS destructor calls.
	* stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
	Don't touch the link map flag.  Atomically increment
	l_tls_dtor_count.
	(__call_tls_dtors): Atomically decrement l_tls_dtor_count.
	Avoid taking the load lock and don't touch the link map flag.
	* stdlib/tst-tls-atexit.c (do_test): dlopen
	tst-tls-atexit-lib.so again before dlclose.
---
 elf/dl-close.c                  |  9 ++++++++-
 stdlib/cxa_thread_atexit_impl.c | 25 +++++++------------------
 stdlib/tst-tls-atexit.c         |  9 ++++++++-
 3 files changed, 23 insertions(+), 20 deletions(-)

diff --git a/elf/dl-close.c b/elf/dl-close.c
index 2104674..30e30e2 100644
--- a/elf/dl-close.c
+++ b/elf/dl-close.c
@@ -153,7 +153,11 @@ _dl_close_worker (struct link_map *map, bool force)
       maps[idx] = l;
       ++idx;
 
-      /* Clear DF_1_NODELETE to force object deletion.  */
+      /* Clear DF_1_NODELETE to force object deletion.  We don't need to touch
+	 l_tls_dtor_count because forced object deletion only happens when an
+	 error occurs during object load.  Destructor registration for TLS
+	 non-POD objects should not have happened till then for this
+	 object.  */
       if (force)
 	l->l_flags_1 &= ~DF_1_NODELETE;
     }
@@ -173,10 +177,13 @@ _dl_close_worker (struct link_map *map, bool force)
 	/* Already handled.  */
 	continue;
 
+      size_t tls_dtor_count = atomic_load_relaxed (&l->l_tls_dtor_count);
+
       /* Check whether this object is still used.  */
       if (l->l_type == lt_loaded
 	  && l->l_direct_opencount == 0
 	  && (l->l_flags_1 & DF_1_NODELETE) == 0
+	  && tls_dtor_count == 0
 	  && !used[done_index])
 	continue;
 
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index 9120162..fac2cc9 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -50,27 +50,25 @@ __cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
   tls_dtor_list = new;
 
   /* See if we already encountered the DSO.  */
-  __rtld_lock_lock_recursive (GL(dl_load_lock));
-
   if (__glibc_unlikely (dso_symbol_cache != dso_symbol))
     {
       ElfW(Addr) caller = (ElfW(Addr)) dso_symbol;
 
+      /* _dl_find_dso_for_object assumes that we have the dl_load_lock.  */
+      __rtld_lock_lock_recursive (GL(dl_load_lock));
       struct link_map *l = _dl_find_dso_for_object (caller);
+      __rtld_lock_unlock_recursive (GL(dl_load_lock));
 
       /* If the address is not recognized the call comes from the main
          program (we hope).  */
       lm_cache = l ? l : GL(dl_ns)[LM_ID_BASE]._ns_loaded;
     }
+
   /* A destructor could result in a thread_local construction and the former
      could have cleared the flag.  */
-  if (lm_cache->l_type == lt_loaded && lm_cache->l_tls_dtor_count == 0)
-    lm_cache->l_flags_1 |= DF_1_NODELETE;
+  atomic_increment (&lm_cache->l_tls_dtor_count);
 
   new->map = lm_cache;
-  new->map->l_tls_dtor_count++;
-
-  __rtld_lock_unlock_recursive (GL(dl_load_lock));
 
   return 0;
 }
@@ -83,19 +81,10 @@ __call_tls_dtors (void)
   while (tls_dtor_list)
     {
       struct dtor_list *cur = tls_dtor_list;
-      tls_dtor_list = tls_dtor_list->next;
 
+      tls_dtor_list = tls_dtor_list->next;
       cur->func (cur->obj);
-
-      __rtld_lock_lock_recursive (GL(dl_load_lock));
-
-      /* Allow DSO unload if count drops to zero.  */
-      cur->map->l_tls_dtor_count--;
-      if (cur->map->l_tls_dtor_count == 0 && cur->map->l_type == lt_loaded)
-        cur->map->l_flags_1 &= ~DF_1_NODELETE;
-
-      __rtld_lock_unlock_recursive (GL(dl_load_lock));
-
+      atomic_decrement (&cur->map->l_tls_dtor_count);
       free (cur);
     }
 }
diff --git a/stdlib/tst-tls-atexit.c b/stdlib/tst-tls-atexit.c
index 68247d1..ba70790 100644
--- a/stdlib/tst-tls-atexit.c
+++ b/stdlib/tst-tls-atexit.c
@@ -82,7 +82,14 @@ do_test (void)
   if (thr_ret != NULL)
     return 1;
 
-  /* Now this should unload the DSO.  */
+  /* Now this sequence should unload the DSO.  */
+  handle = dlopen ("$ORIGIN/tst-tls-atexit-lib.so", RTLD_LAZY);
+  if (!handle)
+    {
+      printf ("main thread: Unable to load DSO: %s\n", dlerror ());
+      return 1;
+    }
+
   dlclose (handle);
 
   /* Run through our maps and ensure that the DSO is unloaded.  */
-- 
2.1.0