From: Florian Weimer
To: Rich Felker
Cc: Szabolcs Nagy, libc-alpha@sourceware.org
Subject: Re: [PATCH 2/2] manual: Document __libc_single_threaded
Date: Fri, 22 May 2020 19:02:01 +0200
Message-ID: <871rnb3nue.fsf@oldenburg2.str.redhat.com>
In-Reply-To: <20200522161413.GU1079@brightrain.aerifal.cx> (Rich Felker's message of "Fri, 22 May 2020 12:14:14 -0400")

* Rich Felker:

>> This still has consequences for setxid safety which is why musl now
>> fully synchronizes the existing threads list. But if you're not using
>> the thread count for that, it's not an issue. Indeed I think
>> SYS_membarrier is a solution here, but if it's not supported or
>> blocked by seccomp then __libc_single_threaded must not be made true
>> again at this time.
>
> Uhg, SYS_membarrier is *not* a solution here. The problem is far
> worse, because the user of __libc_single_threaded potentially lacks
> *compiler barriers* too.
>
> Consider something like:
>
>   need_unlock = 0;
>   if (!__libc_single_threaded) { lock(); need_unlock = 1; }
>   x = *p;
>   if (need_unlock) unlock();
>   /* ... */
>   need_unlock = 0;
>   if (!__libc_single_threaded) { lock(); need_unlock = 1; }
>   x = *p;
>   if (need_unlock) unlock();
>
> Here, in the case where __libc_single_threaded is true the second time
> around, there is no (memory or compiler) acquire barrier between the
> first access to *p and the second. Thus the compiler can (and actually
> does! I don't have a minimal PoC but musl actually just hit a bug very
> close to this) omit the second load from memory, and uses the cached
> value, which may be incorrect because the exiting thread modified it.
>
> This could potentially be avoided with complex contracts about
> barriers needed to use __libc_single_threaded, but it seems highly
> error-prone.

Well, yes. It's clearly a data race if the implementation sets
__libc_single_threaded directly from an exiting thread. I don't see a
way around that.

Our discussion focused on the problem that observing a thread count of
1 in pthread_join does not necessarily mean that it is safe to assume
at this point that the process is single-threaded, in glibc's
implementation that uses a simple __nptl_nthreads counter decremented
on the thread itself. This does not cause a low-level data race
directly, but is potentially still incorrect (I'm not quite sure yet).

In glibc, we annotate many functions with __attribute__ ((leaf)),
implicitly via __THROW. None of these functions may reset
__libc_single_threaded. I expect that many compilers have a built-in
list of standard functions they treat as leaf functions. This means
that these functions cannot write in practice to
__libc_single_threaded (or any other global variable apart from
errno). Not following this rule would result in undefined behavior,
similar to an actual data race in the memory model.

A compiler cannot treat pthread_create as a leaf function, so the
simple implementation of __libc_single_threaded I posted should be
fine in this regard.

Thanks,
Florian
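The design point the two messages above circle around, as an added stand-alone C model (this is not glibc's code or musl's; `single_threaded_model`, `model_thread_create`, `model_thread_join`, `bump` and `run_model` are names invented here): a process-wide "single threaded" flag that is cleared by the creating thread before any second thread can run, and that is deliberately never set back to true from a joining or exiting thread. Because the only transition is a store made by the calling thread immediately before an opaque, non-leaf pthread_create call, a reader on the fast path can never be working from a stale "true" while another thread is alive, so the consumer needs no barrier of its own. It assumes gcc or clang and a libc that provides pthreads.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical process-wide flag modelled on __libc_single_threaded.
   This is NOT glibc's variable or its implementation; it is a
   stand-alone model of the design discussed in the thread. */
static bool single_threaded_model = true;

/* Counter updated with a plain increment on the single-threaded fast
   path and with an atomic RMW once a second thread may exist. */
static unsigned long counter;

/* Stand-in for pthread_create: clear the flag before the child can run.
   The store precedes an opaque, non-leaf call, so the compiler has to
   reload the flag after it, and the child (which starts after
   pthread_create's own synchronisation) can only ever observe false. */
static int model_thread_create(pthread_t *t, void *(*fn)(void *), void *arg)
{
    single_threaded_model = false;   /* one-way transition, never reversed */
    return pthread_create(t, NULL, fn, arg);
}

/* Stand-in for pthread_join: deliberately does NOT re-arm the flag.
   Setting it back to true from a joining or exiting thread is the race
   Rich describes: a fast-path reader has no acquire barrier and may
   keep using a value cached before the other thread's writes. */
static int model_thread_join(pthread_t t)
{
    return pthread_join(t, NULL);
}

/* Consumer in the style of the __libc_single_threaded idiom: skip the
   atomic when provably alone, otherwise use an atomic RMW. */
static void bump(void)
{
    if (single_threaded_model)
        ++counter;
    else
        __atomic_fetch_add(&counter, 1, __ATOMIC_RELAXED);
}

static void *worker(void *arg)
{
    unsigned long n = *(unsigned long *)arg;
    for (unsigned long i = 0; i < n; i++)
        bump();
    return NULL;
}

/* n fast-path increments while alone, then n atomic increments on this
   thread concurrently with n on a worker. Returns the final counter
   (3*n) and reports the flag's final state, which stays false because
   the model never re-arms it. Returns 0 if the thread cannot be created. */
unsigned long run_model(unsigned long n, bool *flag_after)
{
    counter = 0;
    for (unsigned long i = 0; i < n; i++)
        bump();                       /* flag true: plain increments */

    pthread_t t;
    if (model_thread_create(&t, worker, &n) != 0)
        return 0;
    for (unsigned long i = 0; i < n; i++)
        bump();                       /* flag false: atomic increments */
    model_thread_join(t);

    *flag_after = single_threaded_model;
    return counter;
}

int main(void)
{
    bool after;
    unsigned long total = run_model(100000, &after);
    printf("counter=%lu (expected %lu), single_threaded=%s\n",
           total, 3 * 100000UL, after ? "true" : "false");
    return 0;
}
```

The model side-steps the cached-load problem only because the flag is monotonic: a join wrapper that flipped it back to true would reintroduce exactly the second-read scenario in the quoted pseudocode, and then the consumer could no longer be written without a barrier contract, which is the part the message above leaves open.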