public inbox for libstdc++-cvs@sourceware.org
From: Jonathan Wakely <redi@gcc.gnu.org>
To: gcc-cvs@gcc.gnu.org, libstdc++-cvs@gcc.gnu.org
Subject: [gcc r11-5008] libstdc++: Avoid more 32-bit time_t overflows in futex calls
Date: Fri, 13 Nov 2020 19:11:25 +0000 (GMT)
Message-ID: <20201113191125.C8A31389801E@sourceware.org>

https://gcc.gnu.org/g:91004436daaf8d54daa467908d1b634a1a352707

commit r11-5008-g91004436daaf8d54daa467908d1b634a1a352707
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Fri Nov 13 19:11:02 2020 +0000

    libstdc++: Avoid more 32-bit time_t overflows in futex calls
    
    This fixes another overflow in code converting a std::chrono::seconds
    duration to a time_t. This time in the new code using a futex wait with
    an absolute timeout (so this one doesn't need to be backported to the
    release branches).
    
    A timeout after the epochalypse would overflow the tv_sec field,
    producing an incorrect value. If that incorrect value happened to be
    negative, the syscall would return with EINVAL and then the caller would
    keep retrying, spinning until the timeout was reached.  If the value
    happened to be positive, we would wake up too soon and incorrectly
    report a timeout.
    
    libstdc++-v3/ChangeLog:
    
            * src/c++11/futex.cc (relative_timespec): Add [[unlikely]]
            attributes.
            (__atomic_futex_unsigned_base::_M_futex_wait_until)
            (__atomic_futex_unsigned_base::_M_futex_wait_until_steady):
            Check for overflow.
            * testsuite/30_threads/future/members/wait_until_overflow.cc:
            New test.
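
As an added example (not part of this commit or of libstdc++), the narrowing the commit message describes, reproduced with a 32-bit stand-in for time_t next to a saturating conversion that does the same job as the patch's clamp. The `time32_t` alias, `narrow_tv_sec`, `clamp_tv_sec` and the `classify` model are all assumptions made for illustration; `classify` models only the two failure modes the commit message names (a negative tv_sec rejected with EINVAL, a too-small positive tv_sec ending the wait at once), not the real kernel, and the "now" and deadline values are constructed inputs.

```cpp
#include <chrono>
#include <cstdint>
#include <cstdio>
#include <limits>

namespace chrono = std::chrono;

// time32_t stands in for a 32-bit time_t so the overflow reproduces on any host
// (assumption made for this example).
using time32_t = std::int32_t;

// Pre-fix conversion: chrono::seconds::rep (64-bit on GCC) is narrowed to TimeT.
// GCC defines the out-of-range case as wrapping modulo 2^N (two's complement).
template <typename TimeT>
TimeT narrow_tv_sec(chrono::seconds s)
{
  return static_cast<TimeT>(s.count());
}

// Post-fix conversion, the same idea as the patch's clamp: saturate at TimeT's
// limits instead of wrapping. On a 64-bit TimeT neither branch can be taken.
template <typename TimeT>
TimeT clamp_tv_sec(chrono::seconds s)
{
  using lim = std::numeric_limits<TimeT>;
  const auto c = s.count();
  if (c > lim::max())
    return lim::max();
  if (c < lim::min())
    return lim::min();
  return static_cast<TimeT>(c);
}

enum class FutexResult { Einval, ImmediateTimeout, Wait };

// Constructed model of how an absolute-timeout futex wait reacts to tv_sec (not
// kernel code): a negative deadline is rejected with EINVAL, a deadline at or
// before "now" returns ETIMEDOUT at once, anything else blocks until tv_sec.
FutexResult classify(std::int64_t now_s, std::int64_t tv_sec)
{
  if (tv_sec < 0)
    return FutexResult::Einval;
  if (tv_sec <= now_s)
    return FutexResult::ImmediateTimeout;
  return FutexResult::Wait;
}

int main()
{
  // Constructed inputs: "now" in late 2023 and two deadlines past 2038, one
  // (UINT_MAX + 2, the value the new test uses) that wraps to a small positive
  // number and one that wraps negative.
  const std::int64_t now_s = 1700000000;
  const chrono::seconds deadlines[] = { chrono::seconds(4294967297LL),
                                        chrono::seconds(3000000000LL) };
  static const char* const names[] = { "EINVAL (caller spins)",
                                       "immediate timeout", "waits" };
  for (auto d : deadlines)
    {
      auto before = narrow_tv_sec<time32_t>(d);
      auto after = clamp_tv_sec<time32_t>(d);
      std::printf("deadline %lld: narrowed %d -> %s; clamped %d -> %s\n",
                  (long long) d.count(),
                  before, names[(int) classify(now_s, before)],
                  after, names[(int) classify(now_s, after)]);
    }
  return 0;
}
```

The clamped value still ends the wait at the 2038 boundary on a 32-bit time_t, which is the latest instant that type can express; what the clamp removes is the wrap to a value that is either negative (EINVAL, and the caller retries in a loop) or already in the past (an immediate, spurious timeout).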

Diff:
---
 libstdc++-v3/src/c++11/futex.cc                    | 36 +++++++++-------
 .../future/members/wait_until_overflow.cc          | 48 ++++++++++++++++++++++
 2 files changed, 70 insertions(+), 14 deletions(-)

diff --git a/libstdc++-v3/src/c++11/futex.cc b/libstdc++-v3/src/c++11/futex.cc
index c2b2d32e8c4..15959cebee5 100644
--- a/libstdc++-v3/src/c++11/futex.cc
+++ b/libstdc++-v3/src/c++11/futex.cc
@@ -51,6 +51,8 @@ namespace std _GLIBCXX_VISIBILITY(default)
 {
 _GLIBCXX_BEGIN_NAMESPACE_VERSION
 
+  using __gnu_cxx::__int_traits;
+
 namespace
 {
   std::atomic<bool> futex_clock_realtime_unavailable;
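Review bot: the new `using __gnu_cxx::__int_traits;` line sits at namespace `std` scope, between `_GLIBCXX_BEGIN_NAMESPACE_VERSION` and the unnamed namespace, so it is visible to every declaration in `std` in this translation unit although its only uses are in the unnamed namespace below. Moving it inside `namespace {` keeps it local to the code that needs it.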
@@ -74,10 +76,10 @@ namespace
     auto rel_s = abs_s.count() - now_s;
 
     // Avoid overflows
-    if (rel_s > __gnu_cxx::__int_traits<time_t>::__max)
-      rel_s = __gnu_cxx::__int_traits<time_t>::__max;
-    else if (rel_s < __gnu_cxx::__int_traits<time_t>::__min)
-      rel_s = __gnu_cxx::__int_traits<time_t>::__min;
+    if (rel_s > __int_traits<time_t>::__max) [[unlikely]]
+      rel_s = __int_traits<time_t>::__max;
+    else if (rel_s < __int_traits<time_t>::__min) [[unlikely]]
+      rel_s = __int_traits<time_t>::__min;
 
     // Convert the absolute timeout value to a relative timeout
     rt.tv_sec = rel_s;
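Review bot: the clamp only works because `rel_s` carries the rep type of `abs_s` (64-bit on GCC) while `time_t` may be narrower; on a 64-bit `time_t` both branches are dead code, which is what the new `[[unlikely]]` hints imply. A sentence after `// Avoid overflows` stating that the comparison depends on the duration rep being wider than `time_t` would stop a later "simplification" from removing it.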
@@ -111,14 +113,17 @@ namespace
       {
 	if (!futex_clock_realtime_unavailable.load(std::memory_order_relaxed))
 	  {
-	    struct timespec rt;
-	    rt.tv_sec = __s.count();
-	    rt.tv_nsec = __ns.count();
-
 	    // futex sets errno=EINVAL for absolute timeouts before the epoch.
-	    if (__builtin_expect(rt.tv_sec < 0, false))
+	    if (__s.count() < 0)
 	      return false;
 
+	    struct timespec rt;
+	    if (__s.count() > __int_traits<time_t>::__max) [[unlikely]]
+	      rt.tv_sec = __int_traits<time_t>::__max;
+	    else
+	      rt.tv_sec = __s.count();
+	    rt.tv_nsec = __ns.count();
+
 	    if (syscall (SYS_futex, __addr,
 			 futex_wait_bitset_op | futex_clock_realtime_flag,
 			 __val, &rt, nullptr, futex_bitset_match_any) == -1)
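Review bot: the `if (__s.count() < 0)` check here lost the hint that the removed `__builtin_expect(rt.tv_sec < 0, false)` carried, while the identical check in the steady-clock hunk below gets `[[unlikely]]`; add it here too so the two paths stay the same. The clamp also deserves a comment like the `// Avoid overflows` one in `relative_timespec`: on a 32-bit `time_t` a deadline past the range becomes `rt.tv_sec = __int_traits<time_t>::__max`, so the futex times out at the 2038 boundary and the caller sees a timeout then rather than at its real deadline, which is the latest instant the type can express but is worth stating next to the code.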
@@ -184,14 +189,17 @@ namespace
       {
 	if (!futex_clock_monotonic_unavailable.load(std::memory_order_relaxed))
 	  {
-	    struct timespec rt;
-	    rt.tv_sec = __s.count();
-	    rt.tv_nsec = __ns.count();
-
 	    // futex sets errno=EINVAL for absolute timeouts before the epoch.
-	    if (__builtin_expect(rt.tv_sec < 0, false))
+	    if (__s.count() < 0) [[unlikely]]
 	      return false;
 
+	    struct timespec rt;
+	    if (__s.count() > __int_traits<time_t>::__max) [[unlikely]]
+	      rt.tv_sec = __int_traits<time_t>::__max;
+	    else
+	      rt.tv_sec = __s.count();
+	    rt.tv_nsec = __ns.count();
+
 	    if (syscall (SYS_futex, __addr,
 			 futex_wait_bitset_op | futex_clock_monotonic_flag,
 			 __val, &rt, nullptr, futex_bitset_match_any) == -1)
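Review bot: the negative check plus clamp block is now duplicated verbatim from the `CLOCK_REALTIME` path above, and this patch already had to fix both copies; a small helper that either fills the `timespec` from `__s`/`__ns` or reports a negative deadline would keep them in sync. The copied comment `futex sets errno=EINVAL for absolute timeouts before the epoch.` also reads oddly on the monotonic path, whose zero point is not the Unix epoch; "negative absolute timeouts" would be accurate for both clocks.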
diff --git a/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc b/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc
new file mode 100644
index 00000000000..8d6a5148ce3
--- /dev/null
+++ b/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc
@@ -0,0 +1,48 @@
+// { dg-do run }
+// { dg-additional-options "-pthread" { target pthread } }
+// { dg-require-effective-target c++11 }
+// { dg-require-gthreads "" }
+
+// Copyright (C) 2020 Free Software Foundation, Inc.
+//
+// This file is part of the GNU ISO C++ Library.  This library is free
+// software; you can redistribute it and/or modify it under the
+// terms of the GNU General Public License as published by the
+// Free Software Foundation; either version 3, or (at your option)
+// any later version.
+
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License along
+// with this library; see the file COPYING3.  If not see
+// <http://www.gnu.org/licenses/>.
+
+
+#include <future>
+#include <chrono>
+#include <climits>
+#include <testsuite_hooks.h>
+
+namespace chrono = std::chrono;
+
+void test01()
+{
+  std::future<void> fut = std::async(std::launch::async, [] {
+    std::this_thread::sleep_for(chrono::seconds(4));
+  });
+
+  // A time in the distant future, but which overflows 32-bit time_t:
+  auto then = chrono::system_clock::now() + chrono::seconds(UINT_MAX + 2LL);
+  auto status = fut.wait_until(then);
+  // The wait_until call should have waited for the result to be ready.
+  // If converting the time_point to time_t overflows, it will timeout.
+  VERIFY(status == std::future_status::ready);
+}
+
+int main()
+{
+  test01();
+}
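Review bot: the test calls `std::this_thread::sleep_for` but includes only `<future>`, `<chrono>` and `<climits>`; add `#include <thread>` rather than relying on `<future>` pulling it in. Note also that `chrono::seconds(UINT_MAX + 2LL)` only exceeds `time_t` on 32-bit `time_t` targets; elsewhere the deadline is representable and the test passes without exercising the clamp, which is fine for a regression test but worth saying in the comment above `then` so nobody expects it to fail on 64-bit hosts before the fix.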

