From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jwakely@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124])
 by sourceware.org (Postfix) with ESMTP id EC2EF3854802
 for <libstdc++@gcc.gnu.org>; Fri, 13 Nov 2020 19:16:25 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org EC2EF3854802
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-217-ap8UgVn8MU6BOZ-ol_sC7A-1; Fri, 13 Nov 2020 14:16:23 -0500
X-MC-Unique: ap8UgVn8MU6BOZ-ol_sC7A-1
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1F77287950B;
 Fri, 13 Nov 2020 19:16:22 +0000 (UTC)
Received: from localhost (unknown [10.33.36.92])
 by smtp.corp.redhat.com (Postfix) with ESMTP id B7B0376642;
 Fri, 13 Nov 2020 19:16:21 +0000 (UTC)
Date: Fri, 13 Nov 2020 19:16:20 +0000
From: Jonathan Wakely <jwakely@redhat.com>
To: libstdc++@gcc.gnu.org, gcc-patches@gcc.gnu.org
Subject: Re: [committed] libstdc++: Optimise std::future::wait_for and fix
 futex polling
Message-ID: <20201113191620.GA592120@redhat.com>
MIME-Version: 1.0
In-Reply-To: <20201113172522.GI503596@redhat.com>
X-Clacks-Overhead: GNU Terry Pratchett
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: multipart/mixed; boundary="45Z9DzgjV8m4Oswq"
Content-Disposition: inline
X-Spam-Status: No, score=-14.1 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT,
 RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,
 SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libstdc++@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libstdc++ mailing list <libstdc++.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/libstdc++>,
 <mailto:libstdc++-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/libstdc++/>
List-Post: <mailto:libstdc++@gcc.gnu.org>
List-Help: <mailto:libstdc++-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/libstdc++>,
 <mailto:libstdc++-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2020 19:16:27 -0000

--45Z9DzgjV8m4Oswq
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

>Backporting the change to gcc-10 revealed an overflow bug in the
>existing code, resulting in blocking for years when given an absolute
>timeout in the distant past. There's still a similar bug in the new
>code (using futexes with absolute timeouts against clocks) where a
>large chrono::seconds value can overflow and produce an incorrect
>tv_sec value. Apart from the overflow itself being UB, the result in
>that case is just a spurious wakeup (the call says it timed out when
>it didn't reach the specified time). That should still be fixed, but
>I'll do it separately.

And here's the separate fix for that other overflow. In fact it
doesn't just produce spurious wakeups. It either spins forever
(instead of sleeping gently) or incorrectly reports a timeout when it
should keep blocking. Either way, it's fixed now.

Tested x86_64-linux && powerpc64le-linux. Committed to trunk.



--45Z9DzgjV8m4Oswq
Content-Type: text/x-patch; charset=us-ascii
Content-Disposition: attachment; filename="patch.txt"

commit 91004436daaf8d54daa467908d1b634a1a352707
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Fri Nov 13 19:11:02 2020

    libstdc++: Avoid more 32-bit time_t overflows in futex calls
    
    This fixes another overflow in code converting a std::chrono::seconds
    duration to a time_t. This time in the new code using a futex wait with
    an absolute timeout (so this one doesn't need to be backported to the
    release branches).
    
    A timeout after the epochalypse would overflow the tv_sec field,
    producing an incorrect value. If that incorrect value happened to be
    negative, the syscall would return with EINVAL and then the caller would
    keep retrying, spinning until the timeout was reached.  If the value
    happened to be positive, we would wake up too soon and incorrectly
    report a timeout
    
    libstdc++-v3/ChangeLog:
    
            * src/c++11/futex.cc (relative_timespec): Add [[unlikely]]
            attributes.
            (__atomic_futex_unsigned_base::_M_futex_wait_until)
            (__atomic_futex_unsigned_base::_M_futex_wait_until_steady):
            Check for overflow.
            * testsuite/30_threads/future/members/wait_until_overflow.cc:
            New test.

diff --git a/libstdc++-v3/src/c++11/futex.cc b/libstdc++-v3/src/c++11/futex.cc
index c2b2d32e8c43..15959cebee57 100644
--- a/libstdc++-v3/src/c++11/futex.cc
+++ b/libstdc++-v3/src/c++11/futex.cc
@@ -51,6 +51,8 @@ namespace std _GLIBCXX_VISIBILITY(default)
 {
 _GLIBCXX_BEGIN_NAMESPACE_VERSION
 
+  using __gnu_cxx::__int_traits;
+
 namespace
 {
   std::atomic<bool> futex_clock_realtime_unavailable;
@@ -74,10 +76,10 @@ namespace
     auto rel_s = abs_s.count() - now_s;
 
     // Avoid overflows
-    if (rel_s > __gnu_cxx::__int_traits<time_t>::__max)
-      rel_s = __gnu_cxx::__int_traits<time_t>::__max;
-    else if (rel_s < __gnu_cxx::__int_traits<time_t>::__min)
-      rel_s = __gnu_cxx::__int_traits<time_t>::__min;
+    if (rel_s > __int_traits<time_t>::__max) [[unlikely]]
+      rel_s = __int_traits<time_t>::__max;
+    else if (rel_s < __int_traits<time_t>::__min) [[unlikely]]
+      rel_s = __int_traits<time_t>::__min;
 
     // Convert the absolute timeout value to a relative timeout
     rt.tv_sec = rel_s;
@@ -111,14 +113,17 @@ namespace
       {
 	if (!futex_clock_realtime_unavailable.load(std::memory_order_relaxed))
 	  {
-	    struct timespec rt;
-	    rt.tv_sec = __s.count();
-	    rt.tv_nsec = __ns.count();
-
 	    // futex sets errno=EINVAL for absolute timeouts before the epoch.
-	    if (__builtin_expect(rt.tv_sec < 0, false))
+	    if (__s.count() < 0)
 	      return false;
 
+	    struct timespec rt;
+	    if (__s.count() > __int_traits<time_t>::__max) [[unlikely]]
+	      rt.tv_sec = __int_traits<time_t>::__max;
+	    else
+	      rt.tv_sec = __s.count();
+	    rt.tv_nsec = __ns.count();
+
 	    if (syscall (SYS_futex, __addr,
 			 futex_wait_bitset_op | futex_clock_realtime_flag,
 			 __val, &rt, nullptr, futex_bitset_match_any) == -1)
@@ -184,14 +189,17 @@ namespace
       {
 	if (!futex_clock_monotonic_unavailable.load(std::memory_order_relaxed))
 	  {
-	    struct timespec rt;
-	    rt.tv_sec = __s.count();
-	    rt.tv_nsec = __ns.count();
-
 	    // futex sets errno=EINVAL for absolute timeouts before the epoch.
-	    if (__builtin_expect(rt.tv_sec < 0, false))
+	    if (__s.count() < 0) [[unlikely]]
 	      return false;
 
+	    struct timespec rt;
+	    if (__s.count() > __int_traits<time_t>::__max) [[unlikely]]
+	      rt.tv_sec = __int_traits<time_t>::__max;
+	    else
+	      rt.tv_sec = __s.count();
+	    rt.tv_nsec = __ns.count();
+
 	    if (syscall (SYS_futex, __addr,
 			 futex_wait_bitset_op | futex_clock_monotonic_flag,
 			 __val, &rt, nullptr, futex_bitset_match_any) == -1)
diff --git a/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc b/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc
new file mode 100644
index 000000000000..8d6a5148ce3c
--- /dev/null
+++ b/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc
@@ -0,0 +1,48 @@
+// { dg-do run }
+// { dg-additional-options "-pthread" { target pthread } }
+// { dg-require-effective-target c++11 }
+// { dg-require-gthreads "" }
+
+// Copyright (C) 2020 Free Software Foundation, Inc.
+//
+// This file is part of the GNU ISO C++ Library.  This library is free
+// software; you can redistribute it and/or modify it under the
+// terms of the GNU General Public License as published by the
+// Free Software Foundation; either version 3, or (at your option)
+// any later version.
+
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License along
+// with this library; see the file COPYING3.  If not see
+// <http://www.gnu.org/licenses/>.
+
+
+#include <future>
+#include <chrono>
+#include <climits>
+#include <testsuite_hooks.h>
+
+namespace chrono = std::chrono;
+
+void test01()
+{
+  std::future<void> fut = std::async(std::launch::async, [] {
+    std::this_thread::sleep_for(chrono::seconds(4));
+  });
+
+  // A time in the distant future, but which overflows 32-bit time_t:
+  auto then = chrono::system_clock::now() + chrono::seconds(UINT_MAX + 2LL);
+  auto status = fut.wait_until(then);
+  // The wait_until call should have waited for the result to be ready.
+  // If converting the time_point to time_t overflows, it will timeout.
+  VERIFY(status == std::future_status::ready);
+}
+
+int main()
+{
+  test01();
+}

--45Z9DzgjV8m4Oswq--