Date: Fri, 13 Nov 2020 19:16:20 +0000
From: Jonathan Wakely
To: libstdc++@gcc.gnu.org, gcc-patches@gcc.gnu.org
Subject: Re: [committed] libstdc++: Optimise std::future::wait_for and fix futex polling
Message-ID: <20201113191620.GA592120@redhat.com>
In-Reply-To: <20201113172522.GI503596@redhat.com>

> Backporting the change to gcc-10 revealed an overflow bug in the
> existing code, resulting in blocking for years when given an absolute
> timeout in the distant past. There's still a similar bug in the new
> code (using futexes with absolute timeouts against clocks) where a
> large chrono::seconds value can overflow and produce an incorrect
> tv_sec value. Apart from the overflow itself being UB, the result in
> that case is just a spurious wakeup (the call says it timed out when
> it didn't reach the specified time). That should still be fixed, but
> I'll do it separately.

And here's the separate fix for that other overflow. In fact it doesn't just produce spurious wakeups.
It either spins forever (instead of sleeping gently) or incorrectly reports a timeout when it should keep blocking. Either way, it's fixed now.

Tested x86_64-linux && powerpc64le-linux. Committed to trunk.

Attachment: patch.txt

commit 91004436daaf8d54daa467908d1b634a1a352707
Author: Jonathan Wakely
Date: Fri Nov 13 19:11:02 2020

libstdc++: Avoid more 32-bit time_t overflows in futex calls

This fixes another overflow in code converting a std::chrono::seconds duration to a time_t. This time in the new code using a futex wait with an absolute timeout (so this one doesn't need to be backported to the release branches).

A timeout after the epochalypse would overflow the tv_sec field, producing an incorrect value. If that incorrect value happened to be negative, the syscall would return with EINVAL and then the caller would keep retrying, spinning until the timeout was reached. If the value happened to be positive, we would wake up too soon and incorrectly report a timeout.

libstdc++-v3/ChangeLog:

* src/c++11/futex.cc (relative_timespec): Add [[unlikely]] attributes.
(__atomic_futex_unsigned_base::_M_futex_wait_until)
(__atomic_futex_unsigned_base::_M_futex_wait_until_steady): Check for overflow.
* testsuite/30_threads/future/members/wait_until_overflow.cc: New test.

diff --git a/libstdc++-v3/src/c++11/futex.cc b/libstdc++-v3/src/c++11/futex.cc index c2b2d32e8c43..15959cebee57 100644 --- a/libstdc++-v3/src/c++11/futex.cc +++ b/libstdc++-v3/src/c++11/futex.cc @@ -51,6 +51,8 @@ namespace std _GLIBCXX_VISIBILITY(default) { _GLIBCXX_BEGIN_NAMESPACE_VERSION + using __gnu_cxx::__int_traits; + namespace { std::atomic futex_clock_realtime_unavailable; 
@@ -74,10 +76,10 @@ namespace auto rel_s = abs_s.count() - now_s; // Avoid overflows - if (rel_s > __gnu_cxx::__int_traits::__max) - rel_s = __gnu_cxx::__int_traits::__max; - else if (rel_s < __gnu_cxx::__int_traits::__min) - rel_s = __gnu_cxx::__int_traits::__min; + if (rel_s > __int_traits::__max) [[unlikely]] + rel_s = __int_traits::__max; + else if (rel_s < __int_traits::__min) [[unlikely]] + rel_s = __int_traits::__min; // Convert the absolute timeout value to a relative timeout rt.tv_sec = rel_s; @@ -111,14 +113,17 @@ namespace { if (!futex_clock_realtime_unavailable.load(std::memory_order_relaxed)) { - struct timespec rt; - rt.tv_sec = __s.count(); - rt.tv_nsec = __ns.count(); - // futex sets errno=EINVAL for absolute timeouts before the epoch. - if (__builtin_expect(rt.tv_sec < 0, false)) + if (__s.count() < 0) return false; + struct timespec rt; + if (__s.count() > __int_traits::__max) [[unlikely]] + rt.tv_sec = __int_traits::__max; + else + rt.tv_sec = __s.count(); + rt.tv_nsec = __ns.count(); + if (syscall (SYS_futex, __addr, futex_wait_bitset_op | futex_clock_realtime_flag, __val, &rt, nullptr, futex_bitset_match_any) == -1) @@ -184,14 +189,17 @@ namespace { if (!futex_clock_monotonic_unavailable.load(std::memory_order_relaxed)) { - struct timespec rt; - rt.tv_sec = __s.count(); - rt.tv_nsec = __ns.count(); - // futex sets errno=EINVAL for absolute timeouts before the epoch. - if (__builtin_expect(rt.tv_sec < 0, false)) + if (__s.count() < 0) [[unlikely]] return false; + struct timespec rt; + if (__s.count() > __int_traits::__max) [[unlikely]] + rt.tv_sec = __int_traits::__max; + else + rt.tv_sec = __s.count(); + rt.tv_nsec = __ns.count(); + if (syscall (SYS_futex, __addr, futex_wait_bitset_op | futex_clock_monotonic_flag, __val, &rt, nullptr, futex_bitset_match_any) == -1) 
diff --git a/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc b/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc new file mode 100644 index 000000000000..8d6a5148ce3c --- /dev/null +++ b/libstdc++-v3/testsuite/30_threads/future/members/wait_until_overflow.cc @@ -0,0 +1,48 @@ +// { dg-do run } +// { dg-additional-options "-pthread" { target pthread } } +// { dg-require-effective-target c++11 } +// { dg-require-gthreads "" } + +// Copyright (C) 2020 Free Software Foundation, Inc. +// +// This file is part of the GNU ISO C++ Library. This library is free +// software; you can redistribute it and/or modify it under the +// terms of the GNU General Public License as published by the +// Free Software Foundation; either version 3, or (at your option) +// any later version. + +// This library is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. + +// You should have received a copy of the GNU General Public License along +// with this library; see the file COPYING3. If not see +// . + + +#include +#include +#include +#include + +namespace chrono = std::chrono; + +void test01() +{ + std::future fut = std::async(std::launch::async, [] { + std::this_thread::sleep_for(chrono::seconds(4)); + }); + + // A time in the distant future, but which overflows 32-bit time_t: + auto then = chrono::system_clock::now() + chrono::seconds(UINT_MAX + 2LL); + auto status = fut.wait_until(then); + // The wait_until call should have waited for the result to be ready. + // If converting the time_point to time_t overflows, it will timeout. + VERIFY(status == std::future_status::ready); +} + +int main() +{ + test01(); +} --45Z9DzgjV8m4Oswq--
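Review bot: the `[[unlikely]]` attributes added in the `@@ -74,10 +76,10 @@` (`relative_timespec`) hunk are a C++20 feature, and the later hunks replace the old `__builtin_expect(rt.tv_sec < 0, false)` with the same attribute; make sure src/c++11/futex.cc is compiled in a mode where the attribute is honoured, otherwise the branch hint that the old `__builtin_expect` provided is lost.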
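Review bot: in the `@@ -111,14 +113,17 @@` (realtime `_M_futex_wait_until`) hunk the early return `if (__s.count() < 0) return false;` has no `[[unlikely]]`, whereas the identical check in the monotonic hunk does; and the removed line `// futex sets errno=EINVAL for absolute timeouts before the epoch.` was the only explanation of why a negative value returns false rather than being clamped to zero like the positive overflow case, so consider keeping that comment above the new check.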
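Review bot: the negative check, the saturating assignment to `rt.tv_sec` and the `rt.tv_nsec = __ns.count();` line in the `@@ -184,14 +189,17 @@` (monotonic) hunk duplicate the realtime hunk character for character apart from the attribute; a small helper next to `relative_timespec` that builds the absolute `timespec` and returns false for a pre-epoch deadline would keep the two clock paths from drifting apart, as they already have with `[[unlikely]]`. The nanoseconds field is still stored unchecked, which is fine only if every caller passes a value already reduced below one second; a comment stating that precondition would help the next reader.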
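Review bot: the new test in the `wait_until_overflow.cc` hunk only exercises the overflow on targets with a 32-bit time_t (a deadline of `chrono::seconds(UINT_MAX + 2LL)` fits easily in a 64-bit `tv_sec`), so on x86_64-linux it passes for reasons unrelated to this fix; a comment saying so, or a second deadline near time_t's maximum, would make the coverage explicit. The 4-second `sleep_for` also adds wall-clock time to every testsuite run, and a shorter sleep still distinguishes "result ready" from "timed out almost immediately".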
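The conversion the commit message describes, as an added example that is not code from the patch or from libstdc++: it assumes a 32-bit stand-in for time_t so the wrap-around is reproducible on a 64-bit host, and `tv_sec_unchecked`, `tv_sec_checked` and `distant_future` are hypothetical names for the pre-patch logic, the patched logic and the testsuite's deadline.

```cpp
// Added example (not from the patch or libstdc++): models the conversion
// futex.cc performs from chrono::seconds to timespec::tv_sec, using a
// 32-bit time_t stand-in so the wrap-around described in the commit
// message is reproducible on a 64-bit host.
#include <chrono>
#include <climits>
#include <cstdint>
#include <limits>
#include <optional>

namespace chrono = std::chrono;

// Assumed 32-bit time_t; the real type depends on the target.
using time32_t = std::int32_t;

// Pre-patch behaviour: an unchecked narrowing assignment. GCC defines
// out-of-range conversion to a signed type as modular, so a deadline
// about 136 years away wraps to a nearby time.
time32_t tv_sec_unchecked(chrono::seconds s)
{
    return static_cast<time32_t>(s.count());
}

// Patched behaviour: refuse deadlines before the epoch (the kernel
// rejects a negative tv_sec with EINVAL, which made the caller spin)
// and saturate anything past time_t's maximum instead of wrapping.
// An empty result means the futex wait should be skipped entirely.
std::optional<time32_t> tv_sec_checked(chrono::seconds s)
{
    if (s.count() < 0)
        return std::nullopt;
    if (s.count() > std::numeric_limits<time32_t>::max())
        return std::numeric_limits<time32_t>::max();
    return static_cast<time32_t>(s.count());
}

// The testsuite's "distant future" deadline: now + UINT_MAX + 2 seconds.
// With a constructed "now" of 1605294980 s (around the commit date) the
// unchecked path yields now + 1 s, so a wait would time out after one
// second instead of blocking until the result is ready.
chrono::seconds distant_future(chrono::seconds now)
{
    return now + chrono::seconds(UINT_MAX + 2LL);
}
```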