fluencelabs/musl
1
0
Fork 0
mirror of https://github.com/fluencelabs/musl synced 2025-04-26 07:42:13 +00:00
Code Issues Projects Releases Wiki Activity
musl/src/thread/pthread_create.c

125 lines
3.0 KiB
C
Raw Normal View History

initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
#include "pthread_impl.h"
move rsyscall out of pthread_create module this is something of a tradeoff, as now set*id() functions, rather than pthread_create, are what pull in the code overhead for dealing with linux's refusal to implement proper POSIX thread-vs-process semantics. my motivations are: 1. it's cleaner this way, especially cleaner to optimize out the rsyscall locking overhead from pthread_create when it's not needed. 2. it's expected that only a tiny number of core system programs will ever use set*id() functions, whereas many programs may want to use threads, and making thread overhead tiny is an incentive for "light" programs to try threads.
2011-04-06 20:27:07 -04:00
static void dummy_0()
{
}
new attempt at making set*id() safe and robust changing credentials in a multi-threaded program is extremely difficult on linux because it requires synchronizing the change between all threads, which have their own thread-local credentials on the kernel side. this is further complicated by the fact that changing the real uid can fail due to exceeding RLIMIT_NPROC, making it possible that the syscall will succeed in some threads but fail in others. the old __rsyscall approach being replaced was robust in that it would report failure if any one thread failed, but in this case, the program would be left in an inconsistent state where individual threads might have different uid. (this was not as bad as glibc, which would sometimes even fail to report the failure entirely!) the new approach being committed refuses to change real user id when it cannot temporarily set the rlimit to infinity. this is completely POSIX conformant since POSIX does not require an implementation to allow real-user-id changes for non-privileged processes whatsoever. still, setting the real uid can fail due to memory allocation in the kernel, but this can only happen if there is not already a cached object for the target user. thus, we forcibly serialize the syscalls attempts, and fail the entire operation on the first failure. this *should* lead to an all-or-nothing success/failure result, but it's still fragile and highly dependent on kernel developers not breaking things worse than they're already broken. ideally linux will eventually add a CLONE_USERCRED flag that would give POSIX conformant credential changes without any hacks from userspace, and all of this code would become redundant and could be removed ~10 years down the line when everyone has abandoned the old broken kernels. i'm not holding my breath...
2011-07-29 22:59:44 -04:00
weak_alias(dummy_0, __synccall_lock);
weak_alias(dummy_0, __synccall_unlock);
move some more code out of pthread_create.c this also de-uglifies the dummy function aliasing a bit.
2011-04-19 23:09:14 -04:00
weak_alias(dummy_0, __pthread_tsd_run_dtors);
omit pthread tsd dtor code if tsd is not used
2011-04-03 02:33:50 -04:00
match glibc/lsb cancellation abi on i386 glibc made the ridiculous choice to use pass-by-register calling convention for these functions, which is impossible to duplicate directly on non-gcc compilers. instead, we use ugly asm to wrap and convert the calling convention. presumably this works with every compiler anyone could potentially want to use.
2011-03-25 22:13:57 -04:00
#ifdef __pthread_unwind_next
#undef __pthread_unwind_next
#define __pthread_unwind_next __pthread_unwind_next_3
#endif
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
void __pthread_unwind_next(struct __ptcb *cb)
{
fix pthread_exit from cancellation handler cancellation frames were not correctly popped, so this usage would not only loop, but also reuse discarded and invalid parts of the stack.
2011-04-17 17:06:05 -04:00
pthread_t self = pthread_self();
overhaul pthread cancellation this patch improves the correctness, simplicity, and size of cancellation-related code. modulo any small errors, it should now be completely conformant, safe, and resource-leak free. the notion of entering and exiting cancellation-point context has been completely eliminated and replaced with alternative syscall assembly code for cancellable syscalls. the assembly is responsible for setting up execution context information (stack pointer and address of the syscall instruction) which the cancellation signal handler can use to determine whether the interrupted code was in a cancellable state. these changes eliminate race conditions in the previous generation of cancellation handling code (whereby a cancellation request received just prior to the syscall would not be processed, leaving the syscall to block, potentially indefinitely), and remedy an issue where non-cancellable syscalls made from signal handlers became cancellable if the signal handler interrupted a cancellation point. x86_64 asm is untested and may need a second try to get it right.
2011-04-17 11:43:03 -04:00
int n;
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
fix pthread_exit from cancellation handler cancellation frames were not correctly popped, so this usage would not only loop, but also reuse discarded and invalid parts of the stack.
2011-04-17 17:06:05 -04:00
if (cb->__next) {
self->cancelbuf = cb->__next->__next;
longjmp((void *)cb->__next->__jb, 1);
}
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
move some more code out of pthread_create.c this also de-uglifies the dummy function aliasing a bit.
2011-04-19 23:09:14 -04:00
__pthread_tsd_run_dtors();
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
run dtors before taking the exit-lock in pthread exit previously a long-running dtor could cause pthread_detach to block.
2011-06-14 01:25:17 -04:00
__lock(&self->exitlock);
optimize pthread termination in the non-detached case we can avoid blocking signals by simply using a flag to mark that the thread has exited and prevent it from getting counted in the rsyscall signal-pingpong. this restores the original pthread create/join throughput from before the sigprocmask call was added.
2011-03-10 18:31:37 -05:00
/* Mark this thread dead before decrementing count */
fix race condition in pthread_kill if thread id was reused by the kernel between the time pthread_kill read it from the userspace pthread_t object and the time of the tgkill syscall, a signal could be sent to the wrong thread. the tgkill syscall was supposed to prevent this race (versus the old tkill syscall) but it can't; it can only help in the case where the tid is reused in a different process, but not when the tid is reused in the same process. the only solution i can see is an extra lock to prevent threads from exiting while another thread is trying to pthread_kill them. it should be very very cheap in the non-contended case.
2011-06-14 01:35:51 -04:00
__lock(&self->killlock);
optimize pthread termination in the non-detached case we can avoid blocking signals by simply using a flag to mark that the thread has exited and prevent it from getting counted in the rsyscall signal-pingpong. this restores the original pthread create/join throughput from before the sigprocmask call was added.
2011-03-10 18:31:37 -05:00
self->dead = 1;
fix race condition in pthread_kill if thread id was reused by the kernel between the time pthread_kill read it from the userspace pthread_t object and the time of the tgkill syscall, a signal could be sent to the wrong thread. the tgkill syscall was supposed to prevent this race (versus the old tkill syscall) but it can't; it can only help in the case where the tid is reused in a different process, but not when the tid is reused in the same process. the only solution i can see is an extra lock to prevent threads from exiting while another thread is trying to pthread_kill them. it should be very very cheap in the non-contended case.
2011-06-14 01:35:51 -04:00
a_store(&self->killlock, 0);
race condition fix: block all signals before decrementing thread count the existence of a (kernelspace) thread must never have observable effects after the thread count is decremented. if signals are not blocked, it could end up handling the signal for rsyscall and contributing towards the count of threads which have changed ids, causing a thread to be missed. this could lead to one thread retaining unwanted privilege level. this change may also address other subtle race conditions in application code that uses signals.
2011-02-19 11:04:36 -05:00
overhaul pthread cancellation this patch improves the correctness, simplicity, and size of cancellation-related code. modulo any small errors, it should now be completely conformant, safe, and resource-leak free. the notion of entering and exiting cancellation-point context has been completely eliminated and replaced with alternative syscall assembly code for cancellable syscalls. the assembly is responsible for setting up execution context information (stack pointer and address of the syscall instruction) which the cancellation signal handler can use to determine whether the interrupted code was in a cancellable state. these changes eliminate race conditions in the previous generation of cancellation handling code (whereby a cancellation request received just prior to the syscall would not be processed, leaving the syscall to block, potentially indefinitely), and remedy an issue where non-cancellable syscalls made from signal handlers became cancellable if the signal handler interrupted a cancellation point. x86_64 asm is untested and may need a second try to get it right.
2011-04-17 11:43:03 -04:00
do n = libc.threads_minus_1;
while (n && a_cas(&libc.threads_minus_1, n, n-1)!=n);
if (!n) exit(0);
make pthread_exit run dtors for last thread, wait to decrement thread count
2011-02-19 10:38:57 -05:00
optimize pthread termination in the non-detached case we can avoid blocking signals by simply using a flag to mark that the thread has exited and prevent it from getting counted in the rsyscall signal-pingpong. this restores the original pthread create/join throughput from before the sigprocmask call was added.
2011-03-10 18:31:37 -05:00
if (self->detached && self->map_base) {
overhaul implementation-internal signal protections the new approach relies on the fact that the only ways to create sigset_t objects without invoking UB are to use the sig*set() functions, or from the masks returned by sigprocmask, sigaction, etc. or in the ucontext_t argument to a signal handler. thus, as long as sigfillset and sigaddset avoid adding the "protected" signals, there is no way the application will ever obtain a sigset_t including these bits, and thus no need to add the overhead of checking/clearing them when sigprocmask or sigaction is called. note that the old code actually *failed* to remove the bits from sa_mask when sigaction was called. the new implementations are also significantly smaller, simpler, and faster due to ignoring the useless "GNU HURD signals" 65-1024, which are not used and, if there's any sanity in the world, never will be used.
2011-05-07 23:23:58 -04:00
__syscall(SYS_rt_sigprocmask, SIG_BLOCK, (uint64_t[]){-1},0,8);
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
__unmapself(self->map_base, self->map_size);
optimize pthread termination in the non-detached case we can avoid blocking signals by simply using a flag to mark that the thread has exited and prevent it from getting counted in the rsyscall signal-pingpong. this restores the original pthread create/join throughput from before the sigprocmask call was added.
2011-03-10 18:31:37 -05:00
}
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
pthread exit stuff: don't bother setting errno when we won't check it.
2011-04-06 19:47:50 -04:00
__syscall(SYS_exit, 0);
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
}
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
static int start(void *p)
{
struct pthread *self = p;
overhaul implementation-internal signal protections the new approach relies on the fact that the only ways to create sigset_t objects without invoking UB are to use the sig*set() functions, or from the masks returned by sigprocmask, sigaction, etc. or in the ucontext_t argument to a signal handler. thus, as long as sigfillset and sigaddset avoid adding the "protected" signals, there is no way the application will ever obtain a sigset_t including these bits, and thus no need to add the overhead of checking/clearing them when sigprocmask or sigaction is called. note that the old code actually *failed* to remove the bits from sa_mask when sigaction was called. the new implementations are also significantly smaller, simpler, and faster due to ignoring the useless "GNU HURD signals" 65-1024, which are not used and, if there's any sanity in the world, never will be used.
2011-05-07 23:23:58 -04:00
if (self->unblock_cancel)
optimize compound-literal sigset_t's not to contain useless hurd bits
2011-05-07 23:37:10 -04:00
__syscall(SYS_rt_sigprocmask, SIG_UNBLOCK, SIGPT_SET, 0, 8);
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
pthread_exit(self->start(self->start_arg));
return 0;
}
begin unifying clone/thread management interface in preparation for porting
2011-02-15 03:24:58 -05:00
int __uniclone(void *, int (*)(), void *);
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
#define ROUND(x) (((x)+PAGE_SIZE-1)&-PAGE_SIZE)
/* pthread_key_create.c overrides this */
static const size_t dummy = 0;
weak_alias(dummy, __pthread_tsd_size);
int pthread_create(pthread_t *res, const pthread_attr_t *attr, void *(*entry)(void *), void *arg)
{
int ret;
optimize out useless default-attribute object in pthread_create
2011-05-07 23:39:48 -04:00
size_t size = DEFAULT_STACK_SIZE + DEFAULT_GUARD_SIZE;
size_t guard = DEFAULT_GUARD_SIZE;
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
struct pthread *self = pthread_self(), *new;
unsigned char *map, *stack, *tsd;
pthread_create need not set errno
2011-04-03 16:15:15 -04:00
if (!self) return ENOSYS;
clean up handling of thread/nothread mode, locking
2011-04-17 16:53:54 -04:00
if (!libc.threaded) {
optimize compound-literal sigset_t's not to contain useless hurd bits
2011-05-07 23:37:10 -04:00
__syscall(SYS_rt_sigprocmask, SIG_UNBLOCK, SIGPT_SET, 0, 8);
clean up handling of thread/nothread mode, locking
2011-04-17 16:53:54 -04:00
libc.threaded = 1;
}
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
optimize out useless default-attribute object in pthread_create
2011-05-07 23:39:48 -04:00
if (attr) {
guard = ROUND(attr->_a_guardsize + DEFAULT_GUARD_SIZE);
size = guard + ROUND(attr->_a_stacksize + DEFAULT_STACK_SIZE);
}
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
size += __pthread_tsd_size;
map = mmap(0, size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0);
if (!map) return EAGAIN;
cut out a syscall on thread creation in the case where guard size is 0
2011-03-16 11:36:21 -04:00
if (guard) mprotect(map, guard, PROT_NONE);
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
tsd = map + size - __pthread_tsd_size;
new = (void *)(tsd - sizeof *new - PAGE_SIZE%sizeof *new);
new->map_base = map;
new->map_size = size;
new->pid = self->pid;
new->errno_ptr = &new->errno_val;
new->start = entry;
new->start_arg = arg;
new->self = new;
new->tsd = (void *)tsd;
optimize out useless default-attribute object in pthread_create
2011-05-07 23:39:48 -04:00
if (attr) new->detached = attr->_a_detach;
major improvements to cancellation handling - there is no longer any risk of spoofing cancellation requests, since the cancel flag is set in pthread_cancel rather than in the signal handler. - cancellation signal is no longer unblocked when running the cancellation handlers. instead, pthread_create will cause any new threads created from a cancellation handler to unblock their own cancellation signal. - various tweaks in preparation for POSIX timer support.
2011-03-29 12:58:22 -04:00
new->unblock_cancel = self->cancel;
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
memcpy(new->tlsdesc, self->tlsdesc, sizeof new->tlsdesc);
new->tlsdesc[1] = (uintptr_t)new;
stack = (void *)((uintptr_t)new-1 & ~(uintptr_t)15);
new attempt at making set*id() safe and robust changing credentials in a multi-threaded program is extremely difficult on linux because it requires synchronizing the change between all threads, which have their own thread-local credentials on the kernel side. this is further complicated by the fact that changing the real uid can fail due to exceeding RLIMIT_NPROC, making it possible that the syscall will succeed in some threads but fail in others. the old __rsyscall approach being replaced was robust in that it would report failure if any one thread failed, but in this case, the program would be left in an inconsistent state where individual threads might have different uid. (this was not as bad as glibc, which would sometimes even fail to report the failure entirely!) the new approach being committed refuses to change real user id when it cannot temporarily set the rlimit to infinity. this is completely POSIX conformant since POSIX does not require an implementation to allow real-user-id changes for non-privileged processes whatsoever. still, setting the real uid can fail due to memory allocation in the kernel, but this can only happen if there is not already a cached object for the target user. thus, we forcibly serialize the syscalls attempts, and fail the entire operation on the first failure. this *should* lead to an all-or-nothing success/failure result, but it's still fragile and highly dependent on kernel developers not breaking things worse than they're already broken. ideally linux will eventually add a CLONE_USERCRED flag that would give POSIX conformant credential changes without any hacks from userspace, and all of this code would become redundant and could be removed ~10 years down the line when everyone has abandoned the old broken kernels. i'm not holding my breath...
2011-07-29 22:59:44 -04:00
__synccall_lock();
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
a_inc(&libc.threads_minus_1);
begin unifying clone/thread management interface in preparation for porting
2011-02-15 03:24:58 -05:00
ret = __uniclone(stack, start, new);
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
new attempt at making set*id() safe and robust changing credentials in a multi-threaded program is extremely difficult on linux because it requires synchronizing the change between all threads, which have their own thread-local credentials on the kernel side. this is further complicated by the fact that changing the real uid can fail due to exceeding RLIMIT_NPROC, making it possible that the syscall will succeed in some threads but fail in others. the old __rsyscall approach being replaced was robust in that it would report failure if any one thread failed, but in this case, the program would be left in an inconsistent state where individual threads might have different uid. (this was not as bad as glibc, which would sometimes even fail to report the failure entirely!) the new approach being committed refuses to change real user id when it cannot temporarily set the rlimit to infinity. this is completely POSIX conformant since POSIX does not require an implementation to allow real-user-id changes for non-privileged processes whatsoever. still, setting the real uid can fail due to memory allocation in the kernel, but this can only happen if there is not already a cached object for the target user. thus, we forcibly serialize the syscalls attempts, and fail the entire operation on the first failure. this *should* lead to an all-or-nothing success/failure result, but it's still fragile and highly dependent on kernel developers not breaking things worse than they're already broken. ideally linux will eventually add a CLONE_USERCRED flag that would give POSIX conformant credential changes without any hacks from userspace, and all of this code would become redundant and could be removed ~10 years down the line when everyone has abandoned the old broken kernels. i'm not holding my breath...
2011-07-29 22:59:44 -04:00
__synccall_unlock();
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
if (ret < 0) {
a_dec(&libc.threads_minus_1);
munmap(map, size);
make pthread_create return EAGAIN on resource failure, as required by POSIX
2011-02-15 02:20:21 -05:00
return EAGAIN;
initial check-in, version 0.5.0
2011-02-12 00:22:29 -05:00
}
*res = new;
return 0;
}
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
void pthread_exit(void *result)
{
struct pthread *self = pthread_self();
overhaul pthread cancellation this patch improves the correctness, simplicity, and size of cancellation-related code. modulo any small errors, it should now be completely conformant, safe, and resource-leak free. the notion of entering and exiting cancellation-point context has been completely eliminated and replaced with alternative syscall assembly code for cancellable syscalls. the assembly is responsible for setting up execution context information (stack pointer and address of the syscall instruction) which the cancellation signal handler can use to determine whether the interrupted code was in a cancellable state. these changes eliminate race conditions in the previous generation of cancellation handling code (whereby a cancellation request received just prior to the syscall would not be processed, leaving the syscall to block, potentially indefinitely), and remedy an issue where non-cancellable syscalls made from signal handlers became cancellable if the signal handler interrupted a cancellation point. x86_64 asm is untested and may need a second try to get it right.
2011-04-17 11:43:03 -04:00
struct __ptcb cb = { .__next = self->cancelbuf };
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
self->result = result;
overhaul pthread cancellation this patch improves the correctness, simplicity, and size of cancellation-related code. modulo any small errors, it should now be completely conformant, safe, and resource-leak free. the notion of entering and exiting cancellation-point context has been completely eliminated and replaced with alternative syscall assembly code for cancellable syscalls. the assembly is responsible for setting up execution context information (stack pointer and address of the syscall instruction) which the cancellation signal handler can use to determine whether the interrupted code was in a cancellable state. these changes eliminate race conditions in the previous generation of cancellation handling code (whereby a cancellation request received just prior to the syscall would not be processed, leaving the syscall to block, potentially indefinitely), and remedy an issue where non-cancellable syscalls made from signal handlers became cancellable if the signal handler interrupted a cancellation point. x86_64 asm is untested and may need a second try to get it right.
2011-04-17 11:43:03 -04:00
__pthread_unwind_next(&cb);
reorganize thread exit code, make pthread_exit call cancellation handlers (pt2)
2011-02-13 19:58:30 -05:00
}
Reference in New Issue Copy Permalink