- 
                Notifications
    You must be signed in to change notification settings 
- Fork 13.9k
std: stop using TLS in signal handler #140628
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
| rustbot has assigned @Mark-Simulacrum. Use  | 
      
        
              This comment has been minimized.
        
        
      
    
  This comment has been minimized.
| 
 well, that doesn't seem good | 
| The Miri subtree was changed cc @rust-lang/miri | 
| 
 That's no cause for concern, these miri tests just assumed that there is no synchronisation between threads created independently from each other. That's no longer true however as the threads all acquire the thread info lock. I've fixed this now by moving the operations around a bit and by using  | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the Miri test changes are right, but I find these tests a lot harder to read now. We should stop using thread::spawn and instead directly call pthread_create or so to avoid the spurious synchronization that std incurs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
General approach seems fine to me.
| //! Unfortunately, because thread local storage isn't async-signal-safe, we | ||
| //! cannot soundly use it in our stack overflow handler. While this works | ||
| //! without problems on most platforms, it can lead to undefined behaviour | ||
| //! on others (such as GNU/Linux). Luckily, the POSIX specification documents | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we expect that all cfg(unix) platforms satisfy POSIX? Is that a safe assumption to make?
It seems a little odd to me that errno is somehow special (vs arbitrary thread-locals)...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems a little odd to me that
errnois somehow special (vs arbitrary thread-locals)...
The C runtime can rely on the fact that it's always loaded and use e.g. the initial-exec TLS model – which is async-signal-safe – for errno (that's what glibc does). Or they embed errno into the thread control block, which is accessible through the thread pointer (that's what musl does).
I guess we expect that all cfg(unix) platforms satisfy POSIX? Is that a safe assumption to make?
The expectation must only hold for platforms that enable the stack overflow handler.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not a safe assumption to make on various niche cases, however if they implement any threading, have signals, yet do not implement POSIX correctly-enough for this, they will have a lot of problems that we will immediately notice. In particular, this is a very mild demand: "implement errno in a POSIX-conforming way". If you have threads and signals AND want to run C code, you pretty much have to do this. Your only choice with being non-conformant in that case is to deliberately pick a non-conforming implementation that still somehow doesn't get stomped by C code running concurrently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In practice the only other implementation of errno I would expect to see is the global version that gets stomped by running concurrently and thus cannot support threading.
| // This uses a `BTreeMap` instead of a hashmap since it supports constant | ||
| // initialization and automatically reduces the amount of memory used when | ||
| // items are removed. | ||
| static mut THREAD_INFO: BTreeMap<usize, ThreadInfo> = BTreeMap::new(); | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe s/static mut/ with a SyncUnsafeCell or something like that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't feel strongly about this, but I didn't think it any clearer...
| // items are removed. | ||
| static mut THREAD_INFO: BTreeMap<usize, ThreadInfo> = BTreeMap::new(); | ||
|  | ||
| struct UnlockOnDrop; | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we make this be SpinGuard<'a, BTreeMap<usize, ThreadInfo>> or so?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would necessitate Deref and DerefMut implementations that aren't really adding any clarity.
| } | ||
| } | ||
|  | ||
| pub fn set_current_info(guard_page_range: Range<usize>, thread_name: Option<Box<str>>) { | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: why not take the ThreadInfo struct as the argument?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought the struct creation to be unnecessary clutter at the call site.
| 
 Are we OK with that guarantee propagating out to "userspace"? I guess it's sort of unavoidable if we want some kind of lock at thread creation/death but it feels a bit like that should be a more intentional decision? I guess it's undocumented but might still be a bit hard to claw back if we found a way to eliminate the lock later. | 
| 
 I've added a helper function that abstracts all of the  | 
      
        
              This comment has been minimized.
        
        
      
    
  This comment has been minimized.
| Hm, I guess that is the other option. It'd also let us remove some other hacks from Miri probably, since we don't really support the functions that code uses. OTOH it does leave some code without our usual UB test coverage. | 
TLS is not async-signal-safe, making its use in the signal handler used to detect stack overflows unsound (c.f. rust-lang#133698). POSIX however lists two thread-specific identifiers that can be obtained in a signal handler: the current `pthread_t` and the address of `errno`. Since `pthread_equal` is not AS-safe, `pthread_t` should be considered opaque, so for our purposes, `&errno` is the only option. This however works nicely: we can use the address as a key into a map that stores information for each thread. This PR uses a `BTreeMap` protected by a spin lock to hold the guard page address and thread name and thus fixes rust-lang#133698.
| mod thread_info; | ||
|  | ||
| // miri doesn't model signals, and this code has some synchronization properties | ||
| // that we don't want to expose to user code. | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
| // that we don't want to expose to user code. | |
| // that we don't want to expose to user code. Also, Miri fundamentally cannot even have a stack overflow. | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think Miri could definitely have stack overflows. It's just that random aborts aren't a useful think to emulate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How could Miri have stack overflows? The stack is a Vec<Frame>. We can have a push fail due to OOM, but that will just abort the interpreter aprubtly in a well-defined way.
| r=me modulo Ralf's suggestion. No strong opinion on the remaining unresolved threads, seems fine to leave as-is. | 
…imulacrum std: stop using TLS in signal handler TLS is not async-signal-safe, making its use in the signal handler used to detect stack overflows unsound (c.f. rust-lang#133698). POSIX however lists two thread-specific identifiers that can be obtained in a signal handler: the current `pthread_t` and the address of `errno`. Since `pthread_equal` is not AS-safe, `pthread_t` should be considered opaque, so for our purposes, `&errno` is the only option. This however works nicely: we can use the address as a key into a map that stores information for each thread. This PR uses a `BTreeMap` protected by a spin lock to hold the guard page address and thread name and thus fixes rust-lang#133698.
Rollup of 6 pull requests Successful merges: - rust-lang#127013 (Add `f16` formatting and parsing) - rust-lang#140154 (Cygwin support in rustc) - rust-lang#140628 (std: stop using TLS in signal handler) - rust-lang#140966 (Remove #![feature(let_chains)] from library and src/librustdoc) - rust-lang#140994 (replace `cc_detect::cc2ar` with `cc::try_get_archiver`) - rust-lang#141127 (bump windows crate for compiler,bootstrap and tools) r? `@ghost` `@rustbot` modify labels: rollup
…imulacrum std: stop using TLS in signal handler TLS is not async-signal-safe, making its use in the signal handler used to detect stack overflows unsound (c.f. rust-lang#133698). POSIX however lists two thread-specific identifiers that can be obtained in a signal handler: the current `pthread_t` and the address of `errno`. Since `pthread_equal` is not AS-safe, `pthread_t` should be considered opaque, so for our purposes, `&errno` is the only option. This however works nicely: we can use the address as a key into a map that stores information for each thread. This PR uses a `BTreeMap` protected by a spin lock to hold the guard page address and thread name and thus fixes rust-lang#133698.
Rollup of 10 pull requests Successful merges: - rust-lang#127013 (Add `f16` formatting and parsing) - rust-lang#138940 (Stabilize the avx512 target features) - rust-lang#140154 (Cygwin support in rustc) - rust-lang#140490 (split `asm!` parsing and validation) - rust-lang#140628 (std: stop using TLS in signal handler) - rust-lang#140746 (name resolution for guard patterns) - rust-lang#140926 (Return value of coroutine_layout fn changed to Result with LayoutError) - rust-lang#141127 (bump windows crate for compiler,bootstrap and tools) - rust-lang#141214 (Miri subtree update) - rust-lang#141218 (gvn: avoid creating overlapping assignments) r? `@ghost` `@rustbot` modify labels: rollup
Rollup of 8 pull requests Successful merges: - rust-lang#138940 (Stabilize the avx512 target features) - rust-lang#140490 (split `asm!` parsing and validation) - rust-lang#140628 (std: stop using TLS in signal handler) - rust-lang#140746 (name resolution for guard patterns) - rust-lang#140926 (Return value of coroutine_layout fn changed to Result with LayoutError) - rust-lang#141127 (bump windows crate for compiler,bootstrap and tools) - rust-lang#141214 (Miri subtree update) - rust-lang#141218 (gvn: avoid creating overlapping assignments) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#140628 - joboet:async_signal_safe, r=Mark-Simulacrum std: stop using TLS in signal handler TLS is not async-signal-safe, making its use in the signal handler used to detect stack overflows unsound (c.f. rust-lang#133698). POSIX however lists two thread-specific identifiers that can be obtained in a signal handler: the current `pthread_t` and the address of `errno`. Since `pthread_equal` is not AS-safe, `pthread_t` should be considered opaque, so for our purposes, `&errno` is the only option. This however works nicely: we can use the address as a key into a map that stores information for each thread. This PR uses a `BTreeMap` protected by a spin lock to hold the guard page address and thread name and thus fixes rust-lang#133698.
| @rust-timer build 9233687 | 
      
        
              This comment has been minimized.
        
        
      
    
  This comment has been minimized.
| Finished benchmarking commit (9233687): comparison URL. Overall result: ❌✅ regressions and improvements - please read the text belowBenchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR may lead to changes in compiler perf. Next Steps: If you can justify the regressions found in this try perf run, please indicate this with  @bors rollup=never Instruction countThis is the most reliable metric that we have; it was used to determine the overall result at the top of this comment. However, even this metric can sometimes exhibit noise. 
 Max RSS (memory usage)Results (secondary -0.4%)This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment. 
 CyclesResults (primary 0.6%, secondary 0.1%)This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment. 
 Binary sizeResults (primary 1.3%, secondary 3.5%)This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment. 
 Bootstrap: 776.543s -> 777.462s (0.12%) | 
| It looks like this is the source of the binary size regressions from #141232. The larger binary size is probably enough to also cause a small amount of icount regressions on the smallest benchmarks. | 
| The binary size regression is pretty much unavoidable, we'll always need some kind of dictionary to store the data. The only solution I see would be to revert this entirely and go back to the previous unsound-but-working-in-practice method of relying on TLS. | 
…imulacrum std: stop using TLS in signal handler TLS is not async-signal-safe, making its use in the signal handler used to detect stack overflows unsound (c.f. rust-lang#133698). POSIX however lists two thread-specific identifiers that can be obtained in a signal handler: the current `pthread_t` and the address of `errno`. Since `pthread_equal` is not AS-safe, `pthread_t` should be considered opaque, so for our purposes, `&errno` is the only option. This however works nicely: we can use the address as a key into a map that stores information for each thread. This PR uses a `BTreeMap` protected by a spin lock to hold the guard page address and thread name and thus fixes rust-lang#133698.
| I see, thanks. Well, making something be no longer unsound is probably a good reason for binary size regressions. @rustbot label: +perf-regression-triaged | 
| I feel a bit crazy given that this passed tests, but this new implementation does not, in fact, seem to manage to get the thread name into the error message? Filed a bug at #144481. | 
… r=ChrisDenton thread name in stack overflow message Fixes rust-lang#144481, which is caused by the thread name not being initialised yet when setting up the stack overflow information. Unfortunately, the stack overflow UI test did not test for the correct thread name being present, and testing this separately didn't occur to me when writing rust-lang#140628. This PR contains the smallest possible fix I could think of: passing the thread name explicitly to the platform thread creation function. In the future I'd very much like to explore some possibilities around merging the thread packet and thread handle into one structure and using that in the platform code instead – but that's best left for another PR. This PR also amends the stack overflow test to check for thread names, so we don't run into this again. `@rustbot` label +beta-nominated
… r=ChrisDenton thread name in stack overflow message Fixes rust-lang#144481, which is caused by the thread name not being initialised yet when setting up the stack overflow information. Unfortunately, the stack overflow UI test did not test for the correct thread name being present, and testing this separately didn't occur to me when writing rust-lang#140628. This PR contains the smallest possible fix I could think of: passing the thread name explicitly to the platform thread creation function. In the future I'd very much like to explore some possibilities around merging the thread packet and thread handle into one structure and using that in the platform code instead – but that's best left for another PR. This PR also amends the stack overflow test to check for thread names, so we don't run into this again. `@rustbot` label +beta-nominated
… r=ChrisDenton thread name in stack overflow message Fixes rust-lang#144481, which is caused by the thread name not being initialised yet when setting up the stack overflow information. Unfortunately, the stack overflow UI test did not test for the correct thread name being present, and testing this separately didn't occur to me when writing rust-lang#140628. This PR contains the smallest possible fix I could think of: passing the thread name explicitly to the platform thread creation function. In the future I'd very much like to explore some possibilities around merging the thread packet and thread handle into one structure and using that in the platform code instead – but that's best left for another PR. This PR also amends the stack overflow test to check for thread names, so we don't run into this again. ``@rustbot`` label +beta-nominated
Rollup merge of #144500 - joboet:thread-name-stack-overflow, r=ChrisDenton thread name in stack overflow message Fixes #144481, which is caused by the thread name not being initialised yet when setting up the stack overflow information. Unfortunately, the stack overflow UI test did not test for the correct thread name being present, and testing this separately didn't occur to me when writing #140628. This PR contains the smallest possible fix I could think of: passing the thread name explicitly to the platform thread creation function. In the future I'd very much like to explore some possibilities around merging the thread packet and thread handle into one structure and using that in the platform code instead – but that's best left for another PR. This PR also amends the stack overflow test to check for thread names, so we don't run into this again. ``@rustbot`` label +beta-nominated
… r=ChrisDenton thread name in stack overflow message Fixes rust-lang#144481, which is caused by the thread name not being initialised yet when setting up the stack overflow information. Unfortunately, the stack overflow UI test did not test for the correct thread name being present, and testing this separately didn't occur to me when writing rust-lang#140628. This PR contains the smallest possible fix I could think of: passing the thread name explicitly to the platform thread creation function. In the future I'd very much like to explore some possibilities around merging the thread packet and thread handle into one structure and using that in the platform code instead – but that's best left for another PR. This PR also amends the stack overflow test to check for thread names, so we don't run into this again. ``@rustbot`` label +beta-nominated
…enton thread name in stack overflow message Fixes rust-lang/rust#144481, which is caused by the thread name not being initialised yet when setting up the stack overflow information. Unfortunately, the stack overflow UI test did not test for the correct thread name being present, and testing this separately didn't occur to me when writing rust-lang/rust#140628. This PR contains the smallest possible fix I could think of: passing the thread name explicitly to the platform thread creation function. In the future I'd very much like to explore some possibilities around merging the thread packet and thread handle into one structure and using that in the platform code instead – but that's best left for another PR. This PR also amends the stack overflow test to check for thread names, so we don't run into this again. ``@rustbot`` label +beta-nominated
TLS is not async-signal-safe, making its use in the signal handler used to detect stack overflows unsound (c.f. #133698). POSIX however lists two thread-specific identifiers that can be obtained in a signal handler: the current
pthread_tand the address oferrno. Sincepthread_equalis not AS-safe,pthread_tshould be considered opaque, so for our purposes,&errnois the only option. This however works nicely: we can use the address as a key into a map that stores information for each thread. This PR uses aBTreeMapprotected by a spin lock to hold the guard page address and thread name and thus fixes #133698.