Detect when pthread_mutex_t is moved

[Mandragorian]

What I am not sure about this PR is how to support storing the additional mutex data like its address and kind. If I understand correctly the concurrency::sync::Mutex struct is to be used by any mutex implementation. This possibly means that different implementation might want to store different data in the mutex. So any additional data should be implementation defined somehow. Solutions that come to mind:

• Store the additional data as Box<dyn Any> and the implementations can downcast their data when they fetch them.
• Have each shim implementation define a static mut map between MutexIDs and the additional data.

Let me know

Fixes #3749

[Mandragorian]

@rustbot ready

[Mandragorian]

Hi!

Just wanted to quickly check if this fell through the cracks. (But no pressure if you are busy!). Thanks!

[RalfJung]

It's in my list. :) Sorry for the slow reply. Too many things that need to be done...

[RalfJung]

Thanks for giving this a shot! I like the AdditionalMutexData part, but the way it gets used in unix/sync should be changed a bit -- see the comments in the review.

[RalfJung]

Instead of initializing with default values and then changing them, please immediately push the right values.

[RalfJung]

Since we really only care about the address, this should be a u64. Currently you are also storing provenance but we don't actually care about that.

[RalfJung]

Suggested change

	let address = ecx.deref_pointer_as(mutex_op, ecx.libc_ty_layout("pthread_mutex_t"))?.ptr();
	// FIXME: might be worth changing mutex_get_or_create_id to take the mplace
	// rather than the `OpTy`.
	let address = ecx.deref_pointer_as(mutex_op, ecx.libc_ty_layout("pthread_mutex_t"))?.ptr();

[bors]

☔ The latest upstream changes (presumably #3823) made this pull request unmergeable. Please resolve the merge conflicts.

[RalfJung]

@rustbot author

[RalfJung]

(please write @rustbot ready when this is ready for review again)

[Mandragorian]

Yeah, I wanted to post a comment first with a few things I am not sure are correct. I realized it was late after I pushed the changes so I decided to do that today. sorry if it caused confusion. Here is what I wanted to say:

To check for the static initializers I have to ignore a "header" in the pthread_mutex_t where miri stores the MutexId. The way the code works now, initialization of the additional data happens lazily, after the compare exchange operation. So at that point the mutex id is stored, and doing a bitwise comparison with the static initializers will fail. I could call the closure before checking for initialization in get_or_create_id, but then this would happen every time a mutex is locked/unlocked which could be slow. So i decided to ignore 4 + mutex_id_offset bytes from the contents of a mutex when checking if it is equal to a static initializer.

This also solves another issue. When i was reading the full contents of the mutex, miri thought there was a race condition. I did not spend too much time debugging this. But I believe it is because when trying to lock, for example, a mutex that was initialized with a static initializer, in thread A, all the bytes of pthread_mutex_t (including the id) would be read. Then thread B would try to also lock the mutex, and call get_or_create_id. The previous unsynchronized read then clashed with the atomic read in compare_exchange. I couldn't find the proper way to fix this. I think I might need to somehow use acquire_clock but I couldn't exactly understand how it works. Since I am now ignoring the mutex id part, I think this sidesteps the issue.

Finally, instead of adding a forece_create boolean argument, I opted for defining a new function that creates the mutex eagerly. I thought that adding more logic in get_or_create_id might make it too complex. But I a have no strong feelings about this. The current way also removes the need for mutex_reset_id. Otherwise, I think we need to call it to initialize the mutex id memory, otherwise miri complains that there was a read of uninit data, I am assuming at compare_exchange.

@rustbot ready

[RalfJung]

To check for the static initializers I have to ignore a "header" in the pthread_mutex_t where miri stores the MutexId. The way the code works now, initialization of the additional data happens lazily, after the compare exchange operation. So at that point the mutex id is stored, and doing a bitwise comparison with the static initializers will fail. I could call the closure before checking for initialization in get_or_create_id, but then this would happen every time a mutex is locked/unlocked which could be slow. So i decided to ignore 4 + mutex_id_offset bytes from the contents of a mutex when checking if it is equal to a static initializer.

Ah yes, this has to be done quite carefully to avoid races.

I'd say for now just scratch this sanity check. Checking just some of the bytes is a bit too ugly IMO, after all we don't have to catch these kinds of bugs anyway. So let's just use the "zero ID" as indicator that this must be initialized and not do a separate check for now; we can explore how to add such a check separately in the future.

[RalfJung]

Having a separate create_id leads to some duplication in the API surface -- we'll need this for all types that have static and explicit initializers. But on the other hand, having the "explicit initialization" separate from "initialize from static initializer" is also nice, so yeah let's go with that.

[RalfJung]

This is only called once, please inline it at the call site.

[RalfJung]

kind_from_static_initializer or so would be better IMO, making it clear that we're parsing target-specific constants here but never our own data.

[RalfJung]

Can you add a FIXME to the sanity check logic above that we should also check the other static initializers for platforms where they exist?

[Mandragorian]

Is this still needed after you checked that there are no other other initializers?

[RalfJung]

Yeah it needs to be checked for Linux.

[RalfJung]

This still makes the assumption that the platform-specific field that encodes the mutex kind in the static initializer is after the "header". So it's not enough to be sure we are matching platform behavior, and it's not clean enough IMO to keep it as a half-measure.

I also just realized that this function is also called after the new ID has been written, so a full comparison with pthread_mutex_t would anyway not work.

So I think the best option is to have a match &*ecx.tcx.sess.target.os inside this function and then determine for each platform what we have to read to find the initial mutex kind -- basically exactly what mutex_get_kind did before this PR, but only doing it here when we "parse" a static initializer, rather than doing it each time the mutex is used. On Linux this would read 4 bytes at offset if ecx.pointer_size().bytes() == 8 { 16 } else { 12 }. For the other supported targets we'll have to check whether they have any static initializers other than PTHREAD_MUTEX_DEFAULT. And if any platform adds such initializers in the future, Miri will just ignore them until we realize that... maybe one day we can do the comparison with PTHREAD_MUTEX_DEFAULT but it will require reworking get_or_create_id a bit more so that create_obj is called before the new ID is written.

[RalfJung]

I checked and none of the other targets has any other static initializers.

[Mandragorian]

done. I am not sure I interpreted all of your comment correctly, so let me know.

[RalfJung]

Please preserve this comment, it is still relevant.

[RalfJung]

@rustbot author

[RalfJung]

I checked and none of the other targets has any other static initializers.

[Mandragorian]

@rustbot ready

[RalfJung]

Please make this an exhaustive match, like the old mutex_get_kind. When we add a new target we need to check that this is still true.

[RalfJung]

Please check that kind is a valid mutex kind.

In fact, probably it would make sense to make this an enum? Then all the other mutex functions won't have to compare this with libc constants any more...

[Mandragorian]

re making this an enum:

I don't disagree, but I am a bit unsure on how to do this. In my mind ideally the MutexKind would be a type known only to the pthreads implementation, but currently it lives with the generic mutex implementation. At least by making this an i32 it would allow other mutex APIs other than pthreads to possibly reuse it. However if we make it an enum it might be too coupled with pthreads terminology.

As the code is now, we can't make the AdditionalMutexData generic so that each mutex implementation can define its own type to hold whatever data they want.

On the other hand this might be abstracting way to soon since there is no other implementation that needs additional data. What do you think?

[RalfJung]

As the code is now, we can't make the AdditionalMutexData generic so that each mutex implementation can define its own type to hold whatever data they want.

We could use dyn Any trickery.

But IMO it's not worth it. We can just say the enum lists all mutex kinds of all implementations. 🤷 You can mark the enum #[non_exhaustive] to drive home that point, and force all matches to end with _ => panic!("pthread mutex with invalid mutex kind") or so.

[Mandragorian]

@rustbot ready

[RalfJung]

That line of the comment seems outdated now.

[RalfJung]

Please declare the revisions before using them.

Also, I am confused by the names. lock really is static_initializer, right? init is initializer_function. And why is unlock_register only for Linux? Recursive mutexes exist on all platforms, they just don't have a static initializer on non-Linux.

Maybe it just needs comments explaining what these variants are testing, but currently I am quite confused. I expected only 2 tests -- one that uses the static initializer and one that uses pthread_mutex_init.

[Mandragorian]

Regarding the tests:

In my mind what needs to be tested is the ability of the pthread_mutex_* functions to record and then later detect a moved pthread_mutex_t. So for each such function I call it two times. If the move is caught it means that the function both recorded the original address and detected the move. At least that's the intention.

For the unlock function however I needed a slight different approach. Static initializers are only supported on linux, and unlock can only be called on recursive mutexes if they are unlocked. So I used two different revisions, one to test that unlock correctly registers the address (with a static initializer), and one to test that it detects a move, when called after init.

[RalfJung]

I see, thanks.

However, given our implementation, we know this is all the same codepath, so it doesn't seem worth testing all combinations.

[Mandragorian]

ack, removed the extra tests.

[Mandragorian]

@rustbot ready

[RalfJung]

Thanks! LGTM, just two comment nits. Then please squash the commits.

[Mandragorian]

Thanks! LGTM, just two comment nits. Then please squash the commits.

done thanks!

[RalfJung]

Thanks. :-)

@bors r+

[bors]

📌 Commit aba9bb2 has been approved by RalfJung

It is now in the queue for this repository.

[bors]

⌛ Testing commit aba9bb2 with merge 7b422fe...

[RalfJung]

I only just noticed that you even suggested this initially. :D

Store the additional data as Box<dyn Any> and the implementations can downcast their data when they fetch them.

If you want to do this in a follow-up PR, let me know. :)

[bors]

☀️ Test successful - checks-actions
Approved by: RalfJung
Pushing 7b422fe to master...