Changeset 274608 in webkit

Timestamp:

Mar 17, 2021 7:40:00 PM (3 years ago)

Author:

mark.lam@apple.com

Message:

Fix race condition in ConcurrentPtrHashSet.
​https://bugs.webkit.org/show_bug.cgi?id=223241
rdar://74637896

Reviewed by Yusuke Suzuki.

JSTests:

• stress/race-to-add-opaque-roots-in-ConcurrentPtrHashSet.js: Added.

Source/WTF:

There exists a race condition where ConcurrentPtrHashSet::resizeIfNecessary() may
not capture an entry added by ConcurrentPtrHashSet::addSlow() concurrently.

ConcurrentPtrHashSet::addSlow() currently does the following:

{

if (table->load.exchangeAdd(1) >= table->maxLoad()) (a1)

return resizeAndAdd(ptr); (a2)

for (;;) {

void* oldEntry = table->array[index].compareExchangeStrong(nullptr, ptr); (a3)
if (!oldEntry) {

if (m_table.load() != table) { (a4)

We added an entry to an old table! We need to reexecute the add on the new table.
return add(ptr); (a5)

}
return true; (a6)

}
if (oldEntry == ptr)

return false;

... set index to next entry slot to try.

}

}

ConcurrentPtrHashSet::resizeIfNecessary() currently does the following:

{

auto locker = holdLock(m_lock); (r1)
Table* table = m_table.loadRelaxed();
if (table->load.loadRelaxed() < table->maxLoad())

return;

(r2)

std::unique_ptr<Table> newTable = Table::create(table->size * 2);
...
for (unsigned i = 0; i < table->size; ++i) { (r3)

void* ptr = table->array[i].loadRelaxed();
if (!ptr)

continue;

... copy ptr to newTable. (r4)

}

...
m_table.store(newTable.get()); (r5)
...

}

Let's say thread T1 is executing addSlow(), and thread T2 is concurrently executing
resizeIfNecessary().

Consider the following scenario (in chronological order):

1. T2 has arrived at just before (r5) i.e. it is already done copying the entries in the old m_table.
2. T1 executes (a3) and writes a new entry into m_table.
3. T1 checks that the table hasn't been replaced at (a4), and sees that it has not.
4. T1 returns at (a6), thinking that its new entry is committed.
5. T2 sets the new m_table at (r5), thereby discarding the new entry that T1 has just written.

The fix is to set m_table to a newly introduced m_stubTable at (r2). m_stubTable
is set up with a size of 0, and load value of 10. This means it is always full.
With this, the following scenarios can play out:

Scenario 1: T2 installs m_stubTable before T1 reaches (a1)

1. At (a1), T1 sees that m_table (which is m_stubTable) is full.
2. T1 calls resizeAndAdd() at (a2), which ends up calling resizeIfNecessary() and blocking on the lock at (r1).

Scenario 2: T2 installs m_stubTable after T1 reaches just before (a3)

1. T1 writes the new entry at (a3).
2. T1 checks m_table at (a4), and sees that it has changed (now pointing to m_stubTable).
3. T1 calls add() again at (a5) to redo the operation, and ends with scenario 1.

Scenario 3: T2 installs m_stubTable after T1 reaches (a3), but before (a4)

1. The new entry has already been added, but we don't know if it made the cut off for T2 to copy it or not. But, it doesn't matter because ...
2. T1 checks m_table at (a4), and sees that it has changed (now pointing to m_stubTable).
3. T1 calls add() again at (a5) to redo the operation, and ends with scenario 1.

Scenario 4: T2 installs m_stubTable after T1 reaches (a4)

1. The new entry has already been added.
2. T1 checks m_table at (a4), and sees that it has NOT changed (because T2 hasn't installed m_stubTable yet). This means T2's copy loop is guaranteed to not have started yet i.e. the new entry will definitely be picked up by the copy loop.
3. T1 returns at (a6), and all is well.

• wtf/ConcurrentPtrHashSet.cpp:

(WTF::ConcurrentPtrHashSet::deleteOldTables):
(WTF::ConcurrentPtrHashSet::initialize):
(WTF::ConcurrentPtrHashSet::containsImplSlow const):
(WTF::ConcurrentPtrHashSet::sizeSlow const):
(WTF::ConcurrentPtrHashSet::resizeIfNecessary):
(WTF::ConcurrentPtrHashSet::Table::initializeStub):

• wtf/ConcurrentPtrHashSet.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/race-to-add-opaque-roots-in-ConcurrentPtrHashSet.js (added)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/ConcurrentPtrHashSet.cpp (modified) (6 diffs)
• Source/WTF/wtf/ConcurrentPtrHashSet.h (modified) (4 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-03-17  Mark Lam  <mark.lam@apple.com>
+
+        Fix race condition in ConcurrentPtrHashSet.
+        https://bugs.webkit.org/show_bug.cgi?id=223241
+        rdar://74637896
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/race-to-add-opaque-roots-in-ConcurrentPtrHashSet.js: Added.
+
 2021-03-16  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2021-03-17  Mark Lam  <mark.lam@apple.com>
+
+        Fix race condition in ConcurrentPtrHashSet.
+        https://bugs.webkit.org/show_bug.cgi?id=223241
+        rdar://74637896
+
+        Reviewed by Yusuke Suzuki.
+
+        There exists a race condition where ConcurrentPtrHashSet::resizeIfNecessary() may
+        not capture an entry added by ConcurrentPtrHashSet::addSlow() concurrently.
+
+        ConcurrentPtrHashSet::addSlow() currently does the following:
+
+            {
+                if (table->load.exchangeAdd(1) >= table->maxLoad())     // (a1)
+                    return resizeAndAdd(ptr);                           // (a2)
+    
+                for (;;) {
+                    void* oldEntry = table->array[index].compareExchangeStrong(nullptr, ptr);   // (a3)
+                    if (!oldEntry) {
+                        if (m_table.load() != table) {                  // (a4)
+                            // We added an entry to an old table! We need to reexecute the add on the new table.
+                            return add(ptr);                            // (a5)
+                        }
+                        return true;                                    // (a6)
+                    }
+                    if (oldEntry == ptr)
+                        return false;
+
+                    ... // set index to next entry slot to try.
+                }
+            }
+
+        ConcurrentPtrHashSet::resizeIfNecessary() currently does the following:
+
+            {
+                auto locker = holdLock(m_lock);                         // (r1)
+                Table* table = m_table.loadRelaxed();
+                if (table->load.loadRelaxed() < table->maxLoad())
+                    return;
+
+                // (r2)
+
+                std::unique_ptr<Table> newTable = Table::create(table->size * 2);
+                ...
+                for (unsigned i = 0; i < table->size; ++i) {            // (r3)
+                    void* ptr = table->array[i].loadRelaxed();
+                    if (!ptr)
+                        continue;
+        
+                    ... // copy ptr to newTable.                        // (r4)
+                }
+    
+                ...
+                m_table.store(newTable.get());                          // (r5)
+                ...
+            }
+
+        Let's say thread T1 is executing addSlow(), and thread T2 is concurrently executing
+        resizeIfNecessary().
+
+        Consider the following scenario (in chronological order):
+        1. T2 has arrived at just before (r5) i.e. it is already done copying the entries
+           in the old m_table.  
+        2. T1 executes (a3) and writes a new entry into m_table.
+        3. T1 checks that the table hasn't been replaced at (a4), and sees that it has
+           not.
+        4. T1 returns at (a6), thinking that its new entry is committed.
+        5. T2 sets the new m_table at (r5), thereby discarding the new entry that T1 has
+           just written.
+
+        The fix is to set m_table to a newly introduced m_stubTable at (r2).  m_stubTable
+        is set up with a size of 0, and load value of 10.  This means it is always full.
+        With this, the following scenarios can play out:
+
+        Scenario 1: T2 installs m_stubTable before T1 reaches (a1)
+
+        1. At (a1), T1 sees that m_table (which is m_stubTable) is full.
+        2. T1 calls resizeAndAdd() at (a2), which ends up calling resizeIfNecessary()
+           and blocking on the lock at (r1).
+
+        Scenario 2: T2 installs m_stubTable after T1 reaches just before (a3)
+
+        1. T1 writes the new entry at (a3).
+        2. T1 checks m_table at (a4), and sees that it has changed (now pointing to
+           m_stubTable).
+        3. T1 calls add() again at (a5) to redo the operation, and ends with scenario 1.
+
+        Scenario 3: T2 installs m_stubTable after T1 reaches (a3), but before (a4)
+
+        1. The new entry has already been added, but we don't know if it made the cut off
+           for T2 to copy it or not.  But, it doesn't matter because ...
+        2. T1 checks m_table at (a4), and sees that it has changed (now pointing to
+           m_stubTable).
+        3. T1 calls add() again at (a5) to redo the operation, and ends with scenario 1.
+
+        Scenario 4: T2 installs m_stubTable after T1 reaches (a4)
+
+        1. The new entry has already been added.
+        2. T1 checks m_table at (a4), and sees that it has NOT changed (because T2 hasn't
+           installed m_stubTable yet).  This means T2's copy loop is guaranteed to not
+           have started yet i.e. the new entry will definitely be picked up by the copy
+           loop.
+        3. T1 returns at (a6), and all is well.
+
+        * wtf/ConcurrentPtrHashSet.cpp:
+        (WTF::ConcurrentPtrHashSet::deleteOldTables):
+        (WTF::ConcurrentPtrHashSet::initialize):
+        (WTF::ConcurrentPtrHashSet::containsImplSlow const):
+        (WTF::ConcurrentPtrHashSet::sizeSlow const):
+        (WTF::ConcurrentPtrHashSet::resizeIfNecessary):
+        (WTF::ConcurrentPtrHashSet::Table::initializeStub):
+        * wtf/ConcurrentPtrHashSet.h:
+
 2021-03-17  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WTF/wtf/ConcurrentPtrHashSet.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2021 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43 +43 @@
     // some bad crashes if we did make that mistake.
     auto locker = holdLock(m_lock); 
-    
+
+    ASSERT(m_table.loadRelaxed() != &m_stubTable);
     m_allTables.removeAllMatching(
         [&] (std::unique_ptr<Table>& table) -> bool {
@@ -66 +67 @@
     m_table.storeRelaxed(table.get());
     m_allTables.append(WTFMove(table));
+    m_stubTable.initializeStub();
 }
 
@@ -89 +91 @@
 }
 
+bool ConcurrentPtrHashSet::containsImplSlow(void* ptr) const
+{
+    auto locker = holdLock(m_lock);
+    ASSERT(m_table.loadRelaxed() != &m_stubTable);
+    return containsImpl(ptr);
+}
+
+size_t ConcurrentPtrHashSet::sizeSlow() const
+{
+    auto locker = holdLock(m_lock);
+    ASSERT(m_table.loadRelaxed() != &m_stubTable);
+    return size();
+}
+
 void ConcurrentPtrHashSet::resizeIfNecessary()
 {
     auto locker = holdLock(m_lock);
     Table* table = m_table.loadRelaxed();
+    ASSERT(table != &m_stubTable);
     if (table->load.loadRelaxed() < table->maxLoad())
         return;
-    
+
+    // Stubbing out m_table with m_stubTable here is necessary to ensure that
+    // we don't miss copying any entries that may be concurrently be added.
+    //
+    // If addSlow() completes before this stubbing, the new entry is guaranteed
+    // to be copied below.
+    //
+    // If addSlow() completes after this stubbing, addSlow()  will check m_table
+    // before it finishes, and detect that its newly added entry may not have
+    // made it in. As a result, it will try to re-add the entry, and end up
+    // blocking on resizeIfNecessary() until the resizing is donw. This is
+    // because m_stubTable will tell addSlow() think that the table is out of
+    // space and it needs to resize. NOTE: m_stubTable always says it is out of
+    // space.
+    m_table.store(&m_stubTable);
+
     std::unique_ptr<Table> newTable = Table::create(table->size * 2);
     unsigned mask = newTable->mask;
@@ -122 +154 @@
     
     newTable->load.storeRelaxed(load);
-    
+
     m_table.store(newTable.get());
+
+    // addSlow() will always start by exchangeAdd'ing 1 to the current m_table's
+    // load value before checking if it exceeds its max allowed load. For the
+    // real m_table, this is not an issue because at most, it will accummulate
+    // up to N extra adds above max load, where N is the number of threads
+    // concurrrently adding entries.
+    //
+    // However, m_table may be replaced with m_stubTable for each resize
+    // operation. As a result, the cummulative error on its load value
+    // may far exceed N (as specified above). To fix this, we always reset it
+    // here to prevent an overflow. Note: a load of stubDefaultLoadValue means
+    // that m_stubTable is full since its size is 0.
+    //
+    // In practice, this won't matter because we most likely won't do so many
+    // resize operations such that this will get to the point of overflowing.
+    // However, since resizing is not in the fast path, let's just be pedantic
+    // and reset it for correctness.
+    m_stubTable.load.store(Table::stubDefaultLoadValue);
+
     m_allTables.append(WTFMove(newTable));
 }
@@ -144 +195 @@
 }
 
+void ConcurrentPtrHashSet::Table::initializeStub()
+{
+    // The stub table is set up to look like it is already filled up. This is
+    // so that it can be used during resizing to force all attempts to add to
+    // be routed to resizeAndAdd() where it will block until the resizing is
+    // done.
+    size = 0;
+    mask = 0;
+    load.storeRelaxed(stubDefaultLoadValue);
+    array[0].storeRelaxed(nullptr);
+}
+
 } // namespace WTF
 

trunk/Source/WTF/wtf/ConcurrentPtrHashSet.h

@@ -75 +75 @@
     size_t size() const
     {
-        return m_table.loadRelaxed()->load.loadRelaxed();
+        Table* table = m_table.loadRelaxed();
+        if (table == &m_stubTable)
+            return sizeSlow();
+        return table->load.loadRelaxed();
     }
     
@@ -91 +94 @@
         
         static std::unique_ptr<Table> create(unsigned size);
-        
+        void initializeStub();
+
         unsigned maxLoad() const { return size / 2; }
-        
+
+        // This can be any value >= 1 because the stub's size is 0, ensuring that
+        // m_stubTable is always seen as "full". We choose 10 for no reason other
+        // than it gives some warm fuzzies since it is greater than 1.
+        static constexpr unsigned stubDefaultLoadValue = 10;
+
         unsigned size; // This is immutable.
         unsigned mask; // This is immutable.
@@ -123 +132 @@
     {
         Table* table = m_table.loadRelaxed();
+        if (table == &m_stubTable)
+            return containsImplSlow(ptr);
+
         unsigned mask = table->mask;
         unsigned startIndex = hash(ptr) & mask;
@@ -156 +168 @@
     
     WTF_EXPORT_PRIVATE bool addSlow(Table* table, unsigned mask, unsigned startIndex, unsigned index, void* ptr);
+    WTF_EXPORT_PRIVATE bool containsImplSlow(void* ptr) const;
+    WTF_EXPORT_PRIVATE size_t sizeSlow() const;
 
     void resizeIfNecessary();
     bool resizeAndAdd(void* ptr);
-    
+
     Vector<std::unique_ptr<Table>, 4> m_allTables;
     Atomic<Table*> m_table; // This is never null.
-    Lock m_lock; // We just use this to control resize races.
+    Table m_stubTable;
+    mutable Lock m_lock; // We just use this to control resize races.
 };