Re: Avoiding concurrent calls to bindtextdomain() - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Avoiding concurrent calls to bindtextdomain()
Date
Msg-id 1058465.1707415701@sss.pgh.pa.us
In response to Avoiding concurrent calls to bindtextdomain()  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
I wrote:
> 0001 also gets rid of the possibility that pthread_mutex_init/
> pthread_mutex_lock could fail due to malloc failure.  This seems
> important since default_threadlock() assumes that pthread_mutex_lock
> cannot fail in practice.  I observe that ecpglib also assumes that,
> although it's using CreateMutex() which has documented failure
> conditions.  So I wonder if we ought to copy this implementation
> back into ecpglib; but I've not done that here.

The cfbot seemed happy with v1, so here's a v2 that does copy that
code back into ecpglib.  (I kind of wonder why this code exists in
libpq + ecpglib at all, rather than in src/port/; but that seems
like a refactoring exercise for another day.)

I double-checked that all the pthread_mutex_t variables in libpq
and ecpglib are static, so the change in that struct should not
pose an ABI hazard for back-patching.

Barring objections, I plan to push this pretty soon.

            regards, tom lane

From 8d7ebd1fc5b556850fcbe117f44f1e0918edf4b9 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Thu, 8 Feb 2024 12:54:08 -0500
Subject: [PATCH v2 1/2] Clean up unnecessarily Windows-dependent code in
 libpq.

Fix pthread-win32.h and pthread-win32.c to provide a more complete
emulation of POSIX pthread mutexes: define PTHREAD_MUTEX_INITIALIZER
and make sure that pthread_mutex_lock() can operate on a mutex
object that's been initialized that way.  Then we don't need the
duplicative platform-specific logic in default_threadlock() and
pgtls_init(), which we'd otherwise need yet a third copy of for
an upcoming bug fix.

Also, since default_threadlock() supposes that pthread_mutex_lock()
cannot fail, try to ensure that that's actually true, by getting
rid of the malloc call that was formerly involved in initializing
an emulated mutex.  We can define an extra state for the spinlock
field instead.

Also, replace the similar code in ecpglib/misc.c with this version.
While ecpglib's version had at least a POSIX-compliant API, it
likewise had the potential of failing during mutex init (but here,
because of CreateMutex failure rather than malloc failure).  Since
all of misc.c's callers ignore failures, it seems like a wise idea
to avoid failures here too.

A further improvement in this area could be to unify libpq's and
ecpglib's implementations into a src/port/pthread-win32.c file.
But that doesn't seem like a bug fix, so I'll desist for now.

Discussion: https://postgr.es/m/264860.1707163416@sss.pgh.pa.us
---
 src/interfaces/ecpg/ecpglib/misc.c            | 37 +++++++++++++++----
 .../ecpg/include/ecpg-pthread-win32.h         | 22 ++++-------
 src/interfaces/libpq/fe-connect.c             | 16 --------
 src/interfaces/libpq/fe-secure-openssl.c      | 20 ----------
 src/interfaces/libpq/pthread-win32.c          | 26 ++++++++-----
 src/port/pthread-win32.h                      | 11 +++++-
 6 files changed, 63 insertions(+), 69 deletions(-)

diff --git a/src/interfaces/ecpg/ecpglib/misc.c b/src/interfaces/ecpg/ecpglib/misc.c
index 2b78caeaf5..58fff10697 100644
--- a/src/interfaces/ecpg/ecpglib/misc.c
+++ b/src/interfaces/ecpg/ecpglib/misc.c
@@ -407,17 +407,38 @@ ECPGis_noind_null(enum ECPGttype type, const void *ptr)

 #ifdef WIN32

-void
-win32_pthread_mutex(volatile pthread_mutex_t *mutex)
+int
+pthread_mutex_init(pthread_mutex_t *mp, void *attr)
+{
+    mp->initstate = 0;
+    return 0;
+}
+
+int
+pthread_mutex_lock(pthread_mutex_t *mp)
 {
-    if (mutex->handle == NULL)
+    /* Initialize the csection if not already done */
+    if (mp->initstate != 1)
     {
-        while (InterlockedExchange((LONG *) &mutex->initlock, 1) == 1)
-            Sleep(0);
-        if (mutex->handle == NULL)
-            mutex->handle = CreateMutex(NULL, FALSE, NULL);
-        InterlockedExchange((LONG *) &mutex->initlock, 0);
+        LONG        istate;
+
+        while ((istate = InterlockedExchange(&mp->initstate, 2)) == 2)
+            Sleep(0);            /* wait, another thread is doing this */
+        if (istate != 1)
+            InitializeCriticalSection(&mp->csection);
+        InterlockedExchange(&mp->initstate, 1);
     }
+    EnterCriticalSection(&mp->csection);
+    return 0;
+}
+
+int
+pthread_mutex_unlock(pthread_mutex_t *mp)
+{
+    if (mp->initstate != 1)
+        return EINVAL;
+    LeaveCriticalSection(&mp->csection);
+    return 0;
 }

 static pthread_mutex_t win32_pthread_once_lock = PTHREAD_MUTEX_INITIALIZER;
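Review bot: The emulation silently differs from a default POSIX mutex in a way the new pthread_mutex_lock() should document: a Win32 CRITICAL_SECTION is re-entrant for the owning thread, so a second lock by the same thread succeeds here where it would deadlock or fail on POSIX, and callers should not rely on either behavior. pthread_mutex_init() at the top of the hunk only resets initstate and never deletes an already-initialized csection, and the patch adds no pthread_mutex_destroy(), so this appears intended for static, process-lifetime mutexes only; a comment saying so would keep a future caller from using it on heap objects that are freed. Suggested above pthread_mutex_lock(): `/* For static process-lifetime mutexes only: the CRITICAL_SECTION is never deleted, and unlike a default POSIX mutex it is re-entrant for the owning thread. */`. The same three functions appear verbatim in the src/interfaces/libpq/pthread-win32.c hunk and want the same comment.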
diff --git a/src/interfaces/ecpg/include/ecpg-pthread-win32.h b/src/interfaces/ecpg/include/ecpg-pthread-win32.h
index 8252a17809..7b6ba46b34 100644
--- a/src/interfaces/ecpg/include/ecpg-pthread-win32.h
+++ b/src/interfaces/ecpg/include/ecpg-pthread-win32.h
@@ -12,28 +12,22 @@

 typedef struct pthread_mutex_t
 {
-    HANDLE        handle;
-    LONG        initlock;
+    /* initstate = 0: not initialized; 1: init done; 2: init in progress */
+    LONG        initstate;
+    CRITICAL_SECTION csection;
 } pthread_mutex_t;

 typedef DWORD pthread_key_t;
 typedef bool pthread_once_t;

-#define PTHREAD_MUTEX_INITIALIZER    { NULL, 0 }
+#define PTHREAD_MUTEX_INITIALIZER    { 0 }
 #define PTHREAD_ONCE_INIT            false

-void        win32_pthread_mutex(volatile pthread_mutex_t *mutex);
-void        win32_pthread_once(volatile pthread_once_t *once, void (*fn) (void));
+int            pthread_mutex_init(pthread_mutex_t *, void *attr);
+int            pthread_mutex_lock(pthread_mutex_t *);
+int            pthread_mutex_unlock(pthread_mutex_t *);

-#define pthread_mutex_lock(mutex) \
-    do { \
-        if ((mutex)->handle == NULL) \
-            win32_pthread_mutex((mutex)); \
-        WaitForSingleObject((mutex)->handle, INFINITE); \
-    } while(0)
-
-#define pthread_mutex_unlock(mutex) \
-    ReleaseMutex((mutex)->handle)
+void        win32_pthread_once(volatile pthread_once_t *once, void (*fn) (void));

 #define pthread_getspecific(key) \
     TlsGetValue((key))
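Review bot: The three new prototypes drop the first parameter's name (`pthread_mutex_t *`) while the neighbouring win32_pthread_once() declaration, and the definitions in misc.c, name every parameter; keeping names in prototypes is the convention the rest of this header follows. Change them to `int pthread_mutex_init(pthread_mutex_t *mp, void *attr);`, `int pthread_mutex_lock(pthread_mutex_t *mp);` and `int pthread_mutex_unlock(pthread_mutex_t *mp);`. The initstate comment on the struct is duplicated verbatim from src/port/pthread-win32.h, which the commit message already notes as a unification candidate.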
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 64c0b628b3..d4e10a0c4f 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -7426,24 +7426,8 @@ error:
 static void
 default_threadlock(int acquire)
 {
-#ifndef WIN32
     static pthread_mutex_t singlethread_lock = PTHREAD_MUTEX_INITIALIZER;
-#else
-    static pthread_mutex_t singlethread_lock = NULL;
-    static long mutex_initlock = 0;

-    if (singlethread_lock == NULL)
-    {
-        while (InterlockedExchange(&mutex_initlock, 1) == 1)
-             /* loop, another thread own the lock */ ;
-        if (singlethread_lock == NULL)
-        {
-            if (pthread_mutex_init(&singlethread_lock, NULL))
-                Assert(false);
-        }
-        InterlockedExchange(&mutex_initlock, 0);
-    }
-#endif
     if (acquire)
     {
         if (pthread_mutex_lock(&singlethread_lock))
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 6bc216956d..8110882262 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -91,12 +91,7 @@ static bool ssl_lib_initialized = false;

 static long crypto_open_connections = 0;

-#ifndef WIN32
 static pthread_mutex_t ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER;
-#else
-static pthread_mutex_t ssl_config_mutex = NULL;
-static long win32_ssl_create_mutex = 0;
-#endif

 static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL;
 static int    ssl_protocol_version_to_openssl(const char *protocol);
@@ -773,20 +768,6 @@ pq_lockingcallback(int mode, int n, const char *file, int line)
 int
 pgtls_init(PGconn *conn, bool do_ssl, bool do_crypto)
 {
-#ifdef WIN32
-    /* Also see similar code in fe-connect.c, default_threadlock() */
-    if (ssl_config_mutex == NULL)
-    {
-        while (InterlockedExchange(&win32_ssl_create_mutex, 1) == 1)
-             /* loop, another thread own the lock */ ;
-        if (ssl_config_mutex == NULL)
-        {
-            if (pthread_mutex_init(&ssl_config_mutex, NULL))
-                return -1;
-        }
-        InterlockedExchange(&win32_ssl_create_mutex, 0);
-    }
-#endif
     if (pthread_mutex_lock(&ssl_config_mutex))
         return -1;

@@ -874,7 +855,6 @@ static void
 destroy_ssl_system(void)
 {
 #if defined(HAVE_CRYPTO_LOCK)
-    /* Mutex is created in pgtls_init() */
     if (pthread_mutex_lock(&ssl_config_mutex))
         return;

diff --git a/src/interfaces/libpq/pthread-win32.c b/src/interfaces/libpq/pthread-win32.c
index e607bee89a..b40872898d 100644
--- a/src/interfaces/libpq/pthread-win32.c
+++ b/src/interfaces/libpq/pthread-win32.c
@@ -34,27 +34,33 @@ pthread_getspecific(pthread_key_t key)
 int
 pthread_mutex_init(pthread_mutex_t *mp, void *attr)
 {
-    *mp = (CRITICAL_SECTION *) malloc(sizeof(CRITICAL_SECTION));
-    if (!*mp)
-        return 1;
-    InitializeCriticalSection(*mp);
+    mp->initstate = 0;
     return 0;
 }

 int
 pthread_mutex_lock(pthread_mutex_t *mp)
 {
-    if (!*mp)
-        return 1;
-    EnterCriticalSection(*mp);
+    /* Initialize the csection if not already done */
+    if (mp->initstate != 1)
+    {
+        LONG        istate;
+
+        while ((istate = InterlockedExchange(&mp->initstate, 2)) == 2)
+            Sleep(0);            /* wait, another thread is doing this */
+        if (istate != 1)
+            InitializeCriticalSection(&mp->csection);
+        InterlockedExchange(&mp->initstate, 1);
+    }
+    EnterCriticalSection(&mp->csection);
     return 0;
 }

 int
 pthread_mutex_unlock(pthread_mutex_t *mp)
 {
-    if (!*mp)
-        return 1;
-    LeaveCriticalSection(*mp);
+    if (mp->initstate != 1)
+        return EINVAL;
+    LeaveCriticalSection(&mp->csection);
     return 0;
 }
diff --git a/src/port/pthread-win32.h b/src/port/pthread-win32.h
index 97ccc17a12..5f33269057 100644
--- a/src/port/pthread-win32.h
+++ b/src/port/pthread-win32.h
@@ -5,7 +5,16 @@
 #define __PTHREAD_H

 typedef ULONG pthread_key_t;
-typedef CRITICAL_SECTION *pthread_mutex_t;
+
+typedef struct pthread_mutex_t
+{
+    /* initstate = 0: not initialized; 1: init done; 2: init in progress */
+    LONG        initstate;
+    CRITICAL_SECTION csection;
+} pthread_mutex_t;
+
+#define PTHREAD_MUTEX_INITIALIZER    { 0 }
+
 typedef int pthread_once_t;

 DWORD        pthread_self(void);
--
2.39.3

From 89862c5c145d5f66f284098abf0ef6384a96a8d7 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Thu, 8 Feb 2024 12:59:44 -0500
Subject: [PATCH v2 2/2] Avoid concurrent calls to bindtextdomain().

We previously supposed that it was okay for different threads to
call bindtextdomain() concurrently (cf. commit 1f655fdc3).
It now emerges that there's at least one gettext implementation
in which that triggers an abort() crash, so let's stop doing that.
Add mutexes guarding libpq's and ecpglib's calls, which are the
only ones that need worry about multithreaded callers.

Note: in libpq, we could perhaps have piggybacked on
default_threadlock() to avoid defining a new mutex variable.
I judge that not terribly safe though, since libpq_gettext could
be called from code that is holding the default mutex.  If that
were the first such call in the process, it'd fail.  An extra
mutex is cheap insurance against unforeseen interactions.

Per bug #18312 from Christian Maurer.  Back-patch to all
supported versions.

Discussion: https://postgr.es/m/18312-bbbabc8113592b78@postgresql.org
Discussion: https://postgr.es/m/264860.1707163416@sss.pgh.pa.us
---
 src/interfaces/ecpg/ecpglib/misc.c | 39 ++++++++++++++++++++----------
 src/interfaces/libpq/fe-misc.c     | 39 ++++++++++++++++++++----------
 2 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/src/interfaces/ecpg/ecpglib/misc.c b/src/interfaces/ecpg/ecpglib/misc.c
index 58fff10697..8b9aefcd9c 100644
--- a/src/interfaces/ecpg/ecpglib/misc.c
+++ b/src/interfaces/ecpg/ecpglib/misc.c
@@ -465,13 +465,14 @@ char *
 ecpg_gettext(const char *msgid)
 {
     /*
-     * If multiple threads come through here at about the same time, it's okay
-     * for more than one of them to call bindtextdomain().  But it's not okay
-     * for any of them to reach dgettext() before bindtextdomain() is
-     * complete, so don't set the flag till that's done.  Use "volatile" just
-     * to be sure the compiler doesn't try to get cute.
+     * At least on Windows, there are gettext implementations that fail if
+     * multiple threads call bindtextdomain() concurrently.  Use a mutex and
+     * flag variable to ensure that we call it just once per process.  It is
+     * not known that similar bugs exist on non-Windows platforms, but we
+     * might as well do it the same way everywhere.
      */
     static volatile bool already_bound = false;
+    static pthread_mutex_t binddomain_mutex = PTHREAD_MUTEX_INITIALIZER;

     if (!already_bound)
     {
@@ -481,14 +482,26 @@ ecpg_gettext(const char *msgid)
 #else
         int            save_errno = errno;
 #endif
-        const char *ldir;
-
-        /* No relocatable lookup here because the binary could be anywhere */
-        ldir = getenv("PGLOCALEDIR");
-        if (!ldir)
-            ldir = LOCALEDIR;
-        bindtextdomain(PG_TEXTDOMAIN("ecpglib"), ldir);
-        already_bound = true;
+
+        (void) pthread_mutex_lock(&binddomain_mutex);
+
+        if (!already_bound)
+        {
+            const char *ldir;
+
+            /*
+             * No relocatable lookup here because the calling executable could
+             * be anywhere
+             */
+            ldir = getenv("PGLOCALEDIR");
+            if (!ldir)
+                ldir = LOCALEDIR;
+            bindtextdomain(PG_TEXTDOMAIN("ecpglib"), ldir);
+            already_bound = true;
+        }
+
+        (void) pthread_mutex_unlock(&binddomain_mutex);
+
 #ifdef WIN32
         SetLastError(save_errno);
 #else
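Review bot: `(void) pthread_mutex_lock(&binddomain_mutex);` discards a failure, and the code then calls bindtextdomain() without holding the lock — the very concurrent call this commit exists to prevent — so a lock failure silently degrades to the old unprotected behavior. If that is the intended trade-off (lock failure is not expected for a statically initialized mutex, and a lost translation is judged worse than a skipped bind), say so in a comment on that line: `/* Lock failure is not expected; if it happens we proceed unlocked rather than skip binding the domain. */`. Otherwise `if (pthread_mutex_lock(&binddomain_mutex) == 0)` around the bind, leaving already_bound false so a later call retries, would return untranslated text on that one call instead of risking the abort() described in the commit message. The second src/interfaces/libpq/fe-misc.c hunk (libpq_binddomain) has the identical construct. ecpg_gettext continues outside this hunk.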
diff --git a/src/interfaces/libpq/fe-misc.c b/src/interfaces/libpq/fe-misc.c
index 47a28b0a3a..f2fc78a481 100644
--- a/src/interfaces/libpq/fe-misc.c
+++ b/src/interfaces/libpq/fe-misc.c
@@ -1225,13 +1225,14 @@ static void
 libpq_binddomain(void)
 {
     /*
-     * If multiple threads come through here at about the same time, it's okay
-     * for more than one of them to call bindtextdomain().  But it's not okay
-     * for any of them to return to caller before bindtextdomain() is
-     * complete, so don't set the flag till that's done.  Use "volatile" just
-     * to be sure the compiler doesn't try to get cute.
+     * At least on Windows, there are gettext implementations that fail if
+     * multiple threads call bindtextdomain() concurrently.  Use a mutex and
+     * flag variable to ensure that we call it just once per process.  It is
+     * not known that similar bugs exist on non-Windows platforms, but we
+     * might as well do it the same way everywhere.
      */
     static volatile bool already_bound = false;
+    static pthread_mutex_t binddomain_mutex = PTHREAD_MUTEX_INITIALIZER;

     if (!already_bound)
     {
@@ -1241,14 +1242,26 @@ libpq_binddomain(void)
 #else
         int            save_errno = errno;
 #endif
-        const char *ldir;
-
-        /* No relocatable lookup here because the binary could be anywhere */
-        ldir = getenv("PGLOCALEDIR");
-        if (!ldir)
-            ldir = LOCALEDIR;
-        bindtextdomain(PG_TEXTDOMAIN("libpq"), ldir);
-        already_bound = true;
+
+        (void) pthread_mutex_lock(&binddomain_mutex);
+
+        if (!already_bound)
+        {
+            const char *ldir;
+
+            /*
+             * No relocatable lookup here because the calling executable could
+             * be anywhere
+             */
+            ldir = getenv("PGLOCALEDIR");
+            if (!ldir)
+                ldir = LOCALEDIR;
+            bindtextdomain(PG_TEXTDOMAIN("libpq"), ldir);
+            already_bound = true;
+        }
+
+        (void) pthread_mutex_unlock(&binddomain_mutex);
+
 #ifdef WIN32
         SetLastError(save_errno);
 #else
--
2.39.3

