| blob | 311e5111953012eaef860af5a1f2a813a3b00df4 |
1 /* sem_waitcommon -- wait on a semaphore, shared code.
2 Copyright (C) 2003-2015 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Paul Mackerras <paulus@au.ibm.com>, 2003.
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <http://www.gnu.org/licenses/>. */
20 #include <errno.h>
21 #include <sysdep.h>
22 #include <lowlevellock.h>
23 #include <internaltypes.h>
24 #include <semaphore.h>
25 #include <sys/time.h>
27 #include <pthreadP.h>
28 #include <shlib-compat.h>
29 #include <atomic.h>
31 /* Wrapper for lll_futex_wait with absolute timeout and error checking.
32 TODO Remove when cleaning up the futex API throughout glibc. */
36 {
39 {
45 }
46 else
47 {
52 /* Get the current time. */
55 /* Compute relative timeout. */
59 {
62 }
64 /* Already timed out? */
68 /* Do wait. */
76 }
78 {
87 being normalized. Must have been caused by a glibc or
88 application bug. */
90 /* No other errors are documented at this time. */
93 }
94 }
96 /* Wrapper for lll_futex_wake, with error checking.
97 TODO Remove when cleaning up the futex API throughout glibc. */
100 {
102 /* No error. Ignore the number of woken processes. */
106 {
109 glibc or in the application) or due to memory being
110 reused for a PI futex. We cannot distinguish between the
111 two causes, and one of them is correct use, so we do not
112 act in this case. */
115 /* No other errors are documented at this time. */
118 }
119 }
122 /* The semaphore provides two main operations: sem_post adds a token to the
123 semaphore; sem_wait grabs a token from the semaphore, potentially waiting
124 until there is a token available. A sem_wait needs to synchronize with
125 the sem_post that provided the token, so that whatever lead to the sem_post
126 happens before the code after sem_wait.
128 Conceptually, available tokens can simply be counted; let's call that the
129 value of the semaphore. However, we also want to know whether there might
130 be a sem_wait that is blocked on the value because it was zero (using a
131 futex with the value being the futex variable); if there is no blocked
132 sem_wait, sem_post does not need to execute a futex_wake call. Therefore,
133 we also need to count the number of potentially blocked sem_wait calls
134 (which we call nwaiters).
136 What makes this tricky is that POSIX requires that a semaphore can be
137 destroyed as soon as the last remaining sem_wait has returned, and no
138 other sem_wait or sem_post calls are executing concurrently. However, the
139 sem_post call whose token was consumed by the last sem_wait is considered
140 to have finished once it provided the token to the sem_wait.
141 Thus, sem_post must not access the semaphore struct anymore after it has
142 made a token available; IOW, it needs to be able to atomically provide
143 a token and check whether any blocked sem_wait calls might exist.
145 This is straightforward to do if the architecture provides 64b atomics
146 because we can just put both the value and nwaiters into one variable that
147 we access atomically: This is the data field, the value is in the
148 least-significant 32 bits, and nwaiters in the other bits. When sem_post
149 makes a value available, it can atomically check nwaiters.
151 If we have only 32b atomics available, we cannot put both nwaiters and
152 value into one 32b value because then we might have too few bits for both
153 of those counters. Therefore, we need to use two distinct fields.
155 To allow sem_post to atomically make a token available and check for
156 blocked sem_wait calls, we use one bit in value to indicate whether
157 nwaiters is nonzero. That allows sem_post to use basically the same
158 algorithm as with 64b atomics, but requires sem_wait to update the bit; it
159 can't do this atomically with another access to nwaiters, but it can compute
160 a conservative value for the bit because it's benign if the bit is set
161 even if nwaiters is zero (all we get is an unnecessary futex wake call by
162 sem_post).
163 Specifically, sem_wait will unset the bit speculatively if it believes that
164 there is no other concurrently executing sem_wait. If it misspeculated,
165 it will have to clean up by waking any other sem_wait call (i.e., what
166 sem_post would do otherwise). This does not conflict with the destruction
167 requirement because the semaphore must not be destructed while any sem_wait
168 is still executing. */
170 /* Set this to true if you assume that, in contrast to current Linux futex
171 documentation, lll_futex_wake can return -EINTR only if interrupted by a
172 signal, not spuriously due to some other reason.
173 TODO Discuss EINTR conditions with the Linux kernel community. For
174 now, we set this to true to not change behavior of semaphores compared
175 to previous glibc builds. */
178 #if !__HAVE_64B_ATOMICS
179 static void
181 #endif
183 static void
185 {
188 #if __HAVE_64B_ATOMICS
189 /* Stop being registered as a waiter. See below for MO. */
191 #else
193 #endif
194 }
196 /* Wait until at least one token is available, possibly with a timeout.
197 This is in a separate function in order to make sure gcc
198 puts the call site into an exception region, and thus the
199 cleanups get properly run. TODO still necessary? Other futex_wait
200 users don't seem to need it. */
201 static int
204 {
207 #if __HAVE_64B_ATOMICS
210 #else
213 #endif
216 }
218 /* Fast path: Try to grab a token without blocking. */
219 static int
221 {
222 /* We need acquire MO if we actually grab a token, so that this
223 synchronizes with all token providers (i.e., the RMW operation we read
224 from or all those before it in modification order; also see sem_post).
225 We do not need to guarantee any ordering if we observed that there is
226 no token (POSIX leaves it unspecified whether functions that fail
227 synchronize memory); thus, relaxed MO is sufficient for the initial load
228 and the failure path of the CAS. If the weak CAS fails and we need a
229 definitive result, retry. */
230 #if __HAVE_64B_ATOMICS
232 do
233 {
238 }
241 #else
243 do
244 {
250 }
253 #endif
254 }
256 /* Slow path that blocks. */
257 static int
260 {
263 #if __HAVE_64B_ATOMICS
264 /* Add a waiter. Relaxed MO is sufficient because we can rely on the
265 ordering provided by the RMW operations we use. */
271 /* Wait for a token to be available. Retry until we can grab one. */
273 {
274 /* If there is no token available, sleep until there is. */
276 {
278 /* A futex return value of 0 or EAGAIN is due to a real or spurious
279 wake-up, or due to a change in the number of tokens. We retry in
280 these cases.
281 If we timed out, forward this to the caller.
282 EINTR could be either due to being interrupted by a signal, or
283 due to a spurious wake-up. Thus, we cannot distinguish between
284 both, and are not allowed to return EINTR to the caller but have
285 to retry; this is because we may not have been interrupted by a
286 signal. However, if we assume that only signals cause a futex
287 return of EINTR, we forward EINTR to the caller.
289 Retrying on EINTR is technically always allowed because to
290 reliably interrupt sem_wait with a signal, the signal handler
291 must call sem_post (which is AS-Safe). In executions where the
292 signal handler does not do that, the implementation can correctly
293 claim that sem_wait hadn't actually started to execute yet, and
294 thus the signal never actually interrupted sem_wait. We make no
295 timing guarantees, so the program can never observe that sem_wait
296 actually did start to execute. Thus, in a correct program, we
297 can expect a signal that wanted to interrupt the sem_wait to have
298 provided a token, and can just try to grab this token if
299 futex_wait returns EINTR. */
302 {
305 /* Stop being registered as a waiter. */
309 }
310 /* Relaxed MO is sufficient; see below. */
312 }
313 else
314 {
315 /* Try to grab both a token and stop being a waiter. We need
316 acquire MO so this synchronizes with all token providers (i.e.,
317 the RMW operation we read from or all those before it in
318 modification order; also see sem_post). On the failure path,
319 relaxed MO is sufficient because we only eventually need the
320 up-to-date value; the futex_wait or the CAS perform the real
321 work. */
324 {
327 }
328 }
329 }
332 #else
333 /* The main difference to the 64b-atomics implementation is that we need to
334 access value and nwaiters in separate steps, and that the nwaiters bit
335 in the value can temporarily not be set even if nwaiters is nonzero.
336 We work around incorrectly unsetting the nwaiters bit by letting sem_wait
337 set the bit again and waking the number of waiters that could grab a
338 token. There are two additional properties we need to ensure:
339 (1) We make sure that whenever unsetting the bit, we see the increment of
340 nwaiters by the other thread that set the bit. IOW, we will notice if
341 we make a mistake.
342 (2) When setting the nwaiters bit, we make sure that we see the unsetting
343 of the bit by another waiter that happened before us. This avoids having
344 to blindly set the bit whenever we need to block on it. We set/unset
345 the bit while having incremented nwaiters (i.e., are a registered
346 waiter), and the problematic case only happens when one waiter indeed
347 followed another (i.e., nwaiters was never larger than 1); thus, this
348 works similarly as with a critical section using nwaiters (see the MOs
349 and related comments below).
351 An alternative approach would be to unset the bit after decrementing
352 nwaiters; however, that would result in needing Dekker-like
353 synchronization and thus full memory barriers. We also would not be able
354 to prevent misspeculation, so this alternative scheme does not seem
355 beneficial. */
358 /* Add a waiter. We need acquire MO so this synchronizes with the release
359 MO we use when decrementing nwaiters below; it ensures that if another
360 waiter unset the bit before us, we see that and set it again. Also see
361 property (2) above. */
366 /* Wait for a token to be available. Retry until we can grab one. */
367 /* We do not need any ordering wrt. to this load's reads-from, so relaxed
368 MO is sufficient. The acquire MO above ensures that in the problematic
369 case, we do see the unsetting of the bit by another waiter. */
371 do
372 {
373 do
374 {
375 /* We are about to block, so make sure that the nwaiters bit is
376 set. We need release MO on the CAS to ensure that when another
377 waiter unsets the nwaiters bit, it will also observe that we
378 incremented nwaiters in the meantime (also see the unsetting of
379 the bit below). Relaxed MO on CAS failure is sufficient (see
380 above). */
381 do
382 {
385 }
388 /* If there is no token, wait. */
390 {
391 /* See __HAVE_64B_ATOMICS variant. */
395 {
399 }
401 /* We blocked, so there might be a token now. Relaxed MO is
402 sufficient (see above). */
404 }
405 }
406 /* If there is no token, we must not try to grab one. */
408 }
409 /* Try to grab a token. We need acquire MO so this synchronizes with
410 all token providers (i.e., the RMW operation we read from or all those
411 before it in modification order; also see sem_post). */
415 error:
419 #endif
422 }
424 /* Stop being a registered waiter (non-64b-atomics code only). */
425 #if !__HAVE_64B_ATOMICS
426 static void
428 {
429 /* The nwaiters bit is still set, try to unset it now if this seems
430 necessary. We do this before decrementing nwaiters so that the unsetting
431 is visible to other waiters entering after us. Relaxed MO is sufficient
432 because we are just speculating here; a stronger MO would not prevent
433 misspeculation. */
436 /* We might be the last waiter, so unset. This needs acquire MO so that
437 it syncronizes with the release MO when setting the bit above; if we
438 overwrite someone else that set the bit, we'll read in the following
439 decrement of nwaiters at least from that release sequence, so we'll
440 see if the other waiter is still active or if another writer entered
441 in the meantime (i.e., using the check below). */
444 /* Now stop being a waiter, and see whether our guess was correct.
445 This needs release MO so that it synchronizes with the acquire MO when
446 a waiter increments nwaiters; this makes sure that newer writers see that
447 we reset the waiters_present bit. */
450 {
451 /* We guessed wrong, and so need to clean up after the mistake and
452 unblock any waiters that could have not been woken. There is no
453 additional ordering that we need to set up, so relaxed MO is
454 sufficient. */
456 SEM_NWAITERS_MASK);
457 /* If there are available tokens, then wake as many waiters. If there
458 aren't any, then there is no need to wake anyone because there is
459 none to grab for another waiter. If tokens become available
460 subsequently, then the respective sem_post calls will do the wake-up
461 due to us having set the nwaiters bit again. */
465 }
466 }
467 #endif