These have been found to be practically useless. We were actually
following the Android bionic library and had some interest in replicating
the same warnings and behaviour but Android has since removed them.
We are still keeping some uses of nullability attributes in other headers,
somewhat in line with Apple's libc.
MFC after: 1 week
Hinted by: bionic (git 3f66e74b903905e763e104396aff52a81718cfde)
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.
The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.
Replace uses of the GCC __nonnull__ attribute with the clang nullability
qualifiers. The replacement should be transparent for clang developers as
the new qualifiers will produce the same warnings and will be useful for
static checkers but will not cause aggressive optimizations.
GCC will not produce such warnings and developers will have to use
upgraded GCC ports built with the system headers from r312538.
Hinted by: Apple's Libc-1158.20.4, Bionic libc
MFC after: 11.1 Release
Differential Revision: https://reviews.freebsd.org/D9004
While the checks are considered useful, the attribute does dangerous
optimizations, removing NULL checks where they can be needed. Remove the
uses of this attribute introduced in r281130: the changes were inspired by
Google's bionic where this attribute is not used anymore.
The __nonnull() attribute will be deprecated from our headers and
replaced with the Clang _Nonnull qualifier in the future.
MFC after: 3 days
intention of the POSIX IEEE Std 1003.1TM-2008/Cor 1-2013.
A robust mutex is guaranteed to be cleared by the system upon either
thread or process owner termination while the mutex is held. The next
mutex locker is then notified about inconsistent mutex state and can
execute (or abandon) corrective actions.
The patch mostly consists of small changes here and there, adding
necessary checks for the inconsistent and abandoned conditions into
existing paths. Additionally, the thread exit handler was extended to
iterate over the userspace-maintained list of owned robust mutexes,
unlocking and marking as terminated each of them.
The list of owned robust mutexes cannot be maintained atomically
synchronous with the mutex lock state (it is possible in kernel, but
is too expensive). Instead, for the duration of lock or unlock
operation, the current mutex is remembered in a special slot that is
also checked by the kernel at thread termination.
The kernel must be aware of the per-thread location of the heads of
robust mutex lists and the current active mutex slot. When a thread
touches a robust mutex for the first time, a new umtx op syscall is
issued which informs about the location of the list heads.
The umtx sleep queues for PP and PI mutexes are split between
non-robust and robust.
Somewhat unrelated changes in the patch:
1. Style.
2. The fix for proper tdfind() call use in umtxq_sleep_pi() for shared
pi mutexes.
3. Removal of the userspace struct pthread_mutex m_owner field.
4. The sysctl kern.ipc.umtx_vnode_persistent is added, which controls
the lifetime of the shared mutex associated with a vnode's page.
Reviewed by: jilles (previous version, supposedly the objection was fixed)
Discussed with: brooks, Martin Simmons <martin@lispworks.com> (some aspects)
Tested by: pho
Sponsored by: The FreeBSD Foundation
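What the inconsistent-state notification described above looks like from the caller's side, as an added example that is not part of the FreeBSD commit or of libthr. It uses only the portable POSIX.1-2008 robust-mutex calls rather than the umtx internals, takes the process-termination case (a forked child dies holding the lock), and assumes a libc whose fork() re-registers the child's robust list with the kernel, as glibc does. The struct shared_state, the enum and the function name are this example's own.

```c
#define _GNU_SOURCE 1      /* glibc: MAP_ANONYMOUS plus the POSIX.1-2008 robust-mutex calls */
#include <errno.h>
#include <pthread.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes reported by robust_owner_death_demo(). */
enum robust_outcome {
    ROBUST_RECOVERED = 0,   /* EOWNERDEAD seen, state repaired, mutex usable again */
    ROBUST_NOT_NOTIFIED,    /* lock after owner death returned 0: no notification */
    ROBUST_ERROR            /* setup failure or an unexpected return code */
};

/* Constructed shared state; the dead owner may leave it half-written. */
struct shared_state {
    pthread_mutex_t mtx;
    int counter;
    int in_progress;
};

int robust_owner_death_demo(void)
{
    pthread_mutexattr_t attr;
    struct shared_state *s;
    pid_t pid;
    int rc, status;

    /* One page shared across fork(), so both processes see the same mutex. */
    s = mmap(NULL, sizeof(*s), PROT_READ | PROT_WRITE,
             MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (s == MAP_FAILED)
        return ROBUST_ERROR;

    if (pthread_mutexattr_init(&attr) != 0 ||
        pthread_mutexattr_setpshared(&attr, PTHREAD_PROCESS_SHARED) != 0 ||
        pthread_mutexattr_setrobust(&attr, PTHREAD_MUTEX_ROBUST) != 0 ||
        pthread_mutex_init(&s->mtx, &attr) != 0)
        return ROBUST_ERROR;
    pthread_mutexattr_destroy(&attr);
    s->counter = 0;
    s->in_progress = 0;

    pid = fork();
    if (pid < 0)
        return ROBUST_ERROR;
    if (pid == 0) {
        /* Child: start an update and die while still holding the lock. */
        pthread_mutex_lock(&s->mtx);
        s->in_progress = 1;
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return ROBUST_ERROR;

    /* Next locker: the kernel released the dead owner's hold and flagged it. */
    rc = pthread_mutex_lock(&s->mtx);
    if (rc == 0) {
        pthread_mutex_unlock(&s->mtx);
        return ROBUST_NOT_NOTIFIED;
    }
    if (rc != EOWNERDEAD)
        return ROBUST_ERROR;

    /* We own the lock but the state is inconsistent: repair it, then mark
     * the mutex consistent. Unlocking without pthread_mutex_consistent()
     * is the "abandon" path and leaves the mutex ENOTRECOVERABLE. */
    if (s->in_progress)
        s->in_progress = 0;          /* roll back the interrupted update */
    if (pthread_mutex_consistent(&s->mtx) != 0)
        return ROBUST_ERROR;
    pthread_mutex_unlock(&s->mtx);

    /* After recovery the mutex behaves like any other. */
    if (pthread_mutex_lock(&s->mtx) != 0)
        return ROBUST_ERROR;
    s->counter++;
    pthread_mutex_unlock(&s->mtx);

    rc = (s->counter == 1 && !s->in_progress) ? ROBUST_RECOVERED : ROBUST_ERROR;
    pthread_mutex_destroy(&s->mtx);
    munmap(s, sizeof(*s));
    return rc;
}
```

The point to take from the EOWNERDEAD branch is that the lock is already owned when the error is returned: the caller decides between repairing the protected data and calling pthread_mutex_consistent(), or unlocking without it and thereby retiring the mutex for every other user.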
breaking the ABI. Special value is stored in the lock pointer to
indicate shared lock, and offline page in the shared memory is
allocated to store the actual lock.
Reviewed by: vangyzen (previous version)
Discussed with: deischen, emaste, jhb, rwatson,
Martin Simmons <martin@lispworks.com>
Tested by: pho
Sponsored by: The FreeBSD Foundation
The `nonnull' attribute specifies that some function parameters should be
non-null pointers. This is very useful as it helps the compiler generate
warnings on suspicious code and can also enable some small optimizations.
Also start using 'alloc_size' attribute in the allocator functions.
This is an initial step to better integrate our libc with the compiler:
these attributes are fully supported by clang and they are also useful
for the static analyzer.
Note that due to some bogus internal procedure in the way gcc ports
are built they may require updating if they were built before r280801.
Relnotes: yes
Hinted by: Android's bionic libc
Differential Revision: https://reviews.freebsd.org/D2107
GCC still carries an old version of cdefs.h which doesn't
accept multiple parameters for the nonnull attribute.
Since this issue probably affects many ports in the tree
we will revert it for now until gcc gets fixed.
The `nonnull' attribute specifies that some function parameters should be
non-null pointers. This is very useful as it helps the compiler generate
warnings on suspicious code and can also enable some small optimizations.
In clang this is also useful for the static analyzer.
While we could go on defining this all over the tree, it only
makes sense to annotate a subset of critical functions.
Hinted by: Android's bionic libc
Differential Revision: https://reviews.freebsd.org/D2101
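The attribute-versus-qualifier difference that the r281130, D9004 and D2101 messages above describe, shown as an added example that is not code from FreeBSD, bionic or Apple's Libc. The GCC_NONNULL macro and the function names are this example's own shim; _Nonnull is the Clang qualifier the messages refer to, and it is defined away here on compilers that lack it, as a cdefs.h-style header has to do.

```c
#include <stddef.h>
#include <string.h>

/*
 * Portability shim: _Nonnull/_Nullable are Clang-only qualifiers, and
 * the GCC-style attribute must be probed with __has_attribute.
 * GCC_NONNULL is this example's own name, not a FreeBSD or bionic one.
 */
#ifndef __has_feature
#define __has_feature(x) 0
#endif
#ifndef __has_attribute
#define __has_attribute(x) 0
#endif
#if !__has_feature(nullability)
#define _Nonnull
#define _Nullable
#endif
#if __has_attribute(__nonnull__)
#define GCC_NONNULL(...) __attribute__((__nonnull__(__VA_ARGS__)))
#else
#define GCC_NONNULL(...)
#endif

/*
 * Old style: the attribute is a promise to the optimizer. Both GCC and
 * Clang may treat `s` as provably non-NULL and delete the check below at
 * -O2 (Clang also warns that the comparison is tautological), so a caller
 * that passes NULL anyway reaches strlen(NULL) instead of getting 0.
 */
GCC_NONNULL(1)
size_t len_with_attribute(const char *s)
{
    if (s == NULL)        /* dead code as far as the optimizer is concerned */
        return 0;
    return strlen(s);
}

/*
 * New style: _Nonnull is a contract checked by Clang's front end and
 * static analyzer (a literal NULL or a _Nullable value at a call site
 * draws a warning), but it is not handed to the optimizer, so the
 * defensive check survives and the function really returns 0 for NULL.
 */
size_t len_with_qualifier(const char *_Nonnull s)
{
    if (s == NULL)        /* kept: the qualifier is not an optimization hint */
        return 0;
    return strlen(s);
}

/*
 * Route NULL through a volatile pointer so the compiler cannot see the
 * constant, mirroring a value that only becomes NULL at run time. Only
 * the qualifier variant is exercised this way: with the attribute
 * variant the same call is undefined behaviour.
 */
size_t qualifier_handles_runtime_null(void)
{
    const char *volatile maybe_null = NULL;
    return len_with_qualifier(maybe_null);
}
```

Build with clang -O2 -Wall and compare the two functions' object code to see the difference the commit messages describe: the check in len_with_attribute can be folded away, the one in len_with_qualifier is emitted as written.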
This change extends all of the functions present in the <pthread.h> and
<threads.h> headers to have lock annotations. This will allow Clang to
warn about the following:
- Locking a function twice,
- Unlocking a function without a mutex being locked,
- Forgetting to unlock a mutex before returning,
- Destroying or reinitializing a mutex that is currently locked,
- Using an unlocked mutex in combination with a condition variable.
Enabling these annotations already allowed me to catch a bug in one of
our userspace tools (r270749).
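An added example, not FreeBSD's pthread.h, of carrying the same Clang lock annotations into application code so that -Wthread-safety checks it. The macro names are this example's own, modelled on the __lock_annotate() wrappers in FreeBSD's <sys/cdefs.h>; on FreeBSD pthread_mutex_t is annotated in the header itself, so the wrapper struct below is only needed on a libc without the annotations. The account type and functions are constructed for the example.

```c
#include <pthread.h>

/*
 * Shim in the spirit of FreeBSD's __lock_annotate(): active only where
 * Clang's C thread-safety attributes exist, empty elsewhere. The macro
 * names are this example's own.
 */
#ifdef __has_extension
#if __has_extension(c_thread_safety_attributes)
#define ANNOTATE(x) __attribute__((x))
#endif
#endif
#ifndef ANNOTATE
#define ANNOTATE(x)
#endif
#define LOCKABLE        ANNOTATE(lockable)
#define GUARDED_BY(l)   ANNOTATE(guarded_by(l))
#define LOCKS(l)        ANNOTATE(exclusive_lock_function(l))
#define UNLOCKS(l)      ANNOTATE(unlock_function(l))
#define NEEDS_LOCK(l)   ANNOTATE(exclusive_locks_required(l))
#define NO_ANALYSIS     ANNOTATE(no_thread_safety_analysis)

/* Carries the capability. On FreeBSD pthread_mutex_t is annotated in
 * pthread.h itself; on other libcs a wrapper like this supplies it. */
struct LOCKABLE lock {
    pthread_mutex_t mtx;
};

/* The balance may only be read or written with lk held. */
struct account {
    struct lock lk;
    long balance GUARDED_BY(lk);
};

/* Annotated prototypes; the definitions below inherit the attributes.
 * The lock/unlock bodies are excluded from analysis so that, on a libc
 * whose pthread_mutex_lock() is itself annotated, the inner acquisition
 * of l->mtx is not reported as unbalanced against *l. */
static void lock_acquire(struct lock *l) LOCKS(*l) NO_ANALYSIS;
static void lock_release(struct lock *l) UNLOCKS(*l) NO_ANALYSIS;
static void account_adjust_locked(struct account *a, long delta) NEEDS_LOCK(a->lk);

static void lock_acquire(struct lock *l)
{
    pthread_mutex_lock(&l->mtx);
}

static void lock_release(struct lock *l)
{
    pthread_mutex_unlock(&l->mtx);
}

/* Callers must hold the lock; Clang checks every call site. */
static void account_adjust_locked(struct account *a, long delta)
{
    a->balance += delta;
}

/* Correct: lock, mutate, read, unlock on every path. */
long account_adjust(struct account *a, long delta)
{
    long after;

    lock_acquire(&a->lk);
    account_adjust_locked(a, delta);
    after = a->balance;
    lock_release(&a->lk);
    return after;
}

/*
 * The mistakes the annotations exist to catch; compiled out here. Under
 * clang -Wthread-safety this function is flagged twice: the early return
 * leaves a->lk held, and the final read of a->balance has no lock.
 */
#if 0
long account_adjust_buggy(struct account *a, long delta)
{
    lock_acquire(&a->lk);
    if (delta == 0)
        return -1;                     /* lock still held on this path */
    account_adjust_locked(a, delta);
    lock_release(&a->lk);
    return a->balance;                 /* guarded field read unlocked */
}
#endif

/* Applies two adjustments to a fresh account and returns the balance. */
long lock_annotation_demo(void)
{
    struct account a = { .lk = { PTHREAD_MUTEX_INITIALIZER }, .balance = 0 };
    long final;

    account_adjust(&a, 100);
    final = account_adjust(&a, -30);
    pthread_mutex_destroy(&a.lk.mtx);
    return final;
}
```

The analysis is purely static and costs nothing at run time; it only fires when the compiler can see, through annotations like these, which lock protects which data and which functions acquire, release or require it.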
functions set or get pthread_rwlock type, current supported types are:
PTHREAD_RWLOCK_PREFER_READER_NP,
PTHREAD_RWLOCK_PREFER_WRITER_NONRECURSIVE_NP,
PTHREAD_RWLOCK_PREFER_WRITER_NP,
default is PTHREAD_RWLOCK_PREFER_WRITER_NONRECURSIVE_NP, which maintains
binary compatibility with old code.
same null value, the code cannot distinguish between them, to
fix the problem, now a destroyed object is assigned to a non-null
value, and it will be rejected by some pthread functions.
PTHREAD_ADAPTIVE_MUTEX_INITIALIZER_NP is changed to number 1, so that
adaptive mutex can be statically initialized correctly.
pthread_sigmask() to signal.h. In principle, this shouldn't break anything,
since they're already in signal.h on other systems, and the FreeBSD
manpage says that both pthread.h and signal.h need to be included to
get these functions.
Add a hack to declare pthread_t in the P1003.1-2008 namespace
in signal.h.
is also implemented in glibc and is used by a number of existing
applications (mysql, firefox, etc).
This mutex type is a default mutex with the additional property that
it spins briefly when attempting to acquire a contested lock, doing
trylock operations in userland before entering the kernel to block if
eventually unsuccessful.
The expectation is that applications requesting this mutex type know
that the mutex is likely to be only held for very brief periods, so it
is faster to spin in userland and probably succeed in acquiring the
mutex, than to enter the kernel and sleep, only to be woken up almost
immediately. This can help significantly in certain cases when
pthread mutexes are heavily contended and held for brief durations
(such as mysql).
Spin up to 200 times before entering the kernel, which represents only
a few us on modern CPUs. No performance degradation was observed with
this value and it is sufficient to avoid a large performance drop in
mysql performance in the heavily contended pthread mutex case.
The libkse implementation is a NOP.
Reviewed by: jeff
MFC after: 3 days
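The spin-then-block acquisition described in the message above, as an added example that is not libthr's implementation. The adaptive_mutex type and its functions are this example's own; PTHREAD_MUTEX_ADAPTIVE_NP is requested only where the libc defines it, the 200-trylock budget is the one the message chose, and a second thread holding the lock for 50 ms (far longer than 200 trylocks take) exercises the fallback to a blocking lock.

```c
#define _GNU_SOURCE 1      /* glibc: exposes PTHREAD_MUTEX_ADAPTIVE_NP and nanosleep() */
#include <pthread.h>
#include <time.h>

#define ADAPTIVE_SPIN_LIMIT 200   /* the budget chosen in the message above */

/* Hypothetical wrapper type; this example's own, not libthr's. */
struct adaptive_mutex {
    pthread_mutex_t m;
};

/* Ask for the adaptive type where the libc exposes it; otherwise the
 * default type is used and the spinning below supplies the behaviour. */
int adaptive_mutex_init(struct adaptive_mutex *am)
{
    pthread_mutexattr_t attr;
    int rc;

    pthread_mutexattr_init(&attr);
#ifdef PTHREAD_MUTEX_ADAPTIVE_NP
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ADAPTIVE_NP);
#endif
    rc = pthread_mutex_init(&am->m, &attr);
    pthread_mutexattr_destroy(&attr);
    return rc;
}

/* Spin-then-block: up to ADAPTIVE_SPIN_LIMIT userland trylocks, then a
 * blocking lock that may sleep in the kernel. Returns the spin count and
 * sets *blocked when the slow path was needed. */
int adaptive_mutex_lock(struct adaptive_mutex *am, int *blocked)
{
    int spins;

    *blocked = 0;
    for (spins = 0; spins < ADAPTIVE_SPIN_LIMIT; spins++) {
        if (pthread_mutex_trylock(&am->m) == 0)
            return spins;
    }
    *blocked = 1;
    pthread_mutex_lock(&am->m);
    return spins;
}

/* Contender state: the holder signals once it owns the lock. */
struct holder {
    struct adaptive_mutex *am;
    pthread_mutex_t ready_m;
    pthread_cond_t ready_c;
    int ready;
};

/* Holds the lock for 50 ms, far longer than 200 trylocks take, so the
 * other thread is certain to exhaust its spins and block. */
static void *hold_lock(void *p)
{
    struct holder *h = p;
    struct timespec hold = { 0, 50 * 1000 * 1000 };

    pthread_mutex_lock(&h->am->m);
    pthread_mutex_lock(&h->ready_m);
    h->ready = 1;
    pthread_cond_signal(&h->ready_c);
    pthread_mutex_unlock(&h->ready_m);
    nanosleep(&hold, NULL);
    pthread_mutex_unlock(&h->am->m);
    return NULL;
}

/* Returns 0 when an uncontended lock is taken with zero spins, 1 when a
 * contended lock spun out and blocked, negative on anything else. */
int adaptive_lock_demo(int contended)
{
    struct adaptive_mutex am;
    struct holder h = { .am = &am, .ready_m = PTHREAD_MUTEX_INITIALIZER,
                        .ready_c = PTHREAD_COND_INITIALIZER, .ready = 0 };
    pthread_t t;
    int spins, blocked, result;

    if (adaptive_mutex_init(&am) != 0)
        return -1;
    if (contended) {
        if (pthread_create(&t, NULL, hold_lock, &h) != 0)
            return -1;
        pthread_mutex_lock(&h.ready_m);
        while (!h.ready)
            pthread_cond_wait(&h.ready_c, &h.ready_m);
        pthread_mutex_unlock(&h.ready_m);
    }
    spins = adaptive_mutex_lock(&am, &blocked);
    pthread_mutex_unlock(&am.m);
    if (contended) {
        pthread_join(t, NULL);
        result = (blocked && spins == ADAPTIVE_SPIN_LIMIT) ? 1 : -2;
    } else {
        result = (!blocked && spins == 0) ? 0 : -2;
    }
    pthread_mutex_destroy(&am.m);
    return result;
}
```

The trade-off the message describes is visible in the two paths: when the holder releases within the spin window the lock is taken without a system call, and when it does not, the contender pays the cost of 200 failed trylocks before sleeping, which is why the budget is kept to a few microseconds.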
- Don't pollute the namespace by including <sys/types.h>, <sys/time.h>,
<sys/signal.h> and <limits.h>. Use __MINSIGSTKSZ and __ULONG_MAX from
<machine/_limits.h>, __sigset_t from <sys/_sigset.h> instead.
- Include <time.h> because POSIX says we have to.
PTHREAD_{DESTRUCTOR_ITERATIONS,KEYS_MAX,STACK_MIN,THREADS_MAX} should
eventually move to <limits.h> but are left here for now.
Discussed on: standards@, threads@
libthr. No changes were made to libpthread by request of deischen,
who will soon commit a real implementation for that library.
PR: standards/50848
Submitted by: Sergey A. Osokin <osa@freebsd.org.ru>
MFC after: 1 week
routines, remove their declarations. Even though rwlocks have the same
functions, XBDft does not shade those declarations so I am leaving them in.
(This is probably a bug in the Standard.)
# This appears to not break X11, but I'm having problems compiling the
# glide part of the server with or without this patch, so I can't tell
# for sure.
be malloc()ed, but they are now allocated using mmap(), just as the
default-size stacks are. A separate cache of stacks is kept for
non-default-size stacks.
Collaboration with: deischen
1003.1c-1995.
Undefine _POSIX_THREAD_SAFE_FUNCTIONS, since we do not implement all of the
necessary interfaces. At least getgrgid_r(), getgrnam_r(), getpwuid_r(),
getpwnam_r(), getc_unlocked(), getchar_unlocked(), putc_unlocked(),
and putchar_unlocked() are missing. Due to a likely typo in 1003.1c-1995,
we are not technically allowed to define _POSIX_THREADS without defining
_POSIX_THREAD_SAFE_FUNCTIONS, but either way we're non-compliant, so I'm
leaving _POSIX_THREADS defined.
PR: bin/8281
eischen (Daniel Eischen) added wrappers to protect against canceled
threads orphaning internal resources.
the cancelability code is still a bit fuzzy but works for test
programs of my own, OpenBSD's and some examples from ORA's books.
add readdir_r to both libc and libc_r
add some 'const' attributes to function parameters
Reviewed by: eischen, jasone
not currently supported. Also corrected the declaration for
pthread_testcancel which incorrectly returned int when POSIX and
SUSv2 both say it should be void.
Submitted by: Ralf S. Engelschall <rse@engelschall.com>
Reviewed by: John Birrell <jb@freebsd.org>
implementation requires two things:
1.) The priority queues must be protected during insertion
and removal of threads. Since the kernel scheduler
must modify the priority queues, a spinlock for
protection cannot be used. The functions
_thread_kern_sched_defer() and _thread_kern_sched_undefer()
were added to {un}defer kernel scheduler activation.
2.) A thread (active) priority change can be performed only
when the thread is removed from the priority queue. The
implementation uses a thread's active priority when
inserting it into the queue.
A by-product is that thread switches are much faster. A
separate queue is used for waiting and/or blocked threads,
and it is searched at most 2 times in the kernel scheduler
when there are active threads. It should be possible to
reduce this to once by combining polling of threads waiting
on I/O with the loop that looks for timed out threads and
the minimum timeout value.
o Functions to defer kernel scheduler activation were added. These
are _thread_kern_sched_defer() and _thread_kern_sched_undefer()
and may be called recursively. These routines do not block the
scheduling signal, but latch its occurrence. The signal handler
will not call the kernel scheduler when the running thread has
deferred scheduling, but it will be called when running thread
undefers scheduling.
o Added support for _POSIX_THREAD_PRIORITY_SCHEDULING. All the
POSIX routines required by this should now be implemented.
One note, SCHED_OTHER, SCHED_FIFO, and SCHED_RR are required
to be defined by including pthread.h. These defines are currently
in sched.h. I modified pthread.h to include sched.h but don't
know if this is the proper thing to do.
o Added support for priority protection and inheritance mutexes.
This allows definition of _POSIX_THREAD_PRIO_PROTECT and
_POSIX_THREAD_PRIO_INHERIT.
o Added additional error checks required by POSIX for mutexes and
condition variables.
o Provided a wrapper for sigpending which is marked as a hidden
syscall.
o Added a non-portable function as a debugging aid to allow an
application to monitor thread context switches. An application
can install a routine that gets called every time a thread
(explicitly created by the application) gets context switched.
The routine gets passed the pthread IDs of the threads that are
being switched in and out. I found this useful, but we can
get rid of it if you want.
Submitted by: Dan Eischen <eischen@vigrid.com>