perfbook.vger.kernel.org archive mirror
From: Elad Lahav <e2lahav@gmail.com>
To: paulmck@kernel.org
Cc: Guilherme Janczak <guilherme.janczak@yandex.com>,
	perfbook@vger.kernel.org
Subject: Re: [PATCH] signal handlers: volatile sigatomic_t, not volatile OR sigatomic_t
Date: Thu, 28 Mar 2024 12:30:26 -0400	[thread overview]
Message-ID: <CAJbg=FXkTO1KObfi-K6fxHb5nh3CaMHXR9FcPLO5hGf=3eGX_Q@mail.gmail.com> (raw)
In-Reply-To: <36283212-fc58-4bb9-9768-e5f8cea12487@paulmck-laptop>

Looks like this patch wasn't merged. Regardless of my
questions/observations, Guilherme is absolutely right that volatile is
required for sig_atomic_t by the standard. It may also need to be
mentioned that, despite its name, the only operations that can be
safely done on sig_atomic_t are store and load - it does not provide
read/modify/write atomicity, unlike the lock-free atomic types. The
standard says so, but it's easy to miss:

"the signal handler refers to an object with static or thread storage duration that is not a lock-free atomic object other than by *assigning* a value to an object declared as volatile sig_atomic_t"

--Elad

On Wed, Mar 20, 2024 at 7:07 PM Paul E. McKenney <paulmck@kernel.org> wrote:
>
> On Wed, Mar 20, 2024 at 10:26:04PM +0000, Guilherme Janczak wrote:
> > The standard says it's necessary.
> > If you have a `volatile long long` on a 32-bit architecture, the
> > compiler will have to compile it to some bignum code (meaning multiple
> > instructions), and the signal can come in between them.
>
> Agreed, because in this case the variable is not machine-word sized.
>
> What happens if you instead use a 32-bit aligned volatile quantity?
> (Or 16 or 8 bits, for that matter, at least on PowerPC [1].)
>
> I would hope that these smaller sizes would work, otherwise, again,
> device drivers become problematic on that platform.
>
>                                                         Thanx, Paul
>
> [1] There have been some platforms without 16-bit or 8-bit loads,
>     and on such platforms, you could also see failures of one sort
>     or another.
>
> > I can quickly make it happen on a Nintendo Wii (32-bit powerpc) as
> > well as an i386 laptop using this test program:
> > ```
> > #define _POSIX_C_SOURCE 200809L
> >
> > #include <sys/time.h>
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <signal.h>
> > #include <string.h>
> >
> > static void catch_sigalrm(int);
> >
> > volatile unsigned long long longword;
> > volatile sig_atomic_t partial_update;
> >
> > int
> > main(void)
> > {
> >       const struct sigaction act = { .sa_handler = catch_sigalrm };
> >       const struct itimerval timer = {
> >               .it_value.tv_usec = 1,
> >               .it_interval.tv_usec = 1,
> >       };
> >       unsigned long long n;
> >
> >       sigaction(SIGALRM, &act, NULL);
> >       setitimer(ITIMER_REAL, &timer, NULL);
> >       for (unsigned char i = 0;; i++) {
> >               memset(&n, i, sizeof(n));
> >               longword = n;
> >               if (partial_update) {
> >                       fprintf(stderr, "longword partially updated\n");
> >                       exit(1);
> >               }
> >       }
> > }
> >
> > static void
> > catch_sigalrm(int unused)
> > {
> >       union multibyte {
> >               long long n;
> >               unsigned char bytes[sizeof(long long)];
> >       } window;
> >       (void)unused;
> >       window.n = longword;
> >
> >       for (size_t i = 1; i < sizeof(window.bytes); i++) {
> >               if (window.bytes[i] != window.bytes[0])
> >                       partial_update = 1;
> >       }
> > }
> > ```
> >
> > Output:
> > ```
> > $ cc -O2 test.c && ./a.out
> > longword partially updated
> > ```
> >
> > The program runs (apparently) forever on my amd64 desktop.
> >
> > If you look at the powerpc assembly version of the program in Godbolt:
> > https://godbolt.org/z/Pc8q7E5ej
> > Lines 69 and 70 of the assembly use 2 STW instructions to store each
> > 32-bit half of the bignum.
> >
> > On Wed, Mar 20, 2024 at 04:44:33PM -0400, Elad Lahav wrote:
> > > Do you really need volatile?
> > > There are two cases to consider. Either your code synchronizes updates
> > > to the shared value with the signal handler (e.g., by blocking and
> > > then unblocking the signal), in which case I believe the compiler
> > > cannot ignore updates to the value; or you don't, and you can't depend
> > > on the variable having any specific value in the signal handler. The
> > > only thing you want to prevent in the latter case is the handler
> > > observing a partial update to the variable, which I presume is where
> > > the other requirements originate. (In practice, there should be little
> > > or no concern with any primitive type on modern hardware).
> > >
> > > --Elad
> > >
> > > On Wed, Mar 20, 2024 at 4:32 PM Guilherme Janczak
> > > <guilherme.janczak@yandex.com> wrote:
> > > >
> > > > Variables shared with signal handlers must be of type `volatile
> > > > sigatomic_t`, not `volatile` or `sigatomic_t` as the current text says,
> > > > according to a C11 draft:
> > > >
> > > >     When ... interrupted by ... a signal, values of objects that are
> > > >     neither lock-free atomic objects nor of type volatile sig_atomic_t
> > > >     are unspecified.
> > > >
> > > > Ref: https://www.iso-9899.info/n1570.html#5.1.2.3p5
> > > > Signed-off-by: Guilherme Janczak <guilherme.janczak@yandex.com>
> > > > ---
> > > >  memorder/memorder.tex | 4 ++--
> > > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/memorder/memorder.tex b/memorder/memorder.tex
> > > > index 5c50d42d..873c3424 100644
> > > > --- a/memorder/memorder.tex
> > > > +++ b/memorder/memorder.tex
> > > > @@ -1317,8 +1317,8 @@ from the viewpoint of the interrupted thread, at least at the
> > > >  assembly-language level.
> > > >  However, the C and C++ languages do not define the results of handlers
> > > >  and interrupted threads sharing plain variables.
> > > > -Instead, such shared variables must be \co{sig_atomic_t}, lock-free
> > > > -atomics, or \co{volatile}.
> > > > +Instead, such shared variables must be \co{volatile sig_atomic_t} or
> > > > +lock-free atomics.
> > > >
> > > >  On the other hand, because the handler executes within the interrupted
> > > >  thread's context, the memory ordering used to synchronize communication
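Review bot: the two `+` lines now list `\co{volatile sig_atomic_t}` and lock-free atomics side by side as if they were interchangeable, but as Elad's message in this thread points out, the standard only permits a handler to assign to (and read) a `volatile sig_atomic_t`, while lock-free atomics also allow read-modify-write; a short qualifier such as "\co{volatile sig_atomic_t} (for plain loads and stores) or lock-free atomics" would stop readers from using `sig_atomic_t` for counters. The n1570 5.1.2.3p5 reference cited in the commit message would also be worth carrying into the text itself, since the old wording survived precisely because the requirement is easy to misremember.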
> > > > --
> > > > 2.42.0
> > > >
> > > >
> >
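As an added example (not code from this thread or from perfbook), the pattern Elad's message describes: the handler only assigns to a `volatile sig_atomic_t` flag, and the one read-modify-write it performs goes on a lock-free atomic, verified with `atomic_is_lock_free` before the handler is installed. `raise()` delivers the signal synchronously, so the result is deterministic; `install_handler` and `deliver_and_count` are my own helper names.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdatomic.h>
#include <string.h>

/* The handler only assigns to this flag, the sole access the standard
 * permits on a volatile sig_atomic_t. */
static volatile sig_atomic_t got_signal;
/* The handler increments this: a read-modify-write, so it must be a
 * lock-free atomic rather than a volatile sig_atomic_t. */
static atomic_int signal_count;

static void handler(int signo)
{
    (void)signo;
    got_signal = 1;                                   /* store only */
    atomic_fetch_add_explicit(&signal_count, 1, memory_order_relaxed);
}

/* Hypothetical helper: install the handler, returning 0 on success and
 * -1 otherwise. Refuses if the counter is not lock-free on this target,
 * since then the handler's read-modify-write would be undefined. */
int install_handler(int signo)
{
    struct sigaction act;
    if (!atomic_is_lock_free(&signal_count))
        return -1;
    memset(&act, 0, sizeof act);
    act.sa_handler = handler;
    sigemptyset(&act.sa_mask);
    return sigaction(signo, &act, NULL);
}

/* Raise the signal n times synchronously and return the handler's count,
 * or -1 if a delivery was not observed through the flag. */
int deliver_and_count(int signo, int n)
{
    atomic_store(&signal_count, 0);
    for (int i = 0; i < n; i++) {
        got_signal = 0;
        if (raise(signo) != 0 || !got_signal)         /* load only */
            return -1;
    }
    return atomic_load(&signal_count);
}

int main(void)
{
    return install_handler(SIGUSR1) == 0 && deliver_and_count(SIGUSR1, 5) == 5 ? 0 : 1;
}
```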

Thread overview: 12+ messages
2024-03-20 20:25 [PATCH] signal handlers: volatile sigatomic_t, not volatile OR sigatomic_t Guilherme Janczak
2024-03-20 20:44 ` Elad Lahav
2024-03-20 22:26   ` Guilherme Janczak
2024-03-20 23:07     ` Paul E. McKenney
2024-03-28 16:30       ` Elad Lahav [this message]
2024-03-29  1:23         ` Akira Yokosawa
     [not found]   ` <r63f5f54bb6cilp542vw52ctpjnjbik5pbfrsswvjzccipokgg@c2kdkpmxbfue>
2024-03-20 23:05     ` Elad Lahav
2024-03-20 23:20       ` Elad Lahav
2024-03-21  0:34         ` Guilherme Janczak
2024-03-21  1:03           ` Elad Lahav
2024-03-21  1:19             ` Elad Lahav
2024-03-20 23:02 ` Paul E. McKenney