diff options
author | Austin Clements <austin@google.com> | 2020-01-08 09:58:42 -0500 |
---|---|---|
committer | Austin Clements <austin@google.com> | 2020-01-09 17:28:58 +0000 |
commit | 957259b7e2c40cf9955469ce93b35bdc0289e942 (patch) | |
tree | 2945092dc13f5c44048810b4468661fd0e0d84e6 /src/runtime/race.go | |
parent | 6dbcc8b8651909442ff823231daba096f447a163 (diff) | |
download | go-git-957259b7e2c40cf9955469ce93b35bdc0289e942.tar.gz |
runtime: protect against external code calling ExitProcess
On Windows, we implement asynchronous preemption using SuspendThread
to suspend other threads in our process. However, SuspendThread is
itself actually asynchronous (it enqueues a kernel "asynchronous
procedure call" and returns). Unfortunately, Windows' ExitProcess API
kills all threads except the calling one and then runs APCs. As a
result, if SuspendThread and ExitProcess are called simultaneously,
the exiting thread can be suspended and the suspending thread can be
exited, leaving behind a ghost process consisting of a single thread
that's suspended.
We've already protected against the runtime's own calls to
ExitProcess, but if Go code calls external code, there's nothing
stopping that code from calling ExitProcess. For example, in #35775,
our own call to racefini leads to C code calling ExitProcess and
occasionally causing a deadlock.
This CL fixes this by introducing synchronization between calling
external code on Windows and preemption. It adds an atomic field to
the M that participates in a simple CAS-based synchronization protocol
to prevent suspending a thread running external code. We use this to
protect cgocall (which is used for both cgo calls and system calls on
Windows) and racefini.
Tested by running the flag package's TestParse test compiled in race
mode in a loop. Before this change, this would reliably deadlock after
a few minutes.
Fixes #35775.
Updates #10958, #24543.
Change-Id: I50d847abcdc2688b4f71eee6a75eca0f2fee892c
Reviewed-on: https://go-review.googlesource.com/c/go/+/213837
Run-TryBot: Austin Clements <austin@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
Reviewed-by: David Chase <drchase@google.com>
Diffstat (limited to 'src/runtime/race.go')
-rw-r--r-- | src/runtime/race.go | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/runtime/race.go b/src/runtime/race.go index 52c9bd8201..53910f991c 100644 --- a/src/runtime/race.go +++ b/src/runtime/race.go @@ -403,6 +403,9 @@ func racefini() { // already held it's assumed that the first caller exits the program // so other calls can hang forever without an issue. lock(&raceFiniLock) + // We're entering external code that may call ExitProcess on + // Windows. + osPreemptExtEnter(getg().m) racecall(&__tsan_fini, 0, 0, 0, 0) } |