std: refactor pthread-based synchronization

library/std/src/sys/pal/teeos/mod.rs

@@ -27,6 +27,14 @@ pub mod thread;
 #[path = "../unix/time.rs"]
 pub mod time;
 
+#[path = "../unix/sync"]
+pub mod sync {
+    mod condvar;
+    mod mutex;
+    pub use condvar::Condvar;
+    pub use mutex::Mutex;
+}
+
 use crate::io::ErrorKind;
 
 pub fn abort_internal() -> ! {

library/std/src/sys/pal/unix/mod.rs

@@ -27,6 +27,7 @@ pub mod pipe;
 pub mod process;
 pub mod stack_overflow;
 pub mod stdio;
+pub mod sync;
 pub mod thread;
 pub mod thread_parking;
 pub mod time;

library/std/src/sys/pal/unix/sync/condvar.rs

@@ -0,0 +1,172 @@
+use super::Mutex;
+use crate::cell::UnsafeCell;
+use crate::pin::Pin;
+#[cfg(not(target_os = "nto"))]
+use crate::sys::pal::time::TIMESPEC_MAX;
+#[cfg(target_os = "nto")]
+use crate::sys::pal::time::TIMESPEC_MAX_CAPPED;
+use crate::sys::pal::time::Timespec;
+use crate::time::Duration;
+
+pub struct Condvar {
+    inner: UnsafeCell<libc::pthread_cond_t>,
+}
+
+impl Condvar {
+    pub fn new() -> Condvar {
+        Condvar { inner: UnsafeCell::new(libc::PTHREAD_COND_INITIALIZER) }
+    }
+
+    #[inline]
+    fn raw(&self) -> *mut libc::pthread_cond_t {
+        self.inner.get()
+    }
+
+    /// # Safety
+    /// `init` must have been called.
+    #[inline]
+    pub unsafe fn notify_one(self: Pin<&Self>) {
+        let r = unsafe { libc::pthread_cond_signal(self.raw()) };
+        debug_assert_eq!(r, 0);
+    }
+
+    /// # Safety
+    /// `init` must have been called.
+    #[inline]
+    pub unsafe fn notify_all(self: Pin<&Self>) {
+        let r = unsafe { libc::pthread_cond_broadcast(self.raw()) };
+        debug_assert_eq!(r, 0);
+    }
+
+    /// # Safety
+    /// * `init` must have been called.
+    /// * `mutex` must be locked by the current thread.
+    /// * This condition variable may only be used with the same mutex.
+    #[inline]
+    pub unsafe fn wait(self: Pin<&Self>, mutex: Pin<&Mutex>) {
+        let r = unsafe { libc::pthread_cond_wait(self.raw(), mutex.raw()) };
+        debug_assert_eq!(r, 0);
+    }
+
+    /// # Safety
+    /// * `init` must have been called.
+    /// * `mutex` must be locked by the current thread.
+    /// * This condition variable may only be used with the same mutex.
+    pub unsafe fn wait_timeout(&self, mutex: Pin<&Mutex>, dur: Duration) -> bool {
+        let mutex = mutex.raw();
+
+        // OSX implementation of `pthread_cond_timedwait` is buggy
+        // with super long durations. When duration is greater than
+        // 0x100_0000_0000_0000 seconds, `pthread_cond_timedwait`
+        // in macOS Sierra returns error 316.
+        //
+        // This program demonstrates the issue:
+        // https://gist.github.com/stepancheg/198db4623a20aad2ad7cddb8fda4a63c
+        //
+        // To work around this issue, the timeout is clamped to 1000 years.
+        #[cfg(target_vendor = "apple")]
+        let dur = Duration::min(dur, Duration::from_secs(1000 * 365 * 86400));
+
+        let timeout = Timespec::now(Self::CLOCK).checked_add_duration(&dur);
+
+        #[cfg(not(target_os = "nto"))]
+        let timeout = timeout.and_then(|t| t.to_timespec()).unwrap_or(TIMESPEC_MAX);
+
+        #[cfg(target_os = "nto")]
+        let timeout = timeout.and_then(|t| t.to_timespec_capped()).unwrap_or(TIMESPEC_MAX_CAPPED);
+
+        let r = unsafe { libc::pthread_cond_timedwait(self.raw(), mutex, &timeout) };
+        assert!(r == libc::ETIMEDOUT || r == 0);
+        r == 0
+    }
+}
+
+#[cfg(not(any(
+    target_os = "android",
+    target_vendor = "apple",
+    target_os = "espidf",
+    target_os = "horizon",
+    target_os = "l4re",
+    target_os = "redox",
+    target_os = "teeos",
+)))]
+impl Condvar {
+    pub const PRECISE_TIMEOUT: bool = true;
+    const CLOCK: libc::clockid_t = libc::CLOCK_MONOTONIC;
+
+    /// # Safety
+    /// May only be called once.
+    pub unsafe fn init(self: Pin<&mut Self>) {
+        use crate::mem::MaybeUninit;
+
+        struct AttrGuard<'a>(pub &'a mut MaybeUninit<libc::pthread_condattr_t>);
+        impl Drop for AttrGuard<'_> {
+            fn drop(&mut self) {
+                unsafe {
+                    let result = libc::pthread_condattr_destroy(self.0.as_mut_ptr());
+                    assert_eq!(result, 0);
+                }
+            }
+        }
+
+        unsafe {
+            let mut attr = MaybeUninit::<libc::pthread_condattr_t>::uninit();
+            let r = libc::pthread_condattr_init(attr.as_mut_ptr());
+            assert_eq!(r, 0);
+            let attr = AttrGuard(&mut attr);
+            let r = libc::pthread_condattr_setclock(attr.0.as_mut_ptr(), Self::CLOCK);
+            assert_eq!(r, 0);
+            let r = libc::pthread_cond_init(self.raw(), attr.0.as_ptr());
+            assert_eq!(r, 0);
+        }
+    }
+}
+
+// `pthread_condattr_setclock` is unfortunately not supported on these platforms.
+#[cfg(any(
+    target_os = "android",
+    target_vendor = "apple",
+    target_os = "espidf",
+    target_os = "horizon",
+    target_os = "l4re",
+    target_os = "redox",
+    target_os = "teeos",
+))]
+impl Condvar {
+    pub const PRECISE_TIMEOUT: bool = false;
+    const CLOCK: libc::clockid_t = libc::CLOCK_REALTIME;
+
+    /// # Safety
+    /// May only be called once.
+    pub unsafe fn init(self: Pin<&mut Self>) {
+        if cfg!(any(target_os = "espidf", target_os = "horizon", target_os = "teeos")) {
+            // NOTE: ESP-IDF's PTHREAD_COND_INITIALIZER support is not released yet
+            // So on that platform, init() should always be called.
+            //
+            // Similar story for the 3DS (horizon) and for TEEOS.
+            let r = unsafe { libc::pthread_cond_init(self.raw(), crate::ptr::null()) };
+            assert_eq!(r, 0);
+        }
+    }
+}
+
+impl !Unpin for Condvar {}
+
+unsafe impl Sync for Condvar {}
+unsafe impl Send for Condvar {}
+
+impl Drop for Condvar {
+    #[inline]
+    fn drop(&mut self) {
+        let r = unsafe { libc::pthread_cond_destroy(self.raw()) };
+        if cfg!(target_os = "dragonfly") {
+            // On DragonFly pthread_cond_destroy() returns EINVAL if called on
+            // a condvar that was just initialized with
+            // libc::PTHREAD_COND_INITIALIZER. Once it is used or
+            // pthread_cond_init() is called, this behaviour no longer occurs.
+            debug_assert!(r == 0 || r == libc::EINVAL);
+        } else {
+            debug_assert_eq!(r, 0);
+        }
+    }
+}

library/std/src/sys/pal/unix/sync/mod.rs

@@ -0,0 +1,16 @@
+#![cfg(not(any(
+    target_os = "linux",
+    target_os = "android",
+    all(target_os = "emscripten", target_feature = "atomics"),
+    target_os = "freebsd",
+    target_os = "openbsd",
+    target_os = "dragonfly",
+    target_os = "fuchsia",
+)))]
+#![forbid(unsafe_op_in_unsafe_fn)]
+
+mod condvar;
+mod mutex;
+
+pub use condvar::Condvar;
+pub use mutex::Mutex;

library/std/src/sys/pal/unix/sync/mutex.rs

@@ -0,0 +1,133 @@
+use super::super::cvt_nz;
+use crate::cell::UnsafeCell;
+use crate::io::Error;
+use crate::mem::MaybeUninit;
+use crate::pin::Pin;
+
+pub struct Mutex {
+    inner: UnsafeCell<libc::pthread_mutex_t>,
+}
+
+impl Mutex {
+    pub fn new() -> Mutex {
+        Mutex { inner: UnsafeCell::new(libc::PTHREAD_MUTEX_INITIALIZER) }
+    }
+
+    pub(super) fn raw(&self) -> *mut libc::pthread_mutex_t {
+        self.inner.get()
+    }
+
+    /// # Safety
+    /// Must only be called once.
+    pub unsafe fn init(self: Pin<&mut Self>) {
+        // Issue #33770
+        //
+        // A pthread mutex initialized with PTHREAD_MUTEX_INITIALIZER will have
+        // a type of PTHREAD_MUTEX_DEFAULT, which has undefined behavior if you
+        // try to re-lock it from the same thread when you already hold a lock
+        // (https://pubs.opengroup.org/onlinepubs/9699919799/functions/pthread_mutex_init.html).
+        // This is the case even if PTHREAD_MUTEX_DEFAULT == PTHREAD_MUTEX_NORMAL
+        // (https://github.com/rust-lang/rust/issues/33770#issuecomment-220847521) -- in that
+        // case, `pthread_mutexattr_settype(PTHREAD_MUTEX_DEFAULT)` will of course be the same
+        // as setting it to `PTHREAD_MUTEX_NORMAL`, but not setting any mode will result in
+        // a Mutex where re-locking is UB.
+        //
+        // In practice, glibc takes advantage of this undefined behavior to
+        // implement hardware lock elision, which uses hardware transactional
+        // memory to avoid acquiring the lock. While a transaction is in
+        // progress, the lock appears to be unlocked. This isn't a problem for
+        // other threads since the transactional memory will abort if a conflict
+        // is detected, however no abort is generated when re-locking from the
+        // same thread.
+        //
+        // Since locking the same mutex twice will result in two aliasing &mut
+        // references, we instead create the mutex with type
+        // PTHREAD_MUTEX_NORMAL which is guaranteed to deadlock if we try to
+        // re-lock it from the same thread, thus avoiding undefined behavior.
+        unsafe {
+            let mut attr = MaybeUninit::<libc::pthread_mutexattr_t>::uninit();
+            cvt_nz(libc::pthread_mutexattr_init(attr.as_mut_ptr())).unwrap();
+            let attr = AttrGuard(&mut attr);
+            cvt_nz(libc::pthread_mutexattr_settype(
+                attr.0.as_mut_ptr(),
+                libc::PTHREAD_MUTEX_NORMAL,
+            ))
+            .unwrap();
+            cvt_nz(libc::pthread_mutex_init(self.raw(), attr.0.as_ptr())).unwrap();
+        }
+    }
+
+    /// # Safety
+    /// * If `init` was not called, reentrant locking causes undefined behaviour.
+    /// * Destroying a locked mutex causes undefined behaviour.
+    pub unsafe fn lock(self: Pin<&Self>) {
+        #[cold]
+        #[inline(never)]
+        fn fail(r: i32) -> ! {
+            let error = Error::from_raw_os_error(r);
+            panic!("failed to lock mutex: {error}");
+        }
+
+        let r = unsafe { libc::pthread_mutex_lock(self.raw()) };
+        // As we set the mutex type to `PTHREAD_MUTEX_NORMAL` above, we expect
+        // the lock call to never fail. Unfortunately however, some platforms
+        // (Solaris) do not conform to the standard, and instead always provide
+        // deadlock detection. How kind of them! Unfortunately that means that
+        // we need to check the error code here. To save us from UB on other
+        // less well-behaved platforms in the future, we do it even on "good"
+        // platforms like macOS. See #120147 for more context.
+        if r != 0 {
+            fail(r)
+        }
+    }
+
+    /// # Safety
+    /// * If `init` was not called, reentrant locking causes undefined behaviour.
+    /// * Destroying a locked mutex causes undefined behaviour.
+    pub unsafe fn try_lock(self: Pin<&Self>) -> bool {
+        unsafe { libc::pthread_mutex_trylock(self.raw()) == 0 }
+    }
+
+    /// # Safety
+    /// The mutex must be locked by the current thread.
+    pub unsafe fn unlock(self: Pin<&Self>) {
+        let r = unsafe { libc::pthread_mutex_unlock(self.raw()) };
+        debug_assert_eq!(r, 0);
+    }
+}
+
+impl !Unpin for Mutex {}
+
+unsafe impl Send for Mutex {}
+unsafe impl Sync for Mutex {}
+
+impl Drop for Mutex {
+    fn drop(&mut self) {
+        // SAFETY:
+        // If `lock` or `init` was called, the mutex must have been pinned, so
+        // it is still at the same location. Otherwise, `inner` must contain
+        // `PTHREAD_MUTEX_INITIALIZER`, which is valid at all locations. Thus,
+        // this call always destroys a valid mutex.
+        let r = unsafe { libc::pthread_mutex_destroy(self.raw()) };
+        if cfg!(target_os = "dragonfly") {
+            // On DragonFly pthread_mutex_destroy() returns EINVAL if called on a
+            // mutex that was just initialized with libc::PTHREAD_MUTEX_INITIALIZER.
+            // Once it is used (locked/unlocked) or pthread_mutex_init() is called,
+            // this behaviour no longer occurs.
+            debug_assert!(r == 0 || r == libc::EINVAL);
+        } else {
+            debug_assert_eq!(r, 0);
+        }
+    }
+}
+
+struct AttrGuard<'a>(pub &'a mut MaybeUninit<libc::pthread_mutexattr_t>);
+
+impl Drop for AttrGuard<'_> {
+    fn drop(&mut self) {
+        unsafe {
+            let result = libc::pthread_mutexattr_destroy(self.0.as_mut_ptr());
+            assert_eq!(result, 0);
+        }
+    }
+}