Re: [Patch, libstdc++] Fix data races in basic_string implementation

On 01/09/15 14:51 +0200, Dmitry Vyukov wrote:

The refcounted basic_string implementation contains several data races
on _M_refcount:
1. _M_is_leaked loads _M_refcount concurrently with mutations of
_M_refcount. This load needs to be a memory_order_relaxed load, as the
_M_is_leaked predicate does not change under our feet.
2. _M_is_shared loads _M_refcount concurrently with mutations of
_M_refcount. This load needs to be memory_order_acquire, as another
thread can drop _M_refcount to zero concurrently, which makes the
string non-shared and so the current thread can mutate the string. We
need reads of the string in another thread (while it was shared) to
happen-before the writes to the string in this thread (now that it is

This patch adds a __gnu_cxx::__atomic_load_dispatch function to do the
loads of _M_refcount. The function does an acquire load. Acquire is
not needed for _M_is_leaked, but for simplicity we still do acquire
(hopefully the refcounted impl will go away in future).

It's unlikely to go away for a long time.

This patch also uses the new function to do loads of _M_refcount in
string implementation.

I did not update doc/xml/manual/concurrency_extensions.xml to document
__gnu_cxx::__atomic_load_dispatch, because I am not sure we want to
extend that API now that we have language-level atomics. If you still
want me to update it, please say how to regenerate

I don't know if we need the new __atomic_load_dispatch function at all,
we could just use atomic loads directly e.g.

	_M_is_leaked() const _GLIBCXX_NOEXCEPT
#if defined(__GTHREADS) && defined(_GLIBCXX_ATOMIC_BUILTINS)
+       { return __atomic_load_n(&this->_M_refcount, __ATOMIC_RELAXED) < 0; }
#else
        { return this->_M_refcount < 0; }
#endif

	_M_is_shared() const _GLIBCXX_NOEXCEPT
#if defined(__GTHREADS) && defined(_GLIBCXX_ATOMIC_BUILTINS)
+        { return __atomic_load_n(&this->_M_refcount, __ATOMIC_ACQUIRE) > 0; }
#else
        { return this->_M_refcount > 0; }
#endif

The __atomic_xxx_dispatch functions check __gthread_active_p() as an
optimisation to avoid potentially expensive atomic stores, but I don't
think we need that for atomic loads here, especially the relaxed load.
We could always add the dispatch in later if we get complaints about
single-threaded performance on targets where the loads are expensive.

This doesn't fix the problem for targets that don't define
_GLIBCXX_ATOMIC_BUILTINS but I don't know how many of them there are.
We could make it work on more targets by adding a new configure check
just for __atomic_load(int*, ...), because _GLIBCXX_ATOMIC_BUILTINS
requires several builtins to support various object sizes, but here we
don't need all of that.

The race was detected with ThreadSanitizer on the following program:

#define _GLIBCXX_USE_CXX11_ABI 0
#include <string>
#include <thread>
#include <iostream>
#include <chrono>

int main() {
  std::string s = "foo";
  std::thread t([=](){
    std::string x = s;          // copy shares the buffer: atomic increment of _M_refcount
    std::cout << &x << std::endl;
  });                           // copies destroyed here: atomic decrement of _M_refcount
  std::cout << &s[0] << std::endl;  // non-const operator[] calls _M_leak, which reads _M_refcount
  t.join();
}

$ g++ -std=c++11 -pthread -O1 -g -fsanitize=thread
$ ./a.out

WARNING: ThreadSanitizer: data race (pid=98135)
 Read of size 4 at 0x7d080000efd0 by main thread:
   #0 std::string::_Rep::_M_is_leaked() const
include/c++/6.0.0/bits/basic_string.h:2605 (a.out+0x000000401d7c)
   #1 std::string::_M_leak()
include/c++/6.0.0/bits/basic_string.h:2730 (a.out+0x000000401d7c)
   #2 std::string::operator[](unsigned long)
include/c++/6.0.0/bits/basic_string.h:3274 (a.out+0x000000401d7c)
   #3 main /tmp/ (a.out+0x000000401d7c)

 Previous atomic write of size 4 at 0x7d080000efd0 by thread T1:
   #0 __tsan_atomic32_fetch_add
   #1 __exchange_and_add include/c++/6.0.0/ext/atomicity.h:59
   #2 __exchange_and_add_dispatch
include/c++/6.0.0/ext/atomicity.h:92 (a.out+0x000000401a19)
   #3 std::string::_Rep::_M_dispose(std::allocator<char> const&)
include/c++/6.0.0/bits/basic_string.h:2659 (a.out+0x000000401a19)
   #4 std::basic_string<char, std::char_traits<char>,
std::allocator<char> >::~basic_string()
include/c++/6.0.0/bits/basic_string.h:2961 (a.out+0x000000401a19)
   #5 ~<lambda> /tmp/ (a.out+0x000000401a19)
   #6 ~_Head_base include/c++/6.0.0/tuple:102 (a.out+0x000000401a19)
   #7 ~_Tuple_impl include/c++/6.0.0/tuple:338 (a.out+0x000000401a19)
   #8 ~tuple include/c++/6.0.0/tuple:521 (a.out+0x000000401a19)
   #9 ~_Bind_simple include/c++/6.0.0/functional:1503 (a.out+0x000000401a19)
   #10 ~_Impl include/c++/6.0.0/thread:107 (a.out+0x000000401a19)
   #11 destroy<std::thread::_Impl<std::_Bind_simple<main()::<lambda()>()>
> include/c++/6.0.0/ext/new_allocator.h:124 (a.out+0x0000004015c7)
   #12 _S_destroy<std::allocator<std::thread::_Impl<std::_Bind_simple<main()::<lambda()>()>
>, std::thread::_Impl<std::_Bind_simple<main()::<lambda()>()> > >
include/c++/6.0.0/bits/alloc_traits.h:236 (a.out+0x0000004015c7)
   #13 destroy<std::thread::_Impl<std::_Bind_simple<main()::<lambda()>()>
> include/c++/6.0.0/bits/alloc_traits.h:336 (a.out+0x0000004015c7)
   #14 _M_dispose include/c++/6.0.0/bits/shared_ptr_base.h:529
   #15 std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()
   #16 std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()
   #17 std::__shared_ptr<std::thread::_Impl_base,
   #18 std::shared_ptr<std::thread::_Impl_base>::~shared_ptr()
   #19 execute_native_thread_routine
libstdc++-v3/src/c++11/ (

 Location is heap block of size 28 at 0x7d080000efc0 allocated by main thread:
   #0 operator new(unsigned long)
   #1 __gnu_cxx::new_allocator<char>::allocate(unsigned long, void
const*) /usr/local/google/home/dvyukov/src/gcc/build/x86_64-pc-linux-gnu/libstdc++-v3/include/ext/new_allocator.h:104
   #2 std::string::_Rep::_S_create(unsigned long, unsigned long,
std::allocator<char> const&)
   #3 __libc_start_main <null> (

 Thread T1 (tid=98137, finished) created by main thread at:
   #0 pthread_create
   #1 __gthread_create
   #2 std::thread::_M_start_thread(std::shared_ptr<std::thread::_Impl_base>,
void (*)()) libstdc++-v3/src/c++11/
   #3 __libc_start_main <null> (

OK for trunk?

Index: include/bits/basic_string.h
--- include/bits/basic_string.h	(revision 227363)
+++ include/bits/basic_string.h	(working copy)
@@ -2601,11 +2601,11 @@

	_M_is_leaked() const _GLIBCXX_NOEXCEPT
-        { return this->_M_refcount < 0; }
+        { return __gnu_cxx::__atomic_load_dispatch(&this->_M_refcount) < 0; }

	_M_is_shared() const _GLIBCXX_NOEXCEPT
-        { return this->_M_refcount > 0; }
+        { return __gnu_cxx::__atomic_load_dispatch(&this->_M_refcount) > 0; }

	_M_set_leaked() _GLIBCXX_NOEXCEPT
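Review bot: the `_M_is_leaked` line only needs a relaxed load, as the description at the top of the message says, yet `__atomic_load_dispatch` always performs an acquire, so both predicates now pay for the stronger ordering and the helper's name does not tell a reader which ordering is in effect. Either give the helper a memory-order parameter or call `__atomic_load_n(&this->_M_refcount, __ATOMIC_RELAXED)` directly in `_M_is_leaked` and keep the acquire for `_M_is_shared`; a one-line comment on each predicate saying why the two orderings differ (the leaked flag is only ever set by the sole owner; the shared count can be dropped to zero by another thread whose reads must happen-before our writes) would save the next reader from re-deriving it.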
Index: include/ext/atomicity.h
--- include/ext/atomicity.h	(revision 227363)
+++ include/ext/atomicity.h	(working copy)
@@ -35,6 +35,16 @@
#include <bits/gthr.h>
#include <bits/atomic_word.h>

+// Even if the CPU doesn't need a memory barrier, we need to ensure
+// that the compiler doesn't reorder memory accesses across the
+// barriers.
+#define _GLIBCXX_READ_MEM_BARRIER __atomic_thread_fence (__ATOMIC_ACQUIRE)
+#define _GLIBCXX_WRITE_MEM_BARRIER __atomic_thread_fence (__ATOMIC_RELEASE)
namespace __gnu_cxx _GLIBCXX_VISIBILITY(default)
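Review bot: the two `#define`s are unconditional and now sit directly after `#include <bits/atomic_word.h>`, which is where a target would supply its own `_GLIBCXX_READ_MEM_BARRIER`/`_GLIBCXX_WRITE_MEM_BARRIER` (the remark further down that targets without `_GLIBCXX_ATOMIC_BUILTINS` should be redefining the read barrier assumes exactly that). An unguarded `#define` after that include either triggers a redefinition warning or silently replaces the target's definition; wrap each one as `#ifndef _GLIBCXX_READ_MEM_BARRIER` / `#define ...` / `#endif` so the `__atomic_thread_fence` form is only the default.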
@@ -50,7 +60,7 @@

  static inline void
  __atomic_add(volatile _Atomic_word* __mem, int __val)
-  { __atomic_fetch_add(__mem, __val, __ATOMIC_ACQ_REL); }
+  { __atomic_fetch_add(__mem, __val, __ATOMIC_RELEASE); }
  __attribute__ ((__unused__))
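Review bot: weakening `__atomic_add` from `__ATOMIC_ACQ_REL` to `__ATOMIC_RELEASE` changes every caller of `__atomic_add`/`__atomic_add_dispatch` in the library, not just `basic_string`, and the patch description does not mention it. State in the description why release alone is correct on the increment side (a new owner has nothing to acquire; it only reads data published before it obtained the pointer) and confirm that `__exchange_and_add`, which the sanitizer trace shows on the decrement path in `_M_dispose`, keeps `__ATOMIC_ACQ_REL`, since that is the operation that must acquire before the last owner frees the buffer. A reference-count increment is in fact correct with `__ATOMIC_RELAXED`, so if the intent is to weaken it, the ChangeLog should record the ordering that was chosen and why.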
@@ -101,17 +111,27 @@

+  static inline _Atomic_word
+  __attribute__ ((__unused__))
+  __atomic_load_dispatch(const _Atomic_word* __mem)
+  {
+#ifdef __GTHREADS
+    if (__gthread_active_p())
+      {
+        return __atomic_load_n(__mem, __ATOMIC_ACQUIRE);
+        // The best we can get with an old compiler.

We don't support old compilers in libstdc++ trunk, so this comment is
misleading. The fallback is needed for targets without support for all
the builtins, not for old compilers.

+        _Atomic_word v = *(volatile _Atomic_word*)__mem;

If a target doesn't define _GLIBCXX_ATOMIC_BUILTINS do we know it will
define __atomic_thread_fence ?

I guess those targets should be redefining _GLIBCXX_READ_MEM_BARRIER

+        return v;
+      }
+    return *__mem;
+  }
} // namespace

-// Even if the CPU doesn't need a memory barrier, we need to ensure
-// that the compiler doesn't reorder memory accesses across the
-// barriers.
-#define _GLIBCXX_READ_MEM_BARRIER __atomic_thread_fence (__ATOMIC_ACQUIRE)
-#define _GLIBCXX_WRITE_MEM_BARRIER __atomic_thread_fence (__ATOMIC_RELEASE)
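Review bot: the fallback branch (`_Atomic_word v = *(volatile _Atomic_word*)__mem;` followed by `return v;`) gives compiler ordering, not an atomic load: a `volatile` read is not required to be tear-free, and what the branch really relies on is that `_Atomic_word` is a naturally aligned `int` whose plain load is single-copy atomic on every target that reaches it. The comment should state that assumption instead of talking about old compilers, as already noted above. The unthreaded path `return *__mem;` is only safe because `__gthread_active_p()` answered false for the whole process, which is the same trade-off the other `_dispatch` helpers make, but unlike them this function has no doc comment; since `doc/xml/manual/concurrency_extensions.xml` documents the other helpers, either add this one there or say in a header comment that it is internal to the library and fixed to acquire ordering.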

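As an added illustration (not part of the original message or of libstdc++), here is the refcount protocol the patch touches written as a small copy-on-write string over std::atomic, so that the three orderings argued for above sit next to each other: a relaxed load for the leaked test, an acquire load for the shared test, and an acq_rel decrement. The class and member names (CowString, Rep, is_shared, is_leaked, leak, release) are invented for the example; the GCC names appear only in comments for orientation.

```cpp
// Added example, not libstdc++ code: a minimal copy-on-write string modelling
// the refcount protocol discussed above with the memory orders it argues for
// (relaxed for the "leaked?" test, acquire for "shared?", acq_rel on the
// decrement).  CowString, Rep, is_shared, is_leaked, leak and release are
// names invented for this example.
#include <atomic>
#include <cstddef>
#include <cstring>
#include <string>
#include <thread>

class CowString {
 public:
  explicit CowString(const char* s) : rep_(new Rep(s)) {}
  // Copying shares the buffer unless it was handed out for mutation
  // ("leaked"); then it must be deep-copied, as GCC's _M_grab does.
  CowString(const CowString& o) {
    if (o.is_leaked()) {
      rep_ = new Rep(o.rep_->data.c_str());
    } else {
      rep_ = o.rep_;
      // An extra reference needs no ordering: the new owner only reads data
      // that was published before it obtained the pointer.
      rep_->refcount.fetch_add(1, std::memory_order_relaxed);
    }
  }
  CowString& operator=(const CowString&) = delete;
  ~CowString() { release(); }

  // ACQUIRE: if another thread just dropped the count, every read it made of
  // the buffer must happen-before the writes operator[] is about to make.
  bool is_shared() const {
    return rep_->refcount.load(std::memory_order_acquire) > 0;
  }
  // RELAXED is enough: only the sole owner sets the leaked flag, so no other
  // thread can change this answer under our feet.
  bool is_leaked() const {
    return rep_->refcount.load(std::memory_order_relaxed) < 0;
  }
  const char* c_str() const { return rep_->data.c_str(); }
  // Mutable access (GCC's _M_leak): unshare if needed, then mark leaked.
  char& operator[](std::size_t i) {
    if (!is_leaked()) leak();
    return rep_->data[i];
  }

 private:
  struct Rep {
    std::atomic<int> refcount{0};  // owners minus one: 0 unique, >0 shared, -1 leaked
    std::string data;
    explicit Rep(const char* s) : data(s) {}
  };
  void leak() {
    if (is_shared()) {          // someone else still reads this buffer
      Rep* fresh = new Rep(rep_->data.c_str());
      release();
      rep_ = fresh;
    }
    rep_->refcount.store(-1, std::memory_order_relaxed);  // sole owner now
  }
  // ACQ_REL: whoever takes the count to zero or below must observe every other
  // owner's accesses before freeing the buffer.
  void release() {
    if (rep_->refcount.fetch_sub(1, std::memory_order_acq_rel) <= 0) delete rep_;
  }
  Rep* rep_;
};

// Single-threaded walk: unique -> shared -> write while shared (must not touch
// the other owner's buffer) -> leaked -> deep copy -> write in place.
bool refcount_states() {
  CowString a("abc");
  if (a.is_shared() || a.is_leaked()) return false;
  const char* buf = a.c_str();
  {
    CowString b(a);                                       // shares buf
    if (!a.is_shared() || b.c_str() != buf) return false;
    a[0] = 'z';                                           // shared: a moves to a fresh buffer
    if (a.c_str() == buf || std::strcmp(a.c_str(), "zbc") != 0 ||
        std::strcmp(b.c_str(), "abc") != 0 || b.is_shared()) return false;
  }                                                       // b frees buf
  if (!a.is_leaked() || a.is_shared()) return false;
  CowString c(a);                                         // leaked: deep copy
  const char* cbuf = c.c_str();
  c[0] = 'y';                                             // unique: mutate in place
  return cbuf != a.c_str() && c.c_str() == cbuf && std::strcmp(c.c_str(), "ybc") == 0;
}

// The shape of the sanitizer program above: a thread copies the string and
// reads it while the main thread writes through operator[].  Whichever runs
// first, the reader sees the original text and the write lands on a buffer
// the reader never touched.
bool concurrent_copy_and_write() {
  CowString s("foo");
  std::string seen;
  std::thread t([s, &seen] { seen = s.c_str(); });  // the capture shares the buffer
  s[0] = 'b';                                       // unshares if t still holds it
  t.join();
  return seen == "foo" && std::strcmp(s.c_str(), "boo") == 0;
}

int main() {
  return refcount_states() && concurrent_copy_and_write() ? 0 : 1;
}
```

Build with g++ -std=c++11 -pthread; adding -fsanitize=thread as in the report above should stay quiet, because every access to the count is an atomic operation. Replacing the load in is_shared with a plain read of a non-atomic int is the pattern that produced the report.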
