Be more strict about using invalid `pthread_t`s.

Another release, another attempt to remove the global thread list.
But this time, let's admit that it's not going away. We can switch to using
a read/write lock for the global thread list, and to aborting rather than
quietly returning ESRCH if we're given an invalid pthread_t.

This change affects pthread_detach, pthread_getcpuclockid,
pthread_getschedparam/pthread_setschedparam, pthread_join, and pthread_kill:
instead of returning ESRCH when passed an invalid pthread_t, if you're
targeting O or above, they'll abort with the message "attempt to use
invalid pthread_t".

Note that this doesn't change behavior as much as you might think: the old
lookup only held the global thread list lock for the duration of the lookup,
so there was still a race between that and the dereference in the caller,
given that callers actually need the tid to pass to some syscall or other,
and sometimes update fields in the pthread_internal_t struct too.
(This patch replaces such users with calls to pthread_gettid_np, which
at least makes the TOCTOU window smaller.)

We can't check thread->tid against 0 to see whether a pthread_t is still
valid because a dead thread gets its thread struct unmapped along with its
stack, so the dereference isn't safe.

Taking the affected functions one by one:

* pthread_getcpuclockid and pthread_getschedparam/pthread_setschedparam
  should be fine. Unsafe calls to those seem highly unlikely.

* Unsafe pthread_detach callers probably want to switch to
  pthread_attr_setdetachstate instead, or using
  pthread_detach(pthread_self()) from the new thread's start routine
  rather than doing the detach in the parent.

* pthread_join calls should be safe anyway, because a joinable thread
  won't actually exit and unmap until it's joined. If you're joining an
  unjoinable thread, the fix is to stop marking it detached. If you're
  joining an already-joined thread, you need to rethink your design.

* Unsafe pthread_kill calls aren't portably fixable. (And are obviously
  inherently non-portable as-is.) The best alternative on Android is to
  use pthread_gettid_np at some point that you know the thread to be
  alive, and then call kill/tgkill directly.
  That's still not completely safe because if you're too late, the tid
  may have been reused, but then your code is inherently unsafe anyway.

Bug: http://b/19636317
Test: ran tests
Change-Id: I0372c4428e8a7f1c3af5c9334f5d9c25f2c73f21
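The pthread_kill alternative described in the commit message (take the tid at a point where the thread is known to be alive, then signal it with tgkill rather than through a possibly stale pthread_t), as an added example that is not part of this commit or of bionic: the worker publishes its own tid before it can possibly exit, the creating thread signals it with tgkill(2), and a signal-0 liveness probe shows the ESRCH you get once you are too late. Assumptions: this runs on Linux and uses the raw SYS_gettid/SYS_tgkill syscalls in place of bionic's gettid(), pthread_gettid_np(pthread_self()) and tgkill(); the names struct tid_worker, worker_main, signal_worker_via_tgkill and wait_until_tid_gone are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <semaphore.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not bionic code. All names below are this example's own.
 * Linux-only: raw SYS_gettid/SYS_tgkill stand in for bionic's gettid(),
 * pthread_gettid_np(pthread_self()) and tgkill(). */

struct tid_worker {
    pid_t tid;      /* kernel tid, written by the worker thread itself */
    sem_t started;  /* posted once tid is valid and the worker is still alive */
    int received;   /* signal number sigwait() returned, 0 if none */
};

static void* worker_main(void* arg) {
    struct tid_worker* w = arg;
    /* The worker records its own tid: it cannot have exited while running
     * this line, so this is "a point that you know the thread to be alive". */
    w->tid = (pid_t)syscall(SYS_gettid);
    sem_post(&w->started);

    /* SIGUSR1 is blocked here (mask inherited from the creating thread), so a
     * thread-directed SIGUSR1 stays pending until sigwait() dequeues it. */
    sigset_t set;
    sigemptyset(&set);
    sigaddset(&set, SIGUSR1);
    int sig = 0;
    if (sigwait(&set, &sig) == 0) w->received = sig;
    return NULL;
}

/* Creates a worker, waits for it to publish its tid, signals it with tgkill()
 * instead of pthread_kill(), joins it, and returns the signal number the worker
 * received (or a negative errno). *tid_out receives the worker's tid. */
int signal_worker_via_tgkill(pid_t* tid_out) {
    sigset_t block, old;
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);
    /* Block SIGUSR1 before pthread_create() so the worker inherits the mask and
     * the default action (terminate the process) can never run. */
    int rc = pthread_sigmask(SIG_BLOCK, &block, &old);
    if (rc != 0) return -rc;

    struct tid_worker w = { .tid = 0, .received = 0 };
    if (sem_init(&w.started, 0, 0) != 0) return -errno;

    pthread_t t;
    rc = pthread_create(&t, NULL, worker_main, &w);
    if (rc != 0) { sem_destroy(&w.started); return -rc; }

    while (sem_wait(&w.started) == -1 && errno == EINTR) {}
    /* From here w.tid is valid and the worker is alive (in sigwait or about to
     * be): this is the only window in which using the tid is sound. */
    if (syscall(SYS_tgkill, getpid(), w.tid, SIGUSR1) != 0) {
        rc = -errno;
        pthread_cancel(t);  /* sigwait() is a cancellation point */
    }
    pthread_join(t, NULL);

    pthread_sigmask(SIG_SETMASK, &old, NULL);
    sem_destroy(&w.started);
    if (tid_out) *tid_out = w.tid;
    return rc != 0 ? rc : w.received;
}

/* Liveness probe for an already-obtained tid: tgkill(..., 0) delivers nothing
 * but reports ESRCH once the thread is gone. Polls up to max_polls times and
 * returns 1 when the tid is gone, 0 on giving up. tgkill() rather than kill()
 * so a tid recycled by another process is not mistaken for our thread; a tid
 * recycled inside this process is the inherent race the commit message notes. */
int wait_until_tid_gone(pid_t tid, int max_polls) {
    for (int i = 0; i < max_polls; i++) {
        if (syscall(SYS_tgkill, getpid(), tid, 0) == -1 && errno == ESRCH) return 1;
        sched_yield();
    }
    return 0;
}

int main(void) {
    pid_t tid = 0;
    int sig = signal_worker_via_tgkill(&tid);
    printf("worker tid %d received signal %d (SIGUSR1 is %d)\n", (int)tid, sig, SIGUSR1);
    printf("tid gone after join: %s\n", wait_until_tid_gone(tid, 1000000) ? "yes" : "no");
    return sig == SIGUSR1 ? 0 : 1;
}
```

The semaphore is what turns "some point that you know the thread to be alive" into a real guarantee: the creator only touches the tid after the worker has published it, and the worker cannot exit before the signal arrives because it is parked in sigwait. Once pthread_join has returned, the probe is all you have left, and it only tells you the tid is gone, never that a tid still reported alive is the thread you meant.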
diff --git a/tests/time_test.cpp b/tests/time_test.cpp
index 8c4a8a9..4e3fa83 100644
--- a/tests/time_test.cpp
+++ b/tests/time_test.cpp
@@ -509,14 +509,14 @@
struct TimerDeleteData {
timer_t timer_id;
- pthread_t thread_id;
+ pid_t tid;
volatile bool complete;
};
static void TimerDeleteCallback(sigval_t value) {
TimerDeleteData* tdd = reinterpret_cast<TimerDeleteData*>(value.sival_ptr);
- tdd->thread_id = pthread_self();
+ tdd->tid = gettid();
timer_delete(tdd->timer_id);
tdd->complete = true;
}
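Review bot: `tid` is a plain `pid_t` while `complete` is `volatile bool`, and the callback stores `tdd->tid = gettid();` before `tdd->complete = true;`; `volatile` gives no cross-thread ordering between those two stores, so any reader that waits on `complete` and then reads `tid` can observe the flag before the tid on weakly ordered hardware. Consider making `complete` a `std::atomic<bool>` (release store here, acquire load in the reader) or documenting that the test relies on the store order holding. A one-line comment on why a raw tid is stored instead of the old `pthread_t` (a detached timer thread's `pthread_t` may already be invalid and would now abort in `pthread_detach`) would also help the next reader.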
@@ -548,8 +548,9 @@
// Since bionic timers are implemented by creating a thread to handle the
// callback, verify that the thread actually completes.
cur_time = time(NULL);
- while (pthread_detach(tdd.thread_id) != ESRCH && (time(NULL) - cur_time) < 5);
- ASSERT_EQ(ESRCH, pthread_detach(tdd.thread_id));
+ while ((kill(tdd.tid, 0) != -1 || errno != ESRCH) && (time(NULL) - cur_time) < 5);
+ ASSERT_EQ(-1, kill(tdd.tid, 0));
+ ASSERT_EQ(ESRCH, errno);
#endif
}
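Review bot: `kill(tdd.tid, 0)` is a weaker liveness probe than this test needs: if the timer thread has exited and its tid has been recycled by another process, which is exactly the "too late" window the commit message describes, `kill()` keeps returning 0, the loop spins for the full five seconds, and the assertions then fail with a misleading ESRCH mismatch. `tgkill(getpid(), tdd.tid, 0)` restricts the probe to this thread group, e.g. `while ((tgkill(getpid(), tdd.tid, 0) != -1 || errno != ESRCH) && (time(NULL) - cur_time) < 5);` and `ASSERT_EQ(-1, tgkill(getpid(), tdd.tid, 0));`. Separately, the loop is a hot spin for up to five seconds (as the old `pthread_detach` loop was); a `sched_yield()` or short `usleep()` in the body would be kinder to the test host.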