Commit 6ac7facd authored by Tom Lane's avatar Tom Lane

Improve signal-handler lockout mechanism in timeout.c.

Rather than doing a fairly-expensive setitimer() call to prevent interrupts
from happening, let's just invent a simple boolean flag that the signal
handler is required to check.  This is not only faster but considerably
more robust than before, since the previous code effectively assumed that
only ITIMER_REAL events would ever fire the SIGALRM handler, which is
obviously something that can be broken easily by third-party code.

Zoltán Böszörményi and Tom Lane
parent 3c07fbf4
...@@ -49,6 +49,20 @@ static bool all_timeouts_initialized = false; ...@@ -49,6 +49,20 @@ static bool all_timeouts_initialized = false;
static volatile int num_active_timeouts = 0; static volatile int num_active_timeouts = 0;
static timeout_params *volatile active_timeouts[MAX_TIMEOUTS]; static timeout_params *volatile active_timeouts[MAX_TIMEOUTS];
/*
* Flag controlling whether the signal handler is allowed to do anything.
* We leave this "false" when we're not expecting interrupts, just in case.
*
* Note that we don't bother to reset any pending timer interrupt when we
* disable the signal handler; it's not really worth the cycles to do so,
* since the probability of the interrupt actually occurring while we have
* it disabled is low. See comments in schedule_alarm() about that.
*/
static volatile sig_atomic_t alarm_enabled = false;
#define disable_alarm() (alarm_enabled = false)
#define enable_alarm() (alarm_enabled = true)
/***************************************************************************** /*****************************************************************************
* Internal helper functions * Internal helper functions
...@@ -56,46 +70,9 @@ static timeout_params *volatile active_timeouts[MAX_TIMEOUTS]; ...@@ -56,46 +70,9 @@ static timeout_params *volatile active_timeouts[MAX_TIMEOUTS];
* For all of these, it is caller's responsibility to protect them from * For all of these, it is caller's responsibility to protect them from
* interruption by the signal handler. Generally, call disable_alarm() * interruption by the signal handler. Generally, call disable_alarm()
* first to prevent interruption, then update state, and last call * first to prevent interruption, then update state, and last call
* schedule_alarm(), which will re-enable the interrupt if needed. * schedule_alarm(), which will re-enable the signal handler if needed.
*****************************************************************************/ *****************************************************************************/
/*
* Disable alarm interrupts
*
* multi_insert must be true if the caller intends to activate multiple new
* timeouts. Otherwise it should be false.
*/
static void
disable_alarm(bool multi_insert)
{
struct itimerval timeval;
/*
* If num_active_timeouts is zero, and multi_insert is false, we don't
* have to call setitimer. There should not be any pending interrupt, and
* even if there is, the worst possible case is that the signal handler
* fires during schedule_alarm. (If it fires at any point before
* insert_timeout has incremented num_active_timeouts, it will do nothing,
* since it sees no active timeouts.) In that case we could end up
* scheduling a useless interrupt ... but when the extra interrupt does
* happen, the signal handler will do nothing, so it's all good.
*
* However, if the caller intends to do anything more after first calling
* insert_timeout, the above argument breaks down, since the signal
* handler could interrupt the subsequent operations leading to corrupt
* state. Out of an abundance of caution, we forcibly disable the timer
* even though it should be off already, just to be sure. Even though
* this setitimer call is probably useless, we're still ahead of the game
* compared to scheduling two or more timeouts independently.
*/
if (multi_insert || num_active_timeouts > 0)
{
MemSet(&timeval, 0, sizeof(struct itimerval));
if (setitimer(ITIMER_REAL, &timeval, NULL) != 0)
elog(FATAL, "could not disable SIGALRM timer: %m");
}
}
/* /*
* Find the index of a given timeout reason in the active array. * Find the index of a given timeout reason in the active array.
* If it's not there, return -1. * If it's not there, return -1.
...@@ -132,7 +109,6 @@ insert_timeout(TimeoutId id, int index) ...@@ -132,7 +109,6 @@ insert_timeout(TimeoutId id, int index)
active_timeouts[index] = &all_timeouts[id]; active_timeouts[index] = &all_timeouts[id];
/* NB: this must be the last step, see comments in disable_alarm */
num_active_timeouts++; num_active_timeouts++;
} }
...@@ -194,6 +170,7 @@ enable_timeout(TimeoutId id, TimestampTz now, TimestampTz fin_time) ...@@ -194,6 +170,7 @@ enable_timeout(TimeoutId id, TimestampTz now, TimestampTz fin_time)
all_timeouts[id].indicator = false; all_timeouts[id].indicator = false;
all_timeouts[id].start_time = now; all_timeouts[id].start_time = now;
all_timeouts[id].fin_time = fin_time; all_timeouts[id].fin_time = fin_time;
insert_timeout(id, i); insert_timeout(id, i);
} }
...@@ -228,6 +205,38 @@ schedule_alarm(TimestampTz now) ...@@ -228,6 +205,38 @@ schedule_alarm(TimestampTz now)
timeval.it_value.tv_sec = secs; timeval.it_value.tv_sec = secs;
timeval.it_value.tv_usec = usecs; timeval.it_value.tv_usec = usecs;
/*
* We must enable the signal handler before calling setitimer(); if we
* did it in the other order, we'd have a race condition wherein the
* interrupt could occur before we can set alarm_enabled, so that the
* signal handler would fail to do anything.
*
* Because we didn't bother to reset the timer in disable_alarm(),
* it's possible that a previously-set interrupt will fire between
* enable_alarm() and setitimer(). This is safe, however. There are
* two possible outcomes:
*
* 1. The signal handler finds nothing to do (because the nearest
* timeout event is still in the future). It will re-set the timer
* and return. Then we'll overwrite the timer value with a new one.
* This will mean that the timer fires a little later than we
* intended, but only by the amount of time it takes for the signal
* handler to do nothing useful, which shouldn't be much.
*
* 2. The signal handler executes and removes one or more timeout
* events. When it returns, either the queue is now empty or the
* frontmost event is later than the one we looked at above. So we'll
* overwrite the timer value with one that is too soon (plus or minus
* the signal handler's execution time), causing a useless interrupt
* to occur. But the handler will then re-set the timer and
* everything will still work as expected.
*
* Since these cases are of very low probability (the window here
* being quite narrow), it's not worth adding cycles to the mainline
* code to prevent occasional wasted interrupts.
*/
enable_alarm();
/* Set the alarm timer */ /* Set the alarm timer */
if (setitimer(ITIMER_REAL, &timeval, NULL) != 0) if (setitimer(ITIMER_REAL, &timeval, NULL) != 0)
elog(FATAL, "could not enable SIGALRM timer: %m"); elog(FATAL, "could not enable SIGALRM timer: %m");
...@@ -259,8 +268,17 @@ handle_sig_alarm(SIGNAL_ARGS) ...@@ -259,8 +268,17 @@ handle_sig_alarm(SIGNAL_ARGS)
SetLatch(&MyProc->procLatch); SetLatch(&MyProc->procLatch);
/* /*
* Fire any pending timeouts. * Fire any pending timeouts, but only if we're enabled to do so.
*/
if (alarm_enabled)
{
/*
* Disable alarms, just in case this platform allows signal handlers
* to interrupt themselves. schedule_alarm() will re-enable if
* appropriate.
*/ */
disable_alarm();
if (num_active_timeouts > 0) if (num_active_timeouts > 0)
{ {
TimestampTz now = GetCurrentTimestamp(); TimestampTz now = GetCurrentTimestamp();
...@@ -281,9 +299,9 @@ handle_sig_alarm(SIGNAL_ARGS) ...@@ -281,9 +299,9 @@ handle_sig_alarm(SIGNAL_ARGS)
(*this_timeout->timeout_handler) (); (*this_timeout->timeout_handler) ();
/* /*
* The handler might not take negligible time (CheckDeadLock for * The handler might not take negligible time (CheckDeadLock
* instance isn't too cheap), so let's update our idea of "now" * for instance isn't too cheap), so let's update our idea of
* after each one. * "now" after each one.
*/ */
now = GetCurrentTimestamp(); now = GetCurrentTimestamp();
} }
...@@ -291,6 +309,7 @@ handle_sig_alarm(SIGNAL_ARGS) ...@@ -291,6 +309,7 @@ handle_sig_alarm(SIGNAL_ARGS)
/* Done firing timeouts, so reschedule next interrupt if any */ /* Done firing timeouts, so reschedule next interrupt if any */
schedule_alarm(now); schedule_alarm(now);
} }
}
errno = save_errno; errno = save_errno;
} }
...@@ -315,6 +334,8 @@ InitializeTimeouts(void) ...@@ -315,6 +334,8 @@ InitializeTimeouts(void)
int i; int i;
/* Initialize, or re-initialize, all local state */ /* Initialize, or re-initialize, all local state */
disable_alarm();
num_active_timeouts = 0; num_active_timeouts = 0;
for (i = 0; i < MAX_TIMEOUTS; i++) for (i = 0; i < MAX_TIMEOUTS; i++)
...@@ -345,6 +366,8 @@ RegisterTimeout(TimeoutId id, timeout_handler_proc handler) ...@@ -345,6 +366,8 @@ RegisterTimeout(TimeoutId id, timeout_handler_proc handler)
{ {
Assert(all_timeouts_initialized); Assert(all_timeouts_initialized);
/* There's no need to disable the signal handler here. */
if (id >= USER_TIMEOUT) if (id >= USER_TIMEOUT)
{ {
/* Allocate a user-defined timeout reason */ /* Allocate a user-defined timeout reason */
...@@ -376,7 +399,7 @@ enable_timeout_after(TimeoutId id, int delay_ms) ...@@ -376,7 +399,7 @@ enable_timeout_after(TimeoutId id, int delay_ms)
TimestampTz fin_time; TimestampTz fin_time;
/* Disable timeout interrupts for safety. */ /* Disable timeout interrupts for safety. */
disable_alarm(false); disable_alarm();
/* Queue the timeout at the appropriate time. */ /* Queue the timeout at the appropriate time. */
now = GetCurrentTimestamp(); now = GetCurrentTimestamp();
...@@ -400,7 +423,7 @@ enable_timeout_at(TimeoutId id, TimestampTz fin_time) ...@@ -400,7 +423,7 @@ enable_timeout_at(TimeoutId id, TimestampTz fin_time)
TimestampTz now; TimestampTz now;
/* Disable timeout interrupts for safety. */ /* Disable timeout interrupts for safety. */
disable_alarm(false); disable_alarm();
/* Queue the timeout at the appropriate time. */ /* Queue the timeout at the appropriate time. */
now = GetCurrentTimestamp(); now = GetCurrentTimestamp();
...@@ -424,7 +447,7 @@ enable_timeouts(const EnableTimeoutParams *timeouts, int count) ...@@ -424,7 +447,7 @@ enable_timeouts(const EnableTimeoutParams *timeouts, int count)
int i; int i;
/* Disable timeout interrupts for safety. */ /* Disable timeout interrupts for safety. */
disable_alarm(count > 1); disable_alarm();
/* Queue the timeout(s) at the appropriate times. */ /* Queue the timeout(s) at the appropriate times. */
now = GetCurrentTimestamp(); now = GetCurrentTimestamp();
...@@ -476,7 +499,7 @@ disable_timeout(TimeoutId id, bool keep_indicator) ...@@ -476,7 +499,7 @@ disable_timeout(TimeoutId id, bool keep_indicator)
Assert(all_timeouts[id].timeout_handler != NULL); Assert(all_timeouts[id].timeout_handler != NULL);
/* Disable timeout interrupts for safety. */ /* Disable timeout interrupts for safety. */
disable_alarm(false); disable_alarm();
/* Find the timeout and remove it from the active list. */ /* Find the timeout and remove it from the active list. */
i = find_active_timeout(id); i = find_active_timeout(id);
...@@ -510,7 +533,7 @@ disable_timeouts(const DisableTimeoutParams *timeouts, int count) ...@@ -510,7 +533,7 @@ disable_timeouts(const DisableTimeoutParams *timeouts, int count)
Assert(all_timeouts_initialized); Assert(all_timeouts_initialized);
/* Disable timeout interrupts for safety. */ /* Disable timeout interrupts for safety. */
disable_alarm(false); disable_alarm();
/* Cancel the timeout(s). */ /* Cancel the timeout(s). */
for (i = 0; i < count; i++) for (i = 0; i < count; i++)
...@@ -540,18 +563,28 @@ disable_timeouts(const DisableTimeoutParams *timeouts, int count) ...@@ -540,18 +563,28 @@ disable_timeouts(const DisableTimeoutParams *timeouts, int count)
void void
disable_all_timeouts(bool keep_indicators) disable_all_timeouts(bool keep_indicators)
{ {
disable_alarm();
/*
* Only bother to reset the timer if we think it's active. We could just
* let the interrupt happen anyway, but it's probably a bit cheaper to do
* setitimer() than to let the useless interrupt happen.
*/
if (num_active_timeouts > 0)
{
struct itimerval timeval; struct itimerval timeval;
int i;
/* Forcibly reset the timer, whether we think it's active or not */
MemSet(&timeval, 0, sizeof(struct itimerval)); MemSet(&timeval, 0, sizeof(struct itimerval));
if (setitimer(ITIMER_REAL, &timeval, NULL) != 0) if (setitimer(ITIMER_REAL, &timeval, NULL) != 0)
elog(FATAL, "could not disable SIGALRM timer: %m"); elog(FATAL, "could not disable SIGALRM timer: %m");
}
num_active_timeouts = 0; num_active_timeouts = 0;
if (!keep_indicators) if (!keep_indicators)
{ {
int i;
for (i = 0; i < MAX_TIMEOUTS; i++) for (i = 0; i < MAX_TIMEOUTS; i++)
all_timeouts[i].indicator = false; all_timeouts[i].indicator = false;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment