# HG changeset patch
# User Taylor R Campbell <riastradh@NetBSD.org>
# Date 1741198759 0
#      Wed Mar 05 18:19:19 2025 +0000
# Branch trunk
# Node ID db0cae397ecdf2795f54954e2009a3d06fdb95ef
# Parent  cd6b61c1b621c4bb80fbe22e714ba188467be421
# EXP-Topic riastradh-pr59125-oncefork
WIP: pthread_once(3): Try to avoid fork races with futexes.

Turns out, this doesn't work!  It is still possible for a fork
concurrent with pthread_once to cause the child to see the
initialization action run twice.

PR lib/59125: pthread_once(3) races with concurrent fork

diff -r cd6b61c1b621 -r db0cae397ecd lib/libc/gen/pthread_atfork.c
--- a/lib/libc/gen/pthread_atfork.c	Wed Mar 05 15:29:16 2025 +0000
+++ b/lib/libc/gen/pthread_atfork.c	Wed Mar 05 18:19:19 2025 +0000
@@ -175,6 +175,8 @@ out:	mutex_unlock(&atfork_lock);
 	return error;
 }
 
+uint64_t __libc_forkgen;
+
 pid_t
 fork(void)
 {
@@ -199,6 +201,7 @@ fork(void)
 		mutex_unlock(&atfork_lock);
 	} else {
 		/* We are the child */
+		__libc_forkgen++;
 		_malloc_postfork_child();
 		SIMPLEQ_FOREACH(iter, &childq, next)
 			(*iter->fn)();
diff -r cd6b61c1b621 -r db0cae397ecd lib/libc/include/forkgen.h
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libc/include/forkgen.h	Wed Mar 05 18:19:19 2025 +0000
@@ -0,0 +1,36 @@
+/*	$NetBSD$	*/
+
+/*-
+ * Copyright (c) 2025 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef	_LIB_LIBC_FORKGEN_H_
+#define	_LIB_LIBC_FORKGEN_H_
+
+#include <stdint.h>
+
+extern uint64_t __libc_forkgen;
+
+#endif	/* _LIB_LIBC_FORKGEN_H_ */
diff -r cd6b61c1b621 -r db0cae397ecd lib/libpthread/pthread_once.c
--- a/lib/libpthread/pthread_once.c	Wed Mar 05 15:29:16 2025 +0000
+++ b/lib/libpthread/pthread_once.c	Wed Mar 05 18:19:19 2025 +0000
@@ -1,12 +1,9 @@
-/*	$NetBSD: pthread_once.c,v 1.5 2025/03/04 00:41:00 riastradh Exp $	*/
+/*	$NetBSD$	*/
 
 /*-
- * Copyright (c) 2001, 2003 The NetBSD Foundation, Inc.
+ * Copyright (c) 2025 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Nathan J. Williams, and by Jason R. Thorpe.
- *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -15,13 +12,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *        This product includes software developed by the NetBSD
- *        Foundation, Inc. and its contributors.
- * 4. Neither the name of The NetBSD Foundation nor the names of its
- *    contributors may be used to endorse or promote products derived
- *    from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
@@ -37,41 +27,226 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: pthread_once.c,v 1.5 2025/03/04 00:41:00 riastradh Exp $");
+__RCSID("$NetBSD");
 
 /* Need to use libc-private names for atomic operations. */
 #include "../../common/lib/libc/atomic/atomic_op_namespace.h"
 
+#include <sys/futex.h>
+#include <sys/syscall.h>
+
+#include <limits.h>
+#include <stdatomic.h>
+#include <unistd.h>
+
+#include "../../lib/libc/include/forkgen.h"
+
 #include "pthread.h"
 #include "pthread_int.h"
 #include "reentrant.h"
 
-static void
-once_cleanup(void *closure)
+/*****************************************************************************/
+/*
+ * BEGIN MOVE ME ELSEWEHRE
+ */
+
+#define	atomic_store_relaxed(p, v)					      \
+	atomic_store_explicit(p, v, memory_order_relaxed)
+
+#define	atomic_store_release(p, v)					      \
+	atomic_store_explicit(p, v, memory_order_release)
+
+#define	atomic_load_relaxed(p)						      \
+	atomic_load_explicit(p, memory_order_relaxed)
+
+#define	atomic_load_acquire(p)						      \
+	atomic_load_explicit(p, memory_order_acquire)
+
+static int
+atomic_cas_int(volatile int *p, int o, int n)
+{
+
+	(void)atomic_compare_exchange_strong_explicit(p, &o, n,
+	    memory_order_relaxed, memory_order_relaxed);
+	return o;
+}
+
+static int
+futex(volatile int *uaddr, int op, int val, const struct timespec *timeout,
+    volatile int *uaddr2, int val2, int val3)
+{
+	return syscall(SYS___futex, uaddr, op, val, timeout, uaddr2,
+	    val2, val3);
+}
+
+static int
+futex_wait(volatile int *uaddr, int cmpval, const struct timespec *timeout)
+{
+
+	return futex(uaddr, FUTEX_WAIT, /*val*/cmpval, timeout, /*uaddr2*/NULL,
+	    /*val2*/0, /*val3*/0);
+}
+
+static int
+futex_wake(volatile int *uaddr, int nwake)
 {
 
-       pthread_mutex_unlock((pthread_mutex_t *)closure);
+	return futex(uaddr, FUTEX_WAKE, /*val*/nwake, /*timeout*/NULL,
+	    /*uaddr2*/NULL, /*val2*/0, /*val3*/0);
+}
+
+static int
+futex_wake_all(volatile int *uaddr)
+{
+
+	return futex_wake(uaddr, INT_MAX);
+}
+
+/*
+ * END MOVE ME ELSEWEHRE
+ */
+/*****************************************************************************/
+
+#define	ONCE_LOCKED	((int)__BIT(31))
+#define	ONCE_WAITING	((int)__BIT(30))
+#define	ONCE_FORKGEN	((int)__BITS(29,0))
+#define	ONCE_INIT	0
+#define	ONCE_DONE	1
+
+static int
+once_forkgen(void)
+{
+
+	/*
+	 * This algorithm is limited to 2^30 - 1 nested forks before it
+	 * may deadlock in the event of a race.
+	 */
+	return __libc_forkgen & ONCE_FORKGEN;
+}
+
+static void
+once_cleanup(void *cookie)
+{
+	pthread_once_t *once = cookie;
+
+	/*
+	 * Clear the state and wake other callers so someone else can
+	 * try in ourstead.
+	 *
+	 * If concurrent fork happens before the store, the child will
+	 * see a stale fork generation and restore it to the initial
+	 * state.  If concurrent fork happens after the store, the
+	 * child will see the initial state.  Either way, the wakeups
+	 * don't matter for the child -- the thread calling fork won't
+	 * be woken up, and any other threads won't be in the child, so
+	 * it's all moot.
+	 *
+	 * Don't worry about micro-optimizing this with the
+	 * ONCE_WAITING bit -- cancellation is an unlikely scenario
+	 * that's not worth optimizing; let's keep it simple and
+	 * reliable.
+	 */
+	pthread__assert((atomic_load_relaxed(&once->pto_done) &
+		~ONCE_WAITING) == (ONCE_LOCKED|once_forkgen()));
+	atomic_store_relaxed(&once->pto_done, ONCE_INIT);
+	(void)futex_wake_all(&once->pto_done);
 }
 
 int
-pthread_once(pthread_once_t *once_control, void (*routine)(void))
+pthread_once(pthread_once_t *once, void (*init)(void))
 {
+	const int forkgen = once_forkgen();
+	int done, cancelstate;
+
 	if (__predict_false(__uselibcstub))
-		return __libc_thr_once_stub(once_control, routine);
+		return __libc_thr_once_stub(once, init);
+
+	/*
+	 * Optimistically check whether it's already done, with a
+	 * load-acquire to synchronize with the store-release in
+	 * whatever thread did the initialization.
+	 */
+	if (__predict_true(atomic_load_acquire(&once->pto_done) ==
+		ONCE_DONE))
+		return 0;
 
-	if (once_control->pto_done == 0) {
-		pthread_mutex_lock(&once_control->pto_mutex);
-		pthread_cleanup_push(&once_cleanup, &once_control->pto_mutex);
-		if (once_control->pto_done == 0) {
-			routine();
-			membar_release();
-			once_control->pto_done = 1;
-		}
-		pthread_cleanup_pop(1);
-	} else {
+	/*
+	 * Defer cancellation while we synchronize in case the caller
+	 * is configured as PTHREAD_CANCEL_ASYNCHRONOUS.
+	 */
+	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cancelstate);
+top:
+	/*
+	 * Try to claim it, marked with the current fork generation.
+	 * If it was done in the interim (unlikely, only if we lose a
+	 * race to another thread), great -- issue an acquire barrier
+	 * to synchronize with the other thread's initialization,
+	 * restore the cancellation state, and we're done.
+	 */
+	done = atomic_cas_int(&once->pto_done, ONCE_INIT,
+	    ONCE_LOCKED|forkgen);
+	if (__predict_false(done == ONCE_DONE)) {
 		membar_acquire();
+		goto out;
 	}
 
+	/*
+	 * If is held by a another thread in this process, that thread
+	 * is presumably still running -- even if it has been
+	 * cancelled, the once_cleanup routine will handle it.  Wait
+	 * for that thread to release it.
+	 *
+	 * If it was held by another thread in an ancestor of this
+	 * process, from a different fork generation, try to clear it
+	 * and start over.  We have to use atomic_cas_* to clear it
+	 * because another thread might be doing the same thing -- it
+	 * doesn't matter which of us wins, but the transition to clear
+	 * must happen only once (otherwise another thread might have
+	 * finished initialization first, at which point we must not
+	 * clear it).
+	 */
+	if (__predict_false(done != ONCE_INIT)) {
+		if ((done & ~ONCE_WAITING) == (ONCE_LOCKED|forkgen)) {
+			(void)futex_wait(&once->pto_done, done, NULL);
+		} else {
+			(void)atomic_cas_int(&once->pto_done, done,
+			    ONCE_INIT);
+		}
+		goto top;
+	}
+
+	/*
+	 * Acquired at the current fork generation.  Arrange to back
+	 * out if cancelled, and then run the init routine with the
+	 * cancellation state restored to the caller's.
+	 */
+	pthread_cleanup_push(&once_cleanup, once);
+	pthread_setcancelstate(cancelstate, NULL);
+	(*init)();
+	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &cancelstate);
+	pthread_cleanup_pop(/*execute*/0);
+
+	/*
+	 * Mark it done with a store-release, to synchronize with other
+	 * users' load-acquire.  If there were other waiters, notify
+	 * other callers that we are done -- but avoid a futex syscall
+	 * if not.
+	 */
+	membar_release();
+	done = atomic_cas_int(&once->pto_done, ONCE_LOCKED|forkgen,
+	    ONCE_DONE);
+	if (__predict_false(done != (ONCE_LOCKED|forkgen))) {
+		pthread__assert(done == (ONCE_LOCKED|ONCE_WAITING|forkgen));
+		atomic_store_relaxed(&once->pto_done, ONCE_DONE);
+		(void)futex_wake_all(&once->pto_done);
+	}
+out:
+	/*
+	 * Restore the cancellation state now that we are done
+	 * synchronizing and no longer need to clean up after
+	 * ourselves.
+	 */
+	pthread_setcancelstate(cancelstate, NULL);
 	return 0;
 }