libpq thread safety
libpq needs additional changes for complete thread safety:
- openssl needs different initialization.
- kerberos is not thread safe.
- functions such as gethostbyname are not thread safe, and could be used
by kerberos. Right now protected with a libpq specific mutex.
- dito for getpwuid and stderror.
openssl is trivial: just proper flags are needed for the init function.
But what about kerberos: I'm a bit reluctant to add a forth mutex: what
if kerberos calls gethostbyname or getpwuid internally?
Usually I would use one single_thread mutex and use that mutex for all
operations - races are just too difficult to debug. Any better ideas?
Otherwise I'd start searching for the non-threadsafe functions and add
pthread_lock around them.
Actually I'm not even sure if it should be a libpq specific mutex: what
if the calling app needs to access openssl or kerberos as well? Perhaps
libpq should use a system similar to openssl:
http://www.openssl.org/docs/crypto/threads.html
--
Manfred
Manfred Spraul <manfred@colorfullife.com> writes:
But what about kerberos: I'm a bit reluctant to add a forth mutex: what
if kerberos calls gethostbyname or getpwuid internally?
Wouldn't help anyway, if some other part of the app also calls kerberos.
I think we should just state that kerberos isn't thread safe and it
isn't our problem.
For the same reason, the mutex in (eg) pqGethostbyname is an utter waste
of code space. It guarantees nothing. Furthermore, any machine that
claims to have a thread-safe libc will have either gethostbyname_r()
or a thread-safe implementation of gethostbyname(). There is no value
in our second-guessing this.
regards, tom lane
Tom Lane wrote:
Manfred Spraul <manfred@colorfullife.com> writes:
But what about kerberos: I'm a bit reluctant to add a forth mutex: what
if kerberos calls gethostbyname or getpwuid internally?Wouldn't help anyway, if some other part of the app also calls kerberos.
That's why I've proposed to use the system from openssl: The libpq user
must implement a lock callback, and libpq calls it around the critical
sections.
Attached is an untested prototype patch. What do you think?
--
Manfred
Attachments:
patch-proposaltext/plain; name=patch-proposalDownload+104-89
Manfred Spraul <manfred@colorfullife.com> writes:
Tom Lane wrote:
Wouldn't help anyway, if some other part of the app also calls kerberos.
That's why I've proposed to use the system from openssl: The libpq user
must implement a lock callback, and libpq calls it around the critical
sections.
... and if the rest of the app doesn't all adopt the same rule, you're
still screwed. Not a big step forward.
I'd also expect that anytime someone gets their callback wrong, we will
get the bug report. I don't think that a system in which people "must"
implement their own locking primitives is desirable.
Attached is an untested prototype patch. What do you think?
Personally I find diff -u format completely unreadable :-(. Send
"diff -c" if you want useful commentary.
regards, tom lane
Tom Lane wrote:
Personally I find diff -u format completely unreadable :-(. Send
"diff -c" if you want useful commentary.
diff -c is attached. I've removed the signal changes, they are
unrelated. I'll resent them separately.--
Manfred
Attachments:
patch-p2text/plain; name=patch-p2Download+74-15
Manfred Spraul <manfred@colorfullife.com> writes:
+ * Used to set callback that prevents concurrent access to + * non-thread safe functions that libpq needs. + * The default implementation uses a libpq internal mutex. + * Only required for multithreaded apps on platforms that + * do not support the thread-safe equivalents and that want + * to use the functions, too. + * List of functions: + * - stderror, getpwuid, gethostbyname.
Wait a minute. I am *not* buying into any proposal that we need to
support ENABLE_THREAD_SAFETY on machines where libc is not thread-safe.
We have other things to do than adopt an open-ended commitment to work
around threading bugs on obsolete platforms. I don't believe that any
sane application programmer is going to try to implement a
multi-threaded app on such a platform anyway.
As I said before, I think we should rip out the useless mutex code that
is already there, not introduce a "better" solution to a non-problem.
regards, tom lane
Tom Lane wrote:
Wait a minute. I am *not* buying into any proposal that we need to
support ENABLE_THREAD_SAFETY on machines where libc is not thread-safe.
We have other things to do than adopt an open-ended commitment to work
around threading bugs on obsolete platforms. I don't believe that any
sane application programmer is going to try to implement a
multi-threaded app on such a platform anyway.
I'd agree - convince Bruce and I'll replace the mutexes in thread.c with
#error. But I think libpq should support a mutex around kerberos (or at
least fail at runtime) - right now it's too easy to corrupt the kerberos
authentication state.
--
Manfred
Manfred Spraul <manfred@colorfullife.com> writes:
I'd agree - convince Bruce and I'll replace the mutexes in thread.c with
#error.
Most of what I said before was aimed at Bruce ;-)
But I think libpq should support a mutex around kerberos (or at
least fail at runtime) - right now it's too easy to corrupt the kerberos
authentication state.
As to the first - if an app wants to support multithreaded use of
kerberos, it will have to put a mutex around uses of kerberos. But then
it can simply extend that same mutex to uses of PQconnect. This isn't
noticeably harder from the app's point of view than what you suggest, so
I don't see the value of cluttering our API for it.
As to the second - if there were a way to detect that the app was
actually using multiple threads, I'd agree with failing at runtime
in that case. But otherwise this amounts to decreeing that you can't
compile with both --enable-thread-safety and --enable-kerberos, which
seems a tad too anal-retentive for my tastes. It seems unlikely that
there'd actually be any problem with re-entrant use of kerberos, at
least compared to common libc routines like strerror.
regards, tom lane
Manfred Spraul wrote:
Tom Lane wrote:
Wait a minute. I am *not* buying into any proposal that we need to
support ENABLE_THREAD_SAFETY on machines where libc is not thread-safe.
We have other things to do than adopt an open-ended commitment to work
around threading bugs on obsolete platforms. I don't believe that any
sane application programmer is going to try to implement a
multi-threaded app on such a platform anyway.I'd agree - convince Bruce and I'll replace the mutexes in thread.c with
#error. But I think libpq should support a mutex around kerberos (or at
least fail at runtime) - right now it's too easy to corrupt the kerberos
authentication state.
Let me tell you where I think we are with this thread stuff, when we can
discuss where to go from here.
I think we are doing well with 7.4.X on threads. All platforms that
have asked for threads have it working with minimal fuss, and I have
gotten help on various OS/compiler combinations. We don't have any
outstanding thread issues except the unreliable ignoring if send
SIGPIPE, but that only happens on a backend crash, which hopefully
doesn't happen too often, and we have that fixed in CVS.
Now, were do we need to go? Right now we have a very course
NEED_REENTRANT_FUNCS variable that says either all libc functions we
call are thread-safe, or they are not. (See src/tools/thread for the
test program.) However, we really have two types of function tested.
The first, strerror, can be thread safe by using thread-local storage
_or_ by returning pointers to static strings. The other two function
tests require thread-local storage to be thread-safe.
One idea I have is to add the thread test compile/link/run test into
configure, to be run when you ask for threads. That way, we eliminate
per-platform test reports (with the possibility that different OS
versions have different thread safety characteristics), and we can throw
an error if we don't find the function threadsafe or don't find the *_r
version.
Another idea is to change the test program to set three variables, one
for each function tested, and throw an #error in the code if the
function isn't thread-safe and if there is no *_r. I think in those
cases we can remove the thread.c code that handles non-thread-safe libc
with no *_r function.
Basically, I was too coarse-grained with NEED_REENTRANT_FUNCS to throw
an error if there isn't a thread-safe function because we might have
platforms that have a thread-safe strerror, but not strerror_r, and *_r
versions of the other functions. In that case, we would have
NEED_REENTRANT_FUNCS=yes, and without strerror_r, we would fail, even
though strerror itself might be thread-safe.
I will start working on spliting NEED_REENTRANT_FUNCS up into three
variables and we can add a configure test later if folks think that is a
good idea.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Bruce Momjian wrote:
However, we really have two types of function tested.
The first, strerror, can be thread safe by using thread-local storage
_or_ by returning pointers to static strings. The other two function
tests require thread-local storage to be thread-safe.
You are completely ignoring that libpq is a library: what if the app
itself wants to call gethostbyname or stderror, too?
Right now libpq has it's own private mutex. This doesn't work - the
locking must be process-wide. The current implementation could be the
default, and apps that want to use gethostbyname [or kerberos
authentication, etc.] outside libpq must fill in appropriate callbacks.
--
Manfred
Manfred Spraul wrote:
Bruce Momjian wrote:
However, we really have two types of function tested.
The first, strerror, can be thread safe by using thread-local storage
_or_ by returning pointers to static strings. The other two function
tests require thread-local storage to be thread-safe.You are completely ignoring that libpq is a library: what if the app
itself wants to call gethostbyname or stderror, too?
Right now libpq has it's own private mutex. This doesn't work - the
locking must be process-wide. The current implementation could be the
default, and apps that want to use gethostbyname [or kerberos
authentication, etc.] outside libpq must fill in appropriate callbacks.
I never thought that far. I have applied a patch to remove the thread
locking and throw an error in case a thread-safe function can not be
found.
I also changed the thread-safe variable to have a separate variable for
each function so that *_r functions can be better selected.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Tom Lane wrote:
Manfred Spraul <manfred@colorfullife.com> writes:
But what about kerberos: I'm a bit reluctant to add a forth mutex: what
if kerberos calls gethostbyname or getpwuid internally?Wouldn't help anyway, if some other part of the app also calls kerberos.
I think we should just state that kerberos isn't thread safe and it
isn't our problem.For the same reason, the mutex in (eg) pqGethostbyname is an utter waste
of code space. It guarantees nothing. Furthermore, any machine that
claims to have a thread-safe libc will have either gethostbyname_r()
or a thread-safe implementation of gethostbyname(). There is no value
in our second-guessing this.
I have implemented this in CVS.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Manfred Spraul wrote:
libpq needs additional changes for complete thread safety:
- openssl needs different initialization.
- kerberos is not thread safe.
- functions such as gethostbyname are not thread safe, and could be used
by kerberos. Right now protected with a libpq specific mutex.
- dito for getpwuid and stderror.openssl is trivial: just proper flags are needed for the init function.
But what about kerberos: I'm a bit reluctant to add a forth mutex: what
if kerberos calls gethostbyname or getpwuid internally?
Usually I would use one single_thread mutex and use that mutex for all
operations - races are just too difficult to debug. Any better ideas?
Otherwise I'd start searching for the non-threadsafe functions and add
pthread_lock around them.
Actually I'm not even sure if it should be a libpq specific mutex: what
if the calling app needs to access openssl or kerberos as well? Perhaps
libpq should use a system similar to openssl:
What else needs to be done/documented?
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073