This is why we can't have safe cancellation points
This is why we can't have safe cancellation points
Posted Apr 15, 2016 19:40 UTC (Fri) by nix (subscriber, #2304)In reply to: This is why we can't have safe cancellation points by luto
Parent article: This is why we can't have safe cancellation points
Changing longstanding defaults like this constitutes a break of userspace. You need a new -D flag (which, perhaps, sets a new ELF note, or simply triggers the linking in of a new crt1.o which flips the default) to ensure that this only happens to programs that are prepared for it.
Posted Apr 15, 2016 19:49 UTC (Fri)
by luto (guest, #39314)
[Link] (9 responses)
Posted Apr 15, 2016 20:19 UTC (Fri)
by nix (subscriber, #2304)
[Link] (8 responses)
(Now I'd agree that *asynchronous* cancellation is nearly impossible to program to and has an even smaller use case than synchronous cancellation, but even *it* is useful sometimes, particularly as a transient thing; e.g. when a thread that otherwise is synchronously cancellable is doing a long-running computation that it knows does no syscalls and can be safely unwound from the cleanup handler.)
Posted Apr 15, 2016 20:34 UTC (Fri)
by luto (guest, #39314)
[Link] (7 responses)
Posted Apr 17, 2016 23:12 UTC (Sun)
by nix (subscriber, #2304)
[Link] (6 responses)
Given that syscall inlining isn't something you can possibly turn on and off at runtime -- the inlining is, after all, into glibc, so you'd need multiple copies of glibc via hwcaps, which seems total overkill for this and would totally negate any saving via massive icache bloat -- you'd not be able to fix this by changing a *default*. You'd need to basically give up on fixing this race, or give up on fixing it this way, or break cancellation completely for everyone (a total non-starter).
Hmm. Too late at night, but I'll think on this. Either I have a niggling germ of a possible idea for a fix for this at the edge of my brain, or I'm just tired and hallucinating. (Or both!)
Posted Apr 18, 2016 0:21 UTC (Mon)
by luto (guest, #39314)
[Link] (1 responses)
But you could do it by flipping the default if you're willing to accept a branch: just test the cancellable flag and jump out of line if needed. This is no worse than the existing musl thing in which each cancellable syscall needs to test the cancallable flag anyway to see if it needs to cancel even without a signal being sent.
Posted Apr 18, 2016 10:28 UTC (Mon)
by nix (subscriber, #2304)
[Link]
Posted Apr 18, 2016 4:20 UTC (Mon)
by neilbrown (subscriber, #359)
[Link] (3 responses)
No, but you probably have one sequence of op-codes to compare.
Posted Apr 18, 2016 10:27 UTC (Mon)
by nix (subscriber, #2304)
[Link] (2 responses)
If you can get away with scanning for this only when cancellation is actually detected, it seems that the cost would be very low, though the complexity would obviously be higher than a simple address comparison, and it would tie that part of the kernel to these fairly fine and arch-dependent details of glibc's implementation, in a way that would probably not be spotted fast if it broke :(
Posted Apr 18, 2016 11:10 UTC (Mon)
by itvirta (guest, #49997)
[Link] (1 responses)
Stupid question: Does the instruction cache help if you're reading the instruction bytes as data?
Posted Apr 20, 2016 16:56 UTC (Wed)
by nix (subscriber, #2304)
[Link]
This is why we can't have safe cancellation points
This is why we can't have safe cancellation points
This is why we can't have safe cancellation points
This is why we can't have safe cancellation points
This is why we can't have safe cancellation points
This is why we can't have safe cancellation points
This is why we can't have safe cancellation points
The comparisons might be a little more complex than "memcmp" but could you not test "is this EIP value within a thunk" by comparing surrounding bytes against the standard thunk at each of the (very few) possible offsets?
This is why we can't have safe cancellation points
This is why we can't have safe cancellation points
This is why we can't have safe cancellation points