Georgy Moshkin authored 1 year ago and Maksim Kaitmazian committed 1 year ago

NO_DOC=picodata internal patch
NO_CHANGELOG=picodata internal patch
NO_TEST=picodata internal patch

It is a wrapper around pthread cancel and join. It was repeated
many times and was dangerous, because left cord.id set. An
accidental attempt to cord_join/cojoin() such cord would lead to
UB then.

The patch introduces a function which encapsulates the blocking
cancellation. It is going to be used in a next patch to count the
number of cords in the process. Which in turn is needed for a new
test.

The counter is atomic in case some cords would be created not by
the main cord.

There are now also more sanity checks against accidental attempts
to join the same cord twice.

Needed for #7743

NO_DOC=internal
NO_CHANGELOG=internal

This feature was disabled due to a crash in libunwind. After commit
5b08d71a ("libunwind: use latest release v1.6.2 as a base") the
crash is gone.

Closes #7960

NO_DOC=internal
NO_CHANGELOG=internal
NO_TEST=<Leak backtraces are tested by test/unit/fiber.cc; the crash in
libunwind is observable on test/box-luatest/gh_6310_grant_rw_access_on_
_session_settings_space_to_public_role_test.lua>

As it breaks sane usage of region as a data stack:

	size_t region_svp = region_used(&fiber()->gc);
	/* some allocation on fiber gc and usage of allocated memory. */
	region_truncate(&fiber()->gc, region_svp);

If in the above snippet one calls a function that in turn calls
`fiber_gc` then the snippet code may have use-after-free and later UB
on truncation.

For this reason let's get read of fiber_gc. However we need to make sure
we won't introduce leaks this way. So before actually removing
fiber_gc we make it perform leak check instead and only after fixing
all the leaks the fiber_gc was removed.

In order to find the leak easily the backtrace of the first fiber gc
allocation that is not truncated is saved and then reported.

In order to catch leaks that are not triggered by the current test suit
and to prevent introducing leaks in future patches the leak check is
added on fiber exit/recycle and for long living system fibers on every loop
iteration.

Leak check in release build is on but without leak backtrace info by
default for performance reasons. Backtrace can be provided by using
`fiber.leak_backtrace_enable()` knob before starting leaking fiber.

Regularly leaks are only reported in log but it will not help to
catch errors when running test suits so build option ABORT_ON_LEAK
is added. When it is on we abort on leak. This option is turned off
for all builds that used in CI.

Closes #5665

NO_CHANGELOG=internal
NO_DOC=internal

Currently this function is not used inside Tarantool, however it is
available via C module API. Deprecate it, because it is very confusing
and has nothing to do with the fiber cancellation.

Closes #7166

@TarantoolBot document
Title: fiber: get rid of fiber_set_cancellable
Product: Tarantool
Since: 2.11
Audience/target: dev
Root document: https://www.tarantool.io/en/doc/latest/dev_guide/reference_capi/fiber/#c.fiber_set_cancellable
SME: @Gumix

This function is a no-op since 2.11 and should be dropped from the
documentation.

It is separated from fiber_join_timeout(), and will be used
in lbox_fiber_join() too.

Part of #7489
Part of #7531

NO_DOC=internal
NO_CHANGELOG=internal

When fiber has finished its work it ended up in two cases:
1) If no "joinable" attribute set then the fiber is
   simply recycled
2) Otherwise it continue hanging around waiting to be
   joined.

Our API allows to call fiber_wakeup() for dead but joinable
fibers (2) in release builds without any side effects, such
fibers are simply ignored, in turn for debug builds this
causes assertion to trigger. We can't change our API for
backward compatibility sake but same time we must not
preserve different behaviour between release and debug
builds since this brings inconsistency. Thus lets get
rid of assertion call and allow to call fiber_wakeup
in debug build as well.

Fixes #5843

NO_DOC=bug fix

Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>

Currently it's possible to wakeup a fiber, which is waiting for task
completion, using Tarantool C API. This will cause a "wrong fiber woken"
panic. This patch reworks `cord_cojoin` in such a way that it yields
until a completion flag is set.

Part of #7166

NO_DOC=refactoring
NO_CHANGELOG=refactoring

fiber_new_ex() used to ignore fiber_attr flags when the fiber was
taken from the cache, not created anew.

It didn't matter much though for the public API, because the only
public flag in fiber_attr was FIBER_CUSTOM_STACK (which can be
set via fiber_attr_setstacksize()).

Anyway that was a bug for internal API and would lead to issues in
the future when more public flags are added. The patch fixes it.

NO_DOC=Bugfix
NO_CHANGELOG=No reproducer via public API

There was a user who complained about this code crashing:

    f = fiber_new_ex(...);
    fiber_start(f);
    fiber_cancel(f);

The crash was at cancel. It happened because the fiber finished
immediately. It was already recycled after fiber_start() return.

Recycled fiber didn't have any flags, so fiber_cancel() didn't
see the fiber was already dead and tried to wake it up. It crashed
when the fiber tried to call its 'fiber->f' function which was
NULL.

In debug build the process fails earlier with an assertion on
'fiber->fid != 0'.

It can't be really fixed because the problem is the same as with
use-after-free. The fiber could be not recycled but already freed
completely, returned back to the mempool.

This patch tries to help the users by a panic with a message
saying that it wasn't just a crash, it is a bug in user's code.

There is an alternative - make fibers never return to the mempool.
Then fiber_cancel() could ignore recycled fibers. But it would
lead to another problem that if the fiber is already reused, then
fiber_cancel() would hit a totally irrelevant fiber who was
unlucky to reuse that fiber pointer. It seems worse than panic.

Same problem exists for `fiber_wakeup()`, but I couldn't figure
out how to add a panic there and not add an `if` on the normal
execution path (which includes 'ready' and 'running' fibers).

Closes #6837

NO_CHANGELOG=The same crash remains, but happens a bit earlier and
  with a message.

@TarantoolBot document
Title: `fiber_cancel()` C API clarification

The documentation must warn that the fiber passed to
`fiber_cancel()` must not be already dead unless it was set to be
joinable. Same for `fiber_wakeup()` and all the other fiber
functions. A dead non-joinable fiber could already be freed or
reused.

Fibers with custom stack couldn't be reused via cord->dead list,
but neither were ever deleted via mempool_free(). They just leaked
until the cord was destroyed. Their custom stack also leaked.

It happened for all non-joinable custom-stack fibers. That was
because fiber_destroy() simply skipped the destruction if the
fiber is the current one.

It didn't affect joinable fibers because their fiber_destroy() is
done in another fiber. Their stack was deleted, but the fiber
itself still leaked.

The fix makes so fiber_destroy() is never called for the current
fiber. Instead, cord uses an approach like in pthread library -
the fiber who wants to be deleted is saved into cord->garbage
member. When some other fiber will want to be deleted in the
future, it will firstly cleanup the previous one and put self into
its place. And so on - fibers cleanup each other.

The process is optimized for the case when the fiber to delete is
not the current one - can delete it right away then.

NO_DOC=Bugfix

fiber.wakeup() in Lua and fiber_wakeup() in C could lead to a
crash or undefined behaviour when called on the currently running
fiber.

In particular, if after wakeup was started a new fiber in a
blocking way (fiber.create() and fiber_start()) it would crash in
debug build, and lead to unknown results in release.

If after wakeup was made a sleep with non-zero timeout or an
infinite yield (fiber_yield()), the fiber woke up in the same
event loop iteration regardless of any timeout or other wakeups.
It was a spurious wakeup, which is not expected in most of the
places internally.

The patch makes the wakeup nop on the current fiber making it safe
to use anywhere.

Closes #5292
Closes #6043

@TarantoolBot document
Title: fiber.wakeup() in Lua and fiber_wakeup() in C are nop on self
In Lua `fiber.wakeup()` being called on the current fiber does not
do anything, safe to use. The same for `fiber_wakeup()` in C.

When optimization level increased we've found that
memset calls might be optimized, moreover there
were no check if calls themselves would override
the stack.

Lets rework and use number of calls instead. Strictly
speaking the test is still a bit fragile and precise
testing would rather require asm level code.

Repored-by: "Alexander V. Tikhonov" <avtikhon@tarantool.org>
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>

Users keep complaining about too short fiber name. New limit is
255, should be enough for any sane name.

Closes #4394

Reviewed-by: Cyrill Gorcunov <gorcunov@gmail.com>
Reviewed-by: Nikita Pettik <korablev@tarantool.org>

@TarantoolBot document
Title: fiber.name length limit.

It was 32, now it is 255. Besides, it seems like `fiber.name`
`{truncate = true}` option is not documented.

By default, if a new name is too long, `fiber.name(new_name)`
fails with an exception. To make it always succeed there is an
option 'truncate': `fiber.name(new_name, {truncate = true})`. It
truncates the name to the max length if it is too long.

We want to detect a situation where task in fiber is too eager for
stack memory and relax rss usage in such case. For this sake upon
stack creation we put 8 marks near 64K bound (such params allows us
to fill ~1/4 of a page, which seem reasonable but we might change
this params with time).

Once stack get recycled we investigate the marks and if they were
overwritten we drop all pages behind to relax memory usage (if OS
supports madvise syscall).

Another important moment is that we're marking the whole stack
as not present thus if fiber never stepped over 64K limit the
marks will be in tact and it means the fibers are light ones
there won't be much #pf in future.

Later we plan to implement an intelligent fiber scheduling
considering how many memory fibers consume in average.

@locker:
 - fix watermark page alignment for grow-up stack
 - improve MADV_DONTNEED check
 - clean up code and elaborate comments
 - add test case to unit/fiber
 - fix unit/guard test

Follow-up #3418

Throw error, if a new name for a fiber in Lua is too long.

Closes #2622

* Disable code optimization for fiber unit test
* Get rid of abs() usge

Follow up #2438

Fiber attributes are a way to specify parameters that is different
from the default. When a fiber is created using fiber_new_ex(),
an attribute object can be specified to configure custom values for
some options. Attributes are specified only at fiber creation time;
they cannot be altered while the fiber is being used.

Currently only stack_size attribute is supported. Fibers with
non-default stack size won't be recycled via fiber pool.

API overview:

* fiber_new_ex() creates a fiber with custom attributes.
* fiber_attr_new()/fiber_attr_delete() creates/destroys attributes.
* fiber_attr_setstacksize()/fiber_attr_getstacksize() sets/gets
  the fiber stack size.
* fiber_self() returns current running fiber.

All new functions are available from public C API for modules.

See #2438

To be used as an indicator of exception. From now on one should write

  if (fiber_join(...)) // or cord_join(...)
    diag_raise();

instead of

  fiber_join(...);
  diag_raise();

Now we can make diag_raise() assert that diag is not empty.

Closes #1847

Add exception methods to plain C.
Add an error factory to raise exceptions from plain C.

Avoid throwing exceptions from most fiber functions.

Extract Exception::clear(), Exception::move(), fiber()->exception
into struct diag methods. This refactoring makes desired logic
to be more clear.

* implement two new calls:
  box.error.last() - returns last error, if any, as a Lua table
  box.error.clear() - clears the last error

* add an alias for box.error(), box.error.raise()

Add replication status to box.info().
When replication is off, box.info.replication.status is 'off'.
Other allowed statuses are:
    - 'connecting' - trying to connect to the master
    - 'connected' - connected, but nothing read yet,
    - 'running' - successfully received first rows
    - 'failed' - network error
    - 'stopped' - apply conflict, replication needs to be restarted

Move recovery_last_update and recovery_delay to section 'replication'
in box.info(), replace the first with 'lag' variable, indicating
the time difference between the currnet time and row time of the last
row, and 'idle' variable, indicating the difference between the
current time and the time of last event from the master.

Also output the text of the last error when it happens and
stops replication.

Make vclock output in box.info more compact.

Remove 'sophia' section from box.info, it's big, and we need
to solve the problem of status systematically for all engines.

Fix crashes when trying to stop failed replication: fiber_cancel()
of a dead cancellable fiber would try to schedule it and crash.

Add a test case.
Rename fiber.test to fiber_stress.test
Change cxception propagation so that exception is fiber-local,
not thread local.
Added exception propagation to fiber_join().

Remove explicit fiber call stack from the cord.

Fix backtrace() to work correclty with an optimized (-O2) build.

libcore is a thick a thick bundle with almost everything.
Rename it to libserver.

Extract the minimal server core with fibers & exceptions into libcore.

Add a prototype unit test for fibers.