bug#31878: Module autoloading is not thread safe

unofficial mirror of bug-guile@gnu.org 
 help / color / mirror / Atom feed

From: ludo@gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw@netris.org>
Cc: 31878@debbugs.gnu.org
Subject: bug#31878: Module autoloading is not thread safe
Date: Thu, 23 Aug 2018 15:51:44 +0200	[thread overview]
Message-ID: <8736v5qjgv.fsf@gnu.org> (raw)
In-Reply-To: <876002dm18.fsf@netris.org> (Mark H. Weaver's message of "Wed, 22 Aug 2018 19:22:27 -0400")

Hi Mark,

Mark H Weaver <mhw@netris.org> skribis:

> reopen 31878
> thanks
>
> Hi Ludovic,
>
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> ludo@gnu.org (Ludovic Courtès) skribis:
>>
>>> ludo@gnu.org (Ludovic Courtès) skribis:
>>>
>>>> I believe this comes from the fact that ‘autoloads-done’ and related
>>>> alists in (ice-9 boot-9) are manipulated in a non-thread-safe fashion.
>>>
>>> Here’s a proposed fix for ‘stable-2.2’ as discussed on #guile, Andy:
>>
>> After further discussion on IRC, I pushed a variant of this patch as
>> commit 761cf0fb8c364e885e4c6fced34563f8157c3b84.
>
> There are problems with this fix, e.g. <https://bugs.gnu.org/32367>.
>
> More generally, nearly arbitrary code can be run in the top-level
> expressions of a module.  It could launch other threads which try to
> load modules, or even send messages to other existing threads asking
> them to do work.  In some cases, the body of the module might never
> terminate.  The entire main program might be run from there.  I suspect
> that's not unusual.

Indeed, good catch.  :-/

> I can see another problem as well: while the module is in the process of
> loading, the partially-loaded module is globally visible and accessible
> to other threads.  If I'm not mistaken, with this patch, there's nothing
> preventing other threads from attempting to use the partially-loaded
> module.

The module is not reachable until ‘set-module-name!’ has been called on
it, but ‘process-define-module’ does that right away IIRC, i.e., before
the whole body has been evaluated.  So I guess you’re right: other
threads could stumble upon partially-loaded modules.

If the ‘define-module’ scoped encompassed the whole body like the R6
‘library’ form, it would be easy to determine when the whole module
top-level has been loaded.  Right now, I suppose we have to determine
the end-of-module-top-level “from the outside”, i.e., from
‘resolve-module’ or similar, no?

> I thought about how to fix this thread-safety problem a long time ago,
> and came up with a rough outline of a solution.  The idea is that the
> module should not be added to the global module table until the module
> has finished loading.  While the module is being loaded, it would be
> made visible only to the loading thread, and to any other threads
> spawned during the loading process, by adding the module to a local list
> of modules-being-loaded referenced by a fluid variable.  If any other
> threads attempt to access the module, it would not be found in the
> global module table, and thus trigger an auto-load, which would wait for
> the lock to be released before proceeding.
>
> What do you think?

It sounds like a good idea.

Thanks,
Ludo’.

next prev parent reply	other threads:[~2018-08-23 13:51 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-18  9:43 bug#31878: Module autoloading is not thread safe Ludovic Courtès
2018-06-18 11:11 ` Ludovic Courtès
2018-06-18 12:17   ` Ludovic Courtès
2018-08-22 23:22     ` Mark H Weaver
2018-08-23  2:18       ` Mark H Weaver
2018-08-23 13:54         ` Ludovic Courtès
2018-08-23 19:40           ` Mark H Weaver
2018-08-24  8:45             ` Ludovic Courtès
2018-10-21 18:16             ` Mark H Weaver
2018-10-22 10:10               ` Ludovic Courtès
     [not found]     ` <876002dm18.fsf@netris.org>
2018-08-23 13:51       ` Ludovic Courtès [this message]
2022-04-04 11:47 ` Calvin Heim

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/guile/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8736v5qjgv.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=31878@debbugs.gnu.org \
    --cc=mhw@netris.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).