[llvm-bugs] [Bug 43984] New: ThreadSanitizer detects race between std::promise and its std::future

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Nov 12 14:17:14 PST 2019 

https://bugs.llvm.org/show_bug.cgi?id=43984

            Bug ID: 43984
           Summary: ThreadSanitizer detects race between std::promise and
                    its std::future
           Product: libc++
           Version: 9.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: All Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: jacob at bandes-stor.ch
                CC: llvm-bugs at lists.llvm.org, mclow.lists at gmail.com

It's possible that I misunderstand the thread-safety guarantees of std::promise
and std::future, but because the documentation claims they have a "shared
state" which I understand to be thread-safe, I *think* the following code
should be race-free:

  #include <future>
  #include <vector>

  int main() {
      for (size_t i = 0; i < 100000; i++) {
          std::promise<void> p;
          std::future<void> f = p.get_future();

          // The promise is *moved* into the new thread.
          std::thread t = std::thread([p = std::move(p)]() mutable {
              p.set_value();
          });

          // Because of the order of these calls,
          // the promise may be destroyed before/during the future::get().
          f.get();
          t.join();
      }
      return 0;
  }


However, compiled with ThreadSanitizer, a race is detected (see below). Note
that:
- No errors seem to occur at runtime if TSan is not enabled
- If t.join() is called *before* f.get(), no race is detected.
- If the move capture "p = std::move(p)" is changed to just "&p", no race is
detected.
- The loop is not actually necessary to trigger the race, it just makes it
easier.

This is either:
- A misunderstanding on my part of the thread safety guarantees of this API
(cppreference.com doesn't seem to explain much about the "shared state")
- A ThreadSanitizer false positive
- An actual bug in libc++

$ clang++-10 -fsanitize=thread -lpthread -std=c++17 -stdlib=libc++ -O0 -g
testrace.cpp -o testrace
$ ./testrace

==================
WARNING: ThreadSanitizer: data race (pid=4806)
  Write of size 8 at 0x7b2000000018 by thread T14:
    #0 operator delete(void*) <null> (testrace+0x4b541e)
    #1 std::__1::__shared_count::__release_shared() <null>
(libc++.so.1+0x844ac)
    #2 std::__1::__tuple_leaf<1ul, main::$_0, false>::~__tuple_leaf()
/usr/lib/llvm-10/bin/../include/c++/v1/tuple:181:7 (testrace+0x4b8228)
    #3 std::__1::__tuple_impl<std::__1::__tuple_indices<0ul, 1ul>,
std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >,
main::$_0>::~__tuple_impl() /usr/lib/llvm-10/bin/../include/c++/v1/tuple:372:37
(testrace+0x4b81d9)
    #4 std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0>::~tuple()
/usr/lib/llvm-10/bin/../include/c++/v1/tuple:477:28 (testrace+0x4b8188)
    #5
std::__1::default_delete<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0>
>::operator()(std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0>*) const
/usr/lib/llvm-10/bin/../include/c++/v1/memory:2378:5 (testrace+0x4b8106)
    #6
std::__1::unique_ptr<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0>,
std::__1::default_delete<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0> >
>::reset(std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0>*)
/usr/lib/llvm-10/bin/../include/c++/v1/memory:2633:7 (testrace+0x4b8070)
    #7
std::__1::unique_ptr<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0>,
std::__1::default_delete<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0> >
>::~unique_ptr() /usr/lib/llvm-10/bin/../include/c++/v1/memory:2587:19
(testrace+0x4b79dc)
    #8 void*
std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__thread_struct,
std::__1::default_delete<std::__1::__thread_struct> >, main::$_0> >(void*)
/usr/lib/llvm-10/bin/../include/c++/v1/thread:285:1 (testrace+0x4b7887)

  Previous atomic read of size 1 at 0x7b2000000018 by main thread:
    #0 pthread_cond_wait <null> (testrace+0x426748)
    #1
std::__1::condition_variable::wait(std::__1::unique_lock<std::__1::mutex>&)
<null> (libc++.so.1+0x422de)
    #2 __libc_start_main <null> (libc.so.6+0x271e2)

  Thread T14 (tid=13457, running) created by main thread at:
    #0 pthread_create <null> (testrace+0x425adb)
    #1 std::__1::__libcpp_thread_create(unsigned long*, void* (*)(void*),
void*) /usr/lib/llvm-10/bin/../include/c++/v1/__threading_support:336:10
(testrace+0x4b9a7c)
    #2 std::__1::thread::thread<main::$_0, void>(main::$_0&&)
/usr/lib/llvm-10/bin/../include/c++/v1/thread:299:16 (testrace+0x4b7504)
    #3 main /testrace/testrace.cpp:11:25 (testrace+0x4b72d4)

SUMMARY: ThreadSanitizer: data race (/testrace/testrace+0x4b541e) in operator
delete(void*)
==================

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20191112/12be9993/attachment-0001.html>

More information about the llvm-bugs mailing list