SemaphoreSlim instances should be disposed in a thread-safe manner

[ArtemSerostanov]

The issue

Currently SemaphoreSlim instances are disposed in a non thread-safe manner. which can lead to major issues. I've encountered the following scenario:

1. NpgsqlDataSource.Bootstrap() is called, which in turn invokes _setupMappingsSemaphore.WaitAsync()
2. At the same time this instance of NpgsqlDataSource is disposed, which in turn disposes _setupMappingsSemaphore.
3. The problem is, SemaphoreSlim.Dipose() is not thread-safe. In fact, it is entirely possible to dispose a semaphore in such a way that WaitAsync hangs indefinitely. Right here the code awaits a task that could never start if somebody disposes the semaphore in this exact moment.

The unfortunate reality of this scenario is that it's very difficult to determine when an NpgsqlDataSource instance can be safely disposed from a client code due to the fact that some of its methods are internal and invoked indirectly (for example, Bootstrap can be invoked by calling ReloadTypes on an NpgsqlConnection instance).

The proposal

I ask to implement some sort of thread-safe disposal mechanism for SemaphoreSlim instances. I would consider implementing some sort of mechanism that "marks" semaphore instances for disposal and ensures no one can use it while it's being disposed.

The naïve approach would look something like this:

var semaphore = new SemaphoreSlim(1);
if (semaphore.Wait(0))
{
    semaphore.Dispose();
}

Unfortunately, this code only mitigates the problem and does not solve it entirely. Somebody can call Release + Wait right after we've blocked the semaphore for disposal.

[roji]

As its name implies, _setupMappingsSemaphore is only used during setup/bootstrapping (or ReloadTypes) - these are generally one-time startup things.

However, you're right that if the application performs ReloadTypes after the data source has been set up, that could occur concurrently with another thread disposing the data source; probably not a frequent case, but possible.

It should be pretty trivial to simply add a plain lock around operations which use the SemaphoreSlim.

[vonzshik]

It should be pretty trivial to simply add a plain lock around operations which use the SemaphoreSlim.

Bootstrap is asynchronous (due to loading database info), so probably not that trivial.

[kalduzov]

Hi.

We have a dirty workaround (WA) — remove the _setupMappingsSemaphore.Dispose() call and rely on non-deterministic finalization of the semaphore’s internal references to unmanaged resources.

The current code for Bootstrap is structured such that the solution proposed above by @ArtemSerostanov should fully resolve this issue. We cannot call Dispose until the Release in Bootstrap has completed.

[vonzshik]

The current code for Bootstrap is structured such that the solution proposed above by @ArtemSerostanov should fully resolve this issue. We cannot call Dispose until the Release in Bootstrap has completed.

It's not enough because Bootstrap can still be called concurrently with Dispose, resulting in concurrent Dispose and Wait.

[xeromorph]

@vonzshik Hello, I wonder if we can see a fix anytime soon, perhaps under AppContext switch or otherwise exposed opt-in, if possible compatibility issues are of concern?

[vonzshik]

@xeromorph the pr is waiting for a review from other team members who are busy at the moment. Most likely we'll merge (and then do a release) sometime in september.