NULL pointer dereferencing and use-after-free in systhreads due to delayed init

[gadmm]

This is a follow-up to #11403, which noticed that the domain threads initialization code runs from OCaml code. Thus there is an interval during which arbitrary OCaml code can run before initialization (e.g. GC, async callbacks and at_each_spawn callbacks). This can cause NULL pointer dereferencing and use-after-free inside caml_thread_self and caml_enter_blocking_section. Following the discussion at #11403, it appears that the best solution is:

• Replace the use of Domain.at_each_spawn to call caml_thread_initialize_domain with a C hook caml_domain_at_each_spawn similar to caml_domain_stop_hook (internal, non-atomic).
• Optionally remove the API Domain.at_each_spawn, which is a bad API for other reasons discussed somewhere else.

Targets 5.0.

[gasche]

Replace the use of Domain.at_each_spawn to call caml_thread_initialize_domain with a C hook caml_domain_at_each_spawn similar to caml_domain_stop_hook (internal, non-atomic).

When should the hook run during domain initialization?
(My guess: before the runtime is available, and before registration with the Stop-The-World mechanism. So I guess Caml_state is not available either at this point.)

Optionally remove the API Domain.at_each_spawn, which is a bad API for other reasons discussed somewhere else.

I'm not sure where this discussion happened anymore, would you have a pointer?

[gadmm]

I'm not sure where this discussion happened anymore, would you have a pointer?

Same reasoning as in the "frequently asked (future) questions" regarding a potential caml_domain_start_hook.

[kayceesrk]

Optionally remove the API Domain.at_each_spawn, which is a bad API for other reasons discussed somewhere else.

I am failing at finding the reasoning as the discussion is spread across several issues and PRs with unrelated discussions. Is there a short and self-contained answer to why Domain.at_each_spawn is a bad API?

If Domain.at_each_spawn is to be removed, what is the alternative for its use in Format?

ocaml/stdlib/format.ml

Line 1490 in 972deae

Domain.at_each_spawn (fun _ -> Domain.at_exit flush_standard_formatters))

[gadmm]

Thanks for the Format example. I had forgotten this one and stayed with the memory that it had been introduced solely threads init, which is why this PR mentioned the possibility of removing it.

Copy-pasting and adapting my rationale: you do not use Domain.at_each_spawn for domain-local resource initialization because this does not initialise the DLS on previous domains, and initializes it on domains where the resource is not used. Instead it should be initialized according to first usage.

Here with Format this function is only appropriate because, as we had reasoned, you are sure that you can register it before the first spawn. This pretty strong constraint on usage can easily be guaranteed for the stdlib, but I am not sure (in the litteral, non-British sense) that it is a realistic constraint for users. (My own library-writing experience is that I do not want to have to struggle with library initialization order issues.)

Here you can see flushing as the clean-up of DLS, and the solution proposed with my rationale works: you can register the clean-up of DLS when the DLS is set for the first time on a domain (by calling at_exit flush inside the standard formatter's DLS init functions). Actually it makes good sense and avoids creating the buffers at domain exit if no-one used the standard formatters on a domain, unlike with the current implementation (IIUC). (And sorry to reduce everything to resource-management, but this proves to be the appropriate conceptual tool for many state-related situations!)

Reading the DLS doc made me wonder about the precise semantics, as a side-note here is what I understood from the implementation that I missed from the doc: the initialization function is called to build a default value on-demand on each domain, and thus only when such a value has not been obtained via set or ?split_from_parent prior to the first call to get. This looks like a robust API but it would be nice to have this in the doc.

[kayceesrk]

but I am not sure (in the litteral, non-British sense) that it is a realistic constraint for users. (My own library-writing experience is that I do not want to have to struggle with library initialization order issues.)

I'm still missing the issue. What goes wrong if at_each_spawn is called after the first spawn?

[gadmm]

What goes right? I don't have examples where this is useful API after the first spawn.

[kayceesrk]

What goes right? I don't have examples where this is useful API after the first spawn.

Right. If that is the case, should we consider raising an exception if at_each_spawn is called after the first spawn so that the use of at_each_spawn in Format continues to work? Or do you have some other API in mind?

[gadmm]

How about simply moving the calls to register to flush each std formatter to the init functions of the standard formatter DLS keys (and so avoid creating the buffers on domain exit)?

[kayceesrk]

How about simply moving the calls to flush each std formatter to the init functions of the standard formatter DLS keys (and so avoid creating the buffers on domain exit)?

I understand your original proposal:

you can register the clean-up of DLS when the DLS is set for the first time on a domain (by calling at_exit flush inside the standard formatter's DLS init functions

now. This should avoid the need for at_each_spawn.

[gadmm]

@Octachron I think one should keep an eye on this one for 5.0 (the first item because the risk with async callbacks running on a fresh domain is real, and the second item to a lesser extent because it is about public API, though Domain is indeed marked as subject to change).

[Octachron]

In fact, the idea of removing Domain.at_each_spawn from Format is quite compelling too since it is better to not expose a function with a single use case. I am adding this issue to my 5.0 sweep for next week.