core fastMalloc(), fastFree() memory allocators not thread-safe on startup

[diablodale]

The core memory allocation routines fastMalloc() and fastFree() are not thread-safe on startup due to a bug in a dependent function isAlignedAllocationEnabled() called by both.

I have a PR to fix this. Earlier attempts to fix memory allocator startup behavior like issue #15691 and its PR are not themselves thread-safe. I request the team review my analysis below. When we agree the code is errant and undesired behavior, I will submit my fix PR. 👍

I found this issue when I implemented native aligned memory on Windows. The fix for this issue is distinct from the native Windows aligned memory feature update. However, there is benefit both in reliability and speed to deploy this fix before native Windows aligned memory.

This is a fail of the "static initialization order problem" https://isocpp.org/wiki/faq/ctors#static-init-order and can be fixed with the "use construct on first use idiom" https://isocpp.org/wiki/faq/ctors#static-init-order-on-first-use

System information (version)

• OpenCV => 4.5.0 or newer like master e726ff3
• Operating System / Platform => Windows 10 64-Bit
• Compiler => Visual Studio Community 2019 v16.8.2

Steps to reproduce

It is more reliable to reproduce through code review. This is due to thread race conditions and that the errant code has few bad side-affects on Linux. On Windows it will crash (but you would need my native aligned memory update to expose this issue).

Below I provide two scenarios and walk readers through them. Important things to remember...

• C++ compilation units (.cpp files) are initialized at runtime in an undetermined order. There is no promise by the C++ runtime for order.
• The thread names I give below do not imply any order. Thread A does not necessarily start before Thread B.
• These threads are running in a multi-threaded OS on a CPU that has multiple cores which allows for simultaneous thread activity. This is normal for all modern OS and CPUs.
• The rows do imply sequences. Top to bottom is the passage of time. Activities on the same row are happening at exactly the same time. This is possible because of multiple CPU cores on a multi-threaded OS.
• The errant code is in the file modules\core\src\alloc.cpp. Refer to that file to follow the scenarios below.
• For these scenarios, I declare that the runtime did not chose alloc.cpp compilation unit to initialize first. This means that static const bool g_force_initialization_memalign_flag = isAlignedAllocationEnabled(); does not run in these scenarios.

Scenario 1

Time	thread A	thread B
1		fastMalloc()
2		isAlignedAllocationEnabled()
3	fastMalloc()	static bool initialized = false
4	isAlignedAllocationEnabled()	static bool useMemalign = true
5	if (!initialized)	if (!initialized)
6	initialized = true	initialized = true
7	useMemalign = readMemoryAlignmentParameter();	useMemalign = readMemoryAlignmentParameter();
8	…	…

You can see that there are two threads that are both in the initialization block of code. This is itself undesired. Next, both threads are calling readMemoryAlignmentParameter() and its many dependent functions. It is technically possible for readMemoryAlignmentParameter() and its dependencies to return different results. And therefore, it is possible useMemalign has different values in memory. Even the timing of the write to the memory location of useMemalign could lead to one thread overwriting the other thread's value.

This is a coding error that probably has few bad side-affects. readMemoryAlignmentParameter() probably has no problems being called at the same time with the same parameters, and probably returns the same value. It is unlikely the environment variable it is reading is changed by a third thread while threads A and B are reading it. So in this scenario there is duplicate work but likely no critically bad side-affects.

Scenario 2

time	thread C	thread D
1		fastMalloc()
2		isAlignedAllocationEnabled()
3		static bool initialized = false
4		static bool useMemalign = true
5	fastMalloc()	if (!initialized)
6	isAlignedAllocationEnabled()	initialized = true
7	if (!initialized)	thread delayed
8	return useMemalign true	thread delayed
9	… memory is allocated using the aligned codepath	thread delayed
10	…	useMemalign = readMemoryAlignmentParameter() false due to conditions or envvar
11	…	return useMemalign false
12	…	… memory is allocated using the un-aligned codepath
13	fastFree()	fastFree()
14	if (isAlignedAllocationEnabled()) this is false	if (isAlignedAllocationEnabled()) this is false
15	… 💥unalignedfree(aligned memory pointer)	… unalignedfree(un-aligned memory pointer)

This scenario has bad side-affects and potentially program crashes. The current codebase often hides this errant code because free() is used both for native-aligned and native-unaligned memory. Also, the timing (like scenario 1) may be such that the fallback aligning index[-1] approach isn't allocating/free incompatible blocks of memory while initialization is occuring. But this more likely to fail on Windows because Windows has distinct functions free() and _aligned_free().

Follow this...

• time 8: thread C gets true from isAlignedAllocationEnabled() because thread D set useMemalign=true and has not yet completed the initialization block that will eventually set it to false
• time 9: thread C gets memory allocated using the aligned codepath
• time 11: thread D gets false from isAlignedAllocationEnabled()
• time 12: thread D gets memory allocated using un-aligned codepath
• time 14: both threads get false from isAlignedAllocationEnabled()
• time 15: both threads use the un-aligned memory deallocator

The fault occurs at time 15.
Thread C uses the un-aligned memory deallocator on aligned memory. ☹
Thread D uses the un-aligned memory deallocator on un-aligned memory.

Fix

The fix is to use the classic "Construct On First Use Idiom" as documented by our ISO friends at https://isocpp.org/wiki/faq/ctors#static-init-order-on-first-use. The specific approach in my PR might also be unmeasurably faster as it has fewer if() tests and fewer variables.

Issue submission checklist

• I report the issue, it's not a question
• I checked the problem with documentation, FAQ, open issues,
  answers.opencv.org, Stack Overflow, etc and have not found solution
• I updated to latest OpenCV version and the issue is still there
• There is reproducer code and related data files: videos, images, onnx, etc

[alalek]

Thoughts:

1. There is no issue with single-threaded environment.
2. static const bool g_force_initialization_memalign_flag is called before the main() entry in a single-threaded environment.
   isAlignedAllocationEnabled() is called and its "static" variables are initialized.
3. Main assumption: there are no created threads before the "main()" call.
   A lot of stuff may be still uninitialized.

---

BTW, On Windows DllMain is supposed to deadlock if you try to create threads during the PROCESS_ATTACH event: https://stackoverflow.com/questions/32252143/stdthread-cause-deadlock-in-dllmain

[diablodale]

I don't see that you disagree with my analysis to identify the errant code. I do see that you focus on single-threaded applications. My perspective is that OpenCV needs to support multi-threaded in all forms. Today's applications and libraries are multi-threaded. Today's CPUs are wide with multiple cores...each core itself isn't much faster. Therefore, everyone is moving wider and multi-threaded.

Often this move to multiple threads is automatically with no direct involvement of the developer (like OpenCVs automatic multithreaded operations, Kinect SDK, Eigen, Mango jpeg decoder, etc.). Therefore, I believe it very important that critical core functionality (like memory allocation) support single and multithreaded scenarios...and work/reliable across all platforms. Linux should be as reliable as Windows as MacOsx as Android as all.

main() is not relevant to the errant code or these scenarios. This is because static variables (both global and local) are initialized and allocated before main() runs. This is very easy to cause...like putting a static cv::Mat(...) inside a function or static cv::Mat = [](){cv::Mat(...); /* write some values; */ return Mat}. That memory (or some other OpenCV object which needs memory from fastMalloc()) will be allocated before main() runs. So says the C++ specification -- OpenCV can not avoid this. OpenCV can not require that it not be used until main() runs.

Dllmain is interesting for its reentrant limitations, but not relevant here. Because apps and OpenCV can be all static. OpenCV can be a static library. And developers can create EXEs (not DLLs). In this static EXE scenario, there is no Dllmain() because there is no DLL. Which means threads can be created during initialization and before main(). And I don't believe Linux, Mac, or Android has Dllmain.

The errant code leads to symptoms, bugs, or crashes in other components and happens at an unknown time in the future. It also affect the perception of reliability for both the OpenCV library and all the apps that use it. Imagine an app is written that allocates many blocks on startup using static variables. And this memory is kept/used for minutes or hours as the applications runs and then that one block that was wrongly-allocated on startup is deallocated out of the pool. 💥Crash. Now the app dev is trying to find why their app randomly crashes and opens an issue here. I see many issues in this repo of crashes that are closed-not-enough-info. I'm not suggesting this errant code is the cause of all those. Instead, thread-unsafe code like this is a contributor into them and overall perceptions. I think it is wonderful the reporting developer of issue #15691 created a small repo case. And we all are lucky 🍀 they were able to isolate.

I will acknowledge that I could not find clarity with the C++ standard as it relates to runtime thread(s) used during startup. The runtime's thread(s) not user threads. I can't definitely say that the C++11 standard requires that only one thread is used to initialize all compilation units and that it will never now (or in C++14, 17, 20, or the future) use multiple threads to initialize multiple compilation units in parallel. Personally, I say fix it now so that it supports both single+multi-threaded and the OpenCV project doesn't have to worry about how individual vendors implement their runtime or the C++ standard changes.

The approach in my PR will work in C++11. The fix is for the 4.x branch, small, and easy to understand.

A fix for the old 3.x branch (C++98) is different as the C++ standard/runtime is significantly different with respect to initialization. I have not written this code but I know what needs to happen. As is written https://opencv.org/opencv-4-0/ the old 3.x branch is in maintenance. It is unclear to me the criticality bar to fix bugs in 3.x. If the team wants to also fix it in 3.x, please request that of me and I'll start working on it. This will take many days because I don't have any dev/test harness that is so old. I'll need to setup some old linux docker containers to do the work.

Thanks for the conversation on this. I appreciate the technical review of my analysis and the rigor. 👍
Would you like me to submit the PR for the 4.x branch so you can see the code?

[alalek]

I do see that you focus on single-threaded applications.

Not exactly.
I mean that application should stay single-threaded until the main() function entry.

After that all libraries are properly initialized (including g_force_initialization_memalign_flag) and application is free to create threads in the main() function body.

BTW, "dlopen()" / "LoadLibrary" guarantee single-threaded library usage during loading/initialization (however it is not a common case to load .so/.dll dynamically)

Would you like me to submit the PR for the 4.x branch so you can see the code?

Sure 👍

[alalek]

Allowing threads before the main() entry looks like opening Pandora's box.
Patch fixes a single place, but there are other code left in OpenCV or in other external dependencies. No issues are expected with external shared libraries (they are initialized before any OpenCV code runs).
But problem may appear with libraries which are statically linked (especially if they don't use C++11).

Refs:

• https://stackoverflow.com/questions/21771066/is-the-main-thread-allowed-to-spawn-a-posix-thread-before-it-enters-main
• https://stackoverflow.com/questions/29775826/does-the-c-standard-require-that-dynamic-initialization-of-static-variables-be
• https://stackoverflow.com/questions/18542804/global-static-initialization-threading

BTW, please note that initialization is a only a half of the problem.
There is also a shutdown phase, which has many questions too.
Recent fixes about that:

• logger "incomplete" initialization: core(logger): complete initialization of logger structures #17617 (shutdown phase doesn't allow dynamic initialization)
• shutdown issue with logger: core(logger): avoid destruction of GlobalLoggingInitStruct object #18522 (atexit() order is not correct)

[diablodale]

This issue and its associated PR make no feature changes. They add no new functionality. They make no declaration that OpenCV is "safe for use before main()" or "OpenCV is thread-safe". Their only goal is to fix errant fastMalloc() code which is within itself thread-unsafe...and...I have newly discovered it is also exception unsafe. This 3rd fail scenario is below.

Readers keep in mind, OpenCV can not avoid being used before main(). It is already happening in code devs/students/anyone that uses OpenCV.

#include <...>
Mat a {Mat::eye(100,100,CV_16U)};
// ...or other code, e.g. allocate a Mat, filing cells with random numbers iterate over cells and sum all numbers to a single int

int main()
{}

Mat a will be allocated and calculations done on it before main(). The standards you linked also caution that vendors can choose to delay dynamic initialization of static locals before or after main()...but they must also follow the C++11 rule of "thread safe init when control first passes over it".

My focus is on fastMalloc() -- not the higher-level classes of OpenCV. I use those classes as examples because they use this underlying fastMalloc(). I believe that fastMalloc() needs to be as reliable and consistent as malloc(). Developers don't think about "can I use malloc here?" No, instead devs know they can always call malloc() and that call is thread-safe. C++11 mandates it is thread-safe. If malloc() has memory available, it will return an address. Otherwise, it will consistently return an error value which can checked and handled. It doesn't crash. And the memory address it provides can later be free() with no crash.

Exception unsafe scenario

The new exception unsafe scenario is single-threaded and can happen before or after main().

Time	Activity	Note
1	fastMalloc()
2	isAlignedAllocationEnabled()
3	initialized = false
4	useMemalign = true
5	if (!initialized)	is false, therefore runs clause
6	initialized = true
7	useMemalign = readMemoryAlignmentParameter()
8	value = true	or value=false, it doesn't matter
9	value = cv::utils::getConfigurationParameterBool(...)
10	read<bool>()
11	exception thrown, caught, and new exception thrown with CV_Error()
12	…	some higher level code caught and managed CV_Error() exception
13	fastMalloc()
14	isAlignedAllocationEnabled()
15	if (!initialized)	is true due to timerow=6
16	return useMemalign	is true due to timerow=4
17	…all code now uses aligned fastMalloc() codepath

Naturally, this is errant. All of OpenCV that uses fastMalloc() will use the native aligned memory codepath. This ignores the intention of the GLIBC workaround in code and ignores any environment variable settings. 😥

[alalek]

Readers keep in mind, OpenCV can not avoid being used before main().

Mentioned code is fine (all work is done in the initialization thread, no extra threads created or used OpenCV during this initialization).

---

Exceptions

Probably it make sense to wrap into try-catch this line (to return value):

value = cv::utils::getConfigurationParameterBool("OPENCV_ENABLE_MEMALIGN", value)

[diablodale]

Its more a PR note, but no need for a try/catch there.
C++11 also mandates that static local variable initialization is exception-safe. The PR's approach handles an exception within its initialization correctly. If exception thrown during the initialization, it is cascaded up as normal. The runtime knows the initialization is not complete, therefore, the next thread blocks (or some other thread in the future) will again run the initialization.

[diablodale]

issue is resolved with pr #19029