Nondeterminism in chutney+tor+arti

[sporksmith]

chutney tests involving arti hidden services appear to be non-deterministic under shadow. I haven't narrowed down yet whether the non-determinism extends to other chutney networks (e.g. not involving arti or not involving hidden services). It's more obvious in the (arti) hidden service case since those transfers are flaky, resulting in corresponding tests run under shadow also being flaky. (instead of always passing or always failing with a given simulation seed)

Locally running a slightly modified version of arti's "shadow-test-networks" CI job, extracted to this script:

set -xeuo pipefail

for flavor in \
      hs-v3-arti \
      ; do
  shadow-exec \
    --preserve=always \
    --shadow-args="--model-unblocked-syscall-latency=true --max-unapplied-cpu-latency=10ms --strace-logging-mode=deterministic" \
    -- \
  bash -c \
  "
    set -x
    set -euo pipefail
    export CHUTNEY_ARTI=\"$CHUTNEY_ARTI\"
    # Too noisy
    export CHUTNEY_DEBUG=0
    # Tell the "verify" test to connect to hidden services with *every*
    # client. We want this to e.g. validate cross-compatibility between tor
    # and arti clients and servers.
    export CHUTNEY_HS_MULTI_CLIENT=1
    export PATH=\"$PATH\"
    tools/test-network.sh \
    --chutney-path \"$CHUTNEY_PATH\" \
    --net-dir \"$CHUTNEY_DATA_DIR\" \
    --sandbox 0 \
    --no-controlsocket \
    --no-ipv6 \
    --tor \"$(which tor)\" \
    --tor-gencert \"$(which tor-gencert)\" \
    --stop-time 0 \
    --flavor \"$flavor\" || \"$CHUTNEY_PATH\"/chutney stop \"$flavor\""
done

I eliminated some sources of nondeterminism by setting the output directory (CHUTNEY_DATA_DIR) to the same fresh empty directory between runs (and moving previous results out of the way).

I still get substantial diffs using:
git diff --no-index --text --word-diff -- ~/tmp/net[01]/shadow-exec-*/shadow.data/hosts/host/bash.1000.strace

Going roughly in order:

There are a few of these sched_getaffinity calls using different PIDs (in arti). I think this is the native PID that the dynamic linker gets hold of before we get control. The result is the same in both cases ESRCH, so it doesn't seem likely to itself cause further divergence.

@@ -72207,7 +72207,7 @@
00:00:01.000000000 [tid 1051] read(3, <pointer>, 1024) = 1024
00:00:01.000000000 [tid 1051] read(3, <pointer>, 1024) = 125
00:00:01.000000000 [tid 1051] close(3) = 0
00:00:01.000000000 [tid 1051] [-sched_getaffinity(1570339,-]{+sched_getaffinity(1570910,+} 32, <pointer>) = -3 (ESRCH)
00:00:01.000000000 [tid 1051] rt_sigaction(11, <pointer>, <pointer>, 8) = 0
00:00:01.000000000 [tid 1051] sigaltstack(<pointer>, <pointer>) = 0
00:00:01.000000000 [tid 1051] mmap(<pointer>, 12288, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_STACK | MAP_PRIVATE, 4294967295, 0) = <pointer>

Next we have a sequence of syscalls on a file descriptor (EDIT: in a tor relay process), with different descriptor numbers in the runs. That shouldn't happen; something has gone wrong by this point.

@@ -1589285,10 +1589285,10 @@
000000087654062000 [tid 1087] time(...) = 946684887
000000087654062000 [tid 1087] clock_gettime(...) = 0
000000087654062000 [tid 1087] time(...) = 946684887
00:01:27.654062000 [tid 1087] [-getsockopt(16,-]{+getsockopt(24,+} 6, 11, <pointer>, <pointer>) = 0
00:01:27.654062000 [tid 1087] [-ioctl(16,-]{+ioctl(24,+} 35147, <non-deterministic>) = 0
00:01:27.654062000 [tid 1087] [-getsockopt(17,-]{+getsockopt(18,+} 6, 11, <pointer>, <pointer>) = 0
00:01:27.654062000 [tid 1087] [-ioctl(17,-]{+ioctl(18,+} 35147, <non-deterministic>) = 0
000000087654062000 [tid 1087] clock_gettime(...) = 0
000000087654062000 [tid 1087] clock_gettime(...) = 0
000000087654062000 [tid 1087] time(...) = 946684887

A little later we see sequences of syscalls that are identical but with a different PID.

EDIT: these are tor authority threads

EDIT: these happen after a blocked epoll_wait. In one case the original thread (1067) is run next (why did it get blocked at all??), and in the second case a different thread runs instead. Because both threads were blocked in the same place in the same code, we get the same sequence of syscalls, but with different pids. But of course this will lead to further divergence.

00:01:27.654062000 [tid 1067] epoll_wait(3, <pointer>, 32, 2) = <blocked>
00:01:27.654062000 [tid [-1067]-]{+1072]+} epoll_wait(3, <pointer>, 32, [-2)-]{+376)+} = 1
000000087654062000 [tid [-1067]-]{+1072]+} clock_gettime(...) = 0
000000087654062000 [tid [-1067]-]{+1072]+} time(...) = 946684887
000000087654062000 [tid [-1067]-]{+1072]+} clock_gettime(...) = 0
000000087654062000 [tid [-1067]-]{+1072]+} clock_gettime(...) = 0
00:01:27.654062000 [tid [-1067]-]{+1072]+} read(19, <pointer>, 5) = 5
00:01:27.654062000 [tid [-1067]-]{+1072]+} read(19, <pointer>, 531) = 531
00:01:27.654062000 [tid [-1067]-]{+1072]+} read(19, <pointer>, 5) = -11 (EWOULDBLOCK)
000000087654062000 [tid [-1067]-]{+1072]+} time(...) = 946684887
000000087654062000 [tid [-1067]-]{+1072]+} clock_gettime(...) = 0
000000087654062000 [tid [-1067]-]{+1072]+} time(...) = 946684887
000000087654062000 [tid [-1067]-]{+1072]+} clock_gettime(...) = 0
000000087654062000 [tid [-1067]-]{+1072]+} clock_gettime(...) = 0
000000087654062000 [tid [-1067]-]{+1072]+} gettimeofday(...) = 0
000000087654062000 [tid [-1067]-]{+1072]+} gettimeofday(...) = 0
00:01:27.654062000 [tid [-1067]-]{+1072]+} futex(<pointer>, 129, 1, <pointer>, <pointer>, <non-deterministic>) = 1
000000087654062000 [tid [-1067]-]{+1072]+} time(...) = 946684887
00:01:27.654062000 [tid [-1067]-]{+1072]+} epoll_wait(3, <pointer>, 32, [-2)-]{+346)+} = <blocked>
00:01:27.654062000 [tid [-1057]-]{+1077]+} epoll_wait(3, <pointer>, 32, [-350)-]{+354)+} = 1
000000087654062000 [tid [-1057]-]{+1077]+} clock_gettime(...) = 0
000000087654062000 [tid [-1057]-]{+1077]+} time(...) = 946684887
000000087654062000 [tid [-1057]-]{+1077]+} clock_gettime(...) = 0
000000087654062000 [tid [-1057]-]{+1077]+} clock_gettime(...) = 0

I'll stop here; the traces continue to diverge further and further by this point.

[sporksmith]

I suspected the trouble might be in python's async/await runtime scheduler, similar to what we've seen before in golang's scheduler. I tried a similar test with a small python script involving a little bit of async/await, analogous to what chutney is doing. The strace logs were completely identical, so this doesn't seem to be the source of the problem.

Here's the test script:

#!/usr/bin/env python3

import asyncio

HOST="127.0.0.1"
PORT=8080

DATA=b"Here is some data"
REPS=100000

async def handle_client(reader, writer):
    print("client handler starting")
    while True:
        data = await reader.read(1024)
        if not data:
            writer.close()
            break
        await writer.drain()
        writer.write(data)
    print("client handler done")

async def client_write_output(writer):
    for _ in range(REPS):
        await writer.drain()
        writer.write(DATA)
    writer.write_eof()

async def client_handle_input(reader):
    for _ in range(REPS):
        data_in = await reader.readexactly(len(DATA))
        assert data_in == DATA, "data didn't match"
    print("client got expected data")
    data_in = await reader.read()
    print("client got expected EOF")

async def client():
    print("client starting")
    reader, writer = await asyncio.open_connection(host=HOST, port=PORT)

    t1 = asyncio.create_task(client_write_output(writer))
    t2 = asyncio.create_task(client_handle_input(reader))
    await asyncio.wait([t1, t2])
    writer.close()
    print("client done")

async def main():
    server = await asyncio.start_server(handle_client, host=HOST, port=PORT)

    await client()

    server.close()
    await server.wait_closed()


asyncio.run(main())

[sporksmith]

I'm stopping here for now; just wanted to do a brain-dump before I context-switch.

I think the next step is to get some smaller repro to help isolate the source; maybe by trying with other/simpler chutney networks (e.g. without arti; without hidden services).

Fixing strace logging of execve (#3611) might also be helpful, so we could more easily tell in which programs the divergence is starting. EDIT: strace logging of execve does work. The original description has been updated.

[sporksmith]

Actually I just remembered that the chutney traffic tester has a standalone test that exercises the same client-server bits I was trying to check in my bespoke python example above. In the chutney repo it's run via the wrapper script tests/unit-tests.sh

Running that with shadow-exec, the only diff I see is due to a mktemp usage in that wrapper script; in the second run the deterministic RNG tries to create the same directory again and gets EEXISTS, then creates a different temp directory.

So yeah, this seems to further confirm that the issue isn't in chutney/python itself.

$ git diff --no-index --text --word-diff -- /tmp/shadow-exec-i2tan4b2/shadow.data/hosts/host/bash.1000.strace /tmp/shadow-exec-o_kyyrc3/shadow.data/hosts/host/bash.1000.strace
diff --git a/tmp/shadow-exec-i2tan4b2/shadow.data/hosts/host/bash.1000.strace b/tmp/shadow-exec-o_kyyrc3/shadow.data/hosts/host/bash.1000.strace
index cbb14f2..051590a 100644
--- a/tmp/shadow-exec-i2tan4b2/shadow.data/hosts/host/bash.1000.strace
+++ b/tmp/shadow-exec-o_kyyrc3/shadow.data/hosts/host/bash.1000.strace
@@ -282,7 +282,8 @@
00:00:00.000000000 [tid 1004] ^^^ = SyscallReg { as_i64: 1000, as_u64: 1000, as_ptr: 0x3e8 }
00:00:00.000000000 [tid 1004] getgid(...) = <native>
00:00:00.000000000 [tid 1004] ^^^ = SyscallReg { as_i64: 1000, as_u64: 1000, as_ptr: 0x3e8 }
00:00:00.000000000 [tid 1004] open("/tmp/tmp.IqEmkT7dc0", O_RDWR | O_CREAT | O_EXCL, Mode(S_IRUSR | S_IWUSR)) = {+-17 (EEXIST)+}
{+00:00:00.000000000 [tid 1004] open("/tmp/tmp.YnaAwBt7L3", O_RDWR | O_CREAT | O_EXCL, Mode(S_IRUSR | S_IWUSR)) =+} 3
00:00:00.000000000 [tid 1004] close(3) = 0
00:00:00.000000000 [tid 1004] newfstatat(1, "", <pointer>, 4096) = -9 (EBADF)
00:00:00.000000000 [tid 1004] write(1, <pointer>, 20) = 20
@@ -4253,7 +4254,7 @@
000000000000000000 [tid 1006] gettimeofday(...) = 0
000000000000000000 [tid 1006] time(...) = 946684800
00:00:00.000000000 [tid 1006] fadvise64(0, 0, 0) = -9 (EBADF)
00:00:00.000000000 [tid 1006] openat(-100, [-"/tmp/tmp.IqEmkT7dc0",-]{+"/tmp/tmp.YnaAwBt7L3",+} O_WRONLY | O_CREAT | O_TRUNC, Mode(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH)) = 3
00:00:00.000000000 [tid 1006] read(0, <pointer>, 8192) = <blocked>
00:00:00.000000000 [tid 1007] rseq(<pointer>, 32, 0, 1392848979) = 0
00:00:00.000000000 [tid 1007] set_robust_list(<pointer>, 24) = -38 (ENOSYS)
@@ -4564,7 +4565,7 @@
00:00:00.000000001 [tid 1009] close(3) = 0
00:00:00.000000001 [tid 1009] dup2(4, 1) = 1
00:00:00.000000001 [tid 1009] close(4) = 0
00:00:00.000000001 [tid 1009] [-open("/tmp/tmp.IqEmkT7dc0",-]{+open("/tmp/tmp.YnaAwBt7L3",+} (empty), Mode(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH)) = 3
00:00:00.000000001 [tid 1009] fcntl(0, 0, <non-deterministic>) = 10
00:00:00.000000001 [tid 1009] close(0) = 0
00:00:00.000000001 [tid 1009] fcntl(10, 2, <non-deterministic>) = 0
@@ -4600,7 +4601,7 @@
00:00:00.000000001 [tid 1010] close(3) = 0
00:00:00.000000001 [tid 1010] dup2(4, 1) = 1
00:00:00.000000001 [tid 1010] close(4) = 0
00:00:00.000000001 [tid 1010] [-open("/tmp/tmp.IqEmkT7dc0",-]{+open("/tmp/tmp.YnaAwBt7L3",+} (empty), Mode(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH)) = 3
00:00:00.000000001 [tid 1010] fcntl(0, 0, <non-deterministic>) = 10
00:00:00.000000001 [tid 1010] close(0) = 0
00:00:00.000000001 [tid 1010] fcntl(10, 2, <non-deterministic>) = 0

[sporksmith]

Fixing strace logging of execve (#3611) might also be helpful, so we could more easily tell in which programs the divergence is starting.

I misremembered about execve strace logging not working.

I edited the original description to note which processes the discrepancies were in. The first sched_getaffiinity difference was in arti, but I doubt that leads to further divergence. The others were in tor authority threads.

[sporksmith]

I tried the original test and comparison again with some more network configurations.

basic-min

With the basic-min network (tor relays and a single tor client), I get a clean strace diff.

hs-v3-min

With the hs-v3-min network (tor relays, a tor client, and a tor hidden service), I get a clean strace diff.

basic-arti

In the basic-arti network, which includes both arti and tor clients, after thread 1077 (a tor thread) gets blocked on epoll_wait, we have different threads (1052 (a tor thread of a different process) vs 1062 (a tor thread of another process)) start executing next. This seems like some kind of non-determinism in shadow's scheduling/epoll-handling. Only tor processes are involved in this case. I'm not sure if arti is still somehow causing this to happen "from a distance", or this is "sometimes deterministic", or it has something to do with the size of the network ...

This looks like the same epoll_wait difference as in the first example of this issue, though that one also still has an even-earlier difference that still isn't explained or narrowed down.

diff --git a/home/jnewsome/tmp/basic-arti0/shadow-exec-9nldry2w/shadow.data/hosts/host/bash.1000.strace b/home/jnewsome/tmp/basic-arti1/shadow-exec-uv_7bh89/shadow.data/hosts/host/bash.1000.strace
index f5f75df..ed67a91 100644
--- a/home/jnewsome/tmp/basic-arti0/shadow-exec-9nldry2w/shadow.data/hosts/host/bash.1000.strace
+++ b/home/jnewsome/tmp/basic-arti1/shadow-exec-uv_7bh89/shadow.data/hosts/host/bash.1000.strace
@@ -132795,7 +132795,7 @@
00:00:01.000000000 [tid 1101] read(3, <pointer>, 1024) = 1024
00:00:01.000000000 [tid 1101] read(3, <pointer>, 1024) = 125
00:00:01.000000000 [tid 1101] close(3) = 0
00:00:01.000000000 [tid 1101] [-sched_getaffinity(1633643,-]{+sched_getaffinity(1633995,+} 32, <pointer>) = -3 (ESRCH)
00:00:01.000000000 [tid 1101] rt_sigaction(11, <pointer>, <pointer>, 8) = 0
00:00:01.000000000 [tid 1101] sigaltstack(<pointer>, <pointer>) = 0
00:00:01.000000000 [tid 1101] mmap(<pointer>, 12288, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_STACK | MAP_PRIVATE, 4294967295, 0) = <pointer>
@@ -4299290,30 +4299290,6 @@
000000153469130014 [tid 1077] time(...) = 946684953
00:02:33.469130014 [tid 1077] epoll_ctl(3, 3, 15, <pointer>) = 0
00:02:33.469130014 [tid 1077] epoll_wait(3, <pointer>, 32, 2) = <blocked>
[-00:02:33.469130014 [tid 1052] epoll_wait(3, <pointer>, 32, 531) = 1-]
[-000000153469130014 [tid 1052] clock_gettime(...) = 0-]
[-000000153469130014 [tid 1052] time(...) = 946684953-]
[-000000153469130014 [tid 1052] clock_gettime(...) = 0-]
[-000000153469130014 [tid 1052] clock_gettime(...) = 0-]
[-00:02:33.469130014 [tid 1052] read(16, <pointer>, 5) = 0-]
[-00:02:33.469130014 [tid 1052] write(16, <pointer>, 24) = 24-]
[-00:02:33.469130014 [tid 1052] close(16) = 0-]
[-000000153469130014 [tid 1052] time(...) = 946684953-]
[-000000153469130014 [tid 1052] time(...) = 946684953-]
[-000000153469130014 [tid 1052] time(...) = 946684953-]
[-000000153469130014 [tid 1052] time(...) = 946684953-]
[-000000153469130014 [tid 1052] time(...) = 946684953-]
[-000000153469130014 [tid 1052] time(...) = 946684953-]
[-000000153469130014 [tid 1052] gettimeofday(...) = 0-]
[-00:02:33.469130014 [tid 1052] write(9, <pointer>, 155) = 155-]
[-000000153469130014 [tid 1052] gettimeofday(...) = 0-]
[-00:02:33.469130014 [tid 1052] write(9, <pointer>, 84) = 84-]
[-000000153469130014 [tid 1052] gettimeofday(...) = 0-]
[-00:02:33.469130014 [tid 1052] write(9, <pointer>, 78) = 78-]
[-000000153469130014 [tid 1052] time(...) = 946684953-]
[-000000153469130014 [tid 1052] clock_gettime(...) = 0-]
[-00:02:33.469130014 [tid 1052] epoll_ctl(3, 2, 16, <pointer>) = -9 (EBADF)-]
[-00:02:33.469130014 [tid 1052] epoll_wait(3, <pointer>, 32, 531) = <blocked>-]
00:02:33.469130014 [tid 1062] epoll_wait(3, <pointer>, 32, 531) = 1
000000153469130014 [tid 1062] clock_gettime(...) = 0
000000153469130014 [tid 1062] time(...) = 946684953
@@ -4299338,6 +4299314,30 @@
000000153469130014 [tid 1062] clock_gettime(...) = 0
00:02:33.469130014 [tid 1062] epoll_ctl(3, 2, 16, <pointer>) = -9 (EBADF)
00:02:33.469130014 [tid 1062] epoll_wait(3, <pointer>, 32, 531) = <blocked>
{+00:02:33.469130014 [tid 1052] epoll_wait(3, <pointer>, 32, 531) = 1+}
{+000000153469130014 [tid 1052] clock_gettime(...) = 0+}
{+000000153469130014 [tid 1052] time(...) = 946684953+}
{+000000153469130014 [tid 1052] clock_gettime(...) = 0+}
{+000000153469130014 [tid 1052] clock_gettime(...) = 0+}
{+00:02:33.469130014 [tid 1052] read(16, <pointer>, 5) = 0+}
{+00:02:33.469130014 [tid 1052] write(16, <pointer>, 24) = 24+}
{+00:02:33.469130014 [tid 1052] close(16) = 0+}
{+000000153469130014 [tid 1052] time(...) = 946684953+}
{+000000153469130014 [tid 1052] time(...) = 946684953+}
{+000000153469130014 [tid 1052] time(...) = 946684953+}
{+000000153469130014 [tid 1052] time(...) = 946684953+}
{+000000153469130014 [tid 1052] time(...) = 946684953+}
{+000000153469130014 [tid 1052] time(...) = 946684953+}
{+000000153469130014 [tid 1052] gettimeofday(...) = 0+}
{+00:02:33.469130014 [tid 1052] write(9, <pointer>, 155) = 155+}
{+000000153469130014 [tid 1052] gettimeofday(...) = 0+}
{+00:02:33.469130014 [tid 1052] write(9, <pointer>, 84) = 84+}
{+000000153469130014 [tid 1052] gettimeofday(...) = 0+}
{+00:02:33.469130014 [tid 1052] write(9, <pointer>, 78) = 78+}
{+000000153469130014 [tid 1052] time(...) = 946684953+}
{+000000153469130014 [tid 1052] clock_gettime(...) = 0+}
{+00:02:33.469130014 [tid 1052] epoll_ctl(3, 2, 16, <pointer>) = -9 (EBADF)+}
{+00:02:33.469130014 [tid 1052] epoll_wait(3, <pointer>, 32, 531) = <blocked>+}
00:02:33.469130014 [tid 1062] epoll_wait(3, <pointer>, 32, 531) = 1
000000153469130014 [tid 1062] clock_gettime(...) = 0
000000153469130014 [tid 1062] time(...) = 946684953

[sporksmith]

I should note that all of the above are with a branch that adds some additional strace logging and has a fix for #3541 : https://github.com/sporksmith/shadow/tree/proc-self-and-more-strace

I don't think the strace logging change makes a difference, but without the proc-self fix there are some other differences when reading /proc/self/maps from arti processes (just different read sizes; it doesn't seem to cascade into further nondeterminism)

[sporksmith]

I wrote a script to more-quickly iterate on running the test twice and diffing the straces, and have experimented with doing more repetitions and networks.

I haven't been able to repro with any chutney networks that don't include arti, including hs-v3 (a network that includes tor hidden services and tor clients, but not arti instances of either).

I have been able to reproduce the strace nondeterminism in the basic-arti network, which doesn't include any hidden services but does include an arti client.

So it does seem like the epoll_wait scheduling nondeterminism is somehow triggered by the presence of an arti client, even though the diff always seems to involve tor processes.

[sporksmith]

"Self-contained" repro script for posterity (requires chutney, shadow, shadow-tools, tor, and arti). Also verified that it reproduces with a "vanilla" arti build without any extra features (e.g. hidden-service-service) enabled.

#!/bin/bash

set -xeuo pipefail

FLAVOR=basic-arti
RUN_ROOT=/tmp/chutney-dettest
RES_ROOT=$(mktemp -d)

CHUTNEY_DATA_DIR="$RUN_ROOT"/net

do_shadow_exec() {
  N=$1

  mkdir $RUN_ROOT
  shadow-exec \
    --preserve=always \
    --shadow-args="--stop-time 600 --model-unblocked-syscall-latency=true --max-unapplied-cpu-latency=10ms --strace-logging-mode=deterministic" \
    --temp-dir="$RUN_ROOT" \
    -- \
  bash -c \
  "
    set -x
    set -euo pipefail
    export CHUTNEY_ARTI=\"$CHUTNEY_ARTI\"

    export CHUTNEY_HS_MULTI_CLIENT=1
    export PATH=\"$PATH\"
    export CHUTNEY_ENABLE_CONTROLSOCKET=0
    export CHUTNEY_TOR_SANDBOX=0
    export CHUTNEY_DISABLE_IPV6=1
    export CHUTNEY_DATA_DIR=\"$CHUTNEY_DATA_DIR\"
    chutney bootstrap "$FLAVOR"
    # don't bail out on failure
    chutney verify "$FLAVOR" || true
    chutney stop "$FLAVOR"
  "

  mv "$RUN_ROOT" "$RES_ROOT"/"$N"
} 

do_shadow_exec 0
do_shadow_exec 1

git diff --no-index --text --word-diff -- "$RES_ROOT"/[01]/shadow-exec-*/shadow.data/hosts/host/bash.1000.strace

[sporksmith]

While running the repro script over some more variations, I came across another instance of different file descriptor numbers being assigned, this time while opening a regular file:

@@ -14820,15 +14820,15 @@
00:00:00.000000000 [tid 1005] futex(<pointer>, 129, 2147483647, <pointer>, <pointer>, <non-deterministic>) = 0
00:00:00.000000000 [tid 1005] futex(<pointer>, 129, 2147483647, <pointer>, <pointer>, <non-deterministic>) = 0
00:00:00.000000000 [tid 1005] futex(<pointer>, 129, 2147483647, <pointer>, <pointer>, <non-deterministic>) = 0
00:00:00.000000000 [tid 1005] openat(-100, "/usr/lib/ssl/openssl.cnf", (empty), Mode(0x0)) = [-3-]{+10+}
00:00:00.000000000 [tid 1005] futex(<pointer>, 129, 2147483647, <pointer>, <pointer>, <non-deterministic>) = 0
00:00:00.000000000 [tid 1005] [-newfstatat(3,-]{+newfstatat(10,+} "", <pointer>, 4096) = 0
00:00:00.000000000 [tid 1005] [-read(3,-]{+read(10,+} <pointer>, 4096) = 4096
00:00:00.000000000 [tid 1005] [-read(3,-]{+read(10,+} <pointer>, 4096) = 4096
00:00:00.000000000 [tid 1005] [-read(3,-]{+read(10,+} <pointer>, 4096) = 4096
00:00:00.000000000 [tid 1005] [-read(3,-]{+read(10,+} <pointer>, 4096) = 131
00:00:00.000000000 [tid 1005] [-read(3,-]{+read(10,+} <pointer>, 4096) = 0
00:00:00.000000000 [tid 1005] [-close(3)-]{+close(10)+} = 0
00:00:00.000000000 [tid 1005] futex(<pointer>, 129, 2147483647, <pointer>, <pointer>, <non-deterministic>) = 0
00:00:00.000000000 [tid 1005] futex(<pointer>, 129, 2147483647, <pointer>, <pointer>, <non-deterministic>) = 0
00:00:00.000000000 [tid 1005] futex(<pointer>, 129, 2147483647, <pointer>, <pointer>, <non-deterministic>) = 0

I started tracing through to find how descriptor numbers are assigned, and found that the DescriptorTable uses an internal hash map that looks like it can end up cascading into callbacks being called in different orders. Changing it to use a sorted data structure (#3614) seems to solve this bug. I haven't been able to reproduce the different scheduling orders nor file descriptor assignments when including that fix (and the /proc/self/maps fix in #3613, though that one usually doesn't cascade into further nondeterminism).