tokio issueshttps://gitlab.redox-os.org/redox-os/tokio/-/issues2019-11-21T03:04:07Zhttps://gitlab.redox-os.org/redox-os/tokio/-/issues/2Possible Atomicity Violation in poll_evented poll_ready2019-11-21T03:04:07ZBoqin QinPossible Atomicity Violation in poll_evented poll_readyhttps://gitlab.redox-os.org/redox-os/tokio/blob/master/tokio-reactor/src/poll_evented.rs#L105-144
```
macro_rules! poll_ready {
($me:expr, $mask:expr, $cache:ident, $take:ident, $poll:expr) => {{
$me.register()?;
//...https://gitlab.redox-os.org/redox-os/tokio/blob/master/tokio-reactor/src/poll_evented.rs#L105-144
```
macro_rules! poll_ready {
($me:expr, $mask:expr, $cache:ident, $take:ident, $poll:expr) => {{
$me.register()?;
// Load cached & encoded readiness.
let mut cached = $me.inner.$cache.load(Relaxed); // 1
let mask = $mask | ::platform::hup();
// See if the current readiness matches any bits.
let mut ret = mio::Ready::from_usize(cached) & $mask;
if ret.is_empty() { // 2
...
} else {
// Check what's new with the registration stream. This will not
// request to be notified
if let Some(ready) = $me.inner.registration.$take()? {
cached |= ready.as_usize();
$me.inner.$cache.store(cached, Relaxed); // 3
}
Ok(mio::Ready::from_usize(cached).into()) // 4
}
}};
}
```
$cache is an Atomic Variable. In the buggy code:
1. cache.load().
2. check ret that is data dependent on 1.
3. if not, update cached based on old value
4. then return cached.
The function may be executed in the following patterns:
| T1 | T2 |
| ------ | ------ |
| cached.load() | |
| check ret (false) | |
| | cached.load() |
| | check ret (false) |
| | update cached based on old value |
|update cached based on new value||
But originally T1 should update cached on the old value.https://gitlab.redox-os.org/redox-os/tokio/-/issues/1Possbile data race in tokio-timer Entry2019-11-18T23:37:04ZBoqin QinPossbile data race in tokio-timer Entryhttps://gitlab.redox-os.org/redox-os/tokio/blob/master/tokio-timer/src/timer/entry.rs#L31
Struct Entry implements Sync trait so as to be shared across threads by reference. It contains UnsafeCell, and its methods will return a mutable r...https://gitlab.redox-os.org/redox-os/tokio/blob/master/tokio-timer/src/timer/entry.rs#L31
Struct Entry implements Sync trait so as to be shared across threads by reference. It contains UnsafeCell, and its methods will return a mutable reference to the inner data.
This may cause a crash if one thread writes the data while another is accessing it, all by immutable reference of the struct and will bypass compiler checking. It is rather unsafe but we marked it as safe!!!
In fact, tokio-timer has a number of problems.
I think the misuse of interior mutability may be the root cause of the crashes.
I searched for a newer version of the same functionality, but much safer.
https://github.com/tokio-rs/tokio/pull/249
My suggestion is to replace the current buggy one with this version.