Bug #30837136 RW_LOCK_X_LOCK_LOW: CONDITIONAL JUMP OR MOVE

Valgrind identified a "problem" (present since 2013) that we sometimes
read "invalid" value of writer_thread.

A thread which releases the latch does:
1. set lock->recursive to false
2. mark lock->writer_thread as invalid

A thread which tries to check if it already owns the latch does:
0. check lock->recursive is true
3. check lock->writer_thread is myself

Note that if they are executed in order 0,1,2,3 even with full memory
barriers etc. you will end up in a situation where the "invalid" value of
writer_thread is being inspected.

This is not really a bug, because if the value is "invalid" it still can not
be equal to our thread's id, unless a torn read happened (quite unlikely on
modern architectures) and the mixture of old and new bytes looks like our id.

Another (unlikely?) possibility would be that the `0x0` value we used for
initialization of `writer_thread` field is somehow our thread's id (which
anyway shouldn't matter because of initially setting `recursive` to `false`).
To remove any doubt here, instead of `0`, we will use
`std::thread().native_handle()` which is the official "invalid" value for a
thread handle - no real thread can have such a native handle.

To avoid "torn" values, this patch declares `writer_thread` as `std::atomic`,
but uses `std::memory_order_relaxed` for accesses to it, so that it does not
introduce any new ordering constraints - just makes sure operations are
atomic (so, no "torn" read is possible).

Rather than adding another supression for Valgrind, this patch simply removes
the "2." step.

What *is* important (and was recently fixed) is to make sure that IF we
loaded `recursive==true`, THEN we will see `writer_thread` value set by the
thread which set `recursive` to `true`, or some LATER value. In particular this
is important, if our thread was recently owning the latch, and our thread id
was left in `writer_thread` - we need to make sure that it gets overwritten by
next thread before we look at it.

In other words, we need a guarantee that
```
recursive.load(acquire) && writer_thread==me
```
happens if and only if, my thread is indeed the one who already owns the latch.

And for that it suffices to follow the simple protocol:

When acquiring the latch for yourself:
```
  writer_thread = me
  recursive.store(true, release)
```

When acquiring the latch for someone else (pass=true):
```
  writer_thread = me
  recursive.store(false, release)
```
(this recursive=false will prevent me from wrongly believe I can latch it
recursively, while my intention was to pass the ownership to another thread).

When recieving ownership from someone else, do the same thing as when acquiring
the latch.

Before releasing the latch do:
```
  recursive.store(false, relaxed)
```

When checking if you already own the latch do:
```
if(recursive.load(acquire) && writer_thread.load(relaxed)==me)
```

The guarantee holds, because:

(=>) If we indeed hold the latch we set writer_thread = me and recursive to true
     and nobody else have modified it since, so the `if`'s condition is true.

(<=) If the `if` condition was evaluated to `true` then it means that our
     `recursive.load` has read `true`, so it synchronizes with a thread which
     performed `recursive.store(true, release)`, so the value of `writer_thread`
     we read, is (A) either the one it has stored, or (B) some even fresher one.
     (A) As we saw `writer_thread == me` and we are the only thread which could
         write this particular value to this field, it must mean that we are the
         thread which performed `recursive.store(true, release)` most recently,
         so we own the latch.
     (B) As we are now in a source code line which does `if` (as opposed to a
         source code line between write to `writer_thread` and
         `recursive.store`) we had to perform some `recursive.store` (`true`, or
         `false`) before getting here. So our `recursive.load` has to happen
         after our own `store` to it. But this contradicts the premise of (B),
         as we get a cycle: our write to `writer_thread` is before our `store`,
         which is before or the same `store` we synchronize with, which is, by
         premise of (B), before our write to writer_thread.
         So, case B is impossible.

RB:23954
Reviewed by : Kevin Lewis <kevin.lewis@oracle.com>
Reviewed by : Nikša Skeledžija <niksa.skeledzija@oracle.com>

Author: Jakub Łopuszański

storage/innobase/include/sync0rw.h

@@ -494,11 +494,10 @@ bool rw_lock_lock_word_decr(rw_lock_t *lock, ulint amount, lint threshold);
 UNIV_INLINE
 lint rw_lock_lock_word_incr(rw_lock_t *lock, ulint amount);
 
-/** This function sets the lock->writer_thread and lock->recursive fields. For
-platforms where INNODB_RW_LOCKS_USE_ATOMICS is defined we set the
+/** This function sets the lock->writer_thread and lock->recursive fields. Sets
 lock->recursive field using atomic release after setting lock->writer thread to
-ensure proper memory ordering of the two. Otherwise we use lock->mutex to ensure
-this. Note that it is assumed that the caller of this function effectively owns
+ensure proper memory ordering of the two.
+Note that it is assumed that the caller of this function effectively owns
 the lock i.e.: nobody else is allowed to modify lock->writer_thread at this
 point in time. The protocol is that lock->writer_thread MUST be updated BEFORE
 the lock->recursive flag is set.
@@ -595,9 +594,10 @@ struct rw_lock_t
   causing much memory bus traffic */
   bool writer_is_wait_ex;
 
-  /** Thread id of writer thread. Is only guaranteed to have sane
-  and non-stale value iff recursive flag is set. */
-  os_thread_id_t writer_thread;
+  /** Thread id of writer thread. Is only guaranteed to have non-stale value if
+  recursive flag is set, otherwise it may contain native thread handle of a
+  thread which already released or passed the lock. */
+  std::atomic<os_thread_id_t> writer_thread;
 
   /** Used by sync0arr.cc for thread queueing */
   os_event_t event;

storage/innobase/include/sync0rw.ic

@@ -276,21 +276,8 @@ lint rw_lock_lock_word_incr(rw_lock_t *lock, /*!< in/out: rw-lock */
 
 UNIV_INLINE
 void rw_lock_set_writer_id_and_recursion_flag(rw_lock_t *lock, bool recursive) {
-  os_thread_id_t curr_thread = os_thread_get_curr_id();
-
-#ifdef INNODB_RW_LOCKS_USE_ATOMICS
-
-  lock->writer_thread = curr_thread;
-  lock->recursive.store(recursive, std::memory_order_release);
-
-#else /* INNODB_RW_LOCKS_USE_ATOMICS */
-
-  mutex_enter(&lock->mutex);
-  lock->writer_thread = curr_thread;
+  lock->writer_thread.store(os_thread_get_curr_id(), std::memory_order_relaxed);
   lock->recursive.store(recursive, std::memory_order_release);
-  mutex_exit(&lock->mutex);
-
-#endif /* INNODB_RW_LOCKS_USE_ATOMICS */
 }
 
 /** Low-level function which tries to lock an rw-lock in s-mode. Performs no
@@ -382,7 +369,8 @@ ibool rw_lock_x_lock_func_nowait(
   if (success) {
     rw_lock_set_writer_id_and_recursion_flag(lock, true);
   } else if (lock->recursive.load(std::memory_order_acquire) &&
-             os_thread_eq(lock->writer_thread, os_thread_get_curr_id())) {
+             os_thread_eq(lock->writer_thread.load(std::memory_order_relaxed),
+                          os_thread_get_curr_id())) {
     /* Relock: this lock_word modification is safe since no other
     threads can modify (lock, unlock, or reserve) lock_word while
     there is an exclusive writer and this is the writer thread. */
@@ -455,12 +443,13 @@ void rw_lock_x_unlock_func(
   ut_ad(lock->lock_word == 0 || lock->lock_word == -X_LOCK_HALF_DECR ||
         lock->lock_word <= -X_LOCK_DECR);
 
-  /* lock->recursive flag also indicates if lock->writer_thread is
-  valid or stale. If we are the last of the recursive callers
-  then we must unset lock->recursive flag to indicate that the
-  lock->writer_thread is now stale.
-  Note that since we still hold the x-lock we can safely read the
-  lock_word. */
+  /* lock->recursive == true implies that the lock->writer_thread is the
+  current writer. If we are the last of the recursive callers then we must unset
+  lock->recursive flag (or reset lock->writer_thread to the impossible
+  std::thread().native_handle()) to indicate that the lock->writer_thread is now
+  stale. Otherwise if our thread tried to reacquire the lock it would wrongly
+  believe it already has it.
+  Note that since we still hold the x-lock we can safely read the lock_word. */
   if (lock->lock_word == 0) {
     /* Last caller in a possible recursive chain. */
     lock->recursive.store(false, std::memory_order_relaxed);
@@ -518,7 +507,6 @@ void rw_lock_sx_unlock_func(
     /* Last caller in a possible recursive chain. */
     if (lock->lock_word > 0) {
       lock->recursive.store(false, std::memory_order_relaxed);
-      UNIV_MEM_INVALID(&lock->writer_thread, sizeof lock->writer_thread);
 
       if (rw_lock_lock_word_incr(lock, X_LOCK_HALF_DECR) <= X_LOCK_HALF_DECR) {
         ut_error;

storage/innobase/sync/sync0arr.cc

@@ -530,13 +530,11 @@ static void sync_array_cell_print(FILE *file, /*!< in: file where to print */
 
     if (writer != RW_LOCK_NOT_LOCKED) {
       fprintf(file,
-              "a writer (thread id " UINT64PF
-              ") has"
-              " reserved it in mode %s",
-              (uint64_t)(rwlock->writer_thread),
+              "a writer (thread id " UINT64PF ") has reserved it in mode %s\n",
+              (uint64_t)(rwlock->writer_thread.load()),
               writer == RW_LOCK_X
-                  ? " exclusive\n"
-                  : writer == RW_LOCK_SX ? " SX\n" : " wait exclusive\n");
+                  ? "exclusive"
+                  : (writer == RW_LOCK_SX ? "SX" : "wait exclusive"));
     }
 
     fprintf(file,

storage/innobase/sync/sync0rw.cc

@@ -106,31 +106,31 @@ sx-lock holder.
 
 The other members of the lock obey the following rules to remain consistent:
 
-recursive:	This and the writer_thread field together control the
-                behaviour of recursive x-locking or sx-locking.
-                lock->recursive must be FALSE in following states:
-                        1) The writer_thread contains garbage i.e.: the
-                        lock has just been initialized.
-                        2) The lock is not x-held and there is no
-                        x-waiter waiting on WAIT_EX event.
-                        3) The lock is x-held or there is an x-waiter
-                        waiting on WAIT_EX event but the 'pass' value
-                        is non-zero.
-                lock->recursive is TRUE iff:
-                        1) The lock is x-held or there is an x-waiter
-                        waiting on WAIT_EX event and the 'pass' value
-                        is zero.
-                This flag must be set after the writer_thread field
-                has been updated with a memory ordering barrier.
-                It is unset before the lock_word has been incremented.
-writer_thread:	Is used only in recursive x-locking. Can only be safely
-                read iff lock->recursive flag is TRUE.
-                This field is uninitialized at lock creation time and
-                is updated atomically when x-lock is acquired or when
-                move_ownership is called. A thread is only allowed to
-                set the value of this field to it's thread_id i.e.: a
-                thread cannot set writer_thread to some other thread's
-                id.
+recursive:	This flag is true iff the lock->writer_thread is allowed to take
+                the x or sx lock recursively.
+
+                In particular you should follow these rules:
+                - make sure to change recursive to `false` (or reset the
+                  `writer_thread` to `std::thread().native_handle()`) before
+                  releasing the lock
+                - make sure to change recursive to `false` (but do not reset the
+                  `writer_thread` as it will remove debug info) before passing
+                  the lock to other thread
+                - make sure to put your thread's native handle before setting
+                  recursive to `true`
+                - make sure that when you want to read both `recursive` and
+                  `writer_thread` you do this in this precise order
+writer_thread:	Is used only in recursive x-locking.
+                This field is initialized to an impossible thread native handle
+                value at lock creation time and is updated atomically when sx or
+                x-lock is being acquired or when move_ownership is called.
+                A thread is only allowed to set the value of this field to its
+                thread_id i.e.: a thread cannot set writer_thread to some other
+                thread's id.
+                The only reasonable way (except reporting in debug info) to use
+                this field is to compare it to own thread's native handle
+                AFTER checking that lock->recursive flag is set, to see if we
+                are the current writer.
 waiters:	May be set to 1 anytime, but to avoid unnecessary wake-up
                 signals, it should only be set to 1 when there are threads
                 waiting on event. Must be 1 when a writer starts waiting to
@@ -222,14 +222,9 @@ void rw_lock_create_func(
   lock->lock_word = X_LOCK_DECR;
   lock->waiters = 0;
 
-  /* We set this value to signify that lock->writer_thread
-  contains garbage at initialization and cannot be used for
-  recursive x-locking. */
   lock->recursive.store(false, std::memory_order_relaxed);
   lock->sx_recursive = 0;
-  /* Silence Valgrind when UNIV_DEBUG_VALGRIND is not enabled. */
-  memset((void *)&lock->writer_thread, 0, sizeof lock->writer_thread);
-  UNIV_MEM_INVALID(&lock->writer_thread, sizeof lock->writer_thread);
+  lock->writer_thread = std::thread().native_handle();
 
 #ifdef UNIV_DEBUG
   lock->m_rw_lock = true;
@@ -499,10 +494,10 @@ ibool rw_lock_x_lock_low(
     ulint line)            /*!< in: line where requested */
 {
   if (rw_lock_lock_word_decr(lock, X_LOCK_DECR, X_LOCK_HALF_DECR)) {
-    /* lock->recursive also tells us if the writer_thread
-    field is stale or active. As we are going to write
-    our own thread id in that field it must be that the
-    current writer_thread value is not active. */
+    /* lock->recursive == true implies that the lock->writer_thread is the
+    current writer. As we are going to write our own thread id in that field it
+    must be the case that the current writer_thread value is not the current
+    writer anymore, thus recursive flag must be false.  */
     ut_a(!lock->recursive.load(std::memory_order_relaxed));
 
     /* Decrement occurred: we are writer or next-writer. */
@@ -512,7 +507,8 @@ ibool rw_lock_x_lock_low(
 
   } else {
     if (!pass && lock->recursive.load(std::memory_order_acquire) &&
-        os_thread_eq(lock->writer_thread, os_thread_get_curr_id())) {
+        os_thread_eq(lock->writer_thread.load(std::memory_order_relaxed),
+                     os_thread_get_curr_id())) {
       /* Decrement failed: An X or SX lock is held by either
       this thread or another. Try to relock. */
       /* Other s-locks can be allowed. If it is request x
@@ -562,10 +558,10 @@ ibool rw_lock_sx_lock_low(
     ulint line)            /*!< in: line where requested */
 {
   if (rw_lock_lock_word_decr(lock, X_LOCK_HALF_DECR, X_LOCK_HALF_DECR)) {
-    /* lock->recursive also tells us if the writer_thread
-    field is stale or active. As we are going to write
-    our own thread id in that field it must be that the
-    current writer_thread value is not active. */
+    /* lock->recursive == true implies that the lock->writer_thread is the
+    current writer. As we are going to write our own thread id in that field it
+    must be the case that the current writer_thread value is not the current
+    writer anymore, thus recursive flag must be false.  */
     ut_a(!lock->recursive.load(std::memory_order_relaxed));
 
     /* Decrement occurred: we are the SX lock owner. */
@@ -578,7 +574,8 @@ ibool rw_lock_sx_lock_low(
     thread or another thread. If it is this thread, relock,
     else fail. */
     if (!pass && lock->recursive.load(std::memory_order_acquire) &&
-        os_thread_eq(lock->writer_thread, os_thread_get_curr_id())) {
+        os_thread_eq(lock->writer_thread.load(std::memory_order_relaxed),
+                     os_thread_get_curr_id())) {
       /* This thread owns an X or SX lock */
       if (lock->sx_recursive++ == 0) {
         /* This thread is making first SX-lock request