// Copyright 2020 The gVisor Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package tcpip import ( "sync" "time" ) // cancellableTimerInstance is a specific instance of CancellableTimer. // // Different instances are created each time CancellableTimer is Reset so each // timer has its own earlyReturn signal. This is to address a bug when a // CancellableTimer is stopped and reset in quick succession resulting in a // timer instance's earlyReturn signal being affected or seen by another timer // instance. // // Consider the following sceneario where timer instances share a common // earlyReturn signal (T1 creates, stops and resets a Cancellable timer under a // lock L; T2, T3, T4 and T5 are goroutines that handle the first (A), second // (B), third (C), and fourth (D) instance of the timer firing, respectively): // T1: Obtain L // T1: Create a new CancellableTimer w/ lock L (create instance A) // T2: instance A fires, blocked trying to obtain L. // T1: Attempt to stop instance A (set earlyReturn = true) // T1: Reset timer (create instance B) // T3: instance B fires, blocked trying to obtain L. // T1: Attempt to stop instance B (set earlyReturn = true) // T1: Reset timer (create instance C) // T4: instance C fires, blocked trying to obtain L. // T1: Attempt to stop instance C (set earlyReturn = true) // T1: Reset timer (create instance D) // T5: instance D fires, blocked trying to obtain L. // T1: Release L // // Now that T1 has released L, any of the 4 timer instances can take L and check // earlyReturn. If the timers simply check earlyReturn and then do nothing // further, then instance D will never early return even though it was not // requested to stop. If the timers reset earlyReturn before early returning, // then all but one of the timers will do work when only one was expected to. // If CancellableTimer resets earlyReturn when resetting, then all the timers // will fire (again, when only one was expected to). // // To address the above concerns the simplest solution was to give each timer // its own earlyReturn signal. type cancellableTimerInstance struct { timer *time.Timer // Used to inform the timer to early return when it gets stopped while the // lock the timer tries to obtain when fired is held (T1 is a goroutine that // tries to cancel the timer and T2 is the goroutine that handles the timer // firing): // T1: Obtain the lock, then call StopLocked() // T2: timer fires, and gets blocked on obtaining the lock // T1: Releases lock // T2: Obtains lock does unintended work // // To resolve this, T1 will check to see if the timer already fired, and // inform the timer using earlyReturn to return early so that once T2 obtains // the lock, it will see that it is set to true and do nothing further. earlyReturn *bool } // stop stops the timer instance t from firing if it hasn't fired already. If it // has fired and is blocked at obtaining the lock, earlyReturn will be set to // true so that it will early return when it obtains the lock. func (t *cancellableTimerInstance) stop() { if t.timer != nil { t.timer.Stop() *t.earlyReturn = true } } // CancellableTimer is a timer that does some work and can be safely cancelled // when it fires at the same time some "related work" is being done. // // The term "related work" is defined as some work that needs to be done while // holding some lock that the timer must also hold while doing some work. // // Note, it is not safe to copy a CancellableTimer as its timer instance creates // a closure over the address of the CancellableTimer. type CancellableTimer struct { // The active instance of a cancellable timer. instance cancellableTimerInstance // locker is the lock taken by the timer immediately after it fires and must // be held when attempting to stop the timer. // // Must never change after being assigned. locker sync.Locker // fn is the function that will be called when a timer fires and has not been // signaled to early return. // // fn MUST NOT attempt to lock locker. // // Must never change after being assigned. fn func() } // StopLocked prevents the Timer from firing if it has not fired already. // // If the timer is blocked on obtaining the t.locker lock when StopLocked is // called, it will early return instead of calling t.fn. // // Note, t will be modified. // // t.locker MUST be locked. func (t *CancellableTimer) StopLocked() { t.instance.stop() // Nothing to do with the stopped instance anymore. t.instance = cancellableTimerInstance{} } // Reset changes the timer to expire after duration d. // // Note, t will be modified. // // Reset should only be called on stopped or expired timers. To be safe, callers // should always call StopLocked before calling Reset. func (t *CancellableTimer) Reset(d time.Duration) { // Create a new instance. earlyReturn := false // Capture the locker so that updating the timer does not cause a data race // when a timer fires and tries to obtain the lock (read the timer's locker). locker := t.locker t.instance = cancellableTimerInstance{ timer: time.AfterFunc(d, func() { locker.Lock() defer locker.Unlock() if earlyReturn { // If we reach this point, it means that the timer fired while another // goroutine called StopLocked while it had the lock. Simply return // here and do nothing further. earlyReturn = false return } t.fn() }), earlyReturn: &earlyReturn, } } // Lock is a no-op used by the copylocks checker from go vet. // // See CancellableTimer for details about why it shouldn't be copied. // // See https://github.com/golang/go/issues/8005#issuecomment-190753527 for more // details about the copylocks checker. func (*CancellableTimer) Lock() {} // Unlock is a no-op used by the copylocks checker from go vet. // // See CancellableTimer for details about why it shouldn't be copied. // // See https://github.com/golang/go/issues/8005#issuecomment-190753527 for more // details about the copylocks checker. func (*CancellableTimer) Unlock() {} // NewCancellableTimer returns an unscheduled CancellableTimer with the given // locker and fn. // // fn MUST NOT attempt to lock locker. // // Callers must call Reset to schedule the timer to fire. func NewCancellableTimer(locker sync.Locker, fn func()) *CancellableTimer { return &CancellableTimer{locker: locker, fn: fn} }