thread: Set up MainThread and TestThread contexts as RAII for more robust isMainThread checking (#18200)

jmarantz · web-flow · commit bcf672904126 · 2021-10-04T10:57:05.000-06:00
Resolves an issue where people were adding ASSERT(Thread::MainThread::isMainThread()) into their systems, when in at least some cases that test was not detecting anything (failed open). This change enforces that we always create the singleton. It also protects (somewhat) against inter-test leakage (I hate singletons) by using RAII to declare threads, and tracking nested instantiations of TestThread and MainThread, forcing them to be consistent.

I don't actually anticipate TestThread ever changing, or needing this nested behavior, since we can declare that in main(). However, the main thread can be re-spawned between tests, and I suspect that some tests (fuzzing?) don't block till the previous test is completely quiesced. Previous to this PR that would lead to undefined behavior, and in this PR due to the nested tracking, it should ASSERT so that if such a leakage does occur, we'll learn about it.

Signed-off-by: Joshua Marantz &lt;jmarantz@google.com&gt;
diff --git a/source/common/common/BUILD b/source/common/common/BUILD
@@ -372,8 +372,8 @@ envoy_cc_library(
     hdrs = ["thread.h"],
     external_deps = ["abseil_synchronization"],
     deps = envoy_cc_platform_dep("thread_impl_lib") + [
+        ":macros",
         ":non_copyable",
-        "//source/common/singleton:threadsafe_singleton",
     ],
 )
 
diff --git a/source/common/common/thread.cc b/source/common/common/thread.cc
@@ -1,36 +1,113 @@
 #include "source/common/common/thread.h"
 
+#include <thread>
+
+#include "source/common/common/assert.h"
+#include "source/common/common/macros.h"
+
 namespace Envoy {
 namespace Thread {
 
-bool MainThread::isMainThread() {
-  // If threading is off, only main thread is running.
-  auto main_thread_singleton = MainThreadSingleton::getExisting();
-  if (main_thread_singleton == nullptr) {
-    return true;
+namespace {
+
+// Singleton structure capturing which thread is the main dispatcher thread, and
+// which is the test thread. This info is used for assertions around catching
+// exceptions and accessing data structures which are not mutex-protected, and
+// are expected only from the main thread.
+//
+// TODO(jmarantz): avoid the singleton and instead have this object owned
+// by the ThreadFactory. That will require plumbing the API::API into all
+// call-sites for isMainThread(), which might be a bit of work, but will make
+// tests more hermetic.
+struct ThreadIds {
+  // Determines whether we are currently running on the main-thread or
+  // test-thread. We need to allow for either one because we don't establish
+  // the full threading model in all unit tests.
+  bool inMainOrTestThread() const {
+    // We don't take the lock when testing the thread IDs, as they are atomic,
+    // and are cleared when being released. All possible thread orderings
+    // result in the correct result even without a lock.
+    std::thread::id id = std::this_thread::get_id();
+    return main_thread_id_ == id || test_thread_id_ == id;
   }
-  // When threading is on, compare thread id with main thread id.
-  return main_thread_singleton->inMainThread() || main_thread_singleton->inTestThread();
-}
-
-void MainThread::clear() {
-  delete MainThreadSingleton::getExisting();
-  MainThreadSingleton::clear();
-}
-
-void MainThread::initTestThread() {
-  if (!initialized()) {
-    MainThreadSingleton::initialize(new MainThread());
+
+  // Returns a singleton instance of this. The instance is never freed.
+  static ThreadIds& get() { MUTABLE_CONSTRUCT_ON_FIRST_USE(ThreadIds); }
+
+  // Call this when the MainThread exits. Nested semantics are supported, so
+  // that if multiple MainThread instances are declared, we unwind them
+  // properly.
+  void releaseMainThread() {
+    absl::MutexLock lock(&mutex_);
+    ASSERT(main_thread_use_count_ > 0);
+    ASSERT(std::this_thread::get_id() == main_thread_id_);
+    if (--main_thread_use_count_ == 0) {
+      // Clearing the thread ID when its use-count goes to zero allows us
+      // to read the atomic without taking a lock.
+      main_thread_id_ = std::thread::id{};
+    }
+  }
+
+  // Call this when the TestThread exits. Nested semantics are supported, so
+  // that if multiple TestThread instances are declared, we unwind them
+  // properly.
+  void releaseTestThread() {
+    absl::MutexLock lock(&mutex_);
+    ASSERT(test_thread_use_count_ > 0);
+    ASSERT(std::this_thread::get_id() == test_thread_id_);
+    if (--test_thread_use_count_ == 0) {
+      // Clearing the thread ID when its use-count goes to zero allows us
+      // to read the atomic without taking a lock.
+      test_thread_id_ = std::thread::id{};
+    }
+  }
+
+  // Declares current thread as the main one, or verifies that the current
+  // thread matches any previous declarations.
+  void registerMainThread() {
+    absl::MutexLock lock(&mutex_);
+    if (++main_thread_use_count_ > 1) {
+      ASSERT(std::this_thread::get_id() == main_thread_id_);
+    } else {
+      main_thread_id_ = std::this_thread::get_id();
+    }
   }
-  MainThreadSingleton::get().registerTestThread();
-}
 
-void MainThread::initMainThread() {
-  if (!initialized()) {
-    MainThreadSingleton::initialize(new MainThread());
+  // Declares current thread as the test thread, or verifies that the current
+  // thread matches any previous declarations.
+  void registerTestThread() {
+    absl::MutexLock lock(&mutex_);
+    if (++test_thread_use_count_ > 1) {
+      ASSERT(std::this_thread::get_id() == test_thread_id_);
+    } else {
+      test_thread_id_ = std::this_thread::get_id();
+    }
   }
-  MainThreadSingleton::get().registerMainThread();
-}
+
+private:
+  // The atomic thread IDs can be read without a mutex, but they are written
+  // under a mutex so that they are consistent with their use_counts. this
+  // avoids the possibility of two threads racing to claim being the main/test
+  // thread.
+  std::atomic<std::thread::id> main_thread_id_;
+  std::atomic<std::thread::id> test_thread_id_;
+
+  int32_t main_thread_use_count_ GUARDED_BY(mutex_) = 0;
+  int32_t test_thread_use_count_ GUARDED_BY(mutex_) = 0;
+  mutable absl::Mutex mutex_;
+};
+
+} // namespace
+
+bool MainThread::isMainThread() { return ThreadIds::get().inMainOrTestThread(); }
+
+TestThread::TestThread() { ThreadIds::get().registerTestThread(); }
+
+TestThread::~TestThread() { ThreadIds::get().releaseTestThread(); }
+
+MainThread::MainThread() { ThreadIds::get().registerMainThread(); }
+
+MainThread::~MainThread() { ThreadIds::get().releaseMainThread(); }
 
 } // namespace Thread
 } // namespace Envoy
diff --git a/source/common/common/thread.h b/source/common/common/thread.h
@@ -8,7 +8,6 @@
 #include "envoy/thread/thread.h"
 
 #include "source/common/common/non_copyable.h"
-#include "source/common/singleton/threadsafe_singleton.h"
 
 #include "absl/synchronization/mutex.h"
 
@@ -169,35 +168,40 @@ class AtomicPtr : private AtomicPtrArray<T, 1, alloc_mode> {
   T* get(const MakeObject& make_object) { return BaseClass::get(0, make_object); }
 };
 
-struct MainThread {
-  using MainThreadSingleton = InjectableSingleton<MainThread>;
-  bool inMainThread() const { return main_thread_id_ == std::this_thread::get_id(); }
-  bool inTestThread() const {
-    return test_thread_id_.has_value() && (test_thread_id_.value() == std::this_thread::get_id());
-  }
-  void registerTestThread() { test_thread_id_ = std::this_thread::get_id(); }
-  void registerMainThread() { main_thread_id_ = std::this_thread::get_id(); }
-  static bool initialized() { return MainThreadSingleton::getExisting() != nullptr; }
-  /*
-   * Register the main thread id, should be called in main thread before threading is on. Currently
-   * called in ThreadLocal::InstanceImpl().
-   */
-  static void initMainThread();
-  /*
-   * Register the test thread id, should be called in test thread before threading is on. Allow
-   * some main thread only code to be executed on test thread.
-   */
-  static void initTestThread();
-  /*
-   * Delete the main thread singleton, should be called in main thread after threading
-   * has been shut down. Currently called in ~ThreadLocal::InstanceImpl().
+// RAII object to declare the TestThread. This should be declared in main() or
+// equivalent for any test binaries.
+//
+// Generally we expect TestThread to be instantiated only once on main() for
+// each test binary, though nested instantiations are allowed as long as the
+// thread ID does not change.
+class TestThread {
+public:
+  TestThread();
+  ~TestThread();
+};
+
+// RAII object to declare the MainThread. This should be declared in the thread
+// function or equivalent.
+//
+// Generally we expect MainThread to be instantiated only once or twice. It has
+// to be instantiated prior to OptionsImpl being created, so it needs to be in
+// instantiated from main_common(). In addition, it is instantiated by
+// ThreadLocal implementation to get the correct behavior for tests that do not
+// instantiate main.
+//
+// In general, nested instantiations are allowed as long as the thread ID does
+// not change.
+class MainThread {
+public:
+  MainThread();
+  ~MainThread();
+
+  /**
+   * Returns whether the current thread is the main thread or test thread.
+   *
+   * TODO(jmarantz): rename to isMainOrTestThread().
    */
-  static void clear();
   static bool isMainThread();
-
-private:
-  std::thread::id main_thread_id_;
-  absl::optional<std::thread::id> test_thread_id_;
 };
 
 // To improve exception safety in data plane, we plan to forbid the use of raw try in the core code
diff --git a/source/common/thread_local/thread_local_impl.cc b/source/common/thread_local/thread_local_impl.cc
@@ -19,7 +19,6 @@ InstanceImpl::~InstanceImpl() {
   ASSERT(Thread::MainThread::isMainThread());
   ASSERT(shutdown_);
   thread_local_data_.data_.clear();
-  Thread::MainThread::clear();
 }
 
 SlotPtr InstanceImpl::allocateSlot() {
diff --git a/source/common/thread_local/thread_local_impl.h b/source/common/thread_local/thread_local_impl.h
@@ -19,7 +19,6 @@ namespace ThreadLocal {
  */
 class InstanceImpl : Logger::Loggable<Logger::Id::main>, public NonCopyable, public Instance {
 public:
-  InstanceImpl() { Thread::MainThread::initMainThread(); }
   ~InstanceImpl() override;
 
   // ThreadLocal::Instance
@@ -78,6 +77,7 @@ class InstanceImpl : Logger::Loggable<Logger::Id::main>, public NonCopyable, pub
 
   static thread_local ThreadLocalData thread_local_data_;
 
+  Thread::MainThread main_thread_;
   std::vector<Slot*> slots_;
   // A list of index of freed slots.
   std::list<uint32_t> free_slot_indexes_;
diff --git a/source/exe/main_common.cc b/source/exe/main_common.cc
@@ -225,6 +225,7 @@ int MainCommon::main(int argc, char** argv, PostServerHook hook) {
   // handling, such as running in a chroot jail.
   absl::InitializeSymbolizer(argv[0]);
 #endif
+  Thread::MainThread main_thread;
   std::unique_ptr<Envoy::MainCommon> main_common;
 
   // Initialize the server's main context under a try/catch loop and simply return EXIT_FAILURE
diff --git a/source/exe/main_common.h b/source/exe/main_common.h
@@ -138,6 +138,8 @@ class MainCommon {
   static int main(int argc, char** argv, PostServerHook hook = nullptr);
 
 private:
+  Thread::MainThread main_thread_;
+
 #ifdef ENVOY_HANDLE_SIGNALS
   Envoy::SignalAction handle_sigs_;
   Envoy::TerminateHandler log_on_terminate_;
diff --git a/source/extensions/grpc_credentials/file_based_metadata/config.cc b/source/extensions/grpc_credentials/file_based_metadata/config.cc
@@ -69,11 +69,12 @@ FileBasedMetadataAuthenticator::GetMetadata(grpc::string_ref, grpc::string_ref,
   if (!config_.header_key().empty()) {
     header_key = config_.header_key();
   }
-  TRY_ASSERT_MAIN_THREAD {
+  // TODO(#14320): avoid using an exception here or find some way of doing this
+  // in the main thread.
+  TRY_NEEDS_AUDIT {
     std::string header_value = Envoy::Config::DataSource::read(config_.secret_data(), true, api_);
     metadata->insert(std::make_pair(header_key, header_prefix + header_value));
   }
-  END_TRY
   catch (const EnvoyException& e) {
     return grpc::Status(grpc::StatusCode::NOT_FOUND, e.what());
   }
diff --git a/test/benchmark/main.cc b/test/benchmark/main.cc
@@ -43,6 +43,7 @@ int main(int argc, char** argv) {
   }
 
   TestEnvironment::initializeTestMain(argv[0]);
+  Thread::TestThread test_thread;
 
   // Suppressing non-error messages in benchmark tests. This hides warning
   // messages that appear when using a runtime feature when there isn't an initialized
diff --git a/test/fuzz/main.cc b/test/fuzz/main.cc
@@ -14,6 +14,7 @@
 
 #include "source/common/common/assert.h"
 #include "source/common/common/logger.h"
+#include "source/common/common/thread.h"
 
 #include "test/fuzz/fuzz_runner.h"
 #include "test/test_common/environment.h"
@@ -55,6 +56,7 @@ INSTANTIATE_TEST_SUITE_P(CorpusExamples, FuzzerCorpusTest, testing::ValuesIn(tes
 
 int main(int argc, char** argv) {
   Envoy::TestEnvironment::initializeTestMain(argv[0]);
+  Envoy::Thread::TestThread test_thread;
 
   // Expected usage: <test path> <corpus paths..> [other gtest flags]
   RELEASE_ASSERT(argc >= 2, "");
diff --git a/test/integration/BUILD b/test/integration/BUILD
@@ -765,6 +765,7 @@ envoy_cc_test_library(
         ":fake_upstream_lib",
         ":integration_tcp_client_lib",
         ":utility_lib",
+        "//source/common/common:thread_lib",
         "//source/common/config:api_version_lib",
         "//source/extensions/transport_sockets/tls:context_config_lib",
         "//source/extensions/transport_sockets/tls:context_lib",
diff --git a/test/integration/base_integration_test.cc b/test/integration/base_integration_test.cc
@@ -17,7 +17,6 @@
 
 #include "source/common/common/assert.h"
 #include "source/common/common/fmt.h"
-#include "source/common/common/thread.h"
 #include "source/common/config/api_version.h"
 #include "source/common/event/libevent.h"
 #include "source/common/network/utility.h"
@@ -94,7 +93,6 @@ Network::ClientConnectionPtr BaseIntegrationTest::makeClientConnectionWithOption
 }
 
 void BaseIntegrationTest::initialize() {
-  Thread::MainThread::initTestThread();
   RELEASE_ASSERT(!initialized_, "");
   RELEASE_ASSERT(Event::Libevent::Global::initialized(), "");
   initialized_ = true;
diff --git a/test/integration/base_integration_test.h b/test/integration/base_integration_test.h
@@ -9,6 +9,7 @@
 #include "envoy/server/process_context.h"
 #include "envoy/service/discovery/v3/discovery.pb.h"
 
+#include "source/common/common/thread.h"
 #include "source/common/config/api_version.h"
 #include "source/extensions/transport_sockets/tls/context_manager_impl.h"
 
@@ -363,6 +364,8 @@ class BaseIntegrationTest : protected Logger::Loggable<Logger::Id::testing> {
 
   std::unique_ptr<Stats::Scope> upstream_stats_store_;
 
+  Thread::TestThread test_thread_;
+
   // Make sure the test server will be torn down after any fake client.
   // The test server owns the runtime, which is often accessed by client and
   // fake upstream codecs and must outlast them.
diff --git a/test/test_runner.cc b/test/test_runner.cc
@@ -73,6 +73,8 @@ class RuntimeManagingListener : public ::testing::EmptyTestEventListener {
 } // namespace
 
 int TestRunner::RunTests(int argc, char** argv) {
+  Thread::TestThread test_thread;
+
   ::testing::InitGoogleMock(&argc, argv);
   // We hold on to process_wide to provide RAII cleanup of process-wide
   // state.
diff --git a/test/tools/router_check/router_check.cc b/test/tools/router_check/router_check.cc
@@ -2,12 +2,14 @@
 #include <iostream>
 #include <string>
 
+#include "source/common/common/thread.h"
 #include "source/exe/platform_impl.h"
 
 #include "test/test_common/test_runtime.h"
 #include "test/tools/router_check/router.h"
 
 int main(int argc, char* argv[]) {
+  Envoy::Thread::TestThread test_thread;
   Envoy::Options options(argc, argv);
 
   const bool enforce_coverage = options.failUnder() != 0.0;

Original file line number	Diff line number	Diff line change
`@@ -372,8 +372,8 @@ envoy_cc_library(`
`372`	`372`	`hdrs = ["thread.h"],`
`373`	`373`	`external_deps = ["abseil_synchronization"],`
`374`	`374`	`deps = envoy_cc_platform_dep("thread_impl_lib") + [`
	`375`	`+ ":macros",`
`375`	`376`	`":non_copyable",`
`376`		`- "//source/common/singleton:threadsafe_singleton",`
`377`	`377`	`],`
`378`	`378`	`)`
`379`	`379`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,6 @@ InstanceImpl::~InstanceImpl() {`
`19`	`19`	`ASSERT(Thread::MainThread::isMainThread());`
`20`	`20`	`ASSERT(shutdown_);`
`21`	`21`	`thread_local_data_.data_.clear();`
`22`		`- Thread::MainThread::clear();`
`23`	`22`	`}`
`24`	`23`
`25`	`24`	`SlotPtr InstanceImpl::allocateSlot() {`
Original file line number	Diff line number	Diff line change
`@@ -69,11 +69,12 @@ FileBasedMetadataAuthenticator::GetMetadata(grpc::string_ref, grpc::string_ref,`
`69`	`69`	`if (!config_.header_key().empty()) {`
`70`	`70`	`header_key = config_.header_key();`
`71`	`71`	`}`
`72`		`- TRY_ASSERT_MAIN_THREAD {`
	`72`	`+ // TODO(#14320): avoid using an exception here or find some way of doing this`
	`73`	`+ // in the main thread.`
	`74`	`+ TRY_NEEDS_AUDIT {`
`73`	`75`	`std::string header_value = Envoy::Config::DataSource::read(config_.secret_data(), true, api_);`
`74`	`76`	`metadata->insert(std::make_pair(header_key, header_prefix + header_value));`
`75`	`77`	`}`
`76`		`- END_TRY`
`77`	`78`	`catch (const EnvoyException& e) {`
`78`	`79`	`return grpc::Status(grpc::StatusCode::NOT_FOUND, e.what());`
`79`	`80`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ int main(int argc, char** argv) {`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`TestEnvironment::initializeTestMain(argv[0]);`
	`46`	`+ Thread::TestThread test_thread;`
`46`	`47`
`47`	`48`	`// Suppressing non-error messages in benchmark tests. This hides warning`
`48`	`49`	`// messages that appear when using a runtime feature when there isn't an initialized`