Additional thread safety annotations for CNode/Peer members accessed via the message processing thread #24474
Conversation
|
I've pulled the |
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
ajtowns
force-pushed
the
202203-msgproc-mutex
branch
from
62205d3 to
c5dd02f
Compare
|
Rebased on top of #24427 |
|
Concept ACK. |
|
Will have a look soon. |
ajtowns
force-pushed
the
202203-msgproc-mutex
branch
from
c5dd02f to
69df619
Compare
|
Rebased past #21160 |
ajtowns
force-pushed
the
202203-msgproc-mutex
branch
from
69df619 to
02b3339
Compare
ajtowns
force-pushed
the
202203-msgproc-mutex
branch
from
02b3339 to
b710ddf
Compare
|
Rebased past #25109 |
The (V1)TransportSerializer instance CNode::m_serializer is used from multiple threads via PushMessage without protection by a mutex. This is only thread safe because the class does not have any mutable state, so document that by marking the methods and the object as "const".
Dereferencing a unique_ptr is not necessarily thread safe. The reason these are safe is because their values are set at construction and do not change later; so mark them as const and set them via the initializer list to guarantee that.
m_permissionFlags and m_prefer_evict are treated as const -- they're only set immediately after construction before any other thread has access to the object, and not changed again afterwards. As such they don't need to be marked atomic or guarded by a mutex; though it would probably be better to actually mark them as const...
There are many cases where we asssume message processing is single-threaded in order for how we access node-related memory to be safe. Add an explicit mutex that we can use to document this, which allows the compiler to catch any cases where we try to access that memory from other threads and break that assumption.
SendMessages() is now protected g_mutex_msgproc_thread; so this additional per-node mutex is redundant.
This allows CNode members to be marked as guarded by the g_mutex_msgproc_thread mutex.
…ly via the msgproc thread
…ed only via the msgproc thread
…proc thread Previously vExtraTxnForCompact and vExtraTxnForCompactIt were protected by g_cs_orphans; protect them by g_mutex_msgproc_thread instead, as they are only used during message processing.
ajtowns
force-pushed
the
202203-msgproc-mutex
branch
from
b710ddf to
49c3b28
Compare
|
Rebased past #22778 |
|
See #25174 for the first few patches from this. |
|
🐙 This pull request conflicts with the target branch and needs rebase. Want to unsubscribe from rebase notifications on this pull request? Just convert this pull request to a "draft". |
ajtowns
changed the title
|
Closing this. If you'd like it resurrected please help #25174 make progress. |
|
Replaced by #26036 |
Documents why the existing accesses of elements in net.h's CNode and net_processing.cpp's Peer objects is thread safe, generally by making it so that the compiler will complain if the non-safe accesses are added. Only leaves CNode's
m_permissionFlagsandm_prefer_evictunenforced by the compiler.Adds a global mutex
NetEventsInterface::g_mutex_msgproc_threadwhich is used to document the contract between net_processing and net that ProcessMessages and SendMessages are only invoked from a single thread, and which replaces the per-peercs_sendProcessingmutex.