Skip to content

Use trylock to eliminate the remaining race condition in Test.cancel(). #1415

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Nov 12, 2025
Merged

Use trylock to eliminate the remaining race condition in Test.cancel(). #1415

merged 13 commits into from
Nov 12, 2025

Conversation

@grynspan
Copy link
Contributor

@grynspan grynspan commented Nov 11, 2025
edited
Loading

This PR fixes the race condition in Test.cancel() that could occur if an unstructured task, created from within a test's task, called Test.cancel() at just the right moment. The order of events for the race is:

  • Unstructured task is created and inherits task-locals including the reference to the test's unsafe current task;
  • Test's task starts tearing down;
  • Unstructured task calls takeUnsafeCurrentTask() and gets a reference to the unsafe current task;
  • Test's task finishes tearing down;
  • Unstructured task calls UnsafeCurrentTask.cancel().

The fix is to use trylock semantics when cancelling the unsafe current task. If the test's task is still alive, the task is cancelled while the lock is held, which will block the test's task from being torn down as it has a lock-guarded call to clear the unsafe current task reference. If the test's task is no longer alive, the reference is already nil by the time the unstructured task acquires the lock and it bails early. If we recursively call cancel() (which can happen via the concurrency-level cancellation handler), the trylock means we won't acquire the lock a second time, so we won't end up deadlocking or aborting (which is what prevents calling cancel() while holding the lock in the current implementation).

It is possible for cancel() to trigger user code, especially if the user has set up a cancellation handler, but there is no code path that can then lead to a deadlock because the only user-accessible calls that might touch this lock use trylock.

I hope some part of that made sense.

Checklist:

  • Code and documentation should follow the style of the Style Guide.
  • If public symbols are renamed or modified, DocC references should be updated.

@grynspan
Use trylock to eliminate the remaining race condition in `Test.canc…
59165d2 
…el()`.

This PR fixes the race condition in `Test.cancel()` that could occur if an
unstructured task, created from within a test's task, called `Test.cancel()` at
just the right moment. The order of events for the race is:

- Unstructured task is created and inherits task-locals including the reference
  to the test's unsafe current task;
- Test's task starts tearing down;
- Unstructured task calls `takeUnsafeCurrentTask()` and gets a reference to the
  unsafe current task;
- Test's task finishes tearing down;
- Unstructured task calls `UnsafeCurrentTask.cancel()`.

The fix is to use `trylock` semantics when cancelling the unsafe current task.
If the test's task is still alive, the task is cancelled while the lock is held,
which will block the test's task from being torn down as it has a lock-guarded
call to clear the unsafe current task reference. If the test's task is no longer
alive, the reference is already `nil` by the time the unstructured task acquires
the lock and it bails early. If we recursively call `cancel()` (which can happen
via the concurrency-level cancellation handler), the `trylock` means we won't
acquire the lock a second time, so we won't end up deadlocking or aborting
(which is what prevents calling `cancel()` while holding the lock in the current
implementation).

I hope some part of that made sense.
@grynspan grynspan added this to the Swift 6.3.0 milestone Nov 11, 2025
@grynspan grynspan self-assigned this Nov 11, 2025
@grynspan grynspan added the bug 🪲 Something isn't working label Nov 11, 2025
@grynspan grynspan added the concurrency 🔀 Swift concurrency/sendability issues label Nov 11, 2025
@grynspan
Copy link
Contributor Author

grynspan commented Nov 11, 2025

Sigh. The Linux implementation treats EDEADLK as fatal, when it should just return false.

@grynspan
Copy link
Contributor Author

grynspan commented Nov 11, 2025

See swiftlang/swift#85448

ktoso
ktoso approved these changes Nov 12, 2025
View reviewed changes
Copy link

@ktoso ktoso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks reasonable enough, thanks for looking into the safety of this approach.

@grynspan
Copy link
Contributor Author

grynspan commented Nov 12, 2025

Related: https://forums.swift.org/t/should-we-document-the-behavior-of-mutex-withlockifavailable/83166

@grynspan grynspan merged commit fd350e4 into main Nov 12, 2025
52 of 54 checks passed
@grynspan grynspan deleted the jgrynspan/test-cancel-race branch November 12, 2025 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stmontgomery stmontgomery stmontgomery approved these changes

@ktoso ktoso ktoso approved these changes

@briancroom briancroom briancroom approved these changes

@jerryjrchen jerryjrchen Awaiting requested review from jerryjrchen jerryjrchen is a code owner

Assignees

@grynspan grynspan

Labels

bug 🪲 Something isn't working concurrency 🔀 Swift concurrency/sendability issues

Projects

None yet

Milestone

Swift 6.3.0

Development

Successfully merging this pull request may close these issues.

5 participants

@grynspan @stmontgomery @ktoso @briancroom