wgpu_core/lock/ranked.rs
1//! Lock types that enforce well-ranked lock acquisition order.
2//!
3//! This module's [`Mutex`] and [`RwLock` types are instrumented to check that
4//! `wgpu-core` acquires locks according to their rank, to prevent deadlocks. To
5//! use it, put `--cfg wgpu_validate_locks` in `RUSTFLAGS`.
6//!
7//! The [`LockRank`] constants in the [`lock::rank`] module describe edges in a
8//! directed graph of lock acquisitions: each lock's rank says, if this is the most
9//! recently acquired lock that you are still holding, then these are the locks you
10//! are allowed to acquire next.
11//!
12//! As long as this graph doesn't have cycles, any number of threads can acquire
13//! locks along paths through the graph without deadlock:
14//!
15//! - Assume that if a thread is holding a lock, then it will either release it,
16//! or block trying to acquire another one. No thread just sits on its locks
17//! forever for unrelated reasons. If it did, then that would be a source of
18//! deadlock "outside the system" that we can't do anything about.
19//!
20//! - This module asserts that threads acquire and release locks in a stack-like
21//! order: a lock is dropped only when it is the *most recently acquired* lock
22//! *still held* - call this the "youngest" lock. This stack-like ordering
23//! isn't a Rust requirement; Rust lets you drop guards in any order you like.
24//! This is a restriction we impose.
25//!
26//! - Consider the directed graph whose nodes are locks, and whose edges go from
27//! each lock to its permitted followers, the locks in its [`LockRank::followers`]
28//! set. The definition of the [`lock::rank`] module's [`LockRank`] constants
29//! ensures that this graph has no cycles, including trivial cycles from a node to
30//! itself.
31//!
32//! - This module then asserts that each thread attempts to acquire a lock only if
33//! it is among its youngest lock's permitted followers. Thus, as a thread
34//! acquires locks, it must be traversing a path through the graph along its
35//! edges.
36//!
37//! - Because there are no cycles in the graph, whenever one thread is blocked
38//! waiting to acquire a lock, that lock must be held by a different thread: if
39//! you were allowed to acquire a lock you already hold, that would be a cycle in
40//! the graph.
41//!
42//! - Furthermore, because the graph has no cycles, as we work our way from each
43//! thread to the thread it is blocked waiting for, we must eventually reach an
44//! end point: there must be some thread that is able to acquire its next lock, or
45//! that is about to release a lock.
46//!
47//! Thus, the system as a whole is always able to make progress: it is free of
48//! deadlocks.
49//!
50//! Note that this validation only monitors each thread's behavior in isolation:
51//! there's only thread-local state, nothing communicated between threads. So we
52//! don't detect deadlocks, per se, only the potential to cause deadlocks. This
53//! means that the validation is conservative, but more reproducible, since it's not
54//! dependent on any particular interleaving of execution.
55//!
56//! [`lock::rank`]: crate::lock::rank
57
58use core::{cell::Cell, fmt, ops, panic::Location};
59
60use super::rank::LockRank;
61
62pub use LockState as RankData;
63
64/// A `Mutex` instrumented for deadlock prevention.
65///
66/// This is just a wrapper around a [`parking_lot::Mutex`], along with
67/// its rank in the `wgpu_core` lock ordering.
68///
69/// For details, see [the module documentation][self].
70pub struct Mutex<T> {
71 inner: parking_lot::Mutex<T>,
72 rank: LockRank,
73}
74
75/// A guard produced by locking [`Mutex`].
76///
77/// This is just a wrapper around a [`parking_lot::MutexGuard`], along
78/// with the state needed to track lock acquisition.
79///
80/// For details, see [the module documentation][self].
81pub struct MutexGuard<'a, T> {
82 inner: parking_lot::MutexGuard<'a, T>,
83 #[cfg_attr(not(miri), expect(unused))] // but `Drop` has important side effects
84 saved: LockStateGuard,
85}
86
87std::thread_local! {
88 static LOCK_STATE: Cell<LockState> = const { Cell::new(LockState::INITIAL) };
89}
90
91/// Per-thread state for the deadlock checker.
92#[derive(Debug, Copy, Clone)]
93pub struct LockState {
94 /// The last lock we acquired, and where.
95 last_acquired: Option<(LockRank, &'static Location<'static>)>,
96
97 /// The number of locks currently held.
98 ///
99 /// This is used to enforce stack-like lock acquisition and release.
100 depth: u32,
101}
102
103impl LockState {
104 const INITIAL: LockState = LockState {
105 last_acquired: None,
106 depth: 0,
107 };
108}
109
110/// A container that restores a [`LockState`] when dropped.
111///
112/// This type serves two purposes:
113///
114/// - Operations would like to be able to destructure lock guards and
115/// reassemble their pieces into new guards, but if the guard type
116/// itself implements `Drop`, we can't destructure it without unsafe
117/// code or pointless `Option`s whose state is almost always statically
118/// known.
119///
120/// - We can just implement `Drop` for this type once, and then use it in lock
121/// guards, rather than implementing `Drop` separately for each guard type.
122struct LockStateGuard(LockState);
123
124impl Drop for LockStateGuard {
125 fn drop(&mut self) {
126 release(self.0)
127 }
128}
129
130/// Check and record the acquisition of a lock with `new_rank`.
131///
132/// Check that acquiring a lock with `new_rank` is permitted at this point, and
133/// update the per-thread state accordingly.
134///
135/// Return the `LockState` that must be restored when this thread is released.
136fn acquire(new_rank: LockRank, location: &'static Location<'static>) -> LockState {
137 let state = LOCK_STATE.get();
138 // Initially, it's fine to acquire any lock. So we only
139 // need to check when `last_acquired` is `Some`.
140 if let Some((ref last_rank, ref last_location)) = state.last_acquired {
141 assert!(
142 last_rank.followers.contains(new_rank.bit),
143 "Attempt to acquire nested mutexes in wrong order:\n\
144 last locked {:<35} at {}\n\
145 now locking {:<35} at {}\n\
146 Locking {} after locking {} is not permitted.",
147 last_rank.bit.member_name(),
148 last_location,
149 new_rank.bit.member_name(),
150 location,
151 new_rank.bit.member_name(),
152 last_rank.bit.member_name(),
153 );
154 }
155 LOCK_STATE.set(LockState {
156 last_acquired: Some((new_rank, location)),
157 depth: state.depth + 1,
158 });
159 state
160}
161
162/// Record the release of a lock whose saved state was `saved`.
163///
164/// Check that locks are being acquired in stacking order, and update the
165/// per-thread state accordingly.
166fn release(saved: LockState) {
167 let saved_info = saved.last_acquired;
168
169 let prior = LOCK_STATE.replace(saved);
170
171 let (prior_rank, prior_location) = prior
172 .last_acquired
173 .expect("Releasing a lock, but no acquisition recorded");
174
175 // Although Rust allows mutex guards to be dropped in any
176 // order, this analysis requires that locks be acquired and
177 // released in stack order: the next lock to be released must be
178 // the most recently acquired lock still held.
179
180 match (saved.depth, saved_info) {
181 (saved_depth @ 0, None) => {
182 assert_eq!(
183 prior.depth,
184 saved_depth + 1,
185 "Lock not released in stacking order\n\
186 released {:<35} locked at {:?}\n\
187 when not expecting any locks to be held\n",
188 prior_rank.bit.member_name(),
189 prior_location,
190 );
191 }
192 (0, Some(_)) => {
193 panic!("Found previous lock acquisition information, but saved.depth = 0");
194 }
195 (saved_depth, Some((saved_rank, saved_location))) => {
196 assert_eq!(
197 prior.depth,
198 saved_depth + 1,
199 "Lock not released in stacking order\n\
200 expecting release of {:<35} locked at {:?}\n\
201 but instead released {:<35} locked at {:?}\n",
202 saved_rank.bit.member_name(),
203 saved_location,
204 prior_rank.bit.member_name(),
205 prior_location,
206 );
207 }
208 (saved_depth, None) => {
209 panic!(
210 "Found saved.depth = {saved_depth}, but no previous lock acquisition information"
211 );
212 }
213 }
214}
215
216impl<T> Mutex<T> {
217 pub fn new(rank: LockRank, value: T) -> Mutex<T> {
218 Mutex {
219 inner: parking_lot::Mutex::new(value),
220 rank,
221 }
222 }
223
224 #[track_caller]
225 pub fn lock(&self) -> MutexGuard<'_, T> {
226 let saved = acquire(self.rank, Location::caller());
227 MutexGuard {
228 inner: self.inner.lock(),
229 saved: LockStateGuard(saved),
230 }
231 }
232
233 pub fn into_inner(self) -> T {
234 self.inner.into_inner()
235 }
236}
237
238impl<'a, T> ops::Deref for MutexGuard<'a, T> {
239 type Target = T;
240
241 fn deref(&self) -> &Self::Target {
242 self.inner.deref()
243 }
244}
245
246impl<'a, T> ops::DerefMut for MutexGuard<'a, T> {
247 fn deref_mut(&mut self) -> &mut Self::Target {
248 self.inner.deref_mut()
249 }
250}
251
252impl<T: fmt::Debug> fmt::Debug for Mutex<T> {
253 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
254 self.inner.fmt(f)
255 }
256}
257
258/// An `RwLock` instrumented for deadlock prevention.
259///
260/// This is just a wrapper around a [`parking_lot::RwLock`], along with
261/// its rank in the `wgpu_core` lock ordering.
262///
263/// For details, see [the module documentation][self].
264pub struct RwLock<T> {
265 inner: parking_lot::RwLock<T>,
266 rank: LockRank,
267}
268
269/// A read guard produced by locking [`RwLock`] for reading.
270///
271/// This is just a wrapper around a [`parking_lot::RwLockReadGuard`], along with
272/// the state needed to track lock acquisition.
273///
274/// For details, see [the module documentation][self].
275pub struct RwLockReadGuard<'a, T> {
276 inner: parking_lot::RwLockReadGuard<'a, T>,
277 saved: LockStateGuard,
278}
279
280/// A write guard produced by locking [`RwLock`] for writing.
281///
282/// This is just a wrapper around a [`parking_lot::RwLockWriteGuard`], along
283/// with the state needed to track lock acquisition.
284///
285/// For details, see [the module documentation][self].
286pub struct RwLockWriteGuard<'a, T> {
287 inner: parking_lot::RwLockWriteGuard<'a, T>,
288 saved: LockStateGuard,
289}
290
291impl<T> RwLock<T> {
292 pub fn new(rank: LockRank, value: T) -> RwLock<T> {
293 RwLock {
294 inner: parking_lot::RwLock::new(value),
295 rank,
296 }
297 }
298
299 #[track_caller]
300 pub fn read(&self) -> RwLockReadGuard<'_, T> {
301 let saved = acquire(self.rank, Location::caller());
302 RwLockReadGuard {
303 inner: self.inner.read(),
304 saved: LockStateGuard(saved),
305 }
306 }
307
308 #[track_caller]
309 pub fn write(&self) -> RwLockWriteGuard<'_, T> {
310 let saved = acquire(self.rank, Location::caller());
311 RwLockWriteGuard {
312 inner: self.inner.write(),
313 saved: LockStateGuard(saved),
314 }
315 }
316
317 /// Force an read-unlock operation on this lock.
318 ///
319 /// Safety:
320 /// - A read lock must be held which is not held by a guard.
321 pub unsafe fn force_unlock_read(&self, data: RankData) {
322 release(data);
323 unsafe { self.inner.force_unlock_read() };
324 }
325}
326
327impl<'a, T> RwLockReadGuard<'a, T> {
328 // Forget the read guard, leaving the lock in a locked state with no guard.
329 //
330 // Equivalent to std::mem::forget, but preserves the information about the lock
331 // rank.
332 pub fn forget(this: Self) -> RankData {
333 core::mem::forget(this.inner);
334
335 this.saved.0
336 }
337}
338
339impl<T: fmt::Debug> fmt::Debug for RwLock<T> {
340 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
341 self.inner.fmt(f)
342 }
343}
344
345impl<'a, T> ops::Deref for RwLockReadGuard<'a, T> {
346 type Target = T;
347
348 fn deref(&self) -> &Self::Target {
349 self.inner.deref()
350 }
351}
352
353impl<'a, T> ops::Deref for RwLockWriteGuard<'a, T> {
354 type Target = T;
355
356 fn deref(&self) -> &Self::Target {
357 self.inner.deref()
358 }
359}
360
361impl<'a, T> ops::DerefMut for RwLockWriteGuard<'a, T> {
362 fn deref_mut(&mut self) -> &mut Self::Target {
363 self.inner.deref_mut()
364 }
365}
366
367/// Locks can be acquired in the order indicated by their ranks.
368#[test]
369fn permitted() {
370 use super::rank;
371
372 let lock1 = Mutex::new(rank::PAWN, ());
373 let lock2 = Mutex::new(rank::ROOK, ());
374
375 let _guard1 = lock1.lock();
376 let _guard2 = lock2.lock();
377}
378
379/// Locks can only be acquired in the order indicated by their ranks.
380#[test]
381#[should_panic(expected = "Locking pawn after locking rook")]
382fn forbidden_unrelated() {
383 use super::rank;
384
385 let lock1 = Mutex::new(rank::ROOK, ());
386 let lock2 = Mutex::new(rank::PAWN, ());
387
388 let _guard1 = lock1.lock();
389 let _guard2 = lock2.lock();
390}
391
392/// Lock acquisitions can't skip ranks.
393///
394/// These two locks *could* be acquired in this order, but only if other locks
395/// are acquired in between them. Skipping ranks isn't allowed.
396#[test]
397#[should_panic(expected = "Locking knight after locking pawn")]
398fn forbidden_skip() {
399 use super::rank;
400
401 let lock1 = Mutex::new(rank::PAWN, ());
402 let lock2 = Mutex::new(rank::KNIGHT, ());
403
404 let _guard1 = lock1.lock();
405 let _guard2 = lock2.lock();
406}
407
408/// Locks can be acquired and released in a stack-like order.
409#[test]
410fn stack_like() {
411 use super::rank;
412
413 let lock1 = Mutex::new(rank::PAWN, ());
414 let lock2 = Mutex::new(rank::ROOK, ());
415 let lock3 = Mutex::new(rank::BISHOP, ());
416
417 let guard1 = lock1.lock();
418 let guard2 = lock2.lock();
419 drop(guard2);
420
421 let guard3 = lock3.lock();
422 drop(guard3);
423 drop(guard1);
424}
425
426/// Locks can only be acquired and released in a stack-like order.
427#[test]
428#[should_panic(expected = "Lock not released in stacking order")]
429fn non_stack_like() {
430 use super::rank;
431
432 let lock1 = Mutex::new(rank::PAWN, ());
433 let lock2 = Mutex::new(rank::ROOK, ());
434
435 let guard1 = lock1.lock();
436 let guard2 = lock2.lock();
437
438 // Avoid a double panic from dropping this while unwinding due to the panic
439 // we're testing for.
440 core::mem::forget(guard2);
441
442 drop(guard1);
443}