| blob | ec7e570920a5d8c1179be51a8461cbef121fa9b7 |
1 /*-------------------------------------------------------------------------
2 *
3 * timeout.c
4 * Routines to multiplex SIGALRM interrupts for multiple timeout reasons.
5 *
6 * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
8 *
9 *
10 * IDENTIFICATION
11 * src/backend/utils/misc/timeout.c
12 *
13 *-------------------------------------------------------------------------
14 */
17 #include <sys/time.h>
25 /* Data about any one timeout reason */
27 {
30 /* volatile because these may be changed from the signal handler */
34 /* callback function for timeout, or NULL if timeout not registered */
35 timeout_handler_proc timeout_handler;
42 /*
43 * List of possible timeout reasons in the order of enum TimeoutId.
44 */
48 /*
49 * List of active timeouts ordered by their fin_time and priority.
50 * This list is subject to change by the interrupt handler, so it's volatile.
51 */
55 /*
56 * Flag controlling whether the signal handler is allowed to do anything.
57 * This is useful to avoid race conditions with the handler. Note in
58 * particular that this lets us make changes in the data structures without
59 * tediously disabling and re-enabling the timer signal. Most of the time,
60 * no interrupt would happen anyway during such critical sections, but if
61 * one does, this rule ensures it's safe. Leaving the signal enabled across
62 * multiple operations can greatly reduce the number of kernel calls we make,
63 * too. See comments in schedule_alarm() about that.
64 *
65 * We leave this "false" when we're not expecting interrupts, just in case.
66 */
69 #define disable_alarm() (alarm_enabled = false)
70 #define enable_alarm() (alarm_enabled = true)
72 /*
73 * State recording if and when we next expect the interrupt to fire.
74 * (signal_due_at is valid only when signal_pending is true.)
75 * Note that the signal handler will unconditionally reset signal_pending to
76 * false, so that can change asynchronously even when alarm_enabled is false.
77 */
82 /*****************************************************************************
83 * Internal helper functions
84 *
85 * For all of these, it is caller's responsibility to protect them from
86 * interruption by the signal handler. Generally, call disable_alarm()
87 * first to prevent interruption, then update state, and last call
88 * schedule_alarm(), which will re-enable the signal handler if needed.
89 *****************************************************************************/
91 /*
92 * Find the index of a given timeout reason in the active array.
93 * If it's not there, return -1.
94 */
95 static int
97 {
101 {
104 }
107 }
109 /*
110 * Insert specified timeout reason into the list of active timeouts
111 * at the given index.
112 */
113 static void
115 {
120 num_active_timeouts);
130 num_active_timeouts++;
131 }
133 /*
134 * Remove the index'th element from the timeout list.
135 */
136 static void
138 {
151 num_active_timeouts--;
152 }
154 /*
155 * Enable the specified timeout reason
156 */
157 static void
160 {
163 /* Assert request is sane */
167 /*
168 * If this timeout was already active, momentarily disable it. We
169 * interpret the call as a directive to reschedule the timeout.
170 */
174 /*
175 * Find out the index where to insert the new timeout. We sort by
176 * fin_time, and for equal fin_time by priority.
177 */
179 {
186 }
188 /*
189 * Mark the timeout active, and insert it into the active list.
190 */
197 }
199 /*
200 * Schedule alarm for the next active timeout, if any
201 *
202 * We assume the caller has obtained the current time, or a close-enough
203 * approximation. (It's okay if a tick or two has passed since "now", or
204 * if a little more time elapses before we reach the kernel call; that will
205 * cause us to ask for an interrupt a tick or two later than the nearest
206 * timeout, which is no big deal. Passing a "now" value that's in the future
207 * would be bad though.)
208 */
209 static void
211 {
213 {
215 TimestampTz nearest_timeout;
221 /*
222 * If we think there's a signal pending, but current time is more than
223 * 10ms past when the signal was due, then assume that the timeout
224 * request got lost somehow; clear signal_pending so that we'll reset
225 * the interrupt request below. (10ms corresponds to the worst-case
226 * timeout granularity on modern systems.) It won't hurt us if the
227 * interrupt does manage to fire between now and when we reach the
228 * setitimer() call.
229 */
233 /*
234 * Get the time remaining till the nearest pending timeout. If it is
235 * negative, assume that we somehow missed an interrupt, and clear
236 * signal_pending. This gives us another chance to recover if the
237 * kernel drops a timeout request for some reason.
238 */
241 {
243 /* force an interrupt as soon as possible */
246 }
247 else
248 {
252 /*
253 * It's possible that the difference is less than a microsecond;
254 * ensure we don't cancel, rather than set, the interrupt.
255 */
258 }
263 /*
264 * We must enable the signal handler before calling setitimer(); if we
265 * did it in the other order, we'd have a race condition wherein the
266 * interrupt could occur before we can set alarm_enabled, so that the
267 * signal handler would fail to do anything.
268 *
269 * Because we didn't bother to disable the timer in disable_alarm(),
270 * it's possible that a previously-set interrupt will fire between
271 * enable_alarm() and setitimer(). This is safe, however. There are
272 * two possible outcomes:
273 *
274 * 1. The signal handler finds nothing to do (because the nearest
275 * timeout event is still in the future). It will re-set the timer
276 * and return. Then we'll overwrite the timer value with a new one.
277 * This will mean that the timer fires a little later than we
278 * intended, but only by the amount of time it takes for the signal
279 * handler to do nothing useful, which shouldn't be much.
280 *
281 * 2. The signal handler executes and removes one or more timeout
282 * events. When it returns, either the queue is now empty or the
283 * frontmost event is later than the one we looked at above. So we'll
284 * overwrite the timer value with one that is too soon (plus or minus
285 * the signal handler's execution time), causing a useless interrupt
286 * to occur. But the handler will then re-set the timer and
287 * everything will still work as expected.
288 *
289 * Since these cases are of very low probability (the window here
290 * being quite narrow), it's not worth adding cycles to the mainline
291 * code to prevent occasional wasted interrupts.
292 */
295 /*
296 * If there is already an interrupt pending that's at or before the
297 * needed time, we need not do anything more. The signal handler will
298 * do the right thing in the first case, and re-schedule the interrupt
299 * for later in the second case. It might seem that the extra
300 * interrupt is wasted work, but it's not terribly much work, and this
301 * method has very significant advantages in the common use-case where
302 * we repeatedly set a timeout that we don't expect to reach and then
303 * cancel it. Instead of invoking setitimer() every time the timeout
304 * is set or canceled, we perform one interrupt and a re-scheduling
305 * setitimer() call at intervals roughly equal to the timeout delay.
306 * For example, with statement_timeout = 1s and a throughput of
307 * thousands of queries per second, this method requires an interrupt
308 * and setitimer() call roughly once a second, rather than thousands
309 * of setitimer() calls per second.
310 *
311 * Because of the possible passage of time between when we obtained
312 * "now" and when we reach setitimer(), the kernel's opinion of when
313 * to trigger the interrupt is likely to be a bit later than
314 * signal_due_at. That's fine, for the same reasons described above.
315 */
319 /*
320 * As with calling enable_alarm(), we must set signal_pending *before*
321 * calling setitimer(); if we did it after, the signal handler could
322 * trigger before we set it, leaving us with a false opinion that a
323 * signal is still coming.
324 *
325 * Other race conditions involved with setting/checking signal_pending
326 * are okay, for the reasons described above. One additional point is
327 * that the signal handler could fire after we set signal_due_at, but
328 * still before the setitimer() call. Then the handler could
329 * overwrite signal_due_at with a value it computes, which will be the
330 * same as or perhaps later than what we just computed. After we
331 * perform setitimer(), the net effect would be that signal_due_at
332 * gives a time later than when the interrupt will really happen;
333 * which is a safe situation.
334 */
338 /* Set the alarm timer */
340 {
341 /*
342 * Clearing signal_pending here is a bit pro forma, but not
343 * entirely so, since something in the FATAL exit path could try
344 * to use timeout facilities.
345 */
348 }
349 }
350 }
353 /*****************************************************************************
354 * Signal handler
355 *****************************************************************************/
357 /*
358 * Signal handler for SIGALRM
359 *
360 * Process any active timeout reasons and then reschedule the interrupt
361 * as needed.
362 */
363 static void
365 {
366 /*
367 * Bump the holdoff counter, to make sure nothing we call will process
368 * interrupts directly. No timeout handler should do that, but these
369 * failures are hard to debug, so better be sure.
370 */
373 /*
374 * SIGALRM is always cause for waking anything waiting on the process
375 * latch.
376 */
379 /*
380 * Always reset signal_pending, even if !alarm_enabled, since indeed no
381 * signal is now pending.
382 */
385 /*
386 * Fire any pending timeouts, but only if we're enabled to do so.
387 */
389 {
390 /*
391 * Disable alarms, just in case this platform allows signal handlers
392 * to interrupt themselves. schedule_alarm() will re-enable if
393 * appropriate.
394 */
398 {
401 /* While the first pending timeout has been reached ... */
404 {
407 /* Remove it from the active list */
410 /* Mark it as fired */
413 /* And call its handler function */
416 /* If it should fire repeatedly, re-enable it. */
418 {
419 TimestampTz new_fin_time;
421 /*
422 * To guard against drift, schedule the next instance of
423 * the timeout based on the intended firing time rather
424 * than the actual firing time. But if the timeout was so
425 * late that we missed an entire cycle, fall back to
426 * scheduling based on the actual firing time.
427 */
428 new_fin_time =
432 new_fin_time =
437 }
439 /*
440 * The handler might not take negligible time (CheckDeadLock
441 * for instance isn't too cheap), so let's update our idea of
442 * "now" after each one.
443 */
445 }
447 /* Done firing timeouts, so reschedule next interrupt if any */
449 }
450 }
453 }
456 /*****************************************************************************
457 * Public API
458 *****************************************************************************/
460 /*
461 * Initialize timeout module.
462 *
463 * This must be called in every process that wants to use timeouts.
464 *
465 * If the process was forked from another one that was also using this
466 * module, be sure to call this before re-enabling signals; else handlers
467 * meant to run in the parent process might get invoked in this one.
468 */
469 void
471 {
474 /* Initialize, or re-initialize, all local state */
480 {
488 }
492 /* Now establish the signal handler */
494 }
496 /*
497 * Register a timeout reason
498 *
499 * For predefined timeouts, this just registers the callback function.
500 *
501 * For user-defined timeouts, pass id == USER_TIMEOUT; we then allocate and
502 * return a timeout ID.
503 */
504 TimeoutId
506 {
509 /* There's no need to disable the signal handler here. */
512 {
513 /* Allocate a user-defined timeout reason */
521 }
528 }
530 /*
531 * Reschedule any pending SIGALRM interrupt.
532 *
533 * This can be used during error recovery in case query cancel resulted in loss
534 * of a SIGALRM event (due to longjmp'ing out of handle_sig_alarm before it
535 * could do anything). But note it's not necessary if any of the public
536 * enable_ or disable_timeout functions are called in the same area, since
537 * those all do schedule_alarm() internally if needed.
538 */
539 void
541 {
542 /* For flexibility, allow this to be called before we're initialized. */
546 /* Disable timeout interrupts for safety. */
549 /* Reschedule the interrupt, if any timeouts remain active. */
552 }
554 /*
555 * Enable the specified timeout to fire after the specified delay.
556 *
557 * Delay is given in milliseconds.
558 */
559 void
561 {
562 TimestampTz now;
563 TimestampTz fin_time;
565 /* Disable timeout interrupts for safety. */
568 /* Queue the timeout at the appropriate time. */
573 /* Set the timer interrupt. */
575 }
577 /*
578 * Enable the specified timeout to fire periodically, with the specified
579 * delay as the time between firings.
580 *
581 * Delay is given in milliseconds.
582 */
583 void
585 {
586 TimestampTz now;
588 /* Disable timeout interrupts for safety. */
591 /* Queue the timeout at the appropriate time. */
595 /* Set the timer interrupt. */
597 }
599 /*
600 * Enable the specified timeout to fire at the specified time.
601 *
602 * This is provided to support cases where there's a reason to calculate
603 * the timeout by reference to some point other than "now". If there isn't,
604 * use enable_timeout_after(), to avoid calling GetCurrentTimestamp() twice.
605 */
606 void
608 {
609 TimestampTz now;
611 /* Disable timeout interrupts for safety. */
614 /* Queue the timeout at the appropriate time. */
618 /* Set the timer interrupt. */
620 }
622 /*
623 * Enable multiple timeouts at once.
624 *
625 * This works like calling enable_timeout_after() and/or enable_timeout_at()
626 * multiple times. Use this to reduce the number of GetCurrentTimestamp()
627 * and setitimer() calls needed to establish multiple timeouts.
628 */
629 void
631 {
632 TimestampTz now;
635 /* Disable timeout interrupts for safety. */
638 /* Queue the timeout(s) at the appropriate times. */
642 {
644 TimestampTz fin_time;
647 {
668 }
669 }
671 /* Set the timer interrupt. */
673 }
675 /*
676 * Cancel the specified timeout.
677 *
678 * The timeout's I've-been-fired indicator is reset,
679 * unless keep_indicator is true.
680 *
681 * When a timeout is canceled, any other active timeout remains in force.
682 * It's not an error to disable a timeout that is not enabled.
683 */
684 void
686 {
687 /* Assert request is sane */
691 /* Disable timeout interrupts for safety. */
694 /* Find the timeout and remove it from the active list. */
698 /* Mark it inactive, whether it was active or not. */
702 /* Reschedule the interrupt, if any timeouts remain active. */
705 }
707 /*
708 * Cancel multiple timeouts at once.
709 *
710 * The timeouts' I've-been-fired indicators are reset,
711 * unless timeouts[i].keep_indicator is true.
712 *
713 * This works like calling disable_timeout() multiple times.
714 * Use this to reduce the number of GetCurrentTimestamp()
715 * and setitimer() calls needed to cancel multiple timeouts.
716 */
717 void
719 {
724 /* Disable timeout interrupts for safety. */
727 /* Cancel the timeout(s). */
729 {
739 }
741 /* Reschedule the interrupt, if any timeouts remain active. */
744 }
746 /*
747 * Disable the signal handler, remove all timeouts from the active list,
748 * and optionally reset their timeout indicators.
749 */
750 void
752 {
757 /*
758 * We used to disable the timer interrupt here, but in common usage
759 * patterns it's cheaper to leave it enabled; that may save us from having
760 * to enable it again shortly. See comments in schedule_alarm().
761 */
766 {
770 }
771 }
773 /*
774 * Return true if the timeout is active (enabled and not yet fired)
775 *
776 * This is, of course, subject to race conditions, as the timeout could fire
777 * immediately after we look.
778 */
779 bool
781 {
783 }
785 /*
786 * Return the timeout's I've-been-fired indicator
787 *
788 * If reset_indicator is true, reset the indicator when returning true.
789 * To avoid missing timeouts due to race conditions, we are careful not to
790 * reset the indicator when returning false.
791 */
792 bool
794 {
796 {
800 }
802 }
804 /*
805 * Return the time when the timeout was most recently activated
806 *
807 * Note: will return 0 if timeout has never been activated in this process.
808 * However, we do *not* reset the start_time when a timeout occurs, so as
809 * not to create a race condition if SIGALRM fires just as some code is
810 * about to fetch the value.
811 */
812 TimestampTz
814 {
816 }
818 /*
819 * Return the time when the timeout is, or most recently was, due to fire
820 *
821 * Note: will return 0 if timeout has never been activated in this process.
822 * However, we do *not* reset the fin_time when a timeout occurs, so as
823 * not to create a race condition if SIGALRM fires just as some code is
824 * about to fetch the value.
825 */
826 TimestampTz
828 {
830 }