Design doc feedback from #26621. NFC

Author: sbc100

docs/design/01-precise-futex-wakeups.md

@@ -1,4 +1,4 @@
-# Design Doc: Precise Futex Wakeups in Emscripten
+# Design Doc: Precise Futex Wakeups
 
 - **Status**: Draft
 - **Bug**: https://github.com/emscripten-core/emscripten/issues/26633
@@ -24,7 +24,7 @@ CPU wakeups and increased latency for events.
 ## Non-Goals
 - **Main Browser Thread**: Changes to the busy-wait loop in `futex_wait_main_browser_thread` are out of scope.
 - **Direct Atomics Usage**: Threads that call `atomic.wait` directly (bypassing `emscripten_futex_wait`) will remain un-interruptible.
-- **Wasm Workers**: Wasm Worker do not have a `pthread` structure, they are not covered by this design.
+- **Wasm Workers**: Wasm Workers do not have a `pthread` structure, so they are not covered by this design.
 
 ## Proposed Design
 
@@ -45,11 +45,11 @@ fields must use `memory_order_seq_cst` to ensure the handshake is robust.
 ```c
 // The address the thread is currently waiting on in emscripten_futex_wait.
 // NULL if the thread is not currently in a futex wait.
-_Atomic(void*) waiting_on_address;
+_Atomic(void*) wait_address;
 
 // A counter that is incremented every time the thread wakes up from a futex wait.
 // Used by wakers to ensure the target thread has actually acknowledged the wake.
-_Atomic(uint32_t) wait_counter;
+_Atomic(uint32_t) wake_counter;
 
 // A bitmask of reasons why the thread was woken for a side-channel event.
 _Atomic(uint32_t) wait_reasons;
@@ -62,13 +62,13 @@ _Atomic(uint32_t) wait_reasons;
 The waiter will follow this logic (using `SEQ_CST` for all atomic accesses):
 
 1.  **Pre-check**: Check `wait_reasons`. If non-zero, handle the reasons (e.g., process mailbox or handle cancellation).
-2.  **Publish**: Set `waiting_on_address = addr`.
-3.  **Counter Snapshot**: Read `current_counter = wait_counter`.
-4.  **Double-check**: This is critical to avoid the race where a reason was added just before `waiting_on_address` was set. If `wait_reasons` is now non-zero, clear `waiting_on_address` and go to step 1.
+2.  **Publish**: Set `wait_address = addr`.
+3.  **Counter Snapshot**: Read `current_counter = wake_counter`.
+4.  **Double-check**: This is critical to avoid the race where a reason was added just before `wait_address` was set. If `wait_reasons` is now non-zero, clear `wait_address` and go to step 1.
 5.  **Wait**: Call `ret = __builtin_wasm_memory_atomic_wait32(addr, val, timeout)`.
 6.  **Unpublish**:
-    -   Set `waiting_on_address = NULL`.
-    -   Atomically increment `wait_counter`.
+    -   Set `wait_address = NULL`.
+    -   Atomically increment `wake_counter`.
 7.  **Post-check**: Check `wait_reasons`. If non-zero, handle the reasons.
 8.  **Return**: Return the result of the wait to the caller.
     -   If `ret == ATOMICS_WAIT_OK`, return `0`.
@@ -81,18 +81,18 @@ Note: We do **not** loop internally if `ret == ATOMICS_WAIT_OK`. Even if we susp
 When a thread needs to wake another thread for a side-channel event (e.g., in `pthread_cancel` or `em_task_queue_enqueue`):
 
 1.  Atomically OR the appropriate bit into the target thread's `wait_reasons` (`SEQ_CST`).
-2.  Read `target_addr = target->waiting_on_address` (`SEQ_CST`).
+2.  Read `target_addr = target->wait_address` (`SEQ_CST`).
 3.  If `target_addr` is not NULL:
-    -   Read `start_c = target->wait_counter` (`SEQ_CST`).
+    -   Read `start_c = target->wake_counter` (`SEQ_CST`).
     -   Enter a loop:
-        -   Call `emscripten_futex_wake(target_addr, 1)`.
-        -   Exit loop if `target->wait_counter != start_c` OR `target->waiting_on_address != target_addr`.
+        -   Call `emscripten_futex_wake(target_addr, INT_MAX)`.
+        -   Exit loop if `target->wake_counter != start_c` OR `target->wait_address != target_addr`.
         -   **Yield**: Call `sched_yield()` (or a small sleep) to allow the target thread to proceed if it is currently being scheduled.
 
 ### 4. Handling the Race Condition
 The "Lost Wakeup" race is handled by the combination of:
--   The waiter double-checking `wait_reasons` after publishing its `waiting_on_address`.
--   The waker looping `atomic.wake` until the waiter increments its `wait_counter`.
+-   The waiter double-checking `wait_reasons` after publishing its `wait_address`.
+-   The waker looping `atomic.wake` until the waiter increments its `wake_counter`.
 
 Even if the waker's first `atomic.wake` occurs after the waiter's double-check
 but *before* the waiter actually enters the `atomic.wait` instruction, the waker
@@ -106,19 +106,20 @@ counter.
 ### 5. Overlapping and Spurious Wakeups
 The design must handle cases where "real" wakeups (triggered by the application) and "side-channel" wakeups (cancellation/mailbox) occur simultaneously.
 
-1.  **Spurious Wakeups for Other Threads**: If multiple threads are waiting on the same address (e.g., a shared mutex), a side-channel `atomic_wake(addr, 1)` targeted at Thread A might be delivered by the kernel to Thread B.
-    -   **Thread B's response**: It will wake up, increment its `wait_counter`, see that its `wait_reasons` are empty, and return `0` to its caller.
-    -   **Thread C (the waker)**: It will see that Thread A's `wait_counter` has *not* changed and `waiting_on_address` is still `addr`. It will therefore continue its loop and call `atomic_wake` again until Thread A is finally woken.
+1.  **Spurious Wakeups for Other Threads**: If multiple threads are waiting on the same address (e.g., a shared mutex), a side-channel `atomic_wake(addr, 1)` targeting Thread A could also wake Thread B.
+    -   **Thread B's response**: It will wake up, increment its `wake_counter`, see that its `wait_reasons` are empty, and return `0` to its caller.
+    -   **Thread C (the waker)**: It will see that Thread A's `wake_counter` has *not* changed and `wait_address` is still `addr`. It will therefore continue its loop and call `atomic_wake` again until Thread A is finally woken.
     -   **Result**: Thread B experiences a "spurious" wakeup. This is acceptable and expected behavior for futex-based synchronization.
 2.  **Handling Side-Channel Success**: If Thread A is woken by the side-channel, it handles the event and returns `0`. The user's code will typically see that its own synchronization condition is not yet met and immediately call `emscripten_futex_wait` again. This effectively "resumes" the wait from the user's perspective while having allowed the side-channel event to be processed.
 3.  **No Lost "Real" Wakeups**: By returning to the caller whenever `atomic.wait` returns `OK`, we ensure that we never miss or swallow a real application-level `atomic.wake`.
 
 ### 6. Counter Wrap-around
-The `wait_counter` is a `uint32_t` and will wrap around to zero after $2^{32}$ wakeups. This is safe because:
-1.  **Impossibility of Racing**: For the waker to "miss" a wake-up due to wrap-around, the waiter would have to wake up and re-enter a sleep state exactly $2^{32}$ times in the very brief window between the waker's `atomic_wake` and its subsequent check of `wait_counter`. Even at extreme wakeup frequencies (e.g., 1 million per second), this would take over an hour.
-2.  **Address Change Check**: The waker loop also checks `target->waiting_on_address != target_addr`. If the waiter wakes up and either stops waiting or starts waiting on a *different* address, the waker will exit the loop regardless of the counter value.
+The `wake_counter` is a `uint32_t` and will wrap around to zero after $2^{32}$ wakeups. This is safe because:
+1.  **Impossibility of Racing**: For the waker to "miss" a wake-up due to wrap-around, the waiter would have to wake up and re-enter a sleep state exactly $2^{32}$ times in the very brief window between the waker's `atomic_wake` and its subsequent check of `wake_counter`. Even at extreme wakeup frequencies (e.g., 1 million per second), this would take over an hour.
+2.  **Address Change Check**: The waker loop also checks `target->wait_address != target_addr`. If the waiter wakes up and either stops waiting or starts waiting on a *different* address, the waker will exit the loop regardless of the counter value.
+
+## Benefits
 
-### 6. Benefits
 -   **Lower Power Consumption**: Threads can sleep indefinitely (or for the full duration of a user-requested timeout) without periodic wakeups.
 -   **Lower Latency**: Mailbox events and cancellation requests are processed immediately rather than waiting for the next 1ms or 100ms tick.
 -   **Simpler Loop**: The complex logic for calculating remaining timeout slices in `emscripten_futex_wait` is removed.
@@ -132,8 +133,8 @@ The `wait_counter` is a `uint32_t` and will wrap around to zero after $2^{32}$ w
     design works around this by having the waker use the *user's* futex address.
 
 ## Security/Safety Considerations
--   The `waiting_on_address` must be managed carefully to ensure wakers don't
-    call `atomic.wake` on stale addresses. The `wait_counter` and clearing the
+-   The `wait_address` must be managed carefully to ensure wakers don't
+    call `atomic.wake` on stale addresses. The `wake_counter` and clearing the
     address upon wake mitigate this.
 -   The waker loop should have a reasonable fallback (like a yield) to prevent a
     busy-wait deadlock if the waiter is somehow prevented from waking up (though

docs/design/README.md

@@ -3,8 +3,19 @@
 This directory contains design documents for emscripten features and major
 changes/refactors.
 
-We are experimenting with keeping these document here under source control with
+We are experimenting with keeping these documents here under source control with
 the hope that this will increase understandability of the codebase.  This has
-some advantages over doing all planning in Google Docs or GitHub issues.  For
-example, it allows us to track the history of designs and it allows them to be
-searchable using standard tools like `git grep`.
+some advantages over doing all our planning in Google Docs or GitHub issues.
+For example, it allows us to track the history of designs and it allows them to
+be searchable using standard tools like `git grep`.
+
+## Document Format
+
+Each document in this directory should be a markdown file.  At the top of each
+document should be a `Status` which can be either `Draft`, `Accepted`,
+`Completed`.
+
+When a document is marked as `Completed` it should also be updated such that
+it is clear the work has been done, and is now in the past.  For example,
+phrases such as "The current behavior" should be replaced with "The previous
+behavior".