From: Nikodemus S. <nik...@ra...> - 2008-02-20 21:18:34
On 2/20/08, Richard M Kreuter <kr...@pr...> wrote:
> > (let ((truename (probe-file x)))
> >   (if truename
> >       (make-instance 'old
> >                      :stream (open truename :if-does-not-exist :error))
> >       (make-instance 'new
> >                      :stream (open x :direction :io :if-exists :error))))
> >
> > It is easy for me to believe that I'm missing subtleties here, but it
> > seems to me that the crucial point is the call to open(), which is
> > atomic -- ENOENT and O_EXCL semantics seem more than sufficient here.
>
> Yes, I agree with that, because it signals an error in the race
> condition cases. Weren't you arguing against signaling errors for race
> conditions?

Against PROBE-FILE signalling errors for race conditions. My point was
that while failing early is a good principle, we cannot apply it if we
don't know that we actually have a failure.

This is kind of like threads programming, where it is common enough (and
sane!) to do something like

;; Check preconditions before grabbing the lock
(if (preconditions-ok)
    (with-lock (x)
      (if (not (preconditions-still-ok))
          ;; Since our preconditions don't hold anymore, pretend we did
          ;; our stuff and the other thread then stomped on them before
          ;; anyone saw our changes. I.e. don't do anything.
          (return-from foo x)
          (...do stuff...)))
    (error "can't foo"))

In the case of PROBE-FILE, when we detect a race we don't have anything we
know to be a truename (maybe something that existed, but doesn't anymore),
but we can return NIL and pretend the file was deleted just before the
stat() call instead of right after it.

IMO there are race conditions you can fix, and race conditions you have
to live with. Since we cannot fix filesystem race conditions, it seems to
me that the right thing is to return a sane, not-wrong answer, and let
the context-aware higher levels deal with the race conditions -- like
they do in the above code.

The thing is that if you signal an error early (when you don't have to)
for an unavoidable race condition, you miss out on the opportunity that a
couple of levels higher and a microsecond or two later the race might not
exist anymore.

Cheers,

--
Nikodemus
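The atomic-open approach the thread settles on, as an added C example that is not from the original mail or from SBCL: the probe step is dropped entirely, O_CREAT|O_EXCL decides "new" versus "old" atomically, a file that vanishes between the two opens is reported as a race rather than turned into an error, and a bounded retry plays the role of the context-aware higher level. The names (open_old_or_new, OPEN_RACED, open_with_retry, demo) and the /tmp path are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Outcome of one attempt. OPEN_RACED: the file existed at the first open
 * and was gone at the second; reported, not raised as an error. */
enum open_kind { OPEN_NEW, OPEN_OLD, OPEN_RACED, OPEN_FAIL };

/* Open PATH as a fresh file or as an existing one with no separate probe.
 * O_CREAT|O_EXCL is atomic, so there is no stat-then-open window; ENOENT on
 * the fallback open means the file was removed between the two calls. */
enum open_kind open_old_or_new(const char *path, int *fd_out)
{
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) { *fd_out = fd; return OPEN_NEW; }
    if (errno != EEXIST) return OPEN_FAIL;   /* e.g. missing directory */
    fd = open(path, O_RDONLY);
    if (fd >= 0) { *fd_out = fd; return OPEN_OLD; }
    return errno == ENOENT ? OPEN_RACED : OPEN_FAIL;
}

/* The "context-aware higher level": retry a bounded number of times when
 * the lower level reports a race, since a moment later it may be gone. */
enum open_kind open_with_retry(const char *path, int *fd_out, int attempts)
{
    enum open_kind k = OPEN_FAIL;
    for (int i = 0; i < attempts; i++) {
        k = open_old_or_new(path, fd_out);
        if (k != OPEN_RACED) break;
    }
    return k;
}

/* Self-check on a constructed temporary path (this example's own): the
 * first call must create the file, the second must find it. Returns 1 on
 * success; the path is removed afterwards. */
int demo(void)
{
    char path[64];
    int fd = -1, ok = 1;
    snprintf(path, sizeof path, "/tmp/probe-race-%ld", (long)getpid());
    unlink(path);                                /* start from "absent" */
    ok &= open_with_retry(path, &fd, 3) == OPEN_NEW;
    if (ok) close(fd);
    ok &= open_with_retry(path, &fd, 3) == OPEN_OLD;
    if (ok) close(fd);
    unlink(path);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```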