add VerifyDelayedCallbackTimerRaceOnManualQueue with a test hook to force an interleaving where the dispatch thread and threadpool concurrently Cancel and QueueItem - permanently stalling delayed callbacks (#947)

avb-blizzard · web-flow · commit b33ebcee26c5 · 2026-03-11T17:21:47.000-07:00
diff --git a/Source/Task/TaskQueue.cpp b/Source/Task/TaskQueue.cpp
@@ -7,8 +7,12 @@
 #include "TaskQueueImpl.h"
 #include "XTaskQueuePriv.h"
 
+#ifdef HC_UNITTEST_API
+TestBarrier* g_testBarrier = nullptr;
+#endif
+
 //
-// ApiRefs tracks global refcounts for all APIs. It is used to idenfity memory leaks
+// ApiRefs tracks global refcounts for all APIs. It is used to identify memory leaks
 // in tests and can be called to wait for all refs to be released.
 //
 namespace ApiRefs
@@ -1107,7 +1111,32 @@ bool TaskQueuePortImpl::ScheduleNextPendingCallback(
         uint64_t noDueTime = UINT64_MAX;
         if (m_timerDue.compare_exchange_strong(dueTime, noDueTime))
         {
-            m_timer.Cancel();
+#ifdef HC_UNITTEST_API
+            // Test hook: two-phase barrier reproduces the timer race
+            // that results in lost delayed task wakes.
+            if (g_testBarrier != nullptr)
+            {
+                {
+                    std::lock_guard<std::mutex> lk(g_testBarrier->mtx);
+                    g_testBarrier->phase1_ready = true;
+                }
+                g_testBarrier->cv.notify_all();
+
+                std::unique_lock<std::mutex> lk(g_testBarrier->mtx);
+                g_testBarrier->cv.wait_for(lk, std::chrono::seconds(5),
+                    [&] { return g_testBarrier->phase2_ready; });
+            }
+#endif
+            // Bug fix: ScheduleNextPendingCallback timer race results
+            // in lost delayed task wakes.
+            //
+            // The CAS above is sufficient: the timer has already fired
+            // (call site 1: SubmitPendingCallback) or was already
+            // canceled (call site 2: CancelPendingEntries).  A Cancel()
+            // here raced with concurrent QueueItem/Start calls on other
+            // threads, permanently stranding entries in m_pendingList.
+            // See VerifyDelayedCallbackTimerRaceOnManualQueue for full
+            // analysis.
         }
     }
 
diff --git a/Source/Task/XTaskQueuePriv.h b/Source/Task/XTaskQueuePriv.h
@@ -5,6 +5,11 @@
 
 #include "XTaskQueue.h"
 
+#ifdef HC_UNITTEST_API
+#include <mutex>
+#include <condition_variable>
+#endif
+
 //----------------------------------------------------------------//
 //
 // These APIs should be reserved for driving unit test harnesses.
@@ -120,3 +125,20 @@ STDAPI_(bool) XTaskQueueGetCurrentProcessTaskQueueWithOptions(
 STDAPI_(bool) XTaskQueueUninitialize(
     _In_ uint32_t timeoutMilliseconds = 0
     ) noexcept;
+
+#ifdef HC_UNITTEST_API
+
+// Two-phase barrier for deterministic reproduction of the
+// ScheduleNextPendingCallback timer race that results in lost delayed
+// task wakes. See VerifyDelayedCallbackTimerRaceOnManualQueue.
+struct TestBarrier
+{
+    std::mutex mtx;
+    std::condition_variable cv;
+    bool phase1_ready = false;  // threadpool -> test: "CAS done"
+    bool phase2_ready = false;  // test -> threadpool: "Start done"
+};
+
+extern TestBarrier* g_testBarrier;
+
+#endif
diff --git a/Tests/UnitTests/Tests/TaskQueueTests.cpp b/Tests/UnitTests/Tests/TaskQueueTests.cpp
@@ -1851,4 +1851,155 @@ DEFINE_TEST_CLASS(TaskQueueTests)
         LOG_COMMENT(L"Test completed: workCallbacks=%d createErrors=%d terminateErrors=%d",
             workCallbackCount.load(), createErrors.load(), terminateErrors.load());
     }
+#ifdef HC_UNITTEST_API
+    DEFINE_TEST_CASE(VerifyDelayedCallbackTimerRaceOnManualQueue) {
+      // Regression: ScheduleNextPendingCallback timer race results in
+      // lost delayed task wakes.
+      //
+      // We use a barrier to isolate the race. PTP_TIMER callbacks are
+      // not serialized, so a concurrent QueueItem that calls Start()
+      // will have its timer fire on another threadpool thread DURING
+      // the Sleep, self-healing the state before Cancel() runs. In
+      // production the gap is nanoseconds -- the timer can't fire in
+      // time.
+      //
+      // Instead we use a two-phase cv barrier (TestBarrier, compiled under
+      // HC_UNITTEST_API) that forces the exact interleaving that causes the
+      // the permanent stall:
+      //
+      //   Threadpool thread              Test dispatch thread
+      //   -----------------              --------------------
+      //   CAS m_timerDue -> UINT64_MAX
+      //   signal(phase1)  ----------->   (unblocked)
+      //   wait(phase2)                   QueueItem -> push + CAS + Start(T)
+      //                   <-----------   signal(phase2)
+      //   [Cancel() would kill T's timer here -- removed by the fix]
+      //   ... timer never fires ...
+      //   ... m_timerDue stuck at T ...
+      //   ... PERMANENT STALL ...
+      //
+      // The dispatch thread's QueueItem calls Start(T) with a delay of
+      // N ms. Cancel() runs immediately after phase2 -- well within
+      // the N ms window -- so the timer hasn't fired yet. This exactly
+      // reproduces the production race.
+
+      TestBarrier barrier;
+      barrier.phase1_ready = false;
+      barrier.phase2_ready = false;
+      g_testBarrier = &barrier;
+
+      AutoQueueHandle queue;
+      VERIFY_SUCCEEDED(XTaskQueueCreate(XTaskQueueDispatchMode::Manual,
+                                        XTaskQueueDispatchMode::Immediate,
+                                        &queue));
+
+      // Self-cycling delayed callback. As the sole pending entry,
+      // every timer fire hits the "no next item" branch.
+      std::atomic<uint32_t> cycleCount{0};
+      std::atomic<bool> running{true};
+
+      struct CycleContext {
+        XTaskQueueHandle queue;
+        std::atomic<uint32_t> *counter;
+        std::atomic<bool> *running;
+
+        static void CALLBACK Invoke(void *ctx, bool cancel) {
+          if (cancel)
+            return;
+          auto *self = static_cast<CycleContext *>(ctx);
+          self->counter->fetch_add(1);
+          if (self->running->load()) {
+            // 500 ms: long enough that Cancel() reliably beats it.
+            XTaskQueueSubmitDelayedCallback(self->queue, XTaskQueuePort::Work,
+                                            500, ctx,
+                                            &CycleContext::Invoke);
+          }
+        }
+      };
+
+      CycleContext ctx{queue.Handle(), &cycleCount, &running};
+      VERIFY_SUCCEEDED(XTaskQueueSubmitDelayedCallback(
+          queue, XTaskQueuePort::Work, 1, &ctx,
+          &CycleContext::Invoke));
+
+      // Wait for the threadpool to CAS m_timerDue -> UINT64_MAX
+      // and hit the barrier (phase1).
+      {
+        std::unique_lock<std::mutex> lk(barrier.mtx);
+        bool ok = barrier.cv.wait_for(lk, std::chrono::seconds(5),
+            [&] { return barrier.phase1_ready; });
+        VERIFY_IS_TRUE(ok);
+      }
+
+      // The threadpool is blocked inside ScheduleNextPendingCallback,
+      // so the cycling callback's entry hasn't reached the ready queue
+      // yet (AppendEntry hasn't run).  We can't dispatch it directly.
+      //
+      // Instead, submit a delay=0 "trigger" that bypasses the pending
+      // list, lands directly in the ready queue, and when dispatched
+      // calls QueueItem (racing with Cancel) then signals phase2.
+      struct TriggerContext {
+        XTaskQueueHandle queue;
+        TestBarrier* barrier;
+      };
+      TriggerContext trigCtx{queue.Handle(), &barrier};
+
+      auto triggerCallback = [](void *ctx, bool cancel) {
+        if (cancel)
+          return;
+        auto *tc = static_cast<TriggerContext *>(ctx);
+        // delay=1 ms: T_new expires quickly, so m_timerDue becomes a
+        // stale past value -- the condition for a permanent stall.
+        static auto dummyCb = [](void*, bool) {};
+        XTaskQueueSubmitDelayedCallback(
+            tc->queue, XTaskQueuePort::Work, 1, nullptr, dummyCb);
+        {
+          std::lock_guard<std::mutex> lk(tc->barrier->mtx);
+          tc->barrier->phase2_ready = true;
+        }
+        tc->barrier->cv.notify_all();
+      };
+
+      VERIFY_SUCCEEDED(XTaskQueueSubmitCallback(
+          queue, XTaskQueuePort::Work, &trigCtx, triggerCallback));
+
+      // Dispatch trigger on this thread: QueueItem -> Start(1ms),
+      // signal(phase2) -> threadpool wakes -> [Cancel() removed].
+      VERIFY_IS_TRUE(XTaskQueueDispatch(queue, XTaskQueuePort::Work, 1000));
+
+      // Race has fired.  Disable barrier.
+      g_testBarrier = nullptr;
+
+      // Stop cycling callback and drain ready queue.
+      running.store(false);
+      while (XTaskQueueDispatch(queue, XTaskQueuePort::Work, 200)) {
+      }
+
+      // A delayed callback that should fire promptly (canary).
+      // With the bug, it's stranded in pendingList forever.
+      std::atomic<bool> canaryFired{false};
+      auto canaryCallback = [](void *ctx, bool cancel) {
+        if (!cancel)
+          static_cast<std::atomic<bool> *>(ctx)->store(true);
+      };
+      VERIFY_SUCCEEDED(XTaskQueueSubmitDelayedCallback(
+          queue, XTaskQueuePort::Work, 10, &canaryFired, canaryCallback));
+
+      const uint64_t canaryStart = GetTickCount64();
+      while (!canaryFired.load() &&
+             GetTickCount64() - canaryStart < 2000) {
+        XTaskQueueDispatch(queue, XTaskQueuePort::Work, 100);
+      }
+
+      LOG_COMMENT(L"Cycle count: %u", cycleCount.load());
+      LOG_COMMENT(L"Canary fired: %s",
+                  canaryFired.load() ? L"yes" : L"NO -- timer stalled");
+
+      XTaskQueueTerminate(queue, false, nullptr, nullptr);
+      while (XTaskQueueDispatch(queue, XTaskQueuePort::Work, 0)) {
+      }
+
+      VERIFY_IS_TRUE(canaryFired.load());
+    }
+#endif // HC_UNITTEST_API
 };
