std: improve handling of timed condition variable waits on macOS

[joboet]

Fixes #37440 (for good).

This fixes two issues with Condvar::wait_timeout on macOS:

Apple's implementation of pthread_cond_timedwait internally converts the absolute timeout to a relative one, measured in nanoseconds, but fails to consider overflow when doing so. This results in wait_timeout returning much earlier than anticipated when passed a duration that is slightly longer than u64::MAX nanoseconds (around 584 years). The existing clamping introduced by #42604 to address #37440 unfortunately used a maximum duration of 1000 years and thus still runs into the bug when run on older macOS versions (or with PTHREAD_MUTEX_USE_ULOCK set to a value other than "1"). See #37440 (comment) for context.

Reducing the maximum duration alone however would not be enough to make the implementation completely correct. As macOS does not support pthread_condattr_setclock, the deadline passed to pthread_cond_timedwait is measured against the wall-time clock. std currently calculates the deadline by retrieving the current time and adding the duration to that, only for macOS to convert the deadline back to a relative duration by retrieving the current time itself (this conversion is performed before the aforementioned problematic one). Thus, if the wall-time clock is adjusted between the std lookup and the system lookup, the relative duration could have changed, possibly even to a value larger than $2^{64}\ \textrm{ns}$. Luckily however, macOS supports the non-standard, tongue-twisting pthread_cond_timedwait_relative_np function which avoids the wall-clock-time roundtrip by taking a relative timeout. Even apart from that, this function is perfectly suited for std's purposes: it is public (albeit badly-documented) API, available since macOS 10.4 (that's way below our minimum of 10.12) and completely resilient against wall-time changes as all timeouts are measured against the monotonic clock inside the kernel.

Thus, this PR switches Condvar::wait_timeout to pthread_cond_timedwait_relative_np, making sure to clamp the duration to a maximum of $2^{64} - 1 \ \textrm{ns}$. I've added a miri shim as well, so the only thing missing is a definition of pthread_cond_timedwait_relative_np inside libc.

[rustbot]

The Miri subtree was changed

cc @rust-lang/miri

[rustbot]

r? @ibraheemdev

rustbot has assigned @ibraheemdev.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[RalfJung]

So the argument named relative really is very specific for this macos operation, and also swaps out the clock. Please give it a name that more accurately reflects what it does (e.g. macos_relative_np), and document it in the doc comment for this function.

[joboet]

Done, thank you!

[RalfJung]

Suggested change

	assert!(50 <= elapsed_time && elapsed_time <= 150);
	// This is actually deterministic (since isolation remains enabled), but can change slightly with Rust updates.
	assert!(90 <= elapsed_time && elapsed_time <= 110);

[RalfJung]

Suggested change

	this.pthread_cond_timedwait(cond, mutex, reltime, dest, true)?;
	this.pthread_cond_timedwait(cond, mutex, reltime, dest, /* macos_relative_np */ true)?;

[RalfJung]

Suggested change

	this.pthread_cond_timedwait(cond, mutex, abstime, dest, false)?;
	this.pthread_cond_timedwait(cond, mutex, abstime, dest, /* macos_relative_np */ false)?;

[RalfJung]

Suggested change

	// even if the "ulock" variant is used (which does guard against timeouts).
	// even if the "ulock" variant is used (which does guard against overflow).