stats: Repro & fix admin stats crash

[jmarantz]

Commit Message: Fix Stats::Scope destruct/iterate race by holding onto a weak_ptr the scopes_ hash-table in ThreadLocalStore. Also adds GUARDED_BY thread annotation to the scopes_ hash table and refactors a bit to ensure thread safety across all accesses. The thread-safety analysis needs more-than-usual annotation assistance for two reasons:

• the analysis system does not see that ThreadLocalStoreImpl::lock_ and ThreadLocalStoreImpl::ScopeImpl::parent_.lock_ are the same.
• in safeMakeStat call-sites, for code-sharing reasons, we need to take a reference to the guarded central_cache_ entry before we decide whether we need to take the lock the protects it, so we need to disable analysis in that case. This way we can share the code that finds stats in the TLS-cache without taking locks.

A couple of helper methods,centralCacheLockHeld() and centralCacheNoThreadAnalysis(), were added to allow analysis to run with minimally scoped annotations.

A testcase was added which duplicates the race between looping over the stats for admin, and creating/destroying scopes, using the fast /stats implementation that was disconnected in prod in #20835. This PR leaves the fast implementation disconnected, but fixes it. A separate PR will roll back #20835 after this lands.

Additional Description: The repro can spot the race by reverting the definition of ThreadLocalStoreImpl::forEachScope to to its prior state, taking into account that scopes_ is now a map<ScopeImpl*, weak_ptr<ScopeImpl> rather than a set<ScopeImpl>.

  for (auto iter : scopes_) {
    f_scope(*(iter.first));
  }

Then test/server/admin:stats_handler_test, test will fail wtih

 RUN      ] ThreadedTest.Threaded
terminate called after throwing an instance of 'std::bad_weak_ptr'
  what():  bad_weak_ptr

Risk Level: low -- scope iteration is being fixed here, but that doesn't happen in production yet.
Testing: //test/...
Docs Changes: n/a
Release Notes: n/a
Platform Specific Features: n/a

[repokitteh-read-only]

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #20855 was opened by jmarantz.

see: more, trace.

[mattklein123]

Thanks for fixing. Just one test question/comment.

/wait

[mattklein123]

Instead of a stress style test (or in addition) is it possible to do a thread synchronizer style test that is deterministic that also fails?

[jmarantz]

I'm looking at it. I definitely don't want it to be lieu of the real-threads stress test. One thing I often find with synchronizers is that once you fix the race, you can't trigger the synchronizer without deadlock, but I'm iterating a bit.

[jmarantz]

Done.

[mattklein123]

Nice, check CI?

/wait

[jmarantz]

Thanks -- having a hard time sussing out the clang tidy error from the log; maybe an infra flake? I'll retest and if it still fails I'll look more carefully.

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Check envoy-presubmit isn't fully completed, but will still attempt retrying.
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #20855 (comment) was created by @jmarantz.

see: more, trace.

[jmarantz]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #20855 (comment) was created by @jmarantz.

see: more, trace.

[mattklein123]

Thanks!