From owner-cvs-all@FreeBSD.ORG Wed Jun 9 16:39:37 2004 Return-Path: Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E14E16A4CE; Wed, 9 Jun 2004 16:39:37 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7438543D2D; Wed, 9 Jun 2004 16:39:37 +0000 (GMT) (envelope-from bmilekic@FreeBSD.org) Received: from freefall.freebsd.org (bmilekic@localhost [127.0.0.1]) i59GdbP6026965; Wed, 9 Jun 2004 16:39:37 GMT (envelope-from bmilekic@freefall.freebsd.org) Received: (from bmilekic@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i59GdbtB026964; Wed, 9 Jun 2004 16:39:37 GMT (envelope-from bmilekic) Date: Wed, 9 Jun 2004 16:39:37 +0000 From: Bosko Milekic To: Nate Lawson Message-ID: <20040609163937.GA26656@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i cc: cvs-src@FreeBSD.org cc: phk@phk.freebsd.dk cc: src-committers@FreeBSD.org cc: cvs-all@FreeBSD.org cc: "M. Warner Losh" Subject: Re: cvs commit: src/sys/kern kern_proc.c X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Jun 2004 16:39:37 -0000 Nate Lawson wrote: >Bosko wrote: >> MEXT_REM_REF(m); /* Atomic decrement of m->m_ext.ref_cnt */ >> if (atomic_cmpset_int(m->m_ext.ref_cnt, 0, 1)) { >> /* Do the free here... */ >> } >> return; > >This may have a race unless the refcount increment path is done correctly: > >1:atomic_int-- >1:atomic_cmpset_int == 0 (yes, get ready to free it) > >2:atomic_cmpset_int == 0 (yes, object was in process of teardown) >2:create new object, refcount = 1 > >This assumes it's ok to have two objects of the same type in existence at >the same time also (one being torn down while the other is created). Code >that accesses an object must make sure it's locked separately. > >-Nate No, that's not true. The scenario you describe cannot occur. The code I posted prevents you from racing on teardown, so that you never have two threads tearing down the same object. This is because the first one to get to the cmpset will see the refcount to be zero and set it up to 1 (atomically), so that the second thread will see it at 1 and not do the destruction/free as well. There is no race on the reference going back up once it's hit zero because that would imply that we (who have sent it to zero) are now somehow magically making it gain a reference. Think about it, there is no race above. -Bosko