Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 25 Mar 2011 03:56:02 +1100 (EST)
From:      Bruce Evans <brde@optusnet.com.au>
To:        David Malone <dwmalone@maths.tcd.ie>
Cc:        src-committers@FreeBSD.org, John Baldwin <jhb@FreeBSD.org>, svn-src-all@FreeBSD.org, Bruce Evans <brde@optusnet.com.au>, svn-src-head@FreeBSD.org, Jung-uk Kim <jkim@FreeBSD.org>
Subject:   Re: svn commit: r219676 - head/sys/x86/x86 
Message-ID:  <20110325020734.P1958@besplex.bde.org>
In-Reply-To: <201103241503.aa30875@walton.maths.tcd.ie>
References:  <201103241503.aa30875@walton.maths.tcd.ie>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 24 Mar 2011, David Malone wrote:

>> If atomic 64-bit read/write is possible and it is absolutely
>> necessary, it has to be set via machdep.foo_freq, not
>> kern.timecounter.foo.frequency.

Not really.  The i386 TSC frequency variable can be 32 bits.  That
works in almost all cases now, and you can easily scale the variable
so that a 32-bit frequency works for CPUs up to 8GHz, which should be
enough until i386 mode goes away.  amd64 already has sufficiently
atomic 64-bit read/write for this, perhaps even without an explicit
atomic op.  OTOH, kern.timecounter.foo.frequency is also 64 bits,
and needs this and atomic accesses more that the i386 TSC variable,
since it is MI and there are more divisions by it.  Explicit atomic
ops are never used for timecounter variables, but I think some is
needed in the following places:
- switching of timehands.  Atomic ops are supposed to be avoided by
   writing to an inactive timehands and than switching to it using
   a single atomic write, but the write for this is not explicitly
   atomic.  Without an atomic write with certain acquire/release
   semantics whose details I can never remember, the writes before
   the switch may go out after the one for the switch.
- switching of more global things.  These include the switch from
   one timecounter to another, and changing the frequency within a
   timecounter, and stepping the time.  Something like timecounter
   generations could be used to reduced to reduce the locking
   requirements for this, but currently the locking for this is null.
   For stepping the time, the missing locking is even documented by
   an XXX comment:

% /*
%  * Step our concept of UTC.  This is done by modifying our estimate of
%  * when we booted.
%  * XXX: not locked.
%  */
% void
% tc_setclock(struct timespec *ts)
% {
% 	struct timespec tbef, taft;
% 	struct bintime bt, bt2;
% 
% 	cpu_tick_calibrate(1);

This only has a tiny race.  cpu_tick_calibrate() is normally called only
every 16 seconds on 1 designated CPU.  This spacing out of calls to it
gives it significant "time-domain locking".  And passing 1 to it mostly
preserves this locking, by telling it to not do any calibration on this
call, but to reset on this call and wait for another call or 2 to let
things stabilize.  But it must write a global variable for the reset,
and the access for this is not atomic.  I think it should do slightly
more, and arrange for recalibration as soon as possible, after >= 1
but <= 2 seconds.  Now the recalibration might not be delayed at all
(due to the race), or might be delayed by only 1 cycle, or may be 16
seconds away.

% 	nanotime(&tbef);

Safe to call at any time, modulo other timecounter bugs.  This depends
on the update of the generation count being sufficiently atomic, and
on read accesses to boottime being atomic, which they clearly aren't.

% 	timespec2bintime(ts, &bt);

Utility function operating on local variables, so safe.

% 	binuptime(&bt2);
% 	bintime_sub(&bt, &bt2);

Like the previous 2 calls, but safer since boottime is not accessed.

% 	bintime_add(&bt2, &boottimebin);

Unsafe read access to boottimebin.

% 	boottimebin = bt;

Unsafer write access to boottimebin.  This is the main write access to it.
Changing it at all is what makes the read accesses to it unsafe.  Changing
it at all after setting it initially is also wrong.  The boot time is a
time so it cannot actually be changed by any later event, but it is
changed here as a hack to make the current time come out right, even when
this makes the boot time come out wrong.  The boot time needs to be fixed
if it is initially wrong, but should not change after that.  This wouldn't
simplify the locking here, since an adjustment would still be needed.

When this is called from settime(), Giant is held.  This prevents concurrent
calls to here from userland.  Concurrent calls may still be possible, since
this is also called from resume methods.  I don't know if resume methods
are locked by Giant or anything.

% 	bintime2timeval(&bt, &boottime);

Unsafe write access to boottime.  Like the one to boottimebin.

% 
% 	/* XXX fiddle all the little crinkly bits around the fiords... */
% 	tc_windup();

tc_windup() is normally called only every tc_tick ticks on a not-so-
designated CPU, and we break the time-domain locking from that as
above.  tc_windup() begins by operating on the "next" generation of
timehands, so it has obvious races if it is called concurrently.  It
depends on the time-domain locking to prevent this, but here we don't
even try to wait for things to stablize like we do for the much less
important cpu_tock_calibrate() call.

Calling tc_windup() a lot from here also risks cycling through the
timehands too rapidly even if the calls don't overlap.  Userland can
exercise this bug easily at securelevel <= 1 by calling settimeofday()
in a loop.  securelevel > 1 gives (IMO bogus) restrictions and a kernel
printf service rate-limited to only once per second.

OTOH, if tc_windup() were safe to call at any time, calling it here
would be the right thing to do.  Note that updates of the TSC timecounter
frequency variable are propagated from the TSC machdep sysctl to the
timecounter layer in a less racy manner.  The machdep sysctl just
copies the machdep variable to the timecounter variable and depends
on the tc_windup() call propagating it later.  This avoids concurrent
calls and only has a tiny race window which is neverthless easy to hit
by calling the machdep sysctl in a loop.

tc_windup() used to be called (via tc_ticktock()) only from hardclock()
on the BSP.  Now tc_ticktock() is also called from hardclock_anycpu().
tc_ticktock() is now passed an arg which should prevent too-rapid
cycling of the timehands, but I don't see anything to limit the calls
to the BSP or to prevent calls very close together.  This is unlike the
new call to cpu_tick_calibrate() from hardclock_anycpu().  That is
limited to the designated CPU.

% 	nanotime(&taft);

Back to only races for only read accesses.

% 	if (timestepwarnings) {
% 		log(LOG_INFO,
% 		    "Time stepped from %jd.%09ld to %jd.%09ld (%jd.%09ld)\n",
% 		    (intmax_t)tbef.tv_sec, tbef.tv_nsec,
% 		    (intmax_t)taft.tv_sec, taft.tv_nsec,
% 		    (intmax_t)ts->tv_sec, ts->tv_nsec);
% 	}
% 	cpu_tick_calibrate(1);

Like the call at the start.

% }

> A number of people have asked me about adjusting the frequency of
> other time counters - it would seem to make sense to allow this at
> the timecounter layer. It also seems possible that people might
> want the timecounters view of the frequency to be different from
> other uses of a counter.

I can't see any reason for the frequencies to be different, except
transiently to keep changes to them smooth.  Anyway, it should be
possible to change them all to the same frequency, and having a single
operation for this is good for minimizing transients, races and
complexity.

Bruce



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110325020734.P1958>