Date: Mon, 5 Dec 2016 11:36:07 +0300 From: Oleg Bulyzhin <oleg@FreeBSD.org> To: Sepherosa Ziehau <sepherosa@gmail.com> Cc: Ryan Stone <rstone@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r309372 - head/sys/sys Message-ID: <20161205083607.GA38771@lath.RINET.ru> In-Reply-To: <CAMOc5cz7uvuvUVMeoAyb%2BZ17j0jyEHFEGii=6KiVa6fx_fSfAw@mail.gmail.com> References: <201612012108.uB1L8g19026075@repo.freebsd.org> <CAMOc5cz7uvuvUVMeoAyb%2BZ17j0jyEHFEGii=6KiVa6fx_fSfAw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Dec 02, 2016 at 04:11:32PM +0800, Sepherosa Ziehau wrote: > peek_clear_sc is added to address the issue you mentioned. IMHO, this > commit weakens the proper assertion. I would say this check: #ifdef DEBUG_BUFRING int i; for (i = br->br_cons_head; i != br->br_prod_head; i = ((i + 1) & br->br_cons_mask)) if(br->br_ring[i] == buf) panic("buf=%p already enqueue at %d prod=%d cons=%d", buf, i, br->br_prod_tail, br->br_cons_tail); #endif can't be relied upon: 1) it does not synchronize with anything, neither consumers nor producers. So you can read inconsistent data. For example, you are storing NULL in buf_ring_peek_clear_sc() but there is no guarantee you will see it here. 2) it's not covered by critical section so thread running this check can be preempted. Consider the following scenario: a) thread is running this check and gets preempted by other producer before i != br->br_prod_head check. b) other producer moves br->br_prod_head forward. c) if we are unlucky we can spin forever. Current buf_ring implementation has insufficient memory ordering constraints. I've tried to fix acq/rel usage here: https://reviews.freebsd.org/D8637 but didn't get any review yet. > > On Fri, Dec 2, 2016 at 5:08 AM, Ryan Stone <rstone@freebsd.org> wrote: > > Author: rstone > > Date: Thu Dec 1 21:08:42 2016 > > New Revision: 309372 > > URL: https://svnweb.freebsd.org/changeset/base/309372 > > > > Log: > > Fix a false positive in a buf_ring assert > > > > buf_ring contains an assert that checks whether an item being > > enqueued already exists on the ring. There is a subtle bug in > > this assert. An item can be returned by a peek() function and > > freed, and then the consumer thread can be preempted before > > calling advance(). If this happens the item appears to still be > > on the queue, but another thread may allocate the item from the > > free pool and wind up trying to enqueue it again, causing the > > assert to trigger incorrectly. > > > > Fix this by skipping the head of the consumer's portion of the > > ring, as this index is what will be returned by peek(). > > > > Sponsored by: Dell EMC Isilon > > MFC After: 1 week > > Differential Revision: https://reviews.freebsd.org/D8685 > > Reviewed by: hselasky > > > > Modified: > > head/sys/sys/buf_ring.h > > > > Modified: head/sys/sys/buf_ring.h > > ============================================================================== > > --- head/sys/sys/buf_ring.h Thu Dec 1 20:36:48 2016 (r309371) > > +++ head/sys/sys/buf_ring.h Thu Dec 1 21:08:42 2016 (r309372) > > @@ -67,11 +67,13 @@ buf_ring_enqueue(struct buf_ring *br, vo > > uint32_t prod_head, prod_next, cons_tail; > > #ifdef DEBUG_BUFRING > > int i; > > - for (i = br->br_cons_head; i != br->br_prod_head; > > - i = ((i + 1) & br->br_cons_mask)) > > - if(br->br_ring[i] == buf) > > - panic("buf=%p already enqueue at %d prod=%d cons=%d", > > - buf, i, br->br_prod_tail, br->br_cons_tail); > > + if (br->br_cons_head != br->br_prod_head) { > > + for (i = (br->br_cons_head + 1) & br->br_cons_mask; i != br->br_prod_head; > > + i = ((i + 1) & br->br_cons_mask)) > > + if(br->br_ring[i] == buf) > > + panic("buf=%p already enqueue at %d prod=%d cons=%d", > > + buf, i, br->br_prod_tail, br->br_cons_tail); > > + } > > #endif > > critical_enter(); > > do { > > _______________________________________________ > > svn-src-all@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/svn-src-all > > To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" > > > > -- > Tomorrow Will Never Die -- Oleg. ================================================================ === Oleg Bulyzhin -- OBUL-RIPN -- OBUL-RIPE -- oleg@rinet.ru === ================================================================
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20161205083607.GA38771>