From: Jack Steiner <steiner@sgi.com>
To: Olof Johansson <olof@lixom.net>
Cc: linux-kernel@vger.kernel.org, linux-ia64@vger.kernel.org
Subject: Re: [PATCH] - Fix memory ordering problem in wake_futex()
Date: Fri, 23 Dec 2005 21:32:16 +0000 [thread overview]
Message-ID: <20051223213216.GA29541@sgi.com> (raw)
In-Reply-To: <20051223204822.GC24601@pb15.lixom.net>
On Fri, Dec 23, 2005 at 02:48:22PM -0600, Olof Johansson wrote:
> On Fri, Dec 23, 2005 at 10:38:16AM -0600, Jack Steiner wrote:
> >
> > Here is a fix for a ugly race condition that occurs in wake_futex() on IA64.
> >
> > On IA64, locks are released using a "st.rel" instruction. This ensures that
> > preceding "stores" are visible before the lock is released but does NOT prevent
> > a "store" that follows the "st.rel" from becoming visible before the "st.rel".
> > The result is that the task that owns the futex_q continues prematurely.
> >
> > The failure I saw is the task that owned the futex_q resumed prematurely and
> > was context-switch off of the cpu. The task's switch_stack occupied the same
> > space of the futex_q. The store to q->lock_ptr overwrote the ar.bspstore in the
> > switch_stack. When the task resumed, it ran with a corrupted ar.bspstore.
> > Things went downhill from there.
> >
> > Without the fix, the application fails roughly every 10 minutes. With
> > the fix, it ran 16 hours without a failure.
>
> So what happened to what the comment 10 lines above your patch says?
>
> /*
> * The lock in wake_up_all() is a crucial memory barrier after
> * the list_del_init() and also before assigning to q->lock_ptr.
> */
>
> On PPC64, the spinlock unlock path has a sync in there for the very
> purpose of adding the write barrier. Maybe the ia64 unlock path is
> missing something similar?
On IA64, the "sync" instructions are actually part of the ld.acq ot st.rel
instructions that are used to set/clear spinlocks.
The program order of the instructions is:
cmpxchg.acq // set lock
..
.. do things
..
st.rel // release lock
st NULL -> lock_ptr // set flag to allow futex_q to be freed
IA64 implements fencing of ld.acq or st.rel instructions as one-directional
barriers.
For example, st.rel allows stores that FOLLOW the st.rel to be reordered
and become visible before the st.rel
(I hope this picture survives the various mailers)
ld |
st | | ^ ^
- fence - | |
st.rel --------------|-----|------------------- fence
| |
ld | |
st |
I don't understand PPC64 but I suspect it has different memory ordering semantics.
--
Thanks
Jack Steiner (steiner@sgi.com) 651-683-5302
Principal Engineer SGI - Silicon Graphics, Inc.
WARNING: multiple messages have this Message-ID (diff)
From: Jack Steiner <steiner@sgi.com>
To: Olof Johansson <olof@lixom.net>
Cc: linux-kernel@vger.kernel.org, linux-ia64@vger.kernel.org
Subject: Re: [PATCH] - Fix memory ordering problem in wake_futex()
Date: Fri, 23 Dec 2005 15:32:16 -0600 [thread overview]
Message-ID: <20051223213216.GA29541@sgi.com> (raw)
In-Reply-To: <20051223204822.GC24601@pb15.lixom.net>
On Fri, Dec 23, 2005 at 02:48:22PM -0600, Olof Johansson wrote:
> On Fri, Dec 23, 2005 at 10:38:16AM -0600, Jack Steiner wrote:
> >
> > Here is a fix for a ugly race condition that occurs in wake_futex() on IA64.
> >
> > On IA64, locks are released using a "st.rel" instruction. This ensures that
> > preceding "stores" are visible before the lock is released but does NOT prevent
> > a "store" that follows the "st.rel" from becoming visible before the "st.rel".
> > The result is that the task that owns the futex_q continues prematurely.
> >
> > The failure I saw is the task that owned the futex_q resumed prematurely and
> > was context-switch off of the cpu. The task's switch_stack occupied the same
> > space of the futex_q. The store to q->lock_ptr overwrote the ar.bspstore in the
> > switch_stack. When the task resumed, it ran with a corrupted ar.bspstore.
> > Things went downhill from there.
> >
> > Without the fix, the application fails roughly every 10 minutes. With
> > the fix, it ran 16 hours without a failure.
>
> So what happened to what the comment 10 lines above your patch says?
>
> /*
> * The lock in wake_up_all() is a crucial memory barrier after
> * the list_del_init() and also before assigning to q->lock_ptr.
> */
>
> On PPC64, the spinlock unlock path has a sync in there for the very
> purpose of adding the write barrier. Maybe the ia64 unlock path is
> missing something similar?
On IA64, the "sync" instructions are actually part of the ld.acq ot st.rel
instructions that are used to set/clear spinlocks.
The program order of the instructions is:
cmpxchg.acq // set lock
..
.. do things
..
st.rel // release lock
st NULL -> lock_ptr // set flag to allow futex_q to be freed
IA64 implements fencing of ld.acq or st.rel instructions as one-directional
barriers.
For example, st.rel allows stores that FOLLOW the st.rel to be reordered
and become visible before the st.rel
(I hope this picture survives the various mailers)
ld |
st | | ^ ^
- fence - | |
st.rel --------------|-----|------------------- fence
| |
ld | |
st |
I don't understand PPC64 but I suspect it has different memory ordering semantics.
--
Thanks
Jack Steiner (steiner@sgi.com) 651-683-5302
Principal Engineer SGI - Silicon Graphics, Inc.
next prev parent reply other threads:[~2005-12-23 21:32 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-12-23 16:38 [PATCH] - Fix memory ordering problem in wake_futex() Jack Steiner
2005-12-23 16:38 ` Jack Steiner
2005-12-23 17:05 ` Joe Seigh
2005-12-23 20:48 ` Olof Johansson
2005-12-23 20:48 ` Olof Johansson
2005-12-23 21:32 ` Jack Steiner [this message]
2005-12-23 21:32 ` Jack Steiner
2005-12-23 21:59 ` Olof Johansson
2005-12-23 21:59 ` Olof Johansson
2005-12-23 23:48 ` Robin Holt
2005-12-23 23:48 ` Robin Holt
2005-12-24 13:45 ` Jack Steiner
2005-12-24 13:45 ` Jack Steiner
2005-12-24 18:13 ` Olof Johansson
2005-12-24 18:13 ` Olof Johansson
2005-12-27 16:30 ` Jack Steiner
2005-12-27 16:30 ` Jack Steiner
-- strict thread matches above, loose matches on Subject: below --
2005-12-23 22:23 Manfred Spraul
2005-12-23 22:52 ` Manfred Spraul
2005-12-24 3:45 ` Jack Steiner
2005-12-25 16:02 ` Manfred Spraul
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20051223213216.GA29541@sgi.com \
--to=steiner@sgi.com \
--cc=linux-ia64@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=olof@lixom.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.