From: Ingo Molnar <mingo@elte.hu>
To: Nikanth Karthikesan <knikanth@novell.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Jens Axboe <jens.axboe@oracle.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Detect and warn on atomic_inc/atomic_dec wrapping around
Date: Thu, 30 Apr 2009 16:05:59 +0200 [thread overview]
Message-ID: <20090430140559.GA14696@elte.hu> (raw)
In-Reply-To: <200904301921.44615.knikanth@novell.com>
* Nikanth Karthikesan <knikanth@novell.com> wrote:
> On Thursday 30 April 2009 19:07:57 Ingo Molnar wrote:
> > * Nikanth Karthikesan <knikanth@novell.com> wrote:
> > > > Then there could be a single, straightforward value check:
> > > >
> > > > static inline void atomic_inc(atomic_t *v)
> > > > {
> > > > debug_atomic_check_value(v);
> > > > raw_atomic_inc(v);
> > > > }
> > > >
> > > > Where debug_atomic_check_value() is just an atomic_read():
> > > >
> > > > static inline void debug_atomic_check_value(atomic_t *v)
> > > > {
> > > > WARN_ONCE(in_range(atomic_read(v), UINT_MAX/4, UINT_MAX/4*3),
> > > > KERN_ERR "atomic counter check failure!");
> > > > }
> > >
> > > I do not understand, why UINT_MAX/4 to UINT_MAX/4*3?
> > > Roughly,
> > > UINT_MAX/4 = INT_MAX/2
> > > UINT_MAX/4*3 = INT_MAX/2*3 which we will never reach with an int.
> >
> > i mean:
> >
> > WARN_ONCE(in_range((u32)atomic_read(v), UINT_MAX/4, UINT_MAX/4*3),
> > KERN_ERR "atomic counter check failure!");
> >
> > that's a single range check on an u32, selecting 'too large' and
> > 'too small' s32 values.
> >
> > > > It's a constant check.
> > > >
> > > > If are overflowing on such a massive rate, it doesnt matter how
> > > > early or late we check the value.
> > >
> > > UINT_MAX/4 early, might be too early. And if it doesn't matter how
> > > early or late, why try to be over-cautious and produce false
> > > warnings. ;-)
> >
> > UINT_MAX/4 is ~1 billion. If we reach a value of 1 billion we are
> > leaking. Your check basically is a sharp test for the specific case
> > of overflowing the boundary - but it makes the code slower (it uses
> > more complex atomic ops) and uglifies it via #ifdefs as well.
> >
> > It doesnt matter whether we wrap over at around +2 billion into -2
> > billion, or treat the whole above-1-billion and
> > below-minus-1-billion range as invalid. (other than we'll catch bugs
> > sooner via this method, and have faster and cleaner code)
> >
>
> Ah.. got it. But, range checking is not required as we are just
> verifying it during increment and decrement, not atomic_add,
> atomic_sub etc... Should we add debug checks to those operations
> as well? If we want to test those operations as well, range check
> would be useful.
Good point! Indeed the checks can be even simpler that way - a
single test.
> Here is a patch, without the overhead of a costly atomic operation
> which would warn if it goes out of [INT_MIN/2 .. INT_MAX/2].
> +static inline void atomic_inc(atomic_t *v)
> +{
> +#ifdef CONFIG_ENABLE_WARN_ATOMIC_INC_WRAP
> + WARN_ONCE((atomic_read(v) > (INT_MAX / 2)),
> + KERN_ERR "atomic counter check failure!");
here the message can be more specific i think:
KERN_ERR "atomic inc overflow!");
> +#endif
> + raw_atomic_inc(v);
> +}
> +
> +/**
> + * atomic_dec - decrement atomic variable
> + * @v: pointer of type atomic_t
> + *
> + * Atomically decrements @v by 1.
> + */
> +static inline void atomic_dec(atomic_t *v)
> +{
> +#ifdef CONFIG_ENABLE_WARN_ATOMIC_INC_WRAP
> + WARN_ONCE((atomic_read(v) < (INT_MIN / 2)),
> + KERN_ERR "atomic counter check failure!");
> +#endif
and here:
KERN_ERR "atomic inc underflow!");
other than these two small details this is looking really nice now.
Ingo
next prev parent reply other threads:[~2009-04-30 14:06 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-29 6:51 [PATCH][RFC] Handle improbable possibility of io_context->refcount overflow Nikanth Karthikesan
2009-04-29 7:59 ` Andrew Morton
2009-04-29 10:03 ` Nikanth Karthikesan
2009-04-29 15:15 ` Andrew Morton
2009-04-30 7:28 ` Nikanth Karthikesan
2009-04-30 7:28 ` [PATCH v2] " Nikanth Karthikesan
2009-04-30 7:29 ` [PATCH] Detect and warn on atomic_inc/atomic_dec wrapping around Nikanth Karthikesan
2009-04-30 8:23 ` Ingo Molnar
2009-04-30 10:11 ` Nikanth Karthikesan
2009-04-30 10:47 ` Ingo Molnar
2009-04-30 12:08 ` Nikanth Karthikesan
2009-04-30 12:21 ` Ingo Molnar
2009-04-30 12:26 ` Nikanth Karthikesan
2009-04-30 12:50 ` Ingo Molnar
2009-04-30 13:29 ` Nikanth Karthikesan
2009-04-30 13:37 ` Ingo Molnar
2009-04-30 13:51 ` Nikanth Karthikesan
2009-04-30 14:05 ` Ingo Molnar [this message]
2009-04-30 14:09 ` Nikanth Karthikesan
2009-04-30 14:44 ` Ingo Molnar
2009-04-30 21:45 ` Andrew Morton
2009-05-01 4:57 ` Nikanth Karthikesan
2009-05-01 5:06 ` Andrew Morton
2009-05-01 5:13 ` Andrew Morton
2009-05-08 0:23 ` Andrew Morton
2009-05-08 10:40 ` Nikanth Karthikesan
2009-05-08 10:46 ` Nikanth Karthikesan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090430140559.GA14696@elte.hu \
--to=mingo@elte.hu \
--cc=akpm@linux-foundation.org \
--cc=jens.axboe@oracle.com \
--cc=knikanth@novell.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.