Re: [Qemu-devel] [PATCH v2 10/11] blockjob: refactor backup_start as backup_job_create

[Kevin Wolf <kwolf@redhat.com>]

Am 07.10.2016 um 20:39 hat John Snow geschrieben:
> On 09/30/2016 06:00 PM, John Snow wrote:
> >Refactor backup_start as backup_job_create, which only creates the job,
> >but does not automatically start it. The old interface, 'backup_start',
> >is not kept in favor of limiting the number of nearly-identical iterfaces
> >that would have to be edited to keep up with QAPI changes in the future.
> >
> >Callers that wish to synchronously start the backup_block_job can
> >instead just call block_job_start immediately after calling
> >backup_job_create.
> >
> >Transactions are updated to use the new interface, calling block_job_start
> >only during the .commit phase, which helps prevent race conditions where
> >jobs may finish before we even finish building the transaction. This may
> >happen, for instance, during empty block backup jobs.
> >
> 
> Sadly for me, I realized this patch has a potential problem. When we
> were adding the bitmap operations, it became clear that the
> atomicity point was during .prepare, not .commit.
> 
> e.g. the bitmap is cleared or created during prepare, and backup_run
> installs its Write Notifier at that point in time, too.

Strictly speaking that's wrong then.

The write notifier doesn't really hurt because it is never triggered
between prepare and commit (we're holding the lock) and it can just be
removed again.

Clearing the bitmap is a bug because the caller could expect that the
bitmap is in its original state if the transaction fails. I doubt this
is a problem in practice, but we should fix it anyway.

By the way, why did we allow to add a 'bitmap' option for DriveBackup
without adding it to BlockdevBackup at the same time?

> By changing BlockJobs to only run on commit, we've severed the
> atomicity point such that some actions will take effect during
> prepare, and others at commit.
> 
> I still think it's the correct thing to do to delay the BlockJobs
> until the commit phase, so I will start auditing the code to see how
> hard it is to shift the atomicity point to commit instead. If it's
> possible to do that, I think from the POV of the managing
> application, having the atomicity point be
> 
> Feel free to chime in with suggestions and counterpoints until then.

I agree that jobs have to be started only at commit. There may be other
things that are currently happening in prepare that really should be
moved as well, but unless moving one thing but not the other doesn't
break anything that was working, we can fix one thing at a time.

Kevin