From: Mathieu Desnoyers <mathieu.desnoyers-vg+e7yoeK/dWk0Htik3J/w@public.gmane.org>
To: Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
Cc: Paul Turner <commonly-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Andrew Hunter <ahh-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
Andi Kleen <andi-Vw/NltI1exuRpAAqCnN02g@public.gmane.org>,
Dave Watson <davejwatson-b10kYP2dOMg@public.gmane.org>,
"Paul E. McKenney"
<paulmck-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>,
linux-api <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org>,
Ingo Molnar <mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Chris Lameter <cl-vYTEC60ixJUAvxtiuMwx3w@public.gmane.org>,
Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Subject: Re: [RFC PATCH v2 3/3] restartable sequences: basic self-tests
Date: Wed, 6 Apr 2016 13:39:22 +0000 (UTC) [thread overview]
Message-ID: <528054829.46502.1459949962537.JavaMail.zimbra@efficios.com> (raw)
In-Reply-To: <20160406074309.GE3430-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
----- On Apr 6, 2016, at 3:43 AM, Peter Zijlstra peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org wrote:
> On Tue, Apr 05, 2016 at 08:33:27PM +0000, Mathieu Desnoyers wrote:
>
>> A problematic execution sequence would be
>>
>> * Exhibit A: ABA (all threads running on same CPU):
>>
>> Initial state: the list has a single entry "object Z"
>>
>> Thread A Thread B
>> - percpu_list_pop()
>> - cpu = rseq_current_cpu();
>> - head = list->heads[cpu];
>> (head is a pointer to object Z)
>> - next = head->next;
>> (preempted)
>> (scheduled in)
>> - percpu_list_pop()
>> - cpu = rseq_current_cpu();
>> - head = list->heads[cpu];
>> (head is a pointer to object Z)
>> - rseq_percpu_cmpxchgcheck succeeds
>> - percpu_list_push of a new object Y
>> - percpu_list_push of a re-used object Z
>> (its next pointer now points to object Y
>> rather than end of list)
>> (preempted)
>> (scheduled in)
>> - rseq_percpu_cmpxchgcheck succeeds,
>> setting a wrong value into the list
>> head: it will store an end of list,
>> thus skipping over object Y.
>
> OK, so I'm still trying to wake up, but I'm not seeing how
> rseq_percpu_cmpxchgcheck() would succeed in this case.
>
> If you look at the code, the 'check' part would fail, that is:
>
>> +struct percpu_list_node *percpu_list_pop(struct percpu_list *list)
>> +{
>> + int cpu;
>> + struct percpu_list_node *head, *next;
>> +
>> + do {
>> + cpu = rseq_current_cpu();
>> + head = list->heads[cpu];
>> + /*
>> + * Unlike a traditional lock-less linked list; the availability
>> + * of a cmpxchg-check primitive allows us to implement pop
>> + * without concerns over ABA-type races.
>> + */
>> + if (!head) return 0;
>> + next = head->next;
>> + } while (cpu != rseq_percpu_cmpxchgcheck(cpu,
>> + (intptr_t *)&list->heads[cpu], (intptr_t)head, (intptr_t)next,
>> + (intptr_t *)&head->next, (intptr_t)next));
>
> The extra compare is 'head->next == next', and our thread-A will have
> @next == NULL (EOL), while the state after thread-B ran would be
> @head->next = &Y.
>
> So the check will fail, the cmpxchg will fail, and around we go.
>
>> +
>> + return head;
>> +}
>
> Or am I completely not getting it?
No, you're right. I entirely missed the role of check_ptr and
check_val in rseq_percpu_cmpxchgcheck. That indeed ensures we
atomically check, from a per-cpu perspective, that both the
pointer we are about to update and the next pointer are still
the same. Mystery solved. :-)
And of course, for the percpu_list_push(), the rseq_percpu_cmpxchg()
there is enough, because we always try to add a node we own into
the list, and only ever compare to the head. This one is
straightforwardly ABA-free even without rseq.
There is still the question of use-after-free however that
remains open. My understanding is that this lock-free list
should be paired with either a type-safe memory allocator,
using RCU, or a garbage collector.
Thoughts ?
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
WARNING: multiple messages have this Message-ID (diff)
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Paul Turner <commonly@gmail.com>, Andrew Hunter <ahh@google.com>,
Andy Lutomirski <luto@amacapital.net>,
Andi Kleen <andi@firstfloor.org>,
Dave Watson <davejwatson@fb.com>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
linux-api <linux-api@vger.kernel.org>,
linux-kernel@vger.kernel.org,
Josh Triplett <josh@joshtriplett.org>,
Ingo Molnar <mingo@redhat.com>, Chris Lameter <cl@linux.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC PATCH v2 3/3] restartable sequences: basic self-tests
Date: Wed, 6 Apr 2016 13:39:22 +0000 (UTC) [thread overview]
Message-ID: <528054829.46502.1459949962537.JavaMail.zimbra@efficios.com> (raw)
In-Reply-To: <20160406074309.GE3430@twins.programming.kicks-ass.net>
----- On Apr 6, 2016, at 3:43 AM, Peter Zijlstra peterz@infradead.org wrote:
> On Tue, Apr 05, 2016 at 08:33:27PM +0000, Mathieu Desnoyers wrote:
>
>> A problematic execution sequence would be
>>
>> * Exhibit A: ABA (all threads running on same CPU):
>>
>> Initial state: the list has a single entry "object Z"
>>
>> Thread A Thread B
>> - percpu_list_pop()
>> - cpu = rseq_current_cpu();
>> - head = list->heads[cpu];
>> (head is a pointer to object Z)
>> - next = head->next;
>> (preempted)
>> (scheduled in)
>> - percpu_list_pop()
>> - cpu = rseq_current_cpu();
>> - head = list->heads[cpu];
>> (head is a pointer to object Z)
>> - rseq_percpu_cmpxchgcheck succeeds
>> - percpu_list_push of a new object Y
>> - percpu_list_push of a re-used object Z
>> (its next pointer now points to object Y
>> rather than end of list)
>> (preempted)
>> (scheduled in)
>> - rseq_percpu_cmpxchgcheck succeeds,
>> setting a wrong value into the list
>> head: it will store an end of list,
>> thus skipping over object Y.
>
> OK, so I'm still trying to wake up, but I'm not seeing how
> rseq_percpu_cmpxchgcheck() would succeed in this case.
>
> If you look at the code, the 'check' part would fail, that is:
>
>> +struct percpu_list_node *percpu_list_pop(struct percpu_list *list)
>> +{
>> + int cpu;
>> + struct percpu_list_node *head, *next;
>> +
>> + do {
>> + cpu = rseq_current_cpu();
>> + head = list->heads[cpu];
>> + /*
>> + * Unlike a traditional lock-less linked list; the availability
>> + * of a cmpxchg-check primitive allows us to implement pop
>> + * without concerns over ABA-type races.
>> + */
>> + if (!head) return 0;
>> + next = head->next;
>> + } while (cpu != rseq_percpu_cmpxchgcheck(cpu,
>> + (intptr_t *)&list->heads[cpu], (intptr_t)head, (intptr_t)next,
>> + (intptr_t *)&head->next, (intptr_t)next));
>
> The extra compare is 'head->next == next', and our thread-A will have
> @next == NULL (EOL), while the state after thread-B ran would be
> @head->next = &Y.
>
> So the check will fail, the cmpxchg will fail, and around we go.
>
>> +
>> + return head;
>> +}
>
> Or am I completely not getting it?
No, you're right. I entirely missed the role of check_ptr and
check_val in rseq_percpu_cmpxchgcheck. That indeed ensures we
atomically check, from a per-cpu perspective, that both the
pointer we are about to update and the next pointer are still
the same. Mystery solved. :-)
And of course, for the percpu_list_push(), the rseq_percpu_cmpxchg()
there is enough, because we always try to add a node we own into
the list, and only ever compare to the head. This one is
straightforwardly ABA-free even without rseq.
There is still the question of use-after-free however that
remains open. My understanding is that this lock-free list
should be paired with either a type-safe memory allocator,
using RCU, or a garbage collector.
Thoughts ?
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
next prev parent reply other threads:[~2016-04-06 13:39 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-27 23:56 [RFC PATCH 0/3] restartable sequences v2: fast user-space percpu critical sections Paul Turner
2015-10-27 23:56 ` Paul Turner
2015-10-27 23:56 ` [RFC PATCH v2 1/3] restartable sequences: user-space per-cpu " Paul Turner
[not found] ` <20151027235653.16059.8933.stgit-G8L5E6GV2z5XSTzz+wBt03oUN1GumTyQ7j82oEJ37pA@public.gmane.org>
2015-11-19 16:38 ` Johannes Berg
2015-11-19 16:38 ` Johannes Berg
2015-12-11 12:56 ` Mathieu Desnoyers
2015-12-11 12:56 ` Mathieu Desnoyers
2015-10-27 23:57 ` [RFC PATCH v2 2/3] restartable sequences: x86 ABI Paul Turner
[not found] ` <20151027235705.16059.63268.stgit-G8L5E6GV2z5XSTzz+wBt03oUN1GumTyQ7j82oEJ37pA@public.gmane.org>
2015-10-28 5:03 ` Peter Zijlstra
2015-10-28 5:03 ` Peter Zijlstra
[not found] ` <20151028050314.GC11242-IIpfhp3q70xmmu7s1q4rt2t3HXsI98Cx0E9HWUfgJXw@public.gmane.org>
2015-10-28 5:19 ` Paul Turner
2015-10-28 5:19 ` Paul Turner
2015-12-11 13:30 ` Mathieu Desnoyers
2015-12-11 13:30 ` Mathieu Desnoyers
2015-10-27 23:57 ` [RFC PATCH v2 3/3] restartable sequences: basic self-tests Paul Turner
[not found] ` <20151027235716.16059.47610.stgit-G8L5E6GV2z5XSTzz+wBt03oUN1GumTyQ7j82oEJ37pA@public.gmane.org>
2016-04-05 20:33 ` Mathieu Desnoyers
2016-04-05 20:33 ` Mathieu Desnoyers
[not found] ` <1276514010.46061.1459888406999.JavaMail.zimbra-vg+e7yoeK/dWk0Htik3J/w@public.gmane.org>
2016-04-06 7:43 ` Peter Zijlstra
2016-04-06 7:43 ` Peter Zijlstra
[not found] ` <20160406074309.GE3430-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2016-04-06 13:39 ` Mathieu Desnoyers [this message]
2016-04-06 13:39 ` Mathieu Desnoyers
[not found] ` <528054829.46502.1459949962537.JavaMail.zimbra-vg+e7yoeK/dWk0Htik3J/w@public.gmane.org>
2016-04-06 19:25 ` Peter Zijlstra
2016-04-06 19:25 ` Peter Zijlstra
[not found] ` <20151027235635.16059.11630.stgit-G8L5E6GV2z5XSTzz+wBt03oUN1GumTyQ7j82oEJ37pA@public.gmane.org>
2015-10-28 14:44 ` [RFC PATCH 0/3] restartable sequences v2: fast user-space percpu critical sections Dave Watson
2015-10-28 14:44 ` Dave Watson
2015-12-11 12:05 ` Mathieu Desnoyers
2015-12-11 12:05 ` Mathieu Desnoyers
[not found] ` <1070636085.232143.1449835536723.JavaMail.zimbra-vg+e7yoeK/dWk0Htik3J/w@public.gmane.org>
2015-12-11 13:39 ` Mathieu Desnoyers
2015-12-11 13:39 ` Mathieu Desnoyers
2016-04-06 15:56 ` Andy Lutomirski
2016-04-07 12:02 ` Peter Zijlstra
[not found] ` <20160407120254.GY3448-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2016-04-07 14:35 ` Andy Lutomirski
2016-04-07 14:35 ` Andy Lutomirski
[not found] ` <CALCETrV0vcYcnBrs0axykJD=_BM28wKWVMG6bMzK8zh8R3m5fg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-04-07 15:24 ` Peter Zijlstra
2016-04-07 15:24 ` Peter Zijlstra
[not found] ` <20160407152432.GZ3448-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2016-04-07 15:39 ` Peter Zijlstra
2016-04-07 15:39 ` Peter Zijlstra
2016-04-07 15:44 ` Andy Lutomirski
2016-04-07 15:44 ` Andy Lutomirski
[not found] ` <CALCETrU5ZL6Jajc=9up-j86vY_Xtt-gTFjdQE0sB0d=d-CJZ6A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-04-07 15:53 ` Peter Zijlstra
2016-04-07 15:53 ` Peter Zijlstra
[not found] ` <20160407155312.GA3448-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2016-04-07 16:43 ` Andy Lutomirski
2016-04-07 16:43 ` Andy Lutomirski
[not found] ` <CALCETrVGo1Di3qamxx1NAFUSN_o=-HnYRDpeVp7zrQEBwe5u-g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-04-07 20:11 ` Peter Zijlstra
2016-04-07 20:11 ` Peter Zijlstra
[not found] ` <20160407201156.GC3448-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2016-04-07 22:05 ` Andy Lutomirski
2016-04-07 22:05 ` Andy Lutomirski
[not found] ` <CALCETrXVReuuGGKW6EOV7tFFaK9RbwWxYvKdpUdvU=MpDaOtsQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-04-08 1:11 ` Mathieu Desnoyers
2016-04-08 1:11 ` Mathieu Desnoyers
2016-04-08 1:21 ` Andy Lutomirski
2016-04-08 2:05 ` Mathieu Desnoyers
2016-04-08 2:05 ` Mathieu Desnoyers
2016-04-08 17:46 ` Mathieu Desnoyers
[not found] ` <65466698.51122.1460137589499.JavaMail.zimbra-vg+e7yoeK/dWk0Htik3J/w@public.gmane.org>
2016-04-08 21:16 ` Andy Lutomirski
2016-04-08 21:16 ` Andy Lutomirski
2016-04-08 21:25 ` Linus Torvalds
2016-04-08 21:25 ` Linus Torvalds
[not found] ` <CA+55aFwqJmTy+Nz0k9N_2zsms51meTFMdvYYW5VHdiOq8Jjr7Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-04-10 14:07 ` Mathieu Desnoyers
2016-04-10 14:07 ` Mathieu Desnoyers
2016-04-08 11:02 ` Peter Zijlstra
2016-04-08 11:02 ` Peter Zijlstra
[not found] ` <20160408110232.GP3448-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2016-04-08 15:57 ` Andy Lutomirski
2016-04-08 15:57 ` Andy Lutomirski
2016-04-08 6:41 ` Peter Zijlstra
2016-04-08 6:41 ` Peter Zijlstra
[not found] ` <20160408064136.GJ3448-ndre7Fmf5hadTX5a5knrm8zTDFooKrT+cvkQGrU6aU0@public.gmane.org>
2016-04-08 15:58 ` Andy Lutomirski
2016-04-08 15:58 ` Andy Lutomirski
2016-04-11 21:55 ` Mathieu Desnoyers
2016-04-11 21:55 ` Mathieu Desnoyers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=528054829.46502.1459949962537.JavaMail.zimbra@efficios.com \
--to=mathieu.desnoyers-vg+e7yoek/dwk0htik3j/w@public.gmane.org \
--cc=ahh-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
--cc=andi-Vw/NltI1exuRpAAqCnN02g@public.gmane.org \
--cc=cl-vYTEC60ixJUAvxtiuMwx3w@public.gmane.org \
--cc=commonly-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=davejwatson-b10kYP2dOMg@public.gmane.org \
--cc=josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=paulmck-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org \
--cc=peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.