From: Paolo Bonzini <pbonzini@redhat.com>
To: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Stefan Hajnoczi <stefanha@gmail.com>,
"Shergill, Gurinder" <gurinder.shergill@hp.com>,
"Vinod, Chegu" <chegu_vinod@hp.com>,
qemu-devel@nongnu.org, Luiz Capitulino <lcapitulino@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 1/2] iothread: stash thread ID away
Date: Tue, 25 Feb 2014 17:10:32 +0100
Message-ID: <530CC078.4080707@redhat.com>
In-Reply-To: <20140225154245.GC2374@stefanha-thinkpad.redhat.com>
On 25/02/2014 16:42, Stefan Hajnoczi wrote:
> I guess you're saying that while unlocking the mutex is atomic, that
> doesn't guarantee pthread won't access the mutex internal state some
> more after it has unlocked it. Therefore it's not safe for another
> thread to destroy the mutex even after it has acquired it.
Yes.
> POSIX does say that:
>
> "It shall be safe to destroy an initialized mutex that is unlocked."
The question is what "unlocked" means... :)
> But maybe I am reading too much into that?
>
> After poking around glibc a little I think you are right. I can't say
> for sure but it seems even after a futex call glibc might still mess
> with internal state. But if anyone knows for certain, please speak up.
I think other races are possible. Let's look at the simple lock in
nptl/lowlevellock.h:
    /* Mutex lock counter:
       bit 31 clear means unlocked;
       bit 31 set means locked.
       All code that looks at bit 31 first increases the 'number of
       interested threads' usage counter, which is in bits 0-30.
The comment is wrong, there is a fast path that does not do that; I'm
not sure if this is why the problem can happen, I'm just pointing this
out because it contradicts the code I'm posting now.
The file uses C code, but it's simpler to look at it in assembly.
Unlocking is very simple:
    lock; btcl $31, futex
    jz 2f
    ... do futex wake ...
  2:
Locking has a fast path followed by preparing the slow path, re-checking
the fastpath condition, and waiting if it fails still:
    lock; btsl $31, futex
    jnc 9f
    lock; incl futex
  1:
    lock; btsl $31, futex
    jnc 8f
    ... do futex wait ...
    jmp 1b
  8:
    lock; decl futex
  9:
It's possible, if futex is locked by CPU 0 and CPU 1 tries to grab it,
that the following happens:
    CPU 0                          CPU 1
                                   lock; btsl $31, futex (fails)
                                   lock; incl futex
    lock; btcl %0 (not zero)
                                   lock; btsl $31, futex (succeeds)
                                   lock; decl futex
                                   destroy lock
                                   free(lock)
    futex wake
If you get an EFAULT from the futex wakeup, this could be a problem.
Paolo
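The interleaving above, as an added example that is not part of this mail, of QEMU or of glibc: a single-threaded, deterministic model in which C11 atomics stand in for the "lock;" instructions, so the step at which the unlocking CPU still touches the lock word can be checked rather than argued about. It assumes the unlock path clears bit 31 and still owes a futex wake whenever the bits 0-30 "interested threads" counter was non-zero, and it models the wake syscall as one more access to the lock word's address; the ll_* names and the destroyed/touches_after_destroy bookkeeping are the example's own. The second function shows the only safe ordering: whoever destroys the lock must first know that the unlocking thread has left the unlock path entirely (in practice, join that thread or otherwise synchronize with it), not merely that the lock could be acquired.

```c
/*
 * Added example (not code from this mail, QEMU or glibc): a deterministic
 * model of the race between a late futex wake in unlock and a destroy+free
 * by the thread that just acquired the lock. Assumptions: unlock clears
 * bit 31 and must wake if the bits 0-30 counter was non-zero; the wake is
 * modelled as one more access to the lock word; ll_* names are mine.
 */
#include <stdatomic.h>
#include <stdio.h>

#define LL_LOCKED 0x80000000u   /* bit 31: locked */

typedef struct {
    atomic_uint futex;          /* the lock word: bit 31 + waiter counter */
    int destroyed;              /* set when the model "destroys and frees" it */
    int touches_after_destroy;  /* accesses to futex after that point */
} ll_lock;

static void touch(ll_lock *l) { if (l->destroyed) l->touches_after_destroy++; }

/* lock; btsl $31, futex -> 1 if bit 31 was already set (lock was held) */
static int ll_bts31(ll_lock *l) {
    touch(l);
    return (atomic_fetch_or(&l->futex, LL_LOCKED) & LL_LOCKED) != 0;
}

/* lock; incl / decl futex: register/unregister as an "interested thread" */
static void ll_inc(ll_lock *l) { touch(l); atomic_fetch_add(&l->futex, 1u); }
static void ll_dec(ll_lock *l) { touch(l); atomic_fetch_sub(&l->futex, 1u); }

/* lock; btcl $31, futex -> 1 if a futex wake is still owed (counter != 0) */
static int ll_btc31(ll_lock *l) {
    touch(l);
    return (atomic_fetch_and(&l->futex, ~LL_LOCKED) & ~LL_LOCKED) != 0;
}

/* futex(FUTEX_WAKE) is still handed &futex: modelled as one more access */
static void ll_futex_wake(ll_lock *l) { touch(l); }

/* CPU 1 acquires a lock that CPU 0 is in the middle of releasing, then
 * destroys it at once. Returns the number of accesses to the lock word
 * after destruction (-1 if the model failed to acquire, which must not happen). */
static int racy_destroy(void) {
    ll_lock l = { .futex = LL_LOCKED };   /* held by CPU 0 */
    int got = !ll_bts31(&l);              /* CPU 1: fast path fails */
    ll_inc(&l);                           /* CPU 1: enter slow path */
    int wake = ll_btc31(&l);              /* CPU 0: unlock, counter is 1 */
    if (!got) got = !ll_bts31(&l);        /* CPU 1: re-check succeeds */
    ll_dec(&l);                           /* CPU 1: leave slow path, owns lock */
    ll_btc31(&l);                         /* CPU 1: unlock (elided in the mail) */
    l.destroyed = 1;                      /* CPU 1: destroy lock; free(lock) */
    if (wake) ll_futex_wake(&l);          /* CPU 0: late wake on freed memory */
    return got ? l.touches_after_destroy : -1;
}

/* Same interleaving, but the destroyer waits until CPU 0 has finished its
 * whole unlock, wake included, before destroying (e.g. pthread_join). */
static int destroy_after_unlocker_done(void) {
    ll_lock l = { .futex = LL_LOCKED };
    int got = !ll_bts31(&l);
    ll_inc(&l);
    int wake = ll_btc31(&l);
    if (!got) got = !ll_bts31(&l);
    ll_dec(&l);
    ll_btc31(&l);
    if (wake) ll_futex_wake(&l);          /* CPU 0 completes unlock first */
    int cpu0_done = 1;                    /* stands in for joining CPU 0's thread */
    if (cpu0_done) l.destroyed = 1;       /* only now is destroy safe */
    return got ? l.touches_after_destroy : -1;
}

int main(void) {
    printf("destroy right after acquire: %d access(es) to freed lock word\n",
           racy_destroy());
    printf("destroy after unlocker done: %d access(es)\n",
           destroy_after_unlocker_done());
    return 0;
}
```

The model counts exactly one post-free access in the racy schedule, the futex wake, which is what would surface as the EFAULT (or silent write into reused memory) mentioned above; the "unlocked" state POSIX speaks of is reached before the unlocking thread is finished with the mutex's storage.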
Thread overview:
2014-02-21 14:51 [Qemu-devel] [PATCH 0/2] dataplane: add query-iothreads QMP command Stefan Hajnoczi
2014-02-21 14:51 ` [Qemu-devel] [PATCH 1/2] iothread: stash thread ID away Stefan Hajnoczi
2014-02-21 15:18 ` Paolo Bonzini
2014-02-24 15:53 ` Stefan Hajnoczi
2014-02-24 16:48 ` Paolo Bonzini
2014-02-25 15:42 ` Stefan Hajnoczi
2014-02-25 16:10 ` Paolo Bonzini [this message]
2014-02-25 16:17 ` Stefan Hajnoczi
2014-02-25 16:27 ` Paolo Bonzini
2014-02-21 14:51 ` [Qemu-devel] [PATCH 2/2] qmp: add query-iothreads command Stefan Hajnoczi
2014-02-21 15:27 ` Eric Blake
2014-02-24 15:54 ` Stefan Hajnoczi