Question on mutex code - Matthias Bonne

All of lore.kernel.org
 help / color / mirror / Atom feed

From: lemonlime51@gmail.com (Matthias Bonne)
To: kernelnewbies@lists.kernelnewbies.org
Subject: Question on mutex code
Date: Sun, 15 Mar 2015 23:49:07 +0200	[thread overview]
Message-ID: <5505FE53.1060807@gmail.com> (raw)
In-Reply-To: <1426381746.28068.70.camel@stgolabs.net>

On 03/15/15 03:09, Davidlohr Bueso wrote:
> On Sat, 2015-03-14 at 18:03 -0700, Davidlohr Bueso wrote:
>> Good analysis, but not quite accurate for one simple fact: mutex
>> trylocks _only_ use fastpaths (obviously just depend on the counter
>> cmpxchg to 0), so you never fallback to the slowpath you are mentioning,
>> thus the race is non existent. Please see the arch code.
>
> For debug we use the trylock slowpath, but so does everything else, so
> again you cannot hit this scenario.
>
>

You are correct of course - this is why I said that
CONFIG_DEBUG_MUTEXES must be enabled for this to happen. Can you
explain why this scenario is still not possible in the debug case?

The debug case uses mutex-null.h, which contains these macros:

#define __mutex_fastpath_lock(count, fail_fn)           fail_fn(count)
#define __mutex_fastpath_lock_retval(count)             (-1)
#define __mutex_fastpath_unlock(count, fail_fn)         fail_fn(count)
#define __mutex_fastpath_trylock(count, fail_fn)        fail_fn(count)
#define __mutex_slowpath_needs_to_unlock()              1

So both mutex_trylock() and mutex_unlock() always use the slow paths.
The slowpath for mutex_unlock() is __mutex_unlock_slowpath(), which
simply calls __mutex_unlock_common_slowpath(), and the latter starts
like this:

         /*
          * As a performance measurement, release the lock before doing 
other
          * wakeup related duties to follow. This allows other tasks to 
acquire
          * the lock sooner, while still handling cleanups in past 
unlock calls.
          * This can be done as we do not enforce strict equivalence 
between the
          * mutex counter and wait_list.
          *
          *
          * Some architectures leave the lock unlocked in the fastpath 
failure
          * case, others need to leave it locked. In the later case we 
have to
          * unlock it here - as the lock counter is currently 0 or negative.
          */
         if (__mutex_slowpath_needs_to_unlock())
                 atomic_set(&lock->count, 1);

         spin_lock_mutex(&lock->wait_lock, flags);
         [...]

So the counter is set to 1 before taking the spinlock, which I think
might cause the race. Did I miss something?

WARNING: multiple messages have this Message-ID (diff)

From: Matthias Bonne <lemonlime51@gmail.com>
To: Davidlohr Bueso <dave@stgolabs.net>
Cc: Yann Droneaud <ydroneaud@opteya.com>,
	kernelnewbies@kernelnewbies.org, linux-kernel@vger.kernel.org,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>
Subject: Re: Question on mutex code
Date: Sun, 15 Mar 2015 23:49:07 +0200	[thread overview]
Message-ID: <5505FE53.1060807@gmail.com> (raw)
In-Reply-To: <1426381746.28068.70.camel@stgolabs.net>

On 03/15/15 03:09, Davidlohr Bueso wrote:
> On Sat, 2015-03-14 at 18:03 -0700, Davidlohr Bueso wrote:
>> Good analysis, but not quite accurate for one simple fact: mutex
>> trylocks _only_ use fastpaths (obviously just depend on the counter
>> cmpxchg to 0), so you never fallback to the slowpath you are mentioning,
>> thus the race is non existent. Please see the arch code.
>
> For debug we use the trylock slowpath, but so does everything else, so
> again you cannot hit this scenario.
>
>

You are correct of course - this is why I said that
CONFIG_DEBUG_MUTEXES must be enabled for this to happen. Can you
explain why this scenario is still not possible in the debug case?

The debug case uses mutex-null.h, which contains these macros:

#define __mutex_fastpath_lock(count, fail_fn)           fail_fn(count)
#define __mutex_fastpath_lock_retval(count)             (-1)
#define __mutex_fastpath_unlock(count, fail_fn)         fail_fn(count)
#define __mutex_fastpath_trylock(count, fail_fn)        fail_fn(count)
#define __mutex_slowpath_needs_to_unlock()              1

So both mutex_trylock() and mutex_unlock() always use the slow paths.
The slowpath for mutex_unlock() is __mutex_unlock_slowpath(), which
simply calls __mutex_unlock_common_slowpath(), and the latter starts
like this:

         /*
          * As a performance measurement, release the lock before doing 
other
          * wakeup related duties to follow. This allows other tasks to 
acquire
          * the lock sooner, while still handling cleanups in past 
unlock calls.
          * This can be done as we do not enforce strict equivalence 
between the
          * mutex counter and wait_list.
          *
          *
          * Some architectures leave the lock unlocked in the fastpath 
failure
          * case, others need to leave it locked. In the later case we 
have to
          * unlock it here - as the lock counter is currently 0 or negative.
          */
         if (__mutex_slowpath_needs_to_unlock())
                 atomic_set(&lock->count, 1);

         spin_lock_mutex(&lock->wait_lock, flags);
         [...]

So the counter is set to 1 before taking the spinlock, which I think
might cause the race. Did I miss something?

next prev parent reply	other threads:[~2015-03-15 21:49 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-04  0:13 Question on mutex code Matthias Bonne
2015-03-10 13:03 ` Yann Droneaud
2015-03-10 13:03   ` Yann Droneaud
2015-03-10 14:59   ` Valdis.Kletnieks at vt.edu
2015-03-10 14:59     ` Valdis.Kletnieks
2015-03-14 23:08     ` Matthias Bonne
2015-03-14 23:08       ` Matthias Bonne
2015-03-14 23:05   ` Matthias Bonne
2015-03-14 23:05     ` Matthias Bonne
2015-03-15  1:03     ` Davidlohr Bueso
2015-03-15  1:04       ` Davidlohr Bueso
2015-03-15  1:09       ` Davidlohr Bueso
2015-03-15  1:10         ` Davidlohr Bueso
2015-03-15 21:49         ` Matthias Bonne [this message]
2015-03-15 21:49           ` Matthias Bonne
2015-03-15 22:10           ` Rabin Vincent
2015-03-15 22:11             ` Rabin Vincent
2015-03-16  3:40             ` Matthias Bonne
2015-03-16  3:40               ` Matthias Bonne
2015-03-15 22:18           ` Davidlohr Bueso
2015-03-15 22:19             ` Davidlohr Bueso
2015-03-15 22:23             ` Davidlohr Bueso
2015-03-15 22:24               ` Davidlohr Bueso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5505FE53.1060807@gmail.com \
    --to=lemonlime51@gmail.com \
    --cc=kernelnewbies@lists.kernelnewbies.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.