* [PATCH 0/1] Clean up TSAN warnings
From: Marc Morcos @ 2025-12-11 23:11 UTC
To: Paolo Bonzini, Richard Henderson, Eduardo Habkost,
	Dr. David Alan Gilbert
Cc: Michael S. Tsirkin, Marcel Apfelbaum, Markus Armbruster,
	Marcelo Tosatti, qemu-devel, kvm, Marc Morcos
Running several tests under TSan reported data races on reads of certain variables; this series should alleviate the problem.
Additionally, the apicbase member of APICCommonState has been widened to 64 bits to reflect its contents.
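For reviewers who have not seen the reports: the pattern TSan flags is simply a plain load racing with a plain store on the same location. A minimal standalone illustration (not code from this series; in QEMU the fix is to route such accesses through the qatomic_* helpers or an appropriate lock, as the patch below does):

    /* Compile with: cc -g -fsanitize=thread race.c -lpthread */
    #include <pthread.h>
    #include <stdio.h>

    static int shared;                 /* plain variable: no lock, no atomics */

    static void *writer(void *arg)
    {
        shared = 42;                   /* plain store ...                     */
        return NULL;
    }

    int main(void)
    {
        pthread_t t;
        pthread_create(&t, NULL, writer, NULL);
        printf("%d\n", shared);        /* ... racing with a plain load:
                                        * TSan flags this as a data race      */
        pthread_join(&t, NULL);
        return 0;
    }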
Marc Morcos (1):
qemu: TSAN Clean up
hw/i386/kvm/apic.c | 12 ++++++++----
hw/intc/apic_common.c | 24 ++++++++++++++----------
include/hw/i386/apic_internal.h | 2 +-
monitor/monitor.c | 8 +++++++-
monitor/qmp.c | 2 ++
target/i386/kvm/kvm.c | 3 +++
util/thread-pool.c | 24 +++++++++++-------------
7 files changed, 46 insertions(+), 29 deletions(-)
--
2.52.0.239.gd5f0c6e74e-goog
* [PATCH 1/1] qemu: TSAN Clean up
From: Marc Morcos @ 2025-12-11 23:11 UTC
To: Paolo Bonzini, Richard Henderson, Eduardo Habkost,
	Dr. David Alan Gilbert
Cc: Michael S. Tsirkin, Marcel Apfelbaum, Markus Armbruster,
	Marcelo Tosatti, qemu-devel, kvm, Marc Morcos
- Fix 3 data races detected by TSan
- Change apicbase to a 64-bit variable to reflect what it holds
Signed-off-by: Marc Morcos <marcmorcos@google.com>
---
hw/i386/kvm/apic.c | 12 ++++++++----
hw/intc/apic_common.c | 24 ++++++++++++++----------
include/hw/i386/apic_internal.h | 2 +-
monitor/monitor.c | 8 +++++++-
monitor/qmp.c | 2 ++
target/i386/kvm/kvm.c | 3 +++
util/thread-pool.c | 24 +++++++++++-------------
7 files changed, 46 insertions(+), 29 deletions(-)
diff --git a/hw/i386/kvm/apic.c b/hw/i386/kvm/apic.c
index 82355f0463..b9b03c529f 100644
--- a/hw/i386/kvm/apic.c
+++ b/hw/i386/kvm/apic.c
@@ -34,9 +34,10 @@ static inline uint32_t kvm_apic_get_reg(struct kvm_lapic_state *kapic,
static void kvm_put_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
{
int i;
+ uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
memset(kapic, 0, sizeof(*kapic));
- if (kvm_has_x2apic_api() && s->apicbase & MSR_IA32_APICBASE_EXTD) {
+ if (kvm_has_x2apic_api() && apicbase & MSR_IA32_APICBASE_EXTD) {
kvm_apic_set_reg(kapic, 0x2, s->initial_apic_id);
} else {
kvm_apic_set_reg(kapic, 0x2, s->id << 24);
@@ -63,8 +64,9 @@ static void kvm_put_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic
void kvm_get_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
{
int i, v;
+ uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
- if (kvm_has_x2apic_api() && s->apicbase & MSR_IA32_APICBASE_EXTD) {
+ if (kvm_has_x2apic_api() && apicbase & MSR_IA32_APICBASE_EXTD) {
assert(kvm_apic_get_reg(kapic, 0x2) == s->initial_apic_id);
} else {
s->id = kvm_apic_get_reg(kapic, 0x2) >> 24;
@@ -97,7 +99,7 @@ void kvm_get_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
static int kvm_apic_set_base(APICCommonState *s, uint64_t val)
{
- s->apicbase = val;
+ qatomic_set__nocheck(&s->apicbase, val);
return 0;
}
@@ -140,12 +142,14 @@ static void kvm_apic_put(CPUState *cs, run_on_cpu_data data)
APICCommonState *s = data.host_ptr;
struct kvm_lapic_state kapic;
int ret;
+ uint64_t apicbase;
if (is_tdx_vm()) {
return;
}
- kvm_put_apicbase(s->cpu, s->apicbase);
+ apicbase = qatomic_read__nocheck(&s->apicbase);
+ kvm_put_apicbase(s->cpu, apicbase);
kvm_put_apic_state(s, &kapic);
ret = kvm_vcpu_ioctl(CPU(s->cpu), KVM_SET_LAPIC, &kapic);
diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
index ec9e978b0b..9e42189d8a 100644
--- a/hw/intc/apic_common.c
+++ b/hw/intc/apic_common.c
@@ -19,6 +19,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/atomic.h"
#include "qemu/error-report.h"
#include "qemu/module.h"
#include "qapi/error.h"
@@ -52,8 +53,9 @@ int cpu_set_apic_base(APICCommonState *s, uint64_t val)
uint64_t cpu_get_apic_base(APICCommonState *s)
{
if (s) {
- trace_cpu_get_apic_base((uint64_t)s->apicbase);
- return s->apicbase;
+ uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
+ trace_cpu_get_apic_base(apicbase);
+ return apicbase;
} else {
trace_cpu_get_apic_base(MSR_IA32_APICBASE_BSP);
return MSR_IA32_APICBASE_BSP;
@@ -66,7 +68,7 @@ bool cpu_is_apic_enabled(APICCommonState *s)
return false;
}
- return s->apicbase & MSR_IA32_APICBASE_ENABLE;
+ return qatomic_read__nocheck(&s->apicbase) & MSR_IA32_APICBASE_ENABLE;
}
void cpu_set_apic_tpr(APICCommonState *s, uint8_t val)
@@ -223,9 +225,9 @@ void apic_designate_bsp(APICCommonState *s, bool bsp)
}
if (bsp) {
- s->apicbase |= MSR_IA32_APICBASE_BSP;
+ qatomic_fetch_or(&s->apicbase, MSR_IA32_APICBASE_BSP);
} else {
- s->apicbase &= ~MSR_IA32_APICBASE_BSP;
+ qatomic_fetch_and(&s->apicbase, ~MSR_IA32_APICBASE_BSP);
}
}
@@ -233,10 +235,11 @@ static void apic_reset_common(DeviceState *dev)
{
APICCommonState *s = APIC_COMMON(dev);
APICCommonClass *info = APIC_COMMON_GET_CLASS(s);
- uint32_t bsp;
+ uint64_t bsp;
- bsp = s->apicbase & MSR_IA32_APICBASE_BSP;
- s->apicbase = APIC_DEFAULT_ADDRESS | bsp | MSR_IA32_APICBASE_ENABLE;
+ bsp = qatomic_read__nocheck(&s->apicbase) & MSR_IA32_APICBASE_BSP;
+ qatomic_set__nocheck(&s->apicbase,
+ APIC_DEFAULT_ADDRESS | bsp | MSR_IA32_APICBASE_ENABLE);
s->id = s->initial_apic_id;
kvm_reset_irq_delivered();
@@ -363,7 +366,7 @@ static const VMStateDescription vmstate_apic_common = {
.post_load = apic_dispatch_post_load,
.priority = MIG_PRI_APIC,
.fields = (const VMStateField[]) {
- VMSTATE_UINT32(apicbase, APICCommonState),
+ VMSTATE_UINT64(apicbase, APICCommonState),
VMSTATE_UINT8(id, APICCommonState),
VMSTATE_UINT8(arb_id, APICCommonState),
VMSTATE_UINT8(tpr, APICCommonState),
@@ -405,7 +408,8 @@ static void apic_common_get_id(Object *obj, Visitor *v, const char *name,
APICCommonState *s = APIC_COMMON(obj);
uint32_t value;
- value = s->apicbase & MSR_IA32_APICBASE_EXTD ? s->initial_apic_id : s->id;
+ value = qatomic_read__nocheck(&s->apicbase) & MSR_IA32_APICBASE_EXTD ?
+ s->initial_apic_id : s->id;
visit_type_uint32(v, name, &value, errp);
}
diff --git a/include/hw/i386/apic_internal.h b/include/hw/i386/apic_internal.h
index 4a62fdceb4..32ce2c821e 100644
--- a/include/hw/i386/apic_internal.h
+++ b/include/hw/i386/apic_internal.h
@@ -158,7 +158,7 @@ struct APICCommonState {
MemoryRegion io_memory;
X86CPU *cpu;
- uint32_t apicbase;
+ uint64_t apicbase; /* All accesses to apicbase must use qatomic helpers. */
uint8_t id; /* legacy APIC ID */
uint32_t initial_apic_id;
uint8_t version;
diff --git a/monitor/monitor.c b/monitor/monitor.c
index c5a5d30877..f3bc4f0202 100644
--- a/monitor/monitor.c
+++ b/monitor/monitor.c
@@ -338,15 +338,21 @@ static void monitor_qapi_event_emit(QAPIEvent event, QDict *qdict)
{
Monitor *mon;
MonitorQMP *qmp_mon;
+ bool send;
trace_monitor_protocol_event_emit(event, qdict);
QTAILQ_FOREACH(mon, &mon_list, entry) {
+ qemu_mutex_lock(&mon->mon_lock);
if (!monitor_is_qmp(mon)) {
+ qemu_mutex_unlock(&mon->mon_lock);
continue;
}
qmp_mon = container_of(mon, MonitorQMP, common);
- if (qmp_mon->commands != &qmp_cap_negotiation_commands) {
+ send = qmp_mon->commands != &qmp_cap_negotiation_commands;
+ qemu_mutex_unlock(&mon->mon_lock);
+
+ if (send) {
qmp_send_response(qmp_mon, qdict);
}
}
diff --git a/monitor/qmp.c b/monitor/qmp.c
index cb99a12d94..73c2fb8cbf 100644
--- a/monitor/qmp.c
+++ b/monitor/qmp.c
@@ -462,9 +462,11 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
switch (event) {
case CHR_EVENT_OPENED:
+ qemu_mutex_lock(&mon->common.mon_lock);
mon->commands = &qmp_cap_negotiation_commands;
monitor_qmp_caps_reset(mon);
data = qmp_greeting(mon);
+ qemu_mutex_unlock(&mon->common.mon_lock);
qmp_send_response(mon, data);
qobject_unref(data);
break;
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index 60c7981138..76bdef2c78 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -5474,7 +5474,10 @@ void kvm_arch_pre_run(CPUState *cpu, struct kvm_run *run)
X86CPU *x86_cpu = X86_CPU(cpu);
CPUX86State *env = &x86_cpu->env;
int ret;
+ bool nmi_pending = false;
+ bool smi_pending = false;
+ bql_lock();
/* Inject NMI */
if (cpu_test_interrupt(cpu, CPU_INTERRUPT_NMI | CPU_INTERRUPT_SMI)) {
if (cpu_test_interrupt(cpu, CPU_INTERRUPT_NMI)) {
diff --git a/util/thread-pool.c b/util/thread-pool.c
index d2ead6b728..af49d4dfd9 100644
--- a/util/thread-pool.c
+++ b/util/thread-pool.c
@@ -18,6 +18,7 @@
#include "qemu/defer-call.h"
#include "qemu/queue.h"
#include "qemu/thread.h"
+#include "qemu/atomic.h"
#include "qemu/coroutine.h"
#include "trace.h"
#include "block/thread-pool.h"
@@ -39,9 +40,9 @@ struct ThreadPoolElementAio {
ThreadPoolFunc *func;
void *arg;
- /* Moving state out of THREAD_QUEUED is protected by lock. After
- * that, only the worker thread can write to it. Reads and writes
- * of state and ret are ordered with memory barriers.
+ /*
+ * All access to state must be atomic,
+ * Use acquire/release ordering if relevant
*/
enum ThreadState state;
int ret;
@@ -105,15 +106,14 @@ static void *worker_thread(void *opaque)
req = QTAILQ_FIRST(&pool->request_list);
QTAILQ_REMOVE(&pool->request_list, req, reqs);
- req->state = THREAD_ACTIVE;
+ qatomic_set(&req->state, THREAD_ACTIVE);
qemu_mutex_unlock(&pool->lock);
ret = req->func(req->arg);
req->ret = ret;
- /* Write ret before state. */
- smp_wmb();
- req->state = THREAD_DONE;
+ /* _release to write ret before state. */
+ qatomic_store_release(&req->state, THREAD_DONE);
qemu_bh_schedule(pool->completion_bh);
qemu_mutex_lock(&pool->lock);
@@ -180,7 +180,8 @@ static void thread_pool_completion_bh(void *opaque)
restart:
QLIST_FOREACH_SAFE(elem, &pool->head, all, next) {
- if (elem->state != THREAD_DONE) {
+ /* _acquire to read state before ret. */
+ if (qatomic_load_acquire(&elem->state) != THREAD_DONE) {
continue;
}
@@ -189,9 +190,6 @@ restart:
QLIST_REMOVE(elem, all);
if (elem->common.cb) {
- /* Read state before ret. */
- smp_rmb();
-
/* Schedule ourselves in case elem->common.cb() calls aio_poll() to
* wait for another request that completed at the same time.
*/
@@ -223,11 +221,11 @@ static void thread_pool_cancel(BlockAIOCB *acb)
trace_thread_pool_cancel_aio(elem, elem->common.opaque);
QEMU_LOCK_GUARD(&pool->lock);
- if (elem->state == THREAD_QUEUED) {
+ if (qatomic_read(&elem->state) == THREAD_QUEUED) {
QTAILQ_REMOVE(&pool->request_list, elem, reqs);
qemu_bh_schedule(pool->completion_bh);
- elem->state = THREAD_DONE;
+ qatomic_set(&elem->state, THREAD_DONE);
elem->ret = -ECANCELED;
}
--
2.52.0.239.gd5f0c6e74e-goog
* Re: [PATCH 1/1] qemu: TSAN Clean up
From: Paolo Bonzini @ 2025-12-12 11:20 UTC
To: Marc Morcos, Richard Henderson, Eduardo Habkost,
	Dr. David Alan Gilbert
Cc: Michael S. Tsirkin, Marcel Apfelbaum, Markus Armbruster,
	Marcelo Tosatti, qemu-devel, kvm
On 12/12/25 00:11, Marc Morcos wrote:
> - Fix 3 data races detected by TSan
> - Change apicbase to a 64-bit variable to reflect what it holds
While APICBASE is indeed 36 bits wide, this changes the migration format
and also makes the patch much larger, because every access has to use the
__nocheck variant. So it should at least be a separate patch.
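For reference (my recollection of qemu/atomic.h, worth double-checking):
qatomic_read()/qatomic_set() statically assert that the location is at most
register-sized, so once apicbase is a uint64_t the checked forms no longer
build on 32-bit hosts; the __nocheck variants skip that assertion and make
no atomicity promise there. Roughly (Example and example_read are
placeholder names, not QEMU code):

    #include "qemu/osdep.h"
    #include "qemu/atomic.h"

    typedef struct Example {
        uint32_t narrow;
        uint64_t wide;
    } Example;

    static uint64_t example_read(Example *e)
    {
        uint32_t a = qatomic_read(&e->narrow);        /* register-sized: OK everywhere */
        uint64_t b = qatomic_read__nocheck(&e->wide); /* the checked form would fail to
                                                       * build on 32-bit hosts, and the
                                                       * read may not be atomic there  */
        return a + b;
    }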
The three races are:
- apicbase - this is complex and I cannot fully understand it. It would
be useful to state what the race is.
> @@ -34,9 +34,10 @@ static inline uint32_t kvm_apic_get_reg(struct kvm_lapic_state *kapic,
> static void kvm_put_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
> {
> int i;
> + uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
>
> memset(kapic, 0, sizeof(*kapic));
> - if (kvm_has_x2apic_api() && s->apicbase & MSR_IA32_APICBASE_EXTD) {
> + if (kvm_has_x2apic_api() && apicbase & MSR_IA32_APICBASE_EXTD) {
This runs in the vCPU thread (see kvm_apic_post_load, kvm_apic_reset).
> void kvm_get_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
> {
> int i, v;
> + uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
Likewise, via kvm_arch_get_registers.
> - if (kvm_has_x2apic_api() && s->apicbase & MSR_IA32_APICBASE_EXTD) {
> + if (kvm_has_x2apic_api() && apicbase & MSR_IA32_APICBASE_EXTD) {
> assert(kvm_apic_get_reg(kapic, 0x2) == s->initial_apic_id);
> } else {
> s->id = kvm_apic_get_reg(kapic, 0x2) >> 24;
> @@ -97,7 +99,7 @@ void kvm_get_apic_state(APICCommonState *s, struct kvm_lapic_state *kapic)
>
> static int kvm_apic_set_base(APICCommonState *s, uint64_t val)
> {
> - s->apicbase = val;
> + qatomic_set__nocheck(&s->apicbase, val);
Likewise, via cpu_set_apic_base (called by kvm_arch_post_run or
helper_wrmsr).
> return 0;
> }
>
> @@ -140,12 +142,14 @@ static void kvm_apic_put(CPUState *cs, run_on_cpu_data data)
> APICCommonState *s = data.host_ptr;
> struct kvm_lapic_state kapic;
> int ret;
> + uint64_t apicbase;
>
> if (is_tdx_vm()) {
> return;
> }
>
> - kvm_put_apicbase(s->cpu, s->apicbase);
> + apicbase = qatomic_read__nocheck(&s->apicbase);
> + kvm_put_apicbase(s->cpu, apicbase);
Also on the vCPU thread.
> kvm_put_apic_state(s, &kapic);
>
> ret = kvm_vcpu_ioctl(CPU(s->cpu), KVM_SET_LAPIC, &kapic);
> diff --git a/hw/intc/apic_common.c b/hw/intc/apic_common.c
> index ec9e978b0b..9e42189d8a 100644
> --- a/hw/intc/apic_common.c
> +++ b/hw/intc/apic_common.c
> @@ -19,6 +19,7 @@
> */
>
> #include "qemu/osdep.h"
> +#include "qemu/atomic.h"
> #include "qemu/error-report.h"
> #include "qemu/module.h"
> #include "qapi/error.h"
> @@ -52,8 +53,9 @@ int cpu_set_apic_base(APICCommonState *s, uint64_t val)
> uint64_t cpu_get_apic_base(APICCommonState *s)
> {
> if (s) {
> - trace_cpu_get_apic_base((uint64_t)s->apicbase);
> - return s->apicbase;
> + uint64_t apicbase = qatomic_read__nocheck(&s->apicbase);
> + trace_cpu_get_apic_base(apicbase);
> + return apicbase;
Also on the vCPU thread, via e.g. helper_rdmsr
> @@ -223,9 +225,9 @@ void apic_designate_bsp(APICCommonState *s, bool bsp)
> }
>
> if (bsp) {
> - s->apicbase |= MSR_IA32_APICBASE_BSP;
> + qatomic_fetch_or(&s->apicbase, MSR_IA32_APICBASE_BSP);
> } else {
> - s->apicbase &= ~MSR_IA32_APICBASE_BSP;
> + qatomic_fetch_and(&s->apicbase, ~MSR_IA32_APICBASE_BSP);
> }
> }
> @@ -233,10 +235,11 @@ static void apic_reset_common(DeviceState *dev)
> {
> APICCommonState *s = APIC_COMMON(dev);
> APICCommonClass *info = APIC_COMMON_GET_CLASS(s);
> - uint32_t bsp;
> + uint64_t bsp;
>
> - bsp = s->apicbase & MSR_IA32_APICBASE_BSP;
> - s->apicbase = APIC_DEFAULT_ADDRESS | bsp | MSR_IA32_APICBASE_ENABLE;
> + bsp = qatomic_read__nocheck(&s->apicbase) & MSR_IA32_APICBASE_BSP;
> + qatomic_set__nocheck(&s->apicbase,
> + APIC_DEFAULT_ADDRESS | bsp | MSR_IA32_APICBASE_ENABLE);
These two run on reset. Is this the source of the issue? What other
threads are running concurrently on reset?
> @@ -405,7 +408,8 @@ static void apic_common_get_id(Object *obj, Visitor *v, const char *name,
> APICCommonState *s = APIC_COMMON(obj);
> uint32_t value;
>
> - value = s->apicbase & MSR_IA32_APICBASE_EXTD ? s->initial_apic_id : s->id;
> + value = qatomic_read__nocheck(&s->apicbase) & MSR_IA32_APICBASE_EXTD ?
> + s->initial_apic_id : s->id;
> visit_type_uint32(v, name, &value, errp);
> }
Or maybe this one?
> diff --git a/monitor/monitor.c b/monitor/monitor.c
> index c5a5d30877..f3bc4f0202 100644
> --- a/monitor/monitor.c
> +++ b/monitor/monitor.c
> @@ -338,15 +338,21 @@ static void monitor_qapi_event_emit(QAPIEvent event, QDict *qdict)
> {
> Monitor *mon;
> MonitorQMP *qmp_mon;
> + bool send;
>
> trace_monitor_protocol_event_emit(event, qdict);
> QTAILQ_FOREACH(mon, &mon_list, entry) {
> + qemu_mutex_lock(&mon->mon_lock);
> if (!monitor_is_qmp(mon)) {
> + qemu_mutex_unlock(&mon->mon_lock);
This reads mon->is_qmp. It is initialized in monitor_data_init right
after mon->mon_lock; therefore there can be no other concurrent read.
Synchronization with other threads is handled by aio_bh_schedule_oneshot().
> continue;
> }
>
> qmp_mon = container_of(mon, MonitorQMP, common);
> - if (qmp_mon->commands != &qmp_cap_negotiation_commands) {
> + send = qmp_mon->commands != &qmp_cap_negotiation_commands;
> + qemu_mutex_unlock(&mon->mon_lock);
This one is correct; however, a better way to write it is:

    if (!monitor_is_qmp(mon)) {
        continue;
    }

    WITH_QEMU_LOCK_GUARD(&mon->mon_lock) {
        qmp_mon = container_of(mon, MonitorQMP, common);
        if (qmp_mon->commands == &qmp_cap_negotiation_commands) {
            continue;
        }
    }
    qmp_send_response(qmp_mon, qdict);
> + if (send) {
> qmp_send_response(qmp_mon, qdict);
> }
> }
> diff --git a/monitor/qmp.c b/monitor/qmp.c
> index cb99a12d94..73c2fb8cbf 100644
> --- a/monitor/qmp.c
> +++ b/monitor/qmp.c
> @@ -462,9 +462,11 @@ static void monitor_qmp_event(void *opaque, QEMUChrEvent event)
>
> switch (event) {
> case CHR_EVENT_OPENED:
> + qemu_mutex_lock(&mon->common.mon_lock);
> mon->commands = &qmp_cap_negotiation_commands;
> monitor_qmp_caps_reset(mon);
> data = qmp_greeting(mon);
> + qemu_mutex_unlock(&mon->common.mon_lock);
Please make the critical section smaller and use WITH_QEMU_LOCK_GUARD().
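Something along these lines (exactly which statements still need the lock
is for you to decide; this is only meant to show the guard's scoping):

    case CHR_EVENT_OPENED:
        WITH_QEMU_LOCK_GUARD(&mon->common.mon_lock) {
            mon->commands = &qmp_cap_negotiation_commands;
            monitor_qmp_caps_reset(mon);
        }
        data = qmp_greeting(mon);
        qmp_send_response(mon, data);
        qobject_unref(data);
        break;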
> qmp_send_response(mon, data);
> qobject_unref(data);
> break;
> diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
> index 60c7981138..76bdef2c78 100644
> --- a/target/i386/kvm/kvm.c
> +++ b/target/i386/kvm/kvm.c
> @@ -5474,7 +5474,10 @@ void kvm_arch_pre_run(CPUState *cpu, struct kvm_run *run)
> X86CPU *x86_cpu = X86_CPU(cpu);
> CPUX86State *env = &x86_cpu->env;
> int ret;
> + bool nmi_pending = false;
> + bool smi_pending = false;
>
> + bql_lock();
This hunk (unused variables and a missing unlock) is definitely wrong; how
was this even tested?
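To spell out the "missing unlock" part: regardless of whether taking the
BQL here is the right fix at all, any lock taken on this path has to be
released on every exit, including early returns (some_condition below is
just a placeholder):

    bql_lock();
    if (some_condition) {
        bql_unlock();    /* early exits need the unlock too */
        return;
    }
    /* ... only the work that actually needs the BQL ... */
    bql_unlock();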
> /* Inject NMI */
> if (cpu_test_interrupt(cpu, CPU_INTERRUPT_NMI | CPU_INTERRUPT_SMI)) {
> if (cpu_test_interrupt(cpu, CPU_INTERRUPT_NMI)) {
> diff --git a/util/thread-pool.c b/util/thread-pool.c
> index d2ead6b728..af49d4dfd9 100644
> --- a/util/thread-pool.c
> +++ b/util/thread-pool.c
> @@ -18,6 +18,7 @@
> #include "qemu/defer-call.h"
> #include "qemu/queue.h"
> #include "qemu/thread.h"
> +#include "qemu/atomic.h"
> #include "qemu/coroutine.h"
> #include "trace.h"
> #include "block/thread-pool.h"
> @@ -39,9 +40,9 @@ struct ThreadPoolElementAio {
> ThreadPoolFunc *func;
> void *arg;
>
> - /* Moving state out of THREAD_QUEUED is protected by lock. After
> - * that, only the worker thread can write to it. Reads and writes
> - * of state and ret are ordered with memory barriers.
> + /*
> + * All access to state must be atomic,
> + * Use acquire/release ordering if relevant
> */
This part is certainly correct, but the comment became worse.
    /*
     * Accessed with atomics.  Moving state out of THREAD_QUEUED is
     * protected by pool->lock and only the worker thread can move
     * the state from THREAD_ACTIVE to THREAD_DONE.
     *
     * When state is THREAD_DONE, ret must have been written already.
     * Use acquire/release ordering when reading/writing ret as well.
     */
    enum ThreadState state;

    /* Accessed with atomics. */
    int ret;
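Spelled out as the producer/consumer pairing (this only restates the hunks
below using the qatomic helpers):

    /* Worker thread: publish ret first, then state, with release semantics. */
    req->ret = ret;
    qatomic_store_release(&req->state, THREAD_DONE);

    /* Completion BH: load state with acquire semantics before trusting ret. */
    if (qatomic_load_acquire(&elem->state) == THREAD_DONE) {
        int ret = elem->ret;   /* guaranteed to observe the store above */
        /* ... hand ret to the completion callback ... */
    }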
> @@ -105,15 +106,14 @@ static void *worker_thread(void *opaque)
>
> req = QTAILQ_FIRST(&pool->request_list);
> QTAILQ_REMOVE(&pool->request_list, req, reqs);
> - req->state = THREAD_ACTIVE;
> + qatomic_set(&req->state, THREAD_ACTIVE);
> qemu_mutex_unlock(&pool->lock);
>
> ret = req->func(req->arg);
>
> req->ret = ret;
> - /* Write ret before state. */
> - smp_wmb();
> - req->state = THREAD_DONE;
> + /* _release to write ret before state. */
> + qatomic_store_release(&req->state, THREAD_DONE);
>
> qemu_bh_schedule(pool->completion_bh);
> qemu_mutex_lock(&pool->lock);
> @@ -180,7 +180,8 @@ static void thread_pool_completion_bh(void *opaque)
>
> restart:
> QLIST_FOREACH_SAFE(elem, &pool->head, all, next) {
> - if (elem->state != THREAD_DONE) {
> + /* _acquire to read state before ret. */
> + if (qatomic_load_acquire(&elem->state) != THREAD_DONE) {
> continue;
> }
>
> @@ -189,9 +190,6 @@ restart:
> QLIST_REMOVE(elem, all);
>
> if (elem->common.cb) {
> - /* Read state before ret. */
> - smp_rmb();
> -
> /* Schedule ourselves in case elem->common.cb() calls aio_poll() to
> * wait for another request that completed at the same time.
> */
> @@ -223,11 +221,11 @@ static void thread_pool_cancel(BlockAIOCB *acb)
> trace_thread_pool_cancel_aio(elem, elem->common.opaque);
>
> QEMU_LOCK_GUARD(&pool->lock);
> - if (elem->state == THREAD_QUEUED) {
> + if (qatomic_read(&elem->state) == THREAD_QUEUED) {
> QTAILQ_REMOVE(&pool->request_list, elem, reqs);
> qemu_bh_schedule(pool->completion_bh);
>
> - elem->state = THREAD_DONE;
> + qatomic_set(&elem->state, THREAD_DONE);
This one is not necessary, because it's protected by the lock and no
other thread will look at it. If you want to use atomics here for
consistency, you should first use qatomic_set for ->ret and then
qatomic_store_release for ->state.
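To spell that out (only if you keep the atomics; otherwise the plain
assignments under the lock are fine):

    if (qatomic_read(&elem->state) == THREAD_QUEUED) {
        QTAILQ_REMOVE(&pool->request_list, elem, reqs);
        qemu_bh_schedule(pool->completion_bh);

        /* ret first, then publish the state change with release semantics. */
        qatomic_set(&elem->ret, -ECANCELED);
        qatomic_store_release(&elem->state, THREAD_DONE);
    }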
Thanks for the patch; I suggest that you split it across multiple
commits and focus on thread-pool.c and the monitor to begin with.
Paolo
> elem->ret = -ECANCELED;
> }
>