Re: [RFC PATCH] migration: reduce time of loading non-iterable vmstate

[Peter Xu <peterx@redhat.com>]

Chuang,

No worry on the delay; you're faster than when I read yours. :)

On Mon, Dec 05, 2022 at 02:56:15PM +0800, Chuang Xu wrote:
> > As a start, maybe you can try with poison address_space_to_flatview() (by
> > e.g. checking the start_pack_mr_change flag and assert it is not set)
> > during this process to see whether any call stack can even try to
> > dereference a flatview.
> > 
> > It's just that I didn't figure a good way to "prove" its validity, even if
> > I think this is an interesting idea worth thinking to shrink the downtime.
> 
> Thanks for your sugguestions!
> I used a thread local variable to identify whether the current thread is a
> migration thread(main thread of target qemu) and I modified the code of
> qemu_coroutine_switch to make sure the thread local variable true only in
> process_incoming_migration_co call stack. If the target qemu detects that
> start_pack_mr_change is set and address_space_to_flatview() is called in
> non-migrating threads or non-migrating coroutine, it will crash.

Are you using the thread var just to avoid the assert triggering in the
migration thread when commiting memory changes?

I think _maybe_ another cleaner way to sanity check this is directly upon
the depth:

static inline FlatView *address_space_to_flatview(AddressSpace *as)
{
    /*
     * Before using any flatview, sanity check we're not during a memory
     * region transaction or the map can be invalid.  Note that this can
     * also be called during commit phase of memory transaction, but that
     * should also only happen when the depth decreases to 0 first.
     */
    assert(memory_region_transaction_depth == 0);
    return qatomic_rcu_read(&as->current_map);
}

That should also cover the safe cases of memory transaction commits during
migration.

> I tested migration for lots of times, there was no crash. Does this prove
> the validity to some extent?

Yes I think so, it's just that if we cannot 100% prove it's safe (e.g. you
cannot cover all the code paths in qemu that migration can trigger) then we
may need some sanity check like above along with the solution to make sure
even if something wrong it won't go wrong as weird.

And if we want to try this out, it'll better be at the start of a dev cycle
and we fix things or revert before the next rc0 releases.

I'm not sure whether that assert might be too strong, we can use an error
instead, but so far I don't see how that can happen and if that happens I
feel like it's bad enough, so maybe not so much.  Then AFAICT we can
completely drop start_pack_mr_change with that stronger check.

If you agree with above, feel free to have two patches in the new version,
making the depth assert a separate patch.  At the meantime, let's see
whether you can get some other comments from others.

-- 
Peter Xu