Re: [Intel-gfx] [PATCH] drm/i915: Don't wait forever in drop_caches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/4/2022 03:01, Tvrtko Ursulin wrote:
On 03/11/2022 19:16, John Harrison wrote:
On 11/3/2022 02:38, Tvrtko Ursulin wrote:
On 03/11/2022 09:18, Tvrtko Ursulin wrote:
On 03/11/2022 01:33, John Harrison wrote:
On 11/2/2022 07:20, Tvrtko Ursulin wrote:
On 02/11/2022 12:12, Jani Nikula wrote:
On Tue, 01 Nov 2022, John.C.Harrison@xxxxxxxxx wrote:
From: John Harrison <John.C.Harrison@xxxxxxxxx>

At the end of each test, IGT does a drop caches call via sysfs with

sysfs?
Sorry, that was meant to say debugfs. I've also been working on some sysfs IGT issues and evidently got my wires crossed!


special flags set. One of the possible paths waits for idle with an infinite timeout. That causes problems for debugging issues when CI catches a "can't go idle" test failure. Best case, the CI system times
out (after 90s), attempts a bunch of state dump actions and then
reboots the system to recover it. Worst case, the CI system can't do anything at all and then times out (after 1000s) and simply reboots. Sometimes a serial port log of dmesg might be available, sometimes not.

So rather than making life hard for ourselves, change the timeout to
be 10s rather than infinite. Also, trigger the standard
wedge/reset/recover sequence so that testing can continue with a
working system (if possible).

Signed-off-by: John Harrison <John.C.Harrison@xxxxxxxxx>
---
  drivers/gpu/drm/i915/i915_debugfs.c | 7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
index ae987e92251dd..9d916fbbfc27c 100644
--- a/drivers/gpu/drm/i915/i915_debugfs.c
+++ b/drivers/gpu/drm/i915/i915_debugfs.c
@@ -641,6 +641,9 @@ DEFINE_SIMPLE_ATTRIBUTE(i915_perf_noa_delay_fops,
            DROP_RESET_ACTIVE | \
            DROP_RESET_SEQNO | \
            DROP_RCU)
+
+#define DROP_IDLE_TIMEOUT    (HZ * 10)

I915_IDLE_ENGINES_TIMEOUT is defined in i915_drv.h. It's also only used
here.

So move here, dropping i915 prefix, next to the newly proposed one?
Sure, can do that.


I915_GEM_IDLE_TIMEOUT is defined in i915_gem.h. It's only used in
gt/intel_gt.c.

Move there and rename to GT_IDLE_TIMEOUT?

I915_GT_SUSPEND_IDLE_TIMEOUT is defined and used only in intel_gt_pm.c.

No action needed, maybe drop i915 prefix if wanted.

These two are totally unrelated and in code not being touched by this change. I would rather not conflate changing random other things with fixing this specific issue.

I915_IDLE_ENGINES_TIMEOUT is in ms, the rest are in jiffies.

Add _MS suffix if wanted.

My head spins.

I follow and raise that the newly proposed DROP_IDLE_TIMEOUT applies to DROP_ACTIVE and not only DROP_IDLE.
My original intention for the name was that is the 'drop caches timeout for intel_gt_wait_for_idle'. Which is quite the mouthful and hence abbreviated to DROP_IDLE_TIMEOUT. But yes, I realised later that name can be conflated with the DROP_IDLE flag. Will rename.



Things get refactored, code moves around, bits get left behind, who knows. No reason to get too worked up. :) As long as people are taking a wider view when touching the code base, and are not afraid to send cleanups, things should be good.
On the other hand, if every patch gets blocked in code review because someone points out some completely unrelated piece of code could be a bit better then nothing ever gets fixed. If you spot something that you think should be improved, isn't the general idea that you should post a patch yourself to improve it?

There's two maintainers per branch and an order of magnitude or two more developers so it'd be nice if cleanups would just be incoming on self-initiative basis. ;)

For the actual functional change at hand - it would be nice if code paths in question could handle SIGINT and then we could punt the decision on how long someone wants to wait purely to userspace. But it's probably hard and it's only debugfs so whatever.

The code paths in question will already abort on a signal won't they? Both intel_gt_wait_for_idle() and intel_guc_wait_for_pending_msg(), which is where the uc_wait_for_idle eventually ends up, have an 'if(signal_pending) return -EINTR;' check. Beyond that, it sounds like what you are asking for is a change in the IGT libraries and/or CI framework to start sending signals after some specific timeout. That seems like a significantly more complex change (in terms of the number of entities affected and number of groups involved) and unnecessary.

If you say so, I haven't looked at them all. But if the code path in question already aborts on signals then I am not sure what is the patch fixing? I assumed you are trying to avoid the write stuck in D forever, which then prevents driver unload and everything, requiring the test runner to eventually reboot. If you say SIGINT works then you can already recover from userspace, no?

Whether or not 10s is enough CI will hopefully tell us. I'd probably err on the side of safety and make it longer, but at most half from the test runner timeout.
This is supposed to be test clean up. This is not about how long a particular test takes to complete but about how long it takes to declare the system broken after the test has already finished. I would argue that even 10s is massively longer than required.


I am not convinced that wedging is correct though. Conceptually could be just that the timeout is too short. What does wedging really give us, on top of limiting the wait, when latter AFAIU is the key factor which would prevent the need to reboot the machine?

It gives us a system that knows what state it is in. If we can't idle the GT then something is very badly wrong. Wedging indicates that. It also ensure that a full GT reset will be attempted before the next test is run. Helping to prevent a failure on test X from propagating into failures of unrelated tests X+1, X+2, ... And if the GT reset does not work because the system is really that badly broken then future tests will not run rather than report erroneous failures.

This is not about getting a more stable system for end users by sweeping issues under the carpet and pretending all is well. End users don't run IGTs or explicitly call dodgy debugfs entry points. The sole motivation here is to get more accurate results from CI. That is, correctly identifying which test has hit a problem, getting valid debug analysis for that test (logs and such) and allowing further testing to complete correctly in the case where the system can be recovered.

I don't really oppose shortening of the timeout in principle, just want a clear statement if this is something IGT / test runner could already do or not. It can apply a timeout, it can also send SIGINT, and it could even trigger a reset from outside. Sure it is debugfs hacks so general "kernel should not implement policy" need not be strictly followed, but lets have it clear what are the options.

One conceptual problem with applying this policy is that the code is:

    if (val & (DROP_IDLE | DROP_ACTIVE)) {
        ret = intel_gt_wait_for_idle(gt, MAX_SCHEDULE_TIMEOUT);
        if (ret)
            return ret;
    }

    if (val & DROP_IDLE) {
        ret = intel_gt_pm_wait_for_idle(gt);
        if (ret)
            return ret;
    }

So if someone passes in DROP_IDLE and then why would only the first branch have a short timeout and wedge. Yeah some bug happens to be there at the moment, but put a bug in a different place and you hang on the second branch and then need another patch. Versus perhaps making it all respect SIGINT and handle from outside.

The pm_wait_for_idle is can only called after gt_wait_for_idle has completed successfully. There is no route to skip the GT idle or to do the PM idle even if the GT idle fails. So the chances of the PM idle failing are greatly reduced. There would have to be something outside of a GT keeping the GPU awake and there isn't a whole lot of hardware left at that point!

Well "greatly reduced" is beside my point. Point is today bug is here and we add a timeout, tomorrow bug is there and then the same dance. It can be just a sw bug which forgets to release the pm ref in some circumstances, doesn't really matter.

Huh?

Greatly reduced is the whole point. Today there is a bug and it causes a kernel hang which requires the CI framework to reboot the system in an extremely unfriendly way which makes it very hard to work out what happened. Logs are likely not available. We don't even necessarily know which test was being run at the time. Etc. So we replace the infinite timeout with a meaningful timeout. CI now correctly marks the single test as failing, captures all the correct logs, creates a useful bug report and continues on testing more stuff.

Sure, there is still the chance of hitting an infinite timeout. But that one is significantly more complicated to remove. And the chances of hitting that one are significantly smaller than the chances of hitting the first one.

So you are arguing that because I can't fix the last 0.1% of possible failures, I am not allowed to fix the first 99.9% of the failures?


Regarding signals, the PM idle code ends up at wait_var_event_killable(). I assume that is interruptible via at least a KILL signal if not any signal. Although it's not entirely clear trying to follow through the implementation of this code. Also, I have no idea if there is a safe way to add a timeout to that code (or why it wasn't already written with a timeout included). Someone more familiar with the wakeref internals would need to comment.

However, I strongly disagree that we should not fix the driver just because it is possible to workaround the issue by re-writing the CI framework. Feel free to bring a redesign plan to the IGT WG and whatever equivalent CI meetings in parallel. But we absolutely should not have infinite waits in the kernel if there is a trivial way to not have infinite waits.

I thought I was clear that I am not really opposed to the timeout.

The rest of the paragraph I don't really care - point is moot because it's debugfs so we can do whatever, as long as it is not burdensome to i915, which this isn't. If either wasn't the case then we certainly wouldn't be adding any workarounds in the kernel if it can be achieved in IGT.

Also, sending a signal does not result in the wedge happening. I specifically did not want to change that code path because I was assuming there was a valid reason for it. If you have been interrupted then you are in the territory of maybe it would have succeeded if you just left it for a moment longer. Whereas, hitting the timeout says that someone very deliberately said this is too long to wait and therefore the system must be broken.

I wanted to know specifically about wedging - why can't you wedge/reset from IGT if DROP_IDLE times out in quiescent or wherever, if that's what you say is the right thing?
Huh?

DROP_IDLE has two waits. One that I am trying to change from infinite to finite + wedge. One that would take considerable effort to change and would be quite invasive to a lot more of the driver and which can only be hit if the first timeout actually completed successfully and is therefore of less importance anyway. Both of those time outs appear to respect signal interrupts.

That's a policy decision so why would i915 wedge if an arbitrary timeout expired? I915 is not controlling how much work there is outstanding at the point the IGT decides to call DROP_IDLE.

Because this is a debug test interface that is used solely by IGT after it has finished its testing. This is not about wedging the device at some random arbitrary point because an AI compute workload takes three hours to complete. This is about a very specific test framework cleaning up after testing is completed and making sure the test did not fry the system.

And even if an IGT test was calling DROP_IDLE in the middle of a test for some reason, it should not be deliberately pushing 10+ seconds of work through and then calling a debug only interface to flush it out. If a test wants to verify that the system can cope with submitting a minutes worth of rendering and then waiting for it to complete then the test should be using official channels for that wait.


Plus, infinite wait is not a valid code path in the first place so any change in behaviour is not really a change in behaviour. Code can't be relying on a kernel call to never return for its correct operation!

Why infinite wait wouldn't be valid? Then you better change the other one as well. ;P
In what universe is it ever valid to wait forever for a test to complete?

See above, the PM code would require much more invasive changes. This was low hanging fruit. It was supposed to be a two minute change to a very self contained section of code that would provide significant benefit to debugging a small class of very hard to debug problems.

John.



Regards,

Tvrtko

And if you don't wedge then you don't recover. Each subsequent test would just hit the infinite timeout, get killed by the CI framework's shiny new kill signal and be marked as yet another unrelated bug that will be logged separately. Whereas, using a sensible timeout and then wedging will at least attempt to recover the situation. And if it can be recovered, future tests will pass. If it can't then future testing will be aborted.

John.


Regards,

Tvrtko





[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux