On 09.02.21 13:00, Jan Kara wrote:
Yes, although in last year, people try to convert these unlocked reads to READ_ONCE() or similar as otherwise the compiler is apparently allowed to generate code which is not safe. But that's a different story.Is this ongoing work?Yes, in a way. It's mostly prompted by KCSAN warnings generated by syzbot ;).Using such a macro would a) make our work much easier as we can instrument them, and b) would tell less experienced developers that no locking is needed.Yes, I agree that it has some benefit for documentation and automatic checkers as well. OTOH code readability is sometimes hurt by this...Does the usage of READ_ONCE() imply that no lock is needed?No, but it does indicate there's something unusual happening with the variable - usually that variable write can race with this read.Otherwise, one could introduce another macro for jbd2, such as #define READ_UNLOCKED() READ_ONCE(), which is more precise.Well, yes, but OTOH special macros for small subsystems like this are making more harm than good in terms of readability since people have to lookup what exactly they mean anyway.
So the only option left would be a global macro such as READ_ONCE() I guess. How hard would it be to establish such a global notation?It would make things a lot easier for LockDoc, because we can instrument such a macro, and therefore can annotate those accesses.>
Definitely. The simplest case is: You can fetch journal->j_running_transaction pointer any time without any problem. But you can *dereference* it only if you hold the j_state_lock while fetching the pointer and dereferencing it.
Thx.
So sometimes requiring the lock is just the leastproblematic solution - there's always the tradeoff between the speed and simplicity.All of the above members have word size, i.e., int, long, or ptr. Is it therefore safe to split the locking documentation as follows? @j_flags: General journaling state flags [r:nolocks, w:j_state_lock]I've checked the code and we usually use unlocked reads for quick, possibly racy checks and if they indicate we may need to do something then take the lock and do a reliable check. This is quite common pattern, not sure how to best document this. Maybe like [j_state_lock, no lock for quick racy checks]?Yeah, I'm fine with that. Does this rule apply for the other members of journal_t (and transaction_t?) listed above?Yes.
Thx. I'll submit a patch for those elements.For now, this will improve LockDoc's results as we can add "no locks needed" to our config for j_flags. We check whether the observed accesses match the documented locking rules. LockDoc will accept both results "j_list_lock" and "no locks needed" for reading j_flags.
However, real faulty unlocked accesses will be concealed. :-( - Alex
Honza
-- Technische Universität Dortmund Alexander Lochmann PGP key: 0xBC3EF6FD Otto-Hahn-Str. 16 phone: +49.231.7556141 D-44227 Dortmund fax: +49.231.7556116 http://ess.cs.tu-dortmund.de/Staff/al
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
