tests/qemuhotplugtest.c | 13 +++++-------- tests/qemumonitortestutils.c | 7 ++++++- tests/qemusecuritytest.c | 3 ++- tests/qemuxml2argvtest.c | 22 +++++++++++++--------- 4 files changed, 26 insertions(+), 19 deletions(-)
I've rewritten our virMutexes to check for failures [1] and saw couple of problems. In most cases we are destroying a locked mutex which these patches aim to fix. Then we have virLogLock() which is locked in virFork() and then unlocked from child (a different process) which is problematic. Pthread doesn't like it when one thread locks a mutex only so that another one unlocks it. Semaphores don't care. Anyway, leave virLogMutex aside, patches here fix problems at hand. BTW: commits v8.0.0-267-g39ac285c6b and v8.0.0-236-ga7201789ab were spotted because of this branch of mine. 1: https://gitlab.com/MichalPrivoznik/libvirt/-/commits/tests_mutext/ Michal Prívozník (2): tests: Track if @vm was created by qemuMonitorCommonTestNew() tests: Destroy domain object properly tests/qemuhotplugtest.c | 13 +++++-------- tests/qemumonitortestutils.c | 7 ++++++- tests/qemusecuritytest.c | 3 ++- tests/qemuxml2argvtest.c | 22 +++++++++++++--------- 4 files changed, 26 insertions(+), 19 deletions(-) -- 2.34.1
On Mon, Feb 14, 2022 at 02:32:55PM +0100, Michal Privoznik wrote:
> I've rewritten our virMutexes to check for failures [1] and saw couple
> of problems. In most cases we are destroying a locked mutex which these
> patches aim to fix. Then we have virLogLock() which is locked in
> virFork() and then unlocked from child (a different process) which is
> problematic. Pthread doesn't like it when one thread locks a mutex only
> so that another one unlocks it. Semaphores don't care.
Despite behaviuor being undefined, in practice it works with any
impl we have in supported platforms.
The key problem we're addressing is that the child process needs
to inherit a known state for the mutex. Whether that state is
locked or unlocked doesn't matter, as long as it has a bulletproof
guarantee of what that status is.
We call virLogLock before fork() to guarantee a locked state,
by blocking on any other threads in the parent that might be
temporarily holding it.
The pthread_atfork() handler can be used todo the same trick
if you don't control the place where fork() is called. The
man page explicitly says
https://linux.die.net/man/3/pthread_atfork
"The expected usage is that the prepare handler acquires
all mutex locks and the other two fork handlers release
them."
I understand why error checking mutexes reject this but AFAIK
what we do is the only possible solution that exists, other
than never touching any mutexes at all in the child which is
not viable for us.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On 2/14/22 15:01, Daniel P. Berrangé wrote:
> On Mon, Feb 14, 2022 at 02:32:55PM +0100, Michal Privoznik wrote:
>> I've rewritten our virMutexes to check for failures [1] and saw couple
>> of problems. In most cases we are destroying a locked mutex which these
>> patches aim to fix. Then we have virLogLock() which is locked in
>> virFork() and then unlocked from child (a different process) which is
>> problematic. Pthread doesn't like it when one thread locks a mutex only
>> so that another one unlocks it. Semaphores don't care.
>
> Despite behaviuor being undefined, in practice it works with any
> impl we have in supported platforms.
>
Indeed, that's why I haven't sent the patch that rewrites virLogMutex.
> The key problem we're addressing is that the child process needs
> to inherit a known state for the mutex. Whether that state is
> locked or unlocked doesn't matter, as long as it has a bulletproof
> guarantee of what that status is.
>
> We call virLogLock before fork() to guarantee a locked state,
> by blocking on any other threads in the parent that might be
> temporarily holding it.
Again, I understand that. It's just that the following code returns an
error:
#include <pthread.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
pthread_mutex_t l;
pthread_mutexattr_t attr;
pthread_mutexattr_init(&attr);
pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
pthread_mutex_init(&l, &attr);
pthread_mutex_lock(&l);
if (fork() == 0) {
/* child */
int rc;
if ((rc = pthread_mutex_unlock(&l)) != 0) {
fprintf(stderr, "unlock error: %s\n", strerror(rc));
abort();
}
}
return 0;
}
Switching to a semaphore works again. I'm not advocating for that
though, it's needless because apparently pthread does the right thing on
all platforms we care about.
>
> The pthread_atfork() handler can be used todo the same trick
> if you don't control the place where fork() is called. The
> man page explicitly says
>
> https://linux.die.net/man/3/pthread_atfork
>
> "The expected usage is that the prepare handler acquires
> all mutex locks and the other two fork handlers release
> them."
>
Which is a terrible advice, let me say. This assumes that there is a
global list of mutexes (which there certainly is not in projects of our
size), but more importantly - this is so fragile to lock ordering than
anything else.
Michal
On Mon, Feb 14, 2022 at 03:27:51PM +0100, Michal Prívozník wrote:
> On 2/14/22 15:01, Daniel P. Berrangé wrote:
> > On Mon, Feb 14, 2022 at 02:32:55PM +0100, Michal Privoznik wrote:
> >> I've rewritten our virMutexes to check for failures [1] and saw couple
> >> of problems. In most cases we are destroying a locked mutex which these
> >> patches aim to fix. Then we have virLogLock() which is locked in
> >> virFork() and then unlocked from child (a different process) which is
> >> problematic. Pthread doesn't like it when one thread locks a mutex only
> >> so that another one unlocks it. Semaphores don't care.
> >
> > Despite behaviuor being undefined, in practice it works with any
> > impl we have in supported platforms.
> >
>
> Indeed, that's why I haven't sent the patch that rewrites virLogMutex.
>
> > The key problem we're addressing is that the child process needs
> > to inherit a known state for the mutex. Whether that state is
> > locked or unlocked doesn't matter, as long as it has a bulletproof
> > guarantee of what that status is.
> >
> > We call virLogLock before fork() to guarantee a locked state,
> > by blocking on any other threads in the parent that might be
> > temporarily holding it.
>
> Again, I understand that. It's just that the following code returns an
> error:
>
> #include <pthread.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <stdio.h>
> #include <string.h>
>
> int main(int argc, char *argv[])
> {
> pthread_mutex_t l;
> pthread_mutexattr_t attr;
>
> pthread_mutexattr_init(&attr);
> pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
>
> pthread_mutex_init(&l, &attr);
>
> pthread_mutex_lock(&l);
> if (fork() == 0) {
> /* child */
> int rc;
>
> if ((rc = pthread_mutex_unlock(&l)) != 0) {
> fprintf(stderr, "unlock error: %s\n", strerror(rc));
> abort();
> }
> }
>
> return 0;
> }
>
>
> Switching to a semaphore works again. I'm not advocating for that
> though, it's needless because apparently pthread does the right thing on
> all platforms we care about.
I was thinking an alternative was to call 'pthread_mutex_init' in
the child to blindly re-initialize the mutex, since we know the
parent had synchronize already. Downside though is that we could
leak resources if mutexes have some associated OS state we don't
know about.
The 'robust' mutex type looked quite attractive because it says
PTHREAD_MUTEX_ROBUST
If a mutex is initialized with the PTHREAD_MUTEX_ROBUST
attribute and its owner dies without unlocking it, any
future attempts to call pthread_mutex_lock(3) on this
mutex will succeed and return EOWNERDEAD to indicate
that the original owner no longer exists and the mutex
is in an inconsistent state. Usually after EOWNERDEAD
is returned, the next owner should call pthread_mu‐
tex_consistent(3) on the acquired mutex to make it con‐
sistent again before using it any further.
IOW we could
pthread_mutex_lock(&m)
pid = fork()
if (pid == 0) {
pthread_mutex_lock(&m)
pthread_mutex_consistent(&m)
} else {
pthread_mutex_unlock(&m)
}
but in practice that doesn't work. The lock() call in the child
deadlocks instead of returning EOWNERDEAD. IOW, from POV of a
robust mutex the parent thread & child process are the same,
but from POV of an error chekcing mutex they are different.
Yay for consistency :-(
> > The pthread_atfork() handler can be used todo the same trick
> > if you don't control the place where fork() is called. The
> > man page explicitly says
> >
> > https://linux.die.net/man/3/pthread_atfork
> >
> > "The expected usage is that the prepare handler acquires
> > all mutex locks and the other two fork handlers release
> > them."
> >
>
> Which is a terrible advice, let me say. This assumes that there is a
> global list of mutexes (which there certainly is not in projects of our
> size), but more importantly - this is so fragile to lock ordering than
> anything else.
Yeah lock ordering would be a trainwreck.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
© 2016 - 2024 Red Hat, Inc.