From nobody Mon Feb 9 00:55:54 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1652716298; cv=none; d=zohomail.com; s=zohoarc; b=bINRl6ZcMwcqhPeRvFocVHtIW7pokDnhN4gs/Kji/zeOfNHegdlrydMVnXbxWTeC3D94wJkHoBAi0AVaO5Qh2Ot9UE213qs61UhjrXkEWrpudLKPdJXITdIMv4b008O8O8smaz5PINGgl0K5M+pAv1i6zNi01gm9d07CRFIMCAI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1652716298; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=0LVxyf2uTnuSBTdYJGSV7LawDL9mx09bd6yKipmio+4=; b=Mshs8F2+GhWvQw0sq9hZbu47Jyy54qYHVzCq3sl9fv2Bh+AswK5MfEaRILGb0sy2b0xCEG++3TxIkruZNzpZznd9TRQt0V7ouHLyFx19ToFTD2D2+ijmeC9o1j8tphTIUG9Olld9fqzxB+ivWqhayScpJyw3BCELK3Uhs+JutvE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1652716298446876.8634074819643; Mon, 16 May 2022 08:51:38 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-133-cO4pd0rkPx2poUE0Pm8vwQ-1; Mon, 16 May 2022 11:51:35 -0400 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 3D743805F6F; Mon, 16 May 2022 15:51:33 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 22C6D40316C; Mon, 16 May 2022 15:51:33 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id D37B6194705C; Mon, 16 May 2022 15:51:32 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 479CC194704E for ; Mon, 16 May 2022 15:51:30 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 29B1A1541C42; Mon, 16 May 2022 15:51:30 +0000 (UTC) Received: from speedmetal.lan (unknown [10.40.208.21]) by smtp.corp.redhat.com (Postfix) with ESMTP id 250FA1541C40 for ; Mon, 16 May 2022 15:51:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1652716297; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=0LVxyf2uTnuSBTdYJGSV7LawDL9mx09bd6yKipmio+4=; b=MABxw/p2Vq+GGQ1wirEE/iTU50PkmsUzBFbdHsMUdLvwdyflpkLTFpvFywt7tp5p+fMNwG swsCZ1QqmIInkRMS9Ipmw5tIiXTkQ4IlG46T4SdPytRmw2SPw8yVN1k4y86Ew7FU4jF1b0 ARm2eCYmeKjGJudKmuTgGrqmymbgtmA= X-MC-Unique: cO4pd0rkPx2poUE0Pm8vwQ-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Peter Krempa To: libvir-list@redhat.com Subject: [PATCH 1/3] qemu: THREADS.txt: rSTize and move to knowledge-base Date: Mon, 16 May 2022 17:51:24 +0200 Message-Id: In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 2.85 on 10.11.54.10 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1652716299571100001 Content-Type: text/plain; charset="utf-8" Move the internal documentation about qemu threading to the knowledge base. The conversion included rstizing of the text document, mainly just fixing of the headline and enclosing function names and code examples into code block sections. Signed-off-by: Peter Krempa --- docs/kbase/index.rst | 3 + docs/kbase/internals/meson.build | 1 + .../kbase/internals/qemu-threads.rst | 136 +++++++++--------- 3 files changed, 69 insertions(+), 71 deletions(-) rename src/qemu/THREADS.txt =3D> docs/kbase/internals/qemu-threads.rst (70= %) diff --git a/docs/kbase/index.rst b/docs/kbase/index.rst index 0848467d51..f1cd143fab 100644 --- a/docs/kbase/index.rst +++ b/docs/kbase/index.rst @@ -101,3 +101,6 @@ Internals `RPC protocol & APIs `__ RPC protocol information and API / dispatch guide + +`QEMU driver threading `__ + Basics of locking and threaded access to qemu driver primitives. diff --git a/docs/kbase/internals/meson.build b/docs/kbase/internals/meson.= build index 8b5daad1f9..3e84b398b2 100644 --- a/docs/kbase/internals/meson.build +++ b/docs/kbase/internals/meson.build @@ -5,6 +5,7 @@ docs_kbase_internals_files =3D [ 'locking', 'migration', 'overview', + 'qemu-threads', 'rpc', ] diff --git a/src/qemu/THREADS.txt b/docs/kbase/internals/qemu-threads.rst similarity index 70% rename from src/qemu/THREADS.txt rename to docs/kbase/internals/qemu-threads.rst index b5f54f203c..c68512d1b3 100644 --- a/src/qemu/THREADS.txt +++ b/docs/kbase/internals/qemu-threads.rst @@ -1,5 +1,7 @@ - QEMU Driver Threading: The Rules - =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +QEMU Driver Threading: The Rules +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D + +.. contents:: This document describes how thread safety is ensured throughout the QEMU driver. The criteria for this model are: @@ -8,37 +10,36 @@ the QEMU driver. The criteria for this model are: - Code which sleeps must be able to time out after suitable period - Must be safe against dispatch of asynchronous events from monitor - Basic locking primitives ------------------------ There are a number of locks on various objects - * virQEMUDriver * + ``virQEMUDriver`` - The qemu_conf.h file has inline comments describing the locking + The ``qemu_conf.h`` file has inline comments describing the locking needs for each field. Any field marked immutable, self-locking can be accessed without the driver lock. For other fields there - are typically helper APIs in qemu_conf.c that provide serialized - access to the data. No code outside qemu_conf.c should ever + are typically helper APIs in ``qemu_conf.c`` that provide serialized + access to the data. No code outside ``qemu_conf.c`` should ever acquire this lock - * virDomainObj * + ``virDomainObj`` Will be locked and the reference counter will be increased after calli= ng - any of the virDomainObjListFindBy{ID,Name,UUID} methods. The preferred= way + any of the ``virDomainObjListFindBy{ID,Name,UUID}`` methods. The prefe= rred way of decrementing the reference counter and unlocking the domain is usin= g the - virDomainObjEndAPI() function. + ``virDomainObjEndAPI()`` function. - Lock must be held when changing/reading any variable in the virDomainO= bj * + Lock must be held when changing/reading any variable in the ``virDomai= nObj`` This lock must not be held for anything which sleeps/waits (i.e. monit= or commands). - * qemuMonitorPrivatePtr: Job conditions + ``qemuMonitorPrivatePtr`` job conditions - Since virDomainObj *lock must not be held during sleeps, the job + Since ``virDomainObj`` lock must not be held during sleeps, the job conditions provide additional protection for code making updates. QEMU driver uses three kinds of job conditions: asynchronous, agent @@ -61,30 +62,30 @@ There are a number of locks on various objects Agent job condition is then used when thread wishes to talk to qemu agent monitor. It is possible to acquire just agent job - (qemuDomainObjBeginAgentJob), or only normal job (qemuDomainObjBeginJo= b) + (``qemuDomainObjBeginAgentJob``), or only normal job (``qemuDomainObjB= eginJob``) but not both at the same time. Holding an agent job and a normal job w= ould allow an unresponsive or malicious agent to block normal libvirt API a= nd potentially result in a denial of service. Which type of job to grab depends whether caller wishes to communicate only with agent socket, or only with qemu monitor socket. - Immediately after acquiring the virDomainObj *lock, any method + Immediately after acquiring the ``virDomainObj`` lock, any method which intends to update state must acquire asynchronous, normal or - agent job . The virDomainObj *lock is released while blocking on + agent job . The ``virDomainObj`` lock is released while blocking on these condition variables. Once the job condition is acquired, a - method can safely release the virDomainObj *lock whenever it hits + method can safely release the ``virDomainObj`` lock whenever it hits a piece of code which may sleep/wait, and re-acquire it after the sleep/wait. Whenever an asynchronous job wants to talk to the monitor, it needs to acquire nested job (a special kind of normal job) to obtain exclusive access to the monitor. - Since the virDomainObj *lock was dropped while waiting for the + Since the ``virDomainObj`` lock was dropped while waiting for the job condition, it is possible that the domain is no longer active when the condition is finally obtained. The monitor lock is only safe to grab after verifying that the domain is still active. - * qemuMonitor *: Mutex + ``qemuMonitor`` mutex Lock to be used when invoking any monitor command to ensure safety wrt any asynchronous events that may be dispatched from the monitor. @@ -92,118 +93,111 @@ There are a number of locks on various objects The job condition *MUST* be held before acquiring the monitor lock - The virDomainObj *lock *MUST* be held before acquiring the monitor + The ``virDomainObj`` lock *MUST* be held before acquiring the monitor lock. - The virDomainObj *lock *MUST* then be released when invoking the + The ``virDomainObj`` lock *MUST* then be released when invoking the monitor command. Helper methods -------------- -To lock the virDomainObj * - - virObjectLock() - - Acquires the virDomainObj *lock +To lock the ``virDomainObj`` - virObjectUnlock() - - Releases the virDomainObj *lock + ``virObjectLock()`` + - Acquires the ``virDomainObj`` lock + ``virObjectUnlock()`` + - Releases the ``virDomainObj`` lock To acquire the normal job condition - qemuDomainObjBeginJob() + ``qemuDomainObjBeginJob()`` - Waits until the job is compatible with current async job or no async job is running - - Waits for job.cond condition 'job.active !=3D 0' using virDomainObj * + - Waits for ``job.cond`` condition ``job.active !=3D 0`` using ``virDo= mainObj`` mutex - Rechecks if the job is still compatible and repeats waiting if it isn't - - Sets job.active to the job type + - Sets ``job.active`` to the job type - - qemuDomainObjEndJob() + ``qemuDomainObjEndJob()`` - Sets job.active to 0 - Signals on job.cond condition - To acquire the agent job condition - qemuDomainObjBeginAgentJob() + ``qemuDomainObjBeginAgentJob()`` - Waits until there is no other agent job set - - Sets job.agentActive tp the job type - - qemuDomainObjEndAgentJob() - - Sets job.agentActive to 0 - - Signals on job.cond condition + - Sets ``job.agentActive`` to the job type + ``qemuDomainObjEndAgentJob()`` + - Sets ``job.agentActive`` to 0 + - Signals on ``job.cond`` condition To acquire the asynchronous job condition - qemuDomainObjBeginAsyncJob() + ``qemuDomainObjBeginAsyncJob()`` - Waits until no async job is running - - Waits for job.cond condition 'job.active !=3D 0' using virDomainObj * + - Waits for ``job.cond`` condition ``job.active !=3D 0`` using ``virDo= mainObj`` mutex - - Rechecks if any async job was started while waiting on job.cond + - Rechecks if any async job was started while waiting on ``job.cond`` and repeats waiting in that case - - Sets job.asyncJob to the asynchronous job type - - - qemuDomainObjEndAsyncJob() - - Sets job.asyncJob to 0 - - Broadcasts on job.asyncCond condition + - Sets ``job.asyncJob`` to the asynchronous job type + ``qemuDomainObjEndAsyncJob()`` + - Sets ``job.asyncJob`` to 0 + - Broadcasts on ``job.asyncCond`` condition To acquire the QEMU monitor lock - qemuDomainObjEnterMonitor() - - Acquires the qemuMonitorObjPtr lock - - Releases the virDomainObj *lock + ``qemuDomainObjEnterMonitor()`` + - Acquires the ``qemuMonitorObj`` lock + - Releases the ``virDomainObj`` lock - qemuDomainObjExitMonitor() - - Releases the qemuMonitorObjPtr lock - - Acquires the virDomainObj *lock + ``qemuDomainObjExitMonitor()`` + - Releases the ``qemuMonitorObj`` lock + - Acquires the ``virDomainObj`` lock These functions must not be used by an asynchronous job. To acquire the QEMU monitor lock as part of an asynchronous job - qemuDomainObjEnterMonitorAsync() + ``qemuDomainObjEnterMonitorAsync()`` - Validates that the right async job is still running - - Acquires the qemuMonitorObjPtr lock - - Releases the virDomainObj *lock + - Acquires the ``qemuMonitorObj`` lock + - Releases the ``virDomainObj`` lock - Validates that the VM is still active qemuDomainObjExitMonitor() - - Releases the qemuMonitorObjPtr lock - - Acquires the virDomainObj *lock + - Releases the ``qemuMonitorObj`` lock + - Acquires the ``virDomainObj`` lock These functions are for use inside an asynchronous job; the caller must check for a return of -1 (VM not running, so nothing to exit). - Helper functions may also call this with VIR_ASYNC_JOB_NONE when + Helper functions may also call this with ``VIR_ASYNC_JOB_NONE`` when used from a sync job (such as when first starting a domain). To keep a domain alive while waiting on a remote command - qemuDomainObjEnterRemote() - - Releases the virDomainObj *lock + ``qemuDomainObjEnterRemote()`` + - Releases the ``virDomainObj`` lock - qemuDomainObjExitRemote() - - Acquires the virDomainObj *lock + ``qemuDomainObjExitRemote()`` + - Acquires the ``virDomainObj`` lock Design patterns --------------- - - * Accessing something directly to do with a virDomainObj * + * Accessing something directly to do with a ``virDomainObj``:: virDomainObj *obj; @@ -214,7 +208,7 @@ Design patterns virDomainObjEndAPI(&obj); - * Updating something directly to do with a virDomainObj * + * Updating something directly to do with a ``virDomainObj``:: virDomainObj *obj; @@ -229,7 +223,7 @@ Design patterns virDomainObjEndAPI(&obj); - * Invoking a monitor command on a virDomainObj * + * Invoking a monitor command on a ``virDomainObj``:: virDomainObj *obj; qemuDomainObjPrivate *priv; @@ -252,7 +246,7 @@ Design patterns virDomainObjEndAPI(&obj); - * Invoking an agent command on a virDomainObj * + * Invoking an agent command on a ``virDomainObj``:: virDomainObj *obj; qemuAgent *agent; @@ -276,7 +270,7 @@ Design patterns virDomainObjEndAPI(&obj); - * Running asynchronous job + * Running asynchronous job:: virDomainObj *obj; qemuDomainObjPrivate *priv; @@ -316,7 +310,7 @@ Design patterns virDomainObjEndAPI(&obj); - * Coordinating with a remote server for migration + * Coordinating with a remote server for migration:: virDomainObj *obj; qemuDomainObjPrivate *priv; --=20 2.35.3