block/io.c | 48 ++++++-- blockjob.c | 3 +- include/block/aio-wait.h | 15 ++- include/block/block.h | 7 ++ tests/unit/test-bdrv-drain.c | 218 +++++++++++++++++++++++++++++++++++ 5 files changed, 274 insertions(+), 17 deletions(-)
This serie tries to provide a proof of concept and a clear explanation
on why we need to use drains (and more precisely subtree_drains)
to replace the aiocontext lock, especially to protect BlockDriverState
->children and ->parent lists.
Just a small recap on the key concepts:
* We split block layer APIs in "global state" (GS), "I/O", and
"global state or I/O".
GS are running in the main loop, under BQL, and are the only
one allowed to modify the BlockDriverState graph.
I/O APIs are thread safe and can run in any thread
"global state or I/O" are essentially all APIs that use
BDRV_POLL_WHILE. This is because there can be only 2 threads
that can use BDRV_POLL_WHILE: main loop and the iothread that
runs the aiocontext.
* Drains allow the caller (either main loop or iothread running
the context) to wait all in_flights requests and operations
of a BDS: normal drains target a given node and is parents, while
subtree ones also include the subgraph of the node. Siblings are
not affected by any of these two kind of drains.
After bdrv_drained_begin, no more request is allowed to come
from the affected nodes. Therefore the only actor left working
on a drained part of the graph should be the main loop.
What do we intend to do
-----------------------
We want to remove the AioContext lock. It is not 100% clear on how
many things we are protecting with it, and why.
As a starter, we want to protect BlockDriverState ->parents and
->children lists, since they are read by main loop and I/O but
only written by main loop under BQL. The function that modifies
these lists is bdrv_replace_child_common().
How do we want to do it
-----------------------
We individuated as ideal subtitute of AioContext lock
the subtree_drain API. The reason is simple: draining prevents the iothread to read or write the nodes, so once the main loop finishes
executing bdrv_drained_begin() on the interested graph, we are sure that
the iothread is not going to look or even interfere with that part of the graph.
We are also sure that the only two actors that can look at a specific
BlockDriverState in any given context are the main loop and the
iothread running the AioContext (ensured by "global state or IO" logic).
Why use _subtree_ instead of normal drain
-----------------------------------------
A simple drain "blocks" a given node and all its parents.
But it doesn't touch the child.
This means that if we use a simple drain, a child can always
keep processing requests, and eventually end up calling itself
bdrv_drained_begin, ending up reading the parents node while the main loop
is modifying them. Therefore a subtree drain is necessary.
Possible scenarios
-------------------
Keeping in mind that we can only have an iothread and the main loop
draining on a certain node, we could have:
main loop successfully drains and then iothread tries to drain:
impossible scenario, as iothread is already stopped once main
successfully drains.
iothread successfully drains and then main loop drains:
should not be a problem, as:
1) the iothread should be already "blocked" by its own drain
2) main loop would still wait for it to completely block
There is the issue of mirror overriding such scenario to avoid
having deadlocks, but that is handled in the next section.
main loop and iothread try to drain together:
As above, this case doens't really matter. As long as
bdrv_drained_begin invariant is respected, the main loop will
continue only once the iothread is "blocked" on that part of the graph.
A note on iothread draining
---------------------------
Theoretically draining from an iothread should not be possible,
as the iothread would be scheduling a bh in the main loop waiting
for itself to stop, even though it is not yet stopped since it is waiting for the bh.
This is what would happen in the tests in patch 5 if .drained_poll
was not implemented.
Therefore, one solution is to use .drained_poll callback in BlockJobDriver.
This callback overrides the default job poll() behavior, and
allows the polling condition to stop waiting for the job.
It is actually used only in mirror.
This however breaks bdrv_drained_begin invariant, because the
iothread is not really blocked on that node but continues running.
In order to fix this, patch 4 allows the polling condition to be
used only by the iothread, and not the main loop too, preventing
the drain to return before the iothread is effectively stopped.
This is also shown in the tests in patch 5. If the fix in patch
4 is removed, then the main loop drain will return earlier and
allow the iothread to run and drain together.
The other patches in this serie are cherry-picked from the various
series I already sent, and are included here just to allow
subtree_drained_begin/end_unlocked implementation.
Emanuele Giuseppe Esposito (5):
aio-wait.h: introduce AIO_WAIT_WHILE_UNLOCKED
introduce BDRV_POLL_WHILE_UNLOCKED
block/io.c: introduce bdrv_subtree_drained_{begin/end}_unlocked
child_job_drained_poll: override polling condition only when in home
thread
test-bdrv-drain: ensure draining from main loop stops iothreads
block/io.c | 48 ++++++--
blockjob.c | 3 +-
include/block/aio-wait.h | 15 ++-
include/block/block.h | 7 ++
tests/unit/test-bdrv-drain.c | 218 +++++++++++++++++++++++++++++++++++
5 files changed, 274 insertions(+), 17 deletions(-)
--
2.31.1
I would really love to hear opinions on this, since we already had some
discussions on other similar patches.
Thank you,
Emanuele
On 01/03/2022 15:21, Emanuele Giuseppe Esposito wrote:
> This serie tries to provide a proof of concept and a clear explanation
> on why we need to use drains (and more precisely subtree_drains)
> to replace the aiocontext lock, especially to protect BlockDriverState
> ->children and ->parent lists.
>
> Just a small recap on the key concepts:
> * We split block layer APIs in "global state" (GS), "I/O", and
> "global state or I/O".
> GS are running in the main loop, under BQL, and are the only
> one allowed to modify the BlockDriverState graph.
>
> I/O APIs are thread safe and can run in any thread
>
> "global state or I/O" are essentially all APIs that use
> BDRV_POLL_WHILE. This is because there can be only 2 threads
> that can use BDRV_POLL_WHILE: main loop and the iothread that
> runs the aiocontext.
>
> * Drains allow the caller (either main loop or iothread running
> the context) to wait all in_flights requests and operations
> of a BDS: normal drains target a given node and is parents, while
> subtree ones also include the subgraph of the node. Siblings are
> not affected by any of these two kind of drains.
> After bdrv_drained_begin, no more request is allowed to come
> from the affected nodes. Therefore the only actor left working
> on a drained part of the graph should be the main loop.
>
> What do we intend to do
> -----------------------
> We want to remove the AioContext lock. It is not 100% clear on how
> many things we are protecting with it, and why.
> As a starter, we want to protect BlockDriverState ->parents and
> ->children lists, since they are read by main loop and I/O but
> only written by main loop under BQL. The function that modifies
> these lists is bdrv_replace_child_common().
>
> How do we want to do it
> -----------------------
> We individuated as ideal subtitute of AioContext lock
> the subtree_drain API. The reason is simple: draining prevents the iothread to read or write the nodes, so once the main loop finishes
> executing bdrv_drained_begin() on the interested graph, we are sure that
> the iothread is not going to look or even interfere with that part of the graph.
> We are also sure that the only two actors that can look at a specific
> BlockDriverState in any given context are the main loop and the
> iothread running the AioContext (ensured by "global state or IO" logic).
>
> Why use _subtree_ instead of normal drain
> -----------------------------------------
> A simple drain "blocks" a given node and all its parents.
> But it doesn't touch the child.
> This means that if we use a simple drain, a child can always
> keep processing requests, and eventually end up calling itself
> bdrv_drained_begin, ending up reading the parents node while the main loop
> is modifying them. Therefore a subtree drain is necessary.
>
> Possible scenarios
> -------------------
> Keeping in mind that we can only have an iothread and the main loop
> draining on a certain node, we could have:
>
> main loop successfully drains and then iothread tries to drain:
> impossible scenario, as iothread is already stopped once main
> successfully drains.
>
> iothread successfully drains and then main loop drains:
> should not be a problem, as:
> 1) the iothread should be already "blocked" by its own drain
> 2) main loop would still wait for it to completely block
> There is the issue of mirror overriding such scenario to avoid
> having deadlocks, but that is handled in the next section.
>
> main loop and iothread try to drain together:
> As above, this case doens't really matter. As long as
> bdrv_drained_begin invariant is respected, the main loop will
> continue only once the iothread is "blocked" on that part of the graph.
>
> A note on iothread draining
> ---------------------------
> Theoretically draining from an iothread should not be possible,
> as the iothread would be scheduling a bh in the main loop waiting
> for itself to stop, even though it is not yet stopped since it is waiting for the bh.
>
> This is what would happen in the tests in patch 5 if .drained_poll
> was not implemented.
>
> Therefore, one solution is to use .drained_poll callback in BlockJobDriver.
> This callback overrides the default job poll() behavior, and
> allows the polling condition to stop waiting for the job.
> It is actually used only in mirror.
> This however breaks bdrv_drained_begin invariant, because the
> iothread is not really blocked on that node but continues running.
> In order to fix this, patch 4 allows the polling condition to be
> used only by the iothread, and not the main loop too, preventing
> the drain to return before the iothread is effectively stopped.
> This is also shown in the tests in patch 5. If the fix in patch
> 4 is removed, then the main loop drain will return earlier and
> allow the iothread to run and drain together.
>
> The other patches in this serie are cherry-picked from the various
> series I already sent, and are included here just to allow
> subtree_drained_begin/end_unlocked implementation.
>
> Emanuele Giuseppe Esposito (5):
> aio-wait.h: introduce AIO_WAIT_WHILE_UNLOCKED
> introduce BDRV_POLL_WHILE_UNLOCKED
> block/io.c: introduce bdrv_subtree_drained_{begin/end}_unlocked
> child_job_drained_poll: override polling condition only when in home
> thread
> test-bdrv-drain: ensure draining from main loop stops iothreads
>
> block/io.c | 48 ++++++--
> blockjob.c | 3 +-
> include/block/aio-wait.h | 15 ++-
> include/block/block.h | 7 ++
> tests/unit/test-bdrv-drain.c | 218 +++++++++++++++++++++++++++++++++++
> 5 files changed, 274 insertions(+), 17 deletions(-)
>
01.03.2022 17:21, Emanuele Giuseppe Esposito wrote:
> This serie tries to provide a proof of concept and a clear explanation
> on why we need to use drains (and more precisely subtree_drains)
> to replace the aiocontext lock, especially to protect BlockDriverState
> ->children and ->parent lists.
>
> Just a small recap on the key concepts:
> * We split block layer APIs in "global state" (GS), "I/O", and
> "global state or I/O".
> GS are running in the main loop, under BQL, and are the only
> one allowed to modify the BlockDriverState graph.
>
> I/O APIs are thread safe and can run in any thread
>
> "global state or I/O" are essentially all APIs that use
> BDRV_POLL_WHILE. This is because there can be only 2 threads
> that can use BDRV_POLL_WHILE: main loop and the iothread that
> runs the aiocontext.
>
> * Drains allow the caller (either main loop or iothread running
> the context) to wait all in_flights requests and operations
> of a BDS: normal drains target a given node and is parents, while
> subtree ones also include the subgraph of the node. Siblings are
> not affected by any of these two kind of drains.
> After bdrv_drained_begin, no more request is allowed to come
> from the affected nodes. Therefore the only actor left working
> on a drained part of the graph should be the main loop.
>
> What do we intend to do
> -----------------------
> We want to remove the AioContext lock. It is not 100% clear on how
> many things we are protecting with it, and why.
> As a starter, we want to protect BlockDriverState ->parents and
> ->children lists, since they are read by main loop and I/O but
> only written by main loop under BQL. The function that modifies
> these lists is bdrv_replace_child_common().
>
> How do we want to do it
> -----------------------
> We individuated as ideal subtitute of AioContext lock
> the subtree_drain API. The reason is simple: draining prevents the iothread to read or write the nodes, so once the main loop finishes
I'm not sure it's ideal. Unfortunately I'm not really good in all that BQL, AioContext locks and drains. So, I can't give good advice. But here are my doubts:
Draining is very restrictive measure: even if drained section is very short, at least on bdrv_drained_begin() we have to wait for all current requests, and don't start new ones. That slows down the guest. In the same time there are operations that don't require to stop guest IO requests. For example manipulation with dirty bitmaps - qmp commands block-dirty-bitmap-add block-dirty-bitmap-remove. Or different query requests..
I see only two real cases, where we do need drain:
1. When we need a consistent "point-in-time". For example, when we start backup in transaction with some dirty-bitmap manipulation commands.
2. When we need to modify block-graph: if we are going to break relation A -> B, there must not be any in-flight request that want to use this relation.
All other operations, for which we want some kind of lock (like AioContext lock or something) we actually don't want to stop guest IO.
Next, I have a problem in mind, that in past lead to a lot of iotest 30 failures. Next there were different fixes and improvements, but the core problem (as far as I understand) is still here: nothing protects us when we are in some graph modification process (for example block-job finalization) do yield, switch to other coroutine and enter another graph modification process (for example, another block-job finaliztion)..
(for details look at my old "[PATCH RFC 0/5] Fix accidental crash in iotest 30" https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg05290.html , where I suggested to add a global graph_modify_mutex CoMutex, to be held during graph-modifying process that may yield)..
Does your proposal solve this problem?
> executing bdrv_drained_begin() on the interested graph, we are sure that
> the iothread is not going to look or even interfere with that part of the graph.
> We are also sure that the only two actors that can look at a specific
> BlockDriverState in any given context are the main loop and the
> iothread running the AioContext (ensured by "global state or IO" logic).
>
> Why use _subtree_ instead of normal drain
> -----------------------------------------
> A simple drain "blocks" a given node and all its parents.
> But it doesn't touch the child.
> This means that if we use a simple drain, a child can always
> keep processing requests, and eventually end up calling itself
> bdrv_drained_begin, ending up reading the parents node while the main loop
> is modifying them. Therefore a subtree drain is necessary.
I'm not sure I understand.. Could you give a more concrete example of what may happen if we use simple drain?
Who will call bdrv_drained_begin() you say about? Some IO path in parallel thread? Do we really have an IO path that calls bdrv_drained_begin()?
>
> Possible scenarios
> -------------------
> Keeping in mind that we can only have an iothread and the main loop
> draining on a certain node, we could have:
>
> main loop successfully drains and then iothread tries to drain:
> impossible scenario, as iothread is already stopped once main
> successfully drains.
>
> iothread successfully drains and then main loop drains:
> should not be a problem, as:
> 1) the iothread should be already "blocked" by its own drain
> 2) main loop would still wait for it to completely block
> There is the issue of mirror overriding such scenario to avoid
> having deadlocks, but that is handled in the next section.
>
> main loop and iothread try to drain together:
> As above, this case doens't really matter. As long as
> bdrv_drained_begin invariant is respected, the main loop will
> continue only once the iothread is "blocked" on that part of the graph.
>
> A note on iothread draining
> ---------------------------
> Theoretically draining from an iothread should not be possible,
> as the iothread would be scheduling a bh in the main loop waiting
> for itself to stop, even though it is not yet stopped since it is waiting for the bh.
>
> This is what would happen in the tests in patch 5 if .drained_poll
> was not implemented.
>
> Therefore, one solution is to use .drained_poll callback in BlockJobDriver.
> This callback overrides the default job poll() behavior, and
> allows the polling condition to stop waiting for the job.
> It is actually used only in mirror.
> This however breaks bdrv_drained_begin invariant, because the
> iothread is not really blocked on that node but continues running.
> In order to fix this, patch 4 allows the polling condition to be
> used only by the iothread, and not the main loop too, preventing
> the drain to return before the iothread is effectively stopped.
> This is also shown in the tests in patch 5. If the fix in patch
> 4 is removed, then the main loop drain will return earlier and
> allow the iothread to run and drain together.
>
> The other patches in this serie are cherry-picked from the various
> series I already sent, and are included here just to allow
> subtree_drained_begin/end_unlocked implementation.
>
> Emanuele Giuseppe Esposito (5):
> aio-wait.h: introduce AIO_WAIT_WHILE_UNLOCKED
> introduce BDRV_POLL_WHILE_UNLOCKED
> block/io.c: introduce bdrv_subtree_drained_{begin/end}_unlocked
> child_job_drained_poll: override polling condition only when in home
> thread
> test-bdrv-drain: ensure draining from main loop stops iothreads
>
> block/io.c | 48 ++++++--
> blockjob.c | 3 +-
> include/block/aio-wait.h | 15 ++-
> include/block/block.h | 7 ++
> tests/unit/test-bdrv-drain.c | 218 +++++++++++++++++++++++++++++++++++
> 5 files changed, 274 insertions(+), 17 deletions(-)
>
--
Best regards,
Vladimir
Am 02/03/2022 um 12:07 schrieb Vladimir Sementsov-Ogievskiy:
> 01.03.2022 17:21, Emanuele Giuseppe Esposito wrote:
>> This serie tries to provide a proof of concept and a clear explanation
>> on why we need to use drains (and more precisely subtree_drains)
>> to replace the aiocontext lock, especially to protect BlockDriverState
>> ->children and ->parent lists.
>>
>> Just a small recap on the key concepts:
>> * We split block layer APIs in "global state" (GS), "I/O", and
>> "global state or I/O".
>> GS are running in the main loop, under BQL, and are the only
>> one allowed to modify the BlockDriverState graph.
>>
>> I/O APIs are thread safe and can run in any thread
>>
>> "global state or I/O" are essentially all APIs that use
>> BDRV_POLL_WHILE. This is because there can be only 2 threads
>> that can use BDRV_POLL_WHILE: main loop and the iothread that
>> runs the aiocontext.
>>
>> * Drains allow the caller (either main loop or iothread running
>> the context) to wait all in_flights requests and operations
>> of a BDS: normal drains target a given node and is parents, while
>> subtree ones also include the subgraph of the node. Siblings are
>> not affected by any of these two kind of drains.
>> After bdrv_drained_begin, no more request is allowed to come
>> from the affected nodes. Therefore the only actor left working
>> on a drained part of the graph should be the main loop.
>>
>> What do we intend to do
>> -----------------------
>> We want to remove the AioContext lock. It is not 100% clear on how
>> many things we are protecting with it, and why.
>> As a starter, we want to protect BlockDriverState ->parents and
>> ->children lists, since they are read by main loop and I/O but
>> only written by main loop under BQL. The function that modifies
>> these lists is bdrv_replace_child_common().
>>
>> How do we want to do it
>> -----------------------
>> We individuated as ideal subtitute of AioContext lock
>> the subtree_drain API. The reason is simple: draining prevents the
>> iothread to read or write the nodes, so once the main loop finishes
>
> I'm not sure it's ideal. Unfortunately I'm not really good in all that
> BQL, AioContext locks and drains. So, I can't give good advice. But here
> are my doubts:
>
> Draining is very restrictive measure: even if drained section is very
> short, at least on bdrv_drained_begin() we have to wait for all current
> requests, and don't start new ones. That slows down the guest.
I don't think we are in a critical path where performance is important here.
In the
> same time there are operations that don't require to stop guest IO
> requests. For example manipulation with dirty bitmaps - qmp commands
> block-dirty-bitmap-add block-dirty-bitmap-remove. Or different query
> requests..
>
Maybe you misunderstood or I was not 100% clear, but I am talking about replacing the AioContext lock for the ->parents and ->children instance. Not everywhere. This is the first step, and then we will see if the additional things that it protects can use drain or something else
> I see only two real cases, where we do need drain:
>
> 1. When we need a consistent "point-in-time". For example, when we start
> backup in transaction with some dirty-bitmap manipulation commands.
>
> 2. When we need to modify block-graph: if we are going to break relation
> A -> B, there must not be any in-flight request that want to use this
> relation.
That's the use case I am considering.
>
> All other operations, for which we want some kind of lock (like
> AioContext lock or something) we actually don't want to stop guest IO.
Yes, they have to be analyzed case by case.
>
>
> Next, I have a problem in mind, that in past lead to a lot of iotest 30
> failures. Next there were different fixes and improvements, but the core
> problem (as far as I understand) is still here: nothing protects us when
> we are in some graph modification process (for example block-job
> finalization) do yield, switch to other coroutine and enter another
> graph modification process (for example, another block-job finaliztion)..
That's another point to consider. I don't really have a solution for this.
> (for details look at my old "[PATCH RFC 0/5] Fix accidental crash in
> iotest 30"
> https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg05290.html ,
> where I suggested to add a global graph_modify_mutex CoMutex, to be held
> during graph-modifying process that may yield)..
> Does your proposal solve this problem?
>
>
>> executing bdrv_drained_begin() on the interested graph, we are sure that
>> the iothread is not going to look or even interfere with that part of
>> the graph.
>> We are also sure that the only two actors that can look at a specific
>> BlockDriverState in any given context are the main loop and the
>> iothread running the AioContext (ensured by "global state or IO" logic).
>>
>> Why use _subtree_ instead of normal drain
>> -----------------------------------------
>> A simple drain "blocks" a given node and all its parents.
>> But it doesn't touch the child.
>> This means that if we use a simple drain, a child can always
>> keep processing requests, and eventually end up calling itself
>> bdrv_drained_begin, ending up reading the parents node while the main
>> loop
>> is modifying them. Therefore a subtree drain is necessary.
>
> I'm not sure I understand.. Could you give a more concrete example of
> what may happen if we use simple drain?
> Who will call bdrv_drained_begin() you say about? Some IO path in
> parallel thread? Do we really have an IO path that calls
> bdrv_drained_begin()?
It is already being done in mirror, where it drains while running the .run() Job callback.
I made an unit test for this:
https://gitlab.com/eesposit/qemu/-/commit/1ffd7193ed441020f51aeeb49c3b07edb6949760
assume that you have the following graph:
blk (blk) -> overlay (bs)
overlay (bs) --- backed by ---> backing (bs)
job1 (blockjob) --> backing
Then the main loop calls bdrv_drained_begin(overlay)
This means overlay and bs are under drain, but backing and most importantly the job are not.
At this point, the job run() function decides to drain. It should not be
allowed to read overlay parents list for example, but instead there is nothing
to prevent it from doing that, and thus we see drains_done >0.
On the other side, when we subtree_drain, also the job is drained and thus it goes in
pause.
Makes sense?
>
>>
>> Possible scenarios
>> -------------------
>> Keeping in mind that we can only have an iothread and the main loop
>> draining on a certain node, we could have:
>>
>> main loop successfully drains and then iothread tries to drain:
>> impossible scenario, as iothread is already stopped once main
>> successfully drains.
>>
>> iothread successfully drains and then main loop drains:
>> should not be a problem, as:
>> 1) the iothread should be already "blocked" by its own drain
>> 2) main loop would still wait for it to completely block
>> There is the issue of mirror overriding such scenario to avoid
>> having deadlocks, but that is handled in the next section.
>>
>> main loop and iothread try to drain together:
>> As above, this case doens't really matter. As long as
>> bdrv_drained_begin invariant is respected, the main loop will
>> continue only once the iothread is "blocked" on that part of the
>> graph.
>>
>> A note on iothread draining
>> ---------------------------
>> Theoretically draining from an iothread should not be possible,
>> as the iothread would be scheduling a bh in the main loop waiting
>> for itself to stop, even though it is not yet stopped since it is
>> waiting for the bh.
>>
>> This is what would happen in the tests in patch 5 if .drained_poll
>> was not implemented.
>>
>> Therefore, one solution is to use .drained_poll callback in
>> BlockJobDriver.
>> This callback overrides the default job poll() behavior, and
>> allows the polling condition to stop waiting for the job.
>> It is actually used only in mirror.
>> This however breaks bdrv_drained_begin invariant, because the
>> iothread is not really blocked on that node but continues running.
>> In order to fix this, patch 4 allows the polling condition to be
>> used only by the iothread, and not the main loop too, preventing
>> the drain to return before the iothread is effectively stopped.
>> This is also shown in the tests in patch 5. If the fix in patch
>> 4 is removed, then the main loop drain will return earlier and
>> allow the iothread to run and drain together.
>>
>> The other patches in this serie are cherry-picked from the various
>> series I already sent, and are included here just to allow
>> subtree_drained_begin/end_unlocked implementation.
>>
>> Emanuele Giuseppe Esposito (5):
>> aio-wait.h: introduce AIO_WAIT_WHILE_UNLOCKED
>> introduce BDRV_POLL_WHILE_UNLOCKED
>> block/io.c: introduce bdrv_subtree_drained_{begin/end}_unlocked
>> child_job_drained_poll: override polling condition only when in home
>> thread
>> test-bdrv-drain: ensure draining from main loop stops iothreads
>>
>> block/io.c | 48 ++++++--
>> blockjob.c | 3 +-
>> include/block/aio-wait.h | 15 ++-
>> include/block/block.h | 7 ++
>> tests/unit/test-bdrv-drain.c | 218 +++++++++++++++++++++++++++++++++++
>> 5 files changed, 274 insertions(+), 17 deletions(-)
>>
>
>
09.03.2022 16:26, Emanuele Giuseppe Esposito wrote:
>
>
> Am 02/03/2022 um 12:07 schrieb Vladimir Sementsov-Ogievskiy:
>> 01.03.2022 17:21, Emanuele Giuseppe Esposito wrote:
>>> This serie tries to provide a proof of concept and a clear explanation
>>> on why we need to use drains (and more precisely subtree_drains)
>>> to replace the aiocontext lock, especially to protect BlockDriverState
>>> ->children and ->parent lists.
>>>
>>> Just a small recap on the key concepts:
>>> * We split block layer APIs in "global state" (GS), "I/O", and
>>> "global state or I/O".
>>> GS are running in the main loop, under BQL, and are the only
>>> one allowed to modify the BlockDriverState graph.
>>>
>>> I/O APIs are thread safe and can run in any thread
>>>
>>> "global state or I/O" are essentially all APIs that use
>>> BDRV_POLL_WHILE. This is because there can be only 2 threads
>>> that can use BDRV_POLL_WHILE: main loop and the iothread that
>>> runs the aiocontext.
>>>
>>> * Drains allow the caller (either main loop or iothread running
>>> the context) to wait all in_flights requests and operations
>>> of a BDS: normal drains target a given node and is parents, while
>>> subtree ones also include the subgraph of the node. Siblings are
>>> not affected by any of these two kind of drains.
>>> After bdrv_drained_begin, no more request is allowed to come
>>> from the affected nodes. Therefore the only actor left working
>>> on a drained part of the graph should be the main loop.
>>>
>>> What do we intend to do
>>> -----------------------
>>> We want to remove the AioContext lock. It is not 100% clear on how
>>> many things we are protecting with it, and why.
>>> As a starter, we want to protect BlockDriverState ->parents and
>>> ->children lists, since they are read by main loop and I/O but
>>> only written by main loop under BQL. The function that modifies
>>> these lists is bdrv_replace_child_common().
>>>
>>> How do we want to do it
>>> -----------------------
>>> We individuated as ideal subtitute of AioContext lock
>>> the subtree_drain API. The reason is simple: draining prevents the
>>> iothread to read or write the nodes, so once the main loop finishes
>>
>> I'm not sure it's ideal. Unfortunately I'm not really good in all that
>> BQL, AioContext locks and drains. So, I can't give good advice. But here
>> are my doubts:
>>
>> Draining is very restrictive measure: even if drained section is very
>> short, at least on bdrv_drained_begin() we have to wait for all current
>> requests, and don't start new ones. That slows down the guest.
>
> I don't think we are in a critical path where performance is important here.
>
> In the
>> same time there are operations that don't require to stop guest IO
>> requests. For example manipulation with dirty bitmaps - qmp commands
>> block-dirty-bitmap-add block-dirty-bitmap-remove. Or different query
>> requests..
>>
>
> Maybe you misunderstood or I was not 100% clear, but I am talking about replacing the AioContext lock for the ->parents and ->children instance. Not everywhere. This is the first step, and then we will see if the additional things that it protects can use drain or something else
Ok, if we are only about graph modification that's not a critical performance path.
>
>
>> I see only two real cases, where we do need drain:
>>
>> 1. When we need a consistent "point-in-time". For example, when we start
>> backup in transaction with some dirty-bitmap manipulation commands.
>>
>> 2. When we need to modify block-graph: if we are going to break relation
>> A -> B, there must not be any in-flight request that want to use this
>> relation.
>
> That's the use case I am considering.
>>
>> All other operations, for which we want some kind of lock (like
>> AioContext lock or something) we actually don't want to stop guest IO.
>
> Yes, they have to be analyzed case by case.
>>
>>
>> Next, I have a problem in mind, that in past lead to a lot of iotest 30
>> failures. Next there were different fixes and improvements, but the core
>> problem (as far as I understand) is still here: nothing protects us when
>> we are in some graph modification process (for example block-job
>> finalization) do yield, switch to other coroutine and enter another
>> graph modification process (for example, another block-job finaliztion)..
>
> That's another point to consider. I don't really have a solution for this.
>
>> (for details look at my old "[PATCH RFC 0/5] Fix accidental crash in
>> iotest 30"
>> https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg05290.html ,
>> where I suggested to add a global graph_modify_mutex CoMutex, to be held
>> during graph-modifying process that may yield)..
>> Does your proposal solve this problem?
>>
>>
>>> executing bdrv_drained_begin() on the interested graph, we are sure that
>>> the iothread is not going to look or even interfere with that part of
>>> the graph.
>>> We are also sure that the only two actors that can look at a specific
>>> BlockDriverState in any given context are the main loop and the
>>> iothread running the AioContext (ensured by "global state or IO" logic).
>>>
>>> Why use _subtree_ instead of normal drain
>>> -----------------------------------------
>>> A simple drain "blocks" a given node and all its parents.
>>> But it doesn't touch the child.
>>> This means that if we use a simple drain, a child can always
>>> keep processing requests, and eventually end up calling itself
>>> bdrv_drained_begin, ending up reading the parents node while the main
>>> loop
>>> is modifying them. Therefore a subtree drain is necessary.
>>
>> I'm not sure I understand.. Could you give a more concrete example of
>> what may happen if we use simple drain?
>> Who will call bdrv_drained_begin() you say about? Some IO path in
>> parallel thread? Do we really have an IO path that calls
>> bdrv_drained_begin()?
>
> It is already being done in mirror, where it drains while running the .run() Job callback.
>
> I made an unit test for this:
> https://gitlab.com/eesposit/qemu/-/commit/1ffd7193ed441020f51aeeb49c3b07edb6949760
>
> assume that you have the following graph:
>
> blk (blk) -> overlay (bs)
> overlay (bs) --- backed by ---> backing (bs)
> job1 (blockjob) --> backing
>
> Then the main loop calls bdrv_drained_begin(overlay)
> This means overlay and bs are under drain, but backing and most importantly the job are not.
> At this point, the job run() function decides to drain. It should not be
> allowed to read overlay parents list for example, but instead there is nothing
> to prevent it from doing that, and thus we see drains_done >0.
>
> On the other side, when we subtree_drain, also the job is drained and thus it goes in
> pause.
>
> Makes sense?
Ah seems I understand what you mean.
One of my arguments is that "drain" - is not a lock against other clients who want to modify the graph. Because, drained section allows nested drained sections.
And you try to solve it, by draining more things, this way, we'll drain also the job, which is a possible client, who may want to modify the graph in parallel.
So, in other words, when we want to modify the graph, we drain the whole connectivity component of the graph. And we think that we are safe from other graph modifications because all related jobs are drained.
Interesting, is that possible that some not drained job from another connectivity component will want to connect some node from our drained component?
I just still feel that draining is a wrong mechanism to avoid interaction with other clients who want to modify the graph, because:
1. we stop the whole IO on all subgraph which is not necessary
2. draining is not a mutex, it allows nesting and it's ok when two different clients drain same nodes. Draining is just a requirement to do no IO at these nodes.
And in your way, it seems that to be absolutely safe we'll need to drain everything..
In my feeling it's better to keep draining what it is now: requirement to have no IO requests. And to isolate graph modifications from each other make a new synchronization mechanism, something like a global queue, where clients who want to get an access to graph modifications wait for their turn.
>>
>>>
>>> Possible scenarios
>>> -------------------
>>> Keeping in mind that we can only have an iothread and the main loop
>>> draining on a certain node, we could have:
>>>
>>> main loop successfully drains and then iothread tries to drain:
>>> impossible scenario, as iothread is already stopped once main
>>> successfully drains.
>>>
>>> iothread successfully drains and then main loop drains:
>>> should not be a problem, as:
>>> 1) the iothread should be already "blocked" by its own drain
>>> 2) main loop would still wait for it to completely block
>>> There is the issue of mirror overriding such scenario to avoid
>>> having deadlocks, but that is handled in the next section.
>>>
>>> main loop and iothread try to drain together:
>>> As above, this case doens't really matter. As long as
>>> bdrv_drained_begin invariant is respected, the main loop will
>>> continue only once the iothread is "blocked" on that part of the
>>> graph.
>>>
>>> A note on iothread draining
>>> ---------------------------
>>> Theoretically draining from an iothread should not be possible,
>>> as the iothread would be scheduling a bh in the main loop waiting
>>> for itself to stop, even though it is not yet stopped since it is
>>> waiting for the bh.
>>>
>>> This is what would happen in the tests in patch 5 if .drained_poll
>>> was not implemented.
>>>
>>> Therefore, one solution is to use .drained_poll callback in
>>> BlockJobDriver.
>>> This callback overrides the default job poll() behavior, and
>>> allows the polling condition to stop waiting for the job.
>>> It is actually used only in mirror.
>>> This however breaks bdrv_drained_begin invariant, because the
>>> iothread is not really blocked on that node but continues running.
>>> In order to fix this, patch 4 allows the polling condition to be
>>> used only by the iothread, and not the main loop too, preventing
>>> the drain to return before the iothread is effectively stopped.
>>> This is also shown in the tests in patch 5. If the fix in patch
>>> 4 is removed, then the main loop drain will return earlier and
>>> allow the iothread to run and drain together.
>>>
>>> The other patches in this serie are cherry-picked from the various
>>> series I already sent, and are included here just to allow
>>> subtree_drained_begin/end_unlocked implementation.
>>>
>>> Emanuele Giuseppe Esposito (5):
>>> aio-wait.h: introduce AIO_WAIT_WHILE_UNLOCKED
>>> introduce BDRV_POLL_WHILE_UNLOCKED
>>> block/io.c: introduce bdrv_subtree_drained_{begin/end}_unlocked
>>> child_job_drained_poll: override polling condition only when in home
>>> thread
>>> test-bdrv-drain: ensure draining from main loop stops iothreads
>>>
>>> block/io.c | 48 ++++++--
>>> blockjob.c | 3 +-
>>> include/block/aio-wait.h | 15 ++-
>>> include/block/block.h | 7 ++
>>> tests/unit/test-bdrv-drain.c | 218 +++++++++++++++++++++++++++++++++++
>>> 5 files changed, 274 insertions(+), 17 deletions(-)
>>>
>>
>>
>
--
Best regards,
Vladimir
09.03.2022 16:26, Emanuele Giuseppe Esposito wrote: > > Am 02/03/2022 um 12:07 schrieb Vladimir Sementsov-Ogievskiy: >> 01.03.2022 17:21, Emanuele Giuseppe Esposito wrote: >>> This serie tries to provide a proof of concept and a clear explanation >>> on why we need to use drains (and more precisely subtree_drains) >>> to replace the aiocontext lock, especially to protect BlockDriverState >>> ->children and ->parent lists. >>> >>> Just a small recap on the key concepts: >>> * We split block layer APIs in "global state" (GS), "I/O", and >>> "global state or I/O". >>> GS are running in the main loop, under BQL, and are the only >>> one allowed to modify the BlockDriverState graph. >>> >>> I/O APIs are thread safe and can run in any thread >>> >>> "global state or I/O" are essentially all APIs that use >>> BDRV_POLL_WHILE. This is because there can be only 2 threads >>> that can use BDRV_POLL_WHILE: main loop and the iothread that >>> runs the aiocontext. >>> >>> * Drains allow the caller (either main loop or iothread running >>> the context) to wait all in_flights requests and operations >>> of a BDS: normal drains target a given node and is parents, while >>> subtree ones also include the subgraph of the node. Siblings are >>> not affected by any of these two kind of drains. >>> After bdrv_drained_begin, no more request is allowed to come >>> from the affected nodes. Therefore the only actor left working >>> on a drained part of the graph should be the main loop. >>> >>> What do we intend to do >>> ----------------------- >>> We want to remove the AioContext lock. It is not 100% clear on how >>> many things we are protecting with it, and why. >>> As a starter, we want to protect BlockDriverState ->parents and >>> ->children lists, since they are read by main loop and I/O but >>> only written by main loop under BQL. The function that modifies >>> these lists is bdrv_replace_child_common(). >>> >>> How do we want to do it >>> ----------------------- >>> We individuated as ideal subtitute of AioContext lock >>> the subtree_drain API. The reason is simple: draining prevents the >>> iothread to read or write the nodes, so once the main loop finishes >> I'm not sure it's ideal. Unfortunately I'm not really good in all that >> BQL, AioContext locks and drains. So, I can't give good advice. But here >> are my doubts: >> >> Draining is very restrictive measure: even if drained section is very >> short, at least on bdrv_drained_begin() we have to wait for all current >> requests, and don't start new ones. That slows down the guest. > I don't think we are in a critical path where performance is important here. > > In the >> same time there are operations that don't require to stop guest IO >> requests. For example manipulation with dirty bitmaps - qmp commands >> block-dirty-bitmap-add block-dirty-bitmap-remove. Or different query >> requests.. >> > Maybe you misunderstood or I was not 100% clear, but I am talking about replacing the AioContext lock for the ->parents and ->children instance. Not everywhere. This is the first step, and then we will see if the additional things that it protects can use drain or something else > > >> I see only two real cases, where we do need drain: >> >> 1. When we need a consistent "point-in-time". For example, when we start >> backup in transaction with some dirty-bitmap manipulation commands. >> >> 2. When we need to modify block-graph: if we are going to break relation >> A -> B, there must not be any in-flight request that want to use this >> relation. > That's the use case I am considering. >> All other operations, for which we want some kind of lock (like >> AioContext lock or something) we actually don't want to stop guest IO. > Yes, they have to be analyzed case by case. >> >> Next, I have a problem in mind, that in past lead to a lot of iotest 30 >> failures. Next there were different fixes and improvements, but the core >> problem (as far as I understand) is still here: nothing protects us when >> we are in some graph modification process (for example block-job >> finalization) do yield, switch to other coroutine and enter another >> graph modification process (for example, another block-job finaliztion).. > That's another point to consider. I don't really have a solution for this. > >> (for details look at my old "[PATCH RFC 0/5] Fix accidental crash in >> iotest 30" >> https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg05290.html , >> where I suggested to add a global graph_modify_mutex CoMutex, to be held >> during graph-modifying process that may yield).. >> Does your proposal solve this problem? >> >> >>> executing bdrv_drained_begin() on the interested graph, we are sure that >>> the iothread is not going to look or even interfere with that part of >>> the graph. >>> We are also sure that the only two actors that can look at a specific >>> BlockDriverState in any given context are the main loop and the >>> iothread running the AioContext (ensured by "global state or IO" logic). >>> >>> Why use_subtree_ instead of normal drain >>> ----------------------------------------- >>> A simple drain "blocks" a given node and all its parents. >>> But it doesn't touch the child. >>> This means that if we use a simple drain, a child can always >>> keep processing requests, and eventually end up calling itself >>> bdrv_drained_begin, ending up reading the parents node while the main >>> loop >>> is modifying them. Therefore a subtree drain is necessary. >> I'm not sure I understand.. Could you give a more concrete example of >> what may happen if we use simple drain? >> Who will call bdrv_drained_begin() you say about? Some IO path in >> parallel thread? Do we really have an IO path that calls >> bdrv_drained_begin()? > It is already being done in mirror, where it drains while running the .run() Job callback. > > I made an unit test for this: > https://gitlab.com/eesposit/qemu/-/commit/1ffd7193ed441020f51aeeb49c3b07edb6949760 > > assume that you have the following graph: > > blk (blk) -> overlay (bs) > overlay (bs) --- backed by ---> backing (bs) > job1 (blockjob) --> backing > > Then the main loop calls bdrv_drained_begin(overlay) > This means overlay and bs are under drain, but backing and most importantly the job are not. > At this point, the job run() function decides to drain. It should not be > allowed to read overlay parents list for example, but instead there is nothing > to prevent it from doing that, and thus we see drains_done >0. > > On the other side, when we subtree_drain, also the job is drained and thus it goes in > pause. > > Makes sense? As I understand: You want to make drained section to be a kind of lock, so that if we take this lock, we can modify the graph and we are sure that no other client will modify it in parallel. But drained sections can be nested. So to solve the problem you try to drain more nodes: include subtree for example, or may be we need to drain the whole graph connectivity component, or (to be more safe) the whole block layer (to be sure that during drained section in one connectivity component some not-drained block-job from another connectivity component will not try to attach some node from our drained connectivity component).. I still feel that draining is wrong tool for isolating graph modifying operations from each other: 1. Drained sections can be nested, and natively that's not a kind of lock. That's just a requirement to have no IO requests. There may be several clients that want this condition on same set of nodes. 2. Blocking IO on the whole connected subgraph or even on the whole block layer graph is not necessary, so that's an extra blocking. Could we instead do the following: 1. Keep draining as is - a mechanism to stop IO on some nodes 2. To isolate graph-modifying operations implement another mechanism: something like a global queue, where clients wait until they gen an access to modify block layer. This way, any graph modifying process would look like this: 1. drained_begin(only where necessary, not the whole subgraph in general) 2. wait in the global queue 3. Ok, now we can do all the modifications 4. Kick the global queue, so that next client will get an access 5. drained_end() -- Best regards, Vladimir
> > Ah seems I understand what you mean. > > One of my arguments is that "drain" - is not a lock against other > clients who want to modify the graph. Because, drained section allows > nested drained sections. > > And you try to solve it, by draining more things, this way, we'll drain > also the job, which is a possible client, who may want to modify the > graph in parallel. > > So, in other words, when we want to modify the graph, we drain the whole > connectivity component of the graph. And we think that we are safe from > other graph modifications because all related jobs are drained. > Interesting, is that possible that some not drained job from another > connectivity component will want to connect some node from our drained > component? You mean another job or whathever calling bdrv_find_node() on a random graph? Yes that is not protected. But can this happen? That's the question. What are the invariants here? Can anything happen? > > I just still feel that draining is a wrong mechanism to avoid > interaction with other clients who want to modify the graph, because: > > 1. we stop the whole IO on all subgraph which is not necessary > 2. draining is not a mutex, it allows nesting and it's ok when two > different clients drain same nodes. Draining is just a requirement to do > no IO at these nodes. > > And in your way, it seems that to be absolutely safe we'll need to drain > everything.. > > In my feeling it's better to keep draining what it is now: requirement > to have no IO requests. And to isolate graph modifications from each > other make a new synchronization mechanism, something like a global > queue, where clients who want to get an access to graph modifications > wait for their turn. This is a matter of definitions. Subtree drains can theoretically work, I managed to answer to my own doubts in the last email I sent. Yes, there is still some completely random case like the one I wrote above, but I think it is more a matter of what we want to use and what meaning we want to give to drains. Global queue is what Kevin proposes, I will try to implement it. > > > As I understand: > > You want to make drained section to be a kind of lock, so that if we > take this lock, we can modify the graph and we are sure that no other > client will modify it in parallel. Yes > > But drained sections can be nested. So to solve the problem you try to > drain more nodes: include subtree for example, or may be we need to > drain the whole graph connectivity component, or (to be more safe) the > whole block layer (to be sure that during drained section in one > connectivity component some not-drained block-job from another > connectivity component will not try to attach some node from our drained > connectivity component).. > > I still feel that draining is wrong tool for isolating graph modifying > operations from each other: > > 1. Drained sections can be nested, and natively that's not a kind of > lock. That's just a requirement to have no IO requests. There may be > several clients that want this condition on same set of nodes. > > 2. Blocking IO on the whole connected subgraph or even on the whole > block layer graph is not necessary, so that's an extra blocking. > > > Could we instead do the following: > > 1. Keep draining as is - a mechanism to stop IO on some nodes > > 2. To isolate graph-modifying operations implement another mechanism: > something like a global queue, where clients wait until they gen an > access to modify block layer. > > > This way, any graph modifying process would look like this: > > 1. drained_begin(only where necessary, not the whole subgraph in general) > > 2. wait in the global queue > > 3. Ok, now we can do all the modifications > > 4. Kick the global queue, so that next client will get an access > > 5. drained_end() > > Please give a look at what Kevin (described by me) proposed. I think it's the same as you are suggesting. I am pasting it below. I will try to implement this and see if it is doable or not. I think the advantage of drains is that it isn't so complicated and doesn't add any complication to the existing code. But we'll see how it goes with this global queue. > His idea is to replicate what blk_wait_while_drained() currently does > but on a larger scale. It is something in between this subtree_drains > logic and a rwlock. > > Basically if I understood correctly, we could implement > bdrv_wait_while_drained(), and put in all places where we would put a > read lock: all the reads to ->parents and ->children. > This function detects if the bdrv is under drain, and if so it will stop > and wait that the drain finishes (ie the graph modification). > On the other side, each write would just need to drain probably both > nodes (simple drain), to signal that we are modifying the graph. Once > bdrv_drained_begin() finishes, we are sure all coroutines are stopped. > Once bdrv_drained_end() finishes, we automatically let all coroutine > restart, and continue where they left off. > > Seems a good compromise between drains and rwlock. What do you think? > > I am not sure how painful it will be to implement though. Emanuele
30.03.2022 12:09, Emanuele Giuseppe Esposito wrote: >> >> Ah seems I understand what you mean. >> >> One of my arguments is that "drain" - is not a lock against other >> clients who want to modify the graph. Because, drained section allows >> nested drained sections. >> >> And you try to solve it, by draining more things, this way, we'll drain >> also the job, which is a possible client, who may want to modify the >> graph in parallel. >> >> So, in other words, when we want to modify the graph, we drain the whole >> connectivity component of the graph. And we think that we are safe from >> other graph modifications because all related jobs are drained. >> Interesting, is that possible that some not drained job from another >> connectivity component will want to connect some node from our drained >> component? > > You mean another job or whathever calling bdrv_find_node() on a random > graph? Yes that is not protected. But can this happen? > > That's the question. What are the invariants here? Can anything happen? > >> >> I just still feel that draining is a wrong mechanism to avoid >> interaction with other clients who want to modify the graph, because: >> >> 1. we stop the whole IO on all subgraph which is not necessary >> 2. draining is not a mutex, it allows nesting and it's ok when two >> different clients drain same nodes. Draining is just a requirement to do >> no IO at these nodes. >> >> And in your way, it seems that to be absolutely safe we'll need to drain >> everything.. >> >> In my feeling it's better to keep draining what it is now: requirement >> to have no IO requests. And to isolate graph modifications from each >> other make a new synchronization mechanism, something like a global >> queue, where clients who want to get an access to graph modifications >> wait for their turn. > > This is a matter of definitions. Subtree drains can theoretically work, > I managed to answer to my own doubts in the last email I sent. > > Yes, there is still some completely random case like the one I wrote > above, but I think it is more a matter of what we want to use and what > meaning we want to give to drains. > > Global queue is what Kevin proposes, I will try to implement it. > >> >> >> As I understand: >> >> You want to make drained section to be a kind of lock, so that if we >> take this lock, we can modify the graph and we are sure that no other >> client will modify it in parallel. > > Yes > >> >> But drained sections can be nested. So to solve the problem you try to >> drain more nodes: include subtree for example, or may be we need to >> drain the whole graph connectivity component, or (to be more safe) the >> whole block layer (to be sure that during drained section in one >> connectivity component some not-drained block-job from another >> connectivity component will not try to attach some node from our drained >> connectivity component).. >> >> I still feel that draining is wrong tool for isolating graph modifying >> operations from each other: >> >> 1. Drained sections can be nested, and natively that's not a kind of >> lock. That's just a requirement to have no IO requests. There may be >> several clients that want this condition on same set of nodes. >> >> 2. Blocking IO on the whole connected subgraph or even on the whole >> block layer graph is not necessary, so that's an extra blocking. >> >> >> Could we instead do the following: >> >> 1. Keep draining as is - a mechanism to stop IO on some nodes >> >> 2. To isolate graph-modifying operations implement another mechanism: >> something like a global queue, where clients wait until they gen an >> access to modify block layer. >> >> >> This way, any graph modifying process would look like this: >> >> 1. drained_begin(only where necessary, not the whole subgraph in general) >> >> 2. wait in the global queue >> >> 3. Ok, now we can do all the modifications >> >> 4. Kick the global queue, so that next client will get an access >> >> 5. drained_end() >> >> > > Please give a look at what Kevin (described by me) proposed. I think > it's the same as you are suggesting. I am pasting it below. > I will try to implement this and see if it is doable or not. > > I think the advantage of drains is that it isn't so complicated and > doesn't add any complication to the existing code. > But we'll see how it goes with this global queue. > >> His idea is to replicate what blk_wait_while_drained() currently does >> but on a larger scale. It is something in between this subtree_drains >> logic and a rwlock. >> >> Basically if I understood correctly, we could implement >> bdrv_wait_while_drained(), and put in all places where we would put a >> read lock: all the reads to ->parents and ->children. >> This function detects if the bdrv is under drain, and if so it will stop >> and wait that the drain finishes (ie the graph modification). >> On the other side, each write would just need to drain probably both >> nodes (simple drain), to signal that we are modifying the graph. Once >> bdrv_drained_begin() finishes, we are sure all coroutines are stopped. >> Once bdrv_drained_end() finishes, we automatically let all coroutine >> restart, and continue where they left off. >> >> Seems a good compromise between drains and rwlock. What do you think? >> >> I am not sure how painful it will be to implement though. > Hm, I don't see, where is global queue here? Or bdrv_wait_while_drained() is global and has no bs arguement? -- Best regards, Vladimir
Am 30/03/2022 um 11:52 schrieb Vladimir Sementsov-Ogievskiy: > 30.03.2022 12:09, Emanuele Giuseppe Esposito wrote: >>> >>> Ah seems I understand what you mean. >>> >>> One of my arguments is that "drain" - is not a lock against other >>> clients who want to modify the graph. Because, drained section allows >>> nested drained sections. >>> >>> And you try to solve it, by draining more things, this way, we'll drain >>> also the job, which is a possible client, who may want to modify the >>> graph in parallel. >>> >>> So, in other words, when we want to modify the graph, we drain the whole >>> connectivity component of the graph. And we think that we are safe from >>> other graph modifications because all related jobs are drained. >>> Interesting, is that possible that some not drained job from another >>> connectivity component will want to connect some node from our drained >>> component? >> >> You mean another job or whathever calling bdrv_find_node() on a random >> graph? Yes that is not protected. But can this happen? >> >> That's the question. What are the invariants here? Can anything happen? >> >>> >>> I just still feel that draining is a wrong mechanism to avoid >>> interaction with other clients who want to modify the graph, because: >>> >>> 1. we stop the whole IO on all subgraph which is not necessary >>> 2. draining is not a mutex, it allows nesting and it's ok when two >>> different clients drain same nodes. Draining is just a requirement to do >>> no IO at these nodes. >>> >>> And in your way, it seems that to be absolutely safe we'll need to drain >>> everything.. >>> >>> In my feeling it's better to keep draining what it is now: requirement >>> to have no IO requests. And to isolate graph modifications from each >>> other make a new synchronization mechanism, something like a global >>> queue, where clients who want to get an access to graph modifications >>> wait for their turn. >> >> This is a matter of definitions. Subtree drains can theoretically work, >> I managed to answer to my own doubts in the last email I sent. >> >> Yes, there is still some completely random case like the one I wrote >> above, but I think it is more a matter of what we want to use and what >> meaning we want to give to drains. >> >> Global queue is what Kevin proposes, I will try to implement it. >> >>> >>> >>> As I understand: >>> >>> You want to make drained section to be a kind of lock, so that if we >>> take this lock, we can modify the graph and we are sure that no other >>> client will modify it in parallel. >> >> Yes >> >>> >>> But drained sections can be nested. So to solve the problem you try to >>> drain more nodes: include subtree for example, or may be we need to >>> drain the whole graph connectivity component, or (to be more safe) the >>> whole block layer (to be sure that during drained section in one >>> connectivity component some not-drained block-job from another >>> connectivity component will not try to attach some node from our drained >>> connectivity component).. >>> >>> I still feel that draining is wrong tool for isolating graph modifying >>> operations from each other: >>> >>> 1. Drained sections can be nested, and natively that's not a kind of >>> lock. That's just a requirement to have no IO requests. There may be >>> several clients that want this condition on same set of nodes. >>> >>> 2. Blocking IO on the whole connected subgraph or even on the whole >>> block layer graph is not necessary, so that's an extra blocking. >>> >>> >>> Could we instead do the following: >>> >>> 1. Keep draining as is - a mechanism to stop IO on some nodes >>> >>> 2. To isolate graph-modifying operations implement another mechanism: >>> something like a global queue, where clients wait until they gen an >>> access to modify block layer. >>> >>> >>> This way, any graph modifying process would look like this: >>> >>> 1. drained_begin(only where necessary, not the whole subgraph in >>> general) >>> >>> 2. wait in the global queue >>> >>> 3. Ok, now we can do all the modifications >>> >>> 4. Kick the global queue, so that next client will get an access >>> >>> 5. drained_end() >>> >>> >> >> Please give a look at what Kevin (described by me) proposed. I think >> it's the same as you are suggesting. I am pasting it below. >> I will try to implement this and see if it is doable or not. >> >> I think the advantage of drains is that it isn't so complicated and >> doesn't add any complication to the existing code. >> But we'll see how it goes with this global queue. >> >>> His idea is to replicate what blk_wait_while_drained() currently does >>> but on a larger scale. It is something in between this subtree_drains >>> logic and a rwlock. >>> >>> Basically if I understood correctly, we could implement >>> bdrv_wait_while_drained(), and put in all places where we would put a >>> read lock: all the reads to ->parents and ->children. >>> This function detects if the bdrv is under drain, and if so it will stop >>> and wait that the drain finishes (ie the graph modification). >>> On the other side, each write would just need to drain probably both >>> nodes (simple drain), to signal that we are modifying the graph. Once >>> bdrv_drained_begin() finishes, we are sure all coroutines are stopped. >>> Once bdrv_drained_end() finishes, we automatically let all coroutine >>> restart, and continue where they left off. >>> >>> Seems a good compromise between drains and rwlock. What do you think? >>> >>> I am not sure how painful it will be to implement though. >> > > Hm, I don't see, where is global queue here? Or > bdrv_wait_while_drained() is global and has no bs arguement? > > From what I understand, blk_wait_while_drained has a queue internally. Yes, the queue would be global, and all coroutines that want to perform a read will have to wait until the modification is ended. Whether to wake the queue up with a drain or a write lock is also another point worth discussion maybe.
Am 09/03/2022 um 14:26 schrieb Emanuele Giuseppe Esposito: >> Next, I have a problem in mind, that in past lead to a lot of iotest 30 >> failures. Next there were different fixes and improvements, but the core >> problem (as far as I understand) is still here: nothing protects us when >> we are in some graph modification process (for example block-job >> finalization) do yield, switch to other coroutine and enter another >> graph modification process (for example, another block-job finaliztion).. > That's another point to consider. I don't really have a solution for this. > On a side note, that might not be a real problem. If I understand correctly, your fear is that we are doing something like parent->children[x] = new_node // partial graph operation /* yield to another coroutine */ coroutine reads/writes parent->children[x] and/or new_node->parents[y] /* yield back */ new_node->parents[y] = parent // end of the initial graph operation Is that what you are pointing out here? If so, is there a concrete example for this? Because yields and drains (that eventually can poll) seem to be put either before or after the whole graph modification section. In other words, even if a coroutine enters, it will be always before or after the _whole_ graph modification is performed. Thank you, Emanuele
17.03.2022 00:55, Emanuele Giuseppe Esposito wrote: > > > Am 09/03/2022 um 14:26 schrieb Emanuele Giuseppe Esposito: >>> Next, I have a problem in mind, that in past lead to a lot of iotest 30 >>> failures. Next there were different fixes and improvements, but the core >>> problem (as far as I understand) is still here: nothing protects us when >>> we are in some graph modification process (for example block-job >>> finalization) do yield, switch to other coroutine and enter another >>> graph modification process (for example, another block-job finaliztion).. >> That's another point to consider. I don't really have a solution for this. >> > On a side note, that might not be a real problem. > If I understand correctly, your fear is that we are doing something like > parent->children[x] = new_node // partial graph operation > /* yield to another coroutine */ > coroutine reads/writes parent->children[x] and/or new_node->parents[y] > /* yield back */ > new_node->parents[y] = parent // end of the initial graph operation > > Is that what you are pointing out here? > If so, is there a concrete example for this? Because yields and drains > (that eventually can poll) seem to be put either before or after the > whole graph modification section. In other words, even if a coroutine > enters, it will be always before or after the _whole_ graph modification > is performed. > The old example was here: https://lists.gnu.org/archive/html/qemu-devel/2020-11/msg05212.html - not sure how much is it applicable now. Another example - look at bdrv_drop_intermediate() in block.c and at TODO comments in it. In both cases the problem is we want to update some metadata in qcow2 (backing file name) as part of block-graph modification. But this update does write to qcow2 header which may yield and switch to some another block-graph modification code. -- Best regards, Vladimir
On Tue, Mar 01, 2022 at 09:21:08AM -0500, Emanuele Giuseppe Esposito wrote:
> This serie tries to provide a proof of concept and a clear explanation
> on why we need to use drains (and more precisely subtree_drains)
> to replace the aiocontext lock, especially to protect BlockDriverState
> ->children and ->parent lists.
>
> Just a small recap on the key concepts:
> * We split block layer APIs in "global state" (GS), "I/O", and
> "global state or I/O".
> GS are running in the main loop, under BQL, and are the only
> one allowed to modify the BlockDriverState graph.
>
> I/O APIs are thread safe and can run in any thread
>
> "global state or I/O" are essentially all APIs that use
> BDRV_POLL_WHILE. This is because there can be only 2 threads
> that can use BDRV_POLL_WHILE: main loop and the iothread that
> runs the aiocontext.
>
> * Drains allow the caller (either main loop or iothread running
> the context) to wait all in_flights requests and operations
> of a BDS: normal drains target a given node and is parents, while
> subtree ones also include the subgraph of the node. Siblings are
> not affected by any of these two kind of drains.
Siblings are drained to the extent required for their parent node to
reach in_flight == 0.
I haven't checked the code but I guess the case you're alluding to is
that siblings with multiple parents could have other I/O in flight that
will not be drained and further I/O can be submitted after the parent
has drained?
> After bdrv_drained_begin, no more request is allowed to come
> from the affected nodes. Therefore the only actor left working
> on a drained part of the graph should be the main loop.
It's worth remembering that this invariant is not enforced. Draining is
a cooperative scheme. Everything *should* be notified and stop
submitting I/O, but there is no assertion or return -EBUSY if a request
is submitted while the BDS is drained.
If the thread that drained the BDS wants, I think it can (legally)
submit I/O within the drained section.
> What do we intend to do
> -----------------------
> We want to remove the AioContext lock. It is not 100% clear on how
> many things we are protecting with it, and why.
> As a starter, we want to protect BlockDriverState ->parents and
> ->children lists, since they are read by main loop and I/O but
> only written by main loop under BQL. The function that modifies
> these lists is bdrv_replace_child_common().
>
> How do we want to do it
> -----------------------
> We individuated as ideal subtitute of AioContext lock
> the subtree_drain API. The reason is simple: draining prevents the iothread to read or write the nodes, so once the main loop finishes
> executing bdrv_drained_begin() on the interested graph, we are sure that
> the iothread is not going to look or even interfere with that part of the graph.
> We are also sure that the only two actors that can look at a specific
> BlockDriverState in any given context are the main loop and the
> iothread running the AioContext (ensured by "global state or IO" logic).
>
> Why use _subtree_ instead of normal drain
> -----------------------------------------
> A simple drain "blocks" a given node and all its parents.
> But it doesn't touch the child.
> This means that if we use a simple drain, a child can always
> keep processing requests, and eventually end up calling itself
> bdrv_drained_begin, ending up reading the parents node while the main loop
> is modifying them. Therefore a subtree drain is necessary.
>
> Possible scenarios
> -------------------
> Keeping in mind that we can only have an iothread and the main loop
> draining on a certain node, we could have:
>
> main loop successfully drains and then iothread tries to drain:
> impossible scenario, as iothread is already stopped once main
> successfully drains.
>
> iothread successfully drains and then main loop drains:
> should not be a problem, as:
> 1) the iothread should be already "blocked" by its own drain
Once drained_begin() returns in the IOThread, the IOThread can do
anything it wants, including more submitting I/O. I don't consider that
"blocked", so I'm not sure what this sentence means?
The way the main loop thread protects itself against the IOThread is via
the aio "external" handler concept and block job drain callbacks, which
are activated by drained_begin(). They ensure that the IOThread will not
perform further processing that submits I/O, but the IOThread code that
invoked drained_begin() can still do anything it wants.
> 2) main loop would still wait for it to completely block
> There is the issue of mirror overriding such scenario to avoid
> having deadlocks, but that is handled in the next section.
>
> main loop and iothread try to drain together:
> As above, this case doens't really matter. As long as
> bdrv_drained_begin invariant is respected, the main loop will
> continue only once the iothread is "blocked" on that part of the graph.
I'm not sure about this, see above.
>
> A note on iothread draining
> ---------------------------
> Theoretically draining from an iothread should not be possible,
> as the iothread would be scheduling a bh in the main loop waiting
> for itself to stop, even though it is not yet stopped since it is waiting for the bh.
I'm not sure what you mean. Which function schedules this BH?
>
> This is what would happen in the tests in patch 5 if .drained_poll
> was not implemented.
>
> Therefore, one solution is to use .drained_poll callback in BlockJobDriver.
> This callback overrides the default job poll() behavior, and
> allows the polling condition to stop waiting for the job.
> It is actually used only in mirror.
> This however breaks bdrv_drained_begin invariant, because the
> iothread is not really blocked on that node but continues running.
> In order to fix this, patch 4 allows the polling condition to be
> used only by the iothread, and not the main loop too, preventing
> the drain to return before the iothread is effectively stopped.
> This is also shown in the tests in patch 5. If the fix in patch
> 4 is removed, then the main loop drain will return earlier and
> allow the iothread to run and drain together.
>
> The other patches in this serie are cherry-picked from the various
> series I already sent, and are included here just to allow
> subtree_drained_begin/end_unlocked implementation.
>
> Emanuele Giuseppe Esposito (5):
> aio-wait.h: introduce AIO_WAIT_WHILE_UNLOCKED
> introduce BDRV_POLL_WHILE_UNLOCKED
> block/io.c: introduce bdrv_subtree_drained_{begin/end}_unlocked
> child_job_drained_poll: override polling condition only when in home
> thread
> test-bdrv-drain: ensure draining from main loop stops iothreads
>
> block/io.c | 48 ++++++--
> blockjob.c | 3 +-
> include/block/aio-wait.h | 15 ++-
> include/block/block.h | 7 ++
> tests/unit/test-bdrv-drain.c | 218 +++++++++++++++++++++++++++++++++++
> 5 files changed, 274 insertions(+), 17 deletions(-)
>
> --
> 2.31.1
>
Am 02/03/2022 um 10:47 schrieb Stefan Hajnoczi:
> On Tue, Mar 01, 2022 at 09:21:08AM -0500, Emanuele Giuseppe Esposito wrote:
>> This serie tries to provide a proof of concept and a clear explanation
>> on why we need to use drains (and more precisely subtree_drains)
>> to replace the aiocontext lock, especially to protect BlockDriverState
>> ->children and ->parent lists.
>>
>> Just a small recap on the key concepts:
>> * We split block layer APIs in "global state" (GS), "I/O", and
>> "global state or I/O".
>> GS are running in the main loop, under BQL, and are the only
>> one allowed to modify the BlockDriverState graph.
>>
>> I/O APIs are thread safe and can run in any thread
>>
>> "global state or I/O" are essentially all APIs that use
>> BDRV_POLL_WHILE. This is because there can be only 2 threads
>> that can use BDRV_POLL_WHILE: main loop and the iothread that
>> runs the aiocontext.
>>
>> * Drains allow the caller (either main loop or iothread running
>> the context) to wait all in_flights requests and operations
>> of a BDS: normal drains target a given node and is parents, while
>> subtree ones also include the subgraph of the node. Siblings are
>> not affected by any of these two kind of drains.
>
> Siblings are drained to the extent required for their parent node to
> reach in_flight == 0.
>
> I haven't checked the code but I guess the case you're alluding to is
> that siblings with multiple parents could have other I/O in flight that
> will not be drained and further I/O can be submitted after the parent
> has drained?
Yes, this in theory can happen. I don't really know if this happens
practically, and how likely is to happen.
The alternative would be to make a drain that blocks the whole graph,
siblings included, but that would probably be an overkill.
>
>> After bdrv_drained_begin, no more request is allowed to come
>> from the affected nodes. Therefore the only actor left working
>> on a drained part of the graph should be the main loop.
>
> It's worth remembering that this invariant is not enforced. Draining is
> a cooperative scheme. Everything *should* be notified and stop
> submitting I/O, but there is no assertion or return -EBUSY if a request
> is submitted while the BDS is drained.
Yes, it is a cooperative scheme and all except from mirror (fixed in the
last patch) seem to follow the invariant.
>
> If the thread that drained the BDS wants, I think it can (legally)
> submit I/O within the drained section.
>
Yes but at some point the main loop drains too before changing the
graph. Then the thread must be stopped, according with the invariant
above. So it doesn't matter if the thread has already drained or not.
>> What do we intend to do
>> -----------------------
>> We want to remove the AioContext lock. It is not 100% clear on how
>> many things we are protecting with it, and why.
>> As a starter, we want to protect BlockDriverState ->parents and
>> ->children lists, since they are read by main loop and I/O but
>> only written by main loop under BQL. The function that modifies
>> these lists is bdrv_replace_child_common().
>>
>> How do we want to do it
>> -----------------------
>> We individuated as ideal subtitute of AioContext lock
>> the subtree_drain API. The reason is simple: draining prevents the iothread to read or write the nodes, so once the main loop finishes
>> executing bdrv_drained_begin() on the interested graph, we are sure that
>> the iothread is not going to look or even interfere with that part of the graph.
>> We are also sure that the only two actors that can look at a specific
>> BlockDriverState in any given context are the main loop and the
>> iothread running the AioContext (ensured by "global state or IO" logic).
>>
>> Why use _subtree_ instead of normal drain
>> -----------------------------------------
>> A simple drain "blocks" a given node and all its parents.
>> But it doesn't touch the child.
>> This means that if we use a simple drain, a child can always
>> keep processing requests, and eventually end up calling itself
>> bdrv_drained_begin, ending up reading the parents node while the main loop
>> is modifying them. Therefore a subtree drain is necessary.
>>
>> Possible scenarios
>> -------------------
>> Keeping in mind that we can only have an iothread and the main loop
>> draining on a certain node, we could have:
>>
>> main loop successfully drains and then iothread tries to drain:
>> impossible scenario, as iothread is already stopped once main
>> successfully drains.
>>
>> iothread successfully drains and then main loop drains:
>> should not be a problem, as:
>> 1) the iothread should be already "blocked" by its own drain
>
> Once drained_begin() returns in the IOThread, the IOThread can do
> anything it wants, including more submitting I/O. I don't consider that
> "blocked", so I'm not sure what this sentence means?
>
> The way the main loop thread protects itself against the IOThread is via
> the aio "external" handler concept and block job drain callbacks, which
> are activated by drained_begin(). They ensure that the IOThread will not
> perform further processing that submits I/O, but the IOThread code that
> invoked drained_begin() can still do anything it wants.
As above I think that regardless on what the iothread is doing, once the
main loop has finished executing bdrv_drained_begin the iothread should
not be doing anything related to the nodes that have been drained.
>
>> 2) main loop would still wait for it to completely block
>> There is the issue of mirror overriding such scenario to avoid
>> having deadlocks, but that is handled in the next section.
>>
>> main loop and iothread try to drain together:
>> As above, this case doens't really matter. As long as
>> bdrv_drained_begin invariant is respected, the main loop will
>> continue only once the iothread is "blocked" on that part of the graph.
>
> I'm not sure about this, see above.
>
>>
>> A note on iothread draining
>> ---------------------------
>> Theoretically draining from an iothread should not be possible,
>> as the iothread would be scheduling a bh in the main loop waiting
>> for itself to stop, even though it is not yet stopped since it is waiting for the bh.
>
> I'm not sure what you mean. Which function schedules this BH?
bdrv_drained_begin and _end schedule a bh to run the draining code in
the main loop, if they are in a coroutine. That's what I meant here :)
>
>>
>> This is what would happen in the tests in patch 5 if .drained_poll
>> was not implemented.
>>
>> Therefore, one solution is to use .drained_poll callback in BlockJobDriver.
>> This callback overrides the default job poll() behavior, and
>> allows the polling condition to stop waiting for the job.
>> It is actually used only in mirror.
>> This however breaks bdrv_drained_begin invariant, because the
>> iothread is not really blocked on that node but continues running.
>> In order to fix this, patch 4 allows the polling condition to be
>> used only by the iothread, and not the main loop too, preventing
>> the drain to return before the iothread is effectively stopped.
>> This is also shown in the tests in patch 5. If the fix in patch
>> 4 is removed, then the main loop drain will return earlier and
>> allow the iothread to run and drain together.
>>
>> The other patches in this serie are cherry-picked from the various
>> series I already sent, and are included here just to allow
>> subtree_drained_begin/end_unlocked implementation.
>>
>> Emanuele Giuseppe Esposito (5):
>> aio-wait.h: introduce AIO_WAIT_WHILE_UNLOCKED
>> introduce BDRV_POLL_WHILE_UNLOCKED
>> block/io.c: introduce bdrv_subtree_drained_{begin/end}_unlocked
>> child_job_drained_poll: override polling condition only when in home
>> thread
>> test-bdrv-drain: ensure draining from main loop stops iothreads
>>
>> block/io.c | 48 ++++++--
>> blockjob.c | 3 +-
>> include/block/aio-wait.h | 15 ++-
>> include/block/block.h | 7 ++
>> tests/unit/test-bdrv-drain.c | 218 +++++++++++++++++++++++++++++++++++
>> 5 files changed, 274 insertions(+), 17 deletions(-)
>>
>> --
>> 2.31.1
>>