docs/devel/atomics.rst | 26 ++++++++++--- hw/misc/edu.c | 5 +++ include/block/aio-wait.h | 2 +- include/qemu/atomic.h | 17 ++++++++- softmmu/physmem.c | 3 ++ util/async.c | 13 ++++--- util/qemu-coroutine-lock.c | 9 ++++- util/qemu-thread-posix.c | 64 +++++++++++++++++++++---------- util/qemu-thread-win32.c | 78 ++++++++++++++++++++++++++------------ 9 files changed, 160 insertions(+), 57 deletions(-)
This series fixes more instances of the problem fixed by commits
5710a3e09f9b ("async: use explicit memory barriers", 2020-04-09) and
7455ff1aa015 ("aio_wait_kick: add missing memory barrier", 2022-06-24).
This is an interesting case where ARM's memory ordering is somewhat
stronger than what you would expect.
On ARM, seqcst loads and stores (which QEMU does not use) are compiled
respectively as LDAR and STLR instructions. Even though STLR is also
used for store-release operations, STLR followed by LDAR provides
store-against-load ordering, which is stronger than a store-release.
Compare this to ARMv7, where store-release is DMB+STR and store-seqcst
is DMB+STR+DMB.
This means that on ARM a sequence of
qatomic_store_release(&y, ...); // STLR
a = qatomic_load_acquire(&x); // LDAR
provides stronger ordering at the processor level than the two MOV
instructions you'd get on x86.
Likewise, on ARM sequentially consistent read-modify-write operations only
need to use LDAXR and STLXR respectively for the load and the store, which
is weaker than the LOCK prefix used on x86.
In a strange twist of events, however, the _stronger_ semantics
of the ARM instructions can end up causing bugs on ARM, not on x86.
The problems occur when seqcst atomics are mixed with relaxed atomics.
Here is how the two are compiled on ARM:
load store
relaxed LDR STR
seqcst LDAR STLR
QEMU's atomics try to bridge the Linux API (that most of the developers
are familiar with) and the C11 API, and the two have a substantial
difference:
- in Linux, strongly-ordered atomics such as atomic_add_return() affect
the global ordering of _all_ memory operations, including for example
READ_ONCE()/WRITE_ONCE()
- in C11, sequentially consistent atomics (except for seqcst fences)
only affect the ordering of sequentially consistent operations.
In particular, since relaxed loads are done with LDR on ARM, they are
not ordered against seqcst stores (which are done with STLR).
QEMU implements high-level synchronization primitives with the idea that
the primitives contain the necessary memory barriers, and the callers can
use relaxed atomics (qatomic_read/qatomic_set) or even regular accesses.
This is very much incompatible with the C11 view that seqcst accesses
are only ordered against other seqcst accesses, and requires using
seqcst fences as in the following example:
qatomic_set(&y, 1); qatomic_set(&x, 1);
smp_mb(); smp_mb();
... qatomic_read(&x) ... ... qatomic_read(&y) ...
Bugs ensue when a qatomic_*() read-modify write operation is used instead
of one or both stores, for example:
qatomic_<rmw>(&y, ...);
smp_mb();
... qatomic_read(&x) ...
Developers that are more familiar with the Linux API may be tempted
to omit the smp_mb() and that's exactly what yours truly did in
qemu_event_set() and qemu_event_reset(). After a27dd2de68f3 ("KVM:
keep track of running ioctls", 2023-01-11), this caused hangs due to
threads sleeping forever in qemu_event_wait().
This _could_ also have been the cause of occasional hangs of rcutorture,
though I have not observed them personally.
(As an aside, GCC's older __sync_* builtins *did* provide a full barrier
between the RMW operation and loads on the side of the operation. The
difference between seqcst C11 atomics and __sync_* atomics is exactly
an extra memory barrier after the STLXR instruction).
In order to fix this, while avoiding worse performance from having two
back-to-back memory barriers on x86, patch 1 introduces optimized
memory barriers smp_mb__before_rmw() and smp_mb__after_rmw(). The usage
is similar to Linux's smp_mb__before/after_atomic(), but the name is
different because they affect _all_ RMW operations. On Linux, instead,
they are not needed around those RMW operations that return the old value.
The remaining patches add them everywhere they are needed. In the
case of QemuEvent (patches 2-3), I reviewed the algorithm thoroughly,
dropping barriers that were not necessary and killing optimizations that
I wasn't entirely sure about. For the other cases, instead, the changes
are minimal.
Note: I have a follow-up set of patches that gets rid completely of
atomic_mb_read(); atomic_mb_set() instead can remain and mimic Linux's
smp_store_mb() operation. A glimpse of these changes is already visible
in patches 7 and 8.
Thanks to Emanuele Esposito and Gavin Shan for help debugging and
testing the changes!
Paolo
Paolo Bonzini (8):
qatomic: add smp_mb__before/after_rmw()
qemu-thread-posix: cleanup, fix, document QemuEvent
qemu-thread-win32: cleanup, fix, document QemuEvent
edu: add smp_mb__after_rmw()
util/async: add smp_mb__after_rmw() around BH enqueue/dequeue
aio-wait: switch to smp_mb__after_rmw()
qemu-coroutine-lock: add smp_mb__after_rmw()
physmem: add missing memory barrier
docs/devel/atomics.rst | 26 ++++++++++---
hw/misc/edu.c | 5 +++
include/block/aio-wait.h | 2 +-
include/qemu/atomic.h | 17 ++++++++-
softmmu/physmem.c | 3 ++
util/async.c | 13 ++++---
util/qemu-coroutine-lock.c | 9 ++++-
util/qemu-thread-posix.c | 64 +++++++++++++++++++++----------
util/qemu-thread-win32.c | 78 ++++++++++++++++++++++++++------------
9 files changed, 160 insertions(+), 57 deletions(-)
--
2.39.1
On 03.03.23 18:19, Paolo Bonzini wrote:
> This series fixes more instances of the problem fixed by commits
> 5710a3e09f9b ("async: use explicit memory barriers", 2020-04-09) and
> 7455ff1aa015 ("aio_wait_kick: add missing memory barrier", 2022-06-24).
> This is an interesting case where ARM's memory ordering is somewhat
> stronger than what you would expect.
>
> On ARM, seqcst loads and stores (which QEMU does not use) are compiled
> respectively as LDAR and STLR instructions. Even though STLR is also
> used for store-release operations, STLR followed by LDAR provides
> store-against-load ordering, which is stronger than a store-release.
> Compare this to ARMv7, where store-release is DMB+STR and store-seqcst
> is DMB+STR+DMB.
>
> This means that on ARM a sequence of
>
> qatomic_store_release(&y, ...); // STLR
> a = qatomic_load_acquire(&x); // LDAR
>
> provides stronger ordering at the processor level than the two MOV
> instructions you'd get on x86.
>
> Likewise, on ARM sequentially consistent read-modify-write operations only
> need to use LDAXR and STLXR respectively for the load and the store, which
> is weaker than the LOCK prefix used on x86.
>
> In a strange twist of events, however, the _stronger_ semantics
> of the ARM instructions can end up causing bugs on ARM, not on x86.
> The problems occur when seqcst atomics are mixed with relaxed atomics.
> Here is how the two are compiled on ARM:
>
> load store
> relaxed LDR STR
> seqcst LDAR STLR
>
> QEMU's atomics try to bridge the Linux API (that most of the developers
> are familiar with) and the C11 API, and the two have a substantial
> difference:
>
> - in Linux, strongly-ordered atomics such as atomic_add_return() affect
> the global ordering of _all_ memory operations, including for example
> READ_ONCE()/WRITE_ONCE()
>
> - in C11, sequentially consistent atomics (except for seqcst fences)
> only affect the ordering of sequentially consistent operations.
> In particular, since relaxed loads are done with LDR on ARM, they are
> not ordered against seqcst stores (which are done with STLR).
>
> QEMU implements high-level synchronization primitives with the idea that
> the primitives contain the necessary memory barriers, and the callers can
> use relaxed atomics (qatomic_read/qatomic_set) or even regular accesses.
> This is very much incompatible with the C11 view that seqcst accesses
> are only ordered against other seqcst accesses, and requires using
> seqcst fences as in the following example:
>
> qatomic_set(&y, 1); qatomic_set(&x, 1);
> smp_mb(); smp_mb();
> ... qatomic_read(&x) ... ... qatomic_read(&y) ...
>
> Bugs ensue when a qatomic_*() read-modify write operation is used instead
> of one or both stores, for example:
>
> qatomic_<rmw>(&y, ...);
> smp_mb();
> ... qatomic_read(&x) ...
>
> Developers that are more familiar with the Linux API may be tempted
> to omit the smp_mb() and that's exactly what yours truly did in
> qemu_event_set() and qemu_event_reset(). After a27dd2de68f3 ("KVM:
> keep track of running ioctls", 2023-01-11), this caused hangs due to
> threads sleeping forever in qemu_event_wait().
>
> This _could_ also have been the cause of occasional hangs of rcutorture,
> though I have not observed them personally.
>
> (As an aside, GCC's older __sync_* builtins *did* provide a full barrier
> between the RMW operation and loads on the side of the operation. The
> difference between seqcst C11 atomics and __sync_* atomics is exactly
> an extra memory barrier after the STLXR instruction).
>
> In order to fix this, while avoiding worse performance from having two
> back-to-back memory barriers on x86, patch 1 introduces optimized
> memory barriers smp_mb__before_rmw() and smp_mb__after_rmw(). The usage
> is similar to Linux's smp_mb__before/after_atomic(), but the name is
> different because they affect _all_ RMW operations. On Linux, instead,
> they are not needed around those RMW operations that return the old value.
>
> The remaining patches add them everywhere they are needed. In the
> case of QemuEvent (patches 2-3), I reviewed the algorithm thoroughly,
> dropping barriers that were not necessary and killing optimizations that
> I wasn't entirely sure about. For the other cases, instead, the changes
> are minimal.
>
> Note: I have a follow-up set of patches that gets rid completely of
> atomic_mb_read(); atomic_mb_set() instead can remain and mimic Linux's
> smp_store_mb() operation. A glimpse of these changes is already visible
> in patches 7 and 8.
That sounds interesting. I was briefly confused about atomic_mb_* ...
... do we want to add some Fixes: tags or is it too hard to come up with
something reasonable?
--
Thanks,
David / dhildenb
On 3/6/23 14:35, David Hildenbrand wrote:
>> Note: I have a follow-up set of patches that gets rid completely of
>> atomic_mb_read(); atomic_mb_set() instead can remain and mimic Linux's
>> smp_store_mb() operation. A glimpse of these changes is already visible
>> in patches 7 and 8.
>
> That sounds interesting. I was briefly confused about atomic_mb_* ...
>
> ... do we want to add some Fixes: tags or is it too hard to come up with
> something reasonable?
The Fixes tag would often point to
commit a0aa44b488b3601415d55041e4619aef5f3a4ba8
Author: Alex Bennée <alex.bennee@linaro.org>
Date: Thu Jan 28 10:15:17 2016 +0000
include/qemu/atomic.h: default to __atomic functions
The __atomic primitives have been available since GCC 4.7 and provide
a richer interface for describing memory ordering requirements. As a
bonus by using the primitives instead of hand-rolled functions we can
use tools such as the ThreadSanitizer which need the use of well
defined APIs for its analysis.
If we have __ATOMIC defines we exclusively use the __atomic primitives
for all our atomic access. Otherwise we fall back to the mixture of
__sync and hand-rolled barrier cases.
(for which I would have sworn I was the sole perpetrator, not just the
committer). But it pre-dates some of the code that is being fixed, so
I am not sure it makes sense to add it.
Paolo
© 2016 - 2024 Red Hat, Inc.