Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp424567pxb; Tue, 9 Feb 2021 04:04:34 -0800 (PST) X-Google-Smtp-Source: ABdhPJwwKaCF+H7c+2OCneji7Qrfi+58aFLjB9qf7IWFR/DUZNTTeBYBeIMXpC2W8zrYcy1IbKUB X-Received: by 2002:a17:906:5cf:: with SMTP id t15mr13981557ejt.128.1612872273982; Tue, 09 Feb 2021 04:04:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612872273; cv=none; d=google.com; s=arc-20160816; b=B+WSgPCEWTjfXhfEqwxVsA8lQ5sbDDl4lbzkPXiHu7Q5cxy2Gzdf/vpMJFwoiciaWH U7iB+oDK0KJdWT+xrr4fqoYxb5TRgQt8HQigJUmHSxHJ6KaJkNaTow5rDX0M4eGwKrDa Yl+AhkZ2VHbnSjRiKp4fADUmEx2C9iYjeRsWYkTJLDlUozfHGAoyEd1FD/dWo+y6Utf8 hbwR/1B//JnPDfqTJM4CAuuE7Wzw7NUe5KvYqLGOTcxrmko0+DM+lSDXDYJ776HJWmTU DJZl4yrGykCNrGPGCpH0aXjyyXwhigQ7kXvLe/5icG3fpts7/OiroswJxFHGyFbSG8Mj KrHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=ba7N7ujhxKboQHPOvDuF/xn07Ggjwq1xlbsVsGTnC00=; b=QJQxpweVSjGGyfSJBkt/6cNKAq6rSez36pHl3s9kR97o4bWjORVq6Jezw9czrTTS9W CPHKTzMo8mxRHJZut6jNSPsvmnRpojTaxlrIKCCx3BlFwot+QCA95xhdvy/UVIwHx0L5 MuQz4JOmstASIOn5K+Jrq7IQFmp4+K6Hb/oh/YkzEsR4InObLFzGQgXcN3swmARLWfTk tTyMWRf5xILMXc0Zs2IEywv1Z6DG+6DxuSSxYNQcB0BztXAk01TzW80+KnouvNFltU10 vpNciENQ94G+f2x9J7fqOCAjr1OkfQEB1dSa8l/ZS/7LJXyugUDccf8vchXfCyd5nAYw 12gw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y26si8671237ejb.235.2021.02.09.04.04.04; Tue, 09 Feb 2021 04:04:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229800AbhBIMDD (ORCPT + 99 others); Tue, 9 Feb 2021 07:03:03 -0500 Received: from mx2.suse.de ([195.135.220.15]:41370 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229763AbhBIMBB (ORCPT ); Tue, 9 Feb 2021 07:01:01 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 371CDAD24; Tue, 9 Feb 2021 12:00:18 +0000 (UTC) Received: by quack2.suse.cz (Postfix, from userid 1000) id DD3221E14AC; Tue, 9 Feb 2021 13:00:17 +0100 (CET) Date: Tue, 9 Feb 2021 13:00:17 +0100 From: Jan Kara To: Alexander Lochmann Cc: Jan Kara , tytso@mit.edu, Jan Kara , Horst Schirmeier , linux-ext4@vger.kernel.org Subject: Re: [RFC] Fine-grained locking documentation for jbd2 data structures Message-ID: <20210209120017.GB19070@quack2.suse.cz> References: <20190408083500.66759-1-alexander.lochmann@tu-dortmund.de> <7827d153-f75c-89a2-1890-86e85f86c704@tu-dortmund.de> <14dbc946-b0c5-4165-3e6a-3cbe3c6a74b4@tu-dortmund.de> <20210208152750.GD30081@quack2.suse.cz> <02643d06-0066-a7c3-b6dd-2d190c8e0c41@tu-dortmund.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <02643d06-0066-a7c3-b6dd-2d190c8e0c41@tu-dortmund.de> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Tue 09-02-21 10:58:48, Alexander Lochmann wrote: > > > On 08.02.21 16:27, Jan Kara wrote: > > Hi Alexander! > > > > On Fri 05-02-21 16:31:54, Alexander Lochmann wrote: > > > have you had the chance to review our results? > > > > It fell through the cracks I guess. Thanks for pinging. Let me have a look. > > > > > On 15.10.20 15:56, Alexander Lochmann wrote: > > > > Hi folks, > > > > > > > > when comparing our generated locking documentation with the current > > > > documentation > > > > located in include/linux/jbd2.h, I found some inconsistencies. (Our > > > > approach: https://dl.acm.org/doi/10.1145/3302424.3303948) > > > > According to the official documentation, the following members should be > > > > read using a lock: > > > > journal_t > > > > - j_flags: j_state_lock > > > > - j_barrier_count: j_state_lock > > > > - j_running_transaction: j_state_lock > > > > - j_commit_sequence: j_state_lock > > > > - j_commit_request: j_state_lock > > > > transactiont_t > > > > - t_nr_buffers: j_list_lock > > > > - t_buffers: j_list_lock > > > > - t_reserved_list: j_list_lock > > > > - t_shadow_list: j_list_lock > > > > jbd2_inode > > > > - i_transaction: j_list_lock > > > > - i_next_transaction: j_list_lock > > > > - i_flags: j_list_lock > > > > - i_dirty_start: j_list_lock > > > > - i_dirty_start: j_list_lock > > > > > > > > However, our results say that no locks are needed at all for *reading* > > > > those members. > > > > From what I know, it is common wisdom that word-sized data types can be > > > > read without any lock in the Linux kernel. > > > > Yes, although in last year, people try to convert these unlocked reads to > > READ_ONCE() or similar as otherwise the compiler is apparently allowed to > > generate code which is not safe. But that's a different story. > Is this ongoing work? Yes, in a way. It's mostly prompted by KCSAN warnings generated by syzbot ;). > Using such a macro would a) make our work much easier as we can instrument > them, and b) would tell less experienced developers that no locking is > needed. Yes, I agree that it has some benefit for documentation and automatic checkers as well. OTOH code readability is sometimes hurt by this... > Does the usage of READ_ONCE() imply that no lock is needed? No, but it does indicate there's something unusual happening with the variable - usually that variable write can race with this read. > Otherwise, one could introduce another macro for jbd2, such as #define > READ_UNLOCKED() READ_ONCE(), which is more precise. Well, yes, but OTOH special macros for small subsystems like this are making more harm than good in terms of readability since people have to lookup what exactly they mean anyway. > Also note > > that although reading that particular word may be safe without any other > > locks, the lock still may be needed to safely interpret the value in the > > context of other fetched values (e.g., due to consistency among multiple > > structure members). > Just a side quest: Do you have an example for such a situation? Definitely. The simplest case is: You can fetch journal->j_running_transaction pointer any time without any problem. But you can *dereference* it only if you hold the j_state_lock while fetching the pointer and dereferencing it. > So sometimes requiring the lock is just the least > > problematic solution - there's always the tradeoff between the speed and > > simplicity. > > > > > > All of the above members have word size, i.e., int, long, or ptr. > > > > Is it therefore safe to split the locking documentation as follows? > > > > @j_flags: General journaling state flags [r:nolocks, w:j_state_lock] > > > > I've checked the code and we usually use unlocked reads for quick, possibly > > racy checks and if they indicate we may need to do something then take the > > lock and do a reliable check. This is quite common pattern, not sure how to > > best document this. Maybe like [j_state_lock, no lock for quick racy checks]? > > > Yeah, I'm fine with that. Does this rule apply for the other members of > journal_t (and transaction_t?) listed above? Yes. Honza -- Jan Kara SUSE Labs, CR