New "timeout" api, to replace callout
Hans Petter Selasky
hselasky at c2i.net
Fri Dec 28 02:03:12 PST 2007
On Friday 28 December 2007, John Baldwin wrote:
> On Sunday 02 December 2007 07:53:18 am Andre Oppermann wrote:
> > Poul-Henning Kamp wrote:
> > > In message <4752998A.9030007 at freebsd.org>, Andre Oppermann writes:
> > >> o TCP puts the timer into an allocated structure and upon close of
> > >> the session it has to be deallocated including stopping of all
> > >> currently running timers.
> > >> [...]
> > >> -> The timer facility should provide an atomic stop/remove call
> > >> that prevent any further callbacks upon return. It should not
> > >> do a 'drain' where the callback may be run anyway.
> > >> Note: We hold the lock the callback would have to obtain.
> > >
> > > It is my intent, that the implementation behind the new API will
> > > only ever grab the specified lock when it calls the timeout function.
> >
> > This is the same for the current one and pretty much a given.
> >
> > > When you do a timeout_disable() or timeout_cleanup() you will be
> > > sleeping on a mutex internal to the implementation, if the timeout
> > > is currently executing.
> >
> > This is the problematic part. We can't sleep in TCP when cleaning up
> > the timer. We're not always called from userland but from interrupt
> > context. And when calling the cleanup we currently hold the lock the
> > callout wants to obtain. We can't drop it either as the race would
> > be back again. What you describe here is the equivalent of callout_
> > drain(). This is unfortunately unworkable in TCP's context. The
> > callout has to go away even if it is already pending and waiting on
> > the lock. Maybe that can only be solved by a flag in the lock saying
> > "give up and go away".
>
> The reason you need to do a drain is to allow for safe destroying of the
> lock. Specifically, drivers tend to do this:
>
> FOO_LOCK(sc);
> ...
> callout_stop(...);
> FOO_UNLOCK(sc);
> ...
> callout_drain(...);
> ...
> mtx_destroy(&sc->foo_mtx);
>
> If you don't have the drain and softclock is trying to acquire the backing
> mutex while you have it held (before the callout_stop) then Bad Things can
> happen if you don't do the drain. Having the lock just "give up" doesn't
> work either because if the memory containing the lock is free'd and
> reinitialized such that it looks enough like a valid lock then softclock
> (or its equivalent) will still try to obtain it. Also, you need to do a
> drain so it is safe to free the callout structure to prevent it from being
> recycled and having weird races where it gets recycled and rescheduled but
> the timer code thinks it has a pending stop for that pointer and so it
> aborts the wrong instance of the timer, etc.
Hi,
I completely agree to what John Baldwin is writing. You need two
stop-functions:
xxx_stop which is non-blocking and
xxx_drain which can block i.e. sleep
BTW: The USB code in P4 uses the same semantics, due to the same reasons:
usbd_transfer_stop() and usbd_transfer_drain()
The only difference is that I pass an error code to the callback which might
happen after that usbd_transfer_stop is called.
I think that xxx_stop() and xxx_drain() is a generic approach that should be
applied to all callback systems. Whenever you have a callback you need to be
able to stop it and drain it.
--HPS
More information about the freebsd-arch
mailing list