Reference count race window

Gumpula, Suresh Suresh.Gumpula at netapp.com
Fri Jan 3 02:38:25 UTC 2014 

Hi Alfred,
      I agree that there could have been an extra/invalid  crfree() which decremented the count  and  looks valid  crhold(acquire) from socket code  panic'ed in my case. As per your suggestion if we 
 replace  the assert with if condition in release,  we will end up panicing  when the actual  crfree() happens.  But we may not be knowing who crfree'ed() in the first and invalid place.  Am I correct?   I will try your suggestion.

Can you please bit more explain your array trick ?

Thanks
Suresh



-----Original Message-----
From: owner-freebsd-hackers at freebsd.org [mailto:owner-freebsd-hackers at freebsd.org] On Behalf Of Alfred Perlstein
Sent: Thursday, January 02, 2014 8:21 PM
To: Gumpula, Suresh; Julian Elischer; freebsd-hackers at freebsd.org
Subject: Re: Reference count race window


On 1/2/14, 3:53 PM, Gumpula, Suresh wrote:
>>> Without changing the return-value semantics of refcount_acquire, we 
>>> have introduced a panic if we detected a race as below.
>>> static __inline void
>>> refcount_acquire(volatile u_int *count) {
>>>           u_int old;
>>>
>>>           old = atomic_fetchadd_int(count, 1);
>>>           if (old == 0) {
>>>             panic("refcount_acquire race condition detected!\n");
>>>           }
>>>>>> so what is the stacktrace of the panic?
> It's from the socket code calling crhold.   It's a non debug build( NO INVARIANTS )
>
> #4  0xffffffff80331d34 in panic (fmt=0xffffffff805c1e60 
> "refcount_acquire race condition detected!\n") at 
> ../../../../sys/kern/kern_shutdown.c:1009
> #5  0xffffffff80326662 in refcount_acquire (count=<optimized out>) at 
> ../../../../sys/sys/refcount.h:65
> #6  crhold (cr=<optimized out>) at 
> ../../../../sys/kern/kern_prot.c:1814
> #7  0xffffffff803aa0d9 in socreate (dom=<optimized out>, 
> aso=0xffffff80345c1b00, type=<optimized out>, proto=0, 
> cred=0xffffff0017d7aa00, td=0xffffff000b294410) at 
> ../../../../sys/kern/uipc_socket.c:441
> #8  0xffffffff803b2e5c in socket (td=0xffffff000b294410, 
> uap=0xffffff80345c1be0) at ../../../../sys/kern/uipc_syscalls.c:201
> #9  0xffffffff80539ecb in syscall (frame=0xffffff80345c1c80) at 
> ../../../../sys/amd64/amd64/trap.c:1260
>
If it's a non-debug build then how do you know that someone isn't incorrectly lowering the refcount?

Please try some invariants or at least manually turn on the one KASSERT I mentioned.

Another trick would be to add a an array of char*+int for the last few places that decremented, you can use the returned refcount as an index to that array to track who may be doing the extra frees.

-Alfred

_______________________________________________
freebsd-hackers at freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"

More information about the freebsd-hackers mailing list