diff options
author | Paul E. McKenney <paulmck@linux.vnet.ibm.com> | 2014-02-28 19:11:28 -0500 |
---|---|---|
committer | Paul E. McKenney <paulmck@linux.vnet.ibm.com> | 2014-04-29 11:38:33 -0400 |
commit | b4c5bf353452c49edd860a67845627c9a8f32638 (patch) | |
tree | 2831f1d9bf2c3523081312b4d0a5d45eaf19c6a8 /Documentation | |
parent | 96224daa16d6589aff87339cf0f630ef13600a59 (diff) |
documentation: Record rcu_dereference() value mishandling
Recent LKML discussings (see http://lwn.net/Articles/586838/ and
http://lwn.net/Articles/588300/ for the LWN writeups) brought out
some ways of misusing the return value from rcu_dereference() that
are not necessarily completely intuitive. This commit therefore
documents what can and cannot safely be done with these values.
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/RCU/00-INDEX | 2 | ||||
-rw-r--r-- | Documentation/RCU/checklist.txt | 12 | ||||
-rw-r--r-- | Documentation/RCU/rcu_dereference.txt | 371 |
3 files changed, 381 insertions, 4 deletions
diff --git a/Documentation/RCU/00-INDEX b/Documentation/RCU/00-INDEX index fa57139f50bf..f773a264ae02 100644 --- a/Documentation/RCU/00-INDEX +++ b/Documentation/RCU/00-INDEX | |||
@@ -12,6 +12,8 @@ lockdep-splat.txt | |||
12 | - RCU Lockdep splats explained. | 12 | - RCU Lockdep splats explained. |
13 | NMI-RCU.txt | 13 | NMI-RCU.txt |
14 | - Using RCU to Protect Dynamic NMI Handlers | 14 | - Using RCU to Protect Dynamic NMI Handlers |
15 | rcu_dereference.txt | ||
16 | - Proper care and feeding of return values from rcu_dereference() | ||
15 | rcubarrier.txt | 17 | rcubarrier.txt |
16 | - RCU and Unloadable Modules | 18 | - RCU and Unloadable Modules |
17 | rculist_nulls.txt | 19 | rculist_nulls.txt |
diff --git a/Documentation/RCU/checklist.txt b/Documentation/RCU/checklist.txt index 9d10d1db16a5..877947130ebe 100644 --- a/Documentation/RCU/checklist.txt +++ b/Documentation/RCU/checklist.txt | |||
@@ -114,12 +114,16 @@ over a rather long period of time, but improvements are always welcome! | |||
114 | http://www.openvms.compaq.com/wizard/wiz_2637.html | 114 | http://www.openvms.compaq.com/wizard/wiz_2637.html |
115 | 115 | ||
116 | The rcu_dereference() primitive is also an excellent | 116 | The rcu_dereference() primitive is also an excellent |
117 | documentation aid, letting the person reading the code | 117 | documentation aid, letting the person reading the |
118 | know exactly which pointers are protected by RCU. | 118 | code know exactly which pointers are protected by RCU. |
119 | Please note that compilers can also reorder code, and | 119 | Please note that compilers can also reorder code, and |
120 | they are becoming increasingly aggressive about doing | 120 | they are becoming increasingly aggressive about doing |
121 | just that. The rcu_dereference() primitive therefore | 121 | just that. The rcu_dereference() primitive therefore also |
122 | also prevents destructive compiler optimizations. | 122 | prevents destructive compiler optimizations. However, |
123 | with a bit of devious creativity, it is possible to | ||
124 | mishandle the return value from rcu_dereference(). | ||
125 | Please see rcu_dereference.txt in this directory for | ||
126 | more information. | ||
123 | 127 | ||
124 | The rcu_dereference() primitive is used by the | 128 | The rcu_dereference() primitive is used by the |
125 | various "_rcu()" list-traversal primitives, such | 129 | various "_rcu()" list-traversal primitives, such |
diff --git a/Documentation/RCU/rcu_dereference.txt b/Documentation/RCU/rcu_dereference.txt new file mode 100644 index 000000000000..ceb05da5a5ac --- /dev/null +++ b/Documentation/RCU/rcu_dereference.txt | |||
@@ -0,0 +1,371 @@ | |||
1 | PROPER CARE AND FEEDING OF RETURN VALUES FROM rcu_dereference() | ||
2 | |||
3 | Most of the time, you can use values from rcu_dereference() or one of | ||
4 | the similar primitives without worries. Dereferencing (prefix "*"), | ||
5 | field selection ("->"), assignment ("="), address-of ("&"), addition and | ||
6 | subtraction of constants, and casts all work quite naturally and safely. | ||
7 | |||
8 | It is nevertheless possible to get into trouble with other operations. | ||
9 | Follow these rules to keep your RCU code working properly: | ||
10 | |||
11 | o You must use one of the rcu_dereference() family of primitives | ||
12 | to load an RCU-protected pointer, otherwise CONFIG_PROVE_RCU | ||
13 | will complain. Worse yet, your code can see random memory-corruption | ||
14 | bugs due to games that compilers and DEC Alpha can play. | ||
15 | Without one of the rcu_dereference() primitives, compilers | ||
16 | can reload the value, and won't your code have fun with two | ||
17 | different values for a single pointer! Without rcu_dereference(), | ||
18 | DEC Alpha can load a pointer, dereference that pointer, and | ||
19 | return data preceding initialization that preceded the store of | ||
20 | the pointer. | ||
21 | |||
22 | In addition, the volatile cast in rcu_dereference() prevents the | ||
23 | compiler from deducing the resulting pointer value. Please see | ||
24 | the section entitled "EXAMPLE WHERE THE COMPILER KNOWS TOO MUCH" | ||
25 | for an example where the compiler can in fact deduce the exact | ||
26 | value of the pointer, and thus cause misordering. | ||
27 | |||
28 | o Do not use single-element RCU-protected arrays. The compiler | ||
29 | is within its right to assume that the value of an index into | ||
30 | such an array must necessarily evaluate to zero. The compiler | ||
31 | could then substitute the constant zero for the computation, so | ||
32 | that the array index no longer depended on the value returned | ||
33 | by rcu_dereference(). If the array index no longer depends | ||
34 | on rcu_dereference(), then both the compiler and the CPU | ||
35 | are within their rights to order the array access before the | ||
36 | rcu_dereference(), which can cause the array access to return | ||
37 | garbage. | ||
38 | |||
39 | o Avoid cancellation when using the "+" and "-" infix arithmetic | ||
40 | operators. For example, for a given variable "x", avoid | ||
41 | "(x-x)". There are similar arithmetic pitfalls from other | ||
42 | arithmetic operatiors, such as "(x*0)", "(x/(x+1))" or "(x%1)". | ||
43 | The compiler is within its rights to substitute zero for all of | ||
44 | these expressions, so that subsequent accesses no longer depend | ||
45 | on the rcu_dereference(), again possibly resulting in bugs due | ||
46 | to misordering. | ||
47 | |||
48 | Of course, if "p" is a pointer from rcu_dereference(), and "a" | ||
49 | and "b" are integers that happen to be equal, the expression | ||
50 | "p+a-b" is safe because its value still necessarily depends on | ||
51 | the rcu_dereference(), thus maintaining proper ordering. | ||
52 | |||
53 | o Avoid all-zero operands to the bitwise "&" operator, and | ||
54 | similarly avoid all-ones operands to the bitwise "|" operator. | ||
55 | If the compiler is able to deduce the value of such operands, | ||
56 | it is within its rights to substitute the corresponding constant | ||
57 | for the bitwise operation. Once again, this causes subsequent | ||
58 | accesses to no longer depend on the rcu_dereference(), causing | ||
59 | bugs due to misordering. | ||
60 | |||
61 | Please note that single-bit operands to bitwise "&" can also | ||
62 | be dangerous. At this point, the compiler knows that the | ||
63 | resulting value can only take on one of two possible values. | ||
64 | Therefore, a very small amount of additional information will | ||
65 | allow the compiler to deduce the exact value, which again can | ||
66 | result in misordering. | ||
67 | |||
68 | o If you are using RCU to protect JITed functions, so that the | ||
69 | "()" function-invocation operator is applied to a value obtained | ||
70 | (directly or indirectly) from rcu_dereference(), you may need to | ||
71 | interact directly with the hardware to flush instruction caches. | ||
72 | This issue arises on some systems when a newly JITed function is | ||
73 | using the same memory that was used by an earlier JITed function. | ||
74 | |||
75 | o Do not use the results from the boolean "&&" and "||" when | ||
76 | dereferencing. For example, the following (rather improbable) | ||
77 | code is buggy: | ||
78 | |||
79 | int a[2]; | ||
80 | int index; | ||
81 | int force_zero_index = 1; | ||
82 | |||
83 | ... | ||
84 | |||
85 | r1 = rcu_dereference(i1) | ||
86 | r2 = a[r1 && force_zero_index]; /* BUGGY!!! */ | ||
87 | |||
88 | The reason this is buggy is that "&&" and "||" are often compiled | ||
89 | using branches. While weak-memory machines such as ARM or PowerPC | ||
90 | do order stores after such branches, they can speculate loads, | ||
91 | which can result in misordering bugs. | ||
92 | |||
93 | o Do not use the results from relational operators ("==", "!=", | ||
94 | ">", ">=", "<", or "<=") when dereferencing. For example, | ||
95 | the following (quite strange) code is buggy: | ||
96 | |||
97 | int a[2]; | ||
98 | int index; | ||
99 | int flip_index = 0; | ||
100 | |||
101 | ... | ||
102 | |||
103 | r1 = rcu_dereference(i1) | ||
104 | r2 = a[r1 != flip_index]; /* BUGGY!!! */ | ||
105 | |||
106 | As before, the reason this is buggy is that relational operators | ||
107 | are often compiled using branches. And as before, although | ||
108 | weak-memory machines such as ARM or PowerPC do order stores | ||
109 | after such branches, but can speculate loads, which can again | ||
110 | result in misordering bugs. | ||
111 | |||
112 | o Be very careful about comparing pointers obtained from | ||
113 | rcu_dereference() against non-NULL values. As Linus Torvalds | ||
114 | explained, if the two pointers are equal, the compiler could | ||
115 | substitute the pointer you are comparing against for the pointer | ||
116 | obtained from rcu_dereference(). For example: | ||
117 | |||
118 | p = rcu_dereference(gp); | ||
119 | if (p == &default_struct) | ||
120 | do_default(p->a); | ||
121 | |||
122 | Because the compiler now knows that the value of "p" is exactly | ||
123 | the address of the variable "default_struct", it is free to | ||
124 | transform this code into the following: | ||
125 | |||
126 | p = rcu_dereference(gp); | ||
127 | if (p == &default_struct) | ||
128 | do_default(default_struct.a); | ||
129 | |||
130 | On ARM and Power hardware, the load from "default_struct.a" | ||
131 | can now be speculated, such that it might happen before the | ||
132 | rcu_dereference(). This could result in bugs due to misordering. | ||
133 | |||
134 | However, comparisons are OK in the following cases: | ||
135 | |||
136 | o The comparison was against the NULL pointer. If the | ||
137 | compiler knows that the pointer is NULL, you had better | ||
138 | not be dereferencing it anyway. If the comparison is | ||
139 | non-equal, the compiler is none the wiser. Therefore, | ||
140 | it is safe to compare pointers from rcu_dereference() | ||
141 | against NULL pointers. | ||
142 | |||
143 | o The pointer is never dereferenced after being compared. | ||
144 | Since there are no subsequent dereferences, the compiler | ||
145 | cannot use anything it learned from the comparison | ||
146 | to reorder the non-existent subsequent dereferences. | ||
147 | This sort of comparison occurs frequently when scanning | ||
148 | RCU-protected circular linked lists. | ||
149 | |||
150 | o The comparison is against a pointer that references memory | ||
151 | that was initialized "a long time ago." The reason | ||
152 | this is safe is that even if misordering occurs, the | ||
153 | misordering will not affect the accesses that follow | ||
154 | the comparison. So exactly how long ago is "a long | ||
155 | time ago"? Here are some possibilities: | ||
156 | |||
157 | o Compile time. | ||
158 | |||
159 | o Boot time. | ||
160 | |||
161 | o Module-init time for module code. | ||
162 | |||
163 | o Prior to kthread creation for kthread code. | ||
164 | |||
165 | o During some prior acquisition of the lock that | ||
166 | we now hold. | ||
167 | |||
168 | o Before mod_timer() time for a timer handler. | ||
169 | |||
170 | There are many other possibilities involving the Linux | ||
171 | kernel's wide array of primitives that cause code to | ||
172 | be invoked at a later time. | ||
173 | |||
174 | o The pointer being compared against also came from | ||
175 | rcu_dereference(). In this case, both pointers depend | ||
176 | on one rcu_dereference() or another, so you get proper | ||
177 | ordering either way. | ||
178 | |||
179 | That said, this situation can make certain RCU usage | ||
180 | bugs more likely to happen. Which can be a good thing, | ||
181 | at least if they happen during testing. An example | ||
182 | of such an RCU usage bug is shown in the section titled | ||
183 | "EXAMPLE OF AMPLIFIED RCU-USAGE BUG". | ||
184 | |||
185 | o All of the accesses following the comparison are stores, | ||
186 | so that a control dependency preserves the needed ordering. | ||
187 | That said, it is easy to get control dependencies wrong. | ||
188 | Please see the "CONTROL DEPENDENCIES" section of | ||
189 | Documentation/memory-barriers.txt for more details. | ||
190 | |||
191 | o The pointers are not equal -and- the compiler does | ||
192 | not have enough information to deduce the value of the | ||
193 | pointer. Note that the volatile cast in rcu_dereference() | ||
194 | will normally prevent the compiler from knowing too much. | ||
195 | |||
196 | o Disable any value-speculation optimizations that your compiler | ||
197 | might provide, especially if you are making use of feedback-based | ||
198 | optimizations that take data collected from prior runs. Such | ||
199 | value-speculation optimizations reorder operations by design. | ||
200 | |||
201 | There is one exception to this rule: Value-speculation | ||
202 | optimizations that leverage the branch-prediction hardware are | ||
203 | safe on strongly ordered systems (such as x86), but not on weakly | ||
204 | ordered systems (such as ARM or Power). Choose your compiler | ||
205 | command-line options wisely! | ||
206 | |||
207 | |||
208 | EXAMPLE OF AMPLIFIED RCU-USAGE BUG | ||
209 | |||
210 | Because updaters can run concurrently with RCU readers, RCU readers can | ||
211 | see stale and/or inconsistent values. If RCU readers need fresh or | ||
212 | consistent values, which they sometimes do, they need to take proper | ||
213 | precautions. To see this, consider the following code fragment: | ||
214 | |||
215 | struct foo { | ||
216 | int a; | ||
217 | int b; | ||
218 | int c; | ||
219 | }; | ||
220 | struct foo *gp1; | ||
221 | struct foo *gp2; | ||
222 | |||
223 | void updater(void) | ||
224 | { | ||
225 | struct foo *p; | ||
226 | |||
227 | p = kmalloc(...); | ||
228 | if (p == NULL) | ||
229 | deal_with_it(); | ||
230 | p->a = 42; /* Each field in its own cache line. */ | ||
231 | p->b = 43; | ||
232 | p->c = 44; | ||
233 | rcu_assign_pointer(gp1, p); | ||
234 | p->b = 143; | ||
235 | p->c = 144; | ||
236 | rcu_assign_pointer(gp2, p); | ||
237 | } | ||
238 | |||
239 | void reader(void) | ||
240 | { | ||
241 | struct foo *p; | ||
242 | struct foo *q; | ||
243 | int r1, r2; | ||
244 | |||
245 | p = rcu_dereference(gp2); | ||
246 | if (p == NULL) | ||
247 | return; | ||
248 | r1 = p->b; /* Guaranteed to get 143. */ | ||
249 | q = rcu_dereference(gp1); /* Guaranteed non-NULL. */ | ||
250 | if (p == q) { | ||
251 | /* The compiler decides that q->c is same as p->c. */ | ||
252 | r2 = p->c; /* Could get 44 on weakly order system. */ | ||
253 | } | ||
254 | do_something_with(r1, r2); | ||
255 | } | ||
256 | |||
257 | You might be surprised that the outcome (r1 == 143 && r2 == 44) is possible, | ||
258 | but you should not be. After all, the updater might have been invoked | ||
259 | a second time between the time reader() loaded into "r1" and the time | ||
260 | that it loaded into "r2". The fact that this same result can occur due | ||
261 | to some reordering from the compiler and CPUs is beside the point. | ||
262 | |||
263 | But suppose that the reader needs a consistent view? | ||
264 | |||
265 | Then one approach is to use locking, for example, as follows: | ||
266 | |||
267 | struct foo { | ||
268 | int a; | ||
269 | int b; | ||
270 | int c; | ||
271 | spinlock_t lock; | ||
272 | }; | ||
273 | struct foo *gp1; | ||
274 | struct foo *gp2; | ||
275 | |||
276 | void updater(void) | ||
277 | { | ||
278 | struct foo *p; | ||
279 | |||
280 | p = kmalloc(...); | ||
281 | if (p == NULL) | ||
282 | deal_with_it(); | ||
283 | spin_lock(&p->lock); | ||
284 | p->a = 42; /* Each field in its own cache line. */ | ||
285 | p->b = 43; | ||
286 | p->c = 44; | ||
287 | spin_unlock(&p->lock); | ||
288 | rcu_assign_pointer(gp1, p); | ||
289 | spin_lock(&p->lock); | ||
290 | p->b = 143; | ||
291 | p->c = 144; | ||
292 | spin_unlock(&p->lock); | ||
293 | rcu_assign_pointer(gp2, p); | ||
294 | } | ||
295 | |||
296 | void reader(void) | ||
297 | { | ||
298 | struct foo *p; | ||
299 | struct foo *q; | ||
300 | int r1, r2; | ||
301 | |||
302 | p = rcu_dereference(gp2); | ||
303 | if (p == NULL) | ||
304 | return; | ||
305 | spin_lock(&p->lock); | ||
306 | r1 = p->b; /* Guaranteed to get 143. */ | ||
307 | q = rcu_dereference(gp1); /* Guaranteed non-NULL. */ | ||
308 | if (p == q) { | ||
309 | /* The compiler decides that q->c is same as p->c. */ | ||
310 | r2 = p->c; /* Locking guarantees r2 == 144. */ | ||
311 | } | ||
312 | spin_unlock(&p->lock); | ||
313 | do_something_with(r1, r2); | ||
314 | } | ||
315 | |||
316 | As always, use the right tool for the job! | ||
317 | |||
318 | |||
319 | EXAMPLE WHERE THE COMPILER KNOWS TOO MUCH | ||
320 | |||
321 | If a pointer obtained from rcu_dereference() compares not-equal to some | ||
322 | other pointer, the compiler normally has no clue what the value of the | ||
323 | first pointer might be. This lack of knowledge prevents the compiler | ||
324 | from carrying out optimizations that otherwise might destroy the ordering | ||
325 | guarantees that RCU depends on. And the volatile cast in rcu_dereference() | ||
326 | should prevent the compiler from guessing the value. | ||
327 | |||
328 | But without rcu_dereference(), the compiler knows more than you might | ||
329 | expect. Consider the following code fragment: | ||
330 | |||
331 | struct foo { | ||
332 | int a; | ||
333 | int b; | ||
334 | }; | ||
335 | static struct foo variable1; | ||
336 | static struct foo variable2; | ||
337 | static struct foo *gp = &variable1; | ||
338 | |||
339 | void updater(void) | ||
340 | { | ||
341 | initialize_foo(&variable2); | ||
342 | rcu_assign_pointer(gp, &variable2); | ||
343 | /* | ||
344 | * The above is the only store to gp in this translation unit, | ||
345 | * and the address of gp is not exported in any way. | ||
346 | */ | ||
347 | } | ||
348 | |||
349 | int reader(void) | ||
350 | { | ||
351 | struct foo *p; | ||
352 | |||
353 | p = gp; | ||
354 | barrier(); | ||
355 | if (p == &variable1) | ||
356 | return p->a; /* Must be variable1.a. */ | ||
357 | else | ||
358 | return p->b; /* Must be variable2.b. */ | ||
359 | } | ||
360 | |||
361 | Because the compiler can see all stores to "gp", it knows that the only | ||
362 | possible values of "gp" are "variable1" on the one hand and "variable2" | ||
363 | on the other. The comparison in reader() therefore tells the compiler | ||
364 | the exact value of "p" even in the not-equals case. This allows the | ||
365 | compiler to make the return values independent of the load from "gp", | ||
366 | in turn destroying the ordering between this load and the loads of the | ||
367 | return values. This can result in "p->b" returning pre-initialization | ||
368 | garbage values. | ||
369 | |||
370 | In short, rcu_dereference() is -not- optional when you are going to | ||
371 | dereference the resulting pointer. | ||