[erlang-patches] Fix efile_drv crash when using async thread pool

Patrik Nyblom pan@REDACTED
Tue Jan 15 17:16:03 CET 2013


Hi Filipe!

On 01/11/2013 09:12 PM, Filipe David Manana wrote:
> On Fri, Jan 11, 2013 at 8:00 PM, Björn-Egil Dahlberg <egil@REDACTED> wrote:
>> On 2013-01-08 11:46, Filipe David Manana wrote:
>>> Any reason for no feedback on this submission? It's quite critical
>>> imho, it affects all file:open/2 calls that specify the 'compressed'
>>> option, even for files that are not compressed. For example,
>>> file_sorter always opens file with the 'compressed' option, and
>>> shutting down a process that uses it, leads to these crashes when
>>> using the async thread pool.
>>
>> Though your patch probably solves this (crucial) issue something is off.
> Have been trying it in loops lasting several hours, without no more
> crashes nor memory/fd leaks, for a few weeks now.
Yes, this certainly fixes the problem - many thanks for both the 
excellent test case and for pointing out the serious flaw in the code!
>> We have mechanisms in place to guard against exactly this but apparently the
>> guards are unsuccessful in this case, so therein lies a bug.
> Which guards? In the allocator for the double gzFile close() call?
> For the reads for example, there doesn't seem to be any guard at all.
I mislead Egil into writing that :).

What I was trying to say, was that the async file driver implementation 
relies on the fact that operations are carried out in order. This is 
maintained by simply giving all operations belonging to one single file 
to the same async thread, as you may have noticed in the code. However, 
when a port is closing, we need to guard the *write que* against 
deletion as it's coupled to the port, not the data sent to the async 
thread. If the port exits, an async operation can access the write que 
afterwards and - if no guard was there - *bang*. So, the port_data_lock 
guards against that, why write operations have to take the port data lock.

As long as all operations on the file are queued to the async thread, 
the port data lock is all that's needed, as any close of the fd 
(regardless of if it's a gz-close or an ordinary close) will happen 
after the previously scheduled async operations on the file. Two async 
close operations cannot be scheduled as only one scheduler operates on a 
port at a time, so the simple setting of the FILE_FD_INVALID flag when 
scheduling a close should stop two close calls being scheduled. The only 
thing to be afraid of is data belonging to the port, not the file as 
such, why the port data lock should suffice to guard the writev que 
associated with the actual port.

That was the supposed guards against simultaneous access to files etc 
happening...

So what's the problem then? The problem is that the port_exit callback, 
which is invoked when you kill the port, does *not* schedule the close! 
It executes it directly in the scheduler thread. Your approach to make 
sure that all operations on the file are run, fixes that. However, this 
means a scheduler thread potentially waiting for an NFS operation or 
something to finish in an async thread, so that the port can be closed. 
This is exactly the thing we do not want to happen unless absolutely 
necessary. That's after all one of the purposes of async thread - do not 
let the scheduler thread wait for lengthy file operations.

My suggestion is that in order to solve this, we should rather schedule 
the close onto the async thread when the port get's an exit signal. I 
suppose the direct call is there to make the close more synchronous, but 
as we have to wait for the other operations anyway, doing the close in 
the async thread would give roughly the same result but without making 
the scheduler wait on a condition variable. Even though file operations 
on ordinary files actually is harmless after a close (which is probably 
why we havent spotted this) I think we should also schedule close for 
*all* files in this situation, there seems to be no real benefit from 
treating regular files differently in this case - a future port of the 
VM may also be to a platform where operations on closed regular files 
also gives problems. Besides that, avoiding a 'close' call in the 
scheduler thread would be a good thing.

I've tested this and your test cases pass, but I would like your 
thoughts on this! You're obviously using files a lot and also have a 
firm grasp on the implementation and has recently worked on the problem, 
so your input would be extremely valuable!

I also supplied a test patch, that replaces your solution with the above 
mentioned and should fix the same problem with this other approach of 
mine. It's based on the current master (with your other patch for leaks 
included) and has your testcase included. Note that this new approach 
will not fix the fd leak you fixed in the other patch, that patch is 
still needed. Furthermore the approach of scheduling the close upon an 
async thread does not work in that situation as the port is really dead 
there, we cannot schedule async jobs. To make that close (the one you 
added to avoid the fd leaks) happen in another thread than the scheduler 
thread would be nice, but I cannot find a viable solution there, so the 
close (which is safe as there can be no other async jobs for that file) 
has to happen in the scheduler thread if we do not add a special thread 
to do such things - leading to (even more) code bloat in efile_drv.


Please note that the test patch is only smoke tested (I've run the 
complete kernel suite, but more will be run this noght as I'll put it to 
internal testing). Think of it more as a sketch than a real patch for now :)

And once again, thanks for the extreamly valuable bug report and fix!

Cheers,
/Patrik

>> I, or someone else from the VM team, needs to look closer at this.
> Thanks.
>
>> // Björn-Egil
>>
>>
>>
>>> Thanks.
>>>
>>> On Thu, Dec 27, 2012 at 1:07 PM, Filipe David Manana <fdmanana@REDACTED>
>>> wrote:
>>>>
>>>> https://github.com/fdmanana/otp/compare/master...fix_efile_drv_crash.patch
>>>> https://github.com/fdmanana/otp/compare/master...fix_efile_drv_crash
>>>>
>>>> git  fetch  git://github.com/fdmanana/otp.git  fix_efile_drv_crash
>>>>
>>>>
>>>>
>>>> --
>>>> Filipe David Manana,
>>>>
>>>> "Reasonable men adapt themselves to the world.
>>>>    Unreasonable men adapt the world to themselves.
>>>>    That's why all progress depends on unreasonable men."
>>>
>>>
>> _______________________________________________
>> erlang-patches mailing list
>> erlang-patches@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-patches
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: file_drv_crash_suggestion.diff
Type: text/x-patch
Size: 6964 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-patches/attachments/20130115/2cc948f0/attachment.bin>


More information about the erlang-patches mailing list