From: "Martin Ågren" <martin.agren@gmail.com>
To: Stefan Beller <sbeller@google.com>
Cc: Jeff Hostetler <git@jeffhostetler.com>,
"git@vger.kernel.org" <git@vger.kernel.org>,
Jeff Hostetler <jeffhost@microsoft.com>
Subject: Re: tsan: t3008: hashmap_add touches size from multiple threads
Date: Tue, 15 Aug 2017 20:40:37 +0200
Message-ID: <CAN0heSoXysu=6E_ScfWQVLOk805V=j7AYJi=z62SmNkP5U=A9Q@mail.gmail.com>
In-Reply-To: <CAGZ79kbf52Uu-Th9W20QZV204A81kOAPTj2x6JkEP1rN=GTYtw@mail.gmail.com>

On 15 August 2017 at 20:17, Stefan Beller <sbeller@google.com> wrote:
> On Tue, Aug 15, 2017 at 10:59 AM, Jeff Hostetler <git@jeffhostetler.com> wrote:
>>
>>
>> On 8/15/2017 8:53 AM, Martin Ågren wrote:
>>>
>>> Using SANITIZE=thread made t3008-ls-files-lazy-init-name-hash.sh hit
>>> the potential race below.
>>>
>>> What seems to happen is, threaded_lazy_init_name_hash ends up using
>>> hashmap_add on the_index.dir_hash from two threads in a way that tsan
>>> considers racy. While the buckets each have their own mutex, the "size"
>>> does not. So it might end up with the wrong (lower) value. The size is
>>> used to determine when to resize, but that should be fine, since
>>> resizing is turned off due to threading anyway.
>>
>>>
>>>
>>> If the size is ever used for something else, the consequences might
>>> range from cosmetic error to devastating. I have a "feeling" the size is
>>> not used at the time, although maybe it is, in some roundabout way which
>>> I'm not seeing.
>>
>>
>> Good catch! Yes, the size field is unguarded. The only references to
>> it that I found were used in _add() and _remove() in the need-to-rehash
>> check.
>>
>> Since auto-rehash is turned off, this shouldn't be a problem, but it
>> does feel odd to have a possibly incorrect size due to races.
>>
>> Rather than adding something like (a cross-platform version of)
>> InterlockedIncrement(), I'm wondering if it would be better to
>> disable/invalidate the size field when auto-rehash is turned off
>> so we don't have to worry about it.
>>
>> Something like this:
>>
>>
>> $ git diff
>> diff --git a/hashmap.c b/hashmap.c
>> index 9b6a12859b..be97642daa 100644
>> --- a/hashmap.c
>> +++ b/hashmap.c
>> @@ -205,6 +205,9 @@ void hashmap_add(struct hashmap *map, void *entry)
>> ((struct hashmap_entry *) entry)->next = map->table[b];
>> map->table[b] = entry;
>>
>> + if (map->disallow_rehash)
>> + return;
>> +
>> /* fix size and rehash if appropriate */
>> map->size++;
>> if (map->size > map->grow_at)
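Review bot: the early `return` in hashmap_add() sits above `map->size++`, so entries added while `disallow_rehash` is set are never counted, and nothing here records that `size` has gone stale. Please say so in the comment above the check, and make sure `size` is recomputed or marked unknown before anything reads it again; the hashmap.h part of this patch still leaves the recount as a TODO.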
>> @@ -223,6 +226,9 @@ void *hashmap_remove(struct hashmap *map, const void
>> *key, const void *keydata)
>> *e = old->next;
>> old->next = NULL;
>>
>> + if (map->disallow_rehash)
>> + return;
>> +
>
>
> Once we have these two checks, the check in rehash itself becomes
> redundant (as any code path leading to the check in rehash already
> had the check).
>
> Which leads me to wonder if we want to make the size (in/de)crease
> part of the rehash function, which could be
>
> adjust_size(struct hashmap *map, int n)
>
> with `n` either +1 or -1 (the increase value). Depending on 'n', we could
> compute the newsize for the potential rehash in that function as well.
>
> Not sure if that is a cleaner internal API.
>
>> /* fix size and rehash if appropriate */
>> map->size--;
>> if (map->size < map->shrink_at)
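Review bot: the new `return;` in hashmap_remove() has no value, but the function is declared `void *`, so whenever `disallow_rehash` is set the caller does not get the removed entry back. It should presumably be `return old;`, the entry that was unlinked just above with `*e = old->next;`.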
>> diff --git a/hashmap.h b/hashmap.h
>> index 7a8fa7fa3d..ec9541b981 100644
>> --- a/hashmap.h
>> +++ b/hashmap.h
>> @@ -183,7 +183,8 @@ struct hashmap {
>> const void *cmpfn_data;
>>
>> /* total number of entries (0 means the hashmap is empty) */
>> - unsigned int size;
>> + /* -1 means size is unknown for threading reasons */
>> + int size;
>
> This double-encodes the state of disallow_rehash (i.e. if we had
> signed size, then the invariant disallow_rehash === (size < 0)
> is true, such that we could omit either the flag and just check for
> size < 0 or we do not need the negative size as any user would
> need to check disallow_rehash first. Not sure which API is harder
> to misuse. I'd think just having the size and getting rid of
> disallow_rehash might be hard to to reused.

(Do you mean "might be hard to be misused"?)

One good thing about turning off the size-tracking with threading is
that someone who later wants to know the size in a threaded application
will not introduce any subtle bugs by misusing size, but will be forced
to provide and use some sort of InterlockedIncrement(). When/if that
change happens, it would be nice if no-one relied on the value of size
to say anything about threading. So it might make sense to have an
implementation-independent way of accessing disallow_rehash a.k.a.
(size < 0).

For example a function hashmap_disallow_rehash(), except that's
obviously taken. :-) Maybe the existing function would then be
hashmap_set_disallow_rehash(). Oh well..

>
>>
>> /*
>> * tablesize is the allocated size of the hash table. A non-0 value
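Review bot: making `size` a signed `int` turns `map->size > map->grow_at` and `map->size < map->shrink_at` in hashmap.c into mixed-sign comparisons if `grow_at` and `shrink_at` stay unsigned, and a `size` of -1 would then compare as a very large value. The early returns keep those two checks from running while `size` is -1, but every other reader has to know about the sentinel; consider merging the two comments into one that states both meanings and reading `size` only through an accessor.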
>> @@ -360,6 +361,15 @@ int hashmap_bucket(const struct hashmap *map, unsigned
>> int hash);
>> static inline void hashmap_disallow_rehash(struct hashmap *map, unsigned
>> value)
>> {
>> map->disallow_rehash = value;
>> + if (value) {
>> + /*
>> + * Assume threaded operations starting, so don't
>> + * try to keep size current.
>> + */
>> + size = -1;
>> + } else {
>> + /* TODO count items in all buckets and set size. */
>> + }
>> }
>>
>> /*
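Review bot: `size = -1;` in hashmap_disallow_rehash() names no variable in scope, since the function's only parameters are `map` and `value`; it needs to be `map->size = -1;`. The `else` branch is still a TODO, so turning rehashing back on leaves `size` at -1 and the `map->size++` and `map->size--` paths in hashmap.c resume counting from that value; the recount should land together with this change.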
>>
>>
>> Jeff
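
The lost update discussed in this thread, as an added example in C that is not part of the original mails or of git's code: a toy map with per-bucket mutexes and one shared size counter, updated once as a separate load and store (standing in for the unlocked `map->size++`, written with atomics so the program stays well-defined C) and once with a C11 atomic add, the portable counterpart of the InterlockedIncrement() mentioned above. All names (`run_adds`, `size_split`, `size_atomic`) and the workload are assumptions made for the illustration.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Constructed workload on a toy map (not git's struct hashmap); run_adds() is single-shot. */
enum { NTHREADS = 4, NBUCKETS = 2, ADDS = 200000 };
static pthread_mutex_t bucket_lock[NBUCKETS] =
	{ PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER };
static unsigned int bucket_len[NBUCKETS]; /* guarded by bucket_lock[b] */
static atomic_uint size_split;  /* "size++" as a separate load and store */
static atomic_uint size_atomic; /* one indivisible fetch-add */
struct counts { unsigned int expected, in_buckets, split, atomic; };

static void *worker(void *arg)
{
	(void)arg;
	for (unsigned int i = 0; i < ADDS; i++) {
		pthread_mutex_lock(&bucket_lock[i % NBUCKETS]);
		bucket_len[i % NBUCKETS]++; /* safe: this bucket is locked */
		pthread_mutex_unlock(&bucket_lock[i % NBUCKETS]);
		/* No lock from here on: a peer can store between the load and the store. */
		atomic_store(&size_split, atomic_load(&size_split) + 1);
		atomic_fetch_add(&size_atomic, 1);
	}
	return NULL;
}

static struct counts run_adds(void)
{
	pthread_t t[NTHREADS];
	unsigned int n = 0; /* threads actually started */
	struct counts c = { 0, 0, 0, 0 };
	while (n < NTHREADS && pthread_create(&t[n], NULL, worker, NULL) == 0)
		n++;
	for (unsigned int i = 0; i < n; i++)
		pthread_join(t[i], NULL);
	c.expected = n * ADDS;
	for (unsigned int b = 0; b < NBUCKETS; b++)
		c.in_buckets += bucket_len[b];
	c.split = atomic_load(&size_split);
	c.atomic = atomic_load(&size_atomic);
	return c;
}

int main(void)
{
	struct counts c = run_adds();
	printf("expected=%u buckets=%u split=%u atomic=%u\n", c.expected, c.in_buckets, c.split, c.atomic);
	return 0;
}
```

Build with `cc -pthread`. The bucket totals and the atomic counter always match the number of adds, while the split counter can only fall short of it, which is the "wrong (lower) value" described in the report.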