/Documentation/RCU/checklist.txt

https://bitbucket.org/evzijst/gittest · Plain Text · 157 lines · 125 code · 32 blank · 0 comment · 0 complexity · f8cf861864267427926add14bfce957f MD5 · raw file

  1. Review Checklist for RCU Patches
  2. This document contains a checklist for producing and reviewing patches
  3. that make use of RCU. Violating any of the rules listed below will
  4. result in the same sorts of problems that leaving out a locking primitive
  5. would cause. This list is based on experiences reviewing such patches
  6. over a rather long period of time, but improvements are always welcome!
  7. 0. Is RCU being applied to a read-mostly situation? If the data
  8. structure is updated more than about 10% of the time, then
  9. you should strongly consider some other approach, unless
  10. detailed performance measurements show that RCU is nonetheless
  11. the right tool for the job.
  12. The other exception would be where performance is not an issue,
  13. and RCU provides a simpler implementation. An example of this
  14. situation is the dynamic NMI code in the Linux 2.6 kernel,
  15. at least on architectures where NMIs are rare.
  16. 1. Does the update code have proper mutual exclusion?
  17. RCU does allow -readers- to run (almost) naked, but -writers- must
  18. still use some sort of mutual exclusion, such as:
  19. a. locking,
  20. b. atomic operations, or
  21. c. restricting updates to a single task.
  22. If you choose #b, be prepared to describe how you have handled
  23. memory barriers on weakly ordered machines (pretty much all of
  24. them -- even x86 allows reads to be reordered), and be prepared
  25. to explain why this added complexity is worthwhile. If you
  26. choose #c, be prepared to explain how this single task does not
  27. become a major bottleneck on big multiprocessor machines.
  28. 2. Do the RCU read-side critical sections make proper use of
  29. rcu_read_lock() and friends? These primitives are needed
  30. to suppress preemption (or bottom halves, in the case of
  31. rcu_read_lock_bh()) in the read-side critical sections,
  32. and are also an excellent aid to readability.
  33. 3. Does the update code tolerate concurrent accesses?
  34. The whole point of RCU is to permit readers to run without
  35. any locks or atomic operations. This means that readers will
  36. be running while updates are in progress. There are a number
  37. of ways to handle this concurrency, depending on the situation:
  38. a. Make updates appear atomic to readers. For example,
  39. pointer updates to properly aligned fields will appear
  40. atomic, as will individual atomic primitives. Operations
  41. performed under a lock and sequences of multiple atomic
  42. primitives will -not- appear to be atomic.
  43. This is almost always the best approach.
  44. b. Carefully order the updates and the reads so that
  45. readers see valid data at all phases of the update.
  46. This is often more difficult than it sounds, especially
  47. given modern CPUs' tendency to reorder memory references.
  48. One must usually liberally sprinkle memory barriers
  49. (smp_wmb(), smp_rmb(), smp_mb()) through the code,
  50. making it difficult to understand and to test.
  51. It is usually better to group the changing data into
  52. a separate structure, so that the change may be made
  53. to appear atomic by updating a pointer to reference
  54. a new structure containing updated values.
  55. 4. Weakly ordered CPUs pose special challenges. Almost all CPUs
  56. are weakly ordered -- even i386 CPUs allow reads to be reordered.
  57. RCU code must take all of the following measures to prevent
  58. memory-corruption problems:
  59. a. Readers must maintain proper ordering of their memory
  60. accesses. The rcu_dereference() primitive ensures that
  61. the CPU picks up the pointer before it picks up the data
  62. that the pointer points to. This really is necessary
  63. on Alpha CPUs. If you don't believe me, see:
  64. http://www.openvms.compaq.com/wizard/wiz_2637.html
  65. The rcu_dereference() primitive is also an excellent
  66. documentation aid, letting the person reading the code
  67. know exactly which pointers are protected by RCU.
  68. The rcu_dereference() primitive is used by the various
  69. "_rcu()" list-traversal primitives, such as the
  70. list_for_each_entry_rcu().
  71. b. If the list macros are being used, the list_del_rcu(),
  72. list_add_tail_rcu(), and list_del_rcu() primitives must
  73. be used in order to prevent weakly ordered machines from
  74. misordering structure initialization and pointer planting.
  75. Similarly, if the hlist macros are being used, the
  76. hlist_del_rcu() and hlist_add_head_rcu() primitives
  77. are required.
  78. c. Updates must ensure that initialization of a given
  79. structure happens before pointers to that structure are
  80. publicized. Use the rcu_assign_pointer() primitive
  81. when publicizing a pointer to a structure that can
  82. be traversed by an RCU read-side critical section.
  83. [The rcu_assign_pointer() primitive is in process.]
  84. 5. If call_rcu(), or a related primitive such as call_rcu_bh(),
  85. is used, the callback function must be written to be called
  86. from softirq context. In particular, it cannot block.
  87. 6. Since synchronize_kernel() blocks, it cannot be called from
  88. any sort of irq context.
  89. 7. If the updater uses call_rcu(), then the corresponding readers
  90. must use rcu_read_lock() and rcu_read_unlock(). If the updater
  91. uses call_rcu_bh(), then the corresponding readers must use
  92. rcu_read_lock_bh() and rcu_read_unlock_bh(). Mixing things up
  93. will result in confusion and broken kernels.
  94. One exception to this rule: rcu_read_lock() and rcu_read_unlock()
  95. may be substituted for rcu_read_lock_bh() and rcu_read_unlock_bh()
  96. in cases where local bottom halves are already known to be
  97. disabled, for example, in irq or softirq context. Commenting
  98. such cases is a must, of course! And the jury is still out on
  99. whether the increased speed is worth it.
  100. 8. Although synchronize_kernel() is a bit slower than is call_rcu(),
  101. it usually results in simpler code. So, unless update performance
  102. is important or the updaters cannot block, synchronize_kernel()
  103. should be used in preference to call_rcu().
  104. 9. All RCU list-traversal primitives, which include
  105. list_for_each_rcu(), list_for_each_entry_rcu(),
  106. list_for_each_continue_rcu(), and list_for_each_safe_rcu(),
  107. must be within an RCU read-side critical section. RCU
  108. read-side critical sections are delimited by rcu_read_lock()
  109. and rcu_read_unlock(), or by similar primitives such as
  110. rcu_read_lock_bh() and rcu_read_unlock_bh().
  111. Use of the _rcu() list-traversal primitives outside of an
  112. RCU read-side critical section causes no harm other than
  113. a slight performance degradation on Alpha CPUs and some
  114. confusion on the part of people trying to read the code.
  115. Another way of thinking of this is "If you are holding the
  116. lock that prevents the data structure from changing, why do
  117. you also need RCU-based protection?" That said, there may
  118. well be situations where use of the _rcu() list-traversal
  119. primitives while the update-side lock is held results in
  120. simpler and more maintainable code. The jury is still out
  121. on this question.
  122. 10. Conversely, if you are in an RCU read-side critical section,
  123. you -must- use the "_rcu()" variants of the list macros.
  124. Failing to do so will break Alpha and confuse people reading
  125. your code.