Merge lp:~alan-griffiths/mir/SwitchingBundle-controls-completion-of-client_acquire-without-blocking into lp:mir

PASSED: Continuous integration, rev:1383
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/812/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/858
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/855
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/451
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/542
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/542/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/546
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/546/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/452
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/452/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/440
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/3795

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/812/rebuild

previous approve still stands, it looks like the fix was to just prevent any frontend throws from making it to the compositor. Seems like a test for that scenario might be helpful though :)

I notice you only eliminated one out of three wait() calls in client_acquire(). I think that's the significant one anyway.

Also, the removal of cond.notify_all() is potentially very dangerous with cond.wait()'s scattered throughout the code still. I can't yet tell if it's safe.

> previous approve still stands, it looks like the fix was to just prevent any
> frontend throws from making it to the compositor. Seems like a test for that
> scenario might be helpful though :)

Actually, adding the missing lock in ~SessionMediator() is at least as significant as it prevents race conditions where the session closes down while swapping buffers. Vis:

97 + std::unique_lock<std::mutex> lock(session_mutex);

> I notice you only eliminated one out of three wait() calls in
> client_acquire(). I think that's the significant one anyway.
>
> Also, the removal of cond.notify_all() is potentially very dangerous with
> cond.wait()'s scattered throughout the code still. I can't yet tell if it's
> safe.

One of the "wait()"s moved to complete_client_acquire() and relates to snapshotting - the "notify()" in snapshot_release() is clearly still in place.

The "wait()" that remains in client_acquire() seems to relate to a scenario that AFAICS doesn't happen in current usage (multiple client buffers having been acquired). But again, there is a "notify()" in client_release()

The "wait()" and "notify()"s I've remove relate to a third wait condition - waiting for compositing to release a buffer.

One concerning aspect of the changes I realized while reviewing this MP (but not introduced by this MP) is that we moved work from the client thread to the compositor thread. That is, compositor_release() calls complete_client_acquire() which:

1. May block if a snapshot is taking place.
2. Calls the externally provided completion function which may take some time to finish.
3. The provided completion function is called under lock, which needs care.

The compositor's interaction with the SwitchingBundle is supposed to be super-fast and non-blocking, and the changes break these assumptions.

I am OK with this MP per se, so approving, but I think we need to re-evaluate our approach, in light of the points above (I am not saying they are a problem necessarily, but we certainly need to investigate/discuss further).

> I am OK with this MP per se, so approving, but I think we need to re-evaluate our approach, in light of the points > above (I am not saying they are a problem necessarily, but we certainly need to investigate/discuss further).

Oops, sorry, left over draft. Should have been only:

I think we need to re-evaluate our approach, in light of the points above (I am not saying they are a problem necessarily, but we certainly need to investigate/discuss further).

> (but not introduced by this MP)

This is not true either, remains of earlier draft...

So, I think you're saying: "Needs Discussion"

~~~~

we moved work from the client thread to the compositor thread. That is, compositor_release() calls complete_client_acquire() which:

1. May block if a snapshot is taking place.
2. Calls the externally provided completion function which may take some time to finish.
3. The provided completion function is called under lock, which needs care.

The compositor's interaction with the SwitchingBundle is supposed to be super-fast and non-blocking, and the changes break these assumptions.

I think we need to re-evaluate our approach, in light of the points above (I am not saying they are a problem necessarily, but we certainly need to investigate/discuss further).

~~~~

It is worth mentioning that these assumptions will only fail when we start compositing a surface that we'd previously blocked. Not that it can't be considered an issue, but it isn't the principle path through the code.

It seems my original concerns [1] about thread safety are somewhat justified now, according to helgrind:

development-branch: 236 errors from 8 contexts
This branch: 1998 errors from 9 contexts

Tested with:
    valgrind --tool=helgrind bin/mir_unit_tests --gtest_filter="SwitchingBundle*"

[1] https://code.launchpad.net/~alan-griffiths/mir/refactoring-so-SwitchingBundle-can-control-completion-of-client_acquire/+merge/204244

I can't immediately see what the new context is, but the significant increase in errors warrants some attention.

> It seems my original concerns [1] about thread safety are somewhat justified
> now, according to helgrind:
>
> development-branch: 236 errors from 8 contexts
> This branch: 1998 errors from 9 contexts
>
> Tested with:
> valgrind --tool=helgrind bin/mir_unit_tests
> --gtest_filter="SwitchingBundle*"
>
> [1] https://code.launchpad.net/~alan-griffiths/mir/refactoring-so-
> SwitchingBundle-can-control-completion-of-client_acquire/+merge/204244
>
> I can't immediately see what the new context is, but the significant increase
> in errors warrants some attention.

Giving it some attention.

> It seems my original concerns [1] about thread safety are somewhat justified
> now, according to helgrind:
>
> development-branch: 236 errors from 8 contexts
> This branch: 1998 errors from 9 contexts
>
> Tested with:
> valgrind --tool=helgrind bin/mir_unit_tests
> --gtest_filter="SwitchingBundle*"
>
> [1] https://code.launchpad.net/~alan-griffiths/mir/refactoring-so-
> SwitchingBundle-can-control-completion-of-client_acquire/+merge/204244
>
> I can't immediately see what the new context is, but the significant increase
> in errors warrants some attention.

With the following suppression file we get a clean run. (Please check you're happy with these suppressions.)

AFAICS the only possibly contentious one is for client_acquire_blocking() in test_swapping_swappers.cpp

###############################################################################
# Part 1: Suppress spurious races in std library functions

{
   std::atomic::load
   Helgrind:Race
   fun:_ZNKSt13__atomic_baseIbE4loadESt12memory_order
}
{
   std::atomic::store
   Helgrind:Race
   fun:_ZNSt13__atomic_baseIbE5storeEbSt12memory_order
}

{
   std::mutex::unlock()
   Helgrind:Race
   fun:_ZNSt5mutex6unlockEv
   obj:*
}

{
   std::mutex::lock()
   Helgrind:Race
   fun:_ZNSt5mutex4lockEv
   obj:*
}

{
   std::thread::join
   Helgrind:Race
   obj:/usr/lib/valgrind/vgpreload_helgrind-amd64-linux.so
   fun:_ZNSt6thread4joinEv
}

{
   std::unique_lock::~unique_lock()
   Helgrind:Race
   fun:_ZNSt11unique_lockISt5mutexED1Ev
   obj:*
}

{
   std::unique_lock::unique_lock(std::mutex&)
   Helgrind:Race
   fun:_ZNSt11unique_lockISt5mutexEC1ERS0_
}

{
   std::shared_ptr<mir::graphics::Buffer, (__gnu_cxx::_Lock_policy)2>::get() const
   Helgrind:Race
   fun:_ZNKSt12__shared_ptrIN3mir8graphics6BufferELN9__gnu_cxx12_Lock_policyE2EE3getEv
   obj:*
}

{
   std::chrono::duration_cast
   Helgrind:Race
   fun:_ZNSt6chrono20__duration_cast_implINS_8durationIlSt5ratioILl1ELl1EEEES2_ILl1ELl1000EElLb1ELb0EE6__castIlS5_EES4_RKNS1_IT_T0_EE
}

{
   std::thread::_Impl_base::~_Impl_base()
   Helgrind:Race
   fun:_ZNSt6thread10_Impl_baseD1Ev
}

{
   std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count()
   Helgrind:Race
   fun:_ZNSt14__shared_countILN9__gnu_cxx12_Lock_policyE2EED1Ev
}

###############################################################################
# Part 2: Suppress spurious races in std library template instantiations

{
   std::thread::_Impl<std::_Bind_simple<void (*(std::reference_wrapper<mir::compositor::SwitchingBundle>, std::reference_wrapper<unsigned long>, std::reference_wrapper<mir::graphics::BufferID>))(mir::compositor::SwitchingBundle&, unsigned long&, mir::graphics::BufferID&)> >::~_Impl()
   Helgrind:Race
   fun:_ZNSt6thread5_ImplISt12_Bind_simpleIFPFvRN3mir10compositor15SwitchingBundleERmRNS2_8graphics8BufferIDEESt17reference_wrapperIS4_ESC_ImESC_IS8_EEEED1Ev
}

{
   std::thread::_Impl<std::_Bind_simple<void (*(std::reference_wrapper<mir::compositor::SwitchingBundle>, int))(mir::compositor::SwitchingBundle&, int)> >::~_Impl()
   Helgrind:Race
   fun:_ZNSt6thread5_ImplISt12_Bind_simpleIFPFvRN3mir10compositor15SwitchingBundleEiESt17reference_wrapperIS4_EiEEED1Ev
}...

FAILED: Continuous integration, rev:1385
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/838/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/895
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/892
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/487/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/568
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/568/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/572
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/572/artifact/work/output/*zip*/output.zip
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/488/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/838/rebuild

PASSED: Continuous integration, rev:1386
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/840/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/898
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/895
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/490
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/570
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/570/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/574
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/574/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/491
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/491/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/473
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/3944

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/840/rebuild

I find it hard to believe the C++ library is really that bad. I know if using pure pthread calls then helgrind is always right and you always need to fix your code. Although I can see helgrind is wrong about std::atomic, so it could be wrong elsewhere too. Not sure.

OK, ignoring helgrind, I don't see any reason why this proposal would be wrong.

I'm nervous about major changes to something that took several months to perfect, just as we were nervous to retire the code it replaced. But I don't have a logical argument against these changes right now.

I am OK with the implementation details, but I am still concerned about introducing delays in the compositing threads. Approving, but we should keep our eyes open for unwanted effects.

> I find it hard to believe the C++ library is really that bad. I know if using
> pure pthread calls then helgrind is always right and you always need to fix
> your code. Although I can see helgrind is wrong about std::atomic, so it could
> be wrong elsewhere too. Not sure.

The difficulty for helgrind is that there are a lot of built-in types that are inherently atomic on Intel. Which means that the generated opcodes are identical to using thew without the atomic wrapper. The same is true of atomic counters used in the threads and smart pointer implementations.

There's discussion on the valgrind, g++ and clang forums about this as it obviously makes checking use of c++11 atomics, threads, lambdas and smart pointers noisy with the potential to lose the signal in the noise.

I don't see a clear solution other than to suppress the false positives (and, I don't immediately see a way to handle generically for template instantiations).