Merge lp:~dandrader/mir/switchingBundle_lp1270964 into lp:mir

> (2) Please remove "friend class ..." and all the ASSERT_EQ statements that depend on it. They're not needed to produce a correct regression test

Sure, but I do think there's a lot of value in testing the internal state, as you can identify problems at an earlier stage before they manifest themselves externally, in this case, locking in a subsequent call.

PASSED: Continuous integration, rev:1342
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/697/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/686
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/682
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/288
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/427
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/427/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/431
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/431/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/288
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/288/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/302
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/3225

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/697/rebuild

52 +/*
53 + Regression test for LP#1270964
54 + In the situation emulated here SwitchingBundle::last_consumed ise used without ever being set,
55 + thus its initial value of zero will wrongly be used and lead to bogus behavior.
56 + */
57 +TEST_F(SwitchingBundleTest, compositor_client_interleaved)

Would a better name be "does_not_hang_as_described_in_bug_1270964"?

71 + //(nbufs=3,fcomp=2,ncomp=1,fready=0,nready=1,fclient=1,nclient=1) <-- BUG starts here
72 + // Should be:
73 + //(nbufs=3,fcomp=0,ncomp=1,fready=0,nready=0,fclient=1,nclient=1)
...
77 + //(nbufs=3,fcomp=2,ncomp=1,fready=0,nready=2,fclient=2,nclient=0)
78 + // Should be:
79 + //(nbufs=3,fcomp=0,ncomp=1,fready=1,nready=1,fclient=2,nclient=0)

These comments are too cryptic for me.

81 + client_buffer = bundle.client_acquire(); // <- would lock here if in buggy state

I'm not a fan of tests that fail by hanging.

> 71 + //(nbufs=3,fcomp=2,ncomp=1,fready=0,nready=1,fclient=1,nclient=1)
> <-- BUG starts here
> 72 + // Should be:
> 73 + //(nbufs=3,fcomp=0,ncomp=1,fready=0,nready=0,fclient=1,nclient=1)
> ...
> 77 + //(nbufs=3,fcomp=2,ncomp=1,fready=0,nready=2,fclient=2,nclient=0)
> 78 + // Should be:
> 79 + //(nbufs=3,fcomp=0,ncomp=1,fready=1,nready=1,fclient=2,nclient=0)
>
> These comments are too cryptic for me.

This is the output of operator<<, telling the internal state of SwitchingBundle.

>
> 81 + client_buffer = bundle.client_acquire(); // <- would lock here if in
> buggy state
>
> I'm not a fan of tests that fail by hanging.

Me neither, suggestions?

That's the external, "visible", symptom of this bug. The other option being checking the internal state of SwitchingBundle after each step to see if doing things correctly. But duflu doesn't like that.

I vote for internal state checks, as explained on a previous comment.

So, what do we do?
1 - test if it locks (current approach)
2 - check the internal state (doesn't hang when it fails as it detects the issue at earlier steps)
3 - Suggestions?

> > I'm not a fan of tests that fail by hanging.
>
> Me neither, suggestions?
>
> That's the external, "visible", symptom of this bug. The other option being
> checking the internal state of SwitchingBundle after each step to see if doing
> things correctly. But duflu doesn't like that.
>
> I vote for internal state checks, as explained on a previous comment.
>
> So, what do we do?
> 1 - test if it locks (current approach)
> 2 - check the internal state (doesn't hang when it fails as it detects the
> issue at earlier steps)
> 3 - Suggestions?

Some (not necessarily good) suggestions...

Expose enough of the state to enable a check through the public interface. e.g.

   ASSERT_TRUE(bundle.is_valid());

Or check the result of streaming?

    std::ostringstream out;
    out << bundle;
    ASSERT_THAT(out.str(), HasSubstring(...));

Have a timer thread that breaks the lock.

could this be related to https://bugs.launchpad.net/mir/+bug/1270245 ?

As stated yesterday:
"And before anyone asks, this has nothing to do with bug 1270245 (which still happens with this branch)."

This solution is indeed technically correct. Although I would personally take a simpler approach and initialize last_consumed to 0xdeadbeef or something similar. Then the caller has much less (1 in 4 billion) chance of accidentally writing code than could trigger the bug. And no need for a new member.

Fortunately I just realized and remembered Mir presently has 0% chance of experiencing the bug. Because our real compositor starts at frame #1.

> Fortunately I just realized and remembered Mir presently has 0% chance of
> experiencing the bug. Because our real compositor starts at frame #1.

Then a comment "use 1 for the first frameno" would appear to suffice".

> Fortunately I just realized and remembered Mir presently has 0% chance of
> experiencing the bug. Because our real compositor starts at frame #1.

For what it's worth, I consistently get it with the prototype qml compositor.

> > Fortunately I just realized and remembered Mir presently has 0% chance of
> > experiencing the bug. Because our real compositor starts at frame #1.
>
> Then a comment "use 1 for the first frameno" would appear to suffice".

As a workaround.

> > Fortunately I just realized and remembered Mir presently has 0% chance of
> > experiencing the bug. Because our real compositor starts at frame #1.
>
> For what it's worth, I consistently get it with the prototype qml compositor.

Because I start with frameno 0, duh.

> > Fortunately I just realized and remembered Mir presently has 0% chance of
> > experiencing the bug. Because our real compositor starts at frame #1.
>
> For what it's worth, I consistently get it with the prototype qml compositor.

Then it could be argued that the prototype qml compositor is buggy - as we now realize know it should not start with frameno = 0.

I'm now tending to the view that 0 is a bad initial value (as it is otherwise reasonable for a compositor to start with this value) and that there ought to be better way to manage frame numbers (e.g. a generator class or just a constant "initial_frameno").

I don't like the proposed test (as discussed above) and the proposed solution feels complex for what is really a poor interface relying on an undocumented convention.

Now the test doesn't lock on failure or probe SwitchingBundle's internal state. Should make everybody happy. :)

Since 0 is a valid value it may come up again when our global/local frameno counts wrap around. So we either:
1. Need to allow it (proposed solution)
2. Make the value invalid and ensure 100% that it never comes up during normal operation

I am OK with (1). It allows the user to start with any initial value they want and this is in IMO a better interface since less is expected from the user and there is no opportunity for error.

That being said, I would also be happy with something like the following for approach (2):

struct FrameNumber
{
    void operator++() { if (++number == invalid_value) ++number; }
    int operator int() { return number; }

    static int const invalid_value = 0;

private:
    int number = invalid_value + 1;
};

BufferBundle::compositor_acquire(FrameNumber frameno);

As a gradual improvement I would suggest an encapsulation of these two member variables into one:

i.e. using boost::optional<unsigned long> last_consuned;

But Alexandros proposal for (2) is nicer.

> Since 0 is a valid value it may come up again when our global/local frameno
> counts wrap around.

that doesn't matter if last_consumed has been written - it is only the first frame number used that can trigger the failure.

PASSED: Continuous integration, rev:1343
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/708/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/702
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/698
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/304
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/438
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/438/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/442
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/442/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/304
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/304/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/317
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/3255

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/708/rebuild

> > Since 0 is a valid value it may come up again when our global/local frameno
> > counts wrap around.
>
> that doesn't matter if last_consumed has been written - it is only the first
> frame number used that can trigger the failure.

The fine point here is that this is a potential problem for all new surfaces, since they may be created just after the count wraps around and therefore get 0 as their first frameno value.

> As a gradual improvement I would suggest an encapsulation of these two member
> variables into one:
>
> i.e. using boost::optional<unsigned long> last_consuned;

I liked it! Done.

PASSED: Continuous integration, rev:1344
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/711/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-trusty-i386-build/708
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-trusty-amd64-build/704
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-trusty-touch/309
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/441
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-amd64-ci/441/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/445
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-trusty-armhf-ci/445/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/309
        deb: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-builder-trusty-armhf/309/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/322
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/3266

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/711/rebuild

> As stated yesterday:
> "And before anyone asks, this has nothing to do with bug 1270245 (which still
> happens with this branch)."

must have missed the message, sorry

I'm not sure that using boost is a better solution. Mostly because boost is so hideously documented that it's often very hard for the reader to learn what a particular template is/does. If using an additional variable lets you create a solution that the reader will understand immediately (no new library to learn), then that would have been better.

Now I kind of understand boost::optional, I think it's a dangerous template to use. Because assigning to an optional and testing its boolean value are essentially unrelated values. That's asking to be misinterpreted (as I have already today).

But this new version looks correct also.

> [...] Mostly because boost is so hideously documented that it's often very hard for the reader to learn what a particular template is/does. [...]

Gotta agree with you on that.

Wasn't easy to learn boost::optional from its own documentation, which is more an essay on its motivation and design than an explanation on how to actually use it (the header file ended up doing the job).