Merge lp:~epics-core/epics-base/ioc-shutdown into lp:~epics-core/epics-base/3.15

Ralph, have you tested re-initialization? I see that callbackOnceFlag in callback.c is not being reset.

> static volatile enum ctl cbCtl;

Also, while I don't think this case will cause any problem, do we want to start using atomic ops for global flags like this as a matter of good practice?

Looks like re-init does quite work. Remaining issues include:

> Warning: Registration already done.

From the generated registrar code. Only a warning.

> Warning -- iocshRegisterVariable redefining asCaDebug.

From iocsh.c. The lists for registered shell functions and variables need to be cleared.

> Access security is NOT enabled. Was asSetFilename specified before iocInit?
> iocBuild: asInit Failed.

The 'firstTime' flag (at least) in asDbLib.c also needs to be reset.

> Looks like re-init does quite work.

doesn't

re-init crashes and errors are fixed (I think). Still leaking memory in dbReadCOM().

I've added a new test dbShutdownTest which does the complete startup and shutdown sequence twice. This is added in src/ioc/db/test despite the fact that it depends on src/std (ie base.dbd) because I'm too lazy to create src/std/test (or similar).

Seems that only the scan threads are restarted.
errlog, timerQueue, taskwd, and callback threads are missing in the second cycle().

Added a test that shows this.

Fixed the restart issues - the extended dbShutdownTests pass now.

For future reference: With almost 2**10 lines of diff this branch mixes together (admittedly related) changes to several different subsystems, which makes it hard to review (Jeff's 3.15_libcom_from_cvs_trunk branch has the same problem). The easier you make it to review a branch, the sooner and quicker it will likely be reviewed.

The documentation branch does not cover all the changes made here, it only talks about the modifications to the callback subsystem.

Is it wise to provide public APIs to all these Shutdown functions? I'm not so much concerned that this code doesn't work as whether by making them available we're letting ourselves in for a maintenance nightmare in the future. Do all these subsystems *need* to be shut down and restarted? What are the criteria for choosing which ones should and shouldn't be included? Could we shut everything down by calling epicsExitCallAtExits() instead, and just ensure that each system's registered shutdown function leaves the subsystem in a state that can be properly restarted?

The idea of resetting OnceFlags makes me cringe; they were never designed for that, and I'm not convinced that doing so is completely safe. The state change from EPICS_THREAD_ONCE_INIT through <active> to EPICS_THREAD_ONCE_DONE happens within the protection of a mutex inside the epicsThreadOnce() routines, the mutex providing a memory barrier on SMP. The reversals here are unprotected by either, and don't check that the subsystems have even been initialized either — could some other thread such as a time provider on a different CPU call a subsystem function at the wrong time while the subsystem is shutting down and crash it?

I'm not convinced that restarting an IOC inside the same process is a good idea, given the code we have (I know you're trying to change that, but I think it needs a properly planned solution, which this isn't [yet]). Just making the shutdown APIs available will mean that someone will want/try to use them on a running hard IOC, which is not going to work since we can't communicate the shutdown request to any device support or driver threads (other than by calling their epicsExitCallAtExits() routines, but existing support don't use that to prepare themselves for a restart).

IMHO if you need to test two independent IOCs, they need to be in two separate processes. You could split them into two test programs, or write the test as a Perl script which starts, controls and stops the IOCs as sub-processes; I have a Perl module which can do that on a host OS and could be extended to control an embedded IOC.

This isn't a definite NO, but I will need convincing that this is the right way to go.

- Andrew

On 12/03/2013 02:35 PM, Andrew Johnson wrote:
> For future reference: With almost 2**10 lines of diff this branch mixes together (admittedly related) changes to several different subsystems,

??? The merge proposal shows:

961 lines (+337/-53) 21 files modified

Also, the branch consists of many small, focused, changesets.

> The documentation branch does not cover all the changes made here, it only talks about the modifications to the callback subsystem.

Agreed, this needs to change.

> Is it wise to provide public APIs to all these Shutdown functions?

I would like to wrap all of this up into a single function (say
"testdbCleanup"). We could then make private header(s) for the many
shutdown calls. Would this make the change more acceptable.

> Could we shut everything down by calling epicsExitCallAtExits() instead, and just ensure that each system's registered shutdown function leaves the subsystem in a state that can be properly restarted?

This is an option I suppose.

> The idea of resetting OnceFlags makes me cringe;

A good point.

> I'm not convinced that restarting an IOC inside the same process is a good idea, given the code we have (I know you're trying to change that, but I think it needs a properly planned solution, which this isn't [yet]). Just making the shutdown APIs available will mean that someone will want/try to use them on a running hard IOC, which is not going to work since we can't communicate the shutdown request to any device support or driver threads (other than by calling their epicsExitCallAtExits() routines, but existing support don't use that to prepare themselves for a restart).

The goal is unittests. It it would help in your mind we can only allow
shutdown/cleanup between calling testPlan() and testDone().

On 12/03/2013 03:39 PM, mdavidsaver wrote:
> On 12/03/2013 02:35 PM, Andrew Johnson wrote:
>> For future reference: With almost 2**10 lines of diff this branch mixes
> together (admittedly related) changes to several different subsystems,
>
> ??? The merge proposal shows:
>
> 961 lines (+337/-53) 21 files modified

961 ≈ 1024

I'm just saying that the longer the diff is, the more reviewers will be
put off looking at it. If the changes were split into smaller dependent
branches, reviewing them might look like less work and could be done in
smaller chunks (this was a human psychology comment, not a programming
issue at all).

>> Is it wise to provide public APIs to all these Shutdown functions?
>
> I would like to wrap all of this up into a single function (say
> "testdbCleanup"). We could then make private header(s) for the many
> shutdown calls. Would this make the change more acceptable.

Hmm, maybe. How about an alternative API to iocInit, for test programs
only, and implemented outside of iocInit.c? I would be quite happy for
the various init*Sup() and related routines to be moved out of there and
into ioc/db somewhere, dbInit.c maybe?

>> Could we shut everything down by calling epicsExitCallAtExits() instead,
> and just ensure that each system's registered shutdown function leaves
> the subsystem in a state that can be properly restarted?
>
> This is an option I suppose.

The advantage of using epicsExitCallAtExits() is that we don't have to
expose the various Shutdown symbols at all, and we automatically stop
everything that we've started, in the (correct) reverse order.

The disadvantage is this will slow down IOC shutdown unnecessarily,
since we only need the 'clean up ready to start up again' actions in
those exit routines when we're running tests that need restart.

I'm getting visions of a subsystem management API; subsystems would
register both a fast exit and a slow clean-up routine with it. It could
even incorporate the taskwd, and provide subsystem/task status & health
info on request. This could also somewhere to centralize all of the
init/run/pause/exit enum task controls that are proliferating (which I
agree should probably become atomics).

Too much work?

- Andrew
--
Advertising may be described as the science of arresting the human
intelligence long enough to get money from it. -- Stephen Leacock

> On 12/03/2013 03:39 PM, mdavidsaver wrote:
> > On 12/03/2013 02:35 PM, Andrew Johnson wrote:
> >> For future reference: With almost 2**10 lines of diff this branch mixes
> > together (admittedly related) changes to several different subsystems,
> >
> > ??? The merge proposal shows:
> >
> > 961 lines (+337/-53) 21 files modified
>
> 961 ≈ 1024
>
> I'm just saying that the longer the diff is, the more reviewers will be
> put off looking at it. If the changes were split into smaller dependent
> branches, reviewing them might look like less work and could be done in
> smaller chunks (this was a human psychology comment, not a programming
> issue at all).

I was considering this, but did not find a useful subset of the changes that would have added a functionality that could be documented and tested for.

Which in my imagination would have led to rejection of each individual branch and you commenting that a single functionality should have been presented as a single branch instead of multiple dependent branches that don't add anything useful by itself. ;-)

Admittedly, I might have been able to split the callback related things off. But still with a high change of not being able to add the mandatory tests.

> The documentation branch does not cover all the changes made here, it only
> talks about the modifications to the callback subsystem.

If you are talking about the Application Developer's Guide, this change is IMHO the only one that is part of an API that Application Developers use.

Base development and internal APIs are not supposed to be covered by this document, correct?

> The advantage of using epicsExitCallAtExits() is that we don't have to
> expose the various Shutdown symbols at all, and we automatically stop
> everything that we've started, in the (correct) reverse order.
>
> The disadvantage is this will slow down IOC shutdown unnecessarily,
> since we only need the 'clean up ready to start up again' actions in
> those exit routines when we're running tests that need restart.
>
> I'm getting visions of a subsystem management API; subsystems would
> register both a fast exit and a slow clean-up routine with it. It could
> even incorporate the taskwd, and provide subsystem/task status & health
> info on request. This could also somewhere to centralize all of the
> init/run/pause/exit enum task controls that are proliferating (which I
> agree should probably become atomics).
>
> Too much work?

If you think further, that becomes a major design change of iocCore.

It basically means going from somewhat modular spaghetti toward a component model where we have a mostly administrative core framework, and everything else becomes a component, possibly with separate versioning, providing a component API that handles component admin (version), compatibility (components requiring certain versions of other components), status/health, init/run/pause/exit, etc.
The lists of available RSETs and DSETs would basically become extension points.

Existing support modules should have the choice of registering as a component. Plus maybe some generic (generated) code that handles existing record and device support to become (pseudo) components.

That would be a lot of work.
But I like the idea.

On 12/04/2013 03:49 AM, Ralph Lange wrote:
>> The documentation branch does not cover all the changes made here,
>> it only talks about the modifications to the callback subsystem.
>
> If you are talking about the Application Developer's Guide, this
> change is IMHO the only one that is part of an API that Application
> Developers use.

8.6.4 documents asInit(), so should mention asShutdown() nearby.
15.8.1 documents dbCaLinkInit(), so should mention dbCaShutdown(). Mea
culpa that it doesn't cover dbCaRun() or dbCaPause(), although they are
mentioned in section 7.
17.3 documents scanInit(), so should mention scanShutdown() nearby.
10.5 documents errlogInit(), so should mention errlogShutdown() nearby.

> Base development and internal APIs are not supposed to be covered by
> this document, correct?

Maybe, but as demonstrated above the documentation already covers
several internal APIs. If we don't modify those sections when we're
updating the code, the existing docs could start to contain wrong
information, which is a Bad Thing™ and may lead to Broken Window Syndrome.

--
Advertising may be described as the science of arresting the human
intelligence long enough to get money from it. -- Stephen Leacock

On 12/04/2013 04:56 AM, Ralph Lange wrote:
>> Too much work?
>
> If you think further, that becomes a major design change of iocCore.

I agree; maybe a Codeathon project for someone to look at?

> That would be a lot of work. But I like the idea.

I created a Blueprint on LP to keep the idea alive.

--
Advertising may be described as the science of arresting the human
intelligence long enough to get money from it. -- Stephen Leacock

So, where to go with this from here?

My preference would be to look further at the epicsExitCallAtExits() solution, instead of adding all the public Shutdown routines (which also reduces the documentation changes needed). Maybe we could add a global flag to epicsExit.c which the registered routines can check to decide whether they need to do a full clean-up ready for a restart, or just a quick shutdown (I want to avoid them all wasting time freeing memory if the process is about to exit or VxWorks is about to reboot).

epicsExitCallAtExits() is not currently re-usable, but can be made so relatively easily, I have the necessary changes here.

I've added epicsThreadOnceReset() to provide a safe way to reset once flags.

Also I introduce dbUnitTest.h to provide the boilerplate which unittests running in an IOC should use.

Where are we on this?

I would like to get this branch into a mergeable state, but I have lost track a bit, and I'm not sure about the line between long-term goals and mandatory features for this to be merged.

OK ... I think hiding the additional shutdown calls is what is left to do. I will

- move the various init*Sup() and related routines to ioc/db/dbInit.c
- create a private header dbInit.h
- call appropriately from iocInit.c and dbUnitTest.c through the dbInit.h API

- document dbUnitTest.h

That will not preclude us from doing more sophisticated module start/shutdown management later on, and be sufficient for the merge.

Correct?

Just merged the replacement ioc-shutdown2 branch, this merge is no longer applicable.