CA-399757: Add CAS style check for SR scan #6113
Conversation
Vincent-lau
force-pushed
the
private/shul2/scan-cas
branch
from
a7928b1 to
95322fe
Compare
Well then someone has to be constantly changing it under our feet. I think the only source that could do that would be SMAPIv1 calling back to xapi, which shouldn't happen all the time... |
There was a problem hiding this comment.
See commentary above.
I think the lack of else begin ... end makes the following a bug:
if db_vdis_after <> db_vdis_before then
scan_rec () ;
update_vdis ~__context ~sr db_vdis_after vs ;If you do recursively call scan_rec and it converges, you will then update_vdis, return to the caller and update_vdis with its version of db_vdis_after. This is probably not the desired semantics.
I think this should be a loop guard with a max retry bound, not recursion.
|
Could we mitigate the TOCTOU issue somewhat by holding the DB lock when computing I don't know how expensive all the storage operations are in general or if this is the TOCTOU issue you mention, so this suggestion may be deeply destructive if you hold the lock for too long. This assumes the TOCTOU issue you're talking about is the potential to interleave changes between the breaking of the loop and the subsequent updates. |
The TOCTOU problem happens when the db gets changed after we do the check So you are suggesting holding the lock before |
Something like: I don't think the database lock exposes such an interface, I think we restricted it to be a |
Yes I am worried about deadlocking if we hold this lock. It could be that SR.scan is run on a pool member, and it will hold the lock for a period, while invoking updates such as In general there is just no way to solve this cleanly... |
Vincent-lau
force-pushed
the
private/shul2/scan-cas
branch
from
95322fe to
1e9ed52
Compare
This function can run on any host (e.g. a pool member for a local SR), but the coordinator runs the database and only the coordinator has access to DB locks. |
|
I think this is fine after adding the iteration limit, as discussed above. |
Vincent-lau
force-pushed
the
private/shul2/scan-cas
branch
2 times, most recently
from
f03e740 to
2756dd0
Compare
There was a problem hiding this comment.
The recent changes look good.
My only nitpick is that the order of operands in db_vdis_after <> db_vdis_before && limit > 0 could be swapped under the general idea that less costly computations that can short-circuit a condition should be tested first. Of course, it is the single limit retry case that this benefits the most and only in marginal ways.
Vincent-lau
force-pushed
the
private/shul2/scan-cas
branch
from
2756dd0 to
87ca90e
Compare
SR.scan is currently not an atomic operation, and this has caused problems as during the scan itself, there might be other calls changing the state of the database, such as VDI.db_introduce called by SM, if using SMAPIv1. This will confuse SR.scan as it sees an outdated snapshot. The proposed workaround would be add a CAS style check for SR.scan, which will refuse to update the db if it detects changes. This is still subject to the TOCTOU problem, but should reduce the racing window. Signed-off-by: Vincent Liu <shuntian.liu2@cloud.com>
This is to reduce the chance of race between
SR.scanandVDI.db_introduce. More details in the comment, but this won't fix the problem, but just makes it less likely to happen...I have seen a few instances of this happening now in SXM tests, so need to prioritise fixing this
Trying to run some tests on this, but it's hard to know effective this is as storage migration tends to require lots of resources, and does not get run very often. Plus this issue is not very reproducible.