(#507) Change platform_buffer_create()/destroy() interfaces to platform_buffer_init() / deinit() methods.

[gapisback]

This commit reworks the interfaces of platform_buffer_create() and platform_buffer_destroy() to now become platform_buffer_init() and platform_buffer_deinit() interfaces.

This removes a dependency on platform_heap_id or platform_heap_handle arg.

This change does not functionally change anything in these methods. Also, this (indirectly) fixes a minor bug in the create function to deal with the (very rare) case of failing to allocate memory from the heap for buffer_handle *bh . Added small unit-test, platform_apis_test, to exercise these changes.

---

NOTE: This is some common infra-code built in a prototype dev branch for supporting different memory handles.

I'm pulling this piece out on its own for integration to /main, so that this ground work can be laid for integrating future dev-efforts (w/ little less pain).

[netlify]

✅ Deploy Preview for splinterdb canceled.

Name	Link
🔨 Latest commit	3f57698
🔍 Latest deploy log	https://app.netlify.com/sites/splinterdb/deploys/63be05d639bc1f0008bd100f

[gapisback]

Minor new unit-test to exercise the changed APIs.

[gapisback]

This arg sets the stage to allow diff heap-ID handles in future.

(As discussed previously, for the in-flight prototype dev code to support use of shared memory for allocation, I am reusing this heap_id as the handle to select the shared-segment ID to allocate from. The change I'm doing here sets up the stage to move to that model, if we ever decide to productize that implementation.

Even if we choose to not go that route, this change by itself is not problematic, and should continue to work correctly.
)

[gapisback]

Minor bug-fix; otherwise old L99 will seg-fault.

[gapisback]

Interface changed (for the same reasons as for the create() method) so that we can use the right heap_id while freeing memory. Otherwise, default platform_get_heap_id() may be NULL, and we may end up not freeing the memory with the proper heap-ID.

[gapisback]

Blocks of code are indented to the left now as we've lost L 66 if() condition. Function will return early on L73 if bh == NULL.

[gapisback]

Changed the interface to receive address of buffer_handle *, so that it can be NULL'ed out on exit.
(This is a safer way to avoid callers accidentally accessing bh_in after this call.

[gapisback]

example of this usage. al->bh will be NULL'ed out upon return.

[ajhconway]

LGTM

[rtjohnso]

I would like to propose a different approach:

Change these from create and destroy functions to init and deinit functions.

Then change all users to declare buffer_handles instead of buffer_handle * fields in their structures.

I believe this will solve the problem you are trying to solve.

I discussed this with Alex and he also thinks this would actually be better than the existing code.

[gapisback]

HI @rtjohnso - Based on your suggestion to rework this approach, I made the required changes. Uploaded a new commit, here.

(I will squash the two commits and will clean up the commit messages once you approve this work, and before I integrate this to /main.)

It has certainly simplified the interface and code and solves the dependency on the heap_id argument entirely. This works well to pre-stage this change to absorb use of different memory streams in the future. So, thanks!

[rtjohnso]

Awesome.

There are two main things I'm requesting:

• Clean up the error handling in clockcache_init (see comments).
• Audit the code you've changed to see if any additional heap_id or heap_handle parameters or structure fields can be eliminated. I think I flagged them all in comments, but it would be good to double-check.

Thank you!

[rtjohnso]

The error handling needs to be tightened up.

If either platform_buffer_init fails, then we goto alloc_error, which does clockcache_deinit. And clockcache_deinit unconditionally calls platform_buffer_deinit on both buffers. And platform_buffer_deinit unconditionally calls munmap on the buffer_handle's addr. But, depending on where we fail, none, one, or both of the buffers may have not been inited, so calling munmap could cause an error.

There are two ways to fix this, I think:

1. Modify clockcache_deinit to check whether the corresponding pointer is NULL before it calls platform_buffer_deinit. So, it would check cc->data before calling platform_buffer_deinit(&cc->bh) and it would check cc->refcount before calling platform_buffer_deinit(&cc->rc_bh).
2. Modify clockcache_init to have different error handling targets and do the cleanup on its own, i.e. have goto alloc_failure1;, goto alloc_failure2;, etc.

My preference is Option 1, but either is fine.

[gapisback]

@rtjohnso - There are quite a few callers to platform_buffer_deinit(), and technically, one has to comb through all instances to make sure that we are not calling this wrongly.

A 3rd approach would be to push the checks to inside of platform_buffer_deinit().

It will try to do the munmap() only if bh->addr is non-NULL. This will solve the error handling issue from clockcache_deinit() and also protect all other instances where platform_buffer_deinit() is being called.

What are your thoughts on this approach (before I implement it).

[gapisback]

(And, ooops, ... sorry, I introduced this error handling issue when implementing the change to introduce init() / deinit() interface, without looking too hard at error handling. Sorry!)

[gapisback]

@rtjohnso : Re: your comment that "Before the buffer_handle is inited, addr may be garbage, so you cannot safely deinit based on the value of addr."

In the two places we are talking about, both rc_allocator_init() and clockcache_init() do a ZERO_CONTENTS(al) and ZERO_CONTENTS(cc).

So, certainly for the error path going through clockcache_deinit(), we should be sure that cc->bh->addrwill be NULL even beforeinit()` happened.

Unless you can spot something else I am overlooking, seems like pushing the NULL-check to inside platform_buffer_deinit() should work.

[gapisback]

Discussed this in PR meeting. Rework this as suggested by @robj. clockcache_deinit() will only call platform_buffer_deinit() only if corresponding pointers are non-NULL.

Remove the fix as applied in the latter function.

[rtjohnso]

Before the buffer_handle is inited, addr may be garbage, so you cannot safely deinit based on the value of addr. Best, Rob Message ID: ***@***.***>

…

[rtjohnso]

Actually I think it was broken in different ways before, so no worries! Thank you fixing it all up.

…

On Sun, Jan 8, 2023 at 9:01 PM gapisback ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In src/clockcache.c <#508 (comment)>: > @@ -1841,11 +1843,12 @@ clockcache_init(clockcache *cc, // OUT /* Entry per-thread ref counts */ size_t refcount_size = cc->cfg->page_capacity * CC_RC_WIDTH * sizeof(uint8); - cc->rc_bh = platform_buffer_create(refcount_size, cc->heap_handle, mid); - if (!cc->rc_bh) { + + rc = platform_buffer_init(&cc->rc_bh, refcount_size); + if (!SUCCESS(rc)) { (And, ooops, ... sorry, I introduced this error handling issue when implementing the change to introduce init() / deinit() interface, without looking too hard at error handling. Sorry!) — Reply to this email directly, view it on GitHub <#508 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA45FRK6LX3MSDTAVNGS4YTWROLT7ANCNFSM6AAAAAATGFT2QU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[rtjohnso]

That's pretty un-idiomatic of how `_init` functions usually work and makes some weird usage rules. What if I want to use a buffer_handle somewhere else? What if I want one on the stack? Now I have to know that I need to zero it before I can init it? Very error prone.

…

On Sun, Jan 8, 2023 at 9:44 PM gapisback ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In src/clockcache.c <#508 (comment)>: > @@ -1841,11 +1843,12 @@ clockcache_init(clockcache *cc, // OUT /* Entry per-thread ref counts */ size_t refcount_size = cc->cfg->page_capacity * CC_RC_WIDTH * sizeof(uint8); - cc->rc_bh = platform_buffer_create(refcount_size, cc->heap_handle, mid); - if (!cc->rc_bh) { + + rc = platform_buffer_init(&cc->rc_bh, refcount_size); + if (!SUCCESS(rc)) { @rtjohnso <https://github.com/rtjohnso> : Re: your comment that "*Before the buffer_handle is inited, addr may be garbage, so you cannot safely deinit based on the value of addr.*" In the two places we are talking about, both rc_allocator_init() and clockcache_init() do a ZERO_CONTENTS(al) and ZERO_CONTENTS(cc). So, certainly for the error path going through clockcache_deinit(), we should be sure that cc->bh->addrwill be NULL even beforeinit()` happened. Unless you can spot something else I am overlooking, seems like pushing the NULL-check to inside platform_buffer_deinit() should work. — Reply to this email directly, view it on GitHub <#508 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA45FRLHOW4SBR2QRAI4NGLWROQR5ANCNFSM6AAAAAATGFT2QU> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[gapisback]

@rtjohnso - I implemented much of the cleanup to rip out heap_handle * args from many places, but chasing other not-needed hh and hid will take me some time ( and a big screen ) ... Will follow-up tomorrow.

[gapisback]

This part, Rob - "What if I want one on the stack? Now I have to know that I need to zero it before I can initit? Very error prone." .... I'm not so sure, it's that error prone.

I have been trained and have gotten used to a conventional way of coding where every on-stack structure is always MEMZERO()-ed; i.e. in our code base ZERO_CONTENTS(). For precisely the reason that you want to make sure that all fields are zero'ed out before anything -- including init -- is done with the structure.

I think requiring that on-stack variables, structures are always zero'ed out before use is a stronger discipline to have / enforce.

I can implement it in the ways you are suggesting, but I think then there is more work to chase down all other places where platform_buffer_init() is called and ensure that error handling is done right.

We should probably try to talk this through to resolve the right approach to adopt.

[gapisback]

I did not bother to arrange these backout codes in reverse order of how they are done in init() method as each backout fragment is protected under an if() check.

So, although, not done in "pure backout form", this code ordering should work.

[gapisback]

I did not bracket this with a corresponding if (!NULL) check on the member field as I am relying on the bh struct being zero'ed out on declaration.

Current code always conforms to this ... Let's talk this point through ...

[gapisback]

Hi, @rtjohnso & @ajhconway -- I am in the middle of amending the code to correctly handle backout error issues, and to purge heap_handle * args, and fn-params that are no longer needed.

The error handling corrections are partially implemented; see this commit.

I paused as this needs some unit-testing and I have provided a sample of such a unit-test here. We need better errno-type error reporting back from individual sub-systems [ here, clockcache ], so the unit-test can verify that the backout was triggered at the expected error location. See, e.g., the logic implemented in new test case test_clockcache_init_fails_to_allocate_lookup_array().

I think there are few open items with this work that are best discussed in-person. Let's try to cover these items on Tue's PR meeting.

[gapisback]

Potential bugfix. buffer_size declared as uint32 could overflow, to 0, for very large extent_capacity. (Discovered this while trying to build negative test cases in newly added, incomplete, clockcache_test.c unit test.

[gapisback]

Rename existing rc which shadows the new instance added at the top of this function (in an earlier commit of this PR cycle).

[gapisback]

As suggested by Rob ... this is is better.

[gapisback]

Missing in initial code; not an issue right now ... (Not sure why ASAN-builds are not tripping up ...)

[gapisback]

Discuss with @rtjohnso -- is this acceptable to you now?

[gapisback]

This and L124 are added so that we can validate the state of resulting output bh in unit-tests.

[gapisback]

Deleting this arg caused clang-format to throw a fit.

[gapisback]

This block will be simplified with just call to one function when PR #514 checks-in to /main.

[gapisback]

From code inspection and manual testing, the length set on L90 is sufficiently big-enough to cause mmap() to fail w/ an error.

Should this approach be tightened further? (I think this is sufficient.)

[gapisback]

@rtjohnso - As per our discussion in the PR review meeting, I reworked the flow in clockcache_deinit() and adjusted the logic accordingly in platform_buffer_deinit().

This latest commit (squashing 2 prev related-commits) should address the last remaining issue.

[rtjohnso]

Thank you! That cleaned up a lot of stuff.

[gapisback]

@rtjohnso - About your very last comment, I'm only adding the extra check that in case we are unable to allocate memory to cc->pincount() via TYPED_ARRAY_ZALLOC(), that we bail, and go to error-backout target. (This is not test code; this is mainline library code.)

This was also (already) being done in /main here, further below, and also in other places in this clockcache_init() function which is allocation memory using TYPED_ARRAY_ZALLOC() or variants.

1860    cc->batch_busy =
1861       TYPED_ARRAY_ZALLOC(cc->heap_id,
1862                          cc->batch_busy,
1863                          cc->cfg->page_capacity / CC_ENTRIES_PER_BATCH);
1864    if (!cc->batch_busy) {
1865       goto alloc_error;
1866    }