Comment 1 for bug 838026

Andy Whitcroft (apw) wrote :

From the raw crash dump here is the lock/set_next_request/unlock sequence. Note that
this has had its locking primitives rewritten as direct calls where inline (for the unlock):

ffffffffa0020df0: 00 e9 ed fe ff ff 66 2e 0f 1f 84 00 00 00 00 00 ......f.........
ffffffffa0020e00: 48 c7 c7 f8 5e 02 a0
    6e00: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
                                        e8 74 c3 5d e1
    6e07: e8 00 00 00 00 callq 6e0c <redo_fd_request+0x17c>
FFFFFFFFA0020E0C + FFFFFFFFE15DC374 => FFFFFFFF815FD180
ffffffff815fd180 (T) _raw_spin_lock_irq
                                                       e8 cf a7 ff H...^...t.].....
ffffffffa0020e10: ff
    6e0c: e8 cf a7 ff ff callq 15e0 <set_next_request>
ffffffffa0020e10: 4c 89 e7
    6e11: 4c 89 e7 mov %r12,%rdi
ffffffffa0020e10: 89 c3
    6e14: 89 c3 mov %eax,%ebx
ffffffffa0020e10: e8 25 83 fe e0
                                                    66 90 fb 66 66 .L.....%...f..ff
    6e16: ff 14 25 00 00 00 00 callq *0x0
NOTE: this has been rewritten as a callq
FFFFFFFFA0020E1B + FFFFFFFFE0FE8325 => FFFFFFFF81009140
ffffffff81009140 (t) xen_spin_unlock
ffffffffa0020e20: 90 66 66 90 85 db 0f 84 1c 01 00 00 48 8b 05 bd .ff.........H...

Looking at the out-of-line lock this has been written as the ticket version:

12:37:31 smb | 0xffffffff815fd180 <_raw_spin_lock_irq+0>: push %rbp
12:37:31 smb | 0xffffffff815fd181 <_raw_spin_lock_irq+1>: mov %rsp,%rbp
12:37:31 smb | 0xffffffff815fd184 <_raw_spin_lock_irq+4>: xchg %ax,%ax
12:37:31 smb | 0xffffffff815fd189 <_raw_spin_lock_irq+9>: cli
12:37:32 smb | 0xffffffff815fd18a <_raw_spin_lock_irq+10>: xchg %ax,%ax
12:37:34 smb | 0xffffffff815fd18d <_raw_spin_lock_irq+13>: xchg %ax,%ax
12:37:36 smb | 0xffffffff815fd190 <_raw_spin_lock_irq+16>: callq 0xffffffff81033900 <__ticket_spin_lock>
12:37:40 smb | 0xffffffff815fd195 <_raw_spin_lock_irq+21>: xchg %ax,%ax
12:37:42 smb | 0xffffffff815fd197 <_raw_spin_lock_irq+23>: pop %rbp
12:37:44 smb | 0xffffffff815fd198 <_raw_spin_lock_irq+24>: retq

Proving smb's conjecture, we are locking with ticket and unlocking with xen paravirt locks. As the lock and unlock are not the same form, explosions are inevitable.
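Added illustration, not from the bug thread or the kernel source: a small C model of the two lock forms named above, a ticket lock (head/tail bytes in one 16-bit word, as __ticket_spin_lock uses) and a Xen byte-lock-style unlock that simply stores 0 into the first byte of the lock, showing why a lock taken by the ticket path is not released by the other path. The layouts and the unlock behaviour are modelled assumptions, and spinning is bounded so the failure is reported instead of hanging.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled ticket spinlock layout (assumption, not kernel code): a 16-bit
 * word whose low byte is "head" (ticket now being served) and whose high
 * byte is "tail" (next ticket to hand out). Locked when head != tail. */
typedef union {
    uint16_t slock;
    struct { uint8_t head, tail; } t;
} ticket_lock_t;

/* Ticket lock: take a ticket (like xaddw $0x100) and spin until served.
 * Bounded here so a mismatched unlock shows up as a failure, not a hang. */
static bool ticket_lock_bounded(ticket_lock_t *l, unsigned spins) {
    uint8_t mine = l->t.tail++;         /* old tail is my ticket */
    while (l->t.head != mine) {
        if (spins-- == 0) return false; /* the kernel would spin forever */
    }
    return true;
}

/* Matching ticket unlock: advance head so the next ticket is served. */
static void ticket_unlock(ticket_lock_t *l) { l->t.head++; }

/* Modelled byte-lock unlock (assumption): the first byte of the lock is a
 * held flag and unlocking stores 0 to it. Aimed at a ticket lock, this
 * overwrites "head" instead of incrementing it. */
static void bytelock_unlock(void *lock) { *(uint8_t *)lock = 0; }

static bool ticket_is_locked(const ticket_lock_t *l) {
    return l->t.head != l->t.tail;
}

/* The sequence seen in the dump: ticket lock, byte-lock-style unlock.
 * Returns true if the lock is still held afterwards. */
static bool mismatched_unlock_leaves_lock_held(void) {
    ticket_lock_t l = { .slock = 0 };
    ticket_lock_bounded(&l, 1);   /* head 0, tail 1: held */
    bytelock_unlock(&l);          /* head := 0, which it already was */
    return ticket_is_locked(&l);  /* head 0 != tail 1: still held */
}

/* Same sequence with matching primitives: the lock is released. */
static bool matched_unlock_releases_lock(void) {
    ticket_lock_t l = { .slock = 0 };
    ticket_lock_bounded(&l, 1);
    ticket_unlock(&l);            /* head 1 == tail 1: free */
    return !ticket_is_locked(&l);
}

/* The next ticket-lock caller after the mismatch never gets served. */
static bool next_acquire_after_mismatch(void) {
    ticket_lock_t l = { .slock = 0 };
    ticket_lock_bounded(&l, 1);
    bytelock_unlock(&l);
    return ticket_lock_bounded(&l, 1000); /* false: head stuck at 0 */
}
```

Compiled on its own, the three functions report that the mismatched pair leaves the lock held and starves the next caller, while the matched pair releases it.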