From mboxrd@z Thu Jan  1 00:00:00 1970
From: erik quanstrom <quanstro@quanstro.net>
Date: Thu, 24 Feb 2011 17:01:10 -0500
To: 9fans@9fans.net
Message-ID: <62412e4ba21aba9b056860657c24927d@ladd.quanstro.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: [9fans] sleep/wakeup bug?
Topicbox-Message-UUID: b44a5d1a-ead6-11e9-9d60-3106f5b1d025

/sys/doc/sleep.ps says that sleep/wakeup are atomic.
in concrete terms, i take this to mean that if sleep
has returned, wakeup will no longer be in its critical
section.

unfortunately, this does not seem to be the case.
the woken process can continue before the rendezvous
lock is dropped.  this means that any dynamic allocation
of structures containing rendezvous is not possible because
structure can be free'd before the rendezvous lock is
dropped by the waking process.

this was biting me on a high-end mp system with improved
lapic arbitration in the aoe driver, faulting in the pool
library.  the memory in question was an Srb.  after i zeroed
the memory before free'ing, i observed an unlock: not locked:
pc x, where x was the splx in wakeup().  this led directly to
the observation that the ready'd process could never know
when it would be safe to free the rendezvous-containing
structure.

here's my suggested correction

Proc*
wakeup(Rendez *r)
{
	Proc *p;
	int s;

	s = splhi();

	lock(r);
	p = r->p;

	if(p != nil){
		lock(&p->rlock);
		if(p->state != Wakeme || p->r != r){
			iprint("%p %p %d\n", p->r, r, p->state);
			panic("wakeup: state");
		}
		r->p = nil;
		p->r = nil;
	}
	unlock(r);
	if(p != nil){
		ready(p);
		unlock(&p->rlock);
	}
	splx(s);

	return p;
}

the handling of p->rlock looks wierd, but i haven't
investigated.

- erik