Change in libosmocore[master]: fsm: support graceful osmo_fsm_inst_term() cascades
gerrit-no-reply at lists.osmocom.org
Sun Mar 24 18:21:22 UTC 2019
Hello Jenkins Builder,
I'd like you to reexamine a change. Please visit
to look at the new patch set (#4).
Change subject: fsm: support graceful osmo_fsm_inst_term() cascades
fsm: support graceful osmo_fsm_inst_term() cascades
Detect osmo_fsm_inst_term() occuring within osmo_fsm_inst_term():
- prevent the same FSM instance from entering term twice, and
- collect deallocations until the outermost osmo_fsm_inst_term() is done.
- call osmo_fsm_inst_free() *after* dispatching the parent event.
If a struct osmo_fsm_inst enters osmo_fsm_inst_term() while another is already
within osmo_fsm_inst_term(), do not directly deallocate it, but talloc-reparent
it to the struct osmo_fsm_inst that first started terminating.
The effect is that all osmo_fsm_inst freed within an osmo_fsm_inst_term()
cascade will stay allocated until all osmo_fsm_inst_term() are complete and all
of them will be deallocated at the same time.
To prevent re-entering osmo_fsm_inst_term() twice for the same osmo_fsm_inst,
add flag osmo_fsm_inst.proc.terminating. osmo_fsm_inst_term() sets this to
true, or exits if it already is true.
This is showcased by fsm_dealloc_test.c.
Enhance fsm_dealloc_test.c to show that now all of the modeled situations solve
Make fsm_dealloc_test a normal regression test in testsuite.at.
Note: at least osmo-msc's msc_vlr_tests' expected output needs to be adjusted
after merging this, because of logging changes for FSM deallocations.
Note: This patch's mechanism is not thread safe. It might be made thread safe
if the new global variable osmo_fsm_inst_terminating_root were handled
per-thread instead of once globally.
It is difficult to gracefully handle deallocations of groups of FSM instances
that reference each other. As soon as one child dispatching a cleanup event
causes its parent to deallocate before fsm.c was ready for it, deallocation
will hit a use-after-free. Before this patch, by using parent_term events and
distinct "terminating" FSM states, parent/child FSMs can be taught to wait for
all children to deallocate before deallocating the parent. But as soon as a
non-child / non-parent FSM instance is involved, or actually any other
cleanup() action that triggers parent FSMs or parent talloc contexts to become
unused, it is near impossible to think of all possible deallocation events
ricocheting, and to avoid running into freeing FSM instances that were still in
the middle of osmo_fsm_inst_term(), or FSM instances to enter
osmo_fsm_inst_term() more than once. This patch makes deallocation of "all
possible" setups of complex cross referencing FSM instances easy to handle
correctly, without running into use-after-free or double free situations, and,
notably, without changing calling code.
Logging of FSM deallocation changes, but only in cases where
osmo_fsm_inst_term() triggers other osmo_fsm_inst_term().
6 files changed, 3,624 insertions(+), 93 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/92/13392/4
To view, visit https://gerrit.osmocom.org/13392
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder (1000002)
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the gerrit-log