Question about graph locking preconditions regarding qemu_in_main_thread()

[Fiona Ebner]

Hi,
I noticed that the bdrv_graph_co_rd_lock() and bdrv_graph_co_rd_unlock()
functions use qemu_in_main_thread() as a conditional to return early.
What high-level requirements ensure that qemu_in_main_thread() will
evaluate to the same value during locking and unlocking?

This paragraph assumes no iothreads are used for simplicity. One
requirement is: don't call bdrv_* functions without the BQL. Well,
snapshot-save does just that during setup, but it might be fine, because
it's done after calling vm_stop() and within a bdrv_drain_all section
(there is another issue however [0], so it still makes sense to change
snapshot-save to hold the BQL during setup).

But a variation without the vm_stop() and drained section will be able
to produce a negative reader count, see below[1][2]. The issue obviously
depends on dropping the BQL, but I'm not entirely sure it depends on the
bdrv_* call or if steps 3. and 4. in [2] could also happen in some other
scenario.

I'm not aware of any actual issues in QEMU :) But I thought, I'd better ask.

Best Regards,
Fiona

[0]: https://lists.nongnu.org/archive/html/qemu-devel/2023-04/msg05415.html

[1]: Example QMP function inspired by snapshot-save

> void qmp_unlock_write_lock(Error **errp)
> {
>     Error *local_err = NULL;
>     QDict *options = qdict_new();
>     const uint8_t *buf = malloc(1000);
> 
>     /*
>     vm_stop(RUN_STATE_SAVE_VM);
>     bdrv_drain_all_begin();
>     */
> 
>     qdict_put_str(options, "driver", "qcow2");
>     BlockBackend *bb = blk_new_open("/tmp/disk.qcow2", NULL, options, 
> BDRV_O_RDWR, &local_err);
>     if (!bb) {
>         error_set(errp, ERROR_CLASS_GENERIC_ERROR, "failed to open");
>     } else {
>         qemu_mutex_unlock_iothread();
>         bdrv_save_vmstate(blk_bs(bb), buf, 0, 1000);
>         qemu_mutex_lock_iothread();
>         blk_unref(bb);
>     }
> 
>     /*
>     bdrv_drain_all_end();
>     vm_start();
>     */
> }

[2]:

In the output below, the boolean value after the backtraces of
bdrv_graph_co_rd(un)lock is the value of qemu_in_main_thread().

AFAICT, what happened below is:
1. QMP function is executed in the main thread and drops the BQL.
2. bdrv_co_writev_vmstate_entry is called, increasing the reader count,
because qemu_in_main_thread() is false.
3. A vCPU thread issued a write, not increasing the reader count,
because qemu_in_main_thread() is true.
4. The write is finished in the main thread, decreasing the reader
count, because qemu_in_main_thread() is false.
5. bdrv_co_writev_vmstate_entry is finished in the main thread,
decreasing the reader count, because qemu_in_main_thread() is false.
6. The assertion that the reader count is non-negative fails (during
blk_unref(), bdrv_graph_wrlock() is called which triggers the assert,
not shown below).

> Thread 1 "qemu-system-x86" hit Breakpoint 3, qmp_unlock_write_lock 
> (errp=0x7fffffffd740) at ../migration/savevm.c:3410
> 3410            qemu_mutex_unlock_iothread();
> 
> Thread 1 "qemu-system-x86" hit Breakpoint 5, bdrv_graph_co_rdlock () at 
> ../block/graph-lock.c:161
> 161     {
> #0  bdrv_graph_co_rdlock () at ../block/graph-lock.c:161
> #1  0x0000555555e8e4f3 in bdrv_co_writev_vmstate_entry 
> (opaque=0x7fffffffd600) at block/block-gen.c:784
> #2  0x0000555556053c15 in coroutine_trampoline (i0=1457248608, i1=21845) at 
> ../util/coroutine-ucontext.c:177
> #3  0x00007ffff6169d40 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> #4  0x00007fffffffc950 in ?? ()
> #5  0x0000000000000000 in ?? ()
> $51 = false
> [Switching to Thread 0x7ffff0a47700 (LWP 54187)]
> 
> Thread 7 "CPU 0/KVM" hit Breakpoint 5, bdrv_graph_co_rdlock () at 
> ../block/graph-lock.c:161
> 161     {
> #0  bdrv_graph_co_rdlock () at ../block/graph-lock.c:161
> #1  0x0000555555ebf2e3 in graph_lockable_auto_lock (x=0x7fff4bfffdf3) at 
> /home/febner/repos/qemu/include/block/graph-lock.h:214
> #2  0x0000555555ec20d6 in blk_co_do_pwritev_part (blk=0x555556dac400, 
> offset=145920, bytes=512, qiov=0x7fff4bfffef0, qiov_offset=0, flags=0) at 
> ../block/block-backend.c:1367
> #3  0x0000555555ec2234 in blk_co_pwritev_part (blk=0x555556dac400, 
> offset=145920, bytes=512, qiov=0x7fff4bfffef0, qiov_offset=0, flags=0) at 
> ../block/block-backend.c:1404
> #4  0x0000555555ec2311 in blk_co_pwritev (blk=0x555556dac400, offset=145920, 
> bytes=512, qiov=0x7fff4bfffef0, flags=0) at ../block/block-backend.c:1426
> #5  0x0000555555ec22bb in blk_co_pwrite (blk=0x555556dac400, offset=145920, 
> bytes=512, buf=0x7fff5ae23a00, flags=0) at ../block/block-backend.c:1418
> #6  0x0000555555e8fc60 in blk_co_pwrite_entry (opaque=0x7ffff0a41eb0) at 
> block/block-gen.c:1624
> #7  0x0000555556053c15 in coroutine_trampoline (i0=-535577088, i1=32767) at 
> ../util/coroutine-ucontext.c:177
> #8  0x00007ffff6169d40 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> #9  0x00007ffff0a41690 in ?? ()
> #10 0x0000000000000000 in ?? ()
> $52 = true
> [Switching to Thread 0x7ffff3901280 (LWP 54113)]
> 
> Thread 1 "qemu-system-x86" hit Breakpoint 6, bdrv_graph_co_rdunlock () at 
> ../block/graph-lock.c:231
> 231         bdrv_graph = qemu_get_current_aio_context()->bdrv_graph;
> #0  bdrv_graph_co_rdunlock () at ../block/graph-lock.c:231
> #1  0x0000555555ebf2fa in graph_lockable_auto_unlock (x=0x7fff4bfffdf3) at 
> /home/febner/repos/qemu/include/block/graph-lock.h:221
> #2  0x0000555555ebf31c in glib_autoptr_clear_GraphLockable 
> (_ptr=0x7fff4bfffdf3) at 
> /home/febner/repos/qemu/include/block/graph-lock.h:224
> #3  0x0000555555ebf33a in glib_autoptr_cleanup_GraphLockable 
> (_ptr=0x7fff4bfffdf8) at 
> /home/febner/repos/qemu/include/block/graph-lock.h:224
> #4  0x0000555555ec21c6 in blk_co_do_pwritev_part (blk=0x555556dac400, 
> offset=145920, bytes=512, qiov=0x7fff4bfffef0, qiov_offset=0, flags=0) at 
> ../block/block-backend.c:1367
> #5  0x0000555555ec2234 in blk_co_pwritev_part (blk=0x555556dac400, 
> offset=145920, bytes=512, qiov=0x7fff4bfffef0, qiov_offset=0, flags=0) at 
> ../block/block-backend.c:1404
> #6  0x0000555555ec2311 in blk_co_pwritev (blk=0x555556dac400, offset=145920, 
> bytes=512, qiov=0x7fff4bfffef0, flags=0) at ../block/block-backend.c:1426
> #7  0x0000555555ec22bb in blk_co_pwrite (blk=0x555556dac400, offset=145920, 
> bytes=512, buf=0x7fff5ae23a00, flags=0) at ../block/block-backend.c:1418
> #8  0x0000555555e8fc60 in blk_co_pwrite_entry (opaque=0x7ffff0a41eb0) at 
> block/block-gen.c:1624
> #9  0x0000555556053c15 in coroutine_trampoline (i0=-535577088, i1=32767) at 
> ../util/coroutine-ucontext.c:177
> #10 0x00007ffff6169d40 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> #11 0x00007ffff0a41690 in ?? ()
> #12 0x0000000000000000 in ?? ()
> $53 = false
> 
> Thread 1 "qemu-system-x86" hit Breakpoint 6, bdrv_graph_co_rdunlock () at 
> ../block/graph-lock.c:231
> 231         bdrv_graph = qemu_get_current_aio_context()->bdrv_graph;
> #0  bdrv_graph_co_rdunlock () at ../block/graph-lock.c:231
> #1  0x0000555555e8e522 in bdrv_co_writev_vmstate_entry 
> (opaque=0x7fffffffd600) at block/block-gen.c:786
> #2  0x0000555556053c15 in coroutine_trampoline (i0=1457248608, i1=21845) at 
> ../util/coroutine-ucontext.c:177
> #3  0x00007ffff6169d40 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
> #4  0x00007fffffffc950 in ?? ()
> #5  0x0000000000000000 in ?? ()
> $54 = false
> 
> Thread 1 "qemu-system-x86" hit Breakpoint 4, qmp_unlock_write_lock 
> (errp=0x7fffffffd740) at ../migration/savevm.c:3412
> 3412            qemu_mutex_lock_iothread();
> qemu-system-x86_64: ../block/graph-lock.c:105: reader_count: Assertion 
> `(int32_t)rd >= 0' failed.