Hi Wen,
On Mon, 2026-05-18 at 01:13 +0800, Wen Yang wrote:
Yes. The ftracetest check_requires logic calls `command -v <binary>` to
satisfy `requires: <name>:program` directives. Without the script's
directory in PATH those checks evaluate to exit_unsupported and test cases
are skipped rather than run. The make path avoids this only because make
sets OUTDIR and the runner appends it to PATH internally.
So you're overriding PATH so the selftest's binaries can be found from
the test, right?
Wouldn't it be simpler to just put the absolute paths in the tests and
don't touch PATH.
If the selftests are run via makefile, it ensures the required binaries
are built and available, so there's no need to go through the `requires:
<name>:program` infrastructure (that's more about what's installed on
the system.
Or if you don't want anything hardcoded, you could pass the $OUTDIR from
the environment and use that in scripts, whatever looks cleaner.
Does it make sense to you?
-- Patch 04: pre-allocated storage pool
> Since you're using spinlocks, isn't that going to sleep on PREEMPT_RT?
User-mode uprobe handlers run with preempt_count == 0, fully preemptible on
both PREEMPT_RT and non-PREEMPT_RT. The strongest evidence is in tlob
itself: tlob_start_task() takes a mutex and calls kmem_cache_zalloc(...,
GFP_KERNEL) from the uprobe entry handler; both are illegal in atomic
context and would trigger lockdep splats immediately.
On PREEMPT_RT, spinlock_t becoming a sleeping lock in the uprobe handler
iscfine: both call sites (da_create_or_get_pool() from the handler and
da_pool_return_cb() from the rcuc kthread) are in sleepable task context.
Yeah exactly, the uprobe is fine with anything (even the automatic
`kmalloc_nolock`), but sure preallocation at least guarantees the slots
are there.
> We can have a macro DA_MON_ALLOCATION_STRATEGY = {DA_ALLOC_AUTO,
> DA_ALLOC_POOL, DA_ALLOC_MANUAL} where DA_MON_POOL also requires
> DA_MON_POOL_SIZE to be defined (force that with an #error).
>
> Anyway, this way you probably wouldn't need to define a different init
> function and let everything handled more transparently.
>
> Also you don't need to call da_create_or_get() explicitly,
> da_handle_start_event() should do it for you.
Agreed on all counts. We plan to implement this in v3 as follows.
The three strategies would be a compile-time selection in da_monitor.h:
DA_ALLOC_AUTO (default) - lock-free kmalloc_nolock on the hot path;
unbounded capacity.
DA_ALLOC_POOL - pre-allocated fixed-size pool;
DA_MON_POOL_SIZE
required, enforced with #error if missing.
DA_ALLOC_MANUAL - caller pre-inserts storage via
da_create_empty_storage() before the first
da_handle_start_event(); the framework only
links the target field.
da_monitor_init_prealloc() would be removed; da_monitor_init() would
select pool or kmalloc initialisation internally based on the strategy.
da_handle_start_event() and da_handle_start_run_event() would both call
da_prepare_storage() at compile time:
DA_ALLOC_AUTO -> da_create_storage() (kmalloc_nolock)
DA_ALLOC_POOL -> da_create_or_get_pool()
DA_ALLOC_MANUAL -> da_fill_empty_storage() (link target into pre-
allocated slot; no allocation on the hot path)
No explicit da_create_or_get() call would be needed in any monitor.
da_create_or_get_kmalloc() would be removed: as you noted, a caller that
uses kmalloc_nolock does so because locking is forbidden; a GFP_KERNEL
fallback is equally forbidden if the lockless attempt fails, so the
function has no viable use case.
tlob would define:
#define DA_MON_ALLOCATION_STRATEGY DA_ALLOC_POOL
#define DA_MON_POOL_SIZE TLOB_MAX_MONITORED
nomiss would define:
#define DA_MON_ALLOCATION_STRATEGY DA_ALLOC_MANUAL
and call da_create_empty_storage() from handle_sys_enter() (the
sched_setscheduler syscall path), which runs in safe task context;
da_fill_empty_storage() would then link the sched_dl_entity target on
the first da_handle_start_run_event() call in handle_sched_switch().
Yeah good point, there's no need to make it a special path even if we
have the target ready, da_handle_start_run_event() can do it just fine.
-- Patch 05: generic uprobe infrastructure
Carried unchanged into v3 (as part of the 08-b split described below).
-- Patch 06: rvgen __init arrow reset
Thanks, carried unchanged into v3.
Well, if you don't need reset() on the __init arrow we can drop this,
right? Also it doesn't seem fully wired with the rest and requires a
separate event to do handle_monitor_start(), which can be only just
another handler for tlob, nothing general.
> Why don't you make it a separate event (e.g. "start_tlob") [...] then
> you also wouldn't need to call reset() and start_timer() manually.
Good suggestion. We plan to use a dedicated start_tlob event instead,
with a self-loop in tlob.dot:
"running" -> "running" [ label = "start;reset(clk_elapsed)" ]
da_handle_start_run_event(task->pid, ws, start_tlob) would put the
monitor into running and deliver start_tlob, which resets clk_elapsed
and arms the budget hrtimer via the generated ha_setup_invariants() —
no manual reset() or start_timer() calls needed.
One guard would be added in tlob's ha_setup_invariants() to make the
self-loop work correctly:
if (next_state == curr_state && event != start_tlob)
return;
Without this, the start_tlob self-loop would be treated the same as any
repeated switch_in (already running) and ha_setup_invariants() would
return early, leaving the timer unarmed. Does this look right to you?
If you just add a separate event rvgen should take care of everything,
you should be able to take ha_verify_constraint() and friends as-is from
the generated code.
But yeah, that's what it would end up doing.
-- Patch 08: tlob monitor
--- Patch structure ---
> Could you have everything that isn't strictly tlob-related in another
> patch.
Agreed. With the ioctl interface deferred (see below), v3 would keep
patch 08 as the tlob monitor only:
05-b: rv: extend uprobe API with three-phase detach helpers
(rv_uprobe.c, rv_uprobe.h, rv_uprobe_detach refactoring)
— extension of patch 05, independent of tlob
08: rv/tlob: add the tlob monitor itself
(tlob.c, tlob.h, tlob_trace.h, Kconfig/Makefile, Documentation,
rv_trace.h include; ha_monitor.h EVENT_NONE_LBL override
bundled here as it is only needed by tlob)
The chardev infrastructure (rv_chardev.c, rv.h additions) and the UAPI
header (include/uapi/linux/rv.h) would move to a follow-up series
together with the ioctl self-instrumentation feature.
--- ioctl interface design ---
> I'm not particularly fond of ioctls, they aren't that flexible and in
> this way I don't really see an added value.
> [...] cannot the same thing be achieved using uprobes alone, e.g. by
> registering a function address or the current instruction pointer?
> [...] wouldn't a sysfs/tracefs file achieve a similar purpose without
> much of the boilerplate code?
Fair point. We plan to ship v3 with the tracefs/uprobe interface only
and defer the ioctl (/dev/rv chardev) to a follow-up series once there
is a concrete in-tree user that requires it.
The unique value of the ioctl is that TLOB_IOCTL_TRACE_STOP returns a
synchronous per-call result (-EOVERFLOW or 0) to the calling thread,
which neither uprobes nor tracefs writes can provide. We want to keep
that option open for later, but agree it should not block the initial
tlob submission.
Does this approach work for you?
What is your preference?
Yeah looks good to me.
Ioctls are cumbersome to set up also for the user, perhaps another sysfs
file in the monitor directory would keep the control entirely in tlob.c
and give you roughly the same value with easier setup.
Heck we might even think of an RV reactor that does that: e.g. creates a
file where reads sleep until the first reaction (-EOVERFLOW) and returns
0 in other scenarios. I'm gonna have a thought on that, but anyway I
don't see why a sysfs file cannot do this.
Let's defer it for now.
--- Handler simplification ---
> Perhaps keep the handler simpler by moving this reporting to a helper
> function and use guard(rcu)() there.
Done. The accumulation logic is extracted into three inline helpers, each
using scoped_guard(rcu) and returning bool (true if the task is monitored):
tlob_acc_running(prev) - accumulate running_ns on sched-out
tlob_acc_waiting(next) - accumulate waiting_ns on sched-in
tlob_acc_sleeping(task) - accumulate sleeping_ns on wakeup
handle_sched_switch() and handle_sched_wakeup() become one-liners:
static void handle_sched_switch(...)
{
bool prev_preempted = (prev_state == 0);
if (tlob_acc_running(prev))
da_handle_event(prev->pid, NULL,
prev_preempted ? preempt_tlob : sleep_tlob);
if (tlob_acc_waiting(next))
da_handle_event(next->pid, NULL, switch_in_tlob);
}
Yeah sounds good.
> You probably don't need these. da_handle_event should skip tasks without
> a monitor.
Agreed; the do_prev/do_next flags are gone. The helpers return false
for unmonitored tasks, and da_handle_event() skips them too — both paths
are no-ops for tasks with no pool entry.
--- scoped_guard(rcu) ---
> That should be a scoped_guard(rcu), definitely use guards if you have
> return paths, the compiler is going to clean up (unlock) for you.
Applied to all RCU-protected sections in tlob_start_task() and
tlob_stop_task(). tlob_start_task() now uses guard(mutex) for the
serialised duplicate-check (replacing the explicit mutex_lock/unlock),
and tlob_stop_task() uses scoped_guard(rcu) for the atomic CAS section:
scoped_guard(rcu) {
ws = da_get_target_by_id(task->pid);
if (!ws)
return -ESRCH;
...
if (atomic_cmpxchg_release(&ws->stopping, 0, 1) != 0)
return -EAGAIN;
}
Perfect.
--- tlob_stop_all removal ---
> All this function does should be done by da_monitor_destroy. We could
> add a way to pass some additional deallocation for all the other cleanup
> you're doing on each storage. Something like a da_extra_cleanup() you
> can define as whatever you need and gets called in all per-obj
> destruction paths.
Agreed. tlob_stop_all() (~50 lines) has been removed entirely.
A da_extra_cleanup() hook macro is introduced in da_monitor.h: the default
is a no-op; a monitor may override it before including the header. tlob
defines:
static inline void tlob_extra_cleanup(struct da_monitor *da_mon)
{
struct ha_monitor *ha_mon = to_ha_monitor(da_mon);
struct tlob_task_state *ws = da_get_target(ha_mon);
if (!ws)
return;
if (atomic_cmpxchg_release(&ws->stopping, 0, 1) != 0)
return;
ha_cancel_timer_sync(ha_mon);
After my patch making timer callbacks RCU read-side critical section,
you won't need that, just let the usual reset asynchronously stop the
timer and put everything that needs it stopped in your RCU callback.
Of course make sure the timer was stopped before this extra cleanup, so
put the macro accordingly.
I don't think da_extra_cleanup in general should be expected to sleep
and call_rcu should do the heavy lifting (it may run from any tracepoint).
Anyway we can see it later after that's merged.
atomic_dec(&tlob_num_monitored);
put_task_struct(ws->task);
call_rcu(&ws->rcu, tlob_free_rcu);
}
#define da_extra_cleanup tlob_extra_cleanup
da_monitor_destroy() iterates remaining entries via da_extra_cleanup +
hash_del_rcu + call_rcu, then waits for all callbacks via rcu_barrier().
tlob's disable path is now simply:
static void __tlob_destroy_monitor(void)
{
da_monitor_destroy();
}
Looks good, let's see the full picture.
--- EVENT_NONE_LBL ---
> Why don't you just override EVENT_NONE_LBL (and if you prefer call it
> MONITOR_TIMER_EVENT_NAME) without the need for another function?
Done. model_get_timer_event_name() has been removed from automata.h.
In ha_monitor.h, EVENT_NONE_LBL is now overridable:
#ifndef EVENT_NONE_LBL
#define EVENT_NONE_LBL "none"
#endif
tlob.c defines it before including the model header:
#define EVENT_NONE_LBL "budget_exceeded"
The two call sites in ha_monitor.h that previously called
model_get_timer_event_name() now use EVENT_NONE_LBL directly.
--- KUnit config / tristate ---
> Do you need to add this here? Since you have a patch adding KUnit tests
> to tlob, cannot you put everything kunit-related there?
> I couldn't build it as module.
Agreed on moving the Kconfig entry to patch 09.
The module build issue is fixed by exporting the symbols needed by the
test via EXPORT_SYMBOL_IF_KUNIT (EXPORTED_FOR_KUNIT_TESTING namespace);
tlob_kunit.c imports the namespace with MODULE_IMPORT_NS. We plan to
keep tristate rather than changing to bool. Does that work for you?
Yeah it's good as long as it works as module too.
I might have a look at making my patch module-ready, for now it just
can't work but I wonder if we can do something nicer to allow it
(like in your case a bunch of exports, a separate file and a standalone
testcase, perhaps all wrapped in some helper).
--- detail_env_tlob tracepoint ---
> Since you are not documenting the detail_env_tlob tracepoint, is it
> something really required? I would at the very least document its usage.
Fair point. detail_env_tlob emits (running_ns, waiting_ns, sleeping_ns)
so the user can see which phase consumed the budget: high sleeping_ns
indicates I/O latency, high waiting_ns indicates scheduler pressure, high
running_ns indicates a compute overrun. Without this breakdown the user
only knows the total elapsed time exceeded the threshold, not why.
Alright, then this can go into the docs.
--- Documentation ---
> This is standard tracepoints usage, there's nothing about tlob we should
> document here.
> Same here, standard RV [for enable/desc tracefs files].
> And this is duplicating what mentioned above about uprobes, isn't it?
Agreed. The following have been removed:
- "Violation events" section: generic trace-cmd examples and cat-trace
instructions (standard tracepoints usage).
- tracefs files: "enable (rw)" and "desc (ro)" entries (standard RV).
- tracefs files: "monitor (rw)" description condensed to one line with
a cross-reference to the uprobes section above.
In their place, a new "Violation tracepoints" subsection documents both
tlob-specific tracepoints with fields and a worked example:
error_env_tlob: id, state, event ("budget_exceeded"), env ("clk_elapsed")
detail_env_tlob: id, threshold_us, running_ns, waiting_ns, sleeping_ns
Use sleeping_ns to diagnose I/O latency, waiting_ns for scheduler
pressure, running_ns for compute overruns.
Example:
trace-cmd record -e error_env_tlob -e detail_env_tlob &
# ... run workload ...
trace-cmd report
Yeah sounds good, also pointing out to enable the monitor.
We might think of a general way to do this kind of thing in
tools/rv, although detail_env_tlob is non-standard.
> Is kernel code going to use this API? RV monitors are meant to be
> enabled by userspace. What's the use-case here?
Agreed. The uprobe interface is driven from userspace; tlob_start_task()
and tlob_stop_task() are the internal implementation functions it calls,
not a public API for external kernel modules. The hypothetical
kernel-module use case would be removed from the documentation; the
kernel-doc block is retained for code maintainers.
> That's probably a bit too detailed for this page. If you really want
> this information somewhere couldn't it stay in the code?
Agreed; moved to comments in handle_sched_switch() and
handle_sched_wakeup(). The "Limitations" subsection is retained.
-- Patch 09: KUnit tests
> What caught my eyes are tests enrolling tracepoints handlers. If you
> go there you're no longer doing unit testing, what's the advantage of
> testing the entire monitor here over doing that in selftests?
Agreed. The three suites that register tracepoint handlers or create
kthreads (tlob_sched_integration, tlob_trace_output, tlob_violation_react)
have been removed from KUnit and will be added to selftests in v3.
Two pure unit test suites remain in KUnit:
tlob_task_api:
Tests tlob_start_task / tlob_stop_task return values (-ENODEV,
-EALREADY, -ESRCH, -EOVERFLOW, -ENOSPC, -ERANGE) via direct calls
(these functions are the internal implementation used by both the
uprobe and, in future, the ioctl interface).
No tracepoints, no scheduling.
tlob_uprobe_format:
Tests the uprobe line parser (tlob_parse_uprobe_line,
tlob_parse_remove_line) against valid and invalid input strings.
Pure string parsing; no scheduling, no tracepoints.
This also resolves the tristate-vs-bool issue: with only pure unit tests
there is no dependency on sched_setscheduler_nocheck, so bool is correct.
Yeah looks good.
-- Patch 10: selftests
--- PREEMPT_RT RCU stall ---
> I run it on a VM and have it hanging at step 9 [...] rcu_preempt stall.
> Did you see that? Am I doing something wrong?
Thanks for reporting. The patch changed ha_monitor.h from
HRTIMER_MODE_REL_HARD (the existing upstream value) to REL_SOFT; the
stall appeared on PREEMPT_RT after that change. We have not fully
confirmed whether REL_SOFT is the root cause — REL_SOFT defers the
callback to the ktimers kthread, which could starve rcu_preempt under
certain PREEMPT_RT configurations, but other factors may be involved.
We plan to revert to HRTIMER_MODE_REL_HARD at both sites in ha_monitor.h
as the conservative choice:
ha_setup_timer(): HRTIMER_MODE_REL_SOFT -> HRTIMER_MODE_REL_HARD
ha_start_timer_ns(): HRTIMER_MODE_REL_SOFT -> HRTIMER_MODE_REL_HARD
Do you have more insight into the stall, or does REL_HARD resolve it on
your setup?
Right, good point, any specific reason why you wanted REL_SOFT?
I indeed always test under PREEMPT_RT but I still see the same splat
also after reverting REL_HARD..
Could you reproduce it on your setup?
My config is nothing special: what vng gives you adding
PREEMPT_RT/RCU_PREEMPT and lockdep (PROVE_LOCKING/PROVE_RCU).
