Re: [lttng-dev] lttng enable-channel option for blocking

2012-05-02 Thread Woegerer, Paul 

On 04/30/2012 04:20 PM, Mathieu Desnoyers wrote:

* Woegerer, Paul (paul_woege...@mentor.com) wrote:

On 04/27/2012 02:43 PM, Mathieu Desnoyers wrote:

* Woegerer, Paul (paul_woege...@mentor.com) wrote:

On 04/27/2012 01:33 PM, Mathieu Desnoyers wrote:

A core difference between ulimit and user-space tracing is that ulimit
can only be set within the environment (and access right) of the user
running the application. System-wide tracing sessions can be initiated
by users member of the tracing group -- giving them the ability to
potentially DoS an application does not appear to me to be a good
security practice. Thoughts ?

Hmm, how would that look in practice ? Lets assume there is the web
server which was started by an init-script in runlevel 3. How does a
user that belongs to group tracing hava a chance to DoS the already
running running web server. As far as I understand the trace session
concept every tracing user can only see (and affect) the tracing session
that he initiated. Even if the web server itself runs in a tracing
session (of user wwwrun) other tracing users wouldn't see it when they
do a lttng list, right ?

Let me clarify the concept of tracing session in lttng 2.0.

We support launching per-user sessiond, which only interact with the
user's applications. That's all fine with security.

Now, we also support a root system-wide sessiond, which allows kernel
and user-space tracing. The tracing group has every right to create a
tracing session and trace the kernel and _all_ applications that were
already or will be running on the system.

Ah, I see. I was not aware of the ... and _all_ applications that were
already or will be running on the system aspect of the concept. In that
case I would rather invert the semantic in the API and instead of having
a tracepoint() function that potentially blocks I would declare
tracepoint() to never ever block and additionally provide tracepointb()
that does potentially block.

So keeping this in mind, one way to allow this kind of blocking mode
might be to add a special option to the lttng-sessiond, e.g. a
--developer mode, which could enable this feature, and possibly other
features that are not safe to deploy on production machines.


Sounds good. Our need for blocking channels is only during development 
phase.


In case of blocking it would be useful to emit a meta-event to indicate 
that blocking happened. This allows to (optionally) factor out blocking 
periods from event data visualizations.


Thanks,
Paul

PS: A more general question: In the light of the upcoming event 
streaming support for LTTng, is it intended to use lttng for regular 
event based real-time communication (non-tracing/debugging related) as 
well. From that perspective, support for blocking (reliably emitted 
events) would become mandatory (there might be events of kind 
cooling_system_deactivated, containment_leakage_detected, ...).




Thoughts ?

Thanks,

Mathieu




--
Paul Woegerer | SW Development Engineer
Mentor Embedded(tm) | Prinz Eugen Straße 72/2/4, Vienna, 1040 Austria
P 43.1.535991320
Nucleus® | Linux® | Android(tm) | Services | UI | Multi-OS

Android is a trademark of Google Inc. Use of this trademark is subject to 
Google Permissions.
Linux is the registered trademark of Linus Torvalds in the U.S. and other 
countries.


___
lttng-dev mailing list
lttng-dev@lists.lttng.org
http://lists.lttng.org/cgi-bin/mailman/listinfo/lttng-dev

Re: [lttng-dev] [rp] [RFC] Readiness for URCU release with RCU lock-free hash table

2012-05-02 Thread Paul E. McKenney 
On Wed, May 02, 2012 at 12:16:39AM -0400, Mathieu Desnoyers wrote:
 * Paul E. McKenney (paul...@linux.vnet.ibm.com) wrote:
  On Tue, May 01, 2012 at 05:02:06PM -0400, Mathieu Desnoyers wrote:
   * Paul E. McKenney (paul...@linux.vnet.ibm.com) wrote:
On Tue, May 01, 2012 at 01:41:36PM -0400, Mathieu Desnoyers wrote:
 * Paul E. McKenney (paul...@linux.vnet.ibm.com) wrote:
  On Tue, May 01, 2012 at 11:21:44AM -0400, Mathieu Desnoyers wrote:
   * Mathieu Desnoyers (mathieu.desnoy...@efficios.com) wrote:
* Paul E. McKenney (paul...@linux.vnet.ibm.com) wrote:
 On Tue, May 01, 2012 at 10:16:09AM -0400, Mathieu Desnoyers 
 wrote:
  Hi!
  
  After 1 year of development, with the last 6-7 months spent 
  polishing
  the API and testing the implementation, I think it is 
  getting about time
  to release the RCU lock-free hash table in a new Userspace 
  RCU version
  (0.7).
  
  I recently described the guarantees provided by the hash 
  table in more
  detail, and created tests for the uniqueness guarantee for 
  traversals
  performed concurrently with add_unique and add_replace 
  operations. I
  also added test modes that create long hash chains, to test 
  corner-cases
  of the hash table.
  
  One small thing I wonder is whether we should document that 
  the hash
  table update operations imply full memory barriers ?
 
 The Linux kernel's rule seems good here -- if a hash-table 
 operation is
 atomic and returns a value, it should imply a full barrier.  
 So:
 
 cds_lfht_new(): No point in claiming barriers -- publishing 
 the
   pointer to the hash table is where the barriers are 
 important.
 
 cds_lfht_destroy(): Ditto.
 
 cds_lfht_lookup(): Not an update (let alone an atomic 
 update), no barriers.
 
 cds_lfht_next_duplicate(): Ditto.
 
 cds_lfht_first(): Ditto.
 
 cds_lfht_next(): Ditto.
 
 cds_lfht_add(): Atomic update, but no return value, so no 
 barrier
   implied.

Yep, makes sense. We use cmpxchg internally to perform the 
update, but
it could make sense to eventually use a cmpxchg that has no 
memory
barriers to perform this update. So I agree on not providing a 
memory
barrier guarantee on the add operation, since it does not 
return any
value.

 
 cds_lfht_add_unique(): Atomic update that returns a value, so 
 should
   imply a full memory barrier.

add_unique is a bit special:

- if it returns the node received as parameter, it means the add
  succeeded, which imply an update, and thus a memory barrier.
   
   Hrm, thinking further: if we make the add operation not act as a
   full memory barrier, then the add_unique success should not act 
   as a
   full mb neither.
  
  Think of it as being similar to the Linux kernel's atomic_inc() and
  atomic_add_return() primitives.  The latter guarantees memory 
  barriers
  and the former does not.
 
 I think add/add_unique vs atomic_inc/atomic_add_return are 
 fundamentally
 different.
 
 atomic_inc:
  - input: increment
  - output: none
  - effect: increment target address value
 
 atomic_add_return:
  - input: increment
  - output: incremented value
  - effect: increment target address value, atomically reading the
resulting value.
 
 hash table add:
  - input: new node to add
  - output: none
  - effect: atomically add the new node into the table
 
 hash table add_unique (success):
  - input: new node to add
  - output: (we just return whether the operation has succeeded)
  - effect: atomically add the new node into the table
 
 hash table add_unique (failure):
  - input: new node to try adding
  - output: (we just return whether the operation has succeeded)
  - effect: simple lookup (read)
 
 So as we see, the add_unique failure only performs a read. Adding a
 memory barrier before this read would require us to add a memory 
 barrier
 also on the success path, which would degrade performance. The success
 path does: lookup failure, cmpxchg to add the node, retry if changed.
 Adding a memory barrier before the lookup would add an extra memory
 barrier in addition to the one located in the cmpxchg, and I don't 
 think
 we want that overhead.

Perhaps a better analogy is cmpxchg() in the Linux kernel.  Some
architectures place the memory barrier before