MIME-Version: 1.0
References: 
 <CAPpHfdudejddHLLw=Uk_7pZ=1g2SZXfwubSgmWUhJ7fBUtR9rg@mail.gmail.com>
 <2muwyx6a5vojkg7iegknhnkcch3lfxptsxk7icwuh7szkvvu2y@vc3ukkfvnu6i>
 <CAPpHfdvucbQ9w7_eJYefUUp6w-WZUes+SRfq+GKfhukhs7kLqg@mail.gmail.com>
 <oc4iicdkwyhdf5o5vbwsl7jdlqnds37xtf27wuxvhy3abxoo6i@4ek3xp5j6niy>
In-Reply-To: <oc4iicdkwyhdf5o5vbwsl7jdlqnds37xtf27wuxvhy3abxoo6i@4ek3xp5j6niy>
From: Alexander Korotkov <aekorotkov@gmail.com>
Date: Fri, 7 Mar 2025 19:15:23 +0200
Message-ID: 
 <CAPpHfdvp=_1NRF4YFFp9Oii7mRR5V4b-C2aukbuLQjWMjynYrw@mail.gmail.com>
Subject: Re: pg_atomic_compare_exchange_*() and memory barriers
To: Andres Freund <andres@anarazel.de>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000043ac3d062fc3c55f"
Archived-At: 
 <https://www.postgresql.org/message-id/CAPpHfdvp%3D_1NRF4YFFp9Oii7mRR5V4b-C2aukbuLQjWMjynYrw%40mail.gmail.com>
Precedence: bulk

--00000000000043ac3d062fc3c55f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, Mar 7, 2025 at 7:07=E2=80=AFPM Andres Freund <andres@anarazel.de> w=
rote:
> On 2025-03-07 18:39:42 +0200, Alexander Korotkov wrote:
> > On Fri, Mar 7, 2025 at 6:02=E2=80=AFPM Andres Freund <andres@anarazel.d=
e> wrote:
> > >
> > > On 2025-03-07 17:47:08 +0200, Alexander Korotkov wrote:
> > > > While investigating a bug in the patch to get rid of
WALBufMappingLock, I
> > > > found that the surrounding pg_atomic_compare_exchange_u64() fixes
the
> > > > problem for me.
> > >
> > > That sounds more likely to be due to slowing down things enough to
make a race
> > > less likely to be hit. Or a compiler bug.
> > >
> > >
> > > > That doesn't feel right because, according to the
> > > > comments, both pg_atomic_compare_exchange_u32() and
> > > > pg_atomic_compare_exchange_u64() should provide full memory barrier
> > > > semantics.  So, I decided to investigate this further.
> > > >
> > > > In my case, the implementation of pg_atomic_compare_exchange_u64()
is based
> > > > on __atomic_compare_exchange_n().
> > > >
> > > > static inline bool
> > > > pg_atomic_compare_exchange_u64_impl(volatile pg_atomic_uint64 *ptr,
> > > >                                     uint64 *expected, uint64 newval=
)
> > > > {
> > > >     AssertPointerAlignment(expected, 8);
> > > >     return __atomic_compare_exchange_n(&ptr->value, expected,
newval, false,
> > > >                                        __ATOMIC_SEQ_CST,
__ATOMIC_SEQ_CST);
> > > > }
> > > >
> > > > According to the docs __ATOMIC_SEQ_CST enforces total ordering with
*all
> > > > other __ATOMIC_SEQ_CST operations*.  It only says about other
> > > > __ATOMIC_SEQ_CST operations; nothing is said about regular
reads/writes.
> > > > This sounds quite far from our comment, promising full barrier
semantics,
> > > > which, in my understanding, means the equivalent of
> > > > both pg_read_barrier()/pg_write_barrier(), which should barrier
*all other
> > > > read/writes*.
> > >
> > > A memory barrier in one process/thread always needs be paired with a
barrier
> > > in another process/thread. It's not enough to have a memory barrier
on one
> > > side but not the other.
> >
> > Yes, there surely should be a memory barrier on another side.  But
> > does __ATOMIC_SEQ_CST works as a barrier for the regular read/write
> > operations on the same side?
>
> Yes, if it's paired with another barrier on the other side. The regular
> read/write operations are basically protected transitively, due to
>
> a) An acquire barrier preventing non-atomic reads/writes in the same
thread
>    from appearing to have been moved to before the barrier
>
> b) A release barrier preventing non-atomic reads/writes in the same threa=
d
>    from appearing to have been moved to after the barrier
>
> c) The other thread being guaranteed a) and b) for the other threads'
>    non-atomic reads/writes depending on the type of barrier
>
> d) The atomic value itself being guaranteed to be, well, atomic

Yes, looks good to me.

> > > > This function first checks if LSE instructions are present.  If so,
> > > > instruction LSE casal is used.  If not (in my case), the loop of
> > > > ldaxr/stlxr is used instead.  The documentation says both
ldaxr/stlxr
> > > > provides one-way barriers.  Read/writes after ldaxr will be
observed after,
> > > > and read/writes before stlxr will be observed before.  So, a pair
of these
> > > > instructions provides a full memory barrier.  However, if we don't
observe
> > > > the expected value, only ldaxr gets executed.  So, an unsuccessful
> > > > pg_atomic_compare_exchange_u64() attempt will leave us with a
one-way
> > > > barrier, and that caused a bug in my case.
> > >
> > > That has to be a compiler bug.  We specify __ATOMIC_SEQ_CST for both
> > > success_memorder *and* failure_memorder.
> > >
> > > What compiler & version is this?
> >
> > I've tried and got the same results with two compilers.
> > gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
> > Ubuntu clang version 19.1.1 (1ubuntu1~24.04.2)
>
> Thinking more about it I wonder if the behaviour of not doing a release i=
n
> case the atomic fails *might* arguably actually be correct - if the
> compare-exchange fails, there's nothing that the non-atomic values could
be
> ordered against.
>
> What is the access pattern and the observed problems with it that made yo=
u
> look at the disassembly?

Check this code.

l1:     pg_atomic_write_u64(&XLogCtl->xlblocks[nextidx], NewPageEndPtr);

        /*
         * Try to advance XLogCtl->InitializedUpTo.
         *
         * If the CAS operation failed, then some of previous pages are not
         * initialized yet, and this backend gives up.
         *
         * Since initializer of next page might give up on advancing of
         * InitializedUpTo, this backend have to attempt advancing until it
         * find page "in the past" or concurrent backend succeeded at
         * advancing.  When we finish advancing XLogCtl->InitializedUpTo, w=
e
         * notify all the waiters with XLogCtl->InitializedUpToCondVar.
         */
l2:     while (pg_atomic_compare_exchange_u64(&XLogCtl->InitializedUpTo,
&NewPageBeginPtr, NewPageEndPtr))
        {
            NewPageBeginPtr =3D NewPageEndPtr;
            NewPageEndPtr =3D NewPageBeginPtr + XLOG_BLCKSZ;
            nextidx =3D XLogRecPtrToBufIdx(NewPageBeginPtr);

l3:         if (pg_atomic_read_u64(&XLogCtl->xlblocks[nextidx]) !=3D
NewPageEndPtr)
            {
                /*
                 * Page at nextidx wasn't initialized yet, so we cann't mov=
e
                 * InitializedUpto further. It will be moved by backend
which
                 * will initialize nextidx.
                 */

ConditionVariableBroadcast(&XLogCtl->InitializedUpToCondVar);
                break;
            }
        }

Consider the following execution order with process 1 (p1) and process 2
(p2).

1. p1 executes l1
2. p2 executes l2 with success
3. p1 executes l2 with failure
4. p2 execute l3, but doesn't see the results of step 1, because 3 didn't
provide enough of memory barrier

------
Regards,
Alexander Korotkov
Supabase

--00000000000043ac3d062fc3c55f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">On Fri, Mar 7, 2025 at 7:07=E2=80=AFPM Andres Freund &lt;<=
a href=3D"mailto:andres@anarazel.de">andres@anarazel.de</a>&gt; wrote:<br>&=
gt; On 2025-03-07 18:39:42 +0200, Alexander Korotkov wrote:<br>&gt; &gt; On=
 Fri, Mar 7, 2025 at 6:02=E2=80=AFPM Andres Freund &lt;<a href=3D"mailto:an=
dres@anarazel.de">andres@anarazel.de</a>&gt; wrote:<br>&gt; &gt; &gt;<br>&g=
t; &gt; &gt; On 2025-03-07 17:47:08 +0200, Alexander Korotkov wrote:<br>&gt=
; &gt; &gt; &gt; While investigating a bug in the patch to get rid of WALBu=
fMappingLock, I<br>&gt; &gt; &gt; &gt; found that the surrounding pg_atomic=
_compare_exchange_u64() fixes the<br>&gt; &gt; &gt; &gt; problem for me.<br=
>&gt; &gt; &gt;<br>&gt; &gt; &gt; That sounds more likely to be due to slow=
ing down things enough to make a race<br>&gt; &gt; &gt; less likely to be h=
it. Or a compiler bug.<br>&gt; &gt; &gt;<br>&gt; &gt; &gt;<br>&gt; &gt; &gt=
; &gt; That doesn&#39;t feel right because, according to the<br>&gt; &gt; &=
gt; &gt; comments, both pg_atomic_compare_exchange_u32() and<br>&gt; &gt; &=
gt; &gt; pg_atomic_compare_exchange_u64() should provide full memory barrie=
r<br>&gt; &gt; &gt; &gt; semantics.=C2=A0 So, I decided to investigate this=
 further.<br>&gt; &gt; &gt; &gt;<br>&gt; &gt; &gt; &gt; In my case, the imp=
lementation of pg_atomic_compare_exchange_u64() is based<br>&gt; &gt; &gt; =
&gt; on __atomic_compare_exchange_n().<br>&gt; &gt; &gt; &gt;<br>&gt; &gt; =
&gt; &gt; static inline bool<br>&gt; &gt; &gt; &gt; pg_atomic_compare_excha=
nge_u64_impl(volatile pg_atomic_uint64 *ptr,<br>&gt; &gt; &gt; &gt; =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 uint64 *expected, uint64 newv=
al)<br>&gt; &gt; &gt; &gt; {<br>&gt; &gt; &gt; &gt; =C2=A0 =C2=A0 AssertPoi=
nterAlignment(expected, 8);<br>&gt; &gt; &gt; &gt; =C2=A0 =C2=A0 return __a=
tomic_compare_exchange_n(&amp;ptr-&gt;value, expected, newval, false,<br>&g=
t; &gt; &gt; &gt; =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0__ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST);<br>&gt; &gt; &gt; &gt; }<br>=
&gt; &gt; &gt; &gt;<br>&gt; &gt; &gt; &gt; According to the docs __ATOMIC_S=
EQ_CST enforces total ordering with *all<br>&gt; &gt; &gt; &gt; other __ATO=
MIC_SEQ_CST operations*.=C2=A0 It only says about other<br>&gt; &gt; &gt; &=
gt; __ATOMIC_SEQ_CST operations; nothing is said about regular reads/writes=
.<br>&gt; &gt; &gt; &gt; This sounds quite far from our comment, promising =
full barrier semantics,<br>&gt; &gt; &gt; &gt; which, in my understanding, =
means the equivalent of<br>&gt; &gt; &gt; &gt; both pg_read_barrier()/pg_wr=
ite_barrier(), which should barrier *all other<br>&gt; &gt; &gt; &gt; read/=
writes*.<br>&gt; &gt; &gt;<br>&gt; &gt; &gt; A memory barrier in one proces=
s/thread always needs be paired with a barrier<br>&gt; &gt; &gt; in another=
 process/thread. It&#39;s not enough to have a memory barrier on one<br>&gt=
; &gt; &gt; side but not the other.<br>&gt; &gt;<br>&gt; &gt; Yes, there su=
rely should be a memory barrier on another side.=C2=A0 But<br>&gt; &gt; doe=
s __ATOMIC_SEQ_CST works as a barrier for the regular read/write<br>&gt; &g=
t; operations on the same side?<br>&gt;<br>&gt; Yes, if it&#39;s paired wit=
h another barrier on the other side. The regular<br>&gt; read/write operati=
ons are basically protected transitively, due to<br>&gt;<br>&gt; a) An acqu=
ire barrier preventing non-atomic reads/writes in the same thread<br>&gt; =
=C2=A0 =C2=A0from appearing to have been moved to before the barrier<br>&gt=
;<br>&gt; b) A release barrier preventing non-atomic reads/writes in the sa=
me thread<br>&gt; =C2=A0 =C2=A0from appearing to have been moved to after t=
he barrier<br>&gt;<br>&gt; c) The other thread being guaranteed a) and b) f=
or the other threads&#39;<br>&gt; =C2=A0 =C2=A0non-atomic reads/writes depe=
nding on the type of barrier<br>&gt;<br>&gt; d) The atomic value itself bei=
ng guaranteed to be, well, atomic<br><br>Yes, looks good to me.<br><br>&gt;=
 &gt; &gt; &gt; This function first checks if LSE instructions are present.=
=C2=A0 If so,<br>&gt; &gt; &gt; &gt; instruction LSE casal is used.=C2=A0 I=
f not (in my case), the loop of<br>&gt; &gt; &gt; &gt; ldaxr/stlxr is used =
instead.=C2=A0 The documentation says both ldaxr/stlxr<br>&gt; &gt; &gt; &g=
t; provides one-way barriers.=C2=A0 Read/writes after ldaxr will be observe=
d after,<br>&gt; &gt; &gt; &gt; and read/writes before stlxr will be observ=
ed before.=C2=A0 So, a pair of these<br>&gt; &gt; &gt; &gt; instructions pr=
ovides a full memory barrier.=C2=A0 However, if we don&#39;t observe<br>&gt=
; &gt; &gt; &gt; the expected value, only ldaxr gets executed.=C2=A0 So, an=
 unsuccessful<br>&gt; &gt; &gt; &gt; pg_atomic_compare_exchange_u64() attem=
pt will leave us with a one-way<br>&gt; &gt; &gt; &gt; barrier, and that ca=
used a bug in my case.<br>&gt; &gt; &gt;<br>&gt; &gt; &gt; That has to be a=
 compiler bug.=C2=A0 We specify __ATOMIC_SEQ_CST for both<br>&gt; &gt; &gt;=
 success_memorder *and* failure_memorder.<br>&gt; &gt; &gt;<br>&gt; &gt; &g=
t; What compiler &amp; version is this?<br>&gt; &gt;<br>&gt; &gt; I&#39;ve =
tried and got the same results with two compilers.<br>&gt; &gt; gcc (Ubuntu=
 13.3.0-6ubuntu2~24.04) 13.3.0<br>&gt; &gt; Ubuntu clang version 19.1.1 (1u=
buntu1~24.04.2)<br>&gt;<br>&gt; Thinking more about it I wonder if the beha=
viour of not doing a release in<br>&gt; case the atomic fails *might* argua=
bly actually be correct - if the<br>&gt; compare-exchange fails, there&#39;=
s nothing that the non-atomic values could be<br>&gt; ordered against.<br>&=
gt;<br>&gt; What is the access pattern and the observed problems with it th=
at made you<br>&gt; look at the disassembly?<br><br>Check this code.<br><br=
><font face=3D"monospace">l1:=C2=A0 =C2=A0 =C2=A0pg_atomic_write_u64(&amp;X=
LogCtl-&gt;xlblocks[nextidx], NewPageEndPtr);<br><br>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 /*<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0* Try to advance XLogCtl-&gt=
;InitializedUpTo.<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0*<br>=C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0* If the CAS operation failed, then some of previous pa=
ges are not<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0* initialized yet, and thi=
s backend gives up.<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0*<br>=C2=A0 =C2=A0=
 =C2=A0 =C2=A0 =C2=A0* Since initializer of next page might give up on adva=
ncing of<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0* InitializedUpTo, this backe=
nd have to attempt advancing until it<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
* find page &quot;in the past&quot; or concurrent backend succeeded at<br>=
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0* advancing.=C2=A0 When we finish advanci=
ng XLogCtl-&gt;InitializedUpTo, we<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0* n=
otify all the waiters with XLogCtl-&gt;InitializedUpToCondVar.<br>=C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0*/<br>l2:=C2=A0 =C2=A0 =C2=A0while (pg_atomic_co=
mpare_exchange_u64(&amp;XLogCtl-&gt;InitializedUpTo, &amp;NewPageBeginPtr, =
NewPageEndPtr))<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 {<br>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 NewPageBeginPtr =3D NewPageEndPtr;<br>=C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 NewPageEndPtr =3D NewPageBeginPtr + XLOG_BLCKSZ=
;<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 nextidx =3D XLogRecPtrToBufI=
dx(NewPageBeginPtr);<br><br>l3:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (pg_ato=
mic_read_u64(&amp;XLogCtl-&gt;xlblocks[nextidx]) !=3D NewPageEndPtr)<br>=C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 {<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 /*<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0* Page at nextidx wasn&#39;t initialized yet, so we can=
n&#39;t move<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0* InitializedUpto further. It will be moved by backend which<br>=C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0* will initialize ne=
xtidx.<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0*/<=
br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ConditionVariabl=
eBroadcast(&amp;XLogCtl-&gt;InitializedUpToCondVar);<br>=C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 break;<br>=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 }<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 }<br></font><br>Consider=
 the following execution order with process 1 (p1) and process 2 (p2).<div>=
<br></div><div>1. p1 executes l1</div><div>2. p2 executes l2 with success</=
div><div>3. p1 executes l2 with failure</div><div><div>4. p2 execute l3, bu=
t doesn&#39;t see the results of step 1, because 3 didn&#39;t provide enoug=
h of memory barrier<br><br>------<br>Regards,<br>Alexander Korotkov<div>Sup=
abase</div><br></div></div></div>

--00000000000043ac3d062fc3c55f--