Increment operator cause unnecessary data races by always calling bpf_map_update_elem #3175
Comments
|
Poke @jordalgo as it looks related to improvement in PR #2795 |
|
@netoptimizer Good catch. Let me take a look. |
This will save a call to bpf_map_update_elem Issue: bpftrace#3175
…omic Fix comment about increment operator being atomic. It is both slow and contains data races as described here: - bpftrace/bpftrace#3175 Maybe this will soon get fixed via: - bpftrace/bpftrace#3179 - bpftrace#3179 Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
|
Just wanted to follow up a bit after some internal discussion. As per the docs I'm also thinking that maybe we should have a config setting for atomic/safer writes. This would include per-cpu map updating as there still can be races if a bpf prog thread is pre-empted by another (via NMI) and updates the same map. Most of the time the overhead is probably not worth accounting for this edge case but it might be worth adding as an option for some users. |
|
Dug into this a little more and AFAICT we're NOT double updating e.g. if I comment out this line, then the value doesn't get updated at all for a map increment The LLVM IR also shows that we're loading the map pointer value into a register and adding that to another pointer instead of directly updating. Maybe it's possible there some additional optimization happening where that indirect updating is being removed but I'm having trouble reproing it. Going to close this task for now but feel free to re-open if you think I missed something. That being said, I am going to look into an atomic increment for ++ instead of a |
What reproduces the bug? Provide code if possible.
The simple increment operator
@++cause unnecessary data races by always callingbpf_map_update_elem.This simple bpftrace oneliner:
sudo bpftrace -e 'kprobe:cgroup_rstat_flush_locked {@flush_calls++}'Produces the following eBPF bytecode:
Looking closely at the eBPF bytecode instructions, we observe that BPF-helper
map_update_elemis always invoked.The code in line 11 gets a pointer to the map
value(inr0) and increment the value in memory, which is great as we are basically done and could exit, but instead the code continues and callshtab_map_update_elem.I looked at the code generated for
@=count()that does the right thing and skips callingmap_update_elem.count()bpftrace --infooutput$ sudo bpftrace --info
System
OS: Linux 6.6.30-cloudflare-2024.5.4 #1 SMP PREEMPT_DYNAMIC Mon Sep 27 00:00:00 UTC 2010
Arch: x86_64
Build
version: v0.20.0-149-g742f
LLVM: 18.1.5
unsafe probe: no
bfd: yes
liblldb (DWARF support): yes
libsystemd (systemd notify support): no
Kernel helpers
probe_read: yes
probe_read_str: yes
probe_read_user: yes
probe_read_user_str: yes
probe_read_kernel: yes
probe_read_kernel_str: yes
get_current_cgroup_id: yes
send_signal: yes
override_return: yes
get_boot_ns: yes
dpath: yes
skboutput: yes
get_tai_ns: yes
get_func_ip: yes
jiffies64: yes
for_each_map_elem: yes
Kernel features
Instruction limit: 1000000
Loop support: yes
btf: yes
module btf: yes
map batch: yes
uprobe refcount (depends on Build:bcc bpf_attach_uprobe refcount): yes
Map types
hash: yes
percpu hash: yes
array: yes
percpu array: yes
stack_trace: yes
perf_event_array: yes
ringbuf: yes
Probe types
kprobe: yes
tracepoint: yes
perf_event: yes
kfunc: yes
kprobe_multi: no
uprobe_multi: yes
raw_tp_special: yes
iter: yes
The text was updated successfully, but these errors were encountered: