diff options
| author | fishsoupisgood <github@madingley.org> | 2019-04-29 01:17:54 +0100 | 
|---|---|---|
| committer | fishsoupisgood <github@madingley.org> | 2019-05-27 03:43:43 +0100 | 
| commit | 3f2546b2ef55b661fd8dd69682b38992225e86f6 (patch) | |
| tree | 65ca85f13617aee1dce474596800950f266a456c /docs/aio_notify_bug.promela | |
| download | qemu-master.tar.gz qemu-master.tar.bz2 qemu-master.zip | |
Diffstat (limited to 'docs/aio_notify_bug.promela')
| -rw-r--r-- | docs/aio_notify_bug.promela | 140 | 
1 files changed, 140 insertions, 0 deletions
| diff --git a/docs/aio_notify_bug.promela b/docs/aio_notify_bug.promela new file mode 100644 index 00000000..b3bfca1c --- /dev/null +++ b/docs/aio_notify_bug.promela @@ -0,0 +1,140 @@ +/* + * This model describes a bug in aio_notify.  If ctx->notifier is + * cleared too late, a wakeup could be lost. + * + * Author: Paolo Bonzini <pbonzini@redhat.com> + * + * This file is in the public domain.  If you really want a license, + * the WTFPL will do. + * + * To verify the buggy version: + *     spin -a -DBUG docs/aio_notify_bug.promela + *     gcc -O2 pan.c + *     ./a.out -a -f + * + * To verify the fixed version: + *     spin -a docs/aio_notify_bug.promela + *     gcc -O2 pan.c + *     ./a.out -a -f + * + * Add -DCHECK_REQ to test an alternative invariant and the + * "notify_me" optimization. + */ + +int notify_me; +bool event; +bool req; +bool notifier_done; + +#ifdef CHECK_REQ +#define USE_NOTIFY_ME 1 +#else +#define USE_NOTIFY_ME 0 +#endif + +active proctype notifier() +{ +    do +        :: true -> { +            req = 1; +            if +               :: !USE_NOTIFY_ME || notify_me -> event = 1; +               :: else -> skip; +            fi +        } +        :: true -> break; +    od; +    notifier_done = 1; +} + +#ifdef BUG +#define AIO_POLL                                                    \ +    notify_me++;                                                    \ +    if                                                              \ +        :: !req -> {                                                \ +            if                                                      \ +                :: event -> skip;                                   \ +            fi;                                                     \ +        }                                                           \ +        :: else -> skip;                                            \ +    fi;                                                             \ +    notify_me--;                                                    \ +                                                                    \ +    req = 0;                                                        \ +    event = 0; +#else +#define AIO_POLL                                                    \ +    notify_me++;                                                    \ +    if                                                              \ +        :: !req -> {                                                \ +            if                                                      \ +                :: event -> skip;                                   \ +            fi;                                                     \ +        }                                                           \ +        :: else -> skip;                                            \ +    fi;                                                             \ +    notify_me--;                                                    \ +                                                                    \ +    event = 0;                                                      \ +    req = 0; +#endif + +active proctype waiter() +{ +    do +       :: true -> AIO_POLL; +    od; +} + +/* Same as waiter(), but disappears after a while.  */ +active proctype temporary_waiter() +{ +    do +       :: true -> AIO_POLL; +       :: true -> break; +    od; +} + +#ifdef CHECK_REQ +never { +    do +        :: req -> goto accept_if_req_not_eventually_false; +        :: true -> skip; +    od; + +accept_if_req_not_eventually_false: +    if +        :: req -> goto accept_if_req_not_eventually_false; +    fi; +    assert(0); +} + +#else +/* There must be infinitely many transitions of event as long + * as the notifier does not exit. + * + * If event stayed always true, the waiters would be busy looping. + * If event stayed always false, the waiters would be sleeping + * forever. + */ +never { +    do +        :: !event    -> goto accept_if_event_not_eventually_true; +        :: event     -> goto accept_if_event_not_eventually_false; +        :: true      -> skip; +    od; + +accept_if_event_not_eventually_true: +    if +        :: !event && notifier_done  -> do :: true -> skip; od; +        :: !event && !notifier_done -> goto accept_if_event_not_eventually_true; +    fi; +    assert(0); + +accept_if_event_not_eventually_false: +    if +        :: event     -> goto accept_if_event_not_eventually_false; +    fi; +    assert(0); +} +#endif | 
