Re: [PATCH v9 10/17] refcount: introduce __refcount_{add|inc}_not_zero_limited
From: Paul E. McKenney
Date: Sat Jan 11 2025 - 13:30:49 EST
On Sat, Jan 11, 2025 at 12:39:00PM +0000, David Laight wrote:
> On Fri, 10 Jan 2025 20:25:57 -0800
> Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
>
> > Introduce functions to increase refcount but with a top limit above which
> > they will fail to increase (the limit is inclusive). Setting the limit to
> > INT_MAX indicates no limit.
>
> This function has never worked as expected!
> I've removed the update and added in the rest of the code.
>
> > diff --git a/include/linux/refcount.h b/include/linux/refcount.h
> > index 35f039ecb272..5072ba99f05e 100644
> > --- a/include/linux/refcount.h
> > +++ b/include/linux/refcount.h
> > @@ -137,13 +137,23 @@ static inline unsigned int refcount_read(const refcount_t *r)
> > }
> >
> > static inline __must_check __signed_wrap
> > -bool __refcount_add_not_zero(int i, refcount_t *r, int *oldp)
> > {
> > int old = refcount_read(r);
> >
> > do {
> > if (!old)
> > break;
> >
> > } while (!atomic_try_cmpxchg_relaxed(&r->refs, &old, old + i));
> >
> > if (oldp)
> > *oldp = old;
> ?
> > if (unlikely(old < 0 || old + i < 0))
> > refcount_warn_saturate(r, REFCOUNT_ADD_NOT_ZERO_OVF);
> >
> > return old;
> > }
>
> The saturate test just doesn't work as expected.
> In C signed integer overflow is undefined (probably so that cpu that saturate/trap
> signed overflow can be conformant) and gcc uses that to optimise code.
>
> So if you compile (https://www.godbolt.org/z/WYWo84Weq):
> int inc_wraps(int i)
> {
> return i < 0 || i + 1 < 0;
> }
> the second test is optimised away.
> I don't think the kernel compiles disable this optimisation.
Last I checked, my kernel compiles specified -fno-strict-overflow.
What happens if you try that in godbolt?
Thanx, Paul