vcpu lifecycle: fix race-condition in resume()-pause() cycle #7397
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
phip1611
force-pushed
the
upstream-run-vcpu-loop
branch
3 times, most recently
from
1be7611 to
dec7e69
Compare
Member
|
Thanks @phip1611 - i've seen this. I'm going to need a bit of time with a clear head to give this a proper review. Thanks for your patience. |
Member
Author
In the commit message there is a reproducer! We discovered and fixed this in a four person -two-day workshop 😁 So no worries, it is hard to debug these issues. I can tell you that since we have this patch, we've successfully ran tens of thousands of live-migrations in our test setup including vCPU auto-converging (vCPU throttling - not upstream). |
rbradford
approved these changes
Oct 9, 2025
likebreath
reviewed
Oct 9, 2025
Member
likebreath
left a comment
likebreath
left a comment
There was a problem hiding this comment.
Thanks for reporting and fixing the bug with detailed information. Overall look good to me. Some minor comments below for clarify.
phip1611
force-pushed
the
upstream-run-vcpu-loop
branch
from
dec7e69 to
bf75a81
Compare
Member
Author
|
I think we should be good to go now. |
phip1611
force-pushed
the
upstream-run-vcpu-loop
branch
from
bf75a81 to
f9965a8
Compare
rbradford
approved these changes
Oct 21, 2025
github-merge-queue
bot
removed this pull request from the merge queue due to no response for status checks
likebreath
approved these changes
Oct 21, 2025
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
The vCPU lifecycle is already complicated. Let's remove dead code (the impl is a no-op). Signed-off-by: Philipp Schuster <[email protected]> On-behalf-of: SAP [email protected]
These bindings actually refer to atomic bool shared across all vCPUs to instruct single vCPUs with their next action. As there are already enough Arc<AtomicBool>, this helps while debugging things to see that different bindings refer to the same atomic bool. In other words: This naming really confused us while debugging. Signed-off-by: Philipp Schuster <[email protected]> On-behalf-of: SAP [email protected]
Fix a race condition that happens in resume()-pause() cycles. It is odd that for pause(), the CpuManager waited via `state.paused` for the vCPU thread to ACK the state change but not for `resume()`. In the `resume()` case, oddly CpuManager "owned" the state change in `state.paused`. This commit changes this so that the vCPU ACKs its state change itself in `state.paused` when it transitions from pause->run. Further, `CpuManager::resume()` now gracefully waits for the vCPU to be resumed. More technical: This change ensures proper synchronization and prevents situations in that park() follows right after unpark(), causing deadlocks and other weird behavior due to race conditions. Calling resume() now takes slightly longer, very similar to pause(). This is, however, even for 254 vCPUs in the range of less than 10ms, and ultimately we now have correct behaviour. ## Reproducer Since [0] is merged, the underlying problem can be tested without this commit by modifying the pause() API call to run `CpuManager::pause()` and `CpuManager::resume()` in a loop a thousand times. `ch-remote --api-socket ... pause` ```patch diff --git a/vmm/src/vm.rs b/vmm/src/vm.rs index d7bba25..35557d58f 100644 --- a/vmm/src/vm.rs +++ b/vmm/src/vm.rs @@ -2687,6 +2687,10 @@ impl Pausable for Vm { MigratableError::Pause(anyhow!("Error activating pending virtio devices: {:?}", e)) })?; + for _ in 0..1000 { + self.cpu_manager.lock().unwrap().pause()?; + self.cpu_manager.lock().unwrap().resume()?; + } self.cpu_manager.lock().unwrap().pause()?; self.device_manager.lock().unwrap().pause()?; ``` ## Outlook Decades of experience in VMM development showed us that using many AtomicBools is a footgun. They are not synchronized with each other at all. On the long term, we might want to refactor things to have a single shared AtomicU64 with different bits having different meanings. [0] cloud-hypervisor#7290 Signed-off-by: Philipp Schuster <[email protected]> On-behalf-of: SAP [email protected]
phip1611
force-pushed
the
upstream-run-vcpu-loop
branch
from
f9965a8 to
bb3c012
Compare
Member
Author
|
Rebased - hopefully the flakyness in the net_hotplug test is gone now. |
phip1611
commented
Oct 22, 2025
| while vcpus_pause_signalled.load(Ordering::SeqCst) { | ||
| thread::park(); | ||
| } | ||
| vcpu_paused.store(false, Ordering::SeqCst); |
Member
Author
There was a problem hiding this comment.
btw: this is the line were the individual vCPU tells the cPU manager is has been resumed
Member
Author
|
more CI flakiness.. now the |
Merged
via the queue into
cloud-hypervisor:main
with commit Oct 22, 2025
d39b565
42 of 46 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
List of Changes
Hints for Reviewers
Please review the commits one-by-one, as they include a comprehensive description.