CP-32622: avoid using select and instead use epoll

[snwoods]

To avoid xapi from running out of file descriptors, replace select with epoll in most cases

[robhoes]

I think that the old code can be summarised as: "Wait for any r to be ready to reading or any of the w to be ready for writing. Then read/write to the fd found ready. Start again.". In every round of the loop (every time select returns) one or more fds would be ready, and it may often be just one. So we can't assume that we can write + read in the same round.

The third argument of the function passed in here, currently ignore with _, is set to the kind of event that happened and indicates whether we can read from or write to fd.

[snwoods]

This line is giving a parse error on make test

[lindig]

An alternative style could use match:

match file_desc with
| file_desc when file_desc = Unix.stdin -> ..
| file_desc when file_desc = fd -> ..
| _otherwise ->

[lindig]

Do we want to handle one or all FDs that are ready? Up to 2 can be ready. This code handles two if they are ready but we have other places where we handle only one. It's not obvious why we have different behavior.

[edwintorok]

Is 1 correct here though, would that prevent it from even watching the other FD?

[lindig]

My understanding is that one FD would be processed per round - and any other FD that is ready would be reported again in the next round. But does this guarantee fairness?

[snwoods]

This was the only way I could think to make it work, do you have any other alternatives?

[lindig]

Remember that the timeout in Polly.wait is specified in milliseconds. Maybe I should change the Polly interface to use a labeled argument timeout_ms.

[lindig]

Note that the code below matches exactly one condition and not all fds that are ready; could this be written as

if fd = x then do something;
if fd = y then do something;
..

Maybe leave a comment why the selected behavior is the right one.

[lindig]

Do we want to handle one or all FDs that are ready? Up to 2 can be ready. This code handles two if they are ready but we have other places where we handle only one. It's not obvious why we have different behavior.

[lindig]

Again, this handles at most one FD. I think the unconditional else case is a bit dangerous and I would explicitly check than any FD is ready before acting on it. This applies to other places as well.

[lindig]

Could be expressed as

| n when n >= max_bytes -> ..
| n (* otherwise *) ->
| exception .. ->

[edwintorok]

we use this pattern quite a lot, should we have a with_polly somewhere?

[edwintorok]

Does SO_RCVTIMEO work with accept? I can't find a clear statement for or against in the manpage of 'socket(7)', it mentions read/recvmsg/send/sendmsg

[snwoods]

It looks like you're right, the only examples online of using a timeout with accept are using select

[edwintorok]

We do seem to repeat this quite often, perhaps as a future cleanup PR we could define a helper function: 'timed_read' which does the setsockopt+read+fun.protect to set it back, same for write a 'timed_write' might be useful

[robhoes]

Yes, this would avoid mistakes, such as around resetting the socket option.

[edwintorok]

Wouldn't be so sure, we could get spurious notifications from 'epoll', and we don't want to crash the application (or thread). Perhaps just log it as error for now?
Especially that you've added 2 file descriptors s_ip and s_unix, this will NOT be just s_unix, it is entirely possible that s_ip will have something available, otherwise why add it to epoll in the first place?

[snwoods]

I believe all of the comments have now been addressed.

[psafont]

While List.hd is guarded here, it's preferrable to destructure the list to obtain values from it:

Suggested change

	if fds = [] then (* We must have timed out *)
	raise Unixext.Timeout
	else (* There will only ever be a maximum of one fd *)
	List.hd fds
	match fds with
	| [] -> (* We must have timed out *)
	raise Unixext.Timeout
	| fd :: _ -> (* There will only ever be a maximum of one fd *)
	fd

[snwoods]

All comments addressed and suiterun 179915 passing.

[robhoes]

Use Thread.delay

[robhoes]

I think we'd better use finally to ensure that this timeout is reset in case of any exception (only one kind is caught above.

[edwintorok]

Every read on ic.fd seems to go through here, and each read is preceded by setting a timeout, so I don't think we even need to reset the timeout, just drop this line.

[edwintorok]

There are more reads in http.ml but they also set a socket timeout. Will need to check the other callers too.

[robhoes]

Here we'd miss resetting the socket option in case of an exception.

[edwintorok]

Testing whether 'select' is completely gone or not is tricky due to a lot of dead code in the linked binary.
I hacked up a script to find at least the actual OCaml functions that call 'Unix.select' directly:

#!/bin/sh
set -eu

EXE="$1"
ADDR="${EXE}.unix_select.address"
DISASM="${EXE}.disasm"

# Find address of 'unix_select' symbol
addr2line -pae "${EXE}" unix_select \
  | sed -e "s/^0x0*\\([0-9a-fA-F]*\\):.*/\\1/" \
  | tr -d '\n' >"${ADDR}"

# Find all calls to 'unix_select', which is done by
#  mov $0x...,%rax
#  call <caml_c_call>

# disassemble, but without sources
# (source lookup doesn't work for all dependencies, and is very slow on a large binary)
# To make debugging easier the disassembly is saved to a file instead of piping
objdump -d --no-show-raw-insn --no-addresses "${EXE}" >"${DISASM}"

SYMADDR=$(cat "${ADDR}")
# Prints a list of functions that call unix_select
# But we won't know whether it is dead code or not
gawk -f unix_select.gawk "${SYMADDR}" <"${DISASM}"

unix_select.gawk:

BEGIN { SYMADDR=ARGV[1]; ARGV[1]=""; }

/^<.*/ { SYMBOL=$1 }
match($0, /mov.*0x([0-9a-fA-F]*),%rax/, addr) { RAX=addr[1]; }
/call.*<caml_c_call>/ { if (RAX == SYMADDR) { print SYMBOL }  }

It shows these for XAPI and xenopsd:

./no-unix-select.sh _build/default/ocaml/xapi/xapi_main.exe
<camlXapi_stdext_threads__Threadext__fun_812>:
<camlXapi_stdext_unix__Unixext__kill_and_wait_inner_2120>:
<camlXapi_stdext_unix__Unixext__proxy_1371>:
<camlXapi_stdext_unix__Unixext__time_limited_write_internal_1424>:
<camlXapi_stdext_unix__Unixext__time_limited_read_1450>:
<camlThread__wait_timed_read_777>:
<camlThread__wait_timed_write_781>:
<camlUnix__fun_2441>:

And for xenopsd:

./no-unix-select.sh _build/default/ocaml/xenopsd/xc/xenops_xc_main.exe
<camlXapi_stdext_unix__Unixext__kill_and_wait_inner_2120>:
<camlXapi_stdext_unix__Unixext__proxy_1371>:
<camlXapi_stdext_unix__Unixext__time_limited_write_internal_1424>:
<camlXapi_stdext_unix__Unixext__time_limited_read_1450>:
<camlXapi_stdext_threads__Threadext__fun_812>:
<camlWatch__fun_884>:
<camlThread__wait_timed_read_777>:
<camlThread__wait_timed_write_781>:
<camlUnix__fun_2441>:

[edwintorok]

The 'select' in watch.ml can be replaced similarly as elsewhere by changing pipe->socket and using socket timeouts.

[edwintorok]

Removed some Unix.select and Thread.wait* usages in xapi-project/stdext#80.

And a few more from XAPI and xenopsd as well: https://github.com/edwintorok/xen-api/commits/private/edvint/CP-32622

We'll probably need a CA ticket and backport the watch.ml fix since it affects xenopsd which already claims to support >1024 fds.

I think these now remove all the obvious Unix.select usages, but we should implement what has been suggested here and add some CI checks in xs-opam with various methods to check that we really don't call it anymore (and then add some unit tests to all these functions that we modified to check that they still work correctly):
https://discuss.ocaml.org/t/ensuring-that-an-ocaml-binary-never-calls-unix-select/13465/7?u=edwin

[edwintorok]

I've updated the no-unix-select.sh to be recursive up to a certain depth, and it didn't find more calls.
Going to try the .cmt iterator suggested in the forums just to have another way to validate this.

[snwoods]

I'm closing this and have opened a PR against Edwin's fork so that he can still keep track of it edwintorok#4