rados: Make "operation" code comply to pointer passing rules

[ansiwen]

In #581 we discovered, that we are actually violating the pointer passing rules in some places. For the write buffer of the writeSteps this change uses a PtrGuard, while the return parameters of GetOmapSteps are allocated in C memory.

Related: #584

[phlogistonjohn]

My only real specific request is to choose a name that's clear for the current "Poke."

I also wonder if we're going to make a direct call to pointer guard from library code if we should have a bit of "soak time" by merging it after we release rather than immediately before release.

Most everything else seems ok to me.

[phlogistonjohn]

Suggested change

	// Poke stores the pinned Go pointer in C memory at cPtr
	func (v *PtrGuard) Poke(cPtr CPtr) *PtrGuard {
	// Store the pinned Go pointer into the C memory located at cPtr.
	func (v *PtrGuard) Store(cPtr CPtr) *PtrGuard {

I think the above naming would be clearer. I'm not sure if Poke is meant to be a reference to Peek/Poke - but even that seems kind of obscure to me.

[ansiwen]

Yes, that was the idea (Peek/Poke). But Store is also fine for me.

[phlogistonjohn]

Is this our first hard dependency on ptrgourd? I think that all previous cases were wrapped so that they either copied data or used ptrguard, right?

If so, I'm ok with it in theory but I'm just a tad hesitant to merge it right before we release. Thoughts?

[ansiwen]

Yes you are right, I forgot about our ptrguard tag. I mean, we test it, but it's true, that it's not used in the "field" (that is, CSI) yet. Let's not merge then for now.

[gman0]

I just noticed this comment. Does that mean PRs that would depend on this fix (e.g. #581) are blocked until after December's release?

[phlogistonjohn]

No, the PRs can be merged prior to release. We simply need to discuss our options, some of the work can possibly be split up, for example. In fact I'd prefer to merge as much as possible sooner rather than later Unfortunately, things have been slow due to illnesses and time off. Please continue to ping us on these items so that we don't forget to work on them!

[phlogistonjohn]

Following up on this: do you prefer to:
a) take this as-is - adding one new hard dependency on prtguard
b) add some wrapping around this change to make prtguard a build-time toggle, like it's other uses
c) enable prtguard generally, including a new hard dependency on prtguard
d) enable prtguard generally, including a build-time toggle for the new usage

Note: I don't think these all need to be done in this pr, just looking for a general idea where you'd like to go with this. I have a preference but I'm not going to tell you (yet). :-)

[ansiwen]

@phlogistonjohn Ok, how about this: we switch to ptrguard by default and wait one release cycle, if someone complains. This PR I will split up so that without ptrguard tag the old ("insecure") code is used. I'm not in the mood to build another "safe" shim layer that we will remove after one release again. ;-)

[phlogistonjohn]

That sounds OK to me, but I'm a bit unclear on "wait one release cycle, if someone complains". If we enable prtguard by default (soonish) we'll have the remaining october/november period of pre-release "soak time" before the next release in Dec.
Then unless we find an issue it would be enabled by default in the released version. At that point it'd be the default in all released versions unless we get reports [1]. But I don't quite get the "one release cycle" aspect from your comment.

[1] - what we do if we get reports is contingent on the severity of the report and how many releases it's been enabled IMO

[ansiwen]

Sorry, I wasn't clear enough. What I meant was: for the next release we will switch to ptrguard by default, but keep the other code. If until the following release no one complains, we can remove the non-ptrguard code.

[ansiwen]

Actually, now that I know a lot more about that whole topic, and given that the pinning API has been accepted, I would address the whole thing differently now: we can assume, that the pinning API will land before the GC becomes "moving". So before the API is there, ptrguard doesn't have to do anything. And as soon as the API is there, it can use it. The only use-case for the current implementation would be, that older versions of go-ceph would still work with some future version of go that might have a moving GC.

[phlogistonjohn]

Actually, now that I know a lot more about that whole topic, and given that the pinning API has been accepted, I would address the whole thing differently now: we can assume, that the pinning API will land before the GC becomes "moving". So before the API is there, ptrguard doesn't have to do anything. And as soon as the API is there, it can use it. The only use-case for the current implementation would be, that older versions of go-ceph would still work with some future version of go that might have a moving GC.

Sure, I agree that it wouldn't make a lot of sense to worry about moving gc a lot given the above. To make things more "actionable" what should we do over the next couple of weeks? Break this PR up into parts, one for the ptrguard stuff and one for the other changes? I also want to unblock PR #581.

[ansiwen]

I removed the PtrGuard related changes and just added a TODO comment for later reference.

[phlogistonjohn]

LGTM Thanks.

For a little extra context: we discussed this PR earlier today and decided that it would not be the place and time to create a hard dependency on ptrguard given that Go's GC is not a moving GC today.