WIP: Intrusive

[jamesmunns]

No description provided.

[JuliDi]

What do you mean by that? Should we just use the Option<>?
&'static instead of the AtomicPtr would also seem more ergonomic if we require it to be 'static anyway.

[jamesmunns]

I used an AtomicPtr because this is in the shared "read only" part of the storage. We'd need to use an UnsafeCell<Option<&'static PinList<R>>> (and ensure we have the lock locked) to write this in a shared static item.

We might be able to get rid of this entirely tho, see the notes about PinListNodeHandle.

[JuliDi]

Honestly, I don't understand whether or not this is resolved now. Doesn't hurt to keep it in there for now, does it?

[jamesmunns]

I think rust-lang/rust#63818 (comment) is what I saw at some point, definitely does not hurt to keep, I'd leave it and we can investigate more later.

[JuliDi]

What tool did you use to draw these? I was thinking about doing one for the entire list, as well.

[jamesmunns]

I used MonoDraw for MacOS

[JuliDi]

Would it be sufficient to only check this when a new key is added? Once we have the list read from flash it is somewhat quick to traverse and check for the presence of key.

[jamesmunns]

Yes, I think when we do attach, we should iterate over the full list before adding the new node to the list, checking if there are any duplicate keys, and failing if any node has the same key as the potential new node.

[JuliDi]

Do we have to manage this on a per-node basis or could we have this handled between the flash worker and the node owner?
(This is more of a note to myself, I will need to look into how this is done in other implementations. Maybe the owner can pass a waker to the flash task or so)

[jamesmunns]

Yeah, maybe another thing we could do is put a single WaitQueue in the PinList (and remove all the node WaitCells), and when a node is waiting for hydration, it waits on that WaitQueue, and when the worker has finished processing reads, it can do a wake_all. WaitQueue also supports wait_for, so that would likely be way easier. This could be a good first follow-up PR to do if you have time today!

[JuliDi]

Does this need a different state as marking? Or is this more of a state transition back to NeedsWrite?

[jamesmunns]

Yeah, we may end up needing to use a bitfield or something, because a node could potentially simultaneously be "NeedsWriting" AND "WriteStarted".

For example, we could have a process like:

1. The node has no writes pending, it is in ValidNoWriteNeeded
2. The node is written to. It moves to NeedsWrite
3. The flash worker starts the write, moves the node to WriteStarted
4. The flash worker lets go of the mutex and awaits the flash to be written
5. The node is written to again with NEW data.
   • If we overwrite WriteStarted to NeedsWrite, how to we make sure the flash worker doesn't move it back to ValidNoWriteNeeded before it does ANOTHER write?

[JuliDi]

How will this be implemented with real flash? I assume we would be reading everything from the flash and keep track of all keys and their locations in a HashMap to avoid reading from flash for every key? Might also depend on how slow the reads are and whether that's acceptable.

[jamesmunns]

Yeah, "it depends" on how we implement the flash data structure. If we have some way of loading, say, up to 4K at a time, we could do something like:

• For each <=4K chunk of flash in the "latest" window
  • Read the chunk to RAM w/async+dma read
  • For each node in the list
    • If the node "needs to be hydrated":
    • For each K:V pair in the flash chunk
      • if the key from the chunk item matches the key from the node
      • then attempt to deser the value into the node
      • On success, mark it "Valid"
      • On failure, mark it "NonResident"
• When all chunks from the "latest" flash window have been processed
  • For each node in the list
    • If the node still needs to be hydrated, mark it as "NonResident"

This assumes we can build some interface like this for the flash, that the storage worker can use:

let mut buf = [0u8; MAX_PAGE_LEN];
// returns an iterator of addr+len pairs we can read from the flash
// this would be just one if the total data is <4K, or more if the
// total data is >4k
let page_iter = flash.get_latest();
for (page_addr, page_len) in page_iter {
    let chunk = flash.read(page_addr, &mut buf[..page_len]).await?;
    let item_iter = deser_kvs(chunk);
    for (key, value) in item_iter {
        // key: &str
        // value: &[u8]
        // do the stuff with iterating the nodes to find if we have this
    }
}

[JuliDi]

Since serialization is deterministic, we should be able to have some way of catching this during compilation.

[jamesmunns]

maaaaaybe. Remember the max size is different for every type, and we don't have dynamic memory allocation or anything like alloca. We should probably just set some reasonable max size like 1k for each individual item.

[JuliDi]

This makes sense to me from a (C) pointer perspective, but I don't yet understand the peculiarities of the Pin (and how we ensure to "treat the data as pinned") and the cast.

My understanding of what it does is the Rusty way of Node* nodeptr = reinterpret_cast<Node*>(header_ptr) .

Does this get "easier" when the nodes are 'static? Or do we still need the Pin then?

[jamesmunns]

The Pin is an artifact of cordyceps::List's interface. Pin guarantees we DO NOT move out of the pinned reference, e.g. we don't swap out an old Node for a new Node, because Pin says things are allowed to hold pointers to items, and doing that would invalidate them.

We don't do any of that, so mostly it should be fine as-is. If you need to tag me to check the safety of something, let me know and I can take a quick peek.

[JuliDi]

Is this what happens with the into_inner_unchecked?

[jamesmunns]

Yes, more specifically NonNull::new() consumes the &mut ptr we get out of into_inner_unchecked.

[JuliDi]

Maybe add this to the docs later:

This works because we passed nodeptr to deserialize and hdrptr is actually Copy so it was not moved with the above call to cast.

[jamesmunns]

yes, pointers can be copied, the important thing for safety is that we never have aliasing mutable REFERENCES live at the same time. We can have "duped" pointers, but we can't turn those into references (or ACCESS through the pointers) if there are other references live.

References have stricter rules than pointers: References assert "no aliased mutable access" for THE WHOLE TIME they exist, while pointers only assert that while you are accessing through them.

I say "assert": it's not something that will panic, it is just something that is undefined behavior. You might catch cases of this with miri testing.

[JuliDi]

How will this be handled with actual flash? We won't be writing immediately but collect multiple nodes into a single page to avoid erasing entire pages, right?
Do we end up with a two-step process here, where we first insert into a "buffer to be written" and then"write buffer to flash"? Or is this entirely handled by the "flash driver" (that implements a Flash trait?)

[jamesmunns]

See some previous comments, this is still to be solved.

[JuliDi]

Consider providing a Default impl for NodeHeader

[JuliDi]

https://github.com/embassy-rs/embassy/blob/64a2b9b2a36adbc26117b8e76ae2b178a5e3eb9f/embassy-hal-internal/src/macros.rs#L58-L70 is the approach with a taken flag.
Returning a handle or having some sort of newtype/builder pattern might also be an option.

However, properly documenting that it will panic if called twice and implementing the flag approach is easier and works quite well in embassy.

[JuliDi]

On second thought: couldn't we check whether self.list != null and return (since it has already been attached)?

[jamesmunns]

Yes, if we do a compare and swap at the top instead of just an is_null check, right now I don't "set" the pointer until the end of the function, which means two attachs could happen concurrently.

I think switching to a handle is a better idea because it solves a lot of other API problems I've commented on.

[JuliDi]

How do we ensure that a process_read is triggered so we don't wait forever?

[jamesmunns]

"it is up to the storage writer to ensure that reads are processed regularly".

I don't think we magically can, but imo it's reasonable to say "you must await the "reads needed" future, or just make sure you check regularly enough.

[JuliDi]

Consider making this a separate function on t (init_with_default or so), such that the State is not managed by different parties

[jamesmunns]

I'm not sure what you mean, State definitely has to be managed by two parties, the flash worker (sets state on initial load, and when writes are processed), and the node itself (when a write occurs and it marks "needs write").

[JuliDi]

My note was more geared towards development: how can we logically group (or confine?) the places where the node's state is manipulated so refactoring is less error prone (or how can I make it harder to forget setting the right state, especially if we change the state enum).