Finish the safety argument for `BinEntry::Moved`
jonhoo opened this issue · comments
I'm thinking as follows: If we perform an operation that sees a Moved(t)
, we must have gotten there by loading self.table
with a guard g
. This guard g
will pin an epoch before the resize is finished with respect to the loaded table, otherwise we would have loaded the next table. This argument also exists here:
Lines 719 to 749 in 051ca79
- During the resize,
t
points tonext_table
and is thus valid. - After the resize,
t == self.table
, thust
is valid. - This holds until a subsequent resize ends, at which point
self.table != t
andt
isdefer_destroy
ed (see the code above). At this point,t
is not referenced by the map anymore. However, thedefer_destroy
happens whileg
is still pinning the epoch. Thus,t
remains valid for at least the lifetime ofg
. - After releasing
g
, performing operations on the map with a new guardg'
cannot access the table anymore (also see above).
Since this traces the entire lifetime of both the guard and the table and in particular, the above code is the only place that defer_destroy
s tables, I think the argument is sound. What do you think? Does this make sense to you?
Yes, that seems correct to me as well! Could you submit a PR with that argument included? I think maybe we want to make that argument as a comment on the Moved
variant of BinEntry
(rather than in everywhere that uses it), and then reference that argument from the two or three places that rely on it.
Nice! I just created #35 for this. I was also already thinking about reducing redundancy with these comments, but wasn't sure where to put them yet. The definition of Moved
seems like a good place!
There is also some other PR i saw which had copied the argument, I'll go find it and tell them about the PR so that we don't introduce more copies of the FIXME again 😉