Add MemoryPool apis

[ghost]

Fixes https://github.com/dotnet/corefx/issues/26357

[stephentoub]

What's the goal of the interlockeds being used here? As it stands, for example, even if Release throws, the _referenceCount will already have gone negative, and code could subsequently continue to use the object that now has a negative reference count... so then, for example, another thread could call Retain, have it succeed, but the count could still be <= 0 and IsRetained would return false.

Seems like either we shouldn't care about thread-safety, in which case we don't need to use interlockeds, or we should care, in which case this should be more robust and use a standard Interlocked.CompareExchange loop for these kinds of operations.

[ghost]

@ahsonkhan, @KrzysztofCwalina - what are the thread-safety goals here? These interlocked calls were all part of the original prototype in corefxlab.

[KrzysztofCwalina]

The main goal of the implementation is to detect use after free. "Detect" is the key word here. I dont think we can make it 100% thread safe without unacceptable perf hit. For that to happen, we would need to do what @stephentoub says plus synchronize access to the array (the Span property, for example).

BTW, I don't mind making this method more robust, I am just not sure it will add value without also changing get_Span, which I don't think we can change without significant perf hit.

[ghost]

Ok - I'm inclined to drop any pretense of thread-safety then. It's pretty well established the .NET objects are thread-unsafe in the 90% case and synchronization is outsourced to the users.

[KrzysztofCwalina]

Wait, gat_Span is synchronized as it checks for IsDisposed first. Maybe we are not too far from having valuable "more safety". Still there is an issue of Memory callers not having to call Retain, but at least I think we can make it totally safe for those who want to religiously use Retain/Release.

[ghost]

It's not a thread-safe check though - when I see "synchronized", I think thread-safe.

[stephentoub]

Retain checks IsDisposed. Release doesn't need to? And we don't need disposal to be coordinated with the interlockeds used by Retain/Release? (Goes back to my question about what the thread-safety goals are.)

[ghost]

@ahsonkhan khan, @KrzysztofCwalina - care to address this? I noticed this asymmetry in the corefxlab code too but figured there may be a reason (perhaps because if someone didn't follow the normal dispose pattern, Release can happen as part of a MemoryHandle finalization which could happen after the OwnedMemory it came from got disposed - and we don't want an exception being thrown there?)

[KrzysztofCwalina]

If somebody calls "release" they simply communicate that they wont be using this OwnedMemory (OM) anymore. I am not sure why we would want to throw on already disposed objects. It does not seem to be adding to safety of the system and just makes the Release callsite subject to exceptions. Having said that, I don't mind changing it, if we feel it adds value.

[jkotas]

If you are calling Release() on already disposed object, it means that you have use-after-free security bug. The calls to Rent and Release have to be always matched.

The C/C++ memory allocators fail fast right away and abort the program when they detect use after free. We may want to do the same instead of throwing catchable exception.

[stephentoub]

What if it's currently retained?

[ghost]

Then it throws an InvalidOperationException. That check is encapsulated in the OwnedMemory class itself.

[stephentoub]

What throws an InvalidOperationException? If you Dispose of this while it's already retained, then the array is likely already in use, but we're returning it to the pool here.

[ghost]

Right here:

corefx/src/Common/src/CoreLib/System/Buffers/OwnedMemory.cs

Line 63 in 83f35ef

ThrowHelper.ThrowInvalidOperationException_OutstandingReferences();

[stephentoub]

But you're not calling base.Dispose(disposing). So who calls that?

[stephentoub]

Oh, sorry, different overload. I see.

[stephentoub]

Does MaxBufferSize get devirtualized? Otherwise, this is another virtual call.

[ghost]

I would hope the JIT can do that considering the class is sealed at this level. Though it's easy enough to substitute a const to be safe.

[ahsonkhan]

Why not allow minimumBufferSize == 0?

[stephentoub]

Every rental allocates?

[ghost]

It's not clear to me how that could be avoided. The OwnedMemory wrapper object is meant to be used in a "using () {}" type-pattern. If we tried to pool those as well, we'd be handing out IDisposable objects that the caller isn't meant to dispose.

[stephentoub]

I'm not really commenting on the implementation so much as the MemoryPool design. Seems problematic if the default implementation that most folks will use allocates on every Rent.

[jkotas]

This depends on what the MemoryPool abstraction is meant to be used for.

I see it designed for large buffers. You get large buffer and allocate a little bit in the process. I do not think that allocation is problematic in this scenario.

[stephentoub]

The default size here is 4096, which is also a common size used with ArrayPool, and for ArrayPool, there have been complaints about things as small as the virtual dispatch cost associated with calling ArrayPool.Shared.Rent/Release; even a small allocation and the associated GC impact is at least as much as that. I'm skeptical this will only be used for large buffers; of course, if we add costs like such allocations on every Rent/Release, we may certainly force it in that direction.

[jkotas]

If you want a bare bone malloc/free, you should use ArrayPool. MemoryPool is higher level abstraction.

And yes - we need to fix ArrayPool to not have the unnecessary overheads and to not leak.

[stephentoub]

Still seems like it's going to be a problem. I guess we'll have to agree to disagree.

[davidfowl]

The memory pool in kestrel pools the OwnedMemory<byte> objects 😄

[jkotas]

You can certainly pool OwnedMemory memory if you know what you are doing. It increases your security risk profile.

[KrzysztofCwalina]

We used to have a cookie in OM to allow it to be pooled safely. We removed the cookie during the performance push, but I am not sure it actually helps performance, yet it makes it so much more difficult to pool OM safely.

[jkotas]

This is unnecessary extra layer MemoryPool<T> Shared can allocate ArrayMemoryPool directly.

[KrzysztofCwalina]

Yeah, I think we should use the shared array pool directly.

[jkotas]

Why is this 1GB and not 2GB?

[KrzysztofCwalina]

Yeah, I think we should change it to 2GB

[jkotas]

Is this a good default size even for large Ts ? Should this rather be 1 + (4095 / sizeof(T)) ?

[KrzysztofCwalina]

We had a discussion at the API review about the default here. Did we really settle on -1? Why not have the default be 0?

[stephentoub]

Why not have the default be 0?

FWIW, ArrayPool.Shared.Rent(0) gives back an empty array. Then again, it also throws for -1.

[jkotas]

IIRC, we have settled on -1.

[davidfowl]

It's on youtube, it was -1.

[KrzysztofCwalina]

you mean "it's on the internet"? :-)

[jkotas]

Can we use array == null to signal disposes instead of an extra bool flag?

[ghost]

Seems reasonable.

[KrzysztofCwalina]

Why is 0 bad? ArrayPool allows to rent empty buffers.

[ghost]

Another artifact from the corefxlab code. Since we've settled on -1 as the sentinel, I'll remove that restriction.

[KrzysztofCwalina]

Could you add some stress tests too to ensure we don't let people access the array (the Span) after Dispose on a separate thread. Also, to ensure that Dispose throws is there are outstanding Retain (called on a different thread).

[ghost]

Dispose on a separate thread

That would be contingent on whether we want to guarantee thread-safety. I'm inclined against that.

On a separate note, is CI really the place to be doing stress tests? CI should be about prevent clearly bad stuff from going in, not randomly holding up PR's because of intermittent stress failures.

The Dispose throwing on an outstanding ref-count is already tested in the OwnedMemory tests (and the OwnedMemory class is the one that does that check so checking for individual variants doesn't add any code coverage.) It's an invariant of OwnedMemory objects in general and not specific to MemoryPool.

[ahsonkhan]

nit: fix sort order. put it above
<Compile Include="System\Buffers\OperationStatus.cs" />

Also, the file name ArrayMemoryPool.ArrayMemoryPoolBuffer.cs is confusing. Do we have this type of naming based on nested classes elsewhere?

[ghost]

The double-dot notation is used generally when partial classes are used. This is just another instance of that.

[ahsonkhan]

Do properties and methods on a sealed class need to marked as sealed as well?

[stephentoub]

Do properties and methods on a sealed class need to marked as sealed as well?

No

[ahsonkhan]

Add argument checks for byteOffset?

Similar to: https://github.com/dotnet/corefx/blob/master/src/System.Memory/tests/Memory/CustomMemoryForTest.cs#L47

if (byteOffset < 0 || (byteOffset/Unsafe.SizeOf<T>()) > _array.Length) throw

[ghost]

This check isn't right - for an array of 10 ints, "40" should be a valid input, but not 41, 42 and 43.

This seems like low-level api to be doing this kind of check - I'll put in but it gets tricky since MemoryPool owners don't have strict control over the sizes they get back. The byteOffset might not actually fit in an Int32.

[ahsonkhan]

Returns a memory block capable of holding at least <paramref name="minBufferSize"/> elements of T.?

[ahsonkhan]

nit: This is awkward to read. Do we need to mention in elements?

[ghost]

I'll just nuke that part of the phrase - the summary plus the param name makes it obvious.

[ahsonkhan]

Remove empty returns tag.

[ahsonkhan]

We recently removed the objectName argument from ThrowObjectDisposedException_MemoryDisposed.
3f03814#diff-4021c6d7a5c4f084b4e8867d8cb0f973L67
@jkotas, why was that?

[jkotas]

dotnet/coreclr#15909 (comment)

[ahsonkhan]

Thanks for the context! Should we keep passing the object name to the newly added ThrowObjectDisposedException method or remove that argument here as well?

[ahsonkhan]

Should we add another block.Dispose() and check that block.IsDisposed remains true?

[ahsonkhan]

How are we testing Pin after Dispose here?

[stephentoub]

Nit: s_ prefix is used for statics; consts should be PascalCased.

[ghost]

I know - this is kinda tough case since the "best" name is already taken by the property. MaxBufferSizeConst just sounds awkward.

[ahsonkhan]

@atsushikan, can you please maintain the commit history during PR review? It makes it easier to view only the diffs between commits.

[ghost]

can you please maintain the commit history during PR review?

That's not so easy on GitHub when a PR stretches across days. I merge from upstream at least once a day so you either get a commit history that includes massive merges (and thus the main file list containing hundreds of unrelated changes, which someone complained about earlier) or a multi-commit rebase (which is treacherous and a pain in the neck and still results in a force push with new hashes so have to take on faith the "older" commits are actually the commits you reviewed previously.) Either way, there are drawbacks that make someone unhappy.

[ahsonkhan]

I merge from upstream at least once a day so you either get a commit history that includes massive merges (and thus the main file list containing hundreds of unrelated changes, which someone complained about earlier)

Why would merging from upstream result in unrelated changes to show up? Isn't the diff view against what is in master? So, we may see the Merge branch... commits in the PR, but the changes themselves shouldn't show up.

I would imagine it would be something like this (from #26232), which only shows my changes even though I have merged from upstream:

[ghost]

Why would merging from upstream result in unrelated changes to show up?

That was the experience about a year ago - people complained so I switched to the rebase-and-force-push method. Maybe GitHub is smarter now - I'd be happy to switch back (until someone complains again...)

[ghost]

@ahsonkhan - any further blocking issues?

[jkotas]

We should allow byteOffset that points right at the end of the array.

[jkotas]

(See discussion at #25770 (comment))

[ghost]

It does allow that. We have a specific test for it: https://github.com/AtsushiKan/corefx/blob/mempool/src/System.Memory/tests/MemoryPool/MemoryPool.cs#L96

[jkotas]

Yes, you are right.

[ahsonkhan]

LGTM.