itimer_transition: do not keep it_value unchanged after firing the event

yamt · yamt · commit ad2737fbd400 · 2026-03-17T08:12:53.000Z
this mostly fixes the very quick output from "netstat -w1" i've seen on netbsd on qemu/nvmm. the following logs are the output of https://github.com/yamt/garbage/blob/cf7b893415080b177b5104ff6e8c75be5b57dc94/c/itimer/itimer.c on the vm. w/o this change: ``` # ./a.out 1: 490375420ns frm start, 490375420ns frm prev, ov=0, int=1 2: 750174060ns frm start, 259798640ns frm prev, ov=0, int=2 3: 875501930ns frm start, 125327870ns frm prev, ov=0, int=3 4: 933287110ns frm start, 57785180ns frm prev, ov=0, int=4 5: 970379010ns frm start, 37091900ns frm prev, ov=0, int=5 6: 972449040ns frm start, 2070030ns frm prev, ov=0, int=6 7: 990374320ns frm start, 17925280ns frm prev, ov=0, int=7 8: 991798300ns frm start, 1423980ns frm prev, ov=0, int=8 9: 992333220ns frm start, 534920ns frm prev, ov=0, int=9 10: 993545880ns frm start, 1212660ns frm prev, ov=0, int=10 11: 994030150ns frm start, 484270ns frm prev, ov=0, int=11 12: 994496010ns frm start, 465860ns frm prev, ov=0, int=12 13: 996376070ns frm start, 1880060ns frm prev, ov=0, int=13 14: 996848870ns frm start, 472800ns frm prev, ov=0, int=14 15: 998169890ns frm start, 1321020ns frm prev, ov=0, int=15 16: 998632820ns frm start, 462930ns frm prev, ov=0, int=16 17: 999045990ns frm start, 413170ns frm prev, ov=0, int=17 18: 2298018910ns frm start, 1298972920ns frm prev, ov=0, int=18 19: 3377882220ns frm start, 1079863310ns frm prev, ov=0, int=19 20: 4195221330ns frm start, 817339110ns frm prev, ov=0, int=20 21: 5275385900ns frm start, 1080164570ns frm prev, ov=0, int=21 22: 6565223200ns frm start, 1289837300ns frm prev, ov=0, int=22 23: 7375210250ns frm start, 809987050ns frm prev, ov=0, int=23 24: 8555230580ns frm start, 1180020330ns frm prev, ov=0, int=24 25: 9300371900ns frm start, 745141320ns frm prev, ov=0, int=25 26: 10600372960ns frm start, 1300001060ns frm prev, ov=0, int=26 27: 11340376020ns frm start, 740003060ns frm prev, ov=0, int=27 ^C # ``` w/ this change: ``` # ./a.out 1: 605541180ns frm start, 605541180ns frm prev, ov=0, int=1 2: 1407955990ns frm start, 802414810ns frm prev, ov=0, int=2 3: 2285627110ns frm start, 877671120ns frm prev, ov=0, int=3 4: 2602194370ns frm start, 316567260ns frm prev, ov=0, int=4 5: 3932994350ns frm start, 1330799980ns frm prev, ov=0, int=5 6: 6022993810ns frm start, 2089999460ns frm prev, ov=0, int=6 7: 6942991930ns frm start, 919998120ns frm prev, ov=0, int=7 8: 8103008190ns frm start, 1160016260ns frm prev, ov=0, int=8 9: 9149924480ns frm start, 1046916290ns frm prev, ov=0, int=9 10: 9218383340ns frm start, 68458860ns frm prev, ov=0, int=10 11: 12002313290ns frm start, 2783929950ns frm prev, ov=1, int=12 12: 13682980240ns frm start, 1680666950ns frm prev, ov=1, int=13 13: 14282982100ns frm start, 600001860ns frm prev, ov=1, int=14 14: 15642962120ns frm start, 1359980020ns frm prev, ov=1, int=15 15: 16302952020ns frm start, 659989900ns frm prev, ov=1, int=16 16: 17667002460ns frm start, 1364050440ns frm prev, ov=1, int=17 17: 18276997850ns frm start, 609995390ns frm prev, ov=1, int=18 18: 19606989090ns frm start, 1329991240ns frm prev, ov=1, int=19 19: 20396986930ns frm start, 789997840ns frm prev, ov=1, int=20 20: 21596995570ns frm start, 1200008640ns frm prev, ov=1, int=21 21: 22396987640ns frm start, 799992070ns frm prev, ov=1, int=22 22: 23556982430ns frm start, 1159994790ns frm prev, ov=1, int=23 23: 24416981240ns frm start, 859998810ns frm prev, ov=1, int=24 24: 25576994000ns frm start, 1160012760ns frm prev, ov=1, int=25 25: 26356993150ns frm start, 779999150ns frm prev, ov=1, int=26 26: 27082519580ns frm start, 725526430ns frm prev, ov=1, int=27 ^C # ```
diff --git a/sys/kern/subr_time_arith.c b/sys/kern/subr_time_arith.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: subr_time_arith.c,v 1.7 2026/01/04 03:21:19 riastradh Exp $	*/
+/*	$NetBSD: subr_time_arith.c,v 1.8 2026/03/17 08:12:53 yamt Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2004, 2005, 2007, 2008, 2009, 2020
@@ -63,7 +63,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_time_arith.c,v 1.7 2026/01/04 03:21:19 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_time_arith.c,v 1.8 2026/03/17 08:12:53 yamt Exp $");
 
 #include <sys/types.h>
 
@@ -482,8 +482,7 @@ itimer_transition(const struct itimerspec *restrict it,
     struct timespec *restrict next,
     int *restrict overrunsp)
 {
-	int64_t last_val, next_val, interval, remainder, now_ns;
-	int backwards;
+	int64_t last_val, interval, now_ns, overruns, last_tick;
 
 	/*
 	 * Zero the outputs so we can test assertions in userland
@@ -500,9 +499,6 @@ itimer_transition(const struct itimerspec *restrict it,
 		return;
 	}
 
-	/* Did the clock wind backwards? */
-	backwards = (timespeccmp(&it->it_value, now, >));
-
 	/* Valid value and interval guaranteed by itimerfix. */
 	KASSERT(it->it_value.tv_sec >= 0);
 	KASSERT(it->it_value.tv_nsec < 1000000000);
@@ -513,20 +509,31 @@ itimer_transition(const struct itimerspec *restrict it,
 	KASSERT(it->it_interval.tv_sec >= 0);
 	KASSERT(it->it_interval.tv_nsec >= 0);
 
-	/* Handle the easy case of non-overflown timers first. */
-	if (__predict_true(!backwards)) {
-		if (__predict_false(!timespecaddok(&it->it_value,
-			    &it->it_interval)))
-			goto overflow;
-		timespecadd(&it->it_value, &it->it_interval, next);
-		if (__predict_true(timespeccmp(now, next, <)))
-			return;
+	/*
+	 * Handle the easy case of non-overflown timers first.
+	 *
+	 * Note: 'it_value' can be after 'now' here. maybe the callout fired
+	 * a bit earlier than we expected. or maybe the system REALTIME clock
+	 * went backward. in that case, as the caller may have already queued
+	 * the event (eg. SIGALRM) corresponding to the current value of
+	 * it_value, the best thing we can do here is to advance it by
+	 * it_interval as usual.
+	 */
+	if (__predict_false(!timespecaddok(&it->it_value, &it->it_interval)))
+		goto overflow;
+	timespecadd(&it->it_value, &it->it_interval, next);
+	if (__predict_true(timespeccmp(now, next, <))) {
+		/* no overruns. */
+		return;
 	}
 
 	/*
 	 * If we can't represent the input as a number of nanoseconds,
 	 * bail.  This is good up to the year 2262, if we start
 	 * counting from 1970 (2^63 nanoseconds ~ 292 years).
+	 *
+	 * TODO: we can implement timespecdiv etc to overcome this
+	 * limitation. maybe it's more straightforward with bintime.
 	 */
 	if (__predict_false(!timespec2nsok(now)) ||
 	    __predict_false(!timespec2nsok(&it->it_value)) ||
@@ -539,83 +546,34 @@ itimer_transition(const struct itimerspec *restrict it,
 
 	KASSERT(now_ns >= 0);
 	KASSERT(last_val >= 0);
-	KASSERT(interval >= 0);
+	KASSERT(interval > 0);
 
 	/*
-	 *            now [backwards]         overruns    now [forwards]
-	 *           |                      v    v    v  |
-	 * |--+----+-*--x----+----+----|----+----+----+--*-x----+-->
-	 *            \/               |               \/
-	 *         remainder        last_val        remainder
-	 *     (zero or negative)                (zero or positive)
-	 *
-	 * Set next_val to last_value + k*interval for some k.
-	 *
-	 * The interval is always positive, and division in C
-	 * truncates, so dividing a positive duration by the interval
-	 * always gives zero or a positive remainder, and dividing a
-	 * negative duration by the interval always gives zero or a
-	 * negative remainder.  Hence:
-	 *
-	 * - If now_ns < last_val -- which happens iff backwards, i.e.,
-	 *   the clock was wound backwards -- then remainder is zero or
-	 *   negative, so subtracting it stays in place or moves
-	 *   forward in time, and thus this finds the _earliest_ value
-	 *   that is not earlier than now_ns.  We will advance this by
-	 *   one more interval if we are already firing exactly on the
-	 *   interval to find the earliest value _after_ now_ns.
+	 * at this point, we know 'last_val' < 'next' <= 'now'.
+	 * we are about to compute 'overruns' and new 'next'.
 	 *
-	 * - If now_ns > last_val -- which happens iff !backwards,
-	 *   i.e., the clock ran fast -- then remainder is zero or
-	 *   positive positive, so this finds the _latest_ value not
-	 *   later than now_ns.  We will always advance this by one
-	 *   more interval to find the earliest value _after_ now_ns.
-	 *   We will also count overflows.
-	 *
-	 * (now_ns == last_val is not possible at this point because it
-	 * only happens if the addition of struct timespec would
-	 * overflow, and that is only possible when timespec2ns would
-	 * also overflow for at least one of the inputs.)
+	 *            overruns   now
+	 *          v    v    v  |
+	 *     |----+----+----+--*-x----+-->
+	 *     |    |         |    |
+	 * last_val |         |    next (to be computed)
+	 *          |         |
+	 *          |       last_tick
+	 *          |
+	 *          next (at this point)
 	 */
-	KASSERT(last_val != now_ns);
-	remainder = (now_ns - last_val) % interval;
-	next_val = now_ns - remainder;
-	KASSERT((last_val - next_val) % interval == 0);
-	if (backwards) {
-		/*
-		 * If the clock was wound back to an exact multiple of
-		 * the interval, so next_val = now_ns, don't demand to
-		 * fire again in the same instant -- advance to the
-		 * next interval.  Overflow is not possible; proof is
-		 * asserted.
-		 */
-		if (remainder == 0) {
-			KASSERT(now_ns < last_val);
-			KASSERT(next_val == now_ns);
-			KASSERT(last_val - next_val >= interval);
-			KASSERT(interval <= last_val - next_val);
-			KASSERT(next_val <= last_val - interval);
-			KASSERT(next_val <= INT64_MAX - interval);
-			next_val += interval;
-		}
-	} else {
-		/*
-		 * next_val is the largest integer multiple of interval
-		 * not later than now_ns.  Count the number of full
-		 * intervals that were skipped (division should be
-		 * exact here), not counting any partial interval
-		 * between next_val and now_ns, as the number of
-		 * overruns.  Advance by one interval -- unless that
-		 * would overflow.
-		 */
-		*overrunsp = MIN(INT_MAX, (next_val - last_val) / interval);
-		if (__predict_false(next_val > INT64_MAX - interval))
-			goto overflow;
-		next_val += interval;
-	}
-
-	next->tv_sec = next_val / 1000000000;
-	next->tv_nsec = next_val % 1000000000;
+	KASSERT(last_val < now_ns);
+	overruns = (now_ns - last_val) / interval;
+	KASSERT(overruns > 0);
+	last_tick = last_val + interval * overruns;
+	next->tv_sec = last_tick / 1000000000;
+	next->tv_nsec = last_tick % 1000000000;
+	KASSERT(timespeccmp(next, now, <=));
+	if (__predict_false(!timespecaddok(next, &it->it_interval)))
+		goto overflow;
+	timespecadd(next, &it->it_interval, next);
+	KASSERT(timespeccmp(now, next, <));
+	*overrunsp = MIN(INT_MAX, overruns);
 	return;
 
 overflow:
diff --git a/tests/kernel/t_time_arith.c b/tests/kernel/t_time_arith.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: t_time_arith.c,v 1.8 2026/03/17 08:10:58 yamt Exp $	*/
+/*	$NetBSD: t_time_arith.c,v 1.9 2026/03/17 08:12:53 yamt Exp $	*/
 
 /*-
  * Copyright (c) 2024-2025 The NetBSD Foundation, Inc.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: t_time_arith.c,v 1.8 2026/03/17 08:10:58 yamt Exp $");
+__RCSID("$NetBSD: t_time_arith.c,v 1.9 2026/03/17 08:12:53 yamt Exp $");
 
 #include <sys/timearith.h>
 
@@ -89,33 +89,33 @@ const struct itimer_transition {
 	 * integral multiple of it_interval starting from it_value.
 	 */
 	[0] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {0,1}, {1,0}, 0,
+	       {0,1}, {4,0}, 0,
 	       NULL},
 	[1] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {0,500000000}, {1,0}, 0,
+	       {0,500000000}, {4,0}, 0,
 	       NULL},
 	[2] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {0,999999999}, {1,0}, 0,
+	       {0,999999999}, {4,0}, 0,
 	       NULL},
 	[3] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {1,0}, {2,0}, 0,
+	       {1,0}, {4,0}, 0,
 	       NULL},
 	[4] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {1,1}, {2,0}, 0,
+	       {1,1}, {4,0}, 0,
 	       NULL},
 	[5] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {1,500000000}, {2,0}, 0,
+	       {1,500000000}, {4,0}, 0,
 	       NULL},
 	[6] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {1,999999999}, {2,0}, 0,
+	       {1,999999999}, {4,0}, 0,
 	       NULL},
 
 	/*
 	 * Fired exactly one interval early.  Treat this too as clock
 	 * wound backwards.
 	 */
 	[7] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {2,0}, {3,0}, 0,
+	       {2,0}, {4,0}, 0,
 	       NULL},
 
 	/*
@@ -124,13 +124,13 @@ const struct itimer_transition {
 	 * overruns.  Advance by one interval from the scheduled time.
 	 */
 	[8] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {2,1}, {3,0}, 0,
+	       {2,1}, {4,0}, 0,
 	       NULL},
 	[9] = {{.it_value = {3,0}, .it_interval = {1,0}},
-	       {2,500000000}, {3,0}, 0,
+	       {2,500000000}, {4,0}, 0,
 	       NULL},
 	[10] = {{.it_value = {3,0}, .it_interval = {1,0}},
-		{2,999999999}, {3,0}, 0,
+		{2,999999999}, {4,0}, 0,
 		NULL},
 
 	/*
@@ -222,24 +222,19 @@ const struct itimer_transition {
 	[28] = {{.it_value = {3,0}, .it_interval = {9223372036,854775809}},
 		{3,1}, {9223372039,854775809}, 0, NULL},
 
-	/*
-	 * Overflows -- we should (XXX but currently don't) reject
-	 * intervals of at least 2^64 nanoseconds up front, since this
-	 * is more time than it is reasonable to wait (more than 584
-	 * years).
-	 */
+	/* Large intervals */
 
 	/* (2^64 - 1) ns */
 	[29] = {{.it_value = {3,0}, .it_interval = {18446744073,709551615}},
-		{2,999999999}, {0,0}, 0,
+		{2,999999999}, {18446744076,709551615}, 0,
 		NULL},
 	/* 2^64 ns */
 	[30] = {{.it_value = {3,0}, .it_interval = {18446744073,709551616}},
-		{2,999999999}, {0,0}, 0,
+		{2,999999999}, {18446744076,709551616}, 0,
 		NULL},
 	/* (2^64 + 1) ns */
 	[31] = {{.it_value = {3,0}, .it_interval = {18446744073,709551617}},
-		{2,999999999}, {0,0}, 0,
+		{2,999999999}, {18446744076,709551617}, 0,
 		NULL},
 
 	/* invalid intervals */
