template <class Q, class T, class P>
void TCallbackTimerQueueTestBase<Q, T, P>::TestDestroyTimerDuringOnTimerInHandleTimeouts()
{
   JetByteTools::Win32::Mock::CMockTimerQueueMonitor monitor;

   P tickProvider;

   tickProvider.logTickCount = false;

   {
      Q timerQueue(monitor, tickProvider);

      CheckConstructionResults(tickProvider);

      CLoggingCallbackTimer timer;

      const Milliseconds timeout = 100;

      const IQueueTimers::UserData userData = 1;

      IQueueTimers::Handle handle = CreateAndSetTimer(
         tickProvider,
         timerQueue,
         timer,
         timeout,
         userData);

      timer.DestroyTimerInOnTimer(timerQueue, handle);

      const Milliseconds expectedTimeout = CalculateExpectedTimeout(timeout);

      THROW_ON_FAILURE_EX(expectedTimeout == timerQueue.GetNextTimeout());

      tickProvider.CheckResult(_T("|GetTickCount|"));

      tickProvider.SetTickCount(expectedTimeout);

      timerQueue.HandleTimeouts();

      tickProvider.CheckResult(_T("|GetTickCount|"));

      timer.CheckResult(_T("|OnTimer: 1|TimerDestroyed|"));

      tickProvider.CheckNoResults();

      THROW_ON_NO_EXCEPTION_EX_1(timerQueue.DestroyTimer, handle);
   }

   THROW_ON_FAILURE_EX(true == monitor.NoTimersAreActive());
}

And the change to the mock looks something like this:

void CLoggingCallbackTimer::OnTimer(
   UserData userData)
{
   if (logMessage)
   {
      if (logUserData)
      {
         LogMessage(_T("OnTimer: ") + ToString(userData));
      }
      else
      {
         LogMessage(_T("OnTimer"));
      }
   }

   if (m_pTimerQueue)
   {
      m_pTimerQueue->DestroyTimer(m_handle);

      LogMessage(_T("TimerDestroyed"));
   }

   ::InterlockedIncrement(&m_numTimerEvents);

   m_timerEvent.Set();
}

The result is that the timer is destroyed during timeout handling and the test demonstrates the failure in the code.

Unfortunately, with the latest build of the code the test does NOT demonstrate the problem. Unfortunately the PTMalloc implementation that we're currently using doesn't allow you to set it to fill deleted memory with an unlikely bit pattern. The default allocator with the Visual Studio C runtime does allow this in debug builds and this helps to force the bug into view. Adding the new test to the code that was presented in part 29 causes the bug to manifest and for Visual Studio to pop up a debug assertion message when the memory is double deleted.

The potential for this problem to occur when using the BeginTimeoutHandling(), EndTimeoutHandling() style of "lock free" timeout handling was already identified and fixed back when I first added the "lock free" timeout handling in part 18. The fix is pretty similar. There's already a flag in the internal timer data structure that's used to delay destruction until after the timer has finished being processed but it doesn't get set when using HandleTimeouts(). The fixes are fairly simple for both the timer wheel and the timer queue.

void CCallbackTimerQueueBase::TimerData::OnTimer()
{
   m_processingTimeout = true;

   OnTimer(m_active);

   m_processingTimeout = false;
}

CCallbackTimerWheel::TimerData *CCallbackTimerWheel::TimerData::OnTimer()
{
   m_ppPrevious = 0;

   m_processingTimeout = true;

   OnTimer(m_active);

   m_processingTimeout = false;

   return m_pNext;
}

The code from part 29 with these fixes applied can be found here.

The code that uses PTMalloc from part 30 with these fixes applied can be found here.

Please note that the previous rules apply.

typedef std::deque<TimerData *> Timers;
 
typedef std::pair<size_t, Timers> TimersAtThisTime;
 
typedef std::map<ULONGLONG, TimersAtThisTime *> TimerQueue;
 
typedef std::pair<TimerQueue::iterator, size_t> TimerLocation;
 
typedef std::map<TimerData *, TimerLocation> HandleMap;

became

typedef std::deque<TimerData *, CAlloc<TimerData *> > Timers;
 
typedef std::pair<size_t, Timers> TimersAtThisTime;
 
typedef std::map<ULONGLONG, TimersAtThisTime *,
   std::less<ULONGLONG>,
   CAlloc<std::pair<ULONGLONG, TimersAtThisTime *> > > TimerQueue;
 
typedef std::pair<TimerQueue::iterator, size_t> TimerLocation;
 
typedef std::map<TimerData *, TimerLocation,
   std::less<TimerData *>,
   CAlloc<std::pair<TimerData *, TimerLocation> > > HandleMap;

And I had to add some allocators and a private heap to the class.

CSmartHeapHandle m_heap;
 
CAlloc<TimerData *> m_timersAllocator;
 
CAlloc<std::pair<ULONGLONG, TimersAtThisTime *> > m_timerQueueAllocator;
 
CAlloc<std::pair<TimerData *, TimerLocation> > m_handleMapAllocator;

CCallbackTimerQueueBase::CCallbackTimerQueueBase()
   :  m_heap(::HeapCreate(HEAP_NO_SERIALIZE, 0,0)),
      m_timersAllocator(m_heap),
      m_timerQueueAllocator(m_heap),
      m_handleMapAllocator(m_heap),
      m_queue(std::less<ULONGLONG>(), m_timerQueueAllocator),
      m_handleMap(std::less<TimerData *>(), m_handleMapAllocator),
      m_monitor(s_monitor),
      m_maxTimeout(s_timeoutMax),
      m_handlingTimeouts(InvalidTimeoutHandleValue)
{
   if (!m_heap.IsValid())
   {
      throw CException(_T("CCallbackTimerQueueBase::CCallbackTimerQueueBase()"), _T("Failed to create private heap"));
   }
}

Note that since we are taking responsibility for locking around access to the heap we can tell HeapCreate() not to bother locking internally with the HEAP_NO_SERIALIZE flag.

Unfortunately this makes performance worse, though arguably it has reduced contention. The problem is that HeapAlloc() isn't as efficient as the standard implementation of new and so whilst we've reduced contention we've also reduced overall performance. Not good.

I did some research on high performance memory allocators and decided that PTMalloc was a good fit for what I needed. PTMalloc supports separate heaps by what it terms "malloc spaces" or mspace and it supports multi-threaded use where you're responsible for locking. I wrapped the code in one of my library projects and created some helper code so that it integrated more easily with the rest of my code.

A new STL allocator implementation can then allocate and deallocate from a PTMalloc mspace rather than from a heap created with HeapAlloc(). The results were good, faster than the original new implementation and, due to the private heap, the contention of the timer queue was reduced to C(n threads using the queue).

The STL allocator isn't the only place that dynamic memory is being allocated though, we're also allocating a timer handle when we create a timer and in the timer queue we need to allocate the various structures that help us build and manage our queue. If these continue to use the standard program heap then our worst possible contention is still C(n threads using the program heap) rather than C(n threads using the queue).

Providing custom allocation and deallocation code, that uses the PTMalloc private heap, for the other memory allocations deals with both the contention and boosts performance.

In the case of the TimerData object we can add a placement new implementation for it that uses our private heap. For the simpler memory objects we allocate and construct them manually using the private heap's allocator.

On my system the performance tests show some pretty nice improvements for the timer queues. Every operation is faster. Timer creation is down from 60ms per 100,000 to 40ms. Setting timers down from 130ms to 100ms (again per 100,000) and timer handling down a little.

Of course the allocation and STL allocator changes can also be applied, albeit with lesser results as the only STL collection used is for timer handle validation and the only dynamically allocated data is the timer handle.

The code for the STL allocator using HeapAlloc() can be found here.

The code for the STL allocator using PTMalloc can be found here.

And the code for all allocations using PTMalloc can be found here.

Please note that the previous rules apply.

That said, I still should have included a test for these particular bugs in my original test suite for the timer wheel, it's a fairly obvious hole in the testing. Both bugs are fairly serious, and fairly simple. Luckily once I integrated the code into the real application the problems showed up quickly and regularly; this meant that it was easy to track them down and once I had an idea of what the likely problems were it was easy to put together some tests that showed the problems.

The first bug is in how we handle calculating the next timeout when that timer has wrapped and is before our current position in the timer wheel rather than after it. None of the existing tests put the code in this position, but real usage caused it almost immediately.

The calculation for this situation was wrong, it was this:

nextTimeout = static_cast<Milliseconds>((
   (m_pFirstTimerSetHint > m_pNow ?
      (m_pFirstTimerSetHint - m_pNow) :
      (m_pNow - m_pFirstTimerSetHint)) + 1) * m_timerGranularity);

and it should be this:

nextTimeout = static_cast<Milliseconds>((
   (m_pFirstTimerSetHint >= m_pNow ?
      (m_pFirstTimerSetHint - m_pNow) :
      (m_pTimersEnd - m_pNow + m_pFirstTimerSetHint - m_pTimersStart)) + 1) * m_timerGranularity);

The original calculation caused the timer wheel to report an incorrect next timeout which caused timeout handling to stall until our first timer was larger than "now" again....

The second bug is slightly less serious but occurs if there are no timers set and we're using the HandleTimeouts() call for timeout processing. The timer wheel's view of the current time is updated during timer processing. If this there are no timers set then the timer processing loop is skipped inside of HandleTimeouts() and the wheel's view of the current time begins to lag. This progressively reduces the value of the timeout that you can set with SetTimer(). The fix is to have SetTimer() reset the wheel if no timers are currently set. In this situation it's safe to set the wheel to its initial state before setting a new timer. The fix is pretty simple, we just add this:

Milliseconds CCallbackTimerWheel::CalculateTimeout(
   const Milliseconds timeout)
{
   const Milliseconds now = m_tickCountProvider.GetTickCount();
  
   if (m_numTimersSet == 0)
   {
      m_currentTime = now;
  
      m_pNow = m_pTimersStart;
   }
  
   const Milliseconds actualTimeout = timeout + (now - m_currentTime);
  
   if (actualTimeout > m_maximumTimeout)
   {
      throw CException(
         _T("CCallbackTimerWheel::CalculateTimeout()"),
         _T("Timeout is too long. Max is: ") +
         ToString(m_maximumTimeout) +
         _T(" tried to set: ") + ToString(actualTimeout) +
         _T(" (") + ToString(timeout) + _T(")"));
   }
  
   return actualTimeout;
}

Where the fix is the code inside of the if (m_numTimersSet == 0) block.

I've also renamed the #define that's used to enable monitoring; the previous name seemed a little back to front...

Over the last four entries I've implemented various parts of the timer wheel and adjusted the test code so that I could reuse the tests that I already had for the other implementations with my timer wheel. The tests needed to be tweaked quite a bit to take into account the different behavioural characteristics of the wheel and the queues, this was accomplished using traits which determine the detail of how the class under test interacts with its service providers (mainly a tick count provider).

The main change is in how we store the timer data so that we can be dispatching an expired timer and setting, cancelling or destroying the same timer during the dispatch. We need to allow for this because the lock that should be held whilst you're updating the timer wheel is not held during timer dispatch. So, rather than holding a single set of timer data within the timer we hold two sets, an active set and a timed out set. When the timeout handling begins the call to BeginTimeoutHandling(), which should be protected by a lock, updates each of the timers to prepare it for timeout dispatch. This means that it needs to walk the list of timers for this time and copy the active set of data to the timed out set and clear the active set. Now when the timer is processed by HandleTimeout() we're working with the timed out set of data which allows the timer to be manipulated normally using the active data. Having to prepare the timers is a bit of a pain, it means that timer dispatch is O(n) where n is the number of timers to be dispatched, however this is the same as for the timer queue and we're avoiding the O(log n) (n being the number of timers currently set in this case) of the balanced tree lookup required for the timer queues...

There's still scope for some refactoring in the code and there's a need for some more tests to make sure that we're doing things sensibly when we fail to handle timeouts for a long period of time but this can be done later. I've added a few new tests to test the timer wheel with the CThreadedCallbackTimerQueue, I expect that could do with a name change now, but that can also wait.

Since we now have a fully functional timer wheel I can compare the performance results with those from the timer queue implementations. Note that these are the results that I get on my development box, the results that you get are likely to be different but the proportional differences should be similar... All test results are an average of 10 runs of the same test with 100,000 timers in use in each test.

• Creating timers - Unsurprisingly, since very similar work is being done by both the queues and the wheel, CreateTimer() is roughly similar with the wheel actually taking fractionally longer at 55ms vs the queues which both take 50ms.
• Setting timers - Again unsurprisingly, the timer wheel is much faster when setting timers at 8ms compared to 88ms for the queue. Note that the 8ms value is a best case scenario where we set and reset the same timer, with different timers the times rise to 15ms vs 130ms and with different timers being set for the same times we get 14ms vs 60ms. What doesn't show here is that the wheel is also only C(n wheel users) compared to the queue's C(n wheel users)+2C(n heap users) (see here for details of my 'big C' notation for talking about contention).
• HandleTimeouts - When handling timeouts and holding the lock we get results of 54ms against 94ms for the queues. When not holding the locks the numbers are 57ms and 98ms. Again the wheel has lower contention.

All in all I'm pleased with the performance and contention improvements that have come from using a radically different design. The timer wheel isn't as general purpose as the timer queues and it's not going to be a good fit for all of the usage scenarios that I use the queue in but for those situations that it is appropriate for, the performance will be considerably better.

I've taken the second approach as non O(1) timer setting and 'random thread timer dispatch' are not desirable qualities for the usage scenarios that I'm currently targeting. This means that the timer wheel now queries the tick count provider when you call SetTimer() but it's easy to adjust the tests for this due to the test traits that I introduced a while back.

Now that SetTimer() works correctly we can move on to implementing the remaining functions. Unfortunately though, before we do that we need to deal with a memory leak bug in the CCallbackTimerQueueBase class which the tests can't detect and which I missed due to not running BoundsChecker after each set of changes... The leak was introduced when I switched from using the std::multimap to using a std::deque back in part 21. Unfortunately I missed out a couple of delete statements to clear up the new structure that we allocate to store in the std::deque when we set timers. This just goes to show that it doesn't matter how many tests you have and how good your coverage is, it's never enough to prove that the code is without bugs. Running BoundsChecker showed the bug quite clearly but it's a pity that it needs to be a separate stage of testing. Instrumenting memory allocation within the test would help and is something that I might look into... Anyway, the fixes are to add a loop which cleans up the allocated memory in the queue's destructor and to clean up blocks of timers as they expire in HandleTimeouts().

Whilst adjusting the tests to make sure they took into account the timer wheel's traits and generally worked correctly with the new implementation I decided that although I like my tests rigid (some would say brittle, or fragile), I'd gone slightly too far with the logging coming out of the tick count providers. These were reporting the value of the tick count that was being provided as well as the fact that the call was made. Now in some of my tests this is useful but here the test was clearly setting the value so logging it was of no use and made the tests more complex in the presence of variable timer granularities. Adjusting the mocks and the tests makes them a bit cleaner.

The tests also needed adjusting now that all of the code can be built with monitoring enabled. The traits work pretty well for this and I'm happy with the results.

There's still quite a bit of duplicate code in the tests and the code to create and set a timer is one piece that's easy to slim down by using the helper function that is used by some but not all of the tests. Only the tests that are actually for SetTimer() need to do it long hand to make it clear what we're actually testing.

Since we now have timers that can delete themselves and since I recently added to the timer monitoring interface to allow us to ensure that all timers were always cleaned up it seems about the right time to add monitoring interface support to the timer wheel.

The resulting changes to implement the second SetTimer() overload are as follows, note that I've adjusted CreateTimer() so that the common code that I need to call when I create a timer in SetTimer() isn't duplicated. The timer data constructor that we're using there sets the timer up appropriately for single use mode.

CCallbackTimerWheel::Handle CCallbackTimerWheel::CreateTimer()
{
   TimerData *pData = new TimerData();
  
   return OnTimerCreated(pData);
}

CCallbackTimerWheel::Handle CCallbackTimerWheel::OnTimerCreated(
   TimerData *pData)
{
   m_handles.insert(pData);
  
#if (JETBYTE_PERF_TIMER_WHEEL_MONITORING_DISABLED == 0)
  
   m_monitor.OnTimerCreated();
  
#endif
  
   return reinterpret_cast<Handle>(pData);
}

bool CCallbackTimerWheel::SetTimer(
   const Handle &handle,
   Timer &timer,
   const Milliseconds timeout,
   const UserData userData)
{
   if (timeout > m_maximumTimeout)
   {
      throw CException(
         _T("CCallbackTimerWheel::SetTimer()"), 
         _T("Timeout is too long. Max is: ") + ToString(m_maximumTimeout) + _T(" tried to set: ") + ToString(timeout));
   }
  
   TimerData &data = ValidateHandle(handle);
  
   const bool wasPending = data.CancelTimer();
  
   data.UpdateData(timer, userData);
  
   InsertTimer(timeout, data, wasPending);
  
#if (JETBYTE_PERF_TIMER_WHEEL_MONITORING_DISABLED == 0)
  
   m_monitor.OnTimerSet(wasPending);
  
#endif
  
   return wasPending;
}
  
void CCallbackTimerWheel::SetTimer(
   IQueueTimers::Timer &timer,
   const Milliseconds timeout,
   const IQueueTimers::UserData userData)
{
   if (timeout > m_maximumTimeout)
   {
      throw CException(
         _T("CCallbackTimerWheel::SetTimer()"), 
         _T("Timeout is too long. Max is: ") + ToString(m_maximumTimeout) + _T(" tried to set: ") + ToString(timeout));
   }
  
   TimerData *pData = new TimerData(timer, userData);
  
   OnTimerCreated(pData);
  
   InsertTimer(timeout, *pData);
  
#if (JETBYTE_PERF_TIMER_WHEEL_MONITORING_DISABLED == 0)
  
   m_monitor.OnOneOffTimerSet();
  
#endif
}

So that we can delete these "one shot" timers when the timer wheel is destroyed we need to keep the handle in the handle map, this does, however, open a hole in our handle validation code as someone could pass in a random invalid handle value that matches one of the "one shot" timers and convince the timer wheel that the handle is valid. To prevent this we now also check that the handle isn't scheduled to be deleted after the timer expires, the only handles in the handle map that will be set like this are the "one shot" timers and these, by definition, don't have a valid handle that you can manipulate.

CCallbackTimerWheel::TimerData &CCallbackTimerWheel::ValidateHandle(
   const Handle &handle) const
{
   TimerData *pData = reinterpret_cast<TimerData *>(handle);
  
   Handles::const_iterator it = m_handles.find(pData);
  
   if (it == m_handles.end())
   {
      throw CException(
         _T("CCallbackTimerWheel::ValidateHandle()"), 
         _T("Invalid timer handle: ") + ToString(handle));
   }
  
   if (pData->DeleteAfterTimeout())
   {
      throw CException(
         _T("CCallbackTimerWheel::ValidateHandle()"), 
         _T("Invalid timer handle: ") + ToString(handle));
   }
  
   return *pData;
}

With all of that done and with some more tests passing I'm left with just the BeginTimeoutHandling(), HandleTimeout(), EndTimeoutHandling() code to implement. Unfortunately there's a bug in our timer setting code for the timer wheel and the existing tests don't catch it.

Let's assume that we're in the situation shown above and we set a timer. The timer wheel has its current time set to 35ms before the actual time because timeouts haven't been handled yet. At present if we set a timer for 10ms the timer will be set at the point marked as 30 on the diagram above rather than at the point marked 65. The existing tests don't show this problem as they all set timers for a 'now' that is the same as the time the wheel was created or just after timeouts have been handled; which means that current always equals now in most of the tests that set timers. A new test that sets a timer with now != current clearly shows the problem. I'll leave this broken test to show me the way for next time.

In the diagram above, if the timer wheel's current time is 0 then we would need to scan forward sequentially from 'start' to the first timer that is set at position 30 to determine that the first timer is set at 30...

It's possible to optimise this. We could manage a 'hint' which points to the earliest timer that has been set, discovering the next timeout could then be O(1) if the hint is set. The hint could be managed by our calls to SetTimer(), if the timer we're setting is earlier than the hint, or if it's the first timer set then we set the hint to point at it. Unfortunately this scheme falls down in the presence of timer cancellation. If you cancel the earliest timer then you need to scan forward to update the hint, this forward scan is potentially O(n); so now your cancellation has gone from O(1) to O(n) to keep your timeout processing at O(1)... In some usage scenarios this might be acceptable except that, of course, expiring a timer or setting a timer that is already set are also forms of cancellation...

For now we'll avoid all of this complexity and settle for O(n) next timeout calculation. We will, however, mitigate the worst case and add a counter that counts how many timers are currently set, if the counter is zero then there's no need to scan the whole array to discover that no timer is set; our worst case is now that only one timer is set and it's set to the maximum timeout value. Likewise we can keep a hint that can be passed from one call to GetNextTimeout() to the next as long as the hint is zeroed upon any timer changes.

Milliseconds CCallbackTimerWheel::GetNextTimeout()
{
   Milliseconds nextTimeout = INFINITE;
  
   // We need to work out the time difference between now and the first timer that is set. 
  
   if (!m_pFirstTimerSetHint)
   {
      m_pFirstTimerSetHint = GetFirstTimerSet(); 
   }
  
   if (m_pFirstTimerSetHint)
   {
      // A timer is set! Calculate the timeout in ms
  
      nextTimeout = static_cast<milliseconds>((
         (m_pFirstTimerSetHint > m_pNow ? 
            (m_pFirstTimerSetHint - m_pNow) : 
            (m_pNow - m_pFirstTimerSetHint)) + 1) * m_timerGranularity);
  
      const Milliseconds now = m_tickCountProvider.GetTickCount();
  
      if (now != m_currentTime)
      {
         // Time has moved on, adjust the next timeout to take into account the difference between now and 
         // the timer wheel's view of the current time...
  
         const Milliseconds timeDiff = (now > m_currentTime ? now - m_currentTime : m_currentTime - now);
  
         if (timeDiff > nextTimeout)
         {
            nextTimeout = 0;
         }
         else
         {
            nextTimeout -= timeDiff;
         }
      }
   }
  
   return nextTimeout;
}
  
CCallbackTimerWheel::TimerData **CCallbackTimerWheel::GetFirstTimerSet() const
{
   TimerData **pFirstTimer = 0;
  
   if (m_numTimersSet != 0)
   {
      // Scan forwards from now to the end of the array...
  
      for (TimerData **p = m_pNow; !pFirstTimer && p < m_pTimersEnd; ++p)
      {
         if (*p)
         {
            pFirstTimer = p;
         }
      }
  
      if (!pFirstTimer)
      {
         // We havent yet found our first timer, now scan from the start of the array to 
         // now...
  
         for (TimerData **p = m_pTimersStart; !pFirstTimer && p < m_pNow; ++p)
         {
            if (*p)
            {
               pFirstTimer = p;
            }
         }
      }
  
      if (!pFirstTimer)
      {
         throw CException(_T("CCallbackTimerWheel::GetFirstTimerSet()"),
            _T("Unexpected, no timer set but count = ") +
            ToString(m_numTimersSet));
      }
   }
  
   return pFirstTimer;
}

Now that we can work out when the next timeout is due we can start to think about handling the timers when they expire. Given the diagram below, if the timer wheel believes that the current time is as indicated and the timers are then expired when the time is at 'now' we will need to process all of the the timers that are set in the order shown by their index numbers.

Again, if we were driving the wheel from a timer tick then things are simplified as we would only ever 'rotate' the wheel by one slot at a time. In the world of general purpose, multi-threaded, non-real time systems though (is that a big enough proviso?) all manner of reasons might mean that we don't actually get to process the timers until after they're due.

If all we need to worry about is processing the timers in sequence then we could step along the wheel and then walk each chain of timers and handle them as we go. It could be a little more complex than that if we want to use the BeginTimeoutHandling(), HandleTimeouts(), EndTimeoutHandling() methods to allow us to process timers without holding our lock onto the timer system whilst the timers are dispatched (I talk about why this is a desirable design here, and why needing to go through the begin, handle, end sequence multiple times to process timers is less than ideal here). Ideally, for the later situation we'd want our 'begin' to accumulate all 6 timers into a correctly ordered list and remove them from the wheel. We would then unlock the wheel and process the 6 timers in order before locking the wheel again to update the processed timers inside of EndTimeoutHandling(). Doing it this way would mean traversing each slot's list of timers to get to the last one so that we can link the next list onto the end of the previous lists...

If we ignore the more complex scenario and implement the easy one we end up with code like this to deal with the 'holding a lock whilst dispatching' case.

void CCallbackTimerWheel::HandleTimeouts()
{
   const Milliseconds now = m_tickCountProvider.GetTickCount();
  
   while (TimerData *pTimers = GetTimersToProcess(now))
   {
      while (pTimers)
      {
         pTimers = pTimers->OnTimer();
  
         --m_numTimersSet;
      }
   }
}
  
CCallbackTimerWheel::TimerData *CCallbackTimerWheel::GetTimersToProcess(
   const Milliseconds now)
{
   TimerData *pTimers = 0;
  
   // Round 'now' down to the timer granularity
  
   const Milliseconds thisTime = ((now / m_timerGranularity) * m_timerGranularity);
  
   while (!pTimers && m_currentTime != thisTime)
   {
      TimerData **ppTimers = GetTimerAtOffset(0);
  
      pTimers = *ppTimers;
  
      // Step along the wheel...
  
      m_pNow++;
  
      if (m_pNow >= m_pTimersEnd)
      {
         m_pNow = m_pTimersStart + (m_pNow - m_pTimersEnd);
      }
  
      m_currentTime += m_timerGranularity;
   }
  
   if (pTimers)
   {
      m_pFirstTimerSetHint = 0;
   }
  
   return pTimers;
}

With this in place we're left with 20 tests that fail due to lack of implementation and 4 functions that we need to deal with properly. Three form the begin, handle, end API for unlocked timer dispatch and the fourth is for the the SetTimer() overload that doesn't require a handle. There's an interesting amount of functionality required to implement the remaining functions as you can see from here and here. We'll look at this next time.

The code for the std::set based implementation can be found here.

The code for the std::deque based implementation can be found here.

The same rules as last time apply.

As expected the time taken to handle the timeouts drops but the time taken to set and cancel a timer has increased. We're doing more work when setting timers because we have to allocate space in the new structure as well as in the map that we were using before. Cancellation likewise takes longer in some circumstances due to the corresponding deallocation.

The increased performance for handling timeouts may well be worth the performance degradation in setting and cancelling timers in some situations. These tests don't show what we're doing about cross-thread lock contention though. These changes have made that slightly worse.

Lets use a new notation to discuss the contention issues, I'll call it "Big C notation" ;). For a given operation that accesses a shared lock we have a worst case contention value of C. In a piece of code where a single thread performs an operation involving a single lock but where no other threads can ever perform the operation then the operation can be classified as C(0); no contention. If we have a single shared lock then operations involving the lock are C(n) where n is the number of threads that can perform the operation. For operations that access multiple locks their overall contention value can either be represented as the highest value of C for each of the operations involving the shared locks, or as the sum of the contention; so an operation involving two locks which are C(2) and C(5) could either be C(5) or C(2)+C(5). I think I prefer the later as it shows the number of times that the contention factor can bite as an operation that is C(2)+3C(5)+C(1) is obviously more contention prone whereas representing it as simply C(5) is somewhat misleading...

In our timer queue the queue operations themselves are C(n1) where n1 is the number of threads that access the queue. Queue operations that involve dynamic memory allocation or release are C(n2) where n2 is the number of threads that access the heap used for allocation. Thus any operation on the queue that involves dynamic memory allocation degrades from C(n1) to C(n1)+C(n2) where n2 is always assumed to be at least equal to n1 but probably higher. The latest changes to add the std::set or std::deque make this worse by converting the contention value to C(n1)+2C(n2) as we need to access the STL's allocator twice...

From this it's quite clear that to reduce contention we should have a private heap that is only used by a specific instance of a timer queue; this would mean that n2 is always the same as n1. Whilst providing a private heap and custom allocators for the STL types would be a worthwhile exercise I can't help thinking that, at this point, there's a better way to solve the actual problem that I'm facing with regards to the specific use case of the timer queue.

There really should be no need to do any dynamic memory allocation at all apart from to create and destroy the timer handle itself and even that could be avoided if we take a similar approach to the Win32 Critical Section API. Using the STL is convenient but the fact that the containers are non-invasive (that is you don't have to change a type or have it derive from a specific type to be able to place it into a container) means that book-keeping data needs to be allocated outside of the type that's being stored to provide, for example, the space for the pointers that connect nodes in a std::map together. I've already implemented an invasive container in the form of CNodeList which is used for buffer and socket allocation tracking and the advantage of an invasive container is that the object that's being stored in the container can include space for the data that is needed to store it in the container. This is especially beneficial when you're inserting and removing the same object time and again as the data is only ever allocated and released once as part of the object that you wish to store. I'm actually quite surprised that the STL didn't also include invasive containers as the non-invasive containers could have been implemented in terms of the invasive ones.

Anyway, in an ideal world, with a custom invasive container, the timer handle could include links for the tree nodes of the tree that it's stored in for searching and links to the other timers at this timeout (the equivalent of the std::set or std::deque in the latest timer queue). Since the timer handle itself would contain space for these links there would be no need for allocation or deallocation when setting, cancelling or expiring timers. This would remove all of the potential allocation contention and leave us with operations which were C(n) where n is the number of threads that can access the timer queue... The insertion and timeout handling would still be O(log n) due to the balanced binary tree lookups required but a) the potential contention would be lower and b) O would be much smaller as in general all you're doing once you find the place in the tree is adjusting the linking pointers.

But... you need to be aware of the tests that you haven't written... You may think you're testing the code completely but often you're not testing as well as you might think. Code coverage metrics don't really help either, no matter how many tests you write and how complete your coverage is there's no way to be sure that you're actually covering everything. 100% code coverage might give you a warm feeling but unless you have 100% concurrent code permutation coverage then that warm feeling is misplaced.

In part 18 I redesigned the timer queue to allow for lock-free timer dispatch; that is we no longer hold an internal lock when calling back into user code. This removed the potential for deadlocking user code due to unexpected lock inversions but complicated the timer queue implementation due to the fact that the internals of the queue needed to remain sane when timer manipulation functions interrupted the unlocked portion of the timer dispatch code.

void CCallbackTimerQueueBase::TimerData::HandleTimeout()
{
   OnTimer(m_timedout);
  
   m_timedout.Clear();
}

This is where we call into user code, so this happens whilst the queue is unlocked and it must be safe to allow other timer manipulation calls to occur on the timer queue whilst this code executes. Unfortunately DestroyTimer() uses the fact that the m_timedout data is valid to decide whether or not to actually delete the timer data during the call to DestoryTimer() or whether to simply mark the timer data to be deleted when the timer handling is complete. Since we unset the data that DestroyTimer() is using to make this decision whilst we're unlocked there's a race condition. If we unset m_timedout before a call to DestroyTimer() checks the data for this timer then DestroyTimer() will think that the timer is not currently in the process of being timed out and will delete the timer data. When the timeout handling completes we may also delete the data or, worse, when we try to access the data it will already have been deleted.

Our existing tests for this kind of interruption test to see that it's OK to call the various timer manipulation functions during timer dispatch and cause the interruption to occur between two calls, one of which is locked and so atomic and the other which is not. The bug shows up if we interrupt the timer dispatch after the actual dispatch to user code is complete but before we've re-entered the locked code in the timer queue to finish the dispatch. Adding some more tests to interrupt the timer dispatch at this point shows the fault.

Of course the unlocked timer dispatch could be interrupted at any point in its execution, luckily for us there's only one point where it would cause us problems and that's the point where we update the value of m_timedout.pTimer from a valid pointer to 0. The window of opportunity for the race condition is from after we've updated the pointer to before we re-acquire the lock. Our new tests therefore test the right thing...

And now on to fixing the problem...

The problem occurs because we're using m_timedout.pTimer for two purposes. One of them, requires that it be updated immediately after the user's timer code has been executed, this is so that we prevent OnTimer() being called multiple times. The second requires that it only be updated whilst the lock is held as we also use the value to determine if the timer is currently being processed. The solution is to add a flag to the timer data which is used to state that the timer is currently being processed. This flag is only ever updated when the lock is held and therefore removes the race condition. The unlocked update of m_timedout.pTimer is now safe as DestroyTimer() uses the new flag to determine if it should delete the timer data or not...

There's still a potential race condition that would allow OnTimer() to be called multiple times if multiple threads were able to call HandleTimeout() concurrently for the same timer but since you'd have to jump through quite a few hoops to make that occur I think we'll leave that for now.

Finally there's the whole concept of the 'maintenance timer' that CCallbackTimerQueue uses. This can also be hoisted into the base class, made slightly more generic and CCallbackTimerQueue can then set and manipulate its maintenance timer by calling the appropriate methods on its base class.

Once again we can be sure that we haven't broken anything because our tests still run. There's still some duplication in the tests and, perhaps, we'll address this next time...

There has always been a potential for deadlock when using the timer queue, which is unfortunate but something that you can avoid if you know the rules. The problem is that if you have a lock in your code which you hold when calling into the timer queue and you also try and acquire your lock when the timer queue calls into you in OnTimer() and you're using the CThreadedCallbackTimerQueue then you will deadlock as the threaded timer queue has its own lock which it acquires when you call into the queue and which it holds when it calls into you via OnTimer(). As I pointed out in Part 12, the threading is orthogonal, so it's only the CThreadedCallbackTimerQueue that has this problem, but this is probably the class you're most likely to use!

The lock holding problem is slightly harder to address. The problem exists because of this code in Run() in the threaded timer queue:

while (!m_shutdown)
{
   const Milliseconds timeout = GetNextTimeout();
  
   if (timeout == 0)
   {
      CCriticalSection::Owner lock(m_criticalSection);
   
      m_timerQueue.HandleTimeouts();
   }
   else 
   {
      m_stateChangeEvent.Wait(timeout);
   }
}

To maintain the thread safety of the data structures inside the queue we lock our critical section when we call HandleTimeouts(). We also lock around all other calls into the queue implementation. Inside the implementation, in HandleTimeouts(), we do this:

void CCallbackTimerQueue::HandleTimeouts()
{
   while (0 == GetNextTimeout())
   {
      TimerQueue::iterator it = m_queue.begin();
      
      TimerData *pData = it->second;
  
      m_queue.erase(it);
  
      Handle handle = reinterpret_cast<handle>(pData);
  
      MarkHandleUnset(handle);
  
      pData->OnTimer();
  
      if (pData->IsOneShotTimer())
      {
         DestroyTimer(handle);
      }
   }
}

which means that our lock is held when OnTimer() is called.

The first step in solving this problem is to break the timer processing into several functions and separate the pieces that require that they're locked to maintain thread safety from the pieces that do not require locking. Logically we need the queue to expose something like this; BeginTimeoutHandling(), HandleTimeout() and EndTimeoutHandling() where HandleTimeout() doesn't need a lock to be held to maintain thread safety.

Our new interface looks a bit like this:

class IManageTimerQueue : public IQueueTimers
{
   public :
  
      virtual Milliseconds GetNextTimeout() = 0;
  
      virtual void HandleTimeouts() = 0;
  
      typedef ULONG_PTR * TimeoutHandle;
  
      static TimeoutHandle InvalidTimeoutHandleValue;
  
      virtual TimeoutHandle BeginTimeoutHandling() = 0;
  
      virtual void HandleTimeout(
         TimeoutHandle &handle) = 0;
  
      virtual void EndTimeoutHandling(
         TimeoutHandle &handle) = 0;
  
      virtual ~IManageTimerQueue() {}
};

TimeoutHandle is a new type of handle to a timeout which is only used for processing timeouts that have happened.

With the new interface we can write the timeout handling in our threaded queue like this:

while (!m_shutdown)
{
   const Milliseconds timeout = GetNextTimeout();
   
   if (timeout == 0)
   {
      IManageTimerQueue::TimeoutHandle handle = IManageTimerQueue::InvalidTimeoutHandleValue;
 
      {
         CCriticalSection::Owner lock(m_criticalSection);
      
         handle = m_pTimerQueue->BeginTimeoutHandling();
      }
 
      if (handle != IManageTimerQueue::InvalidTimeoutHandleValue)
      {
         m_pTimerQueue->HandleTimeout(handle);
  
         CCriticalSection::Owner lock(m_criticalSection);
 
         m_pTimerQueue->EndTimeoutHandling(handle);
      }
   }
   else 
   {
      m_stateChangeEvent.Wait(timeout);
   }
}

We hold our lock to obtain a handle to a timeout that needs to be dispatched, unlock, dispatch the timeout and then acquire our lock again to complete the dispatch. Now we just have to make the implementations operate correctly in terms of the new interface.

Note that the queue must be able to operate correctly when any of the timer queue manipulation functions are called whilst a timer is being dispatched. So, for example, if we have called BeginTimeoutHandling() and then call SetTimer() or CancelTimer() for the timer that is currently being processed by BeginTimeoutHandling() then things should work as expected. Luckily, due to the fact that we have separated out the threading from the logic of the queue we can write tests for these situations pretty easily. With the tests in place, and failing due to lack of implementation, we can begin to implement the changes.

At first glance, HandleTimeouts() just needs to be broken into three pieces; BeginTimeoutHandling() needs to do this

if (0 == GetNextTimeout())
{
   TimerQueue::iterator it = m_queue.begin();
 
   TimerData *pData = it->second;
 
   m_queue.erase(it);
 
   Handle handle = reinterpret_cast(pData);
 
   MarkHandleUnset(handle);

HandleTimeout() needs to do this:

   pData->OnTimer();

   if (pData->IsOneShotTimer())
   {
      DestroyTimer(handle);
   }

Unfortunately things aren't quite that simple... The tests that we wrote earlier for making sure that timer dispatch can be safely interrupted by other calls show that SetTimer() could cause the timer to be updated whilst it is being dispatched and, if the user data or timer callback is changed in the call to SetTimer then the timer that is being dispatched might be the wrong one! Even worse, DeleteTimer() may destroy the timer that we're in the middle of dispatching!

To work around these issues we need to adjust the data that we store for each timer. By separating the data that is used during dispatch from the data that is used when the timer is set and queued we can allow a call to SetTimer() to update a timer and requeue it whilst it's being dispatched. We then need to check to see if a timer is being dispatched when DeleteTimer() is called for it and if so we should simply note that the timer has been deleted and delete it once the dispatch is complete. See the code for the detail.

Since our new CThreadedCallbackTimerQueue works in terms of IManagerTimerQueue we can add a constructor to allow you to plug your own implementation of IManagerTimerQueue in if you like, and once we've done that we can test the CThreadedCallbackTimerQueue more easily because we can give it a mock of IManagerTimerQueue.

The duplication in the code still bothers me, so I expect the next instalment will deal with that!

The suggestion is, essentially, to use a timer with a longer range before roll-over rather than GetTickCount() with its 49.7 day roll-over. In Vista and later we could just use GetTickCount64() but on earlier platforms that's not available to us. My commenter's solution was to build a GetTickCount64() on top of GetTickCount() and use that. Given that adjusting the code for Vista support via the real GetTickCount64() was on my list of things to do, I decided to also take a look at the potential of the hybrid approach suggested by my commenter.

Switching to using a greater range means that we can remove much of the complexity which was there to protect us from the rollover as this will now only occur after around 584942417.4 years of machine up-time rather than after 49.7 days...

In the zip file that accompanies this article there are two timer queues under test. The first, CCallbackTimerQueue uses a hybrid GetTickCount64() implementation that will work on any platform as it uses GetTickCount() to do the work and the timer queue manages the upper 32-bits itself. The second, CCallbackTimerQueueEx, uses the real GetTickCount64() call and will only run on Windows Vista or later platforms. You can build for pre-Vista systems by editing the Admin\TargetWindowsVersion.h header file and adjusting the values for NTDDI_VERSION and _WIN32_WINNT.

The native Vista version of the code is the simplest so I'll discuss that first. There are several additional issues that need to be dealt with if we are building our own GetTickCount64() and these get in the way of the simpler code...

The first thing, of course, is that I had the tests that were written for the previous versions of the code to make it easier for me to make these changes to the internals of the code. I did this before in part 15 when I fiddled around with the internals to make the code more scalable. The presence of the tests makes this kind of change quite fun; I can concentrate on hacking away at the old design and know that if I change some functionality that is covered by my tests then I should find out as soon as I run the tests. Looking at the header for CCallbackTimerQueueEx the first thing that you'll notice is that I've removed a couple of constructors; there's now no need to allow the user to tune the maximum timeout allowed. Next you'll see that the actual data structures used for the queue have been simplified; we only need one queue now rather than two and the timers are keyed by ULONGLONG rather than Millisecond (DWORD). There are less helper functions and we use an instance of IProvideTickCount64 rather than IProvideTickCount. Looking at the code itself, I've hardcoded the maximum timeout to one less than INFINITE which gives us the whole usable range of a DWORD for timeouts. I don't see any advantage in expanding the length of the timeouts that you can set to be ULONGLONGs as 49.7 days should be long enough for anyone ;) and, if it isn't, the user can set another timer when that one expires and build a longer timeout using the current implementation. Since all of the multiple queue stuff can go, setting timers is now simpler and we can go back to the functionality from part 15 where calling SetTimer() does NOT cause timed out timers to be handled automatically (I was never really comfortable with that change anyway!). InsertTimer() is simpler as we're only ever dealing with a single timer queue and rather than all the complexity that we had before for dealing with a timer that spans a rollover we can now simply disallow timers that do that; I don't feel too bad about doing this as I think it's reasonable to specify that the code doesn't support setting timers that cross a 584942417.4 years rollover point. GetNextTimeout() is now massively simplified as all it needs to do is look at the timeout value and compare it with now to see if it has expired. And that's it.

CCallbackTimerQueue is more complex, but not massively so. The complexity arises due to how I maintain the high 32-bits of the 64-bit counter. Since the code works in terms of the 32-bit counter value returned by GetTickCount() and we know that this wraps every 49.7 days I figure we can spot the wrap (now is less than the last time we checked) and use the event to increment the high 32-bit counter. The only potential risk is that we don't spot the wrap, that is, we don't call GetTickCount() for 49.7 days and the counter wraps and then becomes more than the last time we called GetTickCount(). To prevent this unlikely situation, the timer queue sets its own internal maintenance timer for the 32-bit counter roll over point. All this timer does is go off reset itself, but, I think, this is enough to cause GetTickCount() to be called often enough to prevent any problems...

The tests need to change a little due to the way that SetTimer() no longer implies HandleTimeouts() and because of the internal maintenance timer that is set upon construction.

The duplication in the code bothers me, so I expect the next instalment will deal with that, and any bugs that people report!

Code is here and the new rules apply.

Time passed...

Recently I've had a bug reported against the timer queue code that was developed in the testing articles. You can find the bug report comment here. I'd like to thank the commenter for taking the time to report the bug in such a thorough manner; it made it much easier for me to validate the problem and craft a test that proved its existence.

The bug is as follows: If the tick count has wrapped but no timers have fired since it wrapped and you then add a new timer the two queues that are used to manage wrapped timers have not been adjusted to allow for the fact that the tick count has wrapped. This means that the new timer is added to the wrong queue and the queues are then not swapped and timers expire in the wrong order.

It's a nice edge case bug and it's one that was not tested for in the original test harness. The first thing that I did was set out to write a test to reproduce the bug. The commenter had used TickShifter to force the situation; which is what it's for! but for development and regression purposes it's better to have tests in the test harness that makes sure the bug stays fixed.

The first new test TestTickCountWrap2() sets up the environment exactly as the bug report stated. Take a look at the code for full details. First we set the tick count to be 1000ms before roll-over. Next we set a timer for 2000ms time, i.e. 1000ms after the tick count rolls over to 0. Next we set the tick count to 0, i.e. the point at which it rolls over. We then set another timer for 10000ms time. At this point we should have two timers set; the first will expire in 1000ms and the second in 10000ms. This is the point where the original code had a bug. Next we set the tick count to 1000. At this time the first timer should go off and we check that it does. We also verify that there are 9000ms until the next timeout. Finally we set the tick count to 10000 and verify that the second timer expires correctly.

Of course, when run with the code from part 15 this test fails for exactly the reason that the bug report stated. The problem was that we used two queues for the timers, one for timers before the "wrap point" and one for timers after. The only point that we ever switched the queues over was when a timer expired. At that point if we knew we had a timer that had expired and the current queue didn't contain any timers then we knew that the tick count had wrapped and that the timer we wanted was in the other queue. Of course, looking at this now, written down like that, it's quite obvious to see the flaws. It doesn't matter how many tests you write, if you don't write the correct tests then your code can still have bugs!

A solution to this bug is to keep a track of the tick count when we set a 'wrapped' timer. Then, when checking for timeouts, if the current tick count is less than the tick count when we last set a wrapped time we know that the count has wrapped and we can adjust the queues accordingly. The problem then is that we need to make sure the queues are correct when we set new timers as well as when existing timers expire. The simplest fix seems to be to cause a call to SetTimer() to first check for the expiry of existing timers. This means that the code that is used to check for a wrap when a timer expires is also executed before adding new timers. Hopefully, this means that the queues will always remain correct.

The second new test expands on the first to ensure that a timer that has expired when SetTimer() is called is correctly processed.