)]}' { "log": [ { "commit": "8f17d3a5049d32392b79925c73a0cf99ce6d5af0", "tree": "3c2aa0cbe337684d353dd2cfb0c177b4ae15217c", "parents": [ "8fdd6c6df7889dc89df3d9fe0f5bbe6733e39f48" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Mon Mar 27 01:16:27 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Mar 27 08:44:49 2006 -0800" }, "message": "[PATCH] lightweight robust futexes updates\n\n- fix: initialize the robust list(s) to NULL in copy_process.\n\n- doc update\n\n- cleanup: rename _inuser to _inatomic\n\n- __user cleanups and other small cleanups\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nCc: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nCc: Arjan van de Ven \u003carjan@infradead.org\u003e\nCc: Ulrich Drepper \u003cdrepper@redhat.com\u003e\nCc: Andi Kleen \u003cak@muc.de\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "e9056f13bfcdd054a0c3d730e4e096748d8a363a", "tree": "876d70d99cb679f7c4cbf6609d6341cadfb5c57e", "parents": [ "62ac285f3c701f0457a15fe01baa64a965c4f5f1" ], "author": { "name": "Ingo Molnar", "email": "mingo@elte.hu", "time": "Mon Mar 27 01:16:21 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Mon Mar 27 08:44:49 2006 -0800" }, "message": "[PATCH] lightweight robust futexes: arch defaults\n\nThis patchset provides a new (written from scratch) implementation of robust\nfutexes, called \"lightweight robust futexes\". We believe this new\nimplementation is faster and simpler than the vma-based robust futex solutions\npresented before, and we\u0027d like this patchset to be adopted in the upstream\nkernel. This is version 1 of the patchset.\n\n Background\n ----------\n\nWhat are robust futexes? To answer that, we first need to understand what\nfutexes are: normal futexes are special types of locks that in the\nnoncontended case can be acquired/released from userspace without having to\nenter the kernel.\n\nA futex is in essence a user-space address, e.g. a 32-bit lock variable\nfield. If userspace notices contention (the lock is already owned and someone\nelse wants to grab it too) then the lock is marked with a value that says\n\"there\u0027s a waiter pending\", and the sys_futex(FUTEX_WAIT) syscall is used to\nwait for the other guy to release it. The kernel creates a \u0027futex queue\u0027\ninternally, so that it can later on match up the waiter with the waker -\nwithout them having to know about each other. When the owner thread releases\nthe futex, it notices (via the variable value) that there were waiter(s)\npending, and does the sys_futex(FUTEX_WAKE) syscall to wake them up. Once all\nwaiters have taken and released the lock, the futex is again back to\n\u0027uncontended\u0027 state, and there\u0027s no in-kernel state associated with it. The\nkernel completely forgets that there ever was a futex at that address. This\nmethod makes futexes very lightweight and scalable.\n\n\"Robustness\" is about dealing with crashes while holding a lock: if a process\nexits prematurely while holding a pthread_mutex_t lock that is also shared\nwith some other process (e.g. yum segfaults while holding a pthread_mutex_t,\nor yum is kill -9-ed), then waiters for that lock need to be notified that the\nlast owner of the lock exited in some irregular way.\n\nTo solve such types of problems, \"robust mutex\" userspace APIs were created:\npthread_mutex_lock() returns an error value if the owner exits prematurely -\nand the new owner can decide whether the data protected by the lock can be\nrecovered safely.\n\nThere is a big conceptual problem with futex based mutexes though: it is the\nkernel that destroys the owner task (e.g. due to a SEGFAULT), but the kernel\ncannot help with the cleanup: if there is no \u0027futex queue\u0027 (and in most cases\nthere is none, futexes being fast lightweight locks) then the kernel has no\ninformation to clean up after the held lock! Userspace has no chance to clean\nup after the lock either - userspace is the one that crashes, so it has no\nopportunity to clean up. Catch-22.\n\nIn practice, when e.g. yum is kill -9-ed (or segfaults), a system reboot is\nneeded to release that futex based lock. This is one of the leading\nbugreports against yum.\n\nTo solve this problem, \u0027Robust Futex\u0027 patches were created and presented on\nlkml: the one written by Todd Kneisel and David Singleton is the most advanced\nat the moment. These patches all tried to extend the futex abstraction by\nregistering futex-based locks in the kernel - and thus give the kernel a\nchance to clean up.\n\nE.g. in David Singleton\u0027s robust-futex-6.patch, there are 3 new syscall\nvariants to sys_futex(): FUTEX_REGISTER, FUTEX_DEREGISTER and FUTEX_RECOVER.\nThe kernel attaches such robust futexes to vmas (via\nvma-\u003evm_file-\u003ef_mapping-\u003erobust_head), and at do_exit() time, all vmas are\nsearched to see whether they have a robust_head set.\n\nLots of work went into the vma-based robust-futex patch, and recently it has\nimproved significantly, but unfortunately it still has two fundamental\nproblems left:\n\n - they have quite complex locking and race scenarios. The vma-based\n patches had been pending for years, but they are still not completely\n reliable.\n\n - they have to scan _every_ vma at sys_exit() time, per thread!\n\nThe second disadvantage is a real killer: pthread_exit() takes around 1\nmicrosecond on Linux, but with thousands (or tens of thousands) of vmas every\npthread_exit() takes a millisecond or more, also totally destroying the CPU\u0027s\nL1 and L2 caches!\n\nThis is very much noticeable even for normal process sys_exit_group() calls:\nthe kernel has to do the vma scanning unconditionally! (this is because the\nkernel has no knowledge about how many robust futexes there are to be cleaned\nup, because a robust futex might have been registered in another task, and the\nfutex variable might have been simply mmap()-ed into this process\u0027s address\nspace).\n\nThis huge overhead forced the creation of CONFIG_FUTEX_ROBUST, but worse than\nthat: the overhead makes robust futexes impractical for any type of generic\nLinux distribution.\n\nSo it became clear to us, something had to be done. Last week, when Thomas\nGleixner tried to fix up the vma-based robust futex patch in the -rt tree, he\nfound a handful of new races and we were talking about it and were analyzing\nthe situation. At that point a fundamentally different solution occured to\nme. This patchset (written in the past couple of days) implements that new\nsolution. Be warned though - the patchset does things we normally dont do in\nLinux, so some might find the approach disturbing. Parental advice\nrecommended ;-)\n\n New approach to robust futexes\n ------------------------------\n\nAt the heart of this new approach there is a per-thread private list of robust\nlocks that userspace is holding (maintained by glibc) - which userspace list\nis registered with the kernel via a new syscall [this registration happens at\nmost once per thread lifetime]. At do_exit() time, the kernel checks this\nuser-space list: are there any robust futex locks to be cleaned up?\n\nIn the common case, at do_exit() time, there is no list registered, so the\ncost of robust futexes is just a simple current-\u003erobust_list !\u003d NULL\ncomparison. If the thread has registered a list, then normally the list is\nempty. If the thread/process crashed or terminated in some incorrect way then\nthe list might be non-empty: in this case the kernel carefully walks the list\n[not trusting it], and marks all locks that are owned by this thread with the\nFUTEX_OWNER_DEAD bit, and wakes up one waiter (if any).\n\nThe list is guaranteed to be private and per-thread, so it\u0027s lockless. There\nis one race possible though: since adding to and removing from the list is\ndone after the futex is acquired by glibc, there is a few instructions window\nfor the thread (or process) to die there, leaving the futex hung. To protect\nagainst this possibility, userspace (glibc) also maintains a simple per-thread\n\u0027list_op_pending\u0027 field, to allow the kernel to clean up if the thread dies\nafter acquiring the lock, but just before it could have added itself to the\nlist. Glibc sets this list_op_pending field before it tries to acquire the\nfutex, and clears it after the list-add (or list-remove) has finished.\n\nThat\u0027s all that is needed - all the rest of robust-futex cleanup is done in\nuserspace [just like with the previous patches].\n\nUlrich Drepper has implemented the necessary glibc support for this new\nmechanism, which fully enables robust mutexes. (Ulrich plans to commit these\nchanges to glibc-HEAD later today.)\n\nKey differences of this userspace-list based approach, compared to the vma\nbased method:\n\n - it\u0027s much, much faster: at thread exit time, there\u0027s no need to loop\n over every vma (!), which the VM-based method has to do. Only a very\n simple \u0027is the list empty\u0027 op is done.\n\n - no VM changes are needed - \u0027struct address_space\u0027 is left alone.\n\n - no registration of individual locks is needed: robust mutexes dont need\n any extra per-lock syscalls. Robust mutexes thus become a very lightweight\n primitive - so they dont force the application designer to do a hard choice\n between performance and robustness - robust mutexes are just as fast.\n\n - no per-lock kernel allocation happens.\n\n - no resource limits are needed.\n\n - no kernel-space recovery call (FUTEX_RECOVER) is needed.\n\n - the implementation and the locking is \"obvious\", and there are no\n interactions with the VM.\n\n Performance\n -----------\n\nI have benchmarked the time needed for the kernel to process a list of 1\nmillion (!) held locks, using the new method [on a 2GHz CPU]:\n\n - with FUTEX_WAIT set [contended mutex]: 130 msecs\n - without FUTEX_WAIT set [uncontended mutex]: 30 msecs\n\nI have also measured an approach where glibc does the lock notification [which\nit currently does for !pshared robust mutexes], and that took 256 msecs -\nclearly slower, due to the 1 million FUTEX_WAKE syscalls userspace had to do.\n\n(1 million held locks are unheard of - we expect at most a handful of locks to\nbe held at a time. Nevertheless it\u0027s nice to know that this approach scales\nnicely.)\n\n Implementation details\n ----------------------\n\nThe patch adds two new syscalls: one to register the userspace list, and one\nto query the registered list pointer:\n\n asmlinkage long\n sys_set_robust_list(struct robust_list_head __user *head,\n size_t len);\n\n asmlinkage long\n sys_get_robust_list(int pid, struct robust_list_head __user **head_ptr,\n size_t __user *len_ptr);\n\nList registration is very fast: the pointer is simply stored in\ncurrent-\u003erobust_list. [Note that in the future, if robust futexes become\nwidespread, we could extend sys_clone() to register a robust-list head for new\nthreads, without the need of another syscall.]\n\nSo there is virtually zero overhead for tasks not using robust futexes, and\neven for robust futex users, there is only one extra syscall per thread\nlifetime, and the cleanup operation, if it happens, is fast and\nstraightforward. The kernel doesnt have any internal distinction between\nrobust and normal futexes.\n\nIf a futex is found to be held at exit time, the kernel sets the highest bit\nof the futex word:\n\n\t#define FUTEX_OWNER_DIED 0x40000000\n\nand wakes up the next futex waiter (if any). User-space does the rest of\nthe cleanup.\n\nOtherwise, robust futexes are acquired by glibc by putting the TID into the\nfutex field atomically. Waiters set the FUTEX_WAITERS bit:\n\n\t#define FUTEX_WAITERS 0x80000000\n\nand the remaining bits are for the TID.\n\n Testing, architecture support\n -----------------------------\n\nI\u0027ve tested the new syscalls on x86 and x86_64, and have made sure the parsing\nof the userspace list is robust [ ;-) ] even if the list is deliberately\ncorrupted.\n\ni386 and x86_64 syscalls are wired up at the moment, and Ulrich has tested the\nnew glibc code (on x86_64 and i386), and it works for his robust-mutex\ntestcases.\n\nAll other architectures should build just fine too - but they wont have the\nnew syscalls yet.\n\nArchitectures need to implement the new futex_atomic_cmpxchg_inuser() inline\nfunction before writing up the syscalls (that function returns -ENOSYS right\nnow).\n\nThis patch:\n\nAdd placeholder futex_atomic_cmpxchg_inuser() implementations to every\narchitecture that supports futexes. It returns -ENOSYS.\n\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Thomas Gleixner \u003ctglx@linutronix.de\u003e\nSigned-off-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nAcked-by: Ulrich Drepper \u003cdrepper@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" }, { "commit": "f8aaeacec159f2d9003872781fa4d49659e347fb", "tree": "f59dc7ae8fccc41e2ded098182a146086c6e2239", "parents": [ "c66fdd5e324392584c6f11de65cfe24b0e2d9303" ], "author": { "name": "Jeff Dike", "email": "jdike@addtoit.com", "time": "Sun Jan 08 01:01:32 2006 -0800" }, "committer": { "name": "Linus Torvalds", "email": "torvalds@g5.osdl.org", "time": "Sun Jan 08 20:13:39 2006 -0800" }, "message": "[PATCH] consolidate asm/futex.h\n\nMost of the architectures have the same asm/futex.h. This consolidates them\ninto asm-generic, with the arches including it from their own asm/futex.h.\n\nIn the case of UML, this reverts the old broken futex.h and goes back to using\nthe same one as almost everyone else.\n\nSigned-off-by: Jeff Dike \u003cjdike@addtoit.com\u003e\nCc: Paolo \u0027Blaisorblade\u0027 Giarrusso \u003cblaisorblade@yahoo.it\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n" } ] }