Based on kernel version 4.13.3. Page generated on 2017-09-23 13:56 EST.
1 ======================================== 2 A description of what robust futexes are 3 ======================================== 4 5 :Started by: Ingo Molnar <firstname.lastname@example.org> 6 7 Background 8 ---------- 9 10 what are robust futexes? To answer that, we first need to understand 11 what futexes are: normal futexes are special types of locks that in the 12 noncontended case can be acquired/released from userspace without having 13 to enter the kernel. 14 15 A futex is in essence a user-space address, e.g. a 32-bit lock variable 16 field. If userspace notices contention (the lock is already owned and 17 someone else wants to grab it too) then the lock is marked with a value 18 that says "there's a waiter pending", and the sys_futex(FUTEX_WAIT) 19 syscall is used to wait for the other guy to release it. The kernel 20 creates a 'futex queue' internally, so that it can later on match up the 21 waiter with the waker - without them having to know about each other. 22 When the owner thread releases the futex, it notices (via the variable 23 value) that there were waiter(s) pending, and does the 24 sys_futex(FUTEX_WAKE) syscall to wake them up. Once all waiters have 25 taken and released the lock, the futex is again back to 'uncontended' 26 state, and there's no in-kernel state associated with it. The kernel 27 completely forgets that there ever was a futex at that address. This 28 method makes futexes very lightweight and scalable. 29 30 "Robustness" is about dealing with crashes while holding a lock: if a 31 process exits prematurely while holding a pthread_mutex_t lock that is 32 also shared with some other process (e.g. yum segfaults while holding a 33 pthread_mutex_t, or yum is kill -9-ed), then waiters for that lock need 34 to be notified that the last owner of the lock exited in some irregular 35 way. 36 37 To solve such types of problems, "robust mutex" userspace APIs were 38 created: pthread_mutex_lock() returns an error value if the owner exits 39 prematurely - and the new owner can decide whether the data protected by 40 the lock can be recovered safely. 41 42 There is a big conceptual problem with futex based mutexes though: it is 43 the kernel that destroys the owner task (e.g. due to a SEGFAULT), but 44 the kernel cannot help with the cleanup: if there is no 'futex queue' 45 (and in most cases there is none, futexes being fast lightweight locks) 46 then the kernel has no information to clean up after the held lock! 47 Userspace has no chance to clean up after the lock either - userspace is 48 the one that crashes, so it has no opportunity to clean up. Catch-22. 49 50 In practice, when e.g. yum is kill -9-ed (or segfaults), a system reboot 51 is needed to release that futex based lock. This is one of the leading 52 bugreports against yum. 53 54 To solve this problem, the traditional approach was to extend the vma 55 (virtual memory area descriptor) concept to have a notion of 'pending 56 robust futexes attached to this area'. This approach requires 3 new 57 syscall variants to sys_futex(): FUTEX_REGISTER, FUTEX_DEREGISTER and 58 FUTEX_RECOVER. At do_exit() time, all vmas are searched to see whether 59 they have a robust_head set. This approach has two fundamental problems 60 left: 61 62 - it has quite complex locking and race scenarios. The vma-based 63 approach had been pending for years, but they are still not completely 64 reliable. 65 66 - they have to scan _every_ vma at sys_exit() time, per thread! 67 68 The second disadvantage is a real killer: pthread_exit() takes around 1 69 microsecond on Linux, but with thousands (or tens of thousands) of vmas 70 every pthread_exit() takes a millisecond or more, also totally 71 destroying the CPU's L1 and L2 caches! 72 73 This is very much noticeable even for normal process sys_exit_group() 74 calls: the kernel has to do the vma scanning unconditionally! (this is 75 because the kernel has no knowledge about how many robust futexes there 76 are to be cleaned up, because a robust futex might have been registered 77 in another task, and the futex variable might have been simply mmap()-ed 78 into this process's address space). 79 80 This huge overhead forced the creation of CONFIG_FUTEX_ROBUST so that 81 normal kernels can turn it off, but worse than that: the overhead makes 82 robust futexes impractical for any type of generic Linux distribution. 83 84 So something had to be done. 85 86 New approach to robust futexes 87 ------------------------------ 88 89 At the heart of this new approach there is a per-thread private list of 90 robust locks that userspace is holding (maintained by glibc) - which 91 userspace list is registered with the kernel via a new syscall [this 92 registration happens at most once per thread lifetime]. At do_exit() 93 time, the kernel checks this user-space list: are there any robust futex 94 locks to be cleaned up? 95 96 In the common case, at do_exit() time, there is no list registered, so 97 the cost of robust futexes is just a simple current->robust_list != NULL 98 comparison. If the thread has registered a list, then normally the list 99 is empty. If the thread/process crashed or terminated in some incorrect 100 way then the list might be non-empty: in this case the kernel carefully 101 walks the list [not trusting it], and marks all locks that are owned by 102 this thread with the FUTEX_OWNER_DIED bit, and wakes up one waiter (if 103 any). 104 105 The list is guaranteed to be private and per-thread at do_exit() time, 106 so it can be accessed by the kernel in a lockless way. 107 108 There is one race possible though: since adding to and removing from the 109 list is done after the futex is acquired by glibc, there is a few 110 instructions window for the thread (or process) to die there, leaving 111 the futex hung. To protect against this possibility, userspace (glibc) 112 also maintains a simple per-thread 'list_op_pending' field, to allow the 113 kernel to clean up if the thread dies after acquiring the lock, but just 114 before it could have added itself to the list. Glibc sets this 115 list_op_pending field before it tries to acquire the futex, and clears 116 it after the list-add (or list-remove) has finished. 117 118 That's all that is needed - all the rest of robust-futex cleanup is done 119 in userspace [just like with the previous patches]. 120 121 Ulrich Drepper has implemented the necessary glibc support for this new 122 mechanism, which fully enables robust mutexes. 123 124 Key differences of this userspace-list based approach, compared to the 125 vma based method: 126 127 - it's much, much faster: at thread exit time, there's no need to loop 128 over every vma (!), which the VM-based method has to do. Only a very 129 simple 'is the list empty' op is done. 130 131 - no VM changes are needed - 'struct address_space' is left alone. 132 133 - no registration of individual locks is needed: robust mutexes don't 134 need any extra per-lock syscalls. Robust mutexes thus become a very 135 lightweight primitive - so they don't force the application designer 136 to do a hard choice between performance and robustness - robust 137 mutexes are just as fast. 138 139 - no per-lock kernel allocation happens. 140 141 - no resource limits are needed. 142 143 - no kernel-space recovery call (FUTEX_RECOVER) is needed. 144 145 - the implementation and the locking is "obvious", and there are no 146 interactions with the VM. 147 148 Performance 149 ----------- 150 151 I have benchmarked the time needed for the kernel to process a list of 1 152 million (!) held locks, using the new method [on a 2GHz CPU]: 153 154 - with FUTEX_WAIT set [contended mutex]: 130 msecs 155 - without FUTEX_WAIT set [uncontended mutex]: 30 msecs 156 157 I have also measured an approach where glibc does the lock notification 158 [which it currently does for !pshared robust mutexes], and that took 256 159 msecs - clearly slower, due to the 1 million FUTEX_WAKE syscalls 160 userspace had to do. 161 162 (1 million held locks are unheard of - we expect at most a handful of 163 locks to be held at a time. Nevertheless it's nice to know that this 164 approach scales nicely.) 165 166 Implementation details 167 ---------------------- 168 169 The patch adds two new syscalls: one to register the userspace list, and 170 one to query the registered list pointer:: 171 172 asmlinkage long 173 sys_set_robust_list(struct robust_list_head __user *head, 174 size_t len); 175 176 asmlinkage long 177 sys_get_robust_list(int pid, struct robust_list_head __user **head_ptr, 178 size_t __user *len_ptr); 179 180 List registration is very fast: the pointer is simply stored in 181 current->robust_list. [Note that in the future, if robust futexes become 182 widespread, we could extend sys_clone() to register a robust-list head 183 for new threads, without the need of another syscall.] 184 185 So there is virtually zero overhead for tasks not using robust futexes, 186 and even for robust futex users, there is only one extra syscall per 187 thread lifetime, and the cleanup operation, if it happens, is fast and 188 straightforward. The kernel doesn't have any internal distinction between 189 robust and normal futexes. 190 191 If a futex is found to be held at exit time, the kernel sets the 192 following bit of the futex word:: 193 194 #define FUTEX_OWNER_DIED 0x40000000 195 196 and wakes up the next futex waiter (if any). User-space does the rest of 197 the cleanup. 198 199 Otherwise, robust futexes are acquired by glibc by putting the TID into 200 the futex field atomically. Waiters set the FUTEX_WAITERS bit:: 201 202 #define FUTEX_WAITERS 0x80000000 203 204 and the remaining bits are for the TID. 205 206 Testing, architecture support 207 ----------------------------- 208 209 I've tested the new syscalls on x86 and x86_64, and have made sure the 210 parsing of the userspace list is robust [ ;-) ] even if the list is 211 deliberately corrupted. 212 213 i386 and x86_64 syscalls are wired up at the moment, and Ulrich has 214 tested the new glibc code (on x86_64 and i386), and it works for his 215 robust-mutex testcases. 216 217 All other architectures should build just fine too - but they won't have 218 the new syscalls yet. 219 220 Architectures need to implement the new futex_atomic_cmpxchg_inatomic() 221 inline function before writing up the syscalls (that function returns 222 -ENOSYS right now).