About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / robust-futexes.txt




Custom Search

Based on kernel version 4.16.1. Page generated on 2018-04-09 11:53 EST.

1	========================================
2	A description of what robust futexes are
3	========================================
4	
5	:Started by: Ingo Molnar <mingo@redhat.com>
6	
7	Background
8	----------
9	
10	what are robust futexes? To answer that, we first need to understand
11	what futexes are: normal futexes are special types of locks that in the
12	noncontended case can be acquired/released from userspace without having
13	to enter the kernel.
14	
15	A futex is in essence a user-space address, e.g. a 32-bit lock variable
16	field. If userspace notices contention (the lock is already owned and
17	someone else wants to grab it too) then the lock is marked with a value
18	that says "there's a waiter pending", and the sys_futex(FUTEX_WAIT)
19	syscall is used to wait for the other guy to release it. The kernel
20	creates a 'futex queue' internally, so that it can later on match up the
21	waiter with the waker - without them having to know about each other.
22	When the owner thread releases the futex, it notices (via the variable
23	value) that there were waiter(s) pending, and does the
24	sys_futex(FUTEX_WAKE) syscall to wake them up.  Once all waiters have
25	taken and released the lock, the futex is again back to 'uncontended'
26	state, and there's no in-kernel state associated with it. The kernel
27	completely forgets that there ever was a futex at that address. This
28	method makes futexes very lightweight and scalable.
29	
30	"Robustness" is about dealing with crashes while holding a lock: if a
31	process exits prematurely while holding a pthread_mutex_t lock that is
32	also shared with some other process (e.g. yum segfaults while holding a
33	pthread_mutex_t, or yum is kill -9-ed), then waiters for that lock need
34	to be notified that the last owner of the lock exited in some irregular
35	way.
36	
37	To solve such types of problems, "robust mutex" userspace APIs were
38	created: pthread_mutex_lock() returns an error value if the owner exits
39	prematurely - and the new owner can decide whether the data protected by
40	the lock can be recovered safely.
41	
42	There is a big conceptual problem with futex based mutexes though: it is
43	the kernel that destroys the owner task (e.g. due to a SEGFAULT), but
44	the kernel cannot help with the cleanup: if there is no 'futex queue'
45	(and in most cases there is none, futexes being fast lightweight locks)
46	then the kernel has no information to clean up after the held lock!
47	Userspace has no chance to clean up after the lock either - userspace is
48	the one that crashes, so it has no opportunity to clean up. Catch-22.
49	
50	In practice, when e.g. yum is kill -9-ed (or segfaults), a system reboot
51	is needed to release that futex based lock. This is one of the leading
52	bugreports against yum.
53	
54	To solve this problem, the traditional approach was to extend the vma
55	(virtual memory area descriptor) concept to have a notion of 'pending
56	robust futexes attached to this area'. This approach requires 3 new
57	syscall variants to sys_futex(): FUTEX_REGISTER, FUTEX_DEREGISTER and
58	FUTEX_RECOVER. At do_exit() time, all vmas are searched to see whether
59	they have a robust_head set. This approach has two fundamental problems
60	left:
61	
62	 - it has quite complex locking and race scenarios. The vma-based
63	   approach had been pending for years, but they are still not completely
64	   reliable.
65	
66	 - they have to scan _every_ vma at sys_exit() time, per thread!
67	
68	The second disadvantage is a real killer: pthread_exit() takes around 1
69	microsecond on Linux, but with thousands (or tens of thousands) of vmas
70	every pthread_exit() takes a millisecond or more, also totally
71	destroying the CPU's L1 and L2 caches!
72	
73	This is very much noticeable even for normal process sys_exit_group()
74	calls: the kernel has to do the vma scanning unconditionally! (this is
75	because the kernel has no knowledge about how many robust futexes there
76	are to be cleaned up, because a robust futex might have been registered
77	in another task, and the futex variable might have been simply mmap()-ed
78	into this process's address space).
79	
80	This huge overhead forced the creation of CONFIG_FUTEX_ROBUST so that
81	normal kernels can turn it off, but worse than that: the overhead makes
82	robust futexes impractical for any type of generic Linux distribution.
83	
84	So something had to be done.
85	
86	New approach to robust futexes
87	------------------------------
88	
89	At the heart of this new approach there is a per-thread private list of
90	robust locks that userspace is holding (maintained by glibc) - which
91	userspace list is registered with the kernel via a new syscall [this
92	registration happens at most once per thread lifetime]. At do_exit()
93	time, the kernel checks this user-space list: are there any robust futex
94	locks to be cleaned up?
95	
96	In the common case, at do_exit() time, there is no list registered, so
97	the cost of robust futexes is just a simple current->robust_list != NULL
98	comparison. If the thread has registered a list, then normally the list
99	is empty. If the thread/process crashed or terminated in some incorrect
100	way then the list might be non-empty: in this case the kernel carefully
101	walks the list [not trusting it], and marks all locks that are owned by
102	this thread with the FUTEX_OWNER_DIED bit, and wakes up one waiter (if
103	any).
104	
105	The list is guaranteed to be private and per-thread at do_exit() time,
106	so it can be accessed by the kernel in a lockless way.
107	
108	There is one race possible though: since adding to and removing from the
109	list is done after the futex is acquired by glibc, there is a few
110	instructions window for the thread (or process) to die there, leaving
111	the futex hung. To protect against this possibility, userspace (glibc)
112	also maintains a simple per-thread 'list_op_pending' field, to allow the
113	kernel to clean up if the thread dies after acquiring the lock, but just
114	before it could have added itself to the list. Glibc sets this
115	list_op_pending field before it tries to acquire the futex, and clears
116	it after the list-add (or list-remove) has finished.
117	
118	That's all that is needed - all the rest of robust-futex cleanup is done
119	in userspace [just like with the previous patches].
120	
121	Ulrich Drepper has implemented the necessary glibc support for this new
122	mechanism, which fully enables robust mutexes.
123	
124	Key differences of this userspace-list based approach, compared to the
125	vma based method:
126	
127	 - it's much, much faster: at thread exit time, there's no need to loop
128	   over every vma (!), which the VM-based method has to do. Only a very
129	   simple 'is the list empty' op is done.
130	
131	 - no VM changes are needed - 'struct address_space' is left alone.
132	
133	 - no registration of individual locks is needed: robust mutexes don't
134	   need any extra per-lock syscalls. Robust mutexes thus become a very
135	   lightweight primitive - so they don't force the application designer
136	   to do a hard choice between performance and robustness - robust
137	   mutexes are just as fast.
138	
139	 - no per-lock kernel allocation happens.
140	
141	 - no resource limits are needed.
142	
143	 - no kernel-space recovery call (FUTEX_RECOVER) is needed.
144	
145	 - the implementation and the locking is "obvious", and there are no
146	   interactions with the VM.
147	
148	Performance
149	-----------
150	
151	I have benchmarked the time needed for the kernel to process a list of 1
152	million (!) held locks, using the new method [on a 2GHz CPU]:
153	
154	 - with FUTEX_WAIT set [contended mutex]: 130 msecs
155	 - without FUTEX_WAIT set [uncontended mutex]: 30 msecs
156	
157	I have also measured an approach where glibc does the lock notification
158	[which it currently does for !pshared robust mutexes], and that took 256
159	msecs - clearly slower, due to the 1 million FUTEX_WAKE syscalls
160	userspace had to do.
161	
162	(1 million held locks are unheard of - we expect at most a handful of
163	locks to be held at a time. Nevertheless it's nice to know that this
164	approach scales nicely.)
165	
166	Implementation details
167	----------------------
168	
169	The patch adds two new syscalls: one to register the userspace list, and
170	one to query the registered list pointer::
171	
172	 asmlinkage long
173	 sys_set_robust_list(struct robust_list_head __user *head,
174	                     size_t len);
175	
176	 asmlinkage long
177	 sys_get_robust_list(int pid, struct robust_list_head __user **head_ptr,
178	                     size_t __user *len_ptr);
179	
180	List registration is very fast: the pointer is simply stored in
181	current->robust_list. [Note that in the future, if robust futexes become
182	widespread, we could extend sys_clone() to register a robust-list head
183	for new threads, without the need of another syscall.]
184	
185	So there is virtually zero overhead for tasks not using robust futexes,
186	and even for robust futex users, there is only one extra syscall per
187	thread lifetime, and the cleanup operation, if it happens, is fast and
188	straightforward. The kernel doesn't have any internal distinction between
189	robust and normal futexes.
190	
191	If a futex is found to be held at exit time, the kernel sets the
192	following bit of the futex word::
193	
194		#define FUTEX_OWNER_DIED        0x40000000
195	
196	and wakes up the next futex waiter (if any). User-space does the rest of
197	the cleanup.
198	
199	Otherwise, robust futexes are acquired by glibc by putting the TID into
200	the futex field atomically. Waiters set the FUTEX_WAITERS bit::
201	
202		#define FUTEX_WAITERS           0x80000000
203	
204	and the remaining bits are for the TID.
205	
206	Testing, architecture support
207	-----------------------------
208	
209	I've tested the new syscalls on x86 and x86_64, and have made sure the
210	parsing of the userspace list is robust [ ;-) ] even if the list is
211	deliberately corrupted.
212	
213	i386 and x86_64 syscalls are wired up at the moment, and Ulrich has
214	tested the new glibc code (on x86_64 and i386), and it works for his
215	robust-mutex testcases.
216	
217	All other architectures should build just fine too - but they won't have
218	the new syscalls yet.
219	
220	Architectures need to implement the new futex_atomic_cmpxchg_inatomic()
221	inline function before writing up the syscalls (that function returns
222	-ENOSYS right now).
Hide Line Numbers
About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.