0001 Started by: Ingo Molnar <email@example.com>
0006 what are robust futexes? To answer that, we first need to understand
0007 what futexes are: normal futexes are special types of locks that in the
0008 noncontended case can be acquired/released from userspace without having
0009 to enter the kernel.
0011 A futex is in essence a user-space address, e.g. a 32-bit lock variable
0012 field. If userspace notices contention (the lock is already owned and
0013 someone else wants to grab it too) then the lock is marked with a value
0014 that says "there's a waiter pending", and the sys_futex(FUTEX_WAIT)
0015 syscall is used to wait for the other guy to release it. The kernel
0016 creates a 'futex queue' internally, so that it can later on match up the
0017 waiter with the waker - without them having to know about each other.
0018 When the owner thread releases the futex, it notices (via the variable
0019 value) that there were waiter(s) pending, and does the
0020 sys_futex(FUTEX_WAKE) syscall to wake them up. Once all waiters have
0021 taken and released the lock, the futex is again back to 'uncontended'
0022 state, and there's no in-kernel state associated with it. The kernel
0023 completely forgets that there ever was a futex at that address. This
0024 method makes futexes very lightweight and scalable.
0026 "Robustness" is about dealing with crashes while holding a lock: if a
0027 process exits prematurely while holding a pthread_mutex_t lock that is
0028 also shared with some other process (e.g. yum segfaults while holding a
0029 pthread_mutex_t, or yum is kill -9-ed), then waiters for that lock need
0030 to be notified that the last owner of the lock exited in some irregular
0033 To solve such types of problems, "robust mutex" userspace APIs were
0034 created: pthread_mutex_lock() returns an error value if the owner exits
0035 prematurely - and the new owner can decide whether the data protected by
0036 the lock can be recovered safely.
0038 There is a big conceptual problem with futex based mutexes though: it is
0039 the kernel that destroys the owner task (e.g. due to a SEGFAULT), but
0040 the kernel cannot help with the cleanup: if there is no 'futex queue'
0041 (and in most cases there is none, futexes being fast lightweight locks)
0042 then the kernel has no information to clean up after the held lock!
0043 Userspace has no chance to clean up after the lock either - userspace is
0044 the one that crashes, so it has no opportunity to clean up. Catch-22.
0046 In practice, when e.g. yum is kill -9-ed (or segfaults), a system reboot
0047 is needed to release that futex based lock. This is one of the leading
0048 bugreports against yum.
0050 To solve this problem, the traditional approach was to extend the vma
0051 (virtual memory area descriptor) concept to have a notion of 'pending
0052 robust futexes attached to this area'. This approach requires 3 new
0053 syscall variants to sys_futex(): FUTEX_REGISTER, FUTEX_DEREGISTER and
0054 FUTEX_RECOVER. At do_exit() time, all vmas are searched to see whether
0055 they have a robust_head set. This approach has two fundamental problems
0058 - it has quite complex locking and race scenarios. The vma-based
0059 approach had been pending for years, but they are still not completely
0062 - they have to scan _every_ vma at sys_exit() time, per thread!
0064 The second disadvantage is a real killer: pthread_exit() takes around 1
0065 microsecond on Linux, but with thousands (or tens of thousands) of vmas
0066 every pthread_exit() takes a millisecond or more, also totally
0067 destroying the CPU's L1 and L2 caches!
0069 This is very much noticeable even for normal process sys_exit_group()
0070 calls: the kernel has to do the vma scanning unconditionally! (this is
0071 because the kernel has no knowledge about how many robust futexes there
0072 are to be cleaned up, because a robust futex might have been registered
0073 in another task, and the futex variable might have been simply mmap()-ed
0074 into this process's address space).
0076 This huge overhead forced the creation of CONFIG_FUTEX_ROBUST so that
0077 normal kernels can turn it off, but worse than that: the overhead makes
0078 robust futexes impractical for any type of generic Linux distribution.
0080 So something had to be done.
0082 New approach to robust futexes
0085 At the heart of this new approach there is a per-thread private list of
0086 robust locks that userspace is holding (maintained by glibc) - which
0087 userspace list is registered with the kernel via a new syscall [this
0088 registration happens at most once per thread lifetime]. At do_exit()
0089 time, the kernel checks this user-space list: are there any robust futex
0090 locks to be cleaned up?
0092 In the common case, at do_exit() time, there is no list registered, so
0093 the cost of robust futexes is just a simple current->robust_list != NULL
0094 comparison. If the thread has registered a list, then normally the list
0095 is empty. If the thread/process crashed or terminated in some incorrect
0096 way then the list might be non-empty: in this case the kernel carefully
0097 walks the list [not trusting it], and marks all locks that are owned by
0098 this thread with the FUTEX_OWNER_DIED bit, and wakes up one waiter (if
0101 The list is guaranteed to be private and per-thread at do_exit() time,
0102 so it can be accessed by the kernel in a lockless way.
0104 There is one race possible though: since adding to and removing from the
0105 list is done after the futex is acquired by glibc, there is a few
0106 instructions window for the thread (or process) to die there, leaving
0107 the futex hung. To protect against this possibility, userspace (glibc)
0108 also maintains a simple per-thread 'list_op_pending' field, to allow the
0109 kernel to clean up if the thread dies after acquiring the lock, but just
0110 before it could have added itself to the list. Glibc sets this
0111 list_op_pending field before it tries to acquire the futex, and clears
0112 it after the list-add (or list-remove) has finished.
0114 That's all that is needed - all the rest of robust-futex cleanup is done
0115 in userspace [just like with the previous patches].
0117 Ulrich Drepper has implemented the necessary glibc support for this new
0118 mechanism, which fully enables robust mutexes.
0120 Key differences of this userspace-list based approach, compared to the
0121 vma based method:
0123 - it's much, much faster: at thread exit time, there's no need to loop
0124 over every vma (!), which the VM-based method has to do. Only a very
0125 simple 'is the list empty' op is done.
0127 - no VM changes are needed - 'struct address_space' is left alone.
0129 - no registration of individual locks is needed: robust mutexes don't
0130 need any extra per-lock syscalls. Robust mutexes thus become a very
0131 lightweight primitive - so they don't force the application designer
0132 to do a hard choice between performance and robustness - robust
0133 mutexes are just as fast.
0135 - no per-lock kernel allocation happens.
0137 - no resource limits are needed.
0139 - no kernel-space recovery call (FUTEX_RECOVER) is needed.
0141 - the implementation and the locking is "obvious", and there are no
0142 interactions with the VM.
0147 I have benchmarked the time needed for the kernel to process a list of 1
0148 million (!) held locks, using the new method [on a 2GHz CPU]:
0150 - with FUTEX_WAIT set [contended mutex]: 130 msecs
0151 - without FUTEX_WAIT set [uncontended mutex]: 30 msecs
0153 I have also measured an approach where glibc does the lock notification
0154 [which it currently does for !pshared robust mutexes], and that took 256
0155 msecs - clearly slower, due to the 1 million FUTEX_WAKE syscalls
0156 userspace had to do.
0158 (1 million held locks are unheard of - we expect at most a handful of
0159 locks to be held at a time. Nevertheless it's nice to know that this
0160 approach scales nicely.)
0162 Implementation details
0165 The patch adds two new syscalls: one to register the userspace list, and
0166 one to query the registered list pointer:
0168 asmlinkage long
0169 sys_set_robust_list(struct robust_list_head __user *head,
0170 size_t len);
0172 asmlinkage long
0173 sys_get_robust_list(int pid, struct robust_list_head __user **head_ptr,
0174 size_t __user *len_ptr);
0176 List registration is very fast: the pointer is simply stored in
0177 current->robust_list. [Note that in the future, if robust futexes become
0178 widespread, we could extend sys_clone() to register a robust-list head
0179 for new threads, without the need of another syscall.]
0181 So there is virtually zero overhead for tasks not using robust futexes,
0182 and even for robust futex users, there is only one extra syscall per
0183 thread lifetime, and the cleanup operation, if it happens, is fast and
0184 straightforward. The kernel doesn't have any internal distinction between
0185 robust and normal futexes.
0187 If a futex is found to be held at exit time, the kernel sets the
0188 following bit of the futex word:
0190 #define FUTEX_OWNER_DIED 0x40000000
0192 and wakes up the next futex waiter (if any). User-space does the rest of
0193 the cleanup.
0195 Otherwise, robust futexes are acquired by glibc by putting the TID into
0196 the futex field atomically. Waiters set the FUTEX_WAITERS bit:
0198 #define FUTEX_WAITERS 0x80000000
0200 and the remaining bits are for the TID.
0202 Testing, architecture support
0205 I've tested the new syscalls on x86 and x86_64, and have made sure the
0206 parsing of the userspace list is robust [ ;-) ] even if the list is
0207 deliberately corrupted.
0209 i386 and x86_64 syscalls are wired up at the moment, and Ulrich has
0210 tested the new glibc code (on x86_64 and i386), and it works for his
0211 robust-mutex testcases.
0213 All other architectures should build just fine too - but they won't have
0214 the new syscalls yet.
0216 Architectures need to implement the new futex_atomic_cmpxchg_inatomic()
0217 inline function before writing up the syscalls (that function returns
0218 -ENOSYS right now).