2729 lines
132 KiB
ReStructuredText
2729 lines
132 KiB
ReStructuredText
|
=================================
|
|||
|
A Tour Through RCU's Requirements
|
|||
|
=================================
|
|||
|
|
|||
|
Copyright IBM Corporation, 2015
|
|||
|
|
|||
|
Author: Paul E. McKenney
|
|||
|
|
|||
|
The initial version of this document appeared in the
|
|||
|
`LWN <https://lwn.net/>`_ on those articles:
|
|||
|
`part 1 <https://lwn.net/Articles/652156/>`_,
|
|||
|
`part 2 <https://lwn.net/Articles/652677/>`_, and
|
|||
|
`part 3 <https://lwn.net/Articles/653326/>`_.
|
|||
|
|
|||
|
Introduction
|
|||
|
------------
|
|||
|
|
|||
|
Read-copy update (RCU) is a synchronization mechanism that is often used
|
|||
|
as a replacement for reader-writer locking. RCU is unusual in that
|
|||
|
updaters do not block readers, which means that RCU's read-side
|
|||
|
primitives can be exceedingly fast and scalable. In addition, updaters
|
|||
|
can make useful forward progress concurrently with readers. However, all
|
|||
|
this concurrency between RCU readers and updaters does raise the
|
|||
|
question of exactly what RCU readers are doing, which in turn raises the
|
|||
|
question of exactly what RCU's requirements are.
|
|||
|
|
|||
|
This document therefore summarizes RCU's requirements, and can be
|
|||
|
thought of as an informal, high-level specification for RCU. It is
|
|||
|
important to understand that RCU's specification is primarily empirical
|
|||
|
in nature; in fact, I learned about many of these requirements the hard
|
|||
|
way. This situation might cause some consternation, however, not only
|
|||
|
has this learning process been a lot of fun, but it has also been a
|
|||
|
great privilege to work with so many people willing to apply
|
|||
|
technologies in interesting new ways.
|
|||
|
|
|||
|
All that aside, here are the categories of currently known RCU
|
|||
|
requirements:
|
|||
|
|
|||
|
#. `Fundamental Requirements`_
|
|||
|
#. `Fundamental Non-Requirements`_
|
|||
|
#. `Parallelism Facts of Life`_
|
|||
|
#. `Quality-of-Implementation Requirements`_
|
|||
|
#. `Linux Kernel Complications`_
|
|||
|
#. `Software-Engineering Requirements`_
|
|||
|
#. `Other RCU Flavors`_
|
|||
|
#. `Possible Future Changes`_
|
|||
|
|
|||
|
This is followed by a summary_, however, the answers to
|
|||
|
each quick quiz immediately follows the quiz. Select the big white space
|
|||
|
with your mouse to see the answer.
|
|||
|
|
|||
|
Fundamental Requirements
|
|||
|
------------------------
|
|||
|
|
|||
|
RCU's fundamental requirements are the closest thing RCU has to hard
|
|||
|
mathematical requirements. These are:
|
|||
|
|
|||
|
#. `Grace-Period Guarantee`_
|
|||
|
#. `Publish/Subscribe Guarantee`_
|
|||
|
#. `Memory-Barrier Guarantees`_
|
|||
|
#. `RCU Primitives Guaranteed to Execute Unconditionally`_
|
|||
|
#. `Guaranteed Read-to-Write Upgrade`_
|
|||
|
|
|||
|
Grace-Period Guarantee
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
RCU's grace-period guarantee is unusual in being premeditated: Jack
|
|||
|
Slingwine and I had this guarantee firmly in mind when we started work
|
|||
|
on RCU (then called “rclock”) in the early 1990s. That said, the past
|
|||
|
two decades of experience with RCU have produced a much more detailed
|
|||
|
understanding of this guarantee.
|
|||
|
|
|||
|
RCU's grace-period guarantee allows updaters to wait for the completion
|
|||
|
of all pre-existing RCU read-side critical sections. An RCU read-side
|
|||
|
critical section begins with the marker rcu_read_lock() and ends
|
|||
|
with the marker rcu_read_unlock(). These markers may be nested, and
|
|||
|
RCU treats a nested set as one big RCU read-side critical section.
|
|||
|
Production-quality implementations of rcu_read_lock() and
|
|||
|
rcu_read_unlock() are extremely lightweight, and in fact have
|
|||
|
exactly zero overhead in Linux kernels built for production use with
|
|||
|
``CONFIG_PREEMPTION=n``.
|
|||
|
|
|||
|
This guarantee allows ordering to be enforced with extremely low
|
|||
|
overhead to readers, for example:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 int x, y;
|
|||
|
2
|
|||
|
3 void thread0(void)
|
|||
|
4 {
|
|||
|
5 rcu_read_lock();
|
|||
|
6 r1 = READ_ONCE(x);
|
|||
|
7 r2 = READ_ONCE(y);
|
|||
|
8 rcu_read_unlock();
|
|||
|
9 }
|
|||
|
10
|
|||
|
11 void thread1(void)
|
|||
|
12 {
|
|||
|
13 WRITE_ONCE(x, 1);
|
|||
|
14 synchronize_rcu();
|
|||
|
15 WRITE_ONCE(y, 1);
|
|||
|
16 }
|
|||
|
|
|||
|
Because the synchronize_rcu() on line 14 waits for all pre-existing
|
|||
|
readers, any instance of thread0() that loads a value of zero from
|
|||
|
``x`` must complete before thread1() stores to ``y``, so that
|
|||
|
instance must also load a value of zero from ``y``. Similarly, any
|
|||
|
instance of thread0() that loads a value of one from ``y`` must have
|
|||
|
started after the synchronize_rcu() started, and must therefore also
|
|||
|
load a value of one from ``x``. Therefore, the outcome:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
(r1 == 0 && r2 == 1)
|
|||
|
|
|||
|
cannot happen.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Wait a minute! You said that updaters can make useful forward |
|
|||
|
| progress concurrently with readers, but pre-existing readers will |
|
|||
|
| block synchronize_rcu()!!! |
|
|||
|
| Just who are you trying to fool??? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| First, if updaters do not wish to be blocked by readers, they can use |
|
|||
|
| call_rcu() or kfree_rcu(), which will be discussed later. |
|
|||
|
| Second, even when using synchronize_rcu(), the other update-side |
|
|||
|
| code does run concurrently with readers, whether pre-existing or not. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
This scenario resembles one of the first uses of RCU in
|
|||
|
`DYNIX/ptx <https://en.wikipedia.org/wiki/DYNIX>`__, which managed a
|
|||
|
distributed lock manager's transition into a state suitable for handling
|
|||
|
recovery from node failure, more or less as follows:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 #define STATE_NORMAL 0
|
|||
|
2 #define STATE_WANT_RECOVERY 1
|
|||
|
3 #define STATE_RECOVERING 2
|
|||
|
4 #define STATE_WANT_NORMAL 3
|
|||
|
5
|
|||
|
6 int state = STATE_NORMAL;
|
|||
|
7
|
|||
|
8 void do_something_dlm(void)
|
|||
|
9 {
|
|||
|
10 int state_snap;
|
|||
|
11
|
|||
|
12 rcu_read_lock();
|
|||
|
13 state_snap = READ_ONCE(state);
|
|||
|
14 if (state_snap == STATE_NORMAL)
|
|||
|
15 do_something();
|
|||
|
16 else
|
|||
|
17 do_something_carefully();
|
|||
|
18 rcu_read_unlock();
|
|||
|
19 }
|
|||
|
20
|
|||
|
21 void start_recovery(void)
|
|||
|
22 {
|
|||
|
23 WRITE_ONCE(state, STATE_WANT_RECOVERY);
|
|||
|
24 synchronize_rcu();
|
|||
|
25 WRITE_ONCE(state, STATE_RECOVERING);
|
|||
|
26 recovery();
|
|||
|
27 WRITE_ONCE(state, STATE_WANT_NORMAL);
|
|||
|
28 synchronize_rcu();
|
|||
|
29 WRITE_ONCE(state, STATE_NORMAL);
|
|||
|
30 }
|
|||
|
|
|||
|
The RCU read-side critical section in do_something_dlm() works with
|
|||
|
the synchronize_rcu() in start_recovery() to guarantee that
|
|||
|
do_something() never runs concurrently with recovery(), but with
|
|||
|
little or no synchronization overhead in do_something_dlm().
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Why is the synchronize_rcu() on line 28 needed? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Without that extra grace period, memory reordering could result in |
|
|||
|
| do_something_dlm() executing do_something() concurrently with |
|
|||
|
| the last bits of recovery(). |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
In order to avoid fatal problems such as deadlocks, an RCU read-side
|
|||
|
critical section must not contain calls to synchronize_rcu().
|
|||
|
Similarly, an RCU read-side critical section must not contain anything
|
|||
|
that waits, directly or indirectly, on completion of an invocation of
|
|||
|
synchronize_rcu().
|
|||
|
|
|||
|
Although RCU's grace-period guarantee is useful in and of itself, with
|
|||
|
`quite a few use cases <https://lwn.net/Articles/573497/>`__, it would
|
|||
|
be good to be able to use RCU to coordinate read-side access to linked
|
|||
|
data structures. For this, the grace-period guarantee is not sufficient,
|
|||
|
as can be seen in function add_gp_buggy() below. We will look at the
|
|||
|
reader's code later, but in the meantime, just think of the reader as
|
|||
|
locklessly picking up the ``gp`` pointer, and, if the value loaded is
|
|||
|
non-\ ``NULL``, locklessly accessing the ``->a`` and ``->b`` fields.
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 bool add_gp_buggy(int a, int b)
|
|||
|
2 {
|
|||
|
3 p = kmalloc(sizeof(*p), GFP_KERNEL);
|
|||
|
4 if (!p)
|
|||
|
5 return -ENOMEM;
|
|||
|
6 spin_lock(&gp_lock);
|
|||
|
7 if (rcu_access_pointer(gp)) {
|
|||
|
8 spin_unlock(&gp_lock);
|
|||
|
9 return false;
|
|||
|
10 }
|
|||
|
11 p->a = a;
|
|||
|
12 p->b = a;
|
|||
|
13 gp = p; /* ORDERING BUG */
|
|||
|
14 spin_unlock(&gp_lock);
|
|||
|
15 return true;
|
|||
|
16 }
|
|||
|
|
|||
|
The problem is that both the compiler and weakly ordered CPUs are within
|
|||
|
their rights to reorder this code as follows:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 bool add_gp_buggy_optimized(int a, int b)
|
|||
|
2 {
|
|||
|
3 p = kmalloc(sizeof(*p), GFP_KERNEL);
|
|||
|
4 if (!p)
|
|||
|
5 return -ENOMEM;
|
|||
|
6 spin_lock(&gp_lock);
|
|||
|
7 if (rcu_access_pointer(gp)) {
|
|||
|
8 spin_unlock(&gp_lock);
|
|||
|
9 return false;
|
|||
|
10 }
|
|||
|
11 gp = p; /* ORDERING BUG */
|
|||
|
12 p->a = a;
|
|||
|
13 p->b = a;
|
|||
|
14 spin_unlock(&gp_lock);
|
|||
|
15 return true;
|
|||
|
16 }
|
|||
|
|
|||
|
If an RCU reader fetches ``gp`` just after ``add_gp_buggy_optimized``
|
|||
|
executes line 11, it will see garbage in the ``->a`` and ``->b`` fields.
|
|||
|
And this is but one of many ways in which compiler and hardware
|
|||
|
optimizations could cause trouble. Therefore, we clearly need some way
|
|||
|
to prevent the compiler and the CPU from reordering in this manner,
|
|||
|
which brings us to the publish-subscribe guarantee discussed in the next
|
|||
|
section.
|
|||
|
|
|||
|
Publish/Subscribe Guarantee
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
RCU's publish-subscribe guarantee allows data to be inserted into a
|
|||
|
linked data structure without disrupting RCU readers. The updater uses
|
|||
|
rcu_assign_pointer() to insert the new data, and readers use
|
|||
|
rcu_dereference() to access data, whether new or old. The following
|
|||
|
shows an example of insertion:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 bool add_gp(int a, int b)
|
|||
|
2 {
|
|||
|
3 p = kmalloc(sizeof(*p), GFP_KERNEL);
|
|||
|
4 if (!p)
|
|||
|
5 return -ENOMEM;
|
|||
|
6 spin_lock(&gp_lock);
|
|||
|
7 if (rcu_access_pointer(gp)) {
|
|||
|
8 spin_unlock(&gp_lock);
|
|||
|
9 return false;
|
|||
|
10 }
|
|||
|
11 p->a = a;
|
|||
|
12 p->b = a;
|
|||
|
13 rcu_assign_pointer(gp, p);
|
|||
|
14 spin_unlock(&gp_lock);
|
|||
|
15 return true;
|
|||
|
16 }
|
|||
|
|
|||
|
The rcu_assign_pointer() on line 13 is conceptually equivalent to a
|
|||
|
simple assignment statement, but also guarantees that its assignment
|
|||
|
will happen after the two assignments in lines 11 and 12, similar to the
|
|||
|
C11 ``memory_order_release`` store operation. It also prevents any
|
|||
|
number of “interesting” compiler optimizations, for example, the use of
|
|||
|
``gp`` as a scratch location immediately preceding the assignment.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| But rcu_assign_pointer() does nothing to prevent the two |
|
|||
|
| assignments to ``p->a`` and ``p->b`` from being reordered. Can't that |
|
|||
|
| also cause problems? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| No, it cannot. The readers cannot see either of these two fields |
|
|||
|
| until the assignment to ``gp``, by which time both fields are fully |
|
|||
|
| initialized. So reordering the assignments to ``p->a`` and ``p->b`` |
|
|||
|
| cannot possibly cause any problems. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
It is tempting to assume that the reader need not do anything special to
|
|||
|
control its accesses to the RCU-protected data, as shown in
|
|||
|
do_something_gp_buggy() below:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 bool do_something_gp_buggy(void)
|
|||
|
2 {
|
|||
|
3 rcu_read_lock();
|
|||
|
4 p = gp; /* OPTIMIZATIONS GALORE!!! */
|
|||
|
5 if (p) {
|
|||
|
6 do_something(p->a, p->b);
|
|||
|
7 rcu_read_unlock();
|
|||
|
8 return true;
|
|||
|
9 }
|
|||
|
10 rcu_read_unlock();
|
|||
|
11 return false;
|
|||
|
12 }
|
|||
|
|
|||
|
However, this temptation must be resisted because there are a
|
|||
|
surprisingly large number of ways that the compiler (or weak ordering
|
|||
|
CPUs like the DEC Alpha) can trip this code up. For but one example, if
|
|||
|
the compiler were short of registers, it might choose to refetch from
|
|||
|
``gp`` rather than keeping a separate copy in ``p`` as follows:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 bool do_something_gp_buggy_optimized(void)
|
|||
|
2 {
|
|||
|
3 rcu_read_lock();
|
|||
|
4 if (gp) { /* OPTIMIZATIONS GALORE!!! */
|
|||
|
5 do_something(gp->a, gp->b);
|
|||
|
6 rcu_read_unlock();
|
|||
|
7 return true;
|
|||
|
8 }
|
|||
|
9 rcu_read_unlock();
|
|||
|
10 return false;
|
|||
|
11 }
|
|||
|
|
|||
|
If this function ran concurrently with a series of updates that replaced
|
|||
|
the current structure with a new one, the fetches of ``gp->a`` and
|
|||
|
``gp->b`` might well come from two different structures, which could
|
|||
|
cause serious confusion. To prevent this (and much else besides),
|
|||
|
do_something_gp() uses rcu_dereference() to fetch from ``gp``:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 bool do_something_gp(void)
|
|||
|
2 {
|
|||
|
3 rcu_read_lock();
|
|||
|
4 p = rcu_dereference(gp);
|
|||
|
5 if (p) {
|
|||
|
6 do_something(p->a, p->b);
|
|||
|
7 rcu_read_unlock();
|
|||
|
8 return true;
|
|||
|
9 }
|
|||
|
10 rcu_read_unlock();
|
|||
|
11 return false;
|
|||
|
12 }
|
|||
|
|
|||
|
The rcu_dereference() uses volatile casts and (for DEC Alpha) memory
|
|||
|
barriers in the Linux kernel. Should a |high-quality implementation of
|
|||
|
C11 memory_order_consume [PDF]|_
|
|||
|
ever appear, then rcu_dereference() could be implemented as a
|
|||
|
``memory_order_consume`` load. Regardless of the exact implementation, a
|
|||
|
pointer fetched by rcu_dereference() may not be used outside of the
|
|||
|
outermost RCU read-side critical section containing that
|
|||
|
rcu_dereference(), unless protection of the corresponding data
|
|||
|
element has been passed from RCU to some other synchronization
|
|||
|
mechanism, most commonly locking or `reference
|
|||
|
counting <https://www.kernel.org/doc/Documentation/RCU/rcuref.txt>`__.
|
|||
|
|
|||
|
.. |high-quality implementation of C11 memory_order_consume [PDF]| replace:: high-quality implementation of C11 ``memory_order_consume`` [PDF]
|
|||
|
.. _high-quality implementation of C11 memory_order_consume [PDF]: http://www.rdrop.com/users/paulmck/RCU/consume.2015.07.13a.pdf
|
|||
|
|
|||
|
In short, updaters use rcu_assign_pointer() and readers use
|
|||
|
rcu_dereference(), and these two RCU API elements work together to
|
|||
|
ensure that readers have a consistent view of newly added data elements.
|
|||
|
|
|||
|
Of course, it is also necessary to remove elements from RCU-protected
|
|||
|
data structures, for example, using the following process:
|
|||
|
|
|||
|
#. Remove the data element from the enclosing structure.
|
|||
|
#. Wait for all pre-existing RCU read-side critical sections to complete
|
|||
|
(because only pre-existing readers can possibly have a reference to
|
|||
|
the newly removed data element).
|
|||
|
#. At this point, only the updater has a reference to the newly removed
|
|||
|
data element, so it can safely reclaim the data element, for example,
|
|||
|
by passing it to kfree().
|
|||
|
|
|||
|
This process is implemented by remove_gp_synchronous():
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 bool remove_gp_synchronous(void)
|
|||
|
2 {
|
|||
|
3 struct foo *p;
|
|||
|
4
|
|||
|
5 spin_lock(&gp_lock);
|
|||
|
6 p = rcu_access_pointer(gp);
|
|||
|
7 if (!p) {
|
|||
|
8 spin_unlock(&gp_lock);
|
|||
|
9 return false;
|
|||
|
10 }
|
|||
|
11 rcu_assign_pointer(gp, NULL);
|
|||
|
12 spin_unlock(&gp_lock);
|
|||
|
13 synchronize_rcu();
|
|||
|
14 kfree(p);
|
|||
|
15 return true;
|
|||
|
16 }
|
|||
|
|
|||
|
This function is straightforward, with line 13 waiting for a grace
|
|||
|
period before line 14 frees the old data element. This waiting ensures
|
|||
|
that readers will reach line 7 of do_something_gp() before the data
|
|||
|
element referenced by ``p`` is freed. The rcu_access_pointer() on
|
|||
|
line 6 is similar to rcu_dereference(), except that:
|
|||
|
|
|||
|
#. The value returned by rcu_access_pointer() cannot be
|
|||
|
dereferenced. If you want to access the value pointed to as well as
|
|||
|
the pointer itself, use rcu_dereference() instead of
|
|||
|
rcu_access_pointer().
|
|||
|
#. The call to rcu_access_pointer() need not be protected. In
|
|||
|
contrast, rcu_dereference() must either be within an RCU
|
|||
|
read-side critical section or in a code segment where the pointer
|
|||
|
cannot change, for example, in code protected by the corresponding
|
|||
|
update-side lock.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Without the rcu_dereference() or the rcu_access_pointer(), |
|
|||
|
| what destructive optimizations might the compiler make use of? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Let's start with what happens to do_something_gp() if it fails to |
|
|||
|
| use rcu_dereference(). It could reuse a value formerly fetched |
|
|||
|
| from this same pointer. It could also fetch the pointer from ``gp`` |
|
|||
|
| in a byte-at-a-time manner, resulting in *load tearing*, in turn |
|
|||
|
| resulting a bytewise mash-up of two distinct pointer values. It might |
|
|||
|
| even use value-speculation optimizations, where it makes a wrong |
|
|||
|
| guess, but by the time it gets around to checking the value, an |
|
|||
|
| update has changed the pointer to match the wrong guess. Too bad |
|
|||
|
| about any dereferences that returned pre-initialization garbage in |
|
|||
|
| the meantime! |
|
|||
|
| For remove_gp_synchronous(), as long as all modifications to |
|
|||
|
| ``gp`` are carried out while holding ``gp_lock``, the above |
|
|||
|
| optimizations are harmless. However, ``sparse`` will complain if you |
|
|||
|
| define ``gp`` with ``__rcu`` and then access it without using either |
|
|||
|
| rcu_access_pointer() or rcu_dereference(). |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
In short, RCU's publish-subscribe guarantee is provided by the
|
|||
|
combination of rcu_assign_pointer() and rcu_dereference(). This
|
|||
|
guarantee allows data elements to be safely added to RCU-protected
|
|||
|
linked data structures without disrupting RCU readers. This guarantee
|
|||
|
can be used in combination with the grace-period guarantee to also allow
|
|||
|
data elements to be removed from RCU-protected linked data structures,
|
|||
|
again without disrupting RCU readers.
|
|||
|
|
|||
|
This guarantee was only partially premeditated. DYNIX/ptx used an
|
|||
|
explicit memory barrier for publication, but had nothing resembling
|
|||
|
rcu_dereference() for subscription, nor did it have anything
|
|||
|
resembling the dependency-ordering barrier that was later subsumed
|
|||
|
into rcu_dereference() and later still into READ_ONCE(). The
|
|||
|
need for these operations made itself known quite suddenly at a
|
|||
|
late-1990s meeting with the DEC Alpha architects, back in the days when
|
|||
|
DEC was still a free-standing company. It took the Alpha architects a
|
|||
|
good hour to convince me that any sort of barrier would ever be needed,
|
|||
|
and it then took me a good *two* hours to convince them that their
|
|||
|
documentation did not make this point clear. More recent work with the C
|
|||
|
and C++ standards committees have provided much education on tricks and
|
|||
|
traps from the compiler. In short, compilers were much less tricky in
|
|||
|
the early 1990s, but in 2015, don't even think about omitting
|
|||
|
rcu_dereference()!
|
|||
|
|
|||
|
Memory-Barrier Guarantees
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The previous section's simple linked-data-structure scenario clearly
|
|||
|
demonstrates the need for RCU's stringent memory-ordering guarantees on
|
|||
|
systems with more than one CPU:
|
|||
|
|
|||
|
#. Each CPU that has an RCU read-side critical section that begins
|
|||
|
before synchronize_rcu() starts is guaranteed to execute a full
|
|||
|
memory barrier between the time that the RCU read-side critical
|
|||
|
section ends and the time that synchronize_rcu() returns. Without
|
|||
|
this guarantee, a pre-existing RCU read-side critical section might
|
|||
|
hold a reference to the newly removed ``struct foo`` after the
|
|||
|
kfree() on line 14 of remove_gp_synchronous().
|
|||
|
#. Each CPU that has an RCU read-side critical section that ends after
|
|||
|
synchronize_rcu() returns is guaranteed to execute a full memory
|
|||
|
barrier between the time that synchronize_rcu() begins and the
|
|||
|
time that the RCU read-side critical section begins. Without this
|
|||
|
guarantee, a later RCU read-side critical section running after the
|
|||
|
kfree() on line 14 of remove_gp_synchronous() might later run
|
|||
|
do_something_gp() and find the newly deleted ``struct foo``.
|
|||
|
#. If the task invoking synchronize_rcu() remains on a given CPU,
|
|||
|
then that CPU is guaranteed to execute a full memory barrier sometime
|
|||
|
during the execution of synchronize_rcu(). This guarantee ensures
|
|||
|
that the kfree() on line 14 of remove_gp_synchronous() really
|
|||
|
does execute after the removal on line 11.
|
|||
|
#. If the task invoking synchronize_rcu() migrates among a group of
|
|||
|
CPUs during that invocation, then each of the CPUs in that group is
|
|||
|
guaranteed to execute a full memory barrier sometime during the
|
|||
|
execution of synchronize_rcu(). This guarantee also ensures that
|
|||
|
the kfree() on line 14 of remove_gp_synchronous() really does
|
|||
|
execute after the removal on line 11, but also in the case where the
|
|||
|
thread executing the synchronize_rcu() migrates in the meantime.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Given that multiple CPUs can start RCU read-side critical sections at |
|
|||
|
| any time without any ordering whatsoever, how can RCU possibly tell |
|
|||
|
| whether or not a given RCU read-side critical section starts before a |
|
|||
|
| given instance of synchronize_rcu()? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| If RCU cannot tell whether or not a given RCU read-side critical |
|
|||
|
| section starts before a given instance of synchronize_rcu(), then |
|
|||
|
| it must assume that the RCU read-side critical section started first. |
|
|||
|
| In other words, a given instance of synchronize_rcu() can avoid |
|
|||
|
| waiting on a given RCU read-side critical section only if it can |
|
|||
|
| prove that synchronize_rcu() started first. |
|
|||
|
| A related question is “When rcu_read_lock() doesn't generate any |
|
|||
|
| code, why does it matter how it relates to a grace period?” The |
|
|||
|
| answer is that it is not the relationship of rcu_read_lock() |
|
|||
|
| itself that is important, but rather the relationship of the code |
|
|||
|
| within the enclosed RCU read-side critical section to the code |
|
|||
|
| preceding and following the grace period. If we take this viewpoint, |
|
|||
|
| then a given RCU read-side critical section begins before a given |
|
|||
|
| grace period when some access preceding the grace period observes the |
|
|||
|
| effect of some access within the critical section, in which case none |
|
|||
|
| of the accesses within the critical section may observe the effects |
|
|||
|
| of any access following the grace period. |
|
|||
|
| |
|
|||
|
| As of late 2016, mathematical models of RCU take this viewpoint, for |
|
|||
|
| example, see slides 62 and 63 of the `2016 LinuxCon |
|
|||
|
| EU <http://www2.rdrop.com/users/paulmck/scalability/paper/LinuxMM.201 |
|
|||
|
| 6.10.04c.LCE.pdf>`__ |
|
|||
|
| presentation. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| The first and second guarantees require unbelievably strict ordering! |
|
|||
|
| Are all these memory barriers *really* required? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Yes, they really are required. To see why the first guarantee is |
|
|||
|
| required, consider the following sequence of events: |
|
|||
|
| |
|
|||
|
| #. CPU 1: rcu_read_lock() |
|
|||
|
| #. CPU 1: ``q = rcu_dereference(gp); /* Very likely to return p. */`` |
|
|||
|
| #. CPU 0: ``list_del_rcu(p);`` |
|
|||
|
| #. CPU 0: synchronize_rcu() starts. |
|
|||
|
| #. CPU 1: ``do_something_with(q->a);`` |
|
|||
|
| ``/* No smp_mb(), so might happen after kfree(). */`` |
|
|||
|
| #. CPU 1: rcu_read_unlock() |
|
|||
|
| #. CPU 0: synchronize_rcu() returns. |
|
|||
|
| #. CPU 0: ``kfree(p);`` |
|
|||
|
| |
|
|||
|
| Therefore, there absolutely must be a full memory barrier between the |
|
|||
|
| end of the RCU read-side critical section and the end of the grace |
|
|||
|
| period. |
|
|||
|
| |
|
|||
|
| The sequence of events demonstrating the necessity of the second rule |
|
|||
|
| is roughly similar: |
|
|||
|
| |
|
|||
|
| #. CPU 0: ``list_del_rcu(p);`` |
|
|||
|
| #. CPU 0: synchronize_rcu() starts. |
|
|||
|
| #. CPU 1: rcu_read_lock() |
|
|||
|
| #. CPU 1: ``q = rcu_dereference(gp);`` |
|
|||
|
| ``/* Might return p if no memory barrier. */`` |
|
|||
|
| #. CPU 0: synchronize_rcu() returns. |
|
|||
|
| #. CPU 0: ``kfree(p);`` |
|
|||
|
| #. CPU 1: ``do_something_with(q->a); /* Boom!!! */`` |
|
|||
|
| #. CPU 1: rcu_read_unlock() |
|
|||
|
| |
|
|||
|
| And similarly, without a memory barrier between the beginning of the |
|
|||
|
| grace period and the beginning of the RCU read-side critical section, |
|
|||
|
| CPU 1 might end up accessing the freelist. |
|
|||
|
| |
|
|||
|
| The “as if” rule of course applies, so that any implementation that |
|
|||
|
| acts as if the appropriate memory barriers were in place is a correct |
|
|||
|
| implementation. That said, it is much easier to fool yourself into |
|
|||
|
| believing that you have adhered to the as-if rule than it is to |
|
|||
|
| actually adhere to it! |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| You claim that rcu_read_lock() and rcu_read_unlock() generate |
|
|||
|
| absolutely no code in some kernel builds. This means that the |
|
|||
|
| compiler might arbitrarily rearrange consecutive RCU read-side |
|
|||
|
| critical sections. Given such rearrangement, if a given RCU read-side |
|
|||
|
| critical section is done, how can you be sure that all prior RCU |
|
|||
|
| read-side critical sections are done? Won't the compiler |
|
|||
|
| rearrangements make that impossible to determine? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| In cases where rcu_read_lock() and rcu_read_unlock() generate |
|
|||
|
| absolutely no code, RCU infers quiescent states only at special |
|
|||
|
| locations, for example, within the scheduler. Because calls to |
|
|||
|
| schedule() had better prevent calling-code accesses to shared |
|
|||
|
| variables from being rearranged across the call to schedule(), if |
|
|||
|
| RCU detects the end of a given RCU read-side critical section, it |
|
|||
|
| will necessarily detect the end of all prior RCU read-side critical |
|
|||
|
| sections, no matter how aggressively the compiler scrambles the code. |
|
|||
|
| Again, this all assumes that the compiler cannot scramble code across |
|
|||
|
| calls to the scheduler, out of interrupt handlers, into the idle |
|
|||
|
| loop, into user-mode code, and so on. But if your kernel build allows |
|
|||
|
| that sort of scrambling, you have broken far more than just RCU! |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
Note that these memory-barrier requirements do not replace the
|
|||
|
fundamental RCU requirement that a grace period wait for all
|
|||
|
pre-existing readers. On the contrary, the memory barriers called out in
|
|||
|
this section must operate in such a way as to *enforce* this fundamental
|
|||
|
requirement. Of course, different implementations enforce this
|
|||
|
requirement in different ways, but enforce it they must.
|
|||
|
|
|||
|
RCU Primitives Guaranteed to Execute Unconditionally
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The common-case RCU primitives are unconditional. They are invoked, they
|
|||
|
do their job, and they return, with no possibility of error, and no need
|
|||
|
to retry. This is a key RCU design philosophy.
|
|||
|
|
|||
|
However, this philosophy is pragmatic rather than pigheaded. If someone
|
|||
|
comes up with a good justification for a particular conditional RCU
|
|||
|
primitive, it might well be implemented and added. After all, this
|
|||
|
guarantee was reverse-engineered, not premeditated. The unconditional
|
|||
|
nature of the RCU primitives was initially an accident of
|
|||
|
implementation, and later experience with synchronization primitives
|
|||
|
with conditional primitives caused me to elevate this accident to a
|
|||
|
guarantee. Therefore, the justification for adding a conditional
|
|||
|
primitive to RCU would need to be based on detailed and compelling use
|
|||
|
cases.
|
|||
|
|
|||
|
Guaranteed Read-to-Write Upgrade
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
As far as RCU is concerned, it is always possible to carry out an update
|
|||
|
within an RCU read-side critical section. For example, that RCU
|
|||
|
read-side critical section might search for a given data element, and
|
|||
|
then might acquire the update-side spinlock in order to update that
|
|||
|
element, all while remaining in that RCU read-side critical section. Of
|
|||
|
course, it is necessary to exit the RCU read-side critical section
|
|||
|
before invoking synchronize_rcu(), however, this inconvenience can
|
|||
|
be avoided through use of the call_rcu() and kfree_rcu() API
|
|||
|
members described later in this document.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| But how does the upgrade-to-write operation exclude other readers? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| It doesn't, just like normal RCU updates, which also do not exclude |
|
|||
|
| RCU readers. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
This guarantee allows lookup code to be shared between read-side and
|
|||
|
update-side code, and was premeditated, appearing in the earliest
|
|||
|
DYNIX/ptx RCU documentation.
|
|||
|
|
|||
|
Fundamental Non-Requirements
|
|||
|
----------------------------
|
|||
|
|
|||
|
RCU provides extremely lightweight readers, and its read-side
|
|||
|
guarantees, though quite useful, are correspondingly lightweight. It is
|
|||
|
therefore all too easy to assume that RCU is guaranteeing more than it
|
|||
|
really is. Of course, the list of things that RCU does not guarantee is
|
|||
|
infinitely long, however, the following sections list a few
|
|||
|
non-guarantees that have caused confusion. Except where otherwise noted,
|
|||
|
these non-guarantees were premeditated.
|
|||
|
|
|||
|
#. `Readers Impose Minimal Ordering`_
|
|||
|
#. `Readers Do Not Exclude Updaters`_
|
|||
|
#. `Updaters Only Wait For Old Readers`_
|
|||
|
#. `Grace Periods Don't Partition Read-Side Critical Sections`_
|
|||
|
#. `Read-Side Critical Sections Don't Partition Grace Periods`_
|
|||
|
|
|||
|
Readers Impose Minimal Ordering
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
Reader-side markers such as rcu_read_lock() and
|
|||
|
rcu_read_unlock() provide absolutely no ordering guarantees except
|
|||
|
through their interaction with the grace-period APIs such as
|
|||
|
synchronize_rcu(). To see this, consider the following pair of
|
|||
|
threads:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 void thread0(void)
|
|||
|
2 {
|
|||
|
3 rcu_read_lock();
|
|||
|
4 WRITE_ONCE(x, 1);
|
|||
|
5 rcu_read_unlock();
|
|||
|
6 rcu_read_lock();
|
|||
|
7 WRITE_ONCE(y, 1);
|
|||
|
8 rcu_read_unlock();
|
|||
|
9 }
|
|||
|
10
|
|||
|
11 void thread1(void)
|
|||
|
12 {
|
|||
|
13 rcu_read_lock();
|
|||
|
14 r1 = READ_ONCE(y);
|
|||
|
15 rcu_read_unlock();
|
|||
|
16 rcu_read_lock();
|
|||
|
17 r2 = READ_ONCE(x);
|
|||
|
18 rcu_read_unlock();
|
|||
|
19 }
|
|||
|
|
|||
|
After thread0() and thread1() execute concurrently, it is quite
|
|||
|
possible to have
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
(r1 == 1 && r2 == 0)
|
|||
|
|
|||
|
(that is, ``y`` appears to have been assigned before ``x``), which would
|
|||
|
not be possible if rcu_read_lock() and rcu_read_unlock() had
|
|||
|
much in the way of ordering properties. But they do not, so the CPU is
|
|||
|
within its rights to do significant reordering. This is by design: Any
|
|||
|
significant ordering constraints would slow down these fast-path APIs.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Can't the compiler also reorder this code? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| No, the volatile casts in READ_ONCE() and WRITE_ONCE() |
|
|||
|
| prevent the compiler from reordering in this particular case. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
Readers Do Not Exclude Updaters
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
Neither rcu_read_lock() nor rcu_read_unlock() exclude updates.
|
|||
|
All they do is to prevent grace periods from ending. The following
|
|||
|
example illustrates this:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 void thread0(void)
|
|||
|
2 {
|
|||
|
3 rcu_read_lock();
|
|||
|
4 r1 = READ_ONCE(y);
|
|||
|
5 if (r1) {
|
|||
|
6 do_something_with_nonzero_x();
|
|||
|
7 r2 = READ_ONCE(x);
|
|||
|
8 WARN_ON(!r2); /* BUG!!! */
|
|||
|
9 }
|
|||
|
10 rcu_read_unlock();
|
|||
|
11 }
|
|||
|
12
|
|||
|
13 void thread1(void)
|
|||
|
14 {
|
|||
|
15 spin_lock(&my_lock);
|
|||
|
16 WRITE_ONCE(x, 1);
|
|||
|
17 WRITE_ONCE(y, 1);
|
|||
|
18 spin_unlock(&my_lock);
|
|||
|
19 }
|
|||
|
|
|||
|
If the thread0() function's rcu_read_lock() excluded the
|
|||
|
thread1() function's update, the WARN_ON() could never fire. But
|
|||
|
the fact is that rcu_read_lock() does not exclude much of anything
|
|||
|
aside from subsequent grace periods, of which thread1() has none, so
|
|||
|
the WARN_ON() can and does fire.
|
|||
|
|
|||
|
Updaters Only Wait For Old Readers
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
It might be tempting to assume that after synchronize_rcu()
|
|||
|
completes, there are no readers executing. This temptation must be
|
|||
|
avoided because new readers can start immediately after
|
|||
|
synchronize_rcu() starts, and synchronize_rcu() is under no
|
|||
|
obligation to wait for these new readers.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Suppose that synchronize_rcu() did wait until *all* readers had |
|
|||
|
| completed instead of waiting only on pre-existing readers. For how |
|
|||
|
| long would the updater be able to rely on there being no readers? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| For no time at all. Even if synchronize_rcu() were to wait until |
|
|||
|
| all readers had completed, a new reader might start immediately after |
|
|||
|
| synchronize_rcu() completed. Therefore, the code following |
|
|||
|
| synchronize_rcu() can *never* rely on there being no readers. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
Grace Periods Don't Partition Read-Side Critical Sections
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
It is tempting to assume that if any part of one RCU read-side critical
|
|||
|
section precedes a given grace period, and if any part of another RCU
|
|||
|
read-side critical section follows that same grace period, then all of
|
|||
|
the first RCU read-side critical section must precede all of the second.
|
|||
|
However, this just isn't the case: A single grace period does not
|
|||
|
partition the set of RCU read-side critical sections. An example of this
|
|||
|
situation can be illustrated as follows, where ``x``, ``y``, and ``z``
|
|||
|
are initially all zero:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 void thread0(void)
|
|||
|
2 {
|
|||
|
3 rcu_read_lock();
|
|||
|
4 WRITE_ONCE(a, 1);
|
|||
|
5 WRITE_ONCE(b, 1);
|
|||
|
6 rcu_read_unlock();
|
|||
|
7 }
|
|||
|
8
|
|||
|
9 void thread1(void)
|
|||
|
10 {
|
|||
|
11 r1 = READ_ONCE(a);
|
|||
|
12 synchronize_rcu();
|
|||
|
13 WRITE_ONCE(c, 1);
|
|||
|
14 }
|
|||
|
15
|
|||
|
16 void thread2(void)
|
|||
|
17 {
|
|||
|
18 rcu_read_lock();
|
|||
|
19 r2 = READ_ONCE(b);
|
|||
|
20 r3 = READ_ONCE(c);
|
|||
|
21 rcu_read_unlock();
|
|||
|
22 }
|
|||
|
|
|||
|
It turns out that the outcome:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
(r1 == 1 && r2 == 0 && r3 == 1)
|
|||
|
|
|||
|
is entirely possible. The following figure show how this can happen,
|
|||
|
with each circled ``QS`` indicating the point at which RCU recorded a
|
|||
|
*quiescent state* for each thread, that is, a state in which RCU knows
|
|||
|
that the thread cannot be in the midst of an RCU read-side critical
|
|||
|
section that started before the current grace period:
|
|||
|
|
|||
|
.. kernel-figure:: GPpartitionReaders1.svg
|
|||
|
|
|||
|
If it is necessary to partition RCU read-side critical sections in this
|
|||
|
manner, it is necessary to use two grace periods, where the first grace
|
|||
|
period is known to end before the second grace period starts:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 void thread0(void)
|
|||
|
2 {
|
|||
|
3 rcu_read_lock();
|
|||
|
4 WRITE_ONCE(a, 1);
|
|||
|
5 WRITE_ONCE(b, 1);
|
|||
|
6 rcu_read_unlock();
|
|||
|
7 }
|
|||
|
8
|
|||
|
9 void thread1(void)
|
|||
|
10 {
|
|||
|
11 r1 = READ_ONCE(a);
|
|||
|
12 synchronize_rcu();
|
|||
|
13 WRITE_ONCE(c, 1);
|
|||
|
14 }
|
|||
|
15
|
|||
|
16 void thread2(void)
|
|||
|
17 {
|
|||
|
18 r2 = READ_ONCE(c);
|
|||
|
19 synchronize_rcu();
|
|||
|
20 WRITE_ONCE(d, 1);
|
|||
|
21 }
|
|||
|
22
|
|||
|
23 void thread3(void)
|
|||
|
24 {
|
|||
|
25 rcu_read_lock();
|
|||
|
26 r3 = READ_ONCE(b);
|
|||
|
27 r4 = READ_ONCE(d);
|
|||
|
28 rcu_read_unlock();
|
|||
|
29 }
|
|||
|
|
|||
|
Here, if ``(r1 == 1)``, then thread0()'s write to ``b`` must happen
|
|||
|
before the end of thread1()'s grace period. If in addition
|
|||
|
``(r4 == 1)``, then thread3()'s read from ``b`` must happen after
|
|||
|
the beginning of thread2()'s grace period. If it is also the case
|
|||
|
that ``(r2 == 1)``, then the end of thread1()'s grace period must
|
|||
|
precede the beginning of thread2()'s grace period. This mean that
|
|||
|
the two RCU read-side critical sections cannot overlap, guaranteeing
|
|||
|
that ``(r3 == 1)``. As a result, the outcome:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
(r1 == 1 && r2 == 1 && r3 == 0 && r4 == 1)
|
|||
|
|
|||
|
cannot happen.
|
|||
|
|
|||
|
This non-requirement was also non-premeditated, but became apparent when
|
|||
|
studying RCU's interaction with memory ordering.
|
|||
|
|
|||
|
Read-Side Critical Sections Don't Partition Grace Periods
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
It is also tempting to assume that if an RCU read-side critical section
|
|||
|
happens between a pair of grace periods, then those grace periods cannot
|
|||
|
overlap. However, this temptation leads nowhere good, as can be
|
|||
|
illustrated by the following, with all variables initially zero:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 void thread0(void)
|
|||
|
2 {
|
|||
|
3 rcu_read_lock();
|
|||
|
4 WRITE_ONCE(a, 1);
|
|||
|
5 WRITE_ONCE(b, 1);
|
|||
|
6 rcu_read_unlock();
|
|||
|
7 }
|
|||
|
8
|
|||
|
9 void thread1(void)
|
|||
|
10 {
|
|||
|
11 r1 = READ_ONCE(a);
|
|||
|
12 synchronize_rcu();
|
|||
|
13 WRITE_ONCE(c, 1);
|
|||
|
14 }
|
|||
|
15
|
|||
|
16 void thread2(void)
|
|||
|
17 {
|
|||
|
18 rcu_read_lock();
|
|||
|
19 WRITE_ONCE(d, 1);
|
|||
|
20 r2 = READ_ONCE(c);
|
|||
|
21 rcu_read_unlock();
|
|||
|
22 }
|
|||
|
23
|
|||
|
24 void thread3(void)
|
|||
|
25 {
|
|||
|
26 r3 = READ_ONCE(d);
|
|||
|
27 synchronize_rcu();
|
|||
|
28 WRITE_ONCE(e, 1);
|
|||
|
29 }
|
|||
|
30
|
|||
|
31 void thread4(void)
|
|||
|
32 {
|
|||
|
33 rcu_read_lock();
|
|||
|
34 r4 = READ_ONCE(b);
|
|||
|
35 r5 = READ_ONCE(e);
|
|||
|
36 rcu_read_unlock();
|
|||
|
37 }
|
|||
|
|
|||
|
In this case, the outcome:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
(r1 == 1 && r2 == 1 && r3 == 1 && r4 == 0 && r5 == 1)
|
|||
|
|
|||
|
is entirely possible, as illustrated below:
|
|||
|
|
|||
|
.. kernel-figure:: ReadersPartitionGP1.svg
|
|||
|
|
|||
|
Again, an RCU read-side critical section can overlap almost all of a
|
|||
|
given grace period, just so long as it does not overlap the entire grace
|
|||
|
period. As a result, an RCU read-side critical section cannot partition
|
|||
|
a pair of RCU grace periods.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| How long a sequence of grace periods, each separated by an RCU |
|
|||
|
| read-side critical section, would be required to partition the RCU |
|
|||
|
| read-side critical sections at the beginning and end of the chain? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| In theory, an infinite number. In practice, an unknown number that is |
|
|||
|
| sensitive to both implementation details and timing considerations. |
|
|||
|
| Therefore, even in practice, RCU users must abide by the theoretical |
|
|||
|
| rather than the practical answer. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
Parallelism Facts of Life
|
|||
|
-------------------------
|
|||
|
|
|||
|
These parallelism facts of life are by no means specific to RCU, but the
|
|||
|
RCU implementation must abide by them. They therefore bear repeating:
|
|||
|
|
|||
|
#. Any CPU or task may be delayed at any time, and any attempts to avoid
|
|||
|
these delays by disabling preemption, interrupts, or whatever are
|
|||
|
completely futile. This is most obvious in preemptible user-level
|
|||
|
environments and in virtualized environments (where a given guest
|
|||
|
OS's VCPUs can be preempted at any time by the underlying
|
|||
|
hypervisor), but can also happen in bare-metal environments due to
|
|||
|
ECC errors, NMIs, and other hardware events. Although a delay of more
|
|||
|
than about 20 seconds can result in splats, the RCU implementation is
|
|||
|
obligated to use algorithms that can tolerate extremely long delays,
|
|||
|
but where “extremely long” is not long enough to allow wrap-around
|
|||
|
when incrementing a 64-bit counter.
|
|||
|
#. Both the compiler and the CPU can reorder memory accesses. Where it
|
|||
|
matters, RCU must use compiler directives and memory-barrier
|
|||
|
instructions to preserve ordering.
|
|||
|
#. Conflicting writes to memory locations in any given cache line will
|
|||
|
result in expensive cache misses. Greater numbers of concurrent
|
|||
|
writes and more-frequent concurrent writes will result in more
|
|||
|
dramatic slowdowns. RCU is therefore obligated to use algorithms that
|
|||
|
have sufficient locality to avoid significant performance and
|
|||
|
scalability problems.
|
|||
|
#. As a rough rule of thumb, only one CPU's worth of processing may be
|
|||
|
carried out under the protection of any given exclusive lock. RCU
|
|||
|
must therefore use scalable locking designs.
|
|||
|
#. Counters are finite, especially on 32-bit systems. RCU's use of
|
|||
|
counters must therefore tolerate counter wrap, or be designed such
|
|||
|
that counter wrap would take way more time than a single system is
|
|||
|
likely to run. An uptime of ten years is quite possible, a runtime of
|
|||
|
a century much less so. As an example of the latter, RCU's
|
|||
|
dyntick-idle nesting counter allows 54 bits for interrupt nesting
|
|||
|
level (this counter is 64 bits even on a 32-bit system). Overflowing
|
|||
|
this counter requires 2\ :sup:`54` half-interrupts on a given CPU
|
|||
|
without that CPU ever going idle. If a half-interrupt happened every
|
|||
|
microsecond, it would take 570 years of runtime to overflow this
|
|||
|
counter, which is currently believed to be an acceptably long time.
|
|||
|
#. Linux systems can have thousands of CPUs running a single Linux
|
|||
|
kernel in a single shared-memory environment. RCU must therefore pay
|
|||
|
close attention to high-end scalability.
|
|||
|
|
|||
|
This last parallelism fact of life means that RCU must pay special
|
|||
|
attention to the preceding facts of life. The idea that Linux might
|
|||
|
scale to systems with thousands of CPUs would have been met with some
|
|||
|
skepticism in the 1990s, but these requirements would have otherwise
|
|||
|
have been unsurprising, even in the early 1990s.
|
|||
|
|
|||
|
Quality-of-Implementation Requirements
|
|||
|
--------------------------------------
|
|||
|
|
|||
|
These sections list quality-of-implementation requirements. Although an
|
|||
|
RCU implementation that ignores these requirements could still be used,
|
|||
|
it would likely be subject to limitations that would make it
|
|||
|
inappropriate for industrial-strength production use. Classes of
|
|||
|
quality-of-implementation requirements are as follows:
|
|||
|
|
|||
|
#. `Specialization`_
|
|||
|
#. `Performance and Scalability`_
|
|||
|
#. `Forward Progress`_
|
|||
|
#. `Composability`_
|
|||
|
#. `Corner Cases`_
|
|||
|
|
|||
|
These classes is covered in the following sections.
|
|||
|
|
|||
|
Specialization
|
|||
|
~~~~~~~~~~~~~~
|
|||
|
|
|||
|
RCU is and always has been intended primarily for read-mostly
|
|||
|
situations, which means that RCU's read-side primitives are optimized,
|
|||
|
often at the expense of its update-side primitives. Experience thus far
|
|||
|
is captured by the following list of situations:
|
|||
|
|
|||
|
#. Read-mostly data, where stale and inconsistent data is not a problem:
|
|||
|
RCU works great!
|
|||
|
#. Read-mostly data, where data must be consistent: RCU works well.
|
|||
|
#. Read-write data, where data must be consistent: RCU *might* work OK.
|
|||
|
Or not.
|
|||
|
#. Write-mostly data, where data must be consistent: RCU is very
|
|||
|
unlikely to be the right tool for the job, with the following
|
|||
|
exceptions, where RCU can provide:
|
|||
|
|
|||
|
a. Existence guarantees for update-friendly mechanisms.
|
|||
|
b. Wait-free read-side primitives for real-time use.
|
|||
|
|
|||
|
This focus on read-mostly situations means that RCU must interoperate
|
|||
|
with other synchronization primitives. For example, the add_gp() and
|
|||
|
remove_gp_synchronous() examples discussed earlier use RCU to
|
|||
|
protect readers and locking to coordinate updaters. However, the need
|
|||
|
extends much farther, requiring that a variety of synchronization
|
|||
|
primitives be legal within RCU read-side critical sections, including
|
|||
|
spinlocks, sequence locks, atomic operations, reference counters, and
|
|||
|
memory barriers.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| What about sleeping locks? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| These are forbidden within Linux-kernel RCU read-side critical |
|
|||
|
| sections because it is not legal to place a quiescent state (in this |
|
|||
|
| case, voluntary context switch) within an RCU read-side critical |
|
|||
|
| section. However, sleeping locks may be used within userspace RCU |
|
|||
|
| read-side critical sections, and also within Linux-kernel sleepable |
|
|||
|
| RCU `(SRCU) <Sleepable RCU_>`__ read-side critical sections. In |
|
|||
|
| addition, the -rt patchset turns spinlocks into a sleeping locks so |
|
|||
|
| that the corresponding critical sections can be preempted, which also |
|
|||
|
| means that these sleeplockified spinlocks (but not other sleeping |
|
|||
|
| locks!) may be acquire within -rt-Linux-kernel RCU read-side critical |
|
|||
|
| sections. |
|
|||
|
| Note that it *is* legal for a normal RCU read-side critical section |
|
|||
|
| to conditionally acquire a sleeping locks (as in |
|
|||
|
| mutex_trylock()), but only as long as it does not loop |
|
|||
|
| indefinitely attempting to conditionally acquire that sleeping locks. |
|
|||
|
| The key point is that things like mutex_trylock() either return |
|
|||
|
| with the mutex held, or return an error indication if the mutex was |
|
|||
|
| not immediately available. Either way, mutex_trylock() returns |
|
|||
|
| immediately without sleeping. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
It often comes as a surprise that many algorithms do not require a
|
|||
|
consistent view of data, but many can function in that mode, with
|
|||
|
network routing being the poster child. Internet routing algorithms take
|
|||
|
significant time to propagate updates, so that by the time an update
|
|||
|
arrives at a given system, that system has been sending network traffic
|
|||
|
the wrong way for a considerable length of time. Having a few threads
|
|||
|
continue to send traffic the wrong way for a few more milliseconds is
|
|||
|
clearly not a problem: In the worst case, TCP retransmissions will
|
|||
|
eventually get the data where it needs to go. In general, when tracking
|
|||
|
the state of the universe outside of the computer, some level of
|
|||
|
inconsistency must be tolerated due to speed-of-light delays if nothing
|
|||
|
else.
|
|||
|
|
|||
|
Furthermore, uncertainty about external state is inherent in many cases.
|
|||
|
For example, a pair of veterinarians might use heartbeat to determine
|
|||
|
whether or not a given cat was alive. But how long should they wait
|
|||
|
after the last heartbeat to decide that the cat is in fact dead? Waiting
|
|||
|
less than 400 milliseconds makes no sense because this would mean that a
|
|||
|
relaxed cat would be considered to cycle between death and life more
|
|||
|
than 100 times per minute. Moreover, just as with human beings, a cat's
|
|||
|
heart might stop for some period of time, so the exact wait period is a
|
|||
|
judgment call. One of our pair of veterinarians might wait 30 seconds
|
|||
|
before pronouncing the cat dead, while the other might insist on waiting
|
|||
|
a full minute. The two veterinarians would then disagree on the state of
|
|||
|
the cat during the final 30 seconds of the minute following the last
|
|||
|
heartbeat.
|
|||
|
|
|||
|
Interestingly enough, this same situation applies to hardware. When push
|
|||
|
comes to shove, how do we tell whether or not some external server has
|
|||
|
failed? We send messages to it periodically, and declare it failed if we
|
|||
|
don't receive a response within a given period of time. Policy decisions
|
|||
|
can usually tolerate short periods of inconsistency. The policy was
|
|||
|
decided some time ago, and is only now being put into effect, so a few
|
|||
|
milliseconds of delay is normally inconsequential.
|
|||
|
|
|||
|
However, there are algorithms that absolutely must see consistent data.
|
|||
|
For example, the translation between a user-level SystemV semaphore ID
|
|||
|
to the corresponding in-kernel data structure is protected by RCU, but
|
|||
|
it is absolutely forbidden to update a semaphore that has just been
|
|||
|
removed. In the Linux kernel, this need for consistency is accommodated
|
|||
|
by acquiring spinlocks located in the in-kernel data structure from
|
|||
|
within the RCU read-side critical section, and this is indicated by the
|
|||
|
green box in the figure above. Many other techniques may be used, and
|
|||
|
are in fact used within the Linux kernel.
|
|||
|
|
|||
|
In short, RCU is not required to maintain consistency, and other
|
|||
|
mechanisms may be used in concert with RCU when consistency is required.
|
|||
|
RCU's specialization allows it to do its job extremely well, and its
|
|||
|
ability to interoperate with other synchronization mechanisms allows the
|
|||
|
right mix of synchronization tools to be used for a given job.
|
|||
|
|
|||
|
Performance and Scalability
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
Energy efficiency is a critical component of performance today, and
|
|||
|
Linux-kernel RCU implementations must therefore avoid unnecessarily
|
|||
|
awakening idle CPUs. I cannot claim that this requirement was
|
|||
|
premeditated. In fact, I learned of it during a telephone conversation
|
|||
|
in which I was given “frank and open” feedback on the importance of
|
|||
|
energy efficiency in battery-powered systems and on specific
|
|||
|
energy-efficiency shortcomings of the Linux-kernel RCU implementation.
|
|||
|
In my experience, the battery-powered embedded community will consider
|
|||
|
any unnecessary wakeups to be extremely unfriendly acts. So much so that
|
|||
|
mere Linux-kernel-mailing-list posts are insufficient to vent their ire.
|
|||
|
|
|||
|
Memory consumption is not particularly important for in most situations,
|
|||
|
and has become decreasingly so as memory sizes have expanded and memory
|
|||
|
costs have plummeted. However, as I learned from Matt Mackall's
|
|||
|
`bloatwatch <http://elinux.org/Linux_Tiny-FAQ>`__ efforts, memory
|
|||
|
footprint is critically important on single-CPU systems with
|
|||
|
non-preemptible (``CONFIG_PREEMPTION=n``) kernels, and thus `tiny
|
|||
|
RCU <https://lore.kernel.org/r/20090113221724.GA15307@linux.vnet.ibm.com>`__
|
|||
|
was born. Josh Triplett has since taken over the small-memory banner
|
|||
|
with his `Linux kernel tinification <https://tiny.wiki.kernel.org/>`__
|
|||
|
project, which resulted in `SRCU <Sleepable RCU_>`__ becoming optional
|
|||
|
for those kernels not needing it.
|
|||
|
|
|||
|
The remaining performance requirements are, for the most part,
|
|||
|
unsurprising. For example, in keeping with RCU's read-side
|
|||
|
specialization, rcu_dereference() should have negligible overhead
|
|||
|
(for example, suppression of a few minor compiler optimizations).
|
|||
|
Similarly, in non-preemptible environments, rcu_read_lock() and
|
|||
|
rcu_read_unlock() should have exactly zero overhead.
|
|||
|
|
|||
|
In preemptible environments, in the case where the RCU read-side
|
|||
|
critical section was not preempted (as will be the case for the
|
|||
|
highest-priority real-time process), rcu_read_lock() and
|
|||
|
rcu_read_unlock() should have minimal overhead. In particular, they
|
|||
|
should not contain atomic read-modify-write operations, memory-barrier
|
|||
|
instructions, preemption disabling, interrupt disabling, or backwards
|
|||
|
branches. However, in the case where the RCU read-side critical section
|
|||
|
was preempted, rcu_read_unlock() may acquire spinlocks and disable
|
|||
|
interrupts. This is why it is better to nest an RCU read-side critical
|
|||
|
section within a preempt-disable region than vice versa, at least in
|
|||
|
cases where that critical section is short enough to avoid unduly
|
|||
|
degrading real-time latencies.
|
|||
|
|
|||
|
The synchronize_rcu() grace-period-wait primitive is optimized for
|
|||
|
throughput. It may therefore incur several milliseconds of latency in
|
|||
|
addition to the duration of the longest RCU read-side critical section.
|
|||
|
On the other hand, multiple concurrent invocations of
|
|||
|
synchronize_rcu() are required to use batching optimizations so that
|
|||
|
they can be satisfied by a single underlying grace-period-wait
|
|||
|
operation. For example, in the Linux kernel, it is not unusual for a
|
|||
|
single grace-period-wait operation to serve more than `1,000 separate
|
|||
|
invocations <https://www.usenix.org/conference/2004-usenix-annual-technical-conference/making-rcu-safe-deep-sub-millisecond-response>`__
|
|||
|
of synchronize_rcu(), thus amortizing the per-invocation overhead
|
|||
|
down to nearly zero. However, the grace-period optimization is also
|
|||
|
required to avoid measurable degradation of real-time scheduling and
|
|||
|
interrupt latencies.
|
|||
|
|
|||
|
In some cases, the multi-millisecond synchronize_rcu() latencies are
|
|||
|
unacceptable. In these cases, synchronize_rcu_expedited() may be
|
|||
|
used instead, reducing the grace-period latency down to a few tens of
|
|||
|
microseconds on small systems, at least in cases where the RCU read-side
|
|||
|
critical sections are short. There are currently no special latency
|
|||
|
requirements for synchronize_rcu_expedited() on large systems, but,
|
|||
|
consistent with the empirical nature of the RCU specification, that is
|
|||
|
subject to change. However, there most definitely are scalability
|
|||
|
requirements: A storm of synchronize_rcu_expedited() invocations on
|
|||
|
4096 CPUs should at least make reasonable forward progress. In return
|
|||
|
for its shorter latencies, synchronize_rcu_expedited() is permitted
|
|||
|
to impose modest degradation of real-time latency on non-idle online
|
|||
|
CPUs. Here, “modest” means roughly the same latency degradation as a
|
|||
|
scheduling-clock interrupt.
|
|||
|
|
|||
|
There are a number of situations where even
|
|||
|
synchronize_rcu_expedited()'s reduced grace-period latency is
|
|||
|
unacceptable. In these situations, the asynchronous call_rcu() can
|
|||
|
be used in place of synchronize_rcu() as follows:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 struct foo {
|
|||
|
2 int a;
|
|||
|
3 int b;
|
|||
|
4 struct rcu_head rh;
|
|||
|
5 };
|
|||
|
6
|
|||
|
7 static void remove_gp_cb(struct rcu_head *rhp)
|
|||
|
8 {
|
|||
|
9 struct foo *p = container_of(rhp, struct foo, rh);
|
|||
|
10
|
|||
|
11 kfree(p);
|
|||
|
12 }
|
|||
|
13
|
|||
|
14 bool remove_gp_asynchronous(void)
|
|||
|
15 {
|
|||
|
16 struct foo *p;
|
|||
|
17
|
|||
|
18 spin_lock(&gp_lock);
|
|||
|
19 p = rcu_access_pointer(gp);
|
|||
|
20 if (!p) {
|
|||
|
21 spin_unlock(&gp_lock);
|
|||
|
22 return false;
|
|||
|
23 }
|
|||
|
24 rcu_assign_pointer(gp, NULL);
|
|||
|
25 call_rcu(&p->rh, remove_gp_cb);
|
|||
|
26 spin_unlock(&gp_lock);
|
|||
|
27 return true;
|
|||
|
28 }
|
|||
|
|
|||
|
A definition of ``struct foo`` is finally needed, and appears on
|
|||
|
lines 1-5. The function remove_gp_cb() is passed to call_rcu()
|
|||
|
on line 25, and will be invoked after the end of a subsequent grace
|
|||
|
period. This gets the same effect as remove_gp_synchronous(), but
|
|||
|
without forcing the updater to wait for a grace period to elapse. The
|
|||
|
call_rcu() function may be used in a number of situations where
|
|||
|
neither synchronize_rcu() nor synchronize_rcu_expedited() would
|
|||
|
be legal, including within preempt-disable code, local_bh_disable()
|
|||
|
code, interrupt-disable code, and interrupt handlers. However, even
|
|||
|
call_rcu() is illegal within NMI handlers and from idle and offline
|
|||
|
CPUs. The callback function (remove_gp_cb() in this case) will be
|
|||
|
executed within softirq (software interrupt) environment within the
|
|||
|
Linux kernel, either within a real softirq handler or under the
|
|||
|
protection of local_bh_disable(). In both the Linux kernel and in
|
|||
|
userspace, it is bad practice to write an RCU callback function that
|
|||
|
takes too long. Long-running operations should be relegated to separate
|
|||
|
threads or (in the Linux kernel) workqueues.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Why does line 19 use rcu_access_pointer()? After all, |
|
|||
|
| call_rcu() on line 25 stores into the structure, which would |
|
|||
|
| interact badly with concurrent insertions. Doesn't this mean that |
|
|||
|
| rcu_dereference() is required? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Presumably the ``->gp_lock`` acquired on line 18 excludes any |
|
|||
|
| changes, including any insertions that rcu_dereference() would |
|
|||
|
| protect against. Therefore, any insertions will be delayed until |
|
|||
|
| after ``->gp_lock`` is released on line 25, which in turn means that |
|
|||
|
| rcu_access_pointer() suffices. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
However, all that remove_gp_cb() is doing is invoking kfree() on
|
|||
|
the data element. This is a common idiom, and is supported by
|
|||
|
kfree_rcu(), which allows “fire and forget” operation as shown
|
|||
|
below:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 struct foo {
|
|||
|
2 int a;
|
|||
|
3 int b;
|
|||
|
4 struct rcu_head rh;
|
|||
|
5 };
|
|||
|
6
|
|||
|
7 bool remove_gp_faf(void)
|
|||
|
8 {
|
|||
|
9 struct foo *p;
|
|||
|
10
|
|||
|
11 spin_lock(&gp_lock);
|
|||
|
12 p = rcu_dereference(gp);
|
|||
|
13 if (!p) {
|
|||
|
14 spin_unlock(&gp_lock);
|
|||
|
15 return false;
|
|||
|
16 }
|
|||
|
17 rcu_assign_pointer(gp, NULL);
|
|||
|
18 kfree_rcu(p, rh);
|
|||
|
19 spin_unlock(&gp_lock);
|
|||
|
20 return true;
|
|||
|
21 }
|
|||
|
|
|||
|
Note that remove_gp_faf() simply invokes kfree_rcu() and
|
|||
|
proceeds, without any need to pay any further attention to the
|
|||
|
subsequent grace period and kfree(). It is permissible to invoke
|
|||
|
kfree_rcu() from the same environments as for call_rcu().
|
|||
|
Interestingly enough, DYNIX/ptx had the equivalents of call_rcu()
|
|||
|
and kfree_rcu(), but not synchronize_rcu(). This was due to the
|
|||
|
fact that RCU was not heavily used within DYNIX/ptx, so the very few
|
|||
|
places that needed something like synchronize_rcu() simply
|
|||
|
open-coded it.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Earlier it was claimed that call_rcu() and kfree_rcu() |
|
|||
|
| allowed updaters to avoid being blocked by readers. But how can that |
|
|||
|
| be correct, given that the invocation of the callback and the freeing |
|
|||
|
| of the memory (respectively) must still wait for a grace period to |
|
|||
|
| elapse? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| We could define things this way, but keep in mind that this sort of |
|
|||
|
| definition would say that updates in garbage-collected languages |
|
|||
|
| cannot complete until the next time the garbage collector runs, which |
|
|||
|
| does not seem at all reasonable. The key point is that in most cases, |
|
|||
|
| an updater using either call_rcu() or kfree_rcu() can proceed |
|
|||
|
| to the next update as soon as it has invoked call_rcu() or |
|
|||
|
| kfree_rcu(), without having to wait for a subsequent grace |
|
|||
|
| period. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
But what if the updater must wait for the completion of code to be
|
|||
|
executed after the end of the grace period, but has other tasks that can
|
|||
|
be carried out in the meantime? The polling-style
|
|||
|
get_state_synchronize_rcu() and cond_synchronize_rcu() functions
|
|||
|
may be used for this purpose, as shown below:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 bool remove_gp_poll(void)
|
|||
|
2 {
|
|||
|
3 struct foo *p;
|
|||
|
4 unsigned long s;
|
|||
|
5
|
|||
|
6 spin_lock(&gp_lock);
|
|||
|
7 p = rcu_access_pointer(gp);
|
|||
|
8 if (!p) {
|
|||
|
9 spin_unlock(&gp_lock);
|
|||
|
10 return false;
|
|||
|
11 }
|
|||
|
12 rcu_assign_pointer(gp, NULL);
|
|||
|
13 spin_unlock(&gp_lock);
|
|||
|
14 s = get_state_synchronize_rcu();
|
|||
|
15 do_something_while_waiting();
|
|||
|
16 cond_synchronize_rcu(s);
|
|||
|
17 kfree(p);
|
|||
|
18 return true;
|
|||
|
19 }
|
|||
|
|
|||
|
On line 14, get_state_synchronize_rcu() obtains a “cookie” from RCU,
|
|||
|
then line 15 carries out other tasks, and finally, line 16 returns
|
|||
|
immediately if a grace period has elapsed in the meantime, but otherwise
|
|||
|
waits as required. The need for ``get_state_synchronize_rcu`` and
|
|||
|
cond_synchronize_rcu() has appeared quite recently, so it is too
|
|||
|
early to tell whether they will stand the test of time.
|
|||
|
|
|||
|
RCU thus provides a range of tools to allow updaters to strike the
|
|||
|
required tradeoff between latency, flexibility and CPU overhead.
|
|||
|
|
|||
|
Forward Progress
|
|||
|
~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
In theory, delaying grace-period completion and callback invocation is
|
|||
|
harmless. In practice, not only are memory sizes finite but also
|
|||
|
callbacks sometimes do wakeups, and sufficiently deferred wakeups can be
|
|||
|
difficult to distinguish from system hangs. Therefore, RCU must provide
|
|||
|
a number of mechanisms to promote forward progress.
|
|||
|
|
|||
|
These mechanisms are not foolproof, nor can they be. For one simple
|
|||
|
example, an infinite loop in an RCU read-side critical section must by
|
|||
|
definition prevent later grace periods from ever completing. For a more
|
|||
|
involved example, consider a 64-CPU system built with
|
|||
|
``CONFIG_RCU_NOCB_CPU=y`` and booted with ``rcu_nocbs=1-63``, where
|
|||
|
CPUs 1 through 63 spin in tight loops that invoke call_rcu(). Even
|
|||
|
if these tight loops also contain calls to cond_resched() (thus
|
|||
|
allowing grace periods to complete), CPU 0 simply will not be able to
|
|||
|
invoke callbacks as fast as the other 63 CPUs can register them, at
|
|||
|
least not until the system runs out of memory. In both of these
|
|||
|
examples, the Spiderman principle applies: With great power comes great
|
|||
|
responsibility. However, short of this level of abuse, RCU is required
|
|||
|
to ensure timely completion of grace periods and timely invocation of
|
|||
|
callbacks.
|
|||
|
|
|||
|
RCU takes the following steps to encourage timely completion of grace
|
|||
|
periods:
|
|||
|
|
|||
|
#. If a grace period fails to complete within 100 milliseconds, RCU
|
|||
|
causes future invocations of cond_resched() on the holdout CPUs
|
|||
|
to provide an RCU quiescent state. RCU also causes those CPUs'
|
|||
|
need_resched() invocations to return ``true``, but only after the
|
|||
|
corresponding CPU's next scheduling-clock.
|
|||
|
#. CPUs mentioned in the ``nohz_full`` kernel boot parameter can run
|
|||
|
indefinitely in the kernel without scheduling-clock interrupts, which
|
|||
|
defeats the above need_resched() strategem. RCU will therefore
|
|||
|
invoke resched_cpu() on any ``nohz_full`` CPUs still holding out
|
|||
|
after 109 milliseconds.
|
|||
|
#. In kernels built with ``CONFIG_RCU_BOOST=y``, if a given task that
|
|||
|
has been preempted within an RCU read-side critical section is
|
|||
|
holding out for more than 500 milliseconds, RCU will resort to
|
|||
|
priority boosting.
|
|||
|
#. If a CPU is still holding out 10 seconds into the grace period, RCU
|
|||
|
will invoke resched_cpu() on it regardless of its ``nohz_full``
|
|||
|
state.
|
|||
|
|
|||
|
The above values are defaults for systems running with ``HZ=1000``. They
|
|||
|
will vary as the value of ``HZ`` varies, and can also be changed using
|
|||
|
the relevant Kconfig options and kernel boot parameters. RCU currently
|
|||
|
does not do much sanity checking of these parameters, so please use
|
|||
|
caution when changing them. Note that these forward-progress measures
|
|||
|
are provided only for RCU, not for `SRCU <Sleepable RCU_>`__ or `Tasks
|
|||
|
RCU`_.
|
|||
|
|
|||
|
RCU takes the following steps in call_rcu() to encourage timely
|
|||
|
invocation of callbacks when any given non-\ ``rcu_nocbs`` CPU has
|
|||
|
10,000 callbacks, or has 10,000 more callbacks than it had the last time
|
|||
|
encouragement was provided:
|
|||
|
|
|||
|
#. Starts a grace period, if one is not already in progress.
|
|||
|
#. Forces immediate checking for quiescent states, rather than waiting
|
|||
|
for three milliseconds to have elapsed since the beginning of the
|
|||
|
grace period.
|
|||
|
#. Immediately tags the CPU's callbacks with their grace period
|
|||
|
completion numbers, rather than waiting for the ``RCU_SOFTIRQ``
|
|||
|
handler to get around to it.
|
|||
|
#. Lifts callback-execution batch limits, which speeds up callback
|
|||
|
invocation at the expense of degrading realtime response.
|
|||
|
|
|||
|
Again, these are default values when running at ``HZ=1000``, and can be
|
|||
|
overridden. Again, these forward-progress measures are provided only for
|
|||
|
RCU, not for `SRCU <Sleepable RCU_>`__ or `Tasks
|
|||
|
RCU`_. Even for RCU, callback-invocation forward
|
|||
|
progress for ``rcu_nocbs`` CPUs is much less well-developed, in part
|
|||
|
because workloads benefiting from ``rcu_nocbs`` CPUs tend to invoke
|
|||
|
call_rcu() relatively infrequently. If workloads emerge that need
|
|||
|
both ``rcu_nocbs`` CPUs and high call_rcu() invocation rates, then
|
|||
|
additional forward-progress work will be required.
|
|||
|
|
|||
|
Composability
|
|||
|
~~~~~~~~~~~~~
|
|||
|
|
|||
|
Composability has received much attention in recent years, perhaps in
|
|||
|
part due to the collision of multicore hardware with object-oriented
|
|||
|
techniques designed in single-threaded environments for single-threaded
|
|||
|
use. And in theory, RCU read-side critical sections may be composed, and
|
|||
|
in fact may be nested arbitrarily deeply. In practice, as with all
|
|||
|
real-world implementations of composable constructs, there are
|
|||
|
limitations.
|
|||
|
|
|||
|
Implementations of RCU for which rcu_read_lock() and
|
|||
|
rcu_read_unlock() generate no code, such as Linux-kernel RCU when
|
|||
|
``CONFIG_PREEMPTION=n``, can be nested arbitrarily deeply. After all, there
|
|||
|
is no overhead. Except that if all these instances of
|
|||
|
rcu_read_lock() and rcu_read_unlock() are visible to the
|
|||
|
compiler, compilation will eventually fail due to exhausting memory,
|
|||
|
mass storage, or user patience, whichever comes first. If the nesting is
|
|||
|
not visible to the compiler, as is the case with mutually recursive
|
|||
|
functions each in its own translation unit, stack overflow will result.
|
|||
|
If the nesting takes the form of loops, perhaps in the guise of tail
|
|||
|
recursion, either the control variable will overflow or (in the Linux
|
|||
|
kernel) you will get an RCU CPU stall warning. Nevertheless, this class
|
|||
|
of RCU implementations is one of the most composable constructs in
|
|||
|
existence.
|
|||
|
|
|||
|
RCU implementations that explicitly track nesting depth are limited by
|
|||
|
the nesting-depth counter. For example, the Linux kernel's preemptible
|
|||
|
RCU limits nesting to ``INT_MAX``. This should suffice for almost all
|
|||
|
practical purposes. That said, a consecutive pair of RCU read-side
|
|||
|
critical sections between which there is an operation that waits for a
|
|||
|
grace period cannot be enclosed in another RCU read-side critical
|
|||
|
section. This is because it is not legal to wait for a grace period
|
|||
|
within an RCU read-side critical section: To do so would result either
|
|||
|
in deadlock or in RCU implicitly splitting the enclosing RCU read-side
|
|||
|
critical section, neither of which is conducive to a long-lived and
|
|||
|
prosperous kernel.
|
|||
|
|
|||
|
It is worth noting that RCU is not alone in limiting composability. For
|
|||
|
example, many transactional-memory implementations prohibit composing a
|
|||
|
pair of transactions separated by an irrevocable operation (for example,
|
|||
|
a network receive operation). For another example, lock-based critical
|
|||
|
sections can be composed surprisingly freely, but only if deadlock is
|
|||
|
avoided.
|
|||
|
|
|||
|
In short, although RCU read-side critical sections are highly
|
|||
|
composable, care is required in some situations, just as is the case for
|
|||
|
any other composable synchronization mechanism.
|
|||
|
|
|||
|
Corner Cases
|
|||
|
~~~~~~~~~~~~
|
|||
|
|
|||
|
A given RCU workload might have an endless and intense stream of RCU
|
|||
|
read-side critical sections, perhaps even so intense that there was
|
|||
|
never a point in time during which there was not at least one RCU
|
|||
|
read-side critical section in flight. RCU cannot allow this situation to
|
|||
|
block grace periods: As long as all the RCU read-side critical sections
|
|||
|
are finite, grace periods must also be finite.
|
|||
|
|
|||
|
That said, preemptible RCU implementations could potentially result in
|
|||
|
RCU read-side critical sections being preempted for long durations,
|
|||
|
which has the effect of creating a long-duration RCU read-side critical
|
|||
|
section. This situation can arise only in heavily loaded systems, but
|
|||
|
systems using real-time priorities are of course more vulnerable.
|
|||
|
Therefore, RCU priority boosting is provided to help deal with this
|
|||
|
case. That said, the exact requirements on RCU priority boosting will
|
|||
|
likely evolve as more experience accumulates.
|
|||
|
|
|||
|
Other workloads might have very high update rates. Although one can
|
|||
|
argue that such workloads should instead use something other than RCU,
|
|||
|
the fact remains that RCU must handle such workloads gracefully. This
|
|||
|
requirement is another factor driving batching of grace periods, but it
|
|||
|
is also the driving force behind the checks for large numbers of queued
|
|||
|
RCU callbacks in the call_rcu() code path. Finally, high update
|
|||
|
rates should not delay RCU read-side critical sections, although some
|
|||
|
small read-side delays can occur when using
|
|||
|
synchronize_rcu_expedited(), courtesy of this function's use of
|
|||
|
smp_call_function_single().
|
|||
|
|
|||
|
Although all three of these corner cases were understood in the early
|
|||
|
1990s, a simple user-level test consisting of ``close(open(path))`` in a
|
|||
|
tight loop in the early 2000s suddenly provided a much deeper
|
|||
|
appreciation of the high-update-rate corner case. This test also
|
|||
|
motivated addition of some RCU code to react to high update rates, for
|
|||
|
example, if a given CPU finds itself with more than 10,000 RCU callbacks
|
|||
|
queued, it will cause RCU to take evasive action by more aggressively
|
|||
|
starting grace periods and more aggressively forcing completion of
|
|||
|
grace-period processing. This evasive action causes the grace period to
|
|||
|
complete more quickly, but at the cost of restricting RCU's batching
|
|||
|
optimizations, thus increasing the CPU overhead incurred by that grace
|
|||
|
period.
|
|||
|
|
|||
|
Software-Engineering Requirements
|
|||
|
---------------------------------
|
|||
|
|
|||
|
Between Murphy's Law and “To err is human”, it is necessary to guard
|
|||
|
against mishaps and misuse:
|
|||
|
|
|||
|
#. It is all too easy to forget to use rcu_read_lock() everywhere
|
|||
|
that it is needed, so kernels built with ``CONFIG_PROVE_RCU=y`` will
|
|||
|
splat if rcu_dereference() is used outside of an RCU read-side
|
|||
|
critical section. Update-side code can use
|
|||
|
rcu_dereference_protected(), which takes a `lockdep
|
|||
|
expression <https://lwn.net/Articles/371986/>`__ to indicate what is
|
|||
|
providing the protection. If the indicated protection is not
|
|||
|
provided, a lockdep splat is emitted.
|
|||
|
Code shared between readers and updaters can use
|
|||
|
rcu_dereference_check(), which also takes a lockdep expression,
|
|||
|
and emits a lockdep splat if neither rcu_read_lock() nor the
|
|||
|
indicated protection is in place. In addition,
|
|||
|
rcu_dereference_raw() is used in those (hopefully rare) cases
|
|||
|
where the required protection cannot be easily described. Finally,
|
|||
|
rcu_read_lock_held() is provided to allow a function to verify
|
|||
|
that it has been invoked within an RCU read-side critical section. I
|
|||
|
was made aware of this set of requirements shortly after Thomas
|
|||
|
Gleixner audited a number of RCU uses.
|
|||
|
#. A given function might wish to check for RCU-related preconditions
|
|||
|
upon entry, before using any other RCU API. The
|
|||
|
rcu_lockdep_assert() does this job, asserting the expression in
|
|||
|
kernels having lockdep enabled and doing nothing otherwise.
|
|||
|
#. It is also easy to forget to use rcu_assign_pointer() and
|
|||
|
rcu_dereference(), perhaps (incorrectly) substituting a simple
|
|||
|
assignment. To catch this sort of error, a given RCU-protected
|
|||
|
pointer may be tagged with ``__rcu``, after which sparse will
|
|||
|
complain about simple-assignment accesses to that pointer. Arnd
|
|||
|
Bergmann made me aware of this requirement, and also supplied the
|
|||
|
needed `patch series <https://lwn.net/Articles/376011/>`__.
|
|||
|
#. Kernels built with ``CONFIG_DEBUG_OBJECTS_RCU_HEAD=y`` will splat if
|
|||
|
a data element is passed to call_rcu() twice in a row, without a
|
|||
|
grace period in between. (This error is similar to a double free.)
|
|||
|
The corresponding ``rcu_head`` structures that are dynamically
|
|||
|
allocated are automatically tracked, but ``rcu_head`` structures
|
|||
|
allocated on the stack must be initialized with
|
|||
|
init_rcu_head_on_stack() and cleaned up with
|
|||
|
destroy_rcu_head_on_stack(). Similarly, statically allocated
|
|||
|
non-stack ``rcu_head`` structures must be initialized with
|
|||
|
init_rcu_head() and cleaned up with destroy_rcu_head().
|
|||
|
Mathieu Desnoyers made me aware of this requirement, and also
|
|||
|
supplied the needed
|
|||
|
`patch <https://lore.kernel.org/r/20100319013024.GA28456@Krystal>`__.
|
|||
|
#. An infinite loop in an RCU read-side critical section will eventually
|
|||
|
trigger an RCU CPU stall warning splat, with the duration of
|
|||
|
“eventually” being controlled by the ``RCU_CPU_STALL_TIMEOUT``
|
|||
|
``Kconfig`` option, or, alternatively, by the
|
|||
|
``rcupdate.rcu_cpu_stall_timeout`` boot/sysfs parameter. However, RCU
|
|||
|
is not obligated to produce this splat unless there is a grace period
|
|||
|
waiting on that particular RCU read-side critical section.
|
|||
|
|
|||
|
Some extreme workloads might intentionally delay RCU grace periods,
|
|||
|
and systems running those workloads can be booted with
|
|||
|
``rcupdate.rcu_cpu_stall_suppress`` to suppress the splats. This
|
|||
|
kernel parameter may also be set via ``sysfs``. Furthermore, RCU CPU
|
|||
|
stall warnings are counter-productive during sysrq dumps and during
|
|||
|
panics. RCU therefore supplies the rcu_sysrq_start() and
|
|||
|
rcu_sysrq_end() API members to be called before and after long
|
|||
|
sysrq dumps. RCU also supplies the rcu_panic() notifier that is
|
|||
|
automatically invoked at the beginning of a panic to suppress further
|
|||
|
RCU CPU stall warnings.
|
|||
|
|
|||
|
This requirement made itself known in the early 1990s, pretty much
|
|||
|
the first time that it was necessary to debug a CPU stall. That said,
|
|||
|
the initial implementation in DYNIX/ptx was quite generic in
|
|||
|
comparison with that of Linux.
|
|||
|
|
|||
|
#. Although it would be very good to detect pointers leaking out of RCU
|
|||
|
read-side critical sections, there is currently no good way of doing
|
|||
|
this. One complication is the need to distinguish between pointers
|
|||
|
leaking and pointers that have been handed off from RCU to some other
|
|||
|
synchronization mechanism, for example, reference counting.
|
|||
|
#. In kernels built with ``CONFIG_RCU_TRACE=y``, RCU-related information
|
|||
|
is provided via event tracing.
|
|||
|
#. Open-coded use of rcu_assign_pointer() and rcu_dereference()
|
|||
|
to create typical linked data structures can be surprisingly
|
|||
|
error-prone. Therefore, RCU-protected `linked
|
|||
|
lists <https://lwn.net/Articles/609973/#RCU%20List%20APIs>`__ and,
|
|||
|
more recently, RCU-protected `hash
|
|||
|
tables <https://lwn.net/Articles/612100/>`__ are available. Many
|
|||
|
other special-purpose RCU-protected data structures are available in
|
|||
|
the Linux kernel and the userspace RCU library.
|
|||
|
#. Some linked structures are created at compile time, but still require
|
|||
|
``__rcu`` checking. The RCU_POINTER_INITIALIZER() macro serves
|
|||
|
this purpose.
|
|||
|
#. It is not necessary to use rcu_assign_pointer() when creating
|
|||
|
linked structures that are to be published via a single external
|
|||
|
pointer. The RCU_INIT_POINTER() macro is provided for this task.
|
|||
|
|
|||
|
This not a hard-and-fast list: RCU's diagnostic capabilities will
|
|||
|
continue to be guided by the number and type of usage bugs found in
|
|||
|
real-world RCU usage.
|
|||
|
|
|||
|
Linux Kernel Complications
|
|||
|
--------------------------
|
|||
|
|
|||
|
The Linux kernel provides an interesting environment for all kinds of
|
|||
|
software, including RCU. Some of the relevant points of interest are as
|
|||
|
follows:
|
|||
|
|
|||
|
#. `Configuration`_
|
|||
|
#. `Firmware Interface`_
|
|||
|
#. `Early Boot`_
|
|||
|
#. `Interrupts and NMIs`_
|
|||
|
#. `Loadable Modules`_
|
|||
|
#. `Hotplug CPU`_
|
|||
|
#. `Scheduler and RCU`_
|
|||
|
#. `Tracing and RCU`_
|
|||
|
#. `Accesses to User Memory and RCU`_
|
|||
|
#. `Energy Efficiency`_
|
|||
|
#. `Scheduling-Clock Interrupts and RCU`_
|
|||
|
#. `Memory Efficiency`_
|
|||
|
#. `Performance, Scalability, Response Time, and Reliability`_
|
|||
|
|
|||
|
This list is probably incomplete, but it does give a feel for the most
|
|||
|
notable Linux-kernel complications. Each of the following sections
|
|||
|
covers one of the above topics.
|
|||
|
|
|||
|
Configuration
|
|||
|
~~~~~~~~~~~~~
|
|||
|
|
|||
|
RCU's goal is automatic configuration, so that almost nobody needs to
|
|||
|
worry about RCU's ``Kconfig`` options. And for almost all users, RCU
|
|||
|
does in fact work well “out of the box.”
|
|||
|
|
|||
|
However, there are specialized use cases that are handled by kernel boot
|
|||
|
parameters and ``Kconfig`` options. Unfortunately, the ``Kconfig``
|
|||
|
system will explicitly ask users about new ``Kconfig`` options, which
|
|||
|
requires almost all of them be hidden behind a ``CONFIG_RCU_EXPERT``
|
|||
|
``Kconfig`` option.
|
|||
|
|
|||
|
This all should be quite obvious, but the fact remains that Linus
|
|||
|
Torvalds recently had to
|
|||
|
`remind <https://lore.kernel.org/r/CA+55aFy4wcCwaL4okTs8wXhGZ5h-ibecy_Meg9C4MNQrUnwMcg@mail.gmail.com>`__
|
|||
|
me of this requirement.
|
|||
|
|
|||
|
Firmware Interface
|
|||
|
~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
In many cases, kernel obtains information about the system from the
|
|||
|
firmware, and sometimes things are lost in translation. Or the
|
|||
|
translation is accurate, but the original message is bogus.
|
|||
|
|
|||
|
For example, some systems' firmware overreports the number of CPUs,
|
|||
|
sometimes by a large factor. If RCU naively believed the firmware, as it
|
|||
|
used to do, it would create too many per-CPU kthreads. Although the
|
|||
|
resulting system will still run correctly, the extra kthreads needlessly
|
|||
|
consume memory and can cause confusion when they show up in ``ps``
|
|||
|
listings.
|
|||
|
|
|||
|
RCU must therefore wait for a given CPU to actually come online before
|
|||
|
it can allow itself to believe that the CPU actually exists. The
|
|||
|
resulting “ghost CPUs” (which are never going to come online) cause a
|
|||
|
number of `interesting
|
|||
|
complications <https://paulmck.livejournal.com/37494.html>`__.
|
|||
|
|
|||
|
Early Boot
|
|||
|
~~~~~~~~~~
|
|||
|
|
|||
|
The Linux kernel's boot sequence is an interesting process, and RCU is
|
|||
|
used early, even before rcu_init() is invoked. In fact, a number of
|
|||
|
RCU's primitives can be used as soon as the initial task's
|
|||
|
``task_struct`` is available and the boot CPU's per-CPU variables are
|
|||
|
set up. The read-side primitives (rcu_read_lock(),
|
|||
|
rcu_read_unlock(), rcu_dereference(), and
|
|||
|
rcu_access_pointer()) will operate normally very early on, as will
|
|||
|
rcu_assign_pointer().
|
|||
|
|
|||
|
Although call_rcu() may be invoked at any time during boot,
|
|||
|
callbacks are not guaranteed to be invoked until after all of RCU's
|
|||
|
kthreads have been spawned, which occurs at early_initcall() time.
|
|||
|
This delay in callback invocation is due to the fact that RCU does not
|
|||
|
invoke callbacks until it is fully initialized, and this full
|
|||
|
initialization cannot occur until after the scheduler has initialized
|
|||
|
itself to the point where RCU can spawn and run its kthreads. In theory,
|
|||
|
it would be possible to invoke callbacks earlier, however, this is not a
|
|||
|
panacea because there would be severe restrictions on what operations
|
|||
|
those callbacks could invoke.
|
|||
|
|
|||
|
Perhaps surprisingly, synchronize_rcu() and
|
|||
|
synchronize_rcu_expedited(), will operate normally during very early
|
|||
|
boot, the reason being that there is only one CPU and preemption is
|
|||
|
disabled. This means that the call synchronize_rcu() (or friends)
|
|||
|
itself is a quiescent state and thus a grace period, so the early-boot
|
|||
|
implementation can be a no-op.
|
|||
|
|
|||
|
However, once the scheduler has spawned its first kthread, this early
|
|||
|
boot trick fails for synchronize_rcu() (as well as for
|
|||
|
synchronize_rcu_expedited()) in ``CONFIG_PREEMPTION=y`` kernels. The
|
|||
|
reason is that an RCU read-side critical section might be preempted,
|
|||
|
which means that a subsequent synchronize_rcu() really does have to
|
|||
|
wait for something, as opposed to simply returning immediately.
|
|||
|
Unfortunately, synchronize_rcu() can't do this until all of its
|
|||
|
kthreads are spawned, which doesn't happen until some time during
|
|||
|
early_initcalls() time. But this is no excuse: RCU is nevertheless
|
|||
|
required to correctly handle synchronous grace periods during this time
|
|||
|
period. Once all of its kthreads are up and running, RCU starts running
|
|||
|
normally.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| How can RCU possibly handle grace periods before all of its kthreads |
|
|||
|
| have been spawned??? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Very carefully! |
|
|||
|
| During the “dead zone” between the time that the scheduler spawns the |
|
|||
|
| first task and the time that all of RCU's kthreads have been spawned, |
|
|||
|
| all synchronous grace periods are handled by the expedited |
|
|||
|
| grace-period mechanism. At runtime, this expedited mechanism relies |
|
|||
|
| on workqueues, but during the dead zone the requesting task itself |
|
|||
|
| drives the desired expedited grace period. Because dead-zone |
|
|||
|
| execution takes place within task context, everything works. Once the |
|
|||
|
| dead zone ends, expedited grace periods go back to using workqueues, |
|
|||
|
| as is required to avoid problems that would otherwise occur when a |
|
|||
|
| user task received a POSIX signal while driving an expedited grace |
|
|||
|
| period. |
|
|||
|
| |
|
|||
|
| And yes, this does mean that it is unhelpful to send POSIX signals to |
|
|||
|
| random tasks between the time that the scheduler spawns its first |
|
|||
|
| kthread and the time that RCU's kthreads have all been spawned. If |
|
|||
|
| there ever turns out to be a good reason for sending POSIX signals |
|
|||
|
| during that time, appropriate adjustments will be made. (If it turns |
|
|||
|
| out that POSIX signals are sent during this time for no good reason, |
|
|||
|
| other adjustments will be made, appropriate or otherwise.) |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
I learned of these boot-time requirements as a result of a series of
|
|||
|
system hangs.
|
|||
|
|
|||
|
Interrupts and NMIs
|
|||
|
~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The Linux kernel has interrupts, and RCU read-side critical sections are
|
|||
|
legal within interrupt handlers and within interrupt-disabled regions of
|
|||
|
code, as are invocations of call_rcu().
|
|||
|
|
|||
|
Some Linux-kernel architectures can enter an interrupt handler from
|
|||
|
non-idle process context, and then just never leave it, instead
|
|||
|
stealthily transitioning back to process context. This trick is
|
|||
|
sometimes used to invoke system calls from inside the kernel. These
|
|||
|
“half-interrupts” mean that RCU has to be very careful about how it
|
|||
|
counts interrupt nesting levels. I learned of this requirement the hard
|
|||
|
way during a rewrite of RCU's dyntick-idle code.
|
|||
|
|
|||
|
The Linux kernel has non-maskable interrupts (NMIs), and RCU read-side
|
|||
|
critical sections are legal within NMI handlers. Thankfully, RCU
|
|||
|
update-side primitives, including call_rcu(), are prohibited within
|
|||
|
NMI handlers.
|
|||
|
|
|||
|
The name notwithstanding, some Linux-kernel architectures can have
|
|||
|
nested NMIs, which RCU must handle correctly. Andy Lutomirski `surprised
|
|||
|
me <https://lore.kernel.org/r/CALCETrXLq1y7e_dKFPgou-FKHB6Pu-r8+t-6Ds+8=va7anBWDA@mail.gmail.com>`__
|
|||
|
with this requirement; he also kindly surprised me with `an
|
|||
|
algorithm <https://lore.kernel.org/r/CALCETrXSY9JpW3uE6H8WYk81sg56qasA2aqmjMPsq5dOtzso=g@mail.gmail.com>`__
|
|||
|
that meets this requirement.
|
|||
|
|
|||
|
Furthermore, NMI handlers can be interrupted by what appear to RCU to be
|
|||
|
normal interrupts. One way that this can happen is for code that
|
|||
|
directly invokes rcu_irq_enter() and rcu_irq_exit() to be called
|
|||
|
from an NMI handler. This astonishing fact of life prompted the current
|
|||
|
code structure, which has rcu_irq_enter() invoking
|
|||
|
rcu_nmi_enter() and rcu_irq_exit() invoking rcu_nmi_exit().
|
|||
|
And yes, I also learned of this requirement the hard way.
|
|||
|
|
|||
|
Loadable Modules
|
|||
|
~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The Linux kernel has loadable modules, and these modules can also be
|
|||
|
unloaded. After a given module has been unloaded, any attempt to call
|
|||
|
one of its functions results in a segmentation fault. The module-unload
|
|||
|
functions must therefore cancel any delayed calls to loadable-module
|
|||
|
functions, for example, any outstanding mod_timer() must be dealt
|
|||
|
with via del_timer_sync() or similar.
|
|||
|
|
|||
|
Unfortunately, there is no way to cancel an RCU callback; once you
|
|||
|
invoke call_rcu(), the callback function is eventually going to be
|
|||
|
invoked, unless the system goes down first. Because it is normally
|
|||
|
considered socially irresponsible to crash the system in response to a
|
|||
|
module unload request, we need some other way to deal with in-flight RCU
|
|||
|
callbacks.
|
|||
|
|
|||
|
RCU therefore provides rcu_barrier(), which waits until all
|
|||
|
in-flight RCU callbacks have been invoked. If a module uses
|
|||
|
call_rcu(), its exit function should therefore prevent any future
|
|||
|
invocation of call_rcu(), then invoke rcu_barrier(). In theory,
|
|||
|
the underlying module-unload code could invoke rcu_barrier()
|
|||
|
unconditionally, but in practice this would incur unacceptable
|
|||
|
latencies.
|
|||
|
|
|||
|
Nikita Danilov noted this requirement for an analogous
|
|||
|
filesystem-unmount situation, and Dipankar Sarma incorporated
|
|||
|
rcu_barrier() into RCU. The need for rcu_barrier() for module
|
|||
|
unloading became apparent later.
|
|||
|
|
|||
|
.. important::
|
|||
|
|
|||
|
The rcu_barrier() function is not, repeat,
|
|||
|
*not*, obligated to wait for a grace period. It is instead only required
|
|||
|
to wait for RCU callbacks that have already been posted. Therefore, if
|
|||
|
there are no RCU callbacks posted anywhere in the system,
|
|||
|
rcu_barrier() is within its rights to return immediately. Even if
|
|||
|
there are callbacks posted, rcu_barrier() does not necessarily need
|
|||
|
to wait for a grace period.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Wait a minute! Each RCU callbacks must wait for a grace period to |
|
|||
|
| complete, and rcu_barrier() must wait for each pre-existing |
|
|||
|
| callback to be invoked. Doesn't rcu_barrier() therefore need to |
|
|||
|
| wait for a full grace period if there is even one callback posted |
|
|||
|
| anywhere in the system? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Absolutely not!!! |
|
|||
|
| Yes, each RCU callbacks must wait for a grace period to complete, but |
|
|||
|
| it might well be partly (or even completely) finished waiting by the |
|
|||
|
| time rcu_barrier() is invoked. In that case, rcu_barrier() |
|
|||
|
| need only wait for the remaining portion of the grace period to |
|
|||
|
| elapse. So even if there are quite a few callbacks posted, |
|
|||
|
| rcu_barrier() might well return quite quickly. |
|
|||
|
| |
|
|||
|
| So if you need to wait for a grace period as well as for all |
|
|||
|
| pre-existing callbacks, you will need to invoke both |
|
|||
|
| synchronize_rcu() and rcu_barrier(). If latency is a concern, |
|
|||
|
| you can always use workqueues to invoke them concurrently. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
Hotplug CPU
|
|||
|
~~~~~~~~~~~
|
|||
|
|
|||
|
The Linux kernel supports CPU hotplug, which means that CPUs can come
|
|||
|
and go. It is of course illegal to use any RCU API member from an
|
|||
|
offline CPU, with the exception of `SRCU <Sleepable RCU_>`__ read-side
|
|||
|
critical sections. This requirement was present from day one in
|
|||
|
DYNIX/ptx, but on the other hand, the Linux kernel's CPU-hotplug
|
|||
|
implementation is “interesting.”
|
|||
|
|
|||
|
The Linux-kernel CPU-hotplug implementation has notifiers that are used
|
|||
|
to allow the various kernel subsystems (including RCU) to respond
|
|||
|
appropriately to a given CPU-hotplug operation. Most RCU operations may
|
|||
|
be invoked from CPU-hotplug notifiers, including even synchronous
|
|||
|
grace-period operations such as (synchronize_rcu() and
|
|||
|
synchronize_rcu_expedited()). However, these synchronous operations
|
|||
|
do block and therefore cannot be invoked from notifiers that execute via
|
|||
|
stop_machine(), specifically those between the ``CPUHP_AP_OFFLINE``
|
|||
|
and ``CPUHP_AP_ONLINE`` states.
|
|||
|
|
|||
|
In addition, all-callback-wait operations such as rcu_barrier() may
|
|||
|
not be invoked from any CPU-hotplug notifier. This restriction is due
|
|||
|
to the fact that there are phases of CPU-hotplug operations where the
|
|||
|
outgoing CPU's callbacks will not be invoked until after the CPU-hotplug
|
|||
|
operation ends, which could also result in deadlock. Furthermore,
|
|||
|
rcu_barrier() blocks CPU-hotplug operations during its execution,
|
|||
|
which results in another type of deadlock when invoked from a CPU-hotplug
|
|||
|
notifier.
|
|||
|
|
|||
|
Finally, RCU must avoid deadlocks due to interaction between hotplug,
|
|||
|
timers and grace period processing. It does so by maintaining its own set
|
|||
|
of books that duplicate the centrally maintained ``cpu_online_mask``,
|
|||
|
and also by reporting quiescent states explicitly when a CPU goes
|
|||
|
offline. This explicit reporting of quiescent states avoids any need
|
|||
|
for the force-quiescent-state loop (FQS) to report quiescent states for
|
|||
|
offline CPUs. However, as a debugging measure, the FQS loop does splat
|
|||
|
if offline CPUs block an RCU grace period for too long.
|
|||
|
|
|||
|
An offline CPU's quiescent state will be reported either:
|
|||
|
|
|||
|
1. As the CPU goes offline using RCU's hotplug notifier (rcu_report_dead()).
|
|||
|
2. When grace period initialization (rcu_gp_init()) detects a
|
|||
|
race either with CPU offlining or with a task unblocking on a leaf
|
|||
|
``rcu_node`` structure whose CPUs are all offline.
|
|||
|
|
|||
|
The CPU-online path (rcu_cpu_starting()) should never need to report
|
|||
|
a quiescent state for an offline CPU. However, as a debugging measure,
|
|||
|
it does emit a warning if a quiescent state was not already reported
|
|||
|
for that CPU.
|
|||
|
|
|||
|
During the checking/modification of RCU's hotplug bookkeeping, the
|
|||
|
corresponding CPU's leaf node lock is held. This avoids race conditions
|
|||
|
between RCU's hotplug notifier hooks, the grace period initialization
|
|||
|
code, and the FQS loop, all of which refer to or modify this bookkeeping.
|
|||
|
|
|||
|
Scheduler and RCU
|
|||
|
~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
RCU makes use of kthreads, and it is necessary to avoid excessive CPU-time
|
|||
|
accumulation by these kthreads. This requirement was no surprise, but
|
|||
|
RCU's violation of it when running context-switch-heavy workloads when
|
|||
|
built with ``CONFIG_NO_HZ_FULL=y`` `did come as a surprise
|
|||
|
[PDF] <http://www.rdrop.com/users/paulmck/scalability/paper/BareMetal.2015.01.15b.pdf>`__.
|
|||
|
RCU has made good progress towards meeting this requirement, even for
|
|||
|
context-switch-heavy ``CONFIG_NO_HZ_FULL=y`` workloads, but there is
|
|||
|
room for further improvement.
|
|||
|
|
|||
|
There is no longer any prohibition against holding any of
|
|||
|
scheduler's runqueue or priority-inheritance spinlocks across an
|
|||
|
rcu_read_unlock(), even if interrupts and preemption were enabled
|
|||
|
somewhere within the corresponding RCU read-side critical section.
|
|||
|
Therefore, it is now perfectly legal to execute rcu_read_lock()
|
|||
|
with preemption enabled, acquire one of the scheduler locks, and hold
|
|||
|
that lock across the matching rcu_read_unlock().
|
|||
|
|
|||
|
Similarly, the RCU flavor consolidation has removed the need for negative
|
|||
|
nesting. The fact that interrupt-disabled regions of code act as RCU
|
|||
|
read-side critical sections implicitly avoids earlier issues that used
|
|||
|
to result in destructive recursion via interrupt handler's use of RCU.
|
|||
|
|
|||
|
Tracing and RCU
|
|||
|
~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
It is possible to use tracing on RCU code, but tracing itself uses RCU.
|
|||
|
For this reason, rcu_dereference_raw_check() is provided for use
|
|||
|
by tracing, which avoids the destructive recursion that could otherwise
|
|||
|
ensue. This API is also used by virtualization in some architectures,
|
|||
|
where RCU readers execute in environments in which tracing cannot be
|
|||
|
used. The tracing folks both located the requirement and provided the
|
|||
|
needed fix, so this surprise requirement was relatively painless.
|
|||
|
|
|||
|
Accesses to User Memory and RCU
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The kernel needs to access user-space memory, for example, to access data
|
|||
|
referenced by system-call parameters. The get_user() macro does this job.
|
|||
|
|
|||
|
However, user-space memory might well be paged out, which means that
|
|||
|
get_user() might well page-fault and thus block while waiting for the
|
|||
|
resulting I/O to complete. It would be a very bad thing for the compiler to
|
|||
|
reorder a get_user() invocation into an RCU read-side critical section.
|
|||
|
|
|||
|
For example, suppose that the source code looked like this:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 rcu_read_lock();
|
|||
|
2 p = rcu_dereference(gp);
|
|||
|
3 v = p->value;
|
|||
|
4 rcu_read_unlock();
|
|||
|
5 get_user(user_v, user_p);
|
|||
|
6 do_something_with(v, user_v);
|
|||
|
|
|||
|
The compiler must not be permitted to transform this source code into
|
|||
|
the following:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 rcu_read_lock();
|
|||
|
2 p = rcu_dereference(gp);
|
|||
|
3 get_user(user_v, user_p); // BUG: POSSIBLE PAGE FAULT!!!
|
|||
|
4 v = p->value;
|
|||
|
5 rcu_read_unlock();
|
|||
|
6 do_something_with(v, user_v);
|
|||
|
|
|||
|
If the compiler did make this transformation in a ``CONFIG_PREEMPTION=n`` kernel
|
|||
|
build, and if get_user() did page fault, the result would be a quiescent
|
|||
|
state in the middle of an RCU read-side critical section. This misplaced
|
|||
|
quiescent state could result in line 4 being a use-after-free access,
|
|||
|
which could be bad for your kernel's actuarial statistics. Similar examples
|
|||
|
can be constructed with the call to get_user() preceding the
|
|||
|
rcu_read_lock().
|
|||
|
|
|||
|
Unfortunately, get_user() doesn't have any particular ordering properties,
|
|||
|
and in some architectures the underlying ``asm`` isn't even marked
|
|||
|
``volatile``. And even if it was marked ``volatile``, the above access to
|
|||
|
``p->value`` is not volatile, so the compiler would not have any reason to keep
|
|||
|
those two accesses in order.
|
|||
|
|
|||
|
Therefore, the Linux-kernel definitions of rcu_read_lock() and
|
|||
|
rcu_read_unlock() must act as compiler barriers, at least for outermost
|
|||
|
instances of rcu_read_lock() and rcu_read_unlock() within a nested set
|
|||
|
of RCU read-side critical sections.
|
|||
|
|
|||
|
Energy Efficiency
|
|||
|
~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
Interrupting idle CPUs is considered socially unacceptable, especially
|
|||
|
by people with battery-powered embedded systems. RCU therefore conserves
|
|||
|
energy by detecting which CPUs are idle, including tracking CPUs that
|
|||
|
have been interrupted from idle. This is a large part of the
|
|||
|
energy-efficiency requirement, so I learned of this via an irate phone
|
|||
|
call.
|
|||
|
|
|||
|
Because RCU avoids interrupting idle CPUs, it is illegal to execute an
|
|||
|
RCU read-side critical section on an idle CPU. (Kernels built with
|
|||
|
``CONFIG_PROVE_RCU=y`` will splat if you try it.) The RCU_NONIDLE()
|
|||
|
macro and ``_rcuidle`` event tracing is provided to work around this
|
|||
|
restriction. In addition, rcu_is_watching() may be used to test
|
|||
|
whether or not it is currently legal to run RCU read-side critical
|
|||
|
sections on this CPU. I learned of the need for diagnostics on the one
|
|||
|
hand and RCU_NONIDLE() on the other while inspecting idle-loop code.
|
|||
|
Steven Rostedt supplied ``_rcuidle`` event tracing, which is used quite
|
|||
|
heavily in the idle loop. However, there are some restrictions on the
|
|||
|
code placed within RCU_NONIDLE():
|
|||
|
|
|||
|
#. Blocking is prohibited. In practice, this is not a serious
|
|||
|
restriction given that idle tasks are prohibited from blocking to
|
|||
|
begin with.
|
|||
|
#. Although nesting RCU_NONIDLE() is permitted, they cannot nest
|
|||
|
indefinitely deeply. However, given that they can be nested on the
|
|||
|
order of a million deep, even on 32-bit systems, this should not be a
|
|||
|
serious restriction. This nesting limit would probably be reached
|
|||
|
long after the compiler OOMed or the stack overflowed.
|
|||
|
#. Any code path that enters RCU_NONIDLE() must sequence out of that
|
|||
|
same RCU_NONIDLE(). For example, the following is grossly
|
|||
|
illegal:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 RCU_NONIDLE({
|
|||
|
2 do_something();
|
|||
|
3 goto bad_idea; /* BUG!!! */
|
|||
|
4 do_something_else();});
|
|||
|
5 bad_idea:
|
|||
|
|
|||
|
|
|||
|
It is just as illegal to transfer control into the middle of
|
|||
|
RCU_NONIDLE()'s argument. Yes, in theory, you could transfer in
|
|||
|
as long as you also transferred out, but in practice you could also
|
|||
|
expect to get sharply worded review comments.
|
|||
|
|
|||
|
It is similarly socially unacceptable to interrupt an ``nohz_full`` CPU
|
|||
|
running in userspace. RCU must therefore track ``nohz_full`` userspace
|
|||
|
execution. RCU must therefore be able to sample state at two points in
|
|||
|
time, and be able to determine whether or not some other CPU spent any
|
|||
|
time idle and/or executing in userspace.
|
|||
|
|
|||
|
These energy-efficiency requirements have proven quite difficult to
|
|||
|
understand and to meet, for example, there have been more than five
|
|||
|
clean-sheet rewrites of RCU's energy-efficiency code, the last of which
|
|||
|
was finally able to demonstrate `real energy savings running on real
|
|||
|
hardware
|
|||
|
[PDF] <http://www.rdrop.com/users/paulmck/realtime/paper/AMPenergy.2013.04.19a.pdf>`__.
|
|||
|
As noted earlier, I learned of many of these requirements via angry
|
|||
|
phone calls: Flaming me on the Linux-kernel mailing list was apparently
|
|||
|
not sufficient to fully vent their ire at RCU's energy-efficiency bugs!
|
|||
|
|
|||
|
Scheduling-Clock Interrupts and RCU
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The kernel transitions between in-kernel non-idle execution, userspace
|
|||
|
execution, and the idle loop. Depending on kernel configuration, RCU
|
|||
|
handles these states differently:
|
|||
|
|
|||
|
+-----------------+------------------+------------------+-----------------+
|
|||
|
| ``HZ`` Kconfig | In-Kernel | Usermode | Idle |
|
|||
|
+=================+==================+==================+=================+
|
|||
|
| ``HZ_PERIODIC`` | Can rely on | Can rely on | Can rely on |
|
|||
|
| | scheduling-clock | scheduling-clock | RCU's |
|
|||
|
| | interrupt. | interrupt and | dyntick-idle |
|
|||
|
| | | its detection | detection. |
|
|||
|
| | | of interrupt | |
|
|||
|
| | | from usermode. | |
|
|||
|
+-----------------+------------------+------------------+-----------------+
|
|||
|
| ``NO_HZ_IDLE`` | Can rely on | Can rely on | Can rely on |
|
|||
|
| | scheduling-clock | scheduling-clock | RCU's |
|
|||
|
| | interrupt. | interrupt and | dyntick-idle |
|
|||
|
| | | its detection | detection. |
|
|||
|
| | | of interrupt | |
|
|||
|
| | | from usermode. | |
|
|||
|
+-----------------+------------------+------------------+-----------------+
|
|||
|
| ``NO_HZ_FULL`` | Can only | Can rely on | Can rely on |
|
|||
|
| | sometimes rely | RCU's | RCU's |
|
|||
|
| | on | dyntick-idle | dyntick-idle |
|
|||
|
| | scheduling-clock | detection. | detection. |
|
|||
|
| | interrupt. In | | |
|
|||
|
| | other cases, it | | |
|
|||
|
| | is necessary to | | |
|
|||
|
| | bound kernel | | |
|
|||
|
| | execution times | | |
|
|||
|
| | and/or use | | |
|
|||
|
| | IPIs. | | |
|
|||
|
+-----------------+------------------+------------------+-----------------+
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Why can't ``NO_HZ_FULL`` in-kernel execution rely on the |
|
|||
|
| scheduling-clock interrupt, just like ``HZ_PERIODIC`` and |
|
|||
|
| ``NO_HZ_IDLE`` do? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| Because, as a performance optimization, ``NO_HZ_FULL`` does not |
|
|||
|
| necessarily re-enable the scheduling-clock interrupt on entry to each |
|
|||
|
| and every system call. |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
However, RCU must be reliably informed as to whether any given CPU is
|
|||
|
currently in the idle loop, and, for ``NO_HZ_FULL``, also whether that
|
|||
|
CPU is executing in usermode, as discussed
|
|||
|
`earlier <Energy Efficiency_>`__. It also requires that the
|
|||
|
scheduling-clock interrupt be enabled when RCU needs it to be:
|
|||
|
|
|||
|
#. If a CPU is either idle or executing in usermode, and RCU believes it
|
|||
|
is non-idle, the scheduling-clock tick had better be running.
|
|||
|
Otherwise, you will get RCU CPU stall warnings. Or at best, very long
|
|||
|
(11-second) grace periods, with a pointless IPI waking the CPU from
|
|||
|
time to time.
|
|||
|
#. If a CPU is in a portion of the kernel that executes RCU read-side
|
|||
|
critical sections, and RCU believes this CPU to be idle, you will get
|
|||
|
random memory corruption. **DON'T DO THIS!!!**
|
|||
|
This is one reason to test with lockdep, which will complain about
|
|||
|
this sort of thing.
|
|||
|
#. If a CPU is in a portion of the kernel that is absolutely positively
|
|||
|
no-joking guaranteed to never execute any RCU read-side critical
|
|||
|
sections, and RCU believes this CPU to be idle, no problem. This
|
|||
|
sort of thing is used by some architectures for light-weight
|
|||
|
exception handlers, which can then avoid the overhead of
|
|||
|
rcu_irq_enter() and rcu_irq_exit() at exception entry and
|
|||
|
exit, respectively. Some go further and avoid the entireties of
|
|||
|
irq_enter() and irq_exit().
|
|||
|
Just make very sure you are running some of your tests with
|
|||
|
``CONFIG_PROVE_RCU=y``, just in case one of your code paths was in
|
|||
|
fact joking about not doing RCU read-side critical sections.
|
|||
|
#. If a CPU is executing in the kernel with the scheduling-clock
|
|||
|
interrupt disabled and RCU believes this CPU to be non-idle, and if
|
|||
|
the CPU goes idle (from an RCU perspective) every few jiffies, no
|
|||
|
problem. It is usually OK for there to be the occasional gap between
|
|||
|
idle periods of up to a second or so.
|
|||
|
If the gap grows too long, you get RCU CPU stall warnings.
|
|||
|
#. If a CPU is either idle or executing in usermode, and RCU believes it
|
|||
|
to be idle, of course no problem.
|
|||
|
#. If a CPU is executing in the kernel, the kernel code path is passing
|
|||
|
through quiescent states at a reasonable frequency (preferably about
|
|||
|
once per few jiffies, but the occasional excursion to a second or so
|
|||
|
is usually OK) and the scheduling-clock interrupt is enabled, of
|
|||
|
course no problem.
|
|||
|
If the gap between a successive pair of quiescent states grows too
|
|||
|
long, you get RCU CPU stall warnings.
|
|||
|
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Quick Quiz**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| But what if my driver has a hardware interrupt handler that can run |
|
|||
|
| for many seconds? I cannot invoke schedule() from an hardware |
|
|||
|
| interrupt handler, after all! |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| **Answer**: |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
| One approach is to do ``rcu_irq_exit();rcu_irq_enter();`` every so |
|
|||
|
| often. But given that long-running interrupt handlers can cause other |
|
|||
|
| problems, not least for response time, shouldn't you work to keep |
|
|||
|
| your interrupt handler's runtime within reasonable bounds? |
|
|||
|
+-----------------------------------------------------------------------+
|
|||
|
|
|||
|
But as long as RCU is properly informed of kernel state transitions
|
|||
|
between in-kernel execution, usermode execution, and idle, and as long
|
|||
|
as the scheduling-clock interrupt is enabled when RCU needs it to be,
|
|||
|
you can rest assured that the bugs you encounter will be in some other
|
|||
|
part of RCU or some other part of the kernel!
|
|||
|
|
|||
|
Memory Efficiency
|
|||
|
~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
Although small-memory non-realtime systems can simply use Tiny RCU, code
|
|||
|
size is only one aspect of memory efficiency. Another aspect is the size
|
|||
|
of the ``rcu_head`` structure used by call_rcu() and
|
|||
|
kfree_rcu(). Although this structure contains nothing more than a
|
|||
|
pair of pointers, it does appear in many RCU-protected data structures,
|
|||
|
including some that are size critical. The ``page`` structure is a case
|
|||
|
in point, as evidenced by the many occurrences of the ``union`` keyword
|
|||
|
within that structure.
|
|||
|
|
|||
|
This need for memory efficiency is one reason that RCU uses hand-crafted
|
|||
|
singly linked lists to track the ``rcu_head`` structures that are
|
|||
|
waiting for a grace period to elapse. It is also the reason why
|
|||
|
``rcu_head`` structures do not contain debug information, such as fields
|
|||
|
tracking the file and line of the call_rcu() or kfree_rcu() that
|
|||
|
posted them. Although this information might appear in debug-only kernel
|
|||
|
builds at some point, in the meantime, the ``->func`` field will often
|
|||
|
provide the needed debug information.
|
|||
|
|
|||
|
However, in some cases, the need for memory efficiency leads to even
|
|||
|
more extreme measures. Returning to the ``page`` structure, the
|
|||
|
``rcu_head`` field shares storage with a great many other structures
|
|||
|
that are used at various points in the corresponding page's lifetime. In
|
|||
|
order to correctly resolve certain `race
|
|||
|
conditions <https://lore.kernel.org/r/1439976106-137226-1-git-send-email-kirill.shutemov@linux.intel.com>`__,
|
|||
|
the Linux kernel's memory-management subsystem needs a particular bit to
|
|||
|
remain zero during all phases of grace-period processing, and that bit
|
|||
|
happens to map to the bottom bit of the ``rcu_head`` structure's
|
|||
|
``->next`` field. RCU makes this guarantee as long as call_rcu() is
|
|||
|
used to post the callback, as opposed to kfree_rcu() or some future
|
|||
|
“lazy” variant of call_rcu() that might one day be created for
|
|||
|
energy-efficiency purposes.
|
|||
|
|
|||
|
That said, there are limits. RCU requires that the ``rcu_head``
|
|||
|
structure be aligned to a two-byte boundary, and passing a misaligned
|
|||
|
``rcu_head`` structure to one of the call_rcu() family of functions
|
|||
|
will result in a splat. It is therefore necessary to exercise caution
|
|||
|
when packing structures containing fields of type ``rcu_head``. Why not
|
|||
|
a four-byte or even eight-byte alignment requirement? Because the m68k
|
|||
|
architecture provides only two-byte alignment, and thus acts as
|
|||
|
alignment's least common denominator.
|
|||
|
|
|||
|
The reason for reserving the bottom bit of pointers to ``rcu_head``
|
|||
|
structures is to leave the door open to “lazy” callbacks whose
|
|||
|
invocations can safely be deferred. Deferring invocation could
|
|||
|
potentially have energy-efficiency benefits, but only if the rate of
|
|||
|
non-lazy callbacks decreases significantly for some important workload.
|
|||
|
In the meantime, reserving the bottom bit keeps this option open in case
|
|||
|
it one day becomes useful.
|
|||
|
|
|||
|
Performance, Scalability, Response Time, and Reliability
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
Expanding on the `earlier
|
|||
|
discussion <Performance and Scalability_>`__, RCU is used heavily by
|
|||
|
hot code paths in performance-critical portions of the Linux kernel's
|
|||
|
networking, security, virtualization, and scheduling code paths. RCU
|
|||
|
must therefore use efficient implementations, especially in its
|
|||
|
read-side primitives. To that end, it would be good if preemptible RCU's
|
|||
|
implementation of rcu_read_lock() could be inlined, however, doing
|
|||
|
this requires resolving ``#include`` issues with the ``task_struct``
|
|||
|
structure.
|
|||
|
|
|||
|
The Linux kernel supports hardware configurations with up to 4096 CPUs,
|
|||
|
which means that RCU must be extremely scalable. Algorithms that involve
|
|||
|
frequent acquisitions of global locks or frequent atomic operations on
|
|||
|
global variables simply cannot be tolerated within the RCU
|
|||
|
implementation. RCU therefore makes heavy use of a combining tree based
|
|||
|
on the ``rcu_node`` structure. RCU is required to tolerate all CPUs
|
|||
|
continuously invoking any combination of RCU's runtime primitives with
|
|||
|
minimal per-operation overhead. In fact, in many cases, increasing load
|
|||
|
must *decrease* the per-operation overhead, witness the batching
|
|||
|
optimizations for synchronize_rcu(), call_rcu(),
|
|||
|
synchronize_rcu_expedited(), and rcu_barrier(). As a general
|
|||
|
rule, RCU must cheerfully accept whatever the rest of the Linux kernel
|
|||
|
decides to throw at it.
|
|||
|
|
|||
|
The Linux kernel is used for real-time workloads, especially in
|
|||
|
conjunction with the `-rt
|
|||
|
patchset <https://wiki.linuxfoundation.org/realtime/>`__. The
|
|||
|
real-time-latency response requirements are such that the traditional
|
|||
|
approach of disabling preemption across RCU read-side critical sections
|
|||
|
is inappropriate. Kernels built with ``CONFIG_PREEMPTION=y`` therefore use
|
|||
|
an RCU implementation that allows RCU read-side critical sections to be
|
|||
|
preempted. This requirement made its presence known after users made it
|
|||
|
clear that an earlier `real-time
|
|||
|
patch <https://lwn.net/Articles/107930/>`__ did not meet their needs, in
|
|||
|
conjunction with some `RCU
|
|||
|
issues <https://lore.kernel.org/r/20050318002026.GA2693@us.ibm.com>`__
|
|||
|
encountered by a very early version of the -rt patchset.
|
|||
|
|
|||
|
In addition, RCU must make do with a sub-100-microsecond real-time
|
|||
|
latency budget. In fact, on smaller systems with the -rt patchset, the
|
|||
|
Linux kernel provides sub-20-microsecond real-time latencies for the
|
|||
|
whole kernel, including RCU. RCU's scalability and latency must
|
|||
|
therefore be sufficient for these sorts of configurations. To my
|
|||
|
surprise, the sub-100-microsecond real-time latency budget `applies to
|
|||
|
even the largest systems
|
|||
|
[PDF] <http://www.rdrop.com/users/paulmck/realtime/paper/bigrt.2013.01.31a.LCA.pdf>`__,
|
|||
|
up to and including systems with 4096 CPUs. This real-time requirement
|
|||
|
motivated the grace-period kthread, which also simplified handling of a
|
|||
|
number of race conditions.
|
|||
|
|
|||
|
RCU must avoid degrading real-time response for CPU-bound threads,
|
|||
|
whether executing in usermode (which is one use case for
|
|||
|
``CONFIG_NO_HZ_FULL=y``) or in the kernel. That said, CPU-bound loops in
|
|||
|
the kernel must execute cond_resched() at least once per few tens of
|
|||
|
milliseconds in order to avoid receiving an IPI from RCU.
|
|||
|
|
|||
|
Finally, RCU's status as a synchronization primitive means that any RCU
|
|||
|
failure can result in arbitrary memory corruption that can be extremely
|
|||
|
difficult to debug. This means that RCU must be extremely reliable,
|
|||
|
which in practice also means that RCU must have an aggressive
|
|||
|
stress-test suite. This stress-test suite is called ``rcutorture``.
|
|||
|
|
|||
|
Although the need for ``rcutorture`` was no surprise, the current
|
|||
|
immense popularity of the Linux kernel is posing interesting—and perhaps
|
|||
|
unprecedented—validation challenges. To see this, keep in mind that
|
|||
|
there are well over one billion instances of the Linux kernel running
|
|||
|
today, given Android smartphones, Linux-powered televisions, and
|
|||
|
servers. This number can be expected to increase sharply with the advent
|
|||
|
of the celebrated Internet of Things.
|
|||
|
|
|||
|
Suppose that RCU contains a race condition that manifests on average
|
|||
|
once per million years of runtime. This bug will be occurring about
|
|||
|
three times per *day* across the installed base. RCU could simply hide
|
|||
|
behind hardware error rates, given that no one should really expect
|
|||
|
their smartphone to last for a million years. However, anyone taking too
|
|||
|
much comfort from this thought should consider the fact that in most
|
|||
|
jurisdictions, a successful multi-year test of a given mechanism, which
|
|||
|
might include a Linux kernel, suffices for a number of types of
|
|||
|
safety-critical certifications. In fact, rumor has it that the Linux
|
|||
|
kernel is already being used in production for safety-critical
|
|||
|
applications. I don't know about you, but I would feel quite bad if a
|
|||
|
bug in RCU killed someone. Which might explain my recent focus on
|
|||
|
validation and verification.
|
|||
|
|
|||
|
Other RCU Flavors
|
|||
|
-----------------
|
|||
|
|
|||
|
One of the more surprising things about RCU is that there are now no
|
|||
|
fewer than five *flavors*, or API families. In addition, the primary
|
|||
|
flavor that has been the sole focus up to this point has two different
|
|||
|
implementations, non-preemptible and preemptible. The other four flavors
|
|||
|
are listed below, with requirements for each described in a separate
|
|||
|
section.
|
|||
|
|
|||
|
#. `Bottom-Half Flavor (Historical)`_
|
|||
|
#. `Sched Flavor (Historical)`_
|
|||
|
#. `Sleepable RCU`_
|
|||
|
#. `Tasks RCU`_
|
|||
|
|
|||
|
Bottom-Half Flavor (Historical)
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The RCU-bh flavor of RCU has since been expressed in terms of the other
|
|||
|
RCU flavors as part of a consolidation of the three flavors into a
|
|||
|
single flavor. The read-side API remains, and continues to disable
|
|||
|
softirq and to be accounted for by lockdep. Much of the material in this
|
|||
|
section is therefore strictly historical in nature.
|
|||
|
|
|||
|
The softirq-disable (AKA “bottom-half”, hence the “_bh” abbreviations)
|
|||
|
flavor of RCU, or *RCU-bh*, was developed by Dipankar Sarma to provide a
|
|||
|
flavor of RCU that could withstand the network-based denial-of-service
|
|||
|
attacks researched by Robert Olsson. These attacks placed so much
|
|||
|
networking load on the system that some of the CPUs never exited softirq
|
|||
|
execution, which in turn prevented those CPUs from ever executing a
|
|||
|
context switch, which, in the RCU implementation of that time, prevented
|
|||
|
grace periods from ever ending. The result was an out-of-memory
|
|||
|
condition and a system hang.
|
|||
|
|
|||
|
The solution was the creation of RCU-bh, which does
|
|||
|
local_bh_disable() across its read-side critical sections, and which
|
|||
|
uses the transition from one type of softirq processing to another as a
|
|||
|
quiescent state in addition to context switch, idle, user mode, and
|
|||
|
offline. This means that RCU-bh grace periods can complete even when
|
|||
|
some of the CPUs execute in softirq indefinitely, thus allowing
|
|||
|
algorithms based on RCU-bh to withstand network-based denial-of-service
|
|||
|
attacks.
|
|||
|
|
|||
|
Because rcu_read_lock_bh() and rcu_read_unlock_bh() disable and
|
|||
|
re-enable softirq handlers, any attempt to start a softirq handlers
|
|||
|
during the RCU-bh read-side critical section will be deferred. In this
|
|||
|
case, rcu_read_unlock_bh() will invoke softirq processing, which can
|
|||
|
take considerable time. One can of course argue that this softirq
|
|||
|
overhead should be associated with the code following the RCU-bh
|
|||
|
read-side critical section rather than rcu_read_unlock_bh(), but the
|
|||
|
fact is that most profiling tools cannot be expected to make this sort
|
|||
|
of fine distinction. For example, suppose that a three-millisecond-long
|
|||
|
RCU-bh read-side critical section executes during a time of heavy
|
|||
|
networking load. There will very likely be an attempt to invoke at least
|
|||
|
one softirq handler during that three milliseconds, but any such
|
|||
|
invocation will be delayed until the time of the
|
|||
|
rcu_read_unlock_bh(). This can of course make it appear at first
|
|||
|
glance as if rcu_read_unlock_bh() was executing very slowly.
|
|||
|
|
|||
|
The `RCU-bh
|
|||
|
API <https://lwn.net/Articles/609973/#RCU%20Per-Flavor%20API%20Table>`__
|
|||
|
includes rcu_read_lock_bh(), rcu_read_unlock_bh(), rcu_dereference_bh(),
|
|||
|
rcu_dereference_bh_check(), and rcu_read_lock_bh_held(). However, the
|
|||
|
old RCU-bh update-side APIs are now gone, replaced by synchronize_rcu(),
|
|||
|
synchronize_rcu_expedited(), call_rcu(), and rcu_barrier(). In addition,
|
|||
|
anything that disables bottom halves also marks an RCU-bh read-side
|
|||
|
critical section, including local_bh_disable() and local_bh_enable(),
|
|||
|
local_irq_save() and local_irq_restore(), and so on.
|
|||
|
|
|||
|
Sched Flavor (Historical)
|
|||
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
The RCU-sched flavor of RCU has since been expressed in terms of the
|
|||
|
other RCU flavors as part of a consolidation of the three flavors into a
|
|||
|
single flavor. The read-side API remains, and continues to disable
|
|||
|
preemption and to be accounted for by lockdep. Much of the material in
|
|||
|
this section is therefore strictly historical in nature.
|
|||
|
|
|||
|
Before preemptible RCU, waiting for an RCU grace period had the side
|
|||
|
effect of also waiting for all pre-existing interrupt and NMI handlers.
|
|||
|
However, there are legitimate preemptible-RCU implementations that do
|
|||
|
not have this property, given that any point in the code outside of an
|
|||
|
RCU read-side critical section can be a quiescent state. Therefore,
|
|||
|
*RCU-sched* was created, which follows “classic” RCU in that an
|
|||
|
RCU-sched grace period waits for pre-existing interrupt and NMI
|
|||
|
handlers. In kernels built with ``CONFIG_PREEMPTION=n``, the RCU and
|
|||
|
RCU-sched APIs have identical implementations, while kernels built with
|
|||
|
``CONFIG_PREEMPTION=y`` provide a separate implementation for each.
|
|||
|
|
|||
|
Note well that in ``CONFIG_PREEMPTION=y`` kernels,
|
|||
|
rcu_read_lock_sched() and rcu_read_unlock_sched() disable and
|
|||
|
re-enable preemption, respectively. This means that if there was a
|
|||
|
preemption attempt during the RCU-sched read-side critical section,
|
|||
|
rcu_read_unlock_sched() will enter the scheduler, with all the
|
|||
|
latency and overhead entailed. Just as with rcu_read_unlock_bh(),
|
|||
|
this can make it look as if rcu_read_unlock_sched() was executing
|
|||
|
very slowly. However, the highest-priority task won't be preempted, so
|
|||
|
that task will enjoy low-overhead rcu_read_unlock_sched()
|
|||
|
invocations.
|
|||
|
|
|||
|
The `RCU-sched
|
|||
|
API <https://lwn.net/Articles/609973/#RCU%20Per-Flavor%20API%20Table>`__
|
|||
|
includes rcu_read_lock_sched(), rcu_read_unlock_sched(),
|
|||
|
rcu_read_lock_sched_notrace(), rcu_read_unlock_sched_notrace(),
|
|||
|
rcu_dereference_sched(), rcu_dereference_sched_check(), and
|
|||
|
rcu_read_lock_sched_held(). However, the old RCU-sched update-side APIs
|
|||
|
are now gone, replaced by synchronize_rcu(), synchronize_rcu_expedited(),
|
|||
|
call_rcu(), and rcu_barrier(). In addition, anything that disables
|
|||
|
preemption also marks an RCU-sched read-side critical section,
|
|||
|
including preempt_disable() and preempt_enable(), local_irq_save()
|
|||
|
and local_irq_restore(), and so on.
|
|||
|
|
|||
|
Sleepable RCU
|
|||
|
~~~~~~~~~~~~~
|
|||
|
|
|||
|
For well over a decade, someone saying “I need to block within an RCU
|
|||
|
read-side critical section” was a reliable indication that this someone
|
|||
|
did not understand RCU. After all, if you are always blocking in an RCU
|
|||
|
read-side critical section, you can probably afford to use a
|
|||
|
higher-overhead synchronization mechanism. However, that changed with
|
|||
|
the advent of the Linux kernel's notifiers, whose RCU read-side critical
|
|||
|
sections almost never sleep, but sometimes need to. This resulted in the
|
|||
|
introduction of `sleepable RCU <https://lwn.net/Articles/202847/>`__, or
|
|||
|
*SRCU*.
|
|||
|
|
|||
|
SRCU allows different domains to be defined, with each such domain
|
|||
|
defined by an instance of an ``srcu_struct`` structure. A pointer to
|
|||
|
this structure must be passed in to each SRCU function, for example,
|
|||
|
``synchronize_srcu(&ss)``, where ``ss`` is the ``srcu_struct``
|
|||
|
structure. The key benefit of these domains is that a slow SRCU reader
|
|||
|
in one domain does not delay an SRCU grace period in some other domain.
|
|||
|
That said, one consequence of these domains is that read-side code must
|
|||
|
pass a “cookie” from srcu_read_lock() to srcu_read_unlock(), for
|
|||
|
example, as follows:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 int idx;
|
|||
|
2
|
|||
|
3 idx = srcu_read_lock(&ss);
|
|||
|
4 do_something();
|
|||
|
5 srcu_read_unlock(&ss, idx);
|
|||
|
|
|||
|
As noted above, it is legal to block within SRCU read-side critical
|
|||
|
sections, however, with great power comes great responsibility. If you
|
|||
|
block forever in one of a given domain's SRCU read-side critical
|
|||
|
sections, then that domain's grace periods will also be blocked forever.
|
|||
|
Of course, one good way to block forever is to deadlock, which can
|
|||
|
happen if any operation in a given domain's SRCU read-side critical
|
|||
|
section can wait, either directly or indirectly, for that domain's grace
|
|||
|
period to elapse. For example, this results in a self-deadlock:
|
|||
|
|
|||
|
::
|
|||
|
|
|||
|
1 int idx;
|
|||
|
2
|
|||
|
3 idx = srcu_read_lock(&ss);
|
|||
|
4 do_something();
|
|||
|
5 synchronize_srcu(&ss);
|
|||
|
6 srcu_read_unlock(&ss, idx);
|
|||
|
|
|||
|
However, if line 5 acquired a mutex that was held across a
|
|||
|
synchronize_srcu() for domain ``ss``, deadlock would still be
|
|||
|
possible. Furthermore, if line 5 acquired a mutex that was held across a
|
|||
|
synchronize_srcu() for some other domain ``ss1``, and if an
|
|||
|
``ss1``-domain SRCU read-side critical section acquired another mutex
|
|||
|
that was held across as ``ss``-domain synchronize_srcu(), deadlock
|
|||
|
would again be possible. Such a deadlock cycle could extend across an
|
|||
|
arbitrarily large number of different SRCU domains. Again, with great
|
|||
|
power comes great responsibility.
|
|||
|
|
|||
|
Unlike the other RCU flavors, SRCU read-side critical sections can run
|
|||
|
on idle and even offline CPUs. This ability requires that
|
|||
|
srcu_read_lock() and srcu_read_unlock() contain memory barriers,
|
|||
|
which means that SRCU readers will run a bit slower than would RCU
|
|||
|
readers. It also motivates the smp_mb__after_srcu_read_unlock() API,
|
|||
|
which, in combination with srcu_read_unlock(), guarantees a full
|
|||
|
memory barrier.
|
|||
|
|
|||
|
Also unlike other RCU flavors, synchronize_srcu() may **not** be
|
|||
|
invoked from CPU-hotplug notifiers, due to the fact that SRCU grace
|
|||
|
periods make use of timers and the possibility of timers being
|
|||
|
temporarily “stranded” on the outgoing CPU. This stranding of timers
|
|||
|
means that timers posted to the outgoing CPU will not fire until late in
|
|||
|
the CPU-hotplug process. The problem is that if a notifier is waiting on
|
|||
|
an SRCU grace period, that grace period is waiting on a timer, and that
|
|||
|
timer is stranded on the outgoing CPU, then the notifier will never be
|
|||
|
awakened, in other words, deadlock has occurred. This same situation of
|
|||
|
course also prohibits srcu_barrier() from being invoked from
|
|||
|
CPU-hotplug notifiers.
|
|||
|
|
|||
|
SRCU also differs from other RCU flavors in that SRCU's expedited and
|
|||
|
non-expedited grace periods are implemented by the same mechanism. This
|
|||
|
means that in the current SRCU implementation, expediting a future grace
|
|||
|
period has the side effect of expediting all prior grace periods that
|
|||
|
have not yet completed. (But please note that this is a property of the
|
|||
|
current implementation, not necessarily of future implementations.) In
|
|||
|
addition, if SRCU has been idle for longer than the interval specified
|
|||
|
by the ``srcutree.exp_holdoff`` kernel boot parameter (25 microseconds
|
|||
|
by default), and if a synchronize_srcu() invocation ends this idle
|
|||
|
period, that invocation will be automatically expedited.
|
|||
|
|
|||
|
As of v4.12, SRCU's callbacks are maintained per-CPU, eliminating a
|
|||
|
locking bottleneck present in prior kernel versions. Although this will
|
|||
|
allow users to put much heavier stress on call_srcu(), it is
|
|||
|
important to note that SRCU does not yet take any special steps to deal
|
|||
|
with callback flooding. So if you are posting (say) 10,000 SRCU
|
|||
|
callbacks per second per CPU, you are probably totally OK, but if you
|
|||
|
intend to post (say) 1,000,000 SRCU callbacks per second per CPU, please
|
|||
|
run some tests first. SRCU just might need a few adjustment to deal with
|
|||
|
that sort of load. Of course, your mileage may vary based on the speed
|
|||
|
of your CPUs and the size of your memory.
|
|||
|
|
|||
|
The `SRCU
|
|||
|
API <https://lwn.net/Articles/609973/#RCU%20Per-Flavor%20API%20Table>`__
|
|||
|
includes srcu_read_lock(), srcu_read_unlock(),
|
|||
|
srcu_dereference(), srcu_dereference_check(),
|
|||
|
synchronize_srcu(), synchronize_srcu_expedited(),
|
|||
|
call_srcu(), srcu_barrier(), and srcu_read_lock_held(). It
|
|||
|
also includes DEFINE_SRCU(), DEFINE_STATIC_SRCU(), and
|
|||
|
init_srcu_struct() APIs for defining and initializing
|
|||
|
``srcu_struct`` structures.
|
|||
|
|
|||
|
More recently, the SRCU API has added polling interfaces:
|
|||
|
|
|||
|
#. start_poll_synchronize_srcu() returns a cookie identifying
|
|||
|
the completion of a future SRCU grace period and ensures
|
|||
|
that this grace period will be started.
|
|||
|
#. poll_state_synchronize_srcu() returns ``true`` iff the
|
|||
|
specified cookie corresponds to an already-completed
|
|||
|
SRCU grace period.
|
|||
|
#. get_state_synchronize_srcu() returns a cookie just like
|
|||
|
start_poll_synchronize_srcu() does, but differs in that
|
|||
|
it does nothing to ensure that any future SRCU grace period
|
|||
|
will be started.
|
|||
|
|
|||
|
These functions are used to avoid unnecessary SRCU grace periods in
|
|||
|
certain types of buffer-cache algorithms having multi-stage age-out
|
|||
|
mechanisms. The idea is that by the time the block has aged completely
|
|||
|
from the cache, an SRCU grace period will be very likely to have elapsed.
|
|||
|
|
|||
|
Tasks RCU
|
|||
|
~~~~~~~~~
|
|||
|
|
|||
|
Some forms of tracing use “trampolines” to handle the binary rewriting
|
|||
|
required to install different types of probes. It would be good to be
|
|||
|
able to free old trampolines, which sounds like a job for some form of
|
|||
|
RCU. However, because it is necessary to be able to install a trace
|
|||
|
anywhere in the code, it is not possible to use read-side markers such
|
|||
|
as rcu_read_lock() and rcu_read_unlock(). In addition, it does
|
|||
|
not work to have these markers in the trampoline itself, because there
|
|||
|
would need to be instructions following rcu_read_unlock(). Although
|
|||
|
synchronize_rcu() would guarantee that execution reached the
|
|||
|
rcu_read_unlock(), it would not be able to guarantee that execution
|
|||
|
had completely left the trampoline. Worse yet, in some situations
|
|||
|
the trampoline's protection must extend a few instructions *prior* to
|
|||
|
execution reaching the trampoline. For example, these few instructions
|
|||
|
might calculate the address of the trampoline, so that entering the
|
|||
|
trampoline would be pre-ordained a surprisingly long time before execution
|
|||
|
actually reached the trampoline itself.
|
|||
|
|
|||
|
The solution, in the form of `Tasks
|
|||
|
RCU <https://lwn.net/Articles/607117/>`__, is to have implicit read-side
|
|||
|
critical sections that are delimited by voluntary context switches, that
|
|||
|
is, calls to schedule(), cond_resched(), and
|
|||
|
synchronize_rcu_tasks(). In addition, transitions to and from
|
|||
|
userspace execution also delimit tasks-RCU read-side critical sections.
|
|||
|
|
|||
|
The tasks-RCU API is quite compact, consisting only of
|
|||
|
call_rcu_tasks(), synchronize_rcu_tasks(), and
|
|||
|
rcu_barrier_tasks(). In ``CONFIG_PREEMPTION=n`` kernels, trampolines
|
|||
|
cannot be preempted, so these APIs map to call_rcu(),
|
|||
|
synchronize_rcu(), and rcu_barrier(), respectively. In
|
|||
|
``CONFIG_PREEMPTION=y`` kernels, trampolines can be preempted, and these
|
|||
|
three APIs are therefore implemented by separate functions that check
|
|||
|
for voluntary context switches.
|
|||
|
|
|||
|
Possible Future Changes
|
|||
|
-----------------------
|
|||
|
|
|||
|
One of the tricks that RCU uses to attain update-side scalability is to
|
|||
|
increase grace-period latency with increasing numbers of CPUs. If this
|
|||
|
becomes a serious problem, it will be necessary to rework the
|
|||
|
grace-period state machine so as to avoid the need for the additional
|
|||
|
latency.
|
|||
|
|
|||
|
RCU disables CPU hotplug in a few places, perhaps most notably in the
|
|||
|
rcu_barrier() operations. If there is a strong reason to use
|
|||
|
rcu_barrier() in CPU-hotplug notifiers, it will be necessary to
|
|||
|
avoid disabling CPU hotplug. This would introduce some complexity, so
|
|||
|
there had better be a *very* good reason.
|
|||
|
|
|||
|
The tradeoff between grace-period latency on the one hand and
|
|||
|
interruptions of other CPUs on the other hand may need to be
|
|||
|
re-examined. The desire is of course for zero grace-period latency as
|
|||
|
well as zero interprocessor interrupts undertaken during an expedited
|
|||
|
grace period operation. While this ideal is unlikely to be achievable,
|
|||
|
it is quite possible that further improvements can be made.
|
|||
|
|
|||
|
The multiprocessor implementations of RCU use a combining tree that
|
|||
|
groups CPUs so as to reduce lock contention and increase cache locality.
|
|||
|
However, this combining tree does not spread its memory across NUMA
|
|||
|
nodes nor does it align the CPU groups with hardware features such as
|
|||
|
sockets or cores. Such spreading and alignment is currently believed to
|
|||
|
be unnecessary because the hotpath read-side primitives do not access
|
|||
|
the combining tree, nor does call_rcu() in the common case. If you
|
|||
|
believe that your architecture needs such spreading and alignment, then
|
|||
|
your architecture should also benefit from the
|
|||
|
``rcutree.rcu_fanout_leaf`` boot parameter, which can be set to the
|
|||
|
number of CPUs in a socket, NUMA node, or whatever. If the number of
|
|||
|
CPUs is too large, use a fraction of the number of CPUs. If the number
|
|||
|
of CPUs is a large prime number, well, that certainly is an
|
|||
|
“interesting” architectural choice! More flexible arrangements might be
|
|||
|
considered, but only if ``rcutree.rcu_fanout_leaf`` has proven
|
|||
|
inadequate, and only if the inadequacy has been demonstrated by a
|
|||
|
carefully run and realistic system-level workload.
|
|||
|
|
|||
|
Please note that arrangements that require RCU to remap CPU numbers will
|
|||
|
require extremely good demonstration of need and full exploration of
|
|||
|
alternatives.
|
|||
|
|
|||
|
RCU's various kthreads are reasonably recent additions. It is quite
|
|||
|
likely that adjustments will be required to more gracefully handle
|
|||
|
extreme loads. It might also be necessary to be able to relate CPU
|
|||
|
utilization by RCU's kthreads and softirq handlers to the code that
|
|||
|
instigated this CPU utilization. For example, RCU callback overhead
|
|||
|
might be charged back to the originating call_rcu() instance, though
|
|||
|
probably not in production kernels.
|
|||
|
|
|||
|
Additional work may be required to provide reasonable forward-progress
|
|||
|
guarantees under heavy load for grace periods and for callback
|
|||
|
invocation.
|
|||
|
|
|||
|
Summary
|
|||
|
-------
|
|||
|
|
|||
|
This document has presented more than two decade's worth of RCU
|
|||
|
requirements. Given that the requirements keep changing, this will not
|
|||
|
be the last word on this subject, but at least it serves to get an
|
|||
|
important subset of the requirements set forth.
|
|||
|
|
|||
|
Acknowledgments
|
|||
|
---------------
|
|||
|
|
|||
|
I am grateful to Steven Rostedt, Lai Jiangshan, Ingo Molnar, Oleg
|
|||
|
Nesterov, Borislav Petkov, Peter Zijlstra, Boqun Feng, and Andy
|
|||
|
Lutomirski for their help in rendering this article human readable, and
|
|||
|
to Michelle Rankin for her support of this effort. Other contributions
|
|||
|
are acknowledged in the Linux kernel's git archive.
|