2A description of what robust futexes are
   5:Started by: Ingo Molnar <>
  10what are robust futexes? To answer that, we first need to understand
  11what futexes are: normal futexes are special types of locks that in the
  12noncontended case can be acquired/released from userspace without having
  13to enter the kernel.
  15A futex is in essence a user-space address, e.g. a 32-bit lock variable
  16field. If userspace notices contention (the lock is already owned and
  17someone else wants to grab it too) then the lock is marked with a value
  18that says "there's a waiter pending", and the sys_futex(FUTEX_WAIT)
  19syscall is used to wait for the other guy to release it. The kernel
  20creates a 'futex queue' internally, so that it can later on match up the
  21waiter with the waker - without them having to know about each other.
  22When the owner thread releases the futex, it notices (via the variable
  23value) that there were waiter(s) pending, and does the
  24sys_futex(FUTEX_WAKE) syscall to wake them up.  Once all waiters have
  25taken and released the lock, the futex is again back to 'uncontended'
  26state, and there's no in-kernel state associated with it. The kernel
  27completely forgets that there ever was a futex at that address. This
  28method makes futexes very lightweight and scalable.
  30"Robustness" is about dealing with crashes while holding a lock: if a
  31process exits prematurely while holding a pthread_mutex_t lock that is
  32also shared with some other process (e.g. yum segfaults while holding a
  33pthread_mutex_t, or yum is kill -9-ed), then waiters for that lock need
  34to be notified that the last owner of the lock exited in some irregular
  37To solve such types of problems, "robust mutex" userspace APIs were
  38created: pthread_mutex_lock() returns an error value if the owner exits
  39prematurely - and the new owner can decide whether the data protected by
  40the lock can be recovered safely.
  42There is a big conceptual problem with futex based mutexes though: it is
  43the kernel that destroys the owner task (e.g. due to a SEGFAULT), but
  44the kernel cannot help with the cleanup: if there is no 'futex queue'
  45(and in most cases there is none, futexes being fast lightweight locks)
  46then the kernel has no information to clean up after the held lock!
  47Userspace has no chance to clean up after the lock either - userspace is
  48the one that crashes, so it has no opportunity to clean up. Catch-22.
  50In practice, when e.g. yum is kill -9-ed (or segfaults), a system reboot
  51is needed to release that futex based lock. This is one of the leading
  52bugreports against yum.
  54To solve this problem, the traditional approach was to extend the vma
  55(virtual memory area descriptor) concept to have a notion of 'pending
  56robust futexes attached to this area'. This approach requires 3 new
  57syscall variants to sys_futex(): FUTEX_REGISTER, FUTEX_DEREGISTER and
  58FUTEX_RECOVER. At do_exit() time, all vmas are searched to see whether
  59they have a robust_head set. This approach has two fundamental problems
  62 - it has quite complex locking and race scenarios. The vma-based
  63   approach had been pending for years, but they are still not completely
  64   reliable.
  66 - they have to scan _every_ vma at sys_exit() time, per thread!
  68The second disadvantage is a real killer: pthread_exit() takes around 1
  69microsecond on Linux, but with thousands (or tens of thousands) of vmas
  70every pthread_exit() takes a millisecond or more, also totally
  71destroying the CPU's L1 and L2 caches!
  73This is very much noticeable even for normal process sys_exit_group()
  74calls: the kernel has to do the vma scanning unconditionally! (this is
  75because the kernel has no knowledge about how many robust futexes there
  76are to be cleaned up, because a robust futex might have been registered
  77in another task, and the futex variable might have been simply mmap()-ed
  78into this process's address space).
  80This huge overhead forced the creation of CONFIG_FUTEX_ROBUST so that
  81normal kernels can turn it off, but worse than that: the overhead makes
  82robust futexes impractical for any type of generic Linux distribution.
  84So something had to be done.
  86New approach to robust futexes
  89At the heart of this new approach there is a per-thread private list of
  90robust locks that userspace is holding (maintained by glibc) - which
  91userspace list is registered with the kernel via a new syscall [this
  92registration happens at most once per thread lifetime]. At do_exit()
  93time, the kernel checks this user-space list: are there any robust futex
  94locks to be cleaned up?
  96In the common case, at do_exit() time, there is no list registered, so
  97the cost of robust futexes is just a simple current->robust_list != NULL
  98comparison. If the thread has registered a list, then normally the list
  99is empty. If the thread/process crashed or terminated in some incorrect
 100way then the list might be non-empty: in this case the kernel carefully
 101walks the list [not trusting it], and marks all locks that are owned by
 102this thread with the FUTEX_OWNER_DIED bit, and wakes up one waiter (if
 105The list is guaranteed to be private and per-thread at do_exit() time,
 106so it can be accessed by the kernel in a lockless way.
 108There is one race possible though: since adding to and removing from the
 109list is done after the futex is acquired by glibc, there is a few
 110instructions window for the thread (or process) to die there, leaving
 111the futex hung. To protect against this possibility, userspace (glibc)
 112also maintains a simple per-thread 'list_op_pending' field, to allow the
 113kernel to clean up if the thread dies after acquiring the lock, but just
 114before it could have added itself to the list. Glibc sets this
 115list_op_pending field before it tries to acquire the futex, and clears
 116it after the list-add (or list-remove) has finished.
 118That's all that is needed - all the rest of robust-futex cleanup is done
 119in userspace [just like with the previous patches].
 121Ulrich Drepper has implemented the necessary glibc support for this new
 122mechanism, which fully enables robust mutexes.
 124Key differences of this userspace-list based approach, compared to the
 125vma based method:
 127 - it's much, much faster: at thread exit time, there's no need to loop
 128   over every vma (!), which the VM-based method has to do. Only a very
 129   simple 'is the list empty' op is done.
 131 - no VM changes are needed - 'struct address_space' is left alone.
 133 - no registration of individual locks is needed: robust mutexes don't
 134   need any extra per-lock syscalls. Robust mutexes thus become a very
 135   lightweight primitive - so they don't force the application designer
 136   to do a hard choice between performance and robustness - robust
 137   mutexes are just as fast.
 139 - no per-lock kernel allocation happens.
 141 - no resource limits are needed.
 143 - no kernel-space recovery call (FUTEX_RECOVER) is needed.
 145 - the implementation and the locking is "obvious", and there are no
 146   interactions with the VM.
 151I have benchmarked the time needed for the kernel to process a list of 1
 152million (!) held locks, using the new method [on a 2GHz CPU]:
 154 - with FUTEX_WAIT set [contended mutex]: 130 msecs
 155 - without FUTEX_WAIT set [uncontended mutex]: 30 msecs
 157I have also measured an approach where glibc does the lock notification
 158[which it currently does for !pshared robust mutexes], and that took 256
 159msecs - clearly slower, due to the 1 million FUTEX_WAKE syscalls
 160userspace had to do.
 162(1 million held locks are unheard of - we expect at most a handful of
 163locks to be held at a time. Nevertheless it's nice to know that this
 164approach scales nicely.)
 166Implementation details
 169The patch adds two new syscalls: one to register the userspace list, and
 170one to query the registered list pointer::
 172 asmlinkage long
 173 sys_set_robust_list(struct robust_list_head __user *head,
 174                     size_t len);
 176 asmlinkage long
 177 sys_get_robust_list(int pid, struct robust_list_head __user **head_ptr,
 178                     size_t __user *len_ptr);
 180List registration is very fast: the pointer is simply stored in
 181current->robust_list. [Note that in the future, if robust futexes become
 182widespread, we could extend sys_clone() to register a robust-list head
 183for new threads, without the need of another syscall.]
 185So there is virtually zero overhead for tasks not using robust futexes,
 186and even for robust futex users, there is only one extra syscall per
 187thread lifetime, and the cleanup operation, if it happens, is fast and
 188straightforward. The kernel doesn't have any internal distinction between
 189robust and normal futexes.
 191If a futex is found to be held at exit time, the kernel sets the
 192following bit of the futex word::
 194        #define FUTEX_OWNER_DIED        0x40000000
 196and wakes up the next futex waiter (if any). User-space does the rest of
 197the cleanup.
 199Otherwise, robust futexes are acquired by glibc by putting the TID into
 200the futex field atomically. Waiters set the FUTEX_WAITERS bit::
 202        #define FUTEX_WAITERS           0x80000000
 204and the remaining bits are for the TID.
 206Testing, architecture support
 209I've tested the new syscalls on x86 and x86_64, and have made sure the
 210parsing of the userspace list is robust [ ;-) ] even if the list is
 211deliberately corrupted.
 213i386 and x86_64 syscalls are wired up at the moment, and Ulrich has
 214tested the new glibc code (on x86_64 and i386), and it works for his
 215robust-mutex testcases.
 217All other architectures should build just fine too - but they won't have
 218the new syscalls yet.
 220Architectures need to implement the new futex_atomic_cmpxchg_inatomic()
 221inline function before writing up the syscalls (that function returns
 222-ENOSYS right now).
 223 kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.