Stable pages
Most of the time, that works just fine. In the worst case, the second write to the page will happen before the first writeback I/O operation begins; in that case, the more recently written data will also be written to disk in the first I/O operation and a second, redundant disk write will be queued later. Either way, the data gets to its backing store, which is the real intent.
There are cases where modifying a page that is under writeback is a bad idea, though. Some devices can perform integrity checking, meaning that the data written to disk is checksummed by the hardware and compared against a pre-write checksum provided by the kernel. If the data changes after the kernel calculates its checksum, that check will fail, causing a spurious write error. Software RAID implementations can be tripped up by changing data as well. As a result of problems like this, developers working in the filesystem area have been convinced for a while that the kernel needs to support "stable pages" which are guaranteed not to change while they are under writeback.
When LWN looked at stable pages in February, Darrick Wong had just posted a patch aimed at solving this problem. In situations where integrity checking was in use, the kernel would make a copy of each page before beginning a writeback operation. Since nobody in user space knew about the copy, it was guaranteed to remain unmolested for the duration of the write operation. This patch solved the problem for the integrity checking case, but all of those copy operations were expensive. Given that providing stable pages in all situations was seen as desirable, that cost was considered to be too high.
So Darrick has come back with a new patch set which takes a different - and simpler - approach. In short, with this patch, any attempt to write to a page which is under writeback will simply wait until the writeback completes. There is no need to copy pages or engage in other tricks, but there may be a cost to this approach as well.
As noted above, a page will be marked read-only when it is written back; there is also a page flag which indicates that writeback is in progress. So all of the pieces are there to trap writes to pages under writeback. To make it even easier, the VFS layer already has a callback (page_mkwrite()) to notify filesystems that a read-only page is being made writable; all Darrick really needed to do was to change how those page_mkwrite() callbacks operate in presence of writeback.
Some filesystems do not provide page_mkwrite() at all; for those, Darrick created a generic empty_page_mkwrite() function which locks the page, waits for any writeback to complete, then returns the locked page. More complicated filesystems do have page_mkwrite() handlers, though, so Darrick had to add similar functionality for ext2, ext4, and FAT. Btrfs has implemented stable pages internally for some time, so no changes were required there. Ext3 turns out to have some complicated interactions with the journal layer which make a stable page implementation hard; since invasive changes to ext3 are not welcomed at this point, that filesystem may never get stable page support.
There have been concerns expressed that this approach could slow down applications which repeatedly write to the same part of a file. Before this change, writeback would not slow down subsequent writes; afterward, those writes will wait for writeback to complete. Darrick ran some benchmarks to test this case and found a performance degradation of up to 12%. This slowdown is unwelcome, but there also seems to be a consensus that there are very few applications which would actually run into this problem. Repetitively rewriting data is a relatively rare pattern; indeed, the developers involved are saying that they don't even know of a real-world case they can test.
Lack of awareness of applications which would be adversely affected by this
change does not mean that they don't exist, of course. This is the kind of
change which can create real problems a few years down the line when the
code is finally shipped by distributors and deployed by users; by then,
it's far too late to go back. If there are applications which would react
poorly to this change, it would be good to get the word out now. Otherwise
the benefits of stable pages are likely to cause them to be adopted in most
settings.
| Index entries for this article | |
|---|---|
| Kernel | Data integrity |
| Kernel | Stable pages |
Posted May 12, 2011 2:54 UTC (Thu)
by nirbheek (subscriber, #54111)
[Link] (12 responses)
The copy-on-writeback solution that took too much memory, and the wait-on-writeback solution that causes too much latency are two extreme solutions to this problem.
Wouldn't an intermediate solution such as copy-on-page-modify be better? That way, when a page that's under writeback needs to be modified, a copy is made, that copy is modified, and the modified page can be marked for writeback as well.
Another solution could be to copy only the checksum value instead of the whole page.
I'm probably missing something here, and I'd like to know what that is :)
Posted May 12, 2011 3:12 UTC (Thu)
by jzbiciak (guest, #5246)
[Link] (11 responses)
As for the checksum, what about something like software RAID-5, where the parity block is as large as the block being written back?
Posted May 12, 2011 6:07 UTC (Thu)
by djwong (subscriber, #23506)
[Link] (8 responses)
Posted May 12, 2011 13:00 UTC (Thu)
by smurf (subscriber, #17840)
[Link] (2 responses)
Posted May 12, 2011 13:28 UTC (Thu)
by jzbiciak (guest, #5246)
[Link] (1 responses)
Now, on a separate note: One thing that wasn't clear to me was why this blocking only applies to file backed pages. Wouldn't anonymous pages headed toward swap also be subject to this if swap was on an integrity-checked volume?
Posted May 12, 2011 20:01 UTC (Thu)
by djwong (subscriber, #23506)
[Link]
Posted May 12, 2011 18:07 UTC (Thu)
by davecb (subscriber, #1574)
[Link] (2 responses)
In a previous life I was involved in the performance measurement of coalescing disk writes, and we found a very large number of sequential writes could be coalesced into single writes, and then adjacent blocks coalesced into larger singe writes. This paid off particularly well when a disk was being handed writes at or beyond it's capacity, by removing unneeded writes. I think I still have the graphs somewhere (;-))
I'll comment on the non-sequential case in a sec, after I look at my archive.
--dave
Posted May 12, 2011 18:49 UTC (Thu)
by jzbiciak (guest, #5246)
[Link] (1 responses)
http://lxr.free-electrons.com/source/mm/page-writeback.c
That's what makes it so hard (at least for me) to reason about what workloads would get hurt, since there's not a simple, immediate relationship between "application dirtied a page" and "page got scheduled for writeback." You need both of those things to happen *and* the application must subsequently try to dirty the page further before you hit the page-block.
I guess you could get some negative interactions more immediately if a 'write' call scheduled a writeback for part of a page, and then the app immediately resumed filling the rest of the page. Still, I don't think a write() syscall triggers an immediate writeback on most calls. Take a look at 'queue_io' around line 277:
http://lxr.free-electrons.com/source/fs/fs-writeback.c
Only the oldest dirtied pages get flushed, as I read that.
Posted May 12, 2011 19:23 UTC (Thu)
by davecb (subscriber, #1574)
[Link]
Posted May 12, 2011 18:35 UTC (Thu)
by davecb (subscriber, #1574)
[Link] (1 responses)
Delaying, duplicating or COWing allows us to survive or avoid the data changing while the I/O is queued, which is a pretty long time compared to anything happening in main memory. The speed difference gives us a relatively large period in which a program can race ahead of the disk.
If the purpose is to validate the disk write, one would want to do the checksum as late as possible before the write, and verify it either as part of hardware write or via a read-after-write step. That keeps the time period tiny.
If the purpose is to validate it from end to end, I suspect you need more than one check. One check would need to be done as the data is queued, to be sure it made it to the queue ok, which would need to be amended if the page in queue is coalesced with a later write. In the latter case you have a new, amended checksum to check as-or-after the write.
Alas, I'm not following the main list these days, so I'm unclear of the fine details of the requirements you face!
--dave
Posted May 15, 2011 20:44 UTC (Sun)
by giraffedata (guest, #1954)
[Link]
The race is between Linux and the disk drive. No matter when Linux computes the checksum, if the data in the buffer changes while the disk drive is transferring the data from the buffer to itself, Linux cannot ensure that the checksum the disk drive gets is correct for the rest of the data that the disk drive gets.
It's always been pretty dicey to have the disk drive get a mixture of older and newer data for a single write, but we've always arranged it so that in the cases where than can happen, it doesn't matter that we end up with garbage. But it's a lot harder to ignore a checksum mismatch, which is designed to indicate lower level corruption.
Posted May 12, 2011 18:46 UTC (Thu)
by dlang (guest, #313)
[Link] (1 responses)
if you have a page that's being modified 1000 times a second, you don't want to have 1000 copies/sec to try and write out.
but while the system is working to write the first copy, you can allow the second copy to be modified many different times, and only when you select that page for writeout (and are ready to do the checksum on it), do you set COW.
this will get the modifications to disk as quickly as the disk will support it, but will only have one copy of the page (in addition to what's in the process of being written out to disk)
Posted May 12, 2011 19:54 UTC (Thu)
by djwong (subscriber, #23506)
[Link]
Posted May 12, 2011 6:08 UTC (Thu)
by djwong (subscriber, #23506)
[Link] (1 responses)
Posted May 12, 2011 6:17 UTC (Thu)
by jake (editor, #205)
[Link]
That seems a bit more serious than a 'nit', sorry about that, fixed now.
jake
Posted May 12, 2011 10:32 UTC (Thu)
by dgm (subscriber, #49227)
[Link]
Posted May 12, 2011 13:06 UTC (Thu)
by alex (subscriber, #1355)
[Link]
However performance is currently sucky enough that heavy RRD users are already using the caching daemon to ameliorate the effect.
Posted May 13, 2011 1:32 UTC (Fri)
by smithj (guest, #38034)
[Link] (1 responses)
Then again, I doubt many people consider shred to be performance-critical.
Posted May 13, 2011 2:04 UTC (Fri)
by njs (subscriber, #40338)
[Link]
Posted May 13, 2011 5:27 UTC (Fri)
by bazsi (guest, #63084)
[Link] (2 responses)
syslog-ng is following a logfile, its current position is kept in a file-backed memory region. In case the daemon is crashed the position remains there, so we can continue where we left off.
syslog-ng can update that page 100k/sec (especially if there are multiple such files and multiple threads reading), and I'm sure it's not waiting for writeback all the time, but that would probably negatively affect this and similar workloads.
Posted May 13, 2011 20:06 UTC (Fri)
by dlang (guest, #313)
[Link] (1 responses)
Posted May 17, 2011 20:29 UTC (Tue)
by bazsi (guest, #63084)
[Link]
the only thing to prevent that is an OS level crash.
Stable pages
Stable pages
Stable pages
Stable pages
When I do that, in order to guarantee that the main program responds immediately I lock the whole application in memory and use a separate writing thread.
But if you lock a couple of my process' pages when writing, that lock will affect unrelated data structures which simply happen to be on the same meory page. I can thus no longer guarantee that my main task will no longer block on random memory writes. That's not acceptable.
Stable pages
Stable pages
Stable pages, posible corner cases
Stable pages, posible corner cases
Stable pages, posible corner cases
Stable pages - is this "racy" ?
Stable pages - is this "racy" ?
Stable pages
Stable pages
Stable pages
Stable pages
Stable pages
Pathological corner cases
Stable pages
Stable pages
Stable pages
Stable pages
Stable pages