This is a port on kernel 4.17 of the work done by Peter Zijlstra to handle
page fault without holding the mm semaphore [1].

The idea is to try to handle user space page faults without holding the
mmap_sem. This should allow better concurrency for massively threaded
process since the page fault handler will not wait for other threads memory
layout change to be done, assuming that this change is done in another part
of the process's memory space. This type page fault is named speculative
page fault. If the speculative page fault fails because of a concurrency is
detected or because underlying PMD or PTE tables are not yet allocating, it
is failing its processing and a classic page fault is then tried.

The speculative page fault (SPF) has to look for the VMA matching the fault
address without holding the mmap_sem, this is done by introducing a rwlock
which protects the access to the mm_rb tree. Previously this was done using
SRCU but it was introducing a lot of scheduling to process the VMA's
freeing operation which was hitting the performance by 20% as reported by
Kemi Wang [2]. Using a rwlock to protect access to the mm_rb tree is
limiting the locking contention to these operations which are expected to
be in a O(log n) order. In addition to ensure that the VMA is not freed in
our back a reference count is added and 2 services (get_vma() and
put_vma()) are introduced to handle the reference count. Once a VMA is
fetched from the RB tree using get_vma(), it must be later freed using
put_vma(). I can't see anymore the overhead I got while will-it-scale
benchmark anymore.

The VMA's attributes checked during the speculative page fault processing
have to be protected against parallel changes. This is done by using a per
VMA sequence lock. This sequence lock allows the speculative page fault
handler to fast check for parallel changes in progress and to abort the
speculative page fault in that case.

Once the VMA has been found, the speculative page fault handler would check
for the VMA's attributes to verify that the page fault has to be handled
correctly or not. Thus, the VMA is protected through a sequence lock which
allows fast detection of concurrent VMA changes. If such a change is
detected, the speculative page fault is aborted and a *classic* page fault
is tried.  VMA sequence lockings are added when VMA attributes which are
checked during the page fault are modified.

When the PTE is fetched, the VMA is checked to see if it has been changed,
so once the page table is locked, the VMA is valid, so any other changes
leading to touching this PTE will need to lock the page table, so no
parallel change is possible at this time.

The locking of the PTE is done with interrupts disabled, this allows
checking for the PMD to ensure that there is not an ongoing collapsing
operation. Since khugepaged is firstly set the PMD to pmd_none and then is
waiting for the other CPU to have caught the IPI interrupt, if the pmd is
valid at the time the PTE is locked, we have the guarantee that the
collapsing operation will have to wait on the PTE lock to move forward.
This allows the SPF handler to map the PTE safely. If the PMD value is
different from the one recorded at the beginning of the SPF operation, the
classic page fault handler will be called to handle the operation while
holding the mmap_sem. As the PTE lock is done with the interrupts disabled,
the lock is done using spin_trylock() to avoid dead lock when handling a
page fault while a TLB invalidate is requested by another CPU holding the

In pseudo code, this could be seen as:
            vma = get_vma()
            check vma sequence count
            check vma's support
            disable interrupt
                  check pgd,p4d,...,pte
                  save pmd and pte in vmf
                  save vma sequence counter in vmf
            enable interrupt
            check vma sequence count
                    page = alloc_page()
                            disable interrupt
                                    abort if sequence counter has changed
                                    abort if pmd or pte has changed
                                    pte map and lock
                            enable interrupt
                    if abort
                       free page
            if (speculative_page_fault(&vma))
               goto done
            vma = find_vma();
            if retry
               goto again;
            handle fault error

Support for THP is not done because when checking for the PMD, we can be
confused by an in progress collapsing operation done by khugepaged. The
issue is that pmd_none() could be true either if the PMD is not already
populated or if the underlying PTE are in the way to be collapsed. So we
cannot safely allocate a PMD if pmd_none() is true.

This series add a new software performance event named 'speculative-faults'
or 'spf'. It counts the number of successful page fault event handled
speculatively. When recording 'faults,spf' events, the faults one is
counting the total number of page fault events while 'spf' is only counting
the part of the faults processed speculatively.

There are some trace events introduced by this series. They allow
identifying why the page faults were not processed speculatively. This
doesn't take in account the faults generated by a monothreaded process
which directly processed while holding the mmap_sem. This trace events are
grouped in a system named 'pagefault', they are:
 - pagefault:spf_vma_changed : if the VMA has been changed in our back
 - pagefault:spf_vma_noanon : the vma->anon_vma field was not yet set.
 - pagefault:spf_vma_notsup : the VMA's type is not supported
 - pagefault:spf_vma_access : the VMA's access right are not respected
 - pagefault:spf_pmd_changed : the upper PMD pointer has changed in our

To record all the related events, the easier is to run perf with the
following arguments : 
$ perf stat -e 'faults,spf,pagefault:*' <command>

There is also a dedicated vmstat counter showing the number of successful
page fault handled speculatively. I can be seen this way: 
$ grep speculative_pgfault /proc/vmstat

This series builds on top of v4.16-mmotm-2018-04-13-17-28 and is functional
on x86, PowerPC and arm64.

Real Workload results

As mentioned in previous email, we did non official runs using a "popular
in memory multithreaded database product" on 176 cores SMT8 Power system
which showed a 30% improvements in the number of transaction processed per
second. This run has been done on the v6 series, but changes introduced in
this new version should not impact the performance boost seen.

Here are the perf data captured during 2 of these runs on top of the v8
                vanilla         spf
faults          89.418          101.364         +13%    
spf                n/a           97.989

With the SPF kernel, most of the page fault were processed in a speculative

Ganesh Mahendran had backported the series on top of a 4.9 kernel and gave
it a try on an android device. He reported that the application launch time
was improved in average by 6%, and for large applications (~100 threads) by

Here are the launch time Ganesh mesured on Android 8.0 on top of a Qcom
MSM845 (8 cores) with 6GB (the less is better):

Application                             4.9     4.9+spf delta                          416     389     -7%             1135    986     -13%
com.tencent.mtt                         455     454     0%
com.qqgame.hlddz                        1497    1409    -6%
com.autonavi.minimap                    711     701     -1%
com.tencent.tmgp.sgame                  788     748     -5%
com.immomo.momo                         501     487     -3%
com.tencent.peng                        2145    2112    -2%                      491     461     -6%                      479     366     -23%                       1341    1198    -11%                     333     314     -6%
com.tencent.mobileqq                    394     384     -3%                          907     906     0%                         816     731     -11%
com.happyelements.AndroidAnimal.qq      763     717     -6%
com.UCMobile                            415     411     -1%
com.tencent.tmgp.ak                     1464    1431    -2%
com.tencent.qqmusic                     336     329     -2%
com.sankuai.meituan                     1661    1302    -22%
com.netease.cloudmusic                  1193    1200    1%                    4257    4152    -2%

Benchmarks results

Base kernel is v4.17.0-rc4-mm1
SPF is BASE + this series

Here are the results on a 16 CPUs X86 guest using kernbench on a 4.15
kernel (kernel is build 5 times):

Average Half load -j 8
                 Run    (std deviation)
                 BASE                   SPF
Elapsed Time     1448.65 (5.72312)      1455.84 (4.84951)       0.50%
User    Time     10135.4 (30.3699)      10148.8 (31.1252)       0.13%
System  Time     900.47  (2.81131)      923.28  (7.52779)       2.53%
Percent CPU      761.4   (1.14018)      760.2   (0.447214)      -0.16%
Context Switches 85380   (3419.52)      84748   (1904.44)       -0.74%
Sleeps           105064  (1240.96)      105074  (337.612)       0.01%
Average Optimal load -j 16
                 Run    (std deviation)
                 BASE                   SPF
Elapsed Time     920.528 (10.1212)      927.404 (8.91789)       0.75%
User    Time     11064.8 (981.142)      11085   (990.897)       0.18%
System  Time     979.904 (84.0615)      1001.14 (82.5523)       2.17%
Percent CPU      1089.5  (345.894)      1086.1  (343.545)       -0.31%
Context Switches 159488  (78156.4)      158223  (77472.1)       -0.79%
Sleeps           110566  (5877.49)      110388  (5617.75)       -0.16%

During a run on the SPF, perf events were captured:
 Performance counter stats for '../kernbench -M':
         526743764      faults                   
               210      spf                      
                 3      pagefault:spf_vma_changed
                 0      pagefault:spf_vma_noanon 
              2278      pagefault:spf_vma_notsup 
                 0      pagefault:spf_vma_access 
                 0      pagefault:spf_pmd_changed

Very few speculative page faults were recorded as most of the processes
involved are monothreaded (sounds that on this architecture some threads
were created during the kernel build processing).

Here are the kerbench results on a 80 CPUs Power8 system:

Average Half load -j 40
                 Run    (std deviation)
                 BASE                   SPF
Elapsed Time     117.152 (0.774642)     117.166 (0.476057)      0.01%
User    Time     4478.52 (24.7688)      4479.76 (9.08555)       0.03%
System  Time     131.104 (0.720056)     134.04  (0.708414)      2.24%
Percent CPU      3934    (19.7104)      3937.2  (19.0184)       0.08%
Context Switches 92125.4 (576.787)      92581.6 (198.622)       0.50%
Sleeps           317923  (652.499)      318469  (1255.59)       0.17%
Average Optimal load -j 80
                 Run    (std deviation)
                 BASE                   SPF
Elapsed Time     107.73  (0.632416)     107.31  (0.584936)      -0.39%
User    Time     5869.86 (1466.72)      5871.71 (1467.27)       0.03%
System  Time     153.728 (23.8573)      157.153 (24.3704)       2.23%
Percent CPU      5418.6  (1565.17)      5436.7  (1580.91)       0.33%
Context Switches 223861  (138865)       225032  (139632)        0.52%
Sleeps           330529  (13495.1)      332001  (14746.2)       0.45%

During a run on the SPF, perf events were captured:
 Performance counter stats for '../kernbench -M':
         116730856      faults
                 0      spf
                 3      pagefault:spf_vma_changed
                 0      pagefault:spf_vma_noanon
               476      pagefault:spf_vma_notsup
                 0      pagefault:spf_vma_access
                 0      pagefault:spf_pmd_changed

Most of the processes involved are monothreaded so SPF is not activated but
there is no impact on the performance.

The test is counting the number of records per second it can manage, the
higher is the best. I run it like this 'ebizzy -mTt <nrcpus>'. To get
consistent result I repeated the test 100 times and measure the average
result. The number is the record processes per second, the higher is the

                BASE            SPF             delta   
16 CPUs x86 VM  742.57          1490.24         100.69%
80 CPUs P8 node 13105.4         24174.23        84.46%

Here are the performance counter read during a run on a 16 CPUs x86 VM:
 Performance counter stats for './ebizzy -mTt 16':
           1706379      faults
           1674599      spf
             30588      pagefault:spf_vma_changed
                 0      pagefault:spf_vma_noanon
               363      pagefault:spf_vma_notsup
                 0      pagefault:spf_vma_access 
                 0      pagefault:spf_pmd_changed

And the ones captured during a run on a 80 CPUs Power node:
 Performance counter stats for './ebizzy -mTt 80':
           1874773      faults
           1461153      spf
            413293      pagefault:spf_vma_changed
                 0      pagefault:spf_vma_noanon
               200      pagefault:spf_vma_notsup
                 0      pagefault:spf_vma_access
                 0      pagefault:spf_pmd_changed 

In ebizzy's case most of the page fault were handled in a speculative way,
leading the ebizzy performance boost.

Changes since v10 (
 - Accounted for all review feedbacks from Punit Agrawal, Ganesh Mahendran
   and Minchan Kim, hopefully.
 - Remove unneeded check on CONFIG_SPECULATIVE_PAGE_FAULT in
 - Loop in pte_spinlock() and pte_map_lock() when pte try lock fails
   of aborting the speculative page fault handling. Dropping the now
   trace event pagefault:spf_pte_lock.
 - No more try to reuse the fetched VMA during the speculative page fault
   handling when retrying is needed. This adds a lot of complexity and
   additional tests done didn't show a significant performance improvement.
 - Convert IS_ENABLED(CONFIG_NUMA) back to #ifdef due to build error.


Laurent Dufour (20):
  mm: introduce pte_spinlock for FAULT_FLAG_SPECULATIVE
  mm: make pte_unmap_same compatible with SPF
  mm: introduce INIT_VMA()
  mm: protect VMA modifications using VMA sequence count
  mm: protect mremap() against SPF hanlder
  mm: protect SPF handler against anon_vma changes
  mm: cache some VMA fields in the vm_fault structure
  mm/migrate: Pass vm_fault pointer to migrate_misplaced_page()
  mm: introduce __lru_cache_add_active_or_unevictable
  mm: introduce __vm_normal_page()
  mm: introduce __page_add_new_anon_rmap()
  mm: protect mm_rb tree with a rwlock
  mm: adding speculative page fault failure trace events
  perf: add a speculative page fault sw event
  perf tools: add support for the SPF perf event
  mm: add speculative page fault vmstats
  powerpc/mm: add speculative page fault

Mahendran Ganesh (2):
  arm64/mm: add speculative page fault

Peter Zijlstra (4):
  mm: prepare for FAULT_FLAG_SPECULATIVE
  mm: VMA sequence count
  mm: provide speculative fault infrastructure
  x86/mm: add speculative pagefault handling

 arch/arm64/Kconfig                    |   1 +
 arch/arm64/mm/fault.c                 |  12 +
 arch/powerpc/Kconfig                  |   1 +
 arch/powerpc/mm/fault.c               |  16 +
 arch/x86/Kconfig                      |   1 +
 arch/x86/mm/fault.c                   |  27 +-
 fs/exec.c                             |   2 +-
 fs/proc/task_mmu.c                    |   5 +-
 fs/userfaultfd.c                      |  17 +-
 include/linux/hugetlb_inline.h        |   2 +-
 include/linux/migrate.h               |   4 +-
 include/linux/mm.h                    | 136 +++++++-
 include/linux/mm_types.h              |   7 +
 include/linux/pagemap.h               |   4 +-
 include/linux/rmap.h                  |  12 +-
 include/linux/swap.h                  |  10 +-
 include/linux/vm_event_item.h         |   3 +
 include/trace/events/pagefault.h      |  80 +++++
 include/uapi/linux/perf_event.h       |   1 +
 kernel/fork.c                         |   5 +-
 mm/Kconfig                            |  22 ++
 mm/huge_memory.c                      |   6 +-
 mm/hugetlb.c                          |   2 +
 mm/init-mm.c                          |   3 +
 mm/internal.h                         |  20 ++
 mm/khugepaged.c                       |   5 +
 mm/madvise.c                          |   6 +-
 mm/memory.c                           | 612 +++++++++++++++++++++++++++++-----
 mm/mempolicy.c                        |  51 ++-
 mm/migrate.c                          |   6 +-
 mm/mlock.c                            |  13 +-
 mm/mmap.c                             | 229 ++++++++++---
 mm/mprotect.c                         |   4 +-
 mm/mremap.c                           |  13 +
 mm/nommu.c                            |   2 +-
 mm/rmap.c                             |   5 +-
 mm/swap.c                             |   6 +-
 mm/swap_state.c                       |   8 +-
 mm/vmstat.c                           |   5 +-
 tools/include/uapi/linux/perf_event.h |   1 +
 tools/perf/util/evsel.c               |   1 +
 tools/perf/util/parse-events.c        |   4 +
 tools/perf/util/parse-events.l        |   1 +
 tools/perf/util/python.c              |   1 +
 44 files changed, 1161 insertions(+), 211 deletions(-)
 create mode 100644 include/trace/events/pagefault.h


Reply via email to