Ugh. I claim that the variable "minslptime" is pointless and always has been, ever since its introduction in r83366. Essentially, when the FOREACH_THREAD loop completes, we can assert than the sleep time for every thread is above whichever threshold is being applied. We don't need to maintain and check a min sleep time for the collection of threads.

Index: vm/vm_swapout.c
===================================================================
--- vm/vm_swapout.c     (revision 327361)
+++ vm/vm_swapout.c     (working copy)
@@ -729,10 +729,9 @@ swapout_procs(int action)
 {
        struct proc *p;
        struct thread *td;
-       int minslptime, slptime;
+       int slptime;
        bool didswap;
 
-       minslptime = 100000;
        didswap = false;
 retry:
        sx_slock(&allproc_lock);
@@ -831,8 +830,6 @@ retry:
                                        goto nextproc;
                                }
 
-                               if (minslptime > slptime)
-                                       minslptime = slptime;
                                thread_unlock(td);
                        }
 
@@ -841,15 +838,11 @@ retry:
                         * or if this process is idle and the system is
                         * configured to swap proactively, swap it out.
                         */
-                       if ((action & VM_SWAP_NORMAL) != 0 ||
-                           ((action & VM_SWAP_IDLE) != 0 &&
-                           minslptime > swap_idle_threshold2)) {
-                               _PRELE(p);
-                               if (swapout(p) == 0)
-                                       didswap = true;
-                               PROC_UNLOCK(p);
-                               goto retry;
-                       }
+                       _PRELE(p);
+                       if (swapout(p) == 0)
+                               didswap = true;
+                       PROC_UNLOCK(p);
+                       goto retry;
                }
 nextproc:
                PROC_UNLOCK(p);

minslptime was originally reinitialized for each process, before the FOREACH_THREAD loop, and, in r327354, we moved its initialization outside the FOREACH_PROC loop. This change in initialization had no material effect on the operation of this code.

In D13693#286896, @alc wrote:

Ugh. I claim that the variable "minslptime" is pointless and always has been, ever since its introduction in r83366.

I agree. I incorporated the variable removal into my patch, but I suppose that you are going to commit your change first ?

I've been looking at the history of changes to this code. Once upon a time, allproc_lock was held until either a process was swapped out, in which case, we did a "goto retry;" after releasing allproc_lock, or we completed the FOREACH_PROC loop. Then, a year and a half ago, we introduced the PHOLD and early allproc_lock release to address a lock ordering issue with vnodes. Elsewhere in this file, that change makes sense. Here, I don't see the need, especially now that we are no longer acquiring the map lock. Or, am I missing something?

P.S. Happy new year!

In D13693#287095, @alc wrote:

I've been looking at the history of changes to this code. Once upon a time, allproc_lock was held until either a process was swapped out, in which case, we did a "goto retry;" after releasing allproc_lock, or we completed the FOREACH_PROC loop. Then, a year and a half ago, we introduced the PHOLD and early allproc_lock release to address a lock ordering issue with vnodes. Elsewhere in this file, that change makes sense. Here, I don't see the need, especially now that we are no longer acquiring the map lock. Or, am I missing something?

Are you proposing to keep allproc_lock over the whole duration of FOREACH_PROC() loop ?

If yes, I think I do not agree with this completely. I mean that we will usurp the global lock for a long time, making e.g. a parallel fork() impossible, esp. if we really swap out stack for some process. I agree with the note that there is no sense in dropping the lock if we are not going to swapout() the process unconditionally for each iteration.

Or, maybe we should check for should_yield() and hold the process, drop locks and yield ? This would be more fair globally.

P.S. Happy new year!

Happy New Year to you !

In D13693#287118, @kib wrote:

In D13693#287095, @alc wrote:

I've been looking at the history of changes to this code. Once upon a time, allproc_lock was held until either a process was swapped out, in which case, we did a "goto retry;" after releasing allproc_lock, or we completed the FOREACH_PROC loop. Then, a year and a half ago, we introduced the PHOLD and early allproc_lock release to address a lock ordering issue with vnodes. Elsewhere in this file, that change makes sense. Here, I don't see the need, especially now that we are no longer acquiring the map lock. Or, am I missing something?

Are you proposing to keep allproc_lock over the whole duration of FOREACH_PROC() loop ?

To be clear, I am saying that the original reason for releasing the lock doesn't apply to this code anymore. If we are going to release it, we should be able to articulate a new reason for doing so.

In D13693#287127, @alc wrote:

To be clear, I am saying that the original reason for releasing the lock doesn't apply to this code anymore. If we are going to release it, we should be able to articulate a new reason for doing so.

As I said above, not holding the lock for whole scan time makes it possible for other numerous consumers of the lock to make the progress. We are reducing the contention on allproc_lock by dropping it, either on each iteration or on should_yeild().

In D13693#287195, @markj wrote:

In D13693#287136, @kib wrote:

In D13693#287127, @alc wrote:

To be clear, I am saying that the original reason for releasing the lock doesn't apply to this code anymore. If we are going to release it, we should be able to articulate a new reason for doing so.

As I said above, not holding the lock for whole scan time makes it possible for other numerous consumers of the lock to make the progress. We are reducing the contention on allproc_lock by dropping it, either on each iteration or on should_yeild().

Releasing it on each iteration seems a bit excessive, especially since users can trigger such scans anyway by calling sysctl_kern_proc(), and vm_daemon() performs another allproc scan after calling swapout_procs(). It does seem desirable to release the lock around swapout() calls though.

Initially I also thought that it is bad to hold allproc during swapout(), but really we only unmap the kstacks and unwire the stack pages. So I tend to think that the only viable option is should_yield() or left it as is in the patch.

Happy new year!

Happy New Year !

I observe that we test for the P_SYSTEM flag without the benefit of the process lock in vmtotal(). Is that correct?

Also, why do we have both P_KPROC and P_SYSTEM? With one exception, create_init() in init_main.c, they are set simultaneously.

In D13693#287216, @kib wrote:

In D13693#287195, @markj wrote:

In D13693#287136, @kib wrote:

In D13693#287127, @alc wrote:

To be clear, I am saying that the original reason for releasing the lock doesn't apply to this code anymore. If we are going to release it, we should be able to articulate a new reason for doing so.

As I said above, not holding the lock for whole scan time makes it possible for other numerous consumers of the lock to make the progress. We are reducing the contention on allproc_lock by dropping it, either on each iteration or on should_yeild().

Releasing it on each iteration seems a bit excessive, especially since users can trigger such scans anyway by calling sysctl_kern_proc(), and vm_daemon() performs another allproc scan after calling swapout_procs(). It does seem desirable to release the lock around swapout() calls though.

Initially I also thought that it is bad to hold allproc during swapout(), but really we only unmap the kstacks and unwire the stack pages.

Exactly. I see nothing that makes this loop body of FOREACH_PROC particularly more expensive than some of the others. In essence, I'm looking for a reason why we should be concerned about lock contention here, but not in the other cases.

... So I tend to think that the only viable option is should_yield() or left it as is in the patch.

In D13693#287217, @alc wrote:

I observe that we test for the P_SYSTEM flag without the benefit of the process lock in vmtotal(). Is that correct?

I think it does not matter much because we currently only set P_SYSTEM on creation and vmmeter() rechecks p_state. If we see PRS_NORMAL there, then we woud perhaps see P_SYSTEM. But even if we don't it would only skew the statistics slightly.

Also, why do we have both P_KPROC and P_SYSTEM? With one exception, create_init() in init_main.c, they are set simultaneously.

I always thought that the intent was for P_KPROC to mark real kernel processes, that do not have userspace. In particular, such processes do not react to signals because they never return to absent userspace and do not go through ast(). P_SYSTEM marks processes that should receive more delicate treating. This is vague, but good enough to see that we should test for P_SYSTEM for swapout or OOM selection and init marked as P_SYSTEM but not P_KPROC.

It could be that some time ago there were more nuances, which now reduced to only init not being kproc but still having P_SYSTEM.

In D13693#287219, @alc wrote:

Exactly. I see nothing that makes this loop body of FOREACH_PROC particularly more expensive than some of the others. In essence, I'm looking for a reason why we should be concerned about lock contention here, but not in the other cases.

I think with bigger and bigger systems and gradually bigger average workloads, were current hundreds of processes become thousands, we want to avoid holding the global lock for the whole FOREACH_PROC (esp. nesting FOREACH_THREAD_IN_PROC() three times). We should not regress the code which already does not hold the lock for whole loop.

In D13693#287221, @kib wrote:

In D13693#287219, @alc wrote:

Exactly. I see nothing that makes this loop body of FOREACH_PROC particularly more expensive than some of the others. In essence, I'm looking for a reason why we should be concerned about lock contention here, but not in the other cases.

I think with bigger and bigger systems and gradually bigger average workloads, were current hundreds of processes become thousands, we want to avoid holding the global lock for the whole FOREACH_PROC (esp. nesting FOREACH_THREAD_IN_PROC() three times). We should not regress the code which already does not hold the lock for whole loop.

I'm a bit skeptical that this would represent a true regression, seeing as how swapout_procs() will only be called at most once per second by default, and then only under extreme conditions where lock contention isn't a large concern. OTOH, the single-threaded performance of swapout_procs() is not very important, so I think it would be sufficient to add /* Avoid blocking writers. */ or so to indicate that the unlock is not strictly necessary.

In D13693#287434, @markj wrote:

In D13693#287221, @kib wrote:

In D13693#287219, @alc wrote:

Exactly. I see nothing that makes this loop body of FOREACH_PROC particularly more expensive than some of the others. In essence, I'm looking for a reason why we should be concerned about lock contention here, but not in the other cases.

I think with bigger and bigger systems and gradually bigger average workloads, were current hundreds of processes become thousands, we want to avoid holding the global lock for the whole FOREACH_PROC (esp. nesting FOREACH_THREAD_IN_PROC() three times). We should not regress the code which already does not hold the lock for whole loop.

I'm a bit skeptical that this would represent a true regression, seeing as how swapout_procs() will only be called at most once per second by default, and then only under extreme conditions where lock contention isn't a large concern. OTOH, the single-threaded performance of swapout_procs() is not very important, so I think it would be sufficient to add /* Avoid blocking writers. */ or so to indicate that the unlock is not strictly necessary.

My reaction is based on the similar Peter Jeremy case, see r327468, where very large object scan caused livelock.

It is quite possible to run process with 100K threads, and if swapout_procs() is tricked into scanning that large process, system hangs for tens or even hundreds seconds.

In D13693#287434, @markj wrote:

In D13693#287221, @kib wrote:

In D13693#287219, @alc wrote:

Exactly. I see nothing that makes this loop body of FOREACH_PROC particularly more expensive than some of the others. In essence, I'm looking for a reason why we should be concerned about lock contention here, but not in the other cases.

I think with bigger and bigger systems and gradually bigger average workloads, were current hundreds of processes become thousands, we want to avoid holding the global lock for the whole FOREACH_PROC (esp. nesting FOREACH_THREAD_IN_PROC() three times). We should not regress the code which already does not hold the lock for whole loop.

I'm a bit skeptical that this would represent a true regression, seeing as how swapout_procs() will only be called at most once per second by default, and then only under extreme conditions where lock contention isn't a large concern. OTOH, the single-threaded performance of swapout_procs() is not very important, so I think it would be sufficient to add /* Avoid blocking writers. */ or so to indicate that the unlock is not strictly necessary.

I'll write a comment and post it here a little later.

Peter, could you, please, test this diff ? Ideally, it should demonstrate exactly the same behavior as stock HEAD. In other words, it does not fix any of OOM scenarios

Please take a look at the comment at the head of this function. Every sentence after the first describes behavior different from what the function actually implements.

In D13693#287574, @alc wrote:

Please take a look at the comment at the head of this function. Every sentence after the first describes behavior different from what the function actually implements.

Do you mean that the comment should be fixed, or that we should make the code match the comment ?

In D13693#287571, @kib wrote:

Peter, could you, please, test this diff ? Ideally, it should demonstrate exactly the same behavior as stock HEAD. In other words, it does not fix any of OOM scenarios

I ran all of the stress2 tests and a buildworld/installworld on amd64. No problems seen.

In D13693#288058, @pho wrote:

In D13693#287571, @kib wrote:

Peter, could you, please, test this diff ? Ideally, it should demonstrate exactly the same behavior as stock HEAD. In other words, it does not fix any of OOM scenarios

I ran all of the stress2 tests and a buildworld/installworld on amd64. No problems seen.

Thank you, Peter.

Alan. Mark. Should I go with the commit of the current patch ? There are two supposed comments changing which can be done later.

In D13693#288066, @kib wrote:

Alan. Mark. Should I go with the commit of the current patch ? There are two supposed comments changing which can be done later.

It's fine by me.

In D13693#288066, @kib wrote:

In D13693#288058, @pho wrote:

In D13693#287571, @kib wrote:

Peter, could you, please, test this diff ? Ideally, it should demonstrate exactly the same behavior as stock HEAD. In other words, it does not fix any of OOM scenarios

I ran all of the stress2 tests and a buildworld/installworld on amd64. No problems seen.

Thank you, Peter.

Alan. Mark. Should I go with the commit of the current patch ? There are two supposed comments changing which can be done later.

Yes.

In D13693#287667, @kib wrote:

In D13693#287574, @alc wrote:

Please take a look at the comment at the head of this function. Every sentence after the first describes behavior different from what the function actually implements.

Do you mean that the comment should be fixed, or that we should make the code match the comment ?

I do know that this function has changed dramatically since FreeBSD 4.x. At that point, the comment at the head of the function may have been accurate. I will investigate further and propose something.

Also, once we are no longer dropping the process lock in the midst of this function, I would propose that we add P_INEXEC to the exclusion test at the beginning of the loop body. Any process with that flag set should later fail the swap_idle_threshold1 test anyway, and this would address any hypothetical concerns about the p->p_vmspace access in swapout().