This should be asserted.

You dropped the assertion that OBJ_ANON is set on object.

The check for OBJ_ANON on backing_object is delegated to vm_object_collapse() now, am I right ?

Can do

Yes, I can add more asserts if necessary. We know backing_object was ANON when we entered the function. It could've changed to something that was not anon if we raced with another collapse. In that case object_collapse() will return immediately and checking here is redundant.

This assert is more to help the reader of the function, to understand the assumptions for its environment.

The read of source->flags is unlocked and racy. In principle, we might miss OBJ_DEAD and only note it later when we lock source.

After this loop orig_object == entry->object.vm_object because the only caller has the vm_map locked. This is not obvious to the reader of the function.

This comment seems to be no longer valid: new code does not skip, it always wait for busy and then restarts.

Again, I think we might miss the OBJ_DEAD flag setting there.

IMO it would be cleaner to set OBJ_DEAD on backing_object there instead of in collapse_scan() now.

Please explain why this checks can be removed. In particular, what prevents a parallel collapse of the object as backing_object to start later.

See the comment in anon_deallocate(). It is safe to check DEAD with the parent locked because collapse can only start with both locks held. I was thinking about moving this into its own function like: source = vm_object_backing_wait(orig_object);

Only the first caller to set DEAD does the collapse. This serializes collapse operations. xbusy is sufficient to serialize page use. So we only need to worry about swap contents being serialized. This is why I changed getpages() and force split to wait for collapse to complete.

The one bug in this patch is that we need to grab a ref on the parent object when we come via vm_object_anon_deallocate() or I have to handle collapse and terminate happening concurrently which is messier.

I don't really like this but I can't blindly acquire_if_not_zero because we could reference an object that is part way through collapse() unless I convert the tail of collapse to use vm_object_deallocate() instead of vm_object_teriminate() which starts to get a bit funky.

This could be a WAITERS flag and ad-hoc synchronization if we don't like overloading pip.

The important thing for me is to be able to pip anonymous objects without a lock which prevents its use in synchronization collapse.

This has not been possible for a while.

Quibbling, but it's easier to see that this is a helper for vm_object_deallocate() if it's called vm_object_deallocate_anon() instead.

Can't this assertion be in vm_object_backing_insert_locked()?

This comment is kind of confusing, there is no backing_object.

Could you add a (void) cast while here?

ok if I also rename vm_object_vndeallocate() to vm_object_deallocate_vnode().

Yes that's a good idea

It is called 'source' in this function. I could rename it for clarity.

I missed that inconsistency. It's up to you of course, but I prefer vm_object_deallocate_vnode().

For minimal churn I'd write, "The additional reference on orig_object's backing object by new_object will prevent further collapses until the split completes." I'm fine with renaming too.

It is only referenced a few times. I'm going to rename it for clarity. Only really reading the implementation of shadow objects in detail a few months ago I often found the name inconsistencies confusing at first glance. So I think it's worth a little churn for consistency given the amount of other related churn that has gone on.

Why isn't this a problem for the vnode pager as well?

Extra newline.

Did that not work for some reason?

Just forgot to do it. I will adjust in my next patch.

This lock could go away if we changed the way we teardown vnode objects during forced unmount. This is somewhat significant source of contention in addition to creating a lot of additional complexity here and elsewhere.