I think that caching allocated KVA is fine, but I suspect that also caching the swap pages behind the KVA is not needed. Perhaps you can free the backing object or only the pages from its queue. Or might be, issue vm_object_madvise(MADV_FREE) on the object ?

In D8921#184646, @kib wrote:

I think that caching allocated KVA is fine, but I suspect that also caching the swap pages behind the KVA is not needed. Perhaps you can free the backing object or only the pages from its queue. Or might be, issue vm_object_madvise(MADV_FREE) on the object ?

I like the idea of using madvise(MADV_FREE) here, but don't see how to do so without reintroducing a bottleneck, as there's no direct way to get the object for a given buffer without acquiring the map lock. In particular, vm_map_madvise(MADV_FREE) must acquire the map read lock to look up the entry. I believe each KVA range allocated from the exec_map will have a unique swap object allocated for it, so contention on the object lock in vm_object_madvise() is not a concern. The object point could perhaps be cached with each KVA range, using vm_map_lookup_entry(), but this is a hack. Do you have any suggestions here?

In D8921#184747, @markj wrote:

In D8921#184646, @kib wrote:

I think that caching allocated KVA is fine, but I suspect that also caching the swap pages behind the KVA is not needed. Perhaps you can free the backing object or only the pages from its queue. Or might be, issue vm_object_madvise(MADV_FREE) on the object ?

I like the idea of using madvise(MADV_FREE) here, but don't see how to do so without reintroducing a bottleneck, as there's no direct way to get the object for a given buffer without acquiring the map lock. In particular, vm_map_madvise(MADV_FREE) must acquire the map read lock to look up the entry. I believe each KVA range allocated from the exec_map will have a unique swap object allocated for it, so contention on the object lock in vm_object_madvise() is not a concern. The object point could perhaps be cached with each KVA range, using vm_map_lookup_entry(), but this is a hack. Do you have any suggestions here?

I will try to reply to both main comment and inline comments in one text, hopefully this is digestable.

First, execve(2) call in kernel has many (too much) sleep points. There is a lot of places where vm_map lock for the old/new vmspace is taken, both explicit in the kern_exec.c and imgact_elf.c code and implicit on page faults, binary and elf interpreter vnode locks. sleeps for the buffer locks and sf sleeps on 32bit arches. As indirect proof of my statement, please see r282708, which was very easy to trigger.

In other words, I think you only see the <= ncpu parallel execs because you most likely used make -j ncpu. Would the number of jobs increased, you would get more execs than cpus, and many of that threads appear sleeping inside the exec code, not at the outer boundary of strings copyin or copyout KVA allocations. More, I think that with the freshly allocated strings memory, which was not taked in the warmed state from the per-cpu cache, you would get page faults on the object and page allocations for exec map, re-introducing the exec map lock contention.

The above is simultaneously explanation for my request to not limit the exec map size to 2*ncpu areas, and to not consider e.g. map read lock taken to find the entry and backing object for the entry, as re-introducing much contention. It could be, but only for make -j ncpu. I agree that it must be not less than 2*ncpu, but IMO it should be larger.

WRT caching the backing object together with the KVA, this might be a good solution. You could also store the object somewhere in struct image_params or image_args, filling the value nearby other strings KVA accesses which are likely to fault. Then exec_free_args() could avoid taking the map lock.

In D8921#184798, @kib wrote:

I will try to reply to both main comment and inline comments in one text, hopefully this is digestable.

First, execve(2) call in kernel has many (too much) sleep points. There is a lot of places where vm_map lock for the old/new vmspace is taken, both explicit in the kern_exec.c and imgact_elf.c code and implicit on page faults, binary and elf interpreter vnode locks. sleeps for the buffer locks and sf sleeps on 32bit arches. As indirect proof of my statement, please see r282708, which was very easy to trigger.

In other words, I think you only see the <= ncpu parallel execs because you most likely used make -j ncpu. Would the number of jobs increased, you would get more execs than cpus, and many of that threads appear sleeping inside the exec code, not at the outer boundary of strings copyin or copyout KVA allocations. More, I think that with the freshly allocated strings memory, which was not taked in the warmed state from the per-cpu cache, you would get page faults on the object and page allocations for exec map, re-introducing the exec map lock contention.

Note that the testing I reported included, e.g., a -j 128 buildkernel on a 16-core system. In that somewhat extreme case, the per-CPU cache still had a decent hit rate (close to 90%). However, that was with favourable conditions.

The above is simultaneously explanation for my request to not limit the exec map size to 2*ncpu areas, and to not consider e.g. map read lock taken to find the entry and backing object for the entry, as re-introducing much contention. It could be, but only for make -j ncpu. I agree that it must be not less than 2*ncpu, but IMO it should be larger.

Ok. I did some buildkernel testing with sleep points in kern_execve() instrumented and found that it's indeed quite common to end up sleeping on vnode locks (usually in the name cache or the image activator). It varies quite a lot depending on the setup - with NFS root, we sleep at some point in every execve, while with a local SSD, approximately 10% of execve calls sleep somewhere. So 2*ncpu now seems low to me as well.

make -j ncpu is the main target of this optimization, so I rather dislike the prospect of acquiring the map read lock in the fast path.

WRT caching the backing object together with the KVA, this might be a good solution. You could also store the object somewhere in struct image_params or image_args, filling the value nearby other strings KVA accesses which are likely to fault. Then exec_free_args() could avoid taking the map lock.

I'll try to find a clean way to do this. Do you consider this aspect (applying MADV_FREE) to be a prerequisite for this change?

In D8921#185180, @markj wrote:

In D8921#184798, @kib wrote:

WRT caching the backing object together with the KVA, this might be a good solution. You could also store the object somewhere in struct image_params or image_args, filling the value nearby other strings KVA accesses which are likely to fault. Then exec_free_args() could avoid taking the map lock.

I'll try to find a clean way to do this. Do you consider this aspect (applying MADV_FREE) to be a prerequisite for this change?

How about this: instead of adding extra complexity and shuffling to the fast path, add a lowmem handler that iterates over the cache entries and calls vm_map_madvise(MADV_FREE) on each one. Then they will be quickly reclaimed by the page daemon immediately after.

In D8921#185191, @markj wrote:

In D8921#185180, @markj wrote:

In D8921#184798, @kib wrote:

WRT caching the backing object together with the KVA, this might be a good solution. You could also store the object somewhere in struct image_params or image_args, filling the value nearby other strings KVA accesses which are likely to fault. Then exec_free_args() could avoid taking the map lock.

I'll try to find a clean way to do this. Do you consider this aspect (applying MADV_FREE) to be a prerequisite for this change?

How about this: instead of adding extra complexity and shuffling to the fast path, add a lowmem handler that iterates over the cache entries and calls vm_map_madvise(MADV_FREE) on each one. Then they will be quickly reclaimed by the page daemon immediately after.

Consider usual modern desktop with 8 hw threads. There, with the args size of ~200Kb, you get 1.5M of garbage cached. For larger server class machine with e.g. 32 threads, the lost memory is 6M. I tried to agree with this, but I do not like it.

Lets take a step out and look at the exec_map. It is relatively small, allocations from it are only done in the fixed size, and for single purpose. I believe that a viable strategy there to get rid of the vm_map lock contention, while also avoiding sinking in useless garbage, is to preallocate all args buffers KVA and their backing objects in advance. Since these structures are never freed, and the cache elements are never freed as well, it is very easy to implement lock-less list of the free elements, with fall back to the sleep wait in case of the cache depletion. Since vm_map_entries are stable, you can directly dereference map->object.vm_object for madvise.

Note that we do need exec_map to be real vm_map, so that vm_fault() worked.