FreeBSD: zfs_putpages: don't undirty pages until after write completes (try #2)

[robn]

[Sponsors: Klara, Inc., Wasabi Technology, Inc.]

Motivation and Context

After #17445 was pulled into FreeBSD @markjdb discovered a fairly serious performance regression due to my misunderstanding a difference between how Linux and FreeBSD lock out pages during writebacks.

Mark reverted that change in FreeBSD (freebsd/freebsd-src@738a9a7), and I took another swing at it. Here's what I've got.

Description

First commit reverts the original (238eab7), using the commit message, author and timestamp from freebsd/freebsd-src@738a9a7. That's mostly there to not complicate importing OpenZFS into FreeBSD in the future, but it's useful history too

The second commit is the do-over.

On FreeBSD, writeback is done with the page in an "sbusy" state, which (aiui) is a full and total lockout - it cannot be used or modified while in that state. So in the async case, keeping the page busy until the itx callback fires could have the page locked out until after the txg sync happens, maybe even whole seconds in the future. Linux, by constrast, does writeback under a much "softer" lock, that keeps the page from being evicted while it's being written out, but doesn't make it unusable.

So this commit splits the difference between the old and the new: for sync, we log the pages with a callback and call zil_commit(). For async, we do what we did before - undirty and return OK, and let the kernel unbusy them. The data is still copied to the DMU and to the ZIL, so it will still be written out just fine, and the page is now separately clean and evictable.

How Has This Been Tested?

The mmap test tag passes on FreeBSD 14.3. With #17398 rebased on top, so does the failmode tag.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Quality assurance (non-breaking change which makes the code more robust against bugs)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[amotin]

Looks good to me. I just wonder: on Linux we have to always use sync semantics, because otherwise we may not receive anything on msync() call after all the pages written asynchronously, that would result in not providing promised guaranties. I wonder if this is different on FreeBSD, or with this change we are only doing best we can do (better than before) at reasonable cost?

[markjdb]

Looks good to me. I just wonder: on Linux we have to always use sync semantics, because otherwise we may not receive anything on msync() call after all the pages written asynchronously, that would result in not providing promised guaranties. I wonder if this is different on FreeBSD, or with this change we are only doing best we can do (better than before) at reasonable cost?

Sorry, I'm not very familiar with this area of ZFS, so I have some dumb questions:

• Why do you say Linux always uses sync semantics? It looks like the zil_commit() call is conditional, but maybe commit is always true in practice? Or do you mean something else?
• We are calling zil_commit() for synchronous writes. That seems to be how VOP_FSYNC is implemented as well. Why isn't that sufficient for msync(MS_SYNC)?

On FreeBSD, writeback is done with the page in an "sbusy" state, which (aiui) is a full and total lockout - it cannot be used or modified while in that state.

It's basically a read-only state: the page is being written to storage asynchronously, and must not be modified in that state. In particular, there are no writable mappings of the page while it's in this state, so a write from userspace will trigger a page fault, which will block until the writeback is complete.

On Linux, I see there is some per-mapping STABLE_WRITES flag which I think provides the same effect, but it's not the default. It seems to only be used if there's some data checksumming in play which requires written-back data to be consistent with checksums computed before the writeback begins.

Offhand, I'm not sure exactly why FreeBSD requires writes to be stable always.

[amotin]

@markjdb:

Why do you say Linux always uses sync semantics? It looks like the zil_commit() call is conditional, but maybe commit is always true in practice? Or do you mean something else?

Ah. I've mixed it with different context. There are several cases when we have to force kernel/mmap caches to be flushed, see zn_flush_cached_data() uses. And in that case we have to always request it to be sync, even if we don't care there, since if we do it async, then on later msync(MS_SYNC) from application kernel won't call us at all. In the context of Linux putpage though the zil_commit() use is correct. But the other question is: since we immediately copy the pages into DMU (at least until we support O_DIRECT in this context), why should we hold the pages at all for async writes, not allowing kernel to recycle them? IIRC it was also related to later syncs.

We are calling zil_commit() for synchronous writes. That seems to be how VOP_FSYNC is implemented as well. Why isn't that sufficient for msync(MS_SYNC)?

Will we be called in any way to trigger zil_commit() once we release all the pages? IIRC on Linux we won't.

On FreeBSD, writeback is done with the page in an "sbusy" state, which (aiui) is a full and total lockout - it cannot be used or modified while in that state.

It's basically a read-only state: the page is being written to storage asynchronously, and must not be modified in that state. In particular, there are no writable mappings of the page while it's in this state, so a write from userspace will trigger a page fault, which will block until the writeback is complete.

On Linux, I see there is some per-mapping STABLE_WRITES flag which I think provides the same effect, but it's not the default. It seems to only be used if there's some data checksumming in play which requires written-back data to be consistent with checksums computed before the writeback begins.

Offhand, I'm not sure exactly why FreeBSD requires writes to be stable always.

Having pages stable would be great for O_DIRECT. But for it to be possible, kernel should give us pages in granularity of recordsize, which I suspect might not be true, and should be ready to wait for synchronous writes without performance penalty. I have doubts it is realistic enough to bother implementing it.

[markjdb]

@markjdb:

Why do you say Linux always uses sync semantics? It looks like the zil_commit() call is conditional, but maybe commit is always true in practice? Or do you mean something else?

Ah. I've mixed it with different context. There are several cases when we have to force kernel/mmap caches to be flushed, see zn_flush_cached_data() uses. And in that case we have to always request it to be sync, even if we don't care there, since if we do it async, then on later msync(MS_SYNC) from application kernel won't call us at all. In the context of Linux putpage though the zil_commit() use is correct. But the other question is: since we immediately copy the pages into DMU (at least until we support O_DIRECT in this context), why should we hold the pages at all for async writes, not allowing kernel to recycle them? IIRC it was also related to later syncs.

Well, the problem with the original commit is that we were holding the pages for too long for async writes. Specifically, we were holding them until the corresponding TXG flush (I think), so pages could stay sbusy for several seconds(!).

We are calling zil_commit() for synchronous writes. That seems to be how VOP_FSYNC is implemented as well. Why isn't that sufficient for msync(MS_SYNC)?

Will we be called in any way to trigger zil_commit() once we release all the pages? IIRC on Linux we won't.

In the async case, no, I don't think so.