| blob | b9e7f224d517ee9a2f25f5bf58c39e05ee60a2c7 |
1 /*-------------------------------------------------------------------------
2 *
3 * dsa.c
4 * Dynamic shared memory areas.
5 *
6 * This module provides dynamic shared memory areas which are built on top of
7 * DSM segments. While dsm.c allows segments of memory of shared memory to be
8 * created and shared between backends, it isn't designed to deal with small
9 * objects. A DSA area is a shared memory heap usually backed by one or more
10 * DSM segments which can allocate memory using dsa_allocate() and dsa_free().
11 * Alternatively, it can be created in pre-existing shared memory, including a
12 * DSM segment, and then create extra DSM segments as required. Unlike the
13 * regular system heap, it deals in pseudo-pointers which must be converted to
14 * backend-local pointers before they are dereferenced. These pseudo-pointers
15 * can however be shared with other backends, and can be used to construct
16 * shared data structures.
17 *
18 * Each DSA area manages a set of DSM segments, adding new segments as
19 * required and detaching them when they are no longer needed. Each segment
20 * contains a number of 4KB pages, a free page manager for tracking
21 * consecutive runs of free pages, and a page map for tracking the source of
22 * objects allocated on each page. Allocation requests above 8KB are handled
23 * by choosing a segment and finding consecutive free pages in its free page
24 * manager. Allocation requests for smaller sizes are handled using pools of
25 * objects of a selection of sizes. Each pool consists of a number of 16 page
26 * (64KB) superblocks allocated in the same way as large objects. Allocation
27 * of large objects and new superblocks is serialized by a single LWLock, but
28 * allocation of small objects from pre-existing superblocks uses one LWLock
29 * per pool. Currently there is one pool, and therefore one lock, per size
30 * class. Per-core pools to increase concurrency and strategies for reducing
31 * the resulting fragmentation are areas for future research. Each superblock
32 * is managed with a 'span', which tracks the superblock's freelist. Free
33 * requests are handled by looking in the page map to find which span an
34 * address was allocated from, so that small objects can be returned to the
35 * appropriate free list, and large object pages can be returned directly to
36 * the free page map. When allocating, simple heuristics for selecting
37 * segments and superblocks try to encourage occupied memory to be
38 * concentrated, increasing the likelihood that whole superblocks can become
39 * empty and be returned to the free page manager, and whole segments can
40 * become empty and be returned to the operating system.
41 *
42 * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
43 * Portions Copyright (c) 1994, Regents of the University of California
44 *
45 * IDENTIFICATION
46 * src/backend/utils/mmgr/dsa.c
47 *
48 *-------------------------------------------------------------------------
49 */
64 /*
65 * The size of the initial DSM segment that backs a dsa_area created by
66 * dsa_create. After creating some number of segments of this size we'll
67 * double this size, and so on. Larger segments may be created if necessary
68 * to satisfy large requests.
69 */
70 #define DSA_INITIAL_SEGMENT_SIZE ((size_t) (1 * 1024 * 1024))
72 /*
73 * How many segments to create before we double the segment size. If this is
74 * low, then there is likely to be a lot of wasted space in the largest
75 * segment. If it is high, then we risk running out of segment slots (see
76 * dsm.c's limits on total number of segments), or limiting the total size
77 * an area can manage when using small pointers.
78 */
79 #define DSA_NUM_SEGMENTS_AT_EACH_SIZE 2
81 /*
82 * The number of bits used to represent the offset part of a dsa_pointer.
83 * This controls the maximum size of a segment, the maximum possible
84 * allocation size and also the maximum number of segments per area.
85 */
86 #if SIZEOF_DSA_POINTER == 4
88 #else
90 #endif
92 /*
93 * The maximum number of DSM segments that an area can own, determined by
94 * the number of bits remaining (but capped at 1024).
95 */
96 #define DSA_MAX_SEGMENTS \
97 Min(1024, (1 << ((SIZEOF_DSA_POINTER * 8) - DSA_OFFSET_WIDTH)))
99 /* The bitmask for extracting the offset from a dsa_pointer. */
100 #define DSA_OFFSET_BITMASK (((dsa_pointer) 1 << DSA_OFFSET_WIDTH) - 1)
102 /* The maximum size of a DSM segment. */
103 #define DSA_MAX_SEGMENT_SIZE ((size_t) 1 << DSA_OFFSET_WIDTH)
105 /* Number of pages (see FPM_PAGE_SIZE) per regular superblock. */
106 #define DSA_PAGES_PER_SUPERBLOCK 16
108 /*
109 * A magic number used as a sanity check for following DSM segments belonging
110 * to a DSA area (this number will be XORed with the area handle and
111 * the segment index).
112 */
113 #define DSA_SEGMENT_HEADER_MAGIC 0x0ce26608
115 /* Build a dsa_pointer given a segment number and offset. */
116 #define DSA_MAKE_POINTER(segment_number, offset) \
117 (((dsa_pointer) (segment_number) << DSA_OFFSET_WIDTH) | (offset))
119 /* Extract the segment number from a dsa_pointer. */
120 #define DSA_EXTRACT_SEGMENT_NUMBER(dp) ((dp) >> DSA_OFFSET_WIDTH)
122 /* Extract the offset from a dsa_pointer. */
123 #define DSA_EXTRACT_OFFSET(dp) ((dp) & DSA_OFFSET_BITMASK)
125 /* The type used for index segment indexes (zero based). */
128 /* Sentinel value for dsa_segment_index indicating 'none' or 'end'. */
129 #define DSA_SEGMENT_INDEX_NONE (~(dsa_segment_index)0)
131 /*
132 * How many bins of segments do we have? The bins are used to categorize
133 * segments by their largest contiguous run of free pages.
134 */
135 #define DSA_NUM_SEGMENT_BINS 16
137 /*
138 * What is the lowest bin that holds segments that *might* have n contiguous
139 * free pages? There is no point in looking in segments in lower bins; they
140 * definitely can't service a request for n free pages.
141 */
144 {
149 else
153 }
155 /* Macros for access to locks. */
156 #define DSA_AREA_LOCK(area) (&area->control->lock)
157 #define DSA_SCLASS_LOCK(area, sclass) (&area->control->pools[sclass].lock)
159 /*
160 * The header for an individual segment. This lives at the start of each DSM
161 * segment owned by a DSA area including the first segment (where it appears
162 * as part of the dsa_area_control struct).
163 */
165 {
166 /* Sanity check magic value. */
167 uint32 magic;
168 /* Total number of pages in this segment (excluding metadata area). */
170 /* Total size of this segment in bytes. */
173 /*
174 * Index of the segment that precedes this one in the same segment bin, or
175 * DSA_SEGMENT_INDEX_NONE if this is the first one.
176 */
177 dsa_segment_index prev;
179 /*
180 * Index of the segment that follows this one in the same segment bin, or
181 * DSA_SEGMENT_INDEX_NONE if this is the last one.
182 */
183 dsa_segment_index next;
184 /* The index of the bin that contains this segment. */
187 /*
188 * A flag raised to indicate that this segment is being returned to the
189 * operating system and has been unpinned.
190 */
194 /*
195 * Metadata for one superblock.
196 *
197 * For most blocks, span objects are stored out-of-line; that is, the span
198 * object is not stored within the block itself. But, as an exception, for a
199 * "span of spans", the span object is stored "inline". The allocation is
200 * always exactly one page, and the dsa_area_span object is located at
201 * the beginning of that page. The size class is DSA_SCLASS_BLOCK_OF_SPANS,
202 * and the remaining fields are used just as they would be in an ordinary
203 * block. We can't allocate spans out of ordinary superblocks because
204 * creating an ordinary superblock requires us to be able to allocate a span
205 * *first*. Doing it this way avoids that circularity.
206 */
208 {
222 /*
223 * Given a pointer to an object in a span, access the index of the next free
224 * object in the same span (ie in the span's freelist) as an L-value.
225 */
226 #define NextFreeObjectIndex(object) (* (uint16 *) (object))
228 /*
229 * Small allocations are handled by dividing a single block of memory into
230 * many small objects of equal size. The possible allocation sizes are
231 * defined by the following array. Larger size classes are spaced more widely
232 * than smaller size classes. We fudge the spacing for size classes >1kB to
233 * avoid space wastage: based on the knowledge that we plan to allocate 64kB
234 * blocks, we bump the maximum object size up to the largest multiple of
235 * 8 bytes that still lets us fit the same number of objects into one block.
236 *
237 * NB: Because of this fudging, if we were ever to use differently-sized blocks
238 * for small allocations, these size classes would need to be reworked to be
239 * optimal for the new size.
240 *
241 * NB: The optimal spacing for size classes, as well as the size of the blocks
242 * out of which small objects are allocated, is not a question that has one
243 * right answer. Some allocators (such as tcmalloc) use more closely-spaced
244 * size classes than we do here, while others (like aset.c) use more
245 * widely-spaced classes. Spacing the classes more closely avoids wasting
246 * memory within individual chunks, but also means a larger number of
247 * potentially-unfilled blocks.
248 */
259 };
260 #define DSA_NUM_SIZE_CLASSES lengthof(dsa_size_classes)
262 /* Special size classes. */
263 #define DSA_SCLASS_BLOCK_OF_SPANS 0
264 #define DSA_SCLASS_SPAN_LARGE 1
266 /*
267 * The following lookup table is used to map the size of small objects
268 * (less than 1kB) onto the corresponding size class. To use this table,
269 * round the size of the object up to the next multiple of 8 bytes, and then
270 * index into this array.
271 */
281 };
282 #define DSA_SIZE_CLASS_MAP_QUANTUM 8
284 /*
285 * Superblocks are binned by how full they are. Generally, each fullness
286 * class corresponds to one quartile, but the block being used for
287 * allocations is always at the head of the list for fullness class 1,
288 * regardless of how full it really is.
289 */
290 #define DSA_FULLNESS_CLASSES 4
292 /*
293 * A dsa_area_pool represents a set of objects of a given size class.
294 *
295 * Perhaps there should be multiple pools for the same size class for
296 * contention avoidance, but for now there is just one!
297 */
299 {
300 /* A lock protecting access to this pool. */
301 LWLock lock;
302 /* A set of linked lists of spans, arranged by fullness. */
304 /* Should we pad this out to a cacheline boundary? */
307 /*
308 * The control block for an area. This lives in shared memory, at the start of
309 * the first DSM segment controlled by this area.
310 */
312 {
313 /* The segment header for the first segment. */
314 dsa_segment_header segment_header;
315 /* The handle for this area. */
316 dsa_handle handle;
317 /* The handles of the segments owned by this area. */
319 /* Lists of segments, binned by maximum contiguous run of free pages. */
321 /* The object pools for each size class. */
323 /* The total size of all active segments. */
325 /* The maximum total size of backing storage we are allowed. */
327 /* Highest used segment index in the history of this area. */
328 dsa_segment_index high_segment_index;
329 /* The reference count for this area. */
331 /* A flag indicating that this area has been pinned. */
333 /* The number of times that segments have been freed. */
335 /* The LWLock tranche ID. */
337 /* The general lock (protects everything except object pools). */
338 LWLock lock;
341 /* Given a pointer to a pool, find a dsa_pointer. */
342 #define DsaAreaPoolToDsaPointer(area, p) \
343 DSA_MAKE_POINTER(0, (char *) p - (char *) area->control)
345 /*
346 * A dsa_segment_map is stored within the backend-private memory of each
347 * individual backend. It holds the base address of the segment within that
348 * backend, plus the addresses of key objects within the segment. Those
349 * could instead be derived from the base address but it's handy to have them
350 * around.
351 */
353 {
361 /*
362 * Per-backend state for a storage area. Backends obtain one of these by
363 * creating an area or attaching to an existing one using a handle. Each
364 * process that needs to use an area uses its own object to track where the
365 * segments are mapped.
366 */
367 struct dsa_area
368 {
369 /* Pointer to the control object in shared memory. */
372 /*
373 * All the mappings are owned by this. The dsa_area itself is not
374 * directly tracked by the ResourceOwner, but the effect is the same. NULL
375 * if the attachment has session lifespan, i.e if dsa_pin_mapping() has
376 * been called.
377 */
378 ResourceOwner resowner;
380 /*
381 * This backend's array of segment maps, ordered by segment index
382 * corresponding to control->segment_handles. Some of the area's segments
383 * may not be mapped in this backend yet, and some slots may have been
384 * freed and need to be detached; these operations happen on demand.
385 */
388 /* The highest segment index this backend has ever mapped. */
389 dsa_segment_index high_segment_index;
391 /* The last observed freed_segment_counter. */
393 };
395 #define DSA_SPAN_NOTHING_FREE ((uint16) -1)
396 #define DSA_SUPERBLOCK_SIZE (DSA_PAGES_PER_SUPERBLOCK * FPM_PAGE_SIZE)
398 /* Given a pointer to a segment_map, obtain a segment index number. */
399 #define get_segment_index(area, segment_map_ptr) \
400 (segment_map_ptr - &area->segment_maps[0])
404 uint16 size_class);
411 dsa_segment_index index);
421 dsm_handle control_handle,
424 dsa_handle handle);
429 /*
430 * Create a new shared area in a new DSM segment. Further DSM segments will
431 * be allocated as required to extend the available space.
432 *
433 * We can't allocate a LWLock tranche_id within this function, because tranche
434 * IDs are a scarce resource; there are only 64k available, using low numbers
435 * when possible matters, and we have no provision for recycling them. So,
436 * we require the caller to provide one.
437 */
438 dsa_area *
440 {
444 /*
445 * Create the DSM segment that will hold the shared control object and the
446 * first segment of usable space.
447 */
450 /*
451 * All segments backing this area are pinned, so that DSA can explicitly
452 * control their lifetime (otherwise a newly created segment belonging to
453 * this area might be freed when the only backend that happens to have it
454 * mapped in ends, corrupting the area).
455 */
458 /* Create a new DSA area with the control object in this segment. */
460 DSA_INITIAL_SEGMENT_SIZE,
461 tranche_id,
464 /* Clean up when the control segment detaches. */
469 }
471 /*
472 * Create a new shared area in an existing shared memory space, which may be
473 * either DSM or Postmaster-initialized memory. DSM segments will be
474 * allocated as required to extend the available space, though that can be
475 * prevented with dsa_set_size_limit(area, size) using the same size provided
476 * to dsa_create_in_place.
477 *
478 * Areas created in-place must eventually be released by the backend that
479 * created them and all backends that attach to them. This can be done
480 * explicitly with dsa_release_in_place, or, in the special case that 'place'
481 * happens to be in a pre-existing DSM segment, by passing in a pointer to the
482 * segment so that a detach hook can be registered with the containing DSM
483 * segment.
484 *
485 * See dsa_create() for a note about the tranche arguments.
486 */
487 dsa_area *
490 {
496 /*
497 * Clean up when the control segment detaches, if a containing DSM segment
498 * was provided.
499 */
505 }
507 /*
508 * Obtain a handle that can be passed to other processes so that they can
509 * attach to the given area. Cannot be called for areas created with
510 * dsa_create_in_place.
511 */
512 dsa_handle
514 {
517 }
519 /*
520 * Attach to an area given a handle generated (possibly in another process) by
521 * dsa_get_handle. The area must have been created with dsa_create (not
522 * dsa_create_in_place).
523 */
524 dsa_area *
526 {
530 /*
531 * An area handle is really a DSM segment handle for the first segment, so
532 * we go ahead and attach to that.
533 */
542 /* Clean up when the control segment detaches. */
547 }
549 /*
550 * Attach to an area that was created with dsa_create_in_place. The caller
551 * must somehow know the location in memory that was used when the area was
552 * created, though it may be mapped at a different virtual address in this
553 * process.
554 *
555 * See dsa_create_in_place for note about releasing in-place areas, and the
556 * optional 'segment' argument which can be provided to allow automatic
557 * release if the containing memory happens to be a DSM segment.
558 */
559 dsa_area *
561 {
566 /*
567 * Clean up when the control segment detaches, if a containing DSM segment
568 * was provided.
569 */
575 }
577 /*
578 * Release a DSA area that was produced by dsa_create_in_place or
579 * dsa_attach_in_place. The 'segment' argument is ignored but provides an
580 * interface suitable for on_dsm_detach, for the convenience of users who want
581 * to create a DSA segment inside an existing DSM segment and have it
582 * automatically released when the containing DSM segment is detached.
583 * 'place' should be the address of the place where the area was created.
584 *
585 * This callback is automatically registered for the DSM segment containing
586 * the control object of in-place areas when a segment is provided to
587 * dsa_create_in_place or dsa_attach_in_place, and also for all areas created
588 * with dsa_create.
589 */
590 void
592 {
594 }
596 /*
597 * Release a DSA area that was produced by dsa_create_in_place or
598 * dsa_attach_in_place. The 'code' argument is ignored but provides an
599 * interface suitable for on_shmem_exit or before_shmem_exit, for the
600 * convenience of users who want to create a DSA segment inside shared memory
601 * other than a DSM segment and have it automatically release at backend exit.
602 * 'place' should be the address of the place where the area was created.
603 */
604 void
606 {
608 }
610 /*
611 * Release a DSA area that was produced by dsa_create_in_place or
612 * dsa_attach_in_place. It is preferable to use one of the 'dsa_on_XXX'
613 * callbacks so that this is managed automatically, because failure to release
614 * an area created in-place leaks its segments permanently.
615 *
616 * This is also called automatically for areas produced by dsa_create or
617 * dsa_attach as an implementation detail.
618 */
619 void
621 {
630 {
632 {
633 dsm_handle handle;
638 }
639 }
641 }
643 /*
644 * Keep a DSA area attached until end of session or explicit detach.
645 *
646 * By default, areas are owned by the current resource owner, which means they
647 * are detached automatically when that scope ends.
648 */
649 void
651 {
655 {
661 }
662 }
664 /*
665 * Allocate memory in this storage area. The return value is a dsa_pointer
666 * that can be passed to other processes, and converted to a local pointer
667 * with dsa_get_address. 'flags' is a bitmap which should be constructed
668 * from the following values:
669 *
670 * DSA_ALLOC_HUGE allows allocations >= 1GB. Otherwise, such allocations
671 * will result in an ERROR.
672 *
673 * DSA_ALLOC_NO_OOM causes this function to return InvalidDsaPointer when
674 * no memory is available or a size limit established by dsa_set_size_limit
675 * would be exceeded. Otherwise, such allocations will result in an ERROR.
676 *
677 * DSA_ALLOC_ZERO causes the allocated memory to be zeroed. Otherwise, the
678 * contents of newly-allocated memory are indeterminate.
679 *
680 * These flags correspond to similarly named flags used by
681 * MemoryContextAllocExtended(). See also the macros dsa_allocate and
682 * dsa_allocate0 which expand to a call to this function with commonly used
683 * flags.
684 */
685 dsa_pointer
687 {
688 uint16 size_class;
689 dsa_pointer start_pointer;
691 dsa_pointer result;
695 /* Sanity check on huge individual allocation size. */
700 /*
701 * If bigger than the largest size class, just grab a run of pages from
702 * the free page manager, instead of allocating an object from a pool.
703 * There will still be a span, but it's a special class of span that
704 * manages this whole allocation and simply gives all pages back to the
705 * free page manager when dsa_free is called.
706 */
708 {
711 dsa_pointer span_pointer;
714 /* Obtain a span object. */
717 {
718 /* Raise error unless asked not to. */
724 size)));
726 }
730 /* Find a segment from which to allocate. */
735 {
736 /* Can't make any more segments: game over. */
740 /* Raise error unless asked not to. */
746 size)));
748 }
750 /*
751 * Ask the free page manager for a run of pages. This should always
752 * succeed, since both get_best_segment and make_new_segment should
753 * only return a non-NULL pointer if it actually contains enough
754 * contiguous freespace. If it does fail, something in our backend
755 * private state is out of whack, so use FATAL to kill the process.
756 */
765 /* Initialize span and pagemap. */
767 LW_EXCLUSIVE);
769 DSA_SCLASS_SPAN_LARGE);
773 /* Zero-initialize the memory if requested. */
778 }
780 /* Map allocation to a size class. */
782 {
785 /* For smaller sizes we have a lookup table... */
789 }
790 else
791 {
792 uint16 min;
793 uint16 max;
795 /* ... and for the rest we search by binary chop. */
800 {
806 else
808 }
811 }
815 /* Attempt to allocate an object from the appropriate pool. */
818 /* Check for failure to allocate. */
820 {
821 /* Raise error unless asked not to. */
828 }
830 /* Zero-initialize the memory if requested. */
835 }
837 /*
838 * Free memory obtained with dsa_allocate.
839 */
840 void
842 {
845 dsa_pointer span_pointer;
852 /* Make sure we don't have a stale segment in the slot 'dp' refers to. */
855 /* Locate the object, span and pool. */
865 /*
866 * Special case for large objects that live in a special span: we return
867 * those pages directly to the free page manager and free the span.
868 */
870 {
872 #ifdef CLOBBER_FREED_MEMORY
874 #endif
876 /* Give pages back to free page manager. */
882 /* Move segment to appropriate bin if necessary. */
886 /* Unlink span. */
888 LW_EXCLUSIVE);
891 /* Free the span object so it can be reused. */
894 }
896 #ifdef CLOBBER_FREED_MEMORY
898 #endif
902 /* Put the object on the span's freelist. */
910 /*
911 * See if the span needs to moved to a different fullness class, or be
912 * freed so its pages can be given back to the segment.
913 */
915 {
916 /*
917 * The block was completely full and is located in the
918 * highest-numbered fullness class, which is never scanned for free
919 * chunks. We must move it to the next-lower fullness class.
920 */
925 /*
926 * If this is the only span, and there is no active span, then we
927 * should probably move this span to fullness class 1. (Otherwise if
928 * you allocate exactly all the objects in the only span, it moves to
929 * class 3, then you free them all, it moves to 2, and then is given
930 * back, leaving no active span).
931 */
932 }
935 {
936 /*
937 * This entire block is free, and it's not the active block for this
938 * size class. Return the memory to the free page manager. We don't
939 * do this for the active block to prevent hysteresis: if we
940 * repeatedly allocate and free the only chunk in the active block, it
941 * will be very inefficient if we deallocate and reallocate the block
942 * every time.
943 */
945 }
948 }
950 /*
951 * Obtain a backend-local address for a dsa_pointer. 'dp' must point to
952 * memory allocated by the given area (possibly in another process) that
953 * hasn't yet been freed. This may cause a segment to be mapped into the
954 * current process if required, and may cause freed segments to be unmapped.
955 */
958 {
959 dsa_segment_index index;
962 /* Convert InvalidDsaPointer to NULL. */
966 /* Process any requests to detach from freed segments. */
969 /* Break the dsa_pointer into its components. */
974 /* Check if we need to cause this segment to be mapped in. */
976 {
977 /* Call for effect (we don't need the result). */
979 }
982 }
984 /*
985 * Pin this area, so that it will continue to exist even if all backends
986 * detach from it. In that case, the area can still be reattached to if a
987 * handle has been recorded somewhere.
988 */
989 void
991 {
994 {
997 }
1001 }
1003 /*
1004 * Undo the effects of dsa_pin, so that the given area can be freed when no
1005 * backends are attached to it. May be called only if dsa_pin has been
1006 * called.
1007 */
1008 void
1010 {
1014 {
1017 }
1021 }
1023 /*
1024 * Set the total size limit for this area. This limit is checked whenever new
1025 * segments need to be allocated from the operating system. If the new size
1026 * limit is already exceeded, this has no immediate effect.
1027 *
1028 * Note that the total virtual memory usage may be temporarily larger than
1029 * this limit when segments have been freed, but not yet detached by all
1030 * backends that have attached to them.
1031 */
1032 void
1034 {
1038 }
1040 /*
1041 * Aggressively free all spare memory in the hope of returning DSM segments to
1042 * the operating system.
1043 */
1044 void
1046 {
1049 /*
1050 * Trim in reverse pool order so we get to the spans-of-spans last, just
1051 * in case any become entirely free while processing all the other pools.
1052 */
1054 {
1056 dsa_pointer span_pointer;
1059 {
1060 /* Large object frees give back segments aggressively already. */
1062 }
1064 /*
1065 * Search fullness class 1 only. That is where we expect to find an
1066 * entirely empty superblock (entirely empty superblocks in other
1067 * fullness classes are returned to the free page map by dsa_free).
1068 */
1072 {
1080 }
1082 }
1083 }
1085 /*
1086 * Print out debugging information about the internal state of the shared
1087 * memory area.
1088 */
1089 void
1091 {
1093 j;
1095 /*
1096 * Note: This gives an inconsistent snapshot as it acquires and releases
1097 * individual locks as it goes...
1098 */
1111 {
1113 {
1114 dsa_segment_index segment_index;
1119 else
1125 {
1128 segment_map =
1132 " segment index %zu, usable_pages = %zu, "
1134 segment_index,
1139 }
1140 }
1141 }
1146 {
1154 {
1159 else
1164 {
1167 else
1168 {
1173 {
1178 " span descriptor at "
1179 DSA_POINTER_FORMAT ", superblock at "
1180 DSA_POINTER_FORMAT
1185 }
1186 }
1187 }
1188 }
1190 }
1191 }
1193 /*
1194 * Return the smallest size that you can successfully provide to
1195 * dsa_create_in_place.
1196 */
1197 size_t
1199 {
1206 /* Figure out how many pages we need, including the page map... */
1208 {
1211 }
1214 }
1216 /*
1217 * Workhorse function for dsa_create and dsa_create_in_place.
1218 */
1222 dsm_handle control_handle,
1224 {
1233 /* Sanity check on the space we have to work in. */
1238 /* Now figure out how much space is usable */
1240 metadata_bytes =
1244 /* Add padding up to next page boundary. */
1250 /*
1251 * Initialize the dsa_area_control object located at the start of the
1252 * space.
1253 */
1272 /*
1273 * Create the dsa_area object that this backend will use to access the
1274 * area. Other backends will need to obtain their own dsa_area object by
1275 * attaching.
1276 */
1288 /* Set up the segment map for this process's mapping. */
1301 /* Set up the free page map. */
1303 /* There can be 0 usable pages if size is dsa_minimum_size(). */
1307 usable_pages);
1309 /* Put this segment into the appropriate bin. */
1314 }
1316 /*
1317 * Workhorse function for dsa_attach and dsa_attach_in_place.
1318 */
1321 {
1332 /* Build the backend-local area object. */
1340 /* Set up the segment map for this process's mapping. */
1351 /* Bump the reference count. */
1354 {
1355 /* We can't attach to a DSA area that has already been destroyed. */
1359 }
1365 }
1367 /*
1368 * Add a new span to fullness class 1 of the indicated pool.
1369 */
1370 static void
1372 dsa_pointer span_pointer,
1374 uint16 size_class)
1375 {
1379 /*
1380 * The per-pool lock must be held because we manipulate the span list for
1381 * this pool.
1382 */
1385 /* Push this span onto the front of the span list for fullness class 1. */
1387 {
1392 }
1403 {
1404 /*
1405 * A block-of-spans contains its own descriptor, so mark one object as
1406 * initialized and reduce the count of allocatable objects by one.
1407 * Doing this here has the side effect of also reducing nmax by one,
1408 * which is important to make sure we free this object at the correct
1409 * time.
1410 */
1413 }
1419 }
1421 /*
1422 * Transfer the first span in one fullness class to the head of another
1423 * fullness class.
1424 */
1425 static bool
1428 {
1429 dsa_pointer span_pointer;
1433 /* Can't do it if source list is empty. */
1438 /* Remove span from head of source list. */
1442 {
1446 }
1448 /* Add span to head of target list. */
1452 {
1456 }
1460 }
1462 /*
1463 * Allocate one object of the requested size class from the given area.
1464 */
1467 {
1470 dsa_pointer block;
1471 dsa_pointer result;
1475 /*
1476 * Even though ensure_active_superblock can in turn call alloc_object if
1477 * it needs to allocate a new span, that's always from a different pool,
1478 * and the order of lock acquisition is always the same, so it's OK that
1479 * we hold this lock for the duration of this function.
1480 */
1484 /*
1485 * If there's no active superblock, we must successfully obtain one or
1486 * fail the request.
1487 */
1490 {
1492 }
1493 else
1494 {
1495 /*
1496 * There should be a block in fullness class 1 at this point, and it
1497 * should never be completely full. Thus we can either pop an object
1498 * from the free list or, failing that, initialize a new object.
1499 */
1508 {
1512 }
1513 else
1514 {
1517 }
1520 /* If it's now full, move it to the highest-numbered fullness class. */
1523 }
1529 }
1531 /*
1532 * Ensure an active (i.e. fullness class 1) superblock, unless all existing
1533 * superblocks are completely full and no more can be allocated.
1534 *
1535 * Fullness classes K of 0..N are loosely intended to represent blocks whose
1536 * utilization percentage is at least K/N, but we only enforce this rigorously
1537 * for the highest-numbered fullness class, which always contains exactly
1538 * those blocks that are completely full. It's otherwise acceptable for a
1539 * block to be in a higher-numbered fullness class than the one to which it
1540 * logically belongs. In addition, the active block, which is always the
1541 * first block in fullness class 1, is permitted to have a higher allocation
1542 * percentage than would normally be allowable for that fullness class; we
1543 * don't move it until it's completely full, and then it goes to the
1544 * highest-numbered fullness class.
1545 *
1546 * It might seem odd that the active block is the head of fullness class 1
1547 * rather than fullness class 0, but experience with other allocators has
1548 * shown that it's usually better to allocate from a block that's moderately
1549 * full rather than one that's nearly empty. Insofar as is reasonably
1550 * possible, we want to avoid performing new allocations in a block that would
1551 * otherwise become empty soon.
1552 */
1553 static bool
1556 {
1557 dsa_pointer span_pointer;
1558 dsa_pointer start_pointer;
1569 /*
1570 * Compute the number of objects that will fit in a block of this size
1571 * class. Span-of-spans blocks are just a single page, and the first
1572 * object isn't available for use because it describes the block-of-spans
1573 * itself.
1574 */
1577 else
1580 /*
1581 * If fullness class 1 is empty, try to find a span to put in it by
1582 * scanning higher-numbered fullness classes (excluding the last one,
1583 * whose blocks are certain to all be completely full).
1584 */
1586 {
1590 {
1595 dsa_pointer next_span_pointer;
1601 /* Figure out what fullness class should contain this span. */
1605 /* Look up next span. */
1609 else
1612 /*
1613 * If utilization has dropped enough that this now belongs in some
1614 * other fullness class, move it there.
1615 */
1617 {
1618 /* Remove from the current fullness class list. */
1620 {
1621 /* It was the head; remove it. */
1626 }
1627 else
1628 {
1629 /* It was not the head. */
1634 }
1638 /* Push onto the head of the new fullness class list. */
1643 {
1647 }
1649 }
1651 /* Advance to next span on list. */
1653 }
1655 /* Stop now if we found a suitable block. */
1658 }
1660 /*
1661 * If there are no blocks that properly belong in fullness class 1, pick
1662 * one from some other fullness class and move it there anyway, so that we
1663 * have an allocation target. Our last choice is to transfer a block
1664 * that's almost empty (and might become completely empty soon if left
1665 * alone), but even that is better than failing, which is what we must do
1666 * if there are no blocks at all with freespace.
1667 */
1676 /*
1677 * We failed to find an existing span with free objects, so we need to
1678 * allocate a new superblock and construct a new span to manage it.
1679 *
1680 * First, get a dsa_area_span object to describe the new superblock block
1681 * ... unless this allocation is for a dsa_area_span object, in which case
1682 * that's surely not going to work. We handle that case by storing the
1683 * span describing a block-of-spans inline.
1684 */
1686 {
1691 }
1693 /* Find or create a segment and allocate the superblock. */
1697 {
1700 {
1703 }
1704 }
1706 /*
1707 * This shouldn't happen: get_best_segment() or make_new_segment()
1708 * promised that we can successfully allocate npages.
1709 */
1713 npages);
1716 /* Compute the start of the superblock. */
1717 start_pointer =
1721 /*
1722 * If this is a block-of-spans, carve the descriptor right out of the
1723 * allocated space.
1724 */
1726 {
1727 /*
1728 * We have a pointer into the segment. We need to build a dsa_pointer
1729 * from the segment index and offset into the segment.
1730 */
1732 }
1734 /* Initialize span and pagemap. */
1740 }
1742 /*
1743 * Return the segment map corresponding to a given segment index, mapping the
1744 * segment in if necessary. For internal segment book-keeping, this is called
1745 * with the area lock held. It is also called by dsa_free and dsa_get_address
1746 * without any locking, relying on the fact they have a known live segment
1747 * index and they always call check_for_freed_segments to ensures that any
1748 * freed segment occupying the same slot is detached first.
1749 */
1752 {
1754 {
1755 dsm_handle handle;
1758 ResourceOwner oldowner;
1760 /*
1761 * If we are reached by dsa_free or dsa_get_address, there must be at
1762 * least one object allocated in the referenced segment. Otherwise,
1763 * their caller has a double-free or access-after-free bug, which we
1764 * have no hope of detecting. So we know it's safe to access this
1765 * array slot without holding a lock; it won't change underneath us.
1766 * Furthermore, we know that we can see the latest contents of the
1767 * slot, as explained in check_for_freed_segments, which those
1768 * functions call before arriving here.
1769 */
1772 /* It's an error to try to access an unused slot. */
1796 /* Remember the highest index this backend has ever mapped. */
1802 }
1804 /*
1805 * Callers of dsa_get_address() and dsa_free() don't hold the area lock,
1806 * but it's a bug in the calling code and undefined behavior if the
1807 * address is not live (ie if the segment might possibly have been freed,
1808 * they're trying to use a dangling pointer).
1809 *
1810 * For dsa.c code that holds the area lock to manipulate segment_bins
1811 * lists, it would be a bug if we ever reach a freed segment here. After
1812 * it's marked as freed, the only thing any backend should do with it is
1813 * unmap it, and it should always have done that in
1814 * check_for_freed_segments_locked() before arriving here to resolve an
1815 * index to a segment_map.
1816 *
1817 * Either way we can assert that we aren't returning a freed segment.
1818 */
1822 }
1824 /*
1825 * Return a superblock to the free page manager. If the underlying segment
1826 * has become entirely free, then return it to the operating system.
1827 *
1828 * The appropriate pool lock must be held.
1829 */
1830 static void
1832 {
1838 /* Remove it from its fullness class list. */
1841 /*
1842 * Note: Here we acquire the area lock while we already hold a per-pool
1843 * lock. We never hold the area lock and then take a pool lock, or we
1844 * could deadlock.
1845 */
1848 segment_map =
1853 /* Check if the segment is now entirely free. */
1855 {
1858 /* If it's not the segment with extra control data, free it. */
1860 {
1861 /*
1862 * Give it back to the OS, and allow other backends to detect that
1863 * they need to detach.
1864 */
1878 }
1879 }
1881 /* Move segment to appropriate bin if necessary. */
1887 /*
1888 * Span-of-spans blocks store the span which describes them within the
1889 * block itself, so freeing the storage implicitly frees the descriptor
1890 * also. If this is a block of any other type, we need to separately free
1891 * the span object also. This recursive call to dsa_free will acquire the
1892 * span pool's lock. We can't deadlock because the acquisition order is
1893 * always some other pool and then the span pool.
1894 */
1897 }
1899 static void
1901 {
1903 {
1907 }
1909 {
1913 }
1914 else
1915 {
1919 }
1920 }
1922 static void
1924 dsa_pointer span_pointer,
1926 {
1930 {
1935 }
1940 }
1942 /*
1943 * Detach from an area that was either created or attached to by this process.
1944 */
1945 void
1947 {
1950 /* Detach from all segments. */
1955 /*
1956 * Note that 'detaching' (= detaching from DSM segments) doesn't include
1957 * 'releasing' (= adjusting the reference count). It would be nice to
1958 * combine these operations, but client code might never get around to
1959 * calling dsa_detach because of an error path, and a detach hook on any
1960 * particular segment is too late to detach other segments in the area
1961 * without risking a 'leak' warning in the non-error path.
1962 */
1964 /* Free the backend-local area object. */
1966 }
1968 /*
1969 * Unlink a segment from the bin that contains it.
1970 */
1971 static void
1973 {
1975 {
1980 }
1981 else
1982 {
1987 }
1989 {
1994 }
1995 }
1997 /*
1998 * Find a segment that could satisfy a request for 'npages' of contiguous
1999 * memory, or return NULL if none can be found. This may involve attaching to
2000 * segments that weren't previously attached so that we can query their free
2001 * pages map.
2002 */
2005 {
2011 /*
2012 * Start searching from the first bin that *might* have enough contiguous
2013 * pages.
2014 */
2018 {
2019 /*
2020 * The minimum contiguous size that any segment in this bin should
2021 * have. We'll re-bin if we see segments with fewer.
2022 */
2024 dsa_segment_index segment_index;
2026 /* Search this bin for a segment with enough contiguous space. */
2029 {
2031 dsa_segment_index next_segment_index;
2038 /* Not enough for the request, still enough for this bin. */
2040 {
2043 }
2045 /* Re-bin it if it's no longer in the appropriate bin. */
2047 {
2050 /*
2051 * But fall through to see if it's enough to satisfy this
2052 * request anyway....
2053 */
2054 }
2056 /* Check if we are done. */
2060 /* Continue searching the same bin. */
2062 }
2063 }
2065 /* Not found. */
2067 }
2069 /*
2070 * Create a new segment that can handle at least requested_pages. Returns
2071 * NULL if the requested total size limit or maximum allowed number of
2072 * segments would be exceeded.
2073 */
2076 {
2077 dsa_segment_index new_index;
2084 ResourceOwner oldowner;
2088 /* Find a segment slot that is not in use (linearly for now). */
2090 {
2093 }
2097 /*
2098 * If the total size limit is already exceeded, then we exit early and
2099 * avoid arithmetic wraparound in the unsigned expressions below.
2100 */
2105 /*
2106 * The size should be at least as big as requested, and at least big
2107 * enough to follow a geometric series that approximately doubles the
2108 * total storage each time we create a new segment. We use geometric
2109 * growth because the underlying DSM system isn't designed for large
2110 * numbers of segments (otherwise we might even consider just using one
2111 * DSM segment for each large allocation and for each superblock, and then
2112 * we wouldn't need to use FreePageManager).
2113 *
2114 * We decide on a total segment size first, so that we produce tidy
2115 * power-of-two sized segments. This is a good property to have if we
2116 * move to huge pages in the future. Then we work back to the number of
2117 * pages we can fit.
2118 */
2127 metadata_bytes =
2132 /* Add padding up to next page boundary. */
2140 /* See if that is enough... */
2142 {
2143 /*
2144 * We'll make an odd-sized segment, working forward from the requested
2145 * number of pages.
2146 */
2148 metadata_bytes =
2153 /* Add padding up to next page boundary. */
2158 /* Is that too large for dsa_pointer's addressing scheme? */
2162 /* Would that exceed the limit? */
2166 }
2168 /* Create the segment. */
2177 /* Store the handle in shared memory to be found by index. */
2180 /* Track the highest segment index in the history of the area. */
2183 /* Track the highest segment index this backend has ever mapped. */
2186 /* Track total size of all segments. */
2191 /* Build a segment map for this segment in this backend. */
2204 /* Set up the free page map. */
2207 usable_pages);
2209 /* Set up the segment header and put it in the appropriate bin. */
2221 {
2227 }
2230 }
2232 /*
2233 * Check if any segments have been freed by destroy_superblock, so we can
2234 * detach from them in this backend. This function is called by
2235 * dsa_get_address and dsa_free to make sure that a dsa_pointer they have
2236 * received can be resolved to the correct segment.
2237 *
2238 * The danger we want to defend against is that there could be an old segment
2239 * mapped into a given slot in this backend, and the dsa_pointer they have
2240 * might refer to some new segment in the same slot. So those functions must
2241 * be sure to process all instructions to detach from a freed segment that had
2242 * been generated by the time this process received the dsa_pointer, before
2243 * they call get_segment_by_index.
2244 */
2245 static void
2247 {
2250 /*
2251 * Any other process that has freed a segment has incremented
2252 * freed_segment_counter while holding an LWLock, and that must precede
2253 * any backend creating a new segment in the same slot while holding an
2254 * LWLock, and that must precede the creation of any dsa_pointer pointing
2255 * into the new segment which might reach us here, and the caller must
2256 * have sent the dsa_pointer to this process using appropriate memory
2257 * synchronization (some kind of locking or atomic primitive or system
2258 * call). So all we need to do on the reading side is ask for the load of
2259 * freed_segment_counter to follow the caller's load of the dsa_pointer it
2260 * has, and we can be sure to detect any segments that had been freed as
2261 * of the time that the dsa_pointer reached this process.
2262 */
2266 {
2267 /* Check all currently mapped segments to find what's been freed. */
2271 }
2272 }
2274 /*
2275 * Workhorse for check_for_freed_segments(), and also used directly in path
2276 * where the area lock is already held. This should be called after acquiring
2277 * the lock but before looking up any segment by index number, to make sure we
2278 * unmap any stale segments that might have previously had the same index as a
2279 * current segment.
2280 */
2281 static void
2283 {
2290 {
2292 {
2295 {
2300 }
2301 }
2303 }
2304 }
2306 /*
2307 * Re-bin segment if it's no longer in the appropriate bin.
2308 */
2309 static void
2311 {
2313 dsa_segment_index segment_index;
2319 /* Remove it from its current bin. */
2322 /* Push it onto the front of its new bin. */
2329 {
2335 }
2336 }