Re: Compiling C++ modules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Kyle Moffett wrote:

My experience with exceptions in kernel-like code (a distributed filesystem) was excellent.

Well from all of the discussions about it that occurred on this list, the biggest problem with exceptions in the kernel was the overhead to keep track of the exception state and the try/catch stack.
There is zero runtime overhead. In fact, code using exceptions is faster than the equivalent code using error returns.
The other problem was handling exceptions in atomic contexts,
Can you elaborate? I don't see any special handling needed.
in the guts of the scheduler,
That may or may not be tricky. The filesystem I worked on had it's own scheduler (in C++ :) but it was orders of magnitude simpler than the Linux scheduler.

I suspect thread creation and context switching need special handling, but I don't think the computational code needs anything.
and in a host of other hot-paths.
The hotter the merrier!

Which of the following shows the flow of code better?

Once you accept the idea that an exception can occur (almost) anywhere

Except they can't. Lots and lots of bits of kernel code explicitly depend on the fact that certain operations _cannot_ fail, and they make that obvious through the fact that those functions don't have any way of returning error conditions.
You can do that in C++ by indicating a function doesn't throw:

   void f() throw();

the C++ code shows you what the code does in the normal case without obfuscating it with error handling. Pretend that after every semicolon there is a comment of the form:
   /* possible exceptional return */

As I pointed out before and seem doomed to point out again, this is an _implicit_ piece of code, and in kernels implicit code is very very bad. Because of the varying contexts and close hardware dependence, you want to explicitly state everything that happens.
This is possibly the core of our disagreement. I find that explicitly repeating the same code over and over again detracts from understanding.

And I disagree that proximity to hardware affects anything. I've written complete bringup code (from CPU reset to GUI) in C++ (in another life...). There is no problem programming memory controller registers and taking interrupts in C++.

First of all, that extra TakeLock object chews up stack, at least 4 or 8 bytes of it, depending on your word size.

No, it's optimized out. gcc notices that &lock doesn't change and that 'l' never escapes the function.

GCC does not notice that when you use out-of-line functions. Let me remind you that many of the kernel's spinlocks and other functions are out-of-line, inlining them has significant performance penalties.
Keep spin_lock() out of line and let spinlock_guard's constructor and destructor remain inline. Zero code size or performance hit.

Secondly with standard integer error returns you have one or two easily-predictable assembly instructions at each step of the way, whereas with exceptions you trade the absence of error handling in the rest of the code for a lot of extra instructions at the exception throw and catch points.

The extra code is out of line (not even an if (unlikely())). So yes, total code grows, but the exceptional paths can be in a .text.exception section and not consume cache or TLB space.

Total bull.  Let me give you an example.  The following C++ code:
{
    Foo my_foo;
    function_that_throws_exception();
}

Is turned by the compiler into a slight variant on this C code:
{
    Foo my_foo = Foo();
    jmp_buf exception;
    if (setjmp(exception))
        goto out;
function_that_throws_exception(); out:
    ~Foo(&my_foo);
}

There is nothing about the above that the compiler can trivially "out-of-line", not to mention the fact that you just royally screwed the CPUs chances of getting branch prediction right. There's the fact that setjmp and longjmp are kind of hard in kernelspace. Finally, the stack usage is significantly increased, I think even in userspace, jmp_buf occupies 8 longs (32 bytes) just for critical registers and instruction pointer of the exception handler. Also, the simplest case of throwing an exception has turned from the three instructions "cmp bnz ret" (compare result or pointer, branch to exception code, return) to this mess:
{
    longjmp((int)pointer);
}

The longjmp function is simple, but not _that_ simple, and it still breaks branch prediction in a bad way.
setjmp()/longjmp() (or equivalents) are not used for exception handling on Linux.

what _actually_ happens is that when an exception is thrown, the exeption handling mechanism rolls back the stack and figures out the program counter where we're due to return, and consults an out-of-line table which tells it which destructors to execute. Something like this:

{
   Foo my_foo = Foo();
e1:
  function_that_throws_exception();
e2:
  my_foo.~Foo();
}

/* begin out-of-line code */
exception_table[] = {
   [e1] : h1
   [e2]: h2
}

{
h2:
   my_foo.~Foo();
h1:
}

In C++ you just have to treat declarations as executable statements. Just as you can't compile the code with a C compiler, you can't read it with a C mindset. Once you get used to it, it isn't surprising at all.

That's all well and good, until you assume that "some_type foo = 3;" is just declaring an integer through a typedef instead of declaring an object with side effects. The thing about the linux kernel is that basically _nobody_ understands all of it, and as a result each and every bit of code must stand on its own and be fairly obvious as to side effects and such. In C++, most of the language features are designed to _hide_ those side effects and as a result it's a terrible fit for the kernel.

So don't assume it, or forbid (through CodingStyle) constructors with single integer parameters.
Let me point out _again_ how unobvious and fragile the flow of code there is. Not to mention the fact that the C++ compiler can easily notice that item1 and item2 are never used and optimize them out entirely.

Excellent! If there are no side effects, I want it out. If there are side effects, it won't optimize them out.

How can it tell? You aren't writing all your member functions inline, are you?
When they're empty, sure. Or when they're one liners. Or when I know they have no side effects.

This isn't any different from C or existing kernel practice.

You also totally missed the "int flags" argument you're supposed to pass to object specifying allocation parameters,

There is no allocation here (both the C and the C++ code allocate on the stack.

Let's look in the kernel. How often do you find non-trivial constructor functions that _don't_ allocate memory, hm?
So it was a bad example. The point is it was much simpler compared to the equivalent C. And the more complex it gets, the more pronounced the difference is.

Should you want to allocate from the heap, try this:

{
   spinlock_t::guard g(some_lock);
auto_ptr<Foo> item(new (gfp_mask) Foo); /* or pass a kmem_cache_t */
   item->do_something();
   item->do_something_else();
   return item.release();
}

I think this code speaks for itself about its lack of readability.
Maybe for a C reader. For a C++ reader it's quite clear.


   if ((r = foo_do_something(item))) {

Your kernel-idiomatic C is terrible. Please don't go around writing much kernel code in this style, that's disgusting. Your multiply-duplicated return statements were also bad form, see my example for a much clearer way of doing it.
You can tweak the style however you like. The C code wil end up longer and with more paths to examine, just doing boilerplate stuff.

We should concentrate on the problem, not boilerplate.

Yeah, sure, yours is 3 lines when you omit the following:
(1)  Handling allocation flags like GFP_KERNEL
done

And unreadable afterwards

(4) Reference counting, garbage collection, or another way to selectively free the allocated objects based on success or failure of other code.
Reference counting is ridiculously to do in C++. I'll spare you the details.

I'll assume you mean "ridiculously easy" there. The problem is that with the exception handling system you add refcounts to a lot of objects that don't need them. Here's an example that doesn't need a refcount. I'm registering the "item" with a subsystem, and if that fails the object is immediately freed.
You seem to assyme that C++ is forcing you into a stranglehold. It isn't. It gives you tools, you choose how and when to use them. You can even write straight C with all the paths spelled out in glorious detail.

{
    int result;
    struct foo *item = kmalloc(sizeof(*item), GFP_KERNEL);
    if (unlikely(!item))
        return ERR_PTR(-ENOMEM);
spin_lock(&item_lock); result = item_init(item, GFP_KERNEL);
    if (unlikely(result))
        goto free;
result = item_register(subsystem, item);
    if (unlikely(result))
        goto destroy;
out:
    spin_unlock(&item_lock);
    return result;

    /* Error handling */
destroy:
    item_destroy(item);
free:
    kfree(item);
    goto out;
}

Here's the C++ code:

(I'm assuming you want item_init() out of the spinlock since you pass it GFP_KERNEL, presumably for its internal allocations. I'm also assuming the function returns 0 or error)

{
   auto_ptr<foo> item = new (GFP_KERNEL) foo(GFP_KERNEL);
   spinlock_t::guard guard(item_lock);
   item->register(subsystem);
   item.release();
}

(and no, auto_ptr<> does not reference count)

This is a translation of what you wrote. 19 lines vs 4.
Please note that the assembly into which this optimizes is quite efficient, the compiler can trivially order the fast-path and place all of the exception code after the function or could theoretically even put it in a different section. The side-effects are quite obvious, and it's also simple to identify exactly how many instructions this function costs; there's a memory allocation, a lock, and two function calls. Interspersed in there are exactly 3 conditional jumps to exception-handling code. Direct stack usage for this function is around 8 or 12 bytes, depending on word size.
The assembly into which the C++ code is even more optimal (at the expense of the exceptional case). Direct stack usage is 4 or 8 bytes, depending on word size, unless foo::register is inlined, in which case usage drops to zero.

The biggest advantage to this method is that we can tell C exactly what exceptions we expect from the various functions. Not only that, but we already know what type they are, how likely they are to occur, and exactly how to handle each kind of exception path. It's even fairly easy to read through the fast-path based on how it's laid out.

That's also the biggest disadvantage. You have to wade through 19 lines of code, 15 of which should have been generated by the compiler. You're following a template; that's a job for machines, not humans.

Modifying those 19 lines won't be fun, either, say you add a mutex_lock() at the beginning, now you have to mutex_unlock() in two separate places or rework the error paths. That's the stuff 2.6.18.9s are made of.

On my example, you add one line to the beginning.

Let me point out a few problems with the C++ ways you've described of doing the same things:

(1) You can't easily allocate and initialize an object in 2 different steps.
You can. Again, C++ doesn't force you to do anything:

   auto_ptr<foo> item = new (GFP_KERNEL) foo();
   spinlock_t::guard guard(item_lock);
   item->init(...);
In the kernel you want to be able to sleep in kmalloc to increase chances of getting the memory you need, but you may need to take a spinlock before actually initializing the data structure (say it's on a linked list). If you split up the actual initialization into another function then you lose all of the advantages of C++ constructors.

Tradeoffs, tradeoffs. but you still get the destructor to clean up, and auto_ptr to free memory on exception.
(2) Your code either adds a refcount for "item" or unconditionally releases it at the end of the function. Yes that's fixable, but not in a way that preserves the exception-handling properties you're espousing so much. When you get an exception, how does the code tell which objects to free and which ones not to? (Answer: it can't, that's a semantic decision made by the programmer with "if" statements).
Sorry, that's based on a wrong understanding of what auto_ptr<> is. It has nothing to do with refcounts.

The code is just a translation of what you wrote.

(3) You still haven't explained how adding all sorts of implicit side effects is a good thing in an operating system kernel.
Reducing code size, improving performance, and reducing bug count. All of which, I believe, are important to Linux.

--
Do not meddle in the internals of kernels, for they are subtle and quick to panic.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux