source: doc/theses/thierry_delisle_PhD/thesis/text/io.tex @ 62424af2

\chapter{User Level \io}\label{userio}
As mentioned in Section~\ref{prev:io}, user-level \io requires multiplexing the \io operations of many \ats onto fewer \glspl{proc} using asynchronous \io operations.
Different operating systems offer various forms of asynchronous operations and, as mentioned in Chapter~\ref{intro}, this work is exclusively focused on the Linux operating-system.

\section{Kernel Interface}
Since this work fundamentally depends on operating-system support, the first step of this design is to discuss the available interfaces and pick one (or more) as the foundation for the non-blocking \io subsystem in this work.

\subsection{\lstinline{O_NONBLOCK}}\label{ononblock}
In Linux, files can be opened with the flag @O_NONBLOCK@~\cite{MAN:open} (or @SO_NONBLOCK@~\cite{MAN:accept}, the equivalent for sockets) to use the file descriptors in ``nonblocking mode''.
In this mode, ``Neither the @open()@ nor any subsequent \io operations on the [opened file descriptor] will cause the calling process to wait''~\cite{MAN:open}.
This feature can be used as the foundation for the non-blocking \io subsystem.
However, for the subsystem to know when an \io operation completes, @O_NONBLOCK@ must be used in conjunction with a system call that monitors when a file descriptor becomes ready, \ie, the next \io operation on it does not cause the process to wait.\footnote{
In this context, ready means \emph{some} operation can be performed without blocking.
It does not mean an operation returning \lstinline{EAGAIN} succeeds on the next try.
For example, a ready read may only return a subset of requested bytes and the read must be issues again for the remaining bytes, at which point it may return \lstinline{EAGAIN}.}
This mechanism is also crucial in determining when all \ats are blocked and the application \glspl{kthrd} can now block.

There are three options to monitor file descriptors in Linux:\footnote{
For simplicity, this section omits \lstinline{pselect} and \lstinline{ppoll}.
The difference between these system calls and \lstinline{select} and \lstinline{poll}, respectively, is not relevant for this discussion.},
@select@~\cite{MAN:select}, @poll@~\cite{MAN:poll} and @epoll@~\cite{MAN:epoll}.
All three of these options offer a system call that blocks a \gls{kthrd} until at least one of many file descriptors becomes ready.
The group of file descriptors being waited on is called the \newterm{interest set}.

\paragraph{\lstinline{select}} is the oldest of these options, and takes as input a contiguous array of bits, where each bit represents a file descriptor of interest.
Hence, the array length must be as long as the largest FD currently of interest.
On return, it outputs the set in place to identify which of the file descriptors changed state.
This destructive change means selecting in a loop requires re-initializing the array for each iteration.
Another limit of @select@ is that calls from different \glspl{kthrd} sharing FDs are independent.
Hence, if one \gls{kthrd} is managing the select calls, other threads can only add/remove to/from the manager's interest set through synchronized calls to update the interest set.
However, these changes are only reflected when the manager makes its next call to @select@.
Note, it is possible for the manager thread to never unblock if its current interest set never changes, \eg the sockets/pipes/ttys it is waiting on never get data again.
Often the I/O manager has a timeout, polls, or is sent a signal on changes to mitigate this problem.

% \begin{comment}
% From: Tim Brecht <brecht@uwaterloo.ca>
% Subject: Re: FD sets
% Date: Wed, 6 Jul 2022 00:29:41 +0000

% Large number of open files
% --------------------------

% In order to be able to use more than the default number of open file
% descriptors you may need to:

% o increase the limit on the total number of open files /proc/sys/fs/file-max
%   (on Linux systems)

% o increase the size of FD_SETSIZE
%   - the way I often do this is to figure out which include file __FD_SETSIZE
%     is defined in, copy that file into an appropriate directory in ./include,
%     and then modify it so that if you use -DBIGGER_FD_SETSIZE the larger size
%     gets used

%   For example on a RH 9.0 distribution I've copied
%   /usr/include/bits/typesizes.h into ./include/i386-linux/bits/typesizes.h

%   Then I modify typesizes.h to look something like:

%   #ifdef BIGGER_FD_SETSIZE
%   #define __FD_SETSIZE            32767
%   #else
%   #define __FD_SETSIZE            1024
%   #endif

%   Note that the since I'm moving and testing the userver on may different
%   machines the Makefiles are set up to use -I ./include/$(HOSTTYPE)

%   This way if you redefine the FD_SETSIZE it will get used instead of the
%   default original file.
% \end{comment}

\paragraph{\lstinline{poll}} is the next oldest option, and takes as input an array of structures containing the FD numbers rather than their position in an array of bits, allowing a more compact input for interest sets that contain widely spaced FDs.
For small interest sets with densely packed FDs, the @select@ bit mask can take less storage, and hence, copy less information into the kernel.
Furthermore, @poll@ is non-destructive, so the array of structures does not have to be re-initialize on every call.
Like @select@, @poll@ suffers from the limitation that the interest set cannot be changed by other \gls{kthrd}, while a manager thread is blocked in @poll@.

\paragraph{\lstinline{epoll}} follows after @poll@, and places the interest set in the kernel rather than the application, where it is managed by an internal \gls{kthrd}.
There are two separate functions: one to add to the interest set and another to check for FDs with state changes.
This dynamic capability is accomplished by creating an \emph{epoll instance} with a persistent interest set, which is used across multiple calls.
As the interest set is augmented, the changes become implicitly part of the interest set for a blocked manager \gls{kthrd}.
This capability significantly reduces synchronization between \glspl{kthrd} and the manager calling @epoll@.

However, all three of these I/O systems have limitations.
The @man@ page for @O_NONBLOCK@ mentions that ``[@O_NONBLOCK@] has no effect for regular files and block devices'', which means none of these three system calls are viable multiplexing strategies for these types of \io operations.
Furthermore, @epoll@ has been shown to have problems with pipes and ttys~\cit{Peter's examples in some fashion}.
Finally, none of these are useful solutions for multiplexing \io operations that do not have a corresponding file descriptor and can be awkward for operations using multiple file descriptors.

\subsection{POSIX asynchronous I/O (AIO)}
An alternative to @O_NONBLOCK@ is the AIO interface.
Its interface lets programmers enqueue operations to be performed asynchronously by the kernel.
Completions of these operations can be communicated in various ways: either by spawning a new \gls{kthrd}, sending a Linux signal, or by polling for completion of one or more operation.
For this work, spawning a new \gls{kthrd} is counter-productive but a related solution is discussed in Section~\ref{io:morethreads}.
Using interrupts handlers can also lead to fairly complicated interactions between subsystems and has non-trivial cost.
Leaving polling for completion, which is similar to the previous system calls.
AIO only supports read and write operations to file descriptors, it does not have the same limitation as @O_NONBLOCK@, \ie, the file descriptors can be regular files and blocked devices.
It also supports batching multiple operations in a single system call.

AIO offers two different approaches to polling: @aio_error@ can be used as a spinning form of polling, returning @EINPROGRESS@ until the operation is completed, and @aio_suspend@ can be used similarly to @select@, @poll@ or @epoll@, to wait until one or more requests have completed.
For the purpose of \io multiplexing, @aio_suspend@ is the best interface.
However, even if AIO requests can be submitted concurrently, @aio_suspend@ suffers from the same limitation as @select@ and @poll@, \ie, the interest set cannot be dynamically changed while a call to @aio_suspend@ is in progress.
AIO also suffers from the limitation of specifying which requests have completed, \ie programmers have to poll each request in the interest set using @aio_error@ to identify the completed requests.
This limitation means that, like @select@ and @poll@ but not @epoll@, the time needed to examine polling results increases based on the total number of requests monitored, not the number of completed requests.
Finally, AIO does not seem to be a popular interface, which I believe is due in part to this poor polling interface.
Linus Torvalds talks about this interface as follows:

\begin{displayquote}
        AIO is a horrible ad-hoc design, with the main excuse being ``other,
        less gifted people, made that design, and we are implementing it for
        compatibility because database people - who seldom have any shred of
        taste - actually use it''.

        But AIO was always really really ugly.

        \begin{flushright}
                -- Linus Torvalds~\cite{AIORant}
        \end{flushright}
\end{displayquote}

Interestingly, in this e-mail, Linus goes on to describe
``a true \textit{asynchronous system call} interface''
that does
``[an] arbitrary system call X with arguments A, B, C, D asynchronously using a kernel thread''
in
``some kind of arbitrary \textit{queue up asynchronous system call} model''.
This description is actually quite close to the interface described in the next section.

\subsection{\lstinline{io_uring}}
A very recent addition to Linux, @io_uring@~\cite{MAN:io_uring}, is a framework that aims to solve many of the problems listed in the above interfaces.
Like AIO, it represents \io operations as entries added to a queue.
But like @epoll@, new requests can be submitted, while a blocking call waiting for requests to complete, is already in progress.
The @io_uring@ interface uses two ring buffers (referred to simply as rings) at its core: a submit ring to which programmers push \io requests and a completion ring from which programmers poll for completion.

One of the big advantages over the prior interfaces is that @io_uring@ also supports a much wider range of operations.
In addition to supporting reads and writes to any file descriptor like AIO, it supports other operations like @open@, @close@, @fsync@, @accept@, @connect@, @send@, @recv@, @splice@, \etc.

On top of these, @io_uring@ adds many extras like avoiding copies between the kernel and user-space using shared memory, allowing different mechanisms to communicate with device drivers, and supporting chains of requests, \ie, requests that automatically trigger followup requests on completion.

\subsection{Extra Kernel Threads}\label{io:morethreads}
Finally, if the operating system does not offer a satisfactory form of asynchronous \io operations, an ad-hoc solution is to create a pool of \glspl{kthrd} and delegate operations to it to avoid blocking \glspl{proc}, which is a compromise for multiplexing.
In the worst case, where all \ats are consistently blocking on \io, it devolves into 1-to-1 threading.
However, regardless of the frequency of \io operations, it achieves the fundamental goal of not blocking \glspl{proc} when \ats are ready to run.
This approach is used by languages like Go~\cite{GITHUB:go}, frameworks like libuv~\cite{libuv}, and web servers like Apache~\cite{apache} and NGINX~\cite{nginx}, since it has the advantage that it can easily be used across multiple operating systems.
This advantage is especially relevant for languages like Go, which offer a homogeneous \glsxtrshort{api} across all platforms.
As opposed to C, which has a very limited standard api for \io, \eg, the C standard library has no networking.

\subsection{Discussion}
These options effectively fall into two broad camps: waiting for \io to be ready versus waiting for \io to complete.
All operating systems that support asynchronous \io must offer an interface along one of these lines, but the details vary drastically.
For example, Free BSD offers @kqueue@~\cite{MAN:bsd/kqueue}, which behaves similarly to @epoll@, but with some small quality of use improvements, while Windows (Win32)~\cite{win:overlap} offers ``overlapped I/O'', which handles submissions similarly to @O_NONBLOCK@ with extra flags on the synchronous system call, but waits for completion events, similarly to @io_uring@.

For this project, I selected @io_uring@, in large parts because of its generality.
While @epoll@ has been shown to be a good solution for socket \io (\cite{Karsten20}), @io_uring@'s transparent support for files, pipes, and more complex operations, like @splice@ and @tee@, make it a better choice as the foundation for a general \io subsystem.

\section{Event-Engine}
An event engine's responsibility is to use the kernel interface to multiplex many \io operations onto few \glspl{kthrd}.
In concrete terms, this means \ats enter the engine through an interface, the event engine then starts an operation and parks the calling \ats, returning control to the \gls{proc}.
The parked \ats are then rescheduled by the event engine once the desired operation has completed.

\subsection{\lstinline{io_uring} in depth}\label{iouring}
Before going into details on the design of my event engine, more details on @io_uring@ usage are presented, each important in the design of the engine.
Figure~\ref{fig:iouring} shows an overview of an @io_uring@ instance.
Two ring buffers are used to communicate with the kernel: one for submissions~(left) and one for completions~(right).
The submission ring contains entries, \newterm{Submit Queue Entries} (SQE), produced (appended) by the application when an operation starts and then consumed by the kernel.
The completion ring contains entries, \newterm{Completion Queue Entries} (CQE), produced (appended) by the kernel when an operation completes and then consumed by the application.
The submission ring contains indexes into the SQE array (denoted \emph{S} in the figure) containing entries describing the I/O operation to start;
the completion ring contains entries for the completed I/O operation.
Multiple @io_uring@ instances can be created, in which case they each have a copy of the data structures in the figure.

\begin{figure}
        \centering
        \input{io_uring.pstex_t}
        \caption[Overview of \lstinline{io_uring}]{Overview of \lstinline{io_uring} \smallskip\newline Two ring buffer are used to communicate with the kernel, one for completions~(right) and one for submissions~(left). The submission ring indexes into a pre-allocated array (denoted \emph{S}) instead.}
        \label{fig:iouring}
\end{figure}

New \io operations are submitted to the kernel following 4 steps, which use the components shown in the figure.
\begin{enumerate}
\item
An SQE is allocated from the pre-allocated array \emph{S}.
This array is created at the same time as the @io_uring@ instance, is in kernel-locked memory visible by both the kernel and the application, and has a fixed size determined at creation.
How these entries are allocated is not important for the functioning of @io_uring@;
the only requirement is that no entry is reused before the kernel has consumed it.
\item
The SQE is filled according to the desired operation.
This step is straight forward.
The only detail worth mentioning is that SQEs have a @user_data@ field that must be filled in order to match submission and completion entries.
\item
The SQE is submitted to the submission ring by appending the index of the SQE to the ring following regular ring buffer steps: \lstinline{buffer[head] = item; head++}.
Since the head is visible to the kernel, some memory barriers may be required to prevent the compiler from reordering these operations.
Since the submission ring is a regular ring buffer, more than one SQE can be added at once and the head is updated only after all entries are updated.
Note, SQE can be filled and submitted in any order, \eg in Figure~\ref{fig:iouring} the submission order is S0, S3, S2 and S1 has not been submitted.
\item
The kernel is notified of the change to the ring using the system call @io_uring_enter@.
The number of elements appended to the submission ring is passed as a parameter and the number of elements consumed is returned.
The @io_uring@ instance can be constructed so this step is not required, but this requires elevated privilege.% and an early version of @io_uring@ had additional restrictions.
\end{enumerate}

\begin{sloppypar}
The completion side is simpler: applications call @io_uring_enter@ with the flag @IORING_ENTER_GETEVENTS@ to wait on a desired number of operations to complete.
The same call can be used to both submit SQEs and wait for operations to complete.
When operations do complete, the kernel appends a CQE to the completion ring and advances the head of the ring.
Each CQE contains the result of the operation as well as a copy of the @user_data@ field of the SQE that triggered the operation.
It is not necessary to call @io_uring_enter@ to get new events because the kernel can directly modify the completion ring.
The system call is only needed if the application wants to block waiting for operations to complete.
\end{sloppypar}

The @io_uring_enter@ system call is protected by a lock inside the kernel.
This protection means that concurrent call to @io_uring_enter@ using the same instance are possible, but there is no performance gained from parallel calls to @io_uring_enter@.
It is possible to do the first three submission steps in parallel;
however, doing so requires careful synchronization.

@io_uring@ also introduces constraints on the number of simultaneous operations that can be ``in flight''.
First, SQEs are allocated from a fixed-size array, meaning that there is a hard limit to how many SQEs can be submitted at once.
Second, the @io_uring_enter@ system call can fail because ``The  kernel [...] ran out of resources to handle [a request]'' or ``The application is attempting to overcommit the number of requests it can have pending.''.
This restriction means \io request bursts may have to be subdivided and submitted in chunks at a later time.

An important detail to keep in mind is that just like ``The cloud is just someone else's computer''\cite{xkcd:cloud}, asynchronous operations are just operation using someone else's threads.
Indeed, asynchronous operation can require computation time to complete, which means that if this time is not taken from the thread that triggered the asynchronous operation, it must be taken from some other threads.
In this case, the @io_uring@ operations that cannot be handled directly in the system call must be delegated to some other \gls{kthrd}.
To this end, @io_uring@ maintains multiple \glspl{kthrd} inside the kernel that are not exposed to the user.
There are three kind of operations that can need the \glspl{kthrd}:

\paragraph{Operations using} @IOSQE_ASYNC@.
This is a straightforward case, users can explicitly set the @IOSQE_ASYNC@ flag on an SQE to specify that it \emph{must} be delegated to a different \gls{kthrd}.

\paragraph{Bounded operations.}
This is also a fairly simple case. As mentioned earlier in this chapter, [@O_NONBLOCK@] has no effect for regular files and block devices.
@io_uring@ must also take this reality into account by delegating operations on regular files and block devices.
In fact @io_uring@ maintains a pool of \glspl{kthrd} dedicated to these operations, which are referred to as \newterm{bounded workers}.

\paragraph{Unbounded operations that must be retried.}
While operations like reads on sockets can return @EAGAIN@ instead of blocking the \gls{kthrd}, in the case these operations return @EAGAIN@ they must be retried by @io_uring@ once the data is available on the socket.
Since this retry cannot necessarily be done in the system call, @io_uring@ must delegate these calls to a \gls{kthrd}.
@io_uring@ maintains a separate pool for these operations.
The \glspl{kthrd} in this pool are referred to as \newterm{unbounded workers}.
Unbounded workers are also responsible of handling operations using @IOSQE_ASYNC@.

@io_uring@ implicitly spawns and joins both the bounded and unbounded workers based on its evaluation of the needs of the workload.
This effectively encapsulates the work that is needed when using @epoll@.
Indeed, @io_uring@ does not change Linux's underlying handling of \io opeartions, it simply offers an asynchronous \glsxtrshort{api} on top of the existing system.


\subsection{Multiplexing \io: Submission}

The submission side is the most complicated aspect of @io_uring@ and the completion side effectively follows from the design decisions made in the submission side.
While there is freedom in designing the submission side, there are some realities of @io_uring@ that must be taken into account.
It is possible to do the first steps of submission in parallel;
however, the duration of the system call scales with the number of entries submitted.
The consequence is that the amount of parallelism used to prepare submissions for the next system call is limited.
Beyond this limit, the length of the system call is the throughput limiting factor.
I concluded from early experiments that preparing submissions seems to take almost as long as the system call itself, which means that with a single @io_uring@ instance, there is no benefit in terms of \io throughput to having more than two \glspl{hthrd}.
Therefore, the design of the submission engine must manage multiple instances of @io_uring@ running in parallel, effectively sharding @io_uring@ instances.
Since completions are sent to the instance where requests were submitted, all instances with pending operations must be polled continuously\footnote{
As described in Chapter~\ref{practice}, this does not translate into constant CPU usage.}.
Note that once an operation completes, there is nothing that ties it to the @io_uring@ instance that handled it.
There is nothing preventing a new operation with, \eg the same file descriptors to a different @io_uring@ instance.

A complicating aspect of submission is @io_uring@'s support for chains of operations, where the completion of an operation triggers the submission of the next operation on the link.
SQEs forming a chain must be allocated from the same instance and must be contiguous in the Submission Ring (see Figure~\ref{fig:iouring}).
The consequence of this feature is that filling SQEs can be arbitrarily complex, and therefore, users may need to run arbitrary code between allocation and submission.
Supporting chains is not a requirement of the \io subsystem, but it is still valuable.
Support for this feature can be fulfilled simply by supporting arbitrary user code between allocation and submission.

Similar to scheduling, sharding @io_uring@ instances can be done privately, \ie, one instance per \glspl{proc}, in decoupled pools, \ie, a pool of \glspl{proc} use a pool of @io_uring@ instances without one-to-one coupling between any given instance and any given \gls{proc}, or some mix of the two.
These three sharding approaches are analyzed.

\subsubsection{Private Instances}
The private approach creates one ring instance per \gls{proc}, \ie one-to-one coupling.
This alleviates the need for synchronization on the submissions, requiring only that \ats are not time-sliced during submission steps.
This requirement is the same as accessing @thread_local@ variables, where a \at is accessing kernel-thread data, is time-sliced, and continues execution on another kernel thread but is now accessing the wrong data.
This failure is the serially reusable problem~\cite{SeriallyReusable}.
Hence, allocated SQEs must be submitted to the same ring on the same \gls{proc}, which effectively forces the application to submit SQEs in allocation order.\footnote{
To remove this requirement, a \at needs the ability to ``yield to a specific \gls{proc}'', \ie, \park with the guarantee it unparks on a specific \gls{proc}, \ie the \gls{proc} attached to the correct ring.}
From the subsystem's point of view, the allocation and submission are sequential, greatly simplifying both.
In this design, allocation and submission form a partitioned ring buffer as shown in Figure~\ref{fig:pring}.
Once added to the ring buffer, the attached \gls{proc} has a significant amount of flexibility with regards to when to perform the system call.
Possible options are: when the \gls{proc} runs out of \ats to run, after running a given number of \ats, \etc.

\begin{figure}
        \centering
        \input{pivot_ring.pstex_t}
        \caption[Partitioned ring buffer]{Partitioned ring buffer \smallskip\newline Allocated sqes are appending to the first partition.
        When submitting, the partition is advanced.
        The kernel considers the partition as the head of the ring.}
        \label{fig:pring}
\end{figure}

This approach has the advantage that it does not require much of the synchronization needed in a shared approach.
However, this benefit means \ats submitting \io operations have less flexibility: they cannot \park or yield, and several exceptional cases are handled poorly.
Instances running out of SQEs cannot run \ats wanting to do \io operations.
In this case, the \io \at needs to be moved to a different \gls{proc}, and the only current way of achieving this is to @yield()@ hoping to be scheduled on a different \gls{proc} with free SQEs, which is not guaranteed.

A more involved version of this approach tries to solve these problems using a pattern called \newterm{helping}.
\ats that cannot submit \io operations, either because of an allocation failure or \glslink{atmig}{migration} to a different \gls{proc} between allocation and submission, create an \io object and add it to a list of pending submissions per \gls{proc} and a list of pending allocations, probably per cluster.
While there is still the strong coupling between \glspl{proc} and @io_uring@ instances, these data structures allow moving \ats to a specific \gls{proc}, when the current \gls{proc} cannot fulfill the \io request.

Imagine a simple scenario with two \ats on two \glspl{proc}, where one \at submits an \io operation and then sets a flag, while the other \at spins until the flag is set.
Assume both \ats are running on the same \gls{proc}, and the \io \at is preempted between allocation and submission, moved to the second \gls{proc}, and the original \gls{proc} starts running the spinning \at.
In this case, the helping solution has the \io \at append an \io object to the submission list of the first \gls{proc}, where the allocation was made.
No other \gls{proc} can help the \at since @io_uring@ instances are strongly coupled to \glspl{proc}.
However, the \io \gls{proc} is unable to help because it is executing the spinning \at resulting in a deadlock.
While this example is artificial, in the presence of many \ats, it is possible for this problem to arise ``in the wild''.
Furthermore, this pattern is difficult to reliably detect and avoid.
Once in this situation, the only escape is to interrupted the spinning \at, either directly or via some regular preemption, \eg time slicing.
Having to interrupt \ats for this purpose is costly, the latency can be large between interrupts, and the situation may be hard to detect.
Interrupts are needed here entirely because the \gls{proc} is tied to an instance it is not using.
Therefore, a more satisfying solution is for the \at submitting the operation to notice that the instance is unused and simply go ahead and use it.
This approach is presented shortly.

\subsubsection{Public Instances}
The public approach creates decoupled pools of @io_uring@ instances and processors, \ie without one-to-one coupling.
\ats attempting an \io operation pick one of the available instances and submit the operation to that instance.
Since there is no coupling between @io_uring@ instances and \glspl{proc} in this approach, \ats running on more than one \gls{proc} can attempt to submit to the same instance concurrently.
Because @io_uring@ effectively sets the amount of sharding needed to avoid contention on its internal locks, performance in this approach is based on two aspects:
\begin{itemize}
\item
The synchronization needed to submit does not induce more contention than @io_uring@ already does.
\item
The scheme to route \io requests to specific @io_uring@ instances does not introduce contention.
This aspect has an oversized importance because it comes into play before the sharding of instances, and as such, all \glspl{hthrd} can contend on the routing algorithm.
\end{itemize}

Allocation in this scheme is fairly easy.
Free SQEs, \ie, SQEs that are not currently being used to represent a request, can be written to safely and have a field called @user_data@ that the kernel only reads to copy to @cqe@s.
Allocation also requires no ordering guarantee as all free SQEs are interchangeable.
The only added complexity is that the number of SQEs is fixed, which means allocation can fail.

Allocation failures need to be pushed to a routing algorithm: \ats attempting \io operations must not be directed to @io_uring@ instances without sufficient SQEs available.
Furthermore, the routing algorithm should block operations up-front, if none of the instances have available SQEs.

Once an SQE is allocated, \ats insert the \io request information, and keep track of the SQE index and the instance it belongs to.

Once an SQE is filled in, it is added to the submission ring buffer, an operation that is not thread-safe, and then the kernel must be notified using the @io_uring_enter@ system call.
The submission ring buffer is the same size as the pre-allocated SQE buffer, therefore pushing to the ring buffer cannot fail because it would mean a \lstinline{sqe} multiple times in the ring buffer, which is undefined behaviour.
However, as mentioned, the system call itself can fail with the expectation that it can be retried once some submitted operations complete.

Since multiple SQEs can be submitted to the kernel at once, it is important to strike a balance between batching and latency.
Operations that are ready to be submitted should be batched together in few system calls, but at the same time, operations should not be left pending for long period of times before being submitted.
Balancing submission can be handled by either designating one of the submitting \ats as the being responsible for the system call for the current batch of SQEs or by having some other party regularly submitting all ready SQEs, \eg, the poller \at mentioned later in this section.

Ideally, when multiple \ats attempt to submit operations to the same @io_uring@ instance, all requests should be batched together and one of the \ats is designated to do the system call on behalf of the others, called the \newterm{submitter}.
However, in practice, \io requests must be handed promptly so there is a need to guarantee everything missed by the current submitter is seen by the next one.
Indeed, as long as there is a ``next'' submitter, \ats submitting new \io requests can move on, knowing that some future system call includes their request.
Once the system call is done, the submitter must also free SQEs so that the allocator can reused them.

Finally, the completion side is much simpler since the @io_uring@ system-call enforces a natural synchronization point.
Polling simply needs to regularly do the system call, go through the produced CQEs and communicate the result back to the originating \ats.
Since CQEs only own a signed 32 bit result, in addition to the copy of the @user_data@ field, all that is needed to communicate the result is a simple future~\cite{wiki:future}.
If the submission side does not designate submitters, polling can also submit all SQEs as it is polling events.
A simple approach to polling is to allocate a \at per @io_uring@ instance and simply let the poller \ats poll their respective instances when scheduled.

With the pool of SEQ instances approach, the big advantage is that it is fairly flexible.
It does not impose restrictions on what \ats submitting \io operations can and cannot do between allocations and submissions.
It also can gracefully handle running out of resources, SQEs or the kernel returning @EBUSY@.
The down side to this approach is that many of the steps used for submitting need complex synchronization to work properly.
The routing and allocation algorithm needs to keep track of which ring instances have available SQEs, block incoming requests if no instance is available, prevent barging if \ats are already queued up waiting for SQEs and handle SQEs being freed.
The submission side needs to safely append SQEs to the ring buffer, correctly handle chains, make sure no SQE is dropped or left pending forever, notify the allocation side when SQEs can be reused, and handle the kernel returning @EBUSY@.
All this synchronization has a significant cost, and compared to the private-instance approach, this synchronization is entirely overhead.

\subsubsection{Instance borrowing}
Both of the prior approaches have undesirable aspects that stem from tight or loose coupling between @io_uring@ and \glspl{proc}.
The first approach suffers from tight coupling causing problems when a \gls{proc} does not benefit from the coupling.
The second approach suffers from loose coupling causing operations to have synchronization overhead, which tighter coupling avoids.
When \glspl{proc} are continuously issuing \io operations, tight coupling is valuable since it avoids synchronization costs.
However, in unlikely failure cases or when \glspl{proc} are not using their instances, tight coupling is no longer advantageous.
A compromise between these approaches is to allow tight coupling but have the option to revoke the coupling dynamically when failure cases arise.
I call this approach \newterm{instance borrowing}.\footnote{
While instance borrowing looks similar to work sharing and stealing, I think it is different enough to warrant a different verb to avoid confusion.}

In this approach, each cluster, see Figure~\ref{fig:system}, owns a pool of @io_uring@ instances managed by an \newterm{arbiter}.
When a \at attempts to issue an \io operation, it ask for an instance from the arbiter and issues requests to that instance.
This instance is now bound to the \gls{proc} the \at is running on.
This binding is kept until the arbiter decides to revoke it, taking back the instance and reverting the \gls{proc} to its initial state with respect to \io.
This tight coupling means that synchronization can be minimal since only one \gls{proc} can use the instance at a time, akin to the private instances approach.
However, it differs in that revocation by the arbiter means this approach does not suffer from the deadlock scenario described above.

Arbitration is needed in the following cases:
\begin{enumerate}
        \item The current \gls{proc} does not hold an instance.
        \item The current instance does not have sufficient SQEs to satisfy the request.
        \item The current \gls{proc} has a wrong instance, this happens if the submitting \at context-switched between allocation and submission, called \newterm{external submissions}.
\end{enumerate}
However, even when the arbiter is not directly needed, \glspl{proc} need to make sure that their instance ownership is not being revoked, which is accomplished by a lock-\emph{less} handshake.\footnote{
Note the handshake is not lock \emph{free} since it lacks the proper progress guarantee.}
A \gls{proc} raises a local flag before using its borrowed instance and checks if the instance is marked as revoked or if the arbiter has raised its flag.
If not, it proceeds, otherwise it delegates the operation to the arbiter.
Once the operation is completed, the \gls{proc} lowers its local flag.

Correspondingly, before revoking an instance, the arbiter marks the instance and then waits for the \gls{proc} using it to lower its local flag.
Only then does it reclaim the instance and potentially assign it to an other \gls{proc}.

The arbiter maintains four lists around which it makes its decisions:
\begin{enumerate}
        \item A list of pending submissions.
        \item A list of pending allocations.
        \item A list of instances currently borrowed by \glspl{proc}.
        \item A list of instances currently available.
\end{enumerate}

\paragraph{External Submissions} are handled by the arbiter by revoking the appropriate instance and adding the submission to the submission ring.
However, there is no need to immediately revoke the instance.
External submissions must simply be added to the ring before the next system call, \ie, when the submission ring is flushed.
This means whoever is responsible for the system call, first checks if the instance has any external submissions.
If so, it asks the arbiter to revoke the instance and add the external submissions to the ring.

\paragraph{Pending Allocations} are handled by the arbiter when it has available instances and can directly hand over the instance and satisfy the request.
Otherwise, it must hold onto the list of threads until SQEs are made available again.
This handling is more complex when an allocation requires multiple SQEs, since the arbiter must make a decision between satisfying requests in FIFO ordering or for fewer SQEs.

While an arbiter has the potential to solve many of the problems mentioned above, it also introduces a significant amount of complexity.
Tracking which processors are borrowing which instances and which instances have SQEs available ends-up adding a significant synchronization prelude to any I/O operation.
Any submission must start with a handshake that pins the currently borrowed instance, if available.
An attempt to allocate is then made, but the arbiter can concurrently be attempting to allocate from the same instance from a different \gls{hthrd}.
Once the allocation is completed, the submission must check that the instance is still burrowed before attempting to flush.
These synchronization steps turn out to have a similar cost to the multiple shared-instances approach.
Furthermore, if the number of instances does not match the number of processors actively submitting I/O, the system can fall into a state where instances are constantly being revoked and end-up cycling the processors, which leads to significant cache deterioration.
For these reasons, this approach, which sounds promising on paper, does not improve on the private instance approach in practice.

\subsubsection{Private Instances V2}

% Verbs of this design

% Allocation: obtaining an sqe from which to fill in the io request, enforces the io instance to use since it must be the one which provided the sqe. Must interact with the arbiter if the instance does not have enough sqe for the allocation. (Typical allocation will ask for only one sqe, but chained sqe must be allocated from the same context so chains of sqe must be allocated in bulks)

% Submission: simply adds the sqe(s) to some data structure to communicate that they are ready to go. This operation can't fail because there are as many spots in the submit buffer than there are sqes. Must interact with the arbiter only if the thread was moved between the allocation and the submission.

% Flushing: Taking all the sqes that were submitted and making them visible to the kernel, also counting them in order to figure out what to_submit should be. Must be thread-safe with submission. Has to interact with the Arbiter if there are external submissions. Can't simply use a protected queue because adding to the array is not safe if the ring is still available for submitters. Flushing must therefore: check if there are external pending requests if so, ask the arbiter to flush otherwise use the fast flush operation.

% Collect: Once the system call is done, it returns how many sqes were consumed by the system. These must be freed for allocation. Must interact with the arbiter to notify that things are now ready.

% Handle: process all the produced cqe. No need to interact with any of the submission operations or the arbiter.


% alloc():
%       proc.io->in_use = true, __ATOMIC_ACQUIRE
%       if cltr.io.flag || !proc.io || proc.io->flag:
%               return alloc_slow(cltr.io, proc.io)

%       a = alloc_fast(proc.io)
%       if a:
%               proc.io->in_use = false, __ATOMIC_RELEASE
%               return a

%       return alloc_slow(cltr.io)

% alloc_fast()
%       left = proc.io->submit_q.free.tail - proc.io->submit_q.free.head
%       if num_entries - left < want:
%               return None

%       a = ready[head]
%       head = head + 1, __ATOMIC_RELEASE

% alloc_slow()
%       cltr.io.flag = true, __ATOMIC_ACQUIRE
%       while(proc.io && proc.io->in_use) pause;



% submit(a):
%       proc.io->in_use = true, __ATOMIC_ACQUIRE
%       if cltr.io.flag || proc.io != alloc.io || proc.io->flag:
%               return submit_slow(cltr.io)

%       submit_fast(proc.io, a)
%       proc.io->in_use = false, __ATOMIC_RELEASE

% polling()
%       loop:
%               yield
%               flush()
%               io_uring_enter
%               collect
%               handle()

\section{Interface}
The last important part of the \io subsystem is its interface.
There are multiple approaches that can be offered to programmers, each with advantages and disadvantages.
The new \io subsystem can replace the C runtime API or extend it, and in the later case, the interface can go from very similar to vastly different.
The following sections discuss some useful options using @read@ as an example.
The standard Linux interface for C is :
\begin{cfa}
ssize_t read(int fd, void *buf, size_t count);
\end{cfa}

\subsection{Replacement}
Replacing the C \glsxtrshort{api} is the more intrusive and draconian approach.
The goal is to convince the compiler and linker to replace any calls to @read@ to direct them to the \CFA implementation instead of glibc's.
This rerouting has the advantage of working transparently and supporting existing binaries without needing recompilation.
It also offers a, presumably, well known and familiar API that C programmers can simply continue to work with.
However, this approach also entails a plethora of subtle technical challenges, which generally boils down to making a perfect replacement.
If the \CFA interface replaces only \emph{some} of the calls to glibc, then this can easily lead to esoteric concurrency bugs.
Since the gcc ecosystems does not offer a scheme for perfect replacement, this approach was rejected as being laudable but infeasible.

\subsection{Synchronous Extension}
Another interface option is to offer an interface different in name only.
For example:
\begin{cfa}
ssize_t cfa_read(int fd, void *buf, size_t count);
\end{cfa}
This approach is feasible and still familiar to C programmers.
It comes with the caveat that any code attempting to use it must be recompiled, which is a problem considering the amount of existing legacy C binaries.
However, it has the advantage of implementation simplicity.
Finally, there is a certain irony to using a blocking synchronous interfaces for a feature often referred to as ``non-blocking'' \io.

\subsection{Asynchronous Extension}
A fairly traditional way of providing asynchronous interactions is using a future mechanism~\cite{multilisp}, \eg:
\begin{cfa}
future(ssize_t) read(int fd, void *buf, size_t count);
\end{cfa}
where the generic @future@ is fulfilled when the read completes and it contains the number of bytes read, which may be less than the number of bytes requested.
The data read is placed in @buf@.
The problem is that both the bytes read and data form the synchronization object, not just the bytes read.
Hence, the buffer cannot be reused until the operation completes but the synchronization does not cover the buffer.
A classical asynchronous API is:
\begin{cfa}
future([ssize_t, void *]) read(int fd, size_t count);
\end{cfa}
where the future tuple covers the components that require synchronization.
However, this interface immediately introduces memory lifetime challenges since the call must effectively allocate a buffer to be returned.
Because of the performance implications of this API, the first approach is considered preferable as it is more familiar to C programmers.

\subsection{Direct \lstinline{io_uring} Interface}
The last interface directly exposes the underlying @io_uring@ interface, \eg:
\begin{cfa}
array(SQE, want) cfa_io_allocate(int want);
void cfa_io_submit( const array(SQE, have) & );
\end{cfa}
where the generic @array@ contains an array of SQEs with a size that may be less than the request.
This offers more flexibility to users wanting to fully utilize all of the @io_uring@ features.
However, it is not the most user-friendly option.
It obviously imposes a strong dependency between user code and @io_uring@ but at the same time restricting users to usages that are compatible with how \CFA internally uses @io_uring@.