众所周知,进程调度使用schedule()函数来完成,下面我们从分析该函数开始,代码如下(kernel/sched/core.c):
1 asmlinkage __visible void __sched schedule(void) 2 { 3 struct task_struct *tsk = current; 4 5 sched_submit_work(tsk); 6 __schedule(); 7 } 8 EXPORT_SYMBOL(schedule);
第3行获取当前进程描述符指针,存放在本地变量tsk中。第6行调用__schedule(),代码如下(kernel/sched/core.c)。
1 static void __sched __schedule(void) 2 { 3 struct task_struct *prev, *next; 4 unsigned long *switch_count; 5 struct rq *rq; 6 int cpu; 7 8 need_resched: 9 preempt_disable(); 10 cpu = smp_processor_id(); 11 rq = cpu_rq(cpu); 12 rcu_note_context_switch(cpu); 13 prev = rq->curr; 14 15 schedule_debug(prev); 16 17 if (sched_feat(HRTICK)) 18 hrtick_clear(rq); 19 20 /* 21 * Make sure that signal_pending_state()->signal_pending() below 22 * can't be reordered with __set_current_state(TASK_INTERRUPTIBLE) 23 * done by the caller to avoid the race with signal_wake_up(). 24 */ 25 smp_mb__before_spinlock(); 26 raw_spin_lock_irq(&rq->lock); 27 28 switch_count = &prev->nivcsw; 29 if (prev->state && !(preempt_count() & PREEMPT_ACTIVE)) { 30 if (unlikely(signal_pending_state(prev->state, prev))) { 31 prev->state = TASK_RUNNING; 32 } else { 33 deactivate_task(rq, prev, DEQUEUE_SLEEP); 34 prev->on_rq = 0; 35 36 /* 37 * If a worker went to sleep, notify and ask workqueue 38 * whether it wants to wake up a task to maintain 39 * concurrency. 40 */ 41 if (prev->flags & PF_WQ_WORKER) { 42 struct task_struct *to_wakeup; 43 44 to_wakeup = wq_worker_sleeping(prev, cpu); 45 if (to_wakeup) 46 try_to_wake_up_local(to_wakeup); 47 } 48 } 49 switch_count = &prev->nvcsw; 50 } 51 52 if (prev->on_rq || rq->skip_clock_update < 0) 53 update_rq_clock(rq); 54 55 next = pick_next_task(rq, prev); 56 clear_tsk_need_resched(prev); 57 clear_preempt_need_resched(); 58 rq->skip_clock_update = 0; 59 60 if (likely(prev != next)) { 61 rq->nr_switches++; 62 rq->curr = next; 63 ++*switch_count; 64 65 context_switch(rq, prev, next); /* unlocks the rq */ 66 /* 67 * The context switch have flipped the stack from under us 68 * and restored the local variables which were saved when 69 * this task called schedule() in the past. prev == current 70 * is still correct, but it can be moved to another cpu/rq. 71 */ 72 cpu = smp_processor_id(); 73 rq = cpu_rq(cpu); 74 } else 75 raw_spin_unlock_irq(&rq->lock); 76 77 post_schedule(rq); 78 79 sched_preempt_enable_no_resched(); 80 if (need_resched()) 81 goto need_resched; 82 }
第9行禁止内核抢占。第10行获取当前的cpu号。第11行获取当前cpu的进程运行队列。第13行将当前进程的描述符指针保存在prev变量中。第55行将下一个被调度的进程描述符指针存放在next变量中。第56行清除当前进程的内核抢占标记。第60行判断当前进程和下一个调度的是不是同一个进程,如果不是的话,就要进行调度。第65行,对当前进程和下一个进程的上下文进行切换(调度之前要先切换上下文)。下面看看该函数(kernel/sched/core.c):
1 context_switch(struct rq *rq, struct task_struct *prev, 2 struct task_struct *next) 3 { 4 struct mm_struct *mm, *oldmm; 5 6 prepare_task_switch(rq, prev, next); 7 8 mm = next->mm; 9 oldmm = prev->active_mm; 10 /* 11 * For paravirt, this is coupled with an exit in switch_to to 12 * combine the page table reload and the switch backend into 13 * one hypercall. 14 */ 15 arch_start_context_switch(prev); 16 17 if (!mm) { 18 next->active_mm = oldmm; 19 atomic_inc(&oldmm->mm_count); 20 enter_lazy_tlb(oldmm, next); 21 } else 22 switch_mm(oldmm, mm, next); 23 24 if (!prev->mm) { 25 prev->active_mm = NULL; 26 rq->prev_mm = oldmm; 27 } 28 /* 29 * Since the runqueue lock will be released by the next 30 * task (which is an invalid locking op but in the case 31 * of the scheduler it's an obvious special-case), so we 32 * do an early lockdep release here: 33 */ 34 #ifndef __ARCH_WANT_UNLOCKED_CTXSW 35 spin_release(&rq->lock.dep_map, 1, _THIS_IP_); 36 #endif 37 38 context_tracking_task_switch(prev, next); 39 /* Here we just switch the register state and the stack. */ 40 switch_to(prev, next, prev); 41 42 barrier(); 43 /* 44 * this_rq must be evaluated again because prev may have moved 45 * CPUs since it called schedule(), thus the 'rq' on its stack 46 * frame will be invalid. 47 */ 48 finish_task_switch(this_rq(), prev); 49 }
上下文切换一般分为两个,一个是硬件上下文切换(指的是cpu寄存器,要把当前进程使用的寄存器内容保存下来,再把下一个程序的寄存器内容恢复),另一个是切换进程的地址空间(说白了就是程序代码)。进程的地址空间(程序代码)主要保存在进程描述符中的struct mm_struct结构体中,因此该函数主要是操作这个结构体。第17行如果被调度的下一个进程地址空间mm为空,说明下个进程是个线程,没有独立的地址空间,共用所属进程的地址空间,因此第18行将上个进程所使用的地址空间active_mm指针赋给下一个进程的该域,下一个进程也使用这个地址空间。第22行,如果下个进程地址空间不为空,说明下个进程有自己的地址空间,那么执行switch_mm切换进程页表。第40行切换进程的硬件上下文。 switch_to函数代码如下(arch/x86/include/asm/switch_to.h):
1 #define switch_to(prev, next, last) 2 do { 3 /* 4 * Context-switching clobbers all registers, so we clobber 5 * them explicitly, via unused output variables. 6 * (EAX and EBP is not listed because EBP is saved/restored 7 * explicitly for wchan access and EAX is the return value of 8 * __switch_to()) 9 */ 10 unsigned long ebx, ecx, edx, esi, edi; 11 12 asm volatile("pushfl " /* save flags */ 13 "pushl %%ebp " /* save EBP */ 14 "movl %%esp,%[prev_sp] " /* save ESP */ 15 "movl %[next_sp],%%esp " /* restore ESP */ 16 "movl $1f,%[prev_ip] " /* save EIP */ 17 "pushl %[next_ip] " /* restore EIP */ 18 __switch_canary 19 "jmp __switch_to " /* regparm call */ 20 "1: " 21 "popl %%ebp " /* restore EBP */ 22 "popfl " /* restore flags */ 23 24 /* output parameters */ 25 : [prev_sp] "=m" (prev->thread.sp), 26 [prev_ip] "=m" (prev->thread.ip), 27 "=a" (last), 28 29 /* clobbered output registers: */ 30 "=b" (ebx), "=c" (ecx), "=d" (edx), 31 "=S" (esi), "=D" (edi) 32 33 __switch_canary_oparam 34 35 /* input parameters: */ 36 : [next_sp] "m" (next->thread.sp), 37 [next_ip] "m" (next->thread.ip), 38 39 /* regparm parameters for __switch_to(): */ 40 [prev] "a" (prev), 41 [next] "d" (next) 42 43 __switch_canary_iparam 44 45 : /* reloaded segment registers */ 46 "memory"); 47 } while (0)
该函数中使用了内联汇编来完成进程的硬件上下文切换。第12-13行将eflags和ebp寄存器的值压栈,因为当进程再次切换回来后要用到这两个寄存器的值。第14行将当前进程的栈顶指针保存到进程的thread_info.sp中。第15行将下个进程的thread_info.sp中的值恢复到esp寄存器中,切换到下个进程的内核栈,至此,进程切换就完成了(进程内核栈的切换是进程切换的标志),后边代码的执行就是在新进程中进行。第16行将标号1所代表的地址存放到上个进程的thread_info.ip中,以后如果切换到上个进程,就从thread_info.ip所指向的代码处执行(实际上,你想让上个进程再次被切换到时从哪个指令开始执行,就将该指令的地址保存在上个进程的thread_info.ip中,进程的现场保护和函数调用时候的现场保护是有区别的,函数调用的现场保护是将寄存器的值压栈(毕竟堆栈没有切换),然后恢复现场时再将寄存器的值弹出来;进程切换的现场保护是将寄存器的值存入进程的thread_info结构中,当被切换掉的进程再次执行时,再从thread_info结构中恢复现场,毕竟进程切换了连内核堆栈都一同换掉了,所以必定要将进程的资源保存在和进程相关的数据结构中,才不会丢失而且容易被恢复)。第17行将当前进程的thread_info.ip压入内核栈中,一会要从这个ip指向的指令开始执行。第19行跳入到__switch_to函数中。下面看下__switch_to函数代码(arch/x86/kernel/process_32.c):
1 __visible __notrace_funcgraph struct task_struct * 2 __switch_to(struct task_struct *prev_p, struct task_struct *next_p) 3 { 4 struct thread_struct *prev = &prev_p->thread, 5 *next = &next_p->thread; 6 int cpu = smp_processor_id(); 7 struct tss_struct *tss = &per_cpu(init_tss, cpu); 8 fpu_switch_t fpu; 9 10 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */ 11 12 fpu = switch_fpu_prepare(prev_p, next_p, cpu); 13 14 /* 15 * Reload esp0. 16 */ 17 load_sp0(tss, next); 18 19 /* 20 * Save away %gs. No need to save %fs, as it was saved on the 21 * stack on entry. No need to save %es and %ds, as those are 22 * always kernel segments while inside the kernel. Doing this 23 * before setting the new TLS descriptors avoids the situation 24 * where we temporarily have non-reloadable segments in %fs 25 * and %gs. This could be an issue if the NMI handler ever 26 * used %fs or %gs (it does not today), or if the kernel is 27 * running inside of a hypervisor layer. 28 */ 29 lazy_save_gs(prev->gs); 30 31 /* 32 * Load the per-thread Thread-Local Storage descriptor. 33 */ 34 load_TLS(next, cpu); 35 36 /* 37 * Restore IOPL if needed. In normal use, the flags restore 38 * in the switch assembly will handle this. But if the kernel 39 * is running virtualized at a non-zero CPL, the popf will 40 * not restore flags, so it must be done in a separate step. 41 */ 42 if (get_kernel_rpl() && unlikely(prev->iopl != next->iopl)) 43 set_iopl_mask(next->iopl); 44 45 /* 46 * If it were not for PREEMPT_ACTIVE we could guarantee that the 47 * preempt_count of all tasks was equal here and this would not be 48 * needed. 49 */ 50 task_thread_info(prev_p)->saved_preempt_count = this_cpu_read(__preempt_count); 51 this_cpu_write(__preempt_count, task_thread_info(next_p)->saved_preempt_count); 52 53 /* 54 * Now maybe handle debug registers and/or IO bitmaps 55 */ 56 if (unlikely(task_thread_info(prev_p)->flags & _TIF_WORK_CTXSW_PREV || 57 task_thread_info(next_p)->flags & _TIF_WORK_CTXSW_NEXT)) 58 __switch_to_xtra(prev_p, next_p, tss); 59 60 /* 61 * Leave lazy mode, flushing any hypercalls made here. 62 * This must be done before restoring TLS segments so 63 * the GDT and LDT are properly updated, and must be 64 * done before math_state_restore, so the TS bit is up 65 * to date. 66 */ 67 arch_end_context_switch(next_p); 68 69 this_cpu_write(kernel_stack, 70 (unsigned long)task_stack_page(next_p) + 71 THREAD_SIZE - KERNEL_STACK_OFFSET); 72 73 /* 74 * Restore %gs if needed (which is common) 75 */ 76 if (prev->gs | next->gs) 77 lazy_load_gs(next->gs); 78 79 switch_fpu_finish(next_p, fpu); 80 81 this_cpu_write(current_task, next_p); 82 83 return prev_p; 84 }
该函数主要是对刚切换过来的新进程进一步做些初始化工作。比如第34将该进程使用的线程局部存储段(TLS)装入本地cpu的全局描述符表。第84行返回语句会被编译成两条汇编指令,一条是将返回值prev_p保存到eax寄存器,另外一个是ret指令,将内核栈顶的元素弹出eip寄存器,从这个eip指针处开始执行,也就是上个函数第17行所压入的那个指针。一般情况下,被压入的指针是上个函数第20行那个标号1所代表的地址,那么从__switch_to函数返回后,将从标号1处开始运行。
需要注意的是,对于已经被调度过的进程而言,从__switch_to函数返回后,将从标号1处开始运行;但是对于用fork(),clone()等函数刚创建的新进程(未调度过),将进入ret_from_fork()函数,因为do_fork()函数在创建好进程之后,会给进程的thread_info.ip赋予ret_from_fork函数的地址,而不是标号1的地址,因此它会跳入ret_from_fork函数。后边我们在分析fork系统调用的时候,就会看到。