Message-ID: <Y4+rn0lsrdCB3pMj@boqun-archlinux>
Date:   Tue, 6 Dec 2022 12:52:47 -0800
From:   Boqun Feng <boqun.feng@...il.com>
To:     "stern@...land.harvard.edu" <stern@...land.harvard.edu>
Cc:     Jonas Oberhauser <jonas.oberhauser@...wei.com>,
        "paulmck@...nel.org" <paulmck@...nel.org>,
        "parri.andrea@...il.com" <parri.andrea@...il.com>,
        "will@...nel.org" <will@...nel.org>,
        "peterz@...radead.org" <peterz@...radead.org>,
        "npiggin@...il.com" <npiggin@...il.com>,
        "dhowells@...hat.com" <dhowells@...hat.com>,
        "j.alglave@....ac.uk" <j.alglave@....ac.uk>,
        "luc.maranget@...ia.fr" <luc.maranget@...ia.fr>,
        "akiyks@...il.com" <akiyks@...il.com>,
        "dlustig@...dia.com" <dlustig@...dia.com>,
        "joel@...lfernandes.org" <joel@...lfernandes.org>,
        "urezki@...il.com" <urezki@...il.com>,
        "quic_neeraju@...cinc.com" <quic_neeraju@...cinc.com>,
        "frederic@...nel.org" <frederic@...nel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] tools: memory-model: Make plain accesses carry
 dependencies

On Tue, Dec 06, 2022 at 12:46:58PM -0800, Boqun Feng wrote:
> On Mon, Dec 05, 2022 at 11:18:13AM -0500, stern@...land.harvard.edu wrote:
> > On Mon, Dec 05, 2022 at 01:42:46PM +0000, Jonas Oberhauser wrote:
> > > > Besides, could you also explain a little bit why only "data;rfi" can be "carry-dep" but "ctrl;rfi" and "addr;rfi" cannot? I think it's because there are special cases when compilers can figure out a condition being true or an address being constant therefore break the dependency
> > > 
> > > Oh, good question. A bit hard for me to write down the answer clearly 
> > > (which some people will claim that I don't understand it well myself, 
> > > but I beg to differ :) :( :) ).
> 
> Nah, I think your answer is clear to me ;-)
> 
> > > 
> > > In a nutshell, it's because x ->data [Plain] ->rfi y ->... z fulfils 
> > > the same role as storing something in a register and then using it in 
> > > a subsequent computation; x ->ctrl y ->... z (and ->addr) don't. So 
> > > it's not due to smart compilers, just the fact that the other two 
> > > cases seem unrelated to the problem being solved, and including them 
> > > might introduce some unsoundness (not that I have checked if they do).
> 
> So it's about whether a value can have a dataflow from x to y, right? In
> that case registers and memory cells should be treated the same by
> compilers, therefore we can extend the dependencies.
> > 
> > More can be said here.  Consider the following simple example:
> > 
> > 	void P0(int *x, int *y)
> > 	{
> > 		int r1, r2;
> > 		int a[10];
> > 
> > 		r1 = READ_ONCE(*x);
> > 		a[r1] = 1;
> > 		r2 = a[r1];
> > 		WRITE_ONCE(*y, r2);
> > 	}
> > 
> > There is an address dependency from the READ_ONCE to the plain store in 
> > a[r1].  Then there is an rfi and a data dependency to the WRITE_ONCE.
> > 
> > But in this example, the WRITE_ONCE is _not_ ordered after the 
> > READ_ONCE, even though they are linked by (addr ; rfi ; data).  The 
> > compiler knows that the value of r1 does not change between the two 
> > plain accesses, so it knows that it can optimize the code to be:
> > 
> > 	r1 = READ_ONCE(*x);
> > 	r2 = 1;
> > 	WRITE_ONCE(*y, r2);
> > 	a[r1] = r2;
> > 
> > And then the CPU can execute the WRITE_ONCE before the READ_ONCE.  This 
> > shows that (addr ; rfi) must not be included in the carry-deps relation.
> > 
> > You may be able to come up with a similar argument for (ctrl ; rfi), 
> > although it might not be quite as clear.
> > 
> 
> Thank you, Alan! One question though, can a "smart" compiler optimize
> out the case below, with the same logic?
> 
> 	void P0(int *x, int *y, int *a)
> 	{
> 		int r1, r2;
> 
> 		r1 = READ_ONCE(*x); // A
> 
> 		*a = r1 & 0xffff; // B
> 
> 		r2 = *a & 0xffff0000; // C
> 
> 		WRITE_ONCE(*y, r2); // D
> 
> 	}
> 
> I think we have A ->data B ->rfi C ->data D, however a "smart" compiler
> can figure out that r2 is actually zero, right? And the code gets
> optimized to:
> 
> 	r1 = READ_ONCE(*x);
> 	r2 = 0;
> 	WRITE_ONCE(*y, r2);
> 	*a = r1 & 0xffff;
> 
> and break the dependency.
> 
> I know that our memory model is actually unaware of the differences
> between syntactic dependencies and semantic dependencies, so one may argue that in
> the (data; rfi) example above the compiler optimization is outside the
> scope of LKMM, but won't the same reasoning apply to the (addr; rfi)
> example from you? The WRITE_ONCE() _syntactically_ depends on the load of
> a[r1], therefore even if a "smart" compiler can figure out the value, LKMM

I guess it should be that r2 (i.e. the load of a[r1]) _syntactically_
depends on the value of r1.

Regards,
Boqun

> won't take that into consideration.
> 
> Am I missing something subtle here?
> 
> Regards,
> Boqun
> 
> > Alan
