lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <alpine.LSU.2.20.2310311523290.15233@wotan.suse.de>
Date:   Tue, 31 Oct 2023 15:55:20 +0000 (UTC)
From:   Michael Matz <matz@...e.de>
To:     Peter Zijlstra <peterz@...radead.org>
cc:     "Paul E. McKenney" <paulmck@...nel.org>,
        Frederic Weisbecker <frederic@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Boqun Feng <boqun.feng@...il.com>,
        Joel Fernandes <joel@...lfernandes.org>,
        Josh Triplett <josh@...htriplett.org>,
        Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
        Neeraj Upadhyay <neeraj.upadhyay@....com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Uladzislau Rezki <urezki@...il.com>, rcu <rcu@...r.kernel.org>,
        Zqiang <qiang.zhang1211@...il.com>,
        "Liam R . Howlett" <Liam.Howlett@...cle.com>, ubizjak@...il.com
Subject: Re: [PATCH 2/4] rcu/tasks: Handle new PF_IDLE semantics

Hello,

On Tue, 31 Oct 2023, Peter Zijlstra wrote:

> > > For absolutely no reason :-(
> > 
> > The reason is simple (and should be obvious): to adhere to the abstract 
> > machine regarding volatile.  When x is volatile then x++ consists of a 
> > read and a write, in this order.  The easiest way to ensure this is to 
> > actually generate a read and a write instruction.  Anything else is an 
> > optimization, and for each such optimization you need to actively find an 
> > argument why this optimization is correct to start with (and then if it's 
> > an optimization at all).  In this case the argument needs to somehow 
> > involve arguing that an rmw instruction on x86 is in fact completely 
> > equivalent to the separate instructions, from read cycle to write cycle 
> > over all pipeline stages, on all implementations of x86.  I.e. that a rmw 
> > instruction is spec'ed to be equivalent.
> > 
> > You most probably can make that argument in this specific case, I'll give 
> > you that.  But why bother to start with, in a piece of software that is 
> > already fairly complex (the compiler)?  It's much easier to just not do 
> > much anything with volatile accesses at all and be guaranteed correct.
> > Even more so as the software author, when using volatile, most likely is 
> > much more interested in correct code (even from an abstract machine 
> > perspective) than micro optimizations.
> 
> There's a pile of situations where a RmW instruction is actively
> different vs a load-store split, esp for volatile variables that are
> explicitly expected to change asynchronously.
> 
> The original RmW instruction is IRQ-safe, while the load-store version
> is not. If an interrupt lands in between the load and store and also
> modifies the variable then the store after interrupt-return will
> over-write said modification.
> 
> These are not equivalent.

Okay, then there you have it.  Namely that LLVM has a bug (but see next 
paragraph).  For volatile x, x++ _must_ expand to a separate read and 
write, because the abstract machine of C says so.  If a RmW isn't 
equivalent to that, then it can't be used in this situation.  If you 
_have_ to use a RmW for other reasons like interrupt safety, then a 
volatile variable is not the way to force this, as C simply doesn't have 
that concept and hence can't talk about it.  (Of course it can't, as not 
all architectures could implement such, if it were required).

(If an RmW merely gives you more guarantees than a split load-store then 
of course LLVM doesn't have a bug, but you said not-equivalent, so I'm 
assuming the worst, that RmW also has fewer (other) guarantees)

> > > At least clang doesn't do this, it stays:
> > > 
> > > 0403  413:      49 ff 45 00             incq   0x0(%r13)
> > > 
> > > irrespective of the volatile.
> > 
> > And, are you 100% sure that this is correct?  Even for x86 CPU 
> > pipeline implementations that you aren't intimately knowing about? ;-)
> 
> It so happens that the x86 architecture does guarantee RmW ops are
> IRQ-safe or locally atomic. SMP/concurrent loads will observe either
> pre or post but no intermediate state as well.

So, are RMW ops a strict superset (vis the guarantees they give) of split 
load-store?  If so we can at least say that using RMW is a valid 
optimization :)  Still, an optimization only.

> > But all that seems to be a side-track anyway, what's your real worry with  
> > the code sequence generated by GCC?
> 
> In this case it's sub-optimal code, both larger and possibly slower for
> having two memops.
> 
> The reason to have volatile is because that's what Linux uses to
> dis-allow store-tearing, something that doesn't happen in this case. A
> suitably insane but conforming compiler could compile a non-volatile
> memory increment into something insane like:
> 
> 	load byte-0, r1
> 	increment r1
> 	store r1, byte-0
> 	jno done
> 	load byte-1, r1
> 	increment r1
> 	store r1, byte-1
> 	jno done
> 	...
> done:
> 
> We want to explicitly dis-allow this.

Yeah, I see.  Within C you don't have much choice than volatile for this 
:-/  Funny thing: on some architectures this is actually what is generated 
sometimes, even if it has multi-byte loads/stores.  This came up 
recently on the gcc list and the byte-per-byte sequence was faster ;-) 
(it was rather: load-by-bytes, form whole value via shifts, increment, 
store-by-bytes)
Insane codegen for insane micro-architectures!

> I know C has recently (2011) grown this _Atomic thing, but that has 
> other problems.

Yeah.

So, hmm, I don't quite know what to say, you're between a rock and a hard 
place, I guess.  You have to use volatile for its effects but then are 
unhappy about its effects :)

If you can confirm the above about validity of the optimization, then at 
least there'd be a point for adding a peephole in GCC for this, even if 
current codegen isn't a bug, but I still wouldn't hold my breath.  
volatile is so ... ewww, it's best left alone.


Ciao,
Michael.
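The point Peter makes above (a volatile `x++` split into a load and a store is not IRQ-safe, while a single RmW instruction is) can be made concrete in user space. The following is an added example, not code from the thread or from the kernel: a POSIX signal handler stands in for the interrupt, and `raise()` delivers it synchronously at a chosen program point, which is only possible when there is a program point between the read and the write. The function names, the `FAKE_IRQ`/`IRQ_DELTA` macros and the use of a plain `incq` (no lock prefix, the same instruction quoted from clang's output) via GCC/Clang inline asm, with a `__atomic_fetch_add` fallback on other targets, are this example's own choices.

```c
/* Added example (not from the thread): why a load/store split and a
 * read-modify-write (RmW) instruction are not equivalent when the
 * variable is modified asynchronously.  A signal handler stands in for
 * the interrupt; raise() delivers it synchronously at the chosen point.
 * Assumes GCC or Clang (inline asm / __atomic builtins) on a POSIX host. */
#include <signal.h>
#include <stdio.h>

#ifdef SIGUSR1
#define FAKE_IRQ SIGUSR1
#else
#define FAKE_IRQ SIGINT   /* ISO C fallback: SIGINT always exists */
#endif

#define IRQ_DELTA 10L

/* Shared counter that both the "main context" and the "IRQ" update.
 * (ISO C only promises handler access to volatile sig_atomic_t; a long
 * is fine for this demonstration on the usual 64-bit targets.) */
static volatile long counter;

/* The "interrupt handler": bumps the counter behind the main context's back. */
static void fake_irq_handler(int sig)
{
    (void)sig;
    counter += IRQ_DELTA;
}

static void arm_fake_irq(void)
{
    /* Re-install before every use: signal() may reset to SIG_DFL on delivery. */
    signal(FAKE_IRQ, fake_irq_handler);
}

/* An RmW increment: on x86-64 a plain `incq mem` (no lock prefix, the
 * instruction quoted in the thread), elsewhere a compiler atomic builtin.
 * Either way there is no program point between the read and the write
 * at which a handler could run. */
static void rmw_increment(volatile long *p)
{
#if defined(__x86_64__) && defined(__GNUC__)
    __asm__ volatile("incq %0" : "+m"(*p));
#else
    __atomic_fetch_add(p, 1, __ATOMIC_RELAXED);
#endif
}

/* What `counter++` means in the C abstract machine for a volatile object:
 * a read, then a write.  The fake IRQ is delivered in between. */
long split_increment_with_irq(long start)
{
    arm_fake_irq();
    counter = start;
    long tmp = counter;      /* read */
    raise(FAKE_IRQ);         /* handler adds IRQ_DELTA to counter here */
    counter = tmp + 1;       /* write: overwrites the handler's update */
    return counter;          /* start + 1: the IRQ's +10 is lost */
}

/* Same scenario with an RmW.  The IRQ can only land before or after the
 * instruction, never inside it, so both updates survive. */
long rmw_increment_with_irq(long start)
{
    arm_fake_irq();
    counter = start;
    raise(FAKE_IRQ);         /* the only places an IRQ can land: before... */
    rmw_increment(&counter);
    /* ...or after the instruction; either way nothing is overwritten */
    return counter;          /* start + IRQ_DELTA + 1 */
}

int main(void)
{
    printf("split load/store : %ld (expected %ld, IRQ update lost)\n",
           split_increment_with_irq(0), IRQ_DELTA + 1);
    printf("read-modify-write: %ld (expected %ld)\n",
           rmw_increment_with_irq(0), IRQ_DELTA + 1);
    return 0;
}
```

Two caveats match the thread. First, nothing in the C language lets you ask for the RmW form: `volatile` only forces the read and the write to be emitted, so the builtin or the inline asm is what actually provides the guarantee. Second, the guarantee shown here is the single-CPU one Peter describes (safe against an interrupt on the same CPU); a plain `incq` without a lock prefix is still not atomic against another CPU writing the same location, which is why SMP counters need the locked form or a real atomic.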
