Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp466357rwr; Thu, 20 Apr 2023 01:48:59 -0700 (PDT) X-Google-Smtp-Source: AKy350YPrPQLy02M0j03IXfxbFNGbG2JHz2k8XAX6LOup1AtMHawxpDs3KiVrdXwVxeCh0uJTc7q X-Received: by 2002:a05:6a20:4281:b0:f0:7ac1:ea61 with SMTP id o1-20020a056a20428100b000f07ac1ea61mr2055511pzj.6.1681980539346; Thu, 20 Apr 2023 01:48:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681980539; cv=none; d=google.com; s=arc-20160816; b=LvwmwLgHtYl2Ypl+OXUcthe7fsh4Xg9doDZ51s22qJ4wpfaGxpL5iumQou6Z5u/onG ciU1laZsPb23fqPMJ6Ty3+ispKiM+UbDDMFYLIxybl+nnUP/bKpl0869Y/eh/95lYVW8 V2kLKoj2VXbwouHRj8Kl73j1QxAbry6S5a2QQ7IMtAeUyjURnTNApCG5y4j0M9s7TQvK s/t53Clo73MbZi4HuugBdJVhnkaESEkgzo0PkS7lxcsd4QrP0IO6Yo2NpzNOtfoUbZJo jusypB3+/NWpoyAyZt/LqnXzhhpnJvpiTwv7XhVfZYjOCNmAJNrs43A6sjCLGlnrwnfU RGCw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=rFsx0ApzdCT3kFKALwuSRvDzZZkxZvWU8R+PD9i9XoU=; b=IGexe+JtTUAq+Zh1DiVnfCd3G0oO+KAx6VNXOe7Wfbi8wp1jzkLHuVkRzU/8ZzDX8t JQWi9pjxM/IXO85kNqkufKDArOwvfyjQYCdLWvG+mKrfeCYXFR7pO94IBdNyVa5k5WRT 2Bo4np1Rq7qKz09S4atQe8JWjZbYchRp/G2PBVu76lkELi4bou9nqyBIzfhtspIcqcLI pd4rusMSPK5+pLticVLFsFgJccwY3C+JoiMYmR4FvhKFa1XlpDpc1p5qzMSLGkLYzinJ SqGTfLBm4roLdc0fCCmfOiAIb2ThoFbjq/tDUnhzPDKxB/S9ZVObU0QoeqoZhNIlOcUO JItw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=rhD901As; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ie2-20020a17090b400200b002472cd8ded6si2441455pjb.103.2023.04.20.01.48.45; Thu, 20 Apr 2023 01:48:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=rhD901As; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234468AbjDTIgg (ORCPT + 99 others); Thu, 20 Apr 2023 04:36:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35920 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233977AbjDTIge (ORCPT ); Thu, 20 Apr 2023 04:36:34 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 596413C31; Thu, 20 Apr 2023 01:36:33 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E7AB66460B; Thu, 20 Apr 2023 08:36:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 551F9C4339E; Thu, 20 Apr 2023 08:36:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1681979792; bh=sEawzxBfsQuwG5y+dWimYLd+jqvDGsYfpjI5vDaYBwo=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=rhD901AskVduoiR8jcYbsoilkHhIk1c4/jP/wFnbyvv36qvRwDGSi7OUpBwRC7h6/ +AZG6cFijgToJPW3eE8jqG8GPzpxIhXpQjDDECrHmPHNnQzOIC1kvdM4lkzj5cMnWT 7MfLN9ICknt0WntJGXs0p6NYJ9oQJGsks0RhPluRmkH937JwBYsPu23MuwfJIB7YpE KlsOTAgnTSnEFlKBxgTV9Z5+3NC9Nw//9GIysdvgVlajJwYiCweruqVMa40U6AZBVf uI/m15v5uIl78su39Mzt/pyHa72rBIh8zSsFIFqRTDZNouBa7iZekaKyMdqVwDtQ7C MNiwMW8KI7j0Q== Received: by mail-ed1-f48.google.com with SMTP id 4fb4d7f45d1cf-506b8c6bbdbso617610a12.1; Thu, 20 Apr 2023 01:36:32 -0700 (PDT) X-Gm-Message-State: AAQBX9eNjhCN5iqSuSHlFmF7MV+HkNsDh+qfGTWxMLaVgQGRaegcDM4u 7Kvge0mrWyUtGtBdb5Y+2rZZKO/5MRpV2FSHdws= X-Received: by 2002:a05:6402:7c2:b0:508:4954:e30c with SMTP id u2-20020a05640207c200b005084954e30cmr1096793edy.11.1681979790467; Thu, 20 Apr 2023 01:36:30 -0700 (PDT) MIME-Version: 1.0 References: <20230416173326.3995295-1-kernel@xen0n.name> <6ca642a9-62a6-00e5-39ac-f14ef36f6bdb@xen0n.name> In-Reply-To: From: Huacai Chen Date: Thu, 20 Apr 2023 16:36:17 +0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 0/2] LoongArch: Make bounds-checking instructions useful To: Xi Ruoyao Cc: WANG Xuerui , loongarch@lists.linux.dev, WANG Xuerui , Eric Biederman , Al Viro , Arnd Bergmann , linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Xuerui, I hope V2 can be applied cleanly without the patch series "LoongArch: Better backtraces", thanks. Huacai On Mon, Apr 17, 2023 at 5:50=E2=80=AFPM Xi Ruoyao wrot= e: > > On Mon, 2023-04-17 at 15:54 +0800, WANG Xuerui wrote: > > On 2023/4/17 14:47, Xi Ruoyao wrote: > > > On Mon, 2023-04-17 at 01:33 +0800, WANG Xuerui wrote: > > > > From: WANG Xuerui > > > > > > > > Hi, > > > > > > > > The LoongArch-64 base architecture is capable of performing > > > > bounds-checking either before memory accesses or alone, with specia= lized > > > > instructions generating BCEs (bounds-checking error) in case of fai= led > > > > assertions (ISA manual Volume 1, Sections 2.2.6.1 [1] and 2.2.10.3 = [2]). > > > > This could be useful for managed runtimes, but the exception is not > > > > being handled so far, resulting in SIGSYSes in these cases, which i= s > > > > incorrect and warrants a fix in itself. > > > > > > > > During experimentation, it was discovered that there is already UAP= I for > > > > expressing such semantics: SIGSEGV with si_code=3DSEGV_BNDERR. This= was > > > > originally added for Intel MPX, and there is currently no user (!) = after > > > > the removal of MPX support a few years ago. Although the semantics = is > > > > not a 1:1 match to that of LoongArch, still it is better than > > > > alternatives such as SIGTRAP or SIGBUS of BUS_OBJERR kind, due to b= eing > > > > able to convey both the value that failed assertion and the bound v= alue. > > > > > > > > This patch series implements just this approach: translating BCEs i= nto > > > > SIGSEGVs with si_code=3DSEGV_BNDERR, si_value set to the offending = value, > > > > and si_lower and si_upper set to resemble a range with both lower a= nd > > > > upper bound while in fact there is only one. > > > > > > > > The instructions are not currently used anywhere yet in the fledgli= ng > > > > LoongArch ecosystem, so it's not very urgent and we could take the = time > > > > to figure out the best way forward (should SEGV_BNDERR turn out not > > > > suitable). > > > > > > I don't think these instructions can be used in any systematic way > > > within a Linux userspace in 2023. IMO they should not exist in > > > LoongArch at all because they have all the same disadvantages of Inte= l > > > MPX; MPX has been removed by Intel in 2019, and LoongArch is designed > > > after 2019. > > > > Well, the difference is IMO significant enough to make LoongArch > > bounds-checking more useful, at least for certain use cases. For > > example, the bounds were a separate register bank in Intel MPX, but in > > LoongArch they are just values in GPRs. This fits naturally into > > JIT-ting or other managed runtimes (e.g. Go) whose slice indexing ops > > already bounds-check with a temporary register per bound anyway, so it'= s > > just a matter of this snippet (or something like it) > > > > - calculate element address > > - if address < base: goto fail > > - load/calculate upper bound > > - if address >=3D upper bound: goto fail > > - access memory > > > > becoming > > > > - calculate element address > > - asrtgt address, base - 1 > > - load/calculate upper bound > > - {ld,st}le address, upper bound > > > > then in SIGSEGV handler, check PC to associate the signal back with the > > exact access op; > > I remember using the signal handler for "usual" error handling can be a > very bad idea but I can't remember where I've read about it. Is there > any managed environments doing so in practice? > > If we redefine new_ldle/new_stle as "if [[likely]] the address is in- > bound, do the load/store and skip the next instruction; otherwise do > nothing", we can say: > > blt address, base, 1f > new_ldle.d rd, address, upperbound > 1:b panic_oob_access > xor rd, rd, 42 // use rd to do something > > This is more versatile, and useful for building a loop as well: > > or a0, r0, r0 > 0:new_ldle.d t1, t0, t2 > b 1f > add.d a0, t1, a0 > add.d t0, t0, 8 > b 0b > 1:bl do_something_with_the_sum > > Yes it's "non-RISC", but at least more RISC than the current ldle: if > you want a trap anyway you can say > > blt address, base, 1f > new_ldle.d rd, address, upperbound > 1:break {a code defined for OOB} > xor rd, rd, 42 // use rd > > -- > Xi Ruoyao > School of Aerospace Science and Technology, Xidian University