Xen project Mailing List

Re: [PATCH] x86/nospec: Fix evaluate_nospec() code generation under Clang

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Tue, 26 Apr 2022 08:43:40 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mbpB8bXWJ8os4uKsHgZoARTuDXfvIZfhceEPa9udbPE=; b=XN3oFKSPO74lUMp/uke5cA5CBoiWC56fQUNUSLYJqn+3qt1KHh/a0A3CUaFT3O3W4qjDHL86J/SCuSp+6kVxRXxc+hthcUEUExb+0ZZwpIT0QCxnFFh9HvjLyfnsN6V3DK+0JpAO81IZOct2b31fGIciQwVY1TTtAeKN+zf0sURYfWFyCTGh7Leud4CysUzr8g7s3+xTjb75l4SnUOi8rJlsrjMrR8TEDeyOjR3SVcfuJbctqDHW08O6M99CeYGrwyCirhMFNl7vFv51J0mxU8t8LcQ2ZWIhs7AXsQXo6qVtcirRZb6oANJxCN22cEm1zgU9ounEW01kdT/VPddeqA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=C5e7l9y+nciH2ZNl0KrcaNd462fuE4DDlyrVoUsI97VXm61ESvSMcXIrg/lH1IOZcNX0vP6MUHiuOzwQEwD3ucBqyxzJUISg98NEhkXieTPpJgxg6pcrpbvdsFX1MGRWjQ8WzUCUMbv7UTFJP4iK9iPY1GzS7YMa7fF9tZOMr9/6FJy85LtxT2KiqzIbpKlA9Y1GWa6gTlD+WO8XCjpq4RjeAjSYS5PPZHAZzquaG1eFN2/JL8eO9wxnQOcLcmhU3t5jjSnLE8/ySeDXX7onN7OaQyd9Agmx0ZewieKuiAW7yzhrVVlL3dCFcrcoWVe2rM+eVENSH46UVg7+GwM9zA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Tue, 26 Apr 2022 06:43:51 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 25.04.2022 19:56, Andrew Cooper wrote: > It turns out that evaluate_nospec() code generation is not safe under Clang. > Given: > > void eval_nospec_test(int x) > { > if ( evaluate_nospec(x) ) > asm volatile ("nop #true" ::: "memory"); > else > asm volatile ("nop #false" ::: "memory"); > } > > Clang emits: > > <eval_nospec_test>: > 0f ae e8 lfence > 85 ff test %edi,%edi > 74 02 je <eval_nospec_test+0x9> > 90 nop > c3 ret > 90 nop > c3 ret > > which is not safe because the lfence has been hoisted above the conditional > jump. Clang concludes that both barrier_nospec_true()'s have identical side > effects and can safely be merged. > > Clang can be persuaded that the side effects are different if there are > different comments in the asm blocks. This is fragile, but no more fragile > that other aspects of this construct. > > Introduce barrier_nospec_false() with a separate internal comment to prevent > Clang merging it with barrier_nospec_true() despite the otherwise-identical > content. The generated code now becomes: > > <eval_nospec_test>: > 85 ff test %edi,%edi > 74 05 je <eval_nospec_test+0x9> > 0f ae e8 lfence > 90 nop > c3 ret > 0f ae e8 lfence > 90 nop > c3 ret > > which has the correct number of lfence's, and in the correct place. > > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> I can live with us going this route, so Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> However, I'd like alternatives to be considered: Would two asm()s perhaps not be candidates for merging when they have different (perhaps fake) arguments or clobbers? If so, would this be less fragile than relying on comments, which clearly any layer could be viewed as free to strip off (when the same isn't true for arguments and clobbers)? Also you did say you'd open an issue with Clang to try to get their view on relying on comments here. Could you please add a reference to that issue in the description here? Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.