From: will.deacon@arm.com (Will Deacon)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH RFCv3 01/14] arm64: introduce aarch64_insn_gen_comp_branch_imm()
Date: Thu, 17 Jul 2014 18:25:26 +0100 [thread overview]
Message-ID: <20140717172526.GC4844@arm.com> (raw)
In-Reply-To: <CAMEtUux1NRqz-Bqi_H8kJe8x9u+1Q12Sg4a-92cE6OsePEBLxg@mail.gmail.com>
On Thu, Jul 17, 2014 at 04:59:10PM +0100, Alexei Starovoitov wrote:
> On Thu, Jul 17, 2014 at 2:19 AM, Will Deacon <will.deacon@arm.com> wrote:
> > On Wed, Jul 16, 2014 at 10:19:31PM +0100, Zi Shen Lim wrote:
> >> >
> >> > Is a BUG_ON justifiable here? Is there not a nicer way to fail?
> >>
> >> In general, it'd be nice if we returned something like -EINVAL and
> >> have all callers handle failures. Today all code gen functions return
> >> the u32 instruction and there's no error handling by callers.
> >> I think following the precedence (aarch64_insn_gen_branch_imm())
> >> of failing with BUG_ON is a reasonable tradeoff.
> >
> > Well, I don't necessarily agree with that BUG_ON, either :)
> > I take it eBPF doesn't have a `trap' instruction or similar? Otherwise, we
> > could generate that and avoid having to propagate errors directly to the
> > caller.
> >
> >> In this case here, when we hit the default (failure) case, that means
> >> there's a serious error of attempting to use an unsupported
> >> variant. I think we're better off failing hard here than trying to
> >> arbitrarily "fallback" on a default choice.
> >
> > It might be a serious error for BPF, but a BUG_ON brings down the entire
> > machine, which I think is unfortunate.
>
> There is some misunderstanding here. Here BUG_ON will trigger
> only on actual bug in JIT implementation, it cannot be triggered by user.
> eBPF program is verified before it reaches JIT, so all instructions are
> valid and input to JIT is proper. Two instruction are not yet
> implemented in this JIT and they trigger pr_.._once().
> So I don't see any issue with this usage of BUG_ON
> imo living with silent bugs in JIT is more dangerous.
>
> For the same reason there is no 'trap' instruction in eBPF.
> Static verifier checks that program is valid. If there was a 'trap'
> insn the program would be rejected. Like programs with
> 'div by zero' are rejected. There is normal 'bpf_exit' insn to
> return from the program.
Ok, so assuming that BPF doesn't have any issues, I take your point.
However, we could very easily re-use these functions for things like SMP
alternatives and kprobes, where simply failing the instruction generation
might be acceptable.
It just feels like a bit hammer to me, when the machine is probably happily
scheduling user tasks, responding to interrupts, writing data to disk etc.
Will
WARNING: multiple messages have this Message-ID (diff)
From: Will Deacon <will.deacon@arm.com>
To: Alexei Starovoitov <ast@plumgrid.com>
Cc: Zi Shen Lim <zlim.lnx@gmail.com>,
Catalin Marinas <Catalin.Marinas@arm.com>,
Jiang Liu <liuj97@gmail.com>,
AKASHI Takahiro <takahiro.akashi@linaro.org>,
"David S. Miller" <davem@davemloft.net>,
Daniel Borkmann <dborkman@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH RFCv3 01/14] arm64: introduce aarch64_insn_gen_comp_branch_imm()
Date: Thu, 17 Jul 2014 18:25:26 +0100 [thread overview]
Message-ID: <20140717172526.GC4844@arm.com> (raw)
In-Reply-To: <CAMEtUux1NRqz-Bqi_H8kJe8x9u+1Q12Sg4a-92cE6OsePEBLxg@mail.gmail.com>
On Thu, Jul 17, 2014 at 04:59:10PM +0100, Alexei Starovoitov wrote:
> On Thu, Jul 17, 2014 at 2:19 AM, Will Deacon <will.deacon@arm.com> wrote:
> > On Wed, Jul 16, 2014 at 10:19:31PM +0100, Zi Shen Lim wrote:
> >> >
> >> > Is a BUG_ON justifiable here? Is there not a nicer way to fail?
> >>
> >> In general, it'd be nice if we returned something like -EINVAL and
> >> have all callers handle failures. Today all code gen functions return
> >> the u32 instruction and there's no error handling by callers.
> >> I think following the precedence (aarch64_insn_gen_branch_imm())
> >> of failing with BUG_ON is a reasonable tradeoff.
> >
> > Well, I don't necessarily agree with that BUG_ON, either :)
> > I take it eBPF doesn't have a `trap' instruction or similar? Otherwise, we
> > could generate that and avoid having to propagate errors directly to the
> > caller.
> >
> >> In this case here, when we hit the default (failure) case, that means
> >> there's a serious error of attempting to use an unsupported
> >> variant. I think we're better off failing hard here than trying to
> >> arbitrarily "fallback" on a default choice.
> >
> > It might be a serious error for BPF, but a BUG_ON brings down the entire
> > machine, which I think is unfortunate.
>
> There is some misunderstanding here. Here BUG_ON will trigger
> only on actual bug in JIT implementation, it cannot be triggered by user.
> eBPF program is verified before it reaches JIT, so all instructions are
> valid and input to JIT is proper. Two instruction are not yet
> implemented in this JIT and they trigger pr_.._once().
> So I don't see any issue with this usage of BUG_ON
> imo living with silent bugs in JIT is more dangerous.
>
> For the same reason there is no 'trap' instruction in eBPF.
> Static verifier checks that program is valid. If there was a 'trap'
> insn the program would be rejected. Like programs with
> 'div by zero' are rejected. There is normal 'bpf_exit' insn to
> return from the program.
Ok, so assuming that BPF doesn't have any issues, I take your point.
However, we could very easily re-use these functions for things like SMP
alternatives and kprobes, where simply failing the instruction generation
might be acceptable.
It just feels like a bit hammer to me, when the machine is probably happily
scheduling user tasks, responding to interrupts, writing data to disk etc.
Will
WARNING: multiple messages have this Message-ID (diff)
From: Will Deacon <will.deacon@arm.com>
To: Alexei Starovoitov <ast@plumgrid.com>
Cc: Zi Shen Lim <zlim.lnx@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
AKASHI Takahiro <takahiro.akashi@linaro.org>,
Daniel Borkmann <dborkman@redhat.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Catalin Marinas <Catalin.Marinas@arm.com>,
"David S. Miller" <davem@davemloft.net>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
Jiang Liu <liuj97@gmail.com>
Subject: Re: [PATCH RFCv3 01/14] arm64: introduce aarch64_insn_gen_comp_branch_imm()
Date: Thu, 17 Jul 2014 18:25:26 +0100 [thread overview]
Message-ID: <20140717172526.GC4844@arm.com> (raw)
In-Reply-To: <CAMEtUux1NRqz-Bqi_H8kJe8x9u+1Q12Sg4a-92cE6OsePEBLxg@mail.gmail.com>
On Thu, Jul 17, 2014 at 04:59:10PM +0100, Alexei Starovoitov wrote:
> On Thu, Jul 17, 2014 at 2:19 AM, Will Deacon <will.deacon@arm.com> wrote:
> > On Wed, Jul 16, 2014 at 10:19:31PM +0100, Zi Shen Lim wrote:
> >> >
> >> > Is a BUG_ON justifiable here? Is there not a nicer way to fail?
> >>
> >> In general, it'd be nice if we returned something like -EINVAL and
> >> have all callers handle failures. Today all code gen functions return
> >> the u32 instruction and there's no error handling by callers.
> >> I think following the precedence (aarch64_insn_gen_branch_imm())
> >> of failing with BUG_ON is a reasonable tradeoff.
> >
> > Well, I don't necessarily agree with that BUG_ON, either :)
> > I take it eBPF doesn't have a `trap' instruction or similar? Otherwise, we
> > could generate that and avoid having to propagate errors directly to the
> > caller.
> >
> >> In this case here, when we hit the default (failure) case, that means
> >> there's a serious error of attempting to use an unsupported
> >> variant. I think we're better off failing hard here than trying to
> >> arbitrarily "fallback" on a default choice.
> >
> > It might be a serious error for BPF, but a BUG_ON brings down the entire
> > machine, which I think is unfortunate.
>
> There is some misunderstanding here. Here BUG_ON will trigger
> only on actual bug in JIT implementation, it cannot be triggered by user.
> eBPF program is verified before it reaches JIT, so all instructions are
> valid and input to JIT is proper. Two instruction are not yet
> implemented in this JIT and they trigger pr_.._once().
> So I don't see any issue with this usage of BUG_ON
> imo living with silent bugs in JIT is more dangerous.
>
> For the same reason there is no 'trap' instruction in eBPF.
> Static verifier checks that program is valid. If there was a 'trap'
> insn the program would be rejected. Like programs with
> 'div by zero' are rejected. There is normal 'bpf_exit' insn to
> return from the program.
Ok, so assuming that BPF doesn't have any issues, I take your point.
However, we could very easily re-use these functions for things like SMP
alternatives and kprobes, where simply failing the instruction generation
might be acceptable.
It just feels like a bit hammer to me, when the machine is probably happily
scheduling user tasks, responding to interrupts, writing data to disk etc.
Will
next prev parent reply other threads:[~2014-07-17 17:25 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-15 6:24 [PATCH RFCv3 00/14] arm64: eBPF JIT compiler Zi Shen Lim
2014-07-15 6:24 ` Zi Shen Lim
2014-07-15 6:24 ` [PATCH RFCv3 01/14] arm64: introduce aarch64_insn_gen_comp_branch_imm() Zi Shen Lim
2014-07-15 6:24 ` Zi Shen Lim
2014-07-16 16:04 ` Will Deacon
2014-07-16 16:04 ` Will Deacon
2014-07-16 21:19 ` Zi Shen Lim
2014-07-16 21:19 ` Zi Shen Lim
2014-07-17 9:19 ` Will Deacon
2014-07-17 9:19 ` Will Deacon
2014-07-17 15:59 ` Alexei Starovoitov
2014-07-17 15:59 ` Alexei Starovoitov
2014-07-17 17:25 ` Will Deacon [this message]
2014-07-17 17:25 ` Will Deacon
2014-07-17 17:25 ` Will Deacon
2014-07-18 5:44 ` Z Lim
2014-07-18 5:44 ` Z Lim
2014-07-15 6:25 ` [PATCH RFCv3 02/14] arm64: introduce aarch64_insn_gen_branch_reg() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 03/14] arm64: introduce aarch64_insn_gen_cond_branch_imm() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 04/14] arm64: introduce aarch64_insn_gen_load_store_reg() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 05/14] arm64: introduce aarch64_insn_gen_load_store_pair() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 06/14] arm64: introduce aarch64_insn_gen_add_sub_imm() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 07/14] arm64: introduce aarch64_insn_gen_bitfield() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 08/14] arm64: introduce aarch64_insn_gen_movewide() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-16 16:17 ` Will Deacon
2014-07-16 16:17 ` Will Deacon
2014-07-16 16:25 ` David Laight
2014-07-16 16:25 ` David Laight
2014-07-16 22:04 ` Zi Shen Lim
2014-07-16 22:04 ` Zi Shen Lim
2014-07-17 9:41 ` Will Deacon
2014-07-17 9:41 ` Will Deacon
2014-07-17 9:51 ` David Laight
2014-07-17 9:51 ` David Laight
2014-07-18 5:47 ` Z Lim
2014-07-18 5:47 ` Z Lim
2014-07-18 8:43 ` Will Deacon
2014-07-18 8:43 ` Will Deacon
2014-07-15 6:25 ` [PATCH RFCv3 09/14] arm64: introduce aarch64_insn_gen_add_sub_shifted_reg() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 10/14] arm64: introduce aarch64_insn_gen_data1() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 11/14] arm64: introduce aarch64_insn_gen_data2() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 12/14] arm64: introduce aarch64_insn_gen_data3() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 13/14] arm64: introduce aarch64_insn_gen_logical_shifted_reg() Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-15 6:25 ` [PATCH RFCv3 14/14] arm64: eBPF JIT compiler Zi Shen Lim
2014-07-15 6:25 ` Zi Shen Lim
2014-07-16 10:41 ` [PATCH RFCv3 00/14] " Will Deacon
2014-07-16 10:41 ` Will Deacon
2014-07-16 16:21 ` Will Deacon
2014-07-16 16:21 ` Will Deacon
2014-07-16 22:18 ` Zi Shen Lim
2014-07-16 22:18 ` Zi Shen Lim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140717172526.GC4844@arm.com \
--to=will.deacon@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.