From: Nicola Vetrini <nicola.vetrini@bugseng.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
"Roger Pau Monné" <roger.pau@citrix.com>,
Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH 3/4] x86/i387: Rework fpu_fxrstor() given a newer toolchain baseline
Date: Mon, 05 Jan 2026 17:13:03 +0100 [thread overview]
Message-ID: <37ff7e30cc0715d619a20d7ea6ab72b5@bugseng.com> (raw)
In-Reply-To: <662888ee-e983-4194-b8ca-f28560881c29@suse.com>
On 2026-01-05 16:52, Jan Beulich wrote:
> On 30.12.2025 14:54, Andrew Cooper wrote:
>> Use asm goto rather than hiding a memset() in the fixup section. With
>> the
>> compiler now able to see the write into fpu_ctxt (as opposed to the
>> asm
>> constraint erroneously stating it as input-only), it validly objects
>> to the
>> pointer being const.
>>
>> While FXRSTOR oughtn't to fault on an all-zeros input, avoid a risk of
>> an
>> infinite loop entirely by using a fixup scheme similar to xrstor(),
>> and
>> crashing the domain if we run out options.
>
> Question being - does ...
>
>> --- a/xen/arch/x86/i387.c
>> +++ b/xen/arch/x86/i387.c
>> @@ -38,7 +38,8 @@ static inline void fpu_xrstor(struct vcpu *v,
>> uint64_t mask)
>> /* Restore x87 FPU, MMX, SSE and SSE2 state */
>> static inline void fpu_fxrstor(struct vcpu *v)
>> {
>> - const fpusse_t *fpu_ctxt = &v->arch.xsave_area->fpu_sse;
>> + fpusse_t *fpu_ctxt = &v->arch.xsave_area->fpu_sse;
>> + unsigned int faults = 0;
>>
>> /*
>> * Some CPUs don't save/restore FDP/FIP/FOP unless an exception
>> @@ -59,49 +60,41 @@ static inline void fpu_fxrstor(struct vcpu *v)
>> * possibility, which may occur if the block was passed to us by
>> control
>> * tools or through VCPUOP_initialise, by silently clearing the
>> block.
>> */
>> + retry:
>> switch ( __builtin_expect(fpu_ctxt->x[FPU_WORD_SIZE_OFFSET], 8) )
>> {
>> default:
>> - asm_inline volatile (
>> + asm_inline volatile goto (
>> "1: fxrstorq %0\n"
>> - ".section .fixup,\"ax\" \n"
>> - "2: push %%"__OP"ax \n"
>> - " push %%"__OP"cx \n"
>> - " push %%"__OP"di \n"
>> - " lea %0,%%"__OP"di \n"
>> - " mov %1,%%ecx \n"
>> - " xor %%eax,%%eax \n"
>> - " rep ; stosl \n"
>> - " pop %%"__OP"di \n"
>> - " pop %%"__OP"cx \n"
>> - " pop %%"__OP"ax \n"
>> - " jmp 1b \n"
>> - ".previous \n"
>> - _ASM_EXTABLE(1b, 2b)
>> - :
>> - : "m" (*fpu_ctxt), "i" (sizeof(*fpu_ctxt) / 4) );
>> + _ASM_EXTABLE(1b, %l[fault])
>> + :: "m" (*fpu_ctxt)
>> + :: fault );
>> break;
>> +
>> case 4: case 2:
>> - asm_inline volatile (
>> - "1: fxrstor %0 \n"
>> - ".section .fixup,\"ax\"\n"
>> - "2: push %%"__OP"ax \n"
>> - " push %%"__OP"cx \n"
>> - " push %%"__OP"di \n"
>> - " lea %0,%%"__OP"di \n"
>> - " mov %1,%%ecx \n"
>> - " xor %%eax,%%eax \n"
>> - " rep ; stosl \n"
>> - " pop %%"__OP"di \n"
>> - " pop %%"__OP"cx \n"
>> - " pop %%"__OP"ax \n"
>> - " jmp 1b \n"
>> - ".previous \n"
>> - _ASM_EXTABLE(1b, 2b)
>> - :
>> - : "m" (*fpu_ctxt), "i" (sizeof(*fpu_ctxt) / 4) );
>> + asm_inline volatile goto (
>> + "1: fxrstor %0\n"
>> + _ASM_EXTABLE(1b, %l[fault])
>> + :: "m" (*fpu_ctxt)
>> + :: fault );
>> break;
>> }
>> +
>> + return;
>> +
>> + fault:
>> + faults++;
>> +
>> + switch ( faults )
>> + {
>> + case 1: /* Stage 1: Reset all state. */
>> + memset(fpu_ctxt, 0, sizeof(*fpu_ctxt));
>> + goto retry;
>> +
>> + default: /* Stage 2: Nothing else to do. */
>> + domain_crash(v->domain, "Uncorrectable FXRSTOR fault\n");
>> + return;
>
> ... this then count as unreachable and/or dead code in Misra's terms?
> Nicola?
> Sure, Eclair wouldn't be able to spot it, but that's no excuse imo.
>
> Jan
Right now, probably not, but even if it did, an ASSERT_UNREACHABLE can
be added in the default branch to deal with that.
--
Nicola Vetrini, B.Sc.
Software Engineer
BUGSENG (https://bugseng.com)
LinkedIn: https://www.linkedin.com/in/nicola-vetrini-a42471253
next prev parent reply other threads:[~2026-01-05 16:13 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-30 13:54 [PATCH 0/4] x86/asm: .byte removal Andrew Cooper
2025-12-30 13:54 ` [PATCH 1/4] x86/xstate: Deindent the logic in xrstor() Andrew Cooper
2026-01-05 15:12 ` Jan Beulich
2025-12-30 13:54 ` [PATCH 2/4] x86/xstate: Rework XSAVE/XRSTOR given a newer toolchain baseline Andrew Cooper
2026-01-02 16:01 ` Andrew Cooper
2026-01-05 15:16 ` Jan Beulich
2026-01-05 16:55 ` Andrew Cooper
2026-01-05 17:06 ` Jan Beulich
2026-01-05 15:46 ` Jan Beulich
2026-01-05 17:45 ` Andrew Cooper
2026-01-06 7:59 ` Jan Beulich
2026-01-08 21:08 ` Andrew Cooper
2026-01-09 8:16 ` Jan Beulich
2025-12-30 13:54 ` [PATCH 3/4] x86/i387: Rework fpu_fxrstor() " Andrew Cooper
2026-01-05 15:52 ` Jan Beulich
2026-01-05 16:13 ` Nicola Vetrini [this message]
2026-01-05 16:39 ` Andrew Cooper
2026-01-05 16:48 ` Jan Beulich
2025-12-30 13:54 ` [PATCH 4/4] x86: Avoid using .byte for instructions where safe to do so Andrew Cooper
2026-01-05 15:58 ` Jan Beulich
2026-01-08 21:14 ` Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=37ff7e30cc0715d619a20d7ea6ab72b5@bugseng.com \
--to=nicola.vetrini@bugseng.com \
--cc=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=roger.pau@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.