From: Marco Elver <elver@google.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, joey.gouly@arm.com
Subject: Re: [PATCH v2] arm64: Enable KCSAN
Date: Wed, 1 Dec 2021 13:25:22 +0100 [thread overview]
Message-ID: <YadpsjyfdozccsOT@elver.google.com> (raw)
In-Reply-To: <YadiUPpJ0gADbiHQ@FVFF77S0Q05N>
On Wed, Dec 01, 2021 at 11:53AM +0000, Mark Rutland wrote:
[...]
> * In the past clang did not have an attribute to suppress tsan instrumenation
> and would instrument noinstr regions. I'm not sure when clang gained the
> relevant attribute to supress this, but we will need to depend on this
> existing, either based on the clang version or with a test for the attribute.
>
> (If we're lucky, clang 12.0.0 is sufficient, and we solve BTI and this in one
> go).
>
> I *think* GCC always had an attribute, but I'm not certain.
>
> Marco, is there an existing dependency somewhere for this to work on x86? I
> thought there was an objtool pass to NOP this out, but I couldn't find it in
> mainline. If x86 is implicitly depending on a sufficiently recent version of
> clang, we add something to the common KCSAN Kconfig for ARCH_WANTS_NO_INSTR?
Apologies for the confusion w.r.t. attributes and which sanitizers on
which compilers respect which attributes. I think you may be confusing
things with KCOV (see 540540d06e9d9). I think the various 'select
ARCH_HAS_KCOV' may need adjusting, that is true.
But KCOV != KCSAN, and for KCSAN the story is different. Since the first
version of KCSAN in 5.8, we've had a working __no_kcsan (aka
__no_sanitize_thread) with all versions of Clang and GCC that support
KCSAN (see HAVE_KCSAN_COMPILER).
The recent discussion was for CONFIG_KCSAN_WEAK_MEMORY [1], because
Clang's no_sanitize("thread") would still instrument builtin atomics and
__tsan_func_{entry,exit}, which only that mode would start inserting
instrumentation for. That's not in mainline yet.
[1] https://lkml.kernel.org/r/20211130114433.2580590-1-elver@google.com
It is true that v1 and v2 of that series would have caused issues on
arm64, but after our discussion last week and tried a little harder and
v3 does the right thing for all architectures now and __no_kcsan will
disable all instrumentation (even for barriers).
So the attribute and noinstr story should not need anything else, and
the new KCSAN_WEAK_MEMORY has all right Kconfig dependencies in place
when it lands in mainline.
> * There are some latent issues with some code (e.g. alternatives, patching, insn)
> code being instrumentable even though this is unsound, and depending on
> compiler choices this can happen to be fine or can result in boot-time
> failures (I saw lockups when I started trying to add KCSAN for arm64).
>
> While this isn't just a KCSAN problem, fixing that requires some fairly
> significant rework to a bunch of code, and until that's done we're on very
> shaky ground. So I'd like to make KCSAN depend on EXPERT for now.
I take it you mean arm64 should do 'select HAVE_ARCH_KCSAN if EXPERT'. I
certainly don't mind, but usually folks interested in running debug
tools won't be stopped by a dependency on EXPERT. You could do 'select
HAVE_ARCH_KCSAN if BROKEN' which is more likely to prevent usage while
things are still likely to be broken on arm64.
Thanks,
-- Marco
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Marco Elver <elver@google.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, joey.gouly@arm.com
Subject: Re: [PATCH v2] arm64: Enable KCSAN
Date: Wed, 1 Dec 2021 13:25:22 +0100 [thread overview]
Message-ID: <YadpsjyfdozccsOT@elver.google.com> (raw)
In-Reply-To: <YadiUPpJ0gADbiHQ@FVFF77S0Q05N>
On Wed, Dec 01, 2021 at 11:53AM +0000, Mark Rutland wrote:
[...]
> * In the past clang did not have an attribute to suppress tsan instrumenation
> and would instrument noinstr regions. I'm not sure when clang gained the
> relevant attribute to supress this, but we will need to depend on this
> existing, either based on the clang version or with a test for the attribute.
>
> (If we're lucky, clang 12.0.0 is sufficient, and we solve BTI and this in one
> go).
>
> I *think* GCC always had an attribute, but I'm not certain.
>
> Marco, is there an existing dependency somewhere for this to work on x86? I
> thought there was an objtool pass to NOP this out, but I couldn't find it in
> mainline. If x86 is implicitly depending on a sufficiently recent version of
> clang, we add something to the common KCSAN Kconfig for ARCH_WANTS_NO_INSTR?
Apologies for the confusion w.r.t. attributes and which sanitizers on
which compilers respect which attributes. I think you may be confusing
things with KCOV (see 540540d06e9d9). I think the various 'select
ARCH_HAS_KCOV' may need adjusting, that is true.
But KCOV != KCSAN, and for KCSAN the story is different. Since the first
version of KCSAN in 5.8, we've had a working __no_kcsan (aka
__no_sanitize_thread) with all versions of Clang and GCC that support
KCSAN (see HAVE_KCSAN_COMPILER).
The recent discussion was for CONFIG_KCSAN_WEAK_MEMORY [1], because
Clang's no_sanitize("thread") would still instrument builtin atomics and
__tsan_func_{entry,exit}, which only that mode would start inserting
instrumentation for. That's not in mainline yet.
[1] https://lkml.kernel.org/r/20211130114433.2580590-1-elver@google.com
It is true that v1 and v2 of that series would have caused issues on
arm64, but after our discussion last week and tried a little harder and
v3 does the right thing for all architectures now and __no_kcsan will
disable all instrumentation (even for barriers).
So the attribute and noinstr story should not need anything else, and
the new KCSAN_WEAK_MEMORY has all right Kconfig dependencies in place
when it lands in mainline.
> * There are some latent issues with some code (e.g. alternatives, patching, insn)
> code being instrumentable even though this is unsound, and depending on
> compiler choices this can happen to be fine or can result in boot-time
> failures (I saw lockups when I started trying to add KCSAN for arm64).
>
> While this isn't just a KCSAN problem, fixing that requires some fairly
> significant rework to a bunch of code, and until that's done we're on very
> shaky ground. So I'd like to make KCSAN depend on EXPERT for now.
I take it you mean arm64 should do 'select HAVE_ARCH_KCSAN if EXPERT'. I
certainly don't mind, but usually folks interested in running debug
tools won't be stopped by a dependency on EXPERT. You could do 'select
HAVE_ARCH_KCSAN if BROKEN' which is more likely to prevent usage while
things are still likely to be broken on arm64.
Thanks,
-- Marco
next prev parent reply other threads:[~2021-12-01 12:27 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-29 14:57 [PATCH v2] arm64: Enable KCSAN Kefeng Wang
2021-11-29 14:57 ` Kefeng Wang
2021-12-01 10:17 ` Marco Elver
2021-12-01 10:17 ` Marco Elver
2021-12-01 11:53 ` Mark Rutland
2021-12-01 11:53 ` Mark Rutland
2021-12-01 12:25 ` Marco Elver [this message]
2021-12-01 12:25 ` Marco Elver
2021-12-01 15:05 ` Mark Rutland
2021-12-01 15:05 ` Mark Rutland
2021-12-02 1:35 ` Kefeng Wang
2021-12-02 1:35 ` Kefeng Wang
2021-12-02 10:15 ` Marco Elver
2021-12-02 10:15 ` Marco Elver
2021-12-02 10:19 ` Marco Elver
2021-12-02 10:19 ` Marco Elver
2021-12-02 10:45 ` Kefeng Wang
2021-12-02 10:45 ` Kefeng Wang
2021-12-02 10:58 ` Marco Elver
2021-12-02 10:58 ` Marco Elver
2021-12-02 11:44 ` Kefeng Wang
2021-12-02 11:44 ` Kefeng Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YadpsjyfdozccsOT@elver.google.com \
--to=elver@google.com \
--cc=catalin.marinas@arm.com \
--cc=joey.gouly@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=wangkefeng.wang@huawei.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.