Re: [PATCH v4] Documentation: livepatch: document reliable stacktrace

Re: [PATCH v4] Documentation: livepatch: document reliable stacktrace

[Petr Mladek]

Hi Mark,

first, thanks a lot for writing this.

On Fri 2021-01-15 17:16:17, Mark Brown wrote:
> From: Mark Rutland <mark.rutland@arm.com>
> 
> Add documentation for reliable stacktrace. This is intended to describe
> the semantics and to be an aid for implementing architecture support for
> HAVE_RELIABLE_STACKTRACE.
> 
> Unwinding is a subtle area, and architectures vary greatly in both
> implementation and the set of concerns that affect them, so I've tried
> to avoid making this too specific to any given architecture. I've used
> examples from both x86_64 and arm64 to explain corner cases in more
> detail, but I've tried to keep the descriptions sufficient for those who
> are unfamiliar with the particular architecture.
>
> I've tried to give rationale for all the recommendations/requirements,
> since that makes it easier to spot nearby issues, or when a check
> happens to catch a few things at once.

The above looks enough for the commit message. Well, Josh, typically
asks for a directive style, example:

Instead of "I've tried to give rationale...", please use something like
"The documentation gives rationale...".

> I believe what I have written is
> sound, but as some of this was reverse-engineered I may have missed
> things worth noting.
> 
> I've made a few assumptions about preferred behaviour, notably:
> 
> * If you can reliably unwind through exceptions, you should (as x86_64
>   does).
> 
> * It's fine to omit ftrace_return_to_handler and other return
>   trampolines so long as these are not subject to patching and the
>   original return address is reported. Most architectures do this for
>   ftrace_return_handler, but not other return trampolines.
> 
> * For cases where link register unreliability could result in duplicate
>   entries in the trace or an inverted trace, I've assumed this should be
>   treated as unreliable. This specific case shouldn't matter to
>   livepatching, but I assume that that we want a reliable trace to have
>   the correct order.

This looks like a background that is typically part of the cover
leter. It mentions some Mark's doubts.

Could anyone please answer whether the above assumptions are correct
or not? We should remove them from the commit message. If any
assumption is wrong, we should fix the documentation.

Honestly, I am curious about the anwer. I am not familiar with
these details of the reliable stacktrace ;-)


Otherwise, it looks good to me on the first look. But I am not
expert in this are, so I could not check the details effectively.

Best Regards,
Petr

Re: [PATCH v4] Documentation: livepatch: document reliable stacktrace

[Josh Poimboeuf]

On Mon, Jan 18, 2021 at 03:02:31PM +0100, Petr Mladek wrote:
> Hi Mark,
> 
> first, thanks a lot for writing this.
> 
> On Fri 2021-01-15 17:16:17, Mark Brown wrote:
> > From: Mark Rutland <mark.rutland@arm.com>
> > 
> > Add documentation for reliable stacktrace. This is intended to describe
> > the semantics and to be an aid for implementing architecture support for
> > HAVE_RELIABLE_STACKTRACE.
> > 
> > Unwinding is a subtle area, and architectures vary greatly in both
> > implementation and the set of concerns that affect them, so I've tried
> > to avoid making this too specific to any given architecture. I've used
> > examples from both x86_64 and arm64 to explain corner cases in more
> > detail, but I've tried to keep the descriptions sufficient for those who
> > are unfamiliar with the particular architecture.
> >
> > I've tried to give rationale for all the recommendations/requirements,
> > since that makes it easier to spot nearby issues, or when a check
> > happens to catch a few things at once.
> 
> The above looks enough for the commit message. Well, Josh, typically
> asks for a directive style, example:
> 
> Instead of "I've tried to give rationale...", please use something like
> "The documentation gives rationale...".

True, we do try to use imperative form like "Try to give rationale...".

Though documentation is less technical than code, so maybe technical
language is less important.

> > I believe what I have written is
> > sound, but as some of this was reverse-engineered I may have missed
> > things worth noting.
> > 
> > I've made a few assumptions about preferred behaviour, notably:
> > 
> > * If you can reliably unwind through exceptions, you should (as x86_64
> >   does).
> > 
> > * It's fine to omit ftrace_return_to_handler and other return
> >   trampolines so long as these are not subject to patching and the
> >   original return address is reported. Most architectures do this for
> >   ftrace_return_handler, but not other return trampolines.
> > 
> > * For cases where link register unreliability could result in duplicate
> >   entries in the trace or an inverted trace, I've assumed this should be
> >   treated as unreliable. This specific case shouldn't matter to
> >   livepatching, but I assume that that we want a reliable trace to have
> >   the correct order.
> 
> This looks like a background that is typically part of the cover
> leter. It mentions some Mark's doubts.
> 
> Could anyone please answer whether the above assumptions are correct
> or not? We should remove them from the commit message. If any
> assumption is wrong, we should fix the documentation.

Agreed, this section can probably be dropped.

-- 
Josh

Re: [PATCH v4] Documentation: livepatch: document reliable stacktrace

[Mark Rutland]

Hi Petr,

On Mon, Jan 18, 2021 at 03:02:31PM +0100, Petr Mladek wrote:
> On Fri 2021-01-15 17:16:17, Mark Brown wrote:
> > I've made a few assumptions about preferred behaviour, notably:
> > 
> > * If you can reliably unwind through exceptions, you should (as x86_64
> >   does).

IIRC this was confirmed as desireable, and the text already reflects
this.

> > * It's fine to omit ftrace_return_to_handler and other return
> >   trampolines so long as these are not subject to patching and the
> >   original return address is reported. Most architectures do this for
> >   ftrace_return_handler, but not other return trampolines.

Likewise I think we agreed this was fine, given these were not
themselves subkect to patching.

> > * For cases where link register unreliability could result in duplicate
> >   entries in the trace or an inverted trace, I've assumed this should be
> >   treated as unreliable. This specific case shouldn't matter to
> >   livepatching, but I assume that that we want a reliable trace to have
> >   the correct order.

I don't think we had any comments either way on this, but I think it's
sane to say this for now and later relax it if we need to.

... so I reckon we can just delete all this as Josh suggests. Any acks
for the patch itself tacitly agrees with these points. :)

Thanks,
Mark.