From: Richard Henderson <richard.henderson@linaro.org>
To: hev <r@hev.cc>, Richard Henderson <rth@twiddle.net>,
Pranith Kumar <bobby.prani@gmail.com>, Qi Hu <huqi@loongson.cn>
Cc: qemu-devel@nongnu.org, Peter Maydell <peter.maydell@linaro.org>
Subject: Re: Instruction concurrent modification issue of direct jump in AArch64
Date: Sat, 19 Nov 2022 13:25:18 -0800 [thread overview]
Message-ID: <120b85db-4c05-6ea6-2f82-1281d633f8e9@linaro.org> (raw)
In-Reply-To: <CAHirt9id_Q8K33D4+2iF07e-BhUsjUBBhby9k+BZU2dYg=KToA@mail.gmail.com>
On 11/19/22 00:19, hev wrote:
> Hello,
>
> I talked with Hu Qi about the risk of instruction concurrent
> modification in TCG direct jump for LoongArch, and the conclusion is
> that the implementation is correct.
>
> Similarly, the AArch64 implementation doesn't seem to be quite
> correct. IIUC, multiple instructions paired with an atomic write does
> not guarantee atomic effects on the execution side.
>
> For example, the issue in AArch64 is:
>
> Instruction concurrent modification:
>
> * Before:
> adrp
> addi
> br
>
> * After
> b
> nop
> br
>
> * May actually execution:
> adrp
> nop
> br
>
> That will cause the jump to an unexpected address to execute, What do you think?
Yes, I agree this is a possible execution that I hadn't considered. I *think* that it
requires that the thread be interrupted after the adrp, to resume with the refreshed
cacheline. But an interrupt is certainly a valid sequence of events.
Perhaps a better construction would be
Before:
ldr x30, [pc, -XXX]
br x30
After:
br YYY
br x30
so that we only update 1 insn, and it goes between either a direct branch, or a
pc-relative load of the branch address from the TranslationBlock structure (which sits
right before the code, and we have a 1MB range on LDR (literal)).
Although at the moment the backend hook doesn't have enough information to recreate the
LDR offset, so the quick fix would have to go between BR and NOP, and leave the LDR to follow.
r~
prev parent reply other threads:[~2022-11-19 21:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-19 8:19 Instruction concurrent modification issue of direct jump in AArch64 hev
2022-11-19 21:25 ` Richard Henderson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=120b85db-4c05-6ea6-2f82-1281d633f8e9@linaro.org \
--to=richard.henderson@linaro.org \
--cc=bobby.prani@gmail.com \
--cc=huqi@loongson.cn \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=r@hev.cc \
--cc=rth@twiddle.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).