Re: [PATCH v2 16/22] tcg/aarch64: Reorg goto_tb implementation

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Alex Bennée" <alex.bennee@linaro.org>
To: Richard Henderson <richard.henderson@linaro.org>
Cc: hev <r@hev.cc>, qemu-devel@nongnu.org
Subject: Re: [PATCH v2 16/22] tcg/aarch64: Reorg goto_tb implementation
Date: Tue, 17 Jan 2023 18:26:29 +0000	[thread overview]
Message-ID: <87tu0p10e2.fsf@linaro.org> (raw)
In-Reply-To: <20230109014248.2894281-17-richard.henderson@linaro.org>


Richard Henderson <richard.henderson@linaro.org> writes:

> The old implementation replaces two insns, swapping between
>
> 	b	<dest>
> 	nop
> 	br	x30
> and
> 	adrp	x30, <dest>
> 	addi	x30, x30, lo12:<dest>
> 	br	x30
>
> There is a race condition in which a thread could be stopped at
> the PC of the second insn, and when restarted does not see the
> complete address computation and branches to nowhere.
>
> The new implemetation replaces only one insn, swapping between
>
> 	b	<dest>
> 	br	tmp
> and
> 	ldr	tmp, <jmp_addr>
> 	br	tmp
>
> Reported-by: hev <r@hev.cc>
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> ---
>  tcg/aarch64/tcg-target.h     |  3 +-
>  tcg/aarch64/tcg-target.c.inc | 64 +++++++++++++++---------------------
>  2 files changed, 28 insertions(+), 39 deletions(-)
>
> diff --git a/tcg/aarch64/tcg-target.h b/tcg/aarch64/tcg-target.h
> index 6067446b03..0ba2298ea6 100644
> --- a/tcg/aarch64/tcg-target.h
> +++ b/tcg/aarch64/tcg-target.h
> @@ -15,7 +15,8 @@
>  
>  #define TCG_TARGET_INSN_UNIT_SIZE  4
>  #define TCG_TARGET_TLB_DISPLACEMENT_BITS 24
> -#define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
> +#define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
> +#undef TCG_TARGET_STACK_GROWSUP
>  
>  typedef enum {
>      TCG_REG_X0, TCG_REG_X1, TCG_REG_X2, TCG_REG_X3,
> diff --git a/tcg/aarch64/tcg-target.c.inc b/tcg/aarch64/tcg-target.c.inc
> index 0b65f2cac1..1d0ebf01a5 100644
> --- a/tcg/aarch64/tcg-target.c.inc
> +++ b/tcg/aarch64/tcg-target.c.inc
> @@ -1353,33 +1353,6 @@ static void tcg_out_call(TCGContext *s, const tcg_insn_unit *target,
>      tcg_out_call_int(s, target);
>  }
>  
> -void tb_target_set_jmp_target(const TranslationBlock *tb, int n,
> -                              uintptr_t jmp_rx, uintptr_t jmp_rw)
> -{
> -    uintptr_t addr = tb->jmp_target_addr[n];
> -    tcg_insn_unit i1, i2;
> -    TCGType rt = TCG_TYPE_I64;
> -    TCGReg  rd = TCG_REG_TMP;
> -    uint64_t pair;
> -
> -    ptrdiff_t offset = addr - jmp_rx;
> -
> -    if (offset == sextract64(offset, 0, 26)) {
> -        i1 = I3206_B | ((offset >> 2) & 0x3ffffff);
> -        i2 = NOP;
> -    } else {
> -        offset = (addr >> 12) - (jmp_rx >> 12);
> -
> -        /* patch ADRP */
> -        i1 = I3406_ADRP | (offset & 3) << 29 | (offset & 0x1ffffc) << (5 - 2) | rd;
> -        /* patch ADDI */
> -        i2 = I3401_ADDI | rt << 31 | (addr & 0xfff) << 10 | rd << 5 | rd;
> -    }
> -    pair = (uint64_t)i2 << 32 | i1;
> -    qatomic_set((uint64_t *)jmp_rw, pair);
> -    flush_idcache_range(jmp_rx, jmp_rw, 8);
> -}
> -
>  static inline void tcg_out_goto_label(TCGContext *s, TCGLabel *l)
>  {
>      if (!l->has_value) {
> @@ -1902,23 +1875,38 @@ static void tcg_out_exit_tb(TCGContext *s, uintptr_t a0)
>  static void tcg_out_goto_tb(TCGContext *s, int which)
>  {
>      /*
> -     * Ensure that ADRP+ADD are 8-byte aligned so that an atomic
> -     * write can be used to patch the target address.
> +     * Direct branch, or indirect address load, will be patched
> +     * by tb_target_set_jmp_target.  Assert indirect load offset
> +     * in range early, regardless of direct branch distance.
>       */
> -    if ((uintptr_t)s->code_ptr & 7) {
> -        tcg_out32(s, NOP);
> -    }
> +    intptr_t i_off = tcg_pcrel_diff(s, (void *)get_jmp_target_addr(s, which));
> +    tcg_debug_assert(i_off == sextract64(i_off, 0, 21));
> +
>      set_jmp_insn_offset(s, which);
> -    /*
> -     * actual branch destination will be patched by
> -     * tb_target_set_jmp_target later
> -     */
> -    tcg_out_insn(s, 3406, ADRP, TCG_REG_TMP, 0);
> -    tcg_out_insn(s, 3401, ADDI, TCG_TYPE_I64, TCG_REG_TMP, TCG_REG_TMP, 0);
> +    tcg_out32(s, I3206_B);
>      tcg_out_insn(s, 3207, BR, TCG_REG_TMP);
>      set_jmp_reset_offset(s, which);
>  }
>  
> +void tb_target_set_jmp_target(const TranslationBlock *tb, int n,
> +                              uintptr_t jmp_rx, uintptr_t jmp_rw)
> +{
> +    uintptr_t d_addr = tb->jmp_target_addr[n];
> +    uintptr_t i_addr = (uintptr_t)&tb->jmp_target_addr[n];
> +    ptrdiff_t d_offset = d_addr - jmp_rx;
> +    ptrdiff_t i_offset = i_addr - jmp_rx;
> +    tcg_insn_unit insn;
> +
> +    /* Either directly branch, or indirect branch load. */
> +    if (d_offset == sextract64(d_offset, 0, 26)) {
> +        insn = I3206_B | ((d_offset >> 2) & 0x3ffffff);
> +    } else {
> +        insn = I3305_LDR | TCG_REG_TMP | (((i_offset >> 2) & 0x7ffff) << 5);
> +    }

Could we use deposits to build our instructions here? Also the mask
doesn't match the 24 bits you have left, bug from old code?

Otherwise:

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro

next prev parent reply	other threads:[~2023-01-17 18:28 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-01-09  1:42 [PATCH v2 00/22] tcg: exit_tb tidy, goto_tb reorg Richard Henderson
2023-01-09  1:42 ` [PATCH v2 01/22] tcg: Split out tcg_out_exit_tb Richard Henderson
2023-01-17 17:31   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 02/22] tcg/i386: Remove unused goto_tb code for indirect jump Richard Henderson
2023-01-17 17:46   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 03/22] tcg/ppc: " Richard Henderson
2023-01-17 17:46   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 04/22] tcg/sparc64: " Richard Henderson
2023-01-17 17:47   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 05/22] tcg: Replace asserts on tcg_jmp_insn_offset Richard Henderson
2023-01-17 17:48   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 06/22] tcg: Introduce set_jmp_insn_offset Richard Henderson
2023-01-17 17:49   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 07/22] tcg: Introduce get_jmp_target_addr Richard Henderson
2023-01-17 17:51   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 08/22] tcg: Split out tcg_out_goto_tb Richard Henderson
2023-01-17 17:56   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 09/22] tcg: Rename TB_JMP_RESET_OFFSET_INVALID to TB_JMP_OFFSET_INVALID Richard Henderson
2023-01-17 17:57   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 10/22] tcg: Add gen_tb to TCGContext Richard Henderson
2023-01-17 17:58   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 11/22] tcg: Add TranslationBlock.jmp_insn_offset Richard Henderson
2023-01-17 18:01   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 12/22] tcg: Change tb_target_set_jmp_target arguments Richard Henderson
2023-01-17 18:05   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 13/22] tcg: Move tb_target_set_jmp_target declaration to tcg.h Richard Henderson
2023-01-17 18:10   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 14/22] tcg: Always define tb_target_set_jmp_target Richard Henderson
2023-01-17 18:14   ` Alex Bennée
2023-01-17 19:51     ` Richard Henderson
2023-01-09  1:42 ` [PATCH v2 15/22] tcg: Remove TCG_TARGET_HAS_direct_jump Richard Henderson
2023-01-17 18:25   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 16/22] tcg/aarch64: Reorg goto_tb implementation Richard Henderson
2023-01-17 18:26   ` Alex Bennée [this message]
2023-01-09  1:42 ` [PATCH v2 17/22] tcg/ppc: " Richard Henderson
2023-01-17 18:30   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 18/22] tcg/sparc64: Remove USE_REG_TB Richard Henderson
2023-01-17 18:31   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 19/22] tcg/sparc64: Reorg goto_tb implementation Richard Henderson
2023-01-17 18:33   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 20/22] tcg/arm: Implement direct branch for goto_tb Richard Henderson
2023-01-17 18:33   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 21/22] tcg/riscv: Introduce OPC_NOP Richard Henderson
2023-01-17 18:35   ` Alex Bennée
2023-01-09  1:42 ` [PATCH v2 22/22] tcg/riscv: Implement direct branch for goto_tb Richard Henderson
2023-01-17 18:37   ` Alex Bennée
2023-01-15  2:33 ` [PATCH v2 00/22] tcg: exit_tb tidy, goto_tb reorg Richard Henderson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87tu0p10e2.fsf@linaro.org \
    --to=alex.bennee@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=r@hev.cc \
    --cc=richard.henderson@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).