From: Jan Beulich <jbeulich@suse.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: "Roger Pau Monné" <roger.pau@citrix.com>, "Wei Liu" <wl@xen.org>,
Xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: [PATCH] x86/nospec: Fix evaluate_nospec() code generation under Clang
Date: Tue, 26 Apr 2022 08:43:40 +0200 [thread overview]
Message-ID: <d93fee60-0d17-06ee-bb8f-e68ad5aa4fb4@suse.com> (raw)
In-Reply-To: <20220425175603.21086-1-andrew.cooper3@citrix.com>
On 25.04.2022 19:56, Andrew Cooper wrote:
> It turns out that evaluate_nospec() code generation is not safe under Clang.
> Given:
>
> void eval_nospec_test(int x)
> {
> if ( evaluate_nospec(x) )
> asm volatile ("nop #true" ::: "memory");
> else
> asm volatile ("nop #false" ::: "memory");
> }
>
> Clang emits:
>
> <eval_nospec_test>:
> 0f ae e8 lfence
> 85 ff test %edi,%edi
> 74 02 je <eval_nospec_test+0x9>
> 90 nop
> c3 ret
> 90 nop
> c3 ret
>
> which is not safe because the lfence has been hoisted above the conditional
> jump. Clang concludes that both barrier_nospec_true()'s have identical side
> effects and can safely be merged.
>
> Clang can be persuaded that the side effects are different if there are
> different comments in the asm blocks. This is fragile, but no more fragile
> that other aspects of this construct.
>
> Introduce barrier_nospec_false() with a separate internal comment to prevent
> Clang merging it with barrier_nospec_true() despite the otherwise-identical
> content. The generated code now becomes:
>
> <eval_nospec_test>:
> 85 ff test %edi,%edi
> 74 05 je <eval_nospec_test+0x9>
> 0f ae e8 lfence
> 90 nop
> c3 ret
> 0f ae e8 lfence
> 90 nop
> c3 ret
>
> which has the correct number of lfence's, and in the correct place.
>
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
I can live with us going this route, so
Reviewed-by: Jan Beulich <jbeulich@suse.com>
However, I'd like alternatives to be considered: Would two asm()s
perhaps not be candidates for merging when they have different
(perhaps fake) arguments or clobbers? If so, would this be less
fragile than relying on comments, which clearly any layer could be
viewed as free to strip off (when the same isn't true for arguments
and clobbers)?
Also you did say you'd open an issue with Clang to try to get their
view on relying on comments here. Could you please add a reference
to that issue in the description here?
Jan
next prev parent reply other threads:[~2022-04-26 6:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-25 17:56 [PATCH] x86/nospec: Fix evaluate_nospec() code generation under Clang Andrew Cooper
2022-04-26 6:43 ` Jan Beulich [this message]
2022-04-26 7:18 ` Roger Pau Monné
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d93fee60-0d17-06ee-bb8f-e68ad5aa4fb4@suse.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=roger.pau@citrix.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.