[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] x86/livepatch: Fail the build if duplicate symbols exist


  • To: Jan Beulich <JBeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Thu, 11 Apr 2019 20:51:44 +0100
  • Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; prefer-encrypt=mutual; keydata= mQINBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABtClBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPokCOgQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86LkCDQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAYkC HwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, nmanthey@xxxxxxxxx, Roger Pau Monne <roger.pau@xxxxxxxxxx>
  • Delivery-date: Thu, 11 Apr 2019 19:53:04 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Openpgp: preference=signencrypt

On 08/04/2019 11:53, Jan Beulich wrote:
>>>> On 08.04.19 at 12:11, <andrew.cooper3@xxxxxxxxxx> wrote:
>> On 08/04/2019 10:52, Jan Beulich wrote:
>>>>>> On 05.04.19 at 23:02, <konrad.wilk@xxxxxxxxxx> wrote:
>>>> On Fri, Apr 05, 2019 at 08:26:04PM +0100, Andrew Cooper wrote:
>>>>> From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
>>>>>
>>>>> The binary diffing algorithm used by xen-livepatch depends on having 
>>>>> unique
>>>>> symbols.
>>> Question: Is this an inherent requirement, or an effect of the
>>> current implementation? It would seem to me that at least in the
>>> common case (binary didn't changer overly heavily) it ought to
>>> be possible to re-associate the duplicates with their correct
>>> origins. And by making the build fail (including in cases like the
>>> one we have right now), we're painting ourselves into the
>>> corner of having to "fix" code which isn't actually buggy.
>> It is inherent.  The tool needs a unique way to identify each block of
>> code, so it can work out if the binary has changed by more than just
>> relocations.
>>
>> How do you propose disambiguating ambiguous symbols after the fact?
>>
>> (This is semi rhetorical, because even if there is a possible way, there
>> is no plausible way it is the sensible option to take.)
> I don't understand why you consider it impossible for this to be a
> sensible option.

Because there is no problem which is best solved by throwing away the
information you've got, and then trying to reconstruct it at a later
point using divination.

> First of all, from the very beginning of live-patching's existence I've
> been questioning it having got made dependent on the internal
> symbol table we generate, for there being a chance of it being
> broken in some way.

Xen uses the same diffing mechanism as kpatch.  This was chosen for a
number reasons, but first and foremost, because Ross and Konrad did the
work which automatically gives them a 9/10'th choice on how to solve the
various issues at hand, and "reusing an existing tool" is a very good
reason.

You are welcome to invent a brand new way of performing binary diffing,
but on top of needing to be at least as functional as the current
solution, you will need to justify why deviating from the existing
standard tooling is a good thing for the Xen community to be doing.

Until then, the current solution depends on having unique symbols.

> As to disambiguating: Other nearby local symbols could surely
> help. This might be a problem with -ffunction-sections, but other
> than I thought we don't appear to be using it - at least I couldn't
> get grep to produce a hit in xen/, config/, and the tree root.

-ffunction-sections is injected by the livepatch-buildtools build
logic.  It doesn't live in the main xen.git build.

> Finally we likely could avoid the ambiguities altogether, e.g. by
> making the compiler emit (relative) directories when populating
> STT_FILE symbols. We already qualify multiply compiled source
> files by an object file name; I don't see why we couldn't also
> suitably qualify singly compiled files (and perhaps there's even
> a compiler option, such that we wouldn't need to issue .file
> assembler directives ourselves).
>
> Another possibility to avoid (false) ambiguities could be to make
> the non-inline expansions of intended-to-be-inline functions
> link-once (which by implication means non-static, and hence
> necessarily uniquely named).

I repeat my previous questions of "how do you propose to make this
happen", with a side implication of "without inventing increasingly
contorted logic to try and overcome problems which have been solved in
more simple ways by others".

>> Also, this reasoning depends on people only making trivial changes via
>> livepatch, which, as it turns out, isn't the case in practice.
>>
>>> And even if the order changed, as long as both instances in fact
>>> derive from the same inline function, all would still be fine afaict.
>> How do you propose that we determine this?
> We build with debug info, so it ought to be possible in principle
> to know that both have the same source origin.

That doesn't make it safe.  On release builds with LIVEPATCH enabled, it
is domctl.c#is_pv_domain.isra.0 which is the duplicated symbol, and
being separate translation units, the transformation into .isra.0 may be
different.

>
>>> Granted there's some heuristic underlying this, in that we then
>>> would hope for there not to be actually differing functions with
>>> the same source file and symbol names.
>> The more assumptions we start making, the more subtly this will go wrong
>> in the future.
> Yes, I agree - that's the main downside. But failing a build is
> a pretty meaningful downside as well, the more when people
> may not build with LIVEPATCH=y before they submit.

This is what CI is for, and why we also have things like RANDCONFIG.

But for people who want livepatching to work, failing the build is the
obvious choice.  The alternative is finding out that you've got
customers with systems running the broken build of Xen which you can't
generate a livepatch for.

> (FTR, personally I wouldn't consider it appropriate to revert in such
> a case, as an issue here has nothing to do with the actual
> change, but only with how we post-process data.) And even
> if they did, compiler (version) differences may make them not
> notice any issue. For this last reason even automatic testing
> (osstest or else) may end up assuming all is fine when it's not.

No amount of automation is going to be able to perfectly determine that,
for all current and future potential compilers, the resulting binary is
fine.

But what we have here is a construct which breaks every version of GCC
I've tried it with, and general CI definitely will pick this aspect up.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.