Xen project Mailing List

Re: [PATCH 1/6] x86/cpu-policy: Drop build time cross-checks of featureset sizes

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 11 May 2023 13:43:53 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GGJqgexwdaNn0ZMhjGxzc2Ea7RbILscdiQFdjAq+D4w=; b=YfrzrpnzI0jf0tDEq3Nt7kv1evc0h81XSZ4bVMhpTep8sfF23DMJHG2Ost5NyXiZM+8WEoWNuMuUdt3S6NHfKMJEbmUzie9vAra9VKQAB247xKhCZX/4WvpfWak3vRzDXxHjqwFCRdXJMD1Fjik1DTAp9W7eCtEoiIyevhR0y65KJXTUmjJKUl5wiRrv4uLcraZxSD/1zUT8gWPbeZOYvxxK96kQlEfejPzB5rQfebzJUIUdN15T3V36GW/ZcmLJ1ePGZ14nF4abQwrUa0ixvHZaKEo//ELq8FI0lvCT8zfPO4eganTuPOnAWobYB68vQwE22lQv6KzLOOXshiPOcw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HAR7pGklb0PQAkjVoq4z7IFKcL2i9Z1TzbOAFSYSEuFYKggeo4S9DXISUxxDCyU6AR3M5G9qp4AcF8l3RXzSGSTA3kIDmmJ+IpW3aPK4WcQDQAjRgL1WGJ4m5Q5XZqbEc1eVGiree0m6TerDZU3n68yZO8JlscJXL9+8w3Gow4AOaq+VHV5z2V/4eLmSQYZ8Ll58DFsJ9hP9lHpFNhFknxVcKR4eGF3KkavyXRyoOvN1a4N+Kj/djfQY54DE+pZhA5tE8EgiSHDrtOSTt478DEBiE7WxR+4jW8/47leQcbl9/s5e2EnCGP034bxQMhOh0nHjMdom/SAK0ZNIoJ25uQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Thu, 11 May 2023 12:44:29 +0000

Ironport-data: A9a23:zn4M4qjlUlDqm8umySUJZGWtX161TREKZh0ujC45NGQN5FlHY01je htvXDiObvnbYmryKdl3b4Tg9xtSvsOEzd9qHgA+qCxkFCsb9cadCdqndUqhZCn6wu8v7q5Ex 55HNoSfdpBcolv0/ErF3m3J9CEkvU2wbuOgTrWCYmYpHlUMpB4J0XpLg/Q+jpNjne+3CgaMv cKai8DEMRqu1iUc3lg8sspvkzsy+qWj0N8klgZmP6sT4QaHzyN94K83fsldEVOpGuG4IcbiL wrz5OnR1n/U+R4rFuSknt7TGqHdauePVeQmoiM+t5mK2nCulARrukoIHKN0hXNsoyeIh7hMJ OBl7vRcf+uL0prkw4zxWzEAe8130DYvFLXveRBTuuTLp6HKnueFL1yDwyjaMKVBktubD12i+ tQ1EyAmdC6MmNjx45aGQ/hutOY+L+zSadZ3VnFIlVk1DN4AaLWaGeDgw48d2z09wMdTAfzZe swVLyJ1awjNaAFOPVFRD48imOCvhT/0dDgwRFC9/PJrpTSMilEsluGyabI5efTTLSlRtm+eq njL4CLSBRYCOcbE4TGE7mitlqnEmiaTtIc6TeXnqqQz3AbMroAVIFoTa0ujguSAsR+7fdlvK lcK1BBpvadnoSRHSfG4BXVUukWsvBQRRt5RGO0S8xyWx+zf5APxLncAZi5MbpohrsBebSwn0 BqFks3kARRrsaaJUjSN+7GMtzSwNCMJa2gYakc5oRAt5tDipMQ5iELJR9M6Sqqt1ISqQHf33 iyAqzU4i/MLl8kX2q6n/FfBxTWxupzOSQ1z7QLSNo640j5EiEeeT9TAwTDmATxodu51knHpU KA4pvWj

Ironport-hdrordr: A9a23:/7MgmK+i1R8mwSkGDbJuk+DnI+orL9Y04lQ7vn2ZhyYlC/Bw9v re5MjzsCWftN9/YgBEpTntAtjjfZqYz+8X3WBzB9aftWvdyQ+VxehZhOOI/9SjIU3DH4VmpM BdmsZFebvN5JtB4foSIjPULz/t+ra6GWmT69vj8w==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11/05/2023 7:43 am, Jan Beulich wrote: > On 10.05.2023 17:06, Andrew Cooper wrote: >> On 09/05/2023 5:15 pm, Jan Beulich wrote: >>> On 09.05.2023 17:59, Andrew Cooper wrote: >>>> On 09/05/2023 3:28 pm, Jan Beulich wrote: >>>>> On 09.05.2023 15:04, Andrew Cooper wrote: >>>>>> On 08/05/2023 7:47 am, Jan Beulich wrote: >>>>>>> On 04.05.2023 21:39, Andrew Cooper wrote: >>>>>>>> These BUILD_BUG_ON()s exist to cover the curious absence of a >>>>>>>> diagnostic for >>>>>>>> code which looks like: >>>>>>>> >>>>>>>> uint32_t foo[1] = { 1, 2, 3 }; >>>>>>>> >>>>>>>> However, GCC 12 at least does now warn for this: >>>>>>>> >>>>>>>> foo.c:1:24: error: excess elements in array initializer [-Werror] >>>>>>>> 884 | uint32_t foo[1] = { 1, 2, 3 }; >>>>>>>> | ^ >>>>>>>> foo.c:1:24: note: (near initialization for 'foo') >>>>>>> I'm pretty sure all gcc versions we support diagnose such cases. In turn >>>>>>> the arrays in question don't have explicit dimensions at their >>>>>>> definition sites, and hence they derive their dimensions from their >>>>>>> initializers. So the build-time-checks are about the arrays in fact >>>>>>> obtaining the right dimensions, i.e. the initializers being suitable. >>>>>>> >>>>>>> With the core part of the reasoning not being applicable, I'm afraid I >>>>>>> can't even say "okay with an adjusted description". >>>>>> Now I'm extra confused. >>>>>> >>>>>> I put those BUILD_BUG_ON()'s in because I was not getting a diagnostic >>>>>> when I was expecting one, and there was a bug in the original featureset >>>>>> work caused by this going wrong. >>>>>> >>>>>> But godbolt seems to agree that even GCC 4.1 notices. >>>>>> >>>>>> Maybe it was some other error (C file not seeing the header properly?) >>>>>> which disappeared across the upstream review? >>>>> Or maybe, by mistake, too few initializer fields? But what exactly it >>>>> was probably doesn't matter. If this patch is to stay (see below), some >>>>> different description will be needed anyway (or the change be folded >>>>> into the one actually invalidating those BUILD_BUG_ON()s). >>>>> >>>>>> Either way, these aren't appropriate, and need deleting before patch 5, >>>>>> because the check is no longer valid when a featureset can be longer >>>>>> than the autogen length. >>>>> Well, they need deleting if we stick to the approach chosen there right >>>>> now. If we switched to my proposed alternative, they better would stay. >>>> Given that all versions of GCC do warn, I don't see any justification >>>> for them to stay. >>> All versions warn when the variable declarations / definitions have a >>> dimension specified, and then there are excess initializers. Yet none >>> of the five affected arrays have a dimension specified in their >>> definitions. >>> >>> Even if dimensions were added, we'd then have only covered half of >>> what the BUILD_BUG_ON()s cover right now: There could then be fewer >>> than intended initializer fields, and things may still be screwed. I >>> think it was for this very reason why BUILD_BUG_ON() was chosen. >> ??? >> >> The dimensions already exist, as proved by the fact GCC can spot the >> violation. > Where? Quoting cpu-policy.c: > > const uint32_t known_features[] = INIT_KNOWN_FEATURES; > > static const uint32_t __initconst pv_max_featuremask[] = INIT_PV_MAX_FEATURES; > static const uint32_t hvm_shadow_max_featuremask[] = > INIT_HVM_SHADOW_MAX_FEATURES; > static const uint32_t __initconst hvm_hap_max_featuremask[] = > INIT_HVM_HAP_MAX_FEATURES; > static const uint32_t __initconst pv_def_featuremask[] = INIT_PV_DEF_FEATURES; > static const uint32_t __initconst hvm_shadow_def_featuremask[] = > INIT_HVM_SHADOW_DEF_FEATURES; > static const uint32_t __initconst hvm_hap_def_featuremask[] = > INIT_HVM_HAP_DEF_FEATURES; > static const uint32_t deep_features[] = INIT_DEEP_FEATURES; > > I notice that known_features[], as an exception, has its dimension declared > in cpuid.h. Ah. I had indeed not spotted that. Sorry. It explains why all of my test builds (checking known_features[]) appeared to work. I will rework these to have dimensions, because it will remove some reasonably complex logic in gen-cpuid.py. > >> On the other hand, zero extending a featureset is explicitly how they're >> supposed to work. How do you think Xapi has coped with migration >> compatibility over the years, not to mention the microcode changes which >> lengthen a featureset? >> >> So no, there was never any problem with constructs of the form uint32_t >> foo[10] = { 1, } in the first place. >> >> The BUILD_BUG_ON()s therefore serve no purpose at all. > As per above the very minimum would be to accompany their dropping with > adding of explicitly specified dimensions for all the static arrays. I'm > not entirely certain about the other side (the zero-extension), but I'd > likely end up simply trusting you on that. https://godbolt.org/z/c13Kxcdsh GCC (on both extremes that godbolt supports) zero extends to the declaration dimension size. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.