Xen project Mailing List

Re: [PATCH v4 5/7] xen/riscv: introduce and initialize SBI RFENCE extension

Date: Thu, 15 Aug 2024 12:00:21 +0200

Cc: Alistair Francis <alistair.francis@xxxxxxx>, Bob Eshleman <bobbyeshleman@xxxxxxxxx>, Connor Davis <connojdavis@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Thu, 15 Aug 2024 10:00:34 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, 2024-08-14 at 17:53 +0200, Jan Beulich wrote: > On 14.08.2024 17:41, oleksii.kurochko@xxxxxxxxx wrote: > > On Tue, 2024-08-13 at 11:34 +0200, Jan Beulich wrote: > > > On 09.08.2024 18:19, Oleksii Kurochko wrote: > > > > +static unsigned long sbi_major_version(void) > > > > +{ > > > > + return (sbi_spec_version >> SBI_SPEC_VERSION_MAJOR_SHIFT) > > > > & > > > > + SBI_SPEC_VERSION_MAJOR_MASK; > > > > +} > > > > > > Can you use MASK_EXTR() here, allowing to even drop the separate > > > SBI_SPEC_VERSION_MAJOR_SHIFT? > > I am not sure that: > > (sbi_spec_version >> SBI_SPEC_VERSION_MAJOR_SHIFT) & > > SBI_SPEC_VERSION_MAJOR_MASK == MASK_EXTR(sbi_spec_version, > > SBI_SPEC_VERSION_MAJOR_MASK) > > How come you're not sure? That's precisely what MASK_EXTR() is for. As the order matter here. First should be shift then applying SBI_SPEC_VERSION_MAJOR_MASK, as SBI_SPEC_VERSION_MAJOR_MASK is defined now as 7f. If SBI_SPEC_VERSION_MAJOR_MASK set to 0x7F000000 then it will work. > > > > > +static long sbi_ext_base_func(long fid) > > > > +{ > > > > + struct sbiret ret; > > > > + > > > > + ret = sbi_ecall(SBI_EXT_BASE, fid, 0, 0, 0, 0, 0, 0); > > > > + if ( !ret.error ) > > > > + return ret.value; > > > > + else > > > > + return ret.error; > > > > > > With the folding of two distinct values, how is the caller going > > > to > > > tell failure from success? > > By checking if the return value is < 0. > > According to the SBI spec [ > > https://github.com/riscv-non-isa/riscv-sbi-doc/blob/master/src/binary-encoding.adoc?plain=1#L32 > > ] ret.error can be or 0 ( which means success ) or something < 0 if > > it > > was a failure. > > Right. And what if ret.error was 0, but ret.value was negative? I wasn't able to find a case in the SBI spec where sbiret.value could be negative. Unfortunately, the spec does not specify the possible values of sbiret.value, but based on the description of the SBI function, it only returns a negative value in the case of an error. Otherwise, ret.value is always greater than or equal to 0. > > > > > +int sbi_remote_sfence_vma(cpumask_t *cpu_mask, > > > > + unsigned long start_addr, > > > > + unsigned long size) > > > > +{ > > > > + return __sbi_rfence(SBI_EXT_RFENCE_REMOTE_SFENCE_VMA, > > > > + cpu_mask, start_addr, size, 0, 0); > > > > > > No check (not even an assertion) here for __sbi_rfence still > > > being > > > NULL? > > I thought that it would be enough to have BUG_ON() in sbi_init() > > but > > then probably would be better to update the message inside > > BUG_ON(): > > int __init sbi_init(void) > > { > > .... > > > > if ( !sbi_has_rfence() ) > > { > > BUG_ON("At the moment flush_xen_tlb_range_va() uses SBI > > rfence > > to " > > "flush TLB for all CPUS!"); > > I never really liked this kind of BUG_ON(). I leave it uncommented in > code which clearly is only temporary. Plus imo such BUG_ON()s want to > be next to where the risk is, i.e. in this case ahead of the possible > NULL deref. Then again, without PV guests and without anything mapped > at VA 0, you'll crash cleanly anyway. So perhaps my request to add a > check went too far. But then there is not big difference whether BUG_ON() or ASSERT() inside sbi_remote_sfence_vma() is present. Even none of the check present it will be a crash anyway. And the other reason why I thought it would be better to have BUG_ON() in sbi_init() as it will be need only one BUG_ON() instead of having ASSERT() in each function which will use __sbi_rfence(). And according to coding-best-practices.pandoc: ``` * Programmers can use ASSERT(), which will cause the check to be executed in DEBUG builds, and cause the hypervisor to crash if it's violated * Programmers can use BUG_ON(), which will cause the check to be executed in both DEBUG and non-DEBUG builds, and cause the hypervisor to crash if it's violated. ``` The difference between them is only the check is working only in DEBUG build or both in DEBUG and non-DEBUG. ~ Oleksii

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.