timer: fix NR_CPUS=1 build with gcc13

Message ID	a17ba988-2850-fced-d225-97e1d11f6576@suse.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <xen-devel-bounces@lists.xenproject.org> Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org> Message-ID: <a17ba988-2850-fced-d225-97e1d11f6576@suse.com> Date: Wed, 13 Sep 2023 09:31:57 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.0 Content-Language: en-US To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org> Cc: Andrew Cooper <andrew.cooper3@citrix.com>, George Dunlap <george.dunlap@citrix.com>, Julien Grall <julien@xen.org>, Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org> From: Jan Beulich <jbeulich@suse.com> Subject: [PATCH] timer: fix NR_CPUS=1 build with gcc13 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit MIME-Version: 1.0
Series	timer: fix NR_CPUS=1 build with gcc13 \| expand timer: fix NR_CPUS=1 build with gcc13

Message ID

a17ba988-2850-fced-d225-97e1d11f6576@suse.com (mailing list archive)

State

Superseded

Headers

Errors-To: xen-devel-bounces@lists.xenproject.org
Precedence: list
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
Message-ID: <a17ba988-2850-fced-d225-97e1d11f6576@suse.com>
Date: Wed, 13 Sep 2023 09:31:57 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.15.0
Content-Language: en-US
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
 George Dunlap <george.dunlap@citrix.com>, Julien Grall <julien@xen.org>,
 Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org>
From: Jan Beulich <jbeulich@suse.com>
Subject: [PATCH] timer: fix NR_CPUS=1 build with gcc13
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?6U5ULLkyZQ6/T9ukKQRWZ5ly6k5x?=
	=?utf-8?q?kymCQQGGG49o23Mzt0rHCMMBEhbbNrkzDsIPqUfOhmDPMZGuHu9KMCoMsp2QfZevB?=
	=?utf-8?q?vkQeKcbcVcTBWqQOUsD5XD7n233H4IG0cRUnyTb9cOx+eNfvjvwMCQl+RuvRy4Cu8?=
	=?utf-8?q?2kXgqpBSzwaaJvUI4GL0twXVqrBczpYOG/g1LvJLDBUDV8zfw0QGhDs6AMRNsfENg?=
	=?utf-8?q?wEgXrvkcO93F06uQ1uOChhBXK4lkg+FVFjrOrmBDGranX9EeNk9VvZ6GyiBSQrVM7?=
	=?utf-8?q?uNiByRqlsdaY88BruvVieGNVdMiQ4Czt/66KVY49Qg+7XYCwHM8HNkbuyqXNoFfZ/?=
	=?utf-8?q?Gi2CZZyEDQEQLfrA9vW7E/G+UOJSIQPu/tOKJBMetrzqq6K7HsV9In/EcEydmOCRN?=
	=?utf-8?q?aJbhIkDQgrNODj+m+7Rfegqe4I0T2dI23UghVzWH9t7QKkQx9i9g0vNtEddCMvDIq?=
	=?utf-8?q?B63BvebbX6TCE+rI1tCP5dxM4HTXPhPAn3trtOIihe/Z+ZgZ6EBneAnzWGYzJ50f3?=
	=?utf-8?q?dnvbDiOtO39IqszamHG+8jJ5Cj1JG1+CqUPMEEg84C/XsnJwvCP1dOOlKXu7B9vKL?=
	=?utf-8?q?BZ8iXgkMYumYUjOcrVgvV/j5u+XxQf1uQVd7fYlqdshUpSbqRgMXMZVkGzhMgpyB6?=
	=?utf-8?q?FkTCJf0Jycg9PFeMntODK1S4xMKQRiiBbzxuwOT2mEg/YqytpXXdoAj46F+09ErsC?=
	=?utf-8?q?wgY1Ms8P97cjYcSU26LMHUFoi0N2M2bmpj6P77WX0WVpomhbTFpVNSoWjKwkC7+VG?=
	=?utf-8?q?YGmYcGAxtNiHqzftidKzRUX3YqW0LmkMARiIOBUt+mOK13morLZ6Lwl/yP5peoyIa?=
	=?utf-8?q?nsSmXlh/Mh1ULQQ74xd2ZaR6qBikFBLfapnrwv+ik/N9yucRS04Yb34lCzd0Bcn7U?=
	=?utf-8?q?NjlmI+/RrKRdg3nm1vjSFmjv6NGO0p1wNfPjjMHjJYdPO45tMvUJXgGhi+m28WHgr?=
	=?utf-8?q?ujnZpD1yMKMhVghXOfZwJCPOBNNm2Dy1klZ3ZXUa5AacIIjWA0Ue3o3Da9p0VJtAj?=
	=?utf-8?q?buA4q1JpwcS8YZBJLeLiHIkyBOJA8y0e4V+YDIkiapl9CzpbCEVJ7usZs9uqKPwBQ?=
	=?utf-8?q?lweOkmaOcDOaNH861fWwefB7ynR//Q9ZZaNeb5bzPGe36cL2InQlp8JwmRHwogXi+?=
	=?utf-8?q?8inmhUBmA6IeYt8U9HZRQwmmRUUMD+HndIx0pwsbOfiVNyb3yAUagd+GTtLULOSxZ?=
	=?utf-8?q?zLJZhzTh69JrghWeA7FiknzU9k5230L96xMtwvjurOwEYStW7MmEOaD60RSxwTln9?=
	=?utf-8?q?uf1aSDGCa/dWrynUBd9wOAkRTbHFaDpqMtqqfZ3AKEGiIYWyJvwuJKlTzN24qED60?=
	=?utf-8?q?tQnimSleZpR87+MOKANE2T3xNcM9s+PQIh6pWu2BH6EyKsLueQh779ilFqqA22x1F?=
	=?utf-8?q?XMyyKQYw5XDANRgTNnVH87xK9hsZf04iXSV0bGn2CdK7h32BLsLnCIvyc00uzO3j+?=
	=?utf-8?q?nraWlOtSviLOvR/ngr+To3GEmwsP5c9VIBvKZilxAV0amn8lGFv7iiNiSoD07IL+l?=
	=?utf-8?q?l2wy6h/8Q0V+?=
X-OriginatorOrg: suse.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 19b146e7-f195-4b6d-55c2-08dbb42b8468
X-MS-Exchange-CrossTenant-AuthSource: DU2PR04MB8790.eurprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Sep 2023 07:32:00.2497
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 A+kXmMOltB2lqD+stXgOPER9QI2vc7zaqVcX1NsEn0bAzG3VNoAHdhfVH6y66dDbLIfLq7YxysOmbIs1NRig8Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR04MB8756

Series

timer: fix NR_CPUS=1 build with gcc13 | expand

Commit Message

Jan Beulich Sept. 13, 2023, 7:31 a.m. UTC

Gcc13 apparently infers from "if ( old_cpu < new_cpu )" that "new_cpu"
is >= 1, and then (on x86) complains about "per_cpu(timers, new_cpu)"
exceeding __per_cpu_offset[]'s bounds (being an array of 1 in such a
configuration). Make the code conditional upon there being at least 2
CPUs configured (otherwise there simply is nothing to migrate [to]).

Signed-off-by: Jan Beulich <jbeulich@suse.com>

Comments

George Dunlap Sept. 13, 2023, 9:44 a.m. UTC | #1

On Wed, Sep 13, 2023 at 8:32 AM Jan Beulich <jbeulich@suse.com> wrote:
>
> Gcc13 apparently infers from "if ( old_cpu < new_cpu )" that "new_cpu"
> is >= 1, and then (on x86) complains about "per_cpu(timers, new_cpu)"
> exceeding __per_cpu_offset[]'s bounds (being an array of 1 in such a
> configuration). Make the code conditional upon there being at least 2
> CPUs configured (otherwise there simply is nothing to migrate [to]).

Hmm, without digging into it, migrate_timer() doesn't seem like very
robust code: It doesn't check to make sure that new_cpu is valid, nor
does it give the option of returning an error if anything fails.
Making migrate_timer() just do nothing on 1-cpu systems seems will
remove the warning, but not really make things safer.

Is this a super hot path?  Would it make more sense to add `||
(new_cpu > CONFIG_NR_CPUS)` to the early-return  conditional at the
top of the first `for (; ; )` loop?

I guess if we don't expect it ever to be called, it might be better to
get rid of the code entirely; but maybe in that case we should add
something like the following?

```
#else
    WARN_ONCE("migrate_timer: Request to move to %u on a single-core
system!", new_cpu);
    ASSERT_UNREACHABLE();
#endif
```

Thoughts?

 -George

Jan Beulich Sept. 13, 2023, 10:05 a.m. UTC | #2

On 13.09.2023 11:44, George Dunlap wrote:
> On Wed, Sep 13, 2023 at 8:32 AM Jan Beulich <jbeulich@suse.com> wrote:
>>
>> Gcc13 apparently infers from "if ( old_cpu < new_cpu )" that "new_cpu"
>> is >= 1, and then (on x86) complains about "per_cpu(timers, new_cpu)"
>> exceeding __per_cpu_offset[]'s bounds (being an array of 1 in such a
>> configuration). Make the code conditional upon there being at least 2
>> CPUs configured (otherwise there simply is nothing to migrate [to]).
> 
> Hmm, without digging into it, migrate_timer() doesn't seem like very
> robust code: It doesn't check to make sure that new_cpu is valid, nor
> does it give the option of returning an error if anything fails.

Question is - what do you expect the callers to do upon getting back
failure?

> Making migrate_timer() just do nothing on 1-cpu systems seems will
> remove the warning, but not really make things safer.
> 
> Is this a super hot path?

I don't think it is.

>  Would it make more sense to add `||
> (new_cpu > CONFIG_NR_CPUS)` to the early-return  conditional at the
> top of the first `for (; ; )` loop?

But that would mean not doing what was requested without any indication
to the caller. An out-of-range CPU passed in is generally very likely
to result in a crash, I think.

> I guess if we don't expect it ever to be called, it might be better to
> get rid of the code entirely; but maybe in that case we should add
> something like the following?
> 
> ```
> #else
>     WARN_ONCE("migrate_timer: Request to move to %u on a single-core
> system!", new_cpu);
>     ASSERT_UNREACHABLE();
> #endif
> ```

With the old_cpu == new_cpu case explicitly permitted (and that being
the only legal case when NR_CPUS=1, which arguably is an aspect which
makes gcc's diagnostic questionable), perhaps only

#else
    old_cpu = ...;
    if ( old_cpu != TIMER_CPU_status_killed )
        WARN_ON(new_cpu != old_cpu);
#endif

(I'm afraid we have no WARN_ON_ONCE() yet, nor WARN_ONCE())?

Jan

George Dunlap Sept. 13, 2023, 10:25 a.m. UTC | #3

On Wed, Sep 13, 2023 at 11:05 AM Jan Beulich <jbeulich@suse.com> wrote:
>
> On 13.09.2023 11:44, George Dunlap wrote:
> > On Wed, Sep 13, 2023 at 8:32 AM Jan Beulich <jbeulich@suse.com> wrote:
> >>
> >> Gcc13 apparently infers from "if ( old_cpu < new_cpu )" that "new_cpu"
> >> is >= 1, and then (on x86) complains about "per_cpu(timers, new_cpu)"
> >> exceeding __per_cpu_offset[]'s bounds (being an array of 1 in such a
> >> configuration). Make the code conditional upon there being at least 2
> >> CPUs configured (otherwise there simply is nothing to migrate [to]).
> >
> > Hmm, without digging into it, migrate_timer() doesn't seem like very
> > robust code: It doesn't check to make sure that new_cpu is valid, nor
> > does it give the option of returning an error if anything fails.
>
> Question is - what do you expect the callers to do upon getting back
> failure?

[snip]

> >  Would it make more sense to add `||
> > (new_cpu > CONFIG_NR_CPUS)` to the early-return  conditional at the
> > top of the first `for (; ; )` loop?
>
> But that would mean not doing what was requested without any indication
> to the caller. An out-of-range CPU passed in is generally very likely
> to result in a crash, I think.

If it's only off by a little bit, there's a good chance it might just
corrupt some other data, causing a crash further down the line, where
it's not obvious what went wrong.  Generally speaking, passing an
error up the stack, explicitly crashing, or explicitly doing nothing
with a warning to the console are all better options.

> > I guess if we don't expect it ever to be called, it might be better to
> > get rid of the code entirely; but maybe in that case we should add
> > something like the following?
> >
> > ```
> > #else
> >     WARN_ONCE("migrate_timer: Request to move to %u on a single-core
> > system!", new_cpu);
> >     ASSERT_UNREACHABLE();
> > #endif
> > ```
>
> With the old_cpu == new_cpu case explicitly permitted (and that being
> the only legal case when NR_CPUS=1, which arguably is an aspect which
> makes gcc's diagnostic questionable), perhaps only
>
> #else
>     old_cpu = ...;
>     if ( old_cpu != TIMER_CPU_status_killed )
>         WARN_ON(new_cpu != old_cpu);
> #endif
>
> (I'm afraid we have no WARN_ON_ONCE() yet, nor WARN_ONCE())?

I think I was looking for `printk_once`.

If there's no reasonable way to fail more gracefully (or no real point
in making the effort to do so), what if we add the following to the
top of the function?  Does that make gcc13 happy?

```
if ( new_cpu >= CONFIG_NR_CPUS )
{
    printk_once(/* whatever */);
    ASSERT_UNREACHABLE();
    return;
}
```

Or, if we feel like being passed an invalid cpu means the state is so
bad it would be better to just crash and have done with it:

```
  BUG_ON(new_cpu >= CONFIG_NR_CPUS);
```

 -George

Jan Beulich Sept. 14, 2023, 12:36 p.m. UTC | #4

On 13.09.2023 12:25, George Dunlap wrote:
> On Wed, Sep 13, 2023 at 11:05 AM Jan Beulich <jbeulich@suse.com> wrote:
>> On 13.09.2023 11:44, George Dunlap wrote:
>>> On Wed, Sep 13, 2023 at 8:32 AM Jan Beulich <jbeulich@suse.com> wrote:
>>>>
>>>> Gcc13 apparently infers from "if ( old_cpu < new_cpu )" that "new_cpu"
>>>> is >= 1, and then (on x86) complains about "per_cpu(timers, new_cpu)"
>>>> exceeding __per_cpu_offset[]'s bounds (being an array of 1 in such a
>>>> configuration). Make the code conditional upon there being at least 2
>>>> CPUs configured (otherwise there simply is nothing to migrate [to]).
>>>
>>> Hmm, without digging into it, migrate_timer() doesn't seem like very
>>> robust code: It doesn't check to make sure that new_cpu is valid, nor
>>> does it give the option of returning an error if anything fails.
>>
>> Question is - what do you expect the callers to do upon getting back
>> failure?
> 
> [snip]
> 
>>>  Would it make more sense to add `||
>>> (new_cpu > CONFIG_NR_CPUS)` to the early-return  conditional at the
>>> top of the first `for (; ; )` loop?
>>
>> But that would mean not doing what was requested without any indication
>> to the caller. An out-of-range CPU passed in is generally very likely
>> to result in a crash, I think.
> 
> If it's only off by a little bit, there's a good chance it might just
> corrupt some other data, causing a crash further down the line, where
> it's not obvious what went wrong.

In general I would agree. but __per_cpu_offset[] is quite special in
the values it holds. The data immediately following it would therefore
also need to have unusual values within relatively narrow a range for
a crash to not occur right away.

>  Generally speaking, passing an
> error up the stack, explicitly crashing, or explicitly doing nothing
> with a warning to the console are all better options.

I guess I'll go that route then, since ...

>>> I guess if we don't expect it ever to be called, it might be better to
>>> get rid of the code entirely; but maybe in that case we should add
>>> something like the following?
>>>
>>> ```
>>> #else
>>>     WARN_ONCE("migrate_timer: Request to move to %u on a single-core
>>> system!", new_cpu);
>>>     ASSERT_UNREACHABLE();
>>> #endif
>>> ```
>>
>> With the old_cpu == new_cpu case explicitly permitted (and that being
>> the only legal case when NR_CPUS=1, which arguably is an aspect which
>> makes gcc's diagnostic questionable), perhaps only
>>
>> #else
>>     old_cpu = ...;
>>     if ( old_cpu != TIMER_CPU_status_killed )
>>         WARN_ON(new_cpu != old_cpu);
>> #endif
>>
>> (I'm afraid we have no WARN_ON_ONCE() yet, nor WARN_ONCE())?
> 
> I think I was looking for `printk_once`.
> 
> If there's no reasonable way to fail more gracefully (or no real point
> in making the effort to do so), what if we add the following to the
> top of the function?  Does that make gcc13 happy?
> 
> ```
> if ( new_cpu >= CONFIG_NR_CPUS )
> {
>     printk_once(/* whatever */);
>     ASSERT_UNREACHABLE();
>     return;
> }
> ```

... this actually makes things worse (then the compiler complains about
old_cpu uses as array index), ...

> Or, if we feel like being passed an invalid cpu means the state is so
> bad it would be better to just crash and have done with it:
> 
> ```
>   BUG_ON(new_cpu >= CONFIG_NR_CPUS);
> ```

... and this, while it helps when then also done for old_cpu, seems too
hefty to me.

Just to mention it, 'asm volatile ( "" : "+g" (new_cpu) );' placed at
the right location also helps. That's effectively RELOC_HIDE(), which
we use to work around a gcc11 issue in the same area - see gcc11_wrap().

Jan

--- a/xen/common/timer.c
+++ b/xen/common/timer.c
@@ -356,6 +356,7 @@  bool timer_expires_before(struct timer *
 
 void migrate_timer(struct timer *timer, unsigned int new_cpu)
 {
+#if CONFIG_NR_CPUS > 1
     unsigned int old_cpu;
     bool_t active;
     unsigned long flags;
@@ -404,6 +405,7 @@  void migrate_timer(struct timer *timer,
 
     spin_unlock(&per_cpu(timers, old_cpu).lock);
     spin_unlock_irqrestore(&per_cpu(timers, new_cpu).lock, flags);
+#endif /* CONFIG_NR_CPUS > 1 */
 }

timer: fix NR_CPUS=1 build with gcc13

Commit Message

Comments

Patch