
[PULL,3/5] exec: Support 64-bit operations in address_space_rw

Message ID 51E67B7A.8000800@redhat.com
State New

Commit Message

Paolo Bonzini July 17, 2013, 11:09 a.m. UTC
On 17/07/2013 11:50, Markus Armbruster wrote:
> Richard Henderson <rth@twiddle.net> writes:
> 
>> Honor the implementation maximum access size, and at least check
>> the minimum access size.
>>
>> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
>> Signed-off-by: Richard Henderson <rth@twiddle.net>
> 
> Fails for me:
> 
> qemu-system-x86_64: /work/armbru/qemu/exec.c:1927: memory_access_size: Assertion `l >= access_size_min' failed.

This:

    unsigned access_size_min = mr->ops->impl.min_access_size;
    unsigned access_size_max = mr->ops->impl.max_access_size;

must be respectively:

    unsigned access_size_min = 1;
    unsigned access_size_max = mr->ops->valid.max_access_size;

access_size_min can be 1 because erroneous accesses must not crash 
QEMU, they should trigger exceptions in the guest or just return 
garbage (depending on the CPU).  I'm not sure I understand the comment:
placing a 4-byte field at the last byte of a region makes no sense
(unless impl.unaligned is true).

access_size_max can be mr->ops->valid.max_access_size because memory.c 
can and will still break accesses bigger than 
mr->ops->impl.max_access_size.

Markus, can you try the minimal patch above?  Or this one that also
does the consequent simplifications.


Paolo

Comments

Richard Henderson July 17, 2013, 1:23 p.m. UTC | #1
On 07/17/2013 04:09 AM, Paolo Bonzini wrote:
>>
>> Fails for me:
>>
>> qemu-system-x86_64: /work/armbru/qemu/exec.c:1927: memory_access_size: Assertion `l >= access_size_min' failed.
> 
> This:
> 
>     unsigned access_size_min = mr->ops->impl.min_access_size;
>     unsigned access_size_max = mr->ops->impl.max_access_size;
> 
> must be respectively:
> 
>     unsigned access_size_min = 1;
>     unsigned access_size_max = mr->ops->valid.max_access_size;
> 
> access_size_min can be 1 because erroneous accesses must not crash 
> QEMU, they should trigger exceptions in the guest or just return 
> garbage (depending on the CPU).  I'm not sure I understand the comment:
> placing a 4-byte field at the last byte of a region makes no sense
> (unless impl.unaligned is true).
> 
> access_size_max can be mr->ops->valid.max_access_size because memory.c 
> can and will still break accesses bigger than 
> mr->ops->impl.max_access_size.
> 
> Markus, can you try the minimal patch above?  Or this one that also
> does the consequent simplifications.

NAK.

If you remove the check here, you're just trading it for one in the device.
The device told you that it can't support a 1 byte read.  (Either that, or the
device incorrectly reported what it can actually do.)

The proper fix is to change the interface of memory_access_size such that it
can report errors.  Indeed, very likely we should change it and its callers to
also support over-sized reads, like access_with_adjusted_size in memory.c.


r~
Paolo Bonzini July 17, 2013, 1:45 p.m. UTC | #2
On 17/07/2013 15:23, Richard Henderson wrote:
> On 07/17/2013 04:09 AM, Paolo Bonzini wrote:
>>>
>>> Fails for me:
>>>
>>> qemu-system-x86_64: /work/armbru/qemu/exec.c:1927: memory_access_size: Assertion `l >= access_size_min' failed.
>>
>> This:
>>
>>     unsigned access_size_min = mr->ops->impl.min_access_size;
>>     unsigned access_size_max = mr->ops->impl.max_access_size;
>>
>> must be respectively:
>>
>>     unsigned access_size_min = 1;
>>     unsigned access_size_max = mr->ops->valid.max_access_size;
>>
>> access_size_min can be 1 because erroneous accesses must not crash 
>> QEMU, they should trigger exceptions in the guest or just return 
>> garbage (depending on the CPU).  I'm not sure I understand the comment:
>> placing a 4-byte field at the last byte of a region makes no sense
>> (unless impl.unaligned is true).
>>
>> access_size_max can be mr->ops->valid.max_access_size because memory.c 
>> can and will still break accesses bigger than 
>> mr->ops->impl.max_access_size.
>>
>> Markus, can you try the minimal patch above?  Or this one that also
>> does the consequent simplifications.
> 
> NAK.
> 
> If you remove the check here, you're just trading it for one in the device.
> The device told you that it can't support a 1 byte read.  (Either that, or the
> device incorrectly reported what it can actually do.)

There are two parts to this.

First of all, mr->ops->impl.min_access_size is definitely wrong.  The
device told me that the MMIO functions only know about 2-byte accesses,
but that it _can_ support 1-, 2- and 4- byte reads (with coalescing done
by memory.c).  So I could change access_size_min to
mr->ops->valid.min_access_size, which would also fix Markus's problem.

But then, accesses smaller than mr->ops->valid.min_access_size are fine,
they just result in exceptions or garbage reads (depending on the CPU).
address_space_rw reports these errors just fine; memory_access_size's
only purpose is to split address_space_rw's MMIO writes in a sensible
manner.  There is no error reporting because it is done in memory.c.

In fact, I'm not even sure if users of memory_access_size (DMA to an
MMIO destination) exist in real hardware.  I'm curious if "BSAVE"ing
16-color EGA graphics works with a modern graphic card and a BIOS that
doesn't use PIO.

Paolo

> The proper fix is to change the interface of memory_access_size such that it
> can report errors.  Indeed, very likely we should change it and its callers to
> also support over-sized reads, like access_with_adjusted_size in memory.c.
> 
> 
> r~
>
Richard Henderson July 17, 2013, 2:29 p.m. UTC | #3
On 07/17/2013 06:45 AM, Paolo Bonzini wrote:
>> NAK.
>>
>> If you remove the check here, you're just trading it for one in the device.
>> The device told you that it can't support a 1 byte read.  (Either that, or the
>> device incorrectly reported what it can actually do.)
> 
> There are two parts to this.
> 
> First of all, mr->ops->impl.min_access_size is definitely wrong.  The
> device told me that the MMIO functions only know about 2-byte accesses,
> but that it _can_ support 1-, 2- and 4- byte reads (with coalescing done
> by memory.c). 

I don't know enough about the specific device (or even which device it was)
to know whether the IMPL and VALID fields are correct.

> So I could change access_size_min to
> mr->ops->valid.min_access_size, which would also fix Markus's problem.

No, you can't.  At least not without changing all of the callers.

If you do as you suggest, the callers will invoke the device with a value of
SIZE that is illegal according to IMPL.  We might as well crash now rather than later.

There are three possible solutions:

(1) Return an error from memory_access_size, change the callers to propagate
    the error in some fashion.  This isn't ideal, since in this case VALID
    indicates that the guest access is correct.

(2) Return the implementation minimum, change the callers to interact with
    the device using that minimum.  With this scenario, we should likely
    share code with access_with_adjusted_size.

(3) Determine that the device's impl.min_access_size is wrong and adjust it.

Responding to your earlier

> erroneous accesses must not crash 
> QEMU, they should trigger exceptions in the guest or just return 
> garbage (depending on the CPU).

I completely agree -- if we were talking about VALID.  Since this is IMPL, it's
not an "erroneous access", but rather QEMU not being self-consistent.
And for internal logic errors, we've got asserts and aborts all over.


r~
Paolo Bonzini July 17, 2013, 2:41 p.m. UTC | #4
On 17/07/2013 16:29, Richard Henderson wrote:
> On 07/17/2013 06:45 AM, Paolo Bonzini wrote:
>>> NAK.
>>>
>>> If you remove the check here, you're just trading it for one in the device.
>>> The device told you that it can't support a 1 byte read.  (Either that, or the
>>> device incorrectly reported what it can actually do.)
>>
>> There are two parts to this.
>>
>> First of all, mr->ops->impl.min_access_size is definitely wrong.  The
>> device told me that the MMIO functions only know about 2-byte accesses,
>> but that it _can_ support 1-, 2- and 4- byte reads (with coalescing done
>> by memory.c). 
> 
> I don't know enough about the specific device (or even which device it was)
> to know whether the IMPL and VALID fields are correct.

They are correct.  The device was usb-uhci, FWIW.

>> So I could change access_size_min to
>> mr->ops->valid.min_access_size, which would also fix Markus's problem.
> 
> No, you can't.  At least not without changing all of the callers.
> 
> If you do as you suggest, the callers will invoke the device with a value of
> SIZE that is illegal according to IMPL.  We might as well crash now rather than later.

No, it won't.  access_with_adjusted_size will take care of taking a size
that IMPL rejects, and producing one or more accesses in a size that
IMPL accepts.

Now of course access_with_adjusted_size may have bugs handling
misaligned addresses.  That's possible.

> There are three possible solutions:
> 
> (1) Return an error from memory_access_size, change the callers to propagate
>     the error in some fashion.  This isn't ideal, since in this case VALID
>     indicates that the guest access is correct.

Agreed.

> (2) Return the implementation minimum, change the callers to interact with
>     the device using that minimum.  With this scenario, we should likely
>     share code with access_with_adjusted_size.

I think you misunderstand what the impl.*_access_size are.
impl.min/max_access_size is a private interface between the device and
memory.c, to avoid having code all over the place to combine/split MMIO
accesses.  The public interface of the device is valid.*_access_size.

>> erroneous accesses must not crash 
>> QEMU, they should trigger exceptions in the guest or just return 
>> garbage (depending on the CPU).
> 
> I completely agree -- if we were talking about VALID.  Since this is IMPL, it's
> not an "erroneous access", but rather QEMU not being self-consistent.

Actually, no, for two reasons:

- address_space_rw memory accesses are exactly the same as memory
accesses started by the guest.  In many cases, they use addr/range pairs
passed directly by the guest.  It is not acceptable to crash on these.

- as said above, impl.*_access_size is not visible outside the device
itself, the public interface of the device is valid.*_access_size.

Paolo
Anthony Liguori July 17, 2013, 3:50 p.m. UTC | #5
Paolo Bonzini <pbonzini@redhat.com> writes:

> On 17/07/2013 11:50, Markus Armbruster wrote:
>> Richard Henderson <rth@twiddle.net> writes:
>> 
>>> Honor the implementation maximum access size, and at least check
>>> the minimum access size.
>>>
>>> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
>>> Signed-off-by: Richard Henderson <rth@twiddle.net>
>> 
>> Fails for me:
>> 
>> qemu-system-x86_64: /work/armbru/qemu/exec.c:1927: memory_access_size: Assertion `l >= access_size_min' failed.
>
> This:
>
>     unsigned access_size_min = mr->ops->impl.min_access_size;
>     unsigned access_size_max = mr->ops->impl.max_access_size;
>
> must be respectively:
>
>     unsigned access_size_min = 1;
>     unsigned access_size_max = mr->ops->valid.max_access_size;
>
> access_size_min can be 1 because erroneous accesses must not crash 
> QEMU, they should trigger exceptions in the guest or just return 
> garbage (depending on the CPU).  I'm not sure I understand the comment:
> placing a 4-byte field at the last byte of a region makes no sense
> (unless impl.unaligned is true).
>
> access_size_max can be mr->ops->valid.max_access_size because memory.c 
> can and will still break accesses bigger than 
> mr->ops->impl.max_access_size.
>
> Markus, can you try the minimal patch above?  Or this one that also
> does the consequent simplifications.

FYI, the reproducer is very simple:

qemu-system-x86_64 -usb

Regards,

Anthony Liguori

>
> diff --git a/exec.c b/exec.c
> index c99a883..0904283 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -1898,14 +1898,8 @@ static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
>  
>  static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
>  {
> -    unsigned access_size_min = mr->ops->impl.min_access_size;
> -    unsigned access_size_max = mr->ops->impl.max_access_size;
> +    unsigned access_size_max = mr->ops->valid.max_access_size;
>  
> -    /* Regions are assumed to support 1-4 byte accesses unless
> -       otherwise specified.  */
> -    if (access_size_min == 0) {
> -        access_size_min = 1;
> -    }
>      if (access_size_max == 0) {
>          access_size_max = 4;
>      }
> @@ -1922,9 +1916,6 @@ static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
>      if (l > access_size_max) {
>          l = access_size_max;
>      }
> -    /* ??? The users of this function are wrong, not supporting minimums larger
> -       than the remaining length.  C.f. memory.c:access_with_adjusted_size.  */
> -    assert(l >= access_size_min);
>  
>      return l;
>  }
>
> Paolo
Paolo Bonzini July 17, 2013, 5:32 p.m. UTC | #6
On 17/07/2013 17:50, Anthony Liguori wrote:
> Paolo Bonzini <pbonzini@redhat.com> writes:
> 
>> On 17/07/2013 11:50, Markus Armbruster wrote:
>>> Richard Henderson <rth@twiddle.net> writes:
>>>
>>>> Honor the implementation maximum access size, and at least check
>>>> the minimum access size.
>>>>
>>>> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
>>>> Signed-off-by: Richard Henderson <rth@twiddle.net>
>>>
>>> Fails for me:
>>>
>>> qemu-system-x86_64: /work/armbru/qemu/exec.c:1927: memory_access_size: Assertion `l >= access_size_min' failed.
>>
>> This:
>>
>>     unsigned access_size_min = mr->ops->impl.min_access_size;
>>     unsigned access_size_max = mr->ops->impl.max_access_size;
>>
>> must be respectively:
>>
>>     unsigned access_size_min = 1;
>>     unsigned access_size_max = mr->ops->valid.max_access_size;
>>
>> access_size_min can be 1 because erroneous accesses must not crash 
>> QEMU, they should trigger exceptions in the guest or just return 
>> garbage (depending on the CPU).  I'm not sure I understand the comment:
>> placing a 4-byte field at the last byte of a region makes no sense
>> (unless impl.unaligned is true).
>>
>> access_size_max can be mr->ops->valid.max_access_size because memory.c 
>> can and will still break accesses bigger than 
>> mr->ops->impl.max_access_size.
>>
>> Markus, can you try the minimal patch above?  Or this one that also
>> does the consequent simplifications.
> 
> FYI, the reproducer is very simple:
> 
> qemu-system-x86_64 -usb

My patch works.

Paolo

> Regards,
> 
> Anthony Liguori
> 
>>
>> diff --git a/exec.c b/exec.c
>> index c99a883..0904283 100644
>> --- a/exec.c
>> +++ b/exec.c
>> @@ -1898,14 +1898,8 @@ static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
>>  
>>  static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
>>  {
>> -    unsigned access_size_min = mr->ops->impl.min_access_size;
>> -    unsigned access_size_max = mr->ops->impl.max_access_size;
>> +    unsigned access_size_max = mr->ops->valid.max_access_size;
>>  
>> -    /* Regions are assumed to support 1-4 byte accesses unless
>> -       otherwise specified.  */
>> -    if (access_size_min == 0) {
>> -        access_size_min = 1;
>> -    }
>>      if (access_size_max == 0) {
>>          access_size_max = 4;
>>      }
>> @@ -1922,9 +1916,6 @@ static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
>>      if (l > access_size_max) {
>>          l = access_size_max;
>>      }
>> -    /* ??? The users of this function are wrong, not supporting minimums larger
>> -       than the remaining length.  C.f. memory.c:access_with_adjusted_size.  */
>> -    assert(l >= access_size_min);
>>  
>>      return l;
>>  }
>>
>> Paolo
>
Richard Henderson July 17, 2013, 6:26 p.m. UTC | #7
On 07/17/2013 10:32 AM, Paolo Bonzini wrote:
> My patch works.

Your patch doesn't crash for this device, which isn't quite the same thing.

But it's certainly no worse than we had before my patch, so I'll not object so
long as a fixme sort of comment is installed too.


r~
Anthony Liguori July 17, 2013, 6:28 p.m. UTC | #8
Paolo Bonzini <pbonzini@redhat.com> writes:

> On 17/07/2013 17:50, Anthony Liguori wrote:
>> Paolo Bonzini <pbonzini@redhat.com> writes:
>> 
>>> On 17/07/2013 11:50, Markus Armbruster wrote:
>>>> Richard Henderson <rth@twiddle.net> writes:
>>>>
>>>>> Honor the implementation maximum access size, and at least check
>>>>> the minimum access size.
>>>>>
>>>>> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
>>>>> Signed-off-by: Richard Henderson <rth@twiddle.net>
>>>>
>>>> Fails for me:
>>>>
>>>> qemu-system-x86_64: /work/armbru/qemu/exec.c:1927: memory_access_size: Assertion `l >= access_size_min' failed.
>>>
>>> This:
>>>
>>>     unsigned access_size_min = mr->ops->impl.min_access_size;
>>>     unsigned access_size_max = mr->ops->impl.max_access_size;
>>>
>>> must be respectively:
>>>
>>>     unsigned access_size_min = 1;
>>>     unsigned access_size_max = mr->ops->valid.max_access_size;
>>>
>>> access_size_min can be 1 because erroneous accesses must not crash 
>>> QEMU, they should trigger exceptions in the guest or just return 
>>> garbage (depending on the CPU).  I'm not sure I understand the comment:
>>> placing a 4-byte field at the last byte of a region makes no sense
>>> (unless impl.unaligned is true).
>>>
>>> access_size_max can be mr->ops->valid.max_access_size because memory.c 
>>> can and will still break accesses bigger than 
>>> mr->ops->impl.max_access_size.
>>>
>>> Markus, can you try the minimal patch above?  Or this one that also
>>> does the consequent simplifications.
>> 
>> FYI, the reproducer is very simple:
>> 
>> qemu-system-x86_64 -usb
>
> My patch works.

Yes, can you send a SoB and submit as a top level?

Right now uhci is completely broken.

Regards,

Anthony Liguori

>
> Paolo
>
>> Regards,
>> 
>> Anthony Liguori
>> 
>>>
>>> diff --git a/exec.c b/exec.c
>>> index c99a883..0904283 100644
>>> --- a/exec.c
>>> +++ b/exec.c
>>> @@ -1898,14 +1898,8 @@ static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
>>>  
>>>  static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
>>>  {
>>> -    unsigned access_size_min = mr->ops->impl.min_access_size;
>>> -    unsigned access_size_max = mr->ops->impl.max_access_size;
>>> +    unsigned access_size_max = mr->ops->valid.max_access_size;
>>>  
>>> -    /* Regions are assumed to support 1-4 byte accesses unless
>>> -       otherwise specified.  */
>>> -    if (access_size_min == 0) {
>>> -        access_size_min = 1;
>>> -    }
>>>      if (access_size_max == 0) {
>>>          access_size_max = 4;
>>>      }
>>> @@ -1922,9 +1916,6 @@ static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
>>>      if (l > access_size_max) {
>>>          l = access_size_max;
>>>      }
>>> -    /* ??? The users of this function are wrong, not supporting minimums larger
>>> -       than the remaining length.  C.f. memory.c:access_with_adjusted_size.  */
>>> -    assert(l >= access_size_min);
>>>  
>>>      return l;
>>>  }
>>>
>>> Paolo
>>
Paolo Bonzini July 17, 2013, 6:57 p.m. UTC | #9
On 17/07/2013 20:26, Richard Henderson wrote:
> On 07/17/2013 10:32 AM, Paolo Bonzini wrote:
>> My patch works.
> 
> Your patch doesn't crash for this device, which isn't quite the same thing.
> 
> But it's certainly no worse than we had before my patch, so I'll not object so
> long as a fixme sort of comment is installed too.

I'm still not sure what the bug is (so what the FIXME comment would
be)... except of course that there may be a bug in access_with_adjusted_size.

Paolo
Richard Henderson July 17, 2013, 7:28 p.m. UTC | #10
On 07/17/2013 11:57 AM, Paolo Bonzini wrote:
> I'm still not sure what the bug is (so what the FIXME comment would
> be)... except of course that there may be a bug in access_with_adjusted_size.

The code here in exec.c is not using access_with_adjusted_size.

Unfortunately, access_with_adjusted_size only handles single copies,
one direction at a time.  We're attempting a sort of "memcpy", which
calls for some amount of caching across the loop...


r~
Paolo Bonzini July 17, 2013, 7:56 p.m. UTC | #11
On 17/07/2013 21:28, Richard Henderson wrote:
> On 07/17/2013 11:57 AM, Paolo Bonzini wrote:
>> I'm still not sure what the bug is (so what the FIXME comment would
>> be)... except of course that there may be a bug in access_with_adjusted_size.
> 
> The code here in exec.c is not using access_with_adjusted_size.

It is:

cpu_outb
-> address_space_write
-> address_space_rw
-> io_mem_write
-> memory_region_dispatch_write
-> access_with_adjusted_size

memory_access_size is just returning a length that makes sense when
passed to io_mem_write and ultimately to access_with_adjusted_size.

Paolo

> Unfortunately, access_with_adjusted_size only handles single copies,
> one direction at a time.  We're attempting a sort of "memcpy", which
> calls for some amount of caching across the loop...
> 
> 
> r~
>
Richard Henderson July 17, 2013, 8:05 p.m. UTC | #12
On 07/17/2013 12:56 PM, Paolo Bonzini wrote:
> It is:
> 
> cpu_outb
> -> address_space_write
> -> address_space_rw
> -> io_mem_write
> -> memory_region_dispatch_write
> -> access_with_adjusted_size
> 
> memory_access_size is just returning a length that makes sense when
> passed to io_mem_write and ultimately to access_with_adjusted_size.

Ah, ok.  Sorry for being dense about the full context here.

I agree ignoring impl.minimum is ok here, since a real assert ought
to be lower down in access_with_adjusted_size, right before actually
dispatching to the device code.


r~

Patch

diff --git a/exec.c b/exec.c
index c99a883..0904283 100644
--- a/exec.c
+++ b/exec.c
@@ -1898,14 +1898,8 @@  static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
 
 static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
 {
-    unsigned access_size_min = mr->ops->impl.min_access_size;
-    unsigned access_size_max = mr->ops->impl.max_access_size;
+    unsigned access_size_max = mr->ops->valid.max_access_size;
 
-    /* Regions are assumed to support 1-4 byte accesses unless
-       otherwise specified.  */
-    if (access_size_min == 0) {
-        access_size_min = 1;
-    }
     if (access_size_max == 0) {
         access_size_max = 4;
     }
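Review bot: the remaining `if (access_size_max == 0) { access_size_max = 4; }` fallback loses its explanation in this hunk, because the "Regions are assumed to support 1-4 byte accesses unless otherwise specified" comment is deleted together with access_size_min; keep a one-line comment on the default that survives. The switch from `mr->ops->impl.max_access_size` to `mr->ops->valid.max_access_size` also deserves a comment stating the reasoning from the thread, that memory.c (access_with_adjusted_size) splits anything above impl.max_access_size, since the FIXME-style note Richard asked for as the condition for not objecting is not in the hunk.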
@@ -1922,9 +1916,6 @@  static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
     if (l > access_size_max) {
         l = access_size_max;
     }
-    /* ??? The users of this function are wrong, not supporting minimums larger
-       than the remaining length.  C.f. memory.c:access_with_adjusted_size.  */
-    assert(l >= access_size_min);
 
     return l;
 }
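Review bot: with the `assert(l >= access_size_min)` gone, memory_access_size can return an `l` smaller than `mr->ops->valid.min_access_size` (a short tail of the buffer, or a caller passing a short length) and nothing in this hunk records that the lower bound is now expected to be enforced or reported further down; add a comment at the `return l;` saying that sizes below the region's minimum are left to memory_region_dispatch_read/write and access_with_adjusted_size, as the thread concludes, so the next reader does not reintroduce the assert here. The deleted "??? The users of this function are wrong" comment should be replaced rather than dropped outright, since the misaligned-address concern raised for access_with_adjusted_size is still open.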