c18n: Export c18n statistics to procstat(1) and file (supersedes #2084) #2079
Conversation
struct proc *p;
struct cheri_c18n_info info;
int error;
void *buffer;
If you initialize this to NULL you don't need two labels for the exit path.
lib/libprocstat/libprocstat.c
Outdated
/*
 * Error handling here is wrong. If ENOEXEC, really want to print
 * output indicating no information, which this function signature
 * doesn't currently support. This is because the process probably
 * simply doesn't have c18n in use
 */
name[0] = CTL_KERN;
name[1] = KERN_PROC;
name[2] = KERN_PROC_C18N;
name[3] = kp->ki_pid;
error = sysctl(name, nitems(name), *pp, lenp, NULL, 0);
if (error != 0 && errno != ESRCH && errno != EPERM &&
    errno != ENOEXEC) {
	warn("sysctl(kern.proc.c18n)");
	goto out_free;
}
if (error != 0)
	goto out_free;
return (0);
@rwatson Do we need to fix the error handling here?
Does it make sense to include the environment variable version once procstat is available?
Please fix the "line over 80 characters" style warnings.
Yes. The env var version allows the stats to persist after the process exits, which will be useful for benchmarks.
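The review comment above points out that the libprocstat helper's signature cannot tell "this process has no c18n information" (ENOEXEC) apart from a real failure, so both end up on the same error path. The following is an added example, not code from this PR or from CheriBSD, of a tri-state result for the kern.proc.c18n lookup. The sysctl(3) call is passed in as a function pointer so the logic can run off a CheriBSD host; the numeric value used for KERN_PROC_C18N when the header does not define it, the size-probe-then-fetch protocol, and the fake sysctl with its three constructed pids are all assumptions of the example.

```c
/*
 * Added example (not from the CheriBSD PR): distinguish "no c18n info"
 * from "lookup failed" when reading kern.proc.c18n for one pid.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as sysctl(3); injected so the code runs without the kernel. */
typedef int (*sysctl_fn)(const int *name, unsigned int namelen,
    void *oldp, size_t *oldlenp, const void *newp, size_t newlen);

enum c18n_status { C18N_OK, C18N_NONE, C18N_ERR };

/* Placeholder MIB numbers; on CheriBSD these come from <sys/sysctl.h>. */
#ifndef CTL_KERN
#define CTL_KERN 1
#endif
#ifndef KERN_PROC
#define KERN_PROC 14
#endif
#ifndef KERN_PROC_C18N
#define KERN_PROC_C18N 1000	/* assumed value, for illustration only */
#endif

/*
 * Fetch the c18n record for pid. On C18N_OK *bufp holds a malloc'd buffer
 * of *lenp bytes that the caller frees. On C18N_NONE nothing is allocated
 * and *errp explains why: ESRCH (gone), EPERM (not ours) or ENOEXEC (the
 * process does not use c18n), which procstat should report as "no info".
 */
enum c18n_status
c18n_fetch(sysctl_fn sc, int pid, void **bufp, size_t *lenp, int *errp)
{
	int name[4] = { CTL_KERN, KERN_PROC, KERN_PROC_C18N, pid };
	void *buf = NULL;	/* NULL-initialised: one exit label suffices */
	size_t len = 0;
	enum c18n_status st = C18N_ERR;

	*bufp = NULL;
	*lenp = 0;
	*errp = 0;

	/* Probe the size, allocate, fetch; retry if the record grew meanwhile. */
	for (int tries = 0; tries < 4; tries++) {
		if (sc(name, 4, NULL, &len, NULL, 0) != 0)
			goto out;
		void *nbuf = realloc(buf, len);
		if (nbuf == NULL) {
			errno = ENOMEM;
			goto out;
		}
		buf = nbuf;
		if (sc(name, 4, buf, &len, NULL, 0) == 0) {
			*bufp = buf;
			*lenp = len;
			return (C18N_OK);
		}
		if (errno != ENOMEM)
			goto out;
	}
	errno = ENOMEM;
out:
	*errp = errno;
	free(buf);
	if (*errp == ESRCH || *errp == EPERM || *errp == ENOEXEC)
		st = C18N_NONE;
	return (st);
}

/* What a procstat-style column would show for each outcome. */
const char *
c18n_describe(enum c18n_status st, int err)
{
	if (st == C18N_OK)
		return ("c18n statistics available");
	if (st == C18N_NONE)
		return (err == ENOEXEC ? "-" :
		    err == ESRCH ? "process exited" : "permission denied");
	return (strerror(err));
}

/*
 * Constructed stand-in for sysctl(3): pid 1 has a 16-byte record,
 * pid 2 does not use c18n (ENOEXEC), pid 3 does not exist (ESRCH).
 */
static int
fake_sysctl(const int *name, unsigned int namelen, void *oldp,
    size_t *oldlenp, const void *newp, size_t newlen)
{
	static const unsigned char rec[16] = { 0x2a, 0, 0, 0, 1, 0, 0, 0 };

	(void)newp;
	(void)newlen;
	if (namelen != 4 || name[2] != KERN_PROC_C18N) {
		errno = ENOENT;
		return (-1);
	}
	switch (name[3]) {
	case 1:
		if (oldp == NULL) {
			*oldlenp = sizeof(rec);
			return (0);
		}
		if (*oldlenp < sizeof(rec)) {
			errno = ENOMEM;
			return (-1);
		}
		memcpy(oldp, rec, sizeof(rec));
		*oldlenp = sizeof(rec);
		return (0);
	case 2:
		errno = ENOEXEC;
		return (-1);
	case 3:
		errno = ESRCH;
		return (-1);
	default:
		errno = EINVAL;
		return (-1);
	}
}

int
main(void)
{
	int pids[] = { 1, 2, 3, 99 };

	for (size_t i = 0; i < sizeof(pids) / sizeof(pids[0]); i++) {
		void *buf;
		size_t len;
		int err;
		enum c18n_status st = c18n_fetch(fake_sysctl, pids[i],
		    &buf, &len, &err);

		printf("pid %d: %s (%zu bytes)\n", pids[i],
		    c18n_describe(st, err), len);
		free(buf);
	}
	return (0);
}
```

Only C18N_ERR reaches warn(); C18N_NONE lets the caller print a placeholder row instead of aborting the listing, which is the behaviour the original comment asks for.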
Nits mostly.
Exposes LD_COMPARTMENT_STATS that exports a set of compartmentalisation-related statistics to a user-specified file.
Co-authored-by: Dapeng Gao <dapeng.gao@cl.cam.ac.uk>
@@ -400,6 +400,13 @@ TRAMP(tramp_update_fp_untagged)
clrtag c29, TRUSTED_STACK_C
TRAMPEND(tramp_update_fp_untagged)


TRAMP(tramp_count_entry)
1: ldr c24, #0 /* To be patched at runtime */
stadd w25, [c24]
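Review bot: the `stadd w25, [c24]` in tramp_count_entry adds a register whose value is produced by a `gctag x25, c30` in an earlier fragment that is not in this hunk, and the fragment carries no comment recording that contract; state it at the TRAMP header (for example `/* w25: tag bit of c30, assumed 1 */`) so a later change to the GCTAG destination register does not silently turn the counter into garbage, and note that the increment is wrong for an untagged return capability rather than only for an ill-behaved program. The `ldr c24, #0 /* To be patched at runtime */` placeholder also needs a comment saying where the patch is applied and how the trampoline text is made writable for it and returned to execute-only afterwards, since a runtime-patched immediate in executable code is exactly the kind of W^X exception a reader will want to see justified.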
Where does this w25 come from?
From the gctag x25, c30 above, and we can assume that it is always 1. This is done to save instructions and assumes that the program is well-behaved.
Firstly, these things have to be commented. There are so many of these implicit dependencies floating around within and across trampoline fragments that it's really hard to keep track of them all, and it's just asking for someone to break this in future by using a different register for the GCTAG (which would be reasonable, because who would expect it to be used many instructions later?). Secondly, having an untagged return capability seems a totally valid thing to do if you're making a call to a function that won't return. I don't think you can currently easily end up with it from a compiler, but I see no reason why it wouldn't be valid.
Edit: The c18n statistics part of this PR is a bit stalled, so I pulled out the interrupt-safe changes to #2090 which will hopefully get merged soon.
This PR builds upon #2012 and #2032 and the real content is in the very last commit entitled "c18n: Rework implementation to be interrupt-safe". This is not meant to be merged but is a stable implementation needing feedback. I do hope it can be merged in the next release if time permits.

This commit completely refactors the trampoline and how stack switching works. The purecap and benchmark ABI implementations now both use a dedicated register to store the trusted stack (ddc and rddc respectively). This makes the trampolines look identical (modulo register names) on both ABIs. No metadata recording the current top of the stack is stored at the bottom of each compartment's stack. Instead, the stack lookup table now stores that information.

The signal handling mechanism has been rewritten to handle (rare) cases where c18n code, in particular trampolines, is interrupted. All c18n code paths that could be interrupted have been audited and it is believed that they can all be handled correctly, although testing for that is hard.

This PR modifies #2080 to export a slightly different set of statistics:

It exposes the environment variable LD_COMPARTMENT_STATS, which allows a struct containing the above statistics to be exported to a file.