Re: [PULL 21/30] target/riscv: Implement privilege mode filtering for cy
From: Peter Maydell
Subject: Re: [PULL 21/30] target/riscv: Implement privilege mode filtering for cycle/instret
Date: Sat, 20 Jul 2024 15:43:50 +0100

On Thu, 18 Jul 2024 at 03:12, Alistair Francis <alistair23@gmail.com> wrote:
>
> From: Atish Patra <atishp@rivosinc.com>
>
> Privilege mode filtering can also be emulated for cycle/instret by
> tracking host_ticks/icount during each privilege mode switch. This
> patch implements that for both cycle/instret and mhpmcounters. The
> first one requires Smcntrpmf while the other one requires Sscofpmf
> to be enabled.
>
> The cycle/instret are still computed using host ticks when icount
> is not enabled. Otherwise, they are computed using raw icount which
> is more accurate in icount mode.

Hi; Coverity points out some possible issues with this patch
(CID 1558459, 1558462):

> +typedef struct PMUFixedCtrState {
> + /* Track cycle and icount for each privilege mode */
> + uint64_t counter[4];
> + uint64_t counter_prev[4];
> + /* Track cycle and icount for each privilege mode when V = 1*/
> + uint64_t counter_virt[2];
> + uint64_t counter_virt_prev[2];
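Review bot: counter_virt[2] and counter_virt_prev[2] are sized with a bare literal, and the comment above them does not say which privilege values are valid indexes, while counter[4] and counter_prev[4] just above take the full range. Suggest a named constant for the size and a comment stating which index maps to which mode when V = 1, so that any code indexing these arrays has a documented bound to check against. Style: the comment ends "V = 1*/" with no space before the closing marker.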

These two arrays are defined with size 2...

> +static void riscv_pmu_icount_update_priv(CPURISCVState *env,
> + target_ulong newpriv, bool new_virt)
> +{
> + uint64_t *snapshot_prev, *snapshot_new;
> + uint64_t current_icount;
> + uint64_t *counter_arr;
> + uint64_t delta;
> +
> + if (icount_enabled()) {
> + current_icount = icount_get_raw();
> + } else {
> + current_icount = cpu_get_host_ticks();
> + }
> +
> + if (env->virt_enabled) {
> + counter_arr = env->pmu_fixed_ctrs[1].counter_virt;
> + snapshot_prev = env->pmu_fixed_ctrs[1].counter_virt_prev;
> + } else {
> + counter_arr = env->pmu_fixed_ctrs[1].counter;
> + snapshot_prev = env->pmu_fixed_ctrs[1].counter_prev;
> + }
> +
> + if (new_virt) {
> + snapshot_new = env->pmu_fixed_ctrs[1].counter_virt_prev;
> + } else {
> + snapshot_new = env->pmu_fixed_ctrs[1].counter_prev;
> + }
> +
> + /*
> + * new_priv can be same as env->priv. So we need to calculate
> + * delta first before updating snapshot_new[new_priv].
> + */
> + delta = current_icount - snapshot_prev[env->priv];
> + snapshot_new[newpriv] = current_icount;
> +
> + counter_arr[env->priv] += delta;
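Review bot: missing bounds check in riscv_pmu_icount_update_priv(): when env->virt_enabled or new_virt is set, counter_arr, snapshot_prev and snapshot_new point at the two-element counter_virt / counter_virt_prev arrays, yet "snapshot_prev[env->priv]", "snapshot_new[newpriv] = current_icount;" and "counter_arr[env->priv] += delta;" index them with no range check visible in this function. Suggest asserting, before the delta computation, that env->priv is below the size of the array selected by env->virt_enabled and that newpriv is below the size of the array selected by new_virt. Smaller points: the comment says new_priv while the parameter is named newpriv, and pmu_fixed_ctrs[1] is a bare index repeated six times that would read better as a named constant.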

...and in this function we may use those counter_virt and
counter_virt_prev arrays with newpriv and env->priv as indexes,
but in the callsites like riscv_cpu_set_mode() the assertions on
newpriv etc are things like

    g_assert(newpriv <= PRV_M && newpriv != PRV_RESERVED);

so Coverity thinks newpriv might be PRV_M (because that's the only
explicit range guard it's seen) and we will overrun the array.

If this is a "can't happen" case I think we should have asserts in the
functions like riscv_pmu_icount_update_priv() and riscv_pmu_cycle_update_priv()
that might index into these arrays that the indexes can't be out of bounds
for these smaller arrays.

thanks
-- PMM
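
The accounting described in the quoted commit message, with the index check requested above placed in the function that does the indexing, as a stand-alone model. This is an added example, not QEMU code or code from the thread: Hart, FixedCtr, mode_switch, limit_for, the PRIV_* values and the tick numbers are constructed, and the check returns false instead of asserting so the rejection can be observed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins, not QEMU definitions. */
enum { PRIV_U = 0, PRIV_S = 1, PRIV_RESERVED = 2, PRIV_M = 3 };
#define N_PRIV 4 /* size of counter[] and counter_prev[] in the patch */
#define N_VIRT 2 /* size of counter_virt[] and counter_virt_prev[] */

typedef struct {
    uint64_t counter[N_PRIV], counter_prev[N_PRIV];
    uint64_t counter_virt[N_VIRT], counter_virt_prev[N_VIRT];
} FixedCtr;
typedef struct { unsigned priv; bool virt; FixedCtr ctr; } Hart;

/* Number of valid indexes for the array set selected by the V bit. */
static size_t limit_for(bool virt) { return virt ? N_VIRT : N_PRIV; }

/*
 * Charge ticks to the mode being left, then snapshot the mode being entered.
 * Returns false and changes nothing if either index is out of range for the
 * array it would select.
 */
static bool mode_switch(Hart *h, unsigned newpriv, bool new_virt, uint64_t now)
{
    if (h->priv >= limit_for(h->virt) || newpriv >= limit_for(new_virt)) {
        return false;
    }
    uint64_t *arr = h->virt ? h->ctr.counter_virt : h->ctr.counter;
    uint64_t *prev = h->virt ? h->ctr.counter_virt_prev : h->ctr.counter_prev;
    uint64_t *next = new_virt ? h->ctr.counter_virt_prev : h->ctr.counter_prev;

    /* Delta first: newpriv may equal the current privilege level. */
    uint64_t delta = now - prev[h->priv];
    next[newpriv] = now;
    arr[h->priv] += delta;
    h->priv = newpriv;
    h->virt = new_virt;
    return true;
}

int main(void)
{
    Hart h = { .priv = PRIV_M, .virt = false };
    bool ok = mode_switch(&h, PRIV_S, true, 100)    /* M to VS at tick 100 */
           && mode_switch(&h, PRIV_U, true, 250)    /* VS to VU at tick 250 */
           && !mode_switch(&h, PRIV_M, true, 300);  /* index 3 with V=1 */
    return (ok && h.ctr.counter_virt[PRIV_S] == 150) ? 0 : 1;
}
```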