Re: [RFC] GCC support for live-patching

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi, 

thanks for the comments.

> 
> thanks for the proposal. The others have already expressed some of my 
> worries and remarks, but I think it would be only right to write them 
> again. Especially since I am part of the team responsible for 
> implementation and maintenance of live patches here at SUSE, we use kGraft 
> and we prepare everything manually (compared to kpatch and ksplice).

One question here,  what’s the major benefit to prepare the patches manually? 
> 
>> 1. A study of Kernel live patching schemes.
>> 
>> Three major kernel live patching tools:  https://lwn.net/Articles/734765/
>> 
>> * ksplice:   http://www.ksplice.com/doc/ksplice.pdf
>> * kpatch:    https://lwn.net/Articles/597123/
>>            https://github.com/dynup/kpatch
>> * kGraft:    
>> https://pdfs.semanticscholar.org/presentation/af4c/895aa3fef0cc2b501317aaec9d91ba2d704c.pdf
>> 
>> In the above, ksplice and kpatch can automatically generate binary patches 
>> as following:
>> 
>>   * a collection of tools which convert a source diff patch to a patch
>> module. They work by compiling the kernel both with and without the source
>> patch, comparing the binaries, and generating a binary patch module which 
>> includes new binary versions of the functions to be replaced.
>> 
>> on the other hand, kGraft offers a way to create patches entirely by hand. 
>> The source of the patch is a single C file, easy to review, easy to
>> maintain. 
>> 
>> In addition to kGraft, there are other live patching tools that prefer
>> creating patches by hand for the similar reason. 
>> 
>> The compiler support is mainly for the above live patching tools that create 
>> patches entirely by hand. the major purpose is:
>> 
>> * control patch code size and debug complexity;
>> * keep good run time performance;
>> 
>> 2. the major problems of compiler in live patching:
>> 
>> For the live patching schemes that create patches by hand, when patching 
>> one function, there might a list of functions that will be impacted by 
>> this patched function due to compiler optimization/analyses (mainly IPA
>> optimization/analyses), a complete patch will include the patched function
>> and all impacted functions. Usually, there are two major factors to be
>> considered in such live patching schemes:
>> 
>> * patch code size, one major factor is the length of the list 
>> of impacted functions;
>> * run time performance.
>> 
>> If we want to control the patch code size, to make the list of impacted 
>> functions minimum, we have to disable corresponding compiler optimizations 
>> as much as possible.
> 
> Andi already talked about it and I, too, do not understand your worry 
> about patch code size. First, it has never been so bad here. Yes, 
> sometimes the function closure gets bigger due to optimizations and 
> inlining. I've considered it as nothing else than a lack of better 
> tooling, because it is indeed something which could be improved a lot. 
> Nicolai (CCed) works on a potential solution. It is also one of the topics 
> at LPC miniconf in Vancouver.
> 
> Second, the idea to disable inlining would not fly at SUSE. I can't 
> imagine to even propose it. The kernel heavily relies on the feature. The 
> optimizations are a different story and some of those certainly could be 
> disabled with no harm caused.
> 
> So let me ask, what is your motivation behind this? Is there a real 
> problem you're trying to solve? It may have been mentioned somewhere and I 
> missed it.

the major functionality we want is:   to Only enable static inlining for live patching for one 
of our internal customers.   the major purpose is to control the patch code size explosion and
debugging complexity due to too much inlining of global functions for the specific application.

therefore, I proposed the multiple level of control for -flive-patching to satisfy multiple request from 
different users. 

So far, from the feedback, I see that among the 4 levels of control,   none, only-inline-static, inline,
and inline-clone,   “none” and “inline” are NOT needed at all.

however,  -flive-patching = [only-inline-static | inline-clone] are necessary.

> 
>> On the other hand, in order to keep good run time performance, we need to 
>> keep the compiler optimization as much as possible. 
>> 
>> So, there should be some tradeoff between these two factors. 
>> 
>> The following are two major categories of compiler optimizations 
>> we should considered:
>> 
>> A. compiler optimizations/analyses that extract ipa info from
>> a routine's body, and use such info to guide other optimization.
>> 
>> Since the body of the routine might be changed for live patching, 
>> the ipa info extracted from the body of the routine also changes,
>> as a result, all the routines that directly or indirectly utilize 
>> the ipa info from this routine are in the list of the impacted 
>> routines.  
>> 
>> Most of the IPA analyses and optimization belong to this category. 
>> 
>> Although theoretically the impacted routine list from such ipa 
>> phases could be computed, the list might be huge. Such huge list
>> of impacted routine might explode the patch code size too much. 
>> 
>> Therefore, it might be more pratical to just completely disable such
>> ipa optimizations/analyses.
>> 
>> B. Inlining, and all optimizaitons that internally create clone. 
>> for example, cloning, ipa-sra, partial inlining, etc.
>> We can track the effect and impacted routine of such optimization 
>> easily. 
>> Such kind of optimization could be kept, but the compiler
>> should provide the list of impacted functions if a routine need to 
>> be patched.
>> 
>> There is patch code size explosion potential even with only enabling
>> inlining and cloning for live patching. Users need a way to control 
>> the inlining and cloning in order to control the code size explosion 
>> and complexity of debugging.
>> 
>> 3. Details of the proposal:
> 
> This sounds awfully complicated. Especially when there is a dumping option 
> in GCC thanks to Martin. What information do you miss there? We could 
> improve the analysis tool. So far, it has given us all the info we need.

Yes, it’s TRUE that the tool Martin wrote should serve the same purpose. nothing new from this
new GCC option -flive-patch-list compared to Martin’s tool.

However,  by simply adding this new GCC’s option, we can simplify the whole procedure for helping
live-patching. by only running  GCC with the new added options once, we can get the impacted function list
at the same time. No need to run another tool anymore.   

this is the major benefit from this new option.

anyway, if most of the people think that this new option is not necessary, I am fine to delete it. 
> 
> In the end, I'd be more than happy with what has been proposed in this 
> thread by the others. To have a way to guarantee that GCC would not apply 
> an optimization that could potentially destroy our effort to livepatch a 
> running system.

So, the major functionality you want from GCC is:

-flive-patching=inline-clone

 Only enable inlining and all optimizations that internally create clone,
for example, cloning, ipa-sra, partial inlining, etc; disable all 
other IPA optimizations/analyses.

As a result, when patching a routine, all its callers and its clones’
callers need to be patched as well. 

?

thanks.

Qing






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux