| Message ID | cae006a7-c1be-4608-a011-dda1fb4a0312@suse.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | x86: prefer RDTSCP in rdtsc_ordered() | expand |
On 30/09/2024 4:08 pm, Jan Beulich wrote: > If available, its use is supposed to be cheaper than LFENCE+RDTSC, and > is virtually guaranteed to be cheaper than MFENCE+RDTSC. > > Unlike in rdtsc() use 64-bit local variables, eliminating the need for I'd drop this reference to rdtsc() seeing as you adjust it in a parallel patch. > the compiler to emit a zero-extension insn for %eax (that's a cheap MOV, > yet still pointless to have). > > Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> > Signed-off-by: Jan Beulich <jbeulich@suse.com> > > --- a/xen/arch/x86/include/asm/msr.h > +++ b/xen/arch/x86/include/asm/msr.h > @@ -108,18 +108,30 @@ static inline uint64_t rdtsc(void) > > static inline uint64_t rdtsc_ordered(void) > { > - /* > - * The RDTSC instruction is not ordered relative to memory access. > - * The Intel SDM and the AMD APM are both vague on this point, but > - * empirically an RDTSC instruction can be speculatively executed > - * before prior loads. An RDTSC immediately after an appropriate > - * barrier appears to be ordered as a normal load, that is, it > - * provides the same ordering guarantees as reading from a global > - * memory location that some other imaginary CPU is updating > - * continuously with a time stamp. > - */ > - alternative("lfence", "mfence", X86_FEATURE_MFENCE_RDTSC); > - return rdtsc(); > + uint64_t low, high, aux; > + > + /* > + * The RDTSC instruction is not ordered relative to memory access. > + * The Intel SDM and the AMD APM are both vague on this point, but > + * empirically an RDTSC instruction can be speculatively executed > + * before prior loads. This part of the comment is stale now. For RDTSC, AMD state: "This instruction is not serializing. Therefore, there is no guarantee that all instructions have completed at the time the time-stamp counter is read." and for RDTSCP: "Unlike the RDTSC instruction, RDTSCP forces all older instructions to retire before reading the time-stamp counter." i.e. it's dispatch serialising, given our new post-Spectre terminology. Intel OTOH have much more extensive information. For RDTSC: The RDTSC instruction is not a serializing instruction. It does not necessarily wait until all previous instructions have been executed before reading the counter. Similarly, subsequent instructions may begin execution before the read operation is performed. The following items may guide software seeking to order executions of RDTSC: •If software requires RDTSC to be executed only after all previous instructions have executed and all previous loads are globally visible,1 it can execute LFENCE immediately before RDTSC. •If software requires RDTSC to be executed only after all previous instructions have executed and all previous loads and stores are globally visible, it can execute the sequence MFENCE;LFENCE immediately before RDTSC. •If software requires RDTSC to be executed prior to execution of any subsequent instruction (including any memory accesses), it can execute the sequence LFENCE immediately after RDTSC. Similarly, for RDTSCP: The RDTSCP instruction is not a serializing instruction, but it does wait until all previous instructions have executed and all previous loads are globally visible. But it does not wait for previous stores to be globally visible, and subsequent instructions may begin execution before the read operation is performed. The following items may guide software seeking to order executions of RDTSCP: •If software requires RDTSCP to be executed only after all previous stores are globally visible, it can execute MFENCE immediately before RDTSCP. •If software requires RDTSCP to be executed prior to execution of any subsequent instruction (including any memory accesses), it can execute LFENCE immediately after RDTSCP. I'd delete most of the paragraph, and just state the recommendation to use LFENCE. In truth, X86_FEATURE_MFENCE_RDTSC is useless now that we unilaterally activate LFENCE_DISPATCH on CPUs where it's optional. Linux went as far as removing the case entirely, because if you're running under a hypervisor which hasn't set LFENCE_DISPATCH, then the misbehaviour of lfence;rdtsc is the least of your problems. ~Andrew
On 30.09.2024 18:40, Andrew Cooper wrote: > On 30/09/2024 4:08 pm, Jan Beulich wrote: >> If available, its use is supposed to be cheaper than LFENCE+RDTSC, and >> is virtually guaranteed to be cheaper than MFENCE+RDTSC. >> >> Unlike in rdtsc() use 64-bit local variables, eliminating the need for > > I'd drop this reference to rdtsc() seeing as you adjust it in a parallel > patch. Already done, with that other commit now having gone in. When I wrote this, I wasn't finally decided yet whether to also make that other adjustment. >> --- a/xen/arch/x86/include/asm/msr.h >> +++ b/xen/arch/x86/include/asm/msr.h >> @@ -108,18 +108,30 @@ static inline uint64_t rdtsc(void) >> >> static inline uint64_t rdtsc_ordered(void) >> { >> - /* >> - * The RDTSC instruction is not ordered relative to memory access. >> - * The Intel SDM and the AMD APM are both vague on this point, but >> - * empirically an RDTSC instruction can be speculatively executed >> - * before prior loads. An RDTSC immediately after an appropriate >> - * barrier appears to be ordered as a normal load, that is, it >> - * provides the same ordering guarantees as reading from a global >> - * memory location that some other imaginary CPU is updating >> - * continuously with a time stamp. >> - */ >> - alternative("lfence", "mfence", X86_FEATURE_MFENCE_RDTSC); >> - return rdtsc(); >> + uint64_t low, high, aux; >> + >> + /* >> + * The RDTSC instruction is not ordered relative to memory access. >> + * The Intel SDM and the AMD APM are both vague on this point, but >> + * empirically an RDTSC instruction can be speculatively executed >> + * before prior loads. > > This part of the comment is stale now. For RDTSC, AMD state: > > "This instruction is not serializing. Therefore, there is no guarantee > that all instructions have completed at the time the time-stamp counter > is read." > > and for RDTSCP: > > "Unlike the RDTSC instruction, RDTSCP forces all older instructions to > retire before reading the time-stamp counter." > > i.e. it's dispatch serialising, given our new post-Spectre terminology. I don't read that as truly "dispatch serializing"; both Intel and AMD leave open whether subsequent insns would also be affected, or whether those could pass the RDTSCP. Either form is fine for our purposes here aiui. > Intel OTOH have much more extensive information. For RDTSC: > > The RDTSC instruction is not a serializing instruction. It does not > necessarily wait until all previous instructions have been executed > before reading the counter. Similarly, subsequent instructions may begin > execution before the read operation is performed. The following items > may guide software seeking to order executions of RDTSC: > > •If software requires RDTSC to be executed only after all previous > instructions have executed and all previous loads are globally visible,1 > it can execute LFENCE immediately before RDTSC. > > •If software requires RDTSC to be executed only after all previous > instructions have executed and all previous loads and stores are > globally visible, it can execute the sequence MFENCE;LFENCE immediately > before RDTSC. > > •If software requires RDTSC to be executed prior to execution of any > subsequent instruction (including any memory accesses), it can execute > the sequence LFENCE immediately after RDTSC. > > Similarly, for RDTSCP: > > The RDTSCP instruction is not a serializing instruction, but it does > wait until all previous instructions have executed and all previous > loads are globally visible. But it does not wait for previous stores to > be globally visible, and subsequent instructions may begin execution > before the read operation is performed. The following items may guide > software seeking to order executions of RDTSCP: > > •If software requires RDTSCP to be executed only after all previous > stores are globally visible, it can execute MFENCE immediately before > RDTSCP. > > •If software requires RDTSCP to be executed prior to execution of any > subsequent instruction (including any memory accesses), it can execute > LFENCE immediately after RDTSCP. > > > > I'd delete most of the paragraph, and just state the recommendation to > use LFENCE. I was in fact wondering whether to. I'll send a v2 with updated (and shortened) commentary. I think I will want to keep mentioning MFENCE there though, ... > In truth, X86_FEATURE_MFENCE_RDTSC is useless now that we unilaterally > activate LFENCE_DISPATCH on CPUs where it's optional. Linux went as far > as removing the case entirely, because if you're running under a > hypervisor which hasn't set LFENCE_DISPATCH, then the misbehaviour of > lfence;rdtsc is the least of your problems. ... despite this (orthogonal) observation. We can independently decide whether to drop MFENCE_RDTSC. Jan
On 01/10/2024 9:12 am, Jan Beulich wrote: > On 30.09.2024 18:40, Andrew Cooper wrote: >> On 30/09/2024 4:08 pm, Jan Beulich wrote: >>> --- a/xen/arch/x86/include/asm/msr.h >>> +++ b/xen/arch/x86/include/asm/msr.h >>> @@ -108,18 +108,30 @@ static inline uint64_t rdtsc(void) >>> >>> static inline uint64_t rdtsc_ordered(void) >>> { >>> - /* >>> - * The RDTSC instruction is not ordered relative to memory access. >>> - * The Intel SDM and the AMD APM are both vague on this point, but >>> - * empirically an RDTSC instruction can be speculatively executed >>> - * before prior loads. An RDTSC immediately after an appropriate >>> - * barrier appears to be ordered as a normal load, that is, it >>> - * provides the same ordering guarantees as reading from a global >>> - * memory location that some other imaginary CPU is updating >>> - * continuously with a time stamp. >>> - */ >>> - alternative("lfence", "mfence", X86_FEATURE_MFENCE_RDTSC); >>> - return rdtsc(); >>> + uint64_t low, high, aux; >>> + >>> + /* >>> + * The RDTSC instruction is not ordered relative to memory access. >>> + * The Intel SDM and the AMD APM are both vague on this point, but >>> + * empirically an RDTSC instruction can be speculatively executed >>> + * before prior loads. >> This part of the comment is stale now. For RDTSC, AMD state: >> >> "This instruction is not serializing. Therefore, there is no guarantee >> that all instructions have completed at the time the time-stamp counter >> is read." >> >> and for RDTSCP: >> >> "Unlike the RDTSC instruction, RDTSCP forces all older instructions to >> retire before reading the time-stamp counter." >> >> i.e. it's dispatch serialising, given our new post-Spectre terminology. > I don't read that as truly "dispatch serializing"; That is precisely what dispatch serialising is and means. Both LFENCE and RDTSCP wait at dispatch until they're the only instruction in the pipeline. That is how they get the property of waiting for all older instructions to retire before executing. > both Intel and AMD > leave open whether subsequent insns would also be affected, or whether > those could pass the RDTSCP. Superscalar pipelines which can dispatch more than one uop per cycle can issue LFENCE/RDTSCP concurrently with younger instructions. This is why LFENCE; JMP * was retracted as safe alternative to retpoline, and why the Intel docs call out explicitly that you need LFENCE following the RDTSC(P) if you want it to complete before subsequent instructions start. ~Andrew
On 01.10.2024 11:45, Andrew Cooper wrote: > On 01/10/2024 9:12 am, Jan Beulich wrote: >> On 30.09.2024 18:40, Andrew Cooper wrote: >>> On 30/09/2024 4:08 pm, Jan Beulich wrote: >>>> --- a/xen/arch/x86/include/asm/msr.h >>>> +++ b/xen/arch/x86/include/asm/msr.h >>>> @@ -108,18 +108,30 @@ static inline uint64_t rdtsc(void) >>>> >>>> static inline uint64_t rdtsc_ordered(void) >>>> { >>>> - /* >>>> - * The RDTSC instruction is not ordered relative to memory access. >>>> - * The Intel SDM and the AMD APM are both vague on this point, but >>>> - * empirically an RDTSC instruction can be speculatively executed >>>> - * before prior loads. An RDTSC immediately after an appropriate >>>> - * barrier appears to be ordered as a normal load, that is, it >>>> - * provides the same ordering guarantees as reading from a global >>>> - * memory location that some other imaginary CPU is updating >>>> - * continuously with a time stamp. >>>> - */ >>>> - alternative("lfence", "mfence", X86_FEATURE_MFENCE_RDTSC); >>>> - return rdtsc(); >>>> + uint64_t low, high, aux; >>>> + >>>> + /* >>>> + * The RDTSC instruction is not ordered relative to memory access. >>>> + * The Intel SDM and the AMD APM are both vague on this point, but >>>> + * empirically an RDTSC instruction can be speculatively executed >>>> + * before prior loads. >>> This part of the comment is stale now. For RDTSC, AMD state: >>> >>> "This instruction is not serializing. Therefore, there is no guarantee >>> that all instructions have completed at the time the time-stamp counter >>> is read." >>> >>> and for RDTSCP: >>> >>> "Unlike the RDTSC instruction, RDTSCP forces all older instructions to >>> retire before reading the time-stamp counter." >>> >>> i.e. it's dispatch serialising, given our new post-Spectre terminology. >> I don't read that as truly "dispatch serializing"; > > That is precisely what dispatch serialising is and means. > > Both LFENCE and RDTSCP wait at dispatch until they're the only > instruction in the pipeline. That is how they get the property of > waiting for all older instructions to retire before executing. > >> both Intel and AMD >> leave open whether subsequent insns would also be affected, or whether >> those could pass the RDTSCP. > > Superscalar pipelines which can dispatch more than one uop per cycle can > issue LFENCE/RDTSCP concurrently with younger instructions. > > This is why LFENCE; JMP * was retracted as safe alternative to > retpoline, and why the Intel docs call out explicitly that you need > LFENCE following the RDTSC(P) if you want it to complete before > subsequent instructions start. Yet what you describe still only puts in place a relationship between RDTSCP and what follows. What I was saying is that there's no guarantee that insns following RDTSCP can't actually execute not only in parallel with RDTSCP, but also in parallel with / ahead of earlier insns. Aiui LFENCE makes this guarantee. IOW in ADD ...; LFENCE; SUB ... the SUB is guaranteed to dispatch only after the ADD, whereas in ADD ...; RDTSCP; SUB ... there doesn't appear to be such a guarantee; the only guarantee here is for RDTSCP to dispatch after the ADD. Jan
On 01.10.2024 12:02, Jan Beulich wrote: > On 01.10.2024 11:45, Andrew Cooper wrote: >> On 01/10/2024 9:12 am, Jan Beulich wrote: >>> On 30.09.2024 18:40, Andrew Cooper wrote: >>>> On 30/09/2024 4:08 pm, Jan Beulich wrote: >>>>> --- a/xen/arch/x86/include/asm/msr.h >>>>> +++ b/xen/arch/x86/include/asm/msr.h >>>>> @@ -108,18 +108,30 @@ static inline uint64_t rdtsc(void) >>>>> >>>>> static inline uint64_t rdtsc_ordered(void) >>>>> { >>>>> - /* >>>>> - * The RDTSC instruction is not ordered relative to memory access. >>>>> - * The Intel SDM and the AMD APM are both vague on this point, but >>>>> - * empirically an RDTSC instruction can be speculatively executed >>>>> - * before prior loads. An RDTSC immediately after an appropriate >>>>> - * barrier appears to be ordered as a normal load, that is, it >>>>> - * provides the same ordering guarantees as reading from a global >>>>> - * memory location that some other imaginary CPU is updating >>>>> - * continuously with a time stamp. >>>>> - */ >>>>> - alternative("lfence", "mfence", X86_FEATURE_MFENCE_RDTSC); >>>>> - return rdtsc(); >>>>> + uint64_t low, high, aux; >>>>> + >>>>> + /* >>>>> + * The RDTSC instruction is not ordered relative to memory access. >>>>> + * The Intel SDM and the AMD APM are both vague on this point, but >>>>> + * empirically an RDTSC instruction can be speculatively executed >>>>> + * before prior loads. >>>> This part of the comment is stale now. For RDTSC, AMD state: >>>> >>>> "This instruction is not serializing. Therefore, there is no guarantee >>>> that all instructions have completed at the time the time-stamp counter >>>> is read." >>>> >>>> and for RDTSCP: >>>> >>>> "Unlike the RDTSC instruction, RDTSCP forces all older instructions to >>>> retire before reading the time-stamp counter." >>>> >>>> i.e. it's dispatch serialising, given our new post-Spectre terminology. >>> I don't read that as truly "dispatch serializing"; >> >> That is precisely what dispatch serialising is and means. >> >> Both LFENCE and RDTSCP wait at dispatch until they're the only >> instruction in the pipeline. That is how they get the property of >> waiting for all older instructions to retire before executing. >> >>> both Intel and AMD >>> leave open whether subsequent insns would also be affected, or whether >>> those could pass the RDTSCP. >> >> Superscalar pipelines which can dispatch more than one uop per cycle can >> issue LFENCE/RDTSCP concurrently with younger instructions. >> >> This is why LFENCE; JMP * was retracted as safe alternative to >> retpoline, and why the Intel docs call out explicitly that you need >> LFENCE following the RDTSC(P) if you want it to complete before >> subsequent instructions start. > > Yet what you describe still only puts in place a relationship between > RDTSCP and what follows. What I was saying is that there's no guarantee > that insns following RDTSCP can't actually execute not only in parallel > with RDTSCP, but also in parallel with / ahead of earlier insns. Aiui > LFENCE makes this guarantee. IOW in > > ADD ...; LFENCE; SUB ... > > the SUB is guaranteed to dispatch only after the ADD, whereas in > > ADD ...; RDTSCP; SUB ... > > there doesn't appear to be such a guarantee; the only guarantee here is > for RDTSCP to dispatch after the ADD. And btw, if there wasn't this difference, why would RDTSCP be any better than LFENCE; RDTSC? Jan
On 01/10/2024 11:02 am, Jan Beulich wrote: > On 01.10.2024 11:45, Andrew Cooper wrote: >> On 01/10/2024 9:12 am, Jan Beulich wrote: >>> On 30.09.2024 18:40, Andrew Cooper wrote: >>>> On 30/09/2024 4:08 pm, Jan Beulich wrote: >>>>> --- a/xen/arch/x86/include/asm/msr.h >>>>> +++ b/xen/arch/x86/include/asm/msr.h >>>>> @@ -108,18 +108,30 @@ static inline uint64_t rdtsc(void) >>>>> >>>>> static inline uint64_t rdtsc_ordered(void) >>>>> { >>>>> - /* >>>>> - * The RDTSC instruction is not ordered relative to memory access. >>>>> - * The Intel SDM and the AMD APM are both vague on this point, but >>>>> - * empirically an RDTSC instruction can be speculatively executed >>>>> - * before prior loads. An RDTSC immediately after an appropriate >>>>> - * barrier appears to be ordered as a normal load, that is, it >>>>> - * provides the same ordering guarantees as reading from a global >>>>> - * memory location that some other imaginary CPU is updating >>>>> - * continuously with a time stamp. >>>>> - */ >>>>> - alternative("lfence", "mfence", X86_FEATURE_MFENCE_RDTSC); >>>>> - return rdtsc(); >>>>> + uint64_t low, high, aux; >>>>> + >>>>> + /* >>>>> + * The RDTSC instruction is not ordered relative to memory access. >>>>> + * The Intel SDM and the AMD APM are both vague on this point, but >>>>> + * empirically an RDTSC instruction can be speculatively executed >>>>> + * before prior loads. >>>> This part of the comment is stale now. For RDTSC, AMD state: >>>> >>>> "This instruction is not serializing. Therefore, there is no guarantee >>>> that all instructions have completed at the time the time-stamp counter >>>> is read." >>>> >>>> and for RDTSCP: >>>> >>>> "Unlike the RDTSC instruction, RDTSCP forces all older instructions to >>>> retire before reading the time-stamp counter." >>>> >>>> i.e. it's dispatch serialising, given our new post-Spectre terminology. >>> I don't read that as truly "dispatch serializing"; >> That is precisely what dispatch serialising is and means. >> >> Both LFENCE and RDTSCP wait at dispatch until they're the only >> instruction in the pipeline. That is how they get the property of >> waiting for all older instructions to retire before executing. >> >>> both Intel and AMD >>> leave open whether subsequent insns would also be affected, or whether >>> those could pass the RDTSCP. >> Superscalar pipelines which can dispatch more than one uop per cycle can >> issue LFENCE/RDTSCP concurrently with younger instructions. >> >> This is why LFENCE; JMP * was retracted as safe alternative to >> retpoline, and why the Intel docs call out explicitly that you need >> LFENCE following the RDTSC(P) if you want it to complete before >> subsequent instructions start. > Yet what you describe still only puts in place a relationship between > RDTSCP and what follows. What I was saying is that there's no guarantee > that insns following RDTSCP can't actually execute not only in parallel > with RDTSCP, but also in parallel with / ahead of earlier insns. I think you're reading too much into the fact that these passages aren't identical. They were written years apart, most likely by different authors. > Aiui > LFENCE makes this guarantee. IOW in > > ADD ...; LFENCE; SUB ... > > the SUB is guaranteed to dispatch only after the ADD, The guarantee made is that ADD has retired before LFENCE executes. SDM: "Specifically, LFENCE does not execute until all prior instructions have completed locally, and no later instruction begins execution until LFENCE completes." "completed locally" == "retired". The APM doesn't have a description of "dispatch serialising" attached to LFENCE. However, the Managing Speculation whitepaper does state: "Set an MSR in the processor so that LFENCE is a dispatch serializing instruction and then use LFENCE in code streams to serialize dispatch (LFENCE is faster than RDTSCP which is also dispatch serializing)." which also doesn't define dispatch serialising, but does make the statement which started this debate. That said, the LFENCE_DISPATCH chicken really was AMD's "behave like Intel" bit. > whereas in > > ADD ...; RDTSCP; SUB ... > > there doesn't appear to be such a guarantee; the only guarantee here is > for RDTSCP to dispatch after the ADD. SDM: "The RDTSCP instruction is not a serializing instruction, but it does wait until all previous instructions have executed and all previous loads are globally visible." APM: "RDTSCP forces all older instructions to retire before reading the timestamp counter." Both have an explicit written guarantee that the ADD retires before RDTSCP starts. The thing which neither manual states, probably because the authors thought it was too obvious to mention, is that dispatch is always in (predicted) program order. Consider the implications on dependency tracking if the CPUs were to dispatch uops out of program order. ~Andrew
--- a/xen/arch/x86/include/asm/msr.h +++ b/xen/arch/x86/include/asm/msr.h @@ -108,18 +108,30 @@ static inline uint64_t rdtsc(void) static inline uint64_t rdtsc_ordered(void) { - /* - * The RDTSC instruction is not ordered relative to memory access. - * The Intel SDM and the AMD APM are both vague on this point, but - * empirically an RDTSC instruction can be speculatively executed - * before prior loads. An RDTSC immediately after an appropriate - * barrier appears to be ordered as a normal load, that is, it - * provides the same ordering guarantees as reading from a global - * memory location that some other imaginary CPU is updating - * continuously with a time stamp. - */ - alternative("lfence", "mfence", X86_FEATURE_MFENCE_RDTSC); - return rdtsc(); + uint64_t low, high, aux; + + /* + * The RDTSC instruction is not ordered relative to memory access. + * The Intel SDM and the AMD APM are both vague on this point, but + * empirically an RDTSC instruction can be speculatively executed + * before prior loads. An RDTSC immediately after an appropriate + * barrier appears to be ordered as a normal load, that is, it + * provides the same ordering guarantees as reading from a global + * memory location that some other imaginary CPU is updating + * continuously with a time stamp. + * + * RDTSCP, otoh, "does wait until all previous instructions have + * executed and all previous loads are globally visible" (SDM) / + * "forces all older instructions to retire before reading the + * timestamp counter" (APM) + */ + alternative_io_2("lfence; rdtsc", + "mfence; rdtsc", X86_FEATURE_MFENCE_RDTSC, + "rdtscp", X86_FEATURE_RDTSCP, + ASM_OUTPUT2("=a" (low), "=d" (high), "=c" (aux)), + /* no inputs */); + + return (high << 32) | low; } #define __write_tsc(val) wrmsrl(MSR_IA32_TSC, val)
If available, its use is supposed to be cheaper than LFENCE+RDTSC, and is virtually guaranteed to be cheaper than MFENCE+RDTSC. Unlike in rdtsc() use 64-bit local variables, eliminating the need for the compiler to emit a zero-extension insn for %eax (that's a cheap MOV, yet still pointless to have). Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com>