Remove PAL FileAlignment restriction #10959
Conversation
|
Ran 10870 test on 4K page on [Arm64/Unix] all tests passed. |
src/zap/zapwriter.cpp
Outdated
| @@ -55,7 +55,8 @@ void ZapWriter::Initialize() | |||
| m_FileAlignment = 0x200; | |||
| } | |||
|
|
|||
| #define SECTION_ALIGNMENT 0x1000 | |||
| #define SECTION_ALIGNMENT m_FileAlignment | |||
There was a problem hiding this comment.
I think we want to do this for Unix (FEATURE_PAL) only.
|
Also ran tests on 64K [Arm64/Unix] platform with updated 64K patch. Tests all passing. |
|
Centos is seeing this failure during crossgen of System.Private.Corelib.dll |
|
The CentOS failure is actually in crossgen with option /CreatePerfMap. I had not been running this with my testing. |
|
Looks like all/most "Ubuntu arm Cross Release Build" PR tests are failing |
src/vm/peimagelayout.cpp
Outdated
| @@ -172,7 +183,9 @@ void PEImageLayout::ApplyBaseRelocations() | |||
| dwOldProtection = 0; | |||
| } | |||
|
|
|||
| IMAGE_SECTION_HEADER *pSection = RvaToSection(rva); | |||
| USHORT fixup = fixupsCount ? VAL16(fixups[0]) : 0; | |||
There was a problem hiding this comment.
It is hard to see whether the fixupsCount==0 case works here. I think it would be better to handle it upfront and do nothing for it - add if (fixupsCount ==0) continue; right after the line that computes the fixupsCount.
It should not ever happen anyway.
There was a problem hiding this comment.
@jkotas Sorry. Missed this request. Will do.
There was a problem hiding this comment.
@jkotas The assertions on lines 162 and 163 effectively guarantee fixupsCount is non-zero. I suspected it was not supposed to happen, but I was not sure, but now that I see the asserts, I know it is designed to not happen.
Therefore I think it is OK to just simplify line 186. Otherwise I can move line 242 to 159 and add an if (fixupsCount ==0) continue, but it is unnecessary code complexity
|
How does this work when images generated before this change are loaded on runtime with this change, and vice versa? |
There should effectively be no change. OS with 4K pages should work correctly. OS with 64K pages should continue to fail
Currently I think these will all fail on *nix PAL systems. If you wanted to support this vice/versa combination, the PAL file alignment could be kept at 4K by reverting the changes to zapimage.cpp. If that was done, the changes to pedecoder.cpp and peimagelayout.cpp could also be reverted. |
|
@dotnet-bot test Ubuntu arm Cross Release Build |
src/pal/src/map/map.cpp
Outdated
| pvBaseAddress = mmap(addr, len, prot, flags, fd, offset); | ||
| off_t adjust = offset & (VIRTUAL_PAGE_MASK); | ||
|
|
||
| pvBaseAddress = mmap(static_cast<char *>(addr) - adjust, len + adjust, prot, flags, fd, offset - adjust); |
There was a problem hiding this comment.
If I understand it correctly, when the addr is not aligned to the page size, we end up mapping some sections to virtual address space multiple times, possibly with different protection settings. So if there was a R/W section next to an executable section, we would create a potential security hole that would allow an attacker to modify the executable code through the adjacent R/W mapping.
There was a problem hiding this comment.
Also, on amd64 where we use the executable allocator to ensure that the virtual address space where we map the image is located close to the libcoreclr.so, this change breaks that functionality. When a section cannot be mapped to the requested address because the previous section mappings have consumed more virtual address space than expected, mmap can map it to a random address in the whole VA space. That would effectively kill the performance benefits we get from mapping close to the libcoreclr.so.
To fix that, it seems one way would be to augment the sectionBase in the MAPMapPEFile for each call to MAPmmapAndRecord to reflect the expected mapping address based on the page size.
There was a problem hiding this comment.
@janvorli Regarding suggested security hole. The mmap of the two pages with different security permissions should not create the security hole you describe. It will create two mappings. Probably even to the same physical memory initially, but the "writable" one will be marked for copy on write so that it cannot modify the clone. This is because we asked for the mapping to be PRIVATE.
There was a problem hiding this comment.
@janvorli I do not think the amd64 issue is real either. We are using the FIXED flag which is supposed to error if we cannot mmap the specified address.
There was a problem hiding this comment.
mmap for MAP_PRIVATE documentation is unclear about whether two PRIVATE mappings of the same file affect each other.
MAP_PRIVATE
Create a private copy-on-write mapping. Updates to the mapping are
not visible to other processes mapping the same file, and are not
carried through to the underlying file. It is unspecified whether
changes made to the file after the mmap() call are visible in the
mapped region.
For the amd64 issue, the mmap documentation is sufficiently clear.
MAP_FIXED
Don't interpret addr as a hint: place the mapping at exactly that
address. addr must be a multiple of the page size. If the
memory region specified by addr and len overlaps pages of any
existing mapping(s), then the overlapped part of the existing
mapping(s) will be discarded. If the specified address cannot be
used, mmap() will fail. Because requiring a fixed address for a
mapping is less portable, the use of this option is discouraged.
There was a problem hiding this comment.
@sdmaclea I am sorry, I've missed the MAP_PRIVATE flag presence, so you are right and there is no security hole.
As for the amd64 issue I also missed the MAP_FIXED flag, so you are right too that it is not causing the issue I was referring to. The mappings of multiple consecutive sections that are not page aligned would just overlap. But that brings another concern for all targets. What if these sections have different protection? Then it seems that after the file is mapped, all sections that map into a single virtual address space page would have the protection of the last section on the page. And what if one of these sections except the last one was executable? Wouldn't that kill its executability? And vice versa. This issue would not reproduce in 100% cases since it depends on the actual sizes and order of the sections. Have you tried to run CoreFX tests with your change on amd64? I guess that would have a higher chance of reproducing the issue.
There was a problem hiding this comment.
@janvorli The intent is that two sections never map to the same virtual page. That is why the virtual address is padded by the maximum page size in the zapWriter.cpp changes included in the PR.
There was a problem hiding this comment.
Ok, I've again missed that. I am sorry, I probably have an off day today. But in that case, it seems it would be good to set the PAL_MAX_PAGE_SIZE / SECTION_ALIGNMENT differently for 32 bit architectures (probably the same as we do for non-PAL in your change) to reduce the virtual address space consumption.
There was a problem hiding this comment.
@janvorli That sounds reasonable. Do you have a particular guard name to recommend? We could just use the larger PAL_MAX_PAGE_SIZE for TARGET_ARM64.... I was using the generic PAL because of something @jkotas had said. I also liked the idea of this being in amd64 CI testing, since arm64 testing is so light.
There was a problem hiding this comment.
You can use BIT64 && FEATURE_PAL to enable it for ARM64 and AMD64, since the cross tools are built for the same bitness of host and target architecture. I guess that if we changed that in the future, we would introduce something like TARGET_BIT64.
src/pal/src/map/map.cpp
Outdated
| @@ -2445,7 +2439,7 @@ void * MAPMapPEFile(HANDLE hFile) | |||
| // First try to reserve virtual memory using ExecutableAllcator. This allows all PE images to be | |||
| // near each other and close to the coreclr library which also allows the runtime to generate | |||
| // more efficient code (by avoiding usage of jump stubs). | |||
| loadedBase = ReserveMemoryFromExecutableAllocator(pThread, virtualSize); | |||
| loadedBase = ReserveMemoryFromExecutableAllocator(pThread, ((virtualSize-1) & ~VIRTUAL_PAGE_MASK) + VIRTUAL_PAGE_SIZE); | |||
There was a problem hiding this comment.
This calculation is incorrect. The allocated size needs to be the size of the virtual address space range that is needed to map the whole executable file on the current system. That can be more than just the virtualSize aligned up to the page size (each section mapped with adjustment requires one more page of virtual memory)
There was a problem hiding this comment.
@janvorli virtualSize covers the whole virtual size of the file including the holes. It seems to be correct.
There was a problem hiding this comment.
@sdmaclea your explanation of the virtual address padding explains this as well.
| @@ -55,7 +55,13 @@ void ZapWriter::Initialize() | |||
| m_FileAlignment = 0x200; | |||
| } | |||
|
|
|||
| #if defined(FEATURE_PAL) && defined(BIT64) | |||
There was a problem hiding this comment.
Looks like this change broke arm32
There was a problem hiding this comment.
I forced the file alignment back to 4K for 32 bit systems.
|
@janvorli @jkotas I think I have responded to all feedback. All checks are passing. I am working on #10981, but I am realizing the clean up of VIRTUAL_PAGE_MASK and VIRTUAL_PAGE_SIZE will introduce merge conflicts with this PR I wanted to keep the patches separate to make them easier to review. I can remerge them if you think it is best. I can put a temporary workaround to avoid the merge conflict. I think I can make all the changes to #10981 except the ones to src/pal/src/map/map.cpp. |
Also simplify previous section code
|
@dotnet-bot |
|
Ubuntu arm Cross passed once and failed twice with segmentation faults in two different tests. @dotnet-bot |
|
@sdmaclea When do you expect to have this merged? I believe the changes you have made in this PR will help my PR (#11040) as the alignment issue you are fixing will help my change consume IL assembly of CoreLib being bound as NI image (thanks to @janvorli who helped investigate the issue on Friday) as opposed to forcing bind as IL assembly. |
|
@gkhanna79 I am ready to have this merged. |
|
LGTM |
* Remove PAL FileAlignment restriction * Address PR dotnet#10959 feedback * Fix amd64 crossgen error * Respond to review feedback * Fix arm32 regression * Prepare to remove VIRTUAL_PAGE_* from map.cpp Also simplify previous section code * Rename function to GetVirtualPageSize()
This change removes the requirement of crossgen native images on PAL systems to have FileAlignmnet set to a multiple of the OS_PAGE_SIZE.
For arm64 with 64K pages this saves 3*64K pages of zero padding in the smallest native images. For larger native images this may result in 50% of this savings.
4K page platforms this only save 8K for the smallest native images.