Skip to content

[USMP] add missing const specifier for global_const_workspace#16999

Merged
Lunderberg merged 1 commit intoapache:mainfrom
PhilippvK:fix-usmp-rodata-const
May 23, 2024
Merged

[USMP] add missing const specifier for global_const_workspace#16999
Lunderberg merged 1 commit intoapache:mainfrom
PhilippvK:fix-usmp-rodata-const

Conversation

@PhilippvK
Copy link
Contributor

@PhilippvK PhilippvK commented May 15, 2024
edited
Loading

The .rodata* section of any program should not be writable.

The missing const specifier in static struct global_const_workspace {...} leads to the following readelf -e output (shortened):

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        00000000 001000 009fbe 00  AX  0   0 16
  [ 2] .rodata           PROGBITS        00009fc0 00afc0 000e50 00  WA  0   0 16
  [ 3] .srodata          PROGBITS        0000ae10 00be10 000068 08  AM  0   0  8
  ...

After this fix, the output looks as follows (AW -> A):

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        00000000 001000 00a1be 00  AX  0   0 16
  [ 2] .rodata           PROGBITS        0000a1c0 00b1c0 000e50 00   A  0   0 16
  [ 3] .srodata          PROGBITS        0000b010 00c010 000070 00   A  0   0  8

More context

This bug affects the default_lib0.c file generated when using CRT AoT & USMP. See this shortened example:

Before fix:

__attribute__((section(".rodata.tvm"), ))
static struct global_const_workspace {
  float fused_constant_1_let[256] __attribute__((aligned(16))); // 1024 bytes, aligned offset: 0
  ...
} global_const_workspace = {
  .fused_constant_1_let = {
    0x1.05a71cp-3, 0x1.660c26p-2, 0x1.9765b6p-2, 0x1.dc7fdp-5, 0x1.4f3b88p-4, 0x1.1bdb82p-2, 0x1.f2443cp-3, 0x1.d3f5e4p-3,
    ...
  },
};// of total size 1284 bytes

After fix:

__attribute__((section(".rodata.tvm"), ))
static const struct global_const_workspace {
  float fused_constant_1_let[256] __attribute__((aligned(16))); // 1024 bytes, aligned offset: 0
  ...
} global_const_workspace = {
  .fused_constant_1_let = {
    0x1.05a71cp-3, 0x1.660c26p-2, 0x1.9765b6p-2, 0x1.dc7fdp-5, 0x1.4f3b88p-4, 0x1.1bdb82p-2, 0x1.f2443cp-3, 0x1.d3f5e4p-3,
    ...
  },
};// of total size 1284 bytes

Example on Compiler Explorer: https://godbolt.org/z/vrs8EnnWf

cc @Lunderberg

@PhilippvK
[USMP] add missing const specifier for global_const_workspace
ffa22f8 
The `.rodata*` section of any program should not be writable.

The missing `const` specifier in `static struct global_const_workspace {...}` leads
to the following `readelf -e` output (shortened):

```
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        00000000 001000 009fbe 00  AX  0   0 16
  [ 2] .rodata           PROGBITS        00009fc0 00afc0 000e50 00  WA  0   0 16
  [ 3] .srodata          PROGBITS        0000ae10 00be10 000068 08  AM  0   0  8
  ...
```

After this fix, the output looks as follows (`AW` -> `A`):

```
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        00000000 001000 00a1be 00  AX  0   0 16
  [ 2] .rodata           PROGBITS        0000a1c0 00b1c0 000e50 00   A  0   0 16
  [ 3] .srodata          PROGBITS        0000b010 00c010 000070 00   A  0   0  8
```
@github-actions github-actions bot requested a review from Lunderberg May 15, 2024 12:53
@Lunderberg
Copy link
Contributor

Lunderberg commented May 20, 2024
edited
Loading

Thank you for the fix, and that definitely sounds like a good fix to have. What effect did the non-const .rodata have, and can we also add a test case for it?

My naive guess would have been that the OS-level protections against writing to the .rodata section would have still been present, but language-level const checks wouldn't have been, and that any attempted writes to the .rodata fields would have resulted in runtime errors. Was that the case, and if so can we assert that a compile-time error is raised for these attempted writes instead?

@PhilippvK
Copy link
Contributor Author

PhilippvK commented May 20, 2024
edited
Loading

What effect did the non-const .rodata have, and can we also add a test case for it?

I got the following linker warnings when building using a recent RISC-V Gnu toolchain:

ld: warning: ../bin/prog has a LOAD segment with RWX permissions

I first expected this to be a bug in the linker script but found the TVM bug when trying to solve it.

At runtime (baremetal-level instruction set simulation) this had no impact. However I did not tried it on other architectures.

Was that the case, and if so can we assert that a compile-time error is raised for these attempted writes instead?

I have no idea if turning this specific linker-warning into an error is feasible. I guess --fatal-warnings would catch it, but we would threat any warning as an error (like gcc -Wall) which is probably to much.

I will try test this also on other targets with other target devices to find out if I can trigger any runtime errors caused by this bug.

Update:

With other targets, I got a similar warning even before linkage:

/tmp/cc3NSE9o.s: Assembler messages:
/tmp/cc3NSE9o.s:27: Warning: setting incorrect section attributes for .rodata.tvm

Lunderberg
Lunderberg approved these changes May 20, 2024
View reviewed changes
Copy link
Contributor

@Lunderberg Lunderberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense, both on the warning encountered and the difficulty of making a targeted test case for it. I suppose in principle we could capture stdout/stderr for a test compilation and assert that both are empty, but that would still be a very compiler-dependent test.

Approved!

@PhilippvK
Copy link
Contributor Author

PhilippvK commented May 23, 2024

@Lunderberg CI passed. Can we merge this?

@Lunderberg Lunderberg merged commit b1951a7 into apache:main May 23, 2024
@Lunderberg
Copy link
Contributor

Lunderberg commented May 23, 2024

Can do, and thank you on the ping!

@PhilippvK PhilippvK deleted the fix-usmp-rodata-const branch May 23, 2024 16:43
@ysh329 ysh329 mentioned this pull request Jul 20, 2024
Closed
@kurisu6912 kurisu6912 mentioned this pull request Sep 5, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Lunderberg Lunderberg Lunderberg approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PhilippvK @Lunderberg