mpk: optimize layout of protected stripes, again #7622
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is another attempt at bytecodealliance#7603, attempting reduce the slab layout sizes of MPK-protected stripes. While experimenting with the limits of MPK-protected memory pools, @alexcrichton and I discovered that the current slab layout calculations were too conservative. This meant that the memory pool could not pack in as many memories as it should have been able: we were expecting, but not seeing, ~15x more memory slots over non-MPK memory pools. This change brings together several fixes: - it more aggressively divides up the stripes (as in b212152) - it eliminates an extra stripe (as in 8813a30) - it replaces some uses of `checked_*` with `saturating_*` (as in fb22a20) - it improves some documentation - and, crucially, it reports back a larger value for `memory_and_guard_size` The failures observed with bytecodealliance#7603 when run with MPK (`WASMTIME_TEST_FORCE_MPK=1 cargo test`) were due to `Store::wasm_fault` not being able to identify which memory an OOB address belonged to. This is because the `MemoryPool` was underreporting the size of the region in which OOB accesses would fault. The correct value is provided by the new `SlabLayout::bytes_to_next_stripe_slot`: any OOB access within that larger region must fault because (1) the other stripes have different protection keys and (2) a `Store` can only use one protection key. We also use (2) to guarantee that `Store::wasm_fault` will be able to calculate the Wasm address from the raw address. This change also provides a new `traps` test that will reproduce the failures from bytecodealliance#7603; if we observe `SIGABRT` from that test, it will be a regression.
abrown
requested review from
pchickey and
alexcrichton
and removed request for
a team
|
I manually checked that the following pass:
Running the example program from #7609, I see expected improvements in the number of slots: $ cargo run --example mpk
without MPK: 14713 memory slots 86.2 TiB reserved
with MPK: 220685 memory slots 86.2 TiB reserved
14.999x more slots per reserved memory |
alexcrichton
approved these changes
Dec 1, 2023
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
This is kind of interesting: arm64 is miscomputing the It should be |
|
Ah that's expected that some platforms report a different faulting address rounded to some boundary. s390x will round it to a page boundary I think. There's a similar test to what you're doing here which should be ok to copy |
alexcrichton
approved these changes
Dec 1, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is another attempt at #7603, attempting reduce the slab layout sizes of MPK-protected stripes. While experimenting with the limits of MPK-protected memory pools, @alexcrichton and I discovered that the current slab layout calculations were too conservative. This meant that the memory pool could not pack in as many memories as it should have been able: we were expecting, but not seeing, ~15x more memory slots over non-MPK memory pools.
This change brings together several fixes:
checked_*withsaturating_*(as in fb22a20)memory_and_guard_sizeThe failures observed with #7603 when run with MPK (
WASMTIME_TEST_FORCE_MPK=1 cargo test) were due toStore::wasm_faultnot being able to identify which memory an OOB address belonged to. This is because theMemoryPoolwas underreporting the size of the region in which OOB accesses would fault. The correct value is provided by the newSlabLayout::bytes_to_next_stripe_slot: any OOB access within that larger region must fault because (1) the other stripes have different protection keys and (2) aStorecan only use one protection key. We also use (2) to guarantee thatStore::wasm_faultwill be able to calculate the Wasm address from the raw address.This change also provides a new
trapstest that will reproduce the failures from #7603; if we observeSIGABRTfrom that test, it will be a regression.