On 04/03/2020 10:25, Jan Beulich wrote: > On 03.03.2020 19:24, Andrew Cooper wrote: >> ITSC being visible to the guest is currently implicit with the toolstack >> unconditionally asking for it, and Xen clipping it based on the vTSC and/or >> XEN_DOMCTL_disable_migrate settings. >> >> This is problematic for several reasons. >> >> First, the implicit vTSC behaviour manifests as a real bug on migration to a >> host with a different frequency, with ITSC but without TSC scaling >> capabilities, whereby the ITSC feature becomes advertised to the guest. ITSC >> will disappear again if the guest migrates to server with the same frequency >> as the original, or to one with TSC scaling support. >> >> Secondly, disallowing ITSC unless the guest doesn't migrate is conceptually >> wrong. It is common to have migration pools of identical hardware, at which >> point the TSC frequency is the same, > This statement is too broad: Pools of identical hardware may have the same > nominal frequencies, but two distinct systems are hardly ever going to have > the exact same actual (measured or even real) frequencies.
There is no such thing as truly invariant TSC. Even with the best hardware in the world, the reference frequency will change based on physical properties of the surroundings, including things like ambient temperature. i.e. even a single server, sitting in a datacenter is likely to see a fractional change in frequency across a 24h period. What matters is the error margins, and how long until it manifests as a noticeable difference. > Recall Olaf's vTSC-tolerance patch that still hasn't landed anywhere? This is a different problem. Even on the same system, errors in Xen's frequency calculations can differ by several hundred kHz (iirc), boot to boot, making it quite useless for answering the question "am I running at the frequency the guest saw before?", which is how we just whether to intercept TSC accesses or not. There are things which can be done about this, such as using frequency data provided by the CPU directly (rather than correlating it with a separate timesource). At that point, the only difference between two identical systems will be the variability in the reference clock, and PLL circuitry which ultimately multiplies it up from 19.2/25/100 MHz to the 1-3.5GHz typically encountered for core frequencies. > >> and more modern hardware has TSC scaling >> support anyway. In both cases, it is safe to advertise ITSC and migrate the >> guest. >> >> Remove all implicit logic logic in Xen, and make ITSC part of the max CPUID >> policies for guests. Plumb an itsc parameter into xc_cpuid_apply_policy() >> and >> have libxl__cpuid_legacy() fill in the two cases where it can reasonably >> expect ITSC to be safe for the guest to see. >> >> This is a behaviour change for TSC_MODE_NATIVE, where the ITSC will now >> reliably not appear, and for the case where the user explicitly requests >> ITSC, >> in which case it will appear even if the guest isn't marked as nomigrate. > How sensible is it to allow the user to request something like ITSC with > no respective support underneath? Right now, Xen will ignore ITSC if the hardware isn't capable, just like any other missing feature flag. When we get the policy auditing logic in better shape, I intend to reject requests which can't be fulfilled. > Shouldn't we translate such a request > into enabling vTSC if there's no ITSC on the platform? No, because a) doing things implicitly like this is the root of far too many bugs, this patch included, and b) it probably isn't what the user wants. The reason to play around with TSC settings will ultimately to be try and avoid intercepting RDTSC, because the performance hit from interception dominates most other factors. > Actually looking > at the change to libxl__cpuid_legacy() I wonder whether you don't instead > mean "requests vTSC" here. I don't see how you come to that conclusion. It is two separate cases where the toolstack can reasonably expect the guest-observed frequency not to differ. > >> Signed-off-by: Andrew Cooper <andrew.coop...@citrix.com> > Assuming I understand the tools side changes correctly, hypervisor > side > Reviewed-by: Jan Beulich <jbeul...@suse.com> Thanks, but the above confusion wants resolving first. > >> --- a/tools/libxl/libxl_cpuid.c >> +++ b/tools/libxl/libxl_cpuid.c >> @@ -418,6 +418,7 @@ void libxl__cpuid_legacy(libxl_ctx *ctx, uint32_t domid, >> int i; >> char *cpuid_res[4]; >> bool pae = true; >> + bool itsc; >> >> /* >> * For PV guests, PAE is Xen-controlled (it is the 'p' that >> differentiates >> @@ -432,7 +433,22 @@ void libxl__cpuid_legacy(libxl_ctx *ctx, uint32_t domid, >> if (info->type == LIBXL_DOMAIN_TYPE_HVM) >> pae = libxl_defbool_val(info->u.hvm.pae); >> >> - xc_cpuid_apply_policy(ctx->xch, domid, NULL, 0, pae); >> + /* >> + * Advertising Invariant TSC to a guest means that the TSC frequency >> won't >> + * change at any point in the future. >> + * >> + * We do not have enough information about potential migration >> + * destinations to know whether advertising ITSC is safe, but if the >> guest >> + * isn't going to migrate, then the current hardware is all that >> matters. >> + * >> + * Alternatively, an internal property of vTSC is that the values read >> are >> + * invariant. Advertise ITSC when we know the domain will have emualted >> + * TSC everywhere it goes. >> + */ >> + itsc = (libxl_defbool_val(info->disable_migrate) || >> + info->tsc_mode == LIBXL_TSC_MODE_ALWAYS_EMULATE); >> + >> + xc_cpuid_apply_policy(ctx->xch, domid, NULL, 0, pae, itsc); > What's the implication of this on non- or partly-libxl-based tool > stacks? Won't a change like this be needed there, too? In > particular, is libvirt using this function, such that we won't > have a perceived regression again? This function is private to libxl, and used consistently during domain building operations. c/s dacb80f9757c0 covered moving the predecessor from technically being part of the public API to being private, because it a) wasn't acutally used externally, and b) couldn't be used correctly by an external caller. Longer term, I do expect multi-host toolstacks to be able to obtain enough information to sensibly decide whether ITSC can safely be advertised, based on nominally identical frequencies across the resource pool, availability of TSC scaling support, and/or an accepted tolerance. I don't know exactly how this will look yet - there are higher priority activities with CPUID and MSR handling right now. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
