Pinned heap test

[awortman-fastly]

This gets everything in place to use a pinned register for heap accesses via bytecodealliance/cranelift#960

There's a subset of this PR that's just updating to match changed Cranelift APIs - I'll pull that out into a subsequent PR the master I'd branched from was out of date, oops.

[awortman-fastly]

the only concrete numbers I have about the performance differences are some Sightglass runs from my laptop, but as the ambient temperature is currently ~15F warmer than the last time, the numbers don't line up perfectly. So I'm mostly drawing conclusions from the difference in ratio between Reference and lucet. I've discarded Reference rows because "Ratio" is just 1 there.

Non-pinned heap ("before"):

Test	Implementation	Ratio	Median	RSD
ackermann	lucet	1.3497690955373756	1035558	80.81326299594924
base64	lucet	1.7049816285876038	174674942	0.5035638990093719
ctype	lucet	1.758364701632716	329640990	0.4957456489056921
ed25519	lucet	7.477161682868312	4181957083	0
fib2	lucet	1.8590415777221458	1070147771.5	0.4289146275539405
gimli	lucet	1.4933154109750066	2271685	1.278864057596692
heapsort	lucet	1.2326417210958405	974244667	0.20300844929291942
keccak	lucet	2.5368950038835947	11395112	3.8580133072682474
matrix	lucet	2.221355676162694	434864990	1.5867289106775067
matrix2	lucet	2.4150091294003895	240163106	1.3535470418596176
memmove	lucet	1.7799183511381713	24261785	1.1976171298183707
minicsv	lucet	7.050450260371652	1621859544.5	0.26518726546556975
nestedloop	lucet	1.1592762434945167	9393544	1.6173809770515533
nestedloop2	lucet	0.671959992968874	6342825	2.436564327545389
nestedloop3	lucet	0.27547542614405846	163876	2.7599856044926225
random	lucet	0.7175197626697932	348022234.5	0.5228691296719775
random2	lucet	0.7127668768981302	341701984.5	2.2782899093146844
ratelimit	lucet	1.6941663848517983	19494684	2.0380999890430234
sieve	lucet	1.9828161869542846	587013323.5	2.1932126627284925
strcat	lucet	17.040259669994416	144075681.5	2.3932809473020282
strcat2	lucet	20.625676475744793	7161904	3.404230088398167
strchr	lucet	5.7891578983741825	67088577	1.4925247183306705
strlen	lucet	9.840970705948012	87787337	0.9666343672128155
strtok	lucet	8.02946654635939	660564025.5	0.3473319485938872
switch	lucet	1.3028286107396605	50413511	1.5446069738932588
switch2	lucet	0.430411037669344	490633596	2.484274692072736
xblabla20	lucet	2.84512242728933	2849247	3.1778931414118827
xchacha20	lucet	2.0375535491201613	3374187.5	1.5134369942187658

pinned heap register ("after"):

Test	Implementation	Ratio	Median	RSD
ackermann	lucet	1.4620605468289882	1347599	54.029717544789385
base64	lucet	1.6835017995026433	168391817.5	0.09001058250840455
ctype	lucet	1.3982634699455792	252781229.5	0.16414966172530512
ed25519	lucet	6.774986744501223	3647992473	0
fib2	lucet	2.0046666218076012	1104451622	0.4173922050435297
gimli	lucet	1.5239097286264993	2172600	0.5648204394814204
heapsort	lucet	1.2688215765441129	947780968	0.029684029342732957
keccak	lucet	2.4332253591211668	9959253	0.5591637675062976
matrix	lucet	1.9775306281523257	348267019.5	0.5396611690686817
matrix2	lucet	2.0519754684381812	183044835	0.10531159689254153
memmove	lucet	1.8120357378497154	22011044.5	0.3632578275346738
minicsv	lucet	6.978831622173378	1424251349	1.2508617497438925
nestedloop	lucet	1.7873879607207188	13316424	0.4853649719651437
nestedloop2	lucet	0.6575367429714356	5785857.5	3.8075935332877635
nestedloop3	lucet	0.20864130861442642	118009	1.8739689077906179
random	lucet	0.7365050326165821	339029208	0.07325079176035568
random2	lucet	0.7243201174314742	333024359	0.04767769356161239
ratelimit	lucet	1.519709683740532	16308543	0.36157044204779987
sieve	lucet	1.6436880037750063	443002483	0.04738028061537858
strcat	lucet	18.401195239214584	135428405.5	0.6445343425051565
strcat2	lucet	21.162202846513647	6600503	1.1195542994281162
strchr	lucet	6.111496110575047	60829990	1.0114173010716274
strlen	lucet	10.57143945046239	80653182	0.19341943247679888
strtok	lucet	7.1805648196657055	531786041	0.0781122098995218
switch	lucet	1.1324837800991006	40307856	0.5600859662614226
switch2	lucet	0.39359105117216864	424761491	0.2555577651093005
xblabla20	lucet	2.233134133534792	1994917	0.9245448776856623
xchacha20	lucet	1.5287542058647055	2248939	0.796896505137868

Ackermann is the most dramatic difference, which is not exactly expected, and I want to look into why. The rest are pretty close to before or 10-20% faster, which is closer to my expectation both from Benjamin's reported difference and estimation looking at the earlier generated code.

Edit: updated "before" with a more appropriate "before" - master as of today. That uses cranelift 0.40, rather than the relatively old (~2 months ago?) numbers that were present before. ackermann is still slower, and I'm still not sure why, but it's less dramatic than before.

[iximeow]

Now that ModuleFeatures exists I can suggest we might want to merge this :D I'm not convinced this feature is sufficiently tested, but the change to enable it is pretty straightforward. I'll update the benchmark numbers as well.

[pchickey]

Tests are failing to compile because of the wrong number of args to Compiler::new - probably needs to be rebased or merged with master

[iximeow]

turns out I'd only run lucet-runtime tests, not the rest of the repo. agh.

[shravanrn]

@iximeow - just saw your comment on the cranelift thread. This PR looks great! I think this may allow me to prototype my changes for now. So eagerly waiting for this to land 👍

[pchickey]

Awesome. This will create a merge conflict with #418, can you follow up with a patch into that PR which will resolve it?

[iximeow]

In collecting performance numbers from now, rather than the ones from September, I found that I neglected to pass the state of the flag through to the compiler. oops.

With that fixed, I have new numbers, and a surprising finding: on my desktop, an i7-3960x, the use or lack thereof of a pinned heap register makes for what seems to be no difference.

From this machine..

No pinned register (default), Ratio is with respect to a constant gcc -O3 baseline with the same programs:

Test	Implementation	Ratio	Median	RSD
ackermann	lucet	1.5637933411283929	1187861	54.31437059311522
base64	lucet	1.5526403643303204	234449814	0.3532710495550391
ctype	lucet	1.4580739381554952	373201566	0.28176426211953676
ed25519	lucet	6.7795869174559185	4834457418	0
fib2	lucet	2.394942513079342	1482472586.5	0.16782160225558346
gimli	lucet	1.296967054425645	2520565	0.7716317091302847
heapsort	lucet	1.3542201742989588	1017075876.5	0.5604008035774486
keccak	lucet	4.926551899181085	26644118.5	0.5718299875632771
matrix	lucet	3.239483604410945	569278712.5	0.3634076985149356
matrix2	lucet	2.2297744709689056	224119734	0.7559463449155032
memmove	lucet	2.3012286267166533	56765826	1.3438348128760715
minicsv	lucet	15.27591898915007	3933197679	0
nestedloop	lucet	1.525300952656632	19491353	0.08108595392699751
nestedloop2	lucet	0.9798863502701631	13781941	0.3528443401165118
nestedloop3	lucet	0.21235646549887716	172278	0.6966882167516183
random	lucet	0.6954819228600096	322425407	0.03225875533666781
random2	lucet	0.6435776125716709	298899451	0.10823601230700386
ratelimit	lucet	1.6510443150604917	26153620.5	0.2330014630349927
sieve	lucet	2.342069510743626	568777062.5	0.27042644753530737
strcat	lucet	15.275136039913274	243506323	0.3060681016420104
strcat2	lucet	48.40839930622152	21380768	1.1560211600795045
strchr	lucet	3.7303091420791583	88194381	0.8497250127663863
strlen	lucet	10.042818518960107	144549078	0.7732013967262826
strtok	lucet	10.059733654408133	850344855	0.3620899123190202
switch	lucet	1.4273159496150687	48353160	0.5991477160304972
switch2	lucet	0.4507521750809396	542428337	0.9558004123872323
xblabla20	lucet	2.430887983861857	3136035	0.8657217130770715
xchacha20	lucet	1.6127195732390818	3055632	0.7116388282057021

r15 reserved for use as heap base (pinned), Ratio is with respect to the same gcc -O3 baselines, so lower is better:

Test	Implementation	Ratio	Median	RSD
ackermann	lucet	1.403035844539617	1188800.5	46.733713625669196
base64	lucet	1.583537752836171	234515189	0.5460962231184041
ctype	lucet	1.3535628066370116	373701174	0.659720839852311
ed25519	lucet	6.810980976332897	4829108682	0
fib2	lucet	2.403580938211954	1485638739.5	0.2308824780158125
gimli	lucet	1.292584205437577	2524908	0.2510401991542337
heapsort	lucet	1.3526333392933936	1016497185	0.45739716621457926
keccak	lucet	4.97645153337064	26692325	0.5025957669073279
matrix	lucet	3.241459447205686	566149287.5	0.19913929237375175
matrix2	lucet	2.235472754727956	223252039	0.3597995492023506
memmove	lucet	2.2855313547181257	56722964	0.054937344236300846
minicsv	lucet	15.232175768377363	3921093057	0
nestedloop	lucet	1.5318667786413838	19504902	0.8997904180054104
nestedloop2	lucet	0.9787335994975528	13771069	0.42098101329288895
nestedloop3	lucet	0.20887960120125418	171277	0.8482630245273831
random	lucet	0.6952903487097627	322366860	0.03739181233884482
random2	lucet	0.6434077533754771	298755362	0.07060502421963766
ratelimit	lucet	1.6595709116594182	26150776	0.9283957693468758
sieve	lucet	2.351649741974459	570865178	0.2583188418506959
strcat	lucet	15.211365559257828	242931938	0.45918650409412665
strcat2	lucet	48.26509191635153	21386620.5	1.3972489839954882
strchr	lucet	3.7711672280019974	87918656	0.7827726903705284
strlen	lucet	10.112712253532377	144475132	0.4021050472631639
strtok	lucet	10.019874043332138	847376866	0.1329673400563626
switch	lucet	1.4346111923017144	48174142	2.4170905867367245
switch2	lucet	0.44366567040887156	535120806	0.7130303937161252
xblabla20	lucet	2.540109289442898	3156534	2.8352448169658087
xchacha20	lucet	1.6023758276514202	3059118	1.1339151020861913

I don't totally trust ackermann differences to be attributable to this change - it's generally quite variable and in some sightglass runs it appears to be slightly slower post-change. I don't have a good explanation for the variability either way, though.

I was hesitant to accept these numbers since they're so constant, but I checked the generated assembly and it all seems correct:

before:

|   sym.guest_func_ackermann_body ();
|           0x00024390      55             push rbp
|           0x00024391      4889e5         mov rbp, rsp
|           0x00024394      53             push rbx
|           0x00024395      4156           push r14
|           0x00024397      4157           push r15
|           0x00024399      4883ec18       sub rsp, 0x18
|           0x0002439d      4889bc240800.  mov qword [local_8h], rdi
|           0x000243a5      89b424140000.  mov dword [local_14h], esi
|           0x000243ac      4189f7         mov r15d, esi
|           0x000243af      4489f8         mov eax, r15d
|           0x000243b2      488984240000.  mov qword [rsp], rax
|           0x000243ba      4989ff         mov r15, rdi
|           0x000243bd      4989c6         mov r14, rax
|           0x000243c0      438b0437       mov eax, dword [r15 + r14]
|           0x000243c4      438b4c3704     mov ecx, dword [r15 + r14 + 4]
|           0x000243c9      4c89ff         mov rdi, r15
|           0x000243cc      4089c6         mov esi, eax
|           0x000243cf      4089ca         mov edx, ecx
|           0x000243d2      e8b9f6fdff     call sym.guest_func_10
|           0x000243d7      4c8bbc240800.  mov r15, qword [local_8h]
|           0x000243df      4c8bb4240000.  mov r14, qword [rsp]
|           0x000243e7      4389443708     mov dword [r15 + r14 + 8], eax
|           0x000243ec      448bbc241400.  mov r15d, dword [local_14h]
|           0x000243f4      4489f8         mov eax, r15d
|           0x000243f7      83c008         add eax, 8
|           0x000243fa      b950270000     mov ecx, 0x2750
|           0x000243ff      89c9           mov ecx, ecx
|           0x00024401      4c8bbc240800.  mov r15, qword [local_8h]
|           0x00024409      418b0c0f       mov ecx, dword [r15 + rcx]
|           0x0002440d      4863c9         movsxd rcx, ecx
|           0x00024410      488d153a8507.  lea rdx, qword obj.lucet_tables
|           0x00024417      488b5208       mov rdx, qword [rdx + 8]
|           0x0002441b      4839d1         cmp rcx, rdx
|       ,=< 0x0002441e      7202           jb 0x24422
|       |   0x00024420      0f0b           ud2
|       `-> 0x00024422      488d15188307.  lea rdx, qword obj.guest_table_0
|           0x00024429      48c1e104       shl rcx, 4
|           0x0002442d      488b1c0a       mov rbx, qword [rdx + rcx]
|           0x00024431      4883fb00       cmp rbx, 0
|       ,=< 0x00024435      7402           je 0x24439
|       |   0x00024437      0f0b           ud2
|       `-> 0x00024439      488b4c0a08     mov rcx, qword [rdx + rcx + 8] ; [0x8:8]=0
|           0x0002443e      4c89ff         mov rdi, r15
|           0x00024441      4089c6         mov esi, eax
|           0x00024444      ffd1           call rcx
|           0x00024446      4883c418       add rsp, 0x18
|           0x0002444a      415f           pop r15
|           0x0002444c      415e           pop r14
|           0x0002444e      5b             pop rbx
|           0x0002444f      5d             pop rbp
\           0x00024450      c3             ret

after:

|   sym.guest_func_ackermann_body ();
|           0x000235f0      55             push rbp
|           0x000235f1      4889e5         mov rbp, rsp
|           0x000235f4      53             push rbx
|           0x000235f5      4156           push r14
|           0x000235f7      4157           push r15
|           0x000235f9      4883ec18       sub rsp, 0x18
|           0x000235fd      4889bc240800.  mov qword [local_8h], rdi
|           0x00023605      89b424140000.  mov dword [local_14h], esi
|           0x0002360c      4189f6         mov r14d, esi
|           0x0002360f      4489f0         mov eax, r14d
|           0x00023612      488984240000.  mov qword [rsp], rax
|           0x0002361a      4989c6         mov r14, rax
|           0x0002361d      438b0437       mov eax, dword [r15 + r14]
|           0x00023621      438b4c3704     mov ecx, dword [r15 + r14 + 4]
|           0x00023626      4989fe         mov r14, rdi
|           0x00023629      4c89f7         mov rdi, r14
|           0x0002362c      4089c6         mov esi, eax
|           0x0002362f      4089ca         mov edx, ecx
|           0x00023632      e85904feff     call sym.guest_func_10
|           0x00023637      4c8bb4240000.  mov r14, qword [rsp]
|           0x0002363f      4389443708     mov dword [r15 + r14 + 8], eax
|           0x00023644      448bb4241400.  mov r14d, dword [local_14h]
|           0x0002364c      4489f0         mov eax, r14d
|           0x0002364f      83c008         add eax, 8
|           0x00023652      b950270000     mov ecx, 0x2750
|           0x00023657      89c9           mov ecx, ecx
|           0x00023659      418b0c0f       mov ecx, dword [r15 + rcx]
|           0x0002365d      4863c9         movsxd rcx, ecx
|           0x00023660      488d15924607.  lea rdx, qword obj.lucet_tables
|           0x00023667      488b5208       mov rdx, qword [rdx + 8]    ; [0x8:8]=0
|           0x0002366b      4839d1         cmp rcx, rdx
|       ,=< 0x0002366e      7202           jb 0x23672
|       |   0x00023670      0f0b           ud2
|       `-> 0x00023672      488d15704407.  lea rdx, qword obj.guest_table_0
|           0x00023679      48c1e104       shl rcx, 4
|           0x0002367d      488b1c0a       mov rbx, qword [rdx + rcx]
|           0x00023681      4883fb00       cmp rbx, 0
|       ,=< 0x00023685      7402           je 0x23689
|       |   0x00023687      0f0b           ud2
|       `-> 0x00023689      488b4c0a08     mov rcx, qword [rdx + rcx + 8] ; [0x8:8]=0
|           0x0002368e      4c8bb4240800.  mov r14, qword [local_8h]   ; [0x8:8]=0
|           0x00023696      4c89f7         mov rdi, r14
|           0x00023699      4089c6         mov esi, eax
|           0x0002369c      ffd1           call rcx
|           0x0002369e      4883c418       add rsp, 0x18
|           0x000236a2      415f           pop r15
|           0x000236a4      415e           pop r14
|           0x000236a6      5b             pop rbx
|           0x000236a7      5d             pop rbp
\           0x000236a8      c3             ret

giveaways that this change is actually making it through to generated code are the missing 0x000243ba 4989ff mov r15, rdi in after, as well as a few removed reloads of r15 like 0x00024401 4c8bbc240800. mov r15, qword [local_8h].

My suspicion is that the changes to make reloads of spilled registers a few months ago happen to achieve a similar effect as keeping the heap base in r15 in most circumstances. That change had reloads prefer the reversed register list, starting from r15 ending with rax, which is why r15 is so often used in before regardless of pinning.

Either way! Given that this is still useful for @shravanrn's work I'll fix the imminent merge conflict with #418 and not sweat the performance difference too much.

[shravanrn]

Thanks a bunch. Looking forward to this landing 👍 I have plans to use this right away :)

[shravanrn]

@pchickey @iximeow Hmm... I just tried this out and noticed that the heap base (r15) is still spilt and unspilt. Is there an easy way to remove this as well? While this is probably of minor perf impact, it does play havoc with the spectre mitigations I'm working on. Please let me know!

__attribute__((noinline))
void spec_printBranch2(int val)
{
    for(int i = 0; i < val; i++){
        printf("Val: %d\n", val);
    }
}

000000000000f600 <guest_func_spec_printBranch2>:
    f600:	55                   	push   %rbp
    f601:	48 89 e5             	mov    %rsp,%rbp
    f604:	41 54                	push   %r12
    f606:	41 55                	push   %r13
    f608:	41 56                	push   %r14
--------------------------------heap base being spilt
    f60a:	41 57                	push   %r15
    f60c:	48 83 ec 20          	sub    $0x20,%rsp
    f610:	48 89 bc 24 08 00 00 	mov    %rdi,0x8(%rsp)
    f617:	00 
    f618:	89 b4 24 1c 00 00 00 	mov    %esi,0x1c(%rsp)
    f61f:	49 89 fe             	mov    %rdi,%r14
    f622:	49 8b 46 f0          	mov    -0x10(%r14),%rax
    f626:	8b 00                	mov    (%rax),%eax
    f628:	83 c0 f0             	add    $0xfffffff0,%eax
    f62b:	89 84 24 18 00 00 00 	mov    %eax,0x18(%rsp)
    f632:	49 8b 46 f0          	mov    -0x10(%r14),%rax
    f636:	44 8b b4 24 18 00 00 	mov    0x18(%rsp),%r14d
    f63d:	00 
    f63e:	44 89 30             	mov    %r14d,(%rax)
    f641:	41 89 f6             	mov    %esi,%r14d
    f644:	41 83 fe 01          	cmp    $0x1,%r14d
    f648:	7c 7d                	jl     f6c7 <guest_func_spec_printBranch2+0xc7>
    f64a:	44 8b b4 24 18 00 00 	mov    0x18(%rsp),%r14d
    f651:	00 
    f652:	44 89 f0             	mov    %r14d,%eax
    f655:	48 89 84 24 00 00 00 	mov    %rax,0x0(%rsp)
    f65c:	00 
    f65d:	b8 00 04 00 00       	mov    $0x400,%eax
    f662:	89 84 24 14 00 00 00 	mov    %eax,0x14(%rsp)
    f669:	41 89 f6             	mov    %esi,%r14d
    f66c:	44 89 b4 24 10 00 00 	mov    %r14d,0x10(%rsp)
    f673:	00 
    f674:	44 8b b4 24 1c 00 00 	mov    0x1c(%rsp),%r14d
    f67b:	00 
    f67c:	4c 8b ac 24 00 00 00 	mov    0x0(%rsp),%r13
    f683:	00 
    f684:	47 89 34 2f          	mov    %r14d,(%r15,%r13,1)
    f688:	4c 8b b4 24 08 00 00 	mov    0x8(%rsp),%r14
    f68f:	00 
    f690:	44 8b ac 24 14 00 00 	mov    0x14(%rsp),%r13d
    f697:	00 
    f698:	44 8b a4 24 18 00 00 	mov    0x18(%rsp),%r12d
    f69f:	00 
    f6a0:	4c 89 f7             	mov    %r14,%rdi
    f6a3:	44 89 ee             	mov    %r13d,%esi
    f6a6:	44 89 e2             	mov    %r12d,%edx
    f6a9:	e8 22 42 00 00       	callq  138d0 <guest_func_printf>
    f6ae:	44 8b b4 24 10 00 00 	mov    0x10(%rsp),%r14d
    f6b5:	00 
    f6b6:	41 83 c6 ff          	add    $0xffffffff,%r14d
    f6ba:	44 89 b4 24 10 00 00 	mov    %r14d,0x10(%rsp)
    f6c1:	00 
    f6c2:	45 85 f6             	test   %r14d,%r14d
    f6c5:	75 ad                	jne    f674 <guest_func_spec_printBranch2+0x74>
    f6c7:	44 8b b4 24 18 00 00 	mov    0x18(%rsp),%r14d
    f6ce:	00 
    f6cf:	41 83 c6 10          	add    $0x10,%r14d
    f6d3:	4c 8b ac 24 08 00 00 	mov    0x8(%rsp),%r13
    f6da:	00 
    f6db:	49 8b 45 f0          	mov    -0x10(%r13),%rax
    f6df:	44 89 30             	mov    %r14d,(%rax)
    f6e2:	48 83 c4 20          	add    $0x20,%rsp
--------------------------------heap base being unspilt
    f6e6:	41 5f                	pop    %r15
    f6e8:	41 5e                	pop    %r14
    f6ea:	41 5d                	pop    %r13
    f6ec:	41 5c                	pop    %r12
    f6ee:	5d                   	pop    %rbp
    f6ef:	c3                   	retq   

[iximeow]

I think in cases of cranelift-calling-cranelift we can avoid spilling, but at calls to non-cranelift code it would depend on the calling convention we're conforming with. sysv (linux/macos) and microsoft calling conventions look to require r15 be preserved, so maybe it'd end up straightforward anyway. Can you expand on how the spill/reload impacts your mitigation work? It'd be good to note as a motivator for changes in Cranelift.

[shravanrn]

Its a little difficult to summarize, but we will be submitting a paper shortly with details and I can share that writeup with you. But the short version is that this is necessary to prevent abuse of store to load forwarding to read outside the sandbox memory. If we ever unspill into r15, speculatively, it is possible to trick the processor into believe the heap_base register holds some other value allowing a read from outside the heap bounds.

[iximeow]

I'm not deeply familiar with load forwarding but I assume you mean that at the tail end of a call after reloading r15 a heap access might speculate with r15 as it was before reload? Since r15 isn't eligible for allocation when pinned, it should be impossible that pop r15 in code from Cranelift, with heap pinning enabled, actually changes the value in that register.

A similar instance of this would crop up when making hostcalls though, since we'd be calling into native code with no register allocation constraints, and it could be possible to construct code with a heap (r15) access right around when r15 was changed by a hostcall.

Either way, I'll happily read the paper once submitted! And the push/pop are definitely unnecessary in this case.

[shravanrn]

Hi @pchickey @awortman-fastly @iximeow
So far, I have been prototyping from @awortman-fastly 's fork for testing the pinned heap. I am now starting the final clean implementation for the paper. Any chance this this PR may be landed here, or would the best option be to continue working from the fork?

[pchickey]

This PR was closed as a byproduct of deleting the branch named master. If this is still an active PR, re-open as a new PR against main.

[awortman-fastly]

closing in favor of #512