@aaron.ballman do you have any further comments for this patch?

In D111307#3119610, @yonghong-song wrote:

@aaron.ballman do you have any further comments for this patch?

Thanks for your patience -- this review is a bit of a challenge because the feature makes me deeply uncomfortable. It's so outside of the realm of how C behaves that it feels inappropriate to allow this behavior from an attribute with no other opt in required, but I struggle to articulate a path that would make me less uncomfortable. We require a BPF target AND we require the attribute to be used in system headers, so there is a sort of an opt in and safety rails to this already, but at the same time, this just... isn't C. We're not really extending C in this case, we're defining a wholly new C language. Hmmm, which made me go look to see if this is a conforming extension in C and I'm not certain it is because it seems like it can alter the behavior of a strictly conforming program (changes the meaning of object layouts, e.g.). @urnathan, do you get the same reading from Clause 4 of http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2731.pdf ?

This doesn't affect cross-TU well-formedness, mismatched type definintions in different TUs remain in UB/NDR territory. This doesn't change the meaning of a well-formed TU, because those never get into the conflicting situations that this affects. It does cause us to accept ill-formed translation units that one would expect a diagnostic for. I'm not sure if I can read clause 4 to say 'thou must issue a diagnostic', 4/1 just seems to say how you can stay in conformance, not what happens in [some] cases of falling outside it.

We allow violations of the constraint at 6.7/3, no more than one declaration of a particular identifier except as:
a) 6.7/2 bullet 1 (typedef redefinition)
b) 6.7.2.3/1 (struct et al defined at most once)

As you say, this is a most un-C-like direction.

In D111307#3122700, @urnathan wrote:

This doesn't affect cross-TU well-formedness, mismatched type definintions in different TUs remain in UB/NDR territory. This doesn't change the meaning of a well-formed TU, because those never get into the conflicting situations that this affects. It does cause us to accept ill-formed translation units that one would expect a diagnostic for. I'm not sure if I can read clause 4 to say 'thou must issue a diagnostic', 4/1 just seems to say how you can stay in conformance, not what happens in [some] cases of falling outside it.

Hmm, I was thinking about a situation like:

// BPF system header
__attribute__((bpf_dominating_decl)) typedef double foo; // This one now wins

// Original system header
typedef int foo;

// UserCode2.c
extern void func(int a, ...);

int main(void) {
  func(1, 2);
}

// UserCode1.c
#include "header.h"

void func(int a, ...) {
  va_list list;
  va_start(list, a);
  foo val = va_arg(list, foo); // This is now UB due to BPF
  va_end(list);
}

We allow violations of the constraint at 6.7/3, no more than one declaration of a particular identifier except as:
a) 6.7/2 bullet 1 (typedef redefinition)
b) 6.7.2.3/1 (struct et al defined at most once)

As you say, this is a most un-C-like direction.

Yeah, and I'm getting more and more uncomfortable with it. Out of curiosity, how disruptive would rejecting this patch be to your goals? (Note, while I'm considering rejecting this, I'm not doing so now, but if there are other options that could be explored, I would say they'd be worth exploring at this point because that's useful information for this review.)

In D111307#3124286, @aaron.ballman wrote:

In D111307#3122700, @urnathan wrote:

This doesn't affect cross-TU well-formedness, mismatched type definintions in different TUs remain in UB/NDR territory. This doesn't change the meaning of a well-formed TU, because those never get into the conflicting situations that this affects. It does cause us to accept ill-formed translation units that one would expect a diagnostic for. I'm not sure if I can read clause 4 to say 'thou must issue a diagnostic', 4/1 just seems to say how you can stay in conformance, not what happens in [some] cases of falling outside it.

Hmm, I was thinking about a situation like:

// BPF system header
__attribute__((bpf_dominating_decl)) typedef double foo; // This one now wins

// Original system header
typedef int foo;

and that's my language lawyer point -- this is already non-conforming (albeit hidden inside headers), so the UB below is just a manifestation of trying to apply the semantics of well-formed C onto this ill-formed C. Unicorns & rainbows! .(... and madness?)

// UserCode2.c
extern void func(int a, ...);

int main(void) {

func(1, 2);

}

// UserCode1.c
#include "header.h"

void func(int a, ...) {

va_list list;
va_start(list, a);
foo val = va_arg(list, foo); // This is now UB due to BPF
va_end(list);

}

> 
> We allow violations of the constraint at 6.7/3, no more than one declaration of a particular identifier except as:
> a) 6.7/2 bullet 1 (typedef redefinition)
> b) 6.7.2.3/1 (struct et al defined at most once)
> 
> As you say, this is a most un-C-like direction.

Yeah, and I'm getting more and more uncomfortable with it. Out of curiosity, how disruptive would rejecting this patch be to your goals? (Note, while I'm considering rejecting this, I'm not doing so now, but if there are other options that could be explored, I would say they'd be worth exploring at this point because that's useful information for this review.)

I can't answer that -- @yonghong-song ?

In D111307#3124325, @urnathan wrote:

In D111307#3124286, @aaron.ballman wrote:

In D111307#3122700, @urnathan wrote:

This doesn't affect cross-TU well-formedness, mismatched type definintions in different TUs remain in UB/NDR territory. This doesn't change the meaning of a well-formed TU, because those never get into the conflicting situations that this affects. It does cause us to accept ill-formed translation units that one would expect a diagnostic for. I'm not sure if I can read clause 4 to say 'thou must issue a diagnostic', 4/1 just seems to say how you can stay in conformance, not what happens in [some] cases of falling outside it.

Hmm, I was thinking about a situation like:

// BPF system header
__attribute__((bpf_dominating_decl)) typedef double foo; // This one now wins

// Original system header
typedef int foo;

and that's my language lawyer point -- this is already non-conforming (albeit hidden inside headers),

Okay, so we're on the same page that this extension is not a conforming one, but perhaps for different reasons than I was thinking? My logic goes like this:

Implementations are required to diagnose constraint violations (5.1.1.3), but are not required to fail translation because the implementation can then define this space as an extension so long as the extension doesn't change the meaning of a strictly conforming program (Clause 4p6).

So in order to remain conforming, we have to generate at least one diagnostic message in the following full program:

typedef int foo;
__attribute__((bpf_dominating_decl)) typedef double foo;
int main(void) { return 0; }

(otherwise we violate 5.1.1.3), but then we can accept the code. Then, my earlier example becomes an issue because the meaning of the program changes (and worryingly, does so in a way that cannot be detected at compile time). But I suppose it was never a strictly conforming program in the first place because of the duplicate typedefs and the use of attribute, which is your point.

So yeah, I guess it boils down to the diagnostic behavior?

In D111307#3124357, @aaron.ballman wrote:

Okay, so we're on the same page that this extension is not a conforming one, but perhaps for different reasons than I was thinking? My logic goes like this:

Implementations are required to diagnose constraint violations (5.1.1.3), but are not required to fail translation because the implementation can then define this space as an extension so long as the extension doesn't change the meaning of a strictly conforming program (Clause 4p6).

So in order to remain conforming, we have to generate at least one diagnostic message in the following full program:

thanks for the reference -- I thought it should be in there somewhere. Agreed, for a user tracking down the kind of foot gun this enables, a warning at each violation would be best, but I don't know how often that would occur in usual usage of this feature. Perhaps add an option to inhibit such warnings -- so even on bpf you have to explicity pull a 'I'm gonna step outside the std' lever.

In D111307#3124388, @urnathan wrote:

thanks for the reference -- I thought it should be in there somewhere. Agreed, for a user tracking down the kind of foot gun this enables, a warning at each violation would be best, but I don't know how often that would occur in usual usage of this feature. Perhaps add an option to inhibit such warnings -- so even on bpf you have to explicity pull a 'I'm gonna step outside the std' lever.

That would work. I suppose there's really (at least) two ways to go about it: 0) option to explicitly opt into enabling the attribute (and perhaps in a way that's wider than just this review), document that it's a nonconforming language mode, don't bother issuing any diagnostics about these weird things, and maybe even relax the "must be in a system header" safety rails, 1) diagnose conformance issues but give an option to explicitly opt out of those diagnostics messages when in BPF mode. (I'm assuming we're all agreed that the conformance diagnostics here are not pedantic ones but important ones. If we think they're purely pedantic, we could issue them only under -pedantic I suppose, but I personally don't think they're purely pendantic diagnostics.) I lean towards #0, but I'd love to hear thoughts from others.

I am okay with an explicit option to enable this attribute. I remembered in the past we discussed with a possible option -fpermissive to control this. But this may be too generic. Maybe an option like -Xclang -target-feature -Xclang +attr_bpf_dominating_decl? Just a rough idea.

In D111307#3124927, @yonghong-song wrote:

I am okay with an explicit option to enable this attribute. I remembered in the past we discussed with a possible option -fpermissive to control this. But this may be too generic. Maybe an option like -Xclang -target-feature -Xclang +attr_bpf_dominating_decl? Just a rough idea.

If we require anyone using vmlinux.h to start adding extra compilation flags, it's going to be a nightmare-ish experience both for core BPF developers explaining all this, as well as end-users. This bpf_dominating_decl attribute is going to be used together with preserve_access_index attribute and BPF CO-RE technology. That attribute explicitly states that BPF program code knows that the actual kernel memory layout might be different and Clang emits additional CO-RE relocation to help BPF loaders (e.g., libbpf) to adjust the final BPF code accordingly.

I understand the concern when some typedef T changes from int to double, as an example. But that's never going to be the case in practice. So compiler diagnostic in this case totally makes sense. But that can't be easily translated to structs, because they are usually accessed and passed by pointer. So in that case the end size of the struct doesn't matter. And then preserve_access_index will take care of relocating field offsets.

So with that said, if we had to have some diagnostics, can we error out or warn only in places where the size of the type (be that a primitive integer type or struct passed by value or through varargs) matters and determines things like stack layout? That would be actually useful as that will warn users that whatever they are trying to do isn't CO-RE-relocatable?

@aaron.ballman Just to make it clear that you might misunderstand the scope of this attribute. It is implemented as a BPF target attribute, so the attribute will not be available for non-BPF targets.

I second Andrii's concern about option as the option will need to be in every user's makefile.
In current vmlinux.h, we have something like below:

#ifndef BPF_NO_PRESERVE_ACCESS_INDEX
#pragma clang attribute push (__attribute__((preserve_access_index)), apply_to = record)
#endif

Basically if user does not want to have preserve_access_index attribute (which is a bpf target attribute),
user can add -DBPF_NO_PRESERVE_ACCESS_INDEX to their Makefile.

Similarly, if we have bpf_dominating_decl attribute on by default, in vmlinux.h, we will have

#ifndef BPF_NO_DOMINATING_DECL
#pragma clang attribute push (__attribute__((bpf_dominating_decl)), apply_to = record, typedef, enum)
#endif

this way, we provide a way to opt out bpf_dominating_decl attr but we expect virtually no user will do that.

@aaron.ballman @anakryiko and I added some additional context. Could you take a look and share your comments? Thanks!

In D111307#3135521, @yonghong-song wrote:

@aaron.ballman @anakryiko and I added some additional context. Could you take a look and share your comments? Thanks!

I can, but I'm in WG14 (C) standards meetings all week this week and on vacation next week, so my availability for code reviews is pretty limited for the next while.

@aaron.ballman Just to make it clear that you might misunderstand the scope of this attribute. It is implemented as a BPF target attribute, so the attribute will not be available for non-BPF targets.

I understood that, but my concern is that this attribute is a nonconforming extension to C and Clang tries to be a conforming compiler. I would like to try to find a path forward so that we meet the conformance requirements for C in a responsible way. Opting into a target doesn't seem sufficient to me (I don't think any other targets currently work this way); usually a feature flag is used to opt into a nonconforming mode we don't diagnose the use of. Another alternative is to diagnose the uses but that could be onerous for users who opt into the target. There may be more alternatives we could explore as well, but I don't have the bandwidth to try to enumerate them at the moment.

@aaron.ballman thanks for the comment. now I understand. The main concern is about outputting diagnostics about nonconforming extension unless an explicit option says not needed.

The following is another suggestion. https://reviews.llvm.org/D69759 implemented a bpf target attribute attribute((preserve_access_index)). Currently it is used for record only. Its purpose to indicate a particular record declaration is subject to bpf-load-time relocation.

How about we extend preserve_access_index to enum and typedef declarations too. For enumerator, we will actually generate a relocation since it is one of goals too. For typedef, there is no relocation generated *so far*.

With preserve_access_index attribute supporting record, enum and typedef, in this patch whenever a bpf_dominating_decl is seen, it also check whether a preserve_access_index attribute is available for that declaration. If it is, there is no need to output a diagnostic since preserve_access_index already says the declaration might be different from real definition and relocation should take care of it. If there is no preserve_access_index attribute attached, issue a diagnostic.

WDYT?

@aaron.ballman Just ping. Did you get time to think about diagnostics issue and my above linking-to-bpf-preserve_access_index-attr idea?

@aaron.ballman just ping, did you get time to look at this patch again?

In D111307#3182955, @yonghong-song wrote:

@aaron.ballman just ping, did you get time to look at this patch again?

I did, thank you for your patience!

With preserve_access_index attribute supporting record, enum and typedef, in this patch whenever a bpf_dominating_decl is seen, it also check whether a preserve_access_index attribute is available for that declaration. If it is, there is no need to output a diagnostic since preserve_access_index already says the declaration might be different from real definition and relocation should take care of it. If there is no preserve_access_index attribute attached, issue a diagnostic.

I think this could work -- at least, I cannot think of an alternative approach I like better.

That said, I'm still very uncomfortable with this notion, but because this is used within the Linux kernel I think this is a case where I likely need to hold my nose and accept that you have a real need for this. My discomfort is solely around the fact that this is using an attribute to effectively invent a new C-like language because you're ignoring a pretty central tenant of the source language. However, the user has to opt into the target explicitly, the attribute is limited to use within system headers, and will now be diagnosed when used unless used in conjunction with another attribute... so there are plenty of guard rails on this feature. I've added a few more reviewers to see if anyone else has discomfort that rises to the level of "we should not accept this feature" or has other ideas on how to protect the feature.

When dealing with some gross situation where a source generator is generating things that don't really work cleanly with the normal language, I have a strong preference for saying that the source generator should change. In this case, that would mean e.g. generating different type names in the generated headers. Is that really such a non-starter? This is really quite a terrible feature.

In D111307#3190832, @rjmccall wrote:

When dealing with some gross situation where a source generator is generating things that don't really work cleanly with the normal language, I have a strong preference for saying that the source generator should change. In this case, that would mean e.g. generating different type names in the generated headers. Is that really such a non-starter? This is really quite a terrible feature.

When our tooling is generating vmlinux.h, which contains all kernel types (include down to the most primitive typedefs like __u32), we don't know what other headers users will be including along the vmlinux.h. So it's impossible to generate this header in a way that won't conflict with types and typedefs defined in kernel headers. I'd love to be able to do this without introducing new attributes/built-ins, but we never figured out any other way to achieve that. Yet the problem of (impossibility of) combining vmlinux.h with other kernel headers is quite acute and painful and was brought up by users multiple times already.

Generating different type names for every single typedef/struct/union/enum/enum value is really horrible hack from end-user usability point of view. BPF program code will be littered with struct task_struct___1, struct pt_regs___1 and alike everywhere, hurting code readability and maintainability significantly, negating most of the appeal and benefits of using auto-generated vmlinux.h header.

Given this new dominating_decl attribute is:

1. BPF-only (guarded by -target bpf at compiler invocation site)
2. and is only allowed to be used with BPF-only __attribute__((preserve_access_index))
3. which is a statement of user's consent to BPF CO-RE compiler emitting CO-RE relocations
4. which are later used by BPF loader library to adjust generated assembly code at loading time to accommodate struct memory layout changes between what's declared in BPF program (types coming from vmlinux.h) versus what is the actual memory layout of the running Linux kernel (which we get from kernel's BTF type information)
5. and so the user expects that all such types are just a "declaration of intent" and in no way is the actual memory layout that should be used...

it seems there are all the guardrails we could have come up with and have them implemented in a reasonable way. There will definitely be very little, if any, surprise on user's side. And we'll definitely make sure to emphasize that user's should assume the exact memory layout of those types coming from vmlinux.h (we do that already in various blog posts, but never hurts to re-emphasize all that again).

But in short, this is a really crucial feature for great end-user usability for BPF and BPF CO-RE. So while I understand from pure C language stand point how dangerous this might seem, in the case of BPF-specific C language extensions and BPF core all this is par for the course by now and will be even more so going forward.

It sounds like this work you're doing for your target is in essence a target-specific language extension. Have you gone through our standard procedure for contributing extensions? I don't think being target-specific changes our policies here.

The procedure is basically to start an RFC thread on cfe-dev with some specific information. It's all described here:

https://clang.llvm.org/get_involved.html

This isn't a "no"; it's a "I need to know more about your project". I honestly don't know much about BPF. Please CC me on that thread when you make it.

@rjmccall We actually have a discussion in cfe-dev list. https://lists.llvm.org/pipermail/cfe-dev/2021-August/068696.html which contains the background information for this implementation. This patch has evolved a little further from the discussion (e.g., name change, become target specific, proposed to coordinate with bpf preserve_access_index attribute). But the cfe-dev discussion should give you some information about why we want to do this feature and how it helped the bpf community. Please take a look and let us know if you have any questions. Thanks!

I've skimmed that thread, and it doesn't look like there was ever a step where you actually "officially" went through the process of asking Clang to support the extensions you want in order to support BPF / CO-RE. It seems like there's already an attribute in place that causes Clang to emit accesses to fields using a non-static offset. Do you know how long that's been there? Did you go through the process before adding that?

There are a lot of reasons going through the process is important. We need to understand the overall work you're trying to achieve, how large your body of users is, how committed you are to maintaining this, and so on. All of this is laid out in the extensions policy. As an open-source project, we have a lot of people coming to us with research ideas that they think would be valuable to upstream into the compiler. We have this policy in place so that we can decide what we should accept and, potentially, what we should later remove if people don't live up to their commitments.

In D111307#3198862, @rjmccall wrote:

I've skimmed that thread, and it doesn't look like there was ever a step where you actually "officially" went through the process of asking Clang to support the extensions you want in order to support BPF / CO-RE. It seems like there's already an attribute in place that causes Clang to emit accesses to fields using a non-static offset. Do you know how long that's been there? Did you go through the process before adding that?

For the original process_access_index attribute, there is no discussion in llvm-dev and cfe-dev. I just submitted the patch and we just discussed there. Nobody suggested us to initiate a mailing list discussion. Otherwise, we would follow the suggestion to discuss in the mailing list. The feature has landed in H2 2019 and the feature is used by virtually every bpf deverloper or bpf application. The feature will be supported forever. The following are some of posts/blogs mentioning CO-RE:

https://nakryiko.com/posts/bpf-core-reference-guide/
https://www.brendangregg.com/blog/2020-11-04/bpf-co-re-btf-libbpf.html
https://blogs.oracle.com/linux/post/bpf-application-development-and-libbpf 
https://pingcap.com/blog/why-we-switched-from-bcc-to-libbpf-for-linux-bpf-performance-analysis

There are a lot of reasons going through the process is important. We need to understand the overall work you're trying to achieve, how large your body of users is, how committed you are to maintaining this, and so on. All of this is laid out in the extensions policy. As an open-source project, we have a lot of people coming to us with research ideas that they think would be valuable to upstream into the compiler. We have this policy in place so that we can decide what we should accept and, potentially, what we should later remove if people don't live up to their commitments.

For bpf_dominating_decl attribute, I am happy to follow the process. Please let me know what else I should be beyond discussion in cfe-dev mailing list. I searched "clang extension policy" in the internet and didn't get a meaningful result.

In D111307#3199088, @yonghong-song wrote:

In D111307#3198862, @rjmccall wrote:

I've skimmed that thread, and it doesn't look like there was ever a step where you actually "officially" went through the process of asking Clang to support the extensions you want in order to support BPF / CO-RE. It seems like there's already an attribute in place that causes Clang to emit accesses to fields using a non-static offset. Do you know how long that's been there? Did you go through the process before adding that?

For the original process_access_index attribute, there is no discussion in llvm-dev and cfe-dev. I just submitted the patch and we just discussed there. Nobody suggested us to initiate a mailing list discussion. Otherwise, we would follow the suggestion to discuss in the mailing list. The feature has landed in H2 2019 and the feature is used by virtually every bpf deverloper or bpf application. The feature will be supported forever. The following are some of posts/blogs mentioning CO-RE:

https://nakryiko.com/posts/bpf-core-reference-guide/
https://www.brendangregg.com/blog/2020-11-04/bpf-co-re-btf-libbpf.html
https://blogs.oracle.com/linux/post/bpf-application-development-and-libbpf 
https://pingcap.com/blog/why-we-switched-from-bcc-to-libbpf-for-linux-bpf-performance-analysis

There are a lot of reasons going through the process is important. We need to understand the overall work you're trying to achieve, how large your body of users is, how committed you are to maintaining this, and so on. All of this is laid out in the extensions policy. As an open-source project, we have a lot of people coming to us with research ideas that they think would be valuable to upstream into the compiler. We have this policy in place so that we can decide what we should accept and, potentially, what we should later remove if people don't live up to their commitments.

For bpf_dominating_decl attribute, I am happy to follow the process. Please let me know what else I should be beyond discussion in cfe-dev mailing list. I searched "clang extension policy" in the internet and didn't get a meaningful result.

I linked to it above. It's at the bottom of this web page: https://clang.llvm.org/get_involved.html. Just try to cover the points listed there; some of them, like standards bodies, don't apply.

I agree that Clang is highly unlikely to remove its existing support for BPF CO-RE, but please go through this exercise as if all of the support for CO-RE were under review, not just this specific feature. (You can mention that some of this support is already present.) For example, you should talk about the need to have a stable ABI despite the kernel not having one; why users need to include headers with substantially different views of the same types; and any other technical challenges that your environment faces that you think compiler support could help with.

I want to emphasize that this isn't an adversarial process. It sounds like your project really does deserve support in the compiler. A lot of the goal here is for generalist compiler developers, whether reviewing your patches or just doing arbitrary other work on the compiler in ways that touch your code, to have a resource we can turn to to understand enough about your project to both (1) have a good idea of how to resolve questions that come up and (2) know who to reach out to if we need clarification.

@rjmccall Thanks for link and detailed explanation. I will write clang extension request, based on the requirements in the link, for both already-merged CO-RE feature and newer bpf_dominating_del attribute feature and posted to cfe-dev mailing list in the next few days.

I appreciate it, thanks.