RFC: Remove AppPtr::Drop() and Owned::Drop()
#2101
Conversation
|
Isn't it a bug that |
I think that even if free did free memory, a capsule could do this by simply not dropping the types it has allocated. Currently, I don't think that any capsules in Tock actually make use of the allocation API that is exposed by the core kernel (though a use has been proposed for the rubble BLE stack). I am pretty confused why |
Tock does not try to prevent malicious capsules from denying service to the rest of the system. The short explanation is that doing so is not practical in a single-threaded, cooperatively-scheduled system like Tock's kernel. |
|
I do think that Nonetheless, removing the ability to free resources feels like a very big hammer.
I think this is really the crux of the issue. Nothing has really exercised this code path before. It's old code too. Now that this capability is starting to be used, I think I'd rather see free fixed rather than removed if possible. |
|
It seems like there must be some logic error in calling Similarly, every call to Perhaps we should keep |
Where is it being used? |
We talked about this on the call, but for posterity: Not in use in merged code yet, but ideally will be used by @daboross's BLE work. |
hudson-ayers
force-pushed
the
no-appptr-drop
branch
from
1a9ff3d
to
9e0675f
Compare
|
Updated to keep |
hudson-ayers
force-pushed
the
no-appptr-drop
branch
from
9e0675f
to
d1d977d
Compare
|
bors r+ |
This change removes the implementation of the Drop trait for the AppPtr and Owned types. This is just a port of a change I already landed upstream: #2101. The existing Drop impls were incorrect and effectively served no purpose (see the github PR for details). Removing them prevents the compiler from having to generate Drop code for every type that ever holds one of these types, resulting in 2112 bytes of code size savings. Further, despite Drop not actually doing anything, its presence was adding over 100 cycles per system call as a result of the empty portion of the Drop call being behind the Process trait object. BUG=None TEST=make build; + upstream testing that already happened Change-Id: I5caeb38671abdb342b8fa7a9318c647db09827fe Reviewed-on: https://chrome-internal-review.googlesource.com/c/ti50/third_party/tock/tock/+/3944179 Tested-by: Hudson Ayers <hudsonayers@google.com> Commit-Queue: Hudson Ayers <hudsonayers@google.com> Reviewed-by: Vadim Sukhomlinov <sukhomlinov@google.com> Reviewed-by: Jett Rink <jettrink@google.com>
Pull Request Overview
This PR proposes removing
AppPtr::Drop()andOwned::Drop(), as well as theProcessType::free()method that they each call. Currently,Process::free()is implemented with an empty body, merely dropping the passed raw pointer. Therefore, as far as I can tell, calls toDrop()on each type have no useful effect. Despite this, the presence of these implementations have a significant cost -- the implementations ofDropcallkernel.process_map_or(), which takes a trait object reference (e.g.&dyn ProcessType), so the compiler cannot know that the concretefree()function that will be called is empty, and optimize the call out.Currently, anytime an
AppPtrorOwnedtype goes out of scope -- including anytime a struct containing such a type goes out of scope --drop()is called on each type until the underlyingdrop()implementation is called. This happens frequently: a single iteration of the loop in theImixapp callsAppPtr::drop()45 times; a single iteration of thehello_loopapp callsAppPtr::drop()4 times andOwned::drop()3 times. Further, each call has some cost:Cycles per call, measured using cortex-m DWT cycle counter peripheral:
AppSlice::drop()- 139 cycles (increases to 145 if the board is configured for 8 processes instead of 4)Owned::drop()- 84-150 cycles, depending on context.Removing the Drop implementations for
AppPtrandOwnedreduces the measured cycle count in each case to 1 cycle.AppSlice::drop()is called regularly (inserted by the compiler) within the body ofallow()system call implementations,Owned::drop()is called within the body ofGrant::enter()andGrant::each().Keeping in mind recent attempts to reduce Tock syscall overhead, I think that we should not pay all of this overhead for no benefit as Tock is implemented today.
Alternatively, if there is reason to believe these implementations will be useful in the future, I think we should document these functions (and
ProcessType::free()) as to why they are present.Testing Strategy
This pull request was tested by running several apps with the drop implementations removed.
TODO or Help Wanted
The Tock SOSP paper talks a bit about the
Owned::drop()implementation, but as far as I can tell it does not actually do anything in Tock today. Is there reason to believe we will need these implementations for some future process type? Am I totally missing something here?Documentation Updated
Formatting
make prepush.