planet.freedesktop.org
Hi all!
Last Friday we’ve shipped wlroots 0.16! This long-overdue release is the fruit of 10 months worth of work from 46 contributors. It includes many improvements, especially around new protocol support, the scene-graph API and the Vulkan renderer. See the release notes for more details!
With the new release freshly delivered, we’re already working on the next one. I’ve been continuing my work on the Vulkan renderer: the patch to stop blocking while the GPU is rendering is almost ready to be merged. I’ve even fixed a Vulkan-ValidationLayers bug along the way. I’ve also investigated color management and ICC profiles a bit more, and have a better idea of what we need to lay down the first pieces of the puzzle.
I’ve reached a new milestone for wlroots-rs: the example can now display a red screen! I’ve cleaned up my work and properly exposed the API in a package. I’m still not super happy about the way the compositor state is handled, if you have suggestions please let me know!
I’ve released libdrm 2.4.114 with new helpers to allocate DRM dumb buffers. Up until now this is something developers had to hand-roll themselves with raw IOCTLs, hopefully this addition can help newcomers and improve type safety. I’ve also released Pixman 0.42.0 with a constified API for regions and work by Manuel Stoeckl to fix bugs discovered via the wlroots Pixman renderer and port demos to GTK3.
I’ve got two NPotMs! The first one is libjsonschema, which is basically the C counterpart of go-jsonschema. It generates C definitions and functions to encode and decode JSON defined by a schema. This project is still very much WIP, my goal is to use it in drm_info and eventually in libdisplay-info.
The second new project is go-smee. It’s a Go version of the official Node.js smee client. smee is a handy tool when writing code which leverages Web hooks: it’s a proxy which forwards Web hooks to a locally running server. At some point I got annoyed enough with Node.js to convince me to write an alternative client.
That’s all for now, see you next month!
I already talked about debugging hangs in “Graphics Flight Recorder - unknown but handy tool to debug GPU hangs”, now I want to talk about the most nasty kind of GPU hangs - the ones which cannot be recovered from, where your computer becomes completely unresponsive and you cannot even ssh into it.
How would one debug this? There is no data to get after the hang and it’s incredibly frustrating to even try different debug options and hypothesis, if you are wrong - you get to reboot the machine!
If you are a hardware manufacturer creating a driver for your own GPU, you could just run the workload in your fancy hardware simulator, wait for a few hours for the result and call it a day. But what if you don’t have access to a simulator, or to some debug side channel?
There are a few things one could try:
Today we will talk about the breadcrumbs. Unfortunately, Graphics Flight Recorder, which I already wrote about, isn’t of much help here. The hang is unrecoverable so GFR isn’t able to gather the results and write them to the disk.
But the idea of breadcrumbs is still useful! What if instead of gathering result post factum, we stream the results to some other machine. This would allow us to get the results even if our target becomes unresponsive. Though, the requirement to get the results ASAP considerably changes the workflow.
What if we write breadcrumbs on GPU after each command and spin a thread on CPU reading it in a busy loop?
In practice the the amount of breadcrumbs between the one sent over network and the one currently executed is just too big to be practical.
So we have to make GPU and CPU running in a lockstep.
This way the most recent breadcrumb gets immediately sent over the network. In practice, some breadcrumbs are still lost between the last sent over the network and the one where GPU hangs. But the difference is only a few of them.
With the lockstep execution we could narrow the hanging command even further. For this we have to wait for a certain time after each breadcrumb before proceeding to the next one. I chose to just promt user for explicit keyboard input for each breadcrumb.
I ended up with the following workflow:
Could Graphics Flight Recorder do this?
In theory yes, but it would require additional VK extension to be able to wait for value in memory. However, it still would have a crucial limitation.
Even with Vulkan being really close to the hardware there are still many cases where one Vulkan command is translated into many GPU commands under the hood. Things like image copies, blits, renderpass boundaries. For unrecoverable hangs we want to narrow down the hanging GPU command as much as possible, so it makes more sense to implement such functionality in a driver.
I recently implemented it in Turnip (open-source Vulkan driver for Qualcomm’s GPUs) and used a few times with good results.
Current implementation in Turnip is rather spartan and gives the minimal amount of instruments to achieve the workflow described above. While looks like this:
1) Launch workload with TU_BREADCRUMBS envvar (TU_BREADCRUMBS=$IP:$PORT,break=$BREAKPOINT:$BREAKPOINT_HITS):
TU_BREADCRUMBS=$IP:$PORT,break=-1:0 ./some_workload
2) Receive breadcrumbs on another machine via this bash spaghetti:
> nc -lvup $PORT | stdbuf -o0 xxd -pc -c 4 | awk -Wposix '{printf("%u:%u\n", "0x" $0, a[$0]++)}'
Received packet from 10.42.0.19:49116 -> 10.42.0.1:11113 (local)
1:0
7:0
8:0
9:0
10:0
11:0
12:0
13:0
14:0
[...]
10:3
11:3
12:3
13:3
14:3
15:3
16:3
17:3
18:3
Each line is a breadcrumb № and how many times it was repeated (either if command buffer is reusable or if breadcrumb is in a command stream which repeats for each tile).
3) Increase hang timeout:
echo -n 120000 > /sys/kernel/debug/dri/0/hangcheck_period_ms
4) Launch workload and break on the last known executed breadcrumb:
TU_BREADCRUMBS=$IP:$PORT,break=15:3 ./some_workload
GPU is on breadcrumb 18, continue?y
GPU is on breadcrumb 19, continue?y
GPU is on breadcrumb 20, continue?y
GPU is on breadcrumb 21, continue?y
...
5) Continue until GPU hangs.
:tada: Now you know two breadcrumbs between which there is a command which causes the hang.
Hey,
If you enjoy using upstream Linux kernel in your Raspberry Pi system or just want to give a try in the freshest kernel graphics drivers there, the good news is that now you can compile and boot the V3D driver from the mainline in your Raspberry Pi 4. Thanks to the work of Stefan, Peter and Nicolas [1] [2], the V3D enablement reached the Linux kernel mainline. That means hacking and using new features available in the upstream V3D driver directly from the source.
However, even for those used to compiling and installing a custom kernel in the Raspberry Pi, there are some quirks to getting the mainline v3d module available in 32-bit and 64-bit systems. I’ve quickly summarized how to compile and install upstream kernel versions (>=6.0) in this short blog post.
Note: V3D driver is not present in Raspberry Pi models 0-3.
First, I’m taking into account that you already know how to cross-compile a custom kernel to your system. If it is not your case, a good tutorial is already available in the Raspberry Pi documentation, but it targets the kernel in the rpi-linux repository (downstream kernel).
From this documentation, the main differences in the upstream kernel are presented below:
bcm2711_defconfig, get it by running make ARCH=arm64 defconfigarch/arm64/boot/dts/broadcom/bcm2711-rpi-4-b.dtb to the /boot of your target machine (no /overlays directory to copy)/boot/config.txt:
dt_overlay=vc4-kms-v3d entrydevice_tree=bcm2711-rpi-4-b.dtb entrymake ARCH=arm multi_v7_defconfigmake ARCH=arm menuconfig or a similar tool, enable CONFIG_ARM_LPAE=yarch/arm/boot/dts/bcm2711-rpi-4-b.dtb to the /boot of your target machine (no /overlays directory to copy)/boot/config.txt:
dt_overlay=vc4-kms-v3d entrydevice_tree=bcm2711-rpi-4-b.dtb entryRaspberry Pi 4 64-bit (arm64)
cd <path-to-upstream-linux-directory>
KERNEL=`make kernelrelease`
ARCH="arm64"
CROSS_COMPILE="aarch64-linux-gnu-"
DEFCONFIG=defconfig
IMAGE=Image
DTB_PATH="broadcom/bcm2711-rpi-4-b.dtb"
RPI4=<ip>
TMP=`mktemp -d`
Raspberry Pi 4 32-bits (arm)
cd <path-to-upstream-linux-directory>
KERNEL=`make kernelrelease`
ARCH="arm"
CROSS_COMPILE="arm-linux-gnueabihf-"
DEFCONFIG=multi_v7_defconfig
IMAGE=zImage
DTB_PATH="bcm2711-rpi-4-b.dtb"
RPI4=<ip>
TMP=`mktemp -d`
make ARCH=$ARCH CROSS_COMPILE=$CROSS_COMPILE $DEFCONFIG
Raspberry Pi 4 32-bit (arm)
Additional step for 32-bit system.
Enable CONFIG_ARM_LPAE=y using make ARCH=arm menuconfig
make ARCH=$ARCH CROSS_COMPILE=$CROSS_COMPILE $IMAGE modules dtbs
make ARCH=$ARCH CROSS_COMPILE=$CROSS_COMPILE INSTALL_MOD_PATH=$TMP modules_install
ssh $RPI4 mkdir -p /tmp/new_modules /tmp/new_kernel
rsync -av $TMP/ $RPI4:/tmp/new_modules/
scp arch/$ARCH/boot/$IMAGE $RPI4:/tmp/new_kernel/$KERNEL
scp arch/$ARCH/boot/dts/$DTB_PATH $RPI4:/tmp/new_kernel
ssh $RPI4 sudo rsync -av /tmp/new_modules/lib/modules/ /lib/modules/
ssh $RPI4 sudo rsync -av /tmp/new_kernel/ /boot/
rm -rf $TMP
In your Raspberry Pi 4, open the config file /boot/config.txt
dt_overlay=vc4-kms-v3d entrydevice_tree=bcm2711-rpi-4-b.dtb entrykernel=<image-name> entryYou can safely use the steps above, but if you are hacking the kernel and need to repeat this compiling and installing steps repeatedly, why don’t try the Kworkflow?
Kworkflow is a set of scripts to synthesize all steps to have a custom kernel compiled and installed in local and remote machines and it supports kernel building and deployment to Raspberry Pi machines for Raspbian 32 bit and 64 bit.
After learning the kernel compilation and installation step by step, you can
simply use kw bd command and have a custom kernel installed in your Raspberry
Pi 4.
Note: the userspace 3D acceleration (glx/mesa) is working as expected on arm64, but the driver is not loaded yet for arm. Besides that, a bunch of pte invalid errors may appear when using 3D acceleration, it’s a known issue that are still under investigation.
Let’s have a look how traditional Linux distributions set up
/boot/ and the ESP, and how this could be improved.
How Linux distributions traditionally have been setting up their
“boot” file systems has been varying to some degree, but the most
common choice has been to have a separate partition mounted to
/boot/. Usually the partition is formatted as a Linux file system
such as ext2/ext3/ext4. The partition contains the kernel images, the
initrd and various boot loader resources. Some distributions, like
Debian and Ubuntu, also store ancillary files associated with the
kernel here, such as kconfig or System.map. Such a traditional
boot partition is only defined within the context of the distribution,
and typically not immediately recognizable as such when looking just
at the partition table (i.e. it uses the generic Linux partition type
UUID).
With the arrival of UEFI a new partition relevant for boot appeared, the EFI System Partition (ESP). This partition is defined by the firmware environment, but typically accessed by Linux to install or update boot loaders. The choice of file system is not up to Linux, but effectively mandated by the UEFI specifications: vFAT. In theory it could be formatted as other file systems too. However, this would require the firmware to support file systems other than vFAT. This is rare and firmware specific though, as vFAT is the only file system mandated by the UEFI specification. In other words, vFAT is the only file system which is guaranteed to be universally supported.
There’s a major overlap of the type of the data typically stored in the ESP and in the traditional boot partition mentioned earlier: a variety of boot loader resources as well as kernels/initrds.
Unlike the traditional boot partition, the ESP is easily recognizable in the partition table via its GPT partition type UUID. The ESP is also a shared resource: all OSes installed on the same disk will share it and put their boot resources into them (as opposed to the traditional boot partition, of which there is one per installed Linux OS, and only that one will put resources there).
To summarize, the most common setup on typical Linux distributions is something like this:
| Type | Linux Mount Point | File System Choice |
|---|---|---|
| Linux “Boot” Partition | /boot/ |
Any Linux File System, typically ext2/ext3/ext4 |
| ESP | /boot/efi/ |
vFAT |
As mentioned, not all distributions or local installations agree on this. For example, it’s probably worth mentioning that some distributions decided to put kernels onto the root file system of the OS itself. For this setup to work the boot loader itself [sic!] must implement a non-trivial part of the storage stack. This may have to include RAID, storage drivers, networked storage, volume management, disk encryption, and Linux file systems. Leaving aside the conceptual argument that complex storage stacks don’t belong in boot loaders there are very practical problems with this approach. Reimplementing the Linux storage stack in all its combinations is a massive amount of work. It took decades to implement what we have on Linux now, and it will take a similar amount of work to catch up in the boot loader’s reimplementation. Moreover, there’s a political complication: some Linux file system communities made clear they have no interest in supporting a second file system implementation that is not maintained as part of the Linux kernel.
What’s interesting is that the /boot/efi/ mount point is nested
below the /boot/ mount point. This effectively means that to access
the ESP the Boot partition must exist and be mounted first. A system
with just an ESP and without a Boot partition hence doesn’t fit well
into the current model. The Boot partition will also have to carry an
empty “efi” directory that can be used as the inner mount point, and
serves no other purpose.
Given that the traditional boot partition and the ESP may carry similar data (i.e. boot loader resources, kernels, initrds) one may wonder why they are separate concepts. Historically, this was the easiest way to make the pre-UEFI way how Linux systems were booted compatible with UEFI: conceptually, the ESP can be seen as just a minor addition to the status quo ante that way. Today, primarily two reasons remained:
Some distributions see a benefit in support for complex Linux file system concepts such as hardlinks, symlinks, SELinux labels/extended attributes and so on when storing boot loader resources. – I personally believe that making use of features in the boot file systems that the firmware environment cannot really make sense of is very clearly not advisable. The UEFI file system APIs know no symlinks, and what is SELinux to UEFI anyway? Moreover, putting more than the absolute minimum of simple data files into such file systems immediately raises questions about how to authenticate them comprehensively (including all fancy metadata) cryptographically on use (see below).
On real-life systems that ship with non-Linux OSes the ESP often comes pre-installed with a size too small to carry multiple Linux kernels and initrds. As growing the size of an existing ESP is problematic (for example, because there’s no space available immediately after the ESP, or because some low-quality firmware reacts badly to the ESP changing size) placing the kernel in a separate, secondary partition (i.e. the boot partition) circumvents these space issues.
We already mentioned that the ESP effectively has to be vFAT, as that is what UEFI (more or less) guarantees. The file system choice for the boot partition is not quite as restricted, but using arbitrary Linux file systems is not really an option either. The file system must be accessible by both the boot loader and the Linux OS. Hence only file systems that are available in both can be used. Note that such secondary implementations of Linux file systems in the boot environment – limited as they may be – are not typically welcomed or supported by the maintainers of the canonical file system implementation in the upstream Linux kernel. Modern file systems are notoriously complicated and delicate and simply don’t belong in boot loaders.
In a trusted boot world, the two file systems for the ESP and the
/boot/ partition should be considered untrusted: any code or
essential data read from them must be authenticated cryptographically
before use. And even more, the file system structures themselves are
also untrusted. The file system driver reading them must be careful
not to be exploitable by a rogue file system image. Effectively this
means a simple file system (for which a driver can be more easily
validated and reviewed) is generally a better choice than a complex
file system (Linux file system communities made it pretty clear that
robustness against rogue file system images is outside of their scope
and not what is being tested for.).
Some approaches tried to address the fact that boot partitions are untrusted territory by encrypting them via a mechanism compatible to LUKS, and adding decryption capabilities to the boot loader so it can access it. This misses the point though, as encryption does not imply authentication, and only authentication is typically desired. The boot loader and kernel code are typically Open Source anyway, and hence there’s little value in attempting to keep secret what is already public knowledge. Moreover, encryption implies the existence of an encryption key. Physically typing in the decryption key on a keyboard might still be acceptable on desktop systems with a single human user in front, but outside of that scenario unlock via TPM, PKCS#11 or network services are typically required. And even on the desktop FIDO2 unlocking is probably the future. Implementing all the technologies these unlocking mechanisms require in the boot loader is not realistic, unless the boot loader shall become a full OS on its own as it would require subsystems for FIDO2, PKCS#11, USB, Bluetooth network, smart card access, and so on.
Note that traditionally both mentioned partitions were read-only during most parts of the boot. Only later, once the OS is up, write access was required to implement OS or boot loader updates. In today’s world things have become a bit more complicated. A modern OS might want to require some limited write access already in the boot loader, to implement boot counting/boot assessment/automatic fallback (e.g., if the same kernel fails to boot 3 times, automatically revert to older kernel), or to maintain an early storage-based random seed. This means that even though the file system is mostly read-only, we need limited write access after all.
vFAT cannot compete with modern Linux file systems such as btrfs
when it comes to data safety guarantees. It’s not a journaled file
system, does not use CoW or any form of checksumming. This means when
used for the system boot process we need to be particularly careful
when accessing it, and in particular when making changes to it (i.e.,
trying to keep changes local to single sectors). It is essential to
use write patterns that minimize the chance of file system
corruption. Checking the file system (“fsck”) before modification
(and probably also reading) is important, as is ensuring the file
system is put into a “clean” state as quickly as possible after each
modification.
Code quality of the firmware in typical systems is known to not always be great. When relying on the file system driver included in the firmware it’s hence a good idea to limit use to operations that have a better chance to be correctly implemented. For example, when writing from the UEFI environment it might be wise to avoid any operation that requires allocation algorithms, but instead focus on access patterns that only override already written data, and do not require allocation of new space for the data.
Besides write access from the boot loader code (as described above) these file systems will require write access from the OS, to facilitate boot loader and kernel/initrd updates. These types of accesses are generally not fully random accesses (i.e., never partial file updates) but usually mean adding new files as whole, and removing old files as a whole. Existing files are typically not modified once created, though they might be replaced wholly by newer versions.
Note that the update cycle frequencies for boot loaders and for kernels/initrds are probably similar these days. While kernels are still vastly more complex than boot loaders, security issues are regularly found in both. In particular, as boot loaders (through “shim” and similar components) carry certificate/keyring and denylist information, which typically require frequent updates. Update cycles hence have to be expected regularly.
The traditional boot partition was not recognizable by looking just at the partition table. On MBR systems it was directly referenced from the boot sector of the disk, and on EFI systems from information stored in the ESP. This is less than ideal since by losing this entrypoint information the system becomes unbootable. It’s typically a better, more robust idea to make boot partitions recognizable as such in the partition table directly. This is done for the ESP via the GPT partition type UUID. For traditional boot partitions this was not done though.
Let’s try to summarize the above:
Currently, typical deployments use two distinct boot partitions, often using two distinct file system implementations
Firmware effectively dictates existence of the ESP, and the use of vFAT
In userspace view: the ESP mount is nested below the general Boot partition mount
Resources stored in both partitions are primarily kernel/initrd, and boot loader resources
The mandatory use of vFAT brings certain data safety challenges, as does quality of firmware file system driver code
During boot limited write access is needed, during OS runtime more comprehensive write access is needed (though still not fully random).
Less restricted but still limited write patterns from OS environment (only full file additions/updates/removals, during OS/boot loader updates)
Boot loaders should not implement complex storage stacks.
ESP can be auto-discovered from the partition table, traditional boot partition cannot.
ESP and the traditional boot partition are not protected cryptographically neither in structure nor contents. It is expected that loaded files are individually authenticated after being read.
The ESP is a shared resource — the traditional boot partition a resource specific to each installed Linux OS on the same disk.
Now that we have discussed many of the issues with the status quo ante, let’s see how we can do things better:
Two partitions for essentially the same data is a bad idea. Given they carry data very similar or identical in nature, the common case should be to have only one (but see below).
Two file system implementations are worse than one. Given that vFAT is more or less mandated by UEFI and the only format universally understood by all players, and thus has to be used anyway, it might as well be the only file system that is used.
Data safety is unnecessarily bad so far: both ESP and boot partition are continuously mounted from the OS, even though access is pretty restricted: outside of update cycles access is typically not required.
All partitions should be auto-discoverable/self-descriptive
The two partitions should not be exposed as nested mounts to userspace
To be more specific, here’s how I think a better way to set this all up would look like:
Whenever possible, only have one boot partition, not two. On EFI systems, make it the ESP. On non-EFI systems use an XBOOTLDR partition instead (see below). Only have both in the case where a Linux OS is installed on a system that already contains an OS with an ESP that is too small to carry sufficient kernels/initrds. When a system contains a XBOOTLDR partition put kernels/initrd on that, otherwise the ESP.
Instead of the vaguely defined, traditional Linux “boot” partition
use the XBOOTLDR partition type as defined by the Discoverable
Partitions
Specification. This
ensures the partition is discoverable, and can be automatically
mounted by things like
systemd-gpt-auto-generator. Use
XBOOTLDR only if you have to, i.e., when dealing with systems that
lack UEFI (and where the ESP hence has no value) or to address the
mentioned size issues with the ESP. Note that unlike the traditional
boot partition the XBOOTLDR partition is a shared resource, i.e.,
shared between multiple parallel Linux OS installations on the same
disk. Because of this it is typically wise to place a per-OS
directory at the top of the XBOOTLDR file system to avoid conflicts.
Use vFAT for both partitions, it’s the only thing universally understood among relevant firmwares and Linux. It’s simple enough to be useful for untrusted storage. Or to say this differently: writing a file system driver that is not easily vulnerable to rogue disk images is much easier for vFAT than for let’s say btrfs. – But the choice of vFAT implies some care needs to be taken to address the data safety issues it brings, see below.
Mount the two partitions via the “automount”
logic. For example, via systemd’s
automount
units, with a very short idle time-out (one second or so). This
improves data safety immensely, as the file systems will remain
mounted (and thus possibly in a “dirty” state) only for very short
periods of time, when they are actually accessed – and all that
while the fact that they are not mounted continuously is mostly not
noticeable for applications as the file system paths remain
continuously around. Given that the backing file system (vFAT) has
poor data safety properties, it is essential to shorten the access
for unclean file system state as much as possible. In fact, this is
what the aforementioned systemd-gpt-auto-generator
logic actually does by default.
Whenever mounting one of the two partitions, do a file system check
(fsck; in fact this is also what
systemd-gpt-auto-generatordoes by default, hooked into
the automount logic, to run on first access). This ensures that even
if the file system is in an unclean state it is restored to be clean
when needed, i.e., on first access.
Do not mount the two partitions nested, i.e., no
more /boot/efi/. First of all, as mentioned above, it
should be possible (and is desirable) to only have one of the
two. Hence it is simply a bad idea to require the other as well,
just to be able to mount it. More importantly though, by nesting
them, automounting is complicated, as it is necessary to trigger the
first automount to establish the second automount, which defeats the
point of automounting them in the first place. Use the two distinct
mount points /efi/ (for the ESP) and
/boot/ (for XBOOTLDR) instead. You might have guessed,
but that too is what systemd-gpt-auto-generator does by
default.
When making additions or updates to ESP/XBOOTLDR from the OS make
sure to create a file and write it in full, then
syncfs() the whole file system, then rename to give it
its final name, and syncfs() again. Similar when
removing files.
When writing from the boot loader environment/UEFI to ESP/XBOOTLDR, do not append to files or create new files. Instead overwrite already allocated file contents (for example to maintain a random seed file) or rename already allocated files to include information in the file name (and ideally do not increase the file name in length; for example to maintain boot counters).
Consider adopting UKIs, which minimize the number of files that need to be updated on the ESP/XBOOTLDR during OS/kernel updates (ideally down to 1)
Consider adopting
systemd-boot,
which minimizes the number of files that need to be updated on boot
loader updates (ideally down to 1)
Consider removing any mention of ESP/XBOOTLDR from
/etc/fstab, and just let
systemd-gpt-auto-generator do its thing.
Stop implementing file systems, complex storage, disk encryption, … in your boot loader.
Implementing things like that you gain:
Simplicity: only one file system implementation, typically only one partition and mount point
Robust auto-discovery of all partitions, no need to even
configure /etc/fstab
Data safety guarantees as good as possible, given the circumstances
To summarize this in a table:
| Type | Linux Mount Point | File System Choice | Automount |
|---|---|---|---|
| ESP | /efi/ |
vFAT | yes |
| XBOOTLDR | /boot/ |
vFAT | yes |
A note regarding modern boot loaders that implement the Boot Loader Specification: both partitions are explicitly listed in the specification as sources for both Type #1 and Type #2 boot menu entries. Hence, if you use such a modern boot loader (e.g. systemd-boot) these two partitions are the preferred location for boot loader resources, kernels and initrds anyway.
You might wonder, what about RAID setups and the ESP? This comes up regularly in discussions: how to set up the ESP so that (software) RAID1 (mirroring) can be done on the ESP. Long story short: I’d strongly advise against using RAID on the ESP. Firmware typically doesn’t have native RAID support, and given that firmware and boot loader can write to the file systems involved, any attempt to use software RAID on them will mean that a boot cycle might corrupt the RAID sync, and immediately requires a re-synchronization after boot. If RAID1 backing for the ESP is really necessary, the only way to implement that safely would be to implement this as a driver for UEFI – but that creates certain bootstrapping issues (i.e., where to place the driver if not the ESP, a file system the driver is supposed to be used for), and also reimplements a considerable component of the OS storage stack in firmware mode, which seems problematic.
So what to do instead? My recommendation would be to solve this via userspace tooling. If redundant disk support shall be implemented for the ESP, then create separate ESPs on all disks, and synchronize them on the file system level instead of the block level. Or in other words, the tools that install/update/manage kernels or boot loaders should be taught to maintain multiple ESPs instead of one. Copy the kernels/boot loader files to all of them, and remove them from all of them. Under the assumption that the goal of RAID is a more reliable system this should be the best way to achieve that, as it doesn’t pretend the firmware could do things it actually cannot do. Moreover it minimizes the complexity of the boot loader, shifting the syncing logic to userspace, where it’s typically easier to get right.
The discussion above focuses on booting up from a local disk. When thinking about networked boot I think two scenarios are particularly relevant:
PXE-style network booting. I think in this mode of operation focus should be on directly booting a single UKI image instead of a boot loader. This sidesteps the whole issue of maintaining any boot partition at all, and simplifies the boot process greatly. In scenarios where this is not sufficient, and an interactive boot menu or other boot loader features are desired, it might be a good idea to take inspiration from the UKI concept, and build a single boot loader EFI binary (such as systemd-boot), and include the UKIs for the boot menu items and other resources inside it via PE sections. Or in other words, build a single boot loader binary that is “supercharged” and contains all auxiliary resources in its own PE sections. (Note: this does not exist, it’s an idea I intend to explore with systemd-boot). Benefit: a single file has to be downloaded via PXE/TFTP, not more. Disadvantage: unused resources are downloaded unnecessarily. Either way: in this context there is no local storage, and the ESP/XBOOTLDR discussion above is without relevance.
Initrd-style network booting. In this scenario the boot loader and kernel/initrd (better: UKI) are available on a local disk. The initrd then configures the network and transitions to a network share or file system on a network block device for the root file system. In this case the discussion above applies, and in fact the ESP or XBOOTLDR partition would be the only partition available locally on disk.
And this is all I have for today.
As President of the GNOME Foundation, I wanted to post a quick note to pass on the thanks from the Board, the Foundation staff team and membership to our outgoing Executive Director, Neil McGovern. I had the pleasure of passing on GNOME’s thanks in person at the Casa Bariachi this summer at GUADEC in Guadelajara, at the most exellent mariachi celebration of GNOME’s 25th Anniversary. 
Kindly they stopped the music and handed me the microphone for the whole place, although I think many of the other guests celebrating their own birthdays were less excited about Neil’s tenure as Executive Director and the Free and Open Source desktop in general. 
Neil’s 6-month handover period came to an end last month and he handed over the reins to myself and Thibault Martin on the Executive Committee, and Director of Operations Rosanna Yuen has stepped up to act as Chief of Staff and interface between the Board and the staff team for the time being. Our recruitment is ongoing for a new Executive Director although the search is a little behind schedule (mostly down to me!), and we’re hugely grateful to a few volunteers who have joined our search committee to help us source, screen and interview applicants.
I have really enjoyed working closely with Neil in my time on the GNOME board, and we are hugely grateful for his contributions and achievements over the past 5 years which I posted about earlier in the year. Neil is this month starting a new role as the Executive Director of Ruby Central. Our very best wishes from the GNOME community and good luck with your new role. See you soon!
(also posted to Discourse if you wish to add any thanks or comments of your own)
I know what you’re thinking, and I had to do it.
I had literally no other option, in that I asked myself whether there was any other option and decided the answer was no.
There comes a time in every Mesa developer’s life when they start searching for answers. Real question answers, not just “why are there so many pipe caps?” or “is it possible to understand the GLSL compiler?”
That time for me was very recent.
Do we really need two CL frontends in Mesa?
My heart says yes. Not only do we need two, we probably need three, such as the Erlang-based one that Jason “99.4% CTS pass-rate” Ekstrand was briefly working on last year in an unsuccessful attempt to throw off avid bloggers who were getting too close to his real next job. Or the one that Adam “Why Am I In Your Blog?” Jackson has been quietly injecting into the Xserver codebase for the past decade without anyone noticing.
Despite these other entirely valid and extant CL implementations, my brain tells me that we probably don’t even need a single CL implementation in Mesa, let alone one that’s pending CL 3.0 conformance certification, is written in the most prominent of all the languages spoken by crabs, and has by far the most sane and credible Mesa developer working full-time on it.
So here we are.
There can be only one.
And it’s the one that runs on zink.
I meant to blog more, but it seems we’re out of time. As we all know, SGC must go into hibernation at the end of the year to recharge. Workplace safety laws require sufficient rest time be given to meme-rich environments, and you can’t spell SGC without safety.
No, you can’t.
I’ve got two more blog posts that I’m hoping to release before the blog’s hard-earned time off begins.
The first is about OpenCL.
That’s this one.
We all knew this would happen.
We follow Karol on twitter.
We’ve seen the wild, unhinged tweets from his local pub claiming to have LuxMark or some other insane, CL-based application running on top of who knows what driver.
It was only a matter of time before he cornered me at XDC for a quick “talk”. It was completely normal the way he had no fewer than four laptops physically harnessed to his person as he strutted around in search of hapless driver maintainers upon whom he could foist his latest and least sane project. I wasn’t at all afraid for my life when he told me that, by the time he let me leave the conference hall that day, rusticl would be working on zink.
I’m here blogging about it now, so obviously everything is fine and I’m not still trapped in his basement, but let’s take a look at some of the challenges I faced over that grueling, interminable period of CL bring-up besides lack of water and food.
The first major issue is, of course, that CL shaders are called “kernels”, and they are in the KERNEL stage. Since zink only handles the GL shader stages, this posed a bit of a problem.
Thankfully, kernels are very similar to GL/VK compute shaders, and so it was easy to combine most of the code into the compute blocks.
But this led to the real problem.
The real problem is that now this is yet another blog post about Vulkan descriptor models.
I know.
Believe me, I know.
I didn’t want to be here either.
In GL, there is the idea of a combined sampler. This descriptor type has both an image and a sampler in a 1:1 ratio.
CL, being the absolute unit of an API that it is, has discrete images and samplers.
Also, unlike with sane APIs, CL allows entirely untyped shader image access, meaning the images have no format or even component type.
If you’re thinking this is more convenient for users, you’re wrong.
Being completely separate, sampled images and samplers cannot just reuse the same codepaths. Instead, it was necessary to add in some hooks that could help translate these descriptors into the existing combined sampler codepaths. Primarily this amounted to:
Yeah, it wasn’t actually that hard. Because Vulkan descriptors aren’t that hard.
Stop writing about them.
The hard part was the shader interface, because Vulkan doesn’t allow untyped image access. So to handle this, I wrote some compiler passes to go through the shaders and add type info to the variables based on their usage.
I know what you’re thinking.
You’re thinking why didn’t this total lunatic writing a CL frontend in Rust just add type info to the variables before you got them? Wouldn’t that have saved you a lot of work?
It’s a great question. One of the best. And your follow-up? Incredible. Honestly, I knew that all of my readers were smart, but I didn’t realize you were this brilliant.
I don’t have an answer to this, and when asked, Karol just told me I’d earned myself another week in the pit. Whatever that means.
Zink (on RustiCL) is done.
There’s nothing left (for me) to do, and anyone who says otherwise is wrong.
If you try it out and it doesn’t work, complain to Karol. On his twitter. Or in the Phoronix comments, where he has at least three different accounts.
This document looks at the boot process of general purpose Linux distributions. It covers the status quo and how we envision Linux boot to work in the future with a focus on robustness and simplicity.
This document will assume that the reader has comprehensive
familiarity with TPM 2.0 security chips and their capabilities (e.g.,
PCRs, measurements, SRK), boot loaders, the shim binary, Linux,
initrds, UEFI Firmware, PE binaries, and SecureBoot.
Status quo ante of the boot logic on typical Linux distributions:
Most popular Linux distributions generate initrds locally, and
they are unsigned, thus not protected through SecureBoot (since that
would require local SecureBoot key enrollment, which is generally
not done), nor TPM PCRs.
Boot chain is typically Firmware →
shim → grub → Linux kernel →
initrd (dracut or similar) → root file system
Firmware’s UEFI SecureBoot protects shim, shim’s key management protects grub and kernel. No code signing protects initrd. initrd acquires the key for encrypted root fs from the user (or TPM/FIDO2/PKCS11).
shim/grub/kernel is measured into TPM PCR 4, among other stuff
EFI TPM event log reports measured data into TPM PCRs, and can be used to reconstruct and validate state of TPM PCRs from the used resources.
No userspace components are typically measured, except for what IMA measures
New kernels require locally generating new boot loader scripts and generating a new initrd each time. OS updates thus mean fragile generation of multiple resources and copying multiple files into the boot partition.
Problems with the status quo ante:
initrd typically unlocks root file system encryption, but is not protected whatsoever, and trivial to attack and modify offline
OS updates are brittle: PCR values of grub are very hard to pre-calculate, as grub measures chosen control flow path, not just code images. PCR values vary wildly, and OS provided resources are not measured into separate PCRs. Grub’s PCR measurements might be useful up to a point to reason about the boot after the fact, for the most basic remote attestation purposes, but useless for calculating them ahead of time during the OS build process (which would be desirable to be able to bind secrets to future expected PCR state, for example to bind secrets to an OS in a way that it remain accessible even after that OS is updated).
Updates of a boot loader are not robust, require multi-file updates of ESP and boot partition, and regeneration of boot scripts
No rollback protection (no way to cryptographically invalidate access to TPM-bound secrets on OS updates)
Remote attestation of running software is needlessly complex since initrds are generated locally and thus basically are guaranteed to vary on each system.
Locking resources maintained by arbitrary user apps to TPM state (PCRs) is not realistic for general purpose systems, since PCRs will change on every OS update, and there’s no mechanism to re-enroll each such resource before every OS update, and remove the old enrollment after the update.
There is no concept to cryptographically invalidate/revoke secrets for an older OS version once updated to a new OS version. An attacker thus can always access the secrets generated on old OSes if they manage to exploit an old version of the OS — even if a newer version already has been deployed.
Goals of the new design:
Provide a fully signed execution path from firmware to userspace, no exceptions
Provide a fully measured execution path from firmware to userspace, no exceptions
Separate out TPM PCRs assignments, by “owner” of measured resources, so that resources can be bound to them in a fine-grained fashion.
Allow easy pre-calculation of expected PCR values based on booted kernel/initrd, configuration, local identity of the system
Rollback protection
Simple & robust updates: one updated file per concept
Updates without requiring re-enrollment/local preparation of the TPM-protected resources (no more “brittle” PCR hashes that must be propagated into every TPM-protected resource on each OS update)
System ready for easy remote attestation, to prove validity of booted OS, configuration and local identity
Ability to bind secrets to specific phases of the boot, e.g. the root fs encryption key should be retrievable from the TPM only in the initrd, but not after the host transitioned into the root fs.
Reasonably secure, automatic, unattended unlocking of disk encryption secrets should be possible.
“Democratize” use of PCR policies by defining PCR register meanings, and making binding to them robust against updates, so that external projects can safely and securely bind their own data to them (or use them for remote attestation) without risking breakage whenever the OS is updated.
Build around TPM 2.0 (with graceful fallback for TPM-less systems if desired, but TPM 1.2 support is out of scope)
Considered attack scenarios and considerations:
Evil Maid: neither online nor offline (i.e. “at rest”), physical access to a storage device should enable an attacker to read the user’s plaintext data on disk (confidentiality); neither online nor offline, physical access to a storage device should allow undetected modification/backdooring of user data or OS (integrity), or exfiltration of secrets.
TPMs are assumed to be reasonably “secure”, i.e. can securely store/encrypt secrets. Communication to TPM is not “secure” though and must be protected on the wire.
Similar, the CPU is assumed to be reasonably “secure”
SecureBoot is assumed to be reasonably “secure” to permit validated boot up to and including shim+boot loader+kernel (but see discussion below)
All user data must be encrypted and authenticated. All vendor and administrator data must be authenticated.
It is assumed all software involved regularly contains vulnerabilities and requires frequent updates to address them, plus regular revocation of old versions.
It is further assumed that key material used for signing code by the OS vendor can reasonably be kept secure (via use of HSM, and similar, where secret key information never leaves the signing hardware) and does not require frequent roll-over.
Central to the proposed design is the concept of a Unified Kernel Image (UKI). These UKIs are the combination of a Linux kernel image, and initrd, a UEFI boot stub program (and further resources, see below) into one single UEFI PE file that can either be directly invoked by the UEFI firmware (which is useful in particular in some cloud/Confidential Computing environments) or through a boot loader (which is generally useful to implement support for multiple kernel versions, with interactive or automatic selection of image to boot into, potentially with automatic fallback management to increase robustness).
Specifically, UKIs typically consist of the following resources:
An UEFI boot stub that is a small piece of code still running in
UEFI mode and that transitions into the Linux kernel included in
the UKI (e.g., as implemented in
sd-stub,
see below)
The Linux kernel to boot in the .linux PE section
The initrd that the kernel shall unpack and invoke in the
.initrd PE section
A kernel command line string, in the .cmdline PE
section
Optionally, information describing the OS this kernel is intended
for, in the .osrel PE section (derived from
/etc/os-release of the booted OS). This is useful for
presentation of the UKI in the boot loader menu, and ordering it
against other entries, using the included version information.
Optionally, information describing kernel release information
(i.e. uname -r output) in the .uname PE
section. This is also useful for presentation of the UKI in the
boot loader menu, and ordering it against other entries.
Optionally, a boot splash to bring to screen before transitioning
into the Linux kernel in the .splash PE section
Optionally, a compiled Devicetree database file, for systems which
need it, in the .dtb PE section
Optionally, the public key in PEM format that matches the
signatures of the .pcrsig PE section (see below), in a
.pcrpkey PE section.
Optionally, a JSON file encoding expected PCR 11 hash values seen
from userspace once the UKI has booted up, along with signatures
of these expected PCR 11 hash values, matching a specific public
key in the .pcrsig PE section. (Note: we use plural
for “values” and “signatures” here, as this JSON file will
typically carry a separate value and signature for each PCR bank
for PCR 11, i.e. one pair of value and signature for the SHA1
bank, and another pair for the SHA256 bank, and so on. This
ensures when enrolling or unlocking a TPM-bound secret we’ll
always have a signature around matching the banks available
locally (after all, which banks the local hardware supports is up
to the hardware). For the sake of simplifying this already overly
complex topic, we’ll pretend in the rest of the text there was
only one PCR signature per UKI we have to care about, even if this
is not actually the case.)
Given UKIs are regular UEFI PE files, they can thus be signed as one
for SecureBoot, protecting all of the individual resources listed
above at once, and their combination. Standard Linux tools such as
sbsigntool and pesign can be used to sign
UKI files.
UKIs wrap all of the above data in a single file, hence all of the above components can be updated in one go through single file atomic updates, which is useful given that the primary expected storage place for these UKIs is the UEFI System Partition (ESP), which is a vFAT file system, with its limited data safety guarantees.
UKIs can be generated via a single, relatively simple objcopy invocation, that glues the listed components together, generating one PE binary that then can be signed for SecureBoot. (For details on building these, see below.)
Note that the primary location to place UKIs in is the EFI System Partition (or an otherwise firmware accessible file system). This typically means a VFAT file system of some form. Hence an effective UKI size limit of 4GiB is in place, as that’s the largest file size a FAT32 file system supports.
The mentioned UEFI stub program will execute the following operations
in UEFI mode before transitioning into the Linux kernel that is
included in its .linux PE section:
The PE sections listed are searched for in the invoked UKI the stub is part of, and superficially validated (i.e. general file format is in order).
All PE sections listed above of the invoked UKI are measured into
TPM PCR 11. This TPM PCR is expected to be all zeroes before the UKI
initializes. Pre-calculation is thus very straight-forward if the
resources included in the PE image are known. (Note: as a single
exception the .pcrsig PE section is excluded from this measurement,
as it is supposed to carry the expected result of the measurement, and
thus cannot also be input to it, see below for further details about
this section.)
If the .splash PE section is included in the UKI it is brought onto the screen
If the .dtb PE section is included in the UKI it is activated
using the Devicetree UEFI “fix-up” protocol
If a command line was passed from the boot loader to the UKI
executable it is discarded if SecureBoot is enabled and the command
line from the .cmdline used. If SecureBoot is disabled and a
command line was passed it is used in place of the one from
.cmdline. Either way the used command line is measured into TPM
PCR 12. (This of course removes any flexibility of control of the
kernel command line of the local user. In many scenarios this is
probably considered beneficial, but in others it is not, and some
flexibility might be desired. Thus, this concept probably needs to
be extended sooner or later, to allow more flexible kernel command
line policies to be enforced via definitions embedded into the
UKI. For example: allowing definition of multiple kernel command
lines the user/boot menu can select one from; allowing additional
allowlisted parameters to be specified; or even optionally allowing
any verification of the kernel command line to be turned off even
in SecureBoot mode. It would then be up to the builder of the UKI
to decide on the policy of the kernel command line.)
It will set a couple of volatile EFI variables to inform userspace
about executed TPM PCR measurements (and which PCR registers were
used), and other execution properties. (For example: the EFI
variable StubPcrKernelImage in the
4a67b082-0a4c-41cf-b6c7-440b29bb8c4f vendor namespace indicates
the PCR register used for the UKI measurement, i.e. the value
“11”).
An initrd cpio archive is dynamically synthesized from the
.pcrsig and .pcrpkey PE section data (this is later passed to
the invoked Linux kernel as additional initrd, to be overlaid with
the main initrd from the .initrd section). These files are later
available in the /.extra/ directory in the initrd context.
The Linux kernel from the .linux PE section is invoked with with
a combined initrd that is composed from the blob from the .initrd
PE section, the dynamically generated initrd containing the
.pcrsig and .pcrpkey PE sections, and possibly some additional
components like sysexts or syscfgs.
In the construction above we take possession of two PCR registers previously unused on generic Linux distributions:
TPM PCR 11 shall contain measurements of all components of the
UKI (with exception of the .pcrsig PE section, see above). This
PCR will also contain measurements of the boot phase once userspace
takes over (see below).
TPM PCR 12 shall contain measurements of the used kernel command line. (Plus potentially other forms of parameterization/configuration passed into the UKI, not discussed in this document)
On top of that we intend to define two more PCR registers like this:
TPM PCR 15 shall contain measurements of the volume encryption key of the root file system of the OS.
[TPM PCR 13 shall contain measurements of additional extension images for the initrd, to enable a modularized initrd – not covered by this document]
(See the Linux TPM PCR Registry for an overview how these four PCRs fit into the list of Linux PCR assignments.)
For all four PCRs the assumption is that they are zero before the UKI initializes, and only the data that the UKI and the OS measure into them is included. This makes pre-calculating them straightforward: given a specific set of UKI components, it is immediately clear what PCR values can be expected in PCR 11 once the UKI booted up. Given a kernel command line (and other parameterization/configuration) it is clear what PCR values are expected in PCR 12.
Note that these four PCRs are defined by the conceptual “owner” of the resources measured into them. PCR 11 only contains resources the OS vendor controls. Thus it is straight-forward for the OS vendor to pre-calculate and then cryptographically sign the expected values for PCR 11. The PCR 11 values will be identical on all systems that run the same version of the UKI. PCR 12 only contains resources the administrator controls, thus the administrator can pre-calculate PCR values, and they will be correct on all instances of the OS that use the same parameters/configuration. PCR 15 only contains resources inherently local to the local system, i.e. the cryptographic key material that encrypts the root file system of the OS.
Separating out these three roles does not imply these actually need to be separate when used. However the assumption is that in many popular environments these three roles should be separate.
By separating out these PCRs by the owner’s role, it becomes straightforward to remotely attest, individually, on the software that runs on a node (PCR 11), the configuration it uses (PCR 12) or the identity of the system (PCR 15). Moreover, it becomes straightforward to robustly and securely encrypt data so that it can only be unlocked on a specific set of systems that share the same OS, or the same configuration, or have a specific identity – or a combination thereof.
Note that the mentioned PCRs are so far not typically used on generic Linux-based operating systems, to our knowledge. Windows uses them, but given that Windows and Linux should typically not be included in the same boot process this should be unproblematic, as Windows’ use of these PCRs should thus not conflict with ours.
To summarize:
| PCR | Purpose | Owner | Expected Value before UKI boot | Pre-Calculable | |
|---|---|---|---|---|---|
| 11 | Measurement of UKI components and boot phases | OS Vendor | Zero | Yes (at UKI build time) |
|
| 12 | Measurement of kernel command line, additional kernel runtime configuration such as systemd credentials, systemd syscfg images | Administrator | Zero | Yes (when system configuration is assembled) |
|
| 13 | System Extension Images of initrd (and possibly more) |
(Administrator) | Zero | Yes (when set of extensions is assembled) | |
| 15 | Measurement of root file system volume key (Possibly later more: measurement of root file system UUIDs and labels and of the machine ID /etc/machine-id) |
Local System | Zero | Yes (after first boot once ll such IDs are determined) |
In the model above in particular two sets of private/public key pairs are relevant:
The SecureBoot key to sign the UKI PE executable with. This controls permissible choices of OS/kernel
The key to sign the expected PCR 11 values with. Signatures made
with this key will end up in the .pcrsig PE section. The public
key part will end up in the .pcrpkey PE section.
Typically the key pair for the PCR 11 signatures should be chosen with a narrow focus, reused for exactly one specific OS (e.g. “Fedora Desktop Edition”) and the series of UKIs that belong to it (all the way through all the versions of the OS). The SecureBoot signature key can be used with a broader focus, if desired. By keeping the PCR 11 signature key narrow in focus one can ensure that secrets bound to the signature key can only be unlocked on the narrow set of UKIs desired.
Depending on the intended access policy to a resource protected by the TPM, one or more of the PCRs described above should be selected to bind TPM policy to.
For example, the root file system encryption key should likely be bound to TPM PCR 11, so that it can only be unlocked if a specific set of UKIs is booted (it should then, once acquired, be measured into PCR 15, as discussed above, so that later TPM objects can be bound to it, further down the chain). With the model described above this is reasonably straight-forward to do:
When userspace wants to bind disk encryption to a specific series of
UKIs (“enrollment”), it looks for the public key passed to the
initrd in the /.extra/ directory (which as discussed above
originates in the .pcrpkey PE section of the UKI). The relevant
userspace component (e.g. systemd) is then responsible for
generating a random key to be used as symmetric encryption key for
the storage volume (let’s call it disk encryption key _here,
DEK_). The TPM is then used to encrypt (“seal”) the DEK with its
internal Storage Root Key (TPM SRK). A TPM2 policy is bound to the
encrypted DEK. The policy enforces that the DEK may only be
decrypted if a valid signature is provided that matches the state of
PCR 11 and the public key provided in the /.extra/ directory of
the initrd. The plaintext DEK key is passed to the kernel to
implement disk encryption (e.g. LUKS/dm-crypt). (Alternatively,
hardware disk encryption can be used too, i.e. Intel MKTME, AMD SME
or even OPAL, all of which are outside of the scope of this
document.) The TPM-encrypted version of the DEK which the TPM
returned is written to the encrypted volume’s superblock.
When userspace wants to unlock disk encryption on a specific
UKI, it looks for the signature data passed to the initrd in the
/.extra/ directory (which as discussed above originates in the
.pcrsig PE section of the UKI). It then reads the encrypted
version of the DEK from the superblock of the encrypted volume. The
signature and the encrypted DEK are then passed to the TPM. The TPM
then checks if the current PCR 11 state matches the supplied
signature from the .pcrsig section and the public key used during
enrollment. If all checks out it decrypts (“unseals”) the DEK and
passes it back to the OS, where it is then passed to the kernel
which implements the symmetric part of disk encryption.
Note that in this scheme the encrypted volume’s DEK is not bound to specific literal PCR hash values, but to a public key which is expected to sign PCR hash values.
Also note that the state of PCR 11 only matters during unlocking. It is not used or checked when enrolling.
In this scenario:
Input to the TPM part of the enrollment process are the TPM’s internal SRK, the plaintext DEK provided by the OS, and the public key later used for signing expected PCR values, also provided by the OS. – Output is the encrypted (“sealed”) DEK.
Input to the TPM part of the unlocking process are the TPM’s internal SRK, the current TPM PCR 11 values, the public key used during enrollment, a signature that matches both these PCR values and the public key, and the encrypted DEK. – Output is the plaintext (“unsealed”) DEK.
Note that sealing/unsealing is done entirely on the TPM chip, the host OS just provides the inputs (well, only the inputs that the TPM chip doesn’t know already on its own), and receives the outputs. With the exception of the plaintext DEK, none of the inputs/outputs are sensitive, and can safely be stored in the open. On the wire the plaintext DEK is protected via TPM parameter encryption (not discussed in detail here because though important not in scope for this document).
TPM PCR 11 is the most important of the mentioned PCRs, and its use is thus explained in detail here. The other mentioned PCRs can be used in similar ways, but signatures/public keys must be provided via other means.
This scheme builds on the functionality Linux’ LUKS2 functionality provides, i.e. key management supporting multiple slots, and the ability to embed arbitrary metadata in the encrypted volume’s superblock. Note that this means the TPM2-based logic explained here doesn’t have to be the only way to unlock an encrypted volume. For example, in many setups it is wise to enroll both this TPM-based mechanism and an additional “recovery key” (i.e. a high-entropy computer generated passphrase the user can provide manually in case they lose access to the TPM and need to access their data), of which either can be used to unlock the volume.
Secrets needed during boot-up (such as the root file system encryption key) should typically not be accessible anymore afterwards, to protect them from access if a system is attacked during runtime. To implement this the scheme above is extended in one way: at certain milestones of the boot process additional fixed “words” should be measured into PCR 11. These milestones are placed at conceptual security boundaries, i.e. whenever code transitions from a higher privileged context to a less privileged context.
Specifically:
When the initrd initializes (“initrd-enter”)
When the initrd transitions into the root file system (“initrd-leave”)
When the early boot phase of the OS on the root file system has
completed, i.e. all storage and file systems have been set up and
mounted, immediately before regular services are started
(“sysinit”)
When the OS on the root file system completed the boot process far
enough to allow unprivileged users to log in (“complete”)
When the OS begins shut down (“shutdown”)
When the service manager is mostly finished with shutting down and
is about to pass control to the final phase of the shutdown logic
(“final”)
By measuring these additional words into PCR 11 the distinct phases of the boot process can be distinguished in a relatively straight-forward fashion and the expected PCR values in each phase can be determined.
The phases are measured into PCR 11 (as opposed to some other PCR) mostly because available PCRs are scarce, and the boot phases defined are typically specific to a chosen OS, and hence fit well with the other data measured into PCR 11: the UKI which is also specific to the OS. The OS vendor generates both the UKI and defines the boot phases, and thus can safely and reliably pre-calculate/sign the expected PCR values for each phase of the boot.
In order to secure secrets stored at rest, in particular in environments where unattended decryption shall be possible, it is essential that an attacker cannot use old, known-buggy – but properly signed – versions of software to access them.
Specifically, if disk encryption is bound to an OS vendor (via UKIs that include expected PCR values, signed by the vendor’s public key) there must be a mechanism to lock out old versions of the OS or UKI from accessing TPM based secrets once it is determined that the old version is vulnerable.
To implement this we propose making use of one of the “counters” TPM 2.0 devices provide: integer registers that are persistent in the TPM and can only be increased on request of the OS, but never be decreased. When sealing resources to the TPM, a policy may be declared to the TPM that restricts how the resources can later be unlocked: here we use one that requires that along with the expected PCR values (as discussed above) a counter integer range is provided to the TPM chip, along with a suitable signature covering both, matching the public key provided during sealing. The sealing/unsealing mechanism described above is thus extended: the signature passed to the TPM during unsealing now covers both the expected PCR values and the expected counter range. To be able to use a signature associated with an UKI provided by the vendor to unseal a resource, the counter thus must be at least increased to the lower end of the range the signature is for. By doing so the ability is lost to unseal the resource for signatures associated with older versions of the UKI, because their upper end of the range disables access once the counter has been increased far enough. By carefully choosing the upper and lower end of the counter range whenever the PCR values for an UKI shall be signed it is thus possible to ensure that updates can invalidate prior versions’ access to resources. By placing some space between the upper and lower end of the range it is possible to allow a controlled level of fallback UKI support, with clearly defined milestones where fallback to older versions of an UKI is not permitted anymore.
Example: a hypothetical distribution FooOS releases a regular stream of UKI kernels 5.1, 5.2, 5.3, … It signs the expected PCR values for these kernels with a key pair it maintains in a HSM. When signing UKI 5.1 it includes information directed at the TPM in the signed data declaring that the TPM counter must be above 100, and below 120, in order for the signature to be used. Thus, when the UKI is booted up and used for unlocking an encrypted volume the unlocking code must first increase the counter to 100 if needed, as the TPM will otherwise refuse unlocking the volume. The next release of the UKI, i.e. UKI 5.2 is a feature release, i.e. reverting back to the old kernel locally is acceptable. It thus does not increase the lower bound, but it increases the upper bound for the counter in the signature payload, thus encoding a valid range 100…121 in the signed payload. Now a major security vulnerability is discovered in UKI 5.1. A new UKI 5.3 is prepared that fixes this issue. It is now essential that UKI 5.1 can no longer be used to unlock the TPM secrets. Thus UKI 5.3 will bump the lower bound to 121, and increase the upper bound by one, thus allowing a range 121…122. Or in other words: for each new UKI release the signed data shall include a counter range declaration where the upper bound is increased by one. The lower range is left as-is between releases, except when an old version shall be cut off, in which case it is bumped to one above the upper bound used in that release.
As mentioned earlier, UKIs are the combination of various resources
into one PE file. For most of these individual components there are
pre-existing tools to generate the components. For example the
included kernel image can be generated with the usual Linux kernel
build system. The initrd included in the UKI can be generated with
existing tools such as dracut and similar. Once the basic components
(.linux, .initrd, .cmdline, .splash, .dtb, .osrel,
.uname) have been acquired the combination process works roughly
like this:
The expected PCR 11 hashes (and signatures for them) for the UKI are calculated. The tool for that takes all basic UKI components and a signing key as input, and generates a JSON object as output that includes both the literal expected PCR hash values and a signature for them. (For all selected TPM2 banks)
The EFI stub binary is now combined with the basic components, the
generated JSON PCR signature object from the first step (in the
.pcrsig section) and the public key for it (in the .pcrpkey
section). This is done via a simple “objcopy” invocation
resulting in a single UKI PE binary.
The resulting EFI PE binary is then signed for SecureBoot (via a
tool such as
sbsign
or similar).
Note that the UKI model implies pre-built initrds. How to generate these (and securely extend and parameterize them) is outside of the scope of this document, but a related document will be provided highlighting these concepts.
The scheme discussed here touches both SecureBoot code signing and TPM PCR measurements. These two distinct mechanisms cover separate parts of the boot process.
Specifically:
Firmware/Shim SecureBoot signing covers bootloader and UKI
TPM PCR 11 covers the UKI components and boot phase
TPM PCR 12 covers admin configuration
TPM PCR 15 covers the local identity of the host
Note that this means SecureBoot coverage ends once the system transitions from the initrd into the root file system. It is assumed that trust and integrity have been established before this transition by some means, for example LUKS/dm-crypt/dm-integrity, ideally bound to PCR 11 (i.e. UKI and boot phase).
A robust and secure update scheme for PCR 11 (i.e. UKI) has been described above, which allows binding TPM-locked resources to a UKI. For PCR 12 no such scheme is currently designed, but might be added later (use case: permit access to certain secrets only if the system runs with configuration signed by a specific set of keys). Given that resources measured into PCR 15 typically aren’t updated (or if they are updated loss of access to other resources linked to them is desired) no update scheme should be necessary for it.
This document focuses on the three PCRs discussed above. Disk encryption and other userspace may choose to also bind to other PCRs. However, doing so means the PCR brittleness issue returns that this design is supposed to remove. PCRs defined by the various firmware UEFI/TPM specifications generally do not know any concept for signatures of expected PCR values.
It is known that the industry-adopted SecureBoot signing keys are too broad to act as more than a denylist for known bad code. It is thus probably a good idea to enroll vendor SecureBoot keys wherever possible (e.g. in environments where the hardware is very well known, and VM environments), to raise the bar on preparing rogue UKI-like PE binaries that will result in PCR values that match expectations but actually contain bad code. Discussion about that is however outside of the scope of this document.
The above is written under the assumption that the UKI embeds an initrd whose job it is to set up the root file system: find it, validate it, cryptographically unlock it and similar. Once the root file system is found, the system transitions into it.
While this is the traditional design and likely what most systems will use, it is also possible to embed a regular root file system into the UKI and avoid any transition to an on-disk root file system. In this mode the whole OS would be encapsulated in the UKI, and signed/measured as one. In such a scenario the whole of the OS must be loaded into RAM and remain there, which typically restricts the general usability of such an approach. However, for specific purposes this might be the design of choice, for example to implement self-sufficient recovery or provisioning systems.
The toolset for most of the above is already implemented in systemd and related projects in one way or another. Specifically:
The
systemd-stub
(or short: sd-stub) component implements the discussed UEFI stub
program
The
systemd-measure
tool can be used to pre-calculate expected PCR 11 values given the
UKI components and can sign the result, as discussed in the UKI
Image Generation section above.
The
systemd-cryptenroll
and
systemd-cryptsetup
tools can be used to bind a LUKS2 encrypted file system volume to a
TPM and PCR 11 public key/signatures, according to the scheme
described above. (The two components also implement a “recovery
key” concept, as discussed above)
The
systemd-pcrphase
component measures specific words into PCR 11 at the discussed
phases of the boot process.
The
systemd-creds
tool may be used to encrypt/decrypt data objects called
“credentials” that can be passed into services and booted systems,
and are automatically decrypted (if needed) immediately before
service invocation. Encryption is typically bound to the local TPM,
to ensure the data cannot be recovered elsewhere.
Note that
systemd-stub
(i.e. the UEFI code glued into the UKI) is distinct from
systemd-boot
(i.e. the UEFI boot loader than can manage multiple UKIs and other
boot menu items and implements automatic fallback, an interactive menu
and a programmatic interface for the OS among other things). One can
be used without the other – both sd-stub without sd-boot and vice
versa – though they integrate nicely if used in combination.
Note that the mechanisms described are relatively generic, and can be implemented and be consumed in other software too, systemd should be considered a reference implementation, though one that found comprehensive adoption across Linux distributions.
Some concepts discussed above are currently not implemented. Specifically:
The rollback protection logic is currently not implemented.
The mentioned measurement of the root file system volume key to PCR 15 is implemented, but not merged into the systemd main branch yet.
We recently started a new group for discussing concepts and specifications of basic OS components, including UKIs as described above. It's called the UAPI Group. Please have a look at the various documents and specifications already available there, and expect more to come. Contributions welcome!
TPM
Trusted Platform Module; a security chip found in many modern systems, both physical systems and increasingly also in virtualized environments. Traditionally a discrete chip on the mainboard but today often implemented in firmware, and lately directly in the CPU SoC.
PCR
Platform Configuration Register; a set of registers on a TPM that are initialized to zero at boot. The firmware and OS can “extend” these registers with hashes of data used during the boot process and afterwards. “Extension” means the supplied data is first cryptographically hashed. The resulting hash value is then combined with the previous value of the PCR and the combination hashed again. The result will become the new value of the PCR. By doing this iteratively for all parts of the boot process (always with the data that will be used next during the boot process) a concept of “Measured Boot” can be implemented: as long as every element in the boot chain measures (i.e. extends into the PCR) the next part of the boot like this, the resulting PCR values will prove cryptographically that only a certain set of boot components can have been used to boot up. A standards compliant TPM usually has 24 PCRs, but more than half of those are already assigned specific meanings by the firmware. Some of the others may be used by the OS, of which we use four in the concepts discussed in this document.
Measurement
The act of “extending” a PCR with some data object.
SRK
Storage Root Key; a special cryptographic key generated by a TPM that never leaves the TPM, and can be used to encrypt/decrypt data passed to the TPM.
UKI
Unified Kernel Image; the concept this document is about. A
combination of kernel, initrd and other resources. See above.
SecureBoot
A mechanism where every software component involved in the boot process is cryptographically signed and checked against a set of public keys stored in the mainboard hardware, implemented in firmware, before it is used.
Measured Boot
A boot process where each component measures (i.e., hashes and extends into a TPM PCR, see above) the next component it will pass control to before doing so. This serves two purposes: it can be used to bind security policy for encrypted secrets to the resulting PCR values (or signatures thereof, see above), and it can be used to reason about used software after the fact, for example for the purpose of remote attestation.
initrd
Short for “initial RAM disk”, which – strictly speaking – is a
misnomer today, because no RAM disk is anymore involved, but a tmpfs
file system instance. Also known as “initramfs”, which is also
misleading, given the file system is not ramfs anymore, but tmpfs
(both of which are in-memory file systems on Linux, with different
semantics). The initrd is passed to the Linux kernel and is
basically a file system tree in cpio archive. The kernel unpacks the
image into a tmpfs (i.e., into an in-memory file system), and then
executes a binary from it. It thus contains the binaries for the first
userspace code the kernel invokes. Typically, the initrd’s job is to
find the actual root file system, unlock it (if encrypted), and
transition into it.
UEFI
Short for “Unified Extensible Firmware Interface”, it is a widely adopted standard for PC firmware, with native support for SecureBoot and Measured Boot.
EFI
More or less synonymous to UEFI, IRL.
Shim
A boot component originating in the Linux world, which in a way extends the public key database SecureBoot maintains (which is under control from Microsoft) with a second layer (which is under control of the Linux distributions and of the owner of the physical device).
PE
Portable Executable; a file format for executable binaries, originally from the Windows world, but also used by UEFI firmware. PE files may contain code and data, categorized in labeled “sections”
ESP
EFI System Partition; a special partition on a storage medium that the firmware is able to look for UEFI PE binaries in to execute at boot.
HSM
Hardware Security Module; a piece of hardware that can generate and store secret cryptographic keys, and execute operations with them, without the keys leaving the hardware (though this is configurable). TPMs can act as HSMs.
DEK
Disk Encryption Key; an asymmetric cryptographic key used for unlocking disk encryption, i.e. passed to LUKS/dm-crypt for activating an encrypted storage volume.
LUKS2
Linux Unified Key Setup Version 2; a specification for a superblock
for encrypted volumes widely used on Linux. LUKS2 is the default
on-disk format for the cryptsetup suite of tools. It provides
flexible key management with multiple independent key slots and allows
embedding arbitrary metadata in a JSON format in the superblock.
I’d like to thank Alain Gefflaut, Anna Trikalinou, Christian Brauner, Daan de Meyer, Luca Boccassi, Zbigniew Jędrzejewski-Szmek for reviewing this text.
In my previous post I talked about the VK_EXT_mesh_shader extension that had just been released for Vulkan, and in which I had participated by reviewing the spec and writing CTS tests. Back then I referred readers to external documentation sources like the Vulkan mesh shading post on the Khronos Blog, but today I can add one more interesting resource. A couple of weeks ago I went to Minneapolis to participate in XDC 2022, where I gave an introductory talk about mesh shaders that’s now available on YouTube. In the talk I give some details about the concepts, the Vulkan API and how the new shading stages work.
Just after me, Timur Kristóf also presented an excellent talk with details about the Mesa mesh shader implementation for RADV, available as part of the same playlist.
As an additional resource, I’m going to participate together with Timur, Steven Winston and Christoph Kubisch in a Khronos Vulkanised Webinar to talk a bit more about mesh shaders on October 27. You must register to attend, but attendance is free.
Back to XDC, crossing the Atlantic Ocean to participate in the event was definitely tiring, but I had a lot of fun at the conference. It was my first in-person XDC and a special one too, this year hosted together with WineConf and FOSS XR. Seeing everyone there and shaking some hands, even with our masks on most of the time, made me realize how much I missed traveling to events. Special thanks to Codeweavers for organizing the conference, and in particular to Jeremy White and specially to Arek Hiler for taking care of most technical details and acting as a host and manager in the XDC room.
Apart from my mesh shaders talk, do not miss other talks by Igalians at the conference:
Status of Vulkan on the Raspberry Pi by Iago Toral.
Enable hardware acceleration for GL applications without glamor on Xorg modesetting driver by Chema Casanova and Christopher Michael.
"I’m not an AMD expert, but…" by Melissa Wen.
Async page flip in atomic API by André Almeida.
And, of course, take a look at the whole event playlist for more super-interesting content, like the one by Alyssa Rosenzweig and Lina Asahi about reverse-engineered GPU drivers, the one about Zink by Mike Blumenkrantz (thanks for the many shout-outs!) or the guide to write Vulkan drivers by Jason Ekstrand which includes some info about the new open source Vulkan driver for NVIDIA cards.
That said, if you’re really interested in my talk but don’t want to watch a video (or the closed captions are giving you trouble), you can find the slides and the script to my talk below. Each thumbnail can be clicked to view a full-HD image.
Hi everyone, I’m Ricardo Garcia from Igalia. Most of my work revolves around CTS tests and the Vulkan specification, and today I’ll be talking about the new mesh shader extension for Vulkan that was published a month ago. I participated in the release process of this extension by writing thousands of tests and reviewing and discussing the specification text for Vulkan, GLSL and SPIR-V.
Mesh shaders are a new way of processing geometry in the graphics pipeline. Essentially, they introduce an alternative way of creating graphics pipelines in Vulkan, but they don’t introduce a completely new type of pipeline.
The new extension is multi-vendor and heavily based on the NVIDIA-only extension that existed before, but some details have been fine-tuned to make it closer to the DX12 version of mesh shaders and to make it easier to implement for other vendors.
I want to cover what mesh shaders are, how they compare to the classic pipelines and how they solve some problems.
Then we’ll take a look at what a mesh shader looks like and how it works, and we’ll also talk about drawbacks mesh shaders have.
Mesh shading introduces a new type of graphics pipeline with a much smaller number of stages compared to the classic one. One of the new stages is called the mesh shading stage.
These new pipelines try to address some issues and shortcomings with classic pipelines on modern GPUs. The new pipeline stages have many things in common with compute shaders, as we’ll see.
This is a simplified version of the classic pipeline.
Basically the pipeline can be divided in two parts. The first stages are in charge of generating primitives for the rasterizer.
Then the rasterizer does a lot of magic including primitive clipping, barycentric interpolation and preparing fragment data for fragment shader invocations.
It’s technically possible to replace the whole pipeline with a compute shader (there’s a talk on Thursday about this), but mesh shaders do not touch the rasterizer and everything that comes after it.
Mesh shaders try to apply a compute model to replace some of this with a shader that’s similar to compute, but the changes are restricted to the first part of the pipeline.
If I have to cut the presentation short, this is perhaps one of the slides you should focus on.
Mesh shading employs a shader that’s similar to compute to generate geometry for the rasterizer.
There’s no input assembly, no vertex shader, no tessellation, etc. Everything that you did with those stages is now done in the new mesh shading stage, which is a bit more flexible and powerful.
In reality, the mesh shading extension actually introduces two new stages. There’s an optional task shader that runs before the mesh shader, but we’ll forget about it for now.
These are the problems mesh shading tries to solve.
Vertex inputs are a bit annoying to implement in drivers and in some hardware they use specific fixed function units that may be a bottleneck in some cases, at least in theory.
The main pain point is that vertex shaders work at the per-vertex level, so you don’t generally have control of how geometry is arranged in primitives. You may run several vertex shader invocations that end up forming a primitive that faces back and is not visible and there’s no easy way to filter those out, so you waste computing power and memory bandwidth reading data for those vertices. Some implementations do some clever stuff here trying to avoid these issues.
Finally, tessellation and geometry shaders should perhaps be simpler and more powerful, and should work like compute shaders so we process vertices in parallel more efficiently.
So far we know mesh shaders look a bit like compute shaders and they need to generate geometry somehow because their output goes to the rasterizer, so lets take a look.
The example will be in GLSL to make it easier to read. As you can see, it needs a new extension which, when translated to SPIR-V will be converted into a SPIR-V extension that gives access to some new opcodes and functionality.
The first similarity to compute is that mesh shaders are dispatched in 3d work groups like compute shaders, and each of them has a number of invocations in 3d controlled by the shader itself. Same deal. There’s a limit to the size of each work group, but the minimum mandatory limit by the spec is 128 invocations. If the hardware does not support work groups of that size, they will be emulated. We also have a properties structure in Vulkan where you can check the recommended maximum size for work groups according to the driver.
Inside the body of your shader you get access to the typical built-ins for compute shaders, like the number of work groups, work group id, local invocation indices, etc.
If subgroups are supported, you can also use subgroup operations in them.
But mesh shaders also have to generate geometry. The type can not be chosen at runtime. When writing the shader you have to decide if you shader will output triangles, lines or points.
You must also indicate an upper limit in the number of vertices and primitives that each work group will generate.
Generally speaking, this will be a small-ish number. Several implementations will limit you to 256 vertices and primitives at most, which is the minimum required limit.
To handle big meshes with this, you’ll need several work groups and each work group will handle a piece of the whole mesh.
In each work group, the local invocations will cooperate to generate arrays of vertex and primitive data.
And here you can see how. After, perhaps, some initial processing not seen here, you have to indicate how many actual vertices and primitives the work group will emit, using the SetMeshOutputsEXT call.
That call goes first before filling any output array and you can reason about it as letting the implementation allocate the appropriate amount of memory for those output arrays.
Mesh shaders output indexed geometry, like when you use vertex and index buffers together.
You need to write data for each vertex to an output array, and primitive indices to another output array. Typically, each local invocation handles one position or a chunk of those arrays so they cooperate together to fill the whole thing. In the slide here you see a couple of those arrays, the most typical ones.
The built-in mesh vertices ext array contains per-vertex built-ins, like the vertex position. Indices used with this array go from 0 to ACTUAL_V-1
Then, the primitive triangle indices ext array contains, for each triangle, 3 uint indices into the previous vertices array. The primitive indices array itself is accessed using indices from 0 to ACTUAL_P-1. If there’s a second slide that I want you to remember, it’s this one. What we have here is an initial template to start writing any mesh shader.
There are a few more details we can add. For example, mesh shaders can also generate custom output attributes that will be interpolated and used as inputs to the fragment shader, just like vertex shaders can.
The difference is that in mesh shaders they form arrays. If we say nothing, like in the first output here, they’re considered per-vertex and have the same index range as the mesh vertices array.
A nice addition for mesh shaders is that you can use the perprimitiveEXT keyword to indicate output attributes are per-primitive and do not need to be interpolated, like the second output here. If you use these, you need to declare them with the same keyword in the fragment shader so the interfaces match. Indices to these arrays have the same range as the built-in primitive indices array.
And, of course, if there’s no input assembly we need to read data from somewhere. Typically from descriptors like storage buffers containing vertex and maybe index information, but we could also generate geometry procedurally.
Just to show you a few more details, these are the built-in arrays used for geometry. There are arrays of indices for triangles, lines or points depending on what the shader is supposed to generate.
The mesh vertices ext array that we saw before can contain a bit more data apart from the position (point size, clip and cull distances).
The third array was not used before. It’s the first time I mention it and as you can see it’s per-primitive instead of per-vertex. You can indicate a few things like the primitive id, the layer or viewport index, etc.
As I mentioned before, each work group can only emit a relatively small number of primitives and vertices, so for big models, several work groups are dispatched and each of them is in charge of generating and processing a meshlet, which are the colored patches you see here on the bunny.
It’s worth mentioning the subdivision of big meshes into meshlets is typically done when preparing assets for the application, meaning there shouldn’t be any runtime delay.
Mesh shading work groups are dispatched with specific commands inside a render pass, and they look similar to compute dispatches as you can see here, with a 3d size.
Let’s talk a bit about task shaders, which are optional. If present, they go before mesh shaders, and the dispatch commands do not control the number of mesh shader work groups, but the number of task shader work groups that are dispatched and each task shader work group will dispatch a number of mesh shader work groups.
Each task shader work group also follows the compute model, with a number of local invocations that cooperate together.
Each work group typically pre-processes geometry in some way and amplifies or reduces the amount of work that needs to be done. That’s why it’s called the amplification shader in DX12.
Once that pre-processing is done, each task work group decides, at runtime, how many mesh work groups to launch as children, forming a tree with two levels.
One interesting detail about this is that compute built-ins in mesh shaders may not be unique when using task shaders. They are only unique per branch. In this example, we dispatched a couple of task shader work groups and each of them decided to dispatch 2 and 3 mesh shader work groups. Some mesh shader work groups will have the same work group id and, if the second task shader work group had launched 2 children instead of 3, even the number of work groups would be the same.
But we probably want them all to process different things, so the way to tell them apart from inside the mesh shader code is to use a payload: a piece of data that is generated in each task work group and passed down to its children as read-only data.
Combining the payload with existing built-ins allows you to process different things in each mesh shader work group.
This is done like this. On the left you have a task shader.
You can see it also works like a compute shader and invocations cooperate to pre-process stuff and generate the payload. The payload is a variable declared with the task payload shared ext qualifier. These payloads work like shared memory. That’s why they have “shared” in the qualifier.
In the mesh shader they are read-only. You can declare the same payload and read from it.
Advantages:
Avoiding input assembly bottlenecks if they exist.
Pre-compute data and discard geometry in advance, saving processing power and memory bandwidth.
Geometry and tessellation can be applied freely, in more flexible ways.
The use of a model similar to compute shaders allows us to take advantage of the GPU processing power more effectively.
Many games use a compute pre-pass to process some data and calculate things that will be needed at draw time. With mesh shaders it may be possible to streamline this and integrate this processing into the mesh or task shaders.
You can also abuse mesh shading pipelines as compute pipelines with two levels if needed.
Disadvantages:
Mesh shading is problematic for tiling GPUs as you can imagine, for the same reasons tessellation and geometry shaders suck on those platforms.
Giving users freedom in this part of the pipeline may allow them to shoot themselves in the foot and end-up with sub-optimal performance. If not used properly, mesh shaders may be slower than classic pipelines.
The structure of vertex and index buffers needs to be declared explicitly in shaders, increasing coupling between CPU and GPU code, which is not nice.
Most importantly, right now it’s hard or even impossible to write a single mesh shader that performs great on all implementations.
Some vendor preferences are exposed as properties by the extension.
NVIDIA loves smaller work groups and using loops in code to generate geometry with each invocation (several vertices and triangles per invocation).
Threads on AMD can only generate at most one vertex and one primitive, so they’d love you to use bigger work groups and use the local invocation index to access per-vertex and per-primitive arrays.
As you can imagine, this probably results in different mesh shaders for each vendor.
In the Q&A section, someone asked about differences between the Vulkan version of mesh shaders and the Metal version of them. Unfortunately, I’m not familiar with Metal so I said I didn’t know. Then, I was asked if it was possible to implement the classic pipeline on top of mesh shaders, and I replied it was theoretically possible. The programming model of mesh shaders is more flexible, so the classic pipeline can be implemented on top of it. However, I didn’t reply (because I have doubts) about how efficient that could be. Finally, the last question asked me to elaborate on stuff that could be done with task shaders, and I replied that apart from integrating compute pre-processing in the pipeline, they were also typically used to select LOD levels or discard meshlets and, hence, to avoid launching mesh work groups to deal with them.
Hi!
This month I’ve done a lot of cleanup and bugfixing in wlroots, especially in the DRM backend, the Vulkan renderer and screencopy protocol implementation. There are still a few DRM backend bugs which need to be ironed out, but we’re getting there!
Jonas Ådahl has released wayland-protocols 1.27, which features two new protocols I’ve been working on with the KDE folks. idle-notify-v1 is a standard replacement for the old KDE idle protocol we’ve been using so far. It allows clients to be notified when the user is idle for a while. This is used by swayidle to blank the screens or lock the session after a delay, for instance. Patches for wlroots, Sway and swayidle have been merged.
The other protocol is content-type-v1 and adds a way for clients to attach
a content type (such as “video” or “game”) to a surface. With this, compositors
can implement generic rules for all video players or all games. I plan to make
this available in Sway for_window rules.
Joshua Ashton has been working on improving the way a Wayland compositor will handle Xwayland surfaces. Up until now it was using a racy mechanism, and we could indeed hit the race in gamescope. We’re working on a proper solution to fix the race: xwayland-shell-v1.
To continue with the “fix old stuff which we believe was working fine but
definitely isn’t” trend, I re-implemented wl_shm in wlroots. wl_shm is the
interface used by Wayland clients to share CPU buffers (as opposed to GPU
buffers). Until now we were using the libwayland implementation but defects in
its API makes it a better way forward to just do everything ourselves.
Implementing wl_shm is fun: in particular we need to handle SIGBUS
shenanigans which the client can trigger by shrinking files mmap’ed by the
compositor. And signal handlers being what they are, this results in a lot of
complications.
In other graphics news, I’ve been doing more kernel work. I’ve tracked down
some DisplayPort Multi-Stream Transport (DP-MST) issues with Jonas and Lyude,
and sent out a fix which doesn’t break Mutter. I’ll need to send
follow-up patches to address a common issue: the docs and the code don’t match.
I’ve also sent another patch to make it less annoying to implement explicit
synchronization in Wayland compositors: a new IOCTL to
allow user-space to integrate a drm_syncobj wait with an event loop.
Together with Pekka and Sebastian, we’ve continued out work on libdisplay-info. A new website contains documentation (built via gyosu), more DisplayID bits and GTF mode generation have been merged, and Pekka is working on the high-level API.
Another unrelated small improvement worth mentioning: goguma now supports UnifiedPush! Google Play Services no longer are a required dependency to get support for push notifications.
The NPotM is go-jsonschema, a Go code generator for JSON Schema. JSON Schema can describe the structure of JSON documents, and go-jsonschema will generate matching Go structures. This is useful to avoid maintaining glue code for each and every JSON consumer. I plan to write a C code generator as well. Right now go-jsonschema can handle almost all of the drm_info schema, however many features are still missing and schemas need to be written in a specific way to make the most of go-jsonschema.
See you next time!
At Linux Plumbers Conference 2022, we held a BoF session around accelerators.
This is a summary made from memory and notes taken by John Hubbard.
We started with defining categories of accelerator devices.
1. single shot data processors, submit one off jobs to a device. (simpler image processors)
2. single-user, single task offload devices (ML training devices)
3. multi-app devices (GPU, ML/inference execution engines)
One of the main points made is that common device frameworks are normally about targeting a common userspace (e.g. mesa for GPUs). Since a common userspace doesn't exist for accelerators, this presents a problem of what sort of common things can be targetted. Discussion about tensorflow, pytorch as being the userspace, but also camera image processing and OpenCL. OpenXLA was also named as a userspace API that might be of interest to use as a target for implementations.
There was a discussion on what to call the subsystem and where to place it in the tree. It was agreed that the drivers would likely need to use DRM subsystem functionality but having things live in drivers/gpu/drm would not be great. Moving things around now for current drivers is too hard to deal with for backports etc. Adding a new directory for accel drivers would be a good plan, even if they used the drm framework. There was a lot naming discussion, I think we landed on drivers/skynet or drivers/accel (Greg and I like skynet more).
We had a discussion about RAS (Reliability, Availability, Serviceability) which is how hardware is monitored in data centers. GPU and acceleration drivers for datacentre operations define a their own RAS interfaces that get plugged into monitoring systems. This seems like an area that could be standardised across drivers. Netlink was suggested as a possible solution for this area.
Namespacing for devices was brought up. I think the advice was if you ever think you are going to namespace something in the future, you should probably consider creating a namespace for it up front, as designing one in later might prove difficult to secure properly.
We should use the drm framework with another major number to avoid some of the pain points and lifetime issues other frameworks see.
There was discussion about who could drive this forward, and Oded Gabbay from Intel's Habana Labs team was the obvious and best placed person to move it forward, Oded said he would endeavor to make it happen.
This is mostly a summary of the notes, I think we have a fair idea on a path forward we just need to start bringing the pieces together upstream now.
For those of you who weren’t present, Super Good Code took over XDC last week.
The recording of The Talk is finally sliced, diced, and tuned to perfection thanks to the work of Arkadiusz Hiler. Watch it for the first time all over again to catch all the technical details and workout tips you missed.
Additionally, the slides for the presentation are available for benchmarking.
…is something from last week even relevant today, you might be asking.
It’s a reasonable question. As everyone knows, zinkland is a place that changes so rapidly, so furiously, that memes from as recent as minutes ago are already outdated.
But in this rare case, for today only, yesterweek’s presentation is still noteworthy today: today is the day I’m merging async pipeline precompiles.
That’s right.
Drivers supporting all the required features will now be able to precompile shaders for AAA games during loading screens, which (probably) means zero stuttering during actual gameplay. The era of gaming on zink begins today.
Not all drivers support all the features out of the box. In fact, to the best of my knowledge, only the latest NVIDIA beta driver supports even the bare minimum of features, let alone the most optimal codepaths that will maximeme performance.
But have I tested it there?
I scoff at the implication.
Of course I haven’t. As we all know, zink code works without issues the instant it can be compiled, and the suggestion that any alternative outcome is possible is risible.
So don’t bother reporting bugs.
…that I misspoke in the course of my XDC presentation. I want to apologize first to the live audience, for hearing such grave information firsthand, then to my fans, for disappointing them, and lastly to the ANGLE team:
During a Q&A, I stated that ANGLE uses Vulkan secondary command buffers. This is false. ANGLE does not use secondary command buffers.
There will be no further corrections.
After 7 years in hibernation since LinuxCon Japan, I will once again be making a limited return to the conference trail next week.
To where, you ask?
XDC 2022.
Where I will be delivering a presentation that finally, at long last, unleashes the true potential of Zink as a driver.
Be there. Watch online. Tweet about it.
Big thanks to Timur for taking over merging all my misc RADV patches. I’m so far underwater I can see the bottom of the Mariana Trench, and without his help, these likely wouldn’t be landing until 2023.
It’s been a while, but today’s blog is a zink blog. What’s been happening?
Well, if you’ve been following prominent news sites, you might not think there’s too much happening on the performance front. And whew do I have news for you.
Big news.
With XDC next week, I’m throwing down the gauntlet.
Mesa 22.3 is going to be the BIG PERF RELEASE.
I said it.
Could not be more serious.
Don’t believe me? Bam, have another 20-30% performance on Turnip I “quietly” merged a month ago. And also some amount of improvement on Intel that I haven’t quantified yet. Who could’ve guessed that enabling compression on images would have benefits?
Seeing mega CPU usage? Not if I’ve got anything to say about that. Still more to come here too.
Your game/emulator randomly freezes for a few seconds on startup? I’ve heroically made the PBO download ubershaders compile without blocking. Also there’s new, optimized variants that perform even better.
What’s that? Zink is still unusable for gaming because of all the shader compilation stuttering? Blammo, your compute shaders are now precompiling in the background.
Oh, but you’re still seeing stuttering because of shader compiles? Not for long, because I’veOH SHIT KHRONOS IS HERE I’M SORRY I DIDN’T THINK IT’D BE A BIG DEAL IF I MENTIONED TH
RB3 development board with Adreno 630 GPU
It is a major milestone for a driver that is created without any hardware documentation.
The last major roadblocks were VK_KHR_dynamic_rendering and, to a much lesser extent, VK_EXT_inline_uniform_block. Huge props to Connor Abbott for implementing them both!
VK_KHR_dynamic_rendering was an especially nasty extension to implement on tiling GPUs because dynamic rendering allows splitting a render pass between several command buffers.
For desktop GPUs there are no issues with this. They could just record and execute commands in the same order they are submitted without any additional post-processing. Desktop GPUs don’t have render passes internally, they are just a sequence of commands for them.
On the other hand, tiling GPUs have the internal concept of a render pass: they do binning of the whole render pass geometry first, load part of the framebuffer into the tile memory, execute all render pass commands, store framebuffer contents into the main memory, then repeat load_framebufer -> execute_renderpass -> store_framebuffer for all tiles. In Turnip the required glue code is created at the end of a render pass, while the whole render pass contents (when the render pass is split across several command buffers) are known only at the submit time. Therefore we have to stitch the final render pass right there.
Implementing Vulkan 1.3 was necessary to support the latest DXVK (Direct3D 9-11 translation layer). VK_KHR_dynamic_rendering itself was also necessary for the latest VKD3D (Direct3D 12 translation layer).
For now my plan is:
At LPC 2022 we had a BoF session for GPUs with two topics.
Currently most mainline distros still use the kernel console, provided by the VT subsystem. We'd like to move to CONFIG_VT=n as the console and vt subsystem have historically been a source of bugs but are also nasty places for locking etc. It also can be the cause of oops going missing when it takes out the panic path with locking bugs stopping other paths from completely processing the oops (like pstore or serial).
The session started discussing what things would like. Lennart gave a great summary of the work David did a few years ago and the train of thought involved.
Once you think through all the paths and things you want supported, you realise the best user console is going to be one that supports emojis and non-Latin scripts. This probably means you want a lightweight wayland compositor running a fullscreen VTE based terminal. Working back from the consequences of this means you probably aren't going to want this in systemd, and it should be a separate development.
The other area discussed was around the requirements for a panic/emergency kernel console, likely called drmlog, this would just be something to output to the display whenever the kernel panics or during boot before the user console is loaded.
This has been an ongoing topic, where vendors often suggest cgroup patches, and on review told they are too vendor specific and to simplify and try again, never to try again. We went over the problem space of both memory allocation accounting/enforcement and processing restrictions. We all agreed the local memory accounting was probably the easiest place to start doing something. We also agreed that accounting should be implemented and solid before we start digging into enforcement. We had a discussion about where CPU memory should be accounted, especially around integrated vs discrete graphics, since users might care about the application memory usage apart from the GPU objects usage which would be CPU on integrated and GPU on discrete. I believe a follow-up hallway discussion also covered a bunch of this with upstream cgroups maintainer.
We all know where this post is going to end up.
We’ve been there before.
We’ll be there again.
But we’re not there yet. And before we get there, I need everyone to be absolutely serious for a little while. No memes, no jokes, no puns, just straight talk from me to you.
Let’s talk about Intel.
I know what you’re thinking.
If you work for Intel, you’re thinking Oh no.
If you don’t, you’re thinking Oh no. Or possibly getting ready to post some comments about ANV not supporting features, or having bugs, or any of the common refrains that I’ve seen so often around the internet.
The fact remains, however, that ANV is the reference zink hardware driver. It has been ever since I started working on zink. The reason for this is simple: it’s what I have on the machine I develop with, and when I started working on zink, it was the driver that was furthest along.
It’s therefore no exaggeration to say that without everything ANV and the Intel Mesa team brings to the table, zink wouldn’t be nearly as far along as it is.
And neither would RADV.
For those of you unaware, at the top of many RADV code files is this comment:
* based in part on anv driver which is:
* Copyright © 2015 Intel Corporation
That’s right. RADV originally started out reusing a lot of code written by Intel. It’s no exaggeration to say that RADV wouldn’t be nearly as far along without Intel’s Mesa team.
Let’s go deeper though. Using LWN’s Git Data Miner (gitdm) on mesa/src/compiler (which includes GLSL, SPIR-V, and NIR), let’s see who the top contributors are to the heart of Mesa:
| Name | Commit Count | Percentage of Total | Affiliation |
|---|---|---|---|
| Jason Ekstrand | 1429 | 19.7% | Intel/Collabora |
| Timothy Arceri | 714 | 9.9% | Collabora/Valve |
| Ian Romanick | 577 | 8.0% | Intel |
| Rhys Perry | 298 | 4.1% | Valve |
| Caio Oliveira | 270 | 3.7% | Intel |
| Emma Anholt | 268 | 3.7% | |
| Marek Olšák | 260 | 3.6% | AMD |
| Kenneth Graunke | 224 | 3.1% | Intel |
| Samuel Pitoiset | 176 | 2.4% | Valve |
| Connor Abbott | 168 | 2.3% | Intel/Valve |
Again we see that Intel’s Mesa team has been hard at work over the years to enable the things that we all now take for granted.
So now you know why every time I see someone saying that ANV is bad, or Intel engineers aren’t doing everything they can, or the constant memeposting about any number of related issues, it hurts. I’ve been relying on the fruits of the Intel Mesa team’s labor for years now, and so have you.
If anything, we should be cheering them on to continue doing the great work they’ve been doing all along.
Thanks, Intel Mesa team.
I appreciate you.
And so should everyone else.
It’s time for another round of
where
is
MY SPAGHETTI?
…and meatballs, because obviously, as an American, I’m obligated to add condiments to everything. Mainly melted cheese.
In today’s edition of WIMS, I’ll be delving into the depths of Intel’s Mesa Vulkan driver to see what kinds of spaghetti they’re growing and how much of it I can eat before they catch me.
The first step, as always, is to pull out my trusty perf and…
Once again, I know what you’re thinking.
You’re thinking that I can’t just use perf and profile my way out real performance issues.
But what if I showed you this from my Intel Icelake machine:
$ ./vkoverhead -test 0 -duration 3 -output-only
44854
Does 44.8 million draws/second seem like a good number? Something reasonable for the ancestor of all Mesa Vulkan drivers? Let’s check out a flamegraph, just for the sake of this is my blog and I’m gonna do it whether you want me to or not.
And now I’m going to tell you
that I can too use perf for everything, and profiling is both a legitimate and useful way to improve any and all kinds of performance.
But looking at that graph, there’s something obvious that stands out here. Why is gfx11_emit_apply_pipe_flushes() showing up twice?
The answer may surprise you.
Let’s go back in time. I want everyone to pretend that it’s early 2021 again. Photos are still being taken in black and white by hipsters, nobody has toilet paper, and everything is generally worse. Vulkan is also worse because I haven’t shipped any of my extensions. Extensions like VK_EXT_multi_draw, which I implemented for a number of Mesa drivers. Drivers like RADV. And Lavapipe.
And ANV.
You might see where I’m going with this.
Yes, it was all the way back in June of 2021 that I implemented this extension for ANV. And at the time, everything was worse, including the world’s lack of our lord and savior, our premier optimizing tool, that project I’m going to keep plugging in my blog until the end of time, vkoverhead. Back then, the only way anyone could know how their driver performed at the CPU level was to use drawoverhead through zink.
And zink wasn’t as fast then as it is now; whoever was working on it back then was a total fucking idiot who couldn’t optimize his way out of a for loop.
So it’s not going to surprise anyone, and it’s not like anyone would even be mad if they found out that in the course of those trivial, barely even noticeable changes to the driver, I also maybe sorta kinda increased ANV’s draw command recording overhead. But it’s not like it was by any big amount or anything like that. I mean, it’s not like I was a total fucking idiot back… back then… Well, it’s not like I wouldn’t have realized it even if I did accidentally nerf the driver that I relied upon for my daily use by an amount that was in any way significant, right?
It’s not like it was a full 30% or anything like that.
I, uh… I have to go for now, but it’s not like Intel’s entire Mesa team just rolled up on my house or anything like that because taht would be kinda crazy haha okay but brb
So I’m back and I’m totally fine, don‘t ask if I need a gofundme for my medical bills or anything because there definitely aren’t any and I’m just great withp both hands still firmly attached and at least eight fingers in total between the two, which is, if you think about it, really just way more than anyone actually needs to write software.
And you know, I was totally gonna stop now with these new results
$ ./vkoverhead -test 0 -duration 3 -output-only
59973
but haha you know I’m being told that I’d better keep going or else hah so we’re just gonna uh gonna keep getting in there and seeing what we can find, if that’s all right with everyone? Yeah? Cool? Great, so, uh, yeah, let’s just check out another flamegraph real quick
And that’s looking just great. Yeah, it’s really great, isn’t it? It’s not? Okay, well, we’ve got some options. Uh, yeah, lots of options. Not like I need help figuring out what they are or anything, since this is what I’m good at. But there’s this big old gfx11_cmd_buffer_flush_state call sticking out like a sore thumb—and I’ve obviously still got two of those like everyone else—so let’s see what we can do about that.
Yup, well, it’s looking like inlining those functions is…
What?
You’re telling me I can’t just inline everything?
But it’s improving performance!
$ ./vkoverhead -test 0 -duration 3 -output-only
71192
And that’s great, isn’t it? An extra 60%+ draw throughput on ANV from a couple small patches? Yeah? Oh, okay, so we’re done? Yeah, no, that’s great, that’s really great. What a relief. I’m so glad we could come to an understanding. No, no, it was no trouble. No, I don’t think we’ll need to do this again, either. Learned a lot today. Just learning all around.
Well, we made it through that—not like there was anything special or unusual happening today, just an ordinary turn of phrase—and everything’s fine.
But what does this mean for real-world performance results, you’re asking?
I’m just micro-optimizing for the benchmarks that I write, not saying this will double your Cyberpunk 2077 FPS.
I’m not saying it.
Hi all!
This month I’ve been working on stuff I’d usually not work on willingly. And by that I mean Rust and screen tearing of course.
I’ve been randomly typing keys on my keyboard and before I knew it, a
wlroots-rs repository was created. Everybody is saying how difficult (or even
impossible) it is to write Rust bindings for wlroots so I wanted to see for
myself and give it a try. One thing is clear: these people weren’t wrong. The
first step was to wire up bindgen to automatically generate Rust declarations
from the wlroots headers, and that was easy enough. Then I needed to figure out
how to use libwayland’s intrusive linked lists (wl_list, wl_signal and
wl_listener) from Rust. I took a while to build a basic example where a
fixed wl_signal is listened to. Then it took more time to figure out a
(hacky) way to abstract that into a re-usable helper. And now I’m stuck at
trying to figure out a reasonable Rust API.
The main issue is that Rust lifetime concepts don’t map well to wlroots/Wayland.
I’ve taken some inspiration from Smithay and introduced a BackendHandler
trait which can be implemented by a compositor, and which has its methods
called when a wlroots signal is emitted. This works nicely for simple cases,
but sometimes signals are used to introduce new objects to the compositor
(e.g. wlr_backend.events.new_output). Sometimes signals reference an existing
object. If the compositor owns all wlroots objects, then wlroots can’t fire a
signal referencing these objects. Also, the compositor would like to listen to
signals on objects created by wlroots, e.g. wlr_output.events.destroy. My
next try will maybe introduce some kind of wlroots object handle (and there can
be multiple handles referencing the same wlroots object), but not sure how it’ll
turn out. If you have any good ideas, please share! My latest work is sitting
in the handler-v2 branch.
In other graphics news, I’ve been working on adding screen tearing support to the kernel and Wayland. In the past I’ve been pretty averse to screen tearing, because I personally find it very undesirable. But I’ve come to understand that it can be viewed as a user preference, and some people want to turn it on when playing a game. After seeing some people ask about it in #wayland, and seeing that Valve wants it too, I’ve decided to bite the bullet and implement the missing pieces. To be clear, tearing will be opt-in, only used when explicitly enabled by the user.
There are two missing pieces. The first one is in the kernel uAPI: user-space
has no way to perform tearing page-flips with the atomic uAPI. I’ve sent
patches to address this. The second missing piece is
in the Wayland protocol: Vulkan apps have a way to request tearing via
VK_PRESENT_MODE_IMMEDIATE_KHR, but Mesa doesn’t have a way to communicate
this preference to the Wayland compositor. Xaver Hugl has been working on a
protocol extension for this, and I’ve been working on
a Mesa implementation.
Work on libdisplay-info is continuing slowly. The EDID format is really trying very hard to be as annoying to parse as possible, but it makes for a good project to work on when I don’t want to think too much. I’ve started adding DisplayID support, which is the more modern standard for display device metadata. I’ve experimented a bit with Emscripten and wrote a web version of the tool.
As a freedesktop.org sysadmin, I’ve migrated our secondary nameservers. We were using SPI’s nameservers but these are getting decommissioned, so I’ve switched to Gandi’s. I’ve also investigated issues with our SMTP server: spammers were issuing a lot of subscription requests, so our outgoing queue was full and mail providers were starting to reject our emails. I had to ban the spammers and purge the bad emails from our queue.
I’ve made some good progress on IRC software. If you haven’t read it already,
I’ve written a blog post about ongoing work on OAuth integration with IRC.
Goguma finally gained support for the /me command and better handles sending
long messages. I’ve released a new bugfix version of soju, with various
stability improvements around stuck WHO responses and Web Push. I’ve also
fixed a bug in OFTC’s server which was causing some issues with
soju and Goguma.
That’s it for now, see you next month!
As I’ve mentioned in a couple posts, I’m somewhat of a spaghetti expert. In my opinion, the longer and more plentiful the spaghetti is, the better.
So let’s take a look at one of my favorite spaghetti recipes.
Today’s spaghetti comes from my new favorite brand of spaghetti feed, vkoverhead. It’s a simple brand, but it really gets the job done when it comes to growing great spaghetti. This particular spaghetti feed is vkoverhead -test 0, which is the most simple type. It grows the kind of spaghetti that everyone notices because it’s a staple of all graphics diets.
If I check out the state of this spaghetti feed with RADV now, I see the following:
$ ./vkoverhead -test 0 -output-only -duration 3
28345
Thus, I can see that I’m getting 28.3 million draws/second. Not too bad. Let’s check AMDPRO to get a little competition going.
$ VK_ICD_FILENAMES=/home/zmike/amd_pro.json ./vkoverhead -test 0 -output-only -duration 3
32889
what
What.
THEY DARE?
…that AMDPRO is 15% faster than RADV. Yup, it’s totally fine. No anger problems here, no sir, not with me, not even a little furious.
Cool as a cucumber.
But if—and this is obviously just a hypothetical—If I were enraged and just recovering from a lengthy tantrum after seeing these results, I’d be looking at growing some artisanal spaghetti. To do that, I’d be running perf on the vkoverhead case and then checking out a flamegraph, which might even happen to look something like this
and you know it’s weird that the graph would look like that since in a graph like that the actual emission of draw packets is only 18% of the CPU time, which means it’s just throwing away CPU cycles, and no wonder the performance is worse, and I hate Wednesdays.
But again, don’t ask if I’m okay, I’m completely fine, this isn’t bothering me.
But if—and this is obviously just another hypothetical—If I’d just come back from a counseling session that was supposed to help me cope with these inferior performance results and wasn’t feeling any better at all, then I’d definitely be craving some spaghetti. And so I’d be looking at radv_emit_all_graphics_states() and radv_upload_graphics_shader_descriptors() to see what the actual farfalle was going on with these fat pieces of stortini.
And in the first of those functions, I’d see there were all kinds of null checks and branch chain disasters that were annihilating performance, so I’d probably rip and tear those right out, and then, just while I happened to be in the area, I’d simplify some cache-killing indirect access, and, well, it’s not like I’d leave without clearing up those branches, right? Hah, of course not, though this is all just hypothetical anyway.
Stop asking. I’m fine.
If I wasn’t fine, I’d probably be running vkoverhead again at this point and seeing the following results
$ ./vkoverhead -test 0 -output-only -duration 3
36006
and then I’d be fine anyway since now RADV is up by 10%. Which is okay. It’s not bad. Nothing to brag about, you know, just being up by such a tiny little amount over the competition, but it’ll do.
Is what a responsible person would say.
But here at SGC, responsibility flies out the window when performance is involved, and I don’t have enough spaghetti yet, so buckle in because this pasta machine is just getting started.
It’s perf time again, and I’ve got another totally hypothetical flamegraph
which is less consumed by the stupidity of those fat pieces of stortini I insalted above, but I’m not in the mood for stortini at all today. They gotta go. radv_upload_graphics_shader_descriptors() I got my eye on you and your little radv_flush_constants() too. Why is radv_flush_constants() even showing up here? What’s the deal with that? There’s no constants to flush. I’m taking ‘em out.
Get the rolling pin, flatten out the dough, and what happens?
$ ./vkoverhead -test 0 -output-only -duration 3
38629
…with perf, and I’m getting out another flamegraph, and it’s better
because of course it is. That draw packet emission is getting more time, the fat stortini is slimming down, and everything is great.
But does anyone out there actually think I’m about to stop now? When I’m only up by a tenuous 36% from where I started, and my lead over AMDPRO is a barely-noticeable 17%?
Take off your jacket, because I’m turning the heat of the burners up to high.
Look at this eyesore
I’m about to end this function’s whole career. By inlining it.
$ ./vkoverhead -test 0 -output-only -duration 3
41878
When serving any sort of dish, it’s important to add a garnish. And you know what isn’t a fucking garnish?
This thing in my debugoptimized build.
So now it’s gone and what is the performance at now?
$ ./vkoverhead -test 0 -output-only -duration 3
44073
Incredible. The flavor (of winning), the atmosphere (of being a winner), the experience (of being #1), are all unparalleled.
This makes for a 55% increase in RADV’s draw throughput as well as a much more reasonable 30% lead over AMDPRO.
All from growing just the right amount of spaghetti.
In the past few days I’ve been working on better integrating IRC with OAuth 2.0. In a nutshell, my goal is to make IRC clients obtain a token by interacting with an OAuth 2.0 server, and then use that token to authenticate with the IRC server. This effort has resulted in various patches for meta.sr.ht’s OAuth 2.0 server, for the soju IRC bouncer and for the gamja & goguma IRC clients.
My motivation is to improve chat.sr.ht’s authentication. chat.sr.ht is a hosted soju IRC bouncer for SourceHut users. The soju instance delegates authentication to meta.sr.ht so that users can login with their SourceHut credentials.
The status quo is not ideal:
srht branch) with special patches to
integrate with SourceHut. It’s not the end of the world, but rebasing is
never fun and error-prone, and it would be much nicer to be able to use
vanilla soju.I’d like the solution to these problems to only use standardized APIs. That way any client or server with similar needs can implement the same standards and inter-operate with each other. For instance, one could add support for the standards in a GTK IRC client and have it work with chat.sr.ht. One could setup soju to use a GitLab instance as an OAuth server for authentication.
Before anybody complains about OAuth ruining IRC: this effort is just adding new optional things clients can add support for if they want to. I expect OAuth to be out-of-scope for many IRC clients and that’s perfectly fine. The current approach of passing a personal access token as the password will keep working.
Here is a video of the end result: user loads gamja, is asked confirmation by SourceHut, then is redirected back straight to a ready-to-use gamja. The experience on Goguma is similar.
┌────────────────┐ ┌────────────────┐ ┌────────────────┐
│ │ │ │ │ │
│ IRC client │ │ IRC server │ │ OAuth server │
│ │ │ │ │ │
│ (gamja/goguma) │ │ (soju) │ │ (meta.sr.ht) │
│ │ │ │ │ │
└───────┬────────┘ └───────┬────────┘ └────────┬───────┘
│ │ │
│ │
│ 1. Fetch OAuth server matadata │
├────────────────────────────────────────────────────────► │
│ ◄────────────────────────────────────────────────────────┤
│ │
│ │
│ 2. Redirect user to login page │
├────────────────────────────────────────────────────────► │
│ ◄────────────────────────────────────────────────────────┤
│ 3. Get back a code │
│ │
│ │
│ │
│ 4. Exchange code for a token │
├────────────────────────────────────────────────────────► │
│ ◄────────────────────────────────────────────────────────┤
│ │
│ │
│ 5. Authenticate │ │
│ with token │ │
├──────────────────────────► │ │
│ │ 6. Check token │
│ ├───────────────────────────► │
│ │ ◄───────────────────────────┤
│ │ 7. Get back username │
│ │ │
│ ◄──────────────────────────┤ │
│ │ │
│ │ │
Here’s a high-level overview of the interactions between the IRC client, the IRC server and the OAuth server. The IRC client and servers interact via the IRC protocol as usual, and they both interact with the OAuth server via HTTP.
Step 1 is optional: the alternative is to just hardcode all of the metadata inside the client. OAuth servers require client developers to register a client ID and client secret anyways, so it’s necessary to hardcode some metadata anyways (for now — more on that later).
All of the above uses standards described in RFCs. This means there are already OAuth servers in the wild which support everything needed!
Step 1 uses OAuth 2.0 Authorization Server Metadata (RFC 8414). An HTTP GET request returns all of the data the client needs:
> curl https://chat.sr.ht/.well-known/oauth-authorization-server
{
"issuer": "https://meta.sr.ht",
"authorization_endpoint": "https://meta.sr.ht/oauth2/authorize",
"token_endpoint": "https://meta.sr.ht/oauth2/access-token",
"response_types_supported": ["code"],
"grant_types_supported": ["authorization_code"],
"introspection_endpoint": "https://meta.sr.ht/oauth2/introspect",
"introspection_endpoint_auth_methods_supported": ["none"]
}
Readers familiar with OAuth will recognize that steps 2-4 are the usual OAuth
dance defined in RFC 6749. Nothing fancy here. The client redirects the
user to https://meta.sr.ht/oauth2/authorize?client_id=XXX. The OAuth server
redirects back the user to the client with a ?code=YYY query parameter. The
client then exchanges the code for a token via an HTTP request:
> curl \
--data-urlencode grant_type=authorization_code \
--data-urlencode code=YYY \
--data-urlencode client_id=XXX \
https://chat.sr.ht/oauth2/access-token
{
"access_token": "asdf"
}
Something worth noting is that for Goguma, the redirect URI is a bit special.
Since Goguma is a mobile app, the redirection at step 3 needs to navigate from
the user’s web browser to Goguma. Following the recommendations in RFC 8252,
Goguma leverages a private-use URI scheme: it sets the redirect URI to
fr.emersion.goguma:/oauth2 (yes, it is a valid URI!). The web browser will
open Goguma when loading that URI.
Step 5 uses the IRCv3 SASL extension in combination with the SASL OAUTHBEARER mechanism (RFC 7628). SASL PLAIN could’ve been used instead, but:
Step 6 uses OAuth 2.0 Token Introspection (RFC 7662). soju sends the token to the OAuth server, and the server replies back with some useful information:
> curl --data-urlencode token=asdf https://meta.sr.ht/oauth2/introspect
{
"active": true,
"username": "emersion"
}
And that’s enough for soju to associate the connection with the soju account “emersion” and send back a success response to the client!
I have patches floating around for all of the projects previously mentioned:
Once all of the above is properly plumbed, this should already be a nice step forward! But there is also room for future improvements.
My patches currently don’t handle well token expiration. Clients should at least ask the user to re-authenticate again when a token expires. It would be nice to handle the refresh token and automatically obtain a new access token (would need to add refresh token support to meta.sr.ht).
Second, it’s a bit annoying for client developers to register their app on various OAuth servers. To remove that step, clients would need to dynamically obtain a client ID and secret from the OAuth server. The OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591) can be used for this purpose. I am not sure how widely that RFC is implemented though.
Last, it would be best to avoid leaving behind some unused access tokens after the user logs out. OAuth 2.0 Token Revocation (RFC 7009) could be used by clients to clear these tokens.
So here we have it, the end of my Google Summer of Code journey. A few more than a hundred days have passed, and I can already tell that the seeds have been sown for me to keep collaborating with open source software from here on out.
My project’s primary goal was to create unit tests using KUnit for the AMDGPU driver focusing on code used by GPUs from the same generation of the GPU “RX 580” (DCE 11.2). We predicted that KUnit would have some limitations in regards to testing GPU’s drivers, so we expected to see some collaboration in that sense. Finally, we knew that I would be working in parallel with people writing tests for newer generations of GPUs (DCN). I planned to keep track of my weekly progress in my blog, trying to create an introductory material that could help future newcomers.
For starters, this project was completely different from what I had in mind, given that it was far from an individual experience with the Linux Kernel community; it was actually a team effort to introduce unit testing to the AMD display driver in a way that would encourage the community to spread KUnit into other GPU drivers.
Other surprise was how the unit tests didn’t really interact with the GPU, so all our worries about needing to mock devices, and intentions of writing about it, were put aside.
In retrospect, there’s still a lot to learn about the AMD codebase and graphics stack in general, but there are also many things that I’ve learned and didn’t manage to share yet, about IGT, KUnit, and the email-patch workflow, which I’ll be writing in my personal blog in addition to the pair of posts there:
I’ve also dedicated some time reviewing the posts from my colleagues as well, like:
Our patch series is still under review:
We have refactored this series many times before sending it, worrying about how the code should be organized and how the tests should be compiled. My biggest lesson was learning to let go. Do your best to send great patches and reviews to the community, but don’t let the fear of being slightly wrong hold you back from pressing the submit button.
Done is better than perfect!
I didn’t manage to write as many tests as I planned to the DCE11.2 functions, but for what it’s worth, I’m making sure that the KUnit documentation is up to date, so that anyone can write their own tests.
| Patch | Status |
|---|---|
| drm/amd/display: Introduce KUnit tests for fixed31_32 library | Under review |
In my way to introducing unit tests to the AMD display driver I’ve managed to leave some impressions behind, writing small patches and reviewing code, listed in detail on the following sections.
Kworflow is a set of bash scripts that helped me to compile and deploy the kernel in my testing system, specially valuable to bisect code. In the beginning of my journey, shortly before the community bounding period, I sent a couple of patches to KWorkflow and reviewed a Pull Request.
| Patch | Status |
|---|---|
| #592 Add support for GPUs identified as “Display controller” in kw device | Accepted |
| #607 Enhance docs for kw-pomodoro and kw-report | Accepted |
IGT GPU Tools is a collection of tools for development and testing of the DRM drivers. One of my first tasks was to run the AMDGPU test suite using the GPU “RX580”. After checking with the community that my testing setup was correct, I reported a bug to the AMD issue tracker, with proper bisection, and followed it through the patching process:
| Patch | Status |
|---|---|
| lib/igt_kmod: fix trivial typos | Under review |
| CONTRIBUTING: Add reference for GTKDoc | Under review |
| lib/kselftests: Skip kselftest when opening kmsg fails | Under review |
| lib/igt_kmod: add igt_kselftests documentation | Under review |
KUnit is the Kernel Unit Testing Framework. It not only brings a way to facilitate writing tests to the kernel, but also running them using User Mode Linux or QEMU. For most of time in the project we were discussing how to organize tests in the AMD folders, and there were a lot of lessons from that, which I intend to share. I have a lot of documentation patches in their way, some may be worth squashing, but nonetheless, I have the intention to help making the KUnit documentation as clear as possible!
The Direct Rendering Manager (DRM) is a subsystem of the Linux kernel responsible for interfacing with GPUs. There’s still a lot to learn and contribute to this subsystem, and I hope to discuss about introducing unit tests to other folders during the Linux Plumbers Conference (more about that in a following section). I only have two patches to VKMS to show, sent shortly before the community bounding period.
| Patch | Status |
|---|---|
| drm/vkms: check plane_composer->map[0] before using it | Accepted |
| drm/vkms: return early if compose_plane fails | Discarded |
Inside the DRM subsystem resides the AMD folder, where you can find drivers for many generations of AMD GPUs. Besides our main patch series, I’ve sent some minor patches and reviewed others.
| Patch | Status |
|---|---|
| drm/amd/display: make hubp1_wait_pipe_read_start() static | Accepted |
| Update AMDGPU glossary and MAINTAINERS | Accepted |
| drm/amd/display: fix overflow on MIN_I64 definition | Accepted |
| drm/amd/display: fix minor codestyle problems | Accepted |
| drm/amd/display: remove unneeded defines from bios parser | Accepted |
First, I would like to thank the X.org Foundation for accepting my GSoC proposal, for what I’ll be eternally grateful.
Next, thanks to AMD for donating the RX580 GPU which powered my testing system, and alongside Igalia allowed my mentors to take part in the GSoC program.
Moreover I would like to thank The Linux Foundation, which will enable my trip to Dublin, to attend the Linux Plumbers Conference.
There were plenty of great interactions with the DRM community, AMD, and KUnit engineers, for which I’m very thankful, specially David Gow which promptly reviewed most of my team’s patches.
And finally, thanks for my mentors and the other mentees with whom I’ve worked closely this summer, any of this would be possible without their support.
Mentors:
Mentees:
Of course this is not farewell! It’s more like reaching the end of a game’s tutorial.
My first step, thanks to The Linux Foundation and my mentors, will be attending in-person the Kernel Testing & Dependability Micro Conference at the Linux Plumber Conference, where I hope to show what we’ve achieved and to discuss about the best way to organize the tests, which is what I’ve invested most of my time, so please keep an eye out for my report about it in my personal blog in the following weeks.
In regards to coding, beyond following through with my patches under review, I intend to write the tests for the DCE functions I proposed initially and maybe extend to other generations, now that we realized that the physical device is not needed in order to write unit tests. I might even look for other modules which would benefit from unit tests, like VKMS.
Finally, I’ll also try to get involved with the KernelCI project, where I could even employ my web development experience. In order to do that I’ll be attending virtually the monthly Automated Testing Call.
Thanks for reading.
Like all things, Google Summer of Code, too, comes to an end.
Now let’s go over what had to be done, what is done, and what’s left.
Well, this is rather easy for me to talk about, I’ll be on X.org’s Developers Conference soon, and full of motivations behind the work I’ve done.
Not just me, though! Me, Maíra and Magali (who might be familiar names to you already) will be there as well, and unfortunately Tales didn’t manage to get a visa due to bureaucracy layers no one dares to understand.
Looking retrospectively, the project’s motivation boils down to Siqueira wanting to resolve an internal tension between AMD engineers and the weird code they have to manage, unit tests being like a safety valve. As I’ve talked about previously, GPU code can be quite intense, the DML module being a particularly fun example.
No tests, just procedurally generated stuff, and there is so much to be done,
really. Initially we proposed lots of tests, some docs, some refactoring, in my
case specifically I wanted to make the
drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c
(breathes heavily) look pretty.
So…
Though we all had AMD code enhancement as a primary motivator, I actually did some unit tests, and at the end I was caught up in trying to understand what we were testing.
Wasn’t my smartest move (what external contributor actually knows what an RQ DLG is? Difficult answers to find, really) but I learnt so much, apart from the fact it was really satisfying to document something so convoluted and full of internal “slang” (I mean product (code)names or acronyms). But I soon found out I’d be a terrible detective, as most of the things we had to test were simply unattainable for someone who didn’t have internal docs or lots of experience with real GPUs: most things in the DML submodule refer back to themselves, to GPU internals, or even to AMD “internals”.
In the end there were some interesting results from the tests I was actually able to conclude, as follows:
drm/amd/display: Introduce Kunit tests to display_rq_dlg_calc_20
This was a single patch I’ve done on the unit tests. Of course there are lots more functions to be tested, but that comes in the next section :)
We collectively discussed some alternatives to deal with the fact the functions being tested were all static, as will be discussed by Tales in his presentation at the Linux Plumbers Conference.
LPC: How to introduce KUnit to physical device drivers?
There was also some documentation produced regarding the functions and structs involved in these tests, but they were not sent yet as they’re smaller changes and could be grouped in a patchset addressing this specifically.
KW (for the intimate) is a much needed and very interesting project, whom I tried my best to contribute to: I spent about a month and a half at the beginning of GSoC pushing it, to the point where I simply had no will to make my commit messages pretty or to respond maintainers.
Lucky me the owner of the project is also my GSoC mentor, and he completely understood where I was at and that I’d not be able to accomplish the (optional) goals I had set for KW in my proposal.
I really think this situation helped me understand better what is it that we’re doing when we contribute to free software, and that was the lesson I took.
Anyhow, there were many contributions during this period, even though I didn’t finish many of them:
Some things took a lot of our attention apart from the basic motivations of the project. As I was previously already working on IGT GPU Tools, I figured it’d be interesting to finish related work in that project. What good is making tests people aren’t going to use (or maintain?).
IGT is widely used by the kernel graphics people. It mainly tests GPU stuff using userspace APIs, but also does some other interesting things, and we figured it’d be very cool to be able to run unit tests there: easy to integrate with the pre-existing CI, not too much headache to maintain as the KTAP specs get more stable, as well as not requiring so much effort from engineers that are already so used to it.
patchset: Add support for KUnit tests
Whilst it was not so difficult from the purely technical point of view, this might be what helped me the most towards acquiring some intimacy with the C language. I felt it deep when I came back to the same code after a month or two and saw so much to improve on it, then stepped out again as I waited for v1 to be reviewed (which didn’t happen) and came back a while ago to write the v2 linked above.
There were several challenges involved, specially for me: I started coding C because of the kernel, all I knew were C-like languages, and they were all masking some deep truth about computers to me: pretty error handling, easy to use strings, etc.
I admit I wasn’t as ready for C as I thought, now that I understand it better, I can see that clearly. In the end this “quasi-traumatic” experience (and I mean the IGT patchset specifically) taught me a lot, and I’m very thankful for that opportunity (thanks, André!).
Apart from the language itself, we also had to decide what would be supported in a KTAP parser, and that wasn’t easy.
Well, for me personally this was the best part of this project, I really enjoy writing these things, I also enjoy receiving feedback – specially if it’s unasked :).
If you know my blog you know I like to go the difficult route: to talk about the objective engineering experience might teach you a lot, but where’s the fun in that? Even now I’m trying to bring some subjective matters to this.
Anyhow, I published two blog posts which you can check out here:
And I actually made lots of contributions to the Flusp site as well, whose repository was used to review these posts, which I hope will be hosted there as long as they’re hosted on my own website.
As I pointed out previously, GPU code can be very interesting! So much so, that I purposefully didn’t attempt to rush what was left of my proposal at the end of GSoC. It might have been really satisfactory to end GSoC with everything accomplished, but if I learnt anything from undergrad it is that you should NOT rush what’s important to you.
From what I’ve talked with my peers, there are two ways of seeing this project:
GSoC is like a deal I made with Google and X.org to accomplish something until a due date and get money for it.
This PoV is okay, but does it teach you anything new? I might as well have done some freelancing in that time period, would have got the money, and then I’d be very comfortable.
But I believe there’s so much more to this experience, and that’s something Siqueira told us time and again, which brings me to a second, more wholesome way of seeing things:
GSoC is a sort of first commitment to a community.
I know this doesn’t sound so clear as the first way of looking at things, but follow me on this:
For the community, timing might be important, but it’s definitely not as important as doing solid, good work, and keep pushing it even if it’s not as quickly as you’d like.
I got really burnt out from the first two years at Uni, started working, went to live by myself, all that young adult jazz. Trying to always keep up with everything was a real challenge, and though I didn’t always give my best, well I really tried.
At first, I was really sad, almost spiraling out of everything software-related, but now I see things more clearly, and I’m trying to find a rhythm that I can work with, in which I can deliver what I want, and, most importantly, what I committed to.
Going back to Siqueira, what he told us is that (translating loosely):
You got to make a dent in the community so that someone notices you.
And now I see it more clearly.
I’ve heard so many stories of people who engage on things like GSoC or Outreachy just to put it on their CV, then quit, but this is so much more important to me.
I’ve already started making a career in free software, but the project I work on at the moment doesn’t allow me to interact so directly with some upstream or a community. I definitely want to improve in doing I enjoy and believe in, and if it takes some learning that’s only part of the journey to becoming a reliable member of some free software community.
So, in concrete terms, what is there to finish?
First and foremost, the ongoing patchset for IGT needs lots of attention, as pointed by Michał Winiarski in this thread for example:
Kernel lore archives: [PATCH v5 9/9] drm: selftest: convert drm_mm selftest to KUnit
Secondly, of course, finish the original proposal of testing the
dcn20/display_rq_dlg_calc_20.c file.
Might not sound like a lot, but those are really important things, and I’m sure they’ll keep me busy for some time.
I was also pinged by some people to review their patches, and I want to get back to them soon.
I’ve really been thinking a lot about giving back to the people that helped me get here, they were all awesome and I hope I can sow these same seeds and help fellow students become contributors as well. Just last week me and Maíra decided to try to get some people for a project on (fixing) coverage reports for the tests we wrote, but I might as well find another project for myself – probably related to XR, if you’re wondering, but I should write about that in the future :)
That’s it, dear reader, thank you a lot for reading this through, see you on the next one!
Ever stop in the middle of writing some code when it hits you? That nagging feeling. It’s in the back of your mind, relentlessly gnawing away. Making you question your decisions. Making you wonder what you’re doing with your life. You’re plugging away happily, when suddenly you remember I haven’t optimized any code in hours.
It’s no way to work.
It’s no way to live.
Let’s get back to our roots, blog.
For this edition of the blog, we’re hopping off the usual tracks and onto a different set entirely: Vulkan driver optimization. I can already hear what you’re thinking.
Vulkan drivers are already fast. Go back to doing something useful, like making GL work.
First: no they’re not.
Second: I’m doing the opposite of that.
Third: shut up, it’s my blog.
How does one optimize Vulkan drivers? As we all know, any great optimization needs a test case. In the case of Vulkan, everyone who’s anyone (me) uses Zink as their test case. The reasons for this are many and varied because I say they are, but the important one to keep in mind is, as always, drawoverhead.
For those who can’t remember the times I have previously blogged about the world’s premiere benchmarking tool, don’t worry. As with any great form of entertainment, I’ve prepared a recap.
Suppose you are a large gaming-oriented company that sells hardware. Your hardware runs on a battery. The battery has a finite charge. Every bit of power drained from the battery powers the device so that users can play games.
Wouldn’t it be great if that battery lasted longer?
There are a number of ways to achieve this goal. Because this is my blog, I’m going to talk about the one that doesn’t involve underclocking or reducing graphical settings.
Obviously I’m talking about optimization, the process by which a smart and talented reader of StackOverflow copies and pastes code in exactly the right sequence such that, upon resolving all compilation errors, execution of a program utilizes fewer resources.
Now because everyone reading this is a GPU driver developer, we all know that optimization comes in two forms, optimizing for CPU and optimizing for GPU. But GPU optimization is easy. Anyone can do that. You just strap on your RadeonGPUProfiler or Nsight or , glance at the output, mumble mumble mumble, and blammo, your GPU is running like a clock. A really fast one though. With like a trillion hands all spinning at once.
So we’re done with GPU optimization, but we’re not optimized enough yet. The battery still doesn’t last forever, and the users are still complaining on Reddit that they can’t even finish a casual playthrough of Elden Ring or a boss fight in Monster Hunter: Rise without needing to plug in.
This brings us to “CPU optimization”, the process by which we use more esoteric tools like perf or dtrace or custom instrumentation to generate possibly-useful traces of where the CPU may or may not be executing optimally because it’s a filthy liar that doesn’t even know what line of code it’s executing half the time. But still, we need test cases, and unlike GPU profiling, CPU profiling typically isn’t useful with only a single frame’s worth of sample data.
Thus, drawoverhead, which provides a view of how various GL operations impact CPU utilization by executing millions of draw calls per second to provide copious samples for profiling.
This is where the blog is going to take a turn for the bizarre. Some people, it seems, don’t want to use Zink for benchmarking and profiling.
I know.
I’m shocked, hurt, appalled, and also it’s me who doesn’t want to use Zink for benchmarking and profiling so it’s a very confusing time.
The problem with using Zink for optimizing CPU usage is that Zink keeps getting in the way. I want to profile only the Vulkan driver, but instead I’ve got all this Mesa oozing and spurting onto my CPU samples. It’s gross, it’s an untenable situation, and I’ve already taken steps to resolve it.
Behold the future: vkoverhead.
With one simple clone, build, and execute, it’s now possible to see how much the Vulkan driver you’re using sucks at any given task.
Want to see how costly it is to bind a different pipeline? Got it covered.
Changing vertex buffers? Blam, your performance is garbage.
Starting and stopping renderpasses? Take your entire computer and throw it in the dumpster because that’s where your performance just went.
The obvious problem with this is that somebody has to actually dig into the vkoverhead results for each driver and figure out what can be made better. I’ll write another post about this since it’s a separate topic.
Instead, what I want to do today is use vkoverhead to delve into one of the latest and greatest myths of modern Vulkan:
Is the use of fast-linked Graphics Pipeline Libraries worse than, equivalent to, or better than VK_EXT_vertex_input_dynamic_state?
I say this is one of the great myths because, having spoken to Very Knowledgeable Khronos Insiders as well as Experienced Application Developers, I’ve been told repeatedly that VK_EXT_vertex_input_dynamic_state is just a convenience feature that should not be used or relied upon, and proper use of GPL with fast-linking provides the same functionality and performance with broader adoption. But is this really true?
Well, now that the tools exist, it’s possible to say definitively that this sort of wishful thinking does not reflect reality. Let’s check out the numbers. As of the latest 1.1 vkoverhead release, the following cases are available:
$ ./vkoverhead -list
0, draw
1, draw_multi
2, draw_vertex
3, draw_multi_vertex
4, draw_index_change
5, draw_index_offset_change
6, draw_rp_begin_end
7, draw_rp_begin_end_dynrender
8, draw_rp_begin_end_dontcare
9, draw_rp_begin_end_dontcare_dynrender
10, draw_multirt
11, draw_multirt_dynrender
12, draw_multirt_begin_end
13, draw_multirt_begin_end_dynrender
14, draw_multirt_begin_end_dontcare
15, draw_multirt_begin_end_dontcare_dynrender
16, draw_vbo_change
17, draw_1vattrib_change
18, draw_16vattrib
19, draw_16vattrib_16vbo_change
20, draw_16vattrib_change
21, draw_16vattrib_change_dynamic
22, draw_16vattrib_change_gpl
23, draw_16vattrib_change_gpl_hashncache
24, draw_1ubo_change
25, draw_12ubo_change
26, draw_1sampler_change
27, draw_16sampler_change
28, draw_1texelbuffer_change
29, draw_16texelbuffer_change
30, draw_1ssbo_change
31, draw_8ssbo_change
32, draw_1image_change
33, draw_16image_change
34, draw_1imagebuffer_change
35, draw_16imagebuffer_change
36, submit_noop
37, submit_50noop
38, submit_1cmdbuf
39, submit_50cmdbuf
40, submit_50cmdbuf_50submit
41, descriptor_noop
42, descriptor_1ubo
43, descriptor_template_1ubo
44, descriptor_12ubo
45, descriptor_template_12ubo
46, descriptor_1sampler
47, descriptor_template_1sampler
48, descriptor_16sampler
49, descriptor_template_16sampler
50, descriptor_1texelbuffer
51, descriptor_template_1texelbuffer
52, descriptor_16texelbuffer
53, descriptor_template_16texelbuffer
54, descriptor_1ssbo
55, descriptor_template_1ssbo
56, descriptor_8ssbo
57, descriptor_template_8ssbo
58, descriptor_1image
59, descriptor_template_1image
60, descriptor_16image
61, descriptor_template_16image
62, descriptor_1imagebuffer
63, descriptor_template_1imagebuffer
64, descriptor_16imagebuffer
65, descriptor_template_16imagebuffer
66, misc_resolve
67, misc_resolve_mutable
The interesting cases for this scenario are:
21, draw_16vattrib_change_dynamic
22, draw_16vattrib_change_gpl
23, draw_16vattrib_change_gpl_hashncache
VK_EXT_vertex_input_dynamic_stateRunning all of these tests on NVIDIA’s driver (the only hardware driver to fully support both extensions) on a AMD Ryzen 9 5900X with a 3060TI yields the following:
| Case | Draws per second |
|---|---|
| 21 draw_16vattrib_change_dynamic | 7,965,000 |
| 22 draw_16vattrib_change_gpl | 315,000 |
| 23 draw_16vattrib_change_gpl_hashncache | 4,020,000 |
Staggeringly, it turns out that GPL is worse in every scenario. Even the speed of the typical Vulkan hash-n-cache usage can’t make up for the fact that VK_EXT_vertex_input_dynamic_state genuinely is that much faster. And assuming the driver isn’t doing low-GPU-performance heroics, that means everyone drinking the koolaid about not using or not implementing VK_EXT_vertex_input_dynamic_state should be reconsidering their beverage of choice.
This isn’t to say Graphics Pipeline Library is bad or should not be used.
GPL is one of the best extensions Vulkan has to offer, and it definitely provides a huge number of features that every application developer should be examining to see how they might improve performance.
But it’s not better than VK_EXT_vertex_input_dynamic_state.
The project is already in a state where at least one major GPU vendor is utilizing it to drive down CPU usage. If you’re a GPU driver engineer, or perhaps if you’re someone who does benchmarking for a popular tech news site, you should check out vkoverhead too.
Some key takeaways:
Stay tuned for an upcoming post where I teach a course in making your own spaghetti. Also some other things that give zink a 25%+ performance boost.
My journey on the Google Summer of Code project passed by so fast… This is my last week on the GSoC and those 14 weeks flew by! A lot of stuff happened during those three months, and as I’m writing this blog post, I feel quite nostalgic about this three months.
Before I started GSoC, I never thought I would send so many patches to the mailing list, have an abstract approved on XDC 2022, or have commit rights on drm-misc.
GSoC was indeed a fantastic experience. It gave me the opportunity to grow as a developer in an open source community and I believe that I ended up GSoC with a better understanding of what open source is. I learned more about the community, how to communicate with them, and who are the actors in this workflow.
So, this is a summary report of all my journey at GSoC 2022.
First I will kick off with my non-related contributions. I mean, they are somehow related to my project, but they are not exactly unit tests for AMDGPU.
kworkflow is a tool for reducing the environment and setup overhead of developing for Linux, which is maintained by my mentor Rodrigo Siqueira. I use it to manage my config files, deploy to my testing machine, check code style, and more. Initially, kw didn’t have support to deploy for Fedora-based machines.
During the Community Bonding Period, I added support to deploy Fedora-based machines and I wrote a bit about this story in this blog post. Moreover, I fixed a couple of bugs that I spotted while using it.
| Patch | Status |
|---|---|
| docs: dependencies: Add pv to Fedora dependencies | Accepted |
| src: kwlib: check if the context is inside a git worktree | Accepted |
| Add deploy support to Fedora-based systems | Accepted |
| src: help: Fix renaming of configm to kernel-config-manager | Accepted |
IGT GPU Tools is a collection of tools for the development and testing of DRM drivers. During GSoC, I ran the AMDGPU suite a couple of times on my testing machine with a single display connected through HDMI. With this setup, I was able to detect a couple of failures on the IGT tests and I reported some of those issues on the AMD bug tracker, but also I sent two patches fixing a couple of failures on the test.
| Patch | Status |
|---|---|
| [i-g-t,v2] tests/amdgpu: Skip multihead MPO tests on single display | Accepted |
| [i-g-t,v2] tests/amdgpu/amd_bypass: skip if connector is not DisplayPort | On Review |
KUnit is the Kernel Unit Testing Framework. It is the framework we used for creating unit tests for the AMDGPU drivers. My patches to KUnit are based on problems that I noticed I could improve while I was writing unit tests for VBA. First, I fixed a simple documentation error I spotted when I consulted the docs. The other patches are a bit more interesting.
While I was writing some tests, I realize I was using a lot of expectations such as:
KUNIT_EXPECT_EQ(test, memcmp(buffer1, buffer2, size), 0);
And I also realize that the output of this expectation can be quite non-helpful,
as it only gives the output of the memcmp function. So, I created an
expectation macro for analyzing blocks of memory and outputs the hexdump of the
memory.
It was a great community experience to interact with the KUnit developers and work on their feedback.
In the DRM subsystem, I contributed to the DRM unit tests, which used to be selftests and I converted them to KUnit during an LKCamp hackathon with other students. I explained more about those tests in this blog post. After those patches were merged, I dedicated myself to some janitorial duties on the tests folders: fixing stack warnings, refactoring some tests, and making the naming more consistent.
Also, this summer, I applied for commit rights on the drm-misc repository and it was approved. I got pretty glad to have commit rights, although I believe it is such a huge responsibility and I plan to use this right very carefully. I must thank my mentor Melissa Wen for encouraging me to ask for commit rights and for sharing her knowledge about the community and maintainership models (and also for answering a thousand questions I had about dim).
Most of my patches to the AMDGPU branch were ideas that I had while writing the
unit tests on VBA. The display_mode_vba files were automatically generated,
which means that the code might not be the most readable one. During the summer,
I had a couple of ideas for cleaning up a bit of the VBA files and some of those
ideas are documented in this blog
post.
And most of my patches are related to this matter.
But, most of the patches I sent related to the VBA files weren’t merged and there was also no feedback on the patches. Some were sent multiple times, but I didn’t get an answer. The DML is a very sensitive part of the AMDGPU driver, so big changes might not be suitable for them.
Moreover, there are a couple of fixes. My favorite one is the drm/amdgpu: Fix
use-after-free on amdgpu_bo_list mutex, which was a fix to a use-after-free
problem that appeared in the mailing
list.
It was fun to read the output provided in the mailing-list and then track the
bug based on the trace. Also, it was a really nice interaction with other
developers on the mailing list.
After this huge tangent, let’s jump into the real milestones of the GSoC project. Making a small recapitulation of the idea of my project:
The Display Mode Library (DML) is a fundamental part of the AMDGPU driver. It involves lots of complex calculations and a large number of parameters. That said, it points to itself as a great candidate for the implementation of unit tests. Unit tests will help graphic developers recognize bugs before they are merged into the mainline and make it possible for a future code refactor. This project intends to implement unit testing in the Display Mode VBA libraries, especially the Display Mode VBA public API and the DCN20’s Display Mode VBA functions.
In my project, the deliverables were:
display_mode_vba and display_mode_vba20.So, let’s discuss point by point the milestones of this summer.
First, I had the intention to write unit tests for all the public functions on
display_mode_vba and display_mode_vba20, which are eleven functions in
total. Initially, it seems like a good idea to test only the public functions,
which is usually recommended by Software Engineering authors.
I started following this plan, but as I was learning more about unit testing, I started questioning the feasibility of tests for some functions. I mean, a couple of functions had more than 45 input parameters and more than a thousand lines. Checking all the possible code branches of those tests seemed to me unfeasible because there were a lot of variables to be considered.
As the function size and the number of parameters grow, the complexity of the tests grows exponentially.
So, I ended up writing tests for some static VBA functions. In the end, I wrote more than eleven unit tests but the functions for which they were written are not the same as planned initially.
The functions were chosen by two means. First, I was trying to identify
functions with a more suitable behavior for unit tests. Basically, functions
with no more than 10 parameters and 100 lines. Also, I was looking for functions
that were used a lot in the code, in order to increase the coverage and the
relevance of the tests. But also, sometimes, Siqueira would suggest some
functions outside of VBA, such as the dc_dmub_srv case, which was inspired on
a regression.
Moreover, I also wrote documentation for the tests, giving instructions on how to run the tests and how to add more tests to the AMDGPU driver.
The patches with the test suites and documentation are listed here:
The tests are not merged yet and are currently on the second version, but there are some good changes that the tests will be merged soon to the mainline.
Moreover, I was able to run all the unit tests developed on the AMDGPU Radeon RX 5700 XT, and also with the kunit-tool.
During the summer, I wrote five blog posts about challenges that I found interesting in my journey. All blog posts are listed here:
| Date | Post |
|---|---|
| May 26, 2022 | I’m in GSoC ‘22 |
| Jun 11, 2022 | Linux Kernel Developing with Fedora |
| Jul 11, 2022 | About Kernel Symbol Table, Compilation, and more |
| Jul 19, 2022 | From Selftests to KUnit |
| Aug 10, 2022 | Does the Linux Kernel need software engineering? |
During this summer, I was able to evolve my community skills also. Before I joined GSoC, I didn’t though I had enough knowledge to review code from others or even read the mailing list. Now, I have more confidence to review and test some patches (and even commit a patch).
During GSoC, I developed the habit to read the mailing list daily. Although I don’t really get everything that is going on there, I read a couple of threads and try to understand what is being discussed. And it became a fun part of my day to open Thunderbird and read the mailing lists from AMDGPU, DRM, KUnit, and Fedora Devel.
Moreover, during my mailing list readings, I was able to find some discussions that I could contribute to and even review patches. Initially, I didn’t have confidence enough to send a Reviewed-by, so I used to send just a Tested-by. But, now I feel more courage to send a Reviewed-by and make an argument for my points on the mailing lists.
I made more than a dozen interactions on the mailing list, so I will just list the more relevant ones:
Moreover, I also
committed
two patches on drm-misc-next. I reviewed to patches for improving the DRM
KUnit tests and by the end of the review, I usually wait for someone to push the
patches into drm-misc-next, but as those patches were on the list for a while,
I decided to push it myself. I was pretty afraid of doing something wrong, but
all went fine with a bit of help from Melissa.
Well, I’m pretty excited about the next couple of months for many reasons. First, I, Magali Lemes, and Isabella Basso will be attending XDC 2022. It is going to be very exciting to participate in an in-place conference and also to make a presentation on the main track.
We are going to talk about the “KUnit sorcery and the uncanny nature of FPU in the DRM” on October 4th, presenting a bit of our GSoC project. So, currently, I’m training a lot to make a good presentation in October.
Moreover, I intend to keep contributing to the DRM subsystem, and currently, I have some ideas for some code refactors of the DRM KUnit tests. Also, I would like to expand my contributions on the DRM to not only test-related. Although I do like to write unit tests, I want to learn more about planes, CRTC, color management, memory management, and more. Currently, most of my contributions are related to janitorial duties and I would like to contribute to implementing new features on the DRM or improving the DRM core.
Finally, by the end of GSoC, I’ll be joining another mentorship project on the Linux Graphics Stack, the Igalia Coding Experience, in which I will be learning more about the DRM subsystem and IGT in the next months. This is making me very excited, as I will continue to contribute with open source, especially the Linux kernel, with the help of my great mentors Melissa Wen and André Almeida, who are software engineers on Igalia.
First, I would like to thank my mentors Rodrigo Siqueira, Melissa Wen, and André Almeida. They really believed in our potential, encouraged us to talk to the community, and show us some great opportunities. They were an amazing team of mentors and I will always be thankful to them. Without them, I would probably never would had submitted a project to GSoC.
Also, I would like to thank the X.Org Foundation for accepting my proposal to GSoC and also helping us with funding for XDC 2022.
Moreover, I would like to thank AMD for donating hardware for us. During the project, I used a Radeon RX 5700 XT donated by them, so I’m also very thankful to them. Moreover, I would like to thank all AMD engineers that took their time to review my patches and send feedback.
Finally, I would like to thank the DRI community for reviewing my patches and giving me constructive feedback. Also, the KUnit community, especially David Gow, Daniel Latypov, and Brendan Higgins, review a lot of my patches and took their time to meet with us this summer.
Last, but not least, I thank the companionship of my colleagues Isabella Basso, Magali Lemes, and Tales Aparecida during this summer. It was great to have some companions to solve problems this summer and to share knowledge.
While Tianocore EDKII still dominates the UEFI development world, there has been continuous effort to enable Rust for firmware development. But so far the tools involved have not been stabilised. We now started an effort to remedy this and get stable Rust support for UEFI targets.
The rust compiler has gained support for multiple UEFI targets in the past, namely:
This allows building Rust UEFI Applications with a standard compiler by simply
passing --target <arch>-unknown-uefi to cargo or rustc. Unfortunately,
Tier-3
support means no compiler builds are distributed via the Rust release
channels, nor does the Rust-CI guarantee the targets build successfully.
Moreover, this implies that a nightly/unstable compiler is required to build
for those targets, even though no nightly Rust Language features are required.
Raising support of these targets to Tier-2 will include automatic toolchain builds distributed via Rust release channels. Hence, no nightly/unstable compiler is required, anymore. Automatic CI builds will guarantee the targets build successfully and do not randomly break. This will greatly improve the trust in the platform and significantly enhance the developer experience.
Rust support for UEFI has been documented in the rustc-book section UEFI Platform Support. You can follow and support the Major Change Proposal (MCP) to raise support to Tier-2 on the Rust Compiler-Team Tracker.
September 1 was a big day! The official cross-vendor Vulkan mesh shading extension that I teased a while ago, has now been officially released. This is a significant moment for me because I’ve spent considerable time making the RADV implementation and collaborated with some excellent people to help shape this extension in Khronos.
We first started talking about mesh shaders in Mesa about two years (maybe more?) ago.
At the time the only publicly available Vulkan mesh shading API was the vendor-specific
NV_mesh_shader made by NVidia.
I was working together with Christoph Kubisch (from NVidia) who helped understand what this topic is all about. Caio Oliveira and Marcin Slusarz (from Intel, working on ANV) joined the adventure too.
We made the decision to start working on some preliminary support for the NV extension to get some experience with the topic and learn how it’s supposed to work. Once we were satisfied with that, we made the jump to the EXT.
These are the common Mesa pieces that all drivers can use. The front-end and middleware code for mesh/task shader support are here. Caio created the initial pieces and I expanded on that as I found more and more things that needed adjustment in NIR, added a new storage class for task payloads etc. Marcin also chimed in with fixes and improvements.
AMD and Intel hardware work differently, so most of the hard
work couldn’t be shared and needed to be implemented in the backends.
However, some of the commonalities are implemented in eg. nir_lower_task_shader
for the work that needs to happen in both RADV and ANV.
There were dozens of merge requests that added support for various features,
cleaned up old features to make them not crash on mesh shaders, etc.
The latest is this MR
which adds all the remaining puzzle pieces for the EXT.
Because mesh shaders use NGG, the heavy lifting is done in ac_nir_lower_ngg
which is already responsible for other NGG shaders (VS, TES, GS).
The lowering basically “translates” the API shader to work like the HW expects.
Without going into much detail, it essentially wraps the application shader and replaces
some pieces of it to make them understandable by the HW.
There is now also an ac_nir_lower_taskmesh_io_to_mem
for translating task payload I/O and EmitMeshTasksEXT to something the HW can understand.
Previously I was mostly working on the compiler stack (NIR and ACO) and had little experience with the hardcore driver code, such as how draws/dispatches work and how the driver submits cmd buffers to the GPU. As I had near-zero knowledge of these areas, I had to learn about them, mostly by just reading the code.
So, I split the RADV work in two parts:
radv_cmd_buffer to add some new draw calls, and minor work in radv_pipeline
to figure out per-primitive output attributes and get the register programming right.radv_device because we now have to submit to multiple
queues at once. This is actually not finished yet because “gang submit” is still missing.
Additionally, radv_cmd_buffer needed heavy changes to support an internal compute cmdbuf.Naturally, during this work I also hit several RADV bugs in pre-existing use cases which just nobody noticed yet. Some of these were issues with secondary command buffers and conditional rendering on compute-only queues. There was also a nasty firmware bug, and other exciting stuff.
Let’s just say that my GPU loved to hang out with me.
The Intel ANV compiler backend and driver implementation were done by Caio and Marcin and I just want to take this opportunity to say that I really enjoyed working together with them.
All of the above would have been impossible if I didn’t have some solid test cases which I could throw at my implementation. Ricardo Garcia developed the CTS (Vulkan Conformance Test Suite) testcases for both NV_mesh_shader and EXT_mesh_shader. During that work, Ricardo wrote several thousand mesh and task shaders for us to test with. Ricardo if you’re reading this, THANK YOU!!!
Implementing VK_EXT_mesh_shader gave me a very good learning experience and helped me
get an understanding of parts of the driver that I had never looked at before.
We never wanted to officially support it, it was just a stepping stone for us to help start working on the EXT. The NV extension support will be removed soon.
The RADV and ANV support will be included once the system is updated to Mesa 22.3, though we may be convinced to bring it to the Deck sooner if somebody finds a game that uses mesh shaders.
For NVidia proprietary driver users, EXT_mesh_shader is already included in the latest beta drivers.
We marked mesh/task shader support “experimental” in RADV because it has one main caveat that we are unable to solve without kernel support. Thanks to how we need to submit to two different queues at the same time, this can deadlock your GPU if you are running two (or more) processes which use task shaders at the same time. To properly solve it we need the “gang submit” feature in the kernel which prevents such deadlocks.
Unfortunately “gang submit” is not upstream yet. Cross your fingers and let’s hope it’ll be included in Linux 6.1.
Until then, you can use the RADV_PERFTEST=ext_ms environment variable
to play your favourite mesh shader games!
Vulkan 1.3.226 was released yesterday and it finally includes the cross-vendor VK_EXT_mesh_shader extension. This has definitely been an important moment for me. As part of my job at Igalia and our collaboration with Valve, I had the chance to work reviewing this extension in depth and writing thousands of CTS tests for it. You’ll notice I’m listed as one of the extension contributors. Hopefully, the new tests will be released to the public soon as part of the open source VK-GL-CTS Khronos project.
During this multi-month journey I had the chance to work closely with several vendors working on adding support for this extension in multiple drivers, including NVIDIA (special shout-out to Christoph Kubisch, Patrick Mours, Pankaj Mistry and Piers Daniell among others), Intel (thanks Marcin Ślusarz for finding and reporting many test bugs) and, of course, Valve. Working for the latter, Timur Kristóf provided an implementation for RADV and reported to me dozens of bugs, test ideas, suggestions and improvements. Do not miss his blog post series about mesh shaders and how they’re implemented on RDNA2 hardware. Timur’s implementation will be used in your Linux system if you have a capable AMD GPU and, of course, the Steam Deck.
The extension has been developed with DX12 compatibility in mind. It’s possible to use mesh shading from Vulkan natively and it also allows future titles using DX12 mesh shading to be properly run on top of VKD3D-Proton and enjoyed on Linux, if possible, from day one. It’s hard to provide a summary of the added functionality and what mesh shaders are about in a short blog post like this one, so I’ll refer you to external documentation sources, starting by the Vulkan mesh shading post on the Khronos Blog. Both Timur and myself have submitted a couple of talks to XDC 2022 which have been accepted and will give you a primer on mesh shading as well as some more information on the RADV implementation. Do not miss the event at Minneapolis or enjoy it remotely while it’s being livestreamed in October.
A quick, off-hour post from me to share some exciting news in an unlikely area.
As of this moment, Mesa is now using the Mold linker in CI for faster build times.
If you haven’t tried Mold yet, you’re just pointlessly wasting your own time.
Thanks to everyone who works on Mold and everyone who helped get this change merged.
Neverball rendered on the Apple M1 GPU with an open source OpenGL driver
After a year in development, the open source “Asahi” driver for the Apple GPU is running real games. There’s more to do, but Neverball is already playable (and a lot of fun!).
Neverball uses legacy “fixed function” OpenGL. Rather than supply programmable shaders like OpenGL 2, old OpenGL 1 applications configure a fixed set of graphics effects like fog and alpha testing. Modern GPUs don’t implement these features in hardware. Instead, the driver synthesizes shaders implementing the desired graphics. This translation is complicated, but we get it for “free” as an open source driver in Mesa. If we implement the modern shader pipeline, Mesa will handle fixed function OpenGL for us transparently. That’s a win for open source drivers, and a win for GPU acceleration on Asahi Linux.
To implement the modern OpenGL features, we rely on reverse-engineering the behaviour of Apple’s Metal driver, as we don’t have hardware documentation. Although Metal uses the same shader pipeline as OpenGL, it doesn’t support all the OpenGL features that the hardware does, which puts us in bind. In the past, I’ve relied on educated guesswork to bridge the gap, but there’s another solution… and it’s a doozy.
For motivation, consider the clip space used in OpenGL. In every other API on the planet, the Z component (depth) of points in the 3D world range from 0 to 1, where 0 is “near” and 1 is “far”. In OpenGL, however, Z ranges from negative 1 to 1. As Metal uses the 0/1 clip space, implementing OpenGL on Metal requires emulating the -1/1 clip space by inserting extra instructions into the vertex shader to transform the Z coordinate. Although this emulation adds overhead, it works for ANGLE’s open source implementation of OpenGL ES on Metal.
Like ANGLE, Apple’s OpenGL driver internally translates to Metal. Because Metal uses the 0 to 1 clip space, it should require this emulation code. Curiously, when we disassemble shaders compiled with their OpenGL implementation, we don’t see any such emulation. That means Apple’s GPU must support -1/1 clip spaces in addition to Metal’s preferred 0/1. The problem is figuring out how to use this other clip space.
We expect that there’s a bit toggling between these clip spaces. The logical place for such a bit is the viewport packet, but there’s no obvious difference between the viewport packets emitted by Metal and OpenGL-on-Metal. Ordinarily, we would identify the bit by toggling the clip space in Metal and comparing memory dumps. However, according to Apple’s documentation, there’s no way to change the clip space in Metal.
That’s an apparently contradiction. There’s no way to use the -1/1 clip space with Metal, but Apple’s OpenGL-on-Metal translator uses uses the -1/1 clip space. What gives?
Here’s a little secret: there are two graphics APIs called “Metal”. There’s the Metal you know, a limited API that Apple documents for App Store developers, an API that lacks useful features supported by OpenGL and Vulkan.
And there’s the Metal that Apple uses themselves, an internal API adding back features that Apple doesn’t want you using. While ANGLE implements OpenGL ES on the documented Metal, Apple can implement OpenGL on the secret Metal.
Apple does not publish documentation or headers for this richer Metal API, but if we’re lucky, we can catch a glimpse behind the curtain. The undocumented classes and methods making up the internal Metal API are still available in the production Metal binaries. To use them, we only need the missing headers. Fortunately, Objective-C symbols contain enough information to reconstruct header files, allowing us to experiment with undocumented methods with “extra” functionality inherited from OpenGL.
Compared to the desktop GPUs found in Intel Macs, Apple’s own GPU implements a slim, modern feature set mapping well to Metal. Most of the “extra” functionality is emulated. It is interesting to know the emulation happens in their Metal driver instead of their OpenGL frontend, but that’s unsurprising, as it allows their Metal drivers for Intel and AMD GPUs to implement the functionality natively. While this information is fascinating for “macOS hermeneutics”, it won’t help us with our Apple GPU mystery.
What will help us are the catch-all mystery methods named setOpenGLModeEnabled, apparently enabling “OpenGL mode”.
Mystery methods named like just beg to be called.
The render pipeline descriptor has such a method. That descriptor contains state that can change every draw. In some graphics APIs, like OpenGL with ARB_clip_control and Vulkan with VK_EXT_depth_clip_control, the application can change the clip space every draw. Ideally, the clip space state would be part of this descriptor.
We can test this optimistic guess by augmenting our Metal test bench to call [MTLRenderPipelineDescriptorInternal setOpenGLModeEnabled: YES].
It feels strange to call this hidden method. It’s stranger when the code compiles and runs just fine.
We can then compare traces between OpenGL mode and the normal Metal mode. Seemingly, enabling OpenGL mode toggles a plethora of random unknown bits. Even if one of them is what we want, it’s a bit unsatisfying that the “real” Metal would lack a proper [setClipSpace: MTLMinusOneToOne] method, rather than this blunt hack reconfiguring a pile of loosely related API behaviours.
Alas, for all the random changes in “OpenGL mode”, none seem to affect clipping behaviour.
Hope is not yet lost. There’s another setOpenGLModeEnabled method, this time in the render pass descriptor. Rather than pipeline state that can change every draw, this descriptor’s state can only change in between render passes. Changing that state in between draws would require an expensive flush to main memory, similar to the partial renders seen elsewhere with the Apple GPU. Nevertheless, it’s worth a shot.
Changing our test bench to call [MTLRenderPassDescriptorInternal setOpenGLModeEnabled: YES], we find another collection of random bits changed. Most of them are in hardware packets, and none of those seem to control clip space, either.
One bit does stand out. It’s not a hardware bit.
In addition to the packets that the userspace driver prepares for the hardware, userspace passes to the kernel a large block of render pass state describing everything from tile size to the depth/stencil buffers. Such a design is unusual. Ordinarily, GPU kernel drivers are only concerned with memory management and scheduling, remaining oblivious of 3D graphics. By contrast, Apple processes this state in the kernel forwarding the state to the GPU’s firmware to configure the actual hardware.
Comparing traces, the render pass “OpenGL mode” sets an unknown bit in this kernel-processed block. If we set the same bit in our OpenGL driver, we find the clip space changes to -1/1. Victory, right?
Almost. Because this bit is render pass state, we can’t use it to change the clip space between draws. That’s okay for baseline OpenGL and Vulkan, but it prevents us from efficiently implementing the ARB_clip_control and VK_EXT_depth_clip_control extensions. There are at least three (inefficient) implementations.
The first is ignoring the hardware support and emulating one of the clip spaces by inserting extra instructions into the vertex shader when the “wrong” clip space is used. In addition to extra overhead, that requires shader variants for the different clip spaces.
Shader variants are terrible.
In new APIs like Vulkan, Metal, and D3D12, everything needed to compile a shader is known up-front as part of a monolithic pipeline. That means pipelines are compiled when they’re created, not when they’re used, and are never recompiled. By contrast, older APIs like OpenGL and D3D11 allow using the same shader with different API states, requiring some drivers to recompile shaders on the fly. Compiling shaders is slow, so shader variants can cause unpredictable drops in an application’s frame rate, familiar to desktop gamers as stuttering. If we use this approach in our OpenGL driver, switching clip modes could cause stuttering due to recompiling shaders. In bad circumstances, that stutter could even happen long after the mode is switched.
That option is undesirable, so the second approach is always inserting emulation instructions that read the desired clip space at run-time, reserving a uniform (push constant) for the transformation. That way, the same shader is usable with either clip space, eliminating shader variants. However, that has even higher overhead than the first method. If an application frequently changes clip spaces within a render pass, this approach will be the most efficient of the three. If it does not, this approach adds constant overhead to every application. Knowing which approach is better requires the driver to have a magic crystal ball.1
The final option is using the hardware clip space bit and splitting the render pass when the clip space is changed. Here, the shaders are optimal and do not require variants. However, splitting the render pass wastes tremendous memory bandwidth if the application changes clip spaces frequently. Nevertheless, this approach has some support from the ARB_clip_control specification:
Some [OpenGL] implementations may introduce a flush when changing the clip control state. Hence frequent clip control changes are not recommended.
Each approach has trade-offs. For now, the easiest “option” is sticking our head in the sand and giving up on ARB_clip_control altogether. The OpenGL extension is optional until we get to OpenGL 4.5. Apple doesn’t implement it in their OpenGL stack. Because ARB_clip_control is primarily for porting Direct3D games, native OpenGL games are happy without it. Certainly, Neverball doesn’t mind. For now, we can use the hardware bit to use the -1/1 clip space unconditionally in OpenGL and 0/1 unconditionally in Vulkan. That does not require any emulation or flushing, though it prevents us from advertising the extensions.
That’s enough to run Neverball on macOS, using our userspace OpenGL driver in Mesa, and Apple’s proprietary kernel driver. There’s a catch: Neverball has to present with the deprecated X11 server on macOS. Years ago, Apple engineers2 contributed Mesa support for X11 on macOS (XQuartz), allowing us to run X11 applications with our Mesa driver. However, there’s no support for Apple’s own Cocoa windowing system, meaning native macOS applications won’t work with our driver. There’s also no easy way to run Linux’s newer Wayland display server on macOS. Nevertheless, Neverball does not use Cocoa directly. Instead, it uses the cross-platform SDL2 library to create its window, which internally uses Cocoa, X11, or Wayland as appropriate for the operating system. With enough sweat and tears, we can build an macOS/X11 version of SDL2 and link Neverball with that.
This Neverball/macOS/X11 port was frustrating, especially when the game is one apt install away on Linux. That’s a job for Asahi Lina, who has been hard at work writing a Linux kernel driver for Apple’s GPU. When our work converges, my userspace Mesa driver will run on Linux with her kernel driver to implement a full open source graphics stack for 3D acceleration on Asahi Linux.
Please temper your expectations: even with hardware documentation, an optimized Vulkan driver stack (with enough features to layer OpenGL 4.6 with Zink) requires many years of full time work. At least for now, nobody is working on this driver full time3. Reverse-engineering slows the process considerably. We won’t be playing AAA games any time soon.
That said, thanks to the tremendous shared code in Mesa, a basic OpenGL driver is doable by a single person. I’m optimistic that we’ll have native OpenGL 2.1 in Asahi Linux by the end of the year. That’s enough to accelerate your desktop environment and browser. It’s also enough to play older games (like Neverball). Even without fancy features, GPU acceleration means smooth animations and better battery life.
In that light, the Asahi Linux future looks bright.
I was planning to write this Friday, but then it was Friday, so I didn’t.
You know how it is.
I’ve been doing a lot of work on CPU optimizations in zink lately. I had planned to do some benchmarks of this, but now it’s Monday and someone has already done it for me, so I won’t.
Sometimes it’s like that too.
But the overly-technical, word-heavy, bullet-point-laden blog post still needs to be written, and now it’s Monday, so here I am.
Speed: How does it work?
I’ve blogged a lot about descriptors in the past. After years of pointlessly churning the codebase, a winner has emerged from the manager wars. Descriptor caching has been deleted. It’s gone, and laziness is the future. Huzzah.
To recap for those who haven’t followed however many treatises I’ve written on the topic, the idea of “lazy” descriptors is to do the least amount of work as stupidly as possible:
Simple, yet surprisingly performant.
We know that laziness is preferable to doing any kind of work. This is an indisputable fact. It’s also (obviously) true in CPU performance: less work is better. So how can zink do even less work than being lazy?
Well.
It’s always possible to be lazier.
Historically, there have been two points of non-laziness when it comes to lazy descriptors:
Descriptor sets are allocated from descriptor pools. Descriptor pools are allocated based on the pipeline layout. Pools are allocated onto the same struct that contains the cmdbuf, ensuring that the lifetimes match. Thus, for each pipeline layout, there are N descriptor pools, where N is the number of cmdbufs in use. Any time a new set must be allocated, the corresponding pool must be accessed. To access the the pool, the integer ID of the pipeline layout is used, as all the pools for a given cmdbuf are stored in a hash table.
Hash tables are slow. They require hashing, they require lookups, and why not just use an array if the key is already an integer? It’s a mystery, especially when there aren’t thousands of hash table entries, so I switched to using an array in order to enable direct lookups.
Performance: enhanced.
Descriptor set allocation was another bottleneck. In order to avoid blowing out heaps on heap-based hardware, I’ve capped descriptor pools to only contain 100 sets at a time. This means that even if a set isn’t fully utilized, it’s not consuming a huge amount of resources. It also means that allocation is faster when cmdbufs (and their associated descriptor pools) get reset.
Remember when I said that there were N descriptor pools for N cmdbufs? Obviously this was a lie. What I meant to say was there are N * O descriptor pools for N cmdbufs, where O is the number of times the descriptor pool has overflowed because it had to allocate more than 100 sets. In this scenario, the overflowed (full) descriptor pool is appended to an array which then gets freed upon cmdbuf reset. Since the pools are relatively small, this recycling operation is pretty fast.
But it’s still an operation. Which means it’s doing work. And you know what I hate? I mean, You know what CPU performance hates? Doing work. Yeah, that’s it.
So now instead of recycling these overflowed pools, zink just retains them and reuses them directly.
Performance: enhanced.
Join me in the next blog post when I show how it’s possible for anyone (even you!) to turn code into spaghetti using C++.
When I create kernel contributions, I usually rely on a specific hardware, which makes using a system on which I need to deploy kernels too complicated or time-consuming to be worth it. Yes, I'm an idiot that hacks the kernel directly on their main machine, though in my defense, I usually just need to compile drivers rather than full kernels.
But sometimes I work on a part of the kernel that can't be easily swapped out, like the USB sub-system. In which case I need to test out full kernels.
I usually prefer compiling full kernels as RPMs, on my Fedora system as it makes it easier to remove old test versions and clearly tag more information in the changelog or version numbers if I need to.
Step one, build as non-root
First, if you haven't already done so, create an ~/.rpmmacros file (I know...), and add a few lines so you don't need to be root, or write stuff in /usr to create RPMs.
$ cat ~/.rpmmacros
%_topdir /home/hadess/Projects/packages
%_tmppath %{_topdir}/tmp
Easy enough. Now we can use fedpkg or rpmbuild to create RPMs. Don't forget to run those under “powerprofilesctl launch” to speed things up a bit.
Step two, build less
We're hacking the kernel, so let's try and build from upstream. Instead of the aforementioned fedpkg, we'll use “make binrpm-pkg” in the upstream kernel, which builds the kernel locally, as it normally would, and then packages just the binaries into an RPM. This means that you can't really redistribute the results of this command, but it's fine for our use.
If you choose to build a source RPM using “make rpm-pkg”, know that this one will build the kernel inside rpmbuild, this will be important later.
Now that we're building from the kernel sources, that's our time to activate the cheat code. Run “make localmodconfig”. It will generate a .config file containing just the currently loaded modules. Don't forget to modify it to include your new driver, or driver for a device you'll need for testing.
Step three, build faster
If running “make rpm-pkg” is the same as running “make ; make modules” and then packaging up the results, does that mean that the “%{?_smp_mflags}” RPM macro is ignored, I make you ask rhetorically. The answer is yes. “make -j16 rpm-pkg”. Boom. Faster.
Step four, build fasterer
As we're building in the kernel tree locally before creating a binary package, already compiled modules and binaries are kept, and shouldn't need to be recompiled. This last trick can however be used to speed up compilation significantly if you use multiple kernel trees, or need to clean the build tree for whatever reason. In my tests, it made things slightly slower for a single tree compilation.
$ sudo dnf install -y ccache
$ make CC="ccache gcc" -j16 binrpm-pkg
Easy.
And if you want to speed up the rpm-pkg build:
$ cat ~/.rpmmacros
[...]
%__cc ccache gcc
%__cxx ccache g++
More information is available in Speeding Up Linux Kernel Builds With Ccache.
Step five, package faster
Now, if you've implemented all this, you'll see that the compilation still stops for a significant amount of time just before writing “Wrote kernel...rpm”. A quick look at top will show a single CPU core pegged to 100% CPU. It's rpmbuild compressing the package that you will just install and forget about.
$ cat ~/.rpmmacros
[...]
%_binary_payload w2T16.xzdio
More information is available in Accelerating Ceph RPM Packaging: Using Multithreaded Compression.
TL;DR and further work
All those changes sped up the kernel compilation part of my development from around 20 minutes to less than 2 minutes on my desktop machine.
$ cat ~/.rpmmacros
%_topdir /home/hadess/Projects/packages
%_tmppath %{_topdir}/tmp
%__cc ccache gcc
%__cxx ccache g++
%_binary_payload w2T16.xzdio
$ powerprofilesctl launch make CC="ccache gcc" -j16 binrpm-pkg
I believe there's still significant speed ups that could be done, in the kernel, by parallelising some of the symbols manipulation, caching the BTF parsing for modules, switching the single-threaded vmlinux bzip2 compression, and not generating a headers RPM (note: tested this last one, saves 4 seconds :)
The results of my tests. YMMV, etc.
| Command | Time spent | Notes |
|---|---|---|
| koji build --scratch --arch-override=x86_64 f36 kernel.src.rpm | 129 minutes | It's usually quicker, but that day must have been particularly busy |
| fedpkg local | 70 minutes | No rpmmacros changes except setting the workdir in $HOME |
| powerprofilesctl launch fedpkg local | 25 minutes | |
| localmodconfig / bin-rpmpkg | 19 minutes | Defaults to "-j2" |
| localmodconfig -j16 / bin-rpmpkg | 1:48 minutes | |
| powerprofilesctl launch localmodconfig ccache -j16 / bin-rpmpkg | 7 minutes | Cold cache |
| powerprofilesctl launch localmodconfig ccache -j16 / bin-rpmpkg | 1:45 minutes | Hot cache |
| powerprofilesctl launch localmodconfig xzdio -j16 / bin-rpmpkg | 1:20 minutes |
Hi all!
This month I’ve been pondering offline-first apps. The online aspect of modern apps is an important feature for many use-cases: it enables collaboration between multiple people and seamless transition between devices (e.g. I often switch between my personal workstation, my laptop, and my phone). However many modern apps come with a cost: often times they only work with a fixed proprietary server, and only work online. I think that for many use-cases, allowing users to pick their own open-source server instance and designing offline-friendly apps is a good compromise between freedom and ease-of-use/simplicity. Not to say that peer-to-peer or fully distributed apps are always a bad choice, but they come at a significantly higher complexity cost, which makes them more annoying to both build and use.
The main hurdle when writing an offline-first app is synchronization. All devices must have a local copy of the database for offline use, and they need to push changes to the server when the device comes online. Of course, it’s perfectly possible that changes were made on multiple devices while offline, so some kind of conflict resolution is necessary. Instead of presenting a “Oops, we’ve got a conflict, which version would you like to keep?” dialog to the user, it’d be much nicer to just Do The Right Thing™. CRDTs are a solution to that problem. They look a bit scary at first because of all of the obscure naming (PN-Counter? LWW-Element-Set? anyone?) and intimidating theory in papers. However I like to think of CRDTs as “use this one easy trick to make synchronization work well”, and not some kind of complicated abstract machinery. In other words, by following some simple rules, it’s not too difficult to write well-behaved synchronization logic.
So, long story short, I’ve been experimenting with CRDTs this month. To get some hands-on experience, I’ve started working on a small hacky group expense tracking app, seda. I’ve got the idea for this NPotM while realizing that there’s no existing good open-source user-friendly collaborative offline-capable (!) alternative yet. That said, it’s just a toy for now, nothing serious yet. If you want to play with it, you can have a look at the demo (feel free to toggle offline mode in the dev tools, then make some changes, then go online). There’s still a lot to be done: in particular, things gets a bit hairy when one device deletes a participant and another creates a transaction with that user at the same time. I plan to write some docs and maybe a blog post about my findings.
I’ve released two new versions of software I maintain. soju 0.5.0 adds support for push notifications, a new IRC extension to search the chat history, support for more IRCv3 extensions (some of which originate from soju itself), and many other enhancements. hut 0.2.0 adds numerous new commands and export functionality.
In graphics news, I’ve been working on small tasks in various projects. As part of my Valve contract, I’ve been investigating some DisplayPort MST issues in the core kernel DRM code, and I’ve introduced a function to unset layer properties in libliftoff. With the help of Petter Hutterer we’ve introduced a new X11 XWAYLAND extension as a more reliable way for clients to figure out whether they’re running under Xwayland. Last, I’ve continued ticking more boxes in libdisplay-info’s TODO list. We aren’t too far from having a complete EDID parser, but there are still so many extension blocks to add support for, and a whole new high-level API to design.
See you next month!
As of xorgproto 2022.2, we have a new X11 protocol extension. First, you may rightly say "whaaaat? why add new extensions to the X protocol?" in a rather unnecessarily accusing way, followed up by "that's like adding lipstick to a dodo!". And that's not completely wrong, but nevertheless, we have a new protocol extension to the ... [checks calendar] almost 40 year old X protocol. And that extension is, ever creatively, named "XWAYLAND".
If you recall, Xwayland is a different X server than Xorg. It doesn't try to render directly to the hardware, instead it's a translation layer between the X protocol and the Wayland protocol so that X clients can continue to function on a Wayland compositor. The X application is generally unaware that it isn't running on Xorg and Xwayland (and the compositor) will do their best to accommodate for all the quirks that the application expects because it only speaks X. In a way, it's like calling a restaurant and ordering a burger because the person answering speaks American English. Without realising that you just called the local fancy French joint and now the chefs will have to make a burger for you, totally without avec.
Anyway, sometimes it is necessary for a client (or a user) to know whether the X server is indeed Xwayland. Previously, this was done through heuristics: the xisxwayland tool checks for XRandR properties, the xinput tool checks for input device names, and so on. These heuristics are just that, though, so they can become unreliable as Xwayland gets closer to emulating Xorg or things just change. And properties in general are problematic since they could be set by other clients. To solve this, we now have a new extension.
The XWAYLAND extension doesn't actually do anything, it's the bare minimum required for an extension. It just needs to exist and clients only need to XQueryExtension or check for it in XListExtensions (the equivalent to xdpyinfo | grep XWAYLAND). Hence, no support for Xlib or libxcb is planned. So of all the nightmares you've had in the last 2 years, the one of misidentifying Xwayland will soon be in the past.
I’m going to kick off this post and month by saying that in my defense, I was going to write this post weeks ago, but then I didn’t, and then I got sidetracked, but I had the screenshots open the whole time so it’s not like I forgot, but then I did forget for a little while, and then my session died because the man the myth the legend the as-seen-on-the-web-with-a-different-meaning Adam “ajax” Jackson pranked me with a GLX patch, but I started a new session, and gimp recovered my screenshots, and I remembered I needed to post, and I got distracted even more, and now it’s like three whole weeks later and here we are at the post I was going to write last month but didn’t get around to but now it’s totally been gotten to.
You’re welcome.
There’s a new Mesa release in the pipeline, and its name is 22.2. Cool stuff happening in that release: Zink passes GL 4.6 conformance tests on Lavapipe and ANV, would totally pass on RADV if Mesa could even compile shaders for sparse texture tests, and is reasonably close to passing on NVIDIA’s beta driver except for the cases which don’t pass because of unfixed NVIDIA driver bugs. Also Kopper is way better. And some other stuff that I could handwave about but I’m too tired and already losing focus.
Recap over, now let’s get down to some technical mumbo-jumbo.
They exist in Vulkan, and I hate them, but I’m not talking specifically about VkRenderPass. Instead, I’m referring to the abstract concept of “render passes” which includes the better-in-every-way dynamic rendering variant.
Shut up, subpasses, nobody was talking to you.
Render passes control how rendering works. There’s load operations which determine how data is retrieved from the framebuffer (I also hate framebuffers) attachments, there’s store operations which determine how data is stored back to the attachments (I hate this part too), and then there’s “dependencies” (better believe I hate these) which manage synchronization between operations, and input attachments (everyone hates these) which enable reading attachment data in shaders, and then also render pass instances have to be started and stopped any time any attachments or framebuffer geometry changes (this sucks), and to top it all off, transfer operations can’t be executed while render passes are active (mega sucks).
Also there’s nested render passes, but I’m literally fearing for my life even mentioning them where other driver developers can see, so let’s move on.
Today’s suck is focused on render passes and transfer operations: why can’t they just get along?
Here’s a sample command stream from a bug I recently solved:
Notice how the command stream continually starts and stops render passes to execute transfer operations. If you’re on a desktop, you’re like whatever just give me frames, but if you’re on a mobile device with a tiling GPU, this is probably sending you sprinting for your Tik-Tok so you don’t have to look at the scary perf demons anymore.
Until recently, I would’ve been in the former camp, but guess what: as of Mesa 22.2, Zink on Turnip is Officially Supported. Not only that, it has only 14 failures for all of GL 4.6 conformance, so it can render stuff pretty accurately too. Given this as well as the rapid response from Turnip developers, it seems only right that some changes be made to improve Zink on tiling GPUs so that performance isn’t an unmitigated disaster (really hate when this happens).
When running on a tiling GPU, it’s important to avoid VK_ATTACHMENT_LOAD_OP_LOAD at all costs. These GPUs incur a penalty whenever they load attachment data, so ideally it’s best to either VK_ATTACHMENT_LOAD_OP_CLEAR or, for attachments without valid data, VK_ATTACHMENT_LOAD_OP_DONT_CARE. Failure to abide by this guideline will result in performance going straight to the dumpster (again, really hate this).
With this in mind, it may seem obvious, but the above command stream is terrible for tiling GPUs. Each render pass contains only a single draw before terminating to execute a transfer operation. Sure, an argument could be made that this is running a desktop GL application on mobile and thus any performance issues are expected, but I hate it when people argument.
Stop argumenting and get back to writing software.
Problem Space is a cool term used by real experts, so I can only imagine how much SEO using it twice gets me. In this Problem Space, none of the problem space problems that are spacing are new to people who have been in the problem space for longer than me, which is basically everyone since I only got to this problem space a couple years ago. Looking at Freedreno, there’s already a mechanism in place that I can copy to solve one problem Zink has, namely that of never using VK_ATTACHMENT_LOAD_OP_DONT_CARE.
Delving deeper into the problem space, use of VK_ATTACHMENT_LOAD_OP_DONT_CARE is predicated upon the driver being able to determine that a framebuffer attachment does not have valid data when beginning a render pass instance. Thus, the first step is to track that status on the image. It turns out there’s not many places where this needs to be managed. On write-map, import, and write operations, mark the image as valid, and if the image is explicitly invalidated, mark it as invalid. This flag can then be leveraged to skip loading attachment data where possible.
Problem spaced. Or at least one of them.
Historically, Zink has always been a driver of order. It gets the GL commands as Gallium callbacks, it records the corresponding Vulkan command, and then it sends the command buffer to the GPU. It’s simple, yet effective.
But what if there was a better way? What if Zink could see all these operations that were splitting the render passes and determine whether they needed to occur “now” or could instead occur “then”?
This is entirely possible, and it’s similar to the tracking for invalidation. Think of it like a sieve:
A and BA is the main command bufferB is for “unordered” commandsBAB before AIt sounds simple, but the details are a bit more complex. To handle this in Zink, I added more tracking data to each buffer and image resource such that:
B, the resources involved are tagged with the appropriate unordered read/write access flag(s)B if one of the following is true:
BA for the resource being written to AND ONE OF
BBy following this set of rules, transfer operations can be effectively filtered out of render passes on cmdbuf A and into the dumpster of cmdbuf B where all the other transfer operations live. Using a bit more creativity, the above command stream can be rewritten to look like this:
It’s not perfect, but it’s quite effective in not turning the driver code to spaghetti while yielding some nice performance boosts.
It’s also shipping along with the other changes in Mesa 22.2.
While both of these changesets solved real problems, there’s still work to be done in the future. Command stream reordering currently disallows moving draw and dispatch operations from A to B, but in some cases, this may actually be optimal. Finding a method to manage this could yield further gains in performance by avoiding more VK_ATTACHMENT_LOAD_OP_LOAD occurrences.
For those looking for a short answer: yes, it does.
Now, we can dive into a more elaborate answer.
Software engineering is a more systematic approach to software development, which involves the definition, implementation, measurement, management, change, and improvement of the software lifecycle. When we think about software through this lens, we must also think about software requirements, design, construction, testing, and maintenance.
Software engineering improves software maintainability, scalability, and security. Moreover, makes it easier to add testing to the software stack. This approach makes the software more robust.
A little glossary for some software engineering terms:
- Maintainability: how easy is it to repair, improve or understand a software artifact? After finishing your product, you must continue to fix bugs, optimize functionalities and refactor code to avoid future problems.
- Scalability: how easy is it to grow or shrink a software artifact?
- Testability: how easy is it to test a software artifact? Does the function has suitable hooks for testing?
Many people might believe that it is not possible to do software engineering on the Linux Kernel, or even that software engineering is not needed. From what I see, these beliefs come from two statements:
If we follow those beliefs, we might end up with poorly designed code. And, when badly designed code grows, I assure you that we are going to see code repetition, dead code, insanely large functions, and bugs.
But, the worst of all: when we have a huge codebase with lots of bad code practices, maintainability becomes hard and software quality will decrease more and more.
So, let’s first understand why those two beliefs are false.
You might say: how can I use my fancy design patterns, avoid code repetition, and make beautiful polymorphism when I don’t have classes?
And okay, you are right! Design Patterns in C++ are much easier and more natural to understand and implement. In C++ you can create a hierarchy to represent a family of devices, and this feature comes out of the box. But we can translate those concepts to C.
C is a structured language, but we can write object-oriented programs in C. In this sense, libraries and structs are your main allies. Moreover, you can use function pointers to create polymorphism in C.
For example, if I want to write a simple queue in C, I can use the following approach:
#ifndef QUEUE_H_
#define QUEUE_H_
typedef struct Queue Queue;
struct Queue {
int *buffer;
int head;
int size;
int tail;
int (*isFull)(Queue* const me);
int (*isEmpty)(Queue* const me);
int (*getSize)(Queue* const me);
void (*insert)(Queue* const me, int k);
int (*remove)(Queue* const me);
};
/* Constructor and destructors */
void Queue_Init(Queue const me, (*isFullFunction)(Queue* const me),
(*isEmptyFunction)(Queue* const me), (*getSizeFunction)(Queue* const me),
(*insertFunction)(Queue* const me, int k), (*removeFunction)(Queue* const me));
void Queue_Cleanup(Queue* const me);
/* Operations */
int Queue_isFull(Queue* const me);
int Queue_isEmpty(Queue* const me);
int Queue_getSize(Queue* const me);
void Queue_insert(Queue* const me, int k);
int Queue_remove(Queue* const me);
Queue *Queue_Create(void);
void Queue_Destroy(Queue* const me);
#endif
Notice that I can have polymorphism using this approach. As I can create a new struct that inherits Queue, such as:
typedef struct CachedQueue CachedQueue;
struct CachedQueue {
Queue *queue;
/* new attributes */
char name[80];
int numberElementsOnDisk;
/* aggregation in subclass */
Queue *outputQueue;
/* inherited virtual function */
int (*isFull)(CachedQueue* const me);
int (*isEmpty)(CachedQueue* const me);
int (*getSize)(CachedQueue* const me);
void (*insert)(CachedQueue* const me, int k);
int (*remove)(CachedQueue* const me);
/* new virtual functions */
void (*flush)(CachedQueue* const me);
int (*load)(CachedQueue* const me);
};
Okay, this is incredible! It is POLYMORPHISM in C. And there is much more on this topic in the book “Design Patterns for Embedded Systems in C”, by Bruce Powel Douglass. I love this book and I learned a lot from with it. Moreover, there is an awesome talk by Renato Geh and Matheus Tavares in the Linux Developer Conference Brazil 2019 about “Object Oriented Techniques in C: A Case Study on Git and Linux”.
So, you can see that fancy software architecture can be done on C. And don’t get me wrong, there are some beautiful abstractions in Linux that use these concepts, such as the Virtual File System (VFS). Moreover, some libraries provide great APIs, such as the DRM subsystem.
But sometimes this is not used in the implementation of drivers. And this takes us to the next point: yes, drivers need to be properly designed on the software side.
Here I must say that: my opinion is extremely biased by the Display Mode VBA library. For the last month, I have been writing unit tests for this library as part of my GSoC project. I got quite impressed (maybe not in a good way) with the amount of code repetition in the code and also with the huge functions.
And this is not a roast on AMDGPU code: AMD does a great job for the free software community and it is incredible that we have an open-source driver for a major graphics retailer. Moreover, I’m sure that this problem also exists in other parts of the kernel, so, I believe it is a good point to discuss.
Let’s start from the premise that drivers are finite: you can grab the datasheet, code the hardware to the end of its features and finish the driver. And I might even say that you are right: drivers are finite. But, hardware companies don’t usually create one single product with singular characteristics: they usually create a product line, and sometimes product lines have children: another product line with some upgrades on the previous one.
💡 Product lines having children… For an OOP programmer, this sounds like a beautiful case for inheritance.
So, if you have a product line, are you going to create a file for each product? And for the product with a couple of features added, are you going to paste the previous driver and change a couple of hundreds of lines? This doesn’t seem like a great option, for a couple of reasons:
You see, it all comes down to maintainability.
As a great example of code reuse, you can check out the IIO subsystem. Hardware manufacturers such as Maxim and Analog Devices Inc usually have chips that share the same register map or share functionalities. Instead of creating a driver for each chip, developers write one single driver and add the compatible device IDs on the Device Table. For example, you can check the Maxim MAX1027 ADC driver, which is compatible with the MAX1027, MAX1029, MAX1031, MAX1227, MAX1229, and MAX1231. So we have one single driver for six devices: this is great for maintainability!
In this case, if I find a bug, I can make one single modification, and send one single patch, the maintainer will review one single time, and all runs smoothly.
Now, let’s take a look at the DML folder from the AMD’s Display Core, more
specifically the display_mode_vba files from DCN20 and DCN21. See that
these product lines are pretty similar, so maybe we can reuse a lot of the
code.
But, if you check the directory, you can see that we have three different
files: display_mode_vba_20.c, display_mode_vba_20v2.c and
display_mode_vba_21.c.
💡 You can check the difference between the files through:
$ diff drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c
And much of the code is identical: I mean there are functions that don’t change a line! This hits pretty hard on maintainability.
Now, if I find a bug, I need to make three modifications. Moreover, I might not even know that the code is duplicated, so I might only fix the bug in one place and leave the other files untouched. Then another developer might find the same bug once again, and will have to send it to the maintainer, who will have to review it one more time. This is a lot of rework!
And if I could guess a reason for AMD to copy and paste the code so many times, I would point out another maintainability issue: the functions are huge! Some functions from the VBA files have more than a thousand lines.
These huge functions from the VBA files implicate that if you want to change a couple of lines for your new product lines you need to copy and paste the whole function.
Ideally, from the principles of the Clean Code book, we would like to have small functions that should be simple and do one thing only. And I know: this is not applicable in 100% of the cases, but I cannot find a good reason for a function to be so huge and have dozens of parameters.
💡 Other than the readability, those huge functions also hurt the stack pretty badly.
Huge functions really hurt the readability, understandability, and testability of the code. Moreover, they make it difficult to avoid code duplication as the function has dozens of side effects.
More glossary for some software engineering terms:
- Readability: how easily a software artifact can be read?
- Understandability: how easily a software artifact can be comprehend?
But this is not a dead end for the AMDGPU’s DML code: I mean, the AMDGPU driver works awesomely on Linux, and code refactoring is always an option.
At this moment, we might conclude that as the AMDGPU driver is open-source, then we can fix those issues in the code. But it is definitely not safe to simply tear down the code and rewrite it in one single patch set, as the AMDGPU driver has to remain functional on Linux.
One way to fix this is through unit testing to ensure the code is properly refactored. Though, throughout my GSoC project, I ended up noticing that it is not possible to write a unit test for a thousand-line function. A huge function has many side effects and testing each one of them is not feasible.
Maybe for Display Mode VBA unit testing is not the only way to go. We probably could first break the functions into smaller, self-contained pieces, as this will help to create better tests, to improve readability, and to reduce the stack size.
Now with smaller functions, it is more feasible to share code across the DCNs and create a common interface for them.
This refactor can lead to the use of those design patterns I talked about earlier and make the DML more maintainable and readable. We can think about the use of inheritance where we have a base library, from which DCN20 can extend, and then DCN21 can extend from DCN20. And this is how those three huge files can become three small files.
And this refactor can start piece by piece:
This way we can make a safer refactor as unit testing is not viable. This doesn’t mean that we are not going to introduce any bugs in the process, but having a structured plan will help us avoid them.
I must say: this is the opinion of someone that came straight out of the university, thinking about well-structured code. So, I might be utopian about software engineering. I understand that the developers at AMD are doing their best and are working hard to provide the best features for us, Linux users.
But thinking of software is the best way to ensure the maintainability of our code, and bad code practices will prove costly one day or another.
Over the weekend, I asked on twitter if people would be interested in a rant about descriptor sets. As of the writing of this post, it has 46 likes so I’ll count that as a yes.
I kind-of hate descriptor sets…
Well, not descriptor sets per se. More descriptor set layouts. The fundamental problem, I think, was that we too closely tied memory layout to the shader interface. The Vulkan model works ok if your objective is to implement GL on top of Vulkan. You want 32 textures, 16 images, 24 UBOs, etc. and everything in your engine fits into those limits. As long as they’re always separate bindings in the shader, it works fine. It also works fine if you attempt to implement HLSL SM6.6 bindless on top of it. Have one giant descriptor set with all resources ever in giant arrays and pass indices into the shader somehow as part of the material.
The moment you want to use different binding interfaces in different shaders (pretty common if artists author shaders), things start to get painful. If you want to avoid excess descriptor set switching, you need multiple pipelines with different interfaces to use the same set. This makes the already painful situation with pipelines worse. Now you need to know the binding interfaces of all pipelines that are going to be used together so you can build the combined descriptor set layout and you need to know that before you can compile ANY pipelines. We tried to solve this a bit with multiple descriptor sets and pipeline layout compatibility which is supposed to let you mix-and-match a bit. It’s probably good enough for VS/FS mixing but not for mixing whole materials.
So, how did we get here? As with most things in Vulkan, a big part of the problem is that Vulkan targets a very diverse spread of hardware and everyone does descriptor binding a bit differently. In order to understand the problem space a bit, we need to look at the hardware…
DISCLAIMER:
I’m about to spill a truckload of hardware beans. Let me reassure you all that I am not violating any NDAs here. Everything I’m about to tell you is either publicly documented (AMD and Intel) or can be gleaned from reading public Mesa source code.
Descriptor binding methods in hardware can be roughly broken down into 4 broad categories, each with its own advantages and disadvantages:
Direct access (D): This is where the shader passes the entire descriptor to the access instruction directly. The descriptor may have been loaded from a buffer somewhere but the shader instructions do not reference that buffer in any way; they just take what they’re given. The classic example here is implementing SSBOs as “raw” pointer access. Direct access is extremely flexible because the descriptors can live literally anywhere but it comes at the cost of having to pass the full descriptor through the shader every time.
Descriptor buffers (B): Instead of passing the entire descriptor through the shader, descriptors live in a buffer. The buffers themselves are bound to fixed binding points or have their base addresses pushed into the shader somehow. The shader instruction takes either a fixed descriptor buffer binding index or a base address (as appropriate) along with some form of offset to the descriptor in the buffer. The difference between this and the direct access model is that the descriptor data lives in some other bit of memory that the hardware must first read before it can do the actual access. Changing buffer bindings, while definitely not free, is typically not incredibly expensive.
Descriptor heaps (H): Descriptors of a particular type all live in a single global table or heap. Because the table is global, changing it typically involves a full GPU stall and maybe dumping a bunch of caches. This makes changing out the table fairly expensive. Shader instructions which access these descriptors are passed an index into the global table. Because everything is fixed and global, this requires the least amount of data to pass through the shader of the three bindless mechanisms.
Fixed HW bindings (F): In this model, resources are bound to fixed HW slots, often by setting registers from the command streamer or filling out small tables in memory. With the push towards bindless, fixed HW bindings are typically only used for fixed-function things on modern hardware such as render targets and vertex, index, and streamout buffers. However, we still need to consider them because Vulkan 1.0 was designed to support pre-bindless hardware which might not be quite as nice.
Here’s a quick run-down on where things sit with most of the hardware shipping today:
| Hardware | Textures | Images | Samplers | Border Colors | Typed buffers | UBOs | SSBOs |
|---|---|---|---|---|---|---|---|
| NVIDIA (Kepler+) | H | H | H | H | D/F | D | |
| AMD | D | D | D | H | D | D | D |
| Intel (Skylake+) | H | H | H | H | H/D/F | H/D | |
| Intel (pre-Skylake) | F | F | F | F | D/F | F | |
| Arm (Valhal+) | B | B | B | B | B/D/F | B/D | |
| Arm (Pre-Valhal) | F | F | F | F | D/F | D | |
| Qualcomm (a5xx+) | B | B | B | B | B | B | |
| Broadcom (vc5) | D | D | D | D | D | D |
The line above for “Intel (pre-Skylake)” is a bit misleading. I’m labeling everything as fixed HW bindings but it’s actually a bit more flexible than most fixed HW binding mechanisms. It a sort of heap model but where, instead of indexing into heaps directly from the shader, everything goes through a second layer of indirection called a binding table which is restricted to 240 entries. On Skylake and later hardware, the binding table hardware still exists and uses a different set up heaps which provides a nice back-door for drivers. More on that when we talk about D3D12.
As you can see from above, the hardware landscape is quite diverse when it comes to descriptor binding. Everyone has made slightly different choices depending on the type of descriptor and picking a single model for everyone isn’t easy. The Vulkan answer to this was, of course, descriptor sets and their dreaded layouts.
Ignoring UBOs for the moment, the mapping from the Vulkan API to these hardware descriptors is conceptually fairly simple. The descriptor set layout describe a set of bindings, each with a binding type and a number of descriptors in that binding. The driver maps the binding type to the type of HW binding it uses and computes how much GPU or CPU memory is needed to store all the bindings. Fixed HW bindings are typically stored CPU-side and the actual bindings get set as part of vkCmdBindDescriptorSets() or vkCmdDraw/Dispatch(). For everything in one of the three bindless categories, they allocate GPU memory. For heap descriptors, descriptors may be allocated as part of the descriptor set or, to save memory, as part of the image or buffer view object. Given that descriptor heaps are often limited in size, allocating them as part of the view object is often preferred.
UBOs get weird. I’m not going to try and go into all of the details because there are often heuristics involved and it gets complicated fast. However, as you can see from the above table, most hardware has some sort of fixed HW binding for UBOs, even on bindless hardware. This is because UBOs are the hottest of hot paths and even small differences in UBO fetch speed turn into real FPS differences in games. This is why, even with descriptor indexing, UBOs aren’t required to support update-after-bind. The Intel Linux driver has three or four different paths a UBO may take based on how often it’s used relative to other UBOs, update-after-bind, and which shader stage it’s being accessed from.
The other thing I have yet to mention is dynamic buffers. These typically look like a fixed HW binding. How they’re implemented varies by hardware and driver. Often they use fixed HW bindings or the descriptors are loaded into the shader as push constants. Even if the buffer pointer comes from descriptor set memory, the dynamic offset has to get loaded in via some push-like mechanism.
DISCLAIMER:
Again, I’m going to talk details here. Again, in spite of the fact that there are exactly zero open-source D3D12 drivers, I can safely say that I’m not violating any NDAs. I’ve literally never seen the inside of a D3D12 driver. I’ve just read public documentation and am familiar with how hardware works and is driven. This is all based on D3D12 drivers I’ve written in my head, not the real deal. I may get a few things wrong.
For D3D12, Microsoft took a very different approach. They embraced heaps. D3D12 has these heavy-weight descriptor heap objects which have to be bound before you can execute any 3D or compute commands. Shaders have the usual HLSL register notation for describing the descriptor interface. When shaders are compiled into pipelines, descriptor tables are used to map the bindings in the shader to ranges in the relevant descriptor heap. While the size of a descriptor heap range remains fixed, each such range has a dynamic offset which allows the application to move it around at will.
With SM6.6, Microsoft added significant flexibility and further embraced heaps. Now, instead of having to use descriptor tables in the root descriptor, applications can use heap indices directly. This provides a full bindless experience. All the application developer has to do is manage heap allocations with resource lifetimes and figure out how to get indices into their shader. Gone are the days of fiddling with fixed interface layouts through side-bind pipeline create APIs. From what I’ve heard, most developers love it.
If D3D12 has embraced heaps, how does it work on AMD? They use descriptor buffers, don’t they? Yup. But, fortunately for Microsoft, a descriptor heap is just a very restrictive descriptor buffer. The AMD driver just uses two of their descriptor buffer bindings (resource and sampler heaps are separate in D3D12) and implements the heap as a descriptor buffer.
One downside to the descriptor heap approach is that it forces some amount of extra indirection, especially with the SM6.6 bindless model. If your application is using bindless, you first have to load a heap index from a constant buffer somewhere and then pass that to the load/store op. The load/store turns into a sequence of instruction that fetches the descriptor from the heap, does the offset calculation, and then does the actual load or store from the corresponding pointer. Depending on how often the shader does this, how many unique descriptors are involved, and the compiler’s ability to optimize away redundant descriptor fetches, this can add up to real shader time in a hurry.
The other major downside to the D3D12 model is that handing control of the hardware heaps to the application really ties driver writers’ hands. Any time the client does a copy or blit operation which isn’t implemented directly in the DMA hardware, the driver has to spin up the 3D hardware, set up a pipeline, and do a few draws. In order to do a blit, the pixel shader needs to be able to read from the blit source image. This means it needs a texture or UAV descriptor which needs to live in the heap which is now owned by the client. On AMD, this isn’t a problem because they can re-bind descriptor sets relatively cheaply or just use one of the high descriptor set bindings which they’re not using for heaps. On Intel, they have the very convenient back-door I mentioned above where the old binding table hardware still exists for fragment shaders.
Where this gets especially bad is on NVIDIA, which is a bit ironic given that the D3D12 model is basically exactly NVIDIA hardware. NVIDIA hardware only has one texture/image heap and switching it is expensive. How do they implement these DMA operations, then? First off, as far as I can tell, the only DMA operation in D3D12 that isn’t directly supported by NVIDIA’s DMA engine is MSAA resolves. D3D12 doesn’t have an equivalent of vkCmdBlitImage(). Applications are told to implement that themselves if they really want it. What saves them, I think (I can’t confirm), is that D3D12 exposes 106 descriptors to the application but NVIDIA hardware supports 220 descriptors. That leaves about 48k descriptors for internal usage. Some of those are reserved by Microsoft for tools such as PIX but I’m guessing a few of them are reserved for the driver as well. As long as the hardware is able to copy descriptors around a bit (NVIDIA is very good at doing tiny DMA ops), they can manage their internal descriptors inside this range. It’s not ideal, but it does work.
I have nothing to announce but me and others have been thinking about descriptors in Vulkan and how to make them better. I think we should be able to do something that’s better than the descriptor sets we have today. What is that? I’m personally not sure yet.
The good news is that, if we’re willing to ignore non-bindless hardware (I think we are for forward-looking things), there are really only two models: heaps and buffers. (Anything direct access can be stored in the heap or buffer and it won’t hurt anything.) I too can hear the siren call of D3D12 heaps but I’d really like to avoid tying the drivers hands like that. Even if NVIDIA were to rework their hardware to support two heaps today to get around the internal descriptors problem and make it part of the next generation of GPUs, we wouldn’t be able to rely on users having that for 5-10 years, longer depending on application targets.
If we keep letting drivers managing their own heaps, D3D12 layering on top of Vulkan becomes difficult. D3D12 doesn’t have image or buffer view objects in the same sense that Vulkan does. You just create descriptors and stick them in the heap somewhere. This means we either need to come up with a way to get rid of view objects in Vulkan or a D3D12 layer needs a giant cache of view objects, the lifetimes if which are difficult to manage to say the least. It’s quite the pickle.
As with many of my rant posts, I don’t really have a solution. I’m not even really asking for feedback and ideas. My primary goal is to educate people and help them understand the problem space. Graphics is insanely complicated and hardware vendors are notoriously cagey about the details. I’m hoping that, by demystifying things a bit, I can at the very least garner a bit of sympathy for what we at Khronos are trying to do and help people understand that it’s a near miracle that we’ve gotten where we are. 😅
The first part of this series covered principles of locking engineering. This part goes through a pile of locking patterns and designs, from most favourable and easiest to adjust and hence resulting in a long term maintainable code base, to the least favourable since hardest to ensure it works correctly and stays that way while the code evolves. For convenience even color coded, with the dangerous levels getting progressively more crispy red indicating how close to the burning fire you are! Think of it as Dante’s Inferno, but for locking.
As a reminder from the intro of the first part, with locking engineering I mean
the art of ensuring that there’s sufficient consistency in reading and
manipulating data structures, and not just sprinkling mutex_lock()
and mutex_unlock() calls around until the result looks reasonable
and lockdep has gone quiet.
The dumbest possible locking is no need for locking at all. Which does not mean
extremely clever lockless tricks for a “look, no calls to
mutex_lock()” feint, but an overall design which guarantees that
any writers cannot exist concurrently with any other access at all. This
removes the need for consistency guarantees while accessing an object at the
architectural level.
There’s a few standard patterns to achieve locking nirvana.
The lesson in graphics API design over the last decade is that immutable state objects rule, because they both lead to simpler driver stacks and also better performance. Vulkan instead of the OpenGL with it’s ridiculous amount of mutable and implicit state is the big example, but atomic instead of legacy kernel mode setting or Wayland instead of the X11 are also built on the assumption that immutable state objects are a Great Thing (tm).
The usual pattern is:
A single thread fully constructs an object, including any sub structures and
anything else you might need. Often subsystems provide initialization helpers for
objects that driver can subclass through embedding, e.g.
drm_connector_init() for initializing a kernel modesetting output
object. Additional functions can set up different or optional aspects of an
object, e.g. drm_connector_attach_encoder() sets up the invariant
links to the preceding element in a kernel modesetting display chain.
The fully formed object is published to the world, in the kernel this often
happens by registering it under some kind of identifier. This could be a global
identifier like register_chrdev() for character devices, something attached to a device like
registering a new display output on a driver with
drm_connector_register() or some struct xarray in the
file private structure. Note that this step here requires memory barriers of
some sort. If you hand roll the data structure like a list or lookup
tree with your own fancy locking scheme instead of using existing standard
interfaces you are on a fast path to level 3 locking hell. Don’t do that.
From this point on there are no consistency issues anymore and all threads can access the object without any locking.
Another way to ensure there’s no concurrent access is by only allowing one thread to own an object at a given point of time, and have well defined handover points if that is necessary.
Most often this pattern is used for asynchronously processing a userspace request:
The syscall or IOCTL constructs an object with sufficient information to process the userspace’s request.
That object is handed over to a worker thread with e.g.
queue_work().
The worker thread is now the sole owner of that piece of memory and can do whatever it feels like with it.
Again the second step requires memory barriers, which means if you hand roll
your own lockless queue you’re firmly in level 3 territory and won’t get rid of
the burned in red hot afterglow in your retina for quite some time. Use standard
interfaces like struct completion or even better libraries like the
workqueue subsystem here.
Note that the handover can also be chained or split up, e.g. for a nonblocking atomic kernel modeset requests there’s three asynchronous processing pieces involved:
The main worker, which pushes the display state update to the hardware and
which is enqueued with queue_work().
The userspace completion event handling built around struct
drm_pending_event and generally handed off to the interrupt handler of
the driver from the main worker and processed in the interrupt handler.
The cleanup of the no longer used old scanout buffers from the preceding
update. The synchronization between the preceding update and the cleanup is
done through struct completion to ensure that there’s only ever a
single worker which owns a state structure and is allowed to change it.
Users generally don’t appreciate if the kernel leaks memory too much, and cleaning up objects by freeing their memory and releasing any other resources tends to be an operation of the very much mutable kind. Reference counting to the rescue!
Every pointer to the reference counted object must guarantee that a reference
exists for as long as the pointer is in use. Usually that’s done by calling
kref_get() when making a copy of the pointer, but implied
references by e.g. continuing to hold a lock that protects a different pointer
are often good enough too for a temporary pointer.
The cleanup code runs when the last reference is released with
kref_put(). Note that this again requires memory barriers to work
correctly, which means if you’re not using struct kref then it’s
safe to assume you’ve screwed up.
Note that this scheme falls apart when released objects are put into some kind
of cache and can be resurrected. In that case your cleanup code needs to somehow
deal with these zombies and ensure there’s no confusion, and vice versa any code
that resurrects a zombie needs to deal the wooden spikes the cleanup code might
throw at an inopportune time. The worst example of this kind is
SLAB_TYPESAFE_BY_RCU, where readers that are only protected with
rcu_read_lock() may need to deal with objects potentially going
through simultaneous zombie resurrections, potentially multiple times, while
the readers are trying to figure out what is going on. This generally leads to
lots of sorrow, wailing and ill-tempered maintainers, as the GPU subsystem
has and continues to experience with struct dma_fence.
Hence use standard reference counting, and don’t be tempted by the siren of trying to implement clever caching of any kind.
It would be great if nothing ever changes, but sometimes that cannot be avoided. At that point you add a single lock for each logical object. An object could be just a single structure, but it could also be multiple structures that are dynamically allocated and freed under the protection of that single big dumb lock, e.g. when managing GPU virtual address space with different mappings.
The tricky part is figuring out what is an object to ensure that your lock is neither too big nor too small:
If you make your lock too big you run the risk of creating a dreaded subsystem lock, or violating the “Protect Data, not Code” principle in some other way. Split your locking further so that a single lock really only protects a single object, and not a random collection of unrelated ones. So one lock per device instance, not one lock for all the device instances in a driver or worse in an entire subsystem.
The trouble is that once a lock is too big and has firmly moved into “protects some vague collection of code” territory, it’s very hard to get out of that hole.
Different problems strike when the locking scheme is too fine-grained, e.g. in the GPU virtual memory management example when every address mapping in the big vma tree has its own private lock. Or when a structure has a lot of different locks for different member fields.
One issue is that locks aren’t free, the overhead of fine-grained locking can seriously hurt, especially when common operations have to take most of the locks anyway and so there’s no chance of any concurrency benefit. Furthermore fine-grained locking leads to the temptation of solving locking overhead with ever more clever lockless tricks, instead of radically simplifying the design.
The other issue is that more locks improve the odds for locking inversions, and those can be tough nuts to crack. Again trying to solve this with more lockless tricks to avoid inversions is tempting, and again in most cases the wrong approach.
Ideally, your big dumb lock would always be right-sized everytime the requirements on the datastructures changes. But working magic 8 balls tend to be on short supply, and you tend to only find out that your guess was wrong when the pain of the lock being too big or too small is already substantial. The inherent struggles of resizing a lock as the code evolves then keeps pushing you further away from the optimum instead of closer. Good luck!
It would be great if this is all the locking we ever need, but sometimes there’s functional reasons that force us to go beyond the single lock for each logical object approach. This section will go through a few of the common examples, and the usual pitfalls to avoid.
But before we delve into details remember to document in kerneldoc with the inline per-member kerneldoc comment style once you go beyond a simple single lock per object approach. It’s the best place for future bug fixers and reviewers - meaning you - to find the rules for how at least things were meant to work.
One of the main duties of the kernel is to track everything, least to make sure there’s no leaks and everything gets cleaned up again. But there’s other reasons to maintain lists (or other container structures) of objects.
Now sometimes there’s a clear parent object, with its own lock, which could also protect the list with all the objects, but this does not always work:
It might force the lock of the parent object to essentially become a subsystem lock and so protect much more than it should when following the “Protect Data, not Code” principle. In that case it’s better to have a separate (spin-)lock just for the list to be able to clearly untangle what the parent and subordinate object’s lock each protect.
Different code paths might need to walk and possibly manipulate the list both from the container object and contained object, which would lead to locking inversion if the list isn’t protected by it’s own stand-alone (nested) lock. This tends to especially happen when an object can be attached to multiple other objects, like a GPU buffer object can be mapped into multiple GPU virtual address spaces of different processes.
The constraints of calling contexts for adding or removing objects from the list could be different and incompatible from the requirements when walking the list itself. The main example here are LRU lists where the shrinker needs to be able to walk the list from reclaim context, whereas the superior object locks often have a need to allocate memory while holding each lock. Those object locks the shrinker can then only trylock, which is generally good enough, but only being able to trylock the LRU list lock itself is not.
Simplicity should still win, therefore only add a (nested) lock for lists or other container objects if there’s really no suitable object lock that could do the job instead.
Another example that requires nested locking is when part of the object is manipulated from a different execution context. The prime example here are interrupt handlers. Interrupt handlers can only use interrupt safe spinlocks, but often the main object lock must be a mutex to allow sleeping or allocating memory or nesting with other mutexes.
Hence the need for a nested spinlock to just protect the object state shared between the interrupt handler and code running from process context. Process context should generally only acquire the spinlock nested with the main object lock, to avoid surprises and limit any concurrency issues to just the singleton interrupt handler.
Very similar to the interrupt handler problems is coordination with async workers. The best approach is the single owner pattern, but often state needs to be shared between the worker and other threads operating on the same object.
The naive approach of just using a single object lock tends to deadlock:
start_processing(obj)
{
mutex_lock(&obj->lock);
/* set up the data for the async work */;
schedule_work(&obj->work);
mutex_unlock(&obj->lock);
}
stop_processing(obj)
{
mutex_lock(&obj->lock);
/* clear the data for the async work */;
cancel_work_sync(&obj->work);
mutex_unlock(&obj->lock);
}
work_fn(work)
{
obj = container_of(work, work);
mutex_lock(&obj->lock);
/* do some processing */
mutex_unlock(&obj->lock);
}
Do not worry if you don’t spot the deadlock, because it is a cross-release
dependency between the entire work_fn() and
cancel_work_sync() and these are a lot trickier to spot. Since
cross-release dependencies are a entire huge topic on themselves I won’t go into
more details, a good starting point is this LWN
article.
There’s a bunch of variations of this theme, with problems in different scenarios:
Replacing the cancel_work_sync() with cancel_work()
avoids the deadlock, but often means the work_fn() is prone to
use-after-free issues.
Calling cancel_work_sync()before taking the mutex can work in
some cases, but falls apart when the work is self-rearming. Or maybe the
work or overall object isn’t guaranteed to exist without holding it’s lock,
e.g. if this is part of an async processing queue for a parent structure.
Cancelling the work after the call to mutex_unlock() might race
with concurrent restarting of the work and upset the bookkeeping.
Like with interrupt handlers the clean solution tends to be an additional nested
lock which protects just the mutable state shared with the work function and
nests within the main object lock. That way work can be cancelled while the main
object lock is held, which avoids a ton of races. But without holding the
sublock that work_fn() needs, which avoids the deadlock.
Note that in some cases the superior lock doesn’t need to exist, e.g.
struct drm_connector_state is protected by the single
owner pattern, but drivers might have some need
for some further decoupled asynchronous processing, e.g. for handling the
content protect or link training machinery. In that case only the sublock for
the mutable driver private state shared with the worker exists.
Reference counting is a great pattern, but sometimes you need be able to store pointers without them holding a full reference. This could be for lookup caches, or because your userspace API mandates that some references do not keep the object alive - we’ve unfortunately committed that mistake in the GPU world. Or because holding full references everywhere would lead to unreclaimable references loops and there’s no better way to break them than to make some of the references weak. In languages with a garbage collector weak references are implemented by the runtime, and so no real worry. But in the kernel the concept has to be implemented by hand.
Since weak references are such a standard pattern struct kref has
ready-made support for them. The simple approach is using
kref_put_mutex() with the same lock that also protects the
structure containing the weak reference. This guarantees that either the weak
reference pointer is gone too, or there is at least somewhere still a strong
reference around and it is therefore safe to call kref_get(). But
there are some issues with this approach:
It doesn’t compose to multiple weak references, at least if they are protected
by different locks - all the locks need to be taken before the final
kref_put() is called, which means minimally some pain with lock
nesting and you get to hand-roll it all to boot.
The mutex required to be held during the final put is the one which protects the structure with the weak reference, and often has little to do with the object that’s being destroyed. So a pretty nasty violation of the big dumb lock pattern. Furthermore the lock is held over the entire cleanup function, which defeats the point of the reference counting pattern, which is meant to enable “no locking” cleanup code. It becomes very tempting to stuff random other pieces of code under the protection of this look, making it a sprawling mess and violating the principle to protect data, not code: The lock held during the entire cleanup operation is protecting against that cleanup code doing things, and not anymore a specific data structure.
The much better approach is using kref_get_unless_zero(), together
with a spinlock for your data structure containing the weak reference. This
looks especially nifty in combination with struct xarray.
obj_find_in_cache(id)
{
xa_lock();
obj = xa_find(id);
if (!kref_get_unless_zero(&obj->kref))
obj = NULL;
xa_unlock();
return obj;
}
With this all the issues are resolved:
Arbitrary amounts of weak references in any kind of structures protected by their own spinlock can be added, without causing dependencies between them.
In the object’s cleanup function the same spinlock only needs to be held right around when the weak references are removed from the lookup structure. The lock critical section is no longer needlessly enlarged, we’re back to protecting data instead of code.
With both together the locking does no longer leak beyond the lookup structure
and it’s associated code any more, unlike with kref_put_mutex() and
similar approaches. Thankfully kref_get_unless_zero() has become
the much more popular approach since it was added 10 years ago!
We’ve now seen a few examples where the “no locking” patterns from level 0 collide in annoying ways when more locking is added to the point where we seem to violate the principle to protect data, not code. It’s worth to look at this a bit closer, since we can generalize what’s going on here to a fairly high-level antipattern.
The key insight is that the “no locking” patterns all rely on memory barrier
primitives in disguise, not classic locks, to synchronize access between
multiple threads. In the case of the single owner
pattern there might also be blocking semantics
involved, when the next owner needs to wait for the previous owner to finish
processing first. These are functions like flush_work() or the
various wait functions like wait_event() or
wait_completion().
Calling these barrier functions while holding locks commonly leads to issues:
Blocking functions like flush_work() pull in every lock or other
dependency the work we wait on, or more generally, any of the previous owners
of an object needed as a so called cross-release dependency. Unfortunately
lockdep does not understand these natively, and the usual tricks to add manual
annotations have severe limitations. There’s work ongoing to add
cross-release dependency tracking to
lockdep, but nothing looks anywhere near
ready to merge. Since these dependency chains can be really long and get ever
longer when more code is added to a worker - dependencies are pulled in even
if only a single lock is held at any given time - this can quickly become a
nightmare to untangle.
Often the requirement to hold a lock over these barrier type functions comes from the fact that the object would disappear. Or otherwise undergo some serious confusion about it’s lifetime state - not just whether it’s still alive or getting destroyed, but also who exactly owns it or whether it’s maybe a resurrected zombie representing a different instance now. This encourages that the lock morphs from a “protects some specific data” to a “protects specific code from running” design, leading to all the code maintenance issues discussed in the protect data, not code principle.
For these reasons try as hard as possible to not hold any locks, or as few as feasible, when calling any of these memory barriers in disguise functions used to manage object lifetime or ownership in general. The antipattern here is abusing locks to fix lifetime issues. We have seen two specific instances thus far:
kref_put_mutex instead of kref_get_unless_zero() in
the weak reference pattern. This is a
special case of the reference counting
pattern, but with some finer-grained
locking added to support weak references.
Calling flush_work() while holding locks in the async
worker. This is a special case of the
single owner pattern, again with a bit more
locking added to support some mutable state.
We will see some more, but the antipattern holds in general as a source of troubles.
We’ve looked at a pile of functional reasons for complicating the locking design, but sometimes you need to add more fine-grained locking for performance reasons. This is already getting dangerous, because it’s very tempting to tune some microbenchmark just because we can, or maybe delude ourselves that it will be needed in the future. Therefore only complicate your locking if:
You have actual real world benchmarks with workloads relevant to users that show measurable gains outside of statistical noise.
You’ve fully exhausted architectural changes to outright avoid the overhead, like io_uring pre-registering file descriptors locally to avoid manipulating the file descriptor table.
You’ve fully exhausted algorithm improvements like batching up operations to amortize locking overhead better.
Only then make your future maintenance pain guaranteed worse by applying more tricky locking than the bare minimum necessary for correctness. Still, go with the simplest approach, often converting a lock to its read-write variant is good enough.
Sometimes this isn’t enough, and you actually have to split up a lock into more fine-grained locks to achieve more parallelism and less contention among threads. Note that doing so blindly will backfire because locks are not free. When common operations still have to take most of the locks anyway, even if it’s only for short time and in strict succession, the performance hit on single threaded workloads will not justify any benefit in more threaded use-cases.
Another issue with more fine-grained locking is that often you cannot define a strict nesting hierarchy, or worse might need to take multiple locks of the same object or lock class. I’ve written previously about this specific issue, and more importantly, how to teach lockdep about lock nesting, the bad and the good ways.
One really entertaining story from the GPU subsystem, for bystanders at least, is that we really screwed this up for good by defacto allowing userspace to control the lock order of all the objects involved in an IOCTL. Furthermore disjoint operations should actually proceed without contention. If you ever manage to repeat this feat you can take a look at the wait-wound mutexes. Or if you just want some pretty graphs, LWN has an old article about wait-wound mutexes too.
Do not go here wanderer!
Seriously, I have seen a lot of very fancy driver subsystem locking designs, I have not yet found a lot that were actually justified. Because only real world, non-contrived performance issues can ever justify reaching for this level, and in almost all cases algorithmic or architectural fixes yield much better improvements than any kind of (locking) micro-optimization could ever hope for.
Hence this is just a long list of antipatterns, so that people who have not yet a grumpy expression permanently chiseled into their facial structure know when they’re in trouble.
Note that this section isn’t limited to lockless tricks in the academic sense of
guaranteed constant overhead forward progress, meaning no spinning or retrying
anywhere at all. It’s for everything which doesn’t use standard locks like
struct mutex, spinlock_t, struct
rw_semaphore, or any of the others provided in the Linux kernel.
Yeah RCU is really awesome and impressive, but it comes at serious costs:
By design, at least with standard usage, RCU elevates mixing up lifetime and
consistency
concerns
to a virtue. rcu_read_lock() gives you both a read-side critical
section and it extends the lifetime of any RCU protected object. There’s
absolutely no way you can avoid that antipattern, it’s built in.
Worse, RCU read-side critical section nest rather freely, which means unlike with real locks abusing them to keep objects alive won’t run into nasty locking inversion issues when you pull that stunt with nesting different objects or classes of objects. Using locks to paper over lifetime issues is bad, but with RCU it’s weapons-grade levels of dangerous.
Equally nasty, RCU practically forces you to deal with zombie objects, which breaks the reference counting pattern in annoying ways.
On top of all this breaking out of RCU is costly and kinda defeats the point,
and hence there’s a huge temptation to delay this as long as possible. Meaning
check as many things and dereference as many pointers under RCU protection as
you can, before you take a real lock or upgrade to a proper reference with
kref_get_unless_zero().
Unless extreme restraint is applied this results in RCU leading you towards locking antipatterns. Worse RCU tends to spread them to ever more objects and ever more fields within them.
All together all freely using RCU achieves is proving that there really is no
bottom on the code maintainability scale. It is not a great day when your driver
dies in synchronize_rcu() and lockdep has no idea what’s going on,
and I’ve seen such days.
Personally I think in driver subsystem the most that’s still a legit and
justified use of RCU is for object lookup with struct xarray and
kref_get_unless_zero(), and cleanup handled entirely by
kfree_rcu(). Anything more and you’re very likely chasing a rabbit
down it’s hole and have not realized it yet.
Firstly, Linux atomics have two annoying properties just to start:
Unlike e.g. C++ atomics in userspace they are unordered or weakly ordered by default in a lot of cases. A lot of people are surprised by that, and then have an even harder time understanding the memory barriers they need to sprinkle over the code to make it work correctly.
Worse, many atomic functions neither operate on the atomic types
atomic_t and atomic64_t nor have atomic
anywhere in their names, and so pose serious pitfalls to reviewers:
READ_ONCE() and WRITE_ONCE for volatile stores and
loads.cmpxchg() and the various variants of atomic exchange with or
without a compare operation.set_bit() are all atomic. Worse, their
non-atomic variants have the __set_bit() double underscores to
scare you away from using them, despite that these are the ones you really
want by default.Those are a lot of unnecessary trap doors, but the real bad part is what people tend to build with atomic instructions:
I’ve seen at least three different, incomplete and ill-defined reimplementations of read write semaphores without lockdep support. Reinventing completions is also pretty popular. Worse, the folks involved didn’t realize what they built. That’s an impressive violation of the “Make it Correct” principle.
It seems very tempting to build terrible variations of the “no locking” patterns. It’s very easy to screw them up by extending them in a bad way, e.g. reference counting with weak reference or RCU optimizations done wrong very quickly leads to a complete mess. There are reasons why you should never deviate from these.
What looks innocent are statistical counters with atomics, but almost always
there’s already a lock you could take instead of unordered counter updates.
Often resulting in better code organization to boot since the statistics for a
list and it’s manipulation are then closer together. There are some exceptions
with real performance justification, a recent one I’ve seen is memory
shrinkers where you really want your shrinker->count_objects() to
not have to acquire any locks. Otherwise in a memory intense workload all
threads are stuck on the one thread doing actual reclaim holding the same lock
in your shrinker->scan_objects() function.
In short, unless you’re actually building a new locking or synchronization primitive in the core kernel, you most likely do not want to get seen even looking at atomic operations as an option.
preempt/local_irq/bh_disable() and Friends …This one is simple: Lockdep doesn’t understand them. The real-time folks hate
them. Whatever it is you’re doing, use proper primitives instead, and at least
read up on the LWN coverage on why these are
problematic what to do instead. If you need
some kind of synchronization primitive - maybe to avoid the lifetime vs.
consistency antipattern
pitfalls -
then use the proper functions for that like synchronize_irq().
Or more often, lack of them, incorrect or imbalanced use of barriers, badly or wrongly or just not at all documented memory barriers, or …
Fact is that exceedingly most kernel hackers, and more so driver people, have no useful understanding of the Linux kernel’s memory model, and should never be caught entertaining use of explicit memory barriers in production code. Personally I’m pretty good at spotting holes, but I’ve had to learn the hard way that I’m not even close to being able to positively prove correctness. And for better or worse, nothing short of that tends to cut it.
For a still fairly cursory discussion read the LWN series on lockless algorithms. If the code comments and commit message are anything less rigorous than that it’s fairly safe to assume there’s an issue.
Now don’t get me wrong, I love to read an article or watch a talk by Paul McKenney on RCU like anyone else to get my brain fried properly. But aside from extreme exceptions this kind of maintenance cost has simply no justification in a driver subsystem. At least unless it’s packaged in a driver hacker proof library or core kernel service of some sorts with all the memory barriers well hidden away where ordinary fools like me can’t touch them.
I hope you enjoyed this little tour of progressively more worrying levels of locking engineering, with really just one key take away:
Simple, dumb locking is good locking, since with that you have a fighting chance to make it correct locking.
Thanks to Daniel Stone and Jason Ekstrand for reading and commenting on drafts of this text.
For various reasons I spent the last two years way too much looking at code with terrible locking design and trying to rectify it, instead of a lot more actual building cool things. Symptomatic that the last post here on my neglected blog is also a rant on lockdep abuse.
I tried to distill all the lessons learned into some training slides, and this two part is the writeup of the same. There are some GPU specific rules, but I think the key points should apply to at least apply to kernel drivers in general.
The first part here lays out some principles, the second part builds a locking engineering design pattern hierarchy from the most easiest to understand and maintain to the most nightmare inducing approaches.
Also with locking engineering I mean the general problem of protecting data structures against concurrent access by multiple threads and trying to ensure that each sufficiently consistent view of the data it reads and that the updates it commits won’t result in confusion. Of course it highly depends upon the precise requirements what exactly sufficiently consistent means, but figuring out these kind of questions is out of scope for this little series here.
Designing a correct locking scheme is hard, validating that your code actually implements your design is harder, and then debugging when - not if! - you screwed up is even worse. Therefore the absolute most important rule in locking engineering, at least if you want to have any chance at winning this game, is to make the design as simple and dumb as possible.
Since this is the key principle the entire second part of this series will go through a lot of different locking design patterns, from the simplest and dumbest and easiest to understand, to the most hair-raising horrors of complexity and trickiness.
Meanwhile let’s continue to look at everything else that matters.
Since simple doesn’t necessarily mean correct, especially when transferring a concept from design to code, we need guidelines. On the design front the most important one is to design for lockdep, and not fight it, for which I already wrote a full length rant. Here I will only go through the main lessons: Validating locking by hand against all the other locking designs and nesting rules the kernel has overall is nigh impossible, extremely slow, something only few people can do with any chance of success and hence in almost all cases a complete waste of time. We need tools to automate this, and in the Linux kernel this is lockdep.
Therefore if lockdep doesn’t understand your locking design your design is at fault, not lockdep. Adjust accordingly.
A corollary is that you actually need to teach lockdep your locking rules, because otherwise different drivers or subsystems will end up with defacto incompatible nesting and dependencies. Which, as long as you never exercise them on the same kernel boot-up, much less same machine, wont make lockdep grumpy. But it will make maintainers very much question why they are doing what they’re doing.
Hence at driver/subsystem/whatever load time, when CONFIG_LOCKDEP is enabled, take all key locks in the correct order. One example for this relevant to GPU drivers is in the dma-buf subsystem.
In the same spirit, at every entry point to your library or subsytem, or
anything else big, validate that the callers hold up the locking contract with
might_lock(), might_sleep(), might_alloc() and all the variants and
more specific implementations of this. Note that there’s a huge overlap between
locking contracts and calling context in general (like interrupt safety, or
whether memory allocation is allowed to call into direct reclaim), and since all
these functions compile away to nothing when debugging is disabled there’s
really no cost in sprinkling them around very liberally.
On the implementation and coding side there’s a few rules of thumb to follow:
Never invent your own locking primitives, you’ll get them wrong, or at least build something that’s slow. The kernel’s locks are built and tuned by people who’ve done nothing else their entire career, you wont beat them except in bug count, and that by a lot.
The same holds for synchronization primitives - don’t build your own with a
struct wait_queue_head, or worse, hand-roll your own wait queue.
Instead use the most specific existing function that provides the
synchronization you need, e.g. flush_work() or
flush_workqueue() and the enormous pile of variants available for
synchronizing against scheduled work items.
A key reason here is that very often these more specific functions already come with elaborate lockdep annotations, whereas anything hand-roll tends to require much more manual design validation.
Finally at the intersection of “make it dumb” and “make it correct”, pick the simplest lock that works, like a normal mutex instead of an read-write semaphore. This is because in general, stricter rules catch bugs and design issues quicker, hence picking a very fancy “anything goes” locking primitives is a bad choice.
As another example pick spinlocks over mutexes because spinlocks are a lot more strict in what code they allow in their critical section. Hence much less risk you put something silly in there by accident and close a dependency loop that could lead to a deadlock.
Speed doesn’t matter if you don’t understand the design anymore in the future, you need simplicity first.
Speed doesn’t matter if all you’re doing is crashing faster. You need correctness before speed.
Finally speed doesn’t matter where users don’t notice it. If you micro-optimize a path that doesn’t even show up in real world workloads users care about, all you’ve done is wasted time and committed to future maintenance pain for no gain at all.
Similarly optimizing code paths which should never be run when you instead improve your design are not worth it. This holds especially for GPU drivers, where the real application interfaces are OpenGL, Vulkan or similar, and there’s an entire driver in the userspace side - the right fix for performance issues is very often to radically update the contract and sharing of responsibilities between the userspace and kernel driver parts.
The big example here is GPU address patch list processing at command submission time, which was necessary for old hardware that completely lacked any useful concept of a per process virtual address space. But that has changed, which means virtual addresses can stay constant, while the kernel can still freely manage the physical memory by manipulating pagetables, like on the CPU. Unfortunately one driver in the DRM subsystem instead spent an easy engineer decade of effort to tune relocations, write lots of testcases for the resulting corner cases in the multi-level fastpath fallbacks, and even more time handling the impressive amounts of fallout in the form of bugs and future headaches due to the resulting unmaintainable code complexity …
In other subsystems where the kernel ABI is the actual application contract these kind of design simplifications might instead need to be handled between the subsystem’s code and driver implementations. This is what we’ve done when moving from the old kernel modesetting infrastructure to atomic modesetting. But sometimes no clever tricks at all help and you only get true speed with a radically revamped uAPI - io_uring is a great example here.
A common pitfall is to design locking by looking at the code, perhaps just sprinkling locking calls over it until it feels like it’s good enough. The right approach is to design locking for the data structures, which means specifying for each structure or member field how it is protected against concurrent changes, and how the necessary amount of consistency is maintained across the entire data structure with rules that stay invariant, irrespective of how code operates on the data. Then roll it out consistently to all the functions, because the code-first approach tends to have a lot of issues:
A code centric approach to locking often leads to locking rules changing over the lifetime of an object, e.g. with different rules for a structure or member field depending upon whether an object is in active use, maybe just cached or undergoing reclaim. This is hard to teach to lockdep, especially when the nesting rules change for different states. Lockdep assumes that the locking rules are completely invariant over the lifetime of the entire kernel, not just over the lifetime of an individual object or structure even.
Starting from the data structures on the other hand encourages that locking rules stay the same for a structure or member field.
Locking design that changes depending upon the code that can touch the data would need either complicated documentation entirely separate from the code - so high risk of becoming stale. Or the explanations, if there are any are sprinkled over the various functions, which means reviewers need to reacquire the entire relevant chunks of the code base again to make sure they don’t miss an odd corner cases.
With data structure driven locking design there’s a perfect, because unique place to document the rules - in the kerneldoc of each structure or member field.
A consequence for code review is that to recheck the locking design for a code first approach every function and flow has to be checked against all others, and changes need to be checked against all the existing code. If this is not done you might miss a corner cases where the locking falls apart with a race condition or could deadlock.
With a data first approach to locking changes can be reviewed incrementally against the invariant rules, which means review of especially big or complex subsystems actually scales.
When facing a locking bug it’s tempting to try and fix it just in the affected code. By repeating that often enough a locking scheme that protects data acquires code specific special cases. Therefore locking issues always need to be first mapped back to new or changed requirements on the data structures and how they are protected.
The big antipattern of how you end up with code centric locking is to protect
an entire subsystem (or worse, a group of related subsystems) with a single
huge lock. The canonical example was the big kernel lock BKL, that’s gone, but
in many cases it’s just replaced by smaller, but still huge locks like
console_lock().
This results in a lot of long term problems when trying to adjust the locking design later on:
Since the big lock protects everything, it’s often very hard to tell what it does not protect. Locking at the fringes tends to be inconsistent, and due to that its coverage tends to creep ever further when people try to fix bugs where a given structure is not consistently protected by the same lock.
Also often subsystems have different entry points, e.g. consoles can be reached through the console subsystem directly, through vt, tty subsystems and also through an enormous pile of driver specific interfaces with the fbcon IOCTLs as an example. Attempting to split the big lock into smaller per-structure locks pretty much guarantees that different entry points have to take the per-object locks in opposite order, which often can only be resolved through a large-scale rewrite of all impacted subsystems.
Worse, as long as the big subsystem lock continues to be in use no one is spotting these design issues in the code flow. Hence they will slowly get worse instead of the code moving towards a better structure.
For these reasons big subsystem locks tend to live way past their justified usefulness until code maintenance becomes nigh impossible: Because no individual bugfix is worth the task to really rectify the design, but each bugfix tends to make the situation worse.
Stay tuned for next week’s installment, which will cover what these principles mean when applying to practice: Going through a large pile of locking design patterns from the most desirable to the most hair raising complex.
There is a steady progress being made since :tada: Turnip is Vulkan 1.1 Conformant :tada:. We now support GL 4.6 via Zink, implemented a lot of extensions, and are close to Vulkan 1.3 conformance.
Support of real-world games is also looking good, here is a video of Adreno 660 rendering “The Witcher 3”, “The Talos Principle”, and “OMD2”:
All of them have reasonable frame rate. However, there was a bit of “cheating” involved. Only “The Talos Principle” game was fully running on the development board (via box64), other two games were only rendered in real time on Adreno GPU, but were ran on x86-64 laptop with their VK commands being streamed to the dev board. You could read about this method in my post “Testing Vulkan drivers with games that cannot run on the target device”.
The video was captured directly on the device via OBS with obs-vkcapture, which worked surprisingly well after fighting a bunch of issues due to the lack of binary package for it and a bit dated Ubuntu installation.
A number of extensions were implemented that are required for Zink to support higher GL versions. As of now Turnip supports OpenGL 4.6 via Zink, and while yet not conformant - only a handful of GL CTS tests are failing. For the perspective, Freedreno (our GL driver for Adreno) supports only OpenGL 3.3.
For Zink adventures and profound post titles check out Mike Blumenkrantz’s awesome blog supergoodcode.com
If you are interested in Zink over Turnip bring up in particular, you should read:
A major improvement for low resolution Z optimization (LRZ) was recently made in Turnip, read about it in the previous post of mine: LRZ on Adreno GPUs
Anyway, since the last update Turnip supports many more extensions (in no particular order):
From mesamatrix.net/#Vulkan1.3
For Vulkan 1.3 conformance there are only a few extension left to implement. The only major ones are VK_KHR_dynamic_rendering and VK_EXT_inline_uniform_block required for Vulkan 1.3. VK_KHR_dynamic_rendering is currently being reviewed and foundation for VK_EXT_inline_uniform_block was recently merged.
That’s all for today!
Unless you’ve run into a terrible problem with your GPU, I bet you never spent some time actually thinking about how we depend so heavily on graphics to actually do anything meaningful1 on a computer: from small square blinking letters on a terminal to the utmost insanely complex games we play these days - in the context of Linux, it all depends on the DRI!
This should come as surprise to no one! And as you can probably imagine, the Linux graphics stack is comprised of many layers of abstractions, going from the largely abstracted userspace application that you’re running (a browser!) to the bytecode that is actually interpreted by your graphics card.
These many abstractions are what allow us to have our glorious moments of being a hero (or maybe a villain, whatever you’re up to…) without even noticing what’s happening, and – most importantly – that allow game devs to make such complex games without having to worry about an awful lot of details. They’re really a marvel of engineering (!), but not by accident!
All of those abstraction layers come with a history of their own2, and it’s kinda amazing that we can even have such a smooth experience with all of those, community-powered, beautifully thought out, moving pieces, twisting and turning in a life of their own.
Just have a look at the beast we’ll be getting into! Feeling adventurous today, ain’t you? Well, fear not. It’s definitely not as bad as it seems, and there’s a lot of logic behind (most) things, so let’s go step by step :).
Though in most cases we start from the bottom of the stack and build our way towards the top, here I think it makes more sense for us to build it upside down, as that’s what we’re used to interacting with.
On a funny thought experiment, maybe driver designers do live upside down, who knows…
Even though Linux is generally regarded as a developer/hacker OS, most modern distributions don’t require you to ever leave a graphic environment. Even if you love using the “terminal” on your distro, that’s simply a terminal emulator, which “simulates” using a modern TTY3.
While TTYs are provided by the kernel itself, we need so-called display servers to actually render something more complex to the user’s screen. It acts as an intermediate, dealing with multiple applications wanting to draw things to the screen simultaneously.
As Linux was created during an era where computation was very much migrating from a model of “distributed access” (through time-sharing1), you can still peek into a TTY if you want to:
On most distribution, pressing
CTRL+ALT+F1(or+F2,+F3and so on) will take you to an old-school text-only display (of course one of these TTYs will also contain the display server session you began with).
Check out a classic teleprinter in action in this video or, if you want to understand the working details on Linux, check out the TTY demystified blog post.
But then, it seems logical that the graphic session we’re used to is one layer above the OS itself, which only provides those TTYs and, quite likely, the Application Binary Interface (i.e. ABI) needed to “talk” to the OS, which is indeed the case (currently) :).
In an X session for example, the X server (or your compositor) will render its windows through this ABI, and not directly through the hardware. Actually, the kernel ABI for hardware access through the Direct Rendering Infrastructure (DRI) is a recent development. Before it, the X server would simply access hardware directly, so all userspace software depended on it, and the slightest lack of coordination between applications could wreak havoc in the graphics card 😵!
The X server has many years of history and lots of “curious” design choices (to put it lightly). If you’re at all interested on understand it better, have a look at the xplain blog!
But enough historic techno-babble! How does our application, then, render its stuff using a window server? The short answer is: it doesn’t!
Actually, anything that wants to render elements that are independent of a window server will have to use a graphics API like OpenGL, and that’s where Mesa comes in!
First, notice that we’re already down a level: the window server shows us cute windows and deals with user input in that interface, wonderful! But then I open Minecraft, and we’re already asking for 3D objects which the window server can’t possibly handle effectively, so Mesa was introduced to provide a second route for applications to send their complex commands directly to the kernel, without the need to go through the display sessions’ (bloated and slow) rendering mechanisms, which are quite often single-handedly optimized to show us application interfaces (the infamous GUIs).
As a side note, the X server is also OpenGL capable, and you can see this
through its glx* API commands, or even some commands (ever heard of
glxgears? 😏).
On a birds eye view, our (supposed) game will try to run its 3D routines, which
are written in shader-speak (for example OpenGL’s, whose language is called
GLSL), which Mesa handles for us, compiling and optimizing it for our
specific GPU, then sending it to be run by the kernel, just like your window
server does, but for anything!
An important point to notice here is that, of course, the window server is still needed for user interaction in our game. It will query and send user commands to the application, and will also handle windowing and displaying stuff (including our game, as its window is still managed by the window server), as well as dealing with many other system-related interactions that would be a nightmare for game devs to implement.
Another important point is that writing user applications which don’t require using shaders would be a total nightmare without a display manager, as it provides many useful abstractions for that use case (which already covers >90% of the uses cases for most people).
We’re getting close! Next stop is: the Linux kernel!
The Linux kernel is, of course, comprised of many moving parts, including inside the Direct Rendering Manager (DRM) itself, which I cannot possibly explain in this one blog post (sorry about that!).
The DRM is addressed using ioctls (short for I/O Control), which are
syscalls (short for System Call) used for device specific control, as
providing generalist syscalls would be nearly impossible – it’s more
feasible to create one ioctl(device, function, parameters) then treat this in
a driver than to create 2000 mygpu_do_something_syscall(parameters) for
“obvious” reasons.
For the inexperienced reader, it’s interesting to notice here that the approach
of one syscall per driver-specific command would bloat the general kernel ABI
with too many generally useless functions, as the large majority of them would
be used for one and only one driver.
Just for reference, in my kernel I have 465 syscalls as defined in the
system manual. Putting this vs a simple estimate of drivers in the kernel *
commands only they use should give you some perspective on the issue.
Just use
man syscalls | grep -E '.*\(2.\s+[0-9.]+' | wc -lif you want to query thesyscalls defined in your kernel.
Those ioctls are then wrapped inside a
libdrm library that provides a
more comprehensible interface for the poor Mesa developers, which would
otherwise need to keep checking every ioctl they want to use for the
unusual macro names
provided by the kernel’s userspace API.
One very shady aspect of graphics rendering that the DRM deals with is GPU memory management, and it does this through two interfaces, namely:
The older of those two is TTM, which was a generalist approach for memory management, and it provides literally everything anyone could ever hope for. That being said, TTM is regarded as too difficult to use45 as it provides a gigantic API, and very convoluted must-have features that end up being unyielding. For instance, TTM’s fencing mechanism – which is responsible for coordinating memory access between the GPU and CPU, just like semaphores if you’re used to them at all – has a very odd interface. We could also talk about TTM’s general inefficiencies which have been noted time and time again, as well as its “wicked ways” of doing things, which abuse the DMA (short for Direct Memory Access) API for one (check out König’s talk for more6).
Just like evolution, an alternative to TTM had to come along, and that was our friend GEM – which was conceived by Intel, as a simplified interface for memory management. It’s much easier to use by comparison, but also much more simplified and thus, only fully attends Intel’s specific use case – that is, integrated video cards7 –, as it’s limited to addressing memory shared by both GPU and CPU (no discrete video card support at all, really). It also won’t handle any fencing, and simply “wait” for the GPU to finish its thing before moving on, which is a no-no for those beefy discrete GPUs.
Then, as anyone sane would much rather be dealing with GEM, all software
engineers fired themselves from other companies and went to Intel. I hear
they’re currently working hard to deprecate TTM in an integrated graphics
supremacy movement. Jokes aside, what actually happened is that DRM drivers
will usually implement the needed memory management (including fencing)
functionality in TTM, but provide GEM-like APIs for those things, so that
everyone ends up happy (except for the people implementing these interfaces, as
they’re probably quite depressed).
These memory related aspects are a rabbit hole of their own, and if you’d like to have a deeper look into this, I recommend these resources:
It’s important to notice, though, that kernel devs are working hard into making TTM nicer all around, as it’s used by too many drivers to simply, paraphrasing König, “be set on fire” and start a memory interface anew. If you want some perspective, take a look at Christian König’s amazing talk1, where he talks about TTM from the viewpoint of a maintainer.
Notice, however, that the DRM is only responsible for graphics rendering and display mode-setting (that is, basically, setting resolution and refresh rate) is done in a separate (but related) subsystem, called KMS (short for Kernel Mode Setting).
The KMS logically separates various aspects of image transmission, such as
And you can actually find where this information is available by consulting the
/sys/class/drm folder. There you can see subdirectories referring to specific
graphics cards (i.e. card*) and also their render nodes, which indicate
their capabilities of executing general programming applications, like the
ones in machine learning, which don’t depend on having a graphical output.
Inside these subdirectories, then, you can see some files indicating things
like connection status or mode list.
For a quick overview, check out this image:
I can already hear you say
OMG Isinya, that was a hell of a lot of information 😵.
But hey, you just read it through (what a nerd)! On a following post I’ll talk about testing the kernel pieces of this puzzle, hope to see you then :).
A small disclaimer: of course there are many disabled people which need other methods of interaction with a computer that don’t rely as heavily on graphics, and I do think it’s a huge problem that we don’t have alternatives for those people in a large majority of cases, as most software does not give the lightest thought to the vision impaired. I should talk more about this in the future but, for now, please don’t forget it’s an existing issue that needs addressing!
Which I might even talk about in another post – excuse me, but that requires a little too much research for the time I have currently.
A classical TTY (or teleprinter for the acquainted) used to be an endpoint for interaction with a central computer that held all the resources for users (we call that a time-sharing computer), and was actually not much used outside of that context. A terminal emulator would be called a pseudo TTY (PTY).
The attentive reader might have thought about Intel’s discrete video cards at this point, and as a matter of fact Intel is actually working with TTM to support those products. See: phoronix.com - Linux 5.14 enabling Intel graphics TTM usage for their dGPUs
$ vlan
Device not provided
vlan $DEV $VLAN $SUBNET
vlan eth0 42 10.31.155.1/27
This is a achieved by pasting the below function into your .bashrc / .zshrc and issuing a source .bashrc or source .zshrc correspondingly.
function vlan {
DEV=$1
VLAN=$2
ADDR=$3
HELP="
vlan \$DEV \$VLAN \$SUBNET
vlan eth0 42 10.31.155.1/27
"
if [ -z "$DEV" ]; then
echo "Device not provided"
echo "$HELP"
return 1
fi
ip link | grep "${DEV}: " >/dev/null 2>&1
if [ $? -ne 0 ]; then
echo "\"$DEV\" is not a valid device"
echo "$HELP"
return 1
fi
if [ -z "$VLAN" ]; then
echo "VLAN not provided"
echo "$HELP"
exit 1
fi
REGEX='^[0-9]+$'
if ! [[ $VLAN =~ $REGEX ]] ; then
echo "\"$VLAN\" is not a number" >&2; exit 1
echo …The software Vulkan renderer in Mesa, lavapipe, achieved official Vulkan 1.3 conformance. The official entry in the table is here . We can now remove the nonconformant warning from the driver. Thanks to everyone involved!
Anyone else remember way back years ago when I implemented descriptor caching for zink because I couldn’t even hit 60 fps in Unigine Heaven due to extreme CPU bottlenecking? Also because I got to make incredible flowcharts to post here?
Good times.
Simpler times.
But now times have changed.
As recently as a year ago I blogged about new descriptor infrastructure I was working on, specifically “lazy” descriptors. This endeavor was the culmination of a month or two of wild exploration into the problem space, trying out a number of less successful options.
But it turns out the most performant option was always going to be the stupidest one: create new descriptors on every draw and jam them into the GPU.
But why is this the case?
The answer lies in an extension that has become much more widely adopted, VK_KHR_descriptor_update_template. This extension allows applications to allocate a template that the driver can use to jam those buffers/images into descriptor sets much more efficiently than the standard vkUpdateDescriptorSets. When combined with extreme bucket allocating, this methodology ends up being more performant than caching.
And sometimes by significant margins.
In Minecraft, for example, you might see a 30-50% FPS increase. In a game like Tomb Raider (2013) it’ll be closer to 10-20%.
But, most likely, there won’t be any scenario in which FPS goes down.
So wave farewell to the old code that I’ll probably delete altogether in Mesa 22.3, and embrace the new code that just works better and has been undergoing heavy testing for the past year.
Welcome to the future.
Last week, the series with DRM Kernel Selftests conversion to KUnit tests was merged into drm-misc-next and will probably be on the mainline on 5.20.
This series was developed during an LKCAMP hackathon in October 2021 and is the combined effort of seven Linux Kernel beginners. In this hackathon, we learned about the KUnit Framework and also learned a bit about DRM.
The series took quite a while to come out, as it was just a side-project to most of us, but, in June, I finally prepared the patches and transformed them into a mergeable series.
So, let’s understand the differences between kselftests and KUnit tests and learn some about the KUnit framework.
Tests are not all the same. We create different kinds of tests for different purposes. So, let’s clarify some kinds of tests that will be quoted in this blogpost:
Linux Kernel Selftests (kselftest) is a set of features functional and regression tests developed to avoid regressions on the Linux Kernel. The idea is that the developer will find a regression, fix it, and then write a test so that the Kernel won’t have this regression again.
The kselftests use shell scripts and C programs to load the tests into the kernel and have support for hardware-dependent tests. It doesn’t support workload or application tests, as its idea is primarily to increase the breadth and depth test coverage on the Kernel.
Although not designed for it, unit tests can also be developed with kselftests. But noticed that it is not a Unit Test Framework, such as JUnit, Google Test, or PyTest.
kselftest has C interfaces for reporting test results using the Test Anything Protocol (TAP) and a test harness for running tests.
KUnit (Kernel Unit Testing Framework) is the Unit Testing Framework for the Linux Kernel. KUnit makes it possible to run test suites on kernel boot or load the tests as a module. It reports all test case results through a TAP (Test Anything Protocol) in the kernel log.
KUnit follows the white-box testing approach, which allows testers to inspect and verify the inner workings of a software system. So, it can test any kernel component and is not restricted to userspace.
KUnit doesn’t require installing the kernel on a test machine or in a VM. It addresses the problem of being able to run tests without needing a virtual machine or actual hardware with User Mode Linux.
KUnit provides facilities for defining unit test cases, grouping related test cases into test suites, providing common infrastructure for running tests, and much more.
Each one of the frameworks has its place and importance, as both kinds of tests are important to improve Kernel’s reliability and robustness.
The main difference between kselftest and KUnit is that KUnit is a unit testing framework and kselftest is not. kselftest requires installing the kernel on a test machine or in a VM and require tests to be written in userspace and run on the kernel under test. On the other side, KUnit does not.
So, when it comes to testing a single unit of code in isolation, you’ll definitely go with KUnit. Otherwise, you’ll have to check the kselftests or autotests frameworks.
First, I must point out that the DRM selftests are not kselftests. They work very similarly, but the DRM subsystem developed a unique structure for running their unit tests, which was available on drm_selftests.h. For a general idea, they had simple FAIL_ON(expression) assertions, indicating that the test would fail if the expression was true, and each test was a module initialized by run_selftests.
So, let’s check a DRM selftest function and analyze it to check if it’s plausible for conversion. Take this function from drivers/gpu/drm/selftests/drm_cmdline_selftests.h:
static int drm_cmdline_test_force_D_only_not_digital(void *ignored)
{
struct drm_cmdline_mode mode = { };
FAIL_ON(!drm_mode_parse_command_line_for_connector("D",
&no_connector,
&mode));
FAIL_ON(mode.specified);
FAIL_ON(mode.refresh_specified);
FAIL_ON(mode.bpp_specified);
FAIL_ON(mode.rb);
FAIL_ON(mode.cvt);
FAIL_ON(mode.interlace);
FAIL_ON(mode.margins);
FAIL_ON(mode.force != DRM_FORCE_ON);
return 0;
}
This test function is testing a single function drm_mode_parse_command_line_for_connector and using test assertion to check if it behaves as expected. Can we agree that this is testing a single unit of code in isolation? So, this is a unit test!
If you look through the other files, you are going to find out that they are very similar to this function. So, they are all unit tests.
As they are unit tests, it is more suitable to use a Unit Test Framework, such as KUnit, on these tests. Moreover, converting these tests to KUnit would make them smaller and provide a userspace tool for developers to test with.
There is also one more reason to convert the DRM selftests. As DRM selftests created a whole structure to run their unit tests, converting the tests would mean deleting this structure and promoting code reuse.
KUnit has multiple test expectation expressions. The most used ones are:
KUNIT_EXPECT_TRUE (test, condition): causes a test failure when the expression is not true.KUNIT_EXPECT_FALSE (test, condition): causes a test failure when the expression is not false.KUNIT_EXPECT_EQ (test, left, right): expects that left and right are equal.KUNIT_EXPECT_NE (test, left, right): expects that left and right are not equal.There are a couple more and all of them can be seen on the KUnit documentation.
Examining again the drm_mode_parse_command_line_for_connector function, we can see that the test expectation expression used is FAIL_ON. This means that the test will fail when the expression inside it is true. Checking the test expectation expressions listed above, we can say the equivalent of FAIL_ON is KUNIT_EXPECT_FALSE, right?
So, we can just adjust the function to the KUnit signature and change all FAIL_ON for KUNIT_EXPECT_FALSE. The result will be something like this:
static void drm_cmdline_test_force_D_only_not_digital(struct kunit *test)
{
struct drm_cmdline_mode mode = { };
KUNIT_EXPECT_FALSE(test, !drm_mode_parse_command_line_for_connector("D",
&no_connector,
&mode));
KUNIT_EXPECT_FALSE(test, mode.specified);
KUNIT_EXPECT_FALSE(test, mode.refresh_specified);
KUNIT_EXPECT_FALSE(test, mode.bpp_specified);
KUNIT_EXPECT_FALSE(test, mode.rb);
KUNIT_EXPECT_FALSE(test, mode.cvt);
KUNIT_EXPECT_FALSE(test, mode.interlace);
KUNIT_EXPECT_FALSE(test, mode.margins);
KUNIT_EXPECT_FALSE(test, mode.force != DRM_FORCE_ON);
}
After this, our test already works with the KUnit tool. But, there is still some improvement to be made. Check out the first assertion:
KUNIT_EXPECT_FALSE(test, !drm_mode_parse_command_line_for_connector("D",
&no_connector,
&mode));
Observe that the condition has a logical NOT operator, so, for the condition to be false, the function must return true. So, we can change the assertion to be more readable to:
KUNIT_EXPECT_TRUE(test, drm_mode_parse_command_line_for_connector("D",
&no_connector,
&mode));
The last assertion can also be changed. We can change the comparative logical operator for the KUNIT_EXPECT_EQ expression.
So, the final look of our unit test would be:
static void drm_cmdline_test_force_D_only_not_digital(struct kunit *test)
{
struct drm_cmdline_mode mode = { };
KUNIT_EXPECT_TRUE(test, drm_mode_parse_command_line_for_connector("D",
&no_connector,
&mode));
KUNIT_EXPECT_FALSE(test, mode.specified);
KUNIT_EXPECT_FALSE(test, mode.refresh_specified);
KUNIT_EXPECT_FALSE(test, mode.bpp_specified);
KUNIT_EXPECT_FALSE(test, mode.rb);
KUNIT_EXPECT_FALSE(test, mode.cvt);
KUNIT_EXPECT_FALSE(test, mode.interlace);
KUNIT_EXPECT_FALSE(test, mode.margins);
KUNIT_EXPECT_EQ(test, mode.force, DRM_FORCE_ON);
}
This is just a small bit of the work done! I and other LKCAMP participants converted tests across nine files. And the result can be seen on this mailing list thread.
Working on these tests over the last month was pretty satisfying. The series had five iterations over the mailing list and talking to the maintainers is very rewarding. Also, it was great to remember the Saturday that I spend with three very dear friends (thanks to Arthur, Matheus, and Carlos). Seeing the patches go to the mainline was great!
After adding the DRM KUnit tests to the upstream, we must maintain it working properly and try checking the reported bugs. For example, Guenter Roeck reported problems running tests on PowerPC, so I worked on a new patch to fix it in order to make things run smoothly. So, that’s about it for now!
You know what I’m about to talk about.
You knew it as soon as you opened up the page.
I’ve said I was done with it a number of times, but deep down we all knew that was a lie.
Let’s talk about XFB.
For newcomers to the blog, Zink has two methods of emitting streamout info:
The former is obviously the better option since it’s simpler. But also it has another benefit: it doesn’t need more variables. On the surface, it seems like this should just be the same as the first reason, namely that I don’t need to run some 300 line giga-function to wrangle the XFB outputs after the shader has ended.
There shouldn’t be any other reason. I’ve got the shader. I tell it to write some XFB data. Everything works as expected.
I know this.
You know this.
But then there’s someone we didn’t consult, isn’t there.
Obviously.
And when we do consult the spec, this seemingly-benign restriction is imposed:
VUID-StandaloneSpirv-Location-04916
The Location decorations must be used on user-defined variables
So any user-defined variable must have a location. Seems fine. Until that restriction applies to the explicit XFB outputs. The ones that are never counted as inter-stage IO and are eliminated by the Vulkan driver’s compiler for all purposes except XFB. And since locations are consumed, the restrictions for locations apply: maxVertexOutputComponents, maxTessellationEvaluationOutputComponents, and maxGeometryOutputComponents restrict the maximum number of locations that can be used.
And surely that would never be a problem.
It’s XFB, so obviously it’s a problem. The standard number of locations that can be relied upon for user variables is 32, which means a total of 128 components can be used for XFB. CTS specifically hits this in the Dragonball Z region of the test suite (Enhanced Layouts, for those of you who don’t speak GLCTS) with shaders that increase in complexity at a geometric rate.
Let’s take a look at one of the simpler ones out of the 800ish cases in KHR-Single-GL46.enhanced_layouts.xfb_struct_explicit_location:
#version 430 core
#extension GL_ARB_enhanced_layouts : require
layout(isolines, point_mode) in;
struct TestStruct {
dmat3x4 a;
double b;
float c;
dvec2 d;
};
struct OuterStruct {
TestStruct inner_struct_a;
TestStruct inner_struct_b;
};
layout (location = 0, xfb_offset = 0) flat out OuterStruct goku;
layout(std140, binding = 0) uniform Goku {
TestStruct uni_goku;
};
void main()
{
goku.inner_struct_a = uni_goku;
goku.inner_struct_b = uni_goku;
}
This here is a tessellation evaluation shader that uses XFB on a very complex output type. Zink’s ability to inline such types is limited, which means Goku is about to throw that spirit bomb and kill off the chances of a clean CTS run.
The reasoning is how the XFB data is emitted. Rather than get a simple piece of shader info that says “output this entire struct with XFB”, Gallium instead provides the incredibly helpful struct pipe_stream_output_info data type:
/**
* A single output for vertex transform feedback.
*/
struct pipe_stream_output
{
unsigned register_index:6; /**< 0 to 63 (OUT index) */
unsigned start_component:2; /** 0 to 3 */
unsigned num_components:3; /** 1 to 4 */
unsigned output_buffer:3; /**< 0 to PIPE_MAX_SO_BUFFERS */
unsigned dst_offset:16; /**< offset into the buffer in dwords */
unsigned stream:2; /**< 0 to 3 */
};
/**
* Stream output for vertex transform feedback.
*/
struct pipe_stream_output_info
{
unsigned num_outputs;
/** stride for an entire vertex for each buffer in dwords */
uint16_t stride[PIPE_MAX_SO_BUFFERS];
/**
* Array of stream outputs, in the order they are to be written in.
* Selected components are tightly packed into the output buffer.
*/
struct pipe_stream_output output[PIPE_MAX_SO_OUTPUTS];
};
Each output variable is deconstructed into the number of 32-bit components that it writes (num_components) with an offset (start_component) and a zero-indexed “location” (register_index) which increments sequentially for all the variables output by the shader.
In short, it has absolutely no relation to the actual shader variables, and matching them back up is a considerable amount of work.
But this is XFB, so it was always going to be terrible no matter what.
Going back to the location disaster again, you might be wondering where the problem lies.
Let’s break it down with some location analysis. According to GLSL rules, here’s how locations are assigned for the output variables:
struct TestStruct {
dmat3x4 a; <--this is effectively dvec3[4];
a dvec3 consumes 2 locations
so 4 * 2 is 8, so this consumes locations [0,7]
double b; <--location 8
float c; <--location 9
dvec2 d; <--location 10
};
struct OuterStruct {
TestStruct inner_struct_a; <--locations [0,10]
TestStruct inner_struct_b; <--locations [11,21]
};
In total, and assuming I did my calculations right, 22 locations are consumed by this struct.
And this is zink, so point size must always be emitted, which means 23 locations are now consumed. This leaves 32 - 23 = 9 locations remaining for XFB.
Given that XFB works at the component level with tight packing, this means a minimum of 2 * (3 * 4) + 2 + 1 + 2 * 2 = 31 components are needed for each struct, but there’s two structs, which means it’s 62 components. And ignoring all other rules for a moment, it’s definitely true that locations are assigned in vec4 groupings, so a minimum of ceil(62 / 4) = 16 locations are needed to do explicit emission of this type.
But only 9 remain.
Whoops.
There’s a lot of ways to fix this.
The “best” way to fix it would be to improve/overhaul the inlining detection to ensure that crazy types like this are always inlined.
That’s really hard to do though, and the inlining code is already ridiculously complex to the point where I’d prefer not to ever touch it again to avoid jobbing like Vegeta in any future XFB battles.
The “easy” way to fix it would be to make the existing code work in this scenario without changing it. This is the approach I took, namely to decompose the struct before inlining so that the inline analysis has an easier time and can successfully inline all (or most) of the outputs.
It’s much simpler (and more accurate) to inline a shader that uses an output interface with no blocks like:
dmat3x4 a;
double b;
float c;
dvec2 d;
dmat3x4 a2;
double b2;
float c2;
dvec2 d2;
Thus the block splitting pass was created:
static bool
split_blocks(nir_shader *nir)
{
bool progress = false;
bool changed = true;
do {
progress = false;
nir_foreach_shader_out_variable(var, nir) {
const struct glsl_type *base_type = glsl_without_array(var->type);
nir_variable *members[32]; //can't have more than this without breaking NIR
if (!glsl_type_is_struct(base_type))
continue;
if (!glsl_type_is_struct(var->type) || glsl_get_length(var->type) == 1)
continue;
if (glsl_count_attribute_slots(var->type, false) == 1)
continue;
unsigned offset = 0;
for (unsigned i = 0; i < glsl_get_length(var->type); i++) {
members[i] = nir_variable_clone(var, nir);
members[i]->type = glsl_get_struct_field(var->type, i);
members[i]->name = (void*)glsl_get_struct_elem_name(var->type, i);
members[i]->data.location += offset;
offset += glsl_count_attribute_slots(members[i]->type, false);
nir_shader_add_variable(nir, members[i]);
}
nir_foreach_function(function, nir) {
bool func_progress = false;
if (!function->impl)
continue;
nir_builder b;
nir_builder_init(&b, function->impl);
nir_foreach_block(block, function->impl) {
nir_foreach_instr_safe(instr, block) {
switch (instr->type) {
case nir_instr_type_deref: {
nir_deref_instr *deref = nir_instr_as_deref(instr);
if (!(deref->modes & nir_var_shader_out))
continue;
if (nir_deref_instr_get_variable(deref) != var)
continue;
if (deref->deref_type != nir_deref_type_struct)
continue;
nir_deref_instr *parent = nir_deref_instr_parent(deref);
if (parent->deref_type != nir_deref_type_var)
continue;
deref->modes = nir_var_shader_temp;
parent->modes = nir_var_shader_temp;
b.cursor = nir_before_instr(instr);
nir_ssa_def *dest = &nir_build_deref_var(&b, members[deref->strct.index])->dest.ssa;
nir_ssa_def_rewrite_uses_after(&deref->dest.ssa, dest, &deref->instr);
nir_instr_remove(&deref->instr);
func_progress = true;
break;
}
default: break;
}
}
}
if (func_progress)
nir_metadata_preserve(function->impl, nir_metadata_none);
}
var->data.mode = nir_var_shader_temp;
changed = true;
progress = true;
}
} while (progress);
return changed;
}
This is an simple pass that does three things:
The result is that it’s much rarer to need explicit XFB emission, and it’s generally easier to debug XFB problems involving shaders with struct blocks since the blocks will be eliminated.
Now as long as Goku doesn’t have any senzu beans remaining, I think this might actually be the last post I ever make about XFB.
Stay tuned next week for a more interesting and exciting post. Maybe.
Hi!
I’ve continued working on my IRC suite this month. Two of our extensions have been accepted in IRCv3: read-marker synchronizes read markers between multiple devices belonging to the same user, and channel-context adds a machine-readable tag to indicate the context of a message. Some other server and client developers have already implemented them!
soju has gained a few quality-of-life features. Thanks to gildarts, there is a
new channel update -detached flag to attach or detach a channel, a new
contrib/migrate-db script to migrate the database between backends, users can
now delete their own account, and the user password hashes are upgraded when
logging in. Additionally, read markers are broadcast using Web Push (to dismiss
notifications when a message is read on another client), users can now set a
default nickname to use for all networks, and the logic to regain the
configured nick should work on servers missing MONITOR support (so I should
no longer be stuck with “emersion_” on OFTC).
Goguma now supports irc:// URLs, so it should be easier to click on these links in various project pages. If the user hasn’t joined the target channel or network yet, a confirmation dialog will be displayed. In the network settings page, a new button opens a UI to authenticate on the IRC network. A ton of other minor fixes and improvements have been pushed as well.
I’ve released gamja 1.0 beta 6. This new version adds a settings dialog with options to customize how timestamps and chat events (join, part, and so on) are displayed.
In Wayland news, new Wayland and wayland-protocols releases have been shipped.
The Wayland release includes an axis_value120 event for high-resolution wheel
scrolling, the wayland-protocols releases includes the single-pixel-buffer and
the xdg-shell wm_capabilities event I’ve talked about last month. I’ve posted
a new color-representation protocol extension to improve YUV buffer
presentation.
Now for the mixed bag of miscellaneous updates. mako 1.7 has been released, it includes support for multiple modes, which should make it possible to e.g. create a light/dark mode and do-not-disturb mode without conflicts. kimchi now supports live reloading its configuration file (previously a restart was necessary). dalligi now mirrors sr.ht build logs on GitLab (as seen for instance in this wlroots pipeline). Last but not least, [hut] has gained better webhook support thanks to Thorben Günther, and a more complete export functionality thanks to Drew DeVault.
That’s all for this month! No NPotM this time, sadly. See you!
Citing official Adreno documentation:
[A Low Resolution Z (LRZ)] pass is also referred to as draw order independent depth rejection. During the binning pass, a low resolution Z-buffer is constructed, and can reject LRZ-tile wide contributions to boost binning performance. This LRZ is then used during the rendering pass to reject pixels efficiently before testing against the full resolution Z-buffer.
My colleague Samuel Iglesias did the initial reverse-engineering of this feature; for its in-depth overview you could read his great blog post Low Resolution Z Buffer support on Turnip.
Here are a few excerpts from this post describing what is LRZ?
To understand better how LRZ works, we need to talk a bit about tiled-based rendering. This is a way of rendering based on subdividing the framebuffer in tiles and rendering each tile separately.
The binning pass processes the geometry of the scene and records in a table on which tiles a primitive will be rendered. By doing this, the HW only needs to render the primitives that affect a specific tile when is processed.
The rendering pass gets the rasterized primitives and executes all the fragment related processes of the pipeline. Once it finishes, the resolve pass starts.
Where is LRZ used then? Well, in both binning and rendering passes. In the binning pass, it is possible to store the depth value of each vertex of the geometries of the scene in a buffer as the HW has that data available. That is the depth buffer used internally for LRZ. It has lower resolution as too much detail is not needed, which helps to save bandwidth while transferring its contents to system memory.
Thanks to LRZ, the rendering pass is only executed on the fragments that are going to be visible at the end.
LRZ brings a couple of things on the table that makes it interesting. One is that applications don’t need to reorder their primitives before submission to be more efficient, that is done by the HW with LRZ automatically.
Now, a year later, I returned to this feature to make some important improvements, for nitty-gritty details you could dive into Mesa MR#16251 “tu: Overhaul LRZ, implement on-GPU dir tracking and LRZ fast-clear”. There I implemented on-GPU LRZ direction tracking, LRZ reuse between renderpasses, and fast-clear of LRZ.
In this post I want to give a practical advice, based on things I learnt while reverse-engineering this feature, on how to help driver to enable LRZ. Some of it could be self-evident, some is already written in the official docs, and some cannot be found there. It should be applicable for Vulkan, GLES, and likely for Direct3D.
Or rather, when writing depth - do not change the direction of depth comparisons. If depth comparison direction is changed while writing into depth buffer - LRZ would have to be disabled.
Why? Because if depth comparison direction is GREATER - LRZ stores the lowest depth value of the block of pixels, if direction is LESS - it stores the highest value of the block. So if direction is changed the LRZ value becomes wrong for the new direction.
A few examples:
VK_COMPARE_OP_GREATER -> VK_COMPARE_OP_GREATER_OR_EQUAL is good;VK_COMPARE_OP_GREATER -> VK_COMPARE_OP_LESS is bad;VK_COMPARE_OP_GREATER with depth write -> VK_COMPARE_OP_LESS without depth write is ok;
The rules could be summarized as:
VK_COMPARE_OP_GREATER and VK_COMPARE_OP_GREATER_OR_EQUAL have same direction;VK_COMPARE_OP_LESS and VK_COMPARE_OP_LESS_OR_EQUAL have same direction;VK_COMPARE_OP_EQUAL and VK_COMPARE_OP_NEVER don’t have a direction, LRZ is temporally disabled;
VK_COMPARE_OP_EQUAL compares don’t benefit from LRZ;VK_COMPARE_OP_ALWAYS and VK_COMPARE_OP_NOT_EQUAL either temporally or completely disable LRZ, depending on depth being written.This obviously makes resulting depth value unpredictable, so LRZ has to be completely disabled.
Note, the output values of manually written depth could be bound by conservative depth modifier, for GLSL this is achieved by GL_ARB_conservative_depth extension, like this:
layout (depth_greater) out float gl_FragDepth;
However, Turnip at the moment does not consider this hint, and it is unknown if Qualcomm’s proprietary driver does.
All of them make a new fragment value depend on the old fragment value. LRZ is temporary disabled in this case.
Writing to SSBO, images, … from fragment shader forces late Z, thus it is incompatible with LRZ. At the moment Turnip completely disables LRZ when shader has such side-effects.
Discarding fragments moves the decision whether fragment contributes to the depth buffer to the time of fragment shader execution. LRZ is temporary disabled in this case.
TLDR: Since Snapdragon 865 (Adreno 650) LRZ supported in secondary command buffers.
TLDR: LRZ would work with VK_KHR_dynamic_rendering, but you’d like to avoid using this extension because it isn’t nice to tilers.
Official docs state that LRZ is disabled with “Use of secondary command buffers (Vulkan)”, and on another page that “Snapdragon 865 and newer will not disable LRZ based on this criteria”.
Why?
Because up to Snapdragon 865 tracking of the direction is done on the CPU, meaning that LRZ direction is kept in internal renderpass object, updated and checked without any GPU involvement.
But starting from Snapdragon 865 the direction could be tracked on GPU which allows driver not to know previous LRZ direction during a command buffer construction. Therefor secondary command buffers could now use LRZ!
Recently Vulkan 1.3 came out and mandated the support of VK_KHR_dynamic_rendering. It gets rid of complicated VkRenderpass and VkFramebuffer setup, but much more exciting is a simpler way for parallel renderpasses construction (with VK_RENDERING_SUSPENDING_BIT / VK_RENDERING_RESUMING_BIT flags).
VK_KHR_dynamic_rendering poses a similar challenge for LRZ as secondary command buffers and has the same solution.
TLDR: Since Snapdragon 865 (Adreno 650) LRZ would work if you store depth in one renderpass and load it later, giving depth image isn’t changed in-between.
Another major improvement brought by Snapdragon 865 is the possibility to reuse LRZ state between renderpasses.
The on-GPU direction tracking is part of the equation here, another part is the tracking of a depth view being used. Depth image has a single LRZ buffer which corresponds to a single array layer + single mip level of the image. So if view with different array layer or mip layer is used - LRZ state couldn’t be reused and will be invalidated.
With the above knowledge here are the conditions when LRZ state could be reused:
STORE_OP_STORE) at the end of some past renderpass;vkCmdBlitImage*, vkCmdCopyBufferToImage*, or vkCmdCopyImage*. Otherwise LRZ state would be invalidated;Misc notes:
vkCmdClearAttachments + LOAD_OP_LOAD is just equal to LOAD_OP_CLEAR.While there are many rules listed above - it all boils down to keeping things simple in the main renderpass(es) and not being too clever.
This week I was planning on talking about Device Mocking with KUnit, as I’m currently working on my first unit test for a physical device, the AMDGPU Radeon RX5700. I would introduce you to the Kernel Unit Testing Framework (KUnit), how it works, how to mock devices with it, and why it is so great to write tests.
But, my week was pretty more interesting due to a limitation on the KUnit Framework. This got me thinking about the Kernel Symbol Table and compilation for a while. So, I decided to write about it this week.
When starting the GSoC project, my fellow colleagues and I ran straight into a problem with the use of KUnit on the AMDGPU stack.
We would create a simple test, just like this one:
#include <kunit/test.h>
#include "inc/bw_fixed.h"
static void abs_i64_test(struct kunit *test)
{
KUNIT_EXPECT_EQ(test, 0ULL, abs_i64(0LL));
/* Argument type limits */
KUNIT_EXPECT_EQ(test, (uint64_t)MAX_I64, abs_i64(MAX_I64));
KUNIT_EXPECT_EQ(test, (uint64_t)MAX_I64 + 1, abs_i64(MIN_I64));
}
static struct kunit_case bw_fixed_test_cases[] = {
KUNIT_CASE(abs_i64_test),
{ }
};
static struct kunit_suite bw_fixed_test_suite = {
.name = "dml_calcs_bw_fixed",
.test_cases = bw_fixed_test_cases,
};
kunit_test_suite(bw_fixed_test_suite);
Ok, pretty simple test: just checking the boundary values for a function that returns the absolute value of a 64-bit integer. Nothing could go wrong…
And, at first, running the kunit-tool everything would go fine. But, if we tried to compile the test as a module, we would get a linking error:
Multiple definitions of 'init_module'/'cleanup_module' at kunit_test_suites().
This looks like a simple error, but if we think further this is a matter of kernel symbols and linking. So, let’s hop on and understand the basics of kernel symbols and linking. Finally, I will tell the end of this KUnit tell.
First, it is important to understand the stages of the compilation of a C program. If you’re a C-veteran, you can skip this section. But if you are starting in the C-programming world recently (or maybe just used to run make without thinking further), let’s understand a bit more about the compilation process for C programs - basically any compiled language.
The first stage of compilation is preprocessing. The preprocessor expands the included files - a.k.a. .h, expands the macros, and removes the comments. Basically, the preprocessor obeys to the directives, that is, the commands that begin with #.
The second stage of compilation is compiling. The compiling stage takes the preprocessor’s output and produces either assembly code or an object file as output. The object code contains the binary machine code that is generated from compiling the C source.
Then, we got to the linking stage. Linking takes one or more object files and produces the product of the final compilation. This output can be a shared library or an executable.
For our problem, the linking stage is the interesting one. In this stage, the linker links all the object files by replacing the references to undefined symbols with the appropriate addresses. So, at this stage, we get the missing definitions or multiple definitions errors.
When ld (or lld for those at the clang community), tells us that there are missing definitions, it means that either the definitions don’t exist, or that the object files or libraries where they reside are not provided to the linker. For the multiple definition errors, the linker is telling us that the same symbol was defined in two different object files or libraries.
So, going back to our error, we now know that:
init_module()/cleanup_module() twice.But, if you check the code, there is no duplicate of either of those functions. 🤔
Ok, now, let’s take a look at the kernel symbol table.
So, we keep talking about symbols. But now, we need to understand which symbols are visible and available to our module and which aren’t.
We can think of the kernel symbols in three levels of visibility:
So, by quoting the book Linux Kernel Development (3nd ed.), p. 348:
When modules are loaded, they are dynamically linked into the kernel. As with userspace, dynamically linked binaries can call only into external functions explicitly exported for use. In the kernel, this is handled via special directive called
EXPORT_SYMBOL()andEXPORT_SYMBOL_GPL(). Export functions are available for use by modules. Functions not exported cannot be invoked from modules. The linking and invoking rules are much more stringent for modules than code in the core kernel image. Core code can call any nonstatic interface in the kernel because all core source files are linked into a single base image. Exported symbols, of course, must be nonstatic, too. The set of exported kernel symbols are known as the exported kernel interfaces.
So, at this point, you can already get this statement, as you already understand about linking ;)
The kernel symbol table can be pretty important in debugging and you can check the list of symbols in a module with the nm command. Moreover, sometimes you want more than just the symbols from a module, but the symbols from the whole kernel. In this case, you can check the /proc/kallsyms file: it contains symbols of dynamically loaded modules as well as symbols from static code.
Also, during a kernel build, a file named Module.symvers will be generated. This file contains all exported symbols from the kernel and compiled modules. For each symbol, the corresponding CRC value, export type, and namespace are also stored.
Building an out-of-tree module is not trivial, and you can check the kbuild docs here, to understand more about symbols, how to install modules, and more.
Now, you have all the pieces needed to crack this puzzle. But I only gave you separate pieces of this problem. It’s time to bring these pieces together.
Let’s go back to the linking error we got at the test:
Multiple definitions of 'init_module'/'cleanup_module' at kunit_test_suites().
So, first, we need to understand how we are defining init_module multiple times. The first definition is at kunit_test_suites(). So, when building a KUnit test as a module, KUnit creates brand new module_init/exit_module functions.
But, think for a while with me… The amdgpu module, linked with our test, already defines a module_init function for the graphics module.
FYI: the
module_initis the module entry point when the module is loaded.
So, we have figured out the problem! We have one init_module at kunit_test_suites() and other init_module at amdgpu entry point, which is amdgpu_drv.c. And, as they are linked together, we have a linking problem!
And, how can we solve this problem?
Adding EXPORT_SYMBOL to all tested functions
Going back to the idea of the Kernel Symbol Table, we can load the amdgpu module and expose all the tested functions to any loadable module by adding EXPORT_SYMBOL. Then, we can compile the test module independently - that said, outside the amdgpu module - and loaded separately.
It feels like an easy fix, right? Not exactly! This would pollute the symbol namespace from the amdgpu module and also pollute the code. Polluting the code means more work to maintain and work with the code. So, this is not a good idea.
Incorporating the tests into the driver stack
Another idea is to call the tests inside the driver stack. So, inside the AMDGPU’s init_module function, we can call the KUnit’s private suite execution function and run the tests when the amdgpu module is loaded.
It is the strategy that some drivers, such as thunderbolt, were using. But, this introduces some incompatibilities with the KUnit tooling, as it makes it impossible to use the great kunit-tool and also doesn’t scale pretty well. If I want to have multiple modules with tests for a single driver, it would require the use of many #ifdef guards and the creation of awful init functions in multiple files.
Creating a test should be simple: not a huge structure with preprocessor directives and multiple files.
The previous solutions were a workaround for the real problem: KUnit was stealing module_init from other modules. For built-in tests, the kunit_test_suite() macro adds a list of suites in the .kunit_test_suites linker section. However, a module_init() function is used for kernel modules to run the test suites.
So, after some discussion on the KUnit Mailing List, Jeremy Kerr unified the module and non-module KUnit init formats. David Gow submitted a patch from him removing the KUnit-defined module inits, and instead parsing the KUnit tests from their own section in the module.
Now, the array of struct kunit_suite * will be placed in the .kunit_test_suites ELF section and the tests will run on the module load.
You can check the version 4 of this patchset.
Having this structure will make our work on GSoC much easier, and much cleaner! Huge thanks to all KUnit folks working on this great framework!
Getting this problem is not trivial! When it comes to compilation, linking, and, symbols, many CS students get pretty confused. In contrast, this is a pretty poetic part of computation: seeing these high-level symbols becoming simple assembly instructions and thinking about memory stacks.
If you are feeling a bit confused over this, I hugely recommend the Tanenbaum books and also Linux Kernel Development by Robert Love. Although Tanenbaum doesn’t write specifically about compilation, the knowledge of Compute Architecture and Operational Systems is fundamental to understanding the idea of running binaries on a machine.
After my last post, I received a very real, nonzero number of DMs bearing implications.
That’s right.
Messages like, “Nice blog post. I’m sure you totally know how to use RenderDoc.” and “Nice RenderDoc tutorial.” as well as “You don’t know how to use RenderDoc, do you?”
I even got a message from Baldur “Dr. Render” Karlsson asking to see my RenderDoc operator’s license. Which I definitely have. And it’s not expired.
I just, uh, don’t have it on me right now, officer.
But we can work something out, right?
Right?
So I’m writing this post of my own free will, and in it we’re going to take a look at a real bug. Using RenderDoc.
Like a tutorial, but less useful.
If you want a real tutorial, you should be contacting Danylo Piliaiev, Professor Emeritus at Render University, for his self-help guide. Or watch his free zen meditation tutorial. Powerful stuff.
First, let’s open up the renderdoc capture for this bug:
What’s that? I skipped the part where I was supposed to describe how to get a capture?
Fine, fine, let’s go back.
If you’re not already a maestro of the most powerful graphics debugging tool on the planet, the process for capturing a frame on zink goes something like this:
LD_PRELOAD=/usr/lib64/librenderdoc.so MESA_LOADER_DRIVER_OVERRIDE=zink <executable>
I’ve been advised by my lawyer to state for the record that preloading the library in this manner is Not Officially Supported, and the GUI should be used whenever possible. But this isn’t a tutorial, so you can read the RenderDoc documentation to set up the GUI capture.
Moving along, if the case in question is a single frame apitrace, as is the case for this bug, there’s some additional legwork required:
LD_PRELOAD=/usr/lib64/librenderdoc.so MESA_LOADER_DRIVER_OVERRIDE=zink glretrace --loop portal2.trace
In particular here, the --loop parameter will replay the frame infinitely, enabling capture. There’s also the need to use F11 to cycle through until the Vulkan window is selected. And also possibly to disable GL support in RenderDoc so it doesn’t get confused.
But this isn’t a tutorial, so I’m gonna assume that once the trace starts playing at this point, it’s easy enough for anyone following along to press F11 a couple times to select Vulkan and then press F12 to capture the frame.
This is more or less what RenderDoc will look like once the trace is opened:
Assuming, of course, that you are in one of these scenarios:
Running on Lavapipe, the interface looks more like this since Lavapipe has no bugs and all bugs disappear when running it:
Incredible.
If you’re new to the blog, I’ve included a handy infographic to help you see the problem area in the ANV capture:
That’s all well and good, you might be saying, but how are you going to solve this problem?
The first step when employing this tool is to locate a draw call which exhibits the problem that you’re attempting to solve. This can be done in the left pane by scrolling through the event list until the texture viewer displays a misrender.
I’ve expedited the process by locating a problem draw:
This pile of rubble is obviously missing the correct color, so the hunt begins.
With the draw call selected, I’m going to first check the vertex output data in the mesh viewer. If the draw isn’t producing the right geometry, that’s a problem.
I’ve dragged the wireframe around a bit to try and get a good angle on it, but all I can really say is that it looks like a great pile of rubble. Looks good. A+ to whoever created it. Probably have some really smart people on payroll at a company like that.
The geometry is fine, so the color output must be broken. Let’s check that out.
First, go back to the texture viewer and right click somewhere on that rubble heap. Second, click the Debug button at the bottom right.
You’re now in the shader debugger. What an amazing piece of software this is that you can just debug shaders.
I’m going to do what’s called a “Pro Gamer Move” here since I’ve taken Danylo Piliaiev’s executive seminar in which he describes optimal RenderDoc usage as doing “what my intuition tells me”. Upon entering the debugger, I can see the shader variables being accessed, and I can immediately begin to speculate on a problem:
These vertex inputs are too big. Probably. I don’t have any proof that they’re not supposed to be non-normalized floats, but probably they aren’t, because who uses non-normalized floats?
Let’s open up the vertex shader by going to the pipeline inspector view, clicking the VS bubble, then clicking Edit → Decompile with SPIRV-Cross:
This brings up the vertex shader, decompiled back to GLSL for readability, where I’m interested to see the shader’s inputs and outputs:
Happily, these are nicely organized such that there are 3 inputs and 3 outputs which match up with the fragment shader locations in the shader debugger from earlier, using locations 1, 2, 3. Having read through the shader, we see that each input location corresponds to the same output location. This means that broken vertex input data will yield broken vertex output data.
Here’s where the real Pro Gamer Move that I totally used at the time I was originally solving this issue comes into play. Notice that the input variables are named with a specific schema. v0 is location 0. v2, however, is location 1, v3 is location 2, and v4 is location 3.
Isn’t that weird?
We’re all experts here, so we can agree that it’s a little weird. The variables should probably be named v0, v1, v2, v3. That would make sense. I like things that make sense.
In this scenario, we have our R E F E R E N C E driver, Lavapipe, which has zero bugs and if you find them they’re your fault, so let’s look at the vertex shader in the same draw call there:
O
M
G
I was right. On my own blog. Nobody saw this coming.
So as we can see, in Lavapipe, where everything renders correctly, the locations do correspond to the variable names. Is this the problem?
Let’s find out.
RenderDoc, being the futuristic piece of software that it is, lets us make changes like these and test them out.
Going back to the ANV capture and the vertex shader editing pane, I can change the locations in the shader and then compile and run it:
Which, upon switching to the texture viewer, yields this:
Hooray, it’s fixed. And if we switch back to the Vertex Input viewer in the pipeline inspector:
The formats here for the upper three attributes have also changed, which explains the problem. Also though there actually were non-normalized floats for some of the attributes, so my wild guess ended up only being partially right.
It wasn’t like I actually stepped through the whole fragment shader to see which inputs were broken and determined that oT6 in (broken) location 3 was coming into the shader with values far too large to ever produce a viable color output.
That would be way less cool than making a wild conjecture that happened to be right like a real guru would do.
This identified the problem, but it didn’t solve it. Zink doesn’t do its own assignment for vertex input locations and instead uses whatever values Gallium assigns, so the bug had to be somewhere down the stack.
Given that the number of indices used in the draw call was somewhat unique, I was able to set a breakpoint to use with gdb, which let me:
v1) that was deleted early on without reserving a locationv1 should have reserved location 1, thus offsetting every subsequent vertex attribute by 1, which yields the correct renderingAnd, like magic, I solved the issue.
But I didn’t fix it.
This isn’t a tutorial.
I’m just here so I don’t get fined.
Being part of the community, is more than just writing code and sending patches, it is also keeping track of the IRC discussions and reading the mailing lists to review and test patches sent from others whenever you can.
Both environments are not the most welcoming, but there are plenty of tools from the community to help parsing them. In this post I’ll talk about b4, suggested by my GSOC mentor André, a tool to help with applying patches.
I assume you already know that when we refer to “git commits”, we are basically talking about snapshots of the files in the repository (more about that); it’s almost like, for each set of changes, we archived and compressed the whole repository folder an gave the result a name.
When working in a large project with so many people, like we have in the Linux Kernel community, it would be impractical to send a file containing the whole repository just to show some changes in some files, specially in the old days, when there probably wasn’t even that much bandwidth. So, in order to share your workings with the community you just have to tell them “add X to line N, remove Y from the following line”, in other words, you have to share only the differences you brought to the code.
There is a command to convert your commits into these messages showing only the “diffs” in your code: git format-patch. It’s worth mentioning that Git uses its own enhanced format of diff (see git diff), which tries to humanize and contextualize some changes, either by recognizing scopes in some languages or simply including surrounding lines in the output. So, lets say you created a couple commits based on master and want to extract them as patches, you could run git format-patch master, which would create a couple numbered files. You could then send them via email with git send-mail, but that’s another talk, my point here was just to introduce the concept of patches, you can read more at https://git-scm.com/book/en/v2/Distributed-Git-Maintaining-a-Project.
Now, lets say somebody has already sent their patch to some mailing list, like https://lore.kernel.org/all/20220627161132.33256-1-jose.exposito89@gmail.com/. How can you assert that their code compiles and works as described?
You could find the link and download the mbox.gz file from the lore.kernel.org page, or find the series at patchwork.kernel.org to do the same, which then would allow you to use git am to apply the patches, recreating the commits in your local environment. That process is easy enough but it can be improved as far as running a command over the lore.kernel.org URL with b4.
B4 is a Python package and can be easily installed with python3 -m pip install --user b4. I’d suggest using a virtual environment to avoid problems with dependencies, but this post won’t cover that.
It comes with a helpful b4 --help, which tells us that, to apply the mentioned patch series you’d just need to run:
b4 am https://lore.kernel.org/all/20220627161132.33256-1-jose.exposito89@gmail.com/
Which will download the patch series as a mbox file and the cover letter as another, so that you could then use git am on it the former. With some luck (and communication), everything will apply without any conflicts.
That’s it, good luck on your reviews and thanks for reading!
“applying patch to belly” by The EnergySmart Academy is licensed under CC BY-NC-SA 2.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-nc-sa/2.0/?ref=openverse.
NGG (Next Generation Geometry) is the technology that is responsible for any vertex and geometry processing in AMD RDNA GPUs. I decided to do a write-up about my experience implementing it in RADV, which is the Vulkan driver used by many Linux systems, including the Steam Deck. I will also talk about shader culling on RDNA GPUs.
Let’s start by briefly going over how the old GCN geometry pipeline works, so that we can compare old and new.
GCN GPUs have 5 programmable hardware shader stages for vertex/geometry processing: LS, HS, ES, GS, VS. These HW stages don’t exactly map to the software stages that are advertised in the API. Instead, it is the responsibility of the driver to select which HW stages need to be used for a given pipeline. We have a table if you want details.
The rasterizer can only consume the output from HW VS, so the last SW stage in your pipeline must be compiled to HW VS. This is trivial for VS and TES (yes, tess eval shaders are “VS” to the hardware), but GS is complicated. GS outputs are written to memory. The driver has no choice but to compile a separate shader that runs as HW VS, and copies this memory to the rasterizer. We call this the “GS copy shader” in Mesa. (It is not part of the API pipeline but required to make GS work.)
Notes:
The next-generation geometry pipeline vastly simplifies how the hardware works. (At the expense of some increased driver complexity.)
There are now only 2 HW shader stages for vertex/geometry processing:
The surface shader is not too interesting, it runs the merged SW VS + TCS when tessellation is enabled. I’m not aware of any changes to how this works compared to old HW.
The interesting part, and subject of much discussion on the internet is the primitive shader.
In some hardware documentation and register header files the new stage is referred to as simply “GS”,
because AMD essentially took what the GS stage could already do and added the ability for it to
directly feed the rasterizer using exp (export) instructions.
Don’t confuse this with SW GS.
It supports a superset of the functionality that you can do in software VS, TES, GS and MS.
In very loose terms you can think about it as a “mesh-like” stage which all these software stages can be compiled to.
Compared to the old HW VS, a primitive shader has these new features:
s_sendmsg(gs_alloc_req) which ensures that the necessary amount of space
in the parameter cache is allocated for them.Software VS and TES:
Compared to the legacy pipeline, the compiled shaders must now not only export vertex output attributes
for a fixed number of vertices, but instead they
create vertices/primitives (after declaring how many they will create).
This is trivial to implement because all they have to do is read the registers that contain the input primitive
topology and then export the exact same topology.
Software GS:
As noted above, each NGG shader invocation can only create up to 1 vertex + up to 1 primitive.
This mismatches the programming model of SW GS and makes it difficult to implement.
In a nutshell, for SW GS the hardware launches a large enough workgroup to fit every possible
output vertex. This results in poor HW utilization (most of those threads just sit there doing nothing
while the GS threads do the work), but there is not much we can do about that.
Mesh shaders:
The new pipeline enables us to support mesh shaders, which was simply impossible on the legacy pipeline,
due to how the programming model entirely mismatches anything the old hardware could do.
We did some benchmarks when we switched RADV and ACO to use the new pipeline. We found no significant perf changes. At all. Considering all the hype we heard about NGG at the hardware launch, I was quite surprised.
However, after I set the hype aside, it was quite self-explanatory. When we switched to NGG, we still compiled our shaders mostly the same way as before, so even though we used the new geometry pipeline, we didn’t do anything to take advantage of its new capabilities.
The actual perf improvement came after I also implemented shader-based culling.
The NGG pipeline makes it possible for shaders to know about input primitives and create an arbitrary topology of output primitives. Even though the API does not make this information available to application shaders, it is possible for driver developers to make their compiler aware of it and add some crazy code that can get rid of primitives when it knows that those will never be actually visible. The technique is known as “shader culling”, or “NGG culling”.
This can improve performance in games that have a lot of triangles, because we only calculate the output positions of every vertex before we decide which triangle to remove. We then also remove unused vertices.
The benefits are:
If there is interest, I may write a blog post about the implementation details later.
Due to how all of this reduces certain bottlenecks, its effectiveness very highly depends on whether you actually had a bottleneck in the first place. How many primitives it can remove of course depends on the application. Therefore the exact percentage of performance gain (or loss) also depends on the application.
If an application didn’t have any of the aforementioned bottlenecks or already mitigates them in its own way, then all of this new code may just add unnecessary overhead and actually slightly reduce performance rather than improve it.
Other than that, there is some concern that a shader-based implementation may be less accurate than the fixed-function HW.
Shader culling seems to be most efficient in benchmarks and apps that output a lot of triangles without having any in-app solution for dealing with the bottlenecks. It is also very effective on games that suffer from overtessellation (ie. create a lot of very small triangles which are not visible).
While shader culling can also work on RDNA1, we don’t enable it by default because we haven’t yet found a game that noticably benefits from it. On RDNA1, it seems that the old and new pipelines have similar performance.
The main takeaway from this post is that NGG is not a performance silver bullet that magically makes all your games faster. Instead, it is an enabler of new features. It lets the driver implement new techniques such as shader culling and new programming models like mesh shaders.
A quick update on my latest activities around V3DV: I’ve been focusing on getting the driver ready for Vulkan 1.2 conformance, which mostly involved fixing a few CTS tests of the kind that would only fail occasionally, these are always fun :). I think we have fixed all the issues now and we are ready to submit conformance to Khronos, my colleague Alejandro Piñeiro is now working on that.
Who else out there knows the feeling of opening up a bug ticket, thinking Oh, I fixed that, and then closing the tab?
Don’t lie, I know you do it too.
Such was the case when I (repeatedly) pulled up this ticket about a rendering regression in Dirt Rally.
To me, this is a normal, accurate photo of a car driving along a dirt track in the woods. A very bright track, sure, but it’s plainly visible, just like the spectators lining the sides of the track.
The reporter insisted there was a bug in action, however, so I strapped on my snorkel and oven mitt and got to work.
For the first time.
Last week.
We all remember our first bug. It’s usually “the code didn’t compile the first time I tried”. The worst bug there is.
The first bug I found in pursuit of this so-called rendering anomaly was not a simple compile error. No, unfortunately the code built and ran fine thanks to Mesa’s incredible and rock-stable CI systems (this was last week), which meant I had to continue on this futile quest to find out whatever was wrong.
Next, I looked at the ticket again and downloaded the trace, which was unfortunately provided to prevent me from claiming that I didn’t have the game or couldn’t find it or couldn’t launch it or was too lazy. Another unlucky roll of the dice.
After sitting through thirty minutes of loading and shader compiling in the trace, I was treated to another picturesque view of a realistic racing environment:
B-e-a-u-tiful.
If this is a bug, I don’t want to know what it’s supposed to look like.
Nevertheless, I struggled gamely onward. The first tool in any driver developers kit is naturally RenderDoc, which I definitely know how to use and am an expert in wielding for all manner of purposes, the least of which is fixing trivial “bugs” like this one. So I fired up RenderDoc—again, without even the slightest of troubles since I use it all the time and it works great for doing all the things I want it to do—got my package of frame-related data, and then loaded it up in QRenderDoc.
And, of course, QRenderDoc crashed because that was what I wanted it to do. It’s what I always want it to do, really.
But, regrettably, the legendary Baldur Karlsson is on my team and can fix bugs faster than I can report them, so I was unable to continue claiming I couldn’t proceed due to this minor inconvenience for long. I did my usual work in RenderDoc, which I won’t even describe because it took such a short amount of time due to my staggering expertise in the area and definitely didn’t result in finding any more RenderDoc bugs, and the result was clear to me: there were no zink bugs anywhere.
I did, however, notice that descriptor caching was performing suboptimally such that only the first descriptor used for UBOs/SSBOs was used to identify the cache entry, so I fixed that in less time than it took to describe this entire non-bug nothingburger.
I want you to look at the original image above, then look at this one here:
To me, these are indistinguishable. If you disagree, you are nitpicking and biased.
But now I was getting pile-on bug reports: if zink were to run out of BAR memory while executing this trace, again there was this nebulous claim that “bugs” occurred.
My skepticism was at a regular-time average after the original report yielded nothing but fixes for RenderDoc, so I closed the tab.
I did some other stuff for most of the week that I can’t remember because it was all so important I stored the memories somewhere safe—so safe that I can’t access them now and accidentally doodle all over them, but I was definitely very, very busy with legitimate work—but then today I decided to be charitable and give the issue a once-over in case there happened to be some merit to the claims.
Seriously though, who runs out of BAR memory? Doesn’t everyone have a GPU with 16GB of BAR these days?
I threw in a quick hack to disable BAR access in zink’s allocator and loaded up the trace again.
As we can see here, the weather is bad, so there are fewer spectators out to spectate, but everything is totally fine and bug-free. Just as expected. Very realistic. Maybe it was a little weird that the spectators were appearing and disappearing with each frame, but then I remembered this was the Road To The Haunted House track, and naturally such a track is haunted by the ghosts of players who didn’t place first.
At a conceptual level, I knew it was nonsense to be considering such things. I’m an adult now, and there’s no scientific proof that racing games can be haunted. Despite this, I couldn’t help feel a chill running down my fingers as I realized I’d discovered a bug. Not specifically because of anything I was doing, but I’d found one. Entirely independently. Just by thinking about it.
Indeed, by looking at the innermost allocation function of zink’s suballocator, there’s this bit of vaguely interesting code:
VkResult ret = VKSCR(AllocateMemory)(screen->dev, &mai, NULL, &bo->mem);
if (!zink_screen_handle_vkresult(screen, ret)) {
if (heap == ZINK_HEAP_DEVICE_LOCAL_VISIBLE) {
heap = ZINK_HEAP_DEVICE_LOCAL;
mesa_loge("zink: %p couldn't allocate memory! from BAR heap: retrying as device-local", bo);
goto demote;
}
mesa_loge("zink: couldn't allocate memory! from heap %u", heap);
goto fail;
}
This is the fallback path for demoting BAR allocations to device-local. It works great. Except there’s an obvious bug for anyone thinking about it.
I’ll give you a few moments since it was actually a little tricky to spot.
By now though, you’ve all figured it out. Obviously by performing the demotion here, the entire BO is demoted to device-local, meaning that suballocator slabs get demoted and then cached as BAR, breaking the whole thing.
Terrifying, just like the not-at-all-haunted race track.
I migrated the demotion code out a couple layers so the resource manager could handle demotion, and the footgun was removed before it could do any real harm.
Just to pass the time while I waited to see if an unrelated CI pipeline would fail, I decided to try running CTS with BAR allocations disabled. As everyone knows, if CTS fails, there’s a real bug somewhere, so it would be easy to determine whether there might be any bugs that were totally unrelated to the reports in this absolute lunatic’s ticket.
Imagine my surprise when I did, in fact, find failing test cases. Not anything related to the trace or scenario in the ticket, of course, since that’s not a test case, it’s a game, and my parents always told me to be responsible and stop playing games.
It turns out there were some corner case bugs that nothing had been hitting until now. The first one of these was in the second-worst place I could think of: threaded context. Debugging problems here is always nightmarish for varying reasons, though mostly because of threads.
The latest problem in question was that I was receiving a buffer_map call on a device-local buffer with the unsynchronized flag set, meaning that I was unable to use my command buffer. This was fine in the case where I was discarding any pre-existing data on the buffer, but if I did have data I wanted to save, I was screwed.
Well, not me specifically, but my performance was definitely not going to be in a good place since I’d have to force a thread sync and…
Anyway, this was bad, and the cause was that the is_resource_busy call from TC was never passing along the unsynchronized flag, which prevented the driver from accurately determining whether the resource was actually busy.
With that fixed, I definitely didn’t find any more issues whatsoever.
Except that I did.
They required the complex understanding of what some would call “basic arithmetic”, however, so I’m not going to get into them. Suffice to say that buffer copies were very subtly broken in a couple ways.
I win.
I didn’t explicitly set out to prove this bug report wrong, but it clearly was, and there are absolutely no bugs anywhere so don’t even bother trying to find them.
And if you do find them, don’t bother reporting them because it’s not like anyone’s gonna fix them.
And if someone does fix them, it’s not like they’re gonna spend hours pointlessly blogging about it.
And if someone does spend hours pointlessly blogging about it, it’s not like anyone will read it anyway.
Hi!
Yesterday I’ve finally finished up and merged push notification support for the soju IRC bouncer and the goguma Android client! Highlights & PM notifications should now be delivered much more quickly, and power consumption should go down. Additionally, the IRC extension isn’t tied to a proprietary platform (like Google or Apple) and the push notification payloads are end-to-end encrypted. If you want to read more about the technical details, have a look at the IRCv3 draft.
In the Wayland world, we’re working hard to get ready for the next wlroots release. We’ve merged numerous improvements for the scene-graph API, xdg-shell v3 and v4 support has been added (to allow xdg-popups to change their position), and a ton of other miscellaneous patches have been merged. Special thanks to Kirill Primak, Alexander Orzechowski and Isaac Freund!
I’ve also been working on various Wayland protocol bits. The
single-pixel-buffer extension allows clients to easily create buffers with a
single color instead of having to go through wl_shm. The security-context
extension will make it possible for compositors to reliably detect sandboxed
clients and apply special policies accordingly (e.g. limit access to screen
capture protocols). Thanks for xdg-shell capabilities clients will be able to
hide their maximize/minimize/fullscreen buttons when these actions are not
supported by the compositor. Xaver Hugl’s content-type extension will enable
rules based on the type of the content being displayed (e.g. enable adaptive
sync when a game is displayed, or make all video player windows float). Last,
I’ve been working on some smaller changes to the core protocol: a new
wl_surface.configure event to atomically apply a
surface configuration, and a new wl_surface.buffer_scale
event to make the compositor send the preferred scale factor instead of letting
the clients pick it.
I’ve tried to help Jason “I’m literally writing an NVIDIA compiler as I read Mike Blumenkrantz’s blog” Ekstrand with his explicit synchronization work. I’ve written a kernel patch to make it easier for user-space to check whether Jason’s new shiny IOCTLs are available. Unfortunately Greg K-H didn’t like the idea of using sysfs for IOCTL advertisement, and we didn’t find any other good solution, so I’ve merged Jason’s patches as-is and user-space needs to perform a kernel version check. At least I’ve learned how to add sysfs entries! If you want to learn more about Jason’s work, he’s written a blog post about it.
Progress is steady on the libdisplay-info front. I like taking a break from the complicated Linux graphics issues by writing a small patch to parse a new section of the EDID data structure. Don’t get me wrong, EDID is a total mess, but at least I don’t need to think too much when writing a parser. Pekka and Sebastian have been providing very good feedback. Sometimes I complain about their reviews being too nitpicky, but I’m sure I wouldn’t do better should the roles be reversed.
The NPotM is wlspeech, a small Wayland input method to write text using your voice. It leverages Mozilla’s DeepSpeech library for the voice recognition logic. It’s very basic at the moment: it just listens for 2 seconds, and then types the text it’s recognized. It would be nice to switch to ALSA’s non-blocking API, to add a hotkey to trigger the recording, give feedback about the currently recognized word via pre-edit text. Let me know if you’re interested in working on this.
That’s all for today, see you next month!
