Fix potential 'Floating Point Exception' with speculative execution

[grospelliergilles]

With the current version of runtime and version 8.0-rc2, there is a 'Floating Point Exception' (signal SIGFPE) when floating point exception are enabled (via feenableexcept()).

It seems to be due to speculative execution of the division in the check.

This patch remove the check and make sure we do not divide by zero.

Alternatively, because the result of this function is only to check if the fragmentation is high enough, we can rewrite the part of the code to remove all divide operation.

[ghost]

Tagging subscribers to this area: @dotnet/gc
See info in area-owners.md if you want to be subscribed.

Issue Details

---

With the current version of runtime and version 8.0-rc2, there is a 'Floating Point Exception' (signal SIGFPE) when floating point exception are enabled (via feenableexcept()).

It seems to be due to speculative execution of the division in the check.

This patch remove the check and make sure we do not divide by zero.

Alternatively, because the result of this function is only to check if the fragmentation is high enough, we can rewrite the part of the code to remove all divide operation.

Author:	grospelliergilles
Assignees:	-
Labels:	area-GC-coreclr, community-contribution
Milestone:	-

[tannergooding]

Running with floating-point exceptions enabled is explicitly not supported, the behavior that occurs if it is enabled is undefined.

CC. @jkotas

[grospelliergilles]

Thanks for your response.
I already had this kind of error in old versions of the runtime (#76257) and this was fixed.
In my application I do not have control on enabling floating point exception. And because it occurs in the garbage collector I can not disable them in this part.
The fix is pretty simple and should not change the results. Do you think it could be merged ?

[mangod9]

@Maoni0 as well.

[Maoni0]

this is a different issue from the fix I made in #76294. if a speculative execution can result in SIGFPE (which seems quite dangerous to me), that means the fix I made would subject to the same problem.

we should decide whether we want to support this speculative execution scenario at all - if we do, we should harden all the places this can happen instead of making one off fixes like this.

I don't have a strong opinion on whether to support it or not, @jkotas, do you?

[jkotas]

As I have said in #76257 (comment), .NET runtime and libraries are not compatible with enabled floating point exceptions. If you need floating point exceptions enabled for your C/C++ library, you need to disable around them around the calls to .NET runtime.

I do not think that one-off workarounds like the one proposed in this PR make sense.

[grospelliergilles]

Thansk @jkotas for your response. It is difficult to disable FPE around this part of the code because it is called by the garbage collector and I do not know when it will be called. I will try to use GC.RegisterForFullGCNotification() to see if it works.

Alternatively, I think the code may be rewritten without using division because the result is only used in comparison. So instead of checking a>b/c we can rewrite as a*c>b. If you agree I can provide a patch to remove them if you want.

[jkotas]

So instead of checking a>b/c we can rewrite as a*c>b

generation_allocator_efficiency is called in number of places. I do not see how you can do this rewrite.

[grospelliergilles]

I have removed floating point usage in the two functions which can throw FPE.
Using only integer division there is no longer potential FPE.

[grospelliergilles]

@grospelliergilles please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@dotnet-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@dotnet-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@dotnet-policy-service agree company="Microsoft"

Contributor License Agreement
@dotnet-policy-service agree

[grospelliergilles]

@dotnet-policy-service agree

[mangod9]

@grospelliergilles, there appear to be build breaks on x86. @Maoni0 please review as well.

[markples]

I feel like there is some readability loss here. Perhaps it can be addressed (see my specific remark on a comment that could help). Also, I think it would help to limit the use of uint64_t to where the large values can occur. generation_allocator_efficiency_percent can have an intermediate large value but returns a percentage. generation_unusable_fragmentation also can have an intermediate large value but returns a size (in fact, this is the cause of the build break because the call site is appropriately expecting a size_t.

However, given this, I wonder if adding something like FLT_EPSILON to the denominator would be a clearer fix. I thought about suggesting that generation_unusable_fragmentation continue to call generation_allocator_efficiency_percent with appropriate scaling, but I see that you were careful to avoid rounding errors due to integer truncation and I don't think we want to try to analyze if percent, per mille, etc., would be sufficient.

[markples]

This could use a comment, either that it is based on rewriting of (100 - efficiency)/100 * free_list_space or inefficiency * free_list_space, being careful in both cases to minimize the impact of the integer division.

[grospelliergilles]

Thanks for your report. I will make the required change and add the information your want.
If you prefer I revert to the first commit (using FLT_EPSILON) I can also do that.

[Maoni0]

I would really rather to not have to have the presence of FLT_EPSILON in the GC code at all if I can avoid it :) it's just another thing that someone who's not familiar with FP has to care about.

but I agree with @markples that these should continue to return size_t, instead of uint64_t. I would also add a comment above generation_allocator_efficiency_percent to explain why this is written this way (to accommodate this exception specific to FP which is not a common knowledge AFAIK) instead of the previous way which seems more natural.

[Maoni0]

Suggested change

	if (free_obj_space==0)
	if ((free_list_allocated + free_obj_space) == 0)

[markples]

I think the idea is that if free_obj_space is zero, then the computation will be zero regardless of the free_list_allocated value. (unless one can be negative...) It's subtle and perhaps not worth the microoptimization or worth a comment. The same patterns occurs in the efficiency method.

[grospelliergilles]

Yes if free_obj_space is zero then the result is always zero. The operands are of type size_t and so can not be negative.

[Maoni0]

yes, I got the idea. but this kind of microoptimization is not worth it at all. I'd much rather have the code be easier to understand.

[grospelliergilles]

Thanks for your report. I will do as requested.

[jkotas]

Build break

D:\a\_work\1\s\src\coreclr\gc\gc.cpp(22277): error C2220: the following warning is treated as an error
D:\a\_work\1\s\src\coreclr\gc\gc.cpp(22277): warning C4267: '=': conversion from 'size_t' to 'uint32_t', possible loss of data

[mangod9]

@grospelliergilles is this PR ready to review again?

[grospelliergilles]

@grospelliergilles is this PR ready to review again?

I have fixed compile errors so I think it is OK.

[mangod9]

@Maoni0 can you please take another look?

[Maoni0]

LGTM

[mangod9]

thanks @grospelliergilles for your help.

[grospelliergilles]

Thank you very much @mangod9 for accepting my PR.