-
Notifications
You must be signed in to change notification settings - Fork 948
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gate MSL infinite loop optimization workaround to a flag enabled by default #6520
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to fix this as described here: #6518 (comment)
@jimblandy copying your comment here:
What do you mean by "some sort of bounds checks" here? Add a |
Also, I am no wgpu expert, but AIUI native apps needing to use |
This reverts commit 7561726.
A model for this is something like #5508, where this is a new configuration option. It's still possible to execute UB on the GPU with or without this feature, since this doesn't stop you running the infinite loop. So I'd push back on making this unsafe to configure, but I think a new "unsafe" field on |
@DJMcNab @jimblandy could you give me a rationale on why we should be presenting this as an option at all to users instead of just gating it to WASM as I initially considered? Since the bounds checks are necessary if and only if we are on WASM (AIUI), I don't see a need to surface this, and even if the concern is this is a platform-specific tweak, I could internally represent the infinite loop bounds checking platform as a set that merely includes WASM, instead of hardcoding WASM as the only infinite loop bounds checked platform. |
Actually, that part of the PR was also not correct, I just didn't mention it because there were bigger changes needed. Any native application using wgpu's Metal backend needs the The idea is that applications will indeed need to change how they use wgpu if they want to avoid the overhead. Applications that trust their shaders (most native apps) should need to positively indicate this to wgpu, so that the safe behavior is the default. |
I should mention that the I think the proper fix is a similar branch on a volatile, but controlling a break out of the loop. This prevents the compiler from concluding that the loop is infinite in the first place. edit: to be clear - the problems I'm discussing here don't need to be fixed by this PR, they're a separate issue. |
Okay, @jimblandy if I am understanding you correctly the change is quite simple and we only have to check on |
As a wgpu user, I'd prefer to configure this separately to bounds checking. Validating that I don't have any infinite loops is something which I have to do anyway (e.g. on other platforms to avoid timeouts), so making that assertion is something I'd be happy to do. However, I'd quite like to keep bounds checking safety. |
@DJMcNab I don't think this validates you have no infinite loops as much as it just stops them from causing some vulnerability issues (on Metal only), I have no issues with such a feature (or gating this behind such a new feature) but that's probably best done by a separate PR. |
Okay - if the combination of bounds checking and no loop marking is valuable, we can think about how to make that possible. I think that sounds like an unusual combination, though. |
What Daniel meant is, he personally ensures that his shaders have no infinite loops, so he doesn't need the overhead of the kludge, but he would still like the bounds checking. |
Again, it's a question of relative ease of validation. It's relatively feasible to validate that a loop is well formed, but it's hard to do that validation for a memory access. And a poorly-formed loop will make itself apparent (on non-metal platforms where it won't be optimised out) quite quickly (linebender/xilem#613), whereas a missed bounds check would be likely to cause heisenbugs or worse. We access many more arrays than we use (non-for) loops, so the relative effort required to check loops is lower. We're not dealing with untrusted shaders. Ideally, we'd be able to configure them both orthogonally per-shader, rather than getting a grab-bag of properties through using |
Thought: unchecked should have a set of flags of checks to disable. |
Co-authored-by: Erich Gubler <erichdongubler@gmail.com>
I'm not hearing any arguments against @DJMcNab's idea of adding a separate field to |
To be clear I would gladly revert the recent commit if there's pushback. It's also worth taking a step back and asking the following questions
Would appreciate a direct answer to these from a wgpu expert as it would make it clear how to implement this 🙂 |
Alright, lets take a step back and look at the facts:
My vibe is that the entry point should be unsafe, not just setting the boolean as that feels like a bit of a hacky use of unsafe. Which would suggest putting the flags on the create_shader_module_unchecked, potentially alongside the other bounds check flags |
Agreed, though I will say the introduction of the kludge was a breaking change for me, as now (bevy's) performance is impacted unless we start using
Fair, I think this counts as a nay on |
@cwfitzgerald @jimblandy I see there's been a bunch of related development in other PRs... is this something you are still interested in getting merged? |
Yes! I'll lead this to completion, I want to make a few api adjustements, but I'll make sure you're a co-author on it |
Closing in favor of #6662 |
Connections
Fixes #6518
Description
The infinite loop optimization workaround in commit 3fda684 introdues performance issues with loops. This PR gates this change to wasm as that is the main platform where this fixes a security issue.
Testing
Tested the same way as in #6518. Performance is back to normal levels.