Re: [PATCH 0/2] RFC: Precise TSC migration

From: Marcelo Tosatti
Date: Tue Dec 01 2020 - 15:02:05 EST


On Tue, Dec 01, 2020 at 02:30:39PM +0200, Maxim Levitsky wrote:
> On Mon, 2020-11-30 at 16:16 -0300, Marcelo Tosatti wrote:
> > Hi Maxim,
> >
> > On Mon, Nov 30, 2020 at 03:35:57PM +0200, Maxim Levitsky wrote:
> > > Hi!
> > >
> > > This is the first version of the work to make TSC migration more accurate,
> > > as was defined by Paulo at:
> > > https://www.spinics.net/lists/kvm/msg225525.html
> >
> > Description from Oliver's patch:
> >
> > "To date, VMMs have typically restored the guest's TSCs by value using
> > the KVM_SET_MSRS ioctl for each vCPU. However, restoring the TSCs by
> > value introduces some challenges with synchronization as the TSCs
> > continue to tick throughout the restoration process. As such, KVM has
> > some heuristics around TSC writes to infer whether or not the guest or
> > host is attempting to synchronize the TSCs."
> >
> > Not really. The synchronization logic tries to sync TSCs during
> > BIOS boot (and CPU hotplug), because the TSC values are loaded
> > sequentially, say:
> >
> > CPU realtime TSC val
> > vcpu0 0 usec 0
> > vcpu1 100 usec 0
> > vcpu2 200 usec 0
> > ...
> >
> > And we'd like to see all vcpus to read the same value at all times.
> >
> > Other than that, comment makes sense. The problem with live migration
> > is as follows:
> >
> > We'd like the TSC value to be written, ideally, just before the first
> > VM-entry a vCPU (because at the moment the TSC_OFFSET has been written,
> > the vcpus tsc is ticking, which will cause a visible forward jump
> > in vcpus tsc time).
> >
> > Before the first VM-entry is the farthest point in time before guest
> > entry that one could do that.
> >
> > The window (or forward jump) between KVM_SET_TSC and VM-entry was about
> > 100ms last time i checked (which results in a 100ms time jump forward),
> > See QEMU's 6053a86fe7bd3d5b07b49dae6c05f2cd0d44e687.
> >
> > Have we measured any improvement with this patchset?
>
> Its not about this window.
> It is about time that passes between the point that we read the
> TSC on source system (and we do it in qemu each time the VM is paused)
> and the moment that we set the same TSC value on the target.
> That time is unbounded.

OK. Well, its the same problem: ideally you'd want to do that just
before VCPU-entry.

> Also this patchset should decrease TSC skew that happens
> between restoring it on multiple vCPUs as well, since
> KVM_SET_TSC_STATE doesn't have to happen at the same time,
> as it accounts for time passed on each vCPU.
>
>
> Speaking of kvmclock, somewhat offtopic since this is a different issue,
> I found out that qemu reads the kvmclock value on each pause,
> and then 'restores' on unpause, using
> KVM_SET_CLOCK (this modifies the global kvmclock offset)
>
> This means (and I tested it) that if guest uses kvmclock
> for time reference, it will not account for time passed in
> the paused state.

Yes, this is necessary because otherwise there might be an overflow
in the kernel time accounting code (if the clock delta is too large).

>
> >
> > Then Paolo mentions (with >), i am replying as usual.
> >
> > > Ok, after looking more at the code with Maxim I can confidently say that
> > > it's a total mess. And a lot of the synchronization code is dead
> > > because 1) as far as we could see no guest synchronizes the TSC using
> > > MSR_IA32_TSC;
> >
> > Well, recent BIOS'es take care of synchronizing the TSC. So when Linux
> > boots, it does not have to synchronize TSC in software.
>
> Do you have an example of such BIOS? I tested OVMF which I compiled
> from git master a few weeks ago, and I also tested this with seabios
> from qemu repo, and I have never seen writes to either TSC, or TSC_ADJUST
> from BIOS.

Oh, well, QEMU then.

> Or do you refer to the native BIOS on the host doing TSC synchronization?

No, virt.

> > However, upon migration (and initialization), the KVM_SET_TSC's do
> > not happen at exactly the same time (the MSRs for each vCPU are loaded
> > in sequence). The synchronization code in kvm_set_tsc() is for those cases.
>
> I agree with that, and this is one of the issues that KVM_SET_TSC_STATE
> is going to fix, since it accounts for it.
>
>
> >
> > > and 2) writing to MSR_IA32_TSC_ADJUST does not trigger the
> > > synchronization code in kvm_write_tsc.
> >
> > Not familiar how guests are using MSR_IA32_TSC_ADJUST (or Linux)...
> > Lets see:
> >
> >
> > /*
> > * Freshly booted CPUs call into this:
> > */
> > void check_tsc_sync_target(void)
> > {
> > struct tsc_adjust *cur = this_cpu_ptr(&tsc_adjust);
> > unsigned int cpu = smp_processor_id();
> > cycles_t cur_max_warp, gbl_max_warp;
> > int cpus = 2;
> >
> > /* Also aborts if there is no TSC. */
> > if (unsynchronized_tsc())
> > return;
> >
> > /*
> > * Store, verify and sanitize the TSC adjust register. If
> > * successful skip the test.
> > *
> > * The test is also skipped when the TSC is marked reliable. This
> > * is true for SoCs which have no fallback clocksource. On these
> > * SoCs the TSC is frequency synchronized, but still the TSC ADJUST
> > * register might have been wreckaged by the BIOS..
> > */
> > if (tsc_store_and_check_tsc_adjust(false) || tsc_clocksource_reliable) {
> > atomic_inc(&skip_test);
> > return;
> > }
> >
> > retry:
> >
> > I'd force that synchronization path to be taken as a test-case.
>
> Or even better as I suggested, we might tell the guest kernel
> to avoid this synchronization path when KVM is detected
> (regardless of invtsc flag)
>
> >
> >
> > > I have a few thoughts about the kvm masterclock synchronization,
> > > which relate to the Paulo's proposal that I implemented.
> > >
> > > The idea of masterclock is that when the host TSC is synchronized
> > > (or as kernel call it, stable), and the guest TSC is synchronized as well,
> > > then we can base the kvmclock, on the same pair of
> > > (host time in nsec, host tsc value), for all vCPUs.
> >
> > We _have_ to base. See the comment which starts with
> >
> > "Assuming a stable TSC across physical CPUS, and a stable TSC"
> >
> > at x86.c.
> >
> > > This makes the random error in calculation of this value invariant
> > > across vCPUS, and allows the guest to do kvmclock calculation in userspace
> > > (vDSO) since kvmclock parameters are vCPU invariant.
> >
> > Actually, without synchronized host TSCs (and the masterclock scheme,
> > with a single base read from a vCPU), kvmclock in kernel is buggy as
> > well:
> >
> > u64 pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
> > {
> > unsigned version;
> > u64 ret;
> > u64 last;
> > u8 flags;
> >
> > do {
> > version = pvclock_read_begin(src);
> > ret = __pvclock_read_cycles(src, rdtsc_ordered());
> > flags = src->flags;
> > } while (pvclock_read_retry(src, version));
> >
> > if (unlikely((flags & PVCLOCK_GUEST_STOPPED) != 0)) {
> > src->flags &= ~PVCLOCK_GUEST_STOPPED;
> > pvclock_touch_watchdogs();
> > }
> >
> > if ((valid_flags & PVCLOCK_TSC_STABLE_BIT) &&
> > (flags & PVCLOCK_TSC_STABLE_BIT))
> > return ret;
> >
> > The code that follows this (including cmpxchg) is a workaround for that
> > bug.
>
> I understand that. I am not arguing that we shoudn't use the masterclock!
> I am just saying the facts about the condition when it works.

Sure.

> > Workaround would require each vCPU to write to a "global clock", on
> > every clock read.
> >
> > > To ensure that the guest tsc is synchronized we currently track host/guest tsc
> > > writes, and enable the master clock only when roughly the same guest's TSC value
> > > was written across all vCPUs.
> >
> > Yes, because then you can do:
> >
> > vcpu0 vcpu1
> >
> > A = read TSC
> > ... elapsed time ...
> >
> > B = read TSC
> >
> > delta = B - A
> >
> > > Recently this was disabled by Paulo
> >
> > What was disabled exactly?
>
> The running of tsc synchronization code when the _guest_ writes the TSC.
>
> Which changes two things:
> 1. If the guest de-synchronizes its TSC, we won't disable master clock.
> 2. If the guest writes similar TSC values on each vCPU we won't detect
> this as synchronization attempt, replace this with exactly the same
> value and finally re-enable the master clock.
>
> I argue that this change is OK, because Linux guests don't write to TSC at all,
> the virtual BIOSes seems not to write there either, and the only case in which
> the Linux guest tries to change its TSC is on CPU hotplug as you mention and
> it uses TSC_ADJUST, that currently doesn't trigger TSC synchronization code in
> KVM anyway, so it is broken already.
>
> However I also argue that we should mention this in documentation just in case,
> and we might also want (also just in case) to make Linux guests avoid even trying to
> touch TSC_ADJUST register when running under KVM.
>
> To rehash my own words, the KVM_CLOCK_TSC_STABLE should be defined as:
> 'kvmclock is vCPU invariant, as long as the guest doesn't mess with its TSC'.
>
> Having said all that, now that I know tsc sync code, and the
> reasons why it is there, I wouldn't be arguing about putting it back either.

Agree.

> > > and I agree with this, because I think
> > > that we indeed should only make the guest TSC synchronized by default
> > > (including new hotplugged vCPUs) and not do any tsc synchronization beyond that.
> > > (Trying to guess when the guest syncs the TSC can cause more harm that good).
> > >
> > > Besides, Linux guests don't sync the TSC via IA32_TSC write,
> > > but rather use IA32_TSC_ADJUST which currently doesn't participate
> > > in the tsc sync heruistics.
> >
> > Linux should not try to sync the TSC with IA32_TSC_ADJUST. It expects
> > the BIOS to boot with synced TSCs.
> >
> > So i wonder what is making it attempt TSC sync in the first place?
>
> CPU hotplug. And the guest doesn't really write to TSC_ADJUST
> since it's measurement code doesn't detect any tsc warps.
>
> I was just thinking that in theory since, this is a VM, and it can be
> interrupted at any point, the measurement code should sometimes fall,
> and cause trouble.
> I didn't do much homework on this so I might be overreacting.

That is true (and you can see it with a CPU starved guest).

> As far as I see X86_FEATURE_TSC_RELIABLE was done mostly to support
> running under Hyper-V and VMWARE, and these should be prone to similar
> issues, supporting my theory.
>
> >
> > (one might also want to have Linux's synchronization via IA32_TSC_ADJUST
> > working, but it should not need to happen in the first place, as long as
> > QEMU and KVM are behaving properly).
> >
> > > And as far as I know, Linux guest is the primary (only?) user of the kvmclock.
> >
> > Only AFAIK.
> >
> > > I *do think* however that we should redefine KVM_CLOCK_TSC_STABLE
> > > in the documentation to state that it only guarantees invariance if the guest
> > > doesn't mess with its own TSC.
> > >
> > > Also I think we should consider enabling the X86_FEATURE_TSC_RELIABLE
> > > in the guest kernel, when kvm is detected to avoid the guest even from trying
> > > to sync TSC on newly hotplugged vCPUs.
> >
> > See 7539b174aef405d9d57db48c58390ba360c91312.
>
> I know about this, and I personally always use invtsc
> with my VMs.

Well, we can't make it (-cpu xxx,+invtsc) the default if vm-stop/vm-cont are unstable
with TSC!

> > Was hoping to make that (-cpu xxx,+invtsc) the default in QEMU once invariant TSC code
> > becomes stable. Should be tested enough by now?
>
> The issue is that Qemu blocks migration when invtsc is set, based on the
> fact that the target machine might have different TSC frequency and no
> support for TSC scaling.
> There was a long debate on this long ago.

Oh right.

> It is possible though to override this by specifying the exact frequency
> you want the guest TSC to run at, by using something like
> (tsc-frequency=3500000000)
> I haven't checked if libvirt does this or not.

It does.

> I do think that as long as the user uses modern CPUs (which have stable TSC
> and support TSC scaling), there is no reason to disable invtsc, and
> therefore no reason to use kvmclock.

Yep. TSC is faster.

> > > (The guest doesn't end up touching TSC_ADJUST usually, but it still might
> > > in some cases due to scheduling of guest vCPUs)
> > >
> > > (X86_FEATURE_TSC_RELIABLE short circuits tsc synchronization on CPU hotplug,
> > > and TSC clocksource watchdog, and the later we might want to keep).
> >
> > The latter we want to keep.
> >
> > > For host TSC writes, just as Paulo proposed we can still do the tsc sync,
> > > unless the new code that I implemented is in use.
> >
> > So Paolo's proposal is to
> >
> > "- for live migration, userspace is expected to use the new
> > KVM_GET/SET_TSC_PRECISE (or whatever the name will be) to get/set a
> > (nanosecond, TSC, TSC_ADJUST) tuple."
> >
> > Makes sense, so that no time between KVM_SET_TSC and
> > MSR_WRITE(TSC_ADJUST) elapses, which would cause the TSC to go out
> > of what is desired by the user.
> >
> > Since you are proposing this new ioctl, perhaps its useful to also
> > reduce the 100ms jump?
>
> Yep. As long as target and destantion clocks are synchronized,
> it should make it better.
>
> >
> > "- for live migration, userspace is expected to use the new
> > KVM_GET/SET_TSC_PRECISE (or whatever the name will be) to get/set a
> > (nanosecond, TSC, TSC_ADJUST) tuple. This value will be written
> > to the guest before the first VM-entry"
> >
> > Sounds like a good idea (to integrate the values in a tuple).
> >
> > > Few more random notes:
> > >
> > > I have a weird feeling about using 'nsec since 1 January 1970'.
> > > Common sense is telling me that a 64 bit value can hold about 580 years,
> > > but still I see that it is more common to use timespec which is a (sec,nsec) pair.
> >
> > struct timespec {
> > time_t tv_sec; /* seconds */
> > long tv_nsec; /* nanoseconds */
> > };
> >
> > > I feel that 'kvm_get_walltime' that I added is a bit of a hack.
> > > Some refactoring might improve things here.
> >
> > Haven't read the patchset yet...
> >
> > > For example making kvm_get_walltime_and_clockread work in non tsc case as well
> > > might make the code cleaner.
> > >
> > > Patches to enable this feature in qemu are in process of being sent to
> > > qemu-devel mailing list.
> > >
> > > Best regards,
> > > Maxim Levitsky
> > >
> > > Maxim Levitsky (2):
> > > KVM: x86: implement KVM_SET_TSC_PRECISE/KVM_GET_TSC_PRECISE
> > > KVM: x86: introduce KVM_X86_QUIRK_TSC_HOST_ACCESS
> > >
> > > Documentation/virt/kvm/api.rst | 56 +++++++++++++++++++++
> > > arch/x86/include/uapi/asm/kvm.h | 1 +
> > > arch/x86/kvm/x86.c | 88 +++++++++++++++++++++++++++++++--
> > > include/uapi/linux/kvm.h | 14 ++++++
> > > 4 files changed, 154 insertions(+), 5 deletions(-)
> > >
> > > --
> > > 2.26.2
> > >
>
> Best regards,
> Maxim Levitsky
>