1ORC unwinder
2============
3
4Overview
5--------
6
7The kernel CONFIG_UNWINDER_ORC option enables the ORC unwinder, which is
8similar in concept to a DWARF unwinder.  The difference is that the
9format of the ORC data is much simpler than DWARF, which in turn allows
10the ORC unwinder to be much simpler and faster.
11
12The ORC data consists of unwind tables which are generated by objtool.
13They contain out-of-band data which is used by the in-kernel ORC
14unwinder.  Objtool generates the ORC data by first doing compile-time
15stack metadata validation (CONFIG_STACK_VALIDATION).  After analyzing
16all the code paths of a .o file, it determines information about the
17stack state at each instruction address in the file and outputs that
18information to the .orc_unwind and .orc_unwind_ip sections.
19
20The per-object ORC sections are combined at link time and are sorted and
21post-processed at boot time.  The unwinder uses the resulting data to
22correlate instruction addresses with their stack states at run time.
23
24
25ORC vs frame pointers
26---------------------
27
28With frame pointers enabled, GCC adds instrumentation code to every
29function in the kernel.  The kernel's .text size increases by about
303.2%, resulting in a broad kernel-wide slowdown.  Measurements by Mel
31Gorman [1] have shown a slowdown of 5-10% for some workloads.
32
33In contrast, the ORC unwinder has no effect on text size or runtime
34performance, because the debuginfo is out of band.  So if you disable
35frame pointers and enable the ORC unwinder, you get a nice performance
36improvement across the board, and still have reliable stack traces.
37
38Ingo Molnar says:
39
40  "Note that it's not just a performance improvement, but also an
41  instruction cache locality improvement: 3.2% .text savings almost
42  directly transform into a similarly sized reduction in cache
43  footprint. That can transform to even higher speedups for workloads
44  whose cache locality is borderline."
45
46Another benefit of ORC compared to frame pointers is that it can
47reliably unwind across interrupts and exceptions.  Frame pointer based
48unwinds can sometimes skip the caller of the interrupted function, if it
49was a leaf function or if the interrupt hit before the frame pointer was
50saved.
51
52The main disadvantage of the ORC unwinder compared to frame pointers is
53that it needs more memory to store the ORC unwind tables: roughly 2-4MB
54depending on the kernel config.
55
56
57ORC vs DWARF
58------------
59
60ORC debuginfo's advantage over DWARF itself is that it's much simpler.
61It gets rid of the complex DWARF CFI state machine and also gets rid of
62the tracking of unnecessary registers.  This allows the unwinder to be
63much simpler, meaning fewer bugs, which is especially important for
64mission critical oops code.
65
66The simpler debuginfo format also enables the unwinder to be much faster
67than DWARF, which is important for perf and lockdep.  In a basic
68performance test by Jiri Slaby [2], the ORC unwinder was about 20x
69faster than an out-of-tree DWARF unwinder.  (Note: That measurement was
70taken before some performance tweaks were added, which doubled
71performance, so the speedup over DWARF may be closer to 40x.)
72
73The ORC data format does have a few downsides compared to DWARF.  ORC
74unwind tables take up ~50% more RAM (+1.3MB on an x86 defconfig kernel)
75than DWARF-based eh_frame tables.
76
77Another potential downside is that, as GCC evolves, it's conceivable
78that the ORC data may end up being *too* simple to describe the state of
79the stack for certain optimizations.  But IMO this is unlikely because
80GCC saves the frame pointer for any unusual stack adjustments it does,
81so I suspect we'll really only ever need to keep track of the stack
82pointer and the frame pointer between call frames.  But even if we do
83end up having to track all the registers DWARF tracks, at least we will
84still be able to control the format, e.g. no complex state machines.
85
86
87ORC unwind table generation
88---------------------------
89
90The ORC data is generated by objtool.  With the existing compile-time
91stack metadata validation feature, objtool already follows all code
92paths, and so it already has all the information it needs to be able to
93generate ORC data from scratch.  So it's an easy step to go from stack
94validation to ORC data generation.
95
96It should be possible to instead generate the ORC data with a simple
97tool which converts DWARF to ORC data.  However, such a solution would
98be incomplete due to the kernel's extensive use of asm, inline asm, and
99special sections like exception tables.
100
101That could be rectified by manually annotating those special code paths
102using GNU assembler .cfi annotations in .S files, and homegrown
103annotations for inline asm in .c files.  But asm annotations were tried
104in the past and were found to be unmaintainable.  They were often
105incorrect/incomplete and made the code harder to read and keep updated.
106And based on looking at glibc code, annotating inline asm in .c files
107might be even worse.
108
109Objtool still needs a few annotations, but only in code which does
110unusual things to the stack like entry code.  And even then, far fewer
111annotations are needed than what DWARF would need, so they're much more
112maintainable than DWARF CFI annotations.
113
114So the advantages of using objtool to generate ORC data are that it
115gives more accurate debuginfo, with very few annotations.  It also
116insulates the kernel from toolchain bugs which can be very painful to
117deal with in the kernel since we often have to workaround issues in
118older versions of the toolchain for years.
119
120The downside is that the unwinder now becomes dependent on objtool's
121ability to reverse engineer GCC code flow.  If GCC optimizations become
122too complicated for objtool to follow, the ORC data generation might
123stop working or become incomplete.  (It's worth noting that livepatch
124already has such a dependency on objtool's ability to follow GCC code
125flow.)
126
127If newer versions of GCC come up with some optimizations which break
128objtool, we may need to revisit the current implementation.  Some
129possible solutions would be asking GCC to make the optimizations more
130palatable, or having objtool use DWARF as an additional input, or
131creating a GCC plugin to assist objtool with its analysis.  But for now,
132objtool follows GCC code quite well.
133
134
135Unwinder implementation details
136-------------------------------
137
138Objtool generates the ORC data by integrating with the compile-time
139stack metadata validation feature, which is described in detail in
140tools/objtool/Documentation/stack-validation.txt.  After analyzing all
141the code paths of a .o file, it creates an array of orc_entry structs,
142and a parallel array of instruction addresses associated with those
143structs, and writes them to the .orc_unwind and .orc_unwind_ip sections
144respectively.
145
146The ORC data is split into the two arrays for performance reasons, to
147make the searchable part of the data (.orc_unwind_ip) more compact.  The
148arrays are sorted in parallel at boot time.
149
150Performance is further improved by the use of a fast lookup table which
151is created at runtime.  The fast lookup table associates a given address
152with a range of indices for the .orc_unwind table, so that only a small
153subset of the table needs to be searched.
154
155
156Etymology
157---------
158
159Orcs, fearsome creatures of medieval folklore, are the Dwarves' natural
160enemies.  Similarly, the ORC unwinder was created in opposition to the
161complexity and slowness of DWARF.
162
163"Although Orcs rarely consider multiple solutions to a problem, they do
164excel at getting things done because they are creatures of action, not
165thought." [3]  Similarly, unlike the esoteric DWARF unwinder, the
166veracious ORC unwinder wastes no time or siloconic effort decoding
167variable-length zero-extended unsigned-integer byte-coded
168state-machine-based debug information entries.
169
170Similar to how Orcs frequently unravel the well-intentioned plans of
171their adversaries, the ORC unwinder frequently unravels stacks with
172brutal, unyielding efficiency.
173
174ORC stands for Oops Rewind Capability.
175
176
177[1] https://lkml.kernel.org/r/20170602104048.jkkzssljsompjdwy@suse.de
178[2] https://lkml.kernel.org/r/d2ca5435-6386-29b8-db87-7f227c2b713a@suse.cz
179[3] http://dustin.wikidot.com/half-orcs-and-orcs
180