RFR: 8312425: [vectorapi] AArch64: Optimize vector math operations with SLEEF [v11]

Stewart X Addison duke at openjdk.org
Tue Jul 16 10:38:58 UTC 2024 

On Tue, 16 Jul 2024 08:21:04 GMT, Andrew Haley <aph at openjdk.org> wrote:

> This is starting to sound like we need a policy decision, because we don't want to re-hash this discussion every time the question comes up, as it surely will. 

+1 to this if we don't already have one

While I haven't read through every comment in this thread in this specific case I generally agree with what @theRealAph has said in some of his earlier comments. My primary concern is that the generated code in there is currently effectively unreviewable in terms of checking for potential vulnerabilities so I also feel it's best to check in the whole (reviewable) source if this PR is to be accepted. Much as I dislike repository bloat I think it's a fairly easy decision in this case IMHO with SLEEF being 7.5MB in size when the openjdk codebase is so large.

An alternative "absolute minimum" would be to reference the GitHub SHA of the SLEEF source and include the process for regenerating it reproducibly so that this information is available to anyone who wanted to verify it. With my distributor (Temurin) hat on either of those solutions would mean we have the original source referenced for inclusion in the product SBOM to track the supply chain. I'll also note that I'm also making an assumption here that the generated code from SLEEF is reproducible and not sensitive to the build environment like the CDS archives - I have not tried building them myself to verify but I feel that is important to understand before merging the generated code.

As a project should also consider whole issue of ensuring that we have sufficient trust from a supply-chain perspective on the SLEEF source ... I have no specific reason to distrust it but it might be good to understand how well reviewed it is before doing this as it's not a project I'm personally familiar with.

_On a slightly separate note (and I see @luhenry is in this comment thread too and has contributed to SLEEF) it will be good if this can be used to enhance the performance on RISC-V too in the future ;-)_

-------------

PR Comment: https://git.openjdk.org/jdk/pull/18605#issuecomment-2230569814

More information about the build-dev mailing list