subject:"RE\: PR84239, Reimplement CET intrinsics for rdssp\/incssp insn"

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

2018-02-15 Thread Joseph Myers

On Thu, 15 Feb 2018, Tsimbalist, Igor V wrote:

> I haven't managed to run it through 
> ./glibc/glibc.sourceware/scripts/build-many-glibcs.py. I did bootstrap 
> and CET tests.
> 
> Ok for trunk?

OK.

-- 
Joseph S. Myers
jos...@codesourcery.com

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

2018-02-15 Thread Tsimbalist, Igor V



Igor


> -Original Message-
> From: Joseph Myers [mailto:jos...@codesourcery.com]
> Sent: Thursday, February 15, 2018 1:24 AM
> To: Tsimbalist, Igor V 
> Cc: Sandra Loosemore ; gcc-
> patc...@gcc.gnu.org; Uros Bizjak 
> Subject: RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn
> 
> This patch has broken bootstrap of a cross toolchain for x86_64 (the case
> where inhibit_libc is defined because there is no libc for the target
> available at that stage in the bootstrap process).
> 
> In file included from
> /scratch/jmyers/glibc-bot/build/compilers/x86_64-linux-gnu/gcc-
> first/gcc/include/xmmintrin.h:34,
>  from
> /scratch/jmyers/glibc-bot/build/compilers/x86_64-linux-gnu/gcc-
> first/gcc/include/x86intrin.h:33,
>  from
> /scratch/jmyers/glibc-bot/src/gcc/libgcc/config/i386/shadow-stack-
> unwind.h:25,
>  from ./md-unwind-support.h:27,
>  from 
> /scratch/jmyers/glibc-bot/src/gcc/libgcc/unwind-dw2.c:411:
> ../../.././gcc/mm_malloc.h:27:10: fatal error: stdlib.h: No such file or 
> directory
>  #include 
>   ^~
> 
> https://sourceware.org/ml/libc-testresults/2018-q1/msg00307.html
> 
> The patch makes shadow-stack-unwind.h include , which ends
> up
> including , which includes  and 
> unconditionally.  You can't include any libc system headers
> unconditionally from libgcc (only when inhibit_libc is not defined - and
> , being an installed header, can't test inhibit_libc because
> it's in the user's namespace).  So I think you need to avoid the
> mm_malloc.h include here somehow (without adding any inhibit_libc
> conditionals to installed headers).

Here is a proposed patch

diff --git a/libgcc/config/i386/shadow-stack-unwind.h 
b/libgcc/config/i386/shadow-stack-unwind.h
index 416e061..b7c3d98 100644
--- a/libgcc/config/i386/shadow-stack-unwind.h
+++ b/libgcc/config/i386/shadow-stack-unwind.h
@@ -22,7 +22,14 @@ a copy of the GCC Runtime Library Exception along with this 
program;
 see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
 <http://www.gnu.org/licenses/>.  */

-#include 
+/* NB: We need _get_ssp and _inc_ssp from .  But we can't
+   include  which ends up including , which
+   includes  and  unconditionally.  But we can't
+   include any libc system headers unconditionally from libgcc.  Avoid
+   including  here by defining _IMMINTRIN_H_INCLUDED.  */
+#define _IMMINTRIN_H_INCLUDED
+#include 
+#undef _IMMINTRIN_H_INCLUDED

 /* Unwind the shadow stack for EH.  */
 #undef _Unwind_Frames_Extra

I haven't managed to run it through 
./glibc/glibc.sourceware/scripts/build-many-glibcs.py. I did bootstrap and CET 
tests.

Ok for trunk?

Igor

> --
> Joseph S. Myers
> jos...@codesourcery.com

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

2018-02-14 Thread Joseph Myers

This patch has broken bootstrap of a cross toolchain for x86_64 (the case 
where inhibit_libc is defined because there is no libc for the target 
available at that stage in the bootstrap process).

In file included from 
/scratch/jmyers/glibc-bot/build/compilers/x86_64-linux-gnu/gcc-first/gcc/include/xmmintrin.h:34,
 from 
/scratch/jmyers/glibc-bot/build/compilers/x86_64-linux-gnu/gcc-first/gcc/include/x86intrin.h:33,
 from 
/scratch/jmyers/glibc-bot/src/gcc/libgcc/config/i386/shadow-stack-unwind.h:25,
 from ./md-unwind-support.h:27,
 from /scratch/jmyers/glibc-bot/src/gcc/libgcc/unwind-dw2.c:411:
../../.././gcc/mm_malloc.h:27:10: fatal error: stdlib.h: No such file or 
directory
 #include 
  ^~

https://sourceware.org/ml/libc-testresults/2018-q1/msg00307.html

The patch makes shadow-stack-unwind.h include , which ends up 
including , which includes  and  
unconditionally.  You can't include any libc system headers 
unconditionally from libgcc (only when inhibit_libc is not defined - and 
, being an installed header, can't test inhibit_libc because 
it's in the user's namespace).  So I think you need to avoid the 
mm_malloc.h include here somehow (without adding any inhibit_libc 
conditionals to installed headers).

-- 
Joseph S. Myers
jos...@codesourcery.com

Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

2018-02-13 Thread Jeff Law

On 02/12/2018 07:16 AM, Tsimbalist, Igor V wrote:
>> -Original Message-
>> From: Sandra Loosemore [mailto:san...@codesourcery.com]
>> Sent: Friday, February 9, 2018 7:42 PM
>> To: Tsimbalist, Igor V ; gcc-
>> patc...@gcc.gnu.org
>> Cc: Uros Bizjak 
>> Subject: Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn
>>
>> On 02/09/2018 05:50 AM, Tsimbalist, Igor V wrote:
>>> Introduce a couple of new CET intrinsics for reading and updating a
>> shadow stack
>>> pointer (_get_ssp and _inc_ssp), which are more user friendly. They replace
>> the existing
>>> _rdssp[d|q] and _incssp[d|q] instrinsics. The _get_ssp intrinsic has more
>> deterministic
>>> semantic: it returns a value of the shadow stack pointer if HW is CET
>> capable and
>>> 0 otherwise.
>>>
>>> Ok for trunk?
>> Just reviewing the documentation part:
>>
>>> diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
>>> index cb9df97..9f25dd9 100644
>>> --- a/gcc/doc/extend.texi
>>> +++ b/gcc/doc/extend.texi
>>> @@ -12461,6 +12461,7 @@ instructions, but allow the compiler to
>> schedule those calls.
>>>  * TILEPro Built-in Functions::
>>>  * x86 Built-in Functions::
>>>  * x86 transactional memory intrinsics::
>>> +* x86 control-flow protection intrinsics::
>>>  @end menu
>>>
>>>  @node AArch64 Built-in Functions
>>> @@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
>>>  unsigned int __builtin_ia32_rdpkru ()
>>>  @end smallexample
>>>
>>> -The following built-in functions are available when @option{-mcet} is
>> used.
>>> -They are used to support Intel Control-flow Enforcment Technology (CET).
>>> -Each built-in function generates the  machine instruction that is part of
>> the
>>> -function's name.
>>> +The following built-in functions are available when @option{-mcet} or
>>> +@option{-mshstk} option is used.  They support shadow stack
>>> +machine instructions from Intel Control-flow Enforcment Technology
>> (CET).
>>
>> s/Enforcment/Enforcement/
>>
>>> +Each built-in function generates the  machine instruction that is part
>>> +of the function's name.  These are the internal low level functions.
>> s/low level/low-level/
>>
>>> +Normally the functions in @ref{x86 control-flow protection intrinsics}
>>> +should be used instead.
>>> +
>>>  @smallexample
>>> -unsigned int __builtin_ia32_rdsspd (unsigned int)
>>> -unsigned long long __builtin_ia32_rdsspq (unsigned long long)
>>> +unsigned int __builtin_ia32_rdsspd (void)
>>> +unsigned long long __builtin_ia32_rdsspq (void)
>>>  void __builtin_ia32_incsspd (unsigned int)
>>>  void __builtin_ia32_incsspq (unsigned long long)
>>>  void __builtin_ia32_saveprevssp(void);
>>> @@ -21885,6 +21890,51 @@ else
>>>  Note that, in most cases, the transactional and non-transactional code
>>>  must synchronize together to ensure consistency.
>>>
>>> +@node x86 control-flow protection intrinsics
>>> +@subsection x86 Control-Flow Protection Intrinsics
>>> +
>>> +@deftypefn {CET Function} {ret_type} _get_ssp (void)
>>> +The @code{ret_type} is @code{unsigned long long} for x86-64 platform
>>> +and @code{unsigned int} for x86 pltform.
>> I'd prefer the sentence about the return type be placed after the
>> description of what the function does.  And please fix typos:
>> s/x86-64 platform/64-bit targets/
>> s/x86 pltform/32-bit targets/
>>
>>> +Get the current value of shadow stack pointer if shadow stack support
>>> +from Intel CET is enabled in the HW or @code{0} otherwise.
>> s/HW/hardware,/
>>
>>> +@end deftypefn
>>> +
>>> +@deftypefn {CET Function} void _inc_ssp (unsigned int)
>>> +Increment the current shadow stack pointer by the size specified by the
>>> +function argument.  For security reason only unsigned byte value is used
>>> +from the argument.  Therefore for the size greater than @code{255} the
>>> +function should be called several times.
>> How about rephrasing the last two sentences:
>>
>> The argument is masked to a byte value for security reasons, so to
>> increment by more than 255 bytes you must call the function multiple times.
>>
>>> +@end deftypefn
>>> +
>>> +The shadow stack unwind code looks like:
>>> +
>>> +@smallexample
>>> +#include 
&g

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

2018-02-12 Thread Tsimbalist, Igor V

> -Original Message-
> From: Sandra Loosemore [mailto:san...@codesourcery.com]
> Sent: Friday, February 9, 2018 7:42 PM
> To: Tsimbalist, Igor V ; gcc-
> patc...@gcc.gnu.org
> Cc: Uros Bizjak 
> Subject: Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn
> 
> On 02/09/2018 05:50 AM, Tsimbalist, Igor V wrote:
> > Introduce a couple of new CET intrinsics for reading and updating a
> shadow stack
> > pointer (_get_ssp and _inc_ssp), which are more user friendly. They replace
> the existing
> > _rdssp[d|q] and _incssp[d|q] instrinsics. The _get_ssp intrinsic has more
> deterministic
> > semantic: it returns a value of the shadow stack pointer if HW is CET
> capable and
> > 0 otherwise.
> >
> > Ok for trunk?
> 
> Just reviewing the documentation part:
> 
> > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
> > index cb9df97..9f25dd9 100644
> > --- a/gcc/doc/extend.texi
> > +++ b/gcc/doc/extend.texi
> > @@ -12461,6 +12461,7 @@ instructions, but allow the compiler to
> schedule those calls.
> >  * TILEPro Built-in Functions::
> >  * x86 Built-in Functions::
> >  * x86 transactional memory intrinsics::
> > +* x86 control-flow protection intrinsics::
> >  @end menu
> >
> >  @node AArch64 Built-in Functions
> > @@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
> >  unsigned int __builtin_ia32_rdpkru ()
> >  @end smallexample
> >
> > -The following built-in functions are available when @option{-mcet} is
> used.
> > -They are used to support Intel Control-flow Enforcment Technology (CET).
> > -Each built-in function generates the  machine instruction that is part of
> the
> > -function's name.
> > +The following built-in functions are available when @option{-mcet} or
> > +@option{-mshstk} option is used.  They support shadow stack
> > +machine instructions from Intel Control-flow Enforcment Technology
> (CET).
> 
> s/Enforcment/Enforcement/
> 
> > +Each built-in function generates the  machine instruction that is part
> > +of the function's name.  These are the internal low level functions.
> 
> s/low level/low-level/
> 
> > +Normally the functions in @ref{x86 control-flow protection intrinsics}
> > +should be used instead.
> > +
> >  @smallexample
> > -unsigned int __builtin_ia32_rdsspd (unsigned int)
> > -unsigned long long __builtin_ia32_rdsspq (unsigned long long)
> > +unsigned int __builtin_ia32_rdsspd (void)
> > +unsigned long long __builtin_ia32_rdsspq (void)
> >  void __builtin_ia32_incsspd (unsigned int)
> >  void __builtin_ia32_incsspq (unsigned long long)
> >  void __builtin_ia32_saveprevssp(void);
> > @@ -21885,6 +21890,51 @@ else
> >  Note that, in most cases, the transactional and non-transactional code
> >  must synchronize together to ensure consistency.
> >
> > +@node x86 control-flow protection intrinsics
> > +@subsection x86 Control-Flow Protection Intrinsics
> > +
> > +@deftypefn {CET Function} {ret_type} _get_ssp (void)
> > +The @code{ret_type} is @code{unsigned long long} for x86-64 platform
> > +and @code{unsigned int} for x86 pltform.
> 
> I'd prefer the sentence about the return type be placed after the
> description of what the function does.  And please fix typos:
> s/x86-64 platform/64-bit targets/
> s/x86 pltform/32-bit targets/
> 
> > +Get the current value of shadow stack pointer if shadow stack support
> > +from Intel CET is enabled in the HW or @code{0} otherwise.
> 
> s/HW/hardware,/
> 
> > +@end deftypefn
> > +
> > +@deftypefn {CET Function} void _inc_ssp (unsigned int)
> > +Increment the current shadow stack pointer by the size specified by the
> > +function argument.  For security reason only unsigned byte value is used
> > +from the argument.  Therefore for the size greater than @code{255} the
> > +function should be called several times.
> 
> How about rephrasing the last two sentences:
> 
> The argument is masked to a byte value for security reasons, so to
> increment by more than 255 bytes you must call the function multiple times.
> 
> > +@end deftypefn
> > +
> > +The shadow stack unwind code looks like:
> > +
> > +@smallexample
> > +#include 
> > +
> > +/* Unwind the shadow stack for EH.  */
> > +#define _Unwind_Frames_Extra(x)\
> > +  do   \
> > +@{ \
> > +  _Unwind_Word ssp = _get_ssp ();  \
> > +  if (ssp != 0)\
> > +   @{

Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

2018-02-09 Thread Sandra Loosemore


On 02/09/2018 05:50 AM, Tsimbalist, Igor V wrote:

Introduce a couple of new CET intrinsics for reading and updating a shadow stack
pointer (_get_ssp and _inc_ssp), which are more user friendly. They replace the 
existing
_rdssp[d|q] and _incssp[d|q] instrinsics. The _get_ssp intrinsic has more 
deterministic
semantic: it returns a value of the shadow stack pointer if HW is CET capable 
and
0 otherwise.

Ok for trunk?


Just reviewing the documentation part:


diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cb9df97..9f25dd9 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -12461,6 +12461,7 @@ instructions, but allow the compiler to schedule those 
calls.
 * TILEPro Built-in Functions::
 * x86 Built-in Functions::
 * x86 transactional memory intrinsics::
+* x86 control-flow protection intrinsics::
 @end menu
 
 @node AArch64 Built-in Functions

@@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
 unsigned int __builtin_ia32_rdpkru ()
 @end smallexample
 
-The following built-in functions are available when @option{-mcet} is used.

-They are used to support Intel Control-flow Enforcment Technology (CET).
-Each built-in function generates the  machine instruction that is part of the
-function's name.
+The following built-in functions are available when @option{-mcet} or
+@option{-mshstk} option is used.  They support shadow stack
+machine instructions from Intel Control-flow Enforcment Technology (CET).


s/Enforcment/Enforcement/


+Each built-in function generates the  machine instruction that is part
+of the function's name.  These are the internal low level functions.


s/low level/low-level/


+Normally the functions in @ref{x86 control-flow protection intrinsics}
+should be used instead.
+
 @smallexample
-unsigned int __builtin_ia32_rdsspd (unsigned int)
-unsigned long long __builtin_ia32_rdsspq (unsigned long long)
+unsigned int __builtin_ia32_rdsspd (void)
+unsigned long long __builtin_ia32_rdsspq (void)
 void __builtin_ia32_incsspd (unsigned int)
 void __builtin_ia32_incsspq (unsigned long long)
 void __builtin_ia32_saveprevssp(void);
@@ -21885,6 +21890,51 @@ else
 Note that, in most cases, the transactional and non-transactional code
 must synchronize together to ensure consistency.
 
+@node x86 control-flow protection intrinsics

+@subsection x86 Control-Flow Protection Intrinsics
+
+@deftypefn {CET Function} {ret_type} _get_ssp (void)
+The @code{ret_type} is @code{unsigned long long} for x86-64 platform
+and @code{unsigned int} for x86 pltform.


I'd prefer the sentence about the return type be placed after the 
description of what the function does.  And please fix typos:

s/x86-64 platform/64-bit targets/
s/x86 pltform/32-bit targets/


+Get the current value of shadow stack pointer if shadow stack support
+from Intel CET is enabled in the HW or @code{0} otherwise.


s/HW/hardware,/


+@end deftypefn
+
+@deftypefn {CET Function} void _inc_ssp (unsigned int)
+Increment the current shadow stack pointer by the size specified by the
+function argument.  For security reason only unsigned byte value is used
+from the argument.  Therefore for the size greater than @code{255} the
+function should be called several times.


How about rephrasing the last two sentences:

The argument is masked to a byte value for security reasons, so to 
increment by more than 255 bytes you must call the function multiple times.



+@end deftypefn
+
+The shadow stack unwind code looks like:
+
+@smallexample
+#include 
+
+/* Unwind the shadow stack for EH.  */
+#define _Unwind_Frames_Extra(x)\
+  do   \
+@{ \
+  _Unwind_Word ssp = _get_ssp ();  \
+  if (ssp != 0)\
+   @{  \
+ _Unwind_Word tmp = (x);   \
+ while (tmp > 255)  \
+   @{  \
+ _inc_ssp (tmp);   \
+ tmp -= 255;   \
+   @}  \
+ _inc_ssp (tmp);   \
+   @}  \
+@} \
+while (0)
+@end smallexample


Tabs in Texinfo input don't work well.  Please use spaces to format code 
environments.



+
+@noindent
+This code runs unconditionally on all x86-64 processors and all x86
+processors that support multi-byte NOP instructions.


s/x86-64 and all x86/32-bit and 64-bit/


+
 @node Target Format Checks
 @section Format Checks Specific to Particular Target Machines
 


-Sandra

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

6 matches

Site Navigation

Mail list logo

Footer information