Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[Richard Biener]

On Mon, 13 Jul 2020, Matthias Klose wrote:

> On 6/17/20 3:11 PM, Richard Biener wrote:
> > On Wed, 17 Jun 2020, H.J. Lu wrote:
> > 
> >> On Wed, Jun 17, 2020 at 5:33 AM Richard Biener  wrote:
> >>>
> >>> On Wed, 17 Jun 2020, H.J. Lu wrote:
> >>>
>  On Wed, Jun 17, 2020 at 5:00 AM Richard Biener  wrote:
> >
> > On Wed, 17 Jun 2020, H.J. Lu wrote:
> >
> >> On Wed, Jun 17, 2020 at 1:59 AM Richard Biener
> >>  wrote:
> >>>
> >>> On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  
> >>> wrote:
> 
>  PR lto/95604 was seen when checking for binaries without having CET 
>  support in a
>  distro archive, for binaries built with LTO optimization.  The 
>  hardening flag
>  -fcf-protection=full is passed in CFLAGS, and maybe should be passed 
>  in LDFLAGS
>  as well.  However to make it work when not passed to the link step, 
>  it should be
>  extracted from the options found in the lto opts section.
> 
>  Richard suggested two solutions offline.  I checked that both fix 
>  the test case.
>  Which one to install?  Also ok for the 9 and 10 branches?
> >>>
> >>> I guess even though variant two is simpler it doesn't make much sense 
> >>> to
> >>> have differing settings of -fcf-protection between different 
> >>> functions?  HJ?
> >>
> >> -fcf-protection is applied to a file, not a function since CET marker
> >> is per file.
> >>
> >>> So looking at variant one,
> >>>
> >>> @@ -287,6 +287,18 @@
> >>>  foption->orig_option_with_args_text);
> >>>   break;
> >>>
> >>> +   case OPT_fcf_protection_:
> >>> + /* Append or check identical.  */
> >>> + for (j = 0; j < *decoded_options_count; ++j)
> >>> +   if ((*decoded_options)[j].opt_index == foption->opt_index)
> >>> + break;
> >>> + if (j == *decoded_options_count)
> >>> +   append_option (decoded_options, decoded_options_count, 
> >>> foption);
> >>> + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> >>> +   warning (input_location, "option %s with different 
> >>> values",
> >>> +foption->orig_option_with_args_text);
> >>> + break;
> >>>
> >>> you are always streaming a -fcf-protection option so the if (j ==
> >>> *decoded_options_count)
> >>> case shouldn't ever happen but I guess it's safe to leave the code
> >>> as-is.  Can you
> >>> amend the warning with the option that prevails?  Maybe
> >>>
> >>> + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> >>>{
> >>>   static bool noted;
> >>> +   warning (input_location, "option %s with different 
> >>> values",
> >>> +foption->orig_option_with_args_text);
> >>>   if (!noted)
> >>> {
> >>>inform ("%s will be used instead",
> >>> (*decoded_options)[j].orig_option_with_args_text);
> >>>noted = true;
> >>> }
> >>>
> >>> I guess input_location is simply zero so the diagnostic doesn't
> >>> contain the actual file we're
> >>> looking at.  Something to improve I guess (also applyign to other
> >>> diagnostics we emit).
> >>>
> >>> Otherwise looks OK.
> >>>
> >>> Please wait for HJ in case he'd like to go with option two.
> >>>
> >>
> >> I prefer option one.  But what happens if input files are compiled
> >> with different -fcf-protection settings?
> >
> > You get a warning and the first option setting wins (and I requested
> > to inform the user which that is).
> >
> 
>  I think it should be an error and the user should explicitly specify the
>  option with -lfto in the final link command.
> >>>
> >>> But AFAIK ld will not reject linking objects with mismatched settings?
> >>
> >> Linker will silently change CET run-time behavior.
> >>
> >>> Does -fcf-protection have effects "early" (up to IPA)?  That is, is it
> >>> safe to turn it on only post-IPA?
> >>
> >> I think so.  We don't do anything with SHSTK.   For IBT, we just insert an
> >> ENDBR when we output the indirect branch target.
> >>
> >>> So yeah, if the user provided an explicit -fcf-protection option at link
> >>> we honor that (but with the current patch we'd still warn about conflicts
> >>
> >> I don't think we should warn about the explicit -fcf-protection option at 
> >> link
> >> time.
> >>
> >>> between the original TU setting - but not conflicts with the setting
> >>> at link time).  If we want to error on mismatches but allow if at link
> >>> time a setting is specified that needs extra code (it would be the
> >>> first time we have this behavior).
> >>>
> 

Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[Matthias Klose]

On 6/17/20 3:11 PM, Richard Biener wrote:
> On Wed, 17 Jun 2020, H.J. Lu wrote:
> 
>> On Wed, Jun 17, 2020 at 5:33 AM Richard Biener  wrote:
>>>
>>> On Wed, 17 Jun 2020, H.J. Lu wrote:
>>>
 On Wed, Jun 17, 2020 at 5:00 AM Richard Biener  wrote:
>
> On Wed, 17 Jun 2020, H.J. Lu wrote:
>
>> On Wed, Jun 17, 2020 at 1:59 AM Richard Biener
>>  wrote:
>>>
>>> On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  wrote:

 PR lto/95604 was seen when checking for binaries without having CET 
 support in a
 distro archive, for binaries built with LTO optimization.  The 
 hardening flag
 -fcf-protection=full is passed in CFLAGS, and maybe should be passed 
 in LDFLAGS
 as well.  However to make it work when not passed to the link step, it 
 should be
 extracted from the options found in the lto opts section.

 Richard suggested two solutions offline.  I checked that both fix the 
 test case.
 Which one to install?  Also ok for the 9 and 10 branches?
>>>
>>> I guess even though variant two is simpler it doesn't make much sense to
>>> have differing settings of -fcf-protection between different functions? 
>>>  HJ?
>>
>> -fcf-protection is applied to a file, not a function since CET marker
>> is per file.
>>
>>> So looking at variant one,
>>>
>>> @@ -287,6 +287,18 @@
>>>  foption->orig_option_with_args_text);
>>>   break;
>>>
>>> +   case OPT_fcf_protection_:
>>> + /* Append or check identical.  */
>>> + for (j = 0; j < *decoded_options_count; ++j)
>>> +   if ((*decoded_options)[j].opt_index == foption->opt_index)
>>> + break;
>>> + if (j == *decoded_options_count)
>>> +   append_option (decoded_options, decoded_options_count, 
>>> foption);
>>> + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
>>> +   warning (input_location, "option %s with different values",
>>> +foption->orig_option_with_args_text);
>>> + break;
>>>
>>> you are always streaming a -fcf-protection option so the if (j ==
>>> *decoded_options_count)
>>> case shouldn't ever happen but I guess it's safe to leave the code
>>> as-is.  Can you
>>> amend the warning with the option that prevails?  Maybe
>>>
>>> + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
>>>{
>>>   static bool noted;
>>> +   warning (input_location, "option %s with different values",
>>> +foption->orig_option_with_args_text);
>>>   if (!noted)
>>> {
>>>inform ("%s will be used instead",
>>> (*decoded_options)[j].orig_option_with_args_text);
>>>noted = true;
>>> }
>>>
>>> I guess input_location is simply zero so the diagnostic doesn't
>>> contain the actual file we're
>>> looking at.  Something to improve I guess (also applyign to other
>>> diagnostics we emit).
>>>
>>> Otherwise looks OK.
>>>
>>> Please wait for HJ in case he'd like to go with option two.
>>>
>>
>> I prefer option one.  But what happens if input files are compiled
>> with different -fcf-protection settings?
>
> You get a warning and the first option setting wins (and I requested
> to inform the user which that is).
>

 I think it should be an error and the user should explicitly specify the
 option with -lfto in the final link command.
>>>
>>> But AFAIK ld will not reject linking objects with mismatched settings?
>>
>> Linker will silently change CET run-time behavior.
>>
>>> Does -fcf-protection have effects "early" (up to IPA)?  That is, is it
>>> safe to turn it on only post-IPA?
>>
>> I think so.  We don't do anything with SHSTK.   For IBT, we just insert an
>> ENDBR when we output the indirect branch target.
>>
>>> So yeah, if the user provided an explicit -fcf-protection option at link
>>> we honor that (but with the current patch we'd still warn about conflicts
>>
>> I don't think we should warn about the explicit -fcf-protection option at 
>> link
>> time.
>>
>>> between the original TU setting - but not conflicts with the setting
>>> at link time).  If we want to error on mismatches but allow if at link
>>> time a setting is specified that needs extra code (it would be the
>>> first time we have this behavior).
>>>
>>
>> I think we should give an error if there are any mismatches in
>> inputs and let the explicit -fcf-protection option at link time override
>> -fcf-protection options in inputs .
> 
> Note the linker will then still silently change CET run-time behavior
> when there's a non-LTO object involved in the link that has

Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[Richard Biener]

On Wed, 17 Jun 2020, H.J. Lu wrote:

> On Wed, Jun 17, 2020 at 5:33 AM Richard Biener  wrote:
> >
> > On Wed, 17 Jun 2020, H.J. Lu wrote:
> >
> > > On Wed, Jun 17, 2020 at 5:00 AM Richard Biener  wrote:
> > > >
> > > > On Wed, 17 Jun 2020, H.J. Lu wrote:
> > > >
> > > > > On Wed, Jun 17, 2020 at 1:59 AM Richard Biener
> > > > >  wrote:
> > > > > >
> > > > > > On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  
> > > > > > wrote:
> > > > > > >
> > > > > > > PR lto/95604 was seen when checking for binaries without having 
> > > > > > > CET support in a
> > > > > > > distro archive, for binaries built with LTO optimization.  The 
> > > > > > > hardening flag
> > > > > > > -fcf-protection=full is passed in CFLAGS, and maybe should be 
> > > > > > > passed in LDFLAGS
> > > > > > > as well.  However to make it work when not passed to the link 
> > > > > > > step, it should be
> > > > > > > extracted from the options found in the lto opts section.
> > > > > > >
> > > > > > > Richard suggested two solutions offline.  I checked that both fix 
> > > > > > > the test case.
> > > > > > > Which one to install?  Also ok for the 9 and 10 branches?
> > > > > >
> > > > > > I guess even though variant two is simpler it doesn't make much 
> > > > > > sense to
> > > > > > have differing settings of -fcf-protection between different 
> > > > > > functions?  HJ?
> > > > >
> > > > > -fcf-protection is applied to a file, not a function since CET marker
> > > > > is per file.
> > > > >
> > > > > > So looking at variant one,
> > > > > >
> > > > > > @@ -287,6 +287,18 @@
> > > > > >  foption->orig_option_with_args_text);
> > > > > >   break;
> > > > > >
> > > > > > +   case OPT_fcf_protection_:
> > > > > > + /* Append or check identical.  */
> > > > > > + for (j = 0; j < *decoded_options_count; ++j)
> > > > > > +   if ((*decoded_options)[j].opt_index == 
> > > > > > foption->opt_index)
> > > > > > + break;
> > > > > > + if (j == *decoded_options_count)
> > > > > > +   append_option (decoded_options, decoded_options_count, 
> > > > > > foption);
> > > > > > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > > > > > +   warning (input_location, "option %s with different 
> > > > > > values",
> > > > > > +foption->orig_option_with_args_text);
> > > > > > + break;
> > > > > >
> > > > > > you are always streaming a -fcf-protection option so the if (j ==
> > > > > > *decoded_options_count)
> > > > > > case shouldn't ever happen but I guess it's safe to leave the code
> > > > > > as-is.  Can you
> > > > > > amend the warning with the option that prevails?  Maybe
> > > > > >
> > > > > > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > > > > >{
> > > > > >   static bool noted;
> > > > > > +   warning (input_location, "option %s with different 
> > > > > > values",
> > > > > > +foption->orig_option_with_args_text);
> > > > > >   if (!noted)
> > > > > > {
> > > > > >inform ("%s will be used instead",
> > > > > > (*decoded_options)[j].orig_option_with_args_text);
> > > > > >noted = true;
> > > > > > }
> > > > > >
> > > > > > I guess input_location is simply zero so the diagnostic doesn't
> > > > > > contain the actual file we're
> > > > > > looking at.  Something to improve I guess (also applyign to other
> > > > > > diagnostics we emit).
> > > > > >
> > > > > > Otherwise looks OK.
> > > > > >
> > > > > > Please wait for HJ in case he'd like to go with option two.
> > > > > >
> > > > >
> > > > > I prefer option one.  But what happens if input files are compiled
> > > > > with different -fcf-protection settings?
> > > >
> > > > You get a warning and the first option setting wins (and I requested
> > > > to inform the user which that is).
> > > >
> > >
> > > I think it should be an error and the user should explicitly specify the
> > > option with -lfto in the final link command.
> >
> > But AFAIK ld will not reject linking objects with mismatched settings?
> 
> Linker will silently change CET run-time behavior.
> 
> > Does -fcf-protection have effects "early" (up to IPA)?  That is, is it
> > safe to turn it on only post-IPA?
> 
> I think so.  We don't do anything with SHSTK.   For IBT, we just insert an
> ENDBR when we output the indirect branch target.
> 
> > So yeah, if the user provided an explicit -fcf-protection option at link
> > we honor that (but with the current patch we'd still warn about conflicts
> 
> I don't think we should warn about the explicit -fcf-protection option at link
> time.
> 
> > between the original TU setting - but not conflicts with the setting
> > at link time).  If we want to error on mismatches but allow if at link
> > time a setting is specified that needs extra code (it would be the
> > first time we have this 

Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[H.J. Lu via Gcc-patches]

On Wed, Jun 17, 2020 at 5:33 AM Richard Biener  wrote:
>
> On Wed, 17 Jun 2020, H.J. Lu wrote:
>
> > On Wed, Jun 17, 2020 at 5:00 AM Richard Biener  wrote:
> > >
> > > On Wed, 17 Jun 2020, H.J. Lu wrote:
> > >
> > > > On Wed, Jun 17, 2020 at 1:59 AM Richard Biener
> > > >  wrote:
> > > > >
> > > > > On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  
> > > > > wrote:
> > > > > >
> > > > > > PR lto/95604 was seen when checking for binaries without having CET 
> > > > > > support in a
> > > > > > distro archive, for binaries built with LTO optimization.  The 
> > > > > > hardening flag
> > > > > > -fcf-protection=full is passed in CFLAGS, and maybe should be 
> > > > > > passed in LDFLAGS
> > > > > > as well.  However to make it work when not passed to the link step, 
> > > > > > it should be
> > > > > > extracted from the options found in the lto opts section.
> > > > > >
> > > > > > Richard suggested two solutions offline.  I checked that both fix 
> > > > > > the test case.
> > > > > > Which one to install?  Also ok for the 9 and 10 branches?
> > > > >
> > > > > I guess even though variant two is simpler it doesn't make much sense 
> > > > > to
> > > > > have differing settings of -fcf-protection between different 
> > > > > functions?  HJ?
> > > >
> > > > -fcf-protection is applied to a file, not a function since CET marker
> > > > is per file.
> > > >
> > > > > So looking at variant one,
> > > > >
> > > > > @@ -287,6 +287,18 @@
> > > > >  foption->orig_option_with_args_text);
> > > > >   break;
> > > > >
> > > > > +   case OPT_fcf_protection_:
> > > > > + /* Append or check identical.  */
> > > > > + for (j = 0; j < *decoded_options_count; ++j)
> > > > > +   if ((*decoded_options)[j].opt_index == foption->opt_index)
> > > > > + break;
> > > > > + if (j == *decoded_options_count)
> > > > > +   append_option (decoded_options, decoded_options_count, 
> > > > > foption);
> > > > > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > > > > +   warning (input_location, "option %s with different 
> > > > > values",
> > > > > +foption->orig_option_with_args_text);
> > > > > + break;
> > > > >
> > > > > you are always streaming a -fcf-protection option so the if (j ==
> > > > > *decoded_options_count)
> > > > > case shouldn't ever happen but I guess it's safe to leave the code
> > > > > as-is.  Can you
> > > > > amend the warning with the option that prevails?  Maybe
> > > > >
> > > > > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > > > >{
> > > > >   static bool noted;
> > > > > +   warning (input_location, "option %s with different 
> > > > > values",
> > > > > +foption->orig_option_with_args_text);
> > > > >   if (!noted)
> > > > > {
> > > > >inform ("%s will be used instead",
> > > > > (*decoded_options)[j].orig_option_with_args_text);
> > > > >noted = true;
> > > > > }
> > > > >
> > > > > I guess input_location is simply zero so the diagnostic doesn't
> > > > > contain the actual file we're
> > > > > looking at.  Something to improve I guess (also applyign to other
> > > > > diagnostics we emit).
> > > > >
> > > > > Otherwise looks OK.
> > > > >
> > > > > Please wait for HJ in case he'd like to go with option two.
> > > > >
> > > >
> > > > I prefer option one.  But what happens if input files are compiled
> > > > with different -fcf-protection settings?
> > >
> > > You get a warning and the first option setting wins (and I requested
> > > to inform the user which that is).
> > >
> >
> > I think it should be an error and the user should explicitly specify the
> > option with -lfto in the final link command.
>
> But AFAIK ld will not reject linking objects with mismatched settings?

Linker will silently change CET run-time behavior.

> Does -fcf-protection have effects "early" (up to IPA)?  That is, is it
> safe to turn it on only post-IPA?

I think so.  We don't do anything with SHSTK.   For IBT, we just insert an
ENDBR when we output the indirect branch target.

> So yeah, if the user provided an explicit -fcf-protection option at link
> we honor that (but with the current patch we'd still warn about conflicts

I don't think we should warn about the explicit -fcf-protection option at link
time.

> between the original TU setting - but not conflicts with the setting
> at link time).  If we want to error on mismatches but allow if at link
> time a setting is specified that needs extra code (it would be the
> first time we have this behavior).
>

I think we should give an error if there are any mismatches in
inputs and let the explicit -fcf-protection option at link time override
-fcf-protection options in inputs .

-- 
H.J.

Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[Richard Biener]

On Wed, 17 Jun 2020, H.J. Lu wrote:

> On Wed, Jun 17, 2020 at 5:00 AM Richard Biener  wrote:
> >
> > On Wed, 17 Jun 2020, H.J. Lu wrote:
> >
> > > On Wed, Jun 17, 2020 at 1:59 AM Richard Biener
> > >  wrote:
> > > >
> > > > On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  wrote:
> > > > >
> > > > > PR lto/95604 was seen when checking for binaries without having CET 
> > > > > support in a
> > > > > distro archive, for binaries built with LTO optimization.  The 
> > > > > hardening flag
> > > > > -fcf-protection=full is passed in CFLAGS, and maybe should be passed 
> > > > > in LDFLAGS
> > > > > as well.  However to make it work when not passed to the link step, 
> > > > > it should be
> > > > > extracted from the options found in the lto opts section.
> > > > >
> > > > > Richard suggested two solutions offline.  I checked that both fix the 
> > > > > test case.
> > > > > Which one to install?  Also ok for the 9 and 10 branches?
> > > >
> > > > I guess even though variant two is simpler it doesn't make much sense to
> > > > have differing settings of -fcf-protection between different functions? 
> > > >  HJ?
> > >
> > > -fcf-protection is applied to a file, not a function since CET marker
> > > is per file.
> > >
> > > > So looking at variant one,
> > > >
> > > > @@ -287,6 +287,18 @@
> > > >  foption->orig_option_with_args_text);
> > > >   break;
> > > >
> > > > +   case OPT_fcf_protection_:
> > > > + /* Append or check identical.  */
> > > > + for (j = 0; j < *decoded_options_count; ++j)
> > > > +   if ((*decoded_options)[j].opt_index == foption->opt_index)
> > > > + break;
> > > > + if (j == *decoded_options_count)
> > > > +   append_option (decoded_options, decoded_options_count, 
> > > > foption);
> > > > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > > > +   warning (input_location, "option %s with different values",
> > > > +foption->orig_option_with_args_text);
> > > > + break;
> > > >
> > > > you are always streaming a -fcf-protection option so the if (j ==
> > > > *decoded_options_count)
> > > > case shouldn't ever happen but I guess it's safe to leave the code
> > > > as-is.  Can you
> > > > amend the warning with the option that prevails?  Maybe
> > > >
> > > > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > > >{
> > > >   static bool noted;
> > > > +   warning (input_location, "option %s with different values",
> > > > +foption->orig_option_with_args_text);
> > > >   if (!noted)
> > > > {
> > > >inform ("%s will be used instead",
> > > > (*decoded_options)[j].orig_option_with_args_text);
> > > >noted = true;
> > > > }
> > > >
> > > > I guess input_location is simply zero so the diagnostic doesn't
> > > > contain the actual file we're
> > > > looking at.  Something to improve I guess (also applyign to other
> > > > diagnostics we emit).
> > > >
> > > > Otherwise looks OK.
> > > >
> > > > Please wait for HJ in case he'd like to go with option two.
> > > >
> > >
> > > I prefer option one.  But what happens if input files are compiled
> > > with different -fcf-protection settings?
> >
> > You get a warning and the first option setting wins (and I requested
> > to inform the user which that is).
> >
> 
> I think it should be an error and the user should explicitly specify the
> option with -lfto in the final link command.

But AFAIK ld will not reject linking objects with mismatched settings?

Does -fcf-protection have effects "early" (up to IPA)?  That is, is it
safe to turn it on only post-IPA?

So yeah, if the user provided an explicit -fcf-protection option at link
we honor that (but with the current patch we'd still warn about conflicts
between the original TU setting - but not conflicts with the setting
at link time).  If we want to error on mismatches but allow if at link
time a setting is specified that needs extra code (it would be the
first time we have this behavior).

Richard.

Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[H.J. Lu via Gcc-patches]

On Wed, Jun 17, 2020 at 5:00 AM Richard Biener  wrote:
>
> On Wed, 17 Jun 2020, H.J. Lu wrote:
>
> > On Wed, Jun 17, 2020 at 1:59 AM Richard Biener
> >  wrote:
> > >
> > > On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  wrote:
> > > >
> > > > PR lto/95604 was seen when checking for binaries without having CET 
> > > > support in a
> > > > distro archive, for binaries built with LTO optimization.  The 
> > > > hardening flag
> > > > -fcf-protection=full is passed in CFLAGS, and maybe should be passed in 
> > > > LDFLAGS
> > > > as well.  However to make it work when not passed to the link step, it 
> > > > should be
> > > > extracted from the options found in the lto opts section.
> > > >
> > > > Richard suggested two solutions offline.  I checked that both fix the 
> > > > test case.
> > > > Which one to install?  Also ok for the 9 and 10 branches?
> > >
> > > I guess even though variant two is simpler it doesn't make much sense to
> > > have differing settings of -fcf-protection between different functions?  
> > > HJ?
> >
> > -fcf-protection is applied to a file, not a function since CET marker
> > is per file.
> >
> > > So looking at variant one,
> > >
> > > @@ -287,6 +287,18 @@
> > >  foption->orig_option_with_args_text);
> > >   break;
> > >
> > > +   case OPT_fcf_protection_:
> > > + /* Append or check identical.  */
> > > + for (j = 0; j < *decoded_options_count; ++j)
> > > +   if ((*decoded_options)[j].opt_index == foption->opt_index)
> > > + break;
> > > + if (j == *decoded_options_count)
> > > +   append_option (decoded_options, decoded_options_count, 
> > > foption);
> > > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > > +   warning (input_location, "option %s with different values",
> > > +foption->orig_option_with_args_text);
> > > + break;
> > >
> > > you are always streaming a -fcf-protection option so the if (j ==
> > > *decoded_options_count)
> > > case shouldn't ever happen but I guess it's safe to leave the code
> > > as-is.  Can you
> > > amend the warning with the option that prevails?  Maybe
> > >
> > > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > >{
> > >   static bool noted;
> > > +   warning (input_location, "option %s with different values",
> > > +foption->orig_option_with_args_text);
> > >   if (!noted)
> > > {
> > >inform ("%s will be used instead",
> > > (*decoded_options)[j].orig_option_with_args_text);
> > >noted = true;
> > > }
> > >
> > > I guess input_location is simply zero so the diagnostic doesn't
> > > contain the actual file we're
> > > looking at.  Something to improve I guess (also applyign to other
> > > diagnostics we emit).
> > >
> > > Otherwise looks OK.
> > >
> > > Please wait for HJ in case he'd like to go with option two.
> > >
> >
> > I prefer option one.  But what happens if input files are compiled
> > with different -fcf-protection settings?
>
> You get a warning and the first option setting wins (and I requested
> to inform the user which that is).
>

I think it should be an error and the user should explicitly specify the
option with -lfto in the final link command.

-- 
H.J.

Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[Richard Biener]

On Wed, 17 Jun 2020, H.J. Lu wrote:

> On Wed, Jun 17, 2020 at 1:59 AM Richard Biener
>  wrote:
> >
> > On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  wrote:
> > >
> > > PR lto/95604 was seen when checking for binaries without having CET 
> > > support in a
> > > distro archive, for binaries built with LTO optimization.  The hardening 
> > > flag
> > > -fcf-protection=full is passed in CFLAGS, and maybe should be passed in 
> > > LDFLAGS
> > > as well.  However to make it work when not passed to the link step, it 
> > > should be
> > > extracted from the options found in the lto opts section.
> > >
> > > Richard suggested two solutions offline.  I checked that both fix the 
> > > test case.
> > > Which one to install?  Also ok for the 9 and 10 branches?
> >
> > I guess even though variant two is simpler it doesn't make much sense to
> > have differing settings of -fcf-protection between different functions?  HJ?
> 
> -fcf-protection is applied to a file, not a function since CET marker
> is per file.
> 
> > So looking at variant one,
> >
> > @@ -287,6 +287,18 @@
> >  foption->orig_option_with_args_text);
> >   break;
> >
> > +   case OPT_fcf_protection_:
> > + /* Append or check identical.  */
> > + for (j = 0; j < *decoded_options_count; ++j)
> > +   if ((*decoded_options)[j].opt_index == foption->opt_index)
> > + break;
> > + if (j == *decoded_options_count)
> > +   append_option (decoded_options, decoded_options_count, foption);
> > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> > +   warning (input_location, "option %s with different values",
> > +foption->orig_option_with_args_text);
> > + break;
> >
> > you are always streaming a -fcf-protection option so the if (j ==
> > *decoded_options_count)
> > case shouldn't ever happen but I guess it's safe to leave the code
> > as-is.  Can you
> > amend the warning with the option that prevails?  Maybe
> >
> > + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> >{
> >   static bool noted;
> > +   warning (input_location, "option %s with different values",
> > +foption->orig_option_with_args_text);
> >   if (!noted)
> > {
> >inform ("%s will be used instead",
> > (*decoded_options)[j].orig_option_with_args_text);
> >noted = true;
> > }
> >
> > I guess input_location is simply zero so the diagnostic doesn't
> > contain the actual file we're
> > looking at.  Something to improve I guess (also applyign to other
> > diagnostics we emit).
> >
> > Otherwise looks OK.
> >
> > Please wait for HJ in case he'd like to go with option two.
> >
> 
> I prefer option one.  But what happens if input files are compiled
> with different -fcf-protection settings?

You get a warning and the first option setting wins (and I requested
to inform the user which that is).

Richard.

Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[H.J. Lu via Gcc-patches]

On Wed, Jun 17, 2020 at 1:59 AM Richard Biener
 wrote:
>
> On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  wrote:
> >
> > PR lto/95604 was seen when checking for binaries without having CET support 
> > in a
> > distro archive, for binaries built with LTO optimization.  The hardening 
> > flag
> > -fcf-protection=full is passed in CFLAGS, and maybe should be passed in 
> > LDFLAGS
> > as well.  However to make it work when not passed to the link step, it 
> > should be
> > extracted from the options found in the lto opts section.
> >
> > Richard suggested two solutions offline.  I checked that both fix the test 
> > case.
> > Which one to install?  Also ok for the 9 and 10 branches?
>
> I guess even though variant two is simpler it doesn't make much sense to
> have differing settings of -fcf-protection between different functions?  HJ?

-fcf-protection is applied to a file, not a function since CET marker
is per file.

> So looking at variant one,
>
> @@ -287,6 +287,18 @@
>  foption->orig_option_with_args_text);
>   break;
>
> +   case OPT_fcf_protection_:
> + /* Append or check identical.  */
> + for (j = 0; j < *decoded_options_count; ++j)
> +   if ((*decoded_options)[j].opt_index == foption->opt_index)
> + break;
> + if (j == *decoded_options_count)
> +   append_option (decoded_options, decoded_options_count, foption);
> + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
> +   warning (input_location, "option %s with different values",
> +foption->orig_option_with_args_text);
> + break;
>
> you are always streaming a -fcf-protection option so the if (j ==
> *decoded_options_count)
> case shouldn't ever happen but I guess it's safe to leave the code
> as-is.  Can you
> amend the warning with the option that prevails?  Maybe
>
> + else if (strcmp ((*decoded_options)[j].arg, foption->arg))
>{
>   static bool noted;
> +   warning (input_location, "option %s with different values",
> +foption->orig_option_with_args_text);
>   if (!noted)
> {
>inform ("%s will be used instead",
> (*decoded_options)[j].orig_option_with_args_text);
>noted = true;
> }
>
> I guess input_location is simply zero so the diagnostic doesn't
> contain the actual file we're
> looking at.  Something to improve I guess (also applyign to other
> diagnostics we emit).
>
> Otherwise looks OK.
>
> Please wait for HJ in case he'd like to go with option two.
>

I prefer option one.  But what happens if input files are compiled
with different -fcf-protection settings?

-- 
H.J.

Re: [patch] fix PR lto/95604, -flto and -fcf-protection

[Richard Biener via Gcc-patches]

On Mon, Jun 15, 2020 at 5:30 PM Matthias Klose  wrote:
>
> PR lto/95604 was seen when checking for binaries without having CET support 
> in a
> distro archive, for binaries built with LTO optimization.  The hardening flag
> -fcf-protection=full is passed in CFLAGS, and maybe should be passed in 
> LDFLAGS
> as well.  However to make it work when not passed to the link step, it should 
> be
> extracted from the options found in the lto opts section.
>
> Richard suggested two solutions offline.  I checked that both fix the test 
> case.
> Which one to install?  Also ok for the 9 and 10 branches?

I guess even though variant two is simpler it doesn't make much sense to
have differing settings of -fcf-protection between different functions?  HJ?

So looking at variant one,

@@ -287,6 +287,18 @@
 foption->orig_option_with_args_text);
  break;

+   case OPT_fcf_protection_:
+ /* Append or check identical.  */
+ for (j = 0; j < *decoded_options_count; ++j)
+   if ((*decoded_options)[j].opt_index == foption->opt_index)
+ break;
+ if (j == *decoded_options_count)
+   append_option (decoded_options, decoded_options_count, foption);
+ else if (strcmp ((*decoded_options)[j].arg, foption->arg))
+   warning (input_location, "option %s with different values",
+foption->orig_option_with_args_text);
+ break;

you are always streaming a -fcf-protection option so the if (j ==
*decoded_options_count)
case shouldn't ever happen but I guess it's safe to leave the code
as-is.  Can you
amend the warning with the option that prevails?  Maybe

+ else if (strcmp ((*decoded_options)[j].arg, foption->arg))
   {
  static bool noted;
+   warning (input_location, "option %s with different values",
+foption->orig_option_with_args_text);
  if (!noted)
{
   inform ("%s will be used instead",
(*decoded_options)[j].orig_option_with_args_text);
   noted = true;
}

I guess input_location is simply zero so the diagnostic doesn't
contain the actual file we're
looking at.  Something to improve I guess (also applyign to other
diagnostics we emit).

Otherwise looks OK.

Please wait for HJ in case he'd like to go with option two.

Thanks,
Richard.

> Thanks, Matthias
>
>

[patch] fix PR lto/95604, -flto and -fcf-protection

[Matthias Klose]

PR lto/95604 was seen when checking for binaries without having CET support in a
distro archive, for binaries built with LTO optimization.  The hardening flag
-fcf-protection=full is passed in CFLAGS, and maybe should be passed in LDFLAGS
as well.  However to make it work when not passed to the link step, it should be
extracted from the options found in the lto opts section.

Richard suggested two solutions offline.  I checked that both fix the test case.
Which one to install?  Also ok for the 9 and 10 branches?

Thanks, Matthias



	PR lto/95604
	* lto-wrapper.c (merge_and_complain): Warn about different
	values for -fcf-protection.
	(append_compiler_options): Pass -fcf-protection option.
	* lto-opts.c (lto_write_options): Pass -fcf-protection option.

--- a/src/gcc/lto-opts.c
+++ b/src/gcc/lto-opts.c
@@ -94,6 +94,21 @@ lto_write_options (void)
   : "-fno-pie");
 }
 
+  if (!global_options_set.x_flag_cf_protection)
+{
+  append_to_collect_gcc_options (
+_obstack, _p,
+	global_options.x_flag_cf_protection == CF_NONE
+	? "-fcf-protection=none"
+	: global_options.x_flag_cf_protection == CF_FULL
+	? "-fcf-protection=full"
+	: global_options.x_flag_cf_protection == CF_BRANCH
+	? "-fcf-protection=branch"
+	: global_options.x_flag_cf_protection == CF_RETURN
+	? "-fcf-protection=RETURN"
+	: "");
+}
+
   /* If debug info is enabled append -g.  */
   if (debug_info_level > DINFO_LEVEL_NONE)
 append_to_collect_gcc_options (_obstack, _p, "-g");
--- a/src/gcc/lto-wrapper.c
+++ b/src/gcc/lto-wrapper.c
@@ -287,6 +287,18 @@
 			 foption->orig_option_with_args_text);
 	  break;
 
+	case OPT_fcf_protection_:
+	  /* Append or check identical.  */
+	  for (j = 0; j < *decoded_options_count; ++j)
+	if ((*decoded_options)[j].opt_index == foption->opt_index)
+	  break;
+	  if (j == *decoded_options_count)
+	append_option (decoded_options, decoded_options_count, foption);
+	  else if (strcmp ((*decoded_options)[j].arg, foption->arg))
+	warning (input_location, "option %s with different values",
+		 foption->orig_option_with_args_text);
+	  break;
+
 	case OPT_O:
 	case OPT_Ofast:
 	case OPT_Og:
@@ -645,6 +677,7 @@
 	case OPT_fopenacc:
 	case OPT_fopenacc_dim_:
 	case OPT_foffload_abi_:
+	case OPT_fcf_protection_:
 	case OPT_g:
 	case OPT_O:
 	case OPT_Ofast:
	* common.opt (fcf-protection, fcf-protection=): Mark as optimization.

--- a/src/gcc/common.opt
+++ b/src/gcc/common.opt
@@ -1739,10 +1739,10 @@
 Inline __atomic operations when a lock free instruction sequence is available.
 
 fcf-protection
-Common RejectNegative Alias(fcf-protection=,full)
+Common Optimization RejectNegative Alias(fcf-protection=,full)
 
 fcf-protection=
-Common Report Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_NONE)
+Common Optimization Report Joined RejectNegative Enum(cf_protection_level) Var(flag_cf_protection) Init(CF_NONE)
 -fcf-protection=[full|branch|return|none]	Instrument functions with checks to verify jump/call/return control-flow transfer
 instructions have valid targets.