This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
- From: Jeff Law <law at redhat dot com>
- To: "Tsimbalist, Igor V" <igor dot v dot tsimbalist at intel dot com>, "'gcc-patches at gcc dot gnu dot org'" <gcc-patches at gcc dot gnu dot org>
- Date: Fri, 25 Aug 2017 14:58:44 -0600
- Subject: Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute
- References: <D511F25789BA7F4EBA64C8A63891A0027AA04032@IRSMSX102.ger.corp.intel.com>
On 08/01/2017 02:56 AM, Tsimbalist, Igor V wrote:
> Part#2. Document -finstrument-control-flow and notrack attribute.
>
>
> 0002-Part-2.-Document-finstrument-control-flow-and-notrac.patch
>
>
> From c3e45c80731672e74d638f787e80ba975279b9b9 Mon Sep 17 00:00:00 2001
> From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
> Date: Mon, 3 Jul 2017 17:12:49 +0300
> Subject: [PATCH 2/9] Part#2. Document -finstrument-control-flow and notrack
> attribute.
>
> gcc/
> * doc/extend.texi: Add 'notrack' documentation.
> * doc/invoke.texi: Add -finstrument-control-flow documentation.
> * doc/rtl.texi: Add REG_CALL_NOTRACK documentation.
> ---
> gcc/doc/extend.texi | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> gcc/doc/invoke.texi | 22 ++++++++++++++++++++++
> gcc/doc/rtl.texi | 15 +++++++++++++++
> 3 files changed, 89 insertions(+)
>
> diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
> index 6934b4c..80de8a7 100644
> --- a/gcc/doc/extend.texi
> +++ b/gcc/doc/extend.texi
> @@ -5632,6 +5632,58 @@ Specify which floating-point unit to use. You must specify the
> @code{target("fpmath=sse,387")} option as
> @code{target("fpmath=sse+387")} because the comma would separate
> different options.
> +
> +@item notrack
> +@cindex @code{notrack} function attribute
> +The @code{notrack} attribute on a function is used to inform the
> +compiler that the function's prolog should not be instrumented when
> +compiled with the @option{-finstrument-control-flow} option. The
> +compiler assumes that the function's address is a valid target for a
> +control-flow transfer.
Is the default to instrument everything when -finstrument-control-flow
is enabled? Or can we avoid instrumentation on a function that never
has its address taken (i.e., it is only called via a call instruction)?
> +
> +The @code{notrack} attribute on a type of pointer to function is
> +used to inform the compiler that a call through the pointer should
> +not be instrumented when compiled with the
> +@option{-finstrument-control-flow} option. The compiler assumes
> +that the function's address from the pointer is a valid target for
> +a control-flow transfer. A direct function call through a function
> +name is assumed as a save call thus direct calls will not be
> +instrumented by the compiler.
s/save/safe/
FWIW, I think putting the attribute into the type system is a good
thing :-)
> +
> +The @code{notrack} attribute is applied to an object's type. A
> +The @code{notrack} attribute is transfered to a call instruction at
> +the GIMPLE and RTL translation phases. The attribute is not propagated
> +through assignment, store and load.
> +
> +@smallexample
> +@{
> +void (*foo)(void) __attribute__(notrack);
> +void (*foo1)(void) __attribute__(notrack);
> +void (*foo2)(void);
> +
> +int
> +foo (void) /* The function's address is not tracked. */
> +
> + /* This call site is not tracked for
> + control-flow instrumentation. */
> + (*foo1)();
> + foo1 = foo2;
> + /* This call site is still not tracked for
> + control-flow instrumentation. */
> + (*foo1)();
> +
> + /* This call site is tracked for
> + control-flow instrumentation. */
> + (*foo2)();
> + foo2 = foo1;
> + /* This call site is still tracked for
> + control-flow instrumentation. */
> + (*foo2)();
> +
> + return 0;
> +@}
> +@end smallexample
Given the notrack attribute is part of the type system, could we issue a
warning on the foo1 = foo2 assignment since we're discarding tracking
that's implicit on foo2?
> +
> @end table
>
> On the x86, the inliner does not inline a
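Review bot: the @smallexample block in this hunk does not compile as written and contradicts the prose next to it. The first declaration, `void (*foo)(void) __attribute__(notrack);`, makes `foo` a function pointer, but `int foo (void)` a few lines later defines a function of the same name; GCC's attribute syntax also needs double parentheses, so the declarations should read `void (*foo1)(void) __attribute__((notrack));`; and the function body never opens a brace after `int foo (void)` because the `@{` sits above the declarations. Suggest renaming either the pointer or the function and moving the brace. In the same hunk, the line `The @code{notrack} attribute is applied to an object's type. A` ends in a dangling `A`, the next line then restarts the sentence with `The @code{notrack} attribute is transfered`, and `transfered` should be `transferred`. It would also help to state what happens when the attribute is placed on a type that is neither a function nor a pointer to function (ignored, warned about?), since the text only covers those two cases.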
> diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
> index 5ae9dc4..ff2ce92 100644
> --- a/gcc/doc/invoke.texi
> +++ b/gcc/doc/invoke.texi
> @@ -459,6 +459,7 @@ Objective-C and Objective-C++ Dialects}.
> -fchkp-check-read -fchkp-check-write -fchkp-store-bounds @gol
> -fchkp-instrument-calls -fchkp-instrument-marked-only @gol
> -fchkp-use-wrappers -fchkp-flexible-struct-trailing-arrays@gol
> +-finstrument-control-flow @gol
> -fstack-protector -fstack-protector-all -fstack-protector-strong @gol
> -fstack-protector-explicit -fstack-check @gol
> -fstack-limit-register=@var{reg} -fstack-limit-symbol=@var{sym} @gol
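Review bot: the new summary entry is fine as placed; the only nit in this hunk is the unchanged context line `-fchkp-use-wrappers -fchkp-flexible-struct-trailing-arrays@gol`, which is missing the space before `@gol` that every neighbouring line has, and could be fixed while touching this list.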
> @@ -11284,6 +11285,27 @@ is used to link a program, the GCC driver automatically links
> against @file{libmpxwrappers}. See also @option{-static-libmpxwrappers}.
> Enabled by default.
>
> +@item -finstrument-control-flow
> +@opindex finstrument-control-flow
> +@opindex fno-instrument-control-flow
> +Enable code instrumentation of control-flow transfers to increase
> +a program security by checking a target address of control-flow
> +transfer instructions (i.e. routine call, routine return, jump)
> +are valid targets. This prevents diverting the control flow
> +instructions from its original target address to a new undesigned
> +target. This is intended to protect against such theats as
> +Return-oriented Programming (ROP), and similarly call/jmp-oriented
> +programming (COP/JOP).
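Review bot: the option description indexes `fno-instrument-control-flow` via `@opindex` but never documents that form or the default; please add a sentence saying whether the option is off by default and that `-fno-instrument-control-flow` turns it off, following the `Enabled by default.` pattern of the -fchkp entry immediately above. The text also needs a grammar pass: `to increase a program security by checking a target address of control-flow transfer instructions ... are valid targets` should read `to increase program security by checking that the target addresses of control-flow transfer instructions ... are valid`, `from its original target address to a new undesigned target` should be `from their original target addresses to unintended targets`, and `theats` should be `threats`.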
"function call, function return, indirect jump" rather than "routine
call, routine return, jump"?
Jeff