This is the mail archive of the
gcc-patches@gcc.gnu.org
mailing list for the GCC project.
Re: [PATCH][RFA/RFC] Stack clash mitigation patch 06/08 - V3
- From: Jeff Law <law at redhat dot com>
- To: Segher Boessenkool <segher at kernel dot crashing dot org>
- Cc: gcc-patches <gcc-patches at gcc dot gnu dot org>
- Date: Sat, 2 Sep 2017 00:31:16 -0600
- Subject: Re: [PATCH][RFA/RFC] Stack clash mitigation patch 06/08 - V3
- Authentication-results: sourceware.org; auth=none
- Authentication-results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
- Authentication-results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=law at redhat dot com
- Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com B4AC95F7A9
- References: <3adc6200-e13d-632c-724d-b8cb3d1b1475@redhat.com> <20170829231421.GP13471@gate.crashing.org>
On 08/29/2017 05:14 PM, Segher Boessenkool wrote:
> Hi Jeff,
>
> Sorry for the delay in reviewing this. It mostly looks good :-)
Thanks. No worries about the delay. Your input definitely helped move
the target independent stuff to a better place. And frankly I
wanted/needed some time away from this stuff.
>
> On Sun, Jul 30, 2017 at 11:45:16PM -0600, Jeff Law wrote:
>>
>> This contains the PPC bits for stack clash protection.
>>
>> Changes since V2:
>>
>> Exploits inlined/unrolled probes and rotated loops for the dynamic area.
>> Some trivial simplifications. It also uses the new params to control
>> if probes are needed and how often to probe.
>
>
>> * config/rs6000/rs6000-protos.h (output_probe_stack_range): Update
>> prototype for new argument.
>> * config/rs6000/rs6000.c (wrap_frame_mem): New function extracted
>> from rs6000_emit_allocate_stack.
>> (handle_residual): New function.
>
> Trailing space.
Fixed, along with the other ChangeLog nits you pointed out.
>
>
>> +/* INSN allocates SIZE bytes on the stack (STACK_REG) using a store
>> + with update style insn.
>> +
>> + Set INSN's alias set/attributes and add suitable flags and notes
>> + for the dwarf CFI machinery. */
>> +static void
>> +wrap_frame_mem (rtx insn, rtx stack_reg, HOST_WIDE_INT size)
>
> This isn't such a great name... Something with "frame allocate"? And
> the "wrap" part is meaningless... "set_attrs_for_frame_allocation"?
> Or maybe "stack allocation" is better.
The name is terrible. I shouldn't have let that get through. I think
set attrs_for_stack_allocation is better given the current behavior of
the function, but as you note some further refinement would probably
help here and would result in a different name.
>
> Actually, everywhere it is used it has a Pmode == SImode wart before
> it, to emit the right update_stack insn... So fold that into this
> function, name it rs6000_emit_allocate_stack_1?
Agreed. That seems like a nice cleanup. Look at the call from
rs6000_emit_allocate_stack. Instead of a Pmode == SImode, it tests
TARGET_32BIT instead. But I think that one is still safe to convert
based on how we set Pmode in rs6000_option_override_internal.
>
>> +/* Allocate ROUNDED_SIZE - ORIG_SIZE bytes on the stack, storing
>> + ORIG_SP into *sp after the allocation.
>
> This is a bit misleading: it has to store it at the _same time_ as doing
> any change to r1. Or, more precisely, it has to ensure r1 points at a
> valid stack backchain at all times. Since the red zone is pretty small
> (if it exists at all, it doesn't on all ABIs) you need atomic store-with-
> update in most cases.
Yea, I was imprecise in my language.
>
>> +static rtx_insn *
>> +handle_residual (HOST_WIDE_INT orig_size,
>> + HOST_WIDE_INT rounded_size,
>> + rtx orig_sp)
>
> Not a great name either. Since this is only used once, and it is hard
> to make a good name for it, and it is only a handful of statements, just
> inline it?
It was originally used multiple times, but refactoring resulted in a
single use. I'll just inline it -- it's trivial after we revamp
wrap_frame_mem.
>
>> +/* Allocate ORIG_SIZE bytes on the stack and probe the newly
>> + allocated space every STACK_CLASH_PROTECTION_PROBE_INTERVAL bytes.
>> +
>> + COPY_REG, if non-null, should contain a copy of the original
>> + stack pointer modified by COPY_OFF at exit from this function.
>> +
>> + This is subtly different than the Ada probing in that it tries hard to
>> + prevent attacks that jump the stack guard. Thus it is never allowed to
>> + allocate more than STACK_CLASH_PROTECTION_PROBE_INTERVAL bytes of stack
>> + space without a suitable probe. */
>
> Please handle the COPY_OFF part in the (single) caller of this, that
> will simplify things a little I think?
Sure. I thought I had it that way at one point.
>
> You don't describe what the return value here is (but neither does
> rs6000_emit_allocate_stack); it is the single instruction that actually
> changes the stack pointer? For the split stack support? (Does the stack
> clash code actually work with split stack, has that been tested?)
As far as I was able to ascertain (and essentially duplicate) we return
the insn that allocates the stack, but only if the allocation was
handled a single insn. Otherwise we return NULL.
But that was determined largely by guesswork. It interacts with split
stack support, but I'm not entirely what it's meant to do. If you have
insights here, I'll happily add comments to the routines -- when I was
poking at this stuff I was rather distressed to not have any real
guidance on what the return value should be.
I have not tested stack clash and split stacks. ISTM they ought to be
able to work together, but I haven't though real deep about it.
>
> Maybe we should keep track of that sp_adjust insn in a global, or in
> machine_function, or even in the stack info struct.
Maybe. It's certainly not obvious to me what is does and how it does
it. THe physical distance between where it gets set and modified and
its use point doesn't help.
>
>> +static rtx_insn *
>> +rs6000_emit_probe_stack_range_stack_clash (HOST_WIDE_INT orig_size,
>> + rtx copy_reg, int copy_off)
>> +{
>> + rtx orig_sp = copy_reg;
>> +
>> + HOST_WIDE_INT probe_interval
>> + = PARAM_VALUE (PARAM_STACK_CLASH_PROTECTION_PROBE_INTERVAL);
>> +
>> + /* Round the size down to a multiple of PROBE_INTERVAL. */
>> + HOST_WIDE_INT rounded_size = orig_size & -probe_interval;
>
> Use ROUND_DOWN?
Yea. The tree where this was originally developed didn't have
ROUND_DOWN, so it was open-coded. Fixed.
>
>> +
>> + /* If explicitly requested,
>> + or the rounded size is not the same as the original size
>> + or the the rounded size is greater than a page,
>> + then we will need a copy of the original stack pointer. */
>> + if (rounded_size != orig_size
>> + || rounded_size > probe_interval
>> + || copy_reg)
>> + {
>> + /* If the caller requested a copy of the incoming stack pointer,
>> + then ORIG_SP == COPY_REG and will not be NULL.
>> +
>> + If no copy was requested, then we use r0 to hold the copy. */
>> + if (orig_sp == NULL_RTX)
>> + orig_sp = gen_rtx_REG (Pmode, 0);
>> + emit_move_insn (orig_sp, stack_pointer_rtx);
>> + }
>
> I'm not sure r0 is always free to use here, it's not obvious. You can't
> use the START_USE etc. macros to check, those only work inside
> rs6000_emit_prologue. I'll figure something out.
Should I just leave it as-is until you have a suggestion for the right
way to find a temporary at this point?
>
>> +
>> + /* There's three cases here.
>> +
>> + One is a single probe which is the most common and most efficiently
>> + implemented as it does not have to have a copy of the original
>> + stack pointer if there are no residuals.
>> +
>> + Second is unrolled allocation/probes which we use if there's just
>> + a few of them. It needs to save the original stack pointer into a
>> + temporary for use as a source register in the allocation/probe.
>> +
>> + Last is a loop. This is the most uncommon case and least efficient. */
>
> The way more common case is no probes at all, but that is handled in the
> caller; maybe move it to this function instead?
The comment is correct for what's handled by that code. As you note the
most common case is no probing needed and in those cases we never call
rs6000_emit_probe_stack_range_stack_clash.
The code was written that way so that the common case (no explicit
probes) would just fall into the old code. That minimized the
possibility that I mucked anything up :-)
>
>> + rtx_insn *insn;
>> + rtx_insn *retval = NULL;
>> + if (rounded_size == probe_interval)
>> + {
>> + if (Pmode == SImode)
>> + insn = emit_insn (gen_movsi_update_stack (stack_pointer_rtx,
>> + stack_pointer_rtx,
>> + GEN_INT (-probe_interval),
>> + stack_pointer_rtx));
>> + else
>> + insn = emit_insn (gen_movdi_di_update_stack (stack_pointer_rtx,
>> + stack_pointer_rtx,
>> + GEN_INT (-probe_interval),
>> + stack_pointer_rtx));
>> + wrap_frame_mem (insn, stack_pointer_rtx, probe_interval);
>> +
>> + /* If this was the only allocation, then we can return the allocating
>> + insn. */
>> + if (rounded_size == orig_size)
>> + retval = insn;
>> +
>> + dump_stack_clash_frame_info (PROBE_INLINE, rounded_size != orig_size);
>> + }
>> + else if (rounded_size <= 8 * probe_interval)
>> + {
>> + /* The ABI requires using the store with update insns to allocate
>> + space and store the outer frame into the stack.
>> +
>> + So we save the current stack pointer into a temporary, then
>> + emit the store-with-update insns to store the saved stack pointer
>> + into the right location in each new page. */
>> + rtx probe_int = GEN_INT (-probe_interval);
>> + for (int i = 0; i < rounded_size; i += probe_interval)
>> + {
>> + if (Pmode == SImode)
>> + insn = emit_insn (gen_movsi_update_stack (stack_pointer_rtx,
>> + stack_pointer_rtx,
>> + probe_int, orig_sp));
>> + else
>> + insn = emit_insn (gen_movdi_di_update_stack (stack_pointer_rtx,
>> + stack_pointer_rtx,
>> + probe_int, orig_sp));
>> + wrap_frame_mem (insn, stack_pointer_rtx, probe_interval);
>> + }
>> + retval = NULL;
>> + dump_stack_clash_frame_info (PROBE_INLINE, rounded_size != orig_size);
>> + }
>
> It seems the only thing preventing the probes from being elided is that
> GCC does not realise the probe stores are not actually needed? I guess
> that should be enough, but maybe there should be a test for this.
I'm not sure what you're asking here. In the code above we're
allocating a multiple of PROBE_INTERVAL bytes. We must probe every
PROBE_INTERVAL bytes.
The best way to do that on PPC is to use the
store-with-base-register-modification which does the allocation and
probe at the same time.
It is not safe to allocate all the space at one, then go back and probe
within the space (you can get an async signal between the allocation and
probe).
>
>> + else
>> + {
>> + /* Compute the ending address. */
>> + rtx end_addr
>> + = copy_reg ? gen_rtx_REG (Pmode, 0) : gen_rtx_REG (Pmode, 12);
>> + rtx rs = GEN_INT (-rounded_size);
>> + rtx insn;
>> + if (add_operand (rs, Pmode))
>> + insn = emit_insn (gen_add3_insn (end_addr, stack_pointer_rtx, rs));
>> + else
>> + {
>> + emit_move_insn (end_addr, GEN_INT (-rounded_size));
>> + insn = emit_insn (gen_add3_insn (end_addr, end_addr,
>> + stack_pointer_rtx));
>> + add_reg_note (insn, REG_FRAME_RELATED_EXPR,
>> + gen_rtx_SET (end_addr,
>> + gen_rtx_PLUS (Pmode, stack_pointer_rtx,
>> + rs)));
>> + }
>> + RTX_FRAME_RELATED_P (insn) = 1;
>
> What are these notes for? Not totally obvious... could use a comment :-)
At a high level we're describing to the CFI machinery how to compute the
CFA.
ie we have
(set (endreg) (-rounded_size))
(set (endreg) (endreg) (stack_pointer_rtx))
But only the second insn actually participates in the CFA computation
because it's the only one marked as RTX_FRAME_RELATED. But the CFI
machinery isn't going to be able to figure out what that insn does. So
we describe it with a note. Think of it as a REG_EQUAL note for the CFI
machinery.
I'm far from an expert in the CFI machinery. I've got a pretty good
idea how we handle this stuff on x86 and aarch. We do things a bit
differently on PPC.
>
>> +
>> + /* Emit the loop. */
>> + if (TARGET_64BIT)
>> + insn = emit_insn (gen_probe_stack_rangedi (stack_pointer_rtx,
>> + stack_pointer_rtx, orig_sp,
>> + end_addr));
>> + else
>> + insn = emit_insn (gen_probe_stack_rangesi (stack_pointer_rtx,
>> + stack_pointer_rtx, orig_sp,
>> + end_addr));
>> + RTX_FRAME_RELATED_P (insn) = 1;
>> + add_reg_note (insn, REG_FRAME_RELATED_EXPR,
>> + gen_rtx_SET (stack_pointer_rtx, end_addr));
>> + retval = NULL;
>> + dump_stack_clash_frame_info (PROBE_LOOP, rounded_size != orig_size);
>> + }
>> +
>> + if (orig_size != rounded_size)
>> + {
>> + insn = handle_residual (orig_size, rounded_size, orig_sp);
>> +
>> + /* If the residual was the only allocation, then we can return the
>> + allocating insn. */
>> + if (rounded_size == 0)
>> + retval = insn;
>> + }
>> +
>> + /* If we asked for a copy with an offset, then we still need add in tnhe
>
> Typo ("tnhe").
Fixed.
>
>> + offset. */
>> + if (copy_reg && copy_off)
>> + emit_insn (gen_add3_insn (copy_reg, copy_reg, GEN_INT (copy_off)));
>> + return retval;
>> +}
>
>> +/* Probe a range of stack addresses from REG1 to REG3 inclusive. These are
>> + absolute addresses. REG2 contains the outer stack pointer that must be
>> + stored into *sp at each allocation.
>
> s/outer stack pointer/pointer to the previous frame/ ? Or just say
> "backchain"?
I'll just use backchain here and in another instance I found.
>
>> diff --git a/gcc/config/rs6000/rs6000.md b/gcc/config/rs6000/rs6000.md
>> index f78dbf9..9262c82 100644
>> --- a/gcc/config/rs6000/rs6000.md
>> +++ b/gcc/config/rs6000/rs6000.md
>> @@ -10262,7 +10262,7 @@
>>
>> (define_expand "allocate_stack"
>> [(set (match_operand 0 "gpc_reg_operand" "")
>> - (minus (reg 1) (match_operand 1 "reg_or_short_operand" "")))
>> + (minus (reg 1) (match_operand 1 "reg_or_cint_operand" "")))
>> (set (reg 1)
>> (minus (reg 1) (match_dup 1)))]
>> ""
>> @@ -10272,6 +10272,15 @@
>> rtx neg_op0;
>> rtx insn, par, set, mem;
>>
>> + /* By allowing reg_or_cint_operand as the predicate we can get
>> + better code for stack-clash-protection because we do not lose
>> + size information. But the rest of the code expects the operand
>> + to be reg_or_short_operand. If it isn't, then force it into
>> + a register. */
>> + rtx orig_op1 = operands[1];
>> + if (!reg_or_short_operand (operands[1], Pmode))
>> + operands[1] = force_reg (Pmode, operands[1]);
>
> I don't understand the "we do not lose size information" bit. Maybe
> you can show an example?
If you have a large constant alloca -- large enough that the size does
not fit in a reg_or_cint_operand, then the generic code in explow.c will
force the size into a register before calling this expander.
Thus we don't know the allocation is constant within this expander which
limits our ability to rotate the loop, unroll the loop and/or elide any
residual allocations.
I'm pretty sure this is covered by the tests added in this series -- my
recollection is those tests failed on PPC which is what led me to find
this little nugget.
>
>> + /* Allocate and probe if requested.
>> + This may look similar to the loop we use for prologue allocations,
>> + but it is critically different. For the former we know the loop
>> + will iterate, but do not know that generally here. The former
>> + uses that knowledge to rotate the loop. Combining them would be
>> + possible with some performance cost. */
>> + if (flag_stack_clash_protection)
>> + {
>> + rtx rounded_size, last_addr, residual;
>> + HOST_WIDE_INT probe_interval;
>> + compute_stack_clash_protection_loop_data (&rounded_size, &last_addr,
>> + &residual, &probe_interval,
>> + orig_op1);
>> +
>> + /* We do occasionally get in here with constant sizes, we might
>> + as well do a reasonable job when we obviously can. */
>> + if (rounded_size != CONST0_RTX (Pmode))
>
> That's just const0_rtx.
The canonical way is to test against CONST0_RTX (mode). Testing
"const0_rtx" may be safe here, but in general the right way is
CONST0_RTX (mode).
>
>> + {
>> + rtx loop_lab, end_loop;
>> + bool rotated = GET_CODE (rounded_size) == CONST_INT;
>> +
>> + emit_stack_clash_protection_probe_loop_start (&loop_lab, &end_loop,
>> + last_addr, rotated);
>> +
>> + if (Pmode == SImode)
>> + emit_insn (gen_movsi_update_stack (stack_pointer_rtx,
>> + stack_pointer_rtx,
>> + GEN_INT (-probe_interval),
>> + chain));
>> + else
>> + emit_insn (gen_movdi_di_update_stack (stack_pointer_rtx,
>> + stack_pointer_rtx,
>> + GEN_INT (-probe_interval),
>> + chain));
>> + emit_stack_clash_protection_probe_loop_end (loop_lab, end_loop,
>> + last_addr, rotated);
>> + }
>> +
>> + /* Now handle residuals. We just have to set operands[1] correctly
>> + and let the rest of the expander run. */
>> + if (REG_P (residual) || GET_CODE (residual) == CONST_INT)
>
> CONST_INT_P
Fixed.
>
>> + operands[1] = residual;
>> + else
>> + {
>> + operands[1] = gen_reg_rtx (Pmode);
>> + force_operand (residual, operands[1]);
>> + }
>> + }
>
> Maybe this (from the comment on) could just be
>
> operands[1] = residual;
> if (!CONST_INT_P (operands[1]))
> operands[1] = force_reg (Pmode, operands[1]);
That should work. The key here is to force RESIDUAL into a register is
it is an RTL expression.
I'll spin up a new build/test with these changes...
Jeff