0002-Part-2.-Document-finstrument-control-flow-and-notrack attribute

Tsimbalist, Igor V igor.v.tsimbalist@intel.com
Tue Sep 19 13:45:00 GMT 2017


Here is an updated patch (version #2). Mainly attribute and option names were changed.

gcc/doc/
	* extend.texi: Add 'nocf_check' documentation.
	* gimple.texi: Add second parameter to gimple_build_call_from_tree.
	* invoke.texi: Add -fcf-protection documentation.
	* rtl.texi: Add REG_CALL_NOTRACK documentation.

Is it ok for trunk?

Thanks,
Igor


> -----Original Message-----
> From: Tsimbalist, Igor V
> Sent: Friday, September 15, 2017 5:14 PM
> To: 'Jeff Law' <law@redhat.com>; 'gcc-patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> Cc: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>
> Subject: RE: 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> attribute
> 
> > -----Original Message-----
> > From: Jeff Law [mailto:law@redhat.com]
> > Sent: Friday, August 25, 2017 10:59 PM
> > To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; 'gcc-patches@gcc.gnu.org' <gcc-patches@gcc.gnu.org>
> > Subject: Re:
> > 0002-Part-2.-Document-finstrument-control-flow-and-notrack
> > attribute
> >
> > On 08/01/2017 02:56 AM, Tsimbalist, Igor V wrote:
> > > Part#2. Document -finstrument-control-flow and notrack attribute.
> > >
> > >
> > > 0002-Part-2.-Document-finstrument-control-flow-and-notrac.patch
> > >
> > >
> > > From c3e45c80731672e74d638f787e80ba975279b9b9 Mon Sep 17 00:00:00 2001
> > > From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
> > > Date: Mon, 3 Jul 2017 17:12:49 +0300
> > > Subject: [PATCH 2/9] Part#2. Document -finstrument-control-flow and
> > > notrack  attribute.
> > >
> > > gcc/
> > > 	* doc/extend.texi: Add 'notrack' documentation.
> > > 	* doc/invoke.texi: Add -finstrument-control-flow documentation.
> > > 	* doc/rtl.texi: Add REG_CALL_NOTRACK documentation.
> > > ---
> > >  gcc/doc/extend.texi | 52
> > > ++++++++++++++++++++++++++++++++++++++++++++++++++++
> > >  gcc/doc/invoke.texi | 22 ++++++++++++++++++++++
> > >  gcc/doc/rtl.texi    | 15 +++++++++++++++
> > >  3 files changed, 89 insertions(+)
> > >
> > > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi index
> > > 6934b4c..80de8a7 100644
> > > --- a/gcc/doc/extend.texi
> > > +++ b/gcc/doc/extend.texi
> > > @@ -5632,6 +5632,58 @@ Specify which floating-point unit to use.
> > > You must specify the  @code{target("fpmath=sse,387")} option as
> > > @code{target("fpmath=sse+387")} because the comma would separate
> > > different options.
> > > +
> > > +@item notrack
> > > +@cindex @code{notrack} function attribute The @code{notrack}
> > > +attribute on a function is used to inform the compiler that the
> > > +function's prolog should not be instrumented when compiled with the
> > > +@option{-finstrument-control-flow} option.  The compiler assumes
> > > +that the function's address is a valid target for a control-flow transfer.
> > Is the default to instrument everything when -finstrument-control-flow
> > is enabled?  Or can we avoid instrumentation on a function that never
> > has its address taken (ie, it is only called via a call instruction?)
> The instrumentation is on by default, but for all platforms except x86 it does
> nothing as the implementation is not supported. For x86 the implementation
> is lightweight and just increases code size a bit due to the 'endbranch' instruction.
> 
> Given a function decl, is there information already available on whether an address
> was taken from the function? I plan to do what you suggested later as an
> optimization, especially for global functions where IPA is required.
> 
> > > +
> > > +The @code{notrack} attribute on a type of pointer to function is
> > > +used to inform the compiler that a call through the pointer should
> > > +not be instrumented when compiled with the
> > > +@option{-finstrument-control-flow} option.  The compiler assumes
> > > +that the function's address from the pointer is a valid target for
> > > +a control-flow transfer.  A direct function call through a function
> > > +name is assumed as a save call thus direct calls will not be
> > > +instrumented by the compiler.
> > s/save/safe/
> >
> > FWIW, I think putting the attribute into the type system is a good
> > thing :-)
> >
> > > +
> > > +The @code{notrack} attribute is applied to an object's type.  A The
> > > +@code{notrack} attribute is transfered to a call instruction at the
> > > +GIMPLE and RTL translation phases.  The attribute is not propagated
> > > +through assignment, store and load.
> > > +
> > > +@smallexample
> > > +@{
> > > +void (*foo)(void) __attribute__(notrack); void (*foo1)(void)
> > > +__attribute__(notrack); void (*foo2)(void);
> > > +
> > > +int
> > > +foo (void) /* The function's address is not tracked.  */
> > > +
> > > +  /* This call site is not tracked for
> > > +     control-flow instrumentation.  */  (*foo1)();
> > > +  foo1 = foo2;
> > > +  /* This call site is still not tracked for
> > > +     control-flow instrumentation.  */  (*foo1)();
> > > +
> > > +  /* This call site is tracked for
> > > +     control-flow instrumentation.  */  (*foo2)();
> > > +  foo2 = foo1;
> > > +  /* This call site is still tracked for
> > > +     control-flow instrumentation.  */  (*foo2)();
> > > +
> > > +  return 0;
> > > +@}
> > > +@end smallexample
> > Given the notrack attribute is part of the type system, could we issue
> > a warning on the foo1 = foo2 assignment since we're discarding
> > tracking that's implicit on foo2?
> Fixed. For the code above messages are issued
> w.c: In function 'foo':
> w.c:22:8: warning: nocf_check attribute mismatch for assignment [-Wattributes]
>    foo1 = foo2;
>         ^
> w.c:31:8: warning: nocf_check attribute mismatch for assignment [-Wattributes]
>    foo2 = foo1;
>         ^
> 
> > > +
> > >  @end table
> > >
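Review bot: The @smallexample in this hunk is not valid C as written. '__attribute__(notrack)' needs double parentheses, 'foo' is declared both as a function pointer variable and as the function being defined, and the '@{' sits before the declarations while 'foo (void)' has no opening brace of its own. Suggest '__attribute__((notrack))', putting the attribute on the definition of 'foo' instead of declaring a pointer with the same name (the comment says the function's address is not tracked, but the function itself carries no attribute), and moving '@{' to directly after 'foo (void)'. In the paragraph above the example, "A The @code{notrack} attribute is transfered" has a stray "A", and "transfered" should be "transferred".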
> > >  On the x86, the inliner does not inline a diff --git
> > > a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index 5ae9dc4..ff2ce92
> > > 100644
> > > --- a/gcc/doc/invoke.texi
> > > +++ b/gcc/doc/invoke.texi
> > > @@ -459,6 +459,7 @@ Objective-C and Objective-C++ Dialects}.
> > >  -fchkp-check-read  -fchkp-check-write  -fchkp-store-bounds @gol
> > > -fchkp-instrument-calls  -fchkp-instrument-marked-only @gol
> > > -fchkp-use-wrappers  -fchkp-flexible-struct-trailing-arrays@gol
> > > +-finstrument-control-flow @gol
> > >  -fstack-protector  -fstack-protector-all  -fstack-protector-strong
> > > @gol  -fstack-protector-explicit  -fstack-check @gol
> > > -fstack-limit-register=@var{reg}  -fstack-limit-symbol=@var{sym}
> > > @gol @@ -11284,6 +11285,27 @@ is used to link a program, the GCC
> > > driver automatically links  against @file{libmpxwrappers}.  See also
> > > @option{-
> > static-libmpxwrappers}.
> > >  Enabled by default.
> > >
> > > +@item -finstrument-control-flow
> > > +@opindex finstrument-control-flow
> > > +@opindex fno-instrument-control-flow Enable code instrumentation of
> > > +control-flow transfers to increase a program security by checking a
> > > +target address of control-flow transfer instructions (i.e. routine
> > > +call, routine return, jump) are valid targets.  This prevents
> > > +diverting the control flow instructions from its original target
> > > +address to a new undesigned target.  This is intended to protect
> > > +against such theats as Return-oriented Programming (ROP), and
> > > +similarly call/jmp-oriented programming (COP/JOP).
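Review bot: The first sentences of the -finstrument-control-flow description have wording errors that make the guarantee hard to read. "increase a program security" should be "increase program security"; "checking a target address of control-flow transfer instructions ... are valid targets" mixes singular and plural; "from its original target address" should be "from their original target address"; "undesigned target" presumably means "unintended target"; and "theats" should be "threats". Suggest "by checking that the target addresses of control-flow transfer instructions (...) are valid".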
> > "function call, function return, indirect jump" rather than "routine
> > call, routine return, jump"?
> Ok, fixed.
> 
> Thanks,
> Igor
> 
> >
> > Jeff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Add-documentation-for-fcf-protection-option-and-nocf.patch
Type: application/octet-stream
Size: 7826 bytes
Desc: 0002-Add-documentation-for-fcf-protection-option-and-nocf.patch
URL: <http://gcc.gnu.org/pipermail/gcc-patches/attachments/20170919/ae0c2db2/attachment.obj>

