[PATCH][GCC][AArch64] Ensure that outgoing argument size is at least 8 bytes when alloca and stack-clash. [Patch (3/6)]

Fri Aug 3 18:05:00 GMT 2018

On 07/25/2018 05:09 AM, Tamar Christina wrote:
> Hi All,
> 
> Attached an updated patch which documents what the test cases are expecting as requested.
> 
> Ok for trunk?
> 
> Thanks,
> Tamar
> 
> gcc/
> 2018-07-25  Tamar Christina  <tamar.christina@arm.com>
> 
> 	PR target/86486
> 	* config/aarch64/aarch64.h (STACK_CLASH_OUTGOING_ARGS,
> 	STACK_DYNAMIC_OFFSET): New.
> 	* config/aarch64/aarch64.c (aarch64_layout_frame):
> 	Update outgoing args size.
> 	(aarch64_stack_clash_protection_alloca_probe_range,
> 	TARGET_STACK_CLASH_PROTECTION_ALLOCA_PROBE_RANGE): New.
> 
> gcc/testsuite/
> 2018-07-25  Tamar Christina  <tamar.christina@arm.com>
> 
> 	PR target/86486
> 	* gcc.target/aarch64/stack-check-alloca-1.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-10.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-2.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-3.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-4.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-5.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-6.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-7.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-8.c: New.
> 	* gcc.target/aarch64/stack-check-alloca-9.c: New.
> 	* gcc.target/aarch64/stack-check-alloca.h: New.
> 	* gcc.target/aarch64/stack-check-14.c: New.
> 	* gcc.target/aarch64/stack-check-15.c: New.
> 
>> -----Original Message-----
>> From: Tamar Christina
>> Sent: Friday, July 13, 2018 17:36
>> To: Tamar Christina <Tamar.Christina@arm.com>; gcc-patches@gcc.gnu.org
>> Cc: nd <nd@arm.com>; James Greenhalgh <James.Greenhalgh@arm.com>;
>> Richard Earnshaw <Richard.Earnshaw@arm.com>; Marcus Shawcroft
>> <Marcus.Shawcroft@arm.com>
>> Subject: RE: [PATCH][GCC][AArch64] Ensure that outgoing argument size is at
>> least 8 bytes when alloca and stack-clash. [Patch (3/6)]
>>
>> Hi All,
>>
>> I'm sending an updated patch which updates a testcase that  hits one of our
>> corner cases.
>> This is an assembler scan only update in a testcase.
>>
>> Regards,
>> Tamar
>>
>>> -----Original Message-----
>>> From: Tamar Christina <tamar.christina@arm.com>
>>> Sent: Wednesday, July 11, 2018 12:21
>>> To: gcc-patches@gcc.gnu.org
>>> Cc: nd <nd@arm.com>; James Greenhalgh <James.Greenhalgh@arm.com>;
>>> Richard Earnshaw <Richard.Earnshaw@arm.com>; Marcus Shawcroft
>>> <Marcus.Shawcroft@arm.com>
>>> Subject: [PATCH][GCC][AArch64] Ensure that outgoing argument size is
>>> at least 8 bytes when alloca and stack-clash. [Patch (3/6)]
>>>
>>> Hi All,
>>>
>>> This patch adds a requirement that the number of outgoing arguments
>>> for a function is at least 8 bytes when using stack-clash protection.
>>>
>>> By using this condition we can avoid a check in the alloca code and so
>>> have smaller and simpler code there.
>>>
>>> A simplified version of the AArch64 stack frames is:
>>>
>>>    +-----------------------+
>>>    |                       |
>>>    |                       |
>>>    |                       |
>>>    +-----------------------+
>>>    |LR                     |
>>>    +-----------------------+
>>>    |FP                     |
>>>    +-----------------------+
>>>    |dynamic allocations    | ----  expanding area which will push the outgoing
>>>    +-----------------------+       args down during each allocation.
>>>    |padding                |
>>>    +-----------------------+
>>>    |outgoing stack args    | ---- safety buffer of 8 bytes (aligned)
>>>    +-----------------------+
>>>
>>> By always defining an outgoing argument, alloca(0) effectively is safe
>>> to probe at $sp due to the reserved buffer being there.  It will never
>>> corrupt the stack.
>>>
>>> This is also safe for alloca(x) where x is 0 or x % page_size == 0.
>>> In the former it is the same case as alloca(0) while the latter is
>>> safe because any allocation pushes the outgoing stack args down:
>>>
>>>    |FP                     |
>>>    +-----------------------+
>>>    |                       |
>>>    |dynamic allocations    | ----  alloca (x)
>>>    |                       |
>>>    +-----------------------+
>>>    |padding                |
>>>    +-----------------------+
>>>    |outgoing stack args    | ---- safety buffer of 8 bytes (aligned)
>>>    +-----------------------+
>>>
>>> Which means when you probe for the residual, if it's 0 you'll again
>>> just probe in the outgoing stack args range, which we know is non-zero (at
>> least 8 bytes).
>>>
>>> Bootstrapped Regtested on aarch64-none-linux-gnu and no issues.
>>> Target was tested with stack clash on and off by default.
>>>
>>> Ok for trunk?
>>>
>>> Thanks,
>>> Tamar
>>>
>>> gcc/
>>> 2018-07-11  Tamar Christina  <tamar.christina@arm.com>
>>>
>>> 	PR target/86486
>>> 	* config/aarch64/aarch64.h (STACK_CLASH_OUTGOING_ARGS,
>>> 	STACK_DYNAMIC_OFFSET): New.
>>> 	* config/aarch64/aarch64.c (aarch64_layout_frame):
>>> 	Update outgoing args size.
>>> 	(aarch64_stack_clash_protection_alloca_probe_range,
>>> 	TARGET_STACK_CLASH_PROTECTION_ALLOCA_PROBE_RANGE):
>>> New.
>>>
>>> gcc/testsuite/
>>> 2018-07-11  Tamar Christina  <tamar.christina@arm.com>
>>>
>>> 	PR target/86486
>>> 	* gcc.target/aarch64/stack-check-alloca-1.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-10.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-2.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-3.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-4.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-5.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-6.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-7.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-8.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca-9.c: New.
>>> 	* gcc.target/aarch64/stack-check-alloca.h: New.
>>> 	* gcc.target/aarch64/stack-check-14.c: New.
>>> 	* gcc.target/aarch64/stack-check-15.c: New.
>>>
>>> --
Likewise -- no concerns on my end.  AArch64 maintainers have the final say.

jeff