> -----Original Message----- > From: Jeff Law [mailto:l...@redhat.com] > Sent: Friday, August 25, 2017 10:59 PM > To: Tsimbalist, Igor V <igor.v.tsimbal...@intel.com>; 'gcc- > patc...@gcc.gnu.org' <gcc-patches@gcc.gnu.org> > Subject: Re: 0002-Part-2.-Document-finstrument-control-flow-and-notrack > attribute > > On 08/01/2017 02:56 AM, Tsimbalist, Igor V wrote: > > Part#2. Document -finstrument-control-flow and notrack attribute. > > > > > > 0002-Part-2.-Document-finstrument-control-flow-and-notrac.patch > > > > > > From c3e45c80731672e74d638f787e80ba975279b9b9 Mon Sep 17 00:00:00 > 2001 > > From: Igor Tsimbalist <igor.v.tsimbal...@intel.com> > > Date: Mon, 3 Jul 2017 17:12:49 +0300 > > Subject: [PATCH 2/9] Part#2. Document -finstrument-control-flow and > > notrack attribute. > > > > gcc/ > > * doc/extend.texi: Add 'notrack' documentation. > > * doc/invoke.texi: Add -finstrument-control-flow documentation. > > * doc/rtl.texi: Add REG_CALL_NOTRACK documenation. > > --- > > gcc/doc/extend.texi | 52 > > ++++++++++++++++++++++++++++++++++++++++++++++++++++ > > gcc/doc/invoke.texi | 22 ++++++++++++++++++++++ > > gcc/doc/rtl.texi | 15 +++++++++++++++ > > 3 files changed, 89 insertions(+) > > > > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi index > > 6934b4c..80de8a7 100644 > > --- a/gcc/doc/extend.texi > > +++ b/gcc/doc/extend.texi 
> > @@ -5632,6 +5632,58 @@ Specify which floating-point unit to use. You > > must specify the @code{target("fpmath=sse,387")} option as > > @code{target("fpmath=sse+387")} because the comma would separate > > different options. > > + > > +@item notrack > > +@cindex @code{notrack} function attribute The @code{notrack} > > +attribute on a function is used to inform the compiler that the > > +function's prolog should not be instrumented when compiled with the > > +@option{-finstrument-control-flow} option. The compiler assumes that > > +the function's address is a valid target for a control-flow transfer.
> Is the default to instrument everything when -finstrument-control-flow is > enabled? Or can we avoid instrumentation on a function that never has its > address taken (ie, it is only called via a call instruction?)
The instrumentation is on by default, but for all platforms except x86 it does nothing, as the implementation is not supported. For x86 the implementation is lightweight and just increases code size a bit due to the 'endbranch' instruction.
Given a function decl, is there information already available on whether the function's address was taken? I plan to do what you suggested later as an optimization, especially for global functions where IPA is required.
> > + > > +The @code{notrack} attribute on a type of pointer to function is used > > +to inform the compiler that a call through the pointer should not be > > +instrumented when compiled with the > > +@option{-finstrument-control-flow} option. The compiler assumes that > > +the function's address from the pointer is a valid target for a > > +control-flow transfer. A direct function call through a function > > +name is assumed as a save call thus direct calls will not be > > +instrumented by the compiler.
> s/save/safe/
>
> FWIW, I think putting the attribute into in the type system is a good thing
> :-)
>
> > + > > +The @code{notrack} attribute is applied to an object's type. A The > > +@code{notrack} attribute is transfered to a call instruction at the > > +GIMPLE and RTL translation phases. The attribute is not propagated > > +through assignment, store and load. > > + > > +@smallexample > > +@{ > > +void (*foo)(void) __attribute__(notrack); void (*foo1)(void) > > +__attribute__(notrack); void (*foo2)(void); > > + > > +int > > +foo (void) /* The function's address is not tracked. */ > > + > > + /* This call site is not tracked for > > + control-flow instrumentation. */ (*foo1)(); > > + foo1 = foo2; > > + /* This call site is still not tracked for > > + control-flow instrumentation. */ (*foo1)(); > > + > > + /* This call site is tracked for > > + control-flow instrumentation. */ (*foo2)(); > > + foo2 = foo1; > > + /* This call site is still tracked for > > + control-flow instrumentation. */ (*foo2)(); > > + > > + return 0; > > +@} > > +@end smallexample
> Given the notrack attribute is part of the type system, could we issue a > warning on the foo1 = foo2 assignment since we're discarding tracking that's > implicit on foo2?
Fixed.
For the code above, these messages are issued:

w.c: In function 'foo':
w.c:22:8: warning: nocf_check attribute mismatch for assignment [-Wattributes]
 foo1 = foo2;
        ^
w.c:31:8: warning: nocf_check attribute mismatch for assignment [-Wattributes]
 foo2 = foo1;
        ^

> > + > > @end table > > > > On the x86, the inliner does not inline a diff --git > > a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index 5ae9dc4..ff2ce92 > > 100644 > > --- a/gcc/doc/invoke.texi > > +++ b/gcc/doc/invoke.texi > > @@ -459,6 +459,7 @@ Objective-C and Objective-C++ Dialects}. > > -fchkp-check-read -fchkp-check-write -fchkp-store-bounds @gol > > -fchkp-instrument-calls -fchkp-instrument-marked-only @gol > > -fchkp-use-wrappers -fchkp-flexible-struct-trailing-arrays@gol > > +-finstrument-control-flow @gol > > -fstack-protector -fstack-protector-all -fstack-protector-strong > > @gol -fstack-protector-explicit -fstack-check @gol > > -fstack-limit-register=@var{reg} -fstack-limit-symbol=@var{sym} @gol > > @@ -11284,6 +11285,27 @@ is used to link a program, the GCC driver > > automatically links against @file{libmpxwrappers}. See also @option{- > static-libmpxwrappers}. > > Enabled by default. > > > > +@item -finstrument-control-flow > > +@opindex finstrument-control-flow > > +@opindex fno-instrument-control-flow > > +Enable code instrumentation of control-flow transfers to increase a > > +program security by checking a target address of control-flow > > +transfer instructions (i.e. routine call, routine return, jump) are > > +valid targets. This prevents diverting the control flow instructions > > +from its original target address to a new undesigned target. This is > > +intended to protect against such theats as Return-oriented > > +Programming (ROP), and similarly call/jmp-oriented programming > > +(COP/JOP).
> "function call, function return, indirect jump" rather than "routine call, > routine return, jump"?
Ok, fixed.

Thanks, Igor
> > Jeff
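Review bot: the @smallexample in the extend.texi hunk does not compile as shown and should be corrected before it lands in the manual: `__attribute__(notrack)` needs GCC's double-parenthesis form `__attribute__((notrack))`, `foo` is declared as a function pointer and then defined as `int foo (void)` in the same scope, and there is no opening `@{` after the definition, so the calls and `return 0` are not inside any function body. The prose of the same hunk has "A The @code{notrack} attribute is transfered" (stray "A", should be "transferred"), "save call" (already noted, "safe"), and "prolog" where the rest of the manual writes "prologue". Since the attribute is part of the type and the `foo1 = foo2` / `foo2 = foo1` assignments now warn, the sentence "The attribute is not propagated through assignment, store and load" should also say that such a mismatched assignment is diagnosed under -Wattributes.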
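Review bot: the -finstrument-control-flow entry in the second invoke.texi hunk should state the default and which targets implement it: the reply above says the instrumentation is on by default but is a no-op on every target except x86, and neither fact is in the text, so users on other targets would assume a protection they do not get; mention -fno-instrument-control-flow as the way to turn it off. The sentence "to increase a program security by checking a target address of control-flow transfer instructions ... are valid targets" also needs grammar fixes, e.g. "to increase program security by checking that the target addresses of control-flow transfer instructions (function calls, function returns, indirect jumps) are valid", plus "theats" -> "threats" and "from its original target address" -> "from their original target addresses".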