On Tue, Apr 17, 2018 at 12:03 PM, H.J. Lu <hjl.to...@gmail.com> wrote: > On Tue, Apr 17, 2018 at 11:55 AM, Uros Bizjak <ubiz...@gmail.com> wrote: >> On Tue, Apr 17, 2018 at 8:42 PM, H.J. Lu <hongjiu...@intel.com> wrote: >>> -fcf-protection -mcet can't be used with IFUNC features, like symbol >>> multiversioning or target clone, since IBT/SHSTK are applied to the whole >>> program and they may be disabled in some functions. But -fcf-protection >>> is implemented with multi-byte NOPs on all 64-bit processors as well as >>> 32-bit processors starting with Pentium Pro. If -fcf-protection requires >>> -mcet, IFUNC features can't be used on Linux when -fcf-protection is >>> enabled by default. >>> >>> This patch changes -fcf-protection to to enable the NOP portion of CET >>> ISAs unless IBT and/or SHSTK are disabled explicitly. The rest of CET >>> ISAs, including intrinsics, still requires -mcet, -mibt or -mshstk. >>> >>> OK for trunk? >> >> As said in the PR, NOP sequences have non-zero cost in the executable >> (they enlarge the executable), so I don't think this feature should be >> enabled by default. >> >> There is always a configure option if someone wants their compiler to >> always emit relevant multi-byte nops. > > What we need is an option to enable -fcf-function with multi-byte NOPs > without -mcet which enables the full CET ISAs. A configure option > without the corresponding the command-line option makes test and > debug difficult. I can add > > --enable-cf-function-nop or --with-cf-function-nop > > with > > -fct-function-nop >
How about adding -mno-cet, which enables the NOP portion of CET ISAs? -- H.J.
