riscv64imac: allow shadow call stack sanitizer #129316
Conversation
|
r? @nnethercote rustbot has assigned @nnethercote. Use |
rustbot
added
S-waiting-on-review
|
Some context: on aarch64 there is a requirement to pass the See #128348 for the equivalent aarch64 change. |
|
For SCS RISC-V needs |
|
I don't believe rustc has a nob for that. I've only ever seen it on linkers. It doesn't sound like there's anything we can do about it right now? |
Yeah, I'm not all that surprised. But it does probably make sense to warn i they're used together to compile the same crate/module/TU. Not a problem this patch needs to solve today (I don't even think we do that in |
|
Actualy, I'd suggest rewriting the bulk of the shadow stack documentation to more closely align w/ what's in LLVM: https://clang.llvm.org/docs/ShadowCallStack.html#id6. Before we added RISC-V support, our docs were also very Aarch64 centric, and it seems like the Rust versions were closely following the old version. I'd also suggest that at least some of the descriptions in the |
|
No worries @ilovepi I can help with moving the documentation. I will put it up later and see if we have time next week to walk it through. 👍 There is a |
|
Let's mention the target in I would be happy to commit to making sure that updating the documentation happens, but I won't have time this week or next week. Would that work for you? |
|
Agreed that the extra documentation shouldn’t be a blocker on this. @dingxiangfei2009 @Darksonn Thanks for taking the lead on those updates 😄. Let me know if you’d like feedback, as I’m happy to help. |
dingxiangfei2009
force-pushed
the
riscv64-imac-scs
branch
from
b4deea8
to
31c70df
Compare
|
Some changes occurred in src/doc/unstable-book/src/compiler-flags/sanitizer.md cc @rust-lang/project-exploit-mitigations, @rcvalle These commits modify compiler targets. |
|
I need a bit more time to write a test. Let us move ahead and tweak the wording first. |
|
For the test it looks like you could just copy |
dingxiangfei2009
force-pushed
the
riscv64-imac-scs
branch
from
31c70df
to
133044e
Compare
|
Some changes occurred in tests/codegen/sanitizer cc @rust-lang/project-exploit-mitigations, @rcvalle |
|
@rustbot ready
|
| To that end, implementation of this sanitizer requires reservation of one of the registers on the target platform. | ||
| Software support from the operating system and runtime may be required depending on the target platform which is detailed in the remaining section. | ||
| See the [Clang ShadowCallStack documentation][clang-scs] for more details. |
There was a problem hiding this comment.
The current phrasing makes it sound like you could reserve any register and tell the compiler. Maybe something that's a mix of the old and new version would make that less ambiguous?
| To that end, implementation of this sanitizer requires reservation of one of the registers on the target platform. | |
| Software support from the operating system and runtime may be required depending on the target platform which is detailed in the remaining section. | |
| See the [Clang ShadowCallStack documentation][clang-scs] for more details. | |
| The ShadowCallStack (SCS) requires that the platform reserves a register that could be used for the SCS. Aarch64 and RISC-V both have a platform register defined in their ABIs, which can optionally be reserved for this purpose (X18 and X3/GP respectively). Software support from the operating system and runtime may be required depending on the target platform which is detailed in the remaining section. | |
| See the [Clang ShadowCallStack documentation][clang-scs] for more details. |
There was a problem hiding this comment.
Applied. The wording about the register reservation was indeed a bit ambiguous.
| The following targets support ShadowCallStack. | ||
|
|
||
| * `riscv64imac-unknown-none-elf` | ||
| * `riscv64gc-unknown-none-elf` |
There was a problem hiding this comment.
you could include Fuchsia here as well.
| ShadowCallStack requires on this platform ABI reservation of the register `x18` as the instrumentation makes use of this register. | ||
| When `x18` is not reserved on the target AArch64 platform and is availabe as a scratch register, enabling ShadowCallStack leds to undefined behaviour. | ||
| In other words, code that is calling into or called by functions instrumented with ShadowCallStack must reserve the `x18` register or preserve its value. |
There was a problem hiding this comment.
| ShadowCallStack requires on this platform ABI reservation of the register `x18` as the instrumentation makes use of this register. | |
| When `x18` is not reserved on the target AArch64 platform and is availabe as a scratch register, enabling ShadowCallStack leds to undefined behaviour. | |
| In other words, code that is calling into or called by functions instrumented with ShadowCallStack must reserve the `x18` register or preserve its value. | |
| ShadowCallStack requires the use of the ABI defined platform register, `x18`, which is required for code generation purposes. | |
| When `x18` is not reserved, and is instead used as a scratch register, enabling ShadowCallStack would lead to undefined behavior, due to corruption of the return addresses on the SCS or through clobbering the SCS register. | |
| In other words, code that is calling into or called by functions instrumented with ShadowCallStack must reserve the `x18` register or preserve its value. |
WDYT of this phrasing?
There was a problem hiding this comment.
Applied with additional explanation on the source of UB.
| #[lang = "sized"] | ||
| trait Sized {} | ||
|
|
||
| // CHECK: ; Function Attrs:{{.*}}shadowcallstack |
There was a problem hiding this comment.
You probably want a check line for the definition of foo and the attribute #0 to match up w/ the check below.
There was a problem hiding this comment.
Added. Now the test is matching foo with #0 attribute.
dingxiangfei2009
force-pushed
the
riscv64-imac-scs
branch
from
133044e
to
930c043
Compare
|
@rustbot ready
|
|
@ilovepi: if you are satisfied with the latest version, then I am happy to r+ it. |
|
LGTM. Depending on how complete you want the target info, Fuchsia also supports scs on Aarch64. Not a blocker in my opinion so feel free to land as is. |
@dingxiangfei2009: I will delegate-approve this so you can make that change if you like, and then approve this yourself. @bors delegate=dingxiangfei2009 |
|
✌️ @dingxiangfei2009, you can now approve this pull request! If @nnethercote told you to " |
dingxiangfei2009
force-pushed
the
riscv64-imac-scs
branch
from
930c043
to
9c29b33
Compare
|
@ilovepi I added the AArch64 Fuchsia and went through the docs again. 🚀 |
bors
added
S-waiting-on-bors
…llaumeGomez Rollup of 7 pull requests Successful merges: - rust-lang#123940 (debug-fmt-detail option) - rust-lang#128166 (Improved `checked_isqrt` and `isqrt` methods) - rust-lang#128970 (Add `-Zlint-llvm-ir`) - rust-lang#129316 (riscv64imac: allow shadow call stack sanitizer) - rust-lang#129690 (Add `needs-unwind` compiletest directive to `libtest-thread-limit` and replace some `Path` with `path` in `run-make`) - rust-lang#129732 (Add `unreachable_pub`, round 3) - rust-lang#129743 (Fix rustdoc clippy lints) r? `@ghost` `@rustbot` modify labels: rollup
…llaumeGomez Rollup of 7 pull requests Successful merges: - rust-lang#123940 (debug-fmt-detail option) - rust-lang#128166 (Improved `checked_isqrt` and `isqrt` methods) - rust-lang#128970 (Add `-Zlint-llvm-ir`) - rust-lang#129316 (riscv64imac: allow shadow call stack sanitizer) - rust-lang#129690 (Add `needs-unwind` compiletest directive to `libtest-thread-limit` and replace some `Path` with `path` in `run-make`) - rust-lang#129732 (Add `unreachable_pub`, round 3) - rust-lang#129743 (Fix rustdoc clippy lints) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#129316 - dingxiangfei2009:riscv64-imac-scs, r=nnethercote riscv64imac: allow shadow call stack sanitizer cc `@Darksonn` for shadow call stack sanitizer support on RV64IMAC and RV64GC
cc @Darksonn for shadow call stack sanitizer support on RV64IMAC and RV64GC