GCS ACLE #260
GCS ACLE #260
Conversation
main/acle.md
Outdated
|
|
||
| To use the intrinsics, `arm_acle.h` needs to be included. | ||
|
|
||
| The intrinsics are available if `__ARM_FEATURE_GCS_DEFAULT` is defined, |
There was a problem hiding this comment.
Intrinsics would be always available because there could be cases when the intrinsics is called in the right context but the whole translation unit is not compiled with GCS. (e.g. target attribute or FMV)
There was a problem hiding this comment.
i'm not against making intrinsics always available, but for GCS the intrinsics are only useful if GCS is enabled, and that can only be enabled if everything is compiled in GCS compatible mode, so there is not really any context when __ARM_FEATURE_GCS_DEFAULT is undef but you want the intrinsics anyway.
main/acle.md
Outdated
| but they can only be called if GCS instructions are supported. | ||
|
|
||
| The `__chkfeat` intrinsics with `_CHKFEAT_GCS` can be used to check | ||
| if GCS protection is enabled at runtime. If GCS protection is enabled |
There was a problem hiding this comment.
superfluous space before If GCS
main/acle.md
Outdated
| ``` | ||
|
|
||
| Reads and returns the last entry on the GCS of the current thread and | ||
| updates the GCS pointer to point to the previous entry. If GCS |
There was a problem hiding this comment.
superfluous space before If GCS
main/acle.md
Outdated
| ``` | ||
|
|
||
| Switches the GCS of the current thread, where the argument is the new | ||
| GCS pointer, and returns the old GCS pointer. If GCS protection is |
There was a problem hiding this comment.
superfluous space before If GCS
| @@ -2937,6 +2948,18 @@ inclusive. See implementation documentation for the effect (if any) of | |||
| this instruction and the meaning of the argument. This is available only | |||
| when compiling for AArch32. | |||
|
|
|||
| ``` c | |||
| uint64_t __chkfeat(uint64_t); | |||
There was a problem hiding this comment.
The behaviour of this intrinsic is opposite that of the instruction (chkfeat instruction clears the bit if the feature is enabled), which I think is unique among intrinsics. It would be worthwhile specifically noting this.
Also "feature is available" should be "feature is enabled" (as the chkfeat instruction will leave the bit alone if the feature is available but disabled).
There was a problem hiding this comment.
I'd prefer to write/read this code in applications:
if( __chkfeat(_CHKFEAT_GCS)) { // do GCS stuff. }
chkfeat must clear the bit if the feature is present due to it is a NOP on old CPUs where it won't change the register content.
That logic twist is not required for the app developers.
+1 for the
Also "feature is available" should be "feature is enabled"
|
|
||
| Reads and returns the last entry on the GCS of the current thread and | ||
| updates the GCS pointer to point to the previous entry. If GCS | ||
| protection is disabled then it has no side effect and returns `0`. |
There was a problem hiding this comment.
The gcspopm instruction does nothing when gcs is disabled (i.e. the value in the destination register is unchanged). Is the intent that the intrinsic sets the destination register to zero before executing the instruction?
There was a problem hiding this comment.
yes, i think this is the only way the intrinsic is usable in the "asynchronously disabled gcs" scenario.
(which we don't know yet if linux will support, currently it does not want to)
|
|
||
|
|
||
| ``` c | ||
| const void *__gcspr(void); |
There was a problem hiding this comment.
i plan to change this back to non-const so that the intrinsics support the gcs write access enabled case (even if that's not expected to be a common setting).
potential issues with current spec:
|
I'm not sure we need this. We can always add it later if there's a need.
I think we only really need the pointer to be non-const if we have a gcs store intrinsic. constness is only about if the user is permitted to write to something, so entries on the gcs stack being modified by bl/ret isn't relevant.
Is this about #214? I think the way GCS intrinsics are currently described is OK with regards to that (though I have a couple of comments on the wording). |
main/acle.md
Outdated
|
|
||
| To use the intrinsics, `arm_acle.h` needs to be included. | ||
|
|
||
| The intrinsics are only valid to call when GCS instructions are |
There was a problem hiding this comment.
"The intrinsics are only valid to call" should be "These intrinsics are available" (that's the wording we use elsewhere).
main/acle.md
Outdated
| to check if GCS protection is enabled at runtime. If GCS protection is | ||
| enabled then GCS instructions are supported and the code was compiled | ||
| in a GCS protection compatible way (`__ARM_FEATURE_GCS_DEFAULT` was | ||
| defined). |
There was a problem hiding this comment.
The final sentence here is a bit weird and I'm not sure what exactly it's saying. I think what it's saying is that "GCS enabled implies GCS available", i.e. if you have if (__chkfeat(_CHKFEAT_GCS)) { } then you know GCS must be available inside that block, or perhaps the other way around that if you know GCS isn't available then you know __chkfeat(_CHKFEAT_GCS) will never return true.
There was a problem hiding this comment.
yeah this should be worded better, or removed.
i was trying to point out that the runtime will only enable GCS if all code is built with GCS support, so if __chkfeat check returns true, that implies __ARM_FEATURE_GCS_DEFAULT, no need to check that separately.
|
LGTM. |
main/acle.md
Outdated
|
|
||
| `__ARM_FEATURE_GCS_DEFAULT` is defined to `1` if the code generation is | ||
| compatible with enabling the Guarded Control Stack (GCS) extension based | ||
| protection. It is undefined otherwise. |
There was a problem hiding this comment.
| protection. It is undefined otherwise. | |
| protection. It is undefined otherwise. |
main/acle.md
Outdated
| protection. It is undefined otherwise. | ||
|
|
||
| `__ARM_FEATURE_GCS` is defined to `1` if the Guarded Control Stack (GCS) | ||
| extension is available on the target. It is undefined otherwise. |
There was a problem hiding this comment.
| extension is available on the target. It is undefined otherwise. | |
| extension is available on the target. It is undefined otherwise. |
This adds intrinsics defined in ARM-software/acle#260 Doing this requires some changes to the GCS instruction definitions, as these intrinsics make use of how some instructions don't modify the input register when GCS is disabled, and they need to be correctly marked with mayLoad/mayStore/hasSideEffects for instruction selection to work.
This adds intrinsics defined in ARM-software/acle#260 Doing this requires some changes to the GCS instruction definitions, as these intrinsics make use of how some instructions don't modify the input register when GCS is disabled, and they need to be correctly marked with mayLoad/mayStore/hasSideEffects for instruction selection to work.
This adds intrinsics defined in ARM-software/acle#260 Doing this requires some changes to the GCS instruction definitions, as these intrinsics make use of how some instructions don't modify the input register when GCS is disabled, and they need to be correctly marked with mayLoad/mayStore/hasSideEffects for instruction selection to work.
|
Regarding the return type of In a nutshell, the GCS pointer can be writeable in certain situations: via stack switch operation or via the |
name: Pull request
about: Technical issues, document format problems, bugs in scripts or feature proposal.
Thank you for submitting a pull request!
If this PR is about a bugfix:
Please use the bugfix label and make sure to go through the checklist below.
If this PR is about a proposal:
We are looking forward to evaluate your proposal, and if possible to
make it part of the Arm C Language Extension (ACLE) specifications.
We would like to encourage you reading through the contribution
guidelines, in particular the section on submitting
a proposal.
Please use the proposal label.
As for any pull request, please make sure to go through the below
checklist.
Checklist: (mark with
Xthose which apply)PR (do not bother creating the issue if all you want to do is
fixing the bug yourself).
SPDX-FileCopyrightTextlines on topof any file I have edited. Format is
SPDX-FileCopyrightText: Copyright {year} {entity or name} <{contact informations}>(Please update existing copyright lines if applicable. You can
specify year ranges with hyphen , as in
2017-2019, and usecommas to separate gaps, as in
2018-2020, 2022).Copyrightsection of the sources of thespecification I have edited (this will show up in the text
rendered in the PDF and other output format supported). The
format is the same described in the previous item.
tricky to set up on non-*nix machines). The sequence can be
found in the contribution
guidelines. Don't
worry if you cannot run these scripts on your machine, your
patch will be automatically checked in the Actions of the pull
request.
introduced in this PR in the section Changes for next
release of the section Change Control/Document history
of the document. Create Changes for next release if it does
not exist. Notice that changes that are not modifying the
content and rendering of the specifications (both HTML and PDF)
do not need to be listed.
correctness of the result in the PDF output (please refer to the
instructions on how to build the PDFs
locally).
draftversionis set totruein the YAML headerof the sources of the specifications I have modified.
in the README page of the project.