GCS ACLE #364
Merged
GCS ACLE #364
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The only difference compared to #260 is use of non-const type for GCS pointer (an relevant change in wording). |
main/design_documents/gcs.md
Outdated
| at compile time if (1) is true which can be feature tested. With (C) | ||
| there is no obvious feature test for the presence of the intrinsics. | ||
|
|
||
| The future direction is to make intrinsics available unconditionally |
There was a problem hiding this comment.
This is how other intrinsics are defined already in practice (gcc, clang at least)
Macro just there to indicate to the user the availability of the intrinsics.
There was a problem hiding this comment.
Thank you for clarification. I've changed the wording, let me know if it's better now.
DanielKristofKiss
approved these changes
Nov 25, 2024
Co-authored-by: Yury Khrustalev <yury.khrustalev@arm.com>
yury-khrustalev
force-pushed
the
gcs
branch
2 times, most recently
from
70ac9c6 to
a6e18dd
Compare
Co-authored-by: Yury Khrustalev <yury.khrustalev@arm.com>
|
LGTM |
philgee-oss
reviewed
Feb 18, 2025
| @@ -1713,6 +1713,15 @@ mechanisms such as function attributes. | |||
| Pointer Authentication extension (FEAT_PAuth_LR) are available on the target. | |||
| It is undefined otherwise. | |||
|
|
|||
| ### Guarded Control Stack | |||
|
|
|||
| `__ARM_FEATURE_GCS_DEFAULT` is defined to `1` if the code generation is | |||
|
|
||
| Checks for hardware features at runtime using the CHKFEAT hint instruction. | ||
| `__chkfeat` returns a bitmask where a bit is set if the same bit in the | ||
| input argument is set and the corresponding feature is enabled. (Note: for |
There was a problem hiding this comment.
Don't embed notes in a paragraph. Put the note after the table.
| @@ -4820,6 +4844,60 @@ two pointers, ignoring the tags. | |||
| The return value is the sign-extended result of the computation. | |||
| The tag bits in the input pointers are ignored for this operation. | |||
|
|
|||
| # Guarded Control Stack intrinsics | |||
|
|
|||
| ## Introduction | |||
| Guarded Control Stack (GCS) extension. The GCS instructions are present | ||
| in the AArch64 execution state only. | ||
|
|
||
| When GCS protection is enabled then function calls also save the return |
|
|
||
| When GCS protection is enabled then function calls also save the return | ||
| address to a separate stack, the GCS, that is checked against the actual | ||
| return address when the function returns. At runtime GCS protection can |
|
|
||
| Simplest is (A), but it does not allow asynchronously disabling GCS, | ||
| for that at least (B) is needed since the intrinsics must do something | ||
| reasonable if GCS is disabled. Asynchronous disable is e.g. needed to |
|
|
||
| (C) is similar to (B) but allows using the intrinsics even if GCS is | ||
| guaranteed to be disabled. The intrinsics are expected to be used | ||
| behind runtime check for (3) since they don't do anything useful |
| at compile time if (1) is true which can be feature tested. With (C) | ||
| there is no obvious feature test for the presence of the intrinsics. | ||
|
|
||
| Since intrinsics are available unconditionally and runtime checks |
| The type of the intrinsics is based on the `void *` GCS pointer | ||
| type and `uint64_t` GCS entry type. The GCS pointer could be | ||
| `uint64_t *`, but void is more general in that it allows | ||
| different access to the GCS (e.g. accessing entries as pointers or |
There was a problem hiding this comment.
GCS, for example, accessing entries as pointers or
bytes.
| type and `uint64_t` GCS entry type. The GCS pointer could be | ||
| `uint64_t *`, but void is more general in that it allows | ||
| different access to the GCS (e.g. accessing entries as pointers or | ||
| bytes). A GCS entry is usually a code pointer, but the architecture |
There was a problem hiding this comment.
A GCS entry is usually a code pointer. However, the architecture
requires it to be 8 bytes, even with ILP32, and it might be a special
token that requires bit operations to detect. Therefore, fixed width
unsigned int type is the most appropriate.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is to continue discussion started in #260.
name: Pull request
about: Technical issues, document format problems, bugs in scripts or feature proposal.