-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
riscv64imac: allow shadow call stack sanitizer #129316
Conversation
r? @nnethercote rustbot has assigned @nnethercote. Use |
Some context: on aarch64 there is a requirement to pass the See #128348 for the equivalent aarch64 change. |
For SCS RISC-V needs |
I don't believe rustc has a nob for that. I've only ever seen it on linkers. It doesn't sound like there's anything we can do about it right now? |
Yeah, I'm not all that surprised. But it does probably make sense to warn i they're used together to compile the same crate/module/TU. Not a problem this patch needs to solve today (I don't even think we do that in |
Actualy, I'd suggest rewriting the bulk of the shadow stack documentation to more closely align w/ what's in LLVM: https://clang.llvm.org/docs/ShadowCallStack.html#id6. Before we added RISC-V support, our docs were also very Aarch64 centric, and it seems like the Rust versions were closely following the old version. I'd also suggest that at least some of the descriptions in the |
No worries @ilovepi I can help with moving the documentation. I will put it up later and see if we have time next week to walk it through. 👍 There is a |
Let's mention the target in I would be happy to commit to making sure that updating the documentation happens, but I won't have time this week or next week. Would that work for you? |
Agreed that the extra documentation shouldn’t be a blocker on this. @dingxiangfei2009 @Darksonn Thanks for taking the lead on those updates 😄. Let me know if you’d like feedback, as I’m happy to help. |
b4deea8
to
31c70df
Compare
Some changes occurred in src/doc/unstable-book/src/compiler-flags/sanitizer.md cc @rust-lang/project-exploit-mitigations, @rcvalle These commits modify compiler targets. |
I need a bit more time to write a test. Let us move ahead and tweak the wording first. |
For the test it looks like you could just copy |
31c70df
to
133044e
Compare
Some changes occurred in tests/codegen/sanitizer cc @rust-lang/project-exploit-mitigations, @rcvalle |
@rustbot ready
|
To that end, implementation of this sanitizer requires reservation of one of the registers on the target platform. | ||
Software support from the operating system and runtime may be required depending on the target platform which is detailed in the remaining section. | ||
See the [Clang ShadowCallStack documentation][clang-scs] for more details. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current phrasing makes it sound like you could reserve any register and tell the compiler. Maybe something that's a mix of the old and new version would make that less ambiguous?
To that end, implementation of this sanitizer requires reservation of one of the registers on the target platform. | |
Software support from the operating system and runtime may be required depending on the target platform which is detailed in the remaining section. | |
See the [Clang ShadowCallStack documentation][clang-scs] for more details. | |
The ShadowCallStack (SCS) requires that the platform reserves a register that could be used for the SCS. Aarch64 and RISC-V both have a platform register defined in their ABIs, which can optionally be reserved for this purpose (X18 and X3/GP respectively). Software support from the operating system and runtime may be required depending on the target platform which is detailed in the remaining section. | |
See the [Clang ShadowCallStack documentation][clang-scs] for more details. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Applied. The wording about the register reservation was indeed a bit ambiguous.
The following targets support ShadowCallStack. | ||
|
||
* `riscv64imac-unknown-none-elf` | ||
* `riscv64gc-unknown-none-elf` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you could include Fuchsia here as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added
ShadowCallStack requires on this platform ABI reservation of the register `x18` as the instrumentation makes use of this register. | ||
When `x18` is not reserved on the target AArch64 platform and is availabe as a scratch register, enabling ShadowCallStack leds to undefined behaviour. | ||
In other words, code that is calling into or called by functions instrumented with ShadowCallStack must reserve the `x18` register or preserve its value. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ShadowCallStack requires on this platform ABI reservation of the register `x18` as the instrumentation makes use of this register. | |
When `x18` is not reserved on the target AArch64 platform and is availabe as a scratch register, enabling ShadowCallStack leds to undefined behaviour. | |
In other words, code that is calling into or called by functions instrumented with ShadowCallStack must reserve the `x18` register or preserve its value. | |
ShadowCallStack requires the use of the ABI defined platform register, `x18`, which is required for code generation purposes. | |
When `x18` is not reserved, and is instead used as a scratch register, enabling ShadowCallStack would lead to undefined behavior, due to corruption of the return addresses on the SCS or through clobbering the SCS register. | |
In other words, code that is calling into or called by functions instrumented with ShadowCallStack must reserve the `x18` register or preserve its value. |
WDYT of this phrasing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Applied with additional explanation on the source of UB.
#[lang = "sized"] | ||
trait Sized {} | ||
|
||
// CHECK: ; Function Attrs:{{.*}}shadowcallstack |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You probably want a check line for the definition of foo
and the attribute #0
to match up w/ the check below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added. Now the test is matching foo
with #0
attribute.
133044e
to
930c043
Compare
@rustbot ready
|
@ilovepi: if you are satisfied with the latest version, then I am happy to r+ it. |
LGTM. Depending on how complete you want the target info, Fuchsia also supports scs on Aarch64. Not a blocker in my opinion so feel free to land as is. |
@dingxiangfei2009: I will delegate-approve this so you can make that change if you like, and then approve this yourself. @bors delegate=dingxiangfei2009 |
✌️ @dingxiangfei2009, you can now approve this pull request! If @nnethercote told you to " |
930c043
to
9c29b33
Compare
@ilovepi I added the AArch64 Fuchsia and went through the docs again. 🚀 |
…llaumeGomez Rollup of 7 pull requests Successful merges: - rust-lang#123940 (debug-fmt-detail option) - rust-lang#128166 (Improved `checked_isqrt` and `isqrt` methods) - rust-lang#128970 (Add `-Zlint-llvm-ir`) - rust-lang#129316 (riscv64imac: allow shadow call stack sanitizer) - rust-lang#129690 (Add `needs-unwind` compiletest directive to `libtest-thread-limit` and replace some `Path` with `path` in `run-make`) - rust-lang#129732 (Add `unreachable_pub`, round 3) - rust-lang#129743 (Fix rustdoc clippy lints) r? `@ghost` `@rustbot` modify labels: rollup
…llaumeGomez Rollup of 7 pull requests Successful merges: - rust-lang#123940 (debug-fmt-detail option) - rust-lang#128166 (Improved `checked_isqrt` and `isqrt` methods) - rust-lang#128970 (Add `-Zlint-llvm-ir`) - rust-lang#129316 (riscv64imac: allow shadow call stack sanitizer) - rust-lang#129690 (Add `needs-unwind` compiletest directive to `libtest-thread-limit` and replace some `Path` with `path` in `run-make`) - rust-lang#129732 (Add `unreachable_pub`, round 3) - rust-lang#129743 (Fix rustdoc clippy lints) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#129316 - dingxiangfei2009:riscv64-imac-scs, r=nnethercote riscv64imac: allow shadow call stack sanitizer cc `@Darksonn` for shadow call stack sanitizer support on RV64IMAC and RV64GC
cc @Darksonn for shadow call stack sanitizer support on RV64IMAC and RV64GC