Message ID | 72418e98-a400-c503-e8ce-c3fbe1ecc4a7@foss.arm.com |
---|---|
State | New |
Headers | show |
On Fri, Nov 11, 2016 at 06:21:48PM +0000, Jiong Wang wrote: > This patch introduces three AARCH64 private DWARF operations in vendor extension > space. > > DW_OP_AARCH64_pauth 0xea > === > Takes one unsigned LEB 128 Pointer Authentication Description. Bits [3:0] of > the description contain the Authentication Action Code. All unused bits are > initialized to 0. The operation then proceeds according to the value of the > action code as described in the Action Code Table. > > DW_OP_AARCH64_paciasp 0xeb > === > Authenticates the contents in X30/LR register as per A key for instruction > pointer using current CFA as salt. The result is pushed onto the stack. > > DW_OP_AARCH64_paciasp_deref 0xec > === > Takes one signed LEB128 offset and retrieves 8-byte contents from the address > calculated by CFA plus this offset, the contents then authenticated as per A > key for instruction pointer using current CFA as salt. The result is pushed > onto the stack. I'd like to point out that especially the vendor range of DW_OP_* is extremely scarce resource, we have only a couple of unused values, so taking 3 out of the remaining unused 12 for a single architecture is IMHO too much. Can't you use just a single opcode and encode which of the 3 operations it is in say the low 2 bits of a LEB 128 operand? We'll likely need to do RSN some multiplexing even for the generic GNU opcodes if we need just a few further ones (say 0xff as an extension, followed by uleb128 containing the opcode - 0xff). In the non-vendor area we still have 54 values left, so there is more space for future expansion. Jakub
On 11/11/16 19:38, Jakub Jelinek wrote: > On Fri, Nov 11, 2016 at 06:21:48PM +0000, Jiong Wang wrote: >> This patch introduces three AARCH64 private DWARF operations in vendor extension >> space. >> >> DW_OP_AARCH64_pauth 0xea >> === >> Takes one unsigned LEB 128 Pointer Authentication Description. Bits [3:0] of >> the description contain the Authentication Action Code. All unused bits are >> initialized to 0. The operation then proceeds according to the value of the >> action code as described in the Action Code Table. >> >> DW_OP_AARCH64_paciasp 0xeb >> === >> Authenticates the contents in X30/LR register as per A key for instruction >> pointer using current CFA as salt. The result is pushed onto the stack. >> >> DW_OP_AARCH64_paciasp_deref 0xec >> === >> Takes one signed LEB128 offset and retrieves 8-byte contents from the address >> calculated by CFA plus this offset, the contents then authenticated as per A >> key for instruction pointer using current CFA as salt. The result is pushed >> onto the stack. > I'd like to point out that especially the vendor range of DW_OP_* is > extremely scarce resource, we have only a couple of unused values, so taking > 3 out of the remaining unused 12 for a single architecture is IMHO too much. > Can't you use just a single opcode and encode which of the 3 operations it is > in say the low 2 bits of a LEB 128 operand? > We'll likely need to do RSN some multiplexing even for the generic GNU > opcodes if we need just a few further ones (say 0xff as an extension, > followed by uleb128 containing the opcode - 0xff). > In the non-vendor area we still have 54 values left, so there is more space > for future expansion. > > Jakub Seperate DWARF operations are introduced instead of combining all of them into one are mostly because these operations are going to be used for most of the functions once return address signing are enabled, and they are used for describing frame unwinding that they will go into unwind table for C++ program or C program compiled with -fexceptions, the impact on unwind table size is significant. So I was trying to lower the unwind table size overhead as much as I can. IMHO, three numbers actually is not that much for one architecture in DWARF operation vendor extension space as vendors can overlap with each other. The only painful thing from my understand is there are platform vendors, for example "GNU" and "LLVM" etc, for which architecture vendor can't overlap with. In include/dwarf2.def, I saw DW_OP_GNU* has reserved 13, DW_OP_HP* has reserved 7 and DW_OP_PGI has reserved 1. So for an alternative approach, can these AArch64 extensions overlap and reuse those numbers reserved for DW_OP_HP* ? for example 0xe4, 0xe5, 0xe6. I am even thinking GNU toolchain makes the 8 numbers reserved by existed DW_OP_HP* and DW_OP_SGI* as architecture vendor area and allow multiplexing on them for different architectures. This may offer more flexibilities for architecture vendors. Under current code base, my search shows the overlap should be safe inside GCC/GDB and we only needs minor disassemble tweak in Binutils. Thanks. Regards, Jiong
On Tue, Nov 15, 2016 at 04:00:40PM +0000, Jiong Wang wrote: > >> Takes one signed LEB128 offset and retrieves 8-byte contents from the address > >> calculated by CFA plus this offset, the contents then authenticated as per A > >> key for instruction pointer using current CFA as salt. The result is pushed > >> onto the stack. > >I'd like to point out that especially the vendor range of DW_OP_* is > >extremely scarce resource, we have only a couple of unused values, so taking > >3 out of the remaining unused 12 for a single architecture is IMHO too much. > >Can't you use just a single opcode and encode which of the 3 operations it is > >in say the low 2 bits of a LEB 128 operand? > >We'll likely need to do RSN some multiplexing even for the generic GNU > >opcodes if we need just a few further ones (say 0xff as an extension, > >followed by uleb128 containing the opcode - 0xff). > >In the non-vendor area we still have 54 values left, so there is more space > >for future expansion. > > Seperate DWARF operations are introduced instead of combining all of them into > one are mostly because these operations are going to be used for most of the > functions once return address signing are enabled, and they are used for > describing frame unwinding that they will go into unwind table for C++ program > or C program compiled with -fexceptions, the impact on unwind table size is > significant. So I was trying to lower the unwind table size overhead as much as > I can. > > IMHO, three numbers actually is not that much for one architecture in DWARF > operation vendor extension space as vendors can overlap with each other. The > only painful thing from my understand is there are platform vendors, for example > "GNU" and "LLVM" etc, for which architecture vendor can't overlap with. For DW_OP_*, there aren't two vendor ranges like e.g. in ELF, there is just one range, so ideally the opcodes would be unique everywhere, if not, there is just a single GNU vendor, there is no separate range for Aarch64, that can overlap with range for x86_64, and powerpc, etc. Perhaps we could declare that certain opcode subrange for the GNU vendor is architecture specific and document that the meaning of opcodes in that range and count/encoding of their arguments depends on the architecture, but then we should document how to figure out the architecture too (e.g. for ELF base it on the containing EM_*). All the tools that look at DWARF (readelf, objdump, eu-readelf, libdw, libunwind, gdb, dwz, ...) would need to agree on that though. I know nothing about the aarch64 return address signing, would all 3 or say 2 usually appear together without any separate pc advance, or are they all going to appear frequently and at different pcs? Perhaps if there is just 1 opcode and has all the info encoded just in one bigger uleb128 or something similar... Jakub
On 15/11/16 16:18, Jakub Jelinek wrote: > On Tue, Nov 15, 2016 at 04:00:40PM +0000, Jiong Wang wrote: >>>> Takes one signed LEB128 offset and retrieves 8-byte contents from the address >>>> calculated by CFA plus this offset, the contents then authenticated as per A >>>> key for instruction pointer using current CFA as salt. The result is pushed >>>> onto the stack. >>> I'd like to point out that especially the vendor range of DW_OP_* is >>> extremely scarce resource, we have only a couple of unused values, so taking >>> 3 out of the remaining unused 12 for a single architecture is IMHO too much. >>> Can't you use just a single opcode and encode which of the 3 operations it is >>> in say the low 2 bits of a LEB 128 operand? >>> We'll likely need to do RSN some multiplexing even for the generic GNU >>> opcodes if we need just a few further ones (say 0xff as an extension, >>> followed by uleb128 containing the opcode - 0xff). >>> In the non-vendor area we still have 54 values left, so there is more space >>> for future expansion. >> Seperate DWARF operations are introduced instead of combining all of them into >> one are mostly because these operations are going to be used for most of the >> functions once return address signing are enabled, and they are used for >> describing frame unwinding that they will go into unwind table for C++ program >> or C program compiled with -fexceptions, the impact on unwind table size is >> significant. So I was trying to lower the unwind table size overhead as much as >> I can. >> >> IMHO, three numbers actually is not that much for one architecture in DWARF >> operation vendor extension space as vendors can overlap with each other. The >> only painful thing from my understand is there are platform vendors, for example >> "GNU" and "LLVM" etc, for which architecture vendor can't overlap with. > For DW_OP_*, there aren't two vendor ranges like e.g. in ELF, there is just > one range, so ideally the opcodes would be unique everywhere, if not, there > is just a single GNU vendor, there is no separate range for Aarch64, that > can overlap with range for x86_64, and powerpc, etc. > > Perhaps we could declare that certain opcode subrange for the GNU vendor is > architecture specific and document that the meaning of opcodes in that range > and count/encoding of their arguments depends on the architecture, but then > we should document how to figure out the architecture too (e.g. for ELF > base it on the containing EM_*). All the tools that look at DWARF (readelf, > objdump, eu-readelf, libdw, libunwind, gdb, dwz, ...) would need to agree on that > though. > > I know nothing about the aarch64 return address signing, would all 3 or say > 2 usually appear together without any separate pc advance, or are they all > going to appear frequently and at different pcs? I think it's the latter, the DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref are going to appear frequently and at different pcs. For example, the following function prologue, there are three instructions at 0x0, 0x4, 0x8. After the first instruction at 0x0, LR/X30 will be mangled. The "paciasp" always mangle LR register using SP as salt and write back the value into LR. We then generate DW_OP_AARCH64_paciasp to notify any unwinder that the original LR is mangled in this way so they can unwind the original value properly. After the second instruction at 0x4, The mangled value of LR/X30 will be pushed on to stack, unlike usual .cfi_offset, the unwind rule for LR/X30 becomes: first fetch the mangled value from stack offset -16, then do whatever to restore the original value from the mangled value. This is represented by (DW_OP_AARCH64_paciasp_deref, offset). .cfi_startproc 0x0 paciasp (this instruction sign return address register LR/X30) .cfi_val_expression 30, DW_OP_AARCH64_paciasp 0x4 stp x29, x30, [sp, -32]! .cfi_val_expression 30, DW_OP_AARCH64_paciasp_deref, -16 .cfi_offset 29, -32 .cfi_def_cfa_offset 32 0x8 add x29, sp, 0 > Perhaps if there is just 1 > opcode and has all the info encoded just in one bigger uleb128 or something > similar...
On 15/11/16 16:18, Jakub Jelinek wrote: > On Tue, Nov 15, 2016 at 04:00:40PM +0000, Jiong Wang wrote: >>>> Takes one signed LEB128 offset and retrieves 8-byte contents from the address >>>> calculated by CFA plus this offset, the contents then authenticated as per A >>>> key for instruction pointer using current CFA as salt. The result is pushed >>>> onto the stack. >>> I'd like to point out that especially the vendor range of DW_OP_* is >>> extremely scarce resource, we have only a couple of unused values, so taking >>> 3 out of the remaining unused 12 for a single architecture is IMHO too much. >>> Can't you use just a single opcode and encode which of the 3 operations it is >>> in say the low 2 bits of a LEB 128 operand? >>> We'll likely need to do RSN some multiplexing even for the generic GNU >>> opcodes if we need just a few further ones (say 0xff as an extension, >>> followed by uleb128 containing the opcode - 0xff). >>> In the non-vendor area we still have 54 values left, so there is more space >>> for future expansion. >> Seperate DWARF operations are introduced instead of combining all of them into >> one are mostly because these operations are going to be used for most of the >> functions once return address signing are enabled, and they are used for >> describing frame unwinding that they will go into unwind table for C++ program >> or C program compiled with -fexceptions, the impact on unwind table size is >> significant. So I was trying to lower the unwind table size overhead as much as >> I can. >> >> IMHO, three numbers actually is not that much for one architecture in DWARF >> operation vendor extension space as vendors can overlap with each other. The >> only painful thing from my understand is there are platform vendors, for example >> "GNU" and "LLVM" etc, for which architecture vendor can't overlap with. > For DW_OP_*, there aren't two vendor ranges like e.g. in ELF, there is just > one range, so ideally the opcodes would be unique everywhere, if not, there > is just a single GNU vendor, there is no separate range for Aarch64, that > can overlap with range for x86_64, and powerpc, etc. > > Perhaps we could declare that certain opcode subrange for the GNU vendor is > architecture specific and document that the meaning of opcodes in that range > and count/encoding of their arguments depends on the architecture, but then > we should document how to figure out the architecture too (e.g. for ELF > base it on the containing EM_*). All the tools that look at DWARF (readelf, > objdump, eu-readelf, libdw, libunwind, gdb, dwz, ...) would need to agree on that > though. > > I know nothing about the aarch64 return address signing, would all 3 or say > 2 usually appear together without any separate pc advance, or are they all > going to appear frequently and at different pcs? I think it's the latter, the DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref are going to appear frequently and at different pcs. For example, the following function prologue, there are three instructions at 0x0, 0x4, 0x8. After the first instruction at 0x0, LR/X30 will be mangled. The "paciasp" always mangle LR register using SP as salt and write back the value into LR. We then generate DW_OP_AARCH64_paciasp to notify any unwinder that the original LR is mangled in this way so they can unwind the original value properly. After the second instruction at 0x4, The mangled value of LR/X30 will be pushed on to stack, unlike usual .cfi_offset, the unwind rule for LR/X30 becomes: first fetch the mangled value from stack offset -16, then do whatever to restore the original value from the mangled value. This is represented by (DW_OP_AARCH64_paciasp_deref, offset). .cfi_startproc 0x0 paciasp (this instruction sign return address register LR/X30) .cfi_val_expression 30, DW_OP_AARCH64_paciasp 0x4 stp x29, x30, [sp, -32]! .cfi_val_expression 30, DW_OP_AARCH64_paciasp_deref, -16 .cfi_offset 29, -32 .cfi_def_cfa_offset 32 0x8 add x29, sp, 0 > Perhaps if there is just 1 > opcode and has all the info encoded just in one bigger uleb128 or something > similar... > > Jakub
On 15/11/16 16:48, Jiong Wang wrote: > > > On 15/11/16 16:18, Jakub Jelinek wrote: >> On Tue, Nov 15, 2016 at 04:00:40PM +0000, Jiong Wang wrote: >>>>> Takes one signed LEB128 offset and retrieves 8-byte contents >>>>> from the address >>>>> calculated by CFA plus this offset, the contents then >>>>> authenticated as per A >>>>> key for instruction pointer using current CFA as salt. The >>>>> result is pushed >>>>> onto the stack. >>>> I'd like to point out that especially the vendor range of DW_OP_* is >>>> extremely scarce resource, we have only a couple of unused values, >>>> so taking >>>> 3 out of the remaining unused 12 for a single architecture is IMHO >>>> too much. >>>> Can't you use just a single opcode and encode which of the 3 >>>> operations it is >>>> in say the low 2 bits of a LEB 128 operand? >>>> We'll likely need to do RSN some multiplexing even for the generic GNU >>>> opcodes if we need just a few further ones (say 0xff as an extension, >>>> followed by uleb128 containing the opcode - 0xff). >>>> In the non-vendor area we still have 54 values left, so there is >>>> more space >>>> for future expansion. >>> Seperate DWARF operations are introduced instead of combining all >>> of them into >>> one are mostly because these operations are going to be used for most >>> of the >>> functions once return address signing are enabled, and they are used for >>> describing frame unwinding that they will go into unwind table for >>> C++ program >>> or C program compiled with -fexceptions, the impact on unwind table >>> size is >>> significant. So I was trying to lower the unwind table size overhead >>> as much as >>> I can. >>> >>> IMHO, three numbers actually is not that much for one architecture >>> in DWARF >>> operation vendor extension space as vendors can overlap with each >>> other. The >>> only painful thing from my understand is there are platform vendors, >>> for example >>> "GNU" and "LLVM" etc, for which architecture vendor can't overlap with. >> For DW_OP_*, there aren't two vendor ranges like e.g. in ELF, there is >> just >> one range, so ideally the opcodes would be unique everywhere, if not, >> there >> is just a single GNU vendor, there is no separate range for Aarch64, that >> can overlap with range for x86_64, and powerpc, etc. >> >> Perhaps we could declare that certain opcode subrange for the GNU >> vendor is >> architecture specific and document that the meaning of opcodes in that >> range >> and count/encoding of their arguments depends on the architecture, but >> then >> we should document how to figure out the architecture too (e.g. for ELF >> base it on the containing EM_*). All the tools that look at DWARF >> (readelf, >> objdump, eu-readelf, libdw, libunwind, gdb, dwz, ...) would need to >> agree on that >> though. >> >> I know nothing about the aarch64 return address signing, would all 3 >> or say >> 2 usually appear together without any separate pc advance, or are they >> all >> going to appear frequently and at different pcs? > > I think it's the latter, the DW_OP_AARCH64_paciasp and > DW_OP_AARCH64_paciasp_deref are going to appear frequently and at > different pcs. > For example, the following function prologue, there are three > instructions > at 0x0, 0x4, 0x8. > > After the first instruction at 0x0, LR/X30 will be mangled. The > "paciasp" always > mangle LR register using SP as salt and write back the value into LR. > We then generate > DW_OP_AARCH64_paciasp to notify any unwinder that the original LR is > mangled in this > way so they can unwind the original value properly. > > After the second instruction at 0x4, The mangled value of LR/X30 will > be pushed on > to stack, unlike usual .cfi_offset, the unwind rule for LR/X30 becomes: > first fetch the > mangled value from stack offset -16, then do whatever to restore the > original value > from the mangled value. This is represented by > (DW_OP_AARCH64_paciasp_deref, offset). > > .cfi_startproc > 0x0 paciasp (this instruction sign return address register LR/X30) > .cfi_val_expression 30, DW_OP_AARCH64_paciasp > 0x4 stp x29, x30, [sp, -32]! > .cfi_val_expression 30, DW_OP_AARCH64_paciasp_deref, -16 > .cfi_offset 29, -32 > .cfi_def_cfa_offset 32 > 0x8 add x29, sp, 0 > Now I'm confused. I was thinking that we needed one opcode for the sign operation in the prologue and one for the unsign/validate operation in the epilogue (to support non-call exceptions. But why do we need a separate code to say that a previously signed value has now been pushed on the stack? Surely that's just a normal store operation that can be tracked through the unwinding state machine. I was expecting the third opcode to be needed for the special operations that are not frequently used by the compiler. R. >> Perhaps if there is just 1 >> opcode and has all the info encoded just in one bigger uleb128 or >> something >> similar... >
On 15/11/16 19:25, Richard Earnshaw (lists) wrote: > On 15/11/16 16:48, Jiong Wang wrote: >> On 15/11/16 16:18, Jakub Jelinek wrote: >>> I know nothing about the aarch64 return address signing, would all 3 >>> or say >>> 2 usually appear together without any separate pc advance, or are they >>> all >>> going to appear frequently and at different pcs? >> >> I think it's the latter, the DW_OP_AARCH64_paciasp and >> DW_OP_AARCH64_paciasp_deref are going to appear frequently and at >> different pcs. >> For example, the following function prologue, there are three >> instructions >> at 0x0, 0x4, 0x8. >> >> After the first instruction at 0x0, LR/X30 will be mangled. The >> "paciasp" always >> mangle LR register using SP as salt and write back the value into LR. >> We then generate >> DW_OP_AARCH64_paciasp to notify any unwinder that the original LR is >> mangled in this >> way so they can unwind the original value properly. >> >> After the second instruction at 0x4, The mangled value of LR/X30 will >> be pushed on >> to stack, unlike usual .cfi_offset, the unwind rule for LR/X30 becomes: >> first fetch the >> mangled value from stack offset -16, then do whatever to restore the >> original value >> from the mangled value. This is represented by >> (DW_OP_AARCH64_paciasp_deref, offset). >> >> .cfi_startproc >> 0x0 paciasp (this instruction sign return address register LR/X30) >> .cfi_val_expression 30, DW_OP_AARCH64_paciasp >> 0x4 stp x29, x30, [sp, -32]! >> .cfi_val_expression 30, DW_OP_AARCH64_paciasp_deref, -16 >> .cfi_offset 29, -32 >> .cfi_def_cfa_offset 32 >> 0x8 add x29, sp, 0 >> > > Now I'm confused. > > I was thinking that we needed one opcode for the sign operation in the > prologue and one for the unsign/validate operation in the epilogue (to > support non-call exceptions. IMO, non-call exceptions is fine, it looks to me doesn't need extra description as for non-call exceptions (exceptions thrown from signal handler) the key point is how to unwind across signal frame. For libgcc EH unwinder, when normal unwinding failed, it will fall back to architecture unwinding hook which restore some information from signal frame which is just on top of the signal handler's frame. I can see AArch64 implementation will setup return address column like the following logic where "sc->pc" is initialized by kernel and it's not signed therefore should sucess on further unwinding. fs->regs.reg[__LIBGCC_DWARF_ALT_FRAME_RETURN_COLUMN__].how = REG_SAVED_VAL_OFFSET; fs->regs.reg[__LIBGCC_DWARF_ALT_FRAME_RETURN_COLUMN__].loc.offset = (_Unwind_Ptr) (sc->pc) - new_cfa; > But why do we need a separate code to say > that a previously signed value has now been pushed on the stack? Surely > that's just a normal store operation that can be tracked through the > unwinding state machine. I was thinking the same thing, but found it doesn't work. My understanding of frame unwinding described at DWARF specification is: there are two steps for frame unwinding. The first step is to calculate register restore rules. Unwinder scans register rules from function start to the unwinding PC, one rule will be *overridden* by the next for the same register, there is *no inheritance*. The second step is then to evaluate all the final rules collected at the unwinding PC. According to the rule, either fetch the value from stack or evaluate the value on DWARF expression stack etc. I also had tried to modify ".cfi_val_expression" at offset 0x4 in above example into ".cfi_offset 30, -24", libgcc EH unwinder just doesn't work. > > I was expecting the third opcode to be needed for the special operations > that are not frequently used by the compiler. The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were designed as shortcut operations when LR is signed with A key and using function's CFA as salt. This is the default behaviour of return address signing so is expected to be used for most of the time. DW_OP_AARCH64_pauth is designed as a generic operation that allow describing pointer signing on any value using any salt and key in case we can't use the shortcut operations we can use this.
On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote: > The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were > designed as shortcut operations when LR is signed with A key and using > function's CFA as salt. This is the default behaviour of return address > signing so is expected to be used for most of the time. DW_OP_AARCH64_pauth > is designed as a generic operation that allow describing pointer signing on > any value using any salt and key in case we can't use the shortcut operations > we can use this. I admit to not fully understand the salting/keying involved. But given that the DW_OP space is really tiny, so we would like to not eat up too many of them for new opcodes. And given that introducing any new DW_OPs using for CFI unwinding will break any unwinder anyway causing us to update them all for this new feature. Have you thought about using a new CIE augmentation string character for describing that the return address/link register used by a function/frame is salted/keyed? This seems a good description of CIE records and augmentation characters: http://www.airs.com/blog/archives/460 It obviously also involves updating all unwinders to understand the new augmentation character (and possible arguments). But it might be more generic and saves us from using up too many DW_OPs. Cheers, Mark
On Wed, Nov 16, 2016 at 02:54:56PM +0100, Mark Wielaard wrote: > On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote: > > The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were > > designed as shortcut operations when LR is signed with A key and using > > function's CFA as salt. This is the default behaviour of return address > > signing so is expected to be used for most of the time. DW_OP_AARCH64_pauth > > is designed as a generic operation that allow describing pointer signing on > > any value using any salt and key in case we can't use the shortcut operations > > we can use this. > > I admit to not fully understand the salting/keying involved. But given > that the DW_OP space is really tiny, so we would like to not eat up too > many of them for new opcodes. And given that introducing any new DW_OPs > using for CFI unwinding will break any unwinder anyway causing us to > update them all for this new feature. Have you thought about using a new > CIE augmentation string character for describing that the return > address/link register used by a function/frame is salted/keyed? > > This seems a good description of CIE records and augmentation > characters: http://www.airs.com/blog/archives/460 > > It obviously also involves updating all unwinders to understand the new > augmentation character (and possible arguments). But it might be more > generic and saves us from using up too many DW_OPs. From what I understood, the return address is not always scrambled, so it doesn't apply to the whole function, just to most of it (except for an insn in the prologue and some in the epilogue). So I think one op is needed. But can't it be just a toggable flag whether the return address is scrambled + some arguments to it? Thus DW_OP_AARCH64_scramble .uleb128 0 would mean that the default way of scrambling starts here (if not already active) or any kind of scrambling ends here (if already active), and DW_OP_AARCH64_scramble .uleb128 non-zero would be whatever encoding you need to represent details of the less common variants with details what to do. Then you'd just hook through some MD_* macro in the unwinder the descrambling operation if the scrambling is active at the insns you unwind on. Jakub
How about if instead of special DW_OP codes, you instead define a new virtual register that contains the mangled return address? If the rule for that virtual register is anything other than DW_CFA_undefined, you'd expect to find the mangled return address using that rule; otherwise, you would use the rule for LR instead and expect an unmangled return address. The earlier example would become (picking an arbitrary value of 120 for the new virtual register number): .cfi_startproc 0x0 paciasp (this instruction sign return address register LR/X30) .cfi_val 120, DW_OP_reg30 0x4 stp x29, x30, [sp, -32]! .cfi_offset 120, -16 .cfi_offset 29, -32 .cfi_def_cfa_offset 32 0x8 add x29, sp, 0 Just a suggestion... -cary On Wed, Nov 16, 2016 at 6:02 AM, Jakub Jelinek <jakub@redhat.com> wrote: > On Wed, Nov 16, 2016 at 02:54:56PM +0100, Mark Wielaard wrote: >> On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote: >> > The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were >> > designed as shortcut operations when LR is signed with A key and using >> > function's CFA as salt. This is the default behaviour of return address >> > signing so is expected to be used for most of the time. DW_OP_AARCH64_pauth >> > is designed as a generic operation that allow describing pointer signing on >> > any value using any salt and key in case we can't use the shortcut operations >> > we can use this. >> >> I admit to not fully understand the salting/keying involved. But given >> that the DW_OP space is really tiny, so we would like to not eat up too >> many of them for new opcodes. And given that introducing any new DW_OPs >> using for CFI unwinding will break any unwinder anyway causing us to >> update them all for this new feature. Have you thought about using a new >> CIE augmentation string character for describing that the return >> address/link register used by a function/frame is salted/keyed? >> >> This seems a good description of CIE records and augmentation >> characters: http://www.airs.com/blog/archives/460 >> >> It obviously also involves updating all unwinders to understand the new >> augmentation character (and possible arguments). But it might be more >> generic and saves us from using up too many DW_OPs. > > From what I understood, the return address is not always scrambled, so > it doesn't apply to the whole function, just to most of it (except for > an insn in the prologue and some in the epilogue). So I think one op is > needed. But can't it be just a toggable flag whether the return address > is scrambled + some arguments to it? > Thus DW_OP_AARCH64_scramble .uleb128 0 would mean that the default > way of scrambling starts here (if not already active) or any kind of > scrambling ends here (if already active), and > DW_OP_AARCH64_scramble .uleb128 non-zero would be whatever encoding you need > to represent details of the less common variants with details what to do. > Then you'd just hook through some MD_* macro in the unwinder the > descrambling operation if the scrambling is active at the insns you unwind > on. > > Jakub
On 30/11/16 21:43, Cary Coutant wrote: > How about if instead of special DW_OP codes, you instead define a new > virtual register that contains the mangled return address? If the rule > for that virtual register is anything other than DW_CFA_undefined, > you'd expect to find the mangled return address using that rule; > otherwise, you would use the rule for LR instead and expect an > unmangled return address. The earlier example would become (picking an > arbitrary value of 120 for the new virtual register number): > > .cfi_startproc > 0x0 paciasp (this instruction sign return address register LR/X30) > .cfi_val 120, DW_OP_reg30 > 0x4 stp x29, x30, [sp, -32]! > .cfi_offset 120, -16 > .cfi_offset 29, -32 > .cfi_def_cfa_offset 32 > 0x8 add x29, sp, 0 > > Just a suggestion... What about signing other registers? And what if the value is then copied to another register? Don't you end up with every possible register (including the FP/SIMD registers) needing a shadow copy? R. > > -cary > > > On Wed, Nov 16, 2016 at 6:02 AM, Jakub Jelinek <jakub@redhat.com> wrote: >> On Wed, Nov 16, 2016 at 02:54:56PM +0100, Mark Wielaard wrote: >>> On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote: >>>> The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were >>>> designed as shortcut operations when LR is signed with A key and using >>>> function's CFA as salt. This is the default behaviour of return address >>>> signing so is expected to be used for most of the time. DW_OP_AARCH64_pauth >>>> is designed as a generic operation that allow describing pointer signing on >>>> any value using any salt and key in case we can't use the shortcut operations >>>> we can use this. >>> >>> I admit to not fully understand the salting/keying involved. But given >>> that the DW_OP space is really tiny, so we would like to not eat up too >>> many of them for new opcodes. And given that introducing any new DW_OPs >>> using for CFI unwinding will break any unwinder anyway causing us to >>> update them all for this new feature. Have you thought about using a new >>> CIE augmentation string character for describing that the return >>> address/link register used by a function/frame is salted/keyed? >>> >>> This seems a good description of CIE records and augmentation >>> characters: http://www.airs.com/blog/archives/460 >>> >>> It obviously also involves updating all unwinders to understand the new >>> augmentation character (and possible arguments). But it might be more >>> generic and saves us from using up too many DW_OPs. >> >> From what I understood, the return address is not always scrambled, so >> it doesn't apply to the whole function, just to most of it (except for >> an insn in the prologue and some in the epilogue). So I think one op is >> needed. But can't it be just a toggable flag whether the return address >> is scrambled + some arguments to it? >> Thus DW_OP_AARCH64_scramble .uleb128 0 would mean that the default >> way of scrambling starts here (if not already active) or any kind of >> scrambling ends here (if already active), and >> DW_OP_AARCH64_scramble .uleb128 non-zero would be whatever encoding you need >> to represent details of the less common variants with details what to do. >> Then you'd just hook through some MD_* macro in the unwinder the >> descrambling operation if the scrambling is active at the insns you unwind >> on. >> >> Jakub
On 01/12/16 10:42, Richard Earnshaw (lists) wrote: > On 30/11/16 21:43, Cary Coutant wrote: >> How about if instead of special DW_OP codes, you instead define a new >> virtual register that contains the mangled return address? If the rule >> for that virtual register is anything other than DW_CFA_undefined, >> you'd expect to find the mangled return address using that rule; >> otherwise, you would use the rule for LR instead and expect an >> unmangled return address. The earlier example would become (picking an >> arbitrary value of 120 for the new virtual register number): >> >> .cfi_startproc >> 0x0 paciasp (this instruction sign return address register LR/X30) >> .cfi_val 120, DW_OP_reg30 >> 0x4 stp x29, x30, [sp, -32]! >> .cfi_offset 120, -16 >> .cfi_offset 29, -32 >> .cfi_def_cfa_offset 32 >> 0x8 add x29, sp, 0 >> >> Just a suggestion... > What about signing other registers? And what if the value is then > copied to another register? Don't you end up with every possible > register (including the FP/SIMD registers) needing a shadow copy? Another issue is compared with the DW_CFA approach, this virtual register approach is less efficient on unwind table size and complexer to implement. .cfi_register takes two ULEB128 register number, it needs 3 bytes rather than DW_CFA's 1 byte. From example .debug_frame section size for linux kernel increment will be ~14% compared with DW_CFA approach's 5%. In the implementation, the prologue then normally will be .cfi_startproc 0x0 paciasp (this instruction sign return address register LR/X30) .cfi_val 120, DW_OP_reg30 <-A 0x4 stp x29, x30, [sp, -32]! .cfi_offset 120, -16 <-B .cfi_offset 29, -32 .cfi_def_cfa_offset 32 The epilogue normally will be ... ldp x29, x30, [sp], 32 .cfi_val 120, DW_OP_reg30 <- C .cfi_restore 29 .cfi_def_cfa 31, 0 autiasp (this instruction unsign LR/X30) .cfi_restore 30 For the virual register approach, GCC needs to track dwarf generation for LR/X30 in every place (A/B/C, maybe some other rare LR copy places), and rewrite LR to new virtual register accordingly. This seems easy, but my practice shows GCC won't do any DWARF auto-deduction if you have one explict DWARF CFI note attached to an insn (handled_one will be true in dwarf2out_frame_debug). So for instruction like stp/ldp, we then need to explicitly generate all three DWARF CFI note manually. While for DW_CFA approach, they will be: .cfi_startproc 0x0 paciasp (this instruction sign return address register LR/X30) .cfi_cfa_window_save 0x4 stp x29, x30, [sp, -32]! \ .cfi_offset 30, -16 | .cfi_offset 29, -32 | .cfi_def_cfa_offset 32 | all dwarf generation between sign and ... | unsign (paciasp/autiasp) is the same ldp x29, x30, [sp], 16 | as before .cfi_restore 30 | .cfi_restore 29 | .cfi_def_cfa 31, 0 | / autiasp (this instruction unsign LR/X30) .cfi_cfa_window_save The DWARF generation implementation in backend is very simple, nothing needs to be updated between sign and unsign instruction. For the impact on the unwinder, the virtual register approach needs to change the implementation of "save value" rule which is quite general code. A target hook might need for AArch64 that when the destination register is the special virtual register, it seems a little bit hack to me. >> -cary >> >> >> On Wed, Nov 16, 2016 at 6:02 AM, Jakub Jelinek <jakub@redhat.com> wrote: >>> On Wed, Nov 16, 2016 at 02:54:56PM +0100, Mark Wielaard wrote: >>>> On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote: >>>>> The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were >>>>> designed as shortcut operations when LR is signed with A key and using >>>>> function's CFA as salt. This is the default behaviour of return address >>>>> signing so is expected to be used for most of the time. DW_OP_AARCH64_pauth >>>>> is designed as a generic operation that allow describing pointer signing on >>>>> any value using any salt and key in case we can't use the shortcut operations >>>>> we can use this. >>>> I admit to not fully understand the salting/keying involved. But given >>>> that the DW_OP space is really tiny, so we would like to not eat up too >>>> many of them for new opcodes. And given that introducing any new DW_OPs >>>> using for CFI unwinding will break any unwinder anyway causing us to >>>> update them all for this new feature. Have you thought about using a new >>>> CIE augmentation string character for describing that the return >>>> address/link register used by a function/frame is salted/keyed? >>>> >>>> This seems a good description of CIE records and augmentation >>>> characters: http://www.airs.com/blog/archives/460 >>>> >>>> It obviously also involves updating all unwinders to understand the new >>>> augmentation character (and possible arguments). But it might be more >>>> generic and saves us from using up too many DW_OPs. >>> From what I understood, the return address is not always scrambled, so >>> it doesn't apply to the whole function, just to most of it (except for >>> an insn in the prologue and some in the epilogue). So I think one op is >>> needed. But can't it be just a toggable flag whether the return address >>> is scrambled + some arguments to it? >>> Thus DW_OP_AARCH64_scramble .uleb128 0 would mean that the default >>> way of scrambling starts here (if not already active) or any kind of >>> scrambling ends here (if already active), and >>> DW_OP_AARCH64_scramble .uleb128 non-zero would be whatever encoding you need >>> to represent details of the less common variants with details what to do. >>> Then you'd just hook through some MD_* macro in the unwinder the >>> descrambling operation if the scrambling is active at the insns you unwind >>> on. >>> >>> Jakub
> I'd like to point out that especially the vendor range of DW_OP_* is > extremely scarce resource, we have only a couple of unused values, so taking > 3 out of the remaining unused 12 for a single architecture is IMHO too much. > Can't you use just a single opcode and encode which of the 3 operations it is > in say the low 2 bits of a LEB 128 operand? > We'll likely need to do RSN some multiplexing even for the generic GNU > opcodes if we need just a few further ones (say 0xff as an extension, > followed by uleb128 containing the opcode - 0xff). > In the non-vendor area we still have 54 values left, so there is more space > for future expansion. Most of the Gnu extensions have been adopted into the standard as of DWARF 5: /* GNU extensions. */ DW_OP (DW_OP_GNU_push_tls_address, 0xe0) /* The following is for marking variables that are uninitialized. */ DW_OP (DW_OP_GNU_uninit, 0xf0) DW_OP (DW_OP_GNU_encoded_addr, 0xf1) /* The GNU implicit pointer extension. See http://www.dwarfstd.org/ShowIssue.php?issue=100831.1&type=open . */ DW_OP (DW_OP_GNU_implicit_pointer, 0xf2) /* The GNU entry value extension. See http://www.dwarfstd.org/ShowIssue.php?issue=100909.1&type=open . */ DW_OP (DW_OP_GNU_entry_value, 0xf3) /* The GNU typed stack extension. See http://www.dwarfstd.org/doc/040408.1.html . */ DW_OP (DW_OP_GNU_const_type, 0xf4) DW_OP (DW_OP_GNU_regval_type, 0xf5) DW_OP (DW_OP_GNU_deref_type, 0xf6) DW_OP (DW_OP_GNU_convert, 0xf7) DW_OP (DW_OP_GNU_reinterpret, 0xf9) /* The GNU parameter ref extension. */ DW_OP (DW_OP_GNU_parameter_ref, 0xfa) /* Extensions for Fission. See http://gcc.gnu.org/wiki/DebugFission. */ DW_OP (DW_OP_GNU_addr_index, 0xfb) DW_OP (DW_OP_GNU_const_index, 0xfc) Of these, I think only DW_OP_GNU_uninit and DW_OP_GNU_encoded_addr remain as Gnu extensions. The rest could be deprecated as of DWARF 5, and, if necessary, reused for other purposes in DWARF 6 and later. Depending on how aggressive we want to be with deprecation, we could even declare that they are available for reuse in DWARF 5 and later, as long as the Gnu toolchain uses only the new standard values when generating DWARF 5. That frees up 11 more opcodes. -cary
diff --git a/include/dwarf2.def b/include/dwarf2.def index 5241fe8615e0e3b288fee80c08a67723686ef411..8eaa90c3b4748ecfc025a6c2dd6afcd5fd80be28 100644 --- a/include/dwarf2.def +++ b/include/dwarf2.def @@ -631,6 +631,16 @@ DW_OP (DW_OP_HP_unmod_range, 0xe5) DW_OP (DW_OP_HP_tls, 0xe6) /* PGI (STMicroelectronics) extensions. */ DW_OP (DW_OP_PGI_omp_thread_num, 0xf8) +/* ARM extension for pointer authentication + DW_OP_AARCH64_pauth: takes one uleb128 operand which is authentication + descriptor. Perform actions indicated by the descriptor. + DW_OP_AARCH64_paciasp: no operand. Authenticate value in X30/LR using A key + and CFA as salt. + DW_OP_AARCH64_paciasp_deref: takes one sleb128 operand as offset. + Authenticate value in [CFA + offset] using A key and salt is CFA. */ +DW_OP (DW_OP_AARCH64_pauth, 0xea) +DW_OP (DW_OP_AARCH64_paciasp, 0xeb) +DW_OP (DW_OP_AARCH64_paciasp_deref, 0xec) DW_END_OP DW_FIRST_ATE (DW_ATE_void, 0x0)