[1/9,RFC,DWARF] Reserve three DW_OP numbers in vendor extension space

This patch introduces three AARCH64 private DWARF operations in vendor extension
space.

DW_OP_AARCH64_pauth 0xea
===
   Takes one unsigned LEB 128 Pointer Authentication Description. Bits [3:0] of
   the description contain the Authentication Action Code. All unused bits are
   initialized to 0. The operation then proceeds according to the value of the
   action code as described in the Action Code Table.

DW_OP_AARCH64_paciasp 0xeb
===
   Authenticates the contents in X30/LR register as per A key for instruction
   pointer using current CFA as salt. The result is pushed onto the stack.

DW_OP_AARCH64_paciasp_deref 0xec
===
   Takes one signed LEB128 offset and retrieves 8-byte contents from the address
   calculated by CFA plus this offset, the contents then authenticated as per A
   key for instruction pointer using current CFA as salt. The result is pushed
   onto the stack.

Action Code Table
==================================
Action Code      |     Note
----------------------------------
0                |  Pops a single 8-byte operand from the stack representing a
                  |  signed instruction pointer, "drops" the authentication
                  |  signature and pushes the value  onto stack.
----------------------------------
1                |  Pops a single 8-byte operand from the stack representing a
                  |  signed data pointer, "drops" the authentication signature
                  |  and pushes the value on to stack.
----------------------------------
2                |  Bits [7:4] of the Pointer Authentication Description contain
                  |  an Authentication Key Index. The operation then pops the top
                  |  two stack entries. The first is an 8-byte value to be
                  |  authenticated. The second is an 8-byte salt. The first value
                  |  is then authenticated as per the Authentication Key Index
                  |  using the salt. The result is pushed onto stack.

Authentication Key Index
=================================
0                |  A key for instruction pointer.
---------------------------------
1                |  B key for instruction pointer.
---------------------------------
2                |  A key for data pointer.
---------------------------------
3                |  B key for data pointer.
---------------------------------
4                |  A key for general pointer.

DW_OP_AARCH64_pauth is designed to offer general description for all scenarios.

DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref are two shortcut
operations for return address signing.  They offer more compact debug frame
encoding.

For DWARF operation vendor extension space between DW_OP_lo_user and
DW_OP_hi_user, I think vendor is free to reserve any number and numbers for one
vender can overlap with the other, as operations for different vendors are
not supposed to co-exist.

One exception is that GNU toolchain have reserved some numbers inside this space
(DW_OP_GNU*), so vendor's numbers need to avoid overlapping with them.

For these three numbers,  they are not used in LLVM's implementation.

NOTE: the assigned values are provisional, we may need to change them if they are
found to be in conflict with on other toolchains.

Please review, Thanks.


include/
2016-11-09  Richard Earnshaw<richard.earnshaw@arm.com>
             Jiong Wang<jiong.wang@arm.com>

         * dwarf2.def (DW_OP_AARCH64_pauth): Reserve the number 0xea.
         (DW_OP_AARCH64_paciasp): Reserve the number 0xeb.
         (Dw_OP_AARCH64_paciasp_deref): Reserve the number 0xec.

On Fri, Nov 11, 2016 at 06:21:48PM +0000, Jiong Wang wrote:
> This patch introduces three AARCH64 private DWARF operations in vendor extension
> space.
> 
> DW_OP_AARCH64_pauth 0xea
> ===
>   Takes one unsigned LEB 128 Pointer Authentication Description. Bits [3:0] of
>   the description contain the Authentication Action Code. All unused bits are
>   initialized to 0. The operation then proceeds according to the value of the
>   action code as described in the Action Code Table.
> 
> DW_OP_AARCH64_paciasp 0xeb
> ===
>   Authenticates the contents in X30/LR register as per A key for instruction
>   pointer using current CFA as salt. The result is pushed onto the stack.
> 
> DW_OP_AARCH64_paciasp_deref 0xec
> ===
>   Takes one signed LEB128 offset and retrieves 8-byte contents from the address
>   calculated by CFA plus this offset, the contents then authenticated as per A
>   key for instruction pointer using current CFA as salt. The result is pushed
>   onto the stack.

I'd like to point out that especially the vendor range of DW_OP_* is
extremely scarce resource, we have only a couple of unused values, so taking
3 out of the remaining unused 12 for a single architecture is IMHO too much.
Can't you use just a single opcode and encode which of the 3 operations it is
in say the low 2 bits of a LEB 128 operand?
We'll likely need to do RSN some multiplexing even for the generic GNU
opcodes if we need just a few further ones (say 0xff as an extension,
followed by uleb128 containing the opcode - 0xff).
In the non-vendor area we still have 54 values left, so there is more space
for future expansion.

	Jakub

On 11/11/16 19:38, Jakub Jelinek wrote:

> On Fri, Nov 11, 2016 at 06:21:48PM +0000, Jiong Wang wrote:
>> This patch introduces three AARCH64 private DWARF operations in vendor extension
>> space.
>>
>> DW_OP_AARCH64_pauth 0xea
>> ===
>>    Takes one unsigned LEB 128 Pointer Authentication Description. Bits [3:0] of
>>    the description contain the Authentication Action Code. All unused bits are
>>    initialized to 0. The operation then proceeds according to the value of the
>>    action code as described in the Action Code Table.
>>
>> DW_OP_AARCH64_paciasp 0xeb
>> ===
>>    Authenticates the contents in X30/LR register as per A key for instruction
>>    pointer using current CFA as salt. The result is pushed onto the stack.
>>
>> DW_OP_AARCH64_paciasp_deref 0xec
>> ===
>>    Takes one signed LEB128 offset and retrieves 8-byte contents from the address
>>    calculated by CFA plus this offset, the contents then authenticated as per A
>>    key for instruction pointer using current CFA as salt. The result is pushed
>>    onto the stack.
> I'd like to point out that especially the vendor range of DW_OP_* is
> extremely scarce resource, we have only a couple of unused values, so taking
> 3 out of the remaining unused 12 for a single architecture is IMHO too much.
> Can't you use just a single opcode and encode which of the 3 operations it is
> in say the low 2 bits of a LEB 128 operand?
> We'll likely need to do RSN some multiplexing even for the generic GNU
> opcodes if we need just a few further ones (say 0xff as an extension,
> followed by uleb128 containing the opcode - 0xff).
> In the non-vendor area we still have 54 values left, so there is more space
> for future expansion.
>
> 	Jakub

                                                                                        
   Seperate DWARF operations are introduced instead of combining all of them into
one are mostly because these operations are going to be used for most of the
functions once return address signing are enabled, and they are used for
describing frame unwinding that they will go into unwind table for C++ program
or C program compiled with -fexceptions, the impact on unwind table size is
significant.  So I was trying to lower the unwind table size overhead as much as
I can.

   IMHO, three numbers actually is not that much for one architecture in DWARF
operation vendor extension space as vendors can overlap with each other.  The
only painful thing from my understand is there are platform vendors, for example
"GNU" and "LLVM" etc, for which architecture vendor can't overlap with.

   In include/dwarf2.def, I saw DW_OP_GNU* has reserved 13, DW_OP_HP* has reserved
7 and DW_OP_PGI has reserved 1.

   So for an alternative approach, can these AArch64 extensions overlap and reuse
those numbers reserved for DW_OP_HP* ? for example 0xe4, 0xe5, 0xe6.  I am even
thinking GNU toolchain makes the 8 numbers reserved by existed DW_OP_HP* and
DW_OP_SGI* as architecture vendor area and allow multiplexing on them for
different architectures.  This may offer more flexibilities for architecture
vendors.

   Under current code base, my search shows the overlap should be safe inside
GCC/GDB and we only needs minor disassemble tweak in Binutils.

   Thanks.

Regards,
Jiong

On Tue, Nov 15, 2016 at 04:00:40PM +0000, Jiong Wang wrote:
> >>   Takes one signed LEB128 offset and retrieves 8-byte contents from the address
> >>   calculated by CFA plus this offset, the contents then authenticated as per A
> >>   key for instruction pointer using current CFA as salt. The result is pushed
> >>   onto the stack.
> >I'd like to point out that especially the vendor range of DW_OP_* is
> >extremely scarce resource, we have only a couple of unused values, so taking
> >3 out of the remaining unused 12 for a single architecture is IMHO too much.
> >Can't you use just a single opcode and encode which of the 3 operations it is
> >in say the low 2 bits of a LEB 128 operand?
> >We'll likely need to do RSN some multiplexing even for the generic GNU
> >opcodes if we need just a few further ones (say 0xff as an extension,
> >followed by uleb128 containing the opcode - 0xff).
> >In the non-vendor area we still have 54 values left, so there is more space
> >for future expansion.
> 
>   Seperate DWARF operations are introduced instead of combining all of them into
> one are mostly because these operations are going to be used for most of the
> functions once return address signing are enabled, and they are used for
> describing frame unwinding that they will go into unwind table for C++ program
> or C program compiled with -fexceptions, the impact on unwind table size is
> significant.  So I was trying to lower the unwind table size overhead as much as
> I can.
> 
>   IMHO, three numbers actually is not that much for one architecture in DWARF
> operation vendor extension space as vendors can overlap with each other.  The
> only painful thing from my understand is there are platform vendors, for example
> "GNU" and "LLVM" etc, for which architecture vendor can't overlap with.

For DW_OP_*, there aren't two vendor ranges like e.g. in ELF, there is just
one range, so ideally the opcodes would be unique everywhere, if not, there
is just a single GNU vendor, there is no separate range for Aarch64, that
can overlap with range for x86_64, and powerpc, etc.

Perhaps we could declare that certain opcode subrange for the GNU vendor is
architecture specific and document that the meaning of opcodes in that range
and count/encoding of their arguments depends on the architecture, but then
we should document how to figure out the architecture too (e.g. for ELF
base it on the containing EM_*).  All the tools that look at DWARF (readelf,
objdump, eu-readelf, libdw, libunwind, gdb, dwz, ...) would need to agree on that
though.

I know nothing about the aarch64 return address signing, would all 3 or say
2 usually appear together without any separate pc advance, or are they all
going to appear frequently and at different pcs?  Perhaps if there is just 1
opcode and has all the info encoded just in one bigger uleb128 or something
similar...

	Jakub

On 15/11/16 16:18, Jakub Jelinek wrote:
> On Tue, Nov 15, 2016 at 04:00:40PM +0000, Jiong Wang wrote:
>>>>    Takes one signed LEB128 offset and retrieves 8-byte contents from the address
>>>>    calculated by CFA plus this offset, the contents then authenticated as per A
>>>>    key for instruction pointer using current CFA as salt. The result is pushed
>>>>    onto the stack.
>>> I'd like to point out that especially the vendor range of DW_OP_* is
>>> extremely scarce resource, we have only a couple of unused values, so taking
>>> 3 out of the remaining unused 12 for a single architecture is IMHO too much.
>>> Can't you use just a single opcode and encode which of the 3 operations it is
>>> in say the low 2 bits of a LEB 128 operand?
>>> We'll likely need to do RSN some multiplexing even for the generic GNU
>>> opcodes if we need just a few further ones (say 0xff as an extension,
>>> followed by uleb128 containing the opcode - 0xff).
>>> In the non-vendor area we still have 54 values left, so there is more space
>>> for future expansion.
>>    Seperate DWARF operations are introduced instead of combining all of them into
>> one are mostly because these operations are going to be used for most of the
>> functions once return address signing are enabled, and they are used for
>> describing frame unwinding that they will go into unwind table for C++ program
>> or C program compiled with -fexceptions, the impact on unwind table size is
>> significant.  So I was trying to lower the unwind table size overhead as much as
>> I can.
>>
>>    IMHO, three numbers actually is not that much for one architecture in DWARF
>> operation vendor extension space as vendors can overlap with each other.  The
>> only painful thing from my understand is there are platform vendors, for example
>> "GNU" and "LLVM" etc, for which architecture vendor can't overlap with.
> For DW_OP_*, there aren't two vendor ranges like e.g. in ELF, there is just
> one range, so ideally the opcodes would be unique everywhere, if not, there
> is just a single GNU vendor, there is no separate range for Aarch64, that
> can overlap with range for x86_64, and powerpc, etc.
>
> Perhaps we could declare that certain opcode subrange for the GNU vendor is
> architecture specific and document that the meaning of opcodes in that range
> and count/encoding of their arguments depends on the architecture, but then
> we should document how to figure out the architecture too (e.g. for ELF
> base it on the containing EM_*).  All the tools that look at DWARF (readelf,
> objdump, eu-readelf, libdw, libunwind, gdb, dwz, ...) would need to agree on that
> though.
>
> I know nothing about the aarch64 return address signing, would all 3 or say
> 2 usually appear together without any separate pc advance, or are they all
> going to appear frequently and at different pcs?

   I think it's the latter, the DW_OP_AARCH64_paciasp and
DW_OP_AARCH64_paciasp_deref are going to appear frequently and at different pcs.
   
   For example, the following function prologue, there are three instructions
at 0x0, 0x4, 0x8.

   After the first instruction at 0x0, LR/X30 will be mangled.  The "paciasp" always
mangle LR register using SP as salt and write back the value into LR.  We then generate
DW_OP_AARCH64_paciasp to notify any unwinder that the original LR is mangled in this
way so they can unwind the original value properly.

   After the second instruction at 0x4, The mangled value of LR/X30 will be pushed on
to stack, unlike usual .cfi_offset, the unwind rule for LR/X30 becomes: first fetch the
mangled value from stack offset -16, then do whatever to restore the original value
from the mangled value.  This is represented by (DW_OP_AARCH64_paciasp_deref, offset).

         .cfi_startproc
    0x0  paciasp (this instruction sign return address register LR/X30)
         .cfi_val_expression 30, DW_OP_AARCH64_paciasp
    0x4  stp     x29, x30, [sp, -32]!
         .cfi_val_expression 30, DW_OP_AARCH64_paciasp_deref, -16
         .cfi_offset 29, -32
         .cfi_def_cfa_offset 32
    0x8  add     x29, sp, 0

> Perhaps if there is just 1
> opcode and has all the info encoded just in one bigger uleb128 or something
> similar...

On 15/11/16 16:18, Jakub Jelinek wrote:
> On Tue, Nov 15, 2016 at 04:00:40PM +0000, Jiong Wang wrote:
>>>>    Takes one signed LEB128 offset and retrieves 8-byte contents from the address
>>>>    calculated by CFA plus this offset, the contents then authenticated as per A
>>>>    key for instruction pointer using current CFA as salt. The result is pushed
>>>>    onto the stack.
>>> I'd like to point out that especially the vendor range of DW_OP_* is
>>> extremely scarce resource, we have only a couple of unused values, so taking
>>> 3 out of the remaining unused 12 for a single architecture is IMHO too much.
>>> Can't you use just a single opcode and encode which of the 3 operations it is
>>> in say the low 2 bits of a LEB 128 operand?
>>> We'll likely need to do RSN some multiplexing even for the generic GNU
>>> opcodes if we need just a few further ones (say 0xff as an extension,
>>> followed by uleb128 containing the opcode - 0xff).
>>> In the non-vendor area we still have 54 values left, so there is more space
>>> for future expansion.
>>    Seperate DWARF operations are introduced instead of combining all of them into
>> one are mostly because these operations are going to be used for most of the
>> functions once return address signing are enabled, and they are used for
>> describing frame unwinding that they will go into unwind table for C++ program
>> or C program compiled with -fexceptions, the impact on unwind table size is
>> significant.  So I was trying to lower the unwind table size overhead as much as
>> I can.
>>
>>    IMHO, three numbers actually is not that much for one architecture in DWARF
>> operation vendor extension space as vendors can overlap with each other.  The
>> only painful thing from my understand is there are platform vendors, for example
>> "GNU" and "LLVM" etc, for which architecture vendor can't overlap with.
> For DW_OP_*, there aren't two vendor ranges like e.g. in ELF, there is just
> one range, so ideally the opcodes would be unique everywhere, if not, there
> is just a single GNU vendor, there is no separate range for Aarch64, that
> can overlap with range for x86_64, and powerpc, etc.
>
> Perhaps we could declare that certain opcode subrange for the GNU vendor is
> architecture specific and document that the meaning of opcodes in that range
> and count/encoding of their arguments depends on the architecture, but then
> we should document how to figure out the architecture too (e.g. for ELF
> base it on the containing EM_*).  All the tools that look at DWARF (readelf,
> objdump, eu-readelf, libdw, libunwind, gdb, dwz, ...) would need to agree on that
> though.
>
> I know nothing about the aarch64 return address signing, would all 3 or say
> 2 usually appear together without any separate pc advance, or are they all
> going to appear frequently and at different pcs?

  I think it's the latter, the DW_OP_AARCH64_paciasp and
DW_OP_AARCH64_paciasp_deref are going to appear frequently and at different pcs.
     For example, the following function prologue, there are three instructions
at 0x0, 0x4, 0x8.

   After the first instruction at 0x0, LR/X30 will be mangled.  The "paciasp" always
mangle LR register using SP as salt and write back the value into LR.  We then generate
DW_OP_AARCH64_paciasp to notify any unwinder that the original LR is mangled in this
way so they can unwind the original value properly.

   After the second instruction at 0x4, The mangled value of LR/X30 will be pushed on
to stack, unlike usual .cfi_offset, the unwind rule for LR/X30 becomes: first fetch the
mangled value from stack offset -16, then do whatever to restore the original value
from the mangled value.  This is represented by (DW_OP_AARCH64_paciasp_deref, offset).

         .cfi_startproc
    0x0  paciasp (this instruction sign return address register LR/X30)
         .cfi_val_expression 30, DW_OP_AARCH64_paciasp
    0x4  stp     x29, x30, [sp, -32]!
         .cfi_val_expression 30, DW_OP_AARCH64_paciasp_deref, -16
         .cfi_offset 29, -32
         .cfi_def_cfa_offset 32
    0x8  add     x29, sp, 0


>   Perhaps if there is just 1
> opcode and has all the info encoded just in one bigger uleb128 or something
> similar...
>
> 	Jakub

On 15/11/16 16:48, Jiong Wang wrote:
> 
> 
> On 15/11/16 16:18, Jakub Jelinek wrote:
>> On Tue, Nov 15, 2016 at 04:00:40PM +0000, Jiong Wang wrote:
>>>>>    Takes one signed LEB128 offset and retrieves 8-byte contents
>>>>> from the address
>>>>>    calculated by CFA plus this offset, the contents then
>>>>> authenticated as per A
>>>>>    key for instruction pointer using current CFA as salt. The
>>>>> result is pushed
>>>>>    onto the stack.
>>>> I'd like to point out that especially the vendor range of DW_OP_* is
>>>> extremely scarce resource, we have only a couple of unused values,
>>>> so taking
>>>> 3 out of the remaining unused 12 for a single architecture is IMHO
>>>> too much.
>>>> Can't you use just a single opcode and encode which of the 3
>>>> operations it is
>>>> in say the low 2 bits of a LEB 128 operand?
>>>> We'll likely need to do RSN some multiplexing even for the generic GNU
>>>> opcodes if we need just a few further ones (say 0xff as an extension,
>>>> followed by uleb128 containing the opcode - 0xff).
>>>> In the non-vendor area we still have 54 values left, so there is
>>>> more space
>>>> for future expansion.
>>>    Seperate DWARF operations are introduced instead of combining all
>>> of them into
>>> one are mostly because these operations are going to be used for most
>>> of the
>>> functions once return address signing are enabled, and they are used for
>>> describing frame unwinding that they will go into unwind table for
>>> C++ program
>>> or C program compiled with -fexceptions, the impact on unwind table
>>> size is
>>> significant.  So I was trying to lower the unwind table size overhead
>>> as much as
>>> I can.
>>>
>>>    IMHO, three numbers actually is not that much for one architecture
>>> in DWARF
>>> operation vendor extension space as vendors can overlap with each
>>> other.  The
>>> only painful thing from my understand is there are platform vendors,
>>> for example
>>> "GNU" and "LLVM" etc, for which architecture vendor can't overlap with.
>> For DW_OP_*, there aren't two vendor ranges like e.g. in ELF, there is
>> just
>> one range, so ideally the opcodes would be unique everywhere, if not,
>> there
>> is just a single GNU vendor, there is no separate range for Aarch64, that
>> can overlap with range for x86_64, and powerpc, etc.
>>
>> Perhaps we could declare that certain opcode subrange for the GNU
>> vendor is
>> architecture specific and document that the meaning of opcodes in that
>> range
>> and count/encoding of their arguments depends on the architecture, but
>> then
>> we should document how to figure out the architecture too (e.g. for ELF
>> base it on the containing EM_*).  All the tools that look at DWARF
>> (readelf,
>> objdump, eu-readelf, libdw, libunwind, gdb, dwz, ...) would need to
>> agree on that
>> though.
>>
>> I know nothing about the aarch64 return address signing, would all 3
>> or say
>> 2 usually appear together without any separate pc advance, or are they
>> all
>> going to appear frequently and at different pcs?
> 
>   I think it's the latter, the DW_OP_AARCH64_paciasp and
> DW_OP_AARCH64_paciasp_deref are going to appear frequently and at
> different pcs.
>     For example, the following function prologue, there are three
> instructions
> at 0x0, 0x4, 0x8.
> 
>   After the first instruction at 0x0, LR/X30 will be mangled.  The
> "paciasp" always
> mangle LR register using SP as salt and write back the value into LR. 
> We then generate
> DW_OP_AARCH64_paciasp to notify any unwinder that the original LR is
> mangled in this
> way so they can unwind the original value properly.
> 
>   After the second instruction at 0x4, The mangled value of LR/X30 will
> be pushed on
> to stack, unlike usual .cfi_offset, the unwind rule for LR/X30 becomes:
> first fetch the
> mangled value from stack offset -16, then do whatever to restore the
> original value
> from the mangled value.  This is represented by
> (DW_OP_AARCH64_paciasp_deref, offset).
> 
>         .cfi_startproc
>    0x0  paciasp (this instruction sign return address register LR/X30)
>         .cfi_val_expression 30, DW_OP_AARCH64_paciasp
>    0x4  stp     x29, x30, [sp, -32]!
>         .cfi_val_expression 30, DW_OP_AARCH64_paciasp_deref, -16
>         .cfi_offset 29, -32
>         .cfi_def_cfa_offset 32
>    0x8  add     x29, sp, 0
> 

Now I'm confused.

I was thinking that we needed one opcode for the sign operation in the
prologue and one for the unsign/validate operation in the epilogue (to
support non-call exceptions.  But why do we need a separate code to say
that a previously signed value has now been pushed on the stack?  Surely
that's just a normal store operation that can be tracked through the
unwinding state machine.

I was expecting the third opcode to be needed for the special operations
that are not frequently used by the compiler.

R.

>> Perhaps if there is just 1
>> opcode and has all the info encoded just in one bigger uleb128 or
>> something
>> similar...
>

On 15/11/16 19:25, Richard Earnshaw (lists) wrote:
> On 15/11/16 16:48, Jiong Wang wrote:
>> On 15/11/16 16:18, Jakub Jelinek wrote:
>>> I know nothing about the aarch64 return address signing, would all 3
>>> or say
>>> 2 usually appear together without any separate pc advance, or are they
>>> all
>>> going to appear frequently and at different pcs?
>>
>>   I think it's the latter, the DW_OP_AARCH64_paciasp and
>> DW_OP_AARCH64_paciasp_deref are going to appear frequently and at
>> different pcs.
>>     For example, the following function prologue, there are three
>> instructions
>> at 0x0, 0x4, 0x8.
>>
>>   After the first instruction at 0x0, LR/X30 will be mangled.  The
>> "paciasp" always
>> mangle LR register using SP as salt and write back the value into LR.
>> We then generate
>> DW_OP_AARCH64_paciasp to notify any unwinder that the original LR is
>> mangled in this
>> way so they can unwind the original value properly.
>>
>>   After the second instruction at 0x4, The mangled value of LR/X30 will
>> be pushed on
>> to stack, unlike usual .cfi_offset, the unwind rule for LR/X30 becomes:
>> first fetch the
>> mangled value from stack offset -16, then do whatever to restore the
>> original value
>> from the mangled value.  This is represented by
>> (DW_OP_AARCH64_paciasp_deref, offset).
>>
>>         .cfi_startproc
>>    0x0  paciasp (this instruction sign return address register LR/X30)
>>         .cfi_val_expression 30, DW_OP_AARCH64_paciasp
>>    0x4  stp     x29, x30, [sp, -32]!
>>         .cfi_val_expression 30, DW_OP_AARCH64_paciasp_deref, -16
>>         .cfi_offset 29, -32
>>         .cfi_def_cfa_offset 32
>>    0x8  add     x29, sp, 0
>>
>
> Now I'm confused.
>
> I was thinking that we needed one opcode for the sign operation in the
> prologue and one for the unsign/validate operation in the epilogue (to
> support non-call exceptions.

   IMO, non-call exceptions is fine, it looks to me doesn't need extra
description as for non-call exceptions (exceptions thrown from signal
handler) the key point is how to unwind across signal frame.  For libgcc EH
unwinder, when normal unwinding failed, it will fall back to architecture
unwinding hook which restore some information from signal frame which is just
on top of the signal handler's frame.

   I can see AArch64 implementation will setup return address column like the
following logic where "sc->pc" is initialized by kernel and it's not signed
therefore should sucess on further unwinding.

     fs->regs.reg[__LIBGCC_DWARF_ALT_FRAME_RETURN_COLUMN__].how =
       REG_SAVED_VAL_OFFSET;
     fs->regs.reg[__LIBGCC_DWARF_ALT_FRAME_RETURN_COLUMN__].loc.offset =
       (_Unwind_Ptr) (sc->pc) - new_cfa;

> But why do we need a separate code to say
> that a previously signed value has now been pushed on the stack?  Surely
> that's just a normal store operation that can be tracked through the
> unwinding state machine.

   I was thinking the same thing, but found it doesn't work.  My understanding
of frame unwinding described at DWARF specification is: there are two steps
for frame unwinding.  The first step is to calculate register restore rules.
Unwinder scans register rules from function start to the unwinding PC, one
rule will be *overridden* by the next for the same register, there is *no
inheritance*.  The second step is then to evaluate all the final rules
collected at the unwinding PC.  According to the rule, either fetch the value
from stack or evaluate the value on DWARF expression stack etc.

  I also had tried to modify ".cfi_val_expression" at offset 0x4 in above
example into ".cfi_offset 30, -24", libgcc EH unwinder just doesn't work.

>
> I was expecting the third opcode to be needed for the special operations
> that are not frequently used by the compiler.

  The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were
designed as shortcut operations when LR is signed with A key and using
function's CFA as salt.  This is the default behaviour of return address
signing so is expected to be used for most of the time.  DW_OP_AARCH64_pauth
is designed as a generic operation that allow describing pointer signing on
any value using any salt and key in case we can't use the shortcut operations
we can use this.

On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote:
>   The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were
> designed as shortcut operations when LR is signed with A key and using
> function's CFA as salt.  This is the default behaviour of return address
> signing so is expected to be used for most of the time.  DW_OP_AARCH64_pauth
> is designed as a generic operation that allow describing pointer signing on
> any value using any salt and key in case we can't use the shortcut operations
> we can use this.

I admit to not fully understand the salting/keying involved. But given
that the DW_OP space is really tiny, so we would like to not eat up too
many of them for new opcodes. And given that introducing any new DW_OPs
using for CFI unwinding will break any unwinder anyway causing us to
update them all for this new feature. Have you thought about using a new
CIE augmentation string character for describing that the return
address/link register used by a function/frame is salted/keyed?

This seems a good description of CIE records and augmentation
characters: http://www.airs.com/blog/archives/460

It obviously also involves updating all unwinders to understand the new
augmentation character (and possible arguments). But it might be more
generic and saves us from using up too many DW_OPs.

Cheers,

Mark

On Wed, Nov 16, 2016 at 02:54:56PM +0100, Mark Wielaard wrote:
> On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote:
> >   The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were
> > designed as shortcut operations when LR is signed with A key and using
> > function's CFA as salt.  This is the default behaviour of return address
> > signing so is expected to be used for most of the time.  DW_OP_AARCH64_pauth
> > is designed as a generic operation that allow describing pointer signing on
> > any value using any salt and key in case we can't use the shortcut operations
> > we can use this.
> 
> I admit to not fully understand the salting/keying involved. But given
> that the DW_OP space is really tiny, so we would like to not eat up too
> many of them for new opcodes. And given that introducing any new DW_OPs
> using for CFI unwinding will break any unwinder anyway causing us to
> update them all for this new feature. Have you thought about using a new
> CIE augmentation string character for describing that the return
> address/link register used by a function/frame is salted/keyed?
> 
> This seems a good description of CIE records and augmentation
> characters: http://www.airs.com/blog/archives/460
> 
> It obviously also involves updating all unwinders to understand the new
> augmentation character (and possible arguments). But it might be more
> generic and saves us from using up too many DW_OPs.

From what I understood, the return address is not always scrambled, so
it doesn't apply to the whole function, just to most of it (except for
an insn in the prologue and some in the epilogue).  So I think one op is
needed.  But can't it be just a toggable flag whether the return address
is scrambled + some arguments to it?
Thus DW_OP_AARCH64_scramble .uleb128 0 would mean that the default
way of scrambling starts here (if not already active) or any kind of
scrambling ends here (if already active), and
DW_OP_AARCH64_scramble .uleb128 non-zero would be whatever encoding you need
to represent details of the less common variants with details what to do.
Then you'd just hook through some MD_* macro in the unwinder the
descrambling operation if the scrambling is active at the insns you unwind
on.

	Jakub

How about if instead of special DW_OP codes, you instead define a new
virtual register that contains the mangled return address? If the rule
for that virtual register is anything other than DW_CFA_undefined,
you'd expect to find the mangled return address using that rule;
otherwise, you would use the rule for LR instead and expect an
unmangled return address. The earlier example would become (picking an
arbitrary value of 120 for the new virtual register number):

        .cfi_startproc
   0x0  paciasp (this instruction sign return address register LR/X30)
        .cfi_val 120, DW_OP_reg30
   0x4  stp     x29, x30, [sp, -32]!
        .cfi_offset 120, -16
        .cfi_offset 29, -32
        .cfi_def_cfa_offset 32
   0x8  add     x29, sp, 0

Just a suggestion...

-cary


On Wed, Nov 16, 2016 at 6:02 AM, Jakub Jelinek <jakub@redhat.com> wrote:
> On Wed, Nov 16, 2016 at 02:54:56PM +0100, Mark Wielaard wrote:
>> On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote:
>> >   The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were
>> > designed as shortcut operations when LR is signed with A key and using
>> > function's CFA as salt.  This is the default behaviour of return address
>> > signing so is expected to be used for most of the time.  DW_OP_AARCH64_pauth
>> > is designed as a generic operation that allow describing pointer signing on
>> > any value using any salt and key in case we can't use the shortcut operations
>> > we can use this.
>>
>> I admit to not fully understand the salting/keying involved. But given
>> that the DW_OP space is really tiny, so we would like to not eat up too
>> many of them for new opcodes. And given that introducing any new DW_OPs
>> using for CFI unwinding will break any unwinder anyway causing us to
>> update them all for this new feature. Have you thought about using a new
>> CIE augmentation string character for describing that the return
>> address/link register used by a function/frame is salted/keyed?
>>
>> This seems a good description of CIE records and augmentation
>> characters: http://www.airs.com/blog/archives/460
>>
>> It obviously also involves updating all unwinders to understand the new
>> augmentation character (and possible arguments). But it might be more
>> generic and saves us from using up too many DW_OPs.
>
> From what I understood, the return address is not always scrambled, so
> it doesn't apply to the whole function, just to most of it (except for
> an insn in the prologue and some in the epilogue).  So I think one op is
> needed.  But can't it be just a toggable flag whether the return address
> is scrambled + some arguments to it?
> Thus DW_OP_AARCH64_scramble .uleb128 0 would mean that the default
> way of scrambling starts here (if not already active) or any kind of
> scrambling ends here (if already active), and
> DW_OP_AARCH64_scramble .uleb128 non-zero would be whatever encoding you need
> to represent details of the less common variants with details what to do.
> Then you'd just hook through some MD_* macro in the unwinder the
> descrambling operation if the scrambling is active at the insns you unwind
> on.
>
>         Jakub

On 30/11/16 21:43, Cary Coutant wrote:
> How about if instead of special DW_OP codes, you instead define a new
> virtual register that contains the mangled return address? If the rule
> for that virtual register is anything other than DW_CFA_undefined,
> you'd expect to find the mangled return address using that rule;
> otherwise, you would use the rule for LR instead and expect an
> unmangled return address. The earlier example would become (picking an
> arbitrary value of 120 for the new virtual register number):
> 
>         .cfi_startproc
>    0x0  paciasp (this instruction sign return address register LR/X30)
>         .cfi_val 120, DW_OP_reg30
>    0x4  stp     x29, x30, [sp, -32]!
>         .cfi_offset 120, -16
>         .cfi_offset 29, -32
>         .cfi_def_cfa_offset 32
>    0x8  add     x29, sp, 0
> 
> Just a suggestion...

What about signing other registers?  And what if the value is then
copied to another register?  Don't you end up with every possible
register (including the FP/SIMD registers) needing a shadow copy?

R.

> 
> -cary
> 
> 
> On Wed, Nov 16, 2016 at 6:02 AM, Jakub Jelinek <jakub@redhat.com> wrote:
>> On Wed, Nov 16, 2016 at 02:54:56PM +0100, Mark Wielaard wrote:
>>> On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote:
>>>>   The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were
>>>> designed as shortcut operations when LR is signed with A key and using
>>>> function's CFA as salt.  This is the default behaviour of return address
>>>> signing so is expected to be used for most of the time.  DW_OP_AARCH64_pauth
>>>> is designed as a generic operation that allow describing pointer signing on
>>>> any value using any salt and key in case we can't use the shortcut operations
>>>> we can use this.
>>>
>>> I admit to not fully understand the salting/keying involved. But given
>>> that the DW_OP space is really tiny, so we would like to not eat up too
>>> many of them for new opcodes. And given that introducing any new DW_OPs
>>> using for CFI unwinding will break any unwinder anyway causing us to
>>> update them all for this new feature. Have you thought about using a new
>>> CIE augmentation string character for describing that the return
>>> address/link register used by a function/frame is salted/keyed?
>>>
>>> This seems a good description of CIE records and augmentation
>>> characters: http://www.airs.com/blog/archives/460
>>>
>>> It obviously also involves updating all unwinders to understand the new
>>> augmentation character (and possible arguments). But it might be more
>>> generic and saves us from using up too many DW_OPs.
>>
>> From what I understood, the return address is not always scrambled, so
>> it doesn't apply to the whole function, just to most of it (except for
>> an insn in the prologue and some in the epilogue).  So I think one op is
>> needed.  But can't it be just a toggable flag whether the return address
>> is scrambled + some arguments to it?
>> Thus DW_OP_AARCH64_scramble .uleb128 0 would mean that the default
>> way of scrambling starts here (if not already active) or any kind of
>> scrambling ends here (if already active), and
>> DW_OP_AARCH64_scramble .uleb128 non-zero would be whatever encoding you need
>> to represent details of the less common variants with details what to do.
>> Then you'd just hook through some MD_* macro in the unwinder the
>> descrambling operation if the scrambling is active at the insns you unwind
>> on.
>>
>>         Jakub

On 01/12/16 10:42, Richard Earnshaw (lists) wrote:
> On 30/11/16 21:43, Cary Coutant wrote:
>> How about if instead of special DW_OP codes, you instead define a new
>> virtual register that contains the mangled return address? If the rule
>> for that virtual register is anything other than DW_CFA_undefined,
>> you'd expect to find the mangled return address using that rule;
>> otherwise, you would use the rule for LR instead and expect an
>> unmangled return address. The earlier example would become (picking an
>> arbitrary value of 120 for the new virtual register number):
>>
>>          .cfi_startproc
>>     0x0  paciasp (this instruction sign return address register LR/X30)
>>          .cfi_val 120, DW_OP_reg30
>>     0x4  stp     x29, x30, [sp, -32]!
>>          .cfi_offset 120, -16
>>          .cfi_offset 29, -32
>>          .cfi_def_cfa_offset 32
>>     0x8  add     x29, sp, 0
>>
>> Just a suggestion...
> What about signing other registers?  And what if the value is then
> copied to another register?  Don't you end up with every possible
> register (including the FP/SIMD registers) needing a shadow copy?

   
   Another issue is compared with the DW_CFA approach, this virtual register
   approach is less efficient on unwind table size and complexer to implement.

   .cfi_register takes two ULEB128 register number, it needs 3 bytes rather
    than DW_CFA's 1 byte.  From example .debug_frame section size for linux
    kernel increment will be ~14% compared with DW_CFA approach's 5%.

   In the implementation, the prologue then normally will be

          .cfi_startproc
     0x0  paciasp (this instruction sign return address register LR/X30)
          .cfi_val 120, DW_OP_reg30  <-A
     0x4  stp     x29, x30, [sp, -32]!
          .cfi_offset 120, -16       <-B
          .cfi_offset 29, -32
          .cfi_def_cfa_offset 32

     The epilogue normally will be
     ...
         ldp     x29, x30, [sp], 32
           .cfi_val 120, DW_OP_reg30  <- C
           .cfi_restore 29
           .cfi_def_cfa 31, 0

         autiasp (this instruction unsign LR/X30)
           .cfi_restore 30

    For the virual register approach, GCC needs to track dwarf generation for
    LR/X30 in every place (A/B/C, maybe some other rare LR copy places), and
    rewrite LR to new virtual register accordingly. This seems easy, but my
    practice shows GCC won't do any DWARF auto-deduction if you have one
    explict DWARF CFI note attached to an insn (handled_one will be true in
    dwarf2out_frame_debug).  So for instruction like stp/ldp, we then need to
    explicitly generate all three DWARF CFI note manually.

    While for DW_CFA approach, they will be:

          .cfi_startproc
     0x0  paciasp (this instruction sign return address register LR/X30)
          .cfi_cfa_window_save
     0x4  stp     x29, x30, [sp, -32]!     \
          .cfi_offset 30, -16              |
          .cfi_offset 29, -32              |
          .cfi_def_cfa_offset 32           |  all dwarf generation between sign and
     ...                                   |  unsign (paciasp/autiasp) is the same
         ldp     x29, x30, [sp], 16        |  as before
           .cfi_restore 30                 |
           .cfi_restore 29                 |
           .cfi_def_cfa 31, 0              |
                                           /
         autiasp (this instruction unsign LR/X30)
           .cfi_cfa_window_save

    The DWARF generation implementation in backend is very simple, nothing needs to be
    updated between sign and unsign instruction.

  For the impact on the unwinder, the virtual register approach needs to change
  the implementation of "save value" rule which is quite general code. A target hook
  might need for AArch64 that when the destination register is the special virtual
  register, it seems a little bit hack to me.

>> -cary
>>
>>
>> On Wed, Nov 16, 2016 at 6:02 AM, Jakub Jelinek <jakub@redhat.com> wrote:
>>> On Wed, Nov 16, 2016 at 02:54:56PM +0100, Mark Wielaard wrote:
>>>> On Wed, 2016-11-16 at 10:00 +0000, Jiong Wang wrote:
>>>>>    The two operations DW_OP_AARCH64_paciasp and DW_OP_AARCH64_paciasp_deref were
>>>>> designed as shortcut operations when LR is signed with A key and using
>>>>> function's CFA as salt.  This is the default behaviour of return address
>>>>> signing so is expected to be used for most of the time.  DW_OP_AARCH64_pauth
>>>>> is designed as a generic operation that allow describing pointer signing on
>>>>> any value using any salt and key in case we can't use the shortcut operations
>>>>> we can use this.
>>>> I admit to not fully understand the salting/keying involved. But given
>>>> that the DW_OP space is really tiny, so we would like to not eat up too
>>>> many of them for new opcodes. And given that introducing any new DW_OPs
>>>> using for CFI unwinding will break any unwinder anyway causing us to
>>>> update them all for this new feature. Have you thought about using a new
>>>> CIE augmentation string character for describing that the return
>>>> address/link register used by a function/frame is salted/keyed?
>>>>
>>>> This seems a good description of CIE records and augmentation
>>>> characters: http://www.airs.com/blog/archives/460
>>>>
>>>> It obviously also involves updating all unwinders to understand the new
>>>> augmentation character (and possible arguments). But it might be more
>>>> generic and saves us from using up too many DW_OPs.
>>>  From what I understood, the return address is not always scrambled, so
>>> it doesn't apply to the whole function, just to most of it (except for
>>> an insn in the prologue and some in the epilogue).  So I think one op is
>>> needed.  But can't it be just a toggable flag whether the return address
>>> is scrambled + some arguments to it?
>>> Thus DW_OP_AARCH64_scramble .uleb128 0 would mean that the default
>>> way of scrambling starts here (if not already active) or any kind of
>>> scrambling ends here (if already active), and
>>> DW_OP_AARCH64_scramble .uleb128 non-zero would be whatever encoding you need
>>> to represent details of the less common variants with details what to do.
>>> Then you'd just hook through some MD_* macro in the unwinder the
>>> descrambling operation if the scrambling is active at the insns you unwind
>>> on.
>>>
>>>          Jakub

> I'd like to point out that especially the vendor range of DW_OP_* is
> extremely scarce resource, we have only a couple of unused values, so taking
> 3 out of the remaining unused 12 for a single architecture is IMHO too much.
> Can't you use just a single opcode and encode which of the 3 operations it is
> in say the low 2 bits of a LEB 128 operand?
> We'll likely need to do RSN some multiplexing even for the generic GNU
> opcodes if we need just a few further ones (say 0xff as an extension,
> followed by uleb128 containing the opcode - 0xff).
> In the non-vendor area we still have 54 values left, so there is more space
> for future expansion.

Most of the Gnu extensions have been adopted into the standard as of DWARF 5:

/* GNU extensions.  */
DW_OP (DW_OP_GNU_push_tls_address, 0xe0)
/* The following is for marking variables that are uninitialized.  */
DW_OP (DW_OP_GNU_uninit, 0xf0)
DW_OP (DW_OP_GNU_encoded_addr, 0xf1)
/* The GNU implicit pointer extension.
   See http://www.dwarfstd.org/ShowIssue.php?issue=100831.1&type=open .  */
DW_OP (DW_OP_GNU_implicit_pointer, 0xf2)
/* The GNU entry value extension.
   See http://www.dwarfstd.org/ShowIssue.php?issue=100909.1&type=open .  */
DW_OP (DW_OP_GNU_entry_value, 0xf3)
/* The GNU typed stack extension.
   See http://www.dwarfstd.org/doc/040408.1.html .  */
DW_OP (DW_OP_GNU_const_type, 0xf4)
DW_OP (DW_OP_GNU_regval_type, 0xf5)
DW_OP (DW_OP_GNU_deref_type, 0xf6)
DW_OP (DW_OP_GNU_convert, 0xf7)
DW_OP (DW_OP_GNU_reinterpret, 0xf9)
/* The GNU parameter ref extension.  */
DW_OP (DW_OP_GNU_parameter_ref, 0xfa)
/* Extensions for Fission.  See http://gcc.gnu.org/wiki/DebugFission.  */
DW_OP (DW_OP_GNU_addr_index, 0xfb)
DW_OP (DW_OP_GNU_const_index, 0xfc)

Of these, I think only DW_OP_GNU_uninit and DW_OP_GNU_encoded_addr
remain as Gnu extensions. The rest could be deprecated as of DWARF 5,
and, if necessary, reused for other purposes in DWARF 6 and later.
Depending on how aggressive we want to be with deprecation, we could
even declare that they are available for reuse in DWARF 5 and later,
as long as the Gnu toolchain uses only the new standard values when
generating DWARF 5. That frees up 11 more opcodes.

-cary