Blame SOURCES/gcc8-rh1512529-aarch64.patch

0e3697
--- gcc/config/aarch64/aarch64.c
0e3697
+++ gcc/config/aarch64/aarch64.c
0e3697
@@ -3799,7 +3799,14 @@ aarch64_output_probe_stack_range (rtx reg1, rtx reg2)
0e3697
   output_asm_insn ("sub\t%0, %0, %1", xops);
0e3697
 
0e3697
   /* Probe at TEST_ADDR.  */
0e3697
-  output_asm_insn ("str\txzr, [%0]", xops);
0e3697
+  if (flag_stack_clash_protection)
0e3697
+    {
0e3697
+      gcc_assert (xops[0] == stack_pointer_rtx);
0e3697
+      xops[1] = GEN_INT (PROBE_INTERVAL - 8);
0e3697
+      output_asm_insn ("str\txzr, [%0, %1]", xops);
0e3697
+    }
0e3697
+  else
0e3697
+    output_asm_insn ("str\txzr, [%0]", xops);
0e3697
 
0e3697
   /* Test if TEST_ADDR == LAST_ADDR.  */
0e3697
   xops[1] = reg2;
0e3697
@@ -4589,6 +4596,133 @@ aarch64_set_handled_components (sbitmap components)
0e3697
       cfun->machine->reg_is_wrapped_separately[regno] = true;
0e3697
 }
0e3697
 
0e3697
+/* Allocate POLY_SIZE bytes of stack space using TEMP1 and TEMP2 as scratch
0e3697
+   registers.  */
0e3697
+
0e3697
+static void
0e3697
+aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2,
0e3697
+					poly_int64 poly_size)
0e3697
+{
0e3697
+  HOST_WIDE_INT size;
0e3697
+  if (!poly_size.is_constant (&size))
0e3697
+    {
0e3697
+      sorry ("stack probes for SVE frames");
0e3697
+      return;
0e3697
+    }
0e3697
+
0e3697
+  HOST_WIDE_INT probe_interval
0e3697
+    = 1 << PARAM_VALUE (PARAM_STACK_CLASH_PROTECTION_PROBE_INTERVAL);
0e3697
+  HOST_WIDE_INT guard_size
0e3697
+    = 1 << PARAM_VALUE (PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE);
0e3697
+  HOST_WIDE_INT guard_used_by_caller = 1024;
0e3697
+
0e3697
+  /* SIZE should be large enough to require probing here.  ie, it
0e3697
+     must be larger than GUARD_SIZE - GUARD_USED_BY_CALLER.
0e3697
+
0e3697
+     We can allocate GUARD_SIZE - GUARD_USED_BY_CALLER as a single chunk
0e3697
+     without any probing.  */
0e3697
+  gcc_assert (size >= guard_size - guard_used_by_caller);
0e3697
+  aarch64_sub_sp (temp1, temp2, guard_size - guard_used_by_caller, true);
0e3697
+  HOST_WIDE_INT orig_size = size;
0e3697
+  size -= (guard_size - guard_used_by_caller);
0e3697
+
0e3697
+  HOST_WIDE_INT rounded_size = size & -probe_interval;
0e3697
+  HOST_WIDE_INT residual = size - rounded_size;
0e3697
+
0e3697
+  /* We can handle a small number of allocations/probes inline.  Otherwise
0e3697
+     punt to a loop.  */
0e3697
+  if (rounded_size && rounded_size <= 4 * probe_interval)
0e3697
+    {
0e3697
+      /* We don't use aarch64_sub_sp here because we don't want to
0e3697
+	 repeatedly load TEMP1.  */
0e3697
+      rtx step = GEN_INT (-probe_interval);
0e3697
+      if (probe_interval > ARITH_FACTOR)
0e3697
+	{
0e3697
+	  emit_move_insn (temp1, step);
0e3697
+	  step = temp1;
0e3697
+	}
0e3697
+
0e3697
+      for (HOST_WIDE_INT i = 0; i < rounded_size; i += probe_interval)
0e3697
+	{
0e3697
+	  rtx_insn *insn = emit_insn (gen_add2_insn (stack_pointer_rtx, step));
0e3697
+          add_reg_note (insn, REG_STACK_CHECK, const0_rtx);
0e3697
+
0e3697
+	  if (probe_interval > ARITH_FACTOR)
0e3697
+	    {
0e3697
+	      RTX_FRAME_RELATED_P (insn) = 1;
0e3697
+	      rtx adj = plus_constant (Pmode, stack_pointer_rtx, -probe_interval);
0e3697
+	      add_reg_note (insn, REG_CFA_ADJUST_CFA,
0e3697
+			    gen_rtx_SET (stack_pointer_rtx, adj));
0e3697
+	    }
0e3697
+
0e3697
+	  emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx,
0e3697
+					   (probe_interval
0e3697
+					    - GET_MODE_SIZE (word_mode))));
0e3697
+	  emit_insn (gen_blockage ());
0e3697
+	}
0e3697
+      dump_stack_clash_frame_info (PROBE_INLINE, size != rounded_size);
0e3697
+    }
0e3697
+  else if (rounded_size)
0e3697
+    {
0e3697
+      /* Compute the ending address.  */
0e3697
+      unsigned int scratchreg = REGNO (temp1);
0e3697
+      emit_move_insn (temp1, GEN_INT (-rounded_size));
0e3697
+      rtx_insn *insn
0e3697
+	 = emit_insn (gen_add3_insn (temp1, stack_pointer_rtx, temp1));
0e3697
+
0e3697
+      /* For the initial allocation, we don't have a frame pointer
0e3697
+	 set up, so we always need CFI notes.  If we're doing the
0e3697
+	 final allocation, then we may have a frame pointer, in which
0e3697
+	 case it is the CFA, otherwise we need CFI notes.
0e3697
+
0e3697
+	 We can determine which allocation we are doing by looking at
0e3697
+	 the temporary register.  IP0 is the initial allocation, IP1
0e3697
+	 is the final allocation.  */
0e3697
+      if (scratchreg == IP0_REGNUM || !frame_pointer_needed)
0e3697
+	{
0e3697
+	  /* We want the CFA independent of the stack pointer for the
0e3697
+	     duration of the loop.  */
0e3697
+	  add_reg_note (insn, REG_CFA_DEF_CFA,
0e3697
+			plus_constant (Pmode, temp1,
0e3697
+				       (rounded_size + (orig_size - size))));
0e3697
+	  RTX_FRAME_RELATED_P (insn) = 1;
0e3697
+	}
0e3697
+
0e3697
+      /* This allocates and probes the stack.
0e3697
+
0e3697
+	 It also probes at a 4k interval regardless of the value of
0e3697
+	 PARAM_STACK_CLASH_PROTECTION_PROBE_INTERVAL.  */
0e3697
+      insn = emit_insn (gen_probe_stack_range (stack_pointer_rtx,
0e3697
+					       stack_pointer_rtx, temp1));
0e3697
+
0e3697
+      /* Now reset the CFA register if needed.  */
0e3697
+      if (scratchreg == IP0_REGNUM || !frame_pointer_needed)
0e3697
+	{
0e3697
+	  add_reg_note (insn, REG_CFA_DEF_CFA,
0e3697
+			plus_constant (Pmode, stack_pointer_rtx,
0e3697
+				       (rounded_size + (orig_size - size))));
0e3697
+	  RTX_FRAME_RELATED_P (insn) = 1;
0e3697
+	}
0e3697
+
0e3697
+      emit_insn (gen_blockage ());
0e3697
+      dump_stack_clash_frame_info (PROBE_LOOP, size != rounded_size);
0e3697
+    }
0e3697
+  else
0e3697
+    dump_stack_clash_frame_info (PROBE_INLINE, size != rounded_size);
0e3697
+
0e3697
+  /* Handle any residuals.
0e3697
+     Note that any residual must be probed.  */
0e3697
+  if (residual)
0e3697
+    {
0e3697
+      aarch64_sub_sp (temp1, temp2, residual, true);
0e3697
+      add_reg_note (get_last_insn (), REG_STACK_CHECK, const0_rtx);
0e3697
+      emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx,
0e3697
+				       (residual - GET_MODE_SIZE (word_mode))));
0e3697
+      emit_insn (gen_blockage ());
0e3697
+    }
0e3697
+  return;
0e3697
+}
0e3697
+
0e3697
 /* Add a REG_CFA_EXPRESSION note to INSN to say that register REG
0e3697
    is saved at BASE + OFFSET.  */
0e3697
 
0e3697
@@ -4686,7 +4820,54 @@ aarch64_expand_prologue (void)
0e3697
   rtx ip0_rtx = gen_rtx_REG (Pmode, IP0_REGNUM);
0e3697
   rtx ip1_rtx = gen_rtx_REG (Pmode, IP1_REGNUM);
0e3697
 
0e3697
-  aarch64_sub_sp (ip0_rtx, ip1_rtx, initial_adjust, true);
0e3697
+  /* We do not fully protect aarch64 against stack clash style attacks
0e3697
+     as doing so would be prohibitively expensive with less utility over
0e3697
+     time as newer compilers are deployed.
0e3697
+
0e3697
+     We assume the guard is at least 64k.  Furthermore, we assume that
0e3697
+     the caller has not pushed the stack pointer more than 1k into
0e3697
+     the guard.  A caller that pushes the stack pointer than 1k into
0e3697
+     the guard is considered invalid.
0e3697
+
0e3697
+     Note that the caller's ability to push the stack pointer into the
0e3697
+     guard is a function of the number and size of outgoing arguments and/or
0e3697
+     dynamic stack allocations due to the mandatory save of the link register
0e3697
+     in the caller's frame.
0e3697
+
0e3697
+     With those assumptions the callee can allocate up to 63k of stack
0e3697
+     space without probing.
0e3697
+
0e3697
+     When probing is needed, we emit a probe at the start of the prologue
0e3697
+     and every PARAM_STACK_CLASH_PROTECTION_PROBE_INTERVAL bytes thereafter.
0e3697
+
0e3697
+     We have to track how much space has been allocated, but we do not
0e3697
+     track stores into the stack as implicit probes except for the
0e3697
+     fp/lr store.  */
0e3697
+  HOST_WIDE_INT guard_size
0e3697
+    = 1 << PARAM_VALUE (PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE);
0e3697
+  HOST_WIDE_INT guard_used_by_caller = 1024;
0e3697
+  if (flag_stack_clash_protection)
0e3697
+    {
0e3697
+      if (known_eq (frame_size, 0))
0e3697
+	dump_stack_clash_frame_info (NO_PROBE_NO_FRAME, false);
0e3697
+      else if (known_lt (initial_adjust, guard_size - guard_used_by_caller)
0e3697
+	       && known_lt (final_adjust, guard_size - guard_used_by_caller))
0e3697
+	dump_stack_clash_frame_info (NO_PROBE_SMALL_FRAME, true);
0e3697
+    }
0e3697
+
0e3697
+  /* In theory we should never have both an initial adjustment
0e3697
+     and a callee save adjustment.  Verify that is the case since the
0e3697
+     code below does not handle it for -fstack-clash-protection.  */
0e3697
+  gcc_assert (known_eq (initial_adjust, 0) || callee_adjust == 0);
0e3697
+
0e3697
+  /* Only probe if the initial adjustment is larger than the guard
0e3697
+     less the amount of the guard reserved for use by the caller's
0e3697
+     outgoing args.  */
0e3697
+  if (flag_stack_clash_protection
0e3697
+      && maybe_ge (initial_adjust, guard_size - guard_used_by_caller))
0e3697
+    aarch64_allocate_and_probe_stack_space (ip0_rtx, ip1_rtx, initial_adjust);
0e3697
+  else
0e3697
+    aarch64_sub_sp (ip0_rtx, ip1_rtx, initial_adjust, true);
0e3697
 
0e3697
   if (callee_adjust != 0)
0e3697
     aarch64_push_regs (reg1, reg2, callee_adjust);
0e3697
@@ -4742,7 +4923,31 @@ aarch64_expand_prologue (void)
0e3697
 			     callee_adjust != 0 || emit_frame_chain);
0e3697
   aarch64_save_callee_saves (DFmode, callee_offset, V0_REGNUM, V31_REGNUM,
0e3697
 			     callee_adjust != 0 || emit_frame_chain);
0e3697
-  aarch64_sub_sp (ip1_rtx, ip0_rtx, final_adjust, !frame_pointer_needed);
0e3697
+
0e3697
+  /* We may need to probe the final adjustment as well.  */
0e3697
+  if (flag_stack_clash_protection && maybe_ne (final_adjust, 0))
0e3697
+    {
0e3697
+      /* First probe if the final adjustment is larger than the guard size
0e3697
+	 less the amount of the guard reserved for use by the caller's
0e3697
+	 outgoing args.  */
0e3697
+      if (maybe_ge (final_adjust, guard_size - guard_used_by_caller))
0e3697
+	aarch64_allocate_and_probe_stack_space (ip1_rtx, ip0_rtx,
0e3697
+						final_adjust);
0e3697
+      else
0e3697
+	aarch64_sub_sp (ip1_rtx, ip0_rtx, final_adjust, !frame_pointer_needed);
0e3697
+
0e3697
+      /* We must also probe if the final adjustment is larger than the guard
0e3697
+	 that is assumed used by the caller.  This may be sub-optimal.  */
0e3697
+      if (maybe_ge (final_adjust, guard_used_by_caller))
0e3697
+	{
0e3697
+	  if (dump_file)
0e3697
+	    fprintf (dump_file,
0e3697
+		     "Stack clash aarch64 large outgoing arg, probing\n");
0e3697
+	  emit_stack_probe (stack_pointer_rtx);
0e3697
+	}
0e3697
+    }
0e3697
+  else
0e3697
+    aarch64_sub_sp (ip1_rtx, ip0_rtx, final_adjust, !frame_pointer_needed);
0e3697
 }
0e3697
 
0e3697
 /* Return TRUE if we can use a simple_return insn.
0e3697
@@ -10476,6 +10681,12 @@ aarch64_override_options_internal (struct gcc_options *opts)
0e3697
       && opts->x_optimize >= aarch64_tune_params.prefetch->default_opt_level)
0e3697
     opts->x_flag_prefetch_loop_arrays = 1;
0e3697
 
0e3697
+  /* We assume the guard page is 64k.  */
0e3697
+  maybe_set_param_value (PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE,
0e3697
+			 16,
0e3697
+			 opts->x_param_values,
0e3697
+			 global_options_set.x_param_values);
0e3697
+
0e3697
   aarch64_override_options_after_change_1 (opts);
0e3697
 }
0e3697
 
0e3697
@@ -17161,6 +17372,28 @@ aarch64_sched_can_speculate_insn (rtx_insn *insn)
0e3697
     }
0e3697
 }
0e3697
 
0e3697
+/* It has been decided that to allow up to 1kb of outgoing argument
0e3697
+   space to be allocated w/o probing.  If more than 1kb of outgoing
0e3697
+   argment space is allocated, then it must be probed and the last
0e3697
+   probe must occur no more than 1kbyte away from the end of the
0e3697
+   allocated space.
0e3697
+
0e3697
+   This implies that the residual part of an alloca allocation may
0e3697
+   need probing in cases where the generic code might not otherwise
0e3697
+   think a probe is needed.
0e3697
+
0e3697
+   This target hook returns TRUE when allocating RESIDUAL bytes of
0e3697
+   alloca space requires an additional probe, otherwise FALSE is
0e3697
+   returned.  */
0e3697
+
0e3697
+static bool
0e3697
+aarch64_stack_clash_protection_final_dynamic_probe (rtx residual)
0e3697
+{
0e3697
+  return (residual == CONST0_RTX (Pmode)
0e3697
+	  || GET_CODE (residual) != CONST_INT
0e3697
+	  || INTVAL (residual) >= 1024);
0e3697
+}
0e3697
+
0e3697
 /* Implement TARGET_COMPUTE_PRESSURE_CLASSES.  */
0e3697
 
0e3697
 static int
0e3697
@@ -17669,6 +17902,10 @@ aarch64_libgcc_floating_mode_supported_p
0e3697
 #undef TARGET_CONSTANT_ALIGNMENT
0e3697
 #define TARGET_CONSTANT_ALIGNMENT aarch64_constant_alignment
0e3697
 
0e3697
+#undef TARGET_STACK_CLASH_PROTECTION_FINAL_DYNAMIC_PROBE
0e3697
+#define TARGET_STACK_CLASH_PROTECTION_FINAL_DYNAMIC_PROBE \
0e3697
+  aarch64_stack_clash_protection_final_dynamic_probe
0e3697
+
0e3697
 #undef TARGET_COMPUTE_PRESSURE_CLASSES
0e3697
 #define TARGET_COMPUTE_PRESSURE_CLASSES aarch64_compute_pressure_classes
0e3697
 
0e3697
--- gcc/config/aarch64/aarch64.md
0e3697
+++ gcc/config/aarch64/aarch64.md
0e3697
@@ -5812,7 +5812,7 @@
0e3697
 )
0e3697
 
0e3697
 (define_insn "probe_stack_range"
0e3697
-  [(set (match_operand:DI 0 "register_operand" "=r")
0e3697
+  [(set (match_operand:DI 0 "register_operand" "=rk")
0e3697
 	(unspec_volatile:DI [(match_operand:DI 1 "register_operand" "0")
0e3697
 			     (match_operand:DI 2 "register_operand" "r")]
0e3697
 			      UNSPECV_PROBE_STACK_RANGE))]
0e3697
--- gcc/testsuite/gcc.target/aarch64/stack-check-12.c
0e3697
+++ gcc/testsuite/gcc.target/aarch64/stack-check-12.c
0e3697
@@ -0,0 +1,20 @@
0e3697
+/* { dg-do compile } */
0e3697
+/* { dg-options "-O2 -fstack-clash-protection --param stack-clash-protection-guard-size=12" } */
0e3697
+/* { dg-require-effective-target supports_stack_clash_protection } */
0e3697
+
0e3697
+extern void arf (unsigned long int *, unsigned long int *);
0e3697
+void
0e3697
+frob ()
0e3697
+{
0e3697
+  unsigned long int num[1000];
0e3697
+  unsigned long int den[1000];
0e3697
+  arf (den, num);
0e3697
+}
0e3697
+
0e3697
+/* This verifies that the scheduler did not break the dependencies
0e3697
+   by adjusting the offsets within the probe and that the scheduler
0e3697
+   did not reorder around the stack probes.  */
0e3697
+/* { dg-final { scan-assembler-times "sub\\tsp, sp, #4096\\n\\tstr\\txzr, .sp, 4088." 3 } } */
0e3697
+
0e3697
+
0e3697
+
0e3697
--- gcc/testsuite/gcc.target/aarch64/stack-check-13.c
0e3697
+++ gcc/testsuite/gcc.target/aarch64/stack-check-13.c
0e3697
@@ -0,0 +1,28 @@
0e3697
+/* { dg-do compile } */
0e3697
+/* { dg-options "-O2 -fstack-clash-protection --param stack-clash-protection-guard-size=12" } */
0e3697
+/* { dg-require-effective-target supports_stack_clash_protection } */
0e3697
+
0e3697
+#define ARG32(X) X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X,X
0e3697
+#define ARG192(X) ARG32(X),ARG32(X),ARG32(X),ARG32(X),ARG32(X),ARG32(X)
0e3697
+void out1(ARG192(__int128));
0e3697
+int t1(int);
0e3697
+
0e3697
+int t3(int x)
0e3697
+{
0e3697
+  if (x < 1000)
0e3697
+    return t1 (x) + 1;
0e3697
+
0e3697
+  out1 (ARG192(1));
0e3697
+  return 0;
0e3697
+}
0e3697
+
0e3697
+
0e3697
+
0e3697
+/* This test creates a large (> 1k) outgoing argument area that needs
0e3697
+   to be probed.  We don't test the exact size of the space or the
0e3697
+   exact offset to make the test a little less sensitive to trivial
0e3697
+   output changes.  */
0e3697
+/* { dg-final { scan-assembler-times "sub\\tsp, sp, #....\\n\\tstr\\txzr, \\\[sp" 1 } } */
0e3697
+
0e3697
+
0e3697
+
0e3697
--- gcc/testsuite/gcc.target/aarch64/stack-check-14.c
0e3697
+++ gcc/testsuite/gcc.target/aarch64/stack-check-14.c
0e3697
@@ -0,0 +1,25 @@
0e3697
+/* { dg-do compile } */
0e3697
+/* { dg-options "-O2 -fstack-clash-protection --param stack-clash-protection-guard-size=12" } */
0e3697
+/* { dg-require-effective-target supports_stack_clash_protection } */
0e3697
+
0e3697
+int t1(int);
0e3697
+
0e3697
+int t2(int x)
0e3697
+{
0e3697
+  char *p = __builtin_alloca (4050);
0e3697
+  x = t1 (x);
0e3697
+  return p[x];
0e3697
+}
0e3697
+
0e3697
+
0e3697
+/* This test has a constant sized alloca that is smaller than the
0e3697
+   probe interval.  But it actually requires two probes instead
0e3697
+   of one because of the optimistic assumptions we made in the
0e3697
+   aarch64 prologue code WRT probing state. 
0e3697
+
0e3697
+   The form can change quite a bit so we just check for two
0e3697
+   probes without looking at the actual address.  */
0e3697
+/* { dg-final { scan-assembler-times "str\\txzr," 2 } } */
0e3697
+
0e3697
+
0e3697
+
0e3697
--- gcc/testsuite/gcc.target/aarch64/stack-check-15.c
0e3697
+++ gcc/testsuite/gcc.target/aarch64/stack-check-15.c
0e3697
@@ -0,0 +1,24 @@
0e3697
+/* { dg-do compile } */
0e3697
+/* { dg-options "-O2 -fstack-clash-protection --param stack-clash-protection-guard-size=12" } */
0e3697
+/* { dg-require-effective-target supports_stack_clash_protection } */
0e3697
+
0e3697
+int t1(int);
0e3697
+
0e3697
+int t2(int x)
0e3697
+{
0e3697
+  char *p = __builtin_alloca (x);
0e3697
+  x = t1 (x);
0e3697
+  return p[x];
0e3697
+}
0e3697
+
0e3697
+
0e3697
+/* This test has a variable sized alloca.  It requires 3 probes.
0e3697
+   One in the loop, one for the residual and at the end of the
0e3697
+   alloca area. 
0e3697
+
0e3697
+   The form can change quite a bit so we just check for two
0e3697
+   probes without looking at the actual address.  */
0e3697
+/* { dg-final { scan-assembler-times "str\\txzr," 3 } } */
0e3697
+
0e3697
+
0e3697
+
0e3697
--- gcc/testsuite/lib/target-supports.exp
0e3697
+++ gcc/testsuite/lib/target-supports.exp
0e3697
@@ -9201,14 +9201,9 @@ proc check_effective_target_autoincdec { } {
0e3697
 # 
0e3697
 proc check_effective_target_supports_stack_clash_protection { } {
0e3697
 
0e3697
-   # Temporary until the target bits are fully ACK'd.
0e3697
-#  if { [istarget aarch*-*-*] } {
0e3697
-#	return 1
0e3697
-#  }
0e3697
-
0e3697
     if { [istarget x86_64-*-*] || [istarget i?86-*-*] 
0e3697
 	  || [istarget powerpc*-*-*] || [istarget rs6000*-*-*]
0e3697
-	  || [istarget s390*-*-*] } {
0e3697
+	  || [istarget aarch64*-**] || [istarget s390*-*-*] } {
0e3697
 	return 1
0e3697
     }
0e3697
   return 0
0e3697
@@ -9217,9 +9212,9 @@ proc check_effective_target_supports_stack_clash_protection { } {
0e3697
 # Return 1 if the target creates a frame pointer for non-leaf functions
0e3697
 # Note we ignore cases where we apply tail call optimization here.
0e3697
 proc check_effective_target_frame_pointer_for_non_leaf { } {
0e3697
-  if { [istarget aarch*-*-*] } {
0e3697
-	return 1
0e3697
-  }
0e3697
+#  if { [istarget aarch*-*-*] } {
0e3697
+#	return 1
0e3697
+#  }
0e3697
 
0e3697
   # Solaris/x86 defaults to -fno-omit-frame-pointer.
0e3697
   if { [istarget i?86-*-solaris*] || [istarget x86_64-*-solaris*] } {