public inbox for gcc-cvs@sourceware.org
help / color / mirror / Atom feed
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-24 17:18 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-24 17:18 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:972a1750d4b53481e3084f370be4881fd1503b1f
commit 972a1750d4b53481e3084f370be4881fd1503b1f
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 24 13:37:03 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
.../doc/gnat_rm/security_hardening_features.rst | 29 +-
gcc/common.opt | 29 ++
gcc/doc/invoke.texi | 51 ++-
gcc/flag-types.h | 10 +
gcc/gimple-harden-control-flow.cc | 351 ++++++++++++++++-----
.../c-c++-common/harden-cfr-noret-never-O0.c | 12 +
.../c-c++-common/torture/harden-cfr-noret-never.c | 18 ++
.../torture/harden-cfr-noret-noexcept.c | 16 +
.../torture/harden-cfr-noret-nothrow.c | 13 +
.../c-c++-common/torture/harden-cfr-noret.c | 38 +++
gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C | 11 +
.../torture/harden-cfr-noret-always-no-nothrow.C | 16 +
.../torture/harden-cfr-noret-never-no-nothrow.C | 17 +
.../g++.dg/torture/harden-cfr-noret-no-nothrow.C | 22 ++
.../g++.dg/torture/harden-cfr-throw-always.C | 20 ++
.../g++.dg/torture/harden-cfr-throw-nocleanup.C | 11 +
gcc/testsuite/g++.dg/torture/harden-cfr-throw.C | 65 ++++
.../gcc.dg/torture/harden-cfr-noret-no-nothrow.c | 15 +
libgcc/hardcfr.c | 119 ++++++-
19 files changed, 768 insertions(+), 95 deletions(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index b7803cde588..9d762e7c8cc 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -263,16 +263,25 @@ For each block that is marked as visited, the mechanism checks that at
least one of its predecessors, and at least one of its successors, are
also marked as visited.
-Verification is performed just before returns, tail- and noreturn
-calls. Furthermore, any subprogram from which an exception may
-escape, i.e., that may raise or propagate an exception that isn't
-handled internally, is automatically enclosed by a cleanup handler
-that performs verification. When a noreturn call returns control to
-its caller through an exception, verification will have already been
-performed before the call, but it will take place again when the
-caller reaches the next verification point, whether it is the end of
-the enclosing cleanup handler, a return or reraise statement after the
-exception is otherwise handled, or even another noreturn call.
+Verification is performed just before returns and tail calls.
+Verification may also be performed before noreturn calls, whether only
+nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`,
+or all of them, with :switch:`-fhardcfr-check-noreturn-calls=always`.
+Furthermore, any subprogram from which an exception may escape, i.e.,
+that may raise or propagate an exception that isn't handled
+internally, is automatically enclosed by a cleanup handler that
+performs verification, unless this is disabled with
+:switch:`-fno-hardcfr-check-exceptions`. When a noreturn call returns
+control to its caller through an exception, verification may have
+already been performed before the call, assuming
+:switch:`-fhardcfr-check-noreturn-calls=always` is in effect. The
+compiler arranges for already-checked noreturn calls without a
+preexisting handler to bypass the implicitly-added cleanup handler and
+thus the redundant check, but calls with a local handler will use it,
+which modifies the set of visited blocks, and checking will take place
+againwhen the caller reaches the next verification point, whether it
+is a return or reraise statement after the exception is otherwise
+handled, or even another noreturn call.
The instrumentation for hardening with control flow redundancy can be
observed in dump files generated by the command-line option
diff --git a/gcc/common.opt b/gcc/common.opt
index e0a002e6b16..8f97eebb210 100644
--- a/gcc/common.opt
+++ b/gcc/common.opt
@@ -1801,6 +1801,35 @@ fharden-control-flow-redundancy
Common Var(flag_harden_control_flow_redundancy) Init(-1) Optimization
Harden control flow by recording and checking execution paths.
+fhardcfr-check-exceptions
+Common Var(flag_harden_control_flow_redundancy_check_exceptions) Init(-1) Optimization
+Check CFR execution paths also when exiting a function through an exception.
+
+fhardcfr-check-noreturn-calls=
+Common Joined RejectNegative Enum(hardcfr_check_noreturn_calls) Var(flag_harden_control_flow_redundancy_check_noreturn) Init(HCFRNR_UNSPECIFIED) Optimization
+-fhardcfr-check-noreturn-calls=[always|nothrow|never] Check CFR execution paths also before calling noreturn functions.
+
+Enum
+Name(hardcfr_check_noreturn_calls) Type(enum hardcfr_noret) UnknownError(unknown hardcfr noreturn checking level %qs)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(never) Value(HCFRNR_NEVER)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(nothrow) Value(HCFRNR_NOTHROW)
+
+; ??? There could be yet another option here, that checked before
+; noreturn calls, except for those known to always throw, if we had
+; means to distinguish noreturn functions known to always throw, such
+; as those used to (re)raise exceptions, from those that merely might
+; throw. "not always" stands for "not always-throwing", but it also
+; contrasts with "always" below.
+; EnumValue
+; Enum(hardcfr_check_noreturn_calls) String(not-always) Value(HCFRNR_NOT_ALWAYS)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(always) Value(HCFRNR_ALWAYS)
+
; Nonzero means ignore `#ident' directives. 0 means handle them.
; Generate position-independent code for executables if possible
; On SVR4 targets, it also controls whether or not to emit a
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 9c8f2eecb6c..1a8409d6e3e 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -624,7 +624,8 @@ Objective-C and Objective-C++ Dialects}.
-fsanitize-undefined-trap-on-error -fbounds-check @gol
-fcf-protection=@r{[}full@r{|}branch@r{|}return@r{|}none@r{|}check@r{]} @gol
-fharden-compares -fharden-conditional-branches @gol
--fharden-control-flow-redundancy @gol
+-fharden-control-flow-redundancy -fhardcfr-check-exceptions @gol
+-fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]} @gol
-fstack-protector -fstack-protector-all -fstack-protector-strong @gol
-fstack-protector-explicit -fstack-check @gol
-fstack-limit-register=@var{reg} -fstack-limit-symbol=@var{sym} @gol
@@ -16556,11 +16557,49 @@ conditionals.
@item -fharden-control-flow-redundancy
@opindex fharden-control-flow-redundancy
Emit extra code to set booleans when entering basic blocks, and to
-verify, at function exits (returns, escaping exceptions, and before tail
-and noreturn calls), and trap when they indicate an execution path that
-is incompatible with the control flow graph. Tuning options
-@option{--param hardcfr-max-blocks} and @option{--param
-hardcfr-max-inline-blocks} are available.
+verify, at function exits (returns, before tail calls, and optionally,
+before escaping exceptions with @option{-fhardcfr-check-exceptions}, and
+before noreturn calls with @option{-fhardcfr-check-noreturn-calls}), and
+trap when they indicate an execution path that is incompatible with the
+control flow graph. Tuning options @option{--param hardcfr-max-blocks}
+and @option{--param hardcfr-max-inline-blocks} are available.
+
+@item -fhardcfr-check-exceptions
+@opindex fhardcfr-check-exceptions
+@opindex fno-hardcfr-check-exceptions
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph at exception
+escape points, as if the function body was wrapped with a cleanup
+handler that performed the check and reraised. This option is enabled
+by default; use @option{-fno-hardcfr-check-exceptions} to disable it.
+
+@item -fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]}
+@opindex fhardcfr-check-noreturn-calls
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph before
+@code{noreturn} calls, either all of them (@option{always}), those that
+may not return control to the caller through an exception either
+(@option{nothrow}), or none of them (@option{never}, the default).
+
+Checking before a @code{noreturn} function that may return control to
+the caller through an exception may cause checking to be performed more
+than once, if the exception is caught in the caller, whether by a
+handler or a cleanup. When @option{-fhardcfr-check-exceptions} is also
+enabled, the compiler will avoid associating a @code{noreturn} call with
+the implicitly-added cleanup handler, since it would be redundant with
+the check performed before the call, but other handlers or cleanups in
+the function, if activated, will modify the recorded execution path and
+check it again when another checkpoint is hit. The checkpoint may even
+be another @code{noreturn} call, so checking may end up performed
+multiple times.
+
+Various optimizers may cause calls to be marked as @code{noreturn}
+and/or @code{nothrow}, even in the absence of the corresponding
+attributes, which may affect the placement of checks before calls, as
+well as the addition of implicit cleanup handlers for them. This
+unpredictability, and the fact that raising and reraising exceptions
+frequently amounts to implicitly calling @code{noreturn} functions, have
+made @option{never} the default setting for this option.
@item -fstack-protector
@opindex fstack-protector
diff --git a/gcc/flag-types.h b/gcc/flag-types.h
index a11f99af887..02926184559 100644
--- a/gcc/flag-types.h
+++ b/gcc/flag-types.h
@@ -163,6 +163,16 @@ enum stack_reuse_level
SR_ALL
};
+/* Control Flow Redundancy hardening options for noreturn calls. */
+enum hardcfr_noret
+{
+ HCFRNR_NEVER,
+ HCFRNR_NOTHROW,
+ HCFRNR_NOT_ALWAYS, /* Reserved for future use. */
+ HCFRNR_ALWAYS,
+ HCFRNR_UNSPECIFIED = -1
+};
+
/* The live patching level. */
enum live_patching_level
{
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..149b2b674e7 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -29,7 +29,9 @@ along with GCC; see the file COPYING3. If not see
#include "tree-pass.h"
#include "ssa.h"
#include "gimple-iterator.h"
+#include "gimple-pretty-print.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +115,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +176,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -246,8 +249,7 @@ class rt_bb_visited
}
/* Set the bit corresponding to BB in VISITED. Add to SEQ any
- required gimple statements, and return SEQ, possibly
- modified. */
+ required gimple stmts, and return SEQ, possibly modified. */
gimple_seq vset (basic_block bb, gimple_seq seq = NULL)
{
tree bit, setme = vword (bb, &bit);
@@ -350,8 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
- || !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
{
@@ -509,6 +510,12 @@ public:
edge e = EDGE_PRED (EXIT_BLOCK_PTR_FOR_FN (cfun), i);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in"
+ " block %i's edge to exit.\n",
+ e->src->index);
+
insert_exit_check (seq, e);
gcc_checking_assert (!bitmap_bit_p (noreturn_blocks, e->src->index));
@@ -525,6 +532,11 @@ public:
if (--count_noreturn)
seq = gimple_seq_copy (seq);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in noreturn block %i.\n",
+ bb->index);
+
if (!insert_exit_check (seq, bb))
gcc_unreachable ();
}
@@ -536,8 +548,43 @@ public:
/* Inline checking requires a single exit edge. */
gimple *last = gsi_stmt (gsi_last (ckseq));
- insert_exit_check (ckseq,
- single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ if (!count_noreturn)
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in"
+ " block %i's edge to exit.\n",
+ single_pred (EXIT_BLOCK_PTR_FOR_FN (cfun))->index);
+
+ insert_exit_check (ckseq,
+ single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ }
+ else
+ {
+ gcc_checking_assert (count_noreturn == 1);
+
+ sbitmap_iterator it;
+ unsigned i;
+ EXECUTE_IF_SET_IN_BITMAP (noreturn_blocks, 0, i, it)
+ {
+ basic_block bb = BASIC_BLOCK_FOR_FN (cfun, i);
+
+ gimple_seq seq = ckseq;
+ gcc_checking_assert (count_noreturn > 0);
+ if (--count_noreturn)
+ seq = gimple_seq_copy (seq);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in noreturn block %i.\n",
+ bb->index);
+
+ if (!insert_exit_check (seq, bb))
+ gcc_unreachable ();
+ }
+
+ gcc_checking_assert (count_noreturn == 0);
+ }
/* The inserted ckseq computes CKFAIL at LAST. Now we have to
conditionally trap on it. */
@@ -558,8 +605,7 @@ public:
add_bb_to_loop (trp, current_loops->tree_root);
/* Insert a conditional branch to the trap block. If the
- conditional wouldn't be the last statement, split the
- block. */
+ conditional wouldn't be the last stmt, split the block. */
gimple_stmt_iterator gsi = gsi_for_stmt (last);
if (!gsi_one_before_end_p (gsi))
split_block (gsi_bb (gsi), gsi_stmt (gsi));
@@ -643,7 +689,7 @@ public:
return false;
}
- /* Add to CKSEQ statements to clear CKPART if OBB is visited. */
+ /* Add to CKSEQ stmts to clear CKPART if OBB is visited. */
void
build_block_check (basic_block obb)
{
@@ -669,7 +715,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +735,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +762,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -723,16 +774,44 @@ public:
}
};
+/* It might be useful to avoid checking before noreturn calls that are
+ known to always finish by throwing an exception, rather than by
+ ending the program or looping forever. Such functions would have
+ to be annotated somehow, with an attribute or flag.
+ Exception-raising functions, such as C++'s __cxa_throw,
+ __cxa_rethrow, and Ada's */
+static bool
+always_throwing_noreturn_call_p (gimple *)
+{
+ return false;
+}
+
/* Control flow redundancy hardening: record the execution path, and
verify at exit that an expect path was taken. */
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool const check_at_escaping_exceptions
+ = (flag_exceptions
+ && flag_harden_control_flow_redundancy_check_exceptions);
+ bool const check_before_noreturn_calls
+ = flag_harden_control_flow_redundancy_check_noreturn > HCFRNR_NEVER;
+ bool const check_before_nothrow_noreturn_calls
+ = (check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= HCFRNR_NOTHROW);
+ bool const check_before_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn > HCFRNR_NOTHROW);
+ bool const check_before_always_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= HCFRNR_ALWAYS);
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (check_at_escaping_exceptions)
{
int lp_eh_cleanup = -1;
@@ -758,7 +837,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -766,8 +845,48 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ /* Don't split blocks at, nor add EH edvges to, tail
+ calls, we will add verification before the call
+ anyway. */
+ if (is_a <gcall *> (stmt)
+ && (gimple_call_must_tail_p (as_a <gcall *> (stmt))
+ || gimple_call_tail_p (as_a <gcall *> (stmt))))
+ continue;
+
+ if (!gsi_one_before_end_p (gsi))
split_block (bb, stmt);
+ /* A resx or noreturn call needs not be associated with
+ the cleanup handler if we're going to add checking
+ before it. We only test cases that didn't require
+ block splitting because noreturn calls would always
+ be at the end of blocks, and we test for zero
+ successors because if there is an edge, it's not
+ noreturn, as any EH edges would have already been
+ caught by the lookup_stmt_eh_lp test above. */
+ else if (check_before_noreturn_calls
+ && EDGE_COUNT (bb->succs) == 0
+ && (is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls))
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Bypassing cleanup for noreturn stmt"
+ " in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+ continue;
+ }
if (!bb_eh_cleanup)
{
@@ -790,15 +909,47 @@ pass_harden_control_flow_redundancy::execute (function *fun)
ehgsi = gsi_after_labels (bb_eh_cleanup);
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Created cleanup block %i:\n",
+ bb_eh_cleanup->index);
+ }
+ else if (dom_info_available_p (CDI_DOMINATORS))
+ {
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
- else
+
+ if (dump_file)
{
- // Update immedite dominator and loop?
+ fprintf (dump_file,
+ "Associated cleanup block with stmt in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
+ }
+
+ if (bb_eh_cleanup)
+ {
+ /* A cfg_cleanup after bb_eh_cleanup makes for a more compact
+ rtcfg, and it avoids bb numbering differences when we split
+ blocks because of trailing debug insns only. */
+ cleanup_tree_cfg ();
+ gcc_checking_assert (EDGE_COUNT (bb_eh_cleanup->succs) == 0);
}
}
@@ -809,56 +960,97 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ if (gsi_end_p (gsi))
continue;
- }
+ gimple *stmt = gsi_stmt (gsi);
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
-
- if (found_non_eh_edge)
- continue;
-
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ /* A stmt at the end of a block without any successors is
+ either a resx or a noreturn call without a local
+ handler. Check that it's one of the desired
+ checkpoints. */
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? (check_before_always_throwing_noreturn_calls
+ || bb == bb_eh_cleanup)
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (/* Catch cases in which successors would be
+ expected. */
+ gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in succ-less block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
continue;
- }
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup
+ || !check_at_escaping_exceptions);
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? false
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? (/* Catch cases that should not have successors. */
+ gcc_unreachable (), check_before_nothrow_noreturn_calls)
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ gcc_checking_assert (single_succ_p (bb)
+ && (single_succ_edge (bb)->flags & EDGE_EH));
+
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in EH-succ block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
+ }
+ else if (bb_eh_cleanup)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
count_noreturn++;
+ else
+ gcc_unreachable ();
}
gcc_checking_assert (!bb_eh_cleanup
@@ -869,12 +1061,29 @@ pass_harden_control_flow_redundancy::execute (function *fun)
amount to a function that ends with an infinite loop. */
if (!count_noreturn
&& EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (fun)->preds) == 0)
- return 0;
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Disabling CFR, no exit paths to check\n");
+
+ return 0;
+ }
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
new file mode 100644
index 00000000000..a6992eb9f8e
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
@@ -0,0 +1,12 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -O0 -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization. */
+
+#include "torture/harden-cfr-noret.c"
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f and of h2. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
new file mode 100644
index 00000000000..8bd2d13ac18
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization, which
+ affects codegen for h2, so h2 is omitted here at -O0. */
+
+#if !__OPTIMIZE__
+# define OMIT_H2
+#endif
+
+#include "harden-cfr-noret.c"
+
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
new file mode 100644
index 00000000000..a804a6cfe59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fno-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that -fno-exceptions makes for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
new file mode 100644
index 00000000000..f390cfdbc59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
@@ -0,0 +1,13 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before nothrow noreturn calls. */
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
new file mode 100644
index 00000000000..a58afd7944c
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
@@ -0,0 +1,38 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before all noreturn calls. */
+
+#ifndef ATTR_NOTHROW_OPT /* Overridden in harden-cfr-noret-noexcept. */
+#define ATTR_NOTHROW_OPT __attribute__ ((__nothrow__))
+#endif
+
+extern void __attribute__ ((__noreturn__)) ATTR_NOTHROW_OPT g(void);
+
+void f(int i) {
+ if (i)
+ /* Out-of-line checks here... */
+ g ();
+ /* ... and here. */
+}
+
+void __attribute__ ((__noinline__, __noclone__))
+h(void) {
+ /* Inline check here. */
+ g ();
+}
+
+#ifndef OMIT_H2 /* from harden-cfr-noret-never. */
+void h2(void) {
+ /* Inline check either here, whether because of noreturn or tail call... */
+ h ();
+ /* ... or here, if not optimizing. */
+}
+#endif
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
new file mode 100644
index 00000000000..17ea79f7cfb
--- /dev/null
+++ b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects -O0" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. h2 and h2b get an extra resx without ehcleanup. */
+
+#include "torture/harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 16 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
new file mode 100644
index 00000000000..dad9693e1d2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Bypassing cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
new file mode 100644
index 00000000000..33e1ae26f80
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
@@ -0,0 +1,17 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. Expected results for =never and =nothrow are the same,
+ since the functions are not nothrow. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
new file mode 100644
index 00000000000..b47d880ada2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
@@ -0,0 +1,22 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#if ! __OPTIMIZE__
+void __attribute__ ((__noreturn__)) h (void);
+#endif
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
new file mode 100644
index 00000000000..52ef7bc601a
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
@@ -0,0 +1,20 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+#if ! __OPTIMIZE__
+/* Without optimization, functions with cleanups end up with an extra
+ resx that is not optimized out, so arrange to optimize them. */
+void __attribute__ ((__optimize__ (1))) h2(void);
+void __attribute__ ((__optimize__ (1))) h2b(void);
+#endif
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 14 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
+/* h, h2, h2b, and h4. */
+/* { dg-final { scan-tree-dump-times "Bypassing" 4 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
new file mode 100644
index 00000000000..da7c9cf1033
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we do not insert cleanups for checking around the bodies
+ of maybe-throwing functions. h4 doesn't get any checks, because we
+ don't have noreturn checking enabled. */
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 6 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
new file mode 100644
index 00000000000..2dbc67c34d9
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
@@ -0,0 +1,65 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions. */
+
+extern void g (void);
+extern void g2 (void);
+
+void f(int i) {
+ if (i)
+ g ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void f2(int i) {
+ if (i)
+ g ();
+ else
+ g2 ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h(void) {
+ try {
+ g ();
+ } catch (...) {
+ throw;
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+struct needs_cleanup {
+ ~needs_cleanup();
+};
+
+void h2(void) {
+ needs_cleanup y; /* No check in the cleanup handler. */
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+extern void __attribute__ ((__nothrow__)) another_cleanup (void*);
+
+void h2b(void) {
+ int x __attribute__ ((cleanup (another_cleanup)));
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h3(void) {
+ try {
+ throw 1;
+ } catch (...) {
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h4(void) {
+ /* Inline check before the __cxa_throw noreturn call. */
+ throw 1;
+}
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 12 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
new file mode 100644
index 00000000000..8e4ee1fab08
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
@@ -0,0 +1,15 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C makes for implicit nothrow in noreturn handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..55f6b995f2f 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,94 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+/* Print out the CFG with BLOCKS blocks, presumed to be associated with CALLER.
+ This is expected to be optimized out entirely, unless the verbose part of
+ __hardcfr_check_fail is enabled. */
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void const *const caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+/* This is called when an out-of-line hardcfr check fails. All the arguments
+ are ignored, and it just traps, unless HARDCFR_VERBOSE_FAIL is enabled. IF
+ it is, it prints the PART of the CFG, expected to have BLOCKS blocks, that
+ failed at CALLER's BLOCK, and the VISITED bitmap. When the verbose mode is
+ enabled, it also forces __hardcfr_debug_cfg (above) to be compiled into an
+ out-of-line function, that could be called from a debugger.
+ */
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t const block ATTRIBUTE_UNUSED,
+ int const part ATTRIBUTE_UNUSED,
+ void const *const caller ATTRIBUTE_UNUSED)
+{
+#if HARDCFR_VERBOSE_FAIL
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[part]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = part; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +267,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-24 22:59 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-24 22:59 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:85db5682b0eb62f0a68702efe8c0731d47e8d060
commit 85db5682b0eb62f0a68702efe8c0731d47e8d060
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 24 19:58:03 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
.../doc/gnat_rm/security_hardening_features.rst | 29 +-
gcc/common.opt | 29 ++
gcc/doc/invoke.texi | 51 ++-
gcc/flag-types.h | 10 +
gcc/gimple-harden-control-flow.cc | 353 ++++++++++++++++-----
.../c-c++-common/harden-cfr-noret-never-O0.c | 12 +
.../c-c++-common/torture/harden-cfr-noret-never.c | 18 ++
.../torture/harden-cfr-noret-noexcept.c | 16 +
.../torture/harden-cfr-noret-nothrow.c | 13 +
.../c-c++-common/torture/harden-cfr-noret.c | 38 +++
gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C | 11 +
.../torture/harden-cfr-noret-always-no-nothrow.C | 16 +
.../torture/harden-cfr-noret-never-no-nothrow.C | 17 +
.../g++.dg/torture/harden-cfr-noret-no-nothrow.C | 22 ++
.../g++.dg/torture/harden-cfr-throw-always.C | 20 ++
.../g++.dg/torture/harden-cfr-throw-nocleanup.C | 11 +
gcc/testsuite/g++.dg/torture/harden-cfr-throw.C | 65 ++++
.../gcc.dg/torture/harden-cfr-noret-no-nothrow.c | 15 +
libgcc/hardcfr.c | 119 ++++++-
19 files changed, 769 insertions(+), 96 deletions(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index b7803cde588..9d762e7c8cc 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -263,16 +263,25 @@ For each block that is marked as visited, the mechanism checks that at
least one of its predecessors, and at least one of its successors, are
also marked as visited.
-Verification is performed just before returns, tail- and noreturn
-calls. Furthermore, any subprogram from which an exception may
-escape, i.e., that may raise or propagate an exception that isn't
-handled internally, is automatically enclosed by a cleanup handler
-that performs verification. When a noreturn call returns control to
-its caller through an exception, verification will have already been
-performed before the call, but it will take place again when the
-caller reaches the next verification point, whether it is the end of
-the enclosing cleanup handler, a return or reraise statement after the
-exception is otherwise handled, or even another noreturn call.
+Verification is performed just before returns and tail calls.
+Verification may also be performed before noreturn calls, whether only
+nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`,
+or all of them, with :switch:`-fhardcfr-check-noreturn-calls=always`.
+Furthermore, any subprogram from which an exception may escape, i.e.,
+that may raise or propagate an exception that isn't handled
+internally, is automatically enclosed by a cleanup handler that
+performs verification, unless this is disabled with
+:switch:`-fno-hardcfr-check-exceptions`. When a noreturn call returns
+control to its caller through an exception, verification may have
+already been performed before the call, assuming
+:switch:`-fhardcfr-check-noreturn-calls=always` is in effect. The
+compiler arranges for already-checked noreturn calls without a
+preexisting handler to bypass the implicitly-added cleanup handler and
+thus the redundant check, but calls with a local handler will use it,
+which modifies the set of visited blocks, and checking will take place
+againwhen the caller reaches the next verification point, whether it
+is a return or reraise statement after the exception is otherwise
+handled, or even another noreturn call.
The instrumentation for hardening with control flow redundancy can be
observed in dump files generated by the command-line option
diff --git a/gcc/common.opt b/gcc/common.opt
index e347251f713..57f01330fcf 100644
--- a/gcc/common.opt
+++ b/gcc/common.opt
@@ -1801,6 +1801,35 @@ fharden-control-flow-redundancy
Common Var(flag_harden_control_flow_redundancy) Optimization
Harden control flow by recording and checking execution paths.
+fhardcfr-check-exceptions
+Common Var(flag_harden_control_flow_redundancy_check_exceptions) Init(-1) Optimization
+Check CFR execution paths also when exiting a function through an exception.
+
+fhardcfr-check-noreturn-calls=
+Common Joined RejectNegative Enum(hardcfr_check_noreturn_calls) Var(flag_harden_control_flow_redundancy_check_noreturn) Init(HCFRNR_UNSPECIFIED) Optimization
+-fhardcfr-check-noreturn-calls=[always|nothrow|never] Check CFR execution paths also before calling noreturn functions.
+
+Enum
+Name(hardcfr_check_noreturn_calls) Type(enum hardcfr_noret) UnknownError(unknown hardcfr noreturn checking level %qs)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(never) Value(HCFRNR_NEVER)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(nothrow) Value(HCFRNR_NOTHROW)
+
+; ??? There could be yet another option here, that checked before
+; noreturn calls, except for those known to always throw, if we had
+; means to distinguish noreturn functions known to always throw, such
+; as those used to (re)raise exceptions, from those that merely might
+; throw. "not always" stands for "not always-throwing", but it also
+; contrasts with "always" below.
+; EnumValue
+; Enum(hardcfr_check_noreturn_calls) String(not-always) Value(HCFRNR_NOT_ALWAYS)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(always) Value(HCFRNR_ALWAYS)
+
; Nonzero means ignore `#ident' directives. 0 means handle them.
; Generate position-independent code for executables if possible
; On SVR4 targets, it also controls whether or not to emit a
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 9c8f2eecb6c..1a8409d6e3e 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -624,7 +624,8 @@ Objective-C and Objective-C++ Dialects}.
-fsanitize-undefined-trap-on-error -fbounds-check @gol
-fcf-protection=@r{[}full@r{|}branch@r{|}return@r{|}none@r{|}check@r{]} @gol
-fharden-compares -fharden-conditional-branches @gol
--fharden-control-flow-redundancy @gol
+-fharden-control-flow-redundancy -fhardcfr-check-exceptions @gol
+-fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]} @gol
-fstack-protector -fstack-protector-all -fstack-protector-strong @gol
-fstack-protector-explicit -fstack-check @gol
-fstack-limit-register=@var{reg} -fstack-limit-symbol=@var{sym} @gol
@@ -16556,11 +16557,49 @@ conditionals.
@item -fharden-control-flow-redundancy
@opindex fharden-control-flow-redundancy
Emit extra code to set booleans when entering basic blocks, and to
-verify, at function exits (returns, escaping exceptions, and before tail
-and noreturn calls), and trap when they indicate an execution path that
-is incompatible with the control flow graph. Tuning options
-@option{--param hardcfr-max-blocks} and @option{--param
-hardcfr-max-inline-blocks} are available.
+verify, at function exits (returns, before tail calls, and optionally,
+before escaping exceptions with @option{-fhardcfr-check-exceptions}, and
+before noreturn calls with @option{-fhardcfr-check-noreturn-calls}), and
+trap when they indicate an execution path that is incompatible with the
+control flow graph. Tuning options @option{--param hardcfr-max-blocks}
+and @option{--param hardcfr-max-inline-blocks} are available.
+
+@item -fhardcfr-check-exceptions
+@opindex fhardcfr-check-exceptions
+@opindex fno-hardcfr-check-exceptions
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph at exception
+escape points, as if the function body was wrapped with a cleanup
+handler that performed the check and reraised. This option is enabled
+by default; use @option{-fno-hardcfr-check-exceptions} to disable it.
+
+@item -fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]}
+@opindex fhardcfr-check-noreturn-calls
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph before
+@code{noreturn} calls, either all of them (@option{always}), those that
+may not return control to the caller through an exception either
+(@option{nothrow}), or none of them (@option{never}, the default).
+
+Checking before a @code{noreturn} function that may return control to
+the caller through an exception may cause checking to be performed more
+than once, if the exception is caught in the caller, whether by a
+handler or a cleanup. When @option{-fhardcfr-check-exceptions} is also
+enabled, the compiler will avoid associating a @code{noreturn} call with
+the implicitly-added cleanup handler, since it would be redundant with
+the check performed before the call, but other handlers or cleanups in
+the function, if activated, will modify the recorded execution path and
+check it again when another checkpoint is hit. The checkpoint may even
+be another @code{noreturn} call, so checking may end up performed
+multiple times.
+
+Various optimizers may cause calls to be marked as @code{noreturn}
+and/or @code{nothrow}, even in the absence of the corresponding
+attributes, which may affect the placement of checks before calls, as
+well as the addition of implicit cleanup handlers for them. This
+unpredictability, and the fact that raising and reraising exceptions
+frequently amounts to implicitly calling @code{noreturn} functions, have
+made @option{never} the default setting for this option.
@item -fstack-protector
@opindex fstack-protector
diff --git a/gcc/flag-types.h b/gcc/flag-types.h
index a11f99af887..02926184559 100644
--- a/gcc/flag-types.h
+++ b/gcc/flag-types.h
@@ -163,6 +163,16 @@ enum stack_reuse_level
SR_ALL
};
+/* Control Flow Redundancy hardening options for noreturn calls. */
+enum hardcfr_noret
+{
+ HCFRNR_NEVER,
+ HCFRNR_NOTHROW,
+ HCFRNR_NOT_ALWAYS, /* Reserved for future use. */
+ HCFRNR_ALWAYS,
+ HCFRNR_UNSPECIFIED = -1
+};
+
/* The live patching level. */
enum live_patching_level
{
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 00c84f6ada1..6d03e24d38a 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -29,7 +29,9 @@ along with GCC; see the file COPYING3. If not see
#include "tree-pass.h"
#include "ssa.h"
#include "gimple-iterator.h"
+#include "gimple-pretty-print.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -108,8 +110,9 @@ public:
return false;
}
- if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ if (fun->cfg && param_hardcfr_max_blocks > 0
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
warning_at (DECL_SOURCE_LOCATION (fun->decl), 0,
"%qD has more than %u blocks, the requested"
@@ -167,8 +170,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -240,8 +243,7 @@ class rt_bb_visited
}
/* Set the bit corresponding to BB in VISITED. Add to SEQ any
- required gimple statements, and return SEQ, possibly
- modified. */
+ required gimple stmts, and return SEQ, possibly modified. */
gimple_seq vset (basic_block bb, gimple_seq seq = NULL)
{
tree bit, setme = vword (bb, &bit);
@@ -344,8 +346,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
- || !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
{
@@ -503,6 +504,12 @@ public:
edge e = EDGE_PRED (EXIT_BLOCK_PTR_FOR_FN (cfun), i);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in"
+ " block %i's edge to exit.\n",
+ e->src->index);
+
insert_exit_check (seq, e);
gcc_checking_assert (!bitmap_bit_p (noreturn_blocks, e->src->index));
@@ -519,6 +526,11 @@ public:
if (--count_noreturn)
seq = gimple_seq_copy (seq);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in noreturn block %i.\n",
+ bb->index);
+
if (!insert_exit_check (seq, bb))
gcc_unreachable ();
}
@@ -530,8 +542,43 @@ public:
/* Inline checking requires a single exit edge. */
gimple *last = gsi_stmt (gsi_last (ckseq));
- insert_exit_check (ckseq,
- single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ if (!count_noreturn)
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in"
+ " block %i's edge to exit.\n",
+ single_pred (EXIT_BLOCK_PTR_FOR_FN (cfun))->index);
+
+ insert_exit_check (ckseq,
+ single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ }
+ else
+ {
+ gcc_checking_assert (count_noreturn == 1);
+
+ sbitmap_iterator it;
+ unsigned i;
+ EXECUTE_IF_SET_IN_BITMAP (noreturn_blocks, 0, i, it)
+ {
+ basic_block bb = BASIC_BLOCK_FOR_FN (cfun, i);
+
+ gimple_seq seq = ckseq;
+ gcc_checking_assert (count_noreturn > 0);
+ if (--count_noreturn)
+ seq = gimple_seq_copy (seq);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in noreturn block %i.\n",
+ bb->index);
+
+ if (!insert_exit_check (seq, bb))
+ gcc_unreachable ();
+ }
+
+ gcc_checking_assert (count_noreturn == 0);
+ }
/* The inserted ckseq computes CKFAIL at LAST. Now we have to
conditionally trap on it. */
@@ -552,8 +599,7 @@ public:
add_bb_to_loop (trp, current_loops->tree_root);
/* Insert a conditional branch to the trap block. If the
- conditional wouldn't be the last statement, split the
- block. */
+ conditional wouldn't be the last stmt, split the block. */
gimple_stmt_iterator gsi = gsi_for_stmt (last);
if (!gsi_one_before_end_p (gsi))
split_block (gsi_bb (gsi), gsi_stmt (gsi));
@@ -637,7 +683,7 @@ public:
return false;
}
- /* Add to CKSEQ statements to clear CKPART if OBB is visited. */
+ /* Add to CKSEQ stmts to clear CKPART if OBB is visited. */
void
build_block_check (basic_block obb)
{
@@ -663,7 +709,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -683,10 +729,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -707,6 +756,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -717,16 +768,44 @@ public:
}
};
+/* It might be useful to avoid checking before noreturn calls that are
+ known to always finish by throwing an exception, rather than by
+ ending the program or looping forever. Such functions would have
+ to be annotated somehow, with an attribute or flag.
+ Exception-raising functions, such as C++'s __cxa_throw,
+ __cxa_rethrow, and Ada's */
+static bool
+always_throwing_noreturn_call_p (gimple *)
+{
+ return false;
+}
+
/* Control flow redundancy hardening: record the execution path, and
verify at exit that an expect path was taken. */
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool const check_at_escaping_exceptions
+ = (flag_exceptions
+ && flag_harden_control_flow_redundancy_check_exceptions);
+ bool const check_before_noreturn_calls
+ = flag_harden_control_flow_redundancy_check_noreturn > HCFRNR_NEVER;
+ bool const check_before_nothrow_noreturn_calls
+ = (check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= HCFRNR_NOTHROW);
+ bool const check_before_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn > HCFRNR_NOTHROW);
+ bool const check_before_always_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= HCFRNR_ALWAYS);
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (check_at_escaping_exceptions)
{
int lp_eh_cleanup = -1;
@@ -752,7 +831,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -760,8 +839,48 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ /* Don't split blocks at, nor add EH edvges to, tail
+ calls, we will add verification before the call
+ anyway. */
+ if (is_a <gcall *> (stmt)
+ && (gimple_call_must_tail_p (as_a <gcall *> (stmt))
+ || gimple_call_tail_p (as_a <gcall *> (stmt))))
+ continue;
+
+ if (!gsi_one_before_end_p (gsi))
split_block (bb, stmt);
+ /* A resx or noreturn call needs not be associated with
+ the cleanup handler if we're going to add checking
+ before it. We only test cases that didn't require
+ block splitting because noreturn calls would always
+ be at the end of blocks, and we test for zero
+ successors because if there is an edge, it's not
+ noreturn, as any EH edges would have already been
+ caught by the lookup_stmt_eh_lp test above. */
+ else if (check_before_noreturn_calls
+ && EDGE_COUNT (bb->succs) == 0
+ && (is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls))
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Bypassing cleanup for noreturn stmt"
+ " in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+ continue;
+ }
if (!bb_eh_cleanup)
{
@@ -784,15 +903,47 @@ pass_harden_control_flow_redundancy::execute (function *fun)
ehgsi = gsi_after_labels (bb_eh_cleanup);
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Created cleanup block %i:\n",
+ bb_eh_cleanup->index);
+ }
+ else if (dom_info_available_p (CDI_DOMINATORS))
+ {
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
- else
+
+ if (dump_file)
{
- // Update immedite dominator and loop?
+ fprintf (dump_file,
+ "Associated cleanup block with stmt in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
+ }
+
+ if (bb_eh_cleanup)
+ {
+ /* A cfg_cleanup after bb_eh_cleanup makes for a more compact
+ rtcfg, and it avoids bb numbering differences when we split
+ blocks because of trailing debug insns only. */
+ cleanup_tree_cfg ();
+ gcc_checking_assert (EDGE_COUNT (bb_eh_cleanup->succs) == 0);
}
}
@@ -803,56 +954,97 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ if (gsi_end_p (gsi))
continue;
- }
+ gimple *stmt = gsi_stmt (gsi);
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
-
- if (found_non_eh_edge)
- continue;
-
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ /* A stmt at the end of a block without any successors is
+ either a resx or a noreturn call without a local
+ handler. Check that it's one of the desired
+ checkpoints. */
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? (check_before_always_throwing_noreturn_calls
+ || bb == bb_eh_cleanup)
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (/* Catch cases in which successors would be
+ expected. */
+ gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in succ-less block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
continue;
- }
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup
+ || !check_at_escaping_exceptions);
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? false
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? (/* Catch cases that should not have successors. */
+ gcc_unreachable (), check_before_nothrow_noreturn_calls)
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ gcc_checking_assert (single_succ_p (bb)
+ && (single_succ_edge (bb)->flags & EDGE_EH));
+
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in EH-succ block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
+ }
+ else if (bb_eh_cleanup)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
count_noreturn++;
+ else
+ gcc_unreachable ();
}
gcc_checking_assert (!bb_eh_cleanup
@@ -863,12 +1055,29 @@ pass_harden_control_flow_redundancy::execute (function *fun)
amount to a function that ends with an infinite loop. */
if (!count_noreturn
&& EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (fun)->preds) == 0)
- return 0;
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Disabling CFR, no exit paths to check\n");
+
+ return 0;
+ }
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
new file mode 100644
index 00000000000..a6992eb9f8e
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
@@ -0,0 +1,12 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -O0 -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization. */
+
+#include "torture/harden-cfr-noret.c"
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f and of h2. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
new file mode 100644
index 00000000000..8bd2d13ac18
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization, which
+ affects codegen for h2, so h2 is omitted here at -O0. */
+
+#if !__OPTIMIZE__
+# define OMIT_H2
+#endif
+
+#include "harden-cfr-noret.c"
+
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
new file mode 100644
index 00000000000..a804a6cfe59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fno-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that -fno-exceptions makes for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
new file mode 100644
index 00000000000..f390cfdbc59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
@@ -0,0 +1,13 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before nothrow noreturn calls. */
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
new file mode 100644
index 00000000000..a58afd7944c
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
@@ -0,0 +1,38 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before all noreturn calls. */
+
+#ifndef ATTR_NOTHROW_OPT /* Overridden in harden-cfr-noret-noexcept. */
+#define ATTR_NOTHROW_OPT __attribute__ ((__nothrow__))
+#endif
+
+extern void __attribute__ ((__noreturn__)) ATTR_NOTHROW_OPT g(void);
+
+void f(int i) {
+ if (i)
+ /* Out-of-line checks here... */
+ g ();
+ /* ... and here. */
+}
+
+void __attribute__ ((__noinline__, __noclone__))
+h(void) {
+ /* Inline check here. */
+ g ();
+}
+
+#ifndef OMIT_H2 /* from harden-cfr-noret-never. */
+void h2(void) {
+ /* Inline check either here, whether because of noreturn or tail call... */
+ h ();
+ /* ... or here, if not optimizing. */
+}
+#endif
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
new file mode 100644
index 00000000000..17ea79f7cfb
--- /dev/null
+++ b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects -O0" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. h2 and h2b get an extra resx without ehcleanup. */
+
+#include "torture/harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 16 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
new file mode 100644
index 00000000000..dad9693e1d2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Bypassing cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
new file mode 100644
index 00000000000..33e1ae26f80
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
@@ -0,0 +1,17 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. Expected results for =never and =nothrow are the same,
+ since the functions are not nothrow. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
new file mode 100644
index 00000000000..b47d880ada2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
@@ -0,0 +1,22 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#if ! __OPTIMIZE__
+void __attribute__ ((__noreturn__)) h (void);
+#endif
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
new file mode 100644
index 00000000000..52ef7bc601a
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
@@ -0,0 +1,20 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+#if ! __OPTIMIZE__
+/* Without optimization, functions with cleanups end up with an extra
+ resx that is not optimized out, so arrange to optimize them. */
+void __attribute__ ((__optimize__ (1))) h2(void);
+void __attribute__ ((__optimize__ (1))) h2b(void);
+#endif
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 14 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
+/* h, h2, h2b, and h4. */
+/* { dg-final { scan-tree-dump-times "Bypassing" 4 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
new file mode 100644
index 00000000000..da7c9cf1033
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we do not insert cleanups for checking around the bodies
+ of maybe-throwing functions. h4 doesn't get any checks, because we
+ don't have noreturn checking enabled. */
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 6 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
new file mode 100644
index 00000000000..2dbc67c34d9
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
@@ -0,0 +1,65 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions. */
+
+extern void g (void);
+extern void g2 (void);
+
+void f(int i) {
+ if (i)
+ g ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void f2(int i) {
+ if (i)
+ g ();
+ else
+ g2 ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h(void) {
+ try {
+ g ();
+ } catch (...) {
+ throw;
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+struct needs_cleanup {
+ ~needs_cleanup();
+};
+
+void h2(void) {
+ needs_cleanup y; /* No check in the cleanup handler. */
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+extern void __attribute__ ((__nothrow__)) another_cleanup (void*);
+
+void h2b(void) {
+ int x __attribute__ ((cleanup (another_cleanup)));
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h3(void) {
+ try {
+ throw 1;
+ } catch (...) {
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h4(void) {
+ /* Inline check before the __cxa_throw noreturn call. */
+ throw 1;
+}
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 12 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
new file mode 100644
index 00000000000..8e4ee1fab08
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
@@ -0,0 +1,15 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C makes for implicit nothrow in noreturn handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..55f6b995f2f 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,94 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+/* Print out the CFG with BLOCKS blocks, presumed to be associated with CALLER.
+ This is expected to be optimized out entirely, unless the verbose part of
+ __hardcfr_check_fail is enabled. */
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void const *const caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+/* This is called when an out-of-line hardcfr check fails. All the arguments
+ are ignored, and it just traps, unless HARDCFR_VERBOSE_FAIL is enabled. IF
+ it is, it prints the PART of the CFG, expected to have BLOCKS blocks, that
+ failed at CALLER's BLOCK, and the VISITED bitmap. When the verbose mode is
+ enabled, it also forces __hardcfr_debug_cfg (above) to be compiled into an
+ out-of-line function, that could be called from a debugger.
+ */
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t const block ATTRIBUTE_UNUSED,
+ int const part ATTRIBUTE_UNUSED,
+ void const *const caller ATTRIBUTE_UNUSED)
+{
+#if HARDCFR_VERBOSE_FAIL
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[part]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = part; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +267,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-24 22:46 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-24 22:46 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:0b5b8e041b88f1cf84ad69b7bb2a22d33749d4bd
commit 0b5b8e041b88f1cf84ad69b7bb2a22d33749d4bd
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 24 13:37:03 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
.../doc/gnat_rm/security_hardening_features.rst | 29 +-
gcc/common.opt | 29 ++
gcc/doc/invoke.texi | 51 ++-
gcc/flag-types.h | 10 +
gcc/gimple-harden-control-flow.cc | 353 ++++++++++++++++-----
.../c-c++-common/harden-cfr-noret-never-O0.c | 12 +
.../c-c++-common/torture/harden-cfr-noret-never.c | 18 ++
.../torture/harden-cfr-noret-noexcept.c | 16 +
.../torture/harden-cfr-noret-nothrow.c | 13 +
.../c-c++-common/torture/harden-cfr-noret.c | 38 +++
gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C | 11 +
.../torture/harden-cfr-noret-always-no-nothrow.C | 16 +
.../torture/harden-cfr-noret-never-no-nothrow.C | 17 +
.../g++.dg/torture/harden-cfr-noret-no-nothrow.C | 22 ++
.../g++.dg/torture/harden-cfr-throw-always.C | 20 ++
.../g++.dg/torture/harden-cfr-throw-nocleanup.C | 11 +
gcc/testsuite/g++.dg/torture/harden-cfr-throw.C | 65 ++++
.../gcc.dg/torture/harden-cfr-noret-no-nothrow.c | 15 +
libgcc/hardcfr.c | 119 ++++++-
19 files changed, 769 insertions(+), 96 deletions(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index b7803cde588..9d762e7c8cc 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -263,16 +263,25 @@ For each block that is marked as visited, the mechanism checks that at
least one of its predecessors, and at least one of its successors, are
also marked as visited.
-Verification is performed just before returns, tail- and noreturn
-calls. Furthermore, any subprogram from which an exception may
-escape, i.e., that may raise or propagate an exception that isn't
-handled internally, is automatically enclosed by a cleanup handler
-that performs verification. When a noreturn call returns control to
-its caller through an exception, verification will have already been
-performed before the call, but it will take place again when the
-caller reaches the next verification point, whether it is the end of
-the enclosing cleanup handler, a return or reraise statement after the
-exception is otherwise handled, or even another noreturn call.
+Verification is performed just before returns and tail calls.
+Verification may also be performed before noreturn calls, whether only
+nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`,
+or all of them, with :switch:`-fhardcfr-check-noreturn-calls=always`.
+Furthermore, any subprogram from which an exception may escape, i.e.,
+that may raise or propagate an exception that isn't handled
+internally, is automatically enclosed by a cleanup handler that
+performs verification, unless this is disabled with
+:switch:`-fno-hardcfr-check-exceptions`. When a noreturn call returns
+control to its caller through an exception, verification may have
+already been performed before the call, assuming
+:switch:`-fhardcfr-check-noreturn-calls=always` is in effect. The
+compiler arranges for already-checked noreturn calls without a
+preexisting handler to bypass the implicitly-added cleanup handler and
+thus the redundant check, but calls with a local handler will use it,
+which modifies the set of visited blocks, and checking will take place
+againwhen the caller reaches the next verification point, whether it
+is a return or reraise statement after the exception is otherwise
+handled, or even another noreturn call.
The instrumentation for hardening with control flow redundancy can be
observed in dump files generated by the command-line option
diff --git a/gcc/common.opt b/gcc/common.opt
index e347251f713..57f01330fcf 100644
--- a/gcc/common.opt
+++ b/gcc/common.opt
@@ -1801,6 +1801,35 @@ fharden-control-flow-redundancy
Common Var(flag_harden_control_flow_redundancy) Optimization
Harden control flow by recording and checking execution paths.
+fhardcfr-check-exceptions
+Common Var(flag_harden_control_flow_redundancy_check_exceptions) Init(-1) Optimization
+Check CFR execution paths also when exiting a function through an exception.
+
+fhardcfr-check-noreturn-calls=
+Common Joined RejectNegative Enum(hardcfr_check_noreturn_calls) Var(flag_harden_control_flow_redundancy_check_noreturn) Init(HCFRNR_UNSPECIFIED) Optimization
+-fhardcfr-check-noreturn-calls=[always|nothrow|never] Check CFR execution paths also before calling noreturn functions.
+
+Enum
+Name(hardcfr_check_noreturn_calls) Type(enum hardcfr_noret) UnknownError(unknown hardcfr noreturn checking level %qs)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(never) Value(HCFRNR_NEVER)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(nothrow) Value(HCFRNR_NOTHROW)
+
+; ??? There could be yet another option here, that checked before
+; noreturn calls, except for those known to always throw, if we had
+; means to distinguish noreturn functions known to always throw, such
+; as those used to (re)raise exceptions, from those that merely might
+; throw. "not always" stands for "not always-throwing", but it also
+; contrasts with "always" below.
+; EnumValue
+; Enum(hardcfr_check_noreturn_calls) String(not-always) Value(HCFRNR_NOT_ALWAYS)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(always) Value(HCFRNR_ALWAYS)
+
; Nonzero means ignore `#ident' directives. 0 means handle them.
; Generate position-independent code for executables if possible
; On SVR4 targets, it also controls whether or not to emit a
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 9c8f2eecb6c..1a8409d6e3e 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -624,7 +624,8 @@ Objective-C and Objective-C++ Dialects}.
-fsanitize-undefined-trap-on-error -fbounds-check @gol
-fcf-protection=@r{[}full@r{|}branch@r{|}return@r{|}none@r{|}check@r{]} @gol
-fharden-compares -fharden-conditional-branches @gol
--fharden-control-flow-redundancy @gol
+-fharden-control-flow-redundancy -fhardcfr-check-exceptions @gol
+-fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]} @gol
-fstack-protector -fstack-protector-all -fstack-protector-strong @gol
-fstack-protector-explicit -fstack-check @gol
-fstack-limit-register=@var{reg} -fstack-limit-symbol=@var{sym} @gol
@@ -16556,11 +16557,49 @@ conditionals.
@item -fharden-control-flow-redundancy
@opindex fharden-control-flow-redundancy
Emit extra code to set booleans when entering basic blocks, and to
-verify, at function exits (returns, escaping exceptions, and before tail
-and noreturn calls), and trap when they indicate an execution path that
-is incompatible with the control flow graph. Tuning options
-@option{--param hardcfr-max-blocks} and @option{--param
-hardcfr-max-inline-blocks} are available.
+verify, at function exits (returns, before tail calls, and optionally,
+before escaping exceptions with @option{-fhardcfr-check-exceptions}, and
+before noreturn calls with @option{-fhardcfr-check-noreturn-calls}), and
+trap when they indicate an execution path that is incompatible with the
+control flow graph. Tuning options @option{--param hardcfr-max-blocks}
+and @option{--param hardcfr-max-inline-blocks} are available.
+
+@item -fhardcfr-check-exceptions
+@opindex fhardcfr-check-exceptions
+@opindex fno-hardcfr-check-exceptions
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph at exception
+escape points, as if the function body was wrapped with a cleanup
+handler that performed the check and reraised. This option is enabled
+by default; use @option{-fno-hardcfr-check-exceptions} to disable it.
+
+@item -fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]}
+@opindex fhardcfr-check-noreturn-calls
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph before
+@code{noreturn} calls, either all of them (@option{always}), those that
+may not return control to the caller through an exception either
+(@option{nothrow}), or none of them (@option{never}, the default).
+
+Checking before a @code{noreturn} function that may return control to
+the caller through an exception may cause checking to be performed more
+than once, if the exception is caught in the caller, whether by a
+handler or a cleanup. When @option{-fhardcfr-check-exceptions} is also
+enabled, the compiler will avoid associating a @code{noreturn} call with
+the implicitly-added cleanup handler, since it would be redundant with
+the check performed before the call, but other handlers or cleanups in
+the function, if activated, will modify the recorded execution path and
+check it again when another checkpoint is hit. The checkpoint may even
+be another @code{noreturn} call, so checking may end up performed
+multiple times.
+
+Various optimizers may cause calls to be marked as @code{noreturn}
+and/or @code{nothrow}, even in the absence of the corresponding
+attributes, which may affect the placement of checks before calls, as
+well as the addition of implicit cleanup handlers for them. This
+unpredictability, and the fact that raising and reraising exceptions
+frequently amounts to implicitly calling @code{noreturn} functions, have
+made @option{never} the default setting for this option.
@item -fstack-protector
@opindex fstack-protector
diff --git a/gcc/flag-types.h b/gcc/flag-types.h
index a11f99af887..02926184559 100644
--- a/gcc/flag-types.h
+++ b/gcc/flag-types.h
@@ -163,6 +163,16 @@ enum stack_reuse_level
SR_ALL
};
+/* Control Flow Redundancy hardening options for noreturn calls. */
+enum hardcfr_noret
+{
+ HCFRNR_NEVER,
+ HCFRNR_NOTHROW,
+ HCFRNR_NOT_ALWAYS, /* Reserved for future use. */
+ HCFRNR_ALWAYS,
+ HCFRNR_UNSPECIFIED = -1
+};
+
/* The live patching level. */
enum live_patching_level
{
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 00c84f6ada1..6d03e24d38a 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -29,7 +29,9 @@ along with GCC; see the file COPYING3. If not see
#include "tree-pass.h"
#include "ssa.h"
#include "gimple-iterator.h"
+#include "gimple-pretty-print.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -108,8 +110,9 @@ public:
return false;
}
- if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ if (fun->cfg && param_hardcfr_max_blocks > 0
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
warning_at (DECL_SOURCE_LOCATION (fun->decl), 0,
"%qD has more than %u blocks, the requested"
@@ -167,8 +170,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -240,8 +243,7 @@ class rt_bb_visited
}
/* Set the bit corresponding to BB in VISITED. Add to SEQ any
- required gimple statements, and return SEQ, possibly
- modified. */
+ required gimple stmts, and return SEQ, possibly modified. */
gimple_seq vset (basic_block bb, gimple_seq seq = NULL)
{
tree bit, setme = vword (bb, &bit);
@@ -344,8 +346,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
- || !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
{
@@ -503,6 +504,12 @@ public:
edge e = EDGE_PRED (EXIT_BLOCK_PTR_FOR_FN (cfun), i);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in"
+ " block %i's edge to exit.\n",
+ e->src->index);
+
insert_exit_check (seq, e);
gcc_checking_assert (!bitmap_bit_p (noreturn_blocks, e->src->index));
@@ -519,6 +526,11 @@ public:
if (--count_noreturn)
seq = gimple_seq_copy (seq);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in noreturn block %i.\n",
+ bb->index);
+
if (!insert_exit_check (seq, bb))
gcc_unreachable ();
}
@@ -530,8 +542,43 @@ public:
/* Inline checking requires a single exit edge. */
gimple *last = gsi_stmt (gsi_last (ckseq));
- insert_exit_check (ckseq,
- single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ if (!count_noreturn)
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in"
+ " block %i's edge to exit.\n",
+ single_pred (EXIT_BLOCK_PTR_FOR_FN (cfun))->index);
+
+ insert_exit_check (ckseq,
+ single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ }
+ else
+ {
+ gcc_checking_assert (count_noreturn == 1);
+
+ sbitmap_iterator it;
+ unsigned i;
+ EXECUTE_IF_SET_IN_BITMAP (noreturn_blocks, 0, i, it)
+ {
+ basic_block bb = BASIC_BLOCK_FOR_FN (cfun, i);
+
+ gimple_seq seq = ckseq;
+ gcc_checking_assert (count_noreturn > 0);
+ if (--count_noreturn)
+ seq = gimple_seq_copy (seq);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in noreturn block %i.\n",
+ bb->index);
+
+ if (!insert_exit_check (seq, bb))
+ gcc_unreachable ();
+ }
+
+ gcc_checking_assert (count_noreturn == 0);
+ }
/* The inserted ckseq computes CKFAIL at LAST. Now we have to
conditionally trap on it. */
@@ -552,8 +599,7 @@ public:
add_bb_to_loop (trp, current_loops->tree_root);
/* Insert a conditional branch to the trap block. If the
- conditional wouldn't be the last statement, split the
- block. */
+ conditional wouldn't be the last stmt, split the block. */
gimple_stmt_iterator gsi = gsi_for_stmt (last);
if (!gsi_one_before_end_p (gsi))
split_block (gsi_bb (gsi), gsi_stmt (gsi));
@@ -637,7 +683,7 @@ public:
return false;
}
- /* Add to CKSEQ statements to clear CKPART if OBB is visited. */
+ /* Add to CKSEQ stmts to clear CKPART if OBB is visited. */
void
build_block_check (basic_block obb)
{
@@ -663,7 +709,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -683,10 +729,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -707,6 +756,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -717,16 +768,44 @@ public:
}
};
+/* It might be useful to avoid checking before noreturn calls that are
+ known to always finish by throwing an exception, rather than by
+ ending the program or looping forever. Such functions would have
+ to be annotated somehow, with an attribute or flag.
+ Exception-raising functions, such as C++'s __cxa_throw,
+ __cxa_rethrow, and Ada's */
+static bool
+always_throwing_noreturn_call_p (gimple *)
+{
+ return false;
+}
+
/* Control flow redundancy hardening: record the execution path, and
verify at exit that an expect path was taken. */
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool const check_at_escaping_exceptions
+ = (flag_exceptions
+ && flag_harden_control_flow_redundancy_check_exceptions);
+ bool const check_before_noreturn_calls
+ = flag_harden_control_flow_redundancy_check_noreturn > HCFRNR_NEVER;
+ bool const check_before_nothrow_noreturn_calls
+ = (check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= HCFRNR_NOTHROW);
+ bool const check_before_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn > HCFRNR_NOTHROW);
+ bool const check_before_always_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= HCFRNR_ALWAYS);
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (check_at_escaping_exceptions)
{
int lp_eh_cleanup = -1;
@@ -752,7 +831,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -760,8 +839,48 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ /* Don't split blocks at, nor add EH edvges to, tail
+ calls, we will add verification before the call
+ anyway. */
+ if (is_a <gcall *> (stmt)
+ && (gimple_call_must_tail_p (as_a <gcall *> (stmt))
+ || gimple_call_tail_p (as_a <gcall *> (stmt))))
+ continue;
+
+ if (!gsi_one_before_end_p (gsi))
split_block (bb, stmt);
+ /* A resx or noreturn call needs not be associated with
+ the cleanup handler if we're going to add checking
+ before it. We only test cases that didn't require
+ block splitting because noreturn calls would always
+ be at the end of blocks, and we test for zero
+ successors because if there is an edge, it's not
+ noreturn, as any EH edges would have already been
+ caught by the lookup_stmt_eh_lp test above. */
+ else if (check_before_noreturn_calls
+ && EDGE_COUNT (bb->succs) == 0
+ && (is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls))
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Bypassing cleanup for noreturn stmt"
+ " in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+ continue;
+ }
if (!bb_eh_cleanup)
{
@@ -784,15 +903,47 @@ pass_harden_control_flow_redundancy::execute (function *fun)
ehgsi = gsi_after_labels (bb_eh_cleanup);
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Created cleanup block %i:\n",
+ bb_eh_cleanup->index);
+ }
+ else if (dom_info_available_p (CDI_DOMINATORS))
+ {
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
- else
+
+ if (dump_file)
{
- // Update immedite dominator and loop?
+ fprintf (dump_file,
+ "Associated cleanup block with stmt in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
+ }
+
+ if (bb_eh_cleanup)
+ {
+ /* A cfg_cleanup after bb_eh_cleanup makes for a more compact
+ rtcfg, and it avoids bb numbering differences when we split
+ blocks because of trailing debug insns only. */
+ cleanup_tree_cfg ();
+ gcc_checking_assert (EDGE_COUNT (bb_eh_cleanup->succs) == 0);
}
}
@@ -803,56 +954,97 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ if (gsi_end_p (gsi))
continue;
- }
+ gimple *stmt = gsi_stmt (gsi);
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
-
- if (found_non_eh_edge)
- continue;
-
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ /* A stmt at the end of a block without any successors is
+ either a resx or a noreturn call without a local
+ handler. Check that it's one of the desired
+ checkpoints. */
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? (check_before_always_throwing_noreturn_calls
+ || bb == bb_eh_cleanup)
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (/* Catch cases in which successors would be
+ expected. */
+ gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in succ-less block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
continue;
- }
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup
+ || !check_at_escaping_exceptions);
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? false
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? (/* Catch cases that should not have successors. */
+ gcc_unreachable (), check_before_nothrow_noreturn_calls)
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ gcc_checking_assert (single_succ_p (bb)
+ && (single_succ_edge (bb)->flags & EDGE_EH));
+
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in EH-succ block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
+ }
+ else if (bb_eh_cleanup)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
count_noreturn++;
+ else
+ gcc_unreachable ();
}
gcc_checking_assert (!bb_eh_cleanup
@@ -863,12 +1055,29 @@ pass_harden_control_flow_redundancy::execute (function *fun)
amount to a function that ends with an infinite loop. */
if (!count_noreturn
&& EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (fun)->preds) == 0)
- return 0;
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Disabling CFR, no exit paths to check\n");
+
+ return 0;
+ }
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
new file mode 100644
index 00000000000..a6992eb9f8e
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
@@ -0,0 +1,12 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -O0 -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization. */
+
+#include "torture/harden-cfr-noret.c"
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f and of h2. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
new file mode 100644
index 00000000000..8bd2d13ac18
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization, which
+ affects codegen for h2, so h2 is omitted here at -O0. */
+
+#if !__OPTIMIZE__
+# define OMIT_H2
+#endif
+
+#include "harden-cfr-noret.c"
+
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
new file mode 100644
index 00000000000..a804a6cfe59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fno-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that -fno-exceptions makes for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
new file mode 100644
index 00000000000..f390cfdbc59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
@@ -0,0 +1,13 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before nothrow noreturn calls. */
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
new file mode 100644
index 00000000000..a58afd7944c
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
@@ -0,0 +1,38 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before all noreturn calls. */
+
+#ifndef ATTR_NOTHROW_OPT /* Overridden in harden-cfr-noret-noexcept. */
+#define ATTR_NOTHROW_OPT __attribute__ ((__nothrow__))
+#endif
+
+extern void __attribute__ ((__noreturn__)) ATTR_NOTHROW_OPT g(void);
+
+void f(int i) {
+ if (i)
+ /* Out-of-line checks here... */
+ g ();
+ /* ... and here. */
+}
+
+void __attribute__ ((__noinline__, __noclone__))
+h(void) {
+ /* Inline check here. */
+ g ();
+}
+
+#ifndef OMIT_H2 /* from harden-cfr-noret-never. */
+void h2(void) {
+ /* Inline check either here, whether because of noreturn or tail call... */
+ h ();
+ /* ... or here, if not optimizing. */
+}
+#endif
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
new file mode 100644
index 00000000000..17ea79f7cfb
--- /dev/null
+++ b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects -O0" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. h2 and h2b get an extra resx without ehcleanup. */
+
+#include "torture/harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 16 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
new file mode 100644
index 00000000000..dad9693e1d2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Bypassing cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
new file mode 100644
index 00000000000..33e1ae26f80
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
@@ -0,0 +1,17 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. Expected results for =never and =nothrow are the same,
+ since the functions are not nothrow. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
new file mode 100644
index 00000000000..b47d880ada2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
@@ -0,0 +1,22 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#if ! __OPTIMIZE__
+void __attribute__ ((__noreturn__)) h (void);
+#endif
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
new file mode 100644
index 00000000000..52ef7bc601a
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
@@ -0,0 +1,20 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+#if ! __OPTIMIZE__
+/* Without optimization, functions with cleanups end up with an extra
+ resx that is not optimized out, so arrange to optimize them. */
+void __attribute__ ((__optimize__ (1))) h2(void);
+void __attribute__ ((__optimize__ (1))) h2b(void);
+#endif
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 14 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
+/* h, h2, h2b, and h4. */
+/* { dg-final { scan-tree-dump-times "Bypassing" 4 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
new file mode 100644
index 00000000000..da7c9cf1033
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we do not insert cleanups for checking around the bodies
+ of maybe-throwing functions. h4 doesn't get any checks, because we
+ don't have noreturn checking enabled. */
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 6 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
new file mode 100644
index 00000000000..2dbc67c34d9
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
@@ -0,0 +1,65 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions. */
+
+extern void g (void);
+extern void g2 (void);
+
+void f(int i) {
+ if (i)
+ g ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void f2(int i) {
+ if (i)
+ g ();
+ else
+ g2 ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h(void) {
+ try {
+ g ();
+ } catch (...) {
+ throw;
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+struct needs_cleanup {
+ ~needs_cleanup();
+};
+
+void h2(void) {
+ needs_cleanup y; /* No check in the cleanup handler. */
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+extern void __attribute__ ((__nothrow__)) another_cleanup (void*);
+
+void h2b(void) {
+ int x __attribute__ ((cleanup (another_cleanup)));
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h3(void) {
+ try {
+ throw 1;
+ } catch (...) {
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h4(void) {
+ /* Inline check before the __cxa_throw noreturn call. */
+ throw 1;
+}
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 12 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
new file mode 100644
index 00000000000..8e4ee1fab08
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
@@ -0,0 +1,15 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C makes for implicit nothrow in noreturn handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..55f6b995f2f 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,94 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+/* Print out the CFG with BLOCKS blocks, presumed to be associated with CALLER.
+ This is expected to be optimized out entirely, unless the verbose part of
+ __hardcfr_check_fail is enabled. */
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void const *const caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+/* This is called when an out-of-line hardcfr check fails. All the arguments
+ are ignored, and it just traps, unless HARDCFR_VERBOSE_FAIL is enabled. IF
+ it is, it prints the PART of the CFG, expected to have BLOCKS blocks, that
+ failed at CALLER's BLOCK, and the VISITED bitmap. When the verbose mode is
+ enabled, it also forces __hardcfr_debug_cfg (above) to be compiled into an
+ out-of-line function, that could be called from a debugger.
+ */
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t const block ATTRIBUTE_UNUSED,
+ int const part ATTRIBUTE_UNUSED,
+ void const *const caller ATTRIBUTE_UNUSED)
+{
+#if HARDCFR_VERBOSE_FAIL
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[part]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = part; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +267,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-24 19:39 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-24 19:39 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:0a1889d03ba989893ce1cebd9459604953ff565c
commit 0a1889d03ba989893ce1cebd9459604953ff565c
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 24 13:37:03 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
.../doc/gnat_rm/security_hardening_features.rst | 29 +-
gcc/common.opt | 29 ++
gcc/doc/invoke.texi | 51 ++-
gcc/flag-types.h | 10 +
gcc/gimple-harden-control-flow.cc | 351 ++++++++++++++++-----
.../c-c++-common/harden-cfr-noret-never-O0.c | 12 +
.../c-c++-common/torture/harden-cfr-noret-never.c | 18 ++
.../torture/harden-cfr-noret-noexcept.c | 16 +
.../torture/harden-cfr-noret-nothrow.c | 13 +
.../c-c++-common/torture/harden-cfr-noret.c | 38 +++
gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C | 11 +
.../torture/harden-cfr-noret-always-no-nothrow.C | 16 +
.../torture/harden-cfr-noret-never-no-nothrow.C | 17 +
.../g++.dg/torture/harden-cfr-noret-no-nothrow.C | 22 ++
.../g++.dg/torture/harden-cfr-throw-always.C | 20 ++
.../g++.dg/torture/harden-cfr-throw-nocleanup.C | 11 +
gcc/testsuite/g++.dg/torture/harden-cfr-throw.C | 65 ++++
.../gcc.dg/torture/harden-cfr-noret-no-nothrow.c | 15 +
libgcc/hardcfr.c | 119 ++++++-
19 files changed, 768 insertions(+), 95 deletions(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index b7803cde588..9d762e7c8cc 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -263,16 +263,25 @@ For each block that is marked as visited, the mechanism checks that at
least one of its predecessors, and at least one of its successors, are
also marked as visited.
-Verification is performed just before returns, tail- and noreturn
-calls. Furthermore, any subprogram from which an exception may
-escape, i.e., that may raise or propagate an exception that isn't
-handled internally, is automatically enclosed by a cleanup handler
-that performs verification. When a noreturn call returns control to
-its caller through an exception, verification will have already been
-performed before the call, but it will take place again when the
-caller reaches the next verification point, whether it is the end of
-the enclosing cleanup handler, a return or reraise statement after the
-exception is otherwise handled, or even another noreturn call.
+Verification is performed just before returns and tail calls.
+Verification may also be performed before noreturn calls, whether only
+nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`,
+or all of them, with :switch:`-fhardcfr-check-noreturn-calls=always`.
+Furthermore, any subprogram from which an exception may escape, i.e.,
+that may raise or propagate an exception that isn't handled
+internally, is automatically enclosed by a cleanup handler that
+performs verification, unless this is disabled with
+:switch:`-fno-hardcfr-check-exceptions`. When a noreturn call returns
+control to its caller through an exception, verification may have
+already been performed before the call, assuming
+:switch:`-fhardcfr-check-noreturn-calls=always` is in effect. The
+compiler arranges for already-checked noreturn calls without a
+preexisting handler to bypass the implicitly-added cleanup handler and
+thus the redundant check, but calls with a local handler will use it,
+which modifies the set of visited blocks, and checking will take place
+againwhen the caller reaches the next verification point, whether it
+is a return or reraise statement after the exception is otherwise
+handled, or even another noreturn call.
The instrumentation for hardening with control flow redundancy can be
observed in dump files generated by the command-line option
diff --git a/gcc/common.opt b/gcc/common.opt
index e347251f713..57f01330fcf 100644
--- a/gcc/common.opt
+++ b/gcc/common.opt
@@ -1801,6 +1801,35 @@ fharden-control-flow-redundancy
Common Var(flag_harden_control_flow_redundancy) Optimization
Harden control flow by recording and checking execution paths.
+fhardcfr-check-exceptions
+Common Var(flag_harden_control_flow_redundancy_check_exceptions) Init(-1) Optimization
+Check CFR execution paths also when exiting a function through an exception.
+
+fhardcfr-check-noreturn-calls=
+Common Joined RejectNegative Enum(hardcfr_check_noreturn_calls) Var(flag_harden_control_flow_redundancy_check_noreturn) Init(HCFRNR_UNSPECIFIED) Optimization
+-fhardcfr-check-noreturn-calls=[always|nothrow|never] Check CFR execution paths also before calling noreturn functions.
+
+Enum
+Name(hardcfr_check_noreturn_calls) Type(enum hardcfr_noret) UnknownError(unknown hardcfr noreturn checking level %qs)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(never) Value(HCFRNR_NEVER)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(nothrow) Value(HCFRNR_NOTHROW)
+
+; ??? There could be yet another option here, that checked before
+; noreturn calls, except for those known to always throw, if we had
+; means to distinguish noreturn functions known to always throw, such
+; as those used to (re)raise exceptions, from those that merely might
+; throw. "not always" stands for "not always-throwing", but it also
+; contrasts with "always" below.
+; EnumValue
+; Enum(hardcfr_check_noreturn_calls) String(not-always) Value(HCFRNR_NOT_ALWAYS)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(always) Value(HCFRNR_ALWAYS)
+
; Nonzero means ignore `#ident' directives. 0 means handle them.
; Generate position-independent code for executables if possible
; On SVR4 targets, it also controls whether or not to emit a
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 9c8f2eecb6c..1a8409d6e3e 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -624,7 +624,8 @@ Objective-C and Objective-C++ Dialects}.
-fsanitize-undefined-trap-on-error -fbounds-check @gol
-fcf-protection=@r{[}full@r{|}branch@r{|}return@r{|}none@r{|}check@r{]} @gol
-fharden-compares -fharden-conditional-branches @gol
--fharden-control-flow-redundancy @gol
+-fharden-control-flow-redundancy -fhardcfr-check-exceptions @gol
+-fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]} @gol
-fstack-protector -fstack-protector-all -fstack-protector-strong @gol
-fstack-protector-explicit -fstack-check @gol
-fstack-limit-register=@var{reg} -fstack-limit-symbol=@var{sym} @gol
@@ -16556,11 +16557,49 @@ conditionals.
@item -fharden-control-flow-redundancy
@opindex fharden-control-flow-redundancy
Emit extra code to set booleans when entering basic blocks, and to
-verify, at function exits (returns, escaping exceptions, and before tail
-and noreturn calls), and trap when they indicate an execution path that
-is incompatible with the control flow graph. Tuning options
-@option{--param hardcfr-max-blocks} and @option{--param
-hardcfr-max-inline-blocks} are available.
+verify, at function exits (returns, before tail calls, and optionally,
+before escaping exceptions with @option{-fhardcfr-check-exceptions}, and
+before noreturn calls with @option{-fhardcfr-check-noreturn-calls}), and
+trap when they indicate an execution path that is incompatible with the
+control flow graph. Tuning options @option{--param hardcfr-max-blocks}
+and @option{--param hardcfr-max-inline-blocks} are available.
+
+@item -fhardcfr-check-exceptions
+@opindex fhardcfr-check-exceptions
+@opindex fno-hardcfr-check-exceptions
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph at exception
+escape points, as if the function body was wrapped with a cleanup
+handler that performed the check and reraised. This option is enabled
+by default; use @option{-fno-hardcfr-check-exceptions} to disable it.
+
+@item -fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]}
+@opindex fhardcfr-check-noreturn-calls
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph before
+@code{noreturn} calls, either all of them (@option{always}), those that
+may not return control to the caller through an exception either
+(@option{nothrow}), or none of them (@option{never}, the default).
+
+Checking before a @code{noreturn} function that may return control to
+the caller through an exception may cause checking to be performed more
+than once, if the exception is caught in the caller, whether by a
+handler or a cleanup. When @option{-fhardcfr-check-exceptions} is also
+enabled, the compiler will avoid associating a @code{noreturn} call with
+the implicitly-added cleanup handler, since it would be redundant with
+the check performed before the call, but other handlers or cleanups in
+the function, if activated, will modify the recorded execution path and
+check it again when another checkpoint is hit. The checkpoint may even
+be another @code{noreturn} call, so checking may end up performed
+multiple times.
+
+Various optimizers may cause calls to be marked as @code{noreturn}
+and/or @code{nothrow}, even in the absence of the corresponding
+attributes, which may affect the placement of checks before calls, as
+well as the addition of implicit cleanup handlers for them. This
+unpredictability, and the fact that raising and reraising exceptions
+frequently amounts to implicitly calling @code{noreturn} functions, have
+made @option{never} the default setting for this option.
@item -fstack-protector
@opindex fstack-protector
diff --git a/gcc/flag-types.h b/gcc/flag-types.h
index a11f99af887..02926184559 100644
--- a/gcc/flag-types.h
+++ b/gcc/flag-types.h
@@ -163,6 +163,16 @@ enum stack_reuse_level
SR_ALL
};
+/* Control Flow Redundancy hardening options for noreturn calls. */
+enum hardcfr_noret
+{
+ HCFRNR_NEVER,
+ HCFRNR_NOTHROW,
+ HCFRNR_NOT_ALWAYS, /* Reserved for future use. */
+ HCFRNR_ALWAYS,
+ HCFRNR_UNSPECIFIED = -1
+};
+
/* The live patching level. */
enum live_patching_level
{
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 00c84f6ada1..b3759d31bb9 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -29,7 +29,9 @@ along with GCC; see the file COPYING3. If not see
#include "tree-pass.h"
#include "ssa.h"
#include "gimple-iterator.h"
+#include "gimple-pretty-print.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -109,7 +111,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
warning_at (DECL_SOURCE_LOCATION (fun->decl), 0,
"%qD has more than %u blocks, the requested"
@@ -167,8 +170,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -240,8 +243,7 @@ class rt_bb_visited
}
/* Set the bit corresponding to BB in VISITED. Add to SEQ any
- required gimple statements, and return SEQ, possibly
- modified. */
+ required gimple stmts, and return SEQ, possibly modified. */
gimple_seq vset (basic_block bb, gimple_seq seq = NULL)
{
tree bit, setme = vword (bb, &bit);
@@ -344,8 +346,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
- || !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
{
@@ -503,6 +504,12 @@ public:
edge e = EDGE_PRED (EXIT_BLOCK_PTR_FOR_FN (cfun), i);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in"
+ " block %i's edge to exit.\n",
+ e->src->index);
+
insert_exit_check (seq, e);
gcc_checking_assert (!bitmap_bit_p (noreturn_blocks, e->src->index));
@@ -519,6 +526,11 @@ public:
if (--count_noreturn)
seq = gimple_seq_copy (seq);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in noreturn block %i.\n",
+ bb->index);
+
if (!insert_exit_check (seq, bb))
gcc_unreachable ();
}
@@ -530,8 +542,43 @@ public:
/* Inline checking requires a single exit edge. */
gimple *last = gsi_stmt (gsi_last (ckseq));
- insert_exit_check (ckseq,
- single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ if (!count_noreturn)
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in"
+ " block %i's edge to exit.\n",
+ single_pred (EXIT_BLOCK_PTR_FOR_FN (cfun))->index);
+
+ insert_exit_check (ckseq,
+ single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ }
+ else
+ {
+ gcc_checking_assert (count_noreturn == 1);
+
+ sbitmap_iterator it;
+ unsigned i;
+ EXECUTE_IF_SET_IN_BITMAP (noreturn_blocks, 0, i, it)
+ {
+ basic_block bb = BASIC_BLOCK_FOR_FN (cfun, i);
+
+ gimple_seq seq = ckseq;
+ gcc_checking_assert (count_noreturn > 0);
+ if (--count_noreturn)
+ seq = gimple_seq_copy (seq);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in noreturn block %i.\n",
+ bb->index);
+
+ if (!insert_exit_check (seq, bb))
+ gcc_unreachable ();
+ }
+
+ gcc_checking_assert (count_noreturn == 0);
+ }
/* The inserted ckseq computes CKFAIL at LAST. Now we have to
conditionally trap on it. */
@@ -552,8 +599,7 @@ public:
add_bb_to_loop (trp, current_loops->tree_root);
/* Insert a conditional branch to the trap block. If the
- conditional wouldn't be the last statement, split the
- block. */
+ conditional wouldn't be the last stmt, split the block. */
gimple_stmt_iterator gsi = gsi_for_stmt (last);
if (!gsi_one_before_end_p (gsi))
split_block (gsi_bb (gsi), gsi_stmt (gsi));
@@ -637,7 +683,7 @@ public:
return false;
}
- /* Add to CKSEQ statements to clear CKPART if OBB is visited. */
+ /* Add to CKSEQ stmts to clear CKPART if OBB is visited. */
void
build_block_check (basic_block obb)
{
@@ -663,7 +709,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -683,10 +729,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -707,6 +756,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -717,16 +768,44 @@ public:
}
};
+/* It might be useful to avoid checking before noreturn calls that are
+ known to always finish by throwing an exception, rather than by
+ ending the program or looping forever. Such functions would have
+ to be annotated somehow, with an attribute or flag.
+ Exception-raising functions, such as C++'s __cxa_throw,
+ __cxa_rethrow, and Ada's */
+static bool
+always_throwing_noreturn_call_p (gimple *)
+{
+ return false;
+}
+
/* Control flow redundancy hardening: record the execution path, and
verify at exit that an expect path was taken. */
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool const check_at_escaping_exceptions
+ = (flag_exceptions
+ && flag_harden_control_flow_redundancy_check_exceptions);
+ bool const check_before_noreturn_calls
+ = flag_harden_control_flow_redundancy_check_noreturn > HCFRNR_NEVER;
+ bool const check_before_nothrow_noreturn_calls
+ = (check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= HCFRNR_NOTHROW);
+ bool const check_before_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn > HCFRNR_NOTHROW);
+ bool const check_before_always_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= HCFRNR_ALWAYS);
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (check_at_escaping_exceptions)
{
int lp_eh_cleanup = -1;
@@ -752,7 +831,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -760,8 +839,48 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ /* Don't split blocks at, nor add EH edvges to, tail
+ calls, we will add verification before the call
+ anyway. */
+ if (is_a <gcall *> (stmt)
+ && (gimple_call_must_tail_p (as_a <gcall *> (stmt))
+ || gimple_call_tail_p (as_a <gcall *> (stmt))))
+ continue;
+
+ if (!gsi_one_before_end_p (gsi))
split_block (bb, stmt);
+ /* A resx or noreturn call needs not be associated with
+ the cleanup handler if we're going to add checking
+ before it. We only test cases that didn't require
+ block splitting because noreturn calls would always
+ be at the end of blocks, and we test for zero
+ successors because if there is an edge, it's not
+ noreturn, as any EH edges would have already been
+ caught by the lookup_stmt_eh_lp test above. */
+ else if (check_before_noreturn_calls
+ && EDGE_COUNT (bb->succs) == 0
+ && (is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls))
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Bypassing cleanup for noreturn stmt"
+ " in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+ continue;
+ }
if (!bb_eh_cleanup)
{
@@ -784,15 +903,47 @@ pass_harden_control_flow_redundancy::execute (function *fun)
ehgsi = gsi_after_labels (bb_eh_cleanup);
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Created cleanup block %i:\n",
+ bb_eh_cleanup->index);
+ }
+ else if (dom_info_available_p (CDI_DOMINATORS))
+ {
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
- else
+
+ if (dump_file)
{
- // Update immedite dominator and loop?
+ fprintf (dump_file,
+ "Associated cleanup block with stmt in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
+ }
+
+ if (bb_eh_cleanup)
+ {
+ /* A cfg_cleanup after bb_eh_cleanup makes for a more compact
+ rtcfg, and it avoids bb numbering differences when we split
+ blocks because of trailing debug insns only. */
+ cleanup_tree_cfg ();
+ gcc_checking_assert (EDGE_COUNT (bb_eh_cleanup->succs) == 0);
}
}
@@ -803,56 +954,97 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ if (gsi_end_p (gsi))
continue;
- }
+ gimple *stmt = gsi_stmt (gsi);
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
-
- if (found_non_eh_edge)
- continue;
-
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ /* A stmt at the end of a block without any successors is
+ either a resx or a noreturn call without a local
+ handler. Check that it's one of the desired
+ checkpoints. */
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? (check_before_always_throwing_noreturn_calls
+ || bb == bb_eh_cleanup)
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (/* Catch cases in which successors would be
+ expected. */
+ gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in succ-less block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
continue;
- }
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup
+ || !check_at_escaping_exceptions);
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? false
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? (/* Catch cases that should not have successors. */
+ gcc_unreachable (), check_before_nothrow_noreturn_calls)
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ gcc_checking_assert (single_succ_p (bb)
+ && (single_succ_edge (bb)->flags & EDGE_EH));
+
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in EH-succ block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
+ }
+ else if (bb_eh_cleanup)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
count_noreturn++;
+ else
+ gcc_unreachable ();
}
gcc_checking_assert (!bb_eh_cleanup
@@ -863,12 +1055,29 @@ pass_harden_control_flow_redundancy::execute (function *fun)
amount to a function that ends with an infinite loop. */
if (!count_noreturn
&& EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (fun)->preds) == 0)
- return 0;
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Disabling CFR, no exit paths to check\n");
+
+ return 0;
+ }
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
new file mode 100644
index 00000000000..a6992eb9f8e
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
@@ -0,0 +1,12 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -O0 -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization. */
+
+#include "torture/harden-cfr-noret.c"
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f and of h2. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
new file mode 100644
index 00000000000..8bd2d13ac18
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization, which
+ affects codegen for h2, so h2 is omitted here at -O0. */
+
+#if !__OPTIMIZE__
+# define OMIT_H2
+#endif
+
+#include "harden-cfr-noret.c"
+
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
new file mode 100644
index 00000000000..a804a6cfe59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fno-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that -fno-exceptions makes for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
new file mode 100644
index 00000000000..f390cfdbc59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
@@ -0,0 +1,13 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before nothrow noreturn calls. */
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
new file mode 100644
index 00000000000..a58afd7944c
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
@@ -0,0 +1,38 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before all noreturn calls. */
+
+#ifndef ATTR_NOTHROW_OPT /* Overridden in harden-cfr-noret-noexcept. */
+#define ATTR_NOTHROW_OPT __attribute__ ((__nothrow__))
+#endif
+
+extern void __attribute__ ((__noreturn__)) ATTR_NOTHROW_OPT g(void);
+
+void f(int i) {
+ if (i)
+ /* Out-of-line checks here... */
+ g ();
+ /* ... and here. */
+}
+
+void __attribute__ ((__noinline__, __noclone__))
+h(void) {
+ /* Inline check here. */
+ g ();
+}
+
+#ifndef OMIT_H2 /* from harden-cfr-noret-never. */
+void h2(void) {
+ /* Inline check either here, whether because of noreturn or tail call... */
+ h ();
+ /* ... or here, if not optimizing. */
+}
+#endif
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
new file mode 100644
index 00000000000..17ea79f7cfb
--- /dev/null
+++ b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects -O0" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. h2 and h2b get an extra resx without ehcleanup. */
+
+#include "torture/harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 16 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
new file mode 100644
index 00000000000..dad9693e1d2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Bypassing cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
new file mode 100644
index 00000000000..33e1ae26f80
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
@@ -0,0 +1,17 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. Expected results for =never and =nothrow are the same,
+ since the functions are not nothrow. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
new file mode 100644
index 00000000000..b47d880ada2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
@@ -0,0 +1,22 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#if ! __OPTIMIZE__
+void __attribute__ ((__noreturn__)) h (void);
+#endif
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
new file mode 100644
index 00000000000..52ef7bc601a
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
@@ -0,0 +1,20 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+#if ! __OPTIMIZE__
+/* Without optimization, functions with cleanups end up with an extra
+ resx that is not optimized out, so arrange to optimize them. */
+void __attribute__ ((__optimize__ (1))) h2(void);
+void __attribute__ ((__optimize__ (1))) h2b(void);
+#endif
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 14 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
+/* h, h2, h2b, and h4. */
+/* { dg-final { scan-tree-dump-times "Bypassing" 4 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
new file mode 100644
index 00000000000..da7c9cf1033
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we do not insert cleanups for checking around the bodies
+ of maybe-throwing functions. h4 doesn't get any checks, because we
+ don't have noreturn checking enabled. */
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 6 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
new file mode 100644
index 00000000000..2dbc67c34d9
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
@@ -0,0 +1,65 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions. */
+
+extern void g (void);
+extern void g2 (void);
+
+void f(int i) {
+ if (i)
+ g ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void f2(int i) {
+ if (i)
+ g ();
+ else
+ g2 ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h(void) {
+ try {
+ g ();
+ } catch (...) {
+ throw;
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+struct needs_cleanup {
+ ~needs_cleanup();
+};
+
+void h2(void) {
+ needs_cleanup y; /* No check in the cleanup handler. */
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+extern void __attribute__ ((__nothrow__)) another_cleanup (void*);
+
+void h2b(void) {
+ int x __attribute__ ((cleanup (another_cleanup)));
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h3(void) {
+ try {
+ throw 1;
+ } catch (...) {
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h4(void) {
+ /* Inline check before the __cxa_throw noreturn call. */
+ throw 1;
+}
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 12 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
new file mode 100644
index 00000000000..8e4ee1fab08
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
@@ -0,0 +1,15 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C makes for implicit nothrow in noreturn handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..55f6b995f2f 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,94 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+/* Print out the CFG with BLOCKS blocks, presumed to be associated with CALLER.
+ This is expected to be optimized out entirely, unless the verbose part of
+ __hardcfr_check_fail is enabled. */
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void const *const caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+/* This is called when an out-of-line hardcfr check fails. All the arguments
+ are ignored, and it just traps, unless HARDCFR_VERBOSE_FAIL is enabled. IF
+ it is, it prints the PART of the CFG, expected to have BLOCKS blocks, that
+ failed at CALLER's BLOCK, and the VISITED bitmap. When the verbose mode is
+ enabled, it also forces __hardcfr_debug_cfg (above) to be compiled into an
+ out-of-line function, that could be called from a debugger.
+ */
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t const block ATTRIBUTE_UNUSED,
+ int const part ATTRIBUTE_UNUSED,
+ void const *const caller ATTRIBUTE_UNUSED)
+{
+#if HARDCFR_VERBOSE_FAIL
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[part]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = part; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +267,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-24 16:53 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-24 16:53 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:c01de61fbd36a708f8ecd346f496d99585f7026c
commit c01de61fbd36a708f8ecd346f496d99585f7026c
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 24 13:37:03 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
.../doc/gnat_rm/security_hardening_features.rst | 29 +-
gcc/common.opt | 26 ++
gcc/doc/invoke.texi | 51 ++-
gcc/gimple-harden-control-flow.cc | 351 ++++++++++++++++-----
.../c-c++-common/harden-cfr-noret-never-O0.c | 12 +
.../c-c++-common/torture/harden-cfr-noret-never.c | 18 ++
.../torture/harden-cfr-noret-noexcept.c | 16 +
.../torture/harden-cfr-noret-nothrow.c | 13 +
.../c-c++-common/torture/harden-cfr-noret.c | 38 +++
gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C | 11 +
.../torture/harden-cfr-noret-always-no-nothrow.C | 16 +
.../torture/harden-cfr-noret-never-no-nothrow.C | 17 +
.../g++.dg/torture/harden-cfr-noret-no-nothrow.C | 22 ++
.../g++.dg/torture/harden-cfr-throw-always.C | 20 ++
.../g++.dg/torture/harden-cfr-throw-nocleanup.C | 11 +
gcc/testsuite/g++.dg/torture/harden-cfr-throw.C | 65 ++++
.../gcc.dg/torture/harden-cfr-noret-no-nothrow.c | 15 +
libgcc/hardcfr.c | 119 ++++++-
18 files changed, 755 insertions(+), 95 deletions(-)
diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index b7803cde588..9d762e7c8cc 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -263,16 +263,25 @@ For each block that is marked as visited, the mechanism checks that at
least one of its predecessors, and at least one of its successors, are
also marked as visited.
-Verification is performed just before returns, tail- and noreturn
-calls. Furthermore, any subprogram from which an exception may
-escape, i.e., that may raise or propagate an exception that isn't
-handled internally, is automatically enclosed by a cleanup handler
-that performs verification. When a noreturn call returns control to
-its caller through an exception, verification will have already been
-performed before the call, but it will take place again when the
-caller reaches the next verification point, whether it is the end of
-the enclosing cleanup handler, a return or reraise statement after the
-exception is otherwise handled, or even another noreturn call.
+Verification is performed just before returns and tail calls.
+Verification may also be performed before noreturn calls, whether only
+nothrow ones, with :switch:`-fhardcfr-check-noreturn-calls=nothrow`,
+or all of them, with :switch:`-fhardcfr-check-noreturn-calls=always`.
+Furthermore, any subprogram from which an exception may escape, i.e.,
+that may raise or propagate an exception that isn't handled
+internally, is automatically enclosed by a cleanup handler that
+performs verification, unless this is disabled with
+:switch:`-fno-hardcfr-check-exceptions`. When a noreturn call returns
+control to its caller through an exception, verification may have
+already been performed before the call, assuming
+:switch:`-fhardcfr-check-noreturn-calls=always` is in effect. The
+compiler arranges for already-checked noreturn calls without a
+preexisting handler to bypass the implicitly-added cleanup handler and
+thus the redundant check, but calls with a local handler will use it,
+which modifies the set of visited blocks, and checking will take place
+againwhen the caller reaches the next verification point, whether it
+is a return or reraise statement after the exception is otherwise
+handled, or even another noreturn call.
The instrumentation for hardening with control flow redundancy can be
observed in dump files generated by the command-line option
diff --git a/gcc/common.opt b/gcc/common.opt
index e0a002e6b16..749cc287fe5 100644
--- a/gcc/common.opt
+++ b/gcc/common.opt
@@ -1801,6 +1801,32 @@ fharden-control-flow-redundancy
Common Var(flag_harden_control_flow_redundancy) Init(-1) Optimization
Harden control flow by recording and checking execution paths.
+fhardcfr-check-exceptions
+Common Var(flag_harden_control_flow_redundancy_check_exceptions) Init(-1) Optimization
+Check CFR execution paths also when exiting a function through an exception.
+
+fhardcfr-check-noreturn-calls=
+Common Joined RejectNegative Enum(hardcfr_check_noreturn_calls) Var(flag_harden_control_flow_redundancy_check_noreturn) Init(-1) Optimization
+-fhardcfr-check-noreturn-calls=[always|nothrow|never] Check CFR execution paths also before calling noreturn functions.
+
+Enum
+Name(hardcfr_check_noreturn_calls) Type(int) UnknownError(unknown hardcfr noreturn checking level %qs)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(never) Value(0)
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(nothrow) Value(1)
+
+; ??? There could be yet another option here, that checked before
+; noreturn calls, except for those known to always throw, if we had
+; means to distinguish noreturn functions known to always throw, such
+; as those used to (re)raise exceptions, from those that merely might
+; throw.
+
+EnumValue
+Enum(hardcfr_check_noreturn_calls) String(always) Value(3)
+
; Nonzero means ignore `#ident' directives. 0 means handle them.
; Generate position-independent code for executables if possible
; On SVR4 targets, it also controls whether or not to emit a
diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index 9c8f2eecb6c..1a8409d6e3e 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -624,7 +624,8 @@ Objective-C and Objective-C++ Dialects}.
-fsanitize-undefined-trap-on-error -fbounds-check @gol
-fcf-protection=@r{[}full@r{|}branch@r{|}return@r{|}none@r{|}check@r{]} @gol
-fharden-compares -fharden-conditional-branches @gol
--fharden-control-flow-redundancy @gol
+-fharden-control-flow-redundancy -fhardcfr-check-exceptions @gol
+-fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]} @gol
-fstack-protector -fstack-protector-all -fstack-protector-strong @gol
-fstack-protector-explicit -fstack-check @gol
-fstack-limit-register=@var{reg} -fstack-limit-symbol=@var{sym} @gol
@@ -16556,11 +16557,49 @@ conditionals.
@item -fharden-control-flow-redundancy
@opindex fharden-control-flow-redundancy
Emit extra code to set booleans when entering basic blocks, and to
-verify, at function exits (returns, escaping exceptions, and before tail
-and noreturn calls), and trap when they indicate an execution path that
-is incompatible with the control flow graph. Tuning options
-@option{--param hardcfr-max-blocks} and @option{--param
-hardcfr-max-inline-blocks} are available.
+verify, at function exits (returns, before tail calls, and optionally,
+before escaping exceptions with @option{-fhardcfr-check-exceptions}, and
+before noreturn calls with @option{-fhardcfr-check-noreturn-calls}), and
+trap when they indicate an execution path that is incompatible with the
+control flow graph. Tuning options @option{--param hardcfr-max-blocks}
+and @option{--param hardcfr-max-inline-blocks} are available.
+
+@item -fhardcfr-check-exceptions
+@opindex fhardcfr-check-exceptions
+@opindex fno-hardcfr-check-exceptions
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph at exception
+escape points, as if the function body was wrapped with a cleanup
+handler that performed the check and reraised. This option is enabled
+by default; use @option{-fno-hardcfr-check-exceptions} to disable it.
+
+@item -fhardcfr-check-noreturn-calls=@r{[}always@r{|}nothrow@r{|}never@r{]}
+@opindex fhardcfr-check-noreturn-calls
+When @option{-fharden-control-flow-redundancy} is active, check the
+recorded execution path against the control flow graph before
+@code{noreturn} calls, either all of them (@option{always}), those that
+may not return control to the caller through an exception either
+(@option{nothrow}), or none of them (@option{never}, the default).
+
+Checking before a @code{noreturn} function that may return control to
+the caller through an exception may cause checking to be performed more
+than once, if the exception is caught in the caller, whether by a
+handler or a cleanup. When @option{-fhardcfr-check-exceptions} is also
+enabled, the compiler will avoid associating a @code{noreturn} call with
+the implicitly-added cleanup handler, since it would be redundant with
+the check performed before the call, but other handlers or cleanups in
+the function, if activated, will modify the recorded execution path and
+check it again when another checkpoint is hit. The checkpoint may even
+be another @code{noreturn} call, so checking may end up performed
+multiple times.
+
+Various optimizers may cause calls to be marked as @code{noreturn}
+and/or @code{nothrow}, even in the absence of the corresponding
+attributes, which may affect the placement of checks before calls, as
+well as the addition of implicit cleanup handlers for them. This
+unpredictability, and the fact that raising and reraising exceptions
+frequently amounts to implicitly calling @code{noreturn} functions, have
+made @option{never} the default setting for this option.
@item -fstack-protector
@opindex fstack-protector
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..a72143ea5a4 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -29,7 +29,9 @@ along with GCC; see the file COPYING3. If not see
#include "tree-pass.h"
#include "ssa.h"
#include "gimple-iterator.h"
+#include "gimple-pretty-print.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +115,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +176,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -246,8 +249,7 @@ class rt_bb_visited
}
/* Set the bit corresponding to BB in VISITED. Add to SEQ any
- required gimple statements, and return SEQ, possibly
- modified. */
+ required gimple stmts, and return SEQ, possibly modified. */
gimple_seq vset (basic_block bb, gimple_seq seq = NULL)
{
tree bit, setme = vword (bb, &bit);
@@ -350,8 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
- || !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
{
@@ -509,6 +510,12 @@ public:
edge e = EDGE_PRED (EXIT_BLOCK_PTR_FOR_FN (cfun), i);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in"
+ " block %i's edge to exit.\n",
+ e->src->index);
+
insert_exit_check (seq, e);
gcc_checking_assert (!bitmap_bit_p (noreturn_blocks, e->src->index));
@@ -525,6 +532,11 @@ public:
if (--count_noreturn)
seq = gimple_seq_copy (seq);
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting out-of-line check in noreturn block %i.\n",
+ bb->index);
+
if (!insert_exit_check (seq, bb))
gcc_unreachable ();
}
@@ -536,8 +548,43 @@ public:
/* Inline checking requires a single exit edge. */
gimple *last = gsi_stmt (gsi_last (ckseq));
- insert_exit_check (ckseq,
- single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ if (!count_noreturn)
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in"
+ " block %i's edge to exit.\n",
+ single_pred (EXIT_BLOCK_PTR_FOR_FN (cfun))->index);
+
+ insert_exit_check (ckseq,
+ single_pred_edge (EXIT_BLOCK_PTR_FOR_FN (cfun)));
+ }
+ else
+ {
+ gcc_checking_assert (count_noreturn == 1);
+
+ sbitmap_iterator it;
+ unsigned i;
+ EXECUTE_IF_SET_IN_BITMAP (noreturn_blocks, 0, i, it)
+ {
+ basic_block bb = BASIC_BLOCK_FOR_FN (cfun, i);
+
+ gimple_seq seq = ckseq;
+ gcc_checking_assert (count_noreturn > 0);
+ if (--count_noreturn)
+ seq = gimple_seq_copy (seq);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Inserting inline check in noreturn block %i.\n",
+ bb->index);
+
+ if (!insert_exit_check (seq, bb))
+ gcc_unreachable ();
+ }
+
+ gcc_checking_assert (count_noreturn == 0);
+ }
/* The inserted ckseq computes CKFAIL at LAST. Now we have to
conditionally trap on it. */
@@ -558,8 +605,7 @@ public:
add_bb_to_loop (trp, current_loops->tree_root);
/* Insert a conditional branch to the trap block. If the
- conditional wouldn't be the last statement, split the
- block. */
+ conditional wouldn't be the last stmt, split the block. */
gimple_stmt_iterator gsi = gsi_for_stmt (last);
if (!gsi_one_before_end_p (gsi))
split_block (gsi_bb (gsi), gsi_stmt (gsi));
@@ -643,7 +689,7 @@ public:
return false;
}
- /* Add to CKSEQ statements to clear CKPART if OBB is visited. */
+ /* Add to CKSEQ stmts to clear CKPART if OBB is visited. */
void
build_block_check (basic_block obb)
{
@@ -669,7 +715,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +735,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +762,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -723,16 +774,44 @@ public:
}
};
+/* It might be useful to avoid checking before noreturn calls that are
+ known to always finish by throwing an exception, rather than by
+ ending the program or looping forever. Such functions would have
+ to be annotated somehow, with an attribute or flag.
+ Exception-raising functions, such as C++'s __cxa_throw,
+ __cxa_rethrow, and Ada's */
+static bool
+always_throwing_noreturn_call_p (gimple *)
+{
+ return false;
+}
+
/* Control flow redundancy hardening: record the execution path, and
verify at exit that an expect path was taken. */
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool const check_at_escaping_exceptions
+ = (flag_exceptions
+ && flag_harden_control_flow_redundancy_check_exceptions);
+ bool const check_before_noreturn_calls
+ = flag_harden_control_flow_redundancy_check_noreturn > 0;
+ bool const check_before_nothrow_noreturn_calls
+ = (check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn >= 1);
+ bool const check_before_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn > 1);
+ bool const check_before_always_throwing_noreturn_calls
+ = (flag_exceptions
+ && check_before_noreturn_calls
+ && flag_harden_control_flow_redundancy_check_noreturn == 3);
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (check_at_escaping_exceptions)
{
int lp_eh_cleanup = -1;
@@ -758,7 +837,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -766,8 +845,48 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ /* Don't split blocks at, nor add EH edvges to, tail
+ calls, we will add verification before the call
+ anyway. */
+ if (is_a <gcall *> (stmt)
+ && (gimple_call_must_tail_p (as_a <gcall *> (stmt))
+ || gimple_call_tail_p (as_a <gcall *> (stmt))))
+ continue;
+
+ if (!gsi_one_before_end_p (gsi))
split_block (bb, stmt);
+ /* A resx or noreturn call needs not be associated with
+ the cleanup handler if we're going to add checking
+ before it. We only test cases that didn't require
+ block splitting because noreturn calls would always
+ be at the end of blocks, and we test for zero
+ successors because if there is an edge, it's not
+ noreturn, as any EH edges would have already been
+ caught by the lookup_stmt_eh_lp test above. */
+ else if (check_before_noreturn_calls
+ && EDGE_COUNT (bb->succs) == 0
+ && (is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls))
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Bypassing cleanup for noreturn stmt"
+ " in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+ continue;
+ }
if (!bb_eh_cleanup)
{
@@ -790,15 +909,47 @@ pass_harden_control_flow_redundancy::execute (function *fun)
ehgsi = gsi_after_labels (bb_eh_cleanup);
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
+
+ if (dump_file)
+ fprintf (dump_file,
+ "Created cleanup block %i:\n",
+ bb_eh_cleanup->index);
+ }
+ else if (dom_info_available_p (CDI_DOMINATORS))
+ {
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
- else
+
+ if (dump_file)
{
- // Update immedite dominator and loop?
+ fprintf (dump_file,
+ "Associated cleanup block with stmt in block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
+ }
+
+ if (bb_eh_cleanup)
+ {
+ /* A cfg_cleanup after bb_eh_cleanup makes for a more compact
+ rtcfg, and it avoids bb numbering differences when we split
+ blocks because of trailing debug insns only. */
+ cleanup_tree_cfg ();
+ gcc_checking_assert (EDGE_COUNT (bb_eh_cleanup->succs) == 0);
}
}
@@ -809,56 +960,97 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ if (gsi_end_p (gsi))
continue;
- }
+ gimple *stmt = gsi_stmt (gsi);
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
-
- if (found_non_eh_edge)
- continue;
-
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ /* A stmt at the end of a block without any successors is
+ either a resx or a noreturn call without a local
+ handler. Check that it's one of the desired
+ checkpoints. */
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? (check_before_always_throwing_noreturn_calls
+ || bb == bb_eh_cleanup)
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? (/* Catch cases in which successors would be
+ expected. */
+ gcc_unreachable (), false)
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? check_before_nothrow_noreturn_calls
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in succ-less block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
continue;
- }
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup
+ || !check_at_escaping_exceptions);
+ if (flag_exceptions && is_a <gresx *> (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : (!is_a <gcall *> (stmt)
+ || !gimple_call_noreturn_p (stmt))
+ ? false
+ : (!flag_exceptions
+ || gimple_call_nothrow_p (as_a <gcall *> (stmt)))
+ ? (/* Catch cases that should not have successors. */
+ gcc_unreachable (), check_before_nothrow_noreturn_calls)
+ : always_throwing_noreturn_call_p (stmt)
+ ? check_before_always_throwing_noreturn_calls
+ : check_before_throwing_noreturn_calls)
+ {
+ gcc_checking_assert (single_succ_p (bb)
+ && (single_succ_edge (bb)->flags & EDGE_EH));
+
+ if (dump_file)
+ {
+ fprintf (dump_file,
+ "Scheduling check before stmt"
+ " in EH-succ block %i:\n",
+ bb->index);
+ print_gimple_stmt (dump_file, stmt, 0);
+ }
+
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ else
+ gcc_unreachable ();
+ }
+ }
+ else if (bb_eh_cleanup)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
count_noreturn++;
+ else
+ gcc_unreachable ();
}
gcc_checking_assert (!bb_eh_cleanup
@@ -869,12 +1061,29 @@ pass_harden_control_flow_redundancy::execute (function *fun)
amount to a function that ends with an infinite loop. */
if (!count_noreturn
&& EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (fun)->preds) == 0)
- return 0;
+ {
+ if (dump_file)
+ fprintf (dump_file,
+ "Disabling CFR, no exit paths to check\n");
+
+ return 0;
+ }
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
new file mode 100644
index 00000000000..a6992eb9f8e
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/harden-cfr-noret-never-O0.c
@@ -0,0 +1,12 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -O0 -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization. */
+
+#include "torture/harden-cfr-noret.c"
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f and of h2. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
new file mode 100644
index 00000000000..8bd2d13ac18
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-never.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we don't insert checking before noreturn calls. -O0 is tested
+ separately because h is not found to be noreturn without optimization, which
+ affects codegen for h2, so h2 is omitted here at -O0. */
+
+#if !__OPTIMIZE__
+# define OMIT_H2
+#endif
+
+#include "harden-cfr-noret.c"
+
+
+/* No out-of-line checks. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* Only one inline check at the end of f. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
new file mode 100644
index 00000000000..a804a6cfe59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-noexcept.c
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fno-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that -fno-exceptions makes for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
new file mode 100644
index 00000000000..f390cfdbc59
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret-nothrow.c
@@ -0,0 +1,13 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before nothrow noreturn calls. */
+
+#include "harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
new file mode 100644
index 00000000000..a58afd7944c
--- /dev/null
+++ b/gcc/testsuite/c-c++-common/torture/harden-cfr-noret.c
@@ -0,0 +1,38 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert checking before all noreturn calls. */
+
+#ifndef ATTR_NOTHROW_OPT /* Overridden in harden-cfr-noret-noexcept. */
+#define ATTR_NOTHROW_OPT __attribute__ ((__nothrow__))
+#endif
+
+extern void __attribute__ ((__noreturn__)) ATTR_NOTHROW_OPT g(void);
+
+void f(int i) {
+ if (i)
+ /* Out-of-line checks here... */
+ g ();
+ /* ... and here. */
+}
+
+void __attribute__ ((__noinline__, __noclone__))
+h(void) {
+ /* Inline check here. */
+ g ();
+}
+
+#ifndef OMIT_H2 /* from harden-cfr-noret-never. */
+void h2(void) {
+ /* Inline check either here, whether because of noreturn or tail call... */
+ h ();
+ /* ... or here, if not optimizing. */
+}
+#endif
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
new file mode 100644
index 00000000000..17ea79f7cfb
--- /dev/null
+++ b/gcc/testsuite/g++.dg/harden-cfr-throw-always-O0.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects -O0" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. h2 and h2b get an extra resx without ehcleanup. */
+
+#include "torture/harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 16 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
new file mode 100644
index 00000000000..dad9693e1d2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-always-no-nothrow.C
@@ -0,0 +1,16 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Bypassing cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
new file mode 100644
index 00000000000..33e1ae26f80
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-never-no-nothrow.C
@@ -0,0 +1,17 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=never -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. Expected results for =never and =nothrow are the same,
+ since the functions are not nothrow. */
+
+#include "harden-cfr-noret-no-nothrow.C"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
new file mode 100644
index 00000000000..b47d880ada2
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-noret-no-nothrow.C
@@ -0,0 +1,22 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C++ does NOT make for implicit nothrow in noreturn
+ handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#if ! __OPTIMIZE__
+void __attribute__ ((__noreturn__)) h (void);
+#endif
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* All 3 noreturn calls. */
+/* { dg-final { scan-tree-dump-times "Associated cleanup" 3 "hardcfr" } } */
+/* Out-of-line checks in f. */
+/* { dg-final { scan-tree-dump-times "Inserting out-of-line check in noreturn block" 1 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* Inline checks in h and h2. */
+/* { dg-final { scan-tree-dump-times "Inserting inline check in noreturn block" 2 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
new file mode 100644
index 00000000000..52ef7bc601a
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-always.C
@@ -0,0 +1,20 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=always -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions, and also checking before noreturn
+ calls. */
+
+#if ! __OPTIMIZE__
+/* Without optimization, functions with cleanups end up with an extra
+ resx that is not optimized out, so arrange to optimize them. */
+void __attribute__ ((__optimize__ (1))) h2(void);
+void __attribute__ ((__optimize__ (1))) h2b(void);
+#endif
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 14 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
+/* h, h2, h2b, and h4. */
+/* { dg-final { scan-tree-dump-times "Bypassing" 4 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
new file mode 100644
index 00000000000..da7c9cf1033
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw-nocleanup.C
@@ -0,0 +1,11 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fno-hardcfr-check-exceptions -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we do not insert cleanups for checking around the bodies
+ of maybe-throwing functions. h4 doesn't get any checks, because we
+ don't have noreturn checking enabled. */
+
+#include "harden-cfr-throw.C"
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 0 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 6 "hardcfr" } } */
diff --git a/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
new file mode 100644
index 00000000000..2dbc67c34d9
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/harden-cfr-throw.C
@@ -0,0 +1,65 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that we insert cleanups for checking around the bodies of
+ maybe-throwing functions. */
+
+extern void g (void);
+extern void g2 (void);
+
+void f(int i) {
+ if (i)
+ g ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void f2(int i) {
+ if (i)
+ g ();
+ else
+ g2 ();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h(void) {
+ try {
+ g ();
+ } catch (...) {
+ throw;
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+struct needs_cleanup {
+ ~needs_cleanup();
+};
+
+void h2(void) {
+ needs_cleanup y; /* No check in the cleanup handler. */
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+extern void __attribute__ ((__nothrow__)) another_cleanup (void*);
+
+void h2b(void) {
+ int x __attribute__ ((cleanup (another_cleanup)));
+ g();
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h3(void) {
+ try {
+ throw 1;
+ } catch (...) {
+ }
+ /* Out-of-line checks here, and in the implicit handler. */
+}
+
+void h4(void) {
+ /* Inline check before the __cxa_throw noreturn call. */
+ throw 1;
+}
+
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 12 "hardcfr" } } */
+/* { dg-final { scan-tree-dump-times "builtin_trap" 1 "hardcfr" } } */
diff --git a/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
new file mode 100644
index 00000000000..8e4ee1fab08
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/torture/harden-cfr-noret-no-nothrow.c
@@ -0,0 +1,15 @@
+/* { dg-do compile } */
+/* { dg-options "-fharden-control-flow-redundancy -fhardcfr-check-noreturn-calls=nothrow -fdump-tree-hardcfr -ffat-lto-objects" } */
+
+/* Check that C makes for implicit nothrow in noreturn handling. */
+
+#define ATTR_NOTHROW_OPT
+
+#include "../../c-c++-common/torture/harden-cfr-noret.c"
+
+/* One out-of-line check before the noreturn call in f, and another at the end
+ of f. */
+/* { dg-final { scan-tree-dump-times "hardcfr_check" 2 "hardcfr" } } */
+/* One inline check in h, before the noreturn call, and another in h2, before
+ or after the call, depending on noreturn detection. */
+/* { dg-final { scan-tree-dump-times "__builtin_trap" 2 "hardcfr" } } */
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..55f6b995f2f 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,94 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+/* Print out the CFG with BLOCKS blocks, presumed to be associated with CALLER.
+ This is expected to be optimized out entirely, unless the verbose part of
+ __hardcfr_check_fail is enabled. */
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void const *const caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+/* This is called when an out-of-line hardcfr check fails. All the arguments
+ are ignored, and it just traps, unless HARDCFR_VERBOSE_FAIL is enabled. IF
+ it is, it prints the PART of the CFG, expected to have BLOCKS blocks, that
+ failed at CALLER's BLOCK, and the VISITED bitmap. When the verbose mode is
+ enabled, it also forces __hardcfr_debug_cfg (above) to be compiled into an
+ out-of-line function, that could be called from a debugger.
+ */
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t const block ATTRIBUTE_UNUSED,
+ int const part ATTRIBUTE_UNUSED,
+ void const *const caller ATTRIBUTE_UNUSED)
+{
+#if HARDCFR_VERBOSE_FAIL
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[part]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = part; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +267,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 7:28 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 7:28 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:3b83827bf024d3b7bc7f8fab1d9fd5cac314500c
commit 3b83827bf024d3b7bc7f8fab1d9fd5cac314500c
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 181 +++++++++++++++++++++++++-------------
libgcc/hardcfr.c | 109 +++++++++++++++++++++--
2 files changed, 219 insertions(+), 71 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..266ed1ca08e 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -30,6 +30,7 @@ along with GCC; see the file COPYING3. If not see
#include "ssa.h"
#include "gimple-iterator.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +114,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +175,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +671,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +691,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +718,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +736,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -758,7 +767,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -766,8 +775,23 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ /* Don't split blocks at or add EH edvges to tail calls,
+ we will add verification before the call anyway. */
+ if (is_a <gcall *> (stmt))
+ {
+ gcall *call = as_a <gcall *> (stmt);
+ if (gimple_call_tail_p (call)
+ || gimple_call_must_tail_p (call))
+ continue;
+ }
+
+ if (!gsi_one_before_end_p (gsi))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,15 +815,31 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
+
+ if (bb_eh_cleanup)
+ /* A cfg_cleanup after bb_eh_cleanup makes for a more compact
+ rtcfg, and it avoids bb numbering differences when we split
+ blocks because of trailing debug insns only. */
+ cleanup_tree_cfg ();
}
/* We wish to add verification at blocks without successors, such as
@@ -809,57 +849,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +917,19 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 7:13 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 7:13 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:1ebb376abbcbf787d3f553765532e64298c670af
commit 1ebb376abbcbf787d3f553765532e64298c670af
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 171 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 ++++++++++++++++++++++--
2 files changed, 209 insertions(+), 71 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..47886d6352f 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -30,6 +30,7 @@ along with GCC; see the file COPYING3. If not see
#include "ssa.h"
#include "gimple-iterator.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +114,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +175,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +671,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +691,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +718,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +736,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -758,7 +767,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -766,8 +775,13 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ if (!gsi_one_before_end_p (gsi))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,15 +805,31 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
+
+ if (bb_eh_cleanup)
+ /* A cfg_cleanup after bb_eh_cleanup makes for a more compact
+ rtcfg, and it avoids bb numbering differences when we split
+ blocks because of trailing debug insns only. */
+ cleanup_tree_cfg ();
}
/* We wish to add verification at blocks without successors, such as
@@ -809,57 +839,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +907,19 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 7:07 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 7:07 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:3acbb4013c1f4642cc9df743c97f4c45b74eb853
commit 3acbb4013c1f4642cc9df743c97f4c45b74eb853
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 178 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 +++++++++++++++++++++--
2 files changed, 214 insertions(+), 73 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..23a920260e8 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -30,6 +30,7 @@ along with GCC; see the file COPYING3. If not see
#include "ssa.h"
#include "gimple-iterator.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +114,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +175,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -396,7 +398,7 @@ public:
Also avoid disrupting tail calls, inserting the check before
them. This works for must-tail calls, but tail calling as an
optimization is detected too late for us. */
- gimple_stmt_iterator gsi = gsi_last_bb (insbb);
+ gimple_stmt_iterator gsi = gsi_last_nondebug_bb (insbb);
gimple *ret = gsi_stmt (gsi);
if (ret && is_a <gresx *> (ret))
@@ -407,7 +409,7 @@ public:
if (ret && is_a <greturn *> (ret))
{
- gsi_prev (&gsi);
+ gsi_prev_nondebug (&gsi);
if (!gsi_end_p (gsi))
ret = gsi_stmt (gsi);
}
@@ -669,7 +671,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +691,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +718,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +736,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -758,7 +767,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -766,8 +775,13 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ if (!gsi_one_nondebug_before_end_p (gsi))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,14 +805,31 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
+ }
+
+ if (bb_eh_cleanup)
+ {
+ int n = last_basic_block_for_fn (fun);
+ cleanup_tree_cfg ();
+ gcc_checking_assert (n == last_basic_block_for_fn (fun));
}
}
@@ -809,57 +840,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +908,21 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. A cfg_cleanup after bb_eh_cleanup would
+ make for a more compact rtcfg, but it could also undo the
+ insertion of bb_eh_cleanup. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 6:54 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 6:54 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:5ae46368ab16be40451a92a697864ea6e00ee1d2
commit 5ae46368ab16be40451a92a697864ea6e00ee1d2
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 174 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 ++++++++++++++++++++++--
2 files changed, 212 insertions(+), 71 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..fd2c563fdb8 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -30,6 +30,7 @@ along with GCC; see the file COPYING3. If not see
#include "ssa.h"
#include "gimple-iterator.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +114,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +175,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +671,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +691,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +718,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +736,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -758,7 +767,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -766,8 +775,13 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (lookup_stmt_eh_lp (stmt) != 0)
continue;
- if (!stmt_ends_bb_p (stmt))
+ if (!gsi_one_before_end_p (gsi))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,14 +805,31 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
+ }
+
+ if (bb_eh_cleanup)
+ {
+ int n = last_basic_block_for_fn (fun);
+ cleanup_tree_cfg ();
+ gcc_checking_assert (n == last_basic_block_for_fn (fun));
}
}
@@ -809,57 +840,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +908,21 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. A cfg_cleanup after bb_eh_cleanup would
+ make for a more compact rtcfg, but it could also undo the
+ insertion of bb_eh_cleanup. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 6:43 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 6:43 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:ea7d772160932ab85301fb81355ab9b1f4183b21
commit ea7d772160932ab85301fb81355ab9b1f4183b21
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 172 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 ++++++++++++++++++++++--
2 files changed, 211 insertions(+), 70 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..1eaa1668510 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -30,6 +30,7 @@ along with GCC; see the file COPYING3. If not see
#include "ssa.h"
#include "gimple-iterator.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +114,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +175,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +671,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +691,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +718,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +736,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -758,7 +767,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
!gsi_end_p (gsi); gsi_prev (&gsi))
{
gimple *stmt = gsi_stmt (gsi);
- if (!gimple_could_trap_p (stmt))
+ if (!stmt_could_throw_p (fun, stmt))
continue;
/* If it must not throw, or if it already has a handler,
@@ -768,6 +777,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,14 +805,31 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, bb, immdom))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
+ }
+
+ if (bb_eh_cleanup)
+ {
+ int n = last_basic_block_for_fn (fun);
+ cleanup_tree_cfg ();
+ gcc_checking_assert (n == last_basic_block_for_fn (fun));
}
}
@@ -809,57 +840,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +908,21 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. A cfg_cleanup after bb_eh_cleanup would
+ make for a more compact rtcfg, but it could also undo the
+ insertion of bb_eh_cleanup. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 5:45 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 5:45 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:97b88329d0e3569c06b82726b1401c5aa63bda71
commit 97b88329d0e3569c06b82726b1401c5aa63bda71
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 163 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 +++++++++++++++++++++++--
2 files changed, 203 insertions(+), 69 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..4aa68dbda6a 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -30,6 +30,7 @@ along with GCC; see the file COPYING3. If not see
#include "ssa.h"
#include "gimple-iterator.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +114,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +175,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +671,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +691,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +718,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +736,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +777,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,14 +805,24 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
}
@@ -809,57 +833,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +901,21 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. A cfg_cleanup after bb_eh_cleanup would
+ make for a more compact rtcfg, but it could also undo the
+ insertion of bb_eh_cleanup. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 5:22 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 5:22 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:2bc08eda84dca9e8453d6cc5fdcb61ffc0e66806
commit 2bc08eda84dca9e8453d6cc5fdcb61ffc0e66806
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 168 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 +++++++++++++++++++++++--
2 files changed, 208 insertions(+), 69 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..25e78742226 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -30,6 +30,7 @@ along with GCC; see the file COPYING3. If not see
#include "ssa.h"
#include "gimple-iterator.h"
#include "tree-cfg.h"
+#include "tree-cfgcleanup.h"
#include "tree-eh.h"
#include "except.h"
#include "sbitmap.h"
@@ -113,7 +114,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +175,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +352,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +671,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +691,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +718,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +736,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +777,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,15 +805,32 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
+
+#if 1
+ /* Renumbering blocks makes for a more compact rtcfg
+ representation. */
+ if (bb_eh_cleanup)
+ cleanup_tree_cfg ();
+#endif
}
/* We wish to add verification at blocks without successors, such as
@@ -809,57 +840,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +908,19 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. We could run cfg_cleanup. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 5:20 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 5:20 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:b949cab955834b30bddc12f970b44030f7c1f8a9
commit b949cab955834b30bddc12f970b44030f7c1f8a9
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 167 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 +++++++++++++++++++++++--
2 files changed, 207 insertions(+), 69 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..c673774887b 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -113,7 +113,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +174,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +351,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +670,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +690,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +717,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +735,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +776,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,15 +804,32 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
+
+#if 1
+ /* Renumbering blocks makes for a more compact rtcfg
+ representation. */
+ if (bb_eh_cleanup)
+ cleanup_tree_cfg ();
+#endif
}
/* We wish to add verification at blocks without successors, such as
@@ -809,57 +839,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +907,19 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. We could run cfg_cleanup. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 5:17 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 5:17 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:0875b6a73b6071b7da95fbb953e42b3de20457f3
commit 0875b6a73b6071b7da95fbb953e42b3de20457f3
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 167 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 +++++++++++++++++++++++--
2 files changed, 207 insertions(+), 69 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..27a62f1b93a 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -113,7 +113,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +174,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +351,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +670,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +690,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +717,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +735,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +776,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,15 +804,32 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
+
+#if 0
+ /* Renumbering blocks makes for a more compact rtcfg
+ representation. */
+ if (bb_eh_cleanup)
+ cleanup_tree_cfg ();
+#endif
}
/* We wish to add verification at blocks without successors, such as
@@ -809,57 +839,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +907,19 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. We could run cfg_cleanup. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (int i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ gcc_checking_assert (bb->index == i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 5:08 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 5:08 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:4f581e14a4d48f437de8d0000ceec69256e8fc20
commit 4f581e14a4d48f437de8d0000ceec69256e8fc20
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 166 ++++++++++++++++++++++++--------------
libgcc/hardcfr.c | 109 +++++++++++++++++++++++--
2 files changed, 206 insertions(+), 69 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..acd09a95910 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -113,7 +113,8 @@ public:
}
if (param_hardcfr_max_blocks > 0
- && n_basic_blocks_for_fn (fun) - 2 > param_hardcfr_max_blocks)
+ && (n_basic_blocks_for_fn (fun) - NUM_FIXED_BLOCKS
+ > param_hardcfr_max_blocks))
{
if (flag_harden_control_flow_redundancy < 0)
return false;
@@ -173,8 +174,8 @@ class rt_bb_visited
neither ENTRY nor EXIT, but maybe one-past-the-end, to compute
the visited array length. */
blknum num2idx (blknum n) {
- gcc_checking_assert (n >= 2 && n <= nblocks);
- return (n - 2);
+ gcc_checking_assert (n >= NUM_FIXED_BLOCKS && n <= nblocks);
+ return (n - NUM_FIXED_BLOCKS);
}
/* Return the block vindex for BB, that must not be ENTRY or
EXIT. */
@@ -350,7 +351,7 @@ public:
NULL, NULL);
gimple_seq_add_stmt (&ckseq, detach);
- if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
+ if (nblocks - NUM_FIXED_BLOCKS > blknum (param_hardcfr_max_inline_blocks)
|| !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
|| (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+ noreturn_blocks > 1))
@@ -669,7 +670,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +690,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +717,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +735,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +776,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,15 +804,32 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
+
+#if 0
+ /* Renumbering blocks makes for a more compact rtcfg
+ representation. */
+ if (bb_eh_cleanup)
+ cleanup_tree_cfg ();
+#endif
}
/* We wish to add verification at blocks without successors, such as
@@ -809,57 +839,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -873,8 +907,18 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
- FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ /* Visit blocks in index order, because building rtcfg depends on
+ that. Blocks must be compact, which the cleanup_cfg requirement
+ ensures. This would also enable FOR_EACH_BB_FN to be used to
+ iterate in index order, but bb_eh_cleanup block splits and
+ insertions changes that. We could run cfg_cleanup. */
+ gcc_checking_assert (n_basic_blocks_for_fn (fun)
+ == last_basic_block_for_fn (fun));
+ for (size_t i = NUM_FIXED_BLOCKS; i < n_basic_blocks_for_fn (fun); i++)
+ {
+ bb = BASIC_BLOCK_FOR_FN (fun, i);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, i));
+ }
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 4:24 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 4:24 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:5bfcd6c6690c206cc413388284b74c7068b7d4fc
commit 5bfcd6c6690c206cc413388284b74c7068b7d4fc
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 138 ++++++++++++++++++++++----------------
libgcc/hardcfr.c | 109 +++++++++++++++++++++++++++---
2 files changed, 183 insertions(+), 64 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..837f498c86d 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -669,7 +669,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +689,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +716,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +734,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +775,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,14 +803,24 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
}
@@ -809,57 +831,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -874,7 +900,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, bb->index));
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..0bf2599fd15 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,84 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ vword const *const visited,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("hardcfr fail at %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("\nvisited:");
+ block2mask (blocks, &mask, &wordidx);
+ for (size_t i = 0; i <= wordidx; i++)
+ __builtin_printf (" (%lu/0x%lx)",
+ (unsigned long)i, (unsigned long)visited[i]);
+ __builtin_printf ("\n");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +257,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 0,
+ __builtin_return_address (0));
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, visited, cfg, i, 1,
+ __builtin_return_address (0));
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 4:13 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 4:13 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:c8d3669b617c5cebc5c7510b59e2d31a792cbd53
commit c8d3669b617c5cebc5c7510b59e2d31a792cbd53
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 138 ++++++++++++++++++++++----------------
libgcc/hardcfr.c | 104 +++++++++++++++++++++++++---
2 files changed, 178 insertions(+), 64 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..837f498c86d 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -669,7 +669,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +689,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +716,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +734,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +775,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,14 +803,24 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
}
@@ -809,57 +831,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -874,7 +900,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, bb->index));
vstd.check (count_noreturn, noreturn_blocks);
diff --git a/libgcc/hardcfr.c b/libgcc/hardcfr.c
index 8ef29428111..3daf18bf0ae 100644
--- a/libgcc/hardcfr.c
+++ b/libgcc/hardcfr.c
@@ -60,14 +60,25 @@ extern void __hardcfr_check (size_t blocks,
vword const *visited,
vword const *cfg);
+/* Compute the MASK for the bit representing BLOCK in WORDIDX's vword in a
+ visited blocks bit array. */
+static inline void
+block2mask (size_t const block, vword *const mask, size_t *const wordidx)
+{
+ size_t wbits = __CHAR_BIT__ * sizeof (vword);
+ *wordidx = block / wbits;
+ *mask = (vword)1 << (block % wbits);
+}
/* Check whether the bit corresponding to BLOCK is set in VISITED. */
static inline bool
visited_p (size_t const block, vword const *const visited)
{
- size_t wbits = __CHAR_BIT__ * sizeof (vword);
- vword w = visited[block / wbits];
- return (w & ((vword)1 << (block % wbits))) != 0;
+ vword mask;
+ size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ vword w = visited[wordidx];
+ return (w & mask) != 0;
}
/* Read and consume a mask from **CFG_IT. (Consume meaning advancing the
@@ -118,19 +129,19 @@ consume_seq (vword const **const cfg_it)
we reach the terminator without finding any. Consume the entire sequence
otherwise, so that *CFG_IT points just past the terminator, which may be the
beginning of the next sequence. */
-static inline void
+static inline bool
check_seq (vword const *const visited, vword const **const cfg_it)
{
vword mask;
size_t wordidx;
/* If the block was visited, check that at least one of the
- preds was also visited. */
+ preds/succs was also visited. */
do
/* If we get to the end of the sequence without finding any
match, something is amiss. */
if (!next_pair (cfg_it, &mask, &wordidx))
- __builtin_trap ();
+ return false;
/* Keep searching until we find a match, at which point the
condition is satisfied. */
while (!test_mask (visited, mask, wordidx));
@@ -139,6 +150,79 @@ check_seq (vword const *const visited, vword const **const cfg_it)
skipped the block, so as to position the iterator at the beginning of the
next . */
consume_seq (cfg_it);
+
+ return true;
+}
+
+static inline void
+__hardcfr_debug_cfg (size_t const blocks,
+ void *caller,
+ vword const *const cfg)
+{
+ __builtin_printf ("CFG at %p, for %p", cfg, caller);
+ vword const *cfg_it = cfg;
+ for (size_t i = 0; i < blocks; i++)
+ {
+ vword mask; size_t wordidx;
+ block2mask (i, &mask, &wordidx);
+ __builtin_printf ("\nblock %lu (%lu/0x%lx)\npreds: ",
+ (unsigned long)i,
+ (unsigned long)wordidx, (unsigned long)mask);
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lux/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ __builtin_printf ("\nsuccs: ");
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lux/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+ }
+ __builtin_printf ("\n");
+}
+
+#ifndef ATTRIBUTE_UNUSED
+# define ATTRIBUTE_UNUSED __attribute__ ((__unused__))
+#endif
+
+static inline void
+__hardcfr_check_fail (size_t const blocks ATTRIBUTE_UNUSED,
+ void *caller ATTRIBUTE_UNUSED,
+ vword const *const cfg ATTRIBUTE_UNUSED,
+ size_t block ATTRIBUTE_UNUSED,
+ int which ATTRIBUTE_UNUSED)
+{
+#if 1
+ static const char *parts[] = { "preds", "succs" };
+
+ vword mask; size_t wordidx;
+ block2mask (block, &mask, &wordidx);
+ __builtin_printf ("-fharden-control-flow-redundancy fail at "
+ " %p block %lu (%lu/0x%lx), expected %s:",
+ caller, (unsigned long)block,
+ (unsigned long)wordidx, (unsigned long)mask,
+ parts[which]);
+
+ /* Skip data for previous blocks. */
+ vword const *cfg_it = cfg;
+ for (size_t i = block; i--; )
+ {
+ consume_seq (&cfg_it);
+ consume_seq (&cfg_it);
+ }
+ for (size_t i = which; i--; )
+ consume_seq (&cfg_it);
+
+ while (next_pair (&cfg_it, &mask, &wordidx))
+ __builtin_printf (" (%lux/0x%lx)",
+ (unsigned long)wordidx, (unsigned long)mask);
+
+ __builtin_printf ("xn");
+
+ /* Reference __hardcfr_debug_cfg so that it's output out-of-line, so that it
+ can be called from a debugger. */
+ if (!caller || caller == __hardcfr_debug_cfg)
+ return;
+#endif
+ __builtin_trap ();
}
/* Check that, for each of the BLOCKS basic blocks, if its bit is set in
@@ -168,9 +252,13 @@ __hardcfr_check (size_t const blocks,
else
{
/* Check predecessors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, __builtin_return_address (0),
+ cfg, i, 0);
/* Check successors. */
- check_seq (visited, &cfg_it);
+ if (!check_seq (visited, &cfg_it))
+ __hardcfr_check_fail (blocks, __builtin_return_address (0),
+ cfg, i, 1);
}
}
}
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 2:50 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 2:50 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:f321a92432dfa2abaf0171dc7b0284c247a92c35
commit f321a92432dfa2abaf0171dc7b0284c247a92c35
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 138 ++++++++++++++++++++++----------------
1 file changed, 82 insertions(+), 56 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..837f498c86d 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -669,7 +669,7 @@ public:
/* Add to BB code to set its bit in VISITED, and add to RTCFG or
CKSEQ the data or code needed to check BB's predecessors and
successors. Do NOT change the CFG. */
- void visit (basic_block bb)
+ void visit (basic_block bb, bool noreturn)
{
/* Set the bit in VISITED when entering the block. */
gimple_stmt_iterator gsi = gsi_after_labels (bb);
@@ -689,10 +689,13 @@ public:
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
/* Then, successors. */
- for (int i = EDGE_COUNT (bb->succs); i--; )
- if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
- EXIT_BLOCK_PTR_FOR_FN (cfun)))
- break;
+ if (!noreturn
+ || !push_rtcfg_pair (EXIT_BLOCK_PTR_FOR_FN (cfun),
+ bb, EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ for (int i = EDGE_COUNT (bb->succs); i--; )
+ if (push_rtcfg_pair (EDGE_SUCC (bb, i)->dest, bb,
+ EXIT_BLOCK_PTR_FOR_FN (cfun)))
+ break;
rtcfg = tree_cons (NULL_TREE, build_int_cst (vword_type, 0), rtcfg);
}
else
@@ -713,6 +716,8 @@ public:
gassign *blkruns = gimple_build_assign (ckpart, unshare_expr (bit));
gimple_seq_add_stmt (&ckseq, blkruns);
+ if (noreturn)
+ build_block_check (EXIT_BLOCK_PTR_FOR_FN (cfun));
for (int i = 0, e = EDGE_COUNT (bb->succs); i < e; i++)
build_block_check (EDGE_SUCC (bb, i)->dest);
@@ -729,10 +734,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +775,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,14 +803,24 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
}
@@ -809,57 +831,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
@@ -874,7 +900,7 @@ pass_harden_control_flow_redundancy::execute (function *fun)
rt_bb_visited vstd (count_noreturn);
FOR_EACH_BB_FN (bb, fun)
- vstd.visit (bb);
+ vstd.visit (bb, bitmap_bit_p (noreturn_blocks, bb->index));
vstd.check (count_noreturn, noreturn_blocks);
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 2:34 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 2:34 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:4a10a36a038842f0c932130c7c1b3dcd5eb13d47
commit 4a10a36a038842f0c932130c7c1b3dcd5eb13d47
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 121 ++++++++++++++++++++++----------------
1 file changed, 71 insertions(+), 50 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..00b60da0030 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -729,10 +729,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,6 +770,11 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
@@ -791,14 +798,24 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
+ else if (dom_info_available_p (CDI_DOMINATORS))
{
- // Update immedite dominator and loop?
+ basic_block immdom;
+ immdom = get_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup);
+ if (!dominated_by_p (CDI_DOMINATORS, immdom, bb))
+ {
+ immdom = nearest_common_dominator (CDI_DOMINATORS,
+ immdom, bb);
+ set_immediate_dominator (CDI_DOMINATORS,
+ bb_eh_cleanup, immdom);
+ }
}
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
- make_eh_edges (stmt); }
+ make_eh_edges (stmt);
+ }
}
}
@@ -809,57 +826,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 2:24 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 2:24 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:c7e2b43a43de1c27ab9e797b87b7fc9c0499c28b
commit c7e2b43a43de1c27ab9e797b87b7fc9c0499c28b
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 122 +++++++++++++++++++++-----------------
1 file changed, 67 insertions(+), 55 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..235f19c6548 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -729,10 +729,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,14 +770,15 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
bb_eh_cleanup = create_empty_bb (bb);
- if (dom_info_available_p (CDI_DOMINATORS))
- set_immediate_dominator (CDI_DOMINATORS, bb_eh_cleanup, bb);
- if (current_loops)
- add_bb_to_loop (bb_eh_cleanup, current_loops->tree_root);
/* Make the new block an EH cleanup for the call. */
eh_region new_r = gen_eh_region_cleanup (NULL);
@@ -791,15 +794,20 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
- {
- // Update immedite dominator and loop?
- }
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
make_eh_edges (stmt); }
}
+
+ if (bb_eh_cleanup && dom_info_available_p (CDI_DOMINATORS))
+ {
+ basic_block immdom;
+ immdom = recompute_dominator (CDI_DOMINATORS, bb_eh_cleanup);
+ set_immediate_dominator (CDI_DOMINATORS, bb_eh_cleanup, immdom);
+ }
+ if (bb_eh_cleanup && current_loops)
+ add_bb_to_loop (bb_eh_cleanup, current_loops->tree_root);
}
/* We wish to add verification at blocks without successors, such as
@@ -809,57 +817,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set_bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 2:20 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 2:20 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:b9aac092373a7314baaa4dec8efe6a15eb7c10d4
commit b9aac092373a7314baaa4dec8efe6a15eb7c10d4
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 122 +++++++++++++++++++++-----------------
1 file changed, 67 insertions(+), 55 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..849812a6c3f 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -729,10 +729,12 @@ public:
unsigned int
pass_harden_control_flow_redundancy::execute (function *fun)
{
+ bool param_check_at_escaping_exceptions = true;
+ bool param_check_before_noreturn_calls = true;
basic_block bb_eh_cleanup = NULL;
basic_block bb;
- if (flag_exceptions)
+ if (param_check_at_escaping_exceptions && flag_exceptions)
{
int lp_eh_cleanup = -1;
@@ -768,14 +770,15 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!stmt_ends_bb_p (stmt))
split_block (bb, stmt);
+ /* A noreturn call needs not be associated with the
+ cleanup handler, because we'll add checking before
+ the call. */
+ else if (EDGE_COUNT (bb->succs) == 0)
+ continue;
if (!bb_eh_cleanup)
{
bb_eh_cleanup = create_empty_bb (bb);
- if (dom_info_available_p (CDI_DOMINATORS))
- set_immediate_dominator (CDI_DOMINATORS, bb_eh_cleanup, bb);
- if (current_loops)
- add_bb_to_loop (bb_eh_cleanup, current_loops->tree_root);
/* Make the new block an EH cleanup for the call. */
eh_region new_r = gen_eh_region_cleanup (NULL);
@@ -791,15 +794,20 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
- {
- // Update immedite dominator and loop?
- }
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
make_eh_edges (stmt); }
}
+
+ if (bb_eh_cleanup && dom_info_available_p (CDI_DOMINATORS))
+ {
+ basic_block immdom;
+ immdom = recompute_dominator (CDI_DOMINATORS, bb_eh_cleanup);
+ set_immediate_dominator (CDI_DOMINATORS, bb_eh_cleanup, immdom);
+ }
+ if (bb_eh_cleanup && current_loops)
+ add_bb_to_loop (bb_eh_cleanup, current_loops->tree_root);
}
/* We wish to add verification at blocks without successors, such as
@@ -809,57 +817,61 @@ pass_harden_control_flow_redundancy::execute (function *fun)
int count_noreturn = 0;
auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
bitmap_clear (noreturn_blocks);
- FOR_EACH_BB_FN (bb, fun)
- {
- if (EDGE_COUNT (bb->succs) == 0)
- {
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
+ if (!param_check_before_noreturn_calls)
+ FOR_EACH_BB_FN (bb, fun)
+ {
+ if (EDGE_COUNT (bb->succs) == 0)
+ {
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ continue;
+ }
+
+ /* If there are no exceptions, then any noreturn call must have
+ zero successor edges. Otherwise, check for blocks without
+ non-EH successors, but skip those with resx stmts and edges
+ (i.e., those other than that in bb_eh_cleanup), since those
+ will go through bb_eh_cleanup, that will have been counted as
+ noreturn above because it has no successors. */
+ gcc_checking_assert (bb != bb_eh_cleanup);
+ if (!flag_exceptions)
continue;
- }
- /* If there are no exceptions, then any noreturn call must have
- zero successor edges. Otherwise, check for blocks without
- non-EH successors, but skip those with resx stmts and edges
- (i.e., those other than that in bb_eh_cleanup), since those
- will go through bb_eh_cleanup, that will have been counted as
- noreturn above because it has no successors. */
- gcc_checking_assert (bb != bb_eh_cleanup);
- if (!flag_exceptions)
- continue;
-
- bool found_non_eh_edge = false;
- bool found_eh_edge = false;
- edge e;
- edge_iterator ei;
- FOR_EACH_EDGE (e, ei, bb->succs)
- {
- if ((e->flags & EDGE_EH))
- found_eh_edge = true;
- else
- found_non_eh_edge = true;
- if (found_non_eh_edge && found_eh_edge)
- break;
- }
+ bool found_non_eh_edge = false;
+ bool found_eh_edge = false;
+ edge e;
+ edge_iterator ei;
+ FOR_EACH_EDGE (e, ei, bb->succs)
+ {
+ if ((e->flags & EDGE_EH))
+ found_eh_edge = true;
+ else
+ found_non_eh_edge = true;
+ if (found_non_eh_edge && found_eh_edge)
+ break;
+ }
- if (found_non_eh_edge)
- continue;
+ if (found_non_eh_edge)
+ continue;
- if (found_eh_edge)
- {
- /* We don't wish to check before (re?)raises, those will
- have checking performed at bb_eh_cleanup. The one
- exception is bb_eh_cleanup itself. */
- gimple_stmt_iterator gsi = gsi_last_bb (bb);
- gcc_checking_assert (!gsi_end_p (gsi));
- gimple *stmt = gsi_stmt (gsi);
- if (is_a <gresx *> (stmt))
- continue;
- }
+ if (found_eh_edge)
+ {
+ /* We don't wish to check before (re?)raises, those will
+ have checking performed at bb_eh_cleanup. The one
+ exception is bb_eh_cleanup itself. */
+ gimple_stmt_iterator gsi = gsi_last_bb (bb);
+ gcc_checking_assert (!gsi_end_p (gsi));
+ gimple *stmt = gsi_stmt (gsi);
+ if (is_a <gresx *> (stmt))
+ continue;
+ }
- if (bitmap_set_bit (noreturn_blocks, bb->index))
- count_noreturn++;
- }
+ if (bitmap_set_bit (noreturn_blocks, bb->index))
+ count_noreturn++;
+ }
+ else if (bb_eh_cleanup
+ && bitmap_set-bit (noreturn_blocks, bb_eh_cleanup->index))
+ count_noreturn++;
gcc_checking_assert (!bb_eh_cleanup
|| bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
^ permalink raw reply [flat|nested] 22+ messages in thread
* [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks
@ 2022-08-11 1:57 Alexandre Oliva
0 siblings, 0 replies; 22+ messages in thread
From: Alexandre Oliva @ 2022-08-11 1:57 UTC (permalink / raw)
To: gcc-cvs
https://gcc.gnu.org/g:125b843bb77c74a9329fa1b1db4dfcc688b5a054
commit 125b843bb77c74a9329fa1b1db4dfcc688b5a054
Author: Alexandre Oliva <oliva@gnu.org>
Date: Wed Aug 10 22:56:28 2022 -0300
hardcfr: add checking at exceptions and noreturn calls: tweaks
Diff:
---
gcc/gimple-harden-control-flow.cc | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 5066a43fe6c..6d56e78dd8d 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -772,10 +772,6 @@ pass_harden_control_flow_redundancy::execute (function *fun)
if (!bb_eh_cleanup)
{
bb_eh_cleanup = create_empty_bb (bb);
- if (dom_info_available_p (CDI_DOMINATORS))
- set_immediate_dominator (CDI_DOMINATORS, bb_eh_cleanup, bb);
- if (current_loops)
- add_bb_to_loop (bb_eh_cleanup, current_loops->tree_root);
/* Make the new block an EH cleanup for the call. */
eh_region new_r = gen_eh_region_cleanup (NULL);
@@ -791,15 +787,18 @@ pass_harden_control_flow_redundancy::execute (function *fun)
gresx *resx = gimple_build_resx (new_r->index);
gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
}
- else
- {
- // Update immedite dominator and loop?
- }
add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
/* Finally, wire the EH cleanup block into the CFG. */
make_eh_edges (stmt); }
}
+
+ if (bb_eh_cleanup && dom_info_available_p (CDI_DOMINATORS))
+ {
+ basic_block immdom;
+ immdom = recompute_dominator (CDI_DOMINATORS, bb_eh_cleanup);
+ set_immediate_dominator (CDI_DOMINATORS, bb_eh_cleanup, immdom);
+ }
}
/* We wish to add verification at blocks without successors, such as
^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2022-08-24 22:59 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-24 17:18 [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls: tweaks Alexandre Oliva
-- strict thread matches above, loose matches on Subject: below --
2022-08-24 22:59 Alexandre Oliva
2022-08-24 22:46 Alexandre Oliva
2022-08-24 19:39 Alexandre Oliva
2022-08-24 16:53 Alexandre Oliva
2022-08-11 7:28 Alexandre Oliva
2022-08-11 7:13 Alexandre Oliva
2022-08-11 7:07 Alexandre Oliva
2022-08-11 6:54 Alexandre Oliva
2022-08-11 6:43 Alexandre Oliva
2022-08-11 5:45 Alexandre Oliva
2022-08-11 5:22 Alexandre Oliva
2022-08-11 5:20 Alexandre Oliva
2022-08-11 5:17 Alexandre Oliva
2022-08-11 5:08 Alexandre Oliva
2022-08-11 4:24 Alexandre Oliva
2022-08-11 4:13 Alexandre Oliva
2022-08-11 2:50 Alexandre Oliva
2022-08-11 2:34 Alexandre Oliva
2022-08-11 2:24 Alexandre Oliva
2022-08-11 2:20 Alexandre Oliva
2022-08-11 1:57 Alexandre Oliva
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).