public inbox for gcc-patches@gcc.gnu.org
* [Ada] Extend hardcfr testing (documentation)
@ 2022-05-13  8:07 Pierre-Marie de Rodat
From: Pierre-Marie de Rodat @ 2022-05-13  8:07 UTC (permalink / raw)
  To: gcc-patches; +Cc: Alexandre Oliva


Having realized that noreturn calls of __builtin_return are special,
and other noreturn calls don't get edges to the exit block, I've
realized the consequences of the logic to insert checking before
noreturn and tail calls were not quite what I'd expected before.

Specifically, noreturn calls other than __builtin_return don't get any
checking whatsoever.  Moreover, optional tail calls are only detected
long after hardcfr; the logic should work for must-tail calls, but
there doesn't seem to be a way to test it.

Documentation has been simplified so as to remove mention of these
possibilities, which can't really be relied on.

Tested on x86_64-pc-linux-gnu, committed on trunk

gcc/ada/

	* doc/gnat_rm/security_hardening_features.rst (Control Flow
	Redundancy): Drop mentions of noreturn and tail calls.
	* gnat_rm.texi: Regenerate.


diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
@@ -232,22 +232,13 @@ instrumentation.
 
 For each block that is marked as visited, the mechanism checks that at
 least one of its predecessors, and at least one of its successors, are
-also marked as visited.  Verification is normally performed just
-before return, but when a nonreturning call or a tail-call opportunity
-is detected, verification is moved before that (presumed) final call.
-
-If an exception from a nonreturning call is handled by its caller,
-verification at the caller may run again if another verification point
-is reached.  The additional verifications are desirable and benign.
-
-Conversely, since no verification is inserted before calls that are
-expected to return, if they never do, the caller's own
-verification-and-return points are never reached.
-
-Subprogram executions that complete by raising or propagating an
-exception also bypass verification-and-return points.  A subprogram
-that can only complete by raising or propagating an exception may have
-instrumentation disabled altogether.
+also marked as visited.
+
+Verification is performed just before returning.  Subprogram
+executions that complete by raising or propagating an exception bypass
+verification-and-return points.  A subprogram that can only complete
+by raising or propagating an exception may have instrumentation
+disabled altogether.
 
 The instrumentation for hardening with control flow redundancy can be
 observed in dump files generated by the command-line option
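Review bot: the new paragraph loses a caveat that, per the cover letter, still holds: the dropped text "since no verification is inserted before calls that are expected to return, if they never do, the caller's own verification-and-return points are never reached" describes behaviour that now also applies to noreturn calls other than __builtin_return, which get no checking at all. Since the new wording only lists exception raise/propagation as a way to bypass verification, a reader would assume a subprogram ending in a nonreturning call is still checked. Suggest extending the new sentence to "Subprogram executions that complete by raising or propagating an exception, or by calling a subprogram that does not return, bypass verification-and-return points." so users relying on the hardening know which exits are uncovered.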


diff --git a/gcc/ada/gnat_rm.texi b/gcc/ada/gnat_rm.texi
--- a/gcc/ada/gnat_rm.texi
+++ b/gcc/ada/gnat_rm.texi
@@ -29084,22 +29084,13 @@ instrumentation.
 
 For each block that is marked as visited, the mechanism checks that at
 least one of its predecessors, and at least one of its successors, are
-also marked as visited.  Verification is normally performed just
-before return, but when a nonreturning call or a tail-call opportunity
-is detected, verification is moved before that (presumed) final call.
-
-If an exception from a nonreturning call is handled by its caller,
-verification at the caller may run again if another verification point
-is reached.  The additional verifications are desirable and benign.
-
-Conversely, since no verification is inserted before calls that are
-expected to return, if they never do, the caller’s own
-verification-and-return points are never reached.
-
-Subprogram executions that complete by raising or propagating an
-exception also bypass verification-and-return points.  A subprogram
-that can only complete by raising or propagating an exception may have
-instrumentation disabled altogether.
+also marked as visited.
+
+Verification is performed just before returning.  Subprogram
+executions that complete by raising or propagating an exception bypass
+verification-and-return points.  A subprogram that can only complete
+by raising or propagating an exception may have instrumentation
+disabled altogether.
 
 The instrumentation for hardening with control flow redundancy can be
 observed in dump files generated by the command-line option


