Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

[Sandra Loosemore <sandra@codesourcery.com>]

On 02/09/2018 05:50 AM, Tsimbalist, Igor V wrote:
> Introduce a couple of new CET intrinsics for reading and updating a shadow stack
> pointer (_get_ssp and _inc_ssp), which are more user friendly. They replace the existing
> _rdssp[d|q] and _incssp[d|q] instrinsics. The _get_ssp intrinsic has more deterministic
> semantic: it returns a value of the shadow stack pointer if HW is CET capable and
> 0 otherwise.
> 
> Ok for trunk?

Just reviewing the documentation part:

> diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
> index cb9df97..9f25dd9 100644
> --- a/gcc/doc/extend.texi
> +++ b/gcc/doc/extend.texi
> @@ -12461,6 +12461,7 @@ instructions, but allow the compiler to schedule those calls.
>  * TILEPro Built-in Functions::
>  * x86 Built-in Functions::
>  * x86 transactional memory intrinsics::
> +* x86 control-flow protection intrinsics::
>  @end menu
>  
>  @node AArch64 Built-in Functions
> @@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
>  unsigned int __builtin_ia32_rdpkru ()
>  @end smallexample
>  
> -The following built-in functions are available when @option{-mcet} is used.
> -They are used to support Intel Control-flow Enforcment Technology (CET).
> -Each built-in function generates the  machine instruction that is part of the
> -function's name.
> +The following built-in functions are available when @option{-mcet} or
> +@option{-mshstk} option is used.  They support shadow stack
> +machine instructions from Intel Control-flow Enforcment Technology (CET).

s/Enforcment/Enforcement/

> +Each built-in function generates the  machine instruction that is part
> +of the function's name.  These are the internal low level functions.

s/low level/low-level/

> +Normally the functions in @ref{x86 control-flow protection intrinsics}
> +should be used instead.
> +
>  @smallexample
> -unsigned int __builtin_ia32_rdsspd (unsigned int)
> -unsigned long long __builtin_ia32_rdsspq (unsigned long long)
> +unsigned int __builtin_ia32_rdsspd (void)
> +unsigned long long __builtin_ia32_rdsspq (void)
>  void __builtin_ia32_incsspd (unsigned int)
>  void __builtin_ia32_incsspq (unsigned long long)
>  void __builtin_ia32_saveprevssp(void);
> @@ -21885,6 +21890,51 @@ else
>  Note that, in most cases, the transactional and non-transactional code
>  must synchronize together to ensure consistency.
>  
> +@node x86 control-flow protection intrinsics
> +@subsection x86 Control-Flow Protection Intrinsics
> +
> +@deftypefn {CET Function} {ret_type} _get_ssp (void)
> +The @code{ret_type} is @code{unsigned long long} for x86-64 platform
> +and @code{unsigned int} for x86 pltform.

I'd prefer the sentence about the return type be placed after the 
description of what the function does.  And please fix typos:
s/x86-64 platform/64-bit targets/
s/x86 pltform/32-bit targets/

> +Get the current value of shadow stack pointer if shadow stack support
> +from Intel CET is enabled in the HW or @code{0} otherwise.

s/HW/hardware,/

> +@end deftypefn
> +
> +@deftypefn {CET Function} void _inc_ssp (unsigned int)
> +Increment the current shadow stack pointer by the size specified by the
> +function argument.  For security reason only unsigned byte value is used
> +from the argument.  Therefore for the size greater than @code{255} the
> +function should be called several times.

How about rephrasing the last two sentences:

The argument is masked to a byte value for security reasons, so to 
increment by more than 255 bytes you must call the function multiple times.

> +@end deftypefn
> +
> +The shadow stack unwind code looks like:
> +
> +@smallexample
> +#include <immintrin.h>
> +
> +/* Unwind the shadow stack for EH.  */
> +#define _Unwind_Frames_Extra(x)		\
> +  do					\
> +    @{					\
> +      _Unwind_Word ssp = _get_ssp ();	\
> +      if (ssp != 0)			\
> +	@{				\
> +	  _Unwind_Word tmp = (x);	\
> +	  while (tmp > 255)		\
> +	    @{				\
> +	      _inc_ssp (tmp);		\
> +	      tmp -= 255;		\
> +	    @}				\
> +	  _inc_ssp (tmp);		\
> +	@}				\
> +    @}					\
> +    while (0)
> +@end smallexample

Tabs in Texinfo input don't work well.  Please use spaces to format code 
environments.

> +
> +@noindent
> +This code runs unconditionally on all x86-64 processors and all x86
> +processors that support multi-byte NOP instructions.

s/x86-64 and all x86/32-bit and 64-bit/

> +
>  @node Target Format Checks
>  @section Format Checks Specific to Particular Target Machines
>  

-Sandra