PR84239, Reimplement CET intrinsics for rdssp/incssp insn

PR84239, Reimplement CET intrinsics for rdssp/incssp insn

[Tsimbalist, Igor V]

[-- Attachment #1: Type: text/plain, Size: 387 bytes --]

Introduce a couple of new CET intrinsics for reading and updating a shadow stack
pointer (_get_ssp and _inc_ssp), which are more user friendly. They replace the existing
_rdssp[d|q] and _incssp[d|q] instrinsics. The _get_ssp intrinsic has more deterministic
semantic: it returns a value of the shadow stack pointer if HW is CET capable and
0 otherwise.

Ok for trunk?

Igor



[-- Attachment #2: 0001-Reimplement-CET-intrinsics-for-rdssp-incssp-insn.patch --]
[-- Type: application/octet-stream, Size: 14601 bytes --]

From b2628a08ca7d0a77f631ff1d93d61ee4cc248ab1 Mon Sep 17 00:00:00 2001
From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
Date: Wed, 7 Feb 2018 19:31:32 +0300
Subject: [PATCH] Reimplement CET intrinsics for rdssp/incssp insn

	PR target/84239
---
 gcc/ChangeLog                                | 16 +++++++
 gcc/config/i386/cetintrin.h                  | 31 ++++++--------
 gcc/config/i386/i386-builtin-types.def       |  1 +
 gcc/config/i386/i386-builtin.def             |  4 +-
 gcc/config/i386/i386.c                       |  3 +-
 gcc/config/i386/i386.md                      | 16 ++++---
 gcc/doc/extend.texi                          | 62 +++++++++++++++++++++++++---
 gcc/testsuite/ChangeLog                      |  9 ++++
 gcc/testsuite/gcc.target/i386/cet-intrin-3.c | 10 ++---
 gcc/testsuite/gcc.target/i386/cet-intrin-4.c | 25 +----------
 gcc/testsuite/gcc.target/i386/cet-rdssp-1.c  |  8 ++--
 libgcc/ChangeLog                             |  6 +++
 libgcc/config/i386/shadow-stack-unwind.h     | 17 +++-----
 13 files changed, 126 insertions(+), 82 deletions(-)

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 51c45c0..937a474 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,19 @@
+2018-02-08  Igor Tsimbalist  <igor.v.tsimbalist@intel.com>
+
+	PR target/84239
+	* config/i386/cetintrin.h: Remove _rdssp[d|q] and
+	add _get_ssp intrinsics. Remove argument from
+	__builtin_ia32_rdssp[d|q].
+	* config/i386/i386-builtin-types.def: Add UINT_FTYPE_VOID.
+	* config/i386/i386-builtin.def: Remove argument from
+	__builtin_ia32_rdssp[d|q].
+	* config/i386/i386.c: Use UINT_FTYPE_VOID. Use
+	ix86_expand_special_args_builtin for _rdssp[d|q].
+	* config/i386/i386.md: Remove argument from rdssp[si|di] insn.
+	Clear register before usage.
+	* doc/extend.texi: Remove argument from __builtin_ia32_rdssp[d|q].
+	Add documentation for new _get_ssp and _inc_ssp intrinsics.
+
 2018-02-07  H.J. Lu  <hongjiu.lu@intel.com>
 
 	PR target/84248
diff --git a/gcc/config/i386/cetintrin.h b/gcc/config/i386/cetintrin.h
index 7a4b4d8..e9abcf3 100644
--- a/gcc/config/i386/cetintrin.h
+++ b/gcc/config/i386/cetintrin.h
@@ -34,37 +34,32 @@
 #define __DISABLE_SHSTK__
 #endif /* __SHSTK__ */
 
-extern __inline unsigned int
-__attribute__((__gnu_inline__, __always_inline__, __artificial__))
-_rdsspd (unsigned int __B)
-{
-  return __builtin_ia32_rdsspd (__B);
-}
-
 #ifdef __x86_64__
 extern __inline unsigned long long
 __attribute__((__gnu_inline__, __always_inline__, __artificial__))
-_rdsspq (unsigned long long __B)
+_get_ssp (void)
 {
-  return __builtin_ia32_rdsspq (__B);
+  return __builtin_ia32_rdsspq ();
 }
-#endif
-
-extern __inline void
+#else
+extern __inline unsigned int
 __attribute__((__gnu_inline__, __always_inline__, __artificial__))
-_incsspd (unsigned int __B)
+_get_ssp (void)
 {
-  __builtin_ia32_incsspd (__B);
+  return __builtin_ia32_rdsspd ();
 }
+#endif
 
-#ifdef __x86_64__
 extern __inline void
 __attribute__((__gnu_inline__, __always_inline__, __artificial__))
-_incsspq (unsigned long long __B)
+_inc_ssp (unsigned int __B)
 {
-  __builtin_ia32_incsspq (__B);
-}
+#ifdef __x86_64__
+  __builtin_ia32_incsspq ((unsigned long long) __B);
+#else
+  __builtin_ia32_incsspd (__B);
 #endif
+}
 
 extern __inline void
 __attribute__((__gnu_inline__, __always_inline__, __artificial__))
diff --git a/gcc/config/i386/i386-builtin-types.def b/gcc/config/i386/i386-builtin-types.def
index ba33549..08360d2 100644
--- a/gcc/config/i386/i386-builtin-types.def
+++ b/gcc/config/i386/i386-builtin-types.def
@@ -192,6 +192,7 @@ DEF_POINTER_TYPE (PCV64QI, V64QI, CONST)
 DEF_FUNCTION_TYPE (FLOAT128)
 DEF_FUNCTION_TYPE (UINT64)
 DEF_FUNCTION_TYPE (UNSIGNED)
+DEF_FUNCTION_TYPE (UINT)
 DEF_FUNCTION_TYPE (USHORT)
 DEF_FUNCTION_TYPE (INT)
 DEF_FUNCTION_TYPE (VOID)
diff --git a/gcc/config/i386/i386-builtin.def b/gcc/config/i386/i386-builtin.def
index 2caac88..a510196 100644
--- a/gcc/config/i386/i386-builtin.def
+++ b/gcc/config/i386/i386-builtin.def
@@ -3043,7 +3043,7 @@ BDESC (OPTION_MASK_ISA_SHSTK, CODE_FOR_clrssbsy, "__builtin_ia32_clrssbsy", IX86
 BDESC_END (CET, CET_NORMAL)
 
 BDESC_FIRST (cet_rdssp, CET_NORMAL,
-       OPTION_MASK_ISA_SHSTK, CODE_FOR_rdsspsi, "__builtin_ia32_rdsspd", IX86_BUILTIN_RDSSPD, UNKNOWN, (int) UINT_FTYPE_UINT)
-BDESC (OPTION_MASK_ISA_SHSTK | OPTION_MASK_ISA_64BIT, CODE_FOR_rdsspdi, "__builtin_ia32_rdsspq", IX86_BUILTIN_RDSSPQ, UNKNOWN, (int) UINT64_FTYPE_UINT64)
+       OPTION_MASK_ISA_SHSTK, CODE_FOR_rdsspsi, "__builtin_ia32_rdsspd", IX86_BUILTIN_RDSSPD, UNKNOWN, (int) UINT_FTYPE_VOID)
+BDESC (OPTION_MASK_ISA_SHSTK | OPTION_MASK_ISA_64BIT, CODE_FOR_rdsspdi, "__builtin_ia32_rdsspq", IX86_BUILTIN_RDSSPQ, UNKNOWN, (int) UINT64_FTYPE_VOID)
 
 BDESC_END (CET_NORMAL, MAX)
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index fc3d6f0..53f9cae 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -35701,6 +35701,7 @@ ix86_expand_special_args_builtin (const struct builtin_description *d,
     case INT_FTYPE_VOID:
     case USHORT_FTYPE_VOID:
     case UINT64_FTYPE_VOID:
+    case UINT_FTYPE_VOID:
     case UNSIGNED_FTYPE_VOID:
       nargs = 0;
       klass = load;
@@ -38490,7 +38491,7 @@ s4fma_expand:
       && fcode <= IX86_BUILTIN__BDESC_CET_NORMAL_LAST)
     {
       i = fcode - IX86_BUILTIN__BDESC_CET_NORMAL_FIRST;
-      return ix86_expand_args_builtin (bdesc_cet_rdssp + i, exp,
+      return ix86_expand_special_args_builtin (bdesc_cet_rdssp + i, exp,
 				       target);
     }
 
diff --git a/gcc/config/i386/i386.md b/gcc/config/i386/i386.md
index a4832bf..3998053 100644
--- a/gcc/config/i386/i386.md
+++ b/gcc/config/i386/i386.md
@@ -18391,8 +18391,8 @@
       reg_ssp = gen_reg_rtx (word_mode);
       emit_insn (gen_rtx_SET (reg_ssp, const0_rtx));
       emit_insn ((word_mode == SImode)
-		 ? gen_rdsspsi (reg_ssp, reg_ssp)
-		 : gen_rdsspdi (reg_ssp, reg_ssp));
+		 ? gen_rdsspsi (reg_ssp)
+		 : gen_rdsspdi (reg_ssp));
       emit_move_insn (mem, reg_ssp);
     }
   DONE;
@@ -18437,8 +18437,8 @@
       reg_ssp = gen_reg_rtx (word_mode);
       emit_insn (gen_rtx_SET (reg_ssp, const0_rtx));
       emit_insn ((word_mode == SImode)
-		 ? gen_rdsspsi (reg_ssp, reg_ssp)
-		 : gen_rdsspdi (reg_ssp, reg_ssp));
+		 ? gen_rdsspsi (reg_ssp)
+		 : gen_rdsspdi (reg_ssp));
       mem_buf = gen_rtx_MEM (word_mode,
 			     plus_constant (Pmode, operands[0],
 					    3 * GET_MODE_SIZE (ptr_mode)));
@@ -20167,12 +20167,10 @@
 ;; CET instructions
 (define_insn "rdssp<mode>"
   [(set (match_operand:SWI48x 0 "register_operand" "=r")
-	(unspec_volatile:SWI48x
-	  [(match_operand:SWI48x 1 "register_operand" "0")]
-	  UNSPECV_NOP_RDSSP))]
+	(unspec_volatile:SWI48x [(const_int 0)] UNSPECV_NOP_RDSSP))]
   "TARGET_SHSTK"
-  "rdssp<mskmodesuffix>\t%0"
-  [(set_attr "length" "4")
+  "xor{l}\t%k0, %k0\n\trdssp<mskmodesuffix>\t%0"
+  [(set_attr "length" "6")
    (set_attr "type" "other")])
 
 (define_insn "incssp<mode>"
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cb9df97..9f25dd9 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -12461,6 +12461,7 @@ instructions, but allow the compiler to schedule those calls.
 * TILEPro Built-in Functions::
 * x86 Built-in Functions::
 * x86 transactional memory intrinsics::
+* x86 control-flow protection intrinsics::
 @end menu
 
 @node AArch64 Built-in Functions
@@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
 unsigned int __builtin_ia32_rdpkru ()
 @end smallexample
 
-The following built-in functions are available when @option{-mcet} is used.
-They are used to support Intel Control-flow Enforcment Technology (CET).
-Each built-in function generates the  machine instruction that is part of the
-function's name.
+The following built-in functions are available when @option{-mcet} or
+@option{-mshstk} option is used.  They support shadow stack
+machine instructions from Intel Control-flow Enforcment Technology (CET).
+Each built-in function generates the  machine instruction that is part
+of the function's name.  These are the internal low level functions.
+Normally the functions in @ref{x86 control-flow protection intrinsics}
+should be used instead.
+
 @smallexample
-unsigned int __builtin_ia32_rdsspd (unsigned int)
-unsigned long long __builtin_ia32_rdsspq (unsigned long long)
+unsigned int __builtin_ia32_rdsspd (void)
+unsigned long long __builtin_ia32_rdsspq (void)
 void __builtin_ia32_incsspd (unsigned int)
 void __builtin_ia32_incsspq (unsigned long long)
 void __builtin_ia32_saveprevssp(void);
@@ -21885,6 +21890,51 @@ else
 Note that, in most cases, the transactional and non-transactional code
 must synchronize together to ensure consistency.
 
+@node x86 control-flow protection intrinsics
+@subsection x86 Control-Flow Protection Intrinsics
+
+@deftypefn {CET Function} {ret_type} _get_ssp (void)
+The @code{ret_type} is @code{unsigned long long} for x86-64 platform
+and @code{unsigned int} for x86 pltform.
+Get the current value of shadow stack pointer if shadow stack support
+from Intel CET is enabled in the HW or @code{0} otherwise.
+@end deftypefn
+
+@deftypefn {CET Function} void _inc_ssp (unsigned int)
+Increment the current shadow stack pointer by the size specified by the
+function argument.  For security reason only unsigned byte value is used
+from the argument.  Therefore for the size greater than @code{255} the
+function should be called several times.
+@end deftypefn
+
+The shadow stack unwind code looks like:
+
+@smallexample
+#include <immintrin.h>
+
+/* Unwind the shadow stack for EH.  */
+#define _Unwind_Frames_Extra(x)		\
+  do					\
+    @{					\
+      _Unwind_Word ssp = _get_ssp ();	\
+      if (ssp != 0)			\
+	@{				\
+	  _Unwind_Word tmp = (x);	\
+	  while (tmp > 255)		\
+	    @{				\
+	      _inc_ssp (tmp);		\
+	      tmp -= 255;		\
+	    @}				\
+	  _inc_ssp (tmp);		\
+	@}				\
+    @}					\
+    while (0)
+@end smallexample
+
+@noindent
+This code runs unconditionally on all x86-64 processors and all x86
+processors that support multi-byte NOP instructions.
+
 @node Target Format Checks
 @section Format Checks Specific to Particular Target Machines
 
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index c90dc88..3fa26cc 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,12 @@
+2018-02-08  Igor Tsimbalist  <igor.v.tsimbalist@intel.com>
+
+	PR target/84239
+	* testsuite/gcc.target/i386/cet-intrin-3.c: Use new _get_ssp and
+	_inc_ssp intrinsics.
+	* testsuite/gcc.target/i386/cet-intrin-4.c: Likewise.
+	* testsuite/gcc.target/i386/cet-rdssp-1.c: Remove argument from
+	__builtin_ia32_rdssp[d|q].
+
 2018-02-07  Tom de Vries  <tom@codesourcery.com>
 
 	* gcc.dg/pr83844.c: Require effective target alloca.
diff --git a/gcc/testsuite/gcc.target/i386/cet-intrin-3.c b/gcc/testsuite/gcc.target/i386/cet-intrin-3.c
index bcd7203..b98c1e9 100644
--- a/gcc/testsuite/gcc.target/i386/cet-intrin-3.c
+++ b/gcc/testsuite/gcc.target/i386/cet-intrin-3.c
@@ -10,24 +10,22 @@
 
 unsigned int f1 ()
 {
-  unsigned int x = 0;
-  return _rdsspd (x);
+  return _get_ssp ();
 }
 
 void f3 (unsigned int _a)
 {
-  _incsspd (_a);
+  _inc_ssp (_a);
 }
 
 #ifdef __x86_64__
 unsigned long long f2 ()
 {
-  unsigned long long x = 0;
-  return _rdsspq (x);
+  return _get_ssp ();
 }
 
 void f4 (unsigned int _a)
 {
-  _incsspq (_a);
+  _inc_ssp (_a);
 }
 #endif
diff --git a/gcc/testsuite/gcc.target/i386/cet-intrin-4.c b/gcc/testsuite/gcc.target/i386/cet-intrin-4.c
index 437a4cd..86957b2 100644
--- a/gcc/testsuite/gcc.target/i386/cet-intrin-4.c
+++ b/gcc/testsuite/gcc.target/i386/cet-intrin-4.c
@@ -5,27 +5,4 @@
 /* { dg-final { scan-assembler "incssp\[dq]\[ \t]+(%|)\[re]di" { target { ! ia32 } } } } */
 
 #include <immintrin.h>
-
-unsigned int f1 ()
-{
-  unsigned int x = 0;
-  return _rdsspd (x);
-}
-
-void f3 (unsigned int _a)
-{
-  _incsspd (_a);
-}
-
-#ifdef __x86_64__
-unsigned long long f2 ()
-{
-  unsigned long long x = 0;
-  return _rdsspq (x);
-}
-
-void f4 (unsigned int _a)
-{
-  _incsspq (_a);
-}
-#endif
+#include "cet-intrin-3.c"
diff --git a/gcc/testsuite/gcc.target/i386/cet-rdssp-1.c b/gcc/testsuite/gcc.target/i386/cet-rdssp-1.c
index fb50ff4..6cd24f6 100644
--- a/gcc/testsuite/gcc.target/i386/cet-rdssp-1.c
+++ b/gcc/testsuite/gcc.target/i386/cet-rdssp-1.c
@@ -5,18 +5,18 @@ void _exit(int status) __attribute__ ((__noreturn__));
 
 #ifdef __x86_64__
 # define incssp(x) __builtin_ia32_incsspq (x)
-# define rdssp(x) __builtin_ia32_rdsspq (x)
+# define rdssp() __builtin_ia32_rdsspq ()
 #else
 # define incssp(x) __builtin_ia32_incsspd (x)
-# define rdssp(x) __builtin_ia32_rdsspd (x)
+# define rdssp() __builtin_ia32_rdsspd ()
 #endif
 
 static void
 __attribute__ ((noinline, noclone))
 test (unsigned long frames)
 {
-  unsigned long ssp = 0;
-  ssp = rdssp (ssp);
+  unsigned long ssp;
+  ssp = rdssp ();
   if (ssp != 0)
     {
       unsigned long tmp = frames;
diff --git a/libgcc/ChangeLog b/libgcc/ChangeLog
index 1eb1663..692773d 100644
--- a/libgcc/ChangeLog
+++ b/libgcc/ChangeLog
@@ -1,3 +1,9 @@
+2018-02-08  Igor Tsimbalist  <igor.v.tsimbalist@intel.com>
+
+	PR target/84239
+	* config/i386/shadow-stack-unwind.hi (_Unwind_Frames_Extra):
+	Use new _get_ssp and _inc_ssp intrinsics.
+
 2018-02-02  Julia Koval  <julia.koval@intel.com>
 
 	* config/i386/cpuinfo.h (processor_subtypes): Add INTEL_COREI7_ICELAKE.
diff --git a/libgcc/config/i386/shadow-stack-unwind.h b/libgcc/config/i386/shadow-stack-unwind.h
index ef75d97..416e061 100644
--- a/libgcc/config/i386/shadow-stack-unwind.h
+++ b/libgcc/config/i386/shadow-stack-unwind.h
@@ -22,30 +22,23 @@ a copy of the GCC Runtime Library Exception along with this program;
 see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
 <http://www.gnu.org/licenses/>.  */
 
-#ifdef __x86_64__
-# define incssp(x) __builtin_ia32_incsspq ((x))
-# define rdssp(x) __builtin_ia32_rdsspq (x)
-#else
-# define incssp(x) __builtin_ia32_incsspd ((x))
-# define rdssp(x) __builtin_ia32_rdsspd (x)
-#endif
+#include <x86intrin.h>
 
 /* Unwind the shadow stack for EH.  */
 #undef _Unwind_Frames_Extra
 #define _Unwind_Frames_Extra(x)			\
   do						\
     {						\
-      unsigned long ssp = 0;			\
-      ssp = rdssp (ssp);			\
+      _Unwind_Word ssp = _get_ssp ();		\
       if (ssp != 0)				\
 	{					\
-	  unsigned long tmp = (x);		\
+	  _Unwind_Word tmp = (x);		\
 	  while (tmp > 255)			\
 	    {					\
-	      incssp (tmp);			\
+	      _inc_ssp (tmp);			\
 	      tmp -= 255;			\
 	    }					\
-	  incssp (tmp);				\
+	  _inc_ssp (tmp);			\
 	}					\
     }						\
     while (0)
-- 
1.8.3.1

Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

[Sandra Loosemore]

On 02/09/2018 05:50 AM, Tsimbalist, Igor V wrote:
> Introduce a couple of new CET intrinsics for reading and updating a shadow stack
> pointer (_get_ssp and _inc_ssp), which are more user friendly. They replace the existing
> _rdssp[d|q] and _incssp[d|q] instrinsics. The _get_ssp intrinsic has more deterministic
> semantic: it returns a value of the shadow stack pointer if HW is CET capable and
> 0 otherwise.
> 
> Ok for trunk?

Just reviewing the documentation part:

> diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
> index cb9df97..9f25dd9 100644
> --- a/gcc/doc/extend.texi
> +++ b/gcc/doc/extend.texi
> @@ -12461,6 +12461,7 @@ instructions, but allow the compiler to schedule those calls.
>  * TILEPro Built-in Functions::
>  * x86 Built-in Functions::
>  * x86 transactional memory intrinsics::
> +* x86 control-flow protection intrinsics::
>  @end menu
>  
>  @node AArch64 Built-in Functions
> @@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
>  unsigned int __builtin_ia32_rdpkru ()
>  @end smallexample
>  
> -The following built-in functions are available when @option{-mcet} is used.
> -They are used to support Intel Control-flow Enforcment Technology (CET).
> -Each built-in function generates the  machine instruction that is part of the
> -function's name.
> +The following built-in functions are available when @option{-mcet} or
> +@option{-mshstk} option is used.  They support shadow stack
> +machine instructions from Intel Control-flow Enforcment Technology (CET).

s/Enforcment/Enforcement/

> +Each built-in function generates the  machine instruction that is part
> +of the function's name.  These are the internal low level functions.

s/low level/low-level/

> +Normally the functions in @ref{x86 control-flow protection intrinsics}
> +should be used instead.
> +
>  @smallexample
> -unsigned int __builtin_ia32_rdsspd (unsigned int)
> -unsigned long long __builtin_ia32_rdsspq (unsigned long long)
> +unsigned int __builtin_ia32_rdsspd (void)
> +unsigned long long __builtin_ia32_rdsspq (void)
>  void __builtin_ia32_incsspd (unsigned int)
>  void __builtin_ia32_incsspq (unsigned long long)
>  void __builtin_ia32_saveprevssp(void);
> @@ -21885,6 +21890,51 @@ else
>  Note that, in most cases, the transactional and non-transactional code
>  must synchronize together to ensure consistency.
>  
> +@node x86 control-flow protection intrinsics
> +@subsection x86 Control-Flow Protection Intrinsics
> +
> +@deftypefn {CET Function} {ret_type} _get_ssp (void)
> +The @code{ret_type} is @code{unsigned long long} for x86-64 platform
> +and @code{unsigned int} for x86 pltform.

I'd prefer the sentence about the return type be placed after the 
description of what the function does.  And please fix typos:
s/x86-64 platform/64-bit targets/
s/x86 pltform/32-bit targets/

> +Get the current value of shadow stack pointer if shadow stack support
> +from Intel CET is enabled in the HW or @code{0} otherwise.

s/HW/hardware,/

> +@end deftypefn
> +
> +@deftypefn {CET Function} void _inc_ssp (unsigned int)
> +Increment the current shadow stack pointer by the size specified by the
> +function argument.  For security reason only unsigned byte value is used
> +from the argument.  Therefore for the size greater than @code{255} the
> +function should be called several times.

How about rephrasing the last two sentences:

The argument is masked to a byte value for security reasons, so to 
increment by more than 255 bytes you must call the function multiple times.

> +@end deftypefn
> +
> +The shadow stack unwind code looks like:
> +
> +@smallexample
> +#include <immintrin.h>
> +
> +/* Unwind the shadow stack for EH.  */
> +#define _Unwind_Frames_Extra(x)		\
> +  do					\
> +    @{					\
> +      _Unwind_Word ssp = _get_ssp ();	\
> +      if (ssp != 0)			\
> +	@{				\
> +	  _Unwind_Word tmp = (x);	\
> +	  while (tmp > 255)		\
> +	    @{				\
> +	      _inc_ssp (tmp);		\
> +	      tmp -= 255;		\
> +	    @}				\
> +	  _inc_ssp (tmp);		\
> +	@}				\
> +    @}					\
> +    while (0)
> +@end smallexample

Tabs in Texinfo input don't work well.  Please use spaces to format code 
environments.

> +
> +@noindent
> +This code runs unconditionally on all x86-64 processors and all x86
> +processors that support multi-byte NOP instructions.

s/x86-64 and all x86/32-bit and 64-bit/

> +
>  @node Target Format Checks
>  @section Format Checks Specific to Particular Target Machines
>  

-Sandra

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

[Tsimbalist, Igor V]

[-- Attachment #1: Type: text/plain, Size: 5250 bytes --]

> -----Original Message-----
> From: Sandra Loosemore [mailto:sandra@codesourcery.com]
> Sent: Friday, February 9, 2018 7:42 PM
> To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; gcc-
> patches@gcc.gnu.org
> Cc: Uros Bizjak <ubizjak@gmail.com>
> Subject: Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn
> 
> On 02/09/2018 05:50 AM, Tsimbalist, Igor V wrote:
> > Introduce a couple of new CET intrinsics for reading and updating a
> shadow stack
> > pointer (_get_ssp and _inc_ssp), which are more user friendly. They replace
> the existing
> > _rdssp[d|q] and _incssp[d|q] instrinsics. The _get_ssp intrinsic has more
> deterministic
> > semantic: it returns a value of the shadow stack pointer if HW is CET
> capable and
> > 0 otherwise.
> >
> > Ok for trunk?
> 
> Just reviewing the documentation part:
> 
> > diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
> > index cb9df97..9f25dd9 100644
> > --- a/gcc/doc/extend.texi
> > +++ b/gcc/doc/extend.texi
> > @@ -12461,6 +12461,7 @@ instructions, but allow the compiler to
> schedule those calls.
> >  * TILEPro Built-in Functions::
> >  * x86 Built-in Functions::
> >  * x86 transactional memory intrinsics::
> > +* x86 control-flow protection intrinsics::
> >  @end menu
> >
> >  @node AArch64 Built-in Functions
> > @@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
> >  unsigned int __builtin_ia32_rdpkru ()
> >  @end smallexample
> >
> > -The following built-in functions are available when @option{-mcet} is
> used.
> > -They are used to support Intel Control-flow Enforcment Technology (CET).
> > -Each built-in function generates the  machine instruction that is part of
> the
> > -function's name.
> > +The following built-in functions are available when @option{-mcet} or
> > +@option{-mshstk} option is used.  They support shadow stack
> > +machine instructions from Intel Control-flow Enforcment Technology
> (CET).
> 
> s/Enforcment/Enforcement/
> 
> > +Each built-in function generates the  machine instruction that is part
> > +of the function's name.  These are the internal low level functions.
> 
> s/low level/low-level/
> 
> > +Normally the functions in @ref{x86 control-flow protection intrinsics}
> > +should be used instead.
> > +
> >  @smallexample
> > -unsigned int __builtin_ia32_rdsspd (unsigned int)
> > -unsigned long long __builtin_ia32_rdsspq (unsigned long long)
> > +unsigned int __builtin_ia32_rdsspd (void)
> > +unsigned long long __builtin_ia32_rdsspq (void)
> >  void __builtin_ia32_incsspd (unsigned int)
> >  void __builtin_ia32_incsspq (unsigned long long)
> >  void __builtin_ia32_saveprevssp(void);
> > @@ -21885,6 +21890,51 @@ else
> >  Note that, in most cases, the transactional and non-transactional code
> >  must synchronize together to ensure consistency.
> >
> > +@node x86 control-flow protection intrinsics
> > +@subsection x86 Control-Flow Protection Intrinsics
> > +
> > +@deftypefn {CET Function} {ret_type} _get_ssp (void)
> > +The @code{ret_type} is @code{unsigned long long} for x86-64 platform
> > +and @code{unsigned int} for x86 pltform.
> 
> I'd prefer the sentence about the return type be placed after the
> description of what the function does.  And please fix typos:
> s/x86-64 platform/64-bit targets/
> s/x86 pltform/32-bit targets/
> 
> > +Get the current value of shadow stack pointer if shadow stack support
> > +from Intel CET is enabled in the HW or @code{0} otherwise.
> 
> s/HW/hardware,/
> 
> > +@end deftypefn
> > +
> > +@deftypefn {CET Function} void _inc_ssp (unsigned int)
> > +Increment the current shadow stack pointer by the size specified by the
> > +function argument.  For security reason only unsigned byte value is used
> > +from the argument.  Therefore for the size greater than @code{255} the
> > +function should be called several times.
> 
> How about rephrasing the last two sentences:
> 
> The argument is masked to a byte value for security reasons, so to
> increment by more than 255 bytes you must call the function multiple times.
> 
> > +@end deftypefn
> > +
> > +The shadow stack unwind code looks like:
> > +
> > +@smallexample
> > +#include <immintrin.h>
> > +
> > +/* Unwind the shadow stack for EH.  */
> > +#define _Unwind_Frames_Extra(x)		\
> > +  do					\
> > +    @{					\
> > +      _Unwind_Word ssp = _get_ssp ();	\
> > +      if (ssp != 0)			\
> > +	@{				\
> > +	  _Unwind_Word tmp = (x);	\
> > +	  while (tmp > 255)		\
> > +	    @{				\
> > +	      _inc_ssp (tmp);		\
> > +	      tmp -= 255;		\
> > +	    @}				\
> > +	  _inc_ssp (tmp);		\
> > +	@}				\
> > +    @}					\
> > +    while (0)
> > +@end smallexample
> 
> Tabs in Texinfo input don't work well.  Please use spaces to format code
> environments.
> 
> > +
> > +@noindent
> > +This code runs unconditionally on all x86-64 processors and all x86
> > +processors that support multi-byte NOP instructions.
> 
> s/x86-64 and all x86/32-bit and 64-bit/
> 
> > +
> >  @node Target Format Checks
> >  @section Format Checks Specific to Particular Target Machines
> >

All comments are fixed. The updated patch is attached.

Igor

> -Sandra

[-- Attachment #2: 0001-Reimplement-CET-intrinsics-for-rdssp-incssp-insn.patch --]
[-- Type: application/octet-stream, Size: 14910 bytes --]

From f9453d2f1eec40c04812ba4059c329fbe6fa9309 Mon Sep 17 00:00:00 2001
From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
Date: Wed, 7 Feb 2018 19:31:32 +0300
Subject: [PATCH] Reimplement CET intrinsics for rdssp/incssp insn

	PR target/84239
---
 gcc/ChangeLog                                | 16 +++++++
 gcc/config/i386/cetintrin.h                  | 31 ++++++--------
 gcc/config/i386/i386-builtin-types.def       |  1 +
 gcc/config/i386/i386-builtin.def             |  4 +-
 gcc/config/i386/i386.c                       |  3 +-
 gcc/config/i386/i386.md                      | 16 ++++---
 gcc/doc/extend.texi                          | 62 +++++++++++++++++++++++++---
 gcc/testsuite/ChangeLog                      |  9 ++++
 gcc/testsuite/gcc.target/i386/cet-intrin-3.c | 10 ++---
 gcc/testsuite/gcc.target/i386/cet-intrin-4.c | 25 +----------
 gcc/testsuite/gcc.target/i386/cet-rdssp-1.c  |  8 ++--
 libgcc/ChangeLog                             |  6 +++
 libgcc/config/i386/shadow-stack-unwind.h     | 17 +++-----
 13 files changed, 126 insertions(+), 82 deletions(-)

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 51c45c0..937a474 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,19 @@
+2018-02-08  Igor Tsimbalist  <igor.v.tsimbalist@intel.com>
+
+	PR target/84239
+	* config/i386/cetintrin.h: Remove _rdssp[d|q] and
+	add _get_ssp intrinsics. Remove argument from
+	__builtin_ia32_rdssp[d|q].
+	* config/i386/i386-builtin-types.def: Add UINT_FTYPE_VOID.
+	* config/i386/i386-builtin.def: Remove argument from
+	__builtin_ia32_rdssp[d|q].
+	* config/i386/i386.c: Use UINT_FTYPE_VOID. Use
+	ix86_expand_special_args_builtin for _rdssp[d|q].
+	* config/i386/i386.md: Remove argument from rdssp[si|di] insn.
+	Clear register before usage.
+	* doc/extend.texi: Remove argument from __builtin_ia32_rdssp[d|q].
+	Add documentation for new _get_ssp and _inc_ssp intrinsics.
+
 2018-02-07  H.J. Lu  <hongjiu.lu@intel.com>
 
 	PR target/84248
diff --git a/gcc/config/i386/cetintrin.h b/gcc/config/i386/cetintrin.h
index 7a4b4d8..e9abcf3 100644
--- a/gcc/config/i386/cetintrin.h
+++ b/gcc/config/i386/cetintrin.h
@@ -34,37 +34,32 @@
 #define __DISABLE_SHSTK__
 #endif /* __SHSTK__ */
 
-extern __inline unsigned int
-__attribute__((__gnu_inline__, __always_inline__, __artificial__))
-_rdsspd (unsigned int __B)
-{
-  return __builtin_ia32_rdsspd (__B);
-}
-
 #ifdef __x86_64__
 extern __inline unsigned long long
 __attribute__((__gnu_inline__, __always_inline__, __artificial__))
-_rdsspq (unsigned long long __B)
+_get_ssp (void)
 {
-  return __builtin_ia32_rdsspq (__B);
+  return __builtin_ia32_rdsspq ();
 }
-#endif
-
-extern __inline void
+#else
+extern __inline unsigned int
 __attribute__((__gnu_inline__, __always_inline__, __artificial__))
-_incsspd (unsigned int __B)
+_get_ssp (void)
 {
-  __builtin_ia32_incsspd (__B);
+  return __builtin_ia32_rdsspd ();
 }
+#endif
 
-#ifdef __x86_64__
 extern __inline void
 __attribute__((__gnu_inline__, __always_inline__, __artificial__))
-_incsspq (unsigned long long __B)
+_inc_ssp (unsigned int __B)
 {
-  __builtin_ia32_incsspq (__B);
-}
+#ifdef __x86_64__
+  __builtin_ia32_incsspq ((unsigned long long) __B);
+#else
+  __builtin_ia32_incsspd (__B);
 #endif
+}
 
 extern __inline void
 __attribute__((__gnu_inline__, __always_inline__, __artificial__))
diff --git a/gcc/config/i386/i386-builtin-types.def b/gcc/config/i386/i386-builtin-types.def
index ba33549..08360d2 100644
--- a/gcc/config/i386/i386-builtin-types.def
+++ b/gcc/config/i386/i386-builtin-types.def
@@ -192,6 +192,7 @@ DEF_POINTER_TYPE (PCV64QI, V64QI, CONST)
 DEF_FUNCTION_TYPE (FLOAT128)
 DEF_FUNCTION_TYPE (UINT64)
 DEF_FUNCTION_TYPE (UNSIGNED)
+DEF_FUNCTION_TYPE (UINT)
 DEF_FUNCTION_TYPE (USHORT)
 DEF_FUNCTION_TYPE (INT)
 DEF_FUNCTION_TYPE (VOID)
diff --git a/gcc/config/i386/i386-builtin.def b/gcc/config/i386/i386-builtin.def
index 2caac88..a510196 100644
--- a/gcc/config/i386/i386-builtin.def
+++ b/gcc/config/i386/i386-builtin.def
@@ -3043,7 +3043,7 @@ BDESC (OPTION_MASK_ISA_SHSTK, CODE_FOR_clrssbsy, "__builtin_ia32_clrssbsy", IX86
 BDESC_END (CET, CET_NORMAL)
 
 BDESC_FIRST (cet_rdssp, CET_NORMAL,
-       OPTION_MASK_ISA_SHSTK, CODE_FOR_rdsspsi, "__builtin_ia32_rdsspd", IX86_BUILTIN_RDSSPD, UNKNOWN, (int) UINT_FTYPE_UINT)
-BDESC (OPTION_MASK_ISA_SHSTK | OPTION_MASK_ISA_64BIT, CODE_FOR_rdsspdi, "__builtin_ia32_rdsspq", IX86_BUILTIN_RDSSPQ, UNKNOWN, (int) UINT64_FTYPE_UINT64)
+       OPTION_MASK_ISA_SHSTK, CODE_FOR_rdsspsi, "__builtin_ia32_rdsspd", IX86_BUILTIN_RDSSPD, UNKNOWN, (int) UINT_FTYPE_VOID)
+BDESC (OPTION_MASK_ISA_SHSTK | OPTION_MASK_ISA_64BIT, CODE_FOR_rdsspdi, "__builtin_ia32_rdsspq", IX86_BUILTIN_RDSSPQ, UNKNOWN, (int) UINT64_FTYPE_VOID)
 
 BDESC_END (CET_NORMAL, MAX)
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index fc3d6f0..53f9cae 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -35701,6 +35701,7 @@ ix86_expand_special_args_builtin (const struct builtin_description *d,
     case INT_FTYPE_VOID:
     case USHORT_FTYPE_VOID:
     case UINT64_FTYPE_VOID:
+    case UINT_FTYPE_VOID:
     case UNSIGNED_FTYPE_VOID:
       nargs = 0;
       klass = load;
@@ -38490,7 +38491,7 @@ s4fma_expand:
       && fcode <= IX86_BUILTIN__BDESC_CET_NORMAL_LAST)
     {
       i = fcode - IX86_BUILTIN__BDESC_CET_NORMAL_FIRST;
-      return ix86_expand_args_builtin (bdesc_cet_rdssp + i, exp,
+      return ix86_expand_special_args_builtin (bdesc_cet_rdssp + i, exp,
 				       target);
     }
 
diff --git a/gcc/config/i386/i386.md b/gcc/config/i386/i386.md
index a4832bf..3998053 100644
--- a/gcc/config/i386/i386.md
+++ b/gcc/config/i386/i386.md
@@ -18391,8 +18391,8 @@
       reg_ssp = gen_reg_rtx (word_mode);
       emit_insn (gen_rtx_SET (reg_ssp, const0_rtx));
       emit_insn ((word_mode == SImode)
-		 ? gen_rdsspsi (reg_ssp, reg_ssp)
-		 : gen_rdsspdi (reg_ssp, reg_ssp));
+		 ? gen_rdsspsi (reg_ssp)
+		 : gen_rdsspdi (reg_ssp));
       emit_move_insn (mem, reg_ssp);
     }
   DONE;
@@ -18437,8 +18437,8 @@
       reg_ssp = gen_reg_rtx (word_mode);
       emit_insn (gen_rtx_SET (reg_ssp, const0_rtx));
       emit_insn ((word_mode == SImode)
-		 ? gen_rdsspsi (reg_ssp, reg_ssp)
-		 : gen_rdsspdi (reg_ssp, reg_ssp));
+		 ? gen_rdsspsi (reg_ssp)
+		 : gen_rdsspdi (reg_ssp));
       mem_buf = gen_rtx_MEM (word_mode,
 			     plus_constant (Pmode, operands[0],
 					    3 * GET_MODE_SIZE (ptr_mode)));
@@ -20167,12 +20167,10 @@
 ;; CET instructions
 (define_insn "rdssp<mode>"
   [(set (match_operand:SWI48x 0 "register_operand" "=r")
-	(unspec_volatile:SWI48x
-	  [(match_operand:SWI48x 1 "register_operand" "0")]
-	  UNSPECV_NOP_RDSSP))]
+	(unspec_volatile:SWI48x [(const_int 0)] UNSPECV_NOP_RDSSP))]
   "TARGET_SHSTK"
-  "rdssp<mskmodesuffix>\t%0"
-  [(set_attr "length" "4")
+  "xor{l}\t%k0, %k0\n\trdssp<mskmodesuffix>\t%0"
+  [(set_attr "length" "6")
    (set_attr "type" "other")])
 
 (define_insn "incssp<mode>"
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index cb9df97..d012eef 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -12461,6 +12461,7 @@ instructions, but allow the compiler to schedule those calls.
 * TILEPro Built-in Functions::
 * x86 Built-in Functions::
 * x86 transactional memory intrinsics::
+* x86 control-flow protection intrinsics::
 @end menu
 
 @node AArch64 Built-in Functions
@@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
 unsigned int __builtin_ia32_rdpkru ()
 @end smallexample
 
-The following built-in functions are available when @option{-mcet} is used.
-They are used to support Intel Control-flow Enforcment Technology (CET).
-Each built-in function generates the  machine instruction that is part of the
-function's name.
+The following built-in functions are available when @option{-mcet} or
+@option{-mshstk} option is used.  They support shadow stack
+machine instructions from Intel Control-flow Enforcement Technology (CET).
+Each built-in function generates the  machine instruction that is part
+of the function's name.  These are the internal low-level functions.
+Normally the functions in @ref{x86 control-flow protection intrinsics}
+should be used instead.
+
 @smallexample
-unsigned int __builtin_ia32_rdsspd (unsigned int)
-unsigned long long __builtin_ia32_rdsspq (unsigned long long)
+unsigned int __builtin_ia32_rdsspd (void)
+unsigned long long __builtin_ia32_rdsspq (void)
 void __builtin_ia32_incsspd (unsigned int)
 void __builtin_ia32_incsspq (unsigned long long)
 void __builtin_ia32_saveprevssp(void);
@@ -21885,6 +21890,51 @@ else
 Note that, in most cases, the transactional and non-transactional code
 must synchronize together to ensure consistency.
 
+@node x86 control-flow protection intrinsics
+@subsection x86 Control-Flow Protection Intrinsics
+
+@deftypefn {CET Function} {ret_type} _get_ssp (void)
+Get the current value of shadow stack pointer if shadow stack support
+from Intel CET is enabled in the hardware or @code{0} otherwise.
+The @code{ret_type} is @code{unsigned long long} for 64-bit targets 
+and @code{unsigned int} for 32-bit targets.
+@end deftypefn
+
+@deftypefn {CET Function} void _inc_ssp (unsigned int)
+Increment the current shadow stack pointer by the size specified by the
+function argument.  The argument is masked to a byte value for security
+reasons, so to increment by more than 255 bytes you must call the function
+multiple times.
+@end deftypefn
+
+The shadow stack unwind code looks like:
+
+@smallexample
+#include <immintrin.h>
+
+/* Unwind the shadow stack for EH.  */
+#define _Unwind_Frames_Extra(x)       \
+  do                                  \
+    @{                                \
+      _Unwind_Word ssp = _get_ssp (); \
+      if (ssp != 0)                   \
+        @{                            \
+          _Unwind_Word tmp = (x);     \
+          while (tmp > 255)           \
+            @{                        \
+              _inc_ssp (tmp);         \
+              tmp -= 255;             \
+            @}                        \
+          _inc_ssp (tmp);             \
+        @}                            \
+    @}                                \
+    while (0)
+@end smallexample
+
+@noindent
+This code runs unconditionally on all 64-bit processors.  For 32-bit
+processors the code runs on those that support multi-byte NOP instructions.
+
 @node Target Format Checks
 @section Format Checks Specific to Particular Target Machines
 
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index c90dc88..3fa26cc 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,12 @@
+2018-02-08  Igor Tsimbalist  <igor.v.tsimbalist@intel.com>
+
+	PR target/84239
+	* testsuite/gcc.target/i386/cet-intrin-3.c: Use new _get_ssp and
+	_inc_ssp intrinsics.
+	* testsuite/gcc.target/i386/cet-intrin-4.c: Likewise.
+	* testsuite/gcc.target/i386/cet-rdssp-1.c: Remove argument from
+	__builtin_ia32_rdssp[d|q].
+
 2018-02-07  Tom de Vries  <tom@codesourcery.com>
 
 	* gcc.dg/pr83844.c: Require effective target alloca.
diff --git a/gcc/testsuite/gcc.target/i386/cet-intrin-3.c b/gcc/testsuite/gcc.target/i386/cet-intrin-3.c
index bcd7203..b98c1e9 100644
--- a/gcc/testsuite/gcc.target/i386/cet-intrin-3.c
+++ b/gcc/testsuite/gcc.target/i386/cet-intrin-3.c
@@ -10,24 +10,22 @@
 
 unsigned int f1 ()
 {
-  unsigned int x = 0;
-  return _rdsspd (x);
+  return _get_ssp ();
 }
 
 void f3 (unsigned int _a)
 {
-  _incsspd (_a);
+  _inc_ssp (_a);
 }
 
 #ifdef __x86_64__
 unsigned long long f2 ()
 {
-  unsigned long long x = 0;
-  return _rdsspq (x);
+  return _get_ssp ();
 }
 
 void f4 (unsigned int _a)
 {
-  _incsspq (_a);
+  _inc_ssp (_a);
 }
 #endif
diff --git a/gcc/testsuite/gcc.target/i386/cet-intrin-4.c b/gcc/testsuite/gcc.target/i386/cet-intrin-4.c
index 437a4cd..86957b2 100644
--- a/gcc/testsuite/gcc.target/i386/cet-intrin-4.c
+++ b/gcc/testsuite/gcc.target/i386/cet-intrin-4.c
@@ -5,27 +5,4 @@
 /* { dg-final { scan-assembler "incssp\[dq]\[ \t]+(%|)\[re]di" { target { ! ia32 } } } } */
 
 #include <immintrin.h>
-
-unsigned int f1 ()
-{
-  unsigned int x = 0;
-  return _rdsspd (x);
-}
-
-void f3 (unsigned int _a)
-{
-  _incsspd (_a);
-}
-
-#ifdef __x86_64__
-unsigned long long f2 ()
-{
-  unsigned long long x = 0;
-  return _rdsspq (x);
-}
-
-void f4 (unsigned int _a)
-{
-  _incsspq (_a);
-}
-#endif
+#include "cet-intrin-3.c"
diff --git a/gcc/testsuite/gcc.target/i386/cet-rdssp-1.c b/gcc/testsuite/gcc.target/i386/cet-rdssp-1.c
index fb50ff4..6cd24f6 100644
--- a/gcc/testsuite/gcc.target/i386/cet-rdssp-1.c
+++ b/gcc/testsuite/gcc.target/i386/cet-rdssp-1.c
@@ -5,18 +5,18 @@ void _exit(int status) __attribute__ ((__noreturn__));
 
 #ifdef __x86_64__
 # define incssp(x) __builtin_ia32_incsspq (x)
-# define rdssp(x) __builtin_ia32_rdsspq (x)
+# define rdssp() __builtin_ia32_rdsspq ()
 #else
 # define incssp(x) __builtin_ia32_incsspd (x)
-# define rdssp(x) __builtin_ia32_rdsspd (x)
+# define rdssp() __builtin_ia32_rdsspd ()
 #endif
 
 static void
 __attribute__ ((noinline, noclone))
 test (unsigned long frames)
 {
-  unsigned long ssp = 0;
-  ssp = rdssp (ssp);
+  unsigned long ssp;
+  ssp = rdssp ();
   if (ssp != 0)
     {
       unsigned long tmp = frames;
diff --git a/libgcc/ChangeLog b/libgcc/ChangeLog
index 1eb1663..692773d 100644
--- a/libgcc/ChangeLog
+++ b/libgcc/ChangeLog
@@ -1,3 +1,9 @@
+2018-02-08  Igor Tsimbalist  <igor.v.tsimbalist@intel.com>
+
+	PR target/84239
+	* config/i386/shadow-stack-unwind.hi (_Unwind_Frames_Extra):
+	Use new _get_ssp and _inc_ssp intrinsics.
+
 2018-02-02  Julia Koval  <julia.koval@intel.com>
 
 	* config/i386/cpuinfo.h (processor_subtypes): Add INTEL_COREI7_ICELAKE.
diff --git a/libgcc/config/i386/shadow-stack-unwind.h b/libgcc/config/i386/shadow-stack-unwind.h
index ef75d97..416e061 100644
--- a/libgcc/config/i386/shadow-stack-unwind.h
+++ b/libgcc/config/i386/shadow-stack-unwind.h
@@ -22,30 +22,23 @@ a copy of the GCC Runtime Library Exception along with this program;
 see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
 <http://www.gnu.org/licenses/>.  */
 
-#ifdef __x86_64__
-# define incssp(x) __builtin_ia32_incsspq ((x))
-# define rdssp(x) __builtin_ia32_rdsspq (x)
-#else
-# define incssp(x) __builtin_ia32_incsspd ((x))
-# define rdssp(x) __builtin_ia32_rdsspd (x)
-#endif
+#include <x86intrin.h>
 
 /* Unwind the shadow stack for EH.  */
 #undef _Unwind_Frames_Extra
 #define _Unwind_Frames_Extra(x)			\
   do						\
     {						\
-      unsigned long ssp = 0;			\
-      ssp = rdssp (ssp);			\
+      _Unwind_Word ssp = _get_ssp ();		\
       if (ssp != 0)				\
 	{					\
-	  unsigned long tmp = (x);		\
+	  _Unwind_Word tmp = (x);		\
 	  while (tmp > 255)			\
 	    {					\
-	      incssp (tmp);			\
+	      _inc_ssp (tmp);			\
 	      tmp -= 255;			\
 	    }					\
-	  incssp (tmp);				\
+	  _inc_ssp (tmp);			\
 	}					\
     }						\
     while (0)
-- 
1.8.3.1

Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

[Jeff Law]

On 02/12/2018 07:16 AM, Tsimbalist, Igor V wrote:
>> -----Original Message-----
>> From: Sandra Loosemore [mailto:sandra@codesourcery.com]
>> Sent: Friday, February 9, 2018 7:42 PM
>> To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>; gcc-
>> patches@gcc.gnu.org
>> Cc: Uros Bizjak <ubizjak@gmail.com>
>> Subject: Re: PR84239, Reimplement CET intrinsics for rdssp/incssp insn
>>
>> On 02/09/2018 05:50 AM, Tsimbalist, Igor V wrote:
>>> Introduce a couple of new CET intrinsics for reading and updating a
>> shadow stack
>>> pointer (_get_ssp and _inc_ssp), which are more user friendly. They replace
>> the existing
>>> _rdssp[d|q] and _incssp[d|q] instrinsics. The _get_ssp intrinsic has more
>> deterministic
>>> semantic: it returns a value of the shadow stack pointer if HW is CET
>> capable and
>>> 0 otherwise.
>>>
>>> Ok for trunk?
>> Just reviewing the documentation part:
>>
>>> diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
>>> index cb9df97..9f25dd9 100644
>>> --- a/gcc/doc/extend.texi
>>> +++ b/gcc/doc/extend.texi
>>> @@ -12461,6 +12461,7 @@ instructions, but allow the compiler to
>> schedule those calls.
>>>  * TILEPro Built-in Functions::
>>>  * x86 Built-in Functions::
>>>  * x86 transactional memory intrinsics::
>>> +* x86 control-flow protection intrinsics::
>>>  @end menu
>>>
>>>  @node AArch64 Built-in Functions
>>> @@ -21772,13 +21773,17 @@ void __builtin_ia32_wrpkru (unsigned int)
>>>  unsigned int __builtin_ia32_rdpkru ()
>>>  @end smallexample
>>>
>>> -The following built-in functions are available when @option{-mcet} is
>> used.
>>> -They are used to support Intel Control-flow Enforcment Technology (CET).
>>> -Each built-in function generates the  machine instruction that is part of
>> the
>>> -function's name.
>>> +The following built-in functions are available when @option{-mcet} or
>>> +@option{-mshstk} option is used.  They support shadow stack
>>> +machine instructions from Intel Control-flow Enforcment Technology
>> (CET).
>>
>> s/Enforcment/Enforcement/
>>
>>> +Each built-in function generates the  machine instruction that is part
>>> +of the function's name.  These are the internal low level functions.
>> s/low level/low-level/
>>
>>> +Normally the functions in @ref{x86 control-flow protection intrinsics}
>>> +should be used instead.
>>> +
>>>  @smallexample
>>> -unsigned int __builtin_ia32_rdsspd (unsigned int)
>>> -unsigned long long __builtin_ia32_rdsspq (unsigned long long)
>>> +unsigned int __builtin_ia32_rdsspd (void)
>>> +unsigned long long __builtin_ia32_rdsspq (void)
>>>  void __builtin_ia32_incsspd (unsigned int)
>>>  void __builtin_ia32_incsspq (unsigned long long)
>>>  void __builtin_ia32_saveprevssp(void);
>>> @@ -21885,6 +21890,51 @@ else
>>>  Note that, in most cases, the transactional and non-transactional code
>>>  must synchronize together to ensure consistency.
>>>
>>> +@node x86 control-flow protection intrinsics
>>> +@subsection x86 Control-Flow Protection Intrinsics
>>> +
>>> +@deftypefn {CET Function} {ret_type} _get_ssp (void)
>>> +The @code{ret_type} is @code{unsigned long long} for x86-64 platform
>>> +and @code{unsigned int} for x86 pltform.
>> I'd prefer the sentence about the return type be placed after the
>> description of what the function does.  And please fix typos:
>> s/x86-64 platform/64-bit targets/
>> s/x86 pltform/32-bit targets/
>>
>>> +Get the current value of shadow stack pointer if shadow stack support
>>> +from Intel CET is enabled in the HW or @code{0} otherwise.
>> s/HW/hardware,/
>>
>>> +@end deftypefn
>>> +
>>> +@deftypefn {CET Function} void _inc_ssp (unsigned int)
>>> +Increment the current shadow stack pointer by the size specified by the
>>> +function argument.  For security reason only unsigned byte value is used
>>> +from the argument.  Therefore for the size greater than @code{255} the
>>> +function should be called several times.
>> How about rephrasing the last two sentences:
>>
>> The argument is masked to a byte value for security reasons, so to
>> increment by more than 255 bytes you must call the function multiple times.
>>
>>> +@end deftypefn
>>> +
>>> +The shadow stack unwind code looks like:
>>> +
>>> +@smallexample
>>> +#include <immintrin.h>
>>> +
>>> +/* Unwind the shadow stack for EH.  */
>>> +#define _Unwind_Frames_Extra(x)		\
>>> +  do					\
>>> +    @{					\
>>> +      _Unwind_Word ssp = _get_ssp ();	\
>>> +      if (ssp != 0)			\
>>> +	@{				\
>>> +	  _Unwind_Word tmp = (x);	\
>>> +	  while (tmp > 255)		\
>>> +	    @{				\
>>> +	      _inc_ssp (tmp);		\
>>> +	      tmp -= 255;		\
>>> +	    @}				\
>>> +	  _inc_ssp (tmp);		\
>>> +	@}				\
>>> +    @}					\
>>> +    while (0)
>>> +@end smallexample
>> Tabs in Texinfo input don't work well.  Please use spaces to format code
>> environments.
>>
>>> +
>>> +@noindent
>>> +This code runs unconditionally on all x86-64 processors and all x86
>>> +processors that support multi-byte NOP instructions.
>> s/x86-64 and all x86/32-bit and 64-bit/
>>
>>> +
>>>  @node Target Format Checks
>>>  @section Format Checks Specific to Particular Target Machines
>>>
> All comments are fixed. The updated patch is attached.
> 
> Igor
> 
>> -Sandra
> 
> 0001-Reimplement-CET-intrinsics-for-rdssp-incssp-insn.patch
> 
> 
> From f9453d2f1eec40c04812ba4059c329fbe6fa9309 Mon Sep 17 00:00:00 2001
> From: Igor Tsimbalist <igor.v.tsimbalist@intel.com>
> Date: Wed, 7 Feb 2018 19:31:32 +0300
> Subject: [PATCH] Reimplement CET intrinsics for rdssp/incssp insn
> 
> 	PR target/84239
> ---
>  gcc/ChangeLog                                | 16 +++++++
>  gcc/config/i386/cetintrin.h                  | 31 ++++++--------
>  gcc/config/i386/i386-builtin-types.def       |  1 +
>  gcc/config/i386/i386-builtin.def             |  4 +-
>  gcc/config/i386/i386.c                       |  3 +-
>  gcc/config/i386/i386.md                      | 16 ++++---
>  gcc/doc/extend.texi                          | 62 +++++++++++++++++++++++++---
>  gcc/testsuite/ChangeLog                      |  9 ++++
>  gcc/testsuite/gcc.target/i386/cet-intrin-3.c | 10 ++---
>  gcc/testsuite/gcc.target/i386/cet-intrin-4.c | 25 +----------
>  gcc/testsuite/gcc.target/i386/cet-rdssp-1.c  |  8 ++--
>  libgcc/ChangeLog                             |  6 +++
>  libgcc/config/i386/shadow-stack-unwind.h     | 17 +++-----
>  13 files changed, 126 insertions(+), 82 deletions(-)
[ ... ]
OK.  Thanks,
Jeff

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

[Joseph Myers]

This patch has broken bootstrap of a cross toolchain for x86_64 (the case 
where inhibit_libc is defined because there is no libc for the target 
available at that stage in the bootstrap process).

In file included from 
/scratch/jmyers/glibc-bot/build/compilers/x86_64-linux-gnu/gcc-first/gcc/include/xmmintrin.h:34,
                 from 
/scratch/jmyers/glibc-bot/build/compilers/x86_64-linux-gnu/gcc-first/gcc/include/x86intrin.h:33,
                 from 
/scratch/jmyers/glibc-bot/src/gcc/libgcc/config/i386/shadow-stack-unwind.h:25,
                 from ./md-unwind-support.h:27,
                 from /scratch/jmyers/glibc-bot/src/gcc/libgcc/unwind-dw2.c:411:
../../.././gcc/mm_malloc.h:27:10: fatal error: stdlib.h: No such file or directory
 #include <stdlib.h>
          ^~~~~~~~~~

https://sourceware.org/ml/libc-testresults/2018-q1/msg00307.html

The patch makes shadow-stack-unwind.h include <x86intrin.h>, which ends up 
including <mm_malloc.h>, which includes <stdlib.h> and <errno.h> 
unconditionally.  You can't include any libc system headers 
unconditionally from libgcc (only when inhibit_libc is not defined - and 
<mm_malloc.h>, being an installed header, can't test inhibit_libc because 
it's in the user's namespace).  So I think you need to avoid the 
mm_malloc.h include here somehow (without adding any inhibit_libc 
conditionals to installed headers).

-- 
Joseph S. Myers
joseph@codesourcery.com

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

[Tsimbalist, Igor V]

Igor


> -----Original Message-----
> From: Joseph Myers [mailto:joseph@codesourcery.com]
> Sent: Thursday, February 15, 2018 1:24 AM
> To: Tsimbalist, Igor V <igor.v.tsimbalist@intel.com>
> Cc: Sandra Loosemore <sandra@codesourcery.com>; gcc-
> patches@gcc.gnu.org; Uros Bizjak <ubizjak@gmail.com>
> Subject: RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn
> 
> This patch has broken bootstrap of a cross toolchain for x86_64 (the case
> where inhibit_libc is defined because there is no libc for the target
> available at that stage in the bootstrap process).
> 
> In file included from
> /scratch/jmyers/glibc-bot/build/compilers/x86_64-linux-gnu/gcc-
> first/gcc/include/xmmintrin.h:34,
>                  from
> /scratch/jmyers/glibc-bot/build/compilers/x86_64-linux-gnu/gcc-
> first/gcc/include/x86intrin.h:33,
>                  from
> /scratch/jmyers/glibc-bot/src/gcc/libgcc/config/i386/shadow-stack-
> unwind.h:25,
>                  from ./md-unwind-support.h:27,
>                  from /scratch/jmyers/glibc-bot/src/gcc/libgcc/unwind-dw2.c:411:
> ../../.././gcc/mm_malloc.h:27:10: fatal error: stdlib.h: No such file or directory
>  #include <stdlib.h>
>           ^~~~~~~~~~
> 
> https://sourceware.org/ml/libc-testresults/2018-q1/msg00307.html
> 
> The patch makes shadow-stack-unwind.h include <x86intrin.h>, which ends
> up
> including <mm_malloc.h>, which includes <stdlib.h> and <errno.h>
> unconditionally.  You can't include any libc system headers
> unconditionally from libgcc (only when inhibit_libc is not defined - and
> <mm_malloc.h>, being an installed header, can't test inhibit_libc because
> it's in the user's namespace).  So I think you need to avoid the
> mm_malloc.h include here somehow (without adding any inhibit_libc
> conditionals to installed headers).

Here is a proposed patch

diff --git a/libgcc/config/i386/shadow-stack-unwind.h b/libgcc/config/i386/shadow-stack-unwind.h
index 416e061..b7c3d98 100644
--- a/libgcc/config/i386/shadow-stack-unwind.h
+++ b/libgcc/config/i386/shadow-stack-unwind.h
@@ -22,7 +22,14 @@ a copy of the GCC Runtime Library Exception along with this program;
 see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see
 <http://www.gnu.org/licenses/>.  */

-#include <x86intrin.h>
+/* NB: We need _get_ssp and _inc_ssp from <cetintrin.h>.  But we can't
+   include <x86intrin.h> which ends up including <mm_malloc.h>, which
+   includes <stdlib.h> and <errno.h> unconditionally.  But we can't
+   include any libc system headers unconditionally from libgcc.  Avoid
+   including <mm_malloc.h> here by defining _IMMINTRIN_H_INCLUDED.  */
+#define _IMMINTRIN_H_INCLUDED
+#include <cetintrin.h>
+#undef _IMMINTRIN_H_INCLUDED

 /* Unwind the shadow stack for EH.  */
 #undef _Unwind_Frames_Extra

I haven't managed to run it through ./glibc/glibc.sourceware/scripts/build-many-glibcs.py. I did bootstrap and CET tests.

Ok for trunk?

Igor

> --
> Joseph S. Myers
> joseph@codesourcery.com

RE: PR84239, Reimplement CET intrinsics for rdssp/incssp insn

[Joseph Myers]

On Thu, 15 Feb 2018, Tsimbalist, Igor V wrote:

> I haven't managed to run it through 
> ./glibc/glibc.sourceware/scripts/build-many-glibcs.py. I did bootstrap 
> and CET tests.
> 
> Ok for trunk?

OK.

-- 
Joseph S. Myers
joseph@codesourcery.com