-fpatchable-function-entry should set SHF_WRITE and create one __patchable_function_entries per function

-fpatchable-function-entry should set SHF_WRITE and create one __patchable_function_entries per function

[Fangrui Song]

The addresses of NOPs are collected in a section named __patchable_function_entries.
A __patchable_function_entries entry is relocated by a symbolic relocation (e.g. R_X86_64_64, R_AARCH64_ABS64, R_PPC64_ADDR64).
In -shared or -pie mode, the linker will create a dynamic relocation (non-preemptible: relative relocation (e.g. R_X86_64_RELATIVE); preemptible: symbolic relocation (e.g. R_X86_64_64)).

In either case, the section contents will be modified at runtime.
Thus, the section should have the SHF_WRITE flag to avoid text relocations (DF_TEXTREL).



When -ffunction-sections is used, ideally GCC should emit one __patchable_function_entries (SHF_LINK_ORDER) per .text.foo .
If the corresponding .text.foo is discarded (--gc-sections, COMDAT, /DISCARD/), the linker can discard the associated __patchable_function_entries. This can be seen as a lightweight COMDAT section group. (A section group adds an extra section and costs 3 words)
Currently lld (LLVM linker) has implemented such SHF_LINK_ORDER collecting features. GNU ld and gold don't have the features.

I have summarized the feature requests in this post https://sourceware.org/ml/binutils/2019-11/msg00266.html

gcc -fpatchable-function-entry=2 -ffunction-sections -c a.c

   [ 4] .text.f0          PROGBITS        0000000000000000 000040 000009 00  AX  0   0  1
   ### No W flag
   ### One __patchable_function_entries instead of 3.
   [ 5] __patchable_function_entries PROGBITS        0000000000000000 000049 000018 00   A  0   0  1
   [ 6] .rela__patchable_function_entries RELA            0000000000000000 000280 000048 18   I 13   5  8
   [ 7] .text.f1          PROGBITS        0000000000000000 000061 000009 00  AX  0   0  1
   [ 8] .text.f2          PROGBITS        0000000000000000 00006a 000009 00  AX  0   0  1

Re: -fpatchable-function-entry should set SHF_WRITE and create one __patchable_function_entries per function

[Fangrui Song]

On 2020-01-06, Fangrui Song wrote:
>The addresses of NOPs are collected in a section named __patchable_function_entries.
>A __patchable_function_entries entry is relocated by a symbolic relocation (e.g. R_X86_64_64, R_AARCH64_ABS64, R_PPC64_ADDR64).
>In -shared or -pie mode, the linker will create a dynamic relocation (non-preemptible: relative relocation (e.g. R_X86_64_RELATIVE); preemptible: symbolic relocation (e.g. R_X86_64_64)).
>
>In either case, the section contents will be modified at runtime.
>Thus, the section should have the SHF_WRITE flag to avoid text relocations (DF_TEXTREL).
>
>
>
>When -ffunction-sections is used, ideally GCC should emit one __patchable_function_entries (SHF_LINK_ORDER) per .text.foo .
>If the corresponding .text.foo is discarded (--gc-sections, COMDAT, /DISCARD/), the linker can discard the associated __patchable_function_entries. This can be seen as a lightweight COMDAT section group. (A section group adds an extra section and costs 3 words)
>Currently lld (LLVM linker) has implemented such SHF_LINK_ORDER collecting features. GNU ld and gold don't have the features.
>
>I have summarized the feature requests in this post https://sourceware.org/ml/binutils/2019-11/msg00266.html
>
>gcc -fpatchable-function-entry=2 -ffunction-sections -c a.c
>
>  [ 4] .text.f0          PROGBITS        0000000000000000 000040 000009 00  AX  0   0  1
>  ### No W flag
>  ### One __patchable_function_entries instead of 3.
>  [ 5] __patchable_function_entries PROGBITS        0000000000000000 000049 000018 00   A  0   0  1
>  [ 6] .rela__patchable_function_entries RELA            0000000000000000 000280 000048 18   I 13   5  8
>  [ 7] .text.f1          PROGBITS        0000000000000000 000061 000009 00  AX  0   0  1
>  [ 8] .text.f2          PROGBITS        0000000000000000 00006a 000009 00  AX  0   0  1

Emitting a __patchable_function_entries for each function may waste
object file sizes (64 bytes per function on ELF64). If zeros are
allowed, emitting a single __patchable_function_entries should be fine.

If we do want to emit unique sections, the condition should be either
-ffunction-sections or COMDAT is used.

Re: -fpatchable-function-entry should set SHF_WRITE and create one __patchable_function_entries per function

[Szabolcs Nagy]

On 07/01/2020 07:25, Fangrui Song wrote:
> On 2020-01-06, Fangrui Song wrote:
>> The addresses of NOPs are collected in a section named __patchable_function_entries.
>> A __patchable_function_entries entry is relocated by a symbolic relocation (e.g. R_X86_64_64, R_AARCH64_ABS64, R_PPC64_ADDR64).
>> In -shared or -pie mode, the linker will create a dynamic relocation (non-preemptible: relative relocation (e.g. R_X86_64_RELATIVE);
>> preemptible: symbolic relocation (e.g. R_X86_64_64)).
>>
>> In either case, the section contents will be modified at runtime.
>> Thus, the section should have the SHF_WRITE flag to avoid text relocations (DF_TEXTREL).

pie/pic should either imply writable __patchable_function_entries,
or __patchable_function_entries should be documented to be offsets
from some base address in the module: the users of it have to modify
.text and do lowlevel hacks so they should be able to handle such
arithmetics.

i think it's worth opening a gcc bug report.

>> When -ffunction-sections is used, ideally GCC should emit one __patchable_function_entries (SHF_LINK_ORDER) per .text.foo .
>> If the corresponding .text.foo is discarded (--gc-sections, COMDAT, /DISCARD/), the linker can discard the associated
>> __patchable_function_entries. This can be seen as a lightweight COMDAT section group. (A section group adds an extra section and costs 3 words)
>> Currently lld (LLVM linker) has implemented such SHF_LINK_ORDER collecting features. GNU ld and gold don't have the features.
>>
>> I have summarized the feature requests in this post https://sourceware.org/ml/binutils/2019-11/msg00266.html
>>
>> gcc -fpatchable-function-entry=2 -ffunction-sections -c a.c
>>
>>  [ 4] .text.f0          PROGBITS        0000000000000000 000040 000009 00  AX  0   0  1
>>  ### No W flag
>>  ### One __patchable_function_entries instead of 3.
>>  [ 5] __patchable_function_entries PROGBITS        0000000000000000 000049 000018 00   A  0   0  1
>>  [ 6] .rela__patchable_function_entries RELA            0000000000000000 000280 000048 18   I 13   5  8
>>  [ 7] .text.f1          PROGBITS        0000000000000000 000061 000009 00  AX  0   0  1
>>  [ 8] .text.f2          PROGBITS        0000000000000000 00006a 000009 00  AX  0   0  1
> 
> Emitting a __patchable_function_entries for each function may waste
> object file sizes (64 bytes per function on ELF64). If zeros are
> allowed, emitting a single __patchable_function_entries should be fine.
> 
> If we do want to emit unique sections, the condition should be either
> -ffunction-sections or COMDAT is used.

again it's worth raising a gcc bug i think.

there is another known issue: aarch64 -mbranch-protect=bti
(and presumably x86_64 -fcf-protection=branch) has to add
landing pad at the begining of each indirectly called function
so the patchable nops can only come after that.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92424

no matter how this gets resolved i think this will require
documentation changes too.

__patchable_function_entries is flawed

[Fangrui Song]

On 2020-01-07, Szabolcs Nagy wrote:
>On 07/01/2020 07:25, Fangrui Song wrote:
>> On 2020-01-06, Fangrui Song wrote:
>>> The addresses of NOPs are collected in a section named __patchable_function_entries.
>>> A __patchable_function_entries entry is relocated by a symbolic relocation (e.g. R_X86_64_64, R_AARCH64_ABS64, R_PPC64_ADDR64).
>>> In -shared or -pie mode, the linker will create a dynamic relocation (non-preemptible: relative relocation (e.g. R_X86_64_RELATIVE);
>>> preemptible: symbolic relocation (e.g. R_X86_64_64)).
>>>
>>> In either case, the section contents will be modified at runtime.
>>> Thus, the section should have the SHF_WRITE flag to avoid text relocations (DF_TEXTREL).
>
>pie/pic should either imply writable __patchable_function_entries,
>or __patchable_function_entries should be documented to be offsets
>from some base address in the module: the users of it have to modify
>.text and do lowlevel hacks so they should be able to handle such
>arithmetics.
>
>i think it's worth opening a gcc bug report.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93194 patch posted to gcc-patches.

PC-relative relocation types (R_X86_64_64, R_AARCH64_PREL64,
R_PPC64_REL64) can avoid dynamic relocations, and avoid the need for
SHF_WRITE. Unfortunately, it seems we cannot re-interpret
__patchable_function_entries. I have found 2 other problems with the
current __patchable_function_entries. Perhaps we need a new design.


* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93197
   __patchable_function_entries will always be collected by --gc-sections
   (.tmp_vmlinux1 is not linked with --gc-sections, so it appears that
   the Linux kernel is not affected.)
   
   I think the solution requires a GNU ld and gold side fix:
   https://sourceware.org/bugzilla/show_bug.cgi?id=24526

   If you clang>=8, you can play with clang -fstack-size-section -c a.cc
   Basically I think __patchable_function_entry has to behave like .stack_sizes .

* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93195
   __patchable_function_entries should consider comdat groups.

   It can cause linker failures (GNU ld, gold and lld). It is fairly
   easy to trigger with C++ inline.
   (OK, the Linux kernel does not speak C++.)
   (Clang's function multi-versioning implementation uses comdat, even in
   C. I don't have an example with GCC. My GCC __attribute__((target(..))) is broken.)

The two issues make -fpatchable-function-entry useless for user
applications. I still hope we can make the solution more general, not
restricted to the Linux kernel. We've already implemented enough GCC
options for dynamic ftrace (with regs) and live patching: -mfentry
-mnop-mcount -mrecord-mcount -mhotpatch -fpatchable-function-entry.

FWIW I am working on a clang/llvm patch https://reviews.llvm.org/D72215
I have tried resolving these problems.
("o" (SHF_LINK_ORDER+sh_link) is not recognized by GNU as.)

Re: __patchable_function_entries is flawed

[Fangrui Song]

On 2020-01-08, Fangrui Song wrote:
>On 2020-01-07, Szabolcs Nagy wrote:
>>On 07/01/2020 07:25, Fangrui Song wrote:
>>>On 2020-01-06, Fangrui Song wrote:
>>>>The addresses of NOPs are collected in a section named __patchable_function_entries.
>>>>A __patchable_function_entries entry is relocated by a symbolic relocation (e.g. R_X86_64_64, R_AARCH64_ABS64, R_PPC64_ADDR64).
>>>>In -shared or -pie mode, the linker will create a dynamic relocation (non-preemptible: relative relocation (e.g. R_X86_64_RELATIVE);
>>>>preemptible: symbolic relocation (e.g. R_X86_64_64)).
>>>>
>>>>In either case, the section contents will be modified at runtime.
>>>>Thus, the section should have the SHF_WRITE flag to avoid text relocations (DF_TEXTREL).
>>
>>pie/pic should either imply writable __patchable_function_entries,
>>or __patchable_function_entries should be documented to be offsets
>>from some base address in the module: the users of it have to modify
>>.text and do lowlevel hacks so they should be able to handle such
>>arithmetics.
>>
>>i think it's worth opening a gcc bug report.
>
>https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93194 patch posted to gcc-patches.
>
>PC-relative relocation types (R_X86_64_64, R_AARCH64_PREL64,
>R_PPC64_REL64) can avoid dynamic relocations, and avoid the need for
>SHF_WRITE. Unfortunately, it seems we cannot re-interpret
>__patchable_function_entries. I have found 2 other problems with the
>current __patchable_function_entries. Perhaps we need a new design.
>
>
>* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93197
>  __patchable_function_entries will always be collected by --gc-sections
>  (.tmp_vmlinux1 is not linked with --gc-sections, so it appears that
>  the Linux kernel is not affected.)
>  I think the solution requires a GNU ld and gold side fix:
>  https://sourceware.org/bugzilla/show_bug.cgi?id=24526
>
>  If you clang>=8, you can play with clang -fstack-size-section -c a.cc
>  Basically I think __patchable_function_entry has to behave like .stack_sizes .
>
>* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93195
>  __patchable_function_entries should consider comdat groups.
>
>  It can cause linker failures (GNU ld, gold and lld). It is fairly
>  easy to trigger with C++ inline.
>  (OK, the Linux kernel does not speak C++.)
>  (Clang's function multi-versioning implementation uses comdat, even in
>  C. I don't have an example with GCC. My GCC __attribute__((target(..))) is broken.)
>
>The two issues make -fpatchable-function-entry useless for user
>applications. I still hope we can make the solution more general, not
>restricted to the Linux kernel. We've already implemented enough GCC
>options for dynamic ftrace (with regs) and live patching: -mfentry
>-mnop-mcount -mrecord-mcount -mhotpatch -fpatchable-function-entry.
>
>FWIW I am working on a clang/llvm patch https://reviews.llvm.org/D72215
>I have tried resolving these problems.
>("o" (SHF_LINK_ORDER+sh_link) is not recognized by GNU as.)

The LLVM 10.0 release branch is scheduled next week. I want to
contribute my clang -fpatchable-function-entry patches before that
(already approved), so that clang built Linux people can play with it
with Clang 10.0 .

Can we agree on the syntax of the new option before 2020-01-15?

We can reuse the option name, just overload the value by adding the
third argument, "pcrel":

-fpatchable-function-entry=2,0,pcrel

If "pcrel" is seen, GCC should emit the __patchable_function_entries
section which contains PC-relative addresses, instead of absolute
addresses. This is backward compatible.

   % stage1-gcc/xgcc -B stage1-gcc -fpatchable-function-entry=1,a -xc /dev/null
   cc1: error: invalid arguments for ‘-fpatchable_function_entry’

(OK, another bug: incorrect option name in the diagnostic.)

I can teach Clang to only recognize the pcrel form.


The function attribute does not need any change: __attribute__((patchable_function_entry(N,M)))

Re: __patchable_function_entries is flawed

[Fangrui Song]

On 2020-01-09, Fangrui Song wrote:
>On 2020-01-08, Fangrui Song wrote:
>>On 2020-01-07, Szabolcs Nagy wrote:
>>>On 07/01/2020 07:25, Fangrui Song wrote:
>>>>On 2020-01-06, Fangrui Song wrote:
>>>>>The addresses of NOPs are collected in a section named __patchable_function_entries.
>>>>>A __patchable_function_entries entry is relocated by a symbolic relocation (e.g. R_X86_64_64, R_AARCH64_ABS64, R_PPC64_ADDR64).
>>>>>In -shared or -pie mode, the linker will create a dynamic relocation (non-preemptible: relative relocation (e.g. R_X86_64_RELATIVE);
>>>>>preemptible: symbolic relocation (e.g. R_X86_64_64)).
>>>>>
>>>>>In either case, the section contents will be modified at runtime.
>>>>>Thus, the section should have the SHF_WRITE flag to avoid text relocations (DF_TEXTREL).
>>>
>>>pie/pic should either imply writable __patchable_function_entries,
>>>or __patchable_function_entries should be documented to be offsets
>>>from some base address in the module: the users of it have to modify
>>>.text and do lowlevel hacks so they should be able to handle such
>>>arithmetics.
>>>
>>>i think it's worth opening a gcc bug report.
>>
>>https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93194 patch posted to gcc-patches.
>>
>>PC-relative relocation types (R_X86_64_64, R_AARCH64_PREL64,
>>R_PPC64_REL64) can avoid dynamic relocations, and avoid the need for
>>SHF_WRITE. Unfortunately, it seems we cannot re-interpret
>>__patchable_function_entries. I have found 2 other problems with the
>>current __patchable_function_entries. Perhaps we need a new design.
>>
>>
>>* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93197
>> __patchable_function_entries will always be collected by --gc-sections
>> (.tmp_vmlinux1 is not linked with --gc-sections, so it appears that
>> the Linux kernel is not affected.)
>> I think the solution requires a GNU ld and gold side fix:
>> https://sourceware.org/bugzilla/show_bug.cgi?id=24526
>>
>> If you clang>=8, you can play with clang -fstack-size-section -c a.cc
>> Basically I think __patchable_function_entry has to behave like .stack_sizes .
>>
>>* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93195
>> __patchable_function_entries should consider comdat groups.
>>
>> It can cause linker failures (GNU ld, gold and lld). It is fairly
>> easy to trigger with C++ inline.
>> (OK, the Linux kernel does not speak C++.)
>> (Clang's function multi-versioning implementation uses comdat, even in
>> C. I don't have an example with GCC. My GCC __attribute__((target(..))) is broken.)
>>
>>The two issues make -fpatchable-function-entry useless for user
>>applications. I still hope we can make the solution more general, not
>>restricted to the Linux kernel. We've already implemented enough GCC
>>options for dynamic ftrace (with regs) and live patching: -mfentry
>>-mnop-mcount -mrecord-mcount -mhotpatch -fpatchable-function-entry.
>>
>>FWIW I am working on a clang/llvm patch https://reviews.llvm.org/D72215
>>I have tried resolving these problems.
>>("o" (SHF_LINK_ORDER+sh_link) is not recognized by GNU as.)
>
>The LLVM 10.0 release branch is scheduled next week. I want to
>contribute my clang -fpatchable-function-entry patches before that
>(already approved), so that clang built Linux people can play with it
>with Clang 10.0 .
>
>Can we agree on the syntax of the new option before 2020-01-15?
>
>We can reuse the option name, just overload the value by adding the
>third argument, "pcrel":
>
>-fpatchable-function-entry=2,0,pcrel
>
>If "pcrel" is seen, GCC should emit the __patchable_function_entries
>section which contains PC-relative addresses, instead of absolute
>addresses. This is backward compatible.
>
>  % stage1-gcc/xgcc -B stage1-gcc -fpatchable-function-entry=1,a -xc /dev/null
>  cc1: error: invalid arguments for ‘-fpatchable_function_entry’
>
>(OK, another bug: incorrect option name in the diagnostic.)
>
>I can teach Clang to only recognize the pcrel form.
>
>
>The function attribute does not need any change: __attribute__((patchable_function_entry(N,M)))

Some architectures do not have a PC-relative relocation type of pointer
size, e.g. MIPS has R_MIPS_PC32 (GNU extension) but not R_MIPS_PC64, and
.quad foo-. is not representable.

Making -fpatchable-function-entry=2,0 absolute by default is fine (I
will teach Clang to emit such __patchable_function_entries table). Just
wanted to mention that on most other architectures PC-relative is
better.