be178ecd5a
Instructions following RET or BR are not necessarily executed. In order to avoid speculation past RET and BR we can simply append a speculation barrier. Since these speculation barriers will not be architecturally executed, they are not expected to add a high performance penalty. The speculation barrier is to be SB when targeting architectures which have this enabled, and DSB SY + ISB otherwise. We add tests for each of the cases where such an instruction was seen. This is implemented by modifying each machine description pattern that emits either a RET or a BR instruction. We choose not to use something like `TARGET_ASM_FUNCTION_EPILOGUE` since it does not affect the `indirect_jump`, `jump`, `sibcall_insn` and `sibcall_value_insn` patterns and we find it preferable to implement the functionality in the same way for every pattern. There is one particular case which is slightly tricky. The implementation of TARGET_ASM_TRAMPOLINE_TEMPLATE uses a BR which needs to be mitigated against. The trampoline template is used *once* per compilation unit, and the TRAMPOLINE_SIZE is exposed to the user via the builtin macro __LIBGCC_TRAMPOLINE_SIZE__. In the future we may implement function specific attributes to turn on and off hardening on a per-function basis. The fixed nature of the trampoline described above implies it will be safer to ensure this speculation barrier is always used. Testing: Bootstrap and regtest done on aarch64-none-linux Used a temporary hack(1) to use these options on every test in the testsuite and a script to check that the output never emitted an unmitigated RET or BR. 1) Temporary hack was a change to the testsuite to always use `-save-temps` and run a script on the assembly output of those compilations which produced one to ensure every RET or BR is immediately followed by a speculation barrier. gcc/ChangeLog: * config/aarch64/aarch64-protos.h (aarch64_sls_barrier): New. * config/aarch64/aarch64.c (aarch64_output_casesi): Emit speculation barrier after BR instruction if needs be. (aarch64_trampoline_init): Handle ptr_mode value & adjust size of code copied. (aarch64_sls_barrier): New. (aarch64_asm_trampoline_template): Add needed barriers. * config/aarch64/aarch64.h (AARCH64_ISA_SB): New. (TARGET_SB): New. (TRAMPOLINE_SIZE): Account for barrier. * config/aarch64/aarch64.md (indirect_jump, *casesi_dispatch, simple_return, *do_return, *sibcall_insn, *sibcall_value_insn): Emit barrier if needs be, also account for possible barrier using "sls_length" attribute. (sls_length): New attribute. (length): Determine default using any non-default sls_length value. gcc/testsuite/ChangeLog: * gcc.target/aarch64/sls-mitigation/sls-miti-retbr.c: New test. * gcc.target/aarch64/sls-mitigation/sls-miti-retbr-pacret.c: New test. * gcc.target/aarch64/sls-mitigation/sls-mitigation.exp: New file. * lib/target-supports.exp (check_effective_target_aarch64_asm_sb_ok): New proc. |
||
|---|---|---|
| config | ||
| contrib | ||
| fixincludes | ||
| gcc | ||
| gnattools | ||
| gotools | ||
| include | ||
| INSTALL | ||
| intl | ||
| libada | ||
| libatomic | ||
| libbacktrace | ||
| libcc1 | ||
| libcpp | ||
| libdecnumber | ||
| libffi | ||
| libgcc | ||
| libgfortran | ||
| libgo | ||
| libgomp | ||
| libhsail-rt | ||
| libiberty | ||
| libitm | ||
| libobjc | ||
| liboffloadmic | ||
| libphobos | ||
| libquadmath | ||
| libsanitizer | ||
| libssp | ||
| libstdc++-v3 | ||
| libvtv | ||
| lto-plugin | ||
| maintainer-scripts | ||
| zlib | ||
| .dir-locals.el | ||
| .gitattributes | ||
| .gitignore | ||
| ABOUT-NLS | ||
| ar-lib | ||
| ChangeLog | ||
| ChangeLog.jit | ||
| ChangeLog.tree-ssa | ||
| compile | ||
| config-ml.in | ||
| config.guess | ||
| config.rpath | ||
| config.sub | ||
| configure | ||
| configure.ac | ||
| COPYING | ||
| COPYING3 | ||
| COPYING3.LIB | ||
| COPYING.LIB | ||
| COPYING.RUNTIME | ||
| depcomp | ||
| install-sh | ||
| libtool-ldflags | ||
| libtool.m4 | ||
| lt~obsolete.m4 | ||
| ltgcc.m4 | ||
| ltmain.sh | ||
| ltoptions.m4 | ||
| ltsugar.m4 | ||
| ltversion.m4 | ||
| MAINTAINERS | ||
| Makefile.def | ||
| Makefile.in | ||
| Makefile.tpl | ||
| missing | ||
| mkdep | ||
| mkinstalldirs | ||
| move-if-change | ||
| multilib.am | ||
| README | ||
| symlink-tree | ||
| test-driver | ||
| ylwrap | ||
This directory contains the GNU Compiler Collection (GCC). The GNU Compiler Collection is free software. See the files whose names start with COPYING for copying permission. The manuals, and some of the runtime libraries, are under different terms; see the individual source files for details. The directory INSTALL contains copies of the installation information as HTML and plain text. The source of this information is gcc/doc/install.texi. The installation information includes details of what is included in the GCC sources and what files GCC installs. See the file gcc/doc/gcc.texi (together with other files that it includes) for usage and porting information. An online readable version of the manual is in the files gcc/doc/gcc.info*. See http://gcc.gnu.org/bugs/ for how to report bugs usefully. Copyright years on GCC source files may be listed using range notation, e.g., 1987-2012, indicating that every year in the range, inclusive, is a copyrightable year that could otherwise be listed individually.