This is an archive of the discontinued LLVM Phabricator instance.

Differential D79743

[clang][asm goto][slh] Warn if asm goto + SLH
ClosedPublic

Authored by zbrid on May 11 2020, 1:35 PM.

Details

Reviewers
mattdr
rsmith
jyu2
craig.topper
Commits
rG60ee88599098: [clang][asm goto][slh] Warn if asm goto + SLH
Summary

Asm goto is not supported by SLH. Warn if an instance of asm goto is detected
while SLH is enabled.

Test included.

Diff Detail

Event Timeline

zbrid created this revision.May 11 2020, 1:35 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 11 2020, 1:35 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster failed remote builds in B56358: Diff 263266!May 11 2020, 3:08 PM
zbrid added reviewers: jyu2, craig.topper.May 13 2020, 10:52 AM
jyu2 added a comment.May 13 2020, 11:58 AM

Two questions:
1> What happen under SLH, will asm goto gets removed, or a runtime problem?
2> Should we emit error or warning in the Parser instead?

zbrid updated this revision to Diff 263819.May 13 2020, 12:18 PM

Update to fix failing test

zbrid added a comment.May 13 2020, 12:58 PM
In D79743#2034792, @jyu2 wrote:

Two questions:
1> What happen under SLH, will asm goto gets removed, or a runtime problem?
2> Should we emit error or warning in the Parser instead?

  1. SLH crashes with an unhelpful error message.
  2. I'd be happy to emit the warning in the Parser. Could you give me a pointer to where in the parser would be appropriate? I'm not super familiar with the clang codebase. Also why do you think the parser would be a better place? (Asking to learn since I'm new to this area)
jyu2 added a comment.May 13 2020, 1:43 PM
In D79743#2034945, @zbrid wrote:
In D79743#2034792, @jyu2 wrote:

Two questions:
1> What happen under SLH, will asm goto gets removed, or a runtime problem?
2> Should we emit error or warning in the Parser instead?

  1. SLH crashes with an unhelpful error message.
  2. I'd be happy to emit the warning in the Parser. Could you give me a pointer to where in the parser would be appropriate? I'm not super familiar with the clang codebase. Also why do you think the parser would be a better place? (Asking to learn since I'm new to this area)

Understand, no problem!
Do you mean runtime crash? If so, I think error should be emit, so that programmer can remove use of "asm goto" and recompile.

It to me, you can emit error somewhere in ParseAsmStatement when “goto” is parsed. Let me know if you have problem.

Harbormaster completed remote builds in B56649: Diff 263819.May 13 2020, 3:17 PM
mattdr added a comment.May 13 2020, 5:53 PM

Not sure we want to move this into the Parser -- SLH is a property of code generation, and I think it's possible (through LTO?) to mismatch the flags between parse and codegen.

mattdr added inline comments.May 13 2020, 6:16 PM
clang/include/clang/Basic/DiagnosticCommonKinds.td
251–252

I think at the UI level this feature is just called "asm goto" with no "GCC". See e.g. https://lists.llvm.org/pipermail/llvm-dev/2018-October/127239.html

Also, since this is a warning (vs. an error), we probably want to hint about the consequences of continuing despite the warning.

My attempt:
"Speculative load hardening may not fully protect functions with 'asm goto'"

252

I don't think we need to attach a DiagGroup to this. The goal would be to allow users to turn a bunch of different diagnostics on/off at once, which doesn't apply here yet.

If in the future we do need to add a DiagGroup, I think we would need to add it here before attaching it to specific warnings: https://github.com/llvm/llvm-project/blob/master/clang/include/clang/Basic/DiagnosticGroups.td

craig.topper added a comment.May 13 2020, 6:20 PM
In D79743#2035575, @mattdr wrote:

Not sure we want to move this into the Parser -- SLH is a property of code generation, and I think it's possible (through LTO?) to mismatch the flags between parse and codegen.

This is frontend code generation or "IR generation". So it should't be possible to mismatch the flags.

jyu2 added a comment.May 14 2020, 10:44 AM

I don’t know what consequences is of using asm goto under SLH.

In general, if asm-goto is not allowed, the diagnostic should be emitted during the parser. If asm-goto is not allowed under specified condition, the diagnostic should be emitted during sema. Diagnostic should not be emitted in the lower(codegen) in general (exception may be for target related).

zbrid marked 3 inline comments as done.May 18 2020, 1:07 PM

Do you mean runtime crash? If so, I think error should be emit, so that programmer can remove use of "asm goto" and recompile.

This would be a compile time crash. At some point the X86SpeculativeLoadHardening pass in the backend will notice asm goto is being used and give up. As far as I can tell it's hard to determine that asm goto was the root cause of that crash in the backend, so I want to emit it earlier in Clang. Does that make sense? Let me know if not :)

It to me, you can emit error somewhere in ParseAsmStatement when “goto” is parsed. Let me know if you have problem.

Thanks for the pointer! I'll send an update that emits at that point.

In D79743#2036814, @jyu2 wrote:

I don’t know what consequences is of using asm goto under SLH.

In general, if asm-goto is not allowed, the diagnostic should be emitted during the parser. If asm-goto is not allowed under specified condition, the diagnostic should be emitted during sema. Diagnostic should not be emitted in the lower(codegen) in general (exception may be for target related).

Ah okay. Asm goto isn't allowed with SLH in general, so sounds like this should be in the parser based on your comment here. Thanks for the explanation.

Thanks for the comments, everyone.

clang/include/clang/Basic/DiagnosticCommonKinds.td
251–252

I believe the DiagGroup is required for all new warnings (see: https://github.com/llvm/llvm-project/blob/master/clang/test/Misc/warning-flags.c) and I didn't notice one that fit this particular flag well. In addition I saw that adding a diag group in this way was used in the other places (like the warning right before the one I added), so I think this is an okay addition. If we add other slh related flags, we could perhaps generalize the diagnostic group to cover all those flags at that point.

Good points wrt the error message. I'll update it not to mention gcc and to explain what will happen if they use asm goto with SLH.

zbrid updated this revision to Diff 264740.May 18 2020, 3:57 PM
zbrid marked an inline comment as done.

Update to emit the warning in the parser

zbrid added a comment.May 18 2020, 3:59 PM

@jyu2 and @mattdr - updated to address your comments.

Harbormaster completed remote builds in B57136: Diff 264740.May 18 2020, 5:54 PM
jyu2 added a comment.May 19 2020, 11:58 AM

This looks good to me. Could you also add a test to use this new DiagGroup (-Wno-slh-asm-goto)?

Thanks.

Jennifer

zbrid updated this revision to Diff 265081.May 19 2020, 4:22 PM

Add test; Update command for existing test

Also rename file to match warning flag

zbrid added a comment.May 19 2020, 4:24 PM
In D79743#2044676, @jyu2 wrote:

This looks good to me. Could you also add a test to use this new DiagGroup (-Wno-slh-asm-goto)?

Thanks.

Jennifer

Done.

jyu2 accepted this revision.May 19 2020, 5:19 PM

LGTM. Please changed format for td file.

clang/include/clang/Basic/DiagnosticCommonKinds.td
250

Just need run clang-format:
def warn_slh_does_not_support_asm_goto

: Warning<"Speculative load hardening does not protect functions with "
          "asm goto">,
  InGroup<DiagGroup<"slh-asm-goto">>;
This revision is now accepted and ready to land.May 19 2020, 5:19 PM
Harbormaster completed remote builds in B57295: Diff 265081.May 19 2020, 6:11 PM
zbrid updated this revision to Diff 265282.May 20 2020, 9:43 AM

ClangFormat diagnostic definition

zbrid marked an inline comment as done.May 20 2020, 9:44 AM
Harbormaster failed remote builds in B57405: Diff 265282!May 20 2020, 9:50 AM
Closed by commit rG60ee88599098: [clang][asm goto][slh] Warn if asm goto + SLH (authored by zbrid). · Explain WhyMay 20 2020, 9:50 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
Basic/
5 lines
lib/
Parse/
3 lines
test/
Parser/
5 lines
5 lines

Diff 265287

clang/include/clang/Basic/DiagnosticCommonKinds.td

Show First 20 LinesShow All 240 Lines▼ Show 20 Lines def err_asm_invalid_type_in_input : Error<
"invalid type %0 in asm input for constraint '%1'">; "invalid type %0 in asm input for constraint '%1'">;
def err_asm_invalid_type : Error< def err_asm_invalid_type : Error<
"invalid type %0 in asm %select{input|output}1">; "invalid type %0 in asm %select{input|output}1">;
def warn_stack_clash_protection_inline_asm : Warning< def warn_stack_clash_protection_inline_asm : Warning<
"Unable to protect inline asm that clobbers stack pointer against stack clash">, "Unable to protect inline asm that clobbers stack pointer against stack clash">,
InGroup<DiagGroup<"stack-protector">>; InGroup<DiagGroup<"stack-protector">>;
def warn_slh_does_not_support_asm_goto
jyu2Unsubmitted
Done
ReplyInline Actions

Just need run clang-format:
def warn_slh_does_not_support_asm_goto

: Warning<"Speculative load hardening does not protect functions with "
          "asm goto">,
  InGroup<DiagGroup<"slh-asm-goto">>;
jyu2: Just need run clang-format: def warn_slh_does_not_support_asm_goto : Warning<"Speculative…
: Warning<"Speculative load hardening does not protect functions with "
"asm goto">,
mattdrUnsubmitted
Done
ReplyInline Actions

I think at the UI level this feature is just called "asm goto" with no "GCC". See e.g. https://lists.llvm.org/pipermail/llvm-dev/2018-October/127239.html

Also, since this is a warning (vs. an error), we probably want to hint about the consequences of continuing despite the warning.

My attempt:
"Speculative load hardening may not fully protect functions with 'asm goto'"

mattdr: I think at the UI level this feature is just called "asm goto" with no "GCC". See e.g. https…
zbridAuthorUnsubmitted
Done
ReplyInline Actions

I believe the DiagGroup is required for all new warnings (see: https://github.com/llvm/llvm-project/blob/master/clang/test/Misc/warning-flags.c) and I didn't notice one that fit this particular flag well. In addition I saw that adding a diag group in this way was used in the other places (like the warning right before the one I added), so I think this is an okay addition. If we add other slh related flags, we could perhaps generalize the diagnostic group to cover all those flags at that point.

Good points wrt the error message. I'll update it not to mention gcc and to explain what will happen if they use asm goto with SLH.

zbrid: I believe the DiagGroup is required for all new warnings (see: https://github.com/llvm/llvm…
mattdrUnsubmitted
Done
ReplyInline Actions

I don't think we need to attach a DiagGroup to this. The goal would be to allow users to turn a bunch of different diagnostics on/off at once, which doesn't apply here yet.

If in the future we do need to add a DiagGroup, I think we would need to add it here before attaching it to specific warnings: https://github.com/llvm/llvm-project/blob/master/clang/include/clang/Basic/DiagnosticGroups.td

mattdr: I don't think we need to attach a `DiagGroup` to this. The goal would be to allow users to turn…
InGroup<DiagGroup<"slh-asm-goto">>;
} }
// Sema && Serialization // Sema && Serialization
def warn_dup_category_def : Warning< def warn_dup_category_def : Warning<
"duplicate definition of category %1 on interface %0">; "duplicate definition of category %1 on interface %0">;
// Targets // Targets
▲ Show 20 LinesShow All 83 LinesShow Last 20 Lines

clang/lib/Parse/ParseStmtAsm.cpp

Show First 20 LinesShow All 723 Lines▼ Show 20 Lines if (getLangOpts().AsmBlocks && !isGCCAsmStatement(Tok)) {
return ParseMicrosoftAsmStatement(AsmLoc); return ParseMicrosoftAsmStatement(AsmLoc);
} }
SourceLocation Loc = Tok.getLocation(); SourceLocation Loc = Tok.getLocation();
GNUAsmQualifiers GAQ; GNUAsmQualifiers GAQ;
if (parseGNUAsmQualifierListOpt(GAQ)) if (parseGNUAsmQualifierListOpt(GAQ))
return StmtError(); return StmtError();
if (GAQ.isGoto() && getLangOpts().SpeculativeLoadHardening)
Diag(Loc, diag::warn_slh_does_not_support_asm_goto);
BalancedDelimiterTracker T(*this, tok::l_paren); BalancedDelimiterTracker T(*this, tok::l_paren);
T.consumeOpen(); T.consumeOpen();
ExprResult AsmString(ParseAsmStringLiteral(/*ForAsmLabel*/ false)); ExprResult AsmString(ParseAsmStringLiteral(/*ForAsmLabel*/ false));
// Check if GNU-style InlineAsm is disabled. // Check if GNU-style InlineAsm is disabled.
// Error on anything other than empty string. // Error on anything other than empty string.
if (!(getLangOpts().GNUAsm || AsmString.isInvalid())) { if (!(getLangOpts().GNUAsm || AsmString.isInvalid())) {
▲ Show 20 LinesShow All 218 LinesShow Last 20 Lines

clang/test/Parser/slh-asm-goto-no-warn.cpp

  • This file was added.
// RUN: %clang_cc1 -Wno-slh-asm-goto -mspeculative-load-hardening -fsyntax-only -verify %s
void f() {
__asm goto("movl %ecx, %edx"); // expected-no-diagnostics
}

clang/test/Parser/slh-asm-goto.cpp

  • This file was added.
// RUN: %clang_cc1 -mspeculative-load-hardening -fsyntax-only -verify %s
void f() {
__asm goto("movl %ecx, %edx"); // expected-warning {{Speculative load hardening does not protect functions with asm goto}}
}