RFC: Add GNU_PROPERTY_UINT32_AND_XXX/GNU_PROPERTY_UINT32_OR_XXX

Fangrui Song i@maskray.me
Sat Apr 17 18:25:55 GMT 2021


On 2021-04-17, H.J. Lu wrote:
>On Thu, Jan 21, 2021 at 1:42 PM Fangrui Song <i@maskray.me> wrote:
>>
>> On 2021-01-21, H.J. Lu via Gnu-gabi wrote:
>> >On Wed, Jan 13, 2021 at 9:06 AM H.J. Lu <hjl.tools@gmail.com> wrote:
>> >>
>> >> 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
>> >>
>> >>  #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
>> >>  #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
>> >>
>> >> A bit in the output pr_data field is set only if it is set in all
>> >> relocatable input pr_data fields.  If all bits in the output
>> >> pr_data field are zero, this property should be removed from output.
>> >>
>> >> If the bit is 1, all input relocatables have the feature.  If the
>> >> bit is 0 or the property is missing, the info is unknown.
>> >>
>> >> 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
>> >>
>> >>  #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
>> >>  #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
>> >>
>> >> A bit in the output pr_data field is set if it is set in any
>> >> relocatable input pr_data fields. If all bits in the output
>> >> pr_data field are zero, this property should be removed from output.
>> >>
>> >> If the bit is 1, some input relocatables have the feature.  If the
>> >> bit is 0 or the property is missing, the info is unknown.
>> >>
>> >> The PDF is at
>> >>
>> >> https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
>> >>
>> >> --
>> >> H.J.
>> >
>> >Here is the binutils patch to implement it.
>> >
>> >--
>> >H.J.
>>
>> Hi, H.J.
>>
>> Thank you for CCing llvm-dev:) In the past various GNU ABI proposals
>> went unnoticed by LLVM folks who don't happen to subscribe to GNU lists.
>> (A lot! I personally subscribe to some lists and check the discussion
>> just in case I miss something important:) )
>>
>> I have researched a bit and observed that the following GNU_PROPERTY
>> values are currently used by compilers/linkers:
>>
>> Bitwise OR for relocatable links. Bitwise AND for executable/shared
>> object links.
>>
>> * GNU_PROPERTY_X86_FEATURE_1_AND = GNU_PROPERTY_X86_UINT32_AND_LO + 0,
>>   used by Intel Indirect branch tracking and Shadow Stack
>> * GNU_PROPERTY_AARCH64_FEATURE_1_AND, used by AArch64 Branch Target
>>   Identification and Pointer Authentication
>>
>> Bitwise OR for all links.
>>
>> * GNU_PROPERTY_X86_ISA_1_NEEDED = GNU_PROPERTY_X86_UINT32_OR_LO + 2,
>>   used by GCC -mneeded (for -march=x86-64-v[234])
>>
>> There appear to be another type of AND/OR bits which are not defined in
>> ABIs (AFAICT):
>>
>> * GNU_PROPERTY_X86_ISA_1_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO + 2
>> * GNU_PROPERTY_X86_FEATURE_2_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO +
>>   1
>
>I have no use for these operations for generic targets.
>
>>
>> I think generalizing the AND/OR idea to all architectures probably
>> requires us to think about these questions:
>>
>> * What's the impending usage of the generic AND/OR ranges? ifunc? :)
>
>I'd like to add GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION:
>
>https://groups.google.com/g/x86-64-abi/c/DRvKxJ1AH3Q
>
>> * Does the concept generalize well to other architectures? If we
>
>It should work for GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION.
>
>>   consider AArch64/x86 FEATURE_1_AND to be the same thing, the current
>>   usage is purely x86 specific.
>> * Is AND/OR encoding expressive enough to represent the required states?
>
>For GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION, yes.
>
>> * I've asked two folks and they expressed concerns. I think the three
>>   AND/OR usage above speak for themselves.
>> * Szabolcs Nagy mentioned that GNU_PROPERTY is an OS-specific mechanism
>>   (GNU), but the features are oftentimes arch specific which make sense
>>   to other OSes or bare-metal.
>> * Szabolcs: Do we need any versioning mechanism?
>>
>> The feature selection and compatibility checking mechanism has some
>> overlap with GNU/arch-specific attributes (e.g .ARM.attributes,
>> .riscv.attributes).  If I understand correctly, GNU_PROPERTY has an
>> associated program header so it can be checked by loaders
>> (kernel/ld.so/emulator) while Attributes don't have program headers so
>> they are largely assembler/linker protocols. In an inflexible way that
>> such feature bits can affect observable states to loaders as well, e.g.
>> .ARM.attributes can affect e_flags (soft/hard float).  .MIPS.abiflags
>> has an associated program header PT_MIPS_ABIFLAGS (I know nearly nothing
>> about mips) Some thoughts from mips folks would be useful.
>>
>> Last, I think a feature selection and compatibility checking mechanism
>> is assuredly useful, but whether the current AND/OR scheme can perfectly
>> satisfy that goal I am unsure. Having the proposal is a very good start,
>> though:) Thanks a lot for driving the discussion:)
>
>My current ultimate goal is GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION
>with a compiler option, -fsingle-global-definition:
>
>1. All accesses to protected definitions are local access.
>2. In executable, all accesses to defined symbols are local access.

For other folks,
I think
https://maskray.me/blog/2021-01-09-copy-relocations-canonical-plt-entries-and-protected#protected-data-symbols-and-copy-relocations
has summarized the current toolchain state and answered these questions.

clang always emits local access for protected definitions so there
should be no change.
gcc does use GOT for protected data symbols but the scheme only works on
i386 and x86-64.
(arm and aarch64 have glibc support but no binutils support IIUC).
ld.lld always errors for copy relocations on protected data, and it will
continue doing so, like gold (https://sourceware.org/bugzilla/show_bug.cgi?id=19823)

So on the clang side, there is no needed change.


On the GCC side, switching to local access for protected data symbols
technically changes the behavior for i386 and x86-64 and might be considered an
ABI change. But I'd argue that that does not matter because of three reasons:

* clang i386 and x86-64 always emits local access for protected definitions
* protected data+copy relocations never work on non-x86. (glibc has support for arm/aarch64 but binutils doesn't support it)
* gold never supports protected data+copy relocations, even for x86 (https://sourceware.org/bugzilla/show_bug.cgi?id=19823)

So if there is breakage (if any..), it must be x86 specific code using
protected definitions, only built with gcc, not caring about traditional
behavior (<~2015 or 2016), never supporting non-x86 architectures, only
linkable with GNU ld (not gold), never supporting libc other than glibc.

OK, I cannot even imagine who is doing this:)

My blog post has mentioned what'd be great if gcc does:

* GCC: add -f[no-]direct-access-external-data.
* GCC: drop HAVE_LD_PIE_COPYRELOC in favor of -f[no-]direct-access-external-data.
* GCC x86-64: default to GOT indirection for external data symbols in -fpie mode.
* GCC or GNU as i386: emit R_386_PLT32 for branches to undefined function symbols.
* GNU ld x86: disallow copy relocations on protected data symbols. (I think canonical PLT entries on protected symbols have been disallowed.)
* GCC aarch64/arm/x86/...: allow direct access relocations on protected symbols in -fpic mode.
* GNU ld aarch64/x86: allow direct access relocations on protected data symbols in -shared mode.

I can understand that some GCC folks may like
-f[no-]direct-access-external-data.  That doesn't matter: just ignore
-f[no-]direct-access-external-data (which gives the user a choice) and do the
rest.

>3. All global function pointers, whose function bodies aren't
>locally defined, must use GOT.

This should be the case for -fpie and -fpic.

For -fno-pic, some users may want direct access and I think the compiler should
give users a choice for compatibility.

clang -fno-pic -fdirect-access-external-data (in -fno-pic mode,
-fdirect-access-external-data is the default) does this perfectly.  I know some
GCC folks may not like the idea that the option name does not talk about
function pointers....  That is unfortunate.

>4. All read/write accesses to symbols, which aren't locally defined,
>must use GOT.

Ditto.

>5. Branches to undefined symbols may use PLT.

This has always been the case for most non-x86 architectures.
For x86-64, the 2018 R_X86_64_PLT32 switch made this true.

There is just a disagreement for R_386_PC32/R_386_PLT32 due to an ifunc
diagnostic (which I think is not a big deal). Since i386 is becoming
more and more irrelevant, this can be left unresolved. If you want to
switch to R_386_PLT32, that'd certainly be great news to me:)

>GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION will be enforced
>by assembler, linker and ld.so.

With the above, I think we won't break code without introducing a new
gnu property.  It is just that GCC/GNU ld need to take some actions
which reflect traditional/non-x86 behaviors.
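
The AND/OR merge rule quoted at the top of the thread, as an added example that is not part of the original message and is not binutils or lld code. The struct and function names are hypothetical, and treating an input with no property as contributing no set bits is an assumption; under it, a single unmarked object clears an AND bit such as those in the FEATURE_1_AND properties listed above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Ranges as defined in the quoted proposal. */
#define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
#define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
#define GNU_PROPERTY_UINT32_OR_LO  0xb0008000
#define GNU_PROPERTY_UINT32_OR_HI  0xb000ffff

/* Hypothetical view of one relocatable input: present == 0 means the
   file carries no property of the type being merged. */
struct input_prop { int present; uint32_t pr_data; };

/* Merge one pr_type across n inputs. Returns 1 and stores the output
   pr_data when the property is kept; returns 0 when it is removed from
   the output (all bits zero) or pr_type lies outside both ranges. */
int merge_uint32_prop(uint32_t pr_type, const struct input_prop *in,
                      size_t n, uint32_t *out)
{
    int is_and = pr_type >= GNU_PROPERTY_UINT32_AND_LO &&
                 pr_type <= GNU_PROPERTY_UINT32_AND_HI;
    int is_or  = pr_type >= GNU_PROPERTY_UINT32_OR_LO &&
                 pr_type <= GNU_PROPERTY_UINT32_OR_HI;
    if ((!is_and && !is_or) || n == 0)
        return 0;

    uint32_t acc = is_and ? UINT32_MAX : 0;
    for (size_t i = 0; i < n; i++) {
        /* Assumption: a missing property contributes no set bits. */
        uint32_t bits = in[i].present ? in[i].pr_data : 0;
        acc = is_and ? (acc & bits) : (acc | bits);
    }
    if (acc == 0)
        return 0;          /* "should be removed from output" */
    *out = acc;
    return 1;
}

int main(void)
{
    /* Constructed inputs: two marked objects and one with no property. */
    struct input_prop objs[] = { {1, 0x3}, {1, 0x1}, {0, 0} };
    uint32_t v = 0;
    int kept = merge_uint32_prop(GNU_PROPERTY_UINT32_AND_LO, objs, 3, &v);
    printf("AND: kept=%d\n", kept);
    kept = merge_uint32_prop(GNU_PROPERTY_UINT32_OR_LO, objs, 3, &v);
    printf("OR:  kept=%d pr_data=0x%x\n", kept, (unsigned)v);
    return 0;
}
```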

