From: Alexandre Oliva Date: Wed, 23 Feb 2022 15:57:15 +0000 (-0300) Subject: [Ada] Extend hardcfr testing (documentation) X-Git-Tag: basepoints/gcc-14~6799 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8150f295ec3b9b147c1355d136609c8226300375;p=thirdparty%2Fgcc.git [Ada] Extend hardcfr testing (documentation) Having realized that noreturn calls of __builtin_return are special, and other noreturn calls don't get edges to the exit block, I've realized the consequences of the logic to insert checking before noreturn and tail calls were not quite what I'd expected before. Specifically, noreturn calls other than __builtin_return don't get any checking whatsoever. Moreover, optional tail calls are only detected long after hardcfr; the logic should work for must-tail calls, but there doesn't seem to be a way to test it. Documentation has been simplified so as to remove mention of these possibilities, that can't really be relied on. gcc/ada/ * doc/gnat_rm/security_hardening_features.rst (Control Flow Redundancy): Drop mentions of noreturn and tail calls. * gnat_rm.texi: Regenerate. --- diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst index fc29ffdedcd..8c4c1f64a4e 100644 --- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst +++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst 
@@ -232,22 +232,13 @@ instrumentation. For each block that is marked as visited, the mechanism checks that at least one of its predecessors, and at least one of its successors, are -also marked as visited. Verification is normally performed just -before return, but when a nonreturning call or a tail-call opportunity -is detected, verification is moved before that (presumed) final call. - -If an exception from a nonreturning call is handled by its caller, -verification at the caller may run again if another verification point -is reached. The additional verifications are desirable and benign. - -Conversely, since no verification is inserted before calls that are -expected to return, if they never do, the caller's own -verification-and-return points are never reached. - -Subprogram executions that complete by raising or propagating an -exception also bypass verification-and-return points. A subprogram -that can only complete by raising or propagating an exception may have -instrumentation disabled altogether. +also marked as visited. + +Verification is performed just before returning. Subprogram +executions that complete by raising or propagating an exception bypass +verification-and-return points. A subprogram that can only complete +by raising or propagating an exception may have instrumentation +disabled altogether. The instrumentation for hardening with control flow redundancy can be observed in dump files generated by the command-line option diff --git a/gcc/ada/gnat_rm.texi b/gcc/ada/gnat_rm.texi index 8997f6352db..c5a87793494 100644 --- a/gcc/ada/gnat_rm.texi +++ b/gcc/ada/gnat_rm.texi 
@@ -29084,22 +29084,13 @@ instrumentation. For each block that is marked as visited, the mechanism checks that at least one of its predecessors, and at least one of its successors, are -also marked as visited. Verification is normally performed just -before return, but when a nonreturning call or a tail-call opportunity -is detected, verification is moved before that (presumed) final call. - -If an exception from a nonreturning call is handled by its caller, -verification at the caller may run again if another verification point -is reached. The additional verifications are desirable and benign. - -Conversely, since no verification is inserted before calls that are -expected to return, if they never do, the caller’s own -verification-and-return points are never reached. - -Subprogram executions that complete by raising or propagating an -exception also bypass verification-and-return points. A subprogram -that can only complete by raising or propagating an exception may have -instrumentation disabled altogether. +also marked as visited. + +Verification is performed just before returning. Subprogram +executions that complete by raising or propagating an exception bypass +verification-and-return points. A subprogram that can only complete +by raising or propagating an exception may have instrumentation +disabled altogether. The instrumentation for hardening with control flow redundancy can be observed in dump files generated by the command-line option
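Review bot: in the security_hardening_features.rst hunk, the new paragraph only names exception propagation as the way a subprogram execution bypasses the verification-and-return point, but the commit message above states that noreturn calls other than __builtin_return "don't get any checking whatsoever", so an execution that ends in a call that never returns also bypasses verification and the reader should be told so. Suggest extending the second sentence along the lines of "Subprogram executions that complete by raising or propagating an exception, or by calling a subprogram that does not return, bypass verification-and-return points." While here, "may have instrumentation disabled altogether" leaves open whether this is guaranteed or merely permitted; a short qualifier such as "is considered for having" or "is not instrumented when" would tell users whether they can rely on that function being unchecked.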
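Review bot: nothing to change in the gnat_rm.texi hunk; it is the regenerated copy of the .rst edit and matches it line for line, which is what the ChangeLog entry ("Regenerate") calls for. The only textual difference from the .rst source is the typographic apostrophe in the removed line "the caller’s own", which is generator output, so no hand edits are hidden in this hunk. Whatever wording is settled on for the .rst paragraph (in particular if non-returning calls are mentioned) needs a fresh regeneration here rather than a manual touch-up.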