From: Alexandre Oliva Date: Thu, 8 Sep 2022 02:49:58 +0000 (-0300) Subject: ada: hardened conditionals: exemplify codegen changes X-Git-Tag: basepoints/gcc-14~4086 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a93fd547bacd1bab37290f9f3c44ef3ddf334287;p=thirdparty%2Fgcc.git ada: hardened conditionals: exemplify codegen changes gcc/ada/ * doc/gnat_rm/security_hardening_features.rst: Add examples of codegen changes in hardened conditionals. * gnat_rm.texi: Regenerate. --- diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst index d8ea849c032a..d7c02b94f36d 100644 --- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst +++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst @@ -203,11 +203,58 @@ activated by a separate command-line option. The option :switch:`-fharden-compares` enables hardening of compares that compute results stored in variables, adding verification that the -reversed compare yields the opposite result. +reversed compare yields the opposite result, turning: + +.. code-block:: ada + + B := X = Y; + + +into: + +.. code-block:: ada + + B := X = Y; + declare + NotB : Boolean := X /= Y; -- Computed independently of B. + begin + if B = NotB then + <__builtin_trap>; + end if; + end; + The option :switch:`-fharden-conditional-branches` enables hardening of compares that guard conditional branches, adding verification of -the reversed compare to both execution paths. +the reversed compare to both execution paths, turning: + +.. code-block:: ada + + if X = Y then + X := Z + 1; + else + Y := Z - 1; + end if; + + +into: + +.. code-block:: ada + + if X = Y then + if X /= Y then -- Computed independently of X = Y. + <__builtin_trap>; + end if; + X := Z + 1; + else + if X /= Y then -- Computed independently of X = Y. + null; + else + <__builtin_trap>; + end if; + Y := Z - 1; + end if; + These transformations are introduced late in the compilation pipeline, long after boolean expressions are decomposed into separate compares, diff --git a/gcc/ada/gnat_rm.texi b/gcc/ada/gnat_rm.texi index dad0092713e7..e13dba037ffd 100644 --- a/gcc/ada/gnat_rm.texi +++ b/gcc/ada/gnat_rm.texi @@ -28858,11 +28858,54 @@ activated by a separate command-line option. The option @code{-fharden-compares} enables hardening of compares that compute results stored in variables, adding verification that the -reversed compare yields the opposite result. +reversed compare yields the opposite result, turning: + +@example +B := X = Y; +@end example + +into: + +@example +B := X = Y; +declare + NotB : Boolean := X /= Y; -- Computed independently of B. +begin + if B = NotB then + <__builtin_trap>; + end if; +end; +@end example The option @code{-fharden-conditional-branches} enables hardening of compares that guard conditional branches, adding verification of -the reversed compare to both execution paths. +the reversed compare to both execution paths, turning: + +@example +if X = Y then + X := Z + 1; +else + Y := Z - 1; +end if; +@end example + +into: + +@example +if X = Y then + if X /= Y then -- Computed independently of X = Y. + <__builtin_trap>; + end if; + X := Z + 1; +else + if X /= Y then -- Computed independently of X = Y. + null; + else + <__builtin_trap>; + end if; + Y := Z - 1; +end if; +@end example These transformations are introduced late in the compilation pipeline, long after boolean expressions are decomposed into separate compares,