[lld] 4286f4d - [AArch64][GCS][LLD] Introduce -zgcs-report-dynamic Command Line Option (#127787)
via llvm-commits
llvm-commits at lists.llvm.org
Sat Mar 15 18:15:09 PDT 2025
Author: Jack Styles
Date: 2025-03-15T18:15:05-07:00
New Revision: 4286f4dccee9140eef3ef7d059619eaab73fc392
URL: https://github.com/llvm/llvm-project/commit/4286f4dccee9140eef3ef7d059619eaab73fc392
DIFF: https://github.com/llvm/llvm-project/commit/4286f4dccee9140eef3ef7d059619eaab73fc392.diff
LOG: [AArch64][GCS][LLD] Introduce -zgcs-report-dynamic Command Line Option (#127787)
When GCS was introduced to LLD, the gcs-report option allowed for a user
to gain information relating to if their relocatable objects supported
the feature. For an executable or shared-library to support GCS, all
relocatable objects must declare that they support GCS.
The gcs-report checks were only done on relocatable object files,
however for a program to enable GCS, the executable and all shared
libraries that it loads must enable GCS. gcs-report-dynamic enables
checks to be performed on all shared objects loaded by LLD, and in cases
where GCS is not supported, a warning or error will be emitted.
It should be noted that only shared files directly passed to LLD are
checked for GCS support. Files that are noted in the `DT_NEEDED` tags
are assumed to have had their GCS support checked when they were
created.
The behaviour of the -zgcs-dynamic-report option matches that of GNU ld.
The behaviour is as follows unless the user explicitly sets the value:
* -zgcs-report=warning or -zgcs-report=error implies
-zgcs-report-dynamic=warning.
This approach avoids inheriting an error level if the user wishes to
continue building a module without rebuilding all the shared libraries.
The same approach was taken for the GNU ld linker, so behaviour is
identical across the toolchains.
This implementation matches the error message and command line interface
used within the GNU ld Linker. See here:
https://github.com/bminor/binutils-gdb/commit/724a8341f6491283cf90038260c83a454b7268ef
To support this option being introduced, two other changes are included
as part of this PR. The first converts the -zgcs-report option to
utilise an Enum, opposed to StringRef values. This enables easier
tracking of the value the user defines when inheriting the value for the
gas-report-dynamic option. The second is to parse the Dynamic Objects
program headers to locate the GNU Attribute flag that shows GCS is
supported. This is needed so, when using the gcs-report-dynamic option,
LLD can correctly determine if a dynamic object supports GCS.
---------
Co-authored-by: Fangrui Song <i at maskray.me>
Added:
Modified:
lld/ELF/Config.h
lld/ELF/Driver.cpp
lld/ELF/InputFiles.cpp
lld/ELF/InputFiles.h
lld/docs/ReleaseNotes.rst
lld/test/ELF/aarch64-feature-gcs.s
Removed:
################################################################################
diff --git a/lld/ELF/Config.h b/lld/ELF/Config.h
index d14faca31d58f..e07c7dd4ca1b6 100644
--- a/lld/ELF/Config.h
+++ b/lld/ELF/Config.h
@@ -232,6 +232,7 @@ struct Config {
ReportPolicy zCetReport = ReportPolicy::None;
ReportPolicy zPauthReport = ReportPolicy::None;
ReportPolicy zGcsReport = ReportPolicy::None;
+ ReportPolicy zGcsReportDynamic = ReportPolicy::None;
ReportPolicy zExecuteOnlyReport = ReportPolicy::None;
bool ltoBBAddrMap;
llvm::StringRef ltoBasicBlockSections;
diff --git a/lld/ELF/Driver.cpp b/lld/ELF/Driver.cpp
index 18f9fed0d08e2..3e7e05746483a 100644
--- a/lld/ELF/Driver.cpp
+++ b/lld/ELF/Driver.cpp
@@ -56,13 +56,13 @@
#include "llvm/Object/IRObjectFile.h"
#include "llvm/Remarks/HotnessThresholdParser.h"
#include "llvm/Support/CommandLine.h"
-#include "llvm/Support/SaveAndRestore.h"
#include "llvm/Support/Compression.h"
#include "llvm/Support/FileSystem.h"
#include "llvm/Support/GlobPattern.h"
#include "llvm/Support/LEB128.h"
#include "llvm/Support/Parallel.h"
#include "llvm/Support/Path.h"
+#include "llvm/Support/SaveAndRestore.h"
#include "llvm/Support/TarWriter.h"
#include "llvm/Support/TargetSelect.h"
#include "llvm/Support/TimeProfiler.h"
@@ -402,6 +402,8 @@ static void checkOptions(Ctx &ctx) {
ErrAlways(ctx) << "-z pauth-report only supported on AArch64";
if (ctx.arg.zGcsReport != ReportPolicy::None)
ErrAlways(ctx) << "-z gcs-report only supported on AArch64";
+ if (ctx.arg.zGcsReportDynamic != ReportPolicy::None)
+ ErrAlways(ctx) << "-z gcs-report-dynamic only supported on AArch64";
if (ctx.arg.zGcs != GcsPolicy::Implicit)
ErrAlways(ctx) << "-z gcs only supported on AArch64";
}
@@ -1625,7 +1627,9 @@ static void readConfigs(Ctx &ctx, opt::InputArgList &args) {
std::make_pair("cet-report", &ctx.arg.zCetReport),
std::make_pair("execute-only-report", &ctx.arg.zExecuteOnlyReport),
std::make_pair("gcs-report", &ctx.arg.zGcsReport),
+ std::make_pair("gcs-report-dynamic", &ctx.arg.zGcsReportDynamic),
std::make_pair("pauth-report", &ctx.arg.zPauthReport)};
+ bool hasGcsReportDynamic = false;
for (opt::Arg *arg : args.filtered(OPT_z)) {
std::pair<StringRef, StringRef> option =
StringRef(arg->getValue()).split('=');
@@ -1644,9 +1648,16 @@ static void readConfigs(Ctx &ctx, opt::InputArgList &args) {
<< "= value: " << option.second;
continue;
}
+ hasGcsReportDynamic |= option.first == "gcs-report-dynamic";
}
}
+ // When -zgcs-report-dynamic is unspecified, it inherits -zgcs-report
+ // but is capped at warning to avoid needing to rebuild the shared library
+ // with GCS enabled.
+ if (!hasGcsReportDynamic && ctx.arg.zGcsReport != ReportPolicy::None)
+ ctx.arg.zGcsReportDynamic = ReportPolicy::Warning;
+
for (opt::Arg *arg : args.filtered(OPT_compress_sections)) {
SmallVector<StringRef, 0> fields;
StringRef(arg->getValue()).split(fields, '=');
@@ -2907,6 +2918,22 @@ static void readSecurityNotes(Ctx &ctx) {
ctx.arg.andFeatures |= GNU_PROPERTY_AARCH64_FEATURE_1_GCS;
else if (ctx.arg.zGcs == GcsPolicy::Never)
ctx.arg.andFeatures &= ~GNU_PROPERTY_AARCH64_FEATURE_1_GCS;
+
+ // If we are utilising GCS at any stage, the sharedFiles should be checked to
+ // ensure they also support this feature. The gcs-report-dynamic option is
+ // used to indicate if the user wants information relating to this, and will
+ // be set depending on the user's input, or warning if gcs-report is set to
+ // either `warning` or `error`.
+ if (ctx.arg.andFeatures & GNU_PROPERTY_AARCH64_FEATURE_1_GCS)
+ for (SharedFile *f : ctx.sharedFiles)
+ reportUnless(ctx.arg.zGcsReportDynamic,
+ f->andFeatures & GNU_PROPERTY_AARCH64_FEATURE_1_GCS)
+ << f
+ << ": GCS is required by -z gcs, but this shared library lacks the "
+ "necessary property note. The "
+ << "dynamic loader might not enable GCS or refuse to load the "
+ "program unless all shared library "
+ << "dependencies have the GCS marking.";
}
static void initSectionsAndLocalSyms(ELFFileBase *file, bool ignoreComdats) {
diff --git a/lld/ELF/InputFiles.cpp b/lld/ELF/InputFiles.cpp
index d43de8ce6dfef..5f6d2b6b647ee 100644
--- a/lld/ELF/InputFiles.cpp
+++ b/lld/ELF/InputFiles.cpp
@@ -918,6 +918,56 @@ void ObjFile<ELFT>::initializeSections(bool ignoreComdats,
handleSectionGroup<ELFT>(this->sections, entries);
}
+template <typename ELFT>
+static void parseGnuPropertyNote(Ctx &ctx, ELFFileBase &f,
+ uint32_t featureAndType,
+ ArrayRef<uint8_t> &desc, const uint8_t *base,
+ ArrayRef<uint8_t> *data = nullptr) {
+ auto err = [&](const uint8_t *place) -> ELFSyncStream {
+ auto diag = Err(ctx);
+ diag << &f << ":(" << ".note.gnu.property+0x"
+ << Twine::utohexstr(place - base) << "): ";
+ return diag;
+ };
+
+ while (!desc.empty()) {
+ const uint8_t *place = desc.data();
+ if (desc.size() < 8)
+ return void(err(place) << "program property is too short");
+ uint32_t type = read32<ELFT::Endianness>(desc.data());
+ uint32_t size = read32<ELFT::Endianness>(desc.data() + 4);
+ desc = desc.slice(8);
+ if (desc.size() < size)
+ return void(err(place) << "program property is too short");
+
+ if (type == featureAndType) {
+ // We found a FEATURE_1_AND field. There may be more than one of these
+ // in a .note.gnu.property section, for a relocatable object we
+ // accumulate the bits set.
+ if (size < 4)
+ return void(err(place) << "FEATURE_1_AND entry is too short");
+ f.andFeatures |= read32<ELFT::Endianness>(desc.data());
+ } else if (ctx.arg.emachine == EM_AARCH64 &&
+ type == GNU_PROPERTY_AARCH64_FEATURE_PAUTH) {
+ ArrayRef<uint8_t> contents = data ? *data : desc;
+ if (!f.aarch64PauthAbiCoreInfo.empty()) {
+ return void(
+ err(contents.data())
+ << "multiple GNU_PROPERTY_AARCH64_FEATURE_PAUTH entries are "
+ "not supported");
+ } else if (size != 16) {
+ return void(err(contents.data())
+ << "GNU_PROPERTY_AARCH64_FEATURE_PAUTH entry "
+ "is invalid: expected 16 bytes, but got "
+ << size);
+ }
+ f.aarch64PauthAbiCoreInfo = desc;
+ }
+
+ // Padding is present in the note descriptor, if necessary.
+ desc = desc.slice(alignTo<(ELFT::Is64Bits ? 8 : 4)>(size));
+ }
+}
// Read the following info from the .note.gnu.property section and write it to
// the corresponding fields in `ObjFile`:
// - Feature flags (32 bits) representing x86 or AArch64 features for
@@ -955,42 +1005,8 @@ static void readGnuProperty(Ctx &ctx, const InputSection &sec,
// Read a body of a NOTE record, which consists of type-length-value fields.
ArrayRef<uint8_t> desc = note.getDesc(sec.addralign);
- while (!desc.empty()) {
- const uint8_t *place = desc.data();
- if (desc.size() < 8)
- return void(err(place) << "program property is too short");
- uint32_t type = read32<ELFT::Endianness>(desc.data());
- uint32_t size = read32<ELFT::Endianness>(desc.data() + 4);
- desc = desc.slice(8);
- if (desc.size() < size)
- return void(err(place) << "program property is too short");
-
- if (type == featureAndType) {
- // We found a FEATURE_1_AND field. There may be more than one of these
- // in a .note.gnu.property section, for a relocatable object we
- // accumulate the bits set.
- if (size < 4)
- return void(err(place) << "FEATURE_1_AND entry is too short");
- f.andFeatures |= read32<ELFT::Endianness>(desc.data());
- } else if (ctx.arg.emachine == EM_AARCH64 &&
- type == GNU_PROPERTY_AARCH64_FEATURE_PAUTH) {
- if (!f.aarch64PauthAbiCoreInfo.empty()) {
- return void(
- err(data.data())
- << "multiple GNU_PROPERTY_AARCH64_FEATURE_PAUTH entries are "
- "not supported");
- } else if (size != 16) {
- return void(err(data.data())
- << "GNU_PROPERTY_AARCH64_FEATURE_PAUTH entry "
- "is invalid: expected 16 bytes, but got "
- << size);
- }
- f.aarch64PauthAbiCoreInfo = desc;
- }
-
- // Padding is present in the note descriptor, if necessary.
- desc = desc.slice(alignTo<(ELFT::Is64Bits ? 8 : 4)>(size));
- }
+ const uint8_t *base = sec.content().data();
+ parseGnuPropertyNote<ELFT>(ctx, f, featureAndType, desc, base, &data);
// Go to next NOTE record to look for more FEATURE_1_AND descriptions.
data = data.slice(nhdr->getSize(sec.addralign));
@@ -1418,6 +1434,28 @@ std::vector<uint32_t> SharedFile::parseVerneed(const ELFFile<ELFT> &obj,
return verneeds;
}
+// Parse PT_GNU_PROPERTY segments in DSO. The process is similar to
+// readGnuProperty, but we don't have the InputSection information.
+template <typename ELFT>
+void SharedFile::parseGnuAndFeatures(const ELFFile<ELFT> &obj) {
+ if (ctx.arg.emachine != EM_AARCH64)
+ return;
+ const uint8_t *base = obj.base();
+ auto phdrs = CHECK2(obj.program_headers(), this);
+ for (auto phdr : phdrs) {
+ if (phdr.p_type != PT_GNU_PROPERTY)
+ continue;
+ typename ELFT::Note note(
+ *reinterpret_cast<const typename ELFT::Nhdr *>(base + phdr.p_offset));
+ if (note.getType() != NT_GNU_PROPERTY_TYPE_0 || note.getName() != "GNU")
+ continue;
+
+ ArrayRef<uint8_t> desc = note.getDesc(phdr.p_align);
+ parseGnuPropertyNote<ELFT>(ctx, *this, GNU_PROPERTY_AARCH64_FEATURE_1_AND,
+ desc, base);
+ }
+}
+
// We do not usually care about alignments of data in shared object
// files because the loader takes care of it. However, if we promote a
// DSO symbol to point to .bss due to copy relocation, we need to keep
@@ -1528,6 +1566,7 @@ template <class ELFT> void SharedFile::parse() {
verdefs = parseVerdefs<ELFT>(obj.base(), verdefSec);
std::vector<uint32_t> verneeds = parseVerneed<ELFT>(obj, verneedSec);
+ parseGnuAndFeatures<ELFT>(obj);
// Parse ".gnu.version" section which is a parallel array for the symbol
// table. If a given file doesn't have a ".gnu.version" section, we use
diff --git a/lld/ELF/InputFiles.h b/lld/ELF/InputFiles.h
index 0b186db1ba0d1..808cb5d24079f 100644
--- a/lld/ELF/InputFiles.h
+++ b/lld/ELF/InputFiles.h
@@ -364,6 +364,8 @@ class SharedFile : public ELFFileBase {
template <typename ELFT>
std::vector<uint32_t> parseVerneed(const llvm::object::ELFFile<ELFT> &obj,
const typename ELFT::Shdr *sec);
+ template <typename ELFT>
+ void parseGnuAndFeatures(const llvm::object::ELFFile<ELFT> &obj);
};
class BinaryFile : public InputFile {
diff --git a/lld/docs/ReleaseNotes.rst b/lld/docs/ReleaseNotes.rst
index 6f60efd87c975..133a6fe87402d 100644
--- a/lld/docs/ReleaseNotes.rst
+++ b/lld/docs/ReleaseNotes.rst
@@ -25,6 +25,10 @@ Non-comprehensive list of changes in this release
ELF Improvements
----------------
+* For AArch64, added support for ``-zgcs-report-dynamic``, enabling checks for
+ GNU GCS Attribute Flags in Dynamic Objects when GCS is enabled. Inherits value
+ from ``-zgcs-report`` (capped at ``warning`` level) unless user-defined,
+ ensuring compatibility with GNU ld linker.
Breaking changes
----------------
diff --git a/lld/test/ELF/aarch64-feature-gcs.s b/lld/test/ELF/aarch64-feature-gcs.s
index b53a653dddaee..99407d0b2b095 100644
--- a/lld/test/ELF/aarch64-feature-gcs.s
+++ b/lld/test/ELF/aarch64-feature-gcs.s
@@ -49,10 +49,26 @@
# REPORT-WARN: warning: func2.o: -z gcs-report: file does not have GNU_PROPERTY_AARCH64_FEATURE_1_GCS property
# REPORT-ERROR: error: func3.o: -z gcs-report: file does not have GNU_PROPERTY_AARCH64_FEATURE_1_GCS property
+## gcs-report-dynamic should report any dynamic objects that does not have the gcs property. This also ensures the inhertance from gcs-report is working correctly.
+
+# RUN: ld.lld func1-gcs.o func3-gcs.o no-gcs.so force-gcs.so -z gcs-report=warning -z gcs=always 2>&1 | FileCheck --check-prefix=REPORT-WARN-DYNAMIC %s
+# RUN: ld.lld func1-gcs.o func3-gcs.o no-gcs.so force-gcs.so -z gcs-report=error -z gcs=always 2>&1 | FileCheck --check-prefix=REPORT-WARN-DYNAMIC %s
+# RUN: ld.lld func1-gcs.o func3-gcs.o no-gcs.so force-gcs.so -z gcs-report-dynamic=warning -z gcs=always 2>&1 | FileCheck --check-prefix=REPORT-WARN-DYNAMIC %s
+# RUN: not ld.lld func1-gcs.o func3-gcs.o no-gcs.so force-gcs.so -z gcs-report-dynamic=error -z gcs=always 2>&1 | FileCheck --check-prefix=REPORT-ERROR-DYNAMIC %s
+# RUN: ld.lld func1-gcs.o func3-gcs.o force-gcs.so -z gcs-report-dynamic=warning -z gcs=always 2>&1 | count 0
+# RUN: ld.lld func1-gcs.o func3-gcs.o force-gcs.so -z gcs-report-dynamic=error -z gcs=always 2>&1 | count 0
+
+# REPORT-WARN-DYNAMIC: warning: no-gcs.so: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all shared library dependencies have the GCS marking.
+# REPORT-WARN-DYNAMIC-NOT: warning:
+# REPORT-ERROR-DYNAMIC: error: no-gcs.so: GCS is required by -z gcs, but this shared library lacks the necessary property note. The dynamic loader might not enable GCS or refuse to load the program unless all shared library dependencies have the GCS marking.
+# REPORT-ERROR-DYNAMIC-NOT: error:
+
## An invalid gcs option should give an error
-# RUN: not ld.lld func1-gcs.o func2-gcs.o func3-gcs.o -z gcs=nonsense 2>&1 | FileCheck --check-prefix=INVALID %s
+# RUN: not ld.lld func1-gcs.o func2-gcs.o func3-gcs.o -z gcs=nonsense -z gcs-report=nonsense -z gcs-report-dynamic=nonsense 2>&1 | FileCheck --check-prefix=INVALID %s
# INVALID: error: unknown -z gcs= value: nonsense
+# INVALID: error: unknown -z gcs-report= value: nonsense
+# INVALID: error: unknown -z gcs-report-dynamic= value: nonsense
#--- func1-gcs.s
.section ".note.gnu.property", "a"
More information about the llvm-commits
mailing list