[llvm-dev] [cfe-dev] More verbose -mspeculative-load-hardening

Zola Bridges via llvm-dev llvm-dev at lists.llvm.org
Fri Apr 24 10:43:59 PDT 2020


Hi milsegv,

Gotcha. Makes sense.

Another option would be to compare the assembly output of a program built
with and without the SLH flag. Adding -S to your build command will output
the assembly.

A few other Spectre gadget detectors I've seen are:

   - Red Hat Spectre v1 Scanning tool:
   https://access.redhat.com/blogs/766093/posts/3510331
   - SMatch: https://lwn.net/Articles/752408/

In case you haven't come across them yet.

Good luck on your search! Feel free to ask any additional questions.

Zola Bridges
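
An added example, not part of the original message or of LLVM: one way to act on the "compare the assembly" suggestion is to build both variants with `-g -S` so the listings carry `.loc` directives, then report which source lines gained instructions. The two listings below are constructed and simplified for illustration (modelled on the sequences in the SLH design doc, not real clang output), and the function names are hypothetical.

```python
import re
from collections import Counter

LOC = re.compile(r"\.loc\s+\d+\s+(\d+)")  # .loc <file> <line> [<col>]

def mnemonics_by_line(asm):
    """Count instruction mnemonics per source line, attributed via .loc."""
    counts, line = {}, 0  # line 0 = no debug location seen yet
    for raw in asm.splitlines():
        text = raw.split("#", 1)[0].strip()  # drop AT&T-style comments
        m = LOC.match(text)
        if m:
            line = int(m.group(1))
        elif text and not text.startswith(".") and not text.endswith(":"):
            counts.setdefault(line, Counter())[text.split()[0]] += 1
    return counts

def added_by_hardening(plain, hardened):
    """Source line -> mnemonics seen more often in the hardened listing."""
    before, after = mnemonics_by_line(plain), mnemonics_by_line(hardened)
    diff = {ln: c - before.get(ln, Counter()) for ln, c in after.items()}
    return {ln: dict(d) for ln, d in sorted(diff.items()) if d}

# Constructed sample listings (assumption: simplified, not compiler output).
PLAIN = """lookup:
    .loc 1 2 7
    cmpq %rdx, %rsi
    jae .LBB0_2
    .loc 1 3 12
    movl (%rdi,%rsi,4), %eax
    retq"""
HARDENED = """lookup:
    .loc 1 1 0
    movq $-1, %r8                # poison value
    movq %rsp, %rcx              # recover predicate state at entry
    sarq $63, %rcx
    .loc 1 2 7
    cmpq %rdx, %rsi
    jae .LBB0_2
    cmovaeq %r8, %rcx            # track misspeculated branch
    .loc 1 3 12
    orq %rcx, %rsi               # mask the load index
    movl (%rdi,%rsi,4), %eax
    shlq $47, %rcx               # pass state out through %rsp
    orq %rcx, %rsp
    retq"""
if __name__ == "__main__":
    for ln, ops in added_by_hardening(PLAIN, HARDENED).items():
        print(f"line {ln}: {ops}")
```

Mnemonics are compared rather than full instructions because register allocation can differ between the two builds.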


On Fri, Apr 24, 2020 at 5:45 AM Robinson, Paul <paul.robinson at sony.com>
wrote:

> For reporting from the backend, the “optimization remarks” feature might
> be what you are looking for.  I have not used it myself so I should not
> provide details, but it is enabled from the clang command line with the
> `-R` option I believe.
>
> --paulr
>
>
>
> *From:* cfe-dev <cfe-dev-bounces at lists.llvm.org> *On Behalf Of *Zola
> Bridges via cfe-dev
> *Sent:* Thursday, April 23, 2020 4:43 PM
> *To:* Praveen Velliengiri <praveenvelliengiri at gmail.com>
> *Cc:* llvm-dev <llvm-dev at lists.llvm.org>; cfe-dev at lists.llvm.org; milsegv
> <milsegv at protonmail.com>
> *Subject:* Re: [cfe-dev] More verbose -mspeculative-load-hardening
>
>
>
> Another thing to consider about your feature idea is that the output may
> be noisy depending on what you were hoping for.
>
>
>
> SLH tries to mitigate anything that could potentially be a problem and
> thus it instruments almost every branch, load, and function entry, for
> example. There isn't a lot of signal about what is really a gadget among
> the code instrumented by SLH. It really tries to be comprehensive and to
> avoid missing anything even when that means protecting things that can't
> realistically be used for a Spectre v1 gadget.
>
>
> Zola Bridges
>
>
>
>
>
> On Thu, Apr 23, 2020 at 12:59 PM Zola Bridges <zbrid at google.com> wrote:
>
> Hi milsegv,
>
>
>
> I work on SLH. I haven't thought about the feature you'd like to see. It
> sounds pretty interesting. What would you like to use it for? Are you
> trying to learn more about how SLH works or are you hoping to use this
> feature for your project? I'm also interested in what you're working on for
> Spectre v1 detection if you'd like to share!
>
>
>
> I'm not sure how to go from the Machine IR that the SLH pass works on to
> the original C++ source code, so I can't give you advice on implementing
> that in LLVM. Hopefully someone else can chime in who understands the LLVM
> stack better than me.
>
>
>
> *If you'd like to get a better understanding of how SLH works:*
>
>
>
> Have you looked into using the LLVM_DEBUG macro? You can use it to print
> where you want from the SLH pass.
> Check it out here:
> https://llvm.org/docs/ProgrammersManual.html#the-llvm-debug-macro-and-debug-option
> You'll have to add it where you want to see what SLH is doing in the
> X86SpeculativeLoadHardening.cpp file and rebuild from source to get the new
> error messages.
>
>
>
> Another useful thing for you might be to pass either of these to clang
> when you enable -mspeculative-load-hardening:
>
>    - -mllvm -print-after-all
>    - -mllvm -print-after="x86-slh"
>
> This will let you look at the code before and after the SLH
> transformations.
>
>
>
> *If you want to implement this new feature that you want to build on:*
>
>
>
> One thing about your question to print where SLH applies the mitigation.
> I'd say the mitigation has multiple parts and it may be easier to
> understand your problem if you get more granular about what you mean. Do
> you want to know which loads in the C++ source get hardened? Or which
> conditions had instrumentation added? There are the instruction sequences
> that are added to track the predicate state and there are the instruction
> sequences that are added to mask data dependent loads and probably other
> parts that I can't think of off the top of my head. To figure out what you
> want to print it might be helpful to read this design doc if you haven't
> seen it: https://llvm.org/docs/SpeculativeLoadHardening.html
>
>
>
> Zola Bridges
>
>
>
>
>
> On Wed, Apr 22, 2020 at 9:52 AM Praveen Velliengiri via cfe-dev <
> cfe-dev at lists.llvm.org> wrote:
>
> Hi
>
> I think the llvm-dev list (CC'ed) has more visibility on this.
>
>
>
> On Wed, 22 Apr 2020 at 22:18, milsegv via cfe-dev <cfe-dev at lists.llvm.org>
> wrote:
>
> Hello everyone,
>
>
>
> It may not be the best place to ask this but I found nothing on the
> internet about it.
>
> I'm working on Spectre V1 detection and stumbled upon the mitigation
> provided by clang, the "-mspeculative-load-hardening" option. I found it
> really interesting, and my question is the following: is there a way to
> tweak the compiler to print a message whenever it applies the mitigation,
> telling the user at which line of its code it applied the patch?
>
> I have no idea of the difficulty of such a feature, but I'm ready to learn
> how to do it myself if anybody has time to tell me how to!
>
>
>
> Thanks for any help,
>
> milsegv
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>