Date:      Tue, 10 Nov 2020 22:57:11 +0000
From:      Brooks Davis <brooks@freebsd.org>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r367577 - in head: share/mk sys/conf tools/build/options
Message-ID:  <20201110225711.GE1959@spindle.one-eyed-alien.net>
In-Reply-To: <20201110194445.wf5v63trwcv7fmzs@mutt-hbsd>
References:  <202011101915.0AAJFEWf059408@repo.freebsd.org> <20201110191729.GC1959@spindle.one-eyed-alien.net> <20201110194445.wf5v63trwcv7fmzs@mutt-hbsd>



On Tue, Nov 10, 2020 at 02:44:45PM -0500, Shawn Webb wrote:
> On Tue, Nov 10, 2020 at 07:17:29PM +0000, Brooks Davis wrote:
> > On Tue, Nov 10, 2020 at 07:15:14PM +0000, Brooks Davis wrote:
> > > Author: brooks
> > > Date: Tue Nov 10 19:15:13 2020
> > > New Revision: 367577
> > > URL: https://svnweb.freebsd.org/changeset/base/367577
> > >
> > > Log:
> > >   Support initializing stack variables on function entry
> > >
> > >   There are two options:
> > >    - WITH_INIT_ALL_ZERO: Zero all variables on the stack.
> > >    - WITH_INIT_ALL_PATTERN: Initialize variables with well-defined patterns.
> > >
> > >   The exact patterns are a compiler implementation detail and vary by type.
> > >   They are somewhat documented in the LLVM commit message:
> > >   https://reviews.llvm.org/rL349442
> > >   I've used WITH_INIT_ALL_* to match Microsoft's InitAll feature rather
> > >   than naming them after the LLVM specific compiler flags.
> > >
> > >   In a range of consumer products, options like these are used in
> > >   both debug and production builds with debug builds using patterns
> > >   (intended to provoke crashes on use of uninitialized values) and
> > >   production using zeros (deemed more likely to lead to harmless
> > >   misbehavior or NULL-pointer dereferences).
> >
> > We've tested this extensively in CheriBSD on RISC-V, in the wild it's
> > probably most tested on Arm64 and x86.
> >
> > Despite the silly compiler flag you'll spot in the code, the zeroing
> > option isn't going away in practice as Apple, Google, and Microsoft all
> > ship with this feature in some of their products.
>
> HardenedBSD's testing of this last year on amd64 has (privately)
> shown the feature to really hinder performance on more complex
> applications (like when applied to clang/lld). A build of base
> without init all zero applied to clang/lld would take around 1.5
> hours on my system. A build with it applied to clang/lld took around
> four hours, if my memory serves correctly. I would probably advise
> against applying it system-wide. But YMMV.

I agree a more nuanced approach is likely useful in practice, but this
does work and is part of the configuration we shipped for DARPA's FETT bug
bounty.  Hopefully this provides a starting point for further
exploration.

-- Brooks
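The commit message quoted above describes WITH_INIT_ALL_ZERO and WITH_INIT_ALL_PATTERN in terms of build-system knobs; the following script is an added example (not part of r367577 or of this thread) that shows what those knobs do at the compiler level to a single uninitialized stack variable. It assumes a C compiler reachable as $CC (default: cc) and that the compiler understands -ftrivial-auto-var-init=<mode>, the LLVM flag introduced by rL349442 (older clang additionally requires an opt-in flag for =zero, and GCC 12 and later accept both modes); the C program it compiles is constructed here for illustration.

```shell
#!/bin/sh
# Added example: probe the compiler-level effect of the zero/pattern
# auto-variable initialization behind WITH_INIT_ALL_ZERO / WITH_INIT_ALL_PATTERN.
# Assumes: a C compiler in $CC (default cc) that accepts
# -ftrivial-auto-var-init=<zero|pattern|uninitialized>.

CC="${CC:-cc}"

# Print "yes" if the compiler accepts -ftrivial-auto-var-init=<mode>, else "no".
supports_auto_var_init() {
    mode="$1"
    dir=$(mktemp -d) || return 1
    printf 'int main(void){return 0;}\n' > "$dir/t.c"
    if "$CC" -ftrivial-auto-var-init="$mode" -o "$dir/t" "$dir/t.c" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
    rm -rf "$dir"
}

# Build a constructed program whose uninitialized local has its address
# escape (so the read cannot be folded away), compile it with the requested
# mode, and print the 32-bit value the program observed in hex.
# Prints "unsupported" when the compiler rejects the mode.
observe_uninit() {
    mode="$1"
    [ "$(supports_auto_var_init "$mode")" = yes ] || { echo unsupported; return 0; }
    dir=$(mktemp -d) || return 1
    cat > "$dir/u.c" <<'EOF'
#include <stdio.h>
#include <stdint.h>
/* Sink that hides the variable's address from the optimizer. */
static void sink(volatile uint32_t *p) { (void)p; }
int main(void) {
    uint32_t leak;            /* never assigned: the bug class being mitigated */
    sink(&leak);
    printf("%08x\n", (unsigned)leak);
    return 0;
}
EOF
    "$CC" -O0 -w -ftrivial-auto-var-init="$mode" -o "$dir/u" "$dir/u.c" \
        || { rm -rf "$dir"; return 1; }
    "$dir/u"
    rm -rf "$dir"
}

# Usage: sh this_script.sh zero|pattern|uninitialized
if [ -n "${1:-}" ]; then
    observe_uninit "$1"
fi
```

With `zero` the program prints `00000000`, matching the "harmless misbehavior or NULL-pointer dereference" outcome the commit message expects for production builds; with `pattern` it prints the compiler's fill byte repeated (clang and GCC use different patterns, which is why the commit message calls the exact pattern an implementation detail), the kind of value that makes a use-before-assignment crash early in debug builds; with `uninitialized` the printed value is whatever happened to be in the stack slot.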
