From: Brooks Davis
Date: Tue, 10 Nov 2020 22:57:11 +0000
To: Shawn Webb
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r367577 - in head: share/mk sys/conf tools/build/options

On Tue, Nov 10, 2020 at 02:44:45PM -0500, Shawn Webb wrote:
> On Tue, Nov 10, 2020 at 07:17:29PM +0000, Brooks Davis wrote:
> > On Tue, Nov 10, 2020 at 07:15:14PM +0000, Brooks Davis wrote:
> > > Author: brooks
> > > Date: Tue Nov 10 19:15:13 2020
> > > New Revision: 367577
> > > URL: https://svnweb.freebsd.org/changeset/base/367577
> > >
> > > Log:
> > >   Support initializing stack variables on function entry
> > >
> > >   There are two options:
> > >   - WITH_INIT_ALL_ZERO: Zero all variables on the stack.
> > >   - WITH_INIT_ALL_PATTERN: Initialize variables with well-defined patterns.
> > >
> > >   The exact patterns are a compiler implementation detail and vary by type.
> > >   They are somewhat documented in the LLVM commit message:
> > >   https://reviews.llvm.org/rL349442
> > >   I've used WITH_INIT_ALL_* to match Microsoft's InitAll feature rather
> > >   than naming them after the LLVM specific compiler flags.
> > >
> > >   In a range of consumer products, options like these are used in
> > >   both debug and production builds with debug builds using patterns
> > >   (intended to provoke crashes on use of uninitialized values) and
> > >   production using zeros (deemed more likely to lead to harmless
> > >   misbehavior or NULL-pointer dereferences).
> >
> > We've tested this extensively in CheriBSD on RISC-V, in the wild it's
> > probably most tested on Arm64 and x86.
> >
> > Despite the silly compiler flag you'll spot in the code, the zeroing
> > option isn't going away in practice as Apple, Google, and Microsoft all
> > ship with this feature in some of their products.
>
> HardenedBSD's testing of this last year on amd64 has (privately)
> shown the feature to really hinder performance on more complex
> applications (like when applied to clang/lld). A build of base
> without init all zero applied to clang/lld would take around 1.5
> hours on my system. A build with it applied to clang/lld took around
> four hours, if my memory serves correctly. I would probably advise
> against applying it system-wide. But YMMV.

I agree a more nuanced approach is likely useful in practice, but this
does work and is part of the configuration we shipped for DARPA's FETT
bug bounty. Hopefully this provides a starting point for further
exploration.

-- Brooks
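
As an added illustration (not part of the original message or of the FreeBSD commit), the C model below shows the trade-off the commit log describes between no initialization, zero fill and pattern fill when a function forgets to set some fields of a stack structure. The structure, the function names, the constructed 'S' stale bytes and the plain 0xAA fill are assumptions; in a real build the compiler emits the fill when WITH_INIT_ALL_ZERO or WITH_INIT_ALL_PATTERN is set, and it is spelled out here only so the behaviour is defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the three build modes. In a real build the compiler emits the
 * fill at function entry; it is written out here so the result is defined. */
enum init_mode { INIT_NONE, INIT_ALL_ZERO, INIT_ALL_PATTERN };

struct reply {              /* hypothetical structure, not FreeBSD code */
    uint32_t status;
    uint32_t len;
    char     name[16];
    void    *next;
};

static void build_reply(struct reply *r, enum init_mode m)
{
    memset(r, 'S', sizeof(*r));          /* constructed stale stack contents */
    if (m == INIT_ALL_ZERO)
        memset(r, 0x00, sizeof(*r));
    else if (m == INIT_ALL_PATTERN)
        memset(r, 0xAA, sizeof(*r));     /* assumption: 0xAA stands in for the per-type patterns */
    r->status = 0;
    memcpy(r->name, "ok", 3);            /* bug: len, next and name[3..15] are never written */
}

/* Number of stale bytes that would leave with the reply. */
size_t leaked_bytes(enum init_mode m)
{
    struct reply r;
    const unsigned char *p = (const unsigned char *)&r;
    size_t n = 0;
    build_reply(&r, m);
    for (size_t i = 0; i < sizeof(r); i++)
        n += (p[i] == 'S');
    return n;
}

/* Values a later consumer of the forgotten fields would see. */
uint32_t seen_len(enum init_mode m) { struct reply r; build_reply(&r, m); return r.len; }
int next_is_null(enum init_mode m)  { struct reply r; build_reply(&r, m); return r.next == NULL; }

int main(void)
{
    for (int m = INIT_NONE; m <= INIT_ALL_PATTERN; m++)
        printf("mode %d: leaked=%zu len=0x%08x next_is_null=%d\n", m,
            leaked_bytes((enum init_mode)m), (unsigned)seen_len((enum init_mode)m),
            next_is_null((enum init_mode)m));
    return 0;
}
```

Both fills remove the stale bytes; they differ in what the forgotten fields look like afterwards: zero fill yields a length of 0 and a NULL pointer, while the pattern fill yields an implausible length and a non-NULL pointer that is more likely to fault on use.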