Skip to content

Fix size of capability relocations for linker-defined symbols #768

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: dev
Choose a base branch
from
Open

Fix size of capability relocations for linker-defined symbols #768

wants to merge 4 commits into from

Conversation

arichardson
Copy link
Member

See individual commits for change descriptions

arichardson and others added 4 commits June 20, 2025 17:11
@arichardson @amilendra
[ELF] Baseline test for capability relocs against section start symbols
560e71e 
This shows that when in hybrid, we don't treat capability relocations
against the linker-syntesized or linker-script-defined section symbols
as having a size. It also shows that we don't set the sizes correctly for
linker-script synthesized scripts even in purecap outputs.

This test is adapted from the Morello LLVM test checking the same property for Morello.

Co-authored-by: Amilendra Kodithuwakku <[email protected]>
@arichardson @jrtc27
[ELF][CHERI] Use section size for caprelocs in hybrid mode
ad3d821 
This adapts the patch from Morello LLVM to use the section size for
start symbols even in hybrid mode.

Co-authored-by: Jessica Clarke <[email protected]>
@arichardson @jrtc27
[ELF][CHERI] Mark linker-script defined symbols as section start
b8bc09d 
This adapts the patch from Morello LLVM to use the section size for
start symbols even in hybrid mode. This only partially fixes the
start-stop-symbols.s test since the isSectionStartSymbol value is lost
prior to writing the relocations.

Co-authored-by: Jessica Clarke <[email protected]>
@arichardson
[ELF][CHERI] Fix isSectionStartSymbol when merging Symbols
0e1e968 
Symbol::mergeProperties() was dropping the isSectionStartSymbol value,
so linker-script defined symbols never had this set.

To fix this issue we could also have moved the assignment of
isSectionStartSymbol down after the call to mergeProperties inside
LinkerScript::addSymbol(), but performing the check inside
mergeProperties seems more future-proof in case this code is refactored
in upstream changes.
@arichardson arichardson requested a review from jrtc27 June 21, 2025 00:13
@jrtc27
Copy link
Member

jrtc27 commented Jun 21, 2025

Do we actually care about this edge case in hybrid? Besides, if st_size stays as 0, how you get the capability will lead to different bounds, which isn't particularly sensible; a run-time linker isn't going to get this right, for example.

Given we've never seen a need for this on CHERI-RISC-V and it's likely a result of Arm caring too much about hybrid, my inclination would be to drop this, and only pull in the minimal set of changes needed to support Morello in the ways it's actually used.

@jrtc27
Copy link
Member

jrtc27 commented Jun 21, 2025

Our compiler support for this isn't even coherent; it's an addrspacecast in a global's initialiser, but an addrspacecast inside a function gives you a CSetAddr DDC, not a bounded and permission-restricted capability.

@arichardson
Copy link
Member Author

Do we actually care about this edge case in hybrid? Besides, if st_size stays as 0, how you get the capability will lead to different bounds, which isn't particularly sensible; a run-time linker isn't going to get this right, for example.

Given we've never seen a need for this on CHERI-RISC-V and it's likely a result of Arm caring too much about hybrid, my inclination would be to drop this, and only pull in the minimal set of changes needed to support Morello in the ways it's actually used.

I'd be tempted to set st_size as soon as we encounter any indication of CHERI support in any of the input files? That way we don't break the existing upstream tests but set something sensible for hybrid?

@jrtc27
Copy link
Member

jrtc27 commented Jun 21, 2025

Do we actually care about this edge case in hybrid? Besides, if st_size stays as 0, how you get the capability will lead to different bounds, which isn't particularly sensible; a run-time linker isn't going to get this right, for example.
Given we've never seen a need for this on CHERI-RISC-V and it's likely a result of Arm caring too much about hybrid, my inclination would be to drop this, and only pull in the minimal set of changes needed to support Morello in the ways it's actually used.

I'd be tempted to set st_size as soon as we encounter any indication of CHERI support in any of the input files? That way we don't break the existing upstream tests but set something sensible for hybrid?

Just because there are no CHERI relocations doesn't mean it's not being used in a hybrid context. Hybrid just does not work fully and never will. Can at least prioritise purecap (and the bits of hybrid that CheriBSD needs) and come back to this contentious case some time later, if you believe we should be caring about it (which I don't)?

@arichardson
Copy link
Member Author

Do we actually care about this edge case in hybrid? Besides, if st_size stays as 0, how you get the capability will lead to different bounds, which isn't particularly sensible; a run-time linker isn't going to get this right, for example.
Given we've never seen a need for this on CHERI-RISC-V and it's likely a result of Arm caring too much about hybrid, my inclination would be to drop this, and only pull in the minimal set of changes needed to support Morello in the ways it's actually used.

I'd be tempted to set st_size as soon as we encounter any indication of CHERI support in any of the input files? That way we don't break the existing upstream tests but set something sensible for hybrid?

Just because there are no CHERI relocations doesn't mean it's not being used in a hybrid context. Hybrid just does not work fully and never will. Can at least prioritise purecap (and the bits of hybrid that CheriBSD needs) and come back to this contentious case some time later, if you believe we should be caring about it (which I don't)?

That's fair. The other option would be to just always set st_size to Nonzero. I don't see this causing any problems but when I tried to upstream that many years ago I recall some pushback. But having it downstream should be fine IMO and there really shouldn't be many tests that are affected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jrtc27 jrtc27 Awaiting requested review from jrtc27

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arichardson @jrtc27