Jessica Clarke wrote:
> So it’s not really a case of not being necessary, it’s a case of “are
> you using void * or using void * __capability everywhere to opt into
> capability use?”
Indeed, when I try to compile the current Gnulib code in "hybrid" mode
(CC="clang -march=morello"), I get compilation errors due to mismatches
between 'void *' and 'void * __capability':
../../gltests/../gllib/alignalloc.h:101:11: error: converting capability type
'void * __capability' to non-capability type 'void *' without an explicit cast;
if this is intended use __cheri_fromcap
ptr = cheri_bounds_set (ptr, size);
^
(__cheri_fromcap void *)
../../gltests/test-malloca.c:28:24: error: converting capability type 'void *
__capability' to non-capability type 'void *' without an explicit cast; if this
is intended use __cheri_fromcap
../../gltests/../gllib/malloca.h:77:8: note: expanded from macro 'malloca'
? cheri_bounds_set ((void *) (((uintptr_t) \
^
../../gltests/../gllib/safe-alloc.h:50:11: error: converting capability type
'void * __capability' to non-capability type 'void *' without an explicit cast;
if this is intended use __cheri_fromcap
ptr = cheri_bounds_set (ptr, 0);
^
(__cheri_fromcap void *)
> This need to annotate all uses
> (including any third-party library APIs you use with them), which ends
> up spreading throughout entire codebases, is why hybrid is awkward to
> use at scale and only really works in highly-constrained environments.
> For most userspace code there’s very little benefit to using it
I see. So, I'm following your advice:
2023-11-13 Bruno Haible <br...@clisp.org>
Don't use CHERI facilities with CC="clang -march=morello".
Suggested by Jessica Clarke <jrt...@jrtc27.com> in
<https://lists.gnu.org/archive/html/bug-gnulib/2023-11/msg00116.html>.
* lib/alignalloc.h (alignalloc): Test __CHERI_PURE_CAPABILITY__, not
__CHERI__.
* lib/eealloc.h (eemalloc, eerealloc): Likewise.
* lib/ialloc.h (irealloc, ireallocarray): Likewise.
* lib/malloca.h (malloca): Likewise.
* lib/malloca.c (small_t, mmalloca, freea): Likewise.
* lib/rawmemchr.c (rawmemchr): Likewise.
* lib/safe-alloc.h (safe_alloc_realloc_n): Likewise.
* lib/sigsegv.c (SIGSEGV_FAULT_STACKPOINTER): Likewise.
* lib/ssfmalloc.h (struct dissected_page_header, init_small_block_page,
init_medium_block_page, free_block_from_pool, allocate_block): Likewise.
* tests/test-stdint.c: Likewise.
diff --git a/lib/alignalloc.h b/lib/alignalloc.h
index cb40b344e8..4f75084d13 100644
--- a/lib/alignalloc.h
+++ b/lib/alignalloc.h
@@ -29,7 +29,7 @@
#include <errno.h>
#include <stdlib.h>
#include "idx.h"
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
# include <cheri.h>
#endif
@@ -96,7 +96,7 @@ alignalloc (idx_t alignment, idx_t size)
if (alignment < sizeof (void *))
alignment = sizeof (void *);
errno = posix_memalign (&ptr, alignment, size | !size);
-# if defined __CHERI__
+# if defined __CHERI_PURE_CAPABILITY__
if (ptr != NULL)
ptr = cheri_bounds_set (ptr, size);
# endif
diff --git a/lib/eealloc.h b/lib/eealloc.h
index bae3915146..1c54465680 100644
--- a/lib/eealloc.h
+++ b/lib/eealloc.h
@@ -36,7 +36,7 @@
#endif
#include <stdlib.h>
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
# include <cheri.h>
#endif
@@ -59,7 +59,7 @@ eemalloc (size_t n)
if (n == 0)
nx = 1;
void *ptr = malloc (nx);
-# if defined __CHERI__
+# if defined __CHERI_PURE_CAPABILITY__
if (ptr != NULL)
ptr = cheri_bounds_set (ptr, n);
# endif
@@ -80,7 +80,7 @@ eerealloc (void *p, size_t n)
if (n == 0)
nx = 1;
void *ptr = realloc (p, nx);
-# if defined __CHERI__
+# if defined __CHERI_PURE_CAPABILITY__
if (ptr != NULL)
ptr = cheri_bounds_set (ptr, n);
# endif
diff --git a/lib/ialloc.h b/lib/ialloc.h
index 527b1f48be..5b336ab1c5 100644
--- a/lib/ialloc.h
+++ b/lib/ialloc.h
@@ -29,7 +29,7 @@
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
# include <cheri.h>
#endif
@@ -73,7 +73,7 @@ irealloc (void *p, idx_t s)
/* Work around GNU realloc glitch by treating a zero size as if it
were 1, so that returning NULL is equivalent to failing. */
p = realloc (p, s | !s);
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
if (p != NULL)
p = cheri_bounds_set (p, s);
#endif
@@ -121,7 +121,7 @@ ireallocarray (void *p, idx_t n, idx_t s)
if (n == 0 || s == 0)
nx = sx = 1;
p = reallocarray (p, nx, sx);
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
if (p != NULL && (n == 0 || s == 0))
p = cheri_bounds_set (p, 0);
#endif
diff --git a/lib/malloca.c b/lib/malloca.c
index f98fdf152d..5ddb867039 100644
--- a/lib/malloca.c
+++ b/lib/malloca.c
@@ -22,7 +22,7 @@
#include "malloca.h"
#include <stdckdint.h>
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
# include <cheri.h>
#endif
@@ -39,7 +39,7 @@
allocation.
- NULL comes from a failed heap allocation. */
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
/* Type for holding the original malloc() result. */
typedef uintptr_t small_t;
#else
@@ -78,7 +78,7 @@ mmalloca (size_t n)
So, the memory range [p, p+n) lies in the allocated memory range
[mem, mem + nplus). */
small_t *sp = p;
-# if defined __CHERI__
+# if defined __CHERI_PURE_CAPABILITY__
sp[-1] = umem;
p = (char *) cheri_bounds_set ((char *) p - sizeof (small_t),
sizeof (small_t) + n)
@@ -117,7 +117,7 @@ freea (void *p)
{
char *cp = p;
small_t *sp = p;
-# if defined __CHERI__
+# if defined __CHERI_PURE_CAPABILITY__
void *mem = sp[-1];
# else
void *mem = cp - sp[-1];
diff --git a/lib/malloca.h b/lib/malloca.h
index 120f406880..2165e07096 100644
--- a/lib/malloca.h
+++ b/lib/malloca.h
@@ -28,7 +28,7 @@
#include <stddef.h>
#include <stdlib.h>
#include <stdint.h>
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
# include <cheri.h>
#endif
@@ -71,7 +71,7 @@ extern void freea (void *p);
memory allocated on the stack, that must be freed using freea() before
the function returns. Upon failure, it returns NULL. */
#if HAVE_ALLOCA
-# if defined __CHERI__
+# if defined __CHERI_PURE_CAPABILITY__
# define malloca(N) \
((N) < 4032 - (2 * sa_alignment_max - 1) \
? cheri_bounds_set ((void *) (((uintptr_t) \
diff --git a/lib/rawmemchr.c b/lib/rawmemchr.c
index 9386ffc628..1c4a662ebf 100644
--- a/lib/rawmemchr.c
+++ b/lib/rawmemchr.c
@@ -30,7 +30,7 @@
void *
rawmemchr (const void *s, int c_in)
{
-# ifdef __CHERI__
+# ifdef __CHERI_PURE_CAPABILITY__
/* Most architectures let you read an aligned word,
even if the unsigned char array at S ends in the middle of the word.
However CHERI does not, so call memchr
diff --git a/lib/safe-alloc.h b/lib/safe-alloc.h
index 27049d3836..556735ab74 100644
--- a/lib/safe-alloc.h
+++ b/lib/safe-alloc.h
@@ -27,7 +27,7 @@
#endif
#include <stdlib.h>
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
# include <cheri.h>
#endif
@@ -45,7 +45,7 @@ safe_alloc_realloc_n (void *ptr, size_t count, size_t size)
if (count == 0 || size == 0)
countx = sizex = 1;
ptr = reallocarray (ptr, countx, sizex);
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
if (ptr != NULL && (count == 0 || size == 0))
ptr = cheri_bounds_set (ptr, 0);
#endif
diff --git a/lib/sigsegv.c b/lib/sigsegv.c
index c683c03ac0..9a1b8cc6c0 100644
--- a/lib/sigsegv.c
+++ b/lib/sigsegv.c
@@ -440,7 +440,7 @@ int libsigsegv_version = LIBSIGSEGV_VERSION;
/* See sys/arm64/include/ucontext.h. */
-# if defined __CHERI__
+# if defined __CHERI_PURE_CAPABILITY__
# define SIGSEGV_FAULT_STACKPOINTER ((ucontext_t *)
ucp)->uc_mcontext.mc_capregs.cap_sp
# else
# define SIGSEGV_FAULT_STACKPOINTER ((ucontext_t *)
ucp)->uc_mcontext.mc_gpregs.gp_sp
diff --git a/lib/ssfmalloc.h b/lib/ssfmalloc.h
index 14644cb1d4..645a2eda07 100644
--- a/lib/ssfmalloc.h
+++ b/lib/ssfmalloc.h
@@ -133,7 +133,7 @@ static void free_block (uintptr_t block);
#include "thread-optim.h"
#include "gl_oset.h"
#include "gl_rbtree_oset.h"
-#ifdef __CHERI__
+#ifdef __CHERI_PURE_CAPABILITY__
# include <cheri.h>
#endif
@@ -181,7 +181,7 @@ struct page_tree_element
struct dissected_page_header
{
struct any_page_header common;
- #ifdef __CHERI__
+ #ifdef __CHERI_PURE_CAPABILITY__
/* This page, with bounds [page, page + PAGESIZE). */
uintptr_t whole_page;
#endif
@@ -393,7 +393,7 @@ init_small_block_page (uintptr_t page)
{
struct small_page_header *pageptr = (struct small_page_header *) page;
pageptr->common.common.page_type = small_page_type;
- #ifdef __CHERI__
+ #ifdef __CHERI_PURE_CAPABILITY__
pageptr->common.whole_page = page;
#endif
@@ -555,7 +555,7 @@ init_medium_block_page (uintptr_t page)
{
struct medium_page_header *pageptr = (struct medium_page_header *) page;
pageptr->common.common.page_type = medium_page_type;
- #ifdef __CHERI__
+ #ifdef __CHERI_PURE_CAPABILITY__
pageptr->common.whole_page = page;
#endif
pageptr->num_gaps = 1;
@@ -857,7 +857,7 @@ free_block_from_pool (uintptr_t block, uintptr_t page,
struct page_pool *pool)
FREE_PAGES (pool->freeable_page, PAGESIZE);
/* Don't free the page now, but later. */
- #ifdef __CHERI__
+ #ifdef __CHERI_PURE_CAPABILITY__
pool->freeable_page = pageptr->whole_page;
#else
pool->freeable_page = page;
@@ -925,7 +925,7 @@ allocate_block (size_t size)
(size <= SMALL_BLOCK_MAX_SIZE ? &small_block_pages :
&medium_block_pages);
block = allocate_block_from_pool (size, pool);
if (mt) gl_lock_unlock (ssfmalloc_lock);
-#if defined __CHERI__
+#if defined __CHERI_PURE_CAPABILITY__
if (block != 0)
{
size_t offset = block & (PAGESIZE - 1);
diff --git a/tests/test-stdint.c b/tests/test-stdint.c
index fd12207b34..988c452217 100644
--- a/tests/test-stdint.c
+++ b/tests/test-stdint.c
@@ -219,7 +219,7 @@ err or;
#ifdef INTPTR_MAX
intptr_t g[3] = { 17, INTPTR_MIN, INTPTR_MAX };
verify (sizeof (void *) <= sizeof (intptr_t));
-# ifndef __CHERI__
+# ifndef __CHERI_PURE_CAPABILITY__
verify (TYPE_MINIMUM (intptr_t) == INTPTR_MIN);
verify (TYPE_MAXIMUM (intptr_t) == INTPTR_MAX);
# endif
@@ -230,7 +230,7 @@ verify_same_types (INTPTR_MAX, (intptr_t) 0 + 0);
#ifdef UINTPTR_MAX
uintptr_t h[2] = { 17, UINTPTR_MAX };
verify (sizeof (void *) <= sizeof (uintptr_t));
-# ifndef __CHERI__
+# ifndef __CHERI_PURE_CAPABILITY__
verify (TYPE_MAXIMUM (uintptr_t) == UINTPTR_MAX);
# endif
verify_same_types (UINTPTR_MAX, (uintptr_t) 0 + 0);
@@ -410,7 +410,7 @@ verify_width (INT_FAST32_WIDTH, INT_FAST32_MIN,
INT_FAST32_MAX);
verify_width (UINT_FAST32_WIDTH, 0, UINT_FAST32_MAX);
verify_width (INT_FAST64_WIDTH, INT_FAST64_MIN, INT_FAST64_MAX);
verify_width (UINT_FAST64_WIDTH, 0, UINT_FAST64_MAX);
-#ifndef __CHERI__
+#ifndef __CHERI_PURE_CAPABILITY__
# ifdef INTPTR_WIDTH
verify_width (INTPTR_WIDTH, INTPTR_MIN, INTPTR_MAX);
# endif
