| Message ID | 20230407215406.768464-1-ndesaulniers@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | ubsan: remove cc-option test for UBSAN_TRAP | expand |
On Fri, Apr 07, 2023 at 02:54:06PM -0700, Nick Desaulniers wrote: > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > Clang 3.2. The minimum supported version of these according to > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > this cc-option check. > > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> Reviewed-by: Nathan Chancellor <nathan@kernel.org> As an aside, we should really consider having some standard format of comment around cc-option checks so that we can easily remove them when they become stale... > --- > Masahiro, Kees: get_maintainer.pl leaves much to be desired for this > file. Can one of you please pick this up? > > lib/Kconfig.ubsan | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > index fd15230a703b..0e7ad0782399 100644 > --- a/lib/Kconfig.ubsan > +++ b/lib/Kconfig.ubsan > @@ -15,7 +15,6 @@ if UBSAN > config UBSAN_TRAP > bool "On Sanitizer warnings, abort the running kernel code" > depends on !COMPILE_TEST > - depends on $(cc-option, -fsanitize-undefined-trap-on-error) > help > Building kernels with Sanitizer features enabled tends to grow > the kernel size by around 5%, due to adding all the debugging > -- > 2.40.0.577.gac1e443424-goog >
On Fri, Apr 7, 2023 at 2:58 PM Nathan Chancellor <nathan@kernel.org> wrote: > > On Fri, Apr 07, 2023 at 02:54:06PM -0700, Nick Desaulniers wrote: > > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > > Clang 3.2. The minimum supported version of these according to > > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > > this cc-option check. > > > > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > > Reviewed-by: Nathan Chancellor <nathan@kernel.org> > > As an aside, we should really consider having some standard format of > comment around cc-option checks so that we can easily remove them when > they become stale... > > > --- > > Masahiro, Kees: get_maintainer.pl leaves much to be desired for this > > file. Can one of you please pick this up? > > > > lib/Kconfig.ubsan | 1 - > > 1 file changed, 1 deletion(-) > > > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > > index fd15230a703b..0e7ad0782399 100644 > > --- a/lib/Kconfig.ubsan > > +++ b/lib/Kconfig.ubsan > > @@ -15,7 +15,6 @@ if UBSAN > > config UBSAN_TRAP > > bool "On Sanitizer warnings, abort the running kernel code" > > depends on !COMPILE_TEST > > - depends on $(cc-option, -fsanitize-undefined-trap-on-error) > > help > > Building kernels with Sanitizer features enabled tends to grow > > the kernel size by around 5%, due to adding all the debugging > > -- > > 2.40.0.577.gac1e443424-goog > > > -fsanitize-undefined-trap-on-error is a legacy option from 2013 when -fcatch-undefined-behavior instead of -fsanitize=undefined enabled UBSan. On the Clang side, http://reviews.llvm.org/D10464 added -fsanitize-trap= in June 2015. It's best to use -fsanitize-trap=undefined and avoid uses of -fsanitize-undefined-trap-on-error.
On Tue, Apr 11, 2023 at 05:12:24PM -0700, Fangrui Song wrote: > On Fri, Apr 7, 2023 at 2:58 PM Nathan Chancellor <nathan@kernel.org> wrote: > > > > On Fri, Apr 07, 2023 at 02:54:06PM -0700, Nick Desaulniers wrote: > > > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > > > Clang 3.2. The minimum supported version of these according to > > > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > > > this cc-option check. > > > > > > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > > > > Reviewed-by: Nathan Chancellor <nathan@kernel.org> > > > > As an aside, we should really consider having some standard format of > > comment around cc-option checks so that we can easily remove them when > > they become stale... > > > > > --- > > > Masahiro, Kees: get_maintainer.pl leaves much to be desired for this > > > file. Can one of you please pick this up? > > > > > > lib/Kconfig.ubsan | 1 - > > > 1 file changed, 1 deletion(-) > > > > > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > > > index fd15230a703b..0e7ad0782399 100644 > > > --- a/lib/Kconfig.ubsan > > > +++ b/lib/Kconfig.ubsan > > > @@ -15,7 +15,6 @@ if UBSAN > > > config UBSAN_TRAP > > > bool "On Sanitizer warnings, abort the running kernel code" > > > depends on !COMPILE_TEST > > > - depends on $(cc-option, -fsanitize-undefined-trap-on-error) > > > help > > > Building kernels with Sanitizer features enabled tends to grow > > > the kernel size by around 5%, due to adding all the debugging > > > -- > > > 2.40.0.577.gac1e443424-goog > > > > > > > -fsanitize-undefined-trap-on-error is a legacy option from 2013 when > -fcatch-undefined-behavior instead of -fsanitize=undefined enabled > UBSan. > On the Clang side, http://reviews.llvm.org/D10464 added > -fsanitize-trap= in June 2015. > It's best to use -fsanitize-trap=undefined and avoid uses of > -fsanitize-undefined-trap-on-error. But that's Clang-only. -fsanitize-undefined-trap-on-error works for both GCC and Clang.
On Wed, Apr 12, 2023 at 8:12 AM Kees Cook <keescook@chromium.org> wrote: > > On Tue, Apr 11, 2023 at 05:12:24PM -0700, Fangrui Song wrote: > > On Fri, Apr 7, 2023 at 2:58 PM Nathan Chancellor <nathan@kernel.org> wrote: > > > > > > On Fri, Apr 07, 2023 at 02:54:06PM -0700, Nick Desaulniers wrote: > > > > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > > > > Clang 3.2. The minimum supported version of these according to > > > > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > > > > this cc-option check. > > > > > > > > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > > > > > > Reviewed-by: Nathan Chancellor <nathan@kernel.org> > > > > > > As an aside, we should really consider having some standard format of > > > comment around cc-option checks so that we can easily remove them when > > > they become stale... > > > > > > > --- > > > > Masahiro, Kees: get_maintainer.pl leaves much to be desired for this > > > > file. Can one of you please pick this up? > > > > > > > > lib/Kconfig.ubsan | 1 - > > > > 1 file changed, 1 deletion(-) > > > > > > > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > > > > index fd15230a703b..0e7ad0782399 100644 > > > > --- a/lib/Kconfig.ubsan > > > > +++ b/lib/Kconfig.ubsan > > > > @@ -15,7 +15,6 @@ if UBSAN > > > > config UBSAN_TRAP > > > > bool "On Sanitizer warnings, abort the running kernel code" > > > > depends on !COMPILE_TEST > > > > - depends on $(cc-option, -fsanitize-undefined-trap-on-error) > > > > help > > > > Building kernels with Sanitizer features enabled tends to grow > > > > the kernel size by around 5%, due to adding all the debugging > > > > -- > > > > 2.40.0.577.gac1e443424-goog > > > > > > > > > > > -fsanitize-undefined-trap-on-error is a legacy option from 2013 when > > -fcatch-undefined-behavior instead of -fsanitize=undefined enabled > > UBSan. > > On the Clang side, http://reviews.llvm.org/D10464 added > > -fsanitize-trap= in June 2015. > > It's best to use -fsanitize-trap=undefined and avoid uses of > > -fsanitize-undefined-trap-on-error. > > But that's Clang-only. -fsanitize-undefined-trap-on-error works for both > GCC and Clang. > > -- > Kees Cook Just filed a -fsanitize-trap= feature request for GCC: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109489 :) https://reviews.llvm.org/D10464 (2015) does mention the state of the legacy option: // https://clang.llvm.org/docs/UsersManual.html#cmdoption-fsanitize-undefined-trap-on-error -fsanitize-undefined-trap-on-error Deprecated alias for -fsanitize-trap=undefined.
On Wed, Apr 12, 2023 at 11:13 AM Fangrui Song <maskray@google.com> wrote: > > On Wed, Apr 12, 2023 at 8:12 AM Kees Cook <keescook@chromium.org> wrote: > > > > On Tue, Apr 11, 2023 at 05:12:24PM -0700, Fangrui Song wrote: > > > On Fri, Apr 7, 2023 at 2:58 PM Nathan Chancellor <nathan@kernel.org> wrote: > > > > > > > > On Fri, Apr 07, 2023 at 02:54:06PM -0700, Nick Desaulniers wrote: > > > > > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > > > > > Clang 3.2. The minimum supported version of these according to > > > > > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > > > > > this cc-option check. > > > > > > > > > > Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> > > > > > > > > Reviewed-by: Nathan Chancellor <nathan@kernel.org> > > > > > > > > As an aside, we should really consider having some standard format of > > > > comment around cc-option checks so that we can easily remove them when > > > > they become stale... > > > > > > > > > --- > > > > > Masahiro, Kees: get_maintainer.pl leaves much to be desired for this > > > > > file. Can one of you please pick this up? > > > > > > > > > > lib/Kconfig.ubsan | 1 - > > > > > 1 file changed, 1 deletion(-) > > > > > > > > > > diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan > > > > > index fd15230a703b..0e7ad0782399 100644 > > > > > --- a/lib/Kconfig.ubsan > > > > > +++ b/lib/Kconfig.ubsan > > > > > @@ -15,7 +15,6 @@ if UBSAN > > > > > config UBSAN_TRAP > > > > > bool "On Sanitizer warnings, abort the running kernel code" > > > > > depends on !COMPILE_TEST > > > > > - depends on $(cc-option, -fsanitize-undefined-trap-on-error) > > > > > help > > > > > Building kernels with Sanitizer features enabled tends to grow > > > > > the kernel size by around 5%, due to adding all the debugging > > > > > -- > > > > > 2.40.0.577.gac1e443424-goog > > > > > > > > > > > > > > > -fsanitize-undefined-trap-on-error is a legacy option from 2013 when > > > -fcatch-undefined-behavior instead of -fsanitize=undefined enabled > > > UBSan. > > > On the Clang side, http://reviews.llvm.org/D10464 added > > > -fsanitize-trap= in June 2015. > > > It's best to use -fsanitize-trap=undefined and avoid uses of > > > -fsanitize-undefined-trap-on-error. > > > > But that's Clang-only. -fsanitize-undefined-trap-on-error works for both > > GCC and Clang. > > > > -- > > Kees Cook > > Just filed a -fsanitize-trap= feature request for GCC: > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109489 :) > > https://reviews.llvm.org/D10464 (2015) does mention the state of the > legacy option: > > // https://clang.llvm.org/docs/UsersManual.html#cmdoption-fsanitize-undefined-trap-on-error > -fsanitize-undefined-trap-on-error > Deprecated alias for -fsanitize-trap=undefined. Circling back. it seems that GCC 13 will have -fsanitize-trap=undefined (a commit from 2022-06). The current https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html says "The -fsanitize-undefined-trap-on-error option is deprecated equivalent of -fsanitize-trap=all." We need to discourage further uses of the deprecated -fsanitize-undefined-trap-on-error.
On Fri, 7 Apr 2023 14:54:06 -0700, Nick Desaulniers wrote: > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > Clang 3.2. The minimum supported version of these according to > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > this cc-option check. > > Applied to for-next/hardening, thanks! [1/1] ubsan: remove cc-option test for UBSAN_TRAP https://git.kernel.org/kees/c/08e4044243a6
On Wed, May 17, 2023 at 12:02 PM Kees Cook <keescook@chromium.org> wrote: > > On Fri, 7 Apr 2023 14:54:06 -0700, Nick Desaulniers wrote: > > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > > Clang 3.2. The minimum supported version of these according to > > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > > this cc-option check. > > > > > > Applied to for-next/hardening, thanks! > > [1/1] ubsan: remove cc-option test for UBSAN_TRAP > https://git.kernel.org/kees/c/08e4044243a6 > > -- > Kees Cook > > For this -fsanitize-undefined-trap-on-error, I think we need a v2 patch that tries -fsanitize-trap=all as well. -fsanitize-undefined-trap-on-error has been deprecated in Clang for 8 years, and at some point we will remove the option. GCC implements -fsanitize-trap=all later, but -fsanitize-undefined-trap-on-error is documented as deprecated as well.
On Wed, May 17, 2023 at 12:08 PM Fangrui Song <maskray@google.com> wrote: > > On Wed, May 17, 2023 at 12:02 PM Kees Cook <keescook@chromium.org> wrote: > > > > On Fri, 7 Apr 2023 14:54:06 -0700, Nick Desaulniers wrote: > > > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > > > Clang 3.2. The minimum supported version of these according to > > > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > > > this cc-option check. > > > > > > > > > > Applied to for-next/hardening, thanks! > > > > [1/1] ubsan: remove cc-option test for UBSAN_TRAP > > https://git.kernel.org/kees/c/08e4044243a6 > > > > -- > > Kees Cook > > > > > > For this -fsanitize-undefined-trap-on-error, I think we need a v2 patch that > tries -fsanitize-trap=all as well. Correction: -fsanitize-trap=undefined > -fsanitize-undefined-trap-on-error has been deprecated in Clang for 8 > years, and at some point we will remove the option. > > GCC implements -fsanitize-trap=all later, but > -fsanitize-undefined-trap-on-error is documented as deprecated as > well.
On Wed, May 17, 2023 at 12:09:35PM -0700, Fangrui Song wrote: > On Wed, May 17, 2023 at 12:08 PM Fangrui Song <maskray@google.com> wrote: > > > > On Wed, May 17, 2023 at 12:02 PM Kees Cook <keescook@chromium.org> wrote: > > > > > > On Fri, 7 Apr 2023 14:54:06 -0700, Nick Desaulniers wrote: > > > > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > > > > Clang 3.2. The minimum supported version of these according to > > > > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > > > > this cc-option check. > > > > > > > > > > > > > > Applied to for-next/hardening, thanks! > > > > > > [1/1] ubsan: remove cc-option test for UBSAN_TRAP > > > https://git.kernel.org/kees/c/08e4044243a6 > > > > > > -- > > > Kees Cook > > > > > > > > > > For this -fsanitize-undefined-trap-on-error, I think we need a v2 patch that > > tries -fsanitize-trap=all as well. > > Correction: -fsanitize-trap=undefined > > > -fsanitize-undefined-trap-on-error has been deprecated in Clang for 8 > > years, and at some point we will remove the option. > > > > GCC implements -fsanitize-trap=all later, but > > -fsanitize-undefined-trap-on-error is documented as deprecated as > > well. Right now all the compilers support the old way, and I'd rather remove a cc-option call than add two. :)
On Wed, May 17, 2023 at 12:16 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, May 17, 2023 at 12:09:35PM -0700, Fangrui Song wrote: > > On Wed, May 17, 2023 at 12:08 PM Fangrui Song <maskray@google.com> wrote: > > > > > > On Wed, May 17, 2023 at 12:02 PM Kees Cook <keescook@chromium.org> wrote: > > > > > > > > On Fri, 7 Apr 2023 14:54:06 -0700, Nick Desaulniers wrote: > > > > > -fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and > > > > > Clang 3.2. The minimum supported version of these according to > > > > > Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop > > > > > this cc-option check. > > > > > > > > > > > > > > > > > > Applied to for-next/hardening, thanks! > > > > > > > > [1/1] ubsan: remove cc-option test for UBSAN_TRAP > > > > https://git.kernel.org/kees/c/08e4044243a6 > > > > > > > > -- > > > > Kees Cook > > > > > > > > > > > > > > For this -fsanitize-undefined-trap-on-error, I think we need a v2 patch that > > > tries -fsanitize-trap=all as well. > > > > Correction: -fsanitize-trap=undefined > > > > > -fsanitize-undefined-trap-on-error has been deprecated in Clang for 8 > > > years, and at some point we will remove the option. > > > > > > GCC implements -fsanitize-trap=all later, but > > > -fsanitize-undefined-trap-on-error is documented as deprecated as > > > well. > > Right now all the compilers support the old way, and I'd rather remove a > cc-option call than add two. :) > > -- > Kees Cook Hmm, this gives Clang developers a disadvantage... Anyone who removes Clang's -fsanitize-undefined-trap-on-error (or give it a warning before removal) will probably face complaints from kernel developers...
diff --git a/lib/Kconfig.ubsan b/lib/Kconfig.ubsan index fd15230a703b..0e7ad0782399 100644 --- a/lib/Kconfig.ubsan +++ b/lib/Kconfig.ubsan @@ -15,7 +15,6 @@ if UBSAN config UBSAN_TRAP bool "On Sanitizer warnings, abort the running kernel code" depends on !COMPILE_TEST - depends on $(cc-option, -fsanitize-undefined-trap-on-error) help Building kernels with Sanitizer features enabled tends to grow the kernel size by around 5%, due to adding all the debugging
-fsanitize-undefined-trap-on-error has been supported since GCC 5.1 and Clang 3.2. The minimum supported version of these according to Documentation/process/changes.rst is 5.1 and 11.0.0 respectively. Drop this cc-option check. Signed-off-by: Nick Desaulniers <ndesaulniers@google.com> --- Masahiro, Kees: get_maintainer.pl leaves much to be desired for this file. Can one of you please pick this up? lib/Kconfig.ubsan | 1 - 1 file changed, 1 deletion(-)