Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refine CHERI macro and feature definitions #763

Open
wants to merge 7 commits into
base: dev
Choose a base branch
from
Open

Refine CHERI macro and feature definitions #763

wants to merge 7 commits into from
+52 −26

Conversation

brooksdavis
Copy link
Member

@brooksdavis brooksdavis commented Feb 28, 2025
edited
Loading

This set of changes does three main things:

  • adds an __CHERI_HYBRID__ to indicate hybrid compilation
  • adds an __has_feature(cheri) to eventually replace the overly generic __has_feature(capabilities)
  • Makes __CHERI__ a synonym for __CHERI_PURE_CAPABILITY__ and adds an __CHERI_HYBRID__ This is a breaking change

Rationale: We strongly encourage all CHERI consumers to use a pure-capability ABI whenever possible. Therefore it should be the easiest thing to type and less preferred options should be longer. The existing macros date to the earliest compiler support which barely supported capability types. Before broad adoption of CHERI we should make the macros be sensible. We're past Stuart Feldman's too many users of make to change the tabs threshold (12), but few codebases will be effected and the required changes are simple and can be safely performed automatically. We shouldn't have to live with this aspect of history forever.

@brooksdavis brooksdavis force-pushed the __CHERI__-means-purecap branch from 00f9977 to 4f38f04 Compare February 28, 2025 23:54
@brooksdavis brooksdavis mentioned this pull request Mar 1, 2025
Merged
@brooksdavis
Copy link
Member Author

This should probably be split into two changes, the backwards compatible changes to __CHERI__ use so we can pull them into CheriBSD and the breaking changes.

@arichardson
Copy link
Member

I do wonder if we want to use __has_feature(cheri) ? Capabilities seems rather generic and may be difficult to upstream

@heshamelmatary
Copy link
Member

I do wonder if we want to use __has_feature(cheri) ? Capabilities seems rather generic and may be difficult to upstream

I agree on that. It's rather confusing for systems like seL4 that already have their own notion/definition/types for a capability.

arichardson
arichardson approved these changes Mar 3, 2025
View reviewed changes
Copy link
Member

@arichardson arichardson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically this is a major breaking change but I don't think there is much choice outside of cheribsd that uses it so LGTM if @jrtc27 is also happy with it

@brooksdavis
Add __has_feature(cheri)
f919342 
This is intended to replace __has_feature(capabilities) which is almost
certainly too generic to upstream.  We'll support them side by side for
the long term in our tree, but projects should generally migrate to
__has_feature(cheri) as their need for older compilers passes.
@brooksdavis
Use __has_feature(cheri) in tests
5b64c4e 
Migrate tests that aren't explicitly about __has_feature(capabilities)
to __has_feature(cheri).
@brooksdavis brooksdavis force-pushed the __CHERI__-means-purecap branch from 4f38f04 to b374716 Compare March 4, 2025 17:41
arichardson
arichardson reviewed Mar 4, 2025
View reviewed changes
clang/test/Preprocessor/cheri-features.c
@@ -25,7 +25,7 @@ void* __capability x = 0;

#if defined(__CHERI__)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a test for the new hybrid macro here? And maybe update the RUN lines for RISC-V instead of MIPS? But that can be done in a future commit

arichardson
arichardson approved these changes Mar 4, 2025
View reviewed changes
Copy link
Member

@arichardson arichardson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the new change, LGTM. Will wait for @jrtc27 for merging though

@brooksdavis
Introduce __CHERI_HYBRID__ macro
abbe9d3 
This is meant to replace expressions like:
    __has_feature(capabilities) && !defined(__CHERI_PURE_CAPABILITY__)
or (currently(
    __CHERI__ && !defined(__CHERI_PURE_CAPABILITY__)
@brooksdavis
Make __CHERI__ a synonym for __CHERI_PURE_CAPABILITY__
da8608d 
WARNING: This is a breaking change for hybrid code bases.

Rationale: We strongly encourage all CHERI consumers to use a
pure-capability ABI whenever possible. Therefore it should be the
easiest thing to type and less preferred options should be longer. The
existing macros date to the earliest compiler support which barely
supported capability types. Before broad adoption of CHERI we should
make the macros be sensible. We're past Stuart Feldman's too many users
of make to change the tabs threshold (12), but few codebases will be
effected, the required changes are simple can be safely performed
without automatic review, and we shouldn't have to live with this aspect
of history forever.

Backwards compatible code transition:

For purecap + standard C/C++ code:
  No change required.

For hybrid + standard C/C++ code:
  __CHERI__ -> __has_feature(capabilities)

For mixed code:
  __CHERI__ -> __has_feature(capabilities)

Once the need for compatability with old compilers is passed further
simplication is possible.

For purecap + standard C/C++ code:
  __CHERI_PURE_CAPABILITY__ -> __CHERI__

For hybrid + standard C/C++ code:
  __has_feature(capabilities) && !defined(__CHERI_PURE_CAPABILITY__) ->
      __CHERI_HYBRID__
@brooksdavis brooksdavis force-pushed the __CHERI__-means-purecap branch from b374716 to da8608d Compare March 4, 2025 21:40
@brooksdavis brooksdavis changed the title Make __CHERI__ mean purecap Refine CHERI macro and feature definitions Mar 4, 2025
@heshamelmatary
Copy link
Member

I used to use __CHERI__ whenever I wanted to guard or do something that applies to both purecap and hybrid. Some compatibility issues arise with using __has_feature with (old) GCC etc and broke legacy GCC builds. Those required some workarounds. eg:

#ifndef __has_feature
#define __has_feature(x) 0
#endif

This assumes all projects have some sort of a global shared header where this could be defined, but unfortunately this is not always the case.

Existing projects such as muslc [1], newlib, CHERI-Linux also still use __CHERI__. While an easy fix, but probably worth notifying the maintainers and/or fixing it ourselves.

[1] https://git.morello-project.org/search?search=__CHERI__&nav_source=navbar&project_id=122&group_id=6&search_code=true&repository_ref=morello%2Fmaster

@bsdjhb
Copy link
Contributor

bsdjhb commented Mar 5, 2025

Note that this set of changes will actually make the GCC world happier as you can just use #if defined(__CHERI__) || defined(__CHERI_HYBRID__) in place of #if __has_feature(cheri) if desired once they are adopted.

@arichardson
Copy link
Member

Note that this set of changes will actually make the GCC world happier as you can just use #if defined(__CHERI__) || defined(__CHERI_HYBRID__) in place of #if __has_feature(cheri) if desired once they are adopted.

And that change can be made now even if they want to support the older compiler versions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arichardson arichardson arichardson approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@brooksdavis @arichardson @heshamelmatary @bsdjhb