RFC: Add GNU_PROPERTY_UINT32_AND_XXX/GNU_PROPERTY_UINT32_OR_XXX

1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI

#define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
#define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff

A bit in the output pr_data field is set only if it is set in all
relocatable input pr_data fields. If all bits in the the output
pr_data field are zero, this property should be removed from output.

If the bit is 1, all input relocatables have the feature. If the
bit is 0 or the property is missing, the info is unknown.

2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI

#define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
#define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff

A bit in the output pr_data field is set if it is set in any
relocatable input pr_data fields. If all bits in the the output
pr_data field are zero, this property should be removed from output.

If the bit is 1, some input relocatables have the feature. If the
bit is 0 or the property is missing, the info is unknown.

The PDF is at

Here is the binutils patch to implement it.

0001-elf-Add-GNU_PROPERTY_UINT32_AND_XXX-GNU_PROPERTY_UIN.patch (17.3 KB)

Hi, H.J.

Thank you for CCing llvm-dev:) In the past various GNU ABI proposals
went unnoticed by LLVM folks who don't happen to subscribe to GNU lists.
(A lot! I personally subscribe to some lists and check the discussion
just in case I miss something important:) )

I have researched a bit and observed that the following GNU_PROPERTY
values are currently used by compilers/linkers:

Bitwise OR for relocatable links. Bitwise AND for executable/shared
object links.

* GNU_PROPERTY_X86_FEATURE_1_AND = GNU_PROPERTY_X86_UINT32_AND_LO + 0,
* used by Intel Indirect branch tracking and Shadow Stack
* GNU_PROPERTY_AARCH64_FEATURE_1_AND, used by AArch64 Branch Target
* Identification and Pointer Authentication

Bitwise OR for all links.

* GNU_PROPERTY_X86_ISA_1_NEEDED = GNU_PROPERTY_X86_UINT32_OR_LO + 2,
* used by GCC -mneeded (for -march=x86-64-v[234])

There appear to be another type of AND/OR bits which are not defined in
ABIs (AFAICT):

* GNU_PROPERTY_X86_ISA_1_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO + 2
* GNU_PROPERTY_X86_FEATURE_2_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO +
* 1

I think generalizing the AND/OR idea to all architectures probably
requires us to think about these questions:

* What's the impending usage of the generic AND/OR ranges? ifunc? :slight_smile:
* Does the concept generalize well to other architectures? If we
* consider AArch64/x86 FEATURE_1_AND to be the same thing, the current
* usage is purely x86 specific.
* Is AND/OR encoding expressive enough to represent the required states?
* I've asked two folks and they expressed concerns. I think the three
* AND/OR usage above speak for themselves.
* Szabolcs Nagy mentioned that GNU_PROPERTY is an OS-specific mechanism
* (GNU), but the features are oftentimes arch specific which make sense
* to other OSes or bare-metal.
* Szabolcs: Do we need any versioning mechanism?

The feature selection and compatibility checking mechanism has some
overlap with GNU/arch-specific attributes (e.g .ARM.attributes,
.riscv.attributes). If I understand correctly, GNU_PROPERTY has an
associated program header so it can be checked by loaders
(kernel/ld.so/emulator) while Attributes don't have program headers so
they are largely assembler/linker protocols. In an inflexible way that
such feature bits can affect observable states to loaders as well, e.g.
.ARM.attributes can affect e_flags (soft/hard float). .MIPS.abiflags
has an associated program header PT_MIPS_ABIFLAGS (I know nearly nothing
about mips) Some thoughts from mips folks would be useful.

Last, I think a feature selection and compatibility checking mechanism
is assuredly useful, but whether the current AND/OR scheme can perfectly
satisfy that goal I am unsure. Having the proposal is a very good start,
though:) Thanks a lot for driving the discussion:)

>>
>> 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
>>
>> #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
>> #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
>>
>> A bit in the output pr_data field is set only if it is set in all
>> relocatable input pr_data fields. If all bits in the the output
>> pr_data field are zero, this property should be removed from output.
>>
>> If the bit is 1, all input relocatables have the feature. If the
>> bit is 0 or the property is missing, the info is unknown.
>>
>> 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
>>
>> #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
>> #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
>>
>> A bit in the output pr_data field is set if it is set in any
>> relocatable input pr_data fields. If all bits in the the output
>> pr_data field are zero, this property should be removed from output.
>>
>> If the bit is 1, some input relocatables have the feature. If the
>> bit is 0 or the property is missing, the info is unknown.
>>
>> The PDF is at
>>
>> https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
>>
>> --
>> H.J.
>
>Here is the binutils patch to implement it.
>
>--
>H.J.

Hi, H.J.

Thank you for CCing llvm-dev:) In the past various GNU ABI proposals
went unnoticed by LLVM folks who don't happen to subscribe to GNU lists.
(A lot! I personally subscribe to some lists and check the discussion
just in case I miss something important:) )

I have researched a bit and observed that the following GNU_PROPERTY
values are currently used by compilers/linkers:

Bitwise OR for relocatable links. Bitwise AND for executable/shared
object links.

* GNU_PROPERTY_X86_FEATURE_1_AND = GNU_PROPERTY_X86_UINT32_AND_LO + 0,
* used by Intel Indirect branch tracking and Shadow Stack
* GNU_PROPERTY_AARCH64_FEATURE_1_AND, used by AArch64 Branch Target
* Identification and Pointer Authentication

Bitwise OR for all links.

* GNU_PROPERTY_X86_ISA_1_NEEDED = GNU_PROPERTY_X86_UINT32_OR_LO + 2,
* used by GCC -mneeded (for -march=x86-64-v[234])

There appear to be another type of AND/OR bits which are not defined in
ABIs (AFAICT):

* GNU_PROPERTY_X86_ISA_1_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO + 2
* GNU_PROPERTY_X86_FEATURE_2_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO +
* 1

I have no use for these operations for generic targets.

I think generalizing the AND/OR idea to all architectures probably
requires us to think about these questions:

* What's the impending usage of the generic AND/OR ranges? ifunc? :slight_smile:

I'd like to add GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION:

https://groups.google.com/g/x86-64-abi/c/DRvKxJ1AH3Q

* Does the concept generalize well to other architectures? If we

It should work for GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION.

* consider AArch64/x86 FEATURE_1_AND to be the same thing, the current
* usage is purely x86 specific.
* Is AND/OR encoding expressive enough to represent the required states?

For GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION, yes.

* I've asked two folks and they expressed concerns. I think the three
* AND/OR usage above speak for themselves.
* Szabolcs Nagy mentioned that GNU_PROPERTY is an OS-specific mechanism
* (GNU), but the features are oftentimes arch specific which make sense
* to other OSes or bare-metal.
* Szabolcs: Do we need any versioning mechanism?

The feature selection and compatibility checking mechanism has some
overlap with GNU/arch-specific attributes (e.g .ARM.attributes,
.riscv.attributes). If I understand correctly, GNU_PROPERTY has an
associated program header so it can be checked by loaders
(kernel/ld.so/emulator) while Attributes don't have program headers so
they are largely assembler/linker protocols. In an inflexible way that
such feature bits can affect observable states to loaders as well, e.g.
.ARM.attributes can affect e_flags (soft/hard float). .MIPS.abiflags
has an associated program header PT_MIPS_ABIFLAGS (I know nearly nothing
about mips) Some thoughts from mips folks would be useful.

Last, I think a feature selection and compatibility checking mechanism
is assuredly useful, but whether the current AND/OR scheme can perfectly
satisfy that goal I am unsure. Having the proposal is a very good start,
though:) Thanks a lot for driving the discussion:)

My current ultimate goal is GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION
with a compiler option, -fsingle-global-definition:

1. All accesses to protected definitions are local access.
2. In executable, all accesses to defined symbols are local access.
3. All global function pointers, whose function bodies aren't
locally defined, must use GOT.
4. All read/write accesses to symbols, which aren't locally defined
must, use GOT.
5. Branches to undefined symbols may use PLT.

GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION will be enforced
by assembler, linker and ld.so.

>>
>> 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
>>
>> #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
>> #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
>>
>> A bit in the output pr_data field is set only if it is set in all
>> relocatable input pr_data fields. If all bits in the the output
>> pr_data field are zero, this property should be removed from output.
>>
>> If the bit is 1, all input relocatables have the feature. If the
>> bit is 0 or the property is missing, the info is unknown.
>>
>> 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
>>
>> #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
>> #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
>>
>> A bit in the output pr_data field is set if it is set in any
>> relocatable input pr_data fields. If all bits in the the output
>> pr_data field are zero, this property should be removed from output.
>>
>> If the bit is 1, some input relocatables have the feature. If the
>> bit is 0 or the property is missing, the info is unknown.
>>
>> The PDF is at
>>
>> https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
>>
>> --
>> H.J.
>
>Here is the binutils patch to implement it.
>
>--
>H.J.

Hi, H.J.

Thank you for CCing llvm-dev:) In the past various GNU ABI proposals
went unnoticed by LLVM folks who don't happen to subscribe to GNU lists.
(A lot! I personally subscribe to some lists and check the discussion
just in case I miss something important:) )

I have researched a bit and observed that the following GNU_PROPERTY
values are currently used by compilers/linkers:

Bitwise OR for relocatable links. Bitwise AND for executable/shared
object links.

* GNU_PROPERTY_X86_FEATURE_1_AND = GNU_PROPERTY_X86_UINT32_AND_LO + 0,
* used by Intel Indirect branch tracking and Shadow Stack
* GNU_PROPERTY_AARCH64_FEATURE_1_AND, used by AArch64 Branch Target
* Identification and Pointer Authentication

Bitwise OR for all links.

* GNU_PROPERTY_X86_ISA_1_NEEDED = GNU_PROPERTY_X86_UINT32_OR_LO + 2,
* used by GCC -mneeded (for -march=x86-64-v[234])

There appear to be another type of AND/OR bits which are not defined in
ABIs (AFAICT):

* GNU_PROPERTY_X86_ISA_1_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO + 2
* GNU_PROPERTY_X86_FEATURE_2_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO +
* 1

I have no use for these operations for generic targets.

I think generalizing the AND/OR idea to all architectures probably
requires us to think about these questions:

* What's the impending usage of the generic AND/OR ranges? ifunc? :slight_smile:

I'd like to add GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION:

https://groups.google.com/g/x86-64-abi/c/DRvKxJ1AH3Q

* Does the concept generalize well to other architectures? If we

It should work for GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION.

* consider AArch64/x86 FEATURE_1_AND to be the same thing, the current
* usage is purely x86 specific.
* Is AND/OR encoding expressive enough to represent the required states?

For GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION, yes.

* I've asked two folks and they expressed concerns. I think the three
* AND/OR usage above speak for themselves.
* Szabolcs Nagy mentioned that GNU_PROPERTY is an OS-specific mechanism
* (GNU), but the features are oftentimes arch specific which make sense
* to other OSes or bare-metal.
* Szabolcs: Do we need any versioning mechanism?

The feature selection and compatibility checking mechanism has some
overlap with GNU/arch-specific attributes (e.g .ARM.attributes,
.riscv.attributes). If I understand correctly, GNU_PROPERTY has an
associated program header so it can be checked by loaders
(kernel/ld.so/emulator) while Attributes don't have program headers so
they are largely assembler/linker protocols. In an inflexible way that
such feature bits can affect observable states to loaders as well, e.g.
.ARM.attributes can affect e_flags (soft/hard float). .MIPS.abiflags
has an associated program header PT_MIPS_ABIFLAGS (I know nearly nothing
about mips) Some thoughts from mips folks would be useful.

Last, I think a feature selection and compatibility checking mechanism
is assuredly useful, but whether the current AND/OR scheme can perfectly
satisfy that goal I am unsure. Having the proposal is a very good start,
though:) Thanks a lot for driving the discussion:)

My current ultimate goal is GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION
with a compiler option, -fsingle-global-definition:

1. All accesses to protected definitions are local access.
2. In executable, all accesses to defined symbols are local access.

For other folks,
I think

has summarized the current toolchain state and answered these questions.

clang always emits local access for protected definitions so there
should be no change.
gcc does use GOT for protected data symbols but the scheme only works on
i386 and x86-64.
(arm and aarch64 have glibc support bot no binutils support IIUC).
ld.lld always errors for copy relocations on protected data, and it will
continue doing so, like gold (19823 – gold produces copy reloc of protected symbols)

So on the clang side, there is no needed change.

On the GCC side, switching to local access for protected data symbols
technically changes the behavior for i386 and x86-64 and might be considered an
ABI change. But I'd argue that that does not matter because of three reasons:

* clang i386 and x86-64 always emits local access for protected definitions
* protected data+copy relocations never work on non-x86. (glibc has support for arm/aarch64 but binutils doesn't support it)
* gold never supports protected data+copy relocations, even for x86 (19823 – gold produces copy reloc of protected symbols)

So if there is breakage (if any..), it must be x86 specific code using
protected definitions, only built with gcc, not caring about traditional
behavior (<~2015 or 2016), never supporting non-x86 architectures, only
linkable with GNU ld (not gold), never supporting libc other than glibc.

OK, I cannot even imagine who is doing this:)

My blog post has mentioned what'd be great if gcc does:

* GCC: add -f[no-]direct-access-external-data.
* GCC: drop HAVE_LD_PIE_COPYRELOC in favor of -f[no-]direct-access-external-data.
* GCC x86-64: default to GOT indirection for external data symbols in -fpie mode.
* GCC or GNU as i386: emit R_386_PLT32 for branches to undefined function symbols.
* GNU ld x86: disallow copy relocations on protected data symbols. (I think canonical PLT entries on protected symbols have been disallowed.)
* GCC aarch64/arm/x86/...: allow direct access relocations on protected symbols in -fpic mode.
* GNU ld aarch64/x86: allow direct access relocations on protected data symbols in -shared mode.

I can understand that some GCC folks may like
-f[no-]direct-access-external-data. That doesn't matter: just ignore
-f[no-]direct-access-external-data (which gives the user a choice) and do the
rest.

3. All global function pointers, whose function bodies aren't
locally defined, must use GOT.

This should be the case for -fpie and -fpic.

For -fno-pic, some users may want direct access and I think the compiler should
give users a choice for compatibility.

clang -fno-pic -fdirect-access-external-data (in -fno-pic mode,
-fdirect-access-external-data is the default)does this perfectly. I know some
GCC folks may not like the idea that the option name does not talk about
function pointers.... That is unfortunate.

4. All read/write accesses to symbols, which aren't locally defined
must, use GOT.

Ditto.

5. Branches to undefined symbols may use PLT.

This has always been the case for most non-x86 architectures.
For x86-64, the 2018 R_X86_64_PLT32 switch made this true.

There is just a disagreement for R_386_PC32/R_386_PLT32 due to an ifunc
diagnostic (which I think is not a big deal). Since i386 is becoming
more and more irrelevant, this can be left unresolved. If you want to
switch to R_386_PLT32, that'd certainly be great news to me:)

GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION will be enforced
by assembler, linker and ld.so.

With the above, I think we won't break code without introducing a new
gnu property. It is just that GCC/GNU ld need to take some actions
which reflect traditional/non-x86 behaviors.

>>
>> >>
>> >> 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
>> >>
>> >> #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
>> >> #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
>> >>
>> >> A bit in the output pr_data field is set only if it is set in all
>> >> relocatable input pr_data fields. If all bits in the the output
>> >> pr_data field are zero, this property should be removed from output.
>> >>
>> >> If the bit is 1, all input relocatables have the feature. If the
>> >> bit is 0 or the property is missing, the info is unknown.
>> >>
>> >> 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
>> >>
>> >> #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
>> >> #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
>> >>
>> >> A bit in the output pr_data field is set if it is set in any
>> >> relocatable input pr_data fields. If all bits in the the output
>> >> pr_data field are zero, this property should be removed from output.
>> >>
>> >> If the bit is 1, some input relocatables have the feature. If the
>> >> bit is 0 or the property is missing, the info is unknown.
>> >>
>> >> The PDF is at
>> >>
>> >> https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
>> >>
>> >> --
>> >> H.J.
>> >
>> >Here is the binutils patch to implement it.
>> >
>> >--
>> >H.J.
>>
>> Hi, H.J.
>>
>> Thank you for CCing llvm-dev:) In the past various GNU ABI proposals
>> went unnoticed by LLVM folks who don't happen to subscribe to GNU lists.
>> (A lot! I personally subscribe to some lists and check the discussion
>> just in case I miss something important:) )
>>
>> I have researched a bit and observed that the following GNU_PROPERTY
>> values are currently used by compilers/linkers:
>>
>> Bitwise OR for relocatable links. Bitwise AND for executable/shared
>> object links.
>>
>> * GNU_PROPERTY_X86_FEATURE_1_AND = GNU_PROPERTY_X86_UINT32_AND_LO + 0,
>> * used by Intel Indirect branch tracking and Shadow Stack
>> * GNU_PROPERTY_AARCH64_FEATURE_1_AND, used by AArch64 Branch Target
>> * Identification and Pointer Authentication
>>
>> Bitwise OR for all links.
>>
>> * GNU_PROPERTY_X86_ISA_1_NEEDED = GNU_PROPERTY_X86_UINT32_OR_LO + 2,
>> * used by GCC -mneeded (for -march=x86-64-v[234])
>>
>> There appear to be another type of AND/OR bits which are not defined in
>> ABIs (AFAICT):
>>
>> * GNU_PROPERTY_X86_ISA_1_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO + 2
>> * GNU_PROPERTY_X86_FEATURE_2_USED = GNU_PROPERTY_X86_UINT32_OR_AND_LO +
>> * 1
>
>I have no use for these operations for generic targets.
>
>>
>> I think generalizing the AND/OR idea to all architectures probably
>> requires us to think about these questions:
>>
>> * What's the impending usage of the generic AND/OR ranges? ifunc? :slight_smile:
>
>I'd like to add GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION:
>
>https://groups.google.com/g/x86-64-abi/c/DRvKxJ1AH3Q
>
>> * Does the concept generalize well to other architectures? If we
>
>It should work for GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION.
>
>> * consider AArch64/x86 FEATURE_1_AND to be the same thing, the current
>> * usage is purely x86 specific.
>> * Is AND/OR encoding expressive enough to represent the required states?
>
>For GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION, yes.
>
>> * I've asked two folks and they expressed concerns. I think the three
>> * AND/OR usage above speak for themselves.
>> * Szabolcs Nagy mentioned that GNU_PROPERTY is an OS-specific mechanism
>> * (GNU), but the features are oftentimes arch specific which make sense
>> * to other OSes or bare-metal.
>> * Szabolcs: Do we need any versioning mechanism?
>>
>> The feature selection and compatibility checking mechanism has some
>> overlap with GNU/arch-specific attributes (e.g .ARM.attributes,
>> .riscv.attributes). If I understand correctly, GNU_PROPERTY has an
>> associated program header so it can be checked by loaders
>> (kernel/ld.so/emulator) while Attributes don't have program headers so
>> they are largely assembler/linker protocols. In an inflexible way that
>> such feature bits can affect observable states to loaders as well, e.g.
>> .ARM.attributes can affect e_flags (soft/hard float). .MIPS.abiflags
>> has an associated program header PT_MIPS_ABIFLAGS (I know nearly nothing
>> about mips) Some thoughts from mips folks would be useful.
>>
>> Last, I think a feature selection and compatibility checking mechanism
>> is assuredly useful, but whether the current AND/OR scheme can perfectly
>> satisfy that goal I am unsure. Having the proposal is a very good start,
>> though:) Thanks a lot for driving the discussion:)
>
>My current ultimate goal is GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION
>with a compiler option, -fsingle-global-definition:
>
>1. All accesses to protected definitions are local access.
>2. In executable, all accesses to defined symbols are local access.

For other folks,
I think
Copy relocations, canonical PLT entries and protected visibility | MaskRay
has summarized the current toolchain state and answered these questions.

clang always emits local access for protected definitions so there
should be no change.
gcc does use GOT for protected data symbols but the scheme only works on
i386 and x86-64.
(arm and aarch64 have glibc support bot no binutils support IIUC).
ld.lld always errors for copy relocations on protected data, and it will
continue doing so, like gold (19823 – gold produces copy reloc of protected symbols)

So on the clang side, there is no needed change.

On the GCC side, switching to local access for protected data symbols
technically changes the behavior for i386 and x86-64 and might be considered an
ABI change. But I'd argue that that does not matter because of three reasons:

* clang i386 and x86-64 always emits local access for protected definitions
* protected data+copy relocations never work on non-x86. (glibc has support for arm/aarch64 but binutils doesn't support it)
* gold never supports protected data+copy relocations, even for x86 (19823 – gold produces copy reloc of protected symbols)

So if there is breakage (if any..), it must be x86 specific code using
protected definitions, only built with gcc, not caring about traditional
behavior (<~2015 or 2016), never supporting non-x86 architectures, only
linkable with GNU ld (not gold), never supporting libc other than glibc.

OK, I cannot even imagine who is doing this:)

My blog post has mentioned what'd be great if gcc does:

* GCC: add -f[no-]direct-access-external-data.
* GCC: drop HAVE_LD_PIE_COPYRELOC in favor of -f[no-]direct-access-external-data.
* GCC x86-64: default to GOT indirection for external data symbols in -fpie mode.
* GCC or GNU as i386: emit R_386_PLT32 for branches to undefined function symbols.
* GNU ld x86: disallow copy relocations on protected data symbols. (I think canonical PLT entries on protected symbols have been disallowed.)
* GCC aarch64/arm/x86/...: allow direct access relocations on protected symbols in -fpic mode.
* GNU ld aarch64/x86: allow direct access relocations on protected data symbols in -shared mode.

I can understand that some GCC folks may like
-f[no-]direct-access-external-data. That doesn't matter: just ignore
-f[no-]direct-access-external-data (which gives the user a choice) and do the
rest.

>3. All global function pointers, whose function bodies aren't
>locally defined, must use GOT.

This should be the case for -fpie and -fpic.

For -fno-pic, some users may want direct access and I think the compiler should
give users a choice for compatibility.

clang -fno-pic -fdirect-access-external-data (in -fno-pic mode,
-fdirect-access-external-data is the default)does this perfectly. I know some
GCC folks may not like the idea that the option name does not talk about
function pointers.... That is unfortunate.

>4. All read/write accesses to symbols, which aren't locally defined
>must, use GOT.

Ditto.

>5. Branches to undefined symbols may use PLT.

This has always been the case for most non-x86 architectures.
For x86-64, the 2018 R_X86_64_PLT32 switch made this true.

There is just a disagreement for R_386_PC32/R_386_PLT32 due to an ifunc
diagnostic (which I think is not a big deal). Since i386 is becoming
more and more irrelevant, this can be left unresolved. If you want to
switch to R_386_PLT32, that'd certainly be great news to me:)

>GNU_PROPERTY_SINGLE_GLOBAL_DEFINITION will be enforced
>by assembler, linker and ld.so.

With the above, I think we won't break code without introducing a new
gnu property. It is just that GCC/GNU ld need to take some actions
which reflect traditional/non-x86 behaviors.

There are special codes in ld.so to handle STV_PROTECTED:

commit 62da1e3b00b51383ffa7efc89d8addda0502e107
Author: H.J. Lu <hjl.tools@gmail.com>

If there are no objections, I will check it in tomorrow.

>
> 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
>
> #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
> #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
>
> A bit in the output pr_data field is set only if it is set in all
> relocatable input pr_data fields. If all bits in the the output
> pr_data field are zero, this property should be removed from output.
>
> If the bit is 1, all input relocatables have the feature. If the
> bit is 0 or the property is missing, the info is unknown.

How to use AND in practice?
Are you going to add .note.gnu.property to all of crt1.o crti.o
crtbegin.o crtend.o crtn.o and miscellaneous libc_nonshared.a object
files written in assembly?

> 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
>
> #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
> #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
>
> A bit in the output pr_data field is set if it is set in any
> relocatable input pr_data fields. If all bits in the the output
> pr_data field are zero, this property should be removed from output.
>
> If the bit is 1, some input relocatables have the feature. If the
> bit is 0 or the property is missing, the info is unknown.
>
> The PDF is at
>
> https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
>
> --
> H.J.

Here is the binutils patch to implement it.

If there are no objections, I will check it in tomorrow.

If the use case is just ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA, it'd be
very kind of you if you can collect more use cases before generalizing
this into a non-arch-specific GNU PROPERTY.

The "copy relocations on protected data symbols" thing is x86 specific
and only applies with gcc+GNU ld+glibc.
Non-x86 architectures don't have this thing.
gold doesn't have this thing.
clang doesn't have this thing.

It will be used to remove copy relocation and implement canonical function
pointers, which will benefit protected data and function.

The action items in

can be applied without a GNU PROPERTY.

If we want to enforce the link-time check that a shared object is no longer
compatible with copy relocations, just make the shared object's non-weak
definitions protected, and add a GNU ld diagnostic like gold
(19823 – gold produces copy reloc of protected symbols)

>
> >
> > >>
> > >> >
> > >> > 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
> > >> >
> > >> > #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
> > >> > #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
> > >> >
> > >> > A bit in the output pr_data field is set only if it is set in all
> > >> > relocatable input pr_data fields. If all bits in the the output
> > >> > pr_data field are zero, this property should be removed from output.
> > >> >
> > >> > If the bit is 1, all input relocatables have the feature. If the
> > >> > bit is 0 or the property is missing, the info is unknown.
> >
> > How to use AND in practice?
> > Are you going to add .note.gnu.property to all of crt1.o crti.o
> > crtbegin.o crtend.o crtn.o and miscellaneous libc_nonshared.a object
> > files written in assembly?
> >
> > >> > 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
> > >> >
> > >> > #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
> > >> > #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
> > >> >
> > >> > A bit in the output pr_data field is set if it is set in any
> > >> > relocatable input pr_data fields. If all bits in the the output
> > >> > pr_data field are zero, this property should be removed from output.
> > >> >
> > >> > If the bit is 1, some input relocatables have the feature. If the
> > >> > bit is 0 or the property is missing, the info is unknown.
> > >> >
> > >> > The PDF is at
> > >> >
> > >> > https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
> > >> >
> > >> > --
> > >> > H.J.
> > >>
> > >> Here is the binutils patch to implement it.
> > >>
> > >
> > >If there are no objections, I will check it in tomorrow.
> >
> > If the use case is just ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA, it'd be
> > very kind of you if you can collect more use cases before generalizing
> > this into a non-arch-specific GNU PROPERTY.
> >
> > The "copy relocations on protected data symbols" thing is x86 specific
> > and only applies with gcc+GNU ld+glibc.
> > Non-x86 architectures don't have this thing.
> > gold doesn't have this thing.
> > clang doesn't have this thing.
>
> It will be used to remove copy relocation and implement canonical function
> pointers, which will benefit protected data and function.

The action items in
Remove copy relocation and optimize locally defined symbol access (#8) · Issues · x86 psABIs / x86-64 psABI · GitLab
can be applied without a GNU PROPERTY.

If we want to enforce the link-time check that a shared object is no longer
compatible with copy relocations, just make the shared object's non-weak
definitions protected, and add a GNU ld diagnostic like gold
(19823 – gold produces copy reloc of protected symbols)

---

For functions,

On x86-64, gcc -fpic has been using leaq addr()(%rip), %rax since at least
4.1.2 (oldest gcc I can find on godbolt):

  __attribute__((visibility("protected")))
  void *addr() { return (void*)addr; }

  // a protected non-definition declaration is the same.

  // while asm(".protected addr") can use GOT, it is super rare if ever exists
  // outside glibc elf/vis*.c

I have checked all of binutils 2.11, 2.16, 2.20, 2.24, 2.35. The have
the same diagnostic:

  relocation R_X86_64_PC32 against protected function `addr' can not
be used when making a shared object

I think we can assert that taking the address of a protected function
never works with GNU ld.
So no compatibility concern.
Fixing it ([PATCH] x86-64: Allow direct access relocations referencing a protected symbol for -shared)
doesn't need any GNU PROPERTY.

---

For variables, if an object file/archive member does not have GNU PROPERTY, do
you consider it incompatible with "single global definition"? That is why I
mentioned crt1.o crti.o crtbegin.o crtend.o crtn.o and libc_nonshared.a members
written in assembly.

If you consider such an object compatible with "single global definition", I
don't see why a GNU PROPERTY is needed.

If you consider such an object incompatible with "single global definition", I
don't see how "single global definition" benefits can be claimed giving so many
prebuilt object files without GNU PROPERTY.

Please see the slides in

which includes

Dynamic Linker for Single Global Definition
• Check the single global definition marker on all components, the executable
and its dependency shared libraries.
• Issue an error/warning if the marker is not consistent on all components.
• Disallow copy relocation against definition in the shared library with the
marker.
• For systems without function descriptor:
• Disallow function pointer reference in executable without the marker to the
definition with the STV_PROTECTED visibility in a shared library with
the marker.
• Use the address of the function body as function pointer on functions with the
STV_PROTECTED visibility, which are defined in shared libraries with the marker.

This provides the capability to detect the ABI change at run-time as well as
optimize for STV_PROTECTED symbol lookup.

My linker implementation is at

I will implement the dynamic linker change.

If we still want "absolutely no copy relocation for -fno-pic", just use GOT for
default visibility external data access
(98112 – Add -f[no-]direct-access-external-data & drop HAVE_LD_PIE_COPYRELOC)
Some architectures may not like it (i386/ppc32), just leave them behind.
Modern architectures can do it. When things get matured, add a ld warning,
then add a ld.so warning. When things get more matured, change the warnings to
errors.

Such changes should use a mechanism similar to glibc LD_DYNAMIC_WEAK (weak can
preempt global) and Solaris LD_BREADTH (breadth-first order based dependency
order) and LD_NODIRECT (direct bindings). At some point, introduce a behavior
change. I don't think how an explicit marker can improve the compatibility
story. The conceived compatibility issues likely don't really exist for

The compatibility issue does exist. Please see the linker tests I added.

functions. For copy relocations, I think we may need to wait an extended period
of time.

That is what the single global definition marker is used for.

>
> >
> > >>
> > >> >
> > >> > 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
> > >> >
> > >> > #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
> > >> > #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
> > >> >
> > >> > A bit in the output pr_data field is set only if it is set in all
> > >> > relocatable input pr_data fields. If all bits in the the output
> > >> > pr_data field are zero, this property should be removed from output.
> > >> >
> > >> > If the bit is 1, all input relocatables have the feature. If the
> > >> > bit is 0 or the property is missing, the info is unknown.
> >
> > How to use AND in practice?
> > Are you going to add .note.gnu.property to all of crt1.o crti.o
> > crtbegin.o crtend.o crtn.o and miscellaneous libc_nonshared.a object
> > files written in assembly?
> >
> > >> > 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
> > >> >
> > >> > #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
> > >> > #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
> > >> >
> > >> > A bit in the output pr_data field is set if it is set in any
> > >> > relocatable input pr_data fields. If all bits in the the output
> > >> > pr_data field are zero, this property should be removed from output.
> > >> >
> > >> > If the bit is 1, some input relocatables have the feature. If the
> > >> > bit is 0 or the property is missing, the info is unknown.
> > >> >
> > >> > The PDF is at
> > >> >
> > >> > https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
> > >> >
> > >> > --
> > >> > H.J.
> > >>
> > >> Here is the binutils patch to implement it.
> > >>
> > >
> > >If there are no objections, I will check it in tomorrow.
> >
> > If the use case is just ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA, it'd be
> > very kind of you if you can collect more use cases before generalizing
> > this into a non-arch-specific GNU PROPERTY.
> >
> > The "copy relocations on protected data symbols" thing is x86 specific
> > and only applies with gcc+GNU ld+glibc.
> > Non-x86 architectures don't have this thing.
> > gold doesn't have this thing.
> > clang doesn't have this thing.
>
> It will be used to remove copy relocation and implement canonical function
> pointers, which will benefit protected data and function.

The action items in
Remove copy relocation and optimize locally defined symbol access (#8) · Issues · x86 psABIs / x86-64 psABI · GitLab
can be applied without a GNU PROPERTY.

If we want to enforce the link-time check that a shared object is no longer
compatible with copy relocations, just make the shared object's non-weak
definitions protected, and add a GNU ld diagnostic like gold
(19823 – gold produces copy reloc of protected symbols)

---

For functions,

On x86-64, gcc -fpic has been using leaq addr()(%rip), %rax since at least
4.1.2 (oldest gcc I can find on godbolt):

  __attribute__((visibility("protected")))
  void *addr() { return (void*)addr; }

  // a protected non-definition declaration is the same.

  // while asm(".protected addr") can use GOT, it is super rare if ever exists
  // outside glibc elf/vis*.c

I have checked all of binutils 2.11, 2.16, 2.20, 2.24, 2.35. The have
the same diagnostic:

  relocation R_X86_64_PC32 against protected function `addr' can not
be used when making a shared object

I think we can assert that taking the address of a protected function
never works with GNU ld.
So no compatibility concern.
Fixing it ([PATCH] x86-64: Allow direct access relocations referencing a protected symbol for -shared)
doesn't need any GNU PROPERTY.

---

For variables, if an object file/archive member does not have GNU PROPERTY, do
you consider it incompatible with "single global definition"? That is why I
mentioned crt1.o crti.o crtbegin.o crtend.o crtn.o and libc_nonshared.a members
written in assembly.

If you consider such an object compatible with "single global definition", I
don't see why a GNU PROPERTY is needed.

If you consider such an object incompatible with "single global definition", I
don't see how "single global definition" benefits can be claimed giving so many
prebuilt object files without GNU PROPERTY.

Please see the slides in

Remove copy relocation and optimize locally defined symbol access (#8) · Issues · x86 psABIs / x86-64 psABI · GitLab

which includes

Dynamic Linker for Single Global Definition
• Check the single global definition marker on all components, the executable
and its dependency shared libraries.
• Issue an error/warning if the marker is not consistent on all components.

This is not appealing from a compatibility point of view.
It is common that a system has mixed shared objects:

-fsingle-global-definition => a.so (marker value 1)
no -fsingle-global-definition => b.so (marker value 0 or no marker)

Issuing a warning will be annoying.

If glibc x86 wants to deprecate copy relocations support,
just fix the compilers(*)/GNU ld. -fno-pic dynamically linked executables are
becoming rarer on modern Linux distributions,
When the toolchain support is sufficiently mature (e.g. ld has warned/errored),
add an opt-opt `LD_` style environment variable and let glibc ld.so warn, then gradually
make it an error.

* I can fix Clang -fno-pic at any time. I haven't done that just to be compatible with gcc -fno-pic.

• Disallow copy relocation against definition in the shared library with the
marker.
• For systems without function descriptor:

• Disallow function pointer reference in executable without the marker to the
definition with the STV_PROTECTED visibility in a shared library with
the marker.
• Use the address of the function body as function pointer on functions with the
STV_PROTECTED visibility, which are defined in shared libraries with the marker.

I have provided the solutions in my previous message.

This provides the capability to detect the ABI change at run-time as well as
optimize for STV_PROTECTED symbol lookup.

STV_PROTECTED symbols should not need a compiler option or a GNU PROPERTY to work (efficiently).

As my previous message mentioned (gcc 4.1.2~now; GNU ld 2.11~now),
protected function addresses in a shared object likely never work, at
least for the past 20 years.

For protected data, x86 copy relocations did not work prior to circa 2015.
It never works on non-x86, gold, clang, or non-glibc.
And I doubt any project uses protected data given that its sole purpose is for
optimization while GCC 5 added unneeded indirection.

Ulrich Drepper did add elf/vis* tests into glibc in 2000, but they use
artificial inline asm .protected which does not reflect any reality.

GNU ld -shared for a protected symbol

* x86-64: broken direct access relocation, unneeded GLOB_DAT
* aarch64: broken direct access relocation, unneeded GLOB_DAT
* arm: unneeded GLOB_DAT for STT_OBJECT
* ppc32: unneeded GLOB_DAT for STT_OBJECT
* ppc64le: good, no GLOB_DAT
* mips64el: good, no GLOB_DAT
* riscv64: good, no GLOB_DAT

Perhaps for binutils in 2000, more ports had unneeded dynamic relocations which
made the elf/vis* tests more plausible. But the fragile support (acked by
multiple glibc maintainers, including Adhemerval/Carlos/Szabolcs) is definitely
largely irrelevant nowadays.

My linker implementation is at

Files · users/hjl/property/master · x86 binutils / binutils-gdb · GitLab

I will implement the dynamic linker change.

If we still want "absolutely no copy relocation for -fno-pic", just use GOT for
default visibility external data access
(98112 – Add -f[no-]direct-access-external-data & drop HAVE_LD_PIE_COPYRELOC)
Some architectures may not like it (i386/ppc32), just leave them behind.
Modern architectures can do it. When things get matured, add a ld warning,
then add a ld.so warning. When things get more matured, change the warnings to
errors.

Such changes should use a mechanism similar to glibc LD_DYNAMIC_WEAK (weak can
preempt global) and Solaris LD_BREADTH (breadth-first order based dependency
order) and LD_NODIRECT (direct bindings). At some point, introduce a behavior
change. I don't think how an explicit marker can improve the compatibility
story. The conceived compatibility issues likely don't really exist for

The compatibility issue does exist. Please see the linker tests I added.

ld-x86-64/protecte-func-* are artificial assembly which do not match the reality.
They are cases where never work or aren't really promised to work before.

functions. For copy relocations, I think we may need to wait an extended period
of time.

That is what the single global definition marker is used for.

See my first paragraph why a GNU PROPERTY may not be a good compatibility solution.

I updated my proposal to

Dynamic Linker for Single Global Definition
• Check the single global definition marker on all components, the executable
and its dependency shared libraries.
• Disallow copy relocation against definition with the STV_PROTECTED
visibility in the shared library with the marker.
• For systems without function descriptor:
• Disallow non-GOT function pointer reference in executable without
the marker to the
definition with the STV_PROTECTED visibility in a shared library with
the marker.
• Use the address of the function body as function pointer on functions with the
STV_PROTECTED visibility, which are defined in shared libraries with the marker.

>
> >>
> >> >
> >> > >
> >> > > >>
> >> > > >> >
> >> > > >> > 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
> >> > > >> >
> >> > > >> > #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
> >> > > >> > #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
> >> > > >> >
> >> > > >> > A bit in the output pr_data field is set only if it is set in all
> >> > > >> > relocatable input pr_data fields. If all bits in the the output
> >> > > >> > pr_data field are zero, this property should be removed from output.
> >> > > >> >
> >> > > >> > If the bit is 1, all input relocatables have the feature. If the
> >> > > >> > bit is 0 or the property is missing, the info is unknown.
> >> > >
> >> > > How to use AND in practice?
> >> > > Are you going to add .note.gnu.property to all of crt1.o crti.o
> >> > > crtbegin.o crtend.o crtn.o and miscellaneous libc_nonshared.a object
> >> > > files written in assembly?
> >> > >
> >> > > >> > 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
> >> > > >> >
> >> > > >> > #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
> >> > > >> > #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
> >> > > >> >
> >> > > >> > A bit in the output pr_data field is set if it is set in any
> >> > > >> > relocatable input pr_data fields. If all bits in the the output
> >> > > >> > pr_data field are zero, this property should be removed from output.
> >> > > >> >
> >> > > >> > If the bit is 1, some input relocatables have the feature. If the
> >> > > >> > bit is 0 or the property is missing, the info is unknown.
> >> > > >> >
> >> > > >> > The PDF is at
> >> > > >> >
> >> > > >> > https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
> >> > > >> >
> >> > > >> > --
> >> > > >> > H.J.
> >> > > >>
> >> > > >> Here is the binutils patch to implement it.
> >> > > >>
> >> > > >
> >> > > >If there are no objections, I will check it in tomorrow.
> >> > >
> >> > > If the use case is just ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA, it'd be
> >> > > very kind of you if you can collect more use cases before generalizing
> >> > > this into a non-arch-specific GNU PROPERTY.
> >> > >
> >> > > The "copy relocations on protected data symbols" thing is x86 specific
> >> > > and only applies with gcc+GNU ld+glibc.
> >> > > Non-x86 architectures don't have this thing.
> >> > > gold doesn't have this thing.
> >> > > clang doesn't have this thing.
> >> >
> >> > It will be used to remove copy relocation and implement canonical function
> >> > pointers, which will benefit protected data and function.
> >>
> >> The action items in
> >> Remove copy relocation and optimize locally defined symbol access (#8) · Issues · x86 psABIs / x86-64 psABI · GitLab
> >> can be applied without a GNU PROPERTY.
> >>
> >> If we want to enforce the link-time check that a shared object is no longer
> >> compatible with copy relocations, just make the shared object's non-weak
> >> definitions protected, and add a GNU ld diagnostic like gold
> >> (19823 – gold produces copy reloc of protected symbols)
> >>
> >> ---
> >>
> >> For functions,
> >>
> >> On x86-64, gcc -fpic has been using leaq addr()(%rip), %rax since at least
> >> 4.1.2 (oldest gcc I can find on godbolt):
> >>
> >> __attribute__((visibility("protected")))
> >> void *addr() { return (void*)addr; }
> >>
> >> // a protected non-definition declaration is the same.
> >>
> >> // while asm(".protected addr") can use GOT, it is super rare if ever exists
> >> // outside glibc elf/vis*.c
> >>
> >> I have checked all of binutils 2.11, 2.16, 2.20, 2.24, 2.35. The have
> >> the same diagnostic:
> >>
> >> relocation R_X86_64_PC32 against protected function `addr' can not
> >> be used when making a shared object
> >>
> >> I think we can assert that taking the address of a protected function
> >> never works with GNU ld.
> >> So no compatibility concern.
> >> Fixing it ([PATCH] x86-64: Allow direct access relocations referencing a protected symbol for -shared)
> >> doesn't need any GNU PROPERTY.
> >>
> >> ---
> >>
> >> For variables, if an object file/archive member does not have GNU PROPERTY, do
> >> you consider it incompatible with "single global definition"? That is why I
> >> mentioned crt1.o crti.o crtbegin.o crtend.o crtn.o and libc_nonshared.a members
> >> written in assembly.
> >>
> >> If you consider such an object compatible with "single global definition", I
> >> don't see why a GNU PROPERTY is needed.
> >>
> >> If you consider such an object incompatible with "single global definition", I
> >> don't see how "single global definition" benefits can be claimed giving so many
> >> prebuilt object files without GNU PROPERTY.
> >
> >Please see the slides in
> >
> >Remove copy relocation and optimize locally defined symbol access (#8) · Issues · x86 psABIs / x86-64 psABI · GitLab
> >
> >which includes
> >
> >Dynamic Linker for Single Global Definition
> >• Check the single global definition marker on all components, the executable
> >and its dependency shared libraries.
> >• Issue an error/warning if the marker is not consistent on all components.
>
> This is not appealing from a compatibility point of view.
> It is common that a system has mixed shared objects:
>
> -fsingle-global-definition => a.so (marker value 1)
> no -fsingle-global-definition => b.so (marker value 0 or no marker)
> Issuing a warning will be annoying.
>

I updated my proposal to

Dynamic Linker for Single Global Definition
• Check the single global definition marker on all components, the executable
and its dependency shared libraries.

I find that I forgot (in so many of my previous messages) to mention
that the name "single global definition" may give a false impression.
For example, a dynamic STV_DEFAULT STB_WEAK/STB_GLOBAL symbol defined
in a shared object can still be interposed.

• Disallow copy relocation against definition with the STV_PROTECTED
visibility in the shared library with the marker.

If this is for GNU ld x86 only, I'm fine with it:)

gold and ld.lld just emit an error unconditionally. I think non-x86
GNU ld ports which never support "copy relocations on protected data
symbols" may want to make the diagnostic unconditional as well.
Well, while (Michael Matz and ) I think compatibility check for "copy
relocations on protected data symbols" is over-engineering (and
Alan/Cary think it was a mistake), if you still want to add it, it is
fine for me...
For Clang, I hope we will not emit such a property, because Clang
never supports the "copy relocations on protected data symbols"
scheme.

• For systems without function descriptor:
• Disallow non-GOT function pointer reference in executable without
the marker to the
definition with the STV_PROTECTED visibility in a shared library with
the marker.

I think this can be unconditional, because the "pointer equality for
STV_PROTECTED function address in -shared" case hasn't been working
for GNU ld for at least 20 years...
Many ports don't even produce a dynamic relocation.
I don't mind if you add it just for symmetry, but it just feels unneeded.

>
> >
> > >>
> > >> >
> > >> > >
> > >> > > >>
> > >> > > >> >
> > >> > > >> > 1. GNU_PROPERTY_UINT32_AND_LO..GNU_PROPERTY_UINT32_AND_HI
> > >> > > >> >
> > >> > > >> > #define GNU_PROPERTY_UINT32_AND_LO 0xb0000000
> > >> > > >> > #define GNU_PROPERTY_UINT32_AND_HI 0xb0007fff
> > >> > > >> >
> > >> > > >> > A bit in the output pr_data field is set only if it is set in all
> > >> > > >> > relocatable input pr_data fields. If all bits in the the output
> > >> > > >> > pr_data field are zero, this property should be removed from output.
> > >> > > >> >
> > >> > > >> > If the bit is 1, all input relocatables have the feature. If the
> > >> > > >> > bit is 0 or the property is missing, the info is unknown.
> > >> > >
> > >> > > How to use AND in practice?
> > >> > > Are you going to add .note.gnu.property to all of crt1.o crti.o
> > >> > > crtbegin.o crtend.o crtn.o and miscellaneous libc_nonshared.a object
> > >> > > files written in assembly?
> > >> > >
> > >> > > >> > 2. GNU_PROPERTY_UINT32_OR_LO..GNU_PROPERTY_UINT32_OR_HI
> > >> > > >> >
> > >> > > >> > #define GNU_PROPERTY_UINT32_OR_LO 0xb0008000
> > >> > > >> > #define GNU_PROPERTY_UINT32_OR_HI 0xb000ffff
> > >> > > >> >
> > >> > > >> > A bit in the output pr_data field is set if it is set in any
> > >> > > >> > relocatable input pr_data fields. If all bits in the the output
> > >> > > >> > pr_data field are zero, this property should be removed from output.
> > >> > > >> >
> > >> > > >> > If the bit is 1, some input relocatables have the feature. If the
> > >> > > >> > bit is 0 or the property is missing, the info is unknown.
> > >> > > >> >
> > >> > > >> > The PDF is at
> > >> > > >> >
> > >> > > >> > https://gitlab.com/x86-psABIs/Linux-ABI/-/wikis/uploads/0690db0a3b7e5d8a44e0271a4be54aa7/linux-gABI-and-or-2021-01-13.pdf
> > >> > > >> >
> > >> > > >> > --
> > >> > > >> > H.J.
> > >> > > >>
> > >> > > >> Here is the binutils patch to implement it.
> > >> > > >>
> > >> > > >
> > >> > > >If there are no objections, I will check it in tomorrow.
> > >> > >
> > >> > > If the use case is just ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA, it'd be
> > >> > > very kind of you if you can collect more use cases before generalizing
> > >> > > this into a non-arch-specific GNU PROPERTY.
> > >> > >
> > >> > > The "copy relocations on protected data symbols" thing is x86 specific
> > >> > > and only applies with gcc+GNU ld+glibc.
> > >> > > Non-x86 architectures don't have this thing.
> > >> > > gold doesn't have this thing.
> > >> > > clang doesn't have this thing.
> > >> >
> > >> > It will be used to remove copy relocation and implement canonical function
> > >> > pointers, which will benefit protected data and function.
> > >>
> > >> The action items in
> > >> Remove copy relocation and optimize locally defined symbol access (#8) · Issues · x86 psABIs / x86-64 psABI · GitLab
> > >> can be applied without a GNU PROPERTY.
> > >>
> > >> If we want to enforce the link-time check that a shared object is no longer
> > >> compatible with copy relocations, just make the shared object's non-weak
> > >> definitions protected, and add a GNU ld diagnostic like gold
> > >> (19823 – gold produces copy reloc of protected symbols)
> > >>
> > >> ---
> > >>
> > >> For functions,
> > >>
> > >> On x86-64, gcc -fpic has been using leaq addr()(%rip), %rax since at least
> > >> 4.1.2 (oldest gcc I can find on godbolt):
> > >>
> > >> __attribute__((visibility("protected")))
> > >> void *addr() { return (void*)addr; }
> > >>
> > >> // a protected non-definition declaration is the same.
> > >>
> > >> // while asm(".protected addr") can use GOT, it is super rare if ever exists
> > >> // outside glibc elf/vis*.c
> > >>
> > >> I have checked all of binutils 2.11, 2.16, 2.20, 2.24, 2.35. The have
> > >> the same diagnostic:
> > >>
> > >> relocation R_X86_64_PC32 against protected function `addr' can not
> > >> be used when making a shared object
> > >>
> > >> I think we can assert that taking the address of a protected function
> > >> never works with GNU ld.
> > >> So no compatibility concern.
> > >> Fixing it ([PATCH] x86-64: Allow direct access relocations referencing a protected symbol for -shared)
> > >> doesn't need any GNU PROPERTY.
> > >>
> > >> ---
> > >>
> > >> For variables, if an object file/archive member does not have GNU PROPERTY, do
> > >> you consider it incompatible with "single global definition"? That is why I
> > >> mentioned crt1.o crti.o crtbegin.o crtend.o crtn.o and libc_nonshared.a members
> > >> written in assembly.
> > >>
> > >> If you consider such an object compatible with "single global definition", I
> > >> don't see why a GNU PROPERTY is needed.
> > >>
> > >> If you consider such an object incompatible with "single global definition", I
> > >> don't see how "single global definition" benefits can be claimed giving so many
> > >> prebuilt object files without GNU PROPERTY.
> > >
> > >Please see the slides in
> > >
> > >Remove copy relocation and optimize locally defined symbol access (#8) · Issues · x86 psABIs / x86-64 psABI · GitLab
> > >
> > >which includes
> > >
> > >Dynamic Linker for Single Global Definition
> > >• Check the single global definition marker on all components, the executable
> > >and its dependency shared libraries.
> > >• Issue an error/warning if the marker is not consistent on all components.
> >
> > This is not appealing from a compatibility point of view.
> > It is common that a system has mixed shared objects:
> >
> > -fsingle-global-definition => a.so (marker value 1)
> > no -fsingle-global-definition => b.so (marker value 0 or no marker)
> > Issuing a warning will be annoying.
> >
>
> I updated my proposal to
>
> Dynamic Linker for Single Global Definition
> • Check the single global definition marker on all components, the executable
> and its dependency shared libraries.

I find that I forgot (in so many of my previous messages) to mention
that the name "single global definition" may give a false impression.
For example, a dynamic STV_DEFAULT STB_WEAK/STB_GLOBAL symbol defined
in a shared object can still be interposed.

> • Disallow copy relocation against definition with the STV_PROTECTED
> visibility in the shared library with the marker.

If this is for GNU ld x86 only, I'm fine with it:)

gold and ld.lld just emit an error unconditionally. I think non-x86
GNU ld ports which never support "copy relocations on protected data
symbols" may want to make the diagnostic unconditional as well.
Well, while (Michael Matz and ) I think compatibility check for "copy
relocations on protected data symbols" is over-engineering (and
Alan/Cary think it was a mistake), if you still want to add it, it is
fine for me...
For Clang, I hope we will not emit such a property, because Clang
never supports the "copy relocations on protected data symbols"
scheme.

The issue is that libfoo.so used in link-time can be different from
libfoo.so at run-time. The symbol, foobar, in libfoo.so at link-time
has the default visibility. But foobar in libfoo.so at run-time can be
protected. ld.so should detect such cases which can lead to run-time
failures.

> • For systems without function descriptor:
> • Disallow non-GOT function pointer reference in executable without
> the marker to the
> definition with the STV_PROTECTED visibility in a shared library with
> the marker.

I think this can be unconditional, because the "pointer equality for
STV_PROTECTED function address in -shared" case hasn't been working
for GNU ld for at least 20 years...
Many ports don't even produce a dynamic relocation.

True. But see above. You may not care about such use cases. But I believe
that ld.so should not knowingly and silently allow such run-time
failure to happen.

"single global definition" means that only one global definition will be used
at run-time. It doesn't mean that there are no multiple symbols with the same
name.

H.J.

Add GNU_PROPERTY_1_NEEDED:

#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO

to indicate the needed properties by the object file.

Add GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION:

#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)

to indicate that the object file requires canonical function pointers and
cannot be used with copy relocation.

The PDF file is at

Add GNU_PROPERTY_1_NEEDED:

#define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO

to indicate the needed properties by the object file.

I am fine with this logical OR style usage. But see below, do we need it
for ld.so runtime check?

(As I mentioned previously, I do not know how an AND-style property can
be used/deployed if old object files without the .note.gnu.property is
considered to have a value of 0.)

Add GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION:

#define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)

to indicate that the object file requires canonical function pointers and
cannot be used with copy relocation.

In [llvm-dev] RFC: Add GNU_PROPERTY_UINT32_AND_XXX/GNU_PROPERTY_UINT32_OR_XXX you gave
a rationale

"The issue is that libfoo.so used in link-time can be different from
  libfoo.so at run-time. The symbol, foobar, in libfoo.so at link-time
  has the default visibility. But foobar in libfoo.so at run-time can be
  protected. ld.so should detect such cases which can lead to run-time
  failures."

First, I think such dynamic symbol visibility change is uncommon.

Second, if ld.so finds that a symbol lookup for (st_value==0
st_shndx==SHN_UNDEF) will bind to a STV_PROTECTED definition in a shared
object, can the diagnostic be moved there?
The compatibility property is per-symbol and the symbol lookup is a
perfect place for a diagnostic, like a symbol versioning error.

I guess GCC folks may get noticed if you start a thread adding
-fsingle-global-definition, otherwise many people who have opinions may
just ignore threads about GNU PROPERTY addition.

>Add GNU_PROPERTY_1_NEEDED:
>
> #define GNU_PROPERTY_1_NEEDED GNU_PROPERTY_UINT32_OR_LO
>
>to indicate the needed properties by the object file.
>

I am fine with this logical OR style usage. But see below, do we need it
for ld.so runtime check?

I implemented run-time check on users/hjl/single-global/master branch:

https://gitlab.com/x86-glibc/glibc/-/commits/users/hjl/single-global/master

with tests:

[hjl@gnu-cfl-2 build-x86_64-linux]$ elf/tst-protected1a
copy relocation against non-copyable protected symbol=protected1 in
file=/export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/elf/tst-protected1moda.so
[hjl@gnu-cfl-2 build-x86_64-linux]$ elf/tst-protected2a
`protected1' in main and moda doesn't have the same address
non-canonical reference to canonical protected function
symbol=protected1 in
file=/export/build/gnu/tools-build/glibc-cet-gitlab/build-x86_64-linux/elf/tst-protected2moda.so
[hjl@gnu-cfl-2 build-x86_64-linux]$

I prefer these over random run-time failures.

(As I mentioned previously, I do not know how an AND-style property can
be used/deployed if old object files without the .note.gnu.property is
considered to have a value of 0.)

>Add GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION:
>
> #define GNU_PROPERTY_1_NEEDED_SINGLE_GLOBAL_DEFINITION (1U << 0)
>
>to indicate that the object file requires canonical function pointers and
>cannot be used with copy relocation.

In [llvm-dev] RFC: Add GNU_PROPERTY_UINT32_AND_XXX/GNU_PROPERTY_UINT32_OR_XXX you gave
a rationale

"The issue is that libfoo.so used in link-time can be different from
  libfoo.so at run-time. The symbol, foobar, in libfoo.so at link-time
  has the default visibility. But foobar in libfoo.so at run-time can be
  protected. ld.so should detect such cases which can lead to run-time
  failures."

First, I think such dynamic symbol visibility change is uncommon.

I can imagine that some libraries want to switch to protected symbols.

Second, if ld.so finds that a symbol lookup for (st_value==0
st_shndx==SHN_UNDEF) will bind to a STV_PROTECTED definition in a shared
object, can the diagnostic be moved there?
The compatibility property is per-symbol and the symbol lookup is a
perfect place for a diagnostic, like a symbol versioning error.

I guess GCC folks may get noticed if you start a thread adding
-fsingle-global-definition, otherwise many people who have opinions may
just ignore threads about GNU PROPERTY addition.

Binutils changes are at

GCC changes are next.

Hello,

> > • Disallow copy relocation against definition with the STV_PROTECTED
> > visibility in the shared library with the marker.
>
> If this is for GNU ld x86 only, I'm fine with it:)
>
> gold and ld.lld just emit an error unconditionally. I think non-x86
> GNU ld ports which never support "copy relocations on protected data
> symbols" may want to make the diagnostic unconditional as well.
> Well, while (Michael Matz and ) I think compatibility check for "copy
> relocations on protected data symbols" is over-engineering (and
> Alan/Cary think it was a mistake), if you still want to add it, it is
> fine for me...
> For Clang, I hope we will not emit such a property, because Clang
> never supports the "copy relocations on protected data symbols"
> scheme.

The issue is that libfoo.so used in link-time can be different from
libfoo.so at run-time. The symbol, foobar, in libfoo.so at link-time
has the default visibility. But foobar in libfoo.so at run-time can be
protected. ld.so should detect such cases which can lead to run-time
failures.

Yes, but I think we can _unconditionally_ give an error in this case, even
without a marker. I view restricting visiblity of a symbol in furture
versions of shared libraries to be an ABI change, hence it has to be
something that either requires a soname bump or at the very least symbol
versioning with the old version staying on default visibility.

Compare the situation to one where the old libfoo.so provided a symbol
bar, and the new one doesn't (sort of very restricted visiblity). ld.so
will unconditionally give an error. I don't see this situation materially
different from bar's visibility be changed from default to protected.

> I think this can be unconditional, because the "pointer equality for
> STV_PROTECTED function address in -shared" case hasn't been working
> for GNU ld for at least 20 years... Many ports don't even produce a
> dynamic relocation.

True. But see above. You may not care about such use cases. But I
believe that ld.so should not knowingly and silently allow such run-time
failure to happen.

Agreed, but giving an error message unconditionally wouldn't be silent.

Ciao,
Michael.