-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tracking Issue for the C-cmse-nonsecure-call ABI #81391
Comments
What's the name of the actual underlying calling convention? Is it AAPCS? I think the extern name should contain it too somehow. |
It will use the C convention ultimately, the current implementation maps it to I think restricting it to only ever use the C ABI is not a bad thing: this is used to switch to functions that are defined in other executable files that could have been written in any programming language. |
Well, what I really want is for the underlying ABI to be explicit in the ABI string, whatever it is, so that it is more obvious that a transmute as given in the example above is… valid. It would also, as you mention, enable us to add non-secure options for other calling conventions if necessary. So a couple of proposals: |
Ok makes sense! Will modify the implementation PR and this with the |
…rror-messages, r=oli-obk `C-cmse-nonsecure-call`: improved error messages tracking issue: rust-lang#81391 issue for the error messages (partially implemented by this PR): rust-lang#81347 related, in that it also deals with CMSE: rust-lang#127766 When using the `C-cmse-nonsecure-call` ABI, both the arguments and return value must be passed via registers. Previously, when violating this constraint, an ugly LLVM error would be shown. Now, the rust compiler itself will print a pretty message and link to more information.
Rollup merge of rust-lang#127814 - folkertdev:c-cmse-nonsecure-call-error-messages, r=oli-obk `C-cmse-nonsecure-call`: improved error messages tracking issue: rust-lang#81391 issue for the error messages (partially implemented by this PR): rust-lang#81347 related, in that it also deals with CMSE: rust-lang#127766 When using the `C-cmse-nonsecure-call` ABI, both the arguments and return value must be passed via registers. Previously, when violating this constraint, an ugly LLVM error would be shown. Now, the rust compiler itself will print a pretty message and link to more information.
Request for StabilizationSummaryWe propose to stabilize the Usage examplehttps://godbolt.org/z/KT6hc5Y7W // `cargo build --target thumbv8m.main-none-eabi`
#![feature(abi_c_cmse_nonsecure_call)]
#![no_std]
#[no_mangle]
pub fn call_nonsecure(f: unsafe extern "C-cmse-nonsecure-call" fn(u8, u16, u32) -> f32) -> f32 {
unsafe { f(1, 2, 3) }
} Which produces this LLVM IR: ; Function Attrs: nounwind
define dso_local float @call_nonsecure(ptr %f) unnamed_addr #0 !dbg !5 {
start:
%_0 = call float %f(i8 zeroext 1, i16 zeroext 2, i32 3) #1, !dbg !10
ret float %_0, !dbg !11
}
attributes #0 = { nounwind "frame-pointer"="all" "target-cpu"="generic" }
attributes #1 = { nounwind "cmse_nonsecure_call" } Which produces this assembly: call_nonsecure:
push {r7, lr}
mov r7, sp
mov r3, r0
movs r0, #1
movs r1, #2
movs r2, #3
push.w {r4, r5, r6, r7, r8, r9, r10, r11}
bic r3, r3, #1
sub sp, #136
vlstm sp
mov r4, r3 ; <- All unused registers get cleared, to not leak information
mov r5, r3
mov r6, r3
mov r7, r3
mov r8, r3
mov r9, r3
mov r10, r3
mov r11, r3
mov r12, r3
msr apsr_nzcvq, r3
blxns r3 ; <- the expected non-secure call instruction
vlldm sp
add sp, #136
pop.w {r4, r5, r6, r7, r8, r9, r10, r11}
pop {r7, pc} Error messagesThe calling requirements for this ABI are checked within rustc to produce good error messsages. #![feature(abi_c_cmse_nonsecure_call)]
#![no_std]
#[no_mangle]
pub fn call_nonsecure(f: unsafe extern "C-cmse-nonsecure-call" fn(u64, u64, u64) -> (u64, u64)) {
unsafe { f(1, 2, 3) };
} Produces the following errors:
Documentation
TestsTest cases are in
The tests in the (as yet unmerged) PR for cmse-nonsecure-entry validate the assembly output of this ABI. C examplesClang: https://godbolt.org/z/7ch3xcz96 |
Nominating for both T-lang and T-compiler discussion: there is a request for the stabilization of the For T-compiler:
For T-lang:
For both T-compiler and T-lang:
@rustbot labels +I-compiler-nominated +I-lang-nominated |
…piler-errors fix ICE in CMSE type validation fixes rust-lang#129983 tracking issue: rust-lang#81391 r? `@compiler-errors`
…piler-errors fix ICE in CMSE type validation fixes rust-lang#129983 tracking issue: rust-lang#81391 r? ``@compiler-errors``
Rollup merge of rust-lang#130064 - folkertdev:fix-issue-129983, r=compiler-errors fix ICE in CMSE type validation fixes rust-lang#129983 tracking issue: rust-lang#81391 r? ``@compiler-errors``
…ouxu Improve assembly test for CMSE ABIs Tracking issues: rust-lang#75835 rust-lang#81391 This ensures the code-gen for these ABIs does not change silently. There is a small chance that this code-gen might change, however even GCC (https://godbolt.org/z/16arxab5x and https://godbolt.org/z/16arxab5x) generates almost the same assembly for these ABIs. I hope the notes in the comments should help fix the tests if it ever breaks.
Rollup merge of rust-lang#130752 - tdittr:cmse-assembly-tests, r=jieyouxu Improve assembly test for CMSE ABIs Tracking issues: rust-lang#75835 rust-lang#81391 This ensures the code-gen for these ABIs does not change silently. There is a small chance that this code-gen might change, however even GCC (https://godbolt.org/z/16arxab5x and https://godbolt.org/z/16arxab5x) generates almost the same assembly for these ABIs. I hope the notes in the comments should help fix the tests if it ever breaks.
I think this feature merits an RFC prior to stabilizing. It goes beyond "just another ABI", it requires specialized type-checking and includes some attributes that go along with it. I think an RFC is warranted showing the overall design and how it fits together (I know I myself am confused). @scottmcm pointed out that they might like the attribute to be namespaced, which seems like the kind of detail I'd rather hammer out in the context of an RFC thread. I'm 👍 on the idea of supporting these capabilities, though! |
Coming out of the @rust-lang/lang team meeting, our consensus was that an RFC is the right next step. |
To answer the nominated questions:
Yes. Please tag us on the RFC.
This is the tracking issue, so it'd be the right place for that. I'm unclear whether there's a broader discussion going on somewhere else, e.g. on Zulip, that might have more context. (If anyone here knows of that, please point to it.) |
This is a tracking issue for the PR #81346.
The feature gate for the issue is
#![feature(abi_c_cmse_nonsecure_call)]
.Description
The TrustZone-M feature is available for targets with the Armv8-M architecture profile (
thumbv8m
in their target name).LLVM, the Rust compiler and the linker are providing support for the TrustZone-M feature.
One of the things provided, with this unstable feature, is the
C-cmse-nonsecure-call
function ABI. This ABI is used on function pointers to non-secure code to mark a non-secure function call (see section 5.5 for details).With this ABI, the compiler will do the following to perform the call:
To avoid using the non-secure stack, the compiler will constrain the number and type of parameters/return value.
The
extern "C-cmse-nonsecure-call"
ABI is otherwise equivalent to theextern "C"
ABI.Example
Steps
The text was updated successfully, but these errors were encountered: