Skip to content

Comments

Refine CHERI macro and feature definitions#763

Merged
jrtc27 merged 7 commits intodevfrom
__CHERI__-means-purecap
Mar 17, 2025
Merged

Refine CHERI macro and feature definitions#763
jrtc27 merged 7 commits intodevfrom
__CHERI__-means-purecap

Conversation

@brooksdavis
Copy link
Member

@brooksdavis brooksdavis commented Feb 28, 2025
edited
Loading

This set of changes does three main things:

  • adds an __CHERI_HYBRID__ to indicate hybrid compilation
  • adds an __has_feature(cheri) to eventually replace the overly generic __has_feature(capabilities)
  • Makes __CHERI__ a synonym for __CHERI_PURE_CAPABILITY__ and adds an __CHERI_HYBRID__ This is a breaking change

Rationale: We strongly encourage all CHERI consumers to use a pure-capability ABI whenever possible. Therefore it should be the easiest thing to type and less preferred options should be longer. The existing macros date to the earliest compiler support which barely supported capability types. Before broad adoption of CHERI we should make the macros be sensible. We're past Stuart Feldman's too many users of make to change the tabs threshold (12), but few codebases will be effected and the required changes are simple and can be safely performed automatically. We shouldn't have to live with this aspect of history forever.

@brooksdavis brooksdavis force-pushed the __CHERI__-means-purecap branch from 00f9977 to 4f38f04 Compare February 28, 2025 23:54
@brooksdavis brooksdavis mentioned this pull request Mar 1, 2025
Merged
@brooksdavis
Copy link
Member Author

brooksdavis commented Mar 1, 2025

This should probably be split into two changes, the backwards compatible changes to __CHERI__ use so we can pull them into CheriBSD and the breaking changes.

@arichardson
Copy link
Member

arichardson commented Mar 1, 2025

I do wonder if we want to use __has_feature(cheri) ? Capabilities seems rather generic and may be difficult to upstream

@heshamelmatary
Copy link
Member

heshamelmatary commented Mar 1, 2025

I do wonder if we want to use __has_feature(cheri) ? Capabilities seems rather generic and may be difficult to upstream

I agree on that. It's rather confusing for systems like seL4 that already have their own notion/definition/types for a capability.

arichardson
arichardson approved these changes Mar 3, 2025
View reviewed changes
Copy link
Member

@arichardson arichardson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically this is a major breaking change but I don't think there is much choice outside of cheribsd that uses it so LGTM if @jrtc27 is also happy with it

@brooksdavis brooksdavis force-pushed the __CHERI__-means-purecap branch from 4f38f04 to b374716 Compare March 4, 2025 17:41
arichardson
arichardson reviewed Mar 4, 2025
View reviewed changes
arichardson
arichardson approved these changes Mar 4, 2025
View reviewed changes
Copy link
Member

@arichardson arichardson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the new change, LGTM. Will wait for @jrtc27 for merging though

@brooksdavis brooksdavis force-pushed the __CHERI__-means-purecap branch from b374716 to da8608d Compare March 4, 2025 21:40
@brooksdavis brooksdavis changed the title Make __CHERI__ mean purecap Refine CHERI macro and feature definitions Mar 4, 2025
@heshamelmatary
Copy link
Member

heshamelmatary commented Mar 5, 2025

I used to use __CHERI__ whenever I wanted to guard or do something that applies to both purecap and hybrid. Some compatibility issues arise with using __has_feature with (old) GCC etc and broke legacy GCC builds. Those required some workarounds. eg:

#ifndef __has_feature
#define __has_feature(x) 0
#endif

This assumes all projects have some sort of a global shared header where this could be defined, but unfortunately this is not always the case.

Existing projects such as muslc [1], newlib, CHERI-Linux also still use __CHERI__. While an easy fix, but probably worth notifying the maintainers and/or fixing it ourselves.

[1] https://git.morello-project.org/search?search=__CHERI__&nav_source=navbar&project_id=122&group_id=6&search_code=true&repository_ref=morello%2Fmaster

@bsdjhb
Copy link
Contributor

bsdjhb commented Mar 5, 2025

Note that this set of changes will actually make the GCC world happier as you can just use #if defined(__CHERI__) || defined(__CHERI_HYBRID__) in place of #if __has_feature(cheri) if desired once they are adopted.

@arichardson
Copy link
Member

arichardson commented Mar 5, 2025

Note that this set of changes will actually make the GCC world happier as you can just use #if defined(__CHERI__) || defined(__CHERI_HYBRID__) in place of #if __has_feature(cheri) if desired once they are adopted.

And that change can be made now even if they want to support the older compiler versions.

jrtc27
jrtc27 reviewed Mar 14, 2025
View reviewed changes
jrtc27
jrtc27 reviewed Mar 14, 2025
View reviewed changes
@brooksdavis
tests: prefer __has_feature(capabilities) to defined(__CHERI__)
f1e7c07
@brooksdavis
libunwind: prefer __has_feature(capabilities) to defined(__CHERI__)
e1cf582
@brooksdavis
libcxx: prefer __has_feature(capabilities) to defined(__CHERI__)
b8e7b99
@brooksdavis
Add __has_feature(cheri)
4ca7648 
This is intended to replace __has_feature(capabilities) which is almost
certainly too generic to upstream.  We'll support them side by side for
the long term in our tree, but projects should generally migrate to
__has_feature(cheri) as their need for older compilers passes.
@brooksdavis
Use __has_feature(cheri) in tests
e9c300b 
Migrate tests that aren't explicitly about __has_feature(capabilities)
to __has_feature(cheri).
@brooksdavis
Introduce __CHERI_HYBRID__ macro
9f009aa 
This is meant to replace expressions like:
    __has_feature(capabilities) && !defined(__CHERI_PURE_CAPABILITY__)
or (currently(
    __CHERI__ && !defined(__CHERI_PURE_CAPABILITY__)
@brooksdavis
Make __CHERI__ a synonym for __CHERI_PURE_CAPABILITY__
67500fa 
WARNING: This is a breaking change for hybrid + standard C/C++ code.

Rationale: We strongly encourage all CHERI consumers to use a
pure-capability ABI whenever possible. Therefore it should be the
easiest thing to type and less preferred options should be longer. The
existing macros date to the earliest compiler support which barely
supported capability types. Before broad adoption of CHERI we should
make the macros be sensible. We're past Stuart Feldman's too many users
of make to change the tabs threshold (12), but few codebases will be
effected, the required changes are simple can be safely performed
without automatic review, and we shouldn't have to live with this aspect
of history forever.

Backwards compatible code transition:

For purecap + standard C/C++ code (no hybrid):
  No change required.

For hybrid + standard C/C++ (with or without purecap):
  defined(__CHERI__) -> __has_feature(capabilities)
or
  defined(__CHERI__) -> defined(__CHERI__) || defined(__CHERI_HYBRID__)

Once the need for compatability with old compilers is passed, further
simplication is possible.

For purecap + standard C/C++ code:
  __CHERI_PURE_CAPABILITY__ -> __CHERI__

For hybrid + standard C/C++ code:
  __has_feature(capabilities) && !defined(__CHERI_PURE_CAPABILITY__) ->
      defined(__CHERI_HYBRID__)
@brooksdavis brooksdavis force-pushed the __CHERI__-means-purecap branch from da8608d to 67500fa Compare March 14, 2025 21:40
@jrtc27 jrtc27 merged commit 8e0436a into dev Mar 17, 2025
5 of 6 checks passed
@jrtc27 jrtc27 deleted the __CHERI__-means-purecap branch March 17, 2025 21:30
arichardson added a commit to CTSRD-CHERI/cheritest that referenced this pull request Mar 29, 2025
@arichardson
Fix build after CTSRD-CHERI/llvm-project#763
629269f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jrtc27 jrtc27 jrtc27 approved these changes

@arichardson arichardson arichardson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@brooksdavis @arichardson @heshamelmatary @bsdjhb @jrtc27