evmone
evmone copied to clipboard
ethereum
cmake: Disable Control-Flow check instrumentation
Disable Control-Flow protection (CET) for the Baseline interpreter. This is controlled by -fcf-protection GCC/Clang compiler flag and may be enabled by default depending on the OS configuration.
This is disabled because it slightly affects performance and code size. If the CF protection is desired it should be enabled uniformly in all compilers which support it.
Somehow, applying [[nocf_check]] attribute has no desired effect.
See GCC documentation: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fcf-protection
GCC 13, Skylake
baseline/execute/main/blake2b_huff/empty_mean -0.0072 -0.0074 11 11 11 11
baseline/execute/main/blake2b_huff/8415nulls_mean -0.0107 -0.0108 697 690 697 690
baseline/execute/main/blake2b_shifts/8415nulls_mean -0.0069 -0.0070 6718 6671 6717 6670
baseline/execute/main/sha1_divs/empty_mean -0.0188 -0.0189 50 49 50 49
baseline/execute/main/sha1_divs/5311_mean -0.0160 -0.0161 4013 3949 4012 3948
baseline/execute/main/sha1_shifts/empty_mean -0.0316 -0.0317 24 23 24 23
baseline/execute/main/sha1_shifts/5311_mean -0.0358 -0.0359 1973 1902 1972 1901
baseline/execute/main/snailtracer/benchmark_mean -0.0247 -0.0248 39929 38944 39923 38935
baseline/execute/main/structarray_alloc/nfts_rank_mean -0.0140 -0.0141 445 438 445 438
baseline/execute/main/swap_math/spent_mean -0.0432 -0.0433 2 2 2 2
baseline/execute/main/swap_math/received_mean -0.0176 -0.0176 3 2 3 2
baseline/execute/main/swap_math/insufficient_liquidity_mean -0.0045 -0.0046 2 1 2 1
baseline/execute/main/weierstrudel/1_mean -0.0349 -0.0350 205 198 205 198
baseline/execute/main/weierstrudel/15_mean -0.0172 -0.0172 1996 1961 1995 1961
OVERALL_GEOMEAN -0.0203 -0.0204 0 0 0 0
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Comparison is base (
d63fa8b) 97.33% compared to head (a6ebe60) 97.33%. Report is 238 commits behind head on master.
Additional details and impacted files
@@ Coverage Diff @@
## master #649 +/- ##
=======================================
Coverage 97.33% 97.33%
=======================================
Files 80 80
Lines 7739 7739
=======================================
Hits 7533 7533
Misses 206 206
| Flag | Coverage Δ | |
|---|---|---|
| blockchaintests | 64.17% <ø> (ø) |
|
| statetests | 74.55% <ø> (ø) |
|
| unittests | 94.83% <ø> (ø) |
Flags with carried forward coverage won't be shown. Click here to find out more.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
GCC 12, Haswell
baseline/execute/main/blake2b_huff/empty_mean +0.0023 +0.0023 9 9 9 9
baseline/execute/main/blake2b_huff/8415nulls_mean -0.0030 -0.0030 581 579 581 579
baseline/execute/main/blake2b_shifts/8415nulls_mean -0.0076 -0.0076 5531 5489 5531 5489
baseline/execute/main/sha1_divs/empty_mean -0.0188 -0.0188 41 40 41 40
baseline/execute/main/sha1_divs/5311_mean -0.0162 -0.0162 3279 3226 3279 3226
baseline/execute/main/sha1_shifts/empty_mean -0.0286 -0.0286 20 19 20 19
baseline/execute/main/sha1_shifts/5311_mean -0.0322 -0.0322 1634 1582 1634 1582
baseline/execute/main/snailtracer/benchmark_mean -0.0087 -0.0087 31172 30902 31172 30902
baseline/execute/main/structarray_alloc/nfts_rank_mean -0.0123 -0.0123 358 353 358 353
baseline/execute/main/swap_math/spent_mean -0.0281 -0.0281 2 2 2 2
baseline/execute/main/swap_math/received_mean -0.0316 -0.0316 2 2 2 2
baseline/execute/main/swap_math/insufficient_liquidity_mean +0.0066 +0.0066 1 1 1 1
baseline/execute/main/weierstrudel/1_mean -0.0062 -0.0062 176 175 176 175
baseline/execute/main/weierstrudel/15_mean +0.0014 +0.0014 1673 1675 1673 1675
OVERALL_GEOMEAN -0.0132 -0.0132 0 0 0 0
The savings are impressive, but the description is scary:
Enable code instrumentation of control-flow transfers to increase program security by checking that target addresses of control-flow transfer instructions (such as indirect function call, function return, indirect jump) are valid. This prevents diverting the flow of control to an unexpected target. This is intended to protect against such threats as Return-oriented Programming (ROP), and similarly call/jmp-oriented programming (COP/JOP).
The value branch tells the compiler to implement checking of validity of control-flow transfer at the point of indirect branch instructions, i.e. call/jmp instructions. The value return implements checking of validity at the point of returning from a function. The value full is an alias for specifying both branch and return. The value none turns off instrumentation.
The value check is used for the final link with link-time optimization (LTO). An error is issued if LTO object files are compiled with different -fcf-protection values. The value check is ignored at the compile time.
So ideally we could disable this, but enable is specifically at some places where risk is present?
So ideally we could disable this, but enable is specifically at some places where risk is present?
We need to consult this with some security experts.
Originally, I wanted to disable this only for baseline interpreter, but the attribute does not work. Probably worth to report a bug.
But we can also disable this per-file basis. It may have more sense to have this enabled for bytecode analysis.
The risk is that if there is a bug in EVM someone will be able to take over the process the EVM is running in and e.g. steal some information or mess up how it behave in the p2p network. This seems unlikely though. The attacker will be still able to crash the node.
Oh and the benchmarks are shaky. The improvements may come from smaller code size and code layout change.