-control_flow_integrity [Professional Edition only] [V2.08.00 or later]


< Compile Options / Object Options >

[Format]

-control_flow_integrity

 

- Interpretation when omitted

  Code for the detection of illegal indirect function calls is not generated.

[Description]

- This option generates code for detecting illegal indirect function calls.

When this option is specified, code for the following processing is generated for the C/C++ source program.

(1) Immediately before each indirect function call, the __control_flow_integrity checking function is called with the target address of the indirect call as its argument.

(2) Within the checking function, the address given as the argument is checked against a list of the addresses of functions which may be indirectly called (hereafter referred to as the function list). If the list does not include the address, the call is regarded as an illegal indirect function call and the __control_flow_chk_fail function is called.

The property that transfers of control, such as indirect function calls, go only to legitimate targets is referred to as control flow integrity (CFI), and CFI techniques are used to verify it.
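As an added illustration (not code from the CC-RX manual, its compiler or its runtime library), the following host-side C program models steps (1) and (2) above: a constructed array stands in for the function list the linker builds with -cfi, cfi_model_check stands in for __control_flow_integrity, and cfi_model_fail stands in for the user-defined __control_flow_chk_fail. All of these names are hypothetical. A real __control_flow_chk_fail must never return (the manual's own example calls abort()); the model's failure hook only counts the event so that the program can continue and be inspected.

```c
/* Added example: a host-side model of the CFI check.  This is NOT the
 * CC-RX library's __control_flow_integrity; the function list below is a
 * constructed array standing in for the linker-generated table. */
#include <stddef.h>
#include <stdio.h>

typedef void (*handler_t)(void);

static int glb;

static void func1(void) { ++glb; }   /* called indirectly: on the function list  */
static void func2(void) { --glb; }   /* only called directly: not on the list     */

/* Constructed stand-in for the linker-generated function list (-cfi). */
static const handler_t function_list[] = { func1 };

/* Stand-in for the user-defined __control_flow_chk_fail.  The real handler
 * must not return (e.g. it calls abort()); the model records the event so
 * the check can be exercised without terminating the process. */
static int cfi_fail_count;

static void cfi_model_fail(void)
{
    ++cfi_fail_count;
}

/* Model of __control_flow_integrity: return 1 if addr is a listed function,
 * otherwise report an illegal indirect call and return 0. */
int cfi_model_check(handler_t addr)
{
    size_t i;
    for (i = 0; i < sizeof function_list / sizeof function_list[0]; ++i) {
        if (function_list[i] == addr)
            return 1;
    }
    cfi_model_fail();
    return 0;
}

/* What the compiler's generated code does around `pf()`: check, then call.
 * Returns 1 if the call was made, 0 if it was blocked. */
int guarded_call(handler_t pf)
{
    if (!cfi_model_check(pf))
        return 0;          /* a real handler would never get back here */
    pf();
    return 1;
}

int cfi_model_fail_count(void) { return cfi_fail_count; }
int cfi_model_glb(void)        { return glb; }

int main(void)
{
    handler_t pf = func1;
    printf("func1 via pf: allowed=%d glb=%d\n", guarded_call(pf), cfi_model_glb());

    /* A pointer that no longer refers to a listed function is rejected. */
    pf = func2;
    printf("func2 via pf: allowed=%d glb=%d failures=%d\n",
           guarded_call(pf), cfi_model_glb(), cfi_model_fail_count());
    return 0;
}
```

The model makes the asymmetry in the manual's example concrete: func1 is reachable through a pointer and so appears on the list, while func2 is only ever called directly and so is not, which is why a pointer redirected to func2 is reported even though func2 is a perfectly ordinary function.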

- The checking function is declared as follows and is provided as a library function.

void __control_flow_integrity(void *addr);

Calling the checking function in the same way as normal functions is prohibited.

- The compiler automatically extracts the information on the functions which may be indirectly called from the C/C++ source program. The linker consolidates that information to create the function list. For the linker to create the function list, the -cfi link option must be specified.

For details, refer to section 2.5.3 Optimizing Linkage Editor (rlink) Options.

- The __control_flow_chk_fail function contains the processing to be executed when an illegal indirect function call is detected. The user must define this function.

Note the following when defining the __control_flow_chk_fail function.

  - Specify void as the type of both the return value and the parameter list.

  - Do not define the function as static.

  - Calling the __control_flow_chk_fail function in the same way as a normal function is prohibited.

  - The __control_flow_chk_fail function itself is not subject to the generation of code for detecting illegal indirect function calls.

  - Execution must not return from the __control_flow_chk_fail function to the checking function; for example, terminate the program by calling abort().

  - When defining the __control_flow_chk_fail function in a C++ program, add 'extern "C"'.

- If the -pic option is specified at the same time, an error will occur.

[Example]

<C source code>

#include <stdlib.h>
 
int glb;
 
void __control_flow_chk_fail(void) 
{
  abort();
}
 
void func1(void) // Added to the function list.
{
  ++glb;
}
 
void func2(void) // Not added to the function list.
{
  --glb;
}
 
void (*pf)(void) = func1;
 
void main(void)
{
  pf(); // Indirect call of the function func1.
  func2();
}

 

<Output code>

When -isa=rxv2 -output=src -control_flow_integrity is specified for compilation:

___control_flow_chk_fail:
  .STACK ___control_flow_chk_fail=4
  BRA _abort
_func1:
  .STACK _func1=4
  MOV.L #_glb, R14
  MOV.L [R14], R15
  ADD #01H, R15
  MOV.L R15, [R14]
  RTS
_func2:
  .STACK _func2=4
  MOV.L #_glb, R14
  MOV.L [R14], R15
  SUB #01H, R15
  MOV.L R15, [R14]
  RTS
_main:
  .STACK _main=8
  PUSH.L R6
  MOV.L #_pf, R6
  MOV.L [R6], R1
  BSR ___control_flow_integrity ; Call the checking function.
  MOV.L [R6], R14
  JSR R14 ; Indirect call of the function func1.
  BSR _func2 ; Direct call of the function func2.
  RTSD #04H, R6-R6
  .SECTION D,ROMDATA,ALIGN=4
_pf:
  .lword _func1
  .SECTION B,DATA,ALIGN=4
_glb:
  .blkl 1
  .END