docs/concepts/kernel/kernel_invariants.md - fuchsia - Git at Google

 # Zircon Kernel Invariants

 On x86, Zircon needs to maintain the following invariants for code running
 in ring 0 (kernel mode).

 These invariants are documented here because they are not necessarily easy
 to test -- breaking an invariant will not necessarily be caught by
 Zircon's test suite.

 * Flags register:

   * The direction flag (DF) should be 0.  This is required by the x86
     calling conventions.

     If this flag is set to 1, uses of x86 string instructions (e.g. `rep
     movs` in `memcpy()` or inlined by the compiler) can go wrong and copy
     in the wrong direction.  It is OK for a function to set this flag to 1
     temporarily as long as it changes it back to 0 before returning or
     calling other functions.

   * The alignment check flag (AC) should normally be 0.  On CPUs that
     support SMAP, this prevents the kernel from accidentally reading or
     writing userland data.

 * The `gs_base` register must point to the current CPU's `x86_percpu`
   struct whenever running in kernel mode with interrupts enabled.
   `gs_base` should only be changed to point to something else while
   interrupts are disabled.  For example, the `swapgs` instruction should
   only be used when interrupts are disabled.

 * The following are partially enforced by the compiler:

   * No use of extended registers (SSE, AVX, x87, etc.) is allowed, because
     that would clobber userland's register state.

     This is partially achieved by passing `-mno-sse` to the compiler.  This
     option is necessary to prevent the compiler from using SSE registers in
     optimizations (e.g. memory copies).

     We would like to prevent accidentally using the `float` or `double`
     types in kernel code, but GCC and Clang won't do that for us in all
     cases.  `-mno-sse` does not prevent using `float`/`double` with either
     compiler -- the compilers will use x87 instructions instead.

     We compile with `-msoft-float`, which seems to prevent GCC from
     generating x87 instructions (and hence using x87 registers): GCC 6.3.0
     will give an error on `float`/`double` arithmetic and return values,
     but it does not prevent passing these types around as arguments.
     However, passing `-msoft-float` to Clang seems to have no effect: Clang
     7.0.0 will still generate x87 instructions (and use x87 registers) for
     code using `float` or `double`.

   * No storing data below `%rsp` on the stack.  Note that userland code can
     do this: the SysV x86-64 ABI allows functions to store data in the "red
     zone", which is the 128 bytes below %rsp.  However, kernel code cannot
     use the red zone because interrupts may clobber this region -- the CPU
     pushes data onto the stack immediately below %rsp when it invokes an
     interrupt handler.

     This is generally enforced by passing `-mno-red-zone` to the compiler.
	# Zircon Kernel Invariants

	On x86, Zircon needs to maintain the following invariants for code running
	in ring 0 (kernel mode).

	These invariants are documented here because they are not necessarily easy
	to test -- breaking an invariant will not necessarily be caught by
	Zircon's test suite.

	* Flags register:

	* The direction flag (DF) should be 0. This is required by the x86
	calling conventions.

	If this flag is set to 1, uses of x86 string instructions (e.g. `rep
	movs` in `memcpy()` or inlined by the compiler) can go wrong and copy
	in the wrong direction. It is OK for a function to set this flag to 1
	temporarily as long as it changes it back to 0 before returning or
	calling other functions.

	* The alignment check flag (AC) should normally be 0. On CPUs that
	support SMAP, this prevents the kernel from accidentally reading or
	writing userland data.

	* The `gs_base` register must point to the current CPU's `x86_percpu`
	struct whenever running in kernel mode with interrupts enabled.
	`gs_base` should only be changed to point to something else while
	interrupts are disabled. For example, the `swapgs` instruction should
	only be used when interrupts are disabled.

	* The following are partially enforced by the compiler:

	* No use of extended registers (SSE, AVX, x87, etc.) is allowed, because
	that would clobber userland's register state.

	This is partially achieved by passing `-mno-sse` to the compiler. This
	option is necessary to prevent the compiler from using SSE registers in
	optimizations (e.g. memory copies).

	We would like to prevent accidentally using the `float` or `double`
	types in kernel code, but GCC and Clang won't do that for us in all
	cases. `-mno-sse` does not prevent using `float`/`double` with either
	compiler -- the compilers will use x87 instructions instead.

	We compile with `-msoft-float`, which seems to prevent GCC from
	generating x87 instructions (and hence using x87 registers): GCC 6.3.0
	will give an error on `float`/`double` arithmetic and return values,
	but it does not prevent passing these types around as arguments.
	However, passing `-msoft-float` to Clang seems to have no effect: Clang
	7.0.0 will still generate x87 instructions (and use x87 registers) for
	code using `float` or `double`.

	* No storing data below `%rsp` on the stack. Note that userland code can
	do this: the SysV x86-64 ABI allows functions to store data in the "red
	zone", which is the 128 bytes below %rsp. However, kernel code cannot
	use the red zone because interrupts may clobber this region -- the CPU
	pushes data onto the stack immediately below %rsp when it invokes an
	interrupt handler.

	This is generally enforced by passing `-mno-red-zone` to the compiler.