gh-139808: Add branch protections for aarch64 in asm_trampoline.S

[stratakis]

This builds on top of #128606

• Issue: asm_trampoline.S misses BTI/PAC protection flags for aarch64 #139808

[stratakis]

The current equivalent eh_frame for the aarch64 assembly code, generated by C code doesn't seem to properly match, although at the same time it works fine. Here is a comparison between x86_64 and aarch64.

x86_64 eh_frame:

00000000 0000000000000014 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 1
  Data alignment factor: -8
  Return address column: 16
  Augmentation data:     1b
  DW_CFA_def_cfa: r7 (rsp) ofs 8
  DW_CFA_offset: r16 (rip) at cfa-8
  DW_CFA_nop
  DW_CFA_nop

00000018 0000000000000014 0000001c FDE cie=00000000 pc=0000000000000000..000000000000000b
  DW_CFA_advance_loc: 4 to 0000000000000004
  DW_CFA_def_cfa_offset: 16
  DW_CFA_advance_loc: 6 to 000000000000000a
  DW_CFA_def_cfa_offset: 8
  DW_CFA_nop

Equivalent to:

cpython/Python/perf_jit_trampoline.c

Lines 474 to 478 in d0ecbdd

	#ifdef __x86_64__
	DWRF_U8(DWRF_CFA_advance_loc | 4);
	DWRF_U8(DWRF_CFA_def_cfa_offset); DWRF_UV(16);
	DWRF_U8(DWRF_CFA_advance_loc | 6);
	DWRF_U8(DWRF_CFA_def_cfa_offset); DWRF_UV(8);

Whereas the eh_frame for aarch64:

00000000 0000000000000010 00000000 CIE
  Version:               1
  Augmentation:          "zR"
  Code alignment factor: 4
  Data alignment factor: -8
  Return address column: 30
  Augmentation data:     1b
  DW_CFA_def_cfa: r31 (sp) ofs 0

00000014 0000000000000020 00000018 FDE cie=00000000 pc=0000000000000000..0000000000000014
  DW_CFA_advance_loc: 4 to 0000000000000004
  DW_CFA_def_cfa_offset: 16
  DW_CFA_offset: r29 (x29) at cfa-16
  DW_CFA_offset: r30 (x30) at cfa-8
  DW_CFA_advance_loc: 12 to 0000000000000010
  DW_CFA_restore: r30 (x30)
  DW_CFA_restore: r29 (x29)
  DW_CFA_def_cfa_offset: 0
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop
  DW_CFA_nop

Equivalent to:

cpython/Python/perf_jit_trampoline.c

Lines 480 to 489 in d0ecbdd

	#elif defined(__aarch64__) && defined(__AARCH64EL__) && !defined(__ILP32__)
	DWRF_U8(DWRF_CFA_advance_loc | 1);
	DWRF_U8(DWRF_CFA_def_cfa_offset); DWRF_UV(16);
	DWRF_U8(DWRF_CFA_offset | 29); DWRF_UV(2);
	DWRF_U8(DWRF_CFA_offset | 30); DWRF_UV(1);
	DWRF_U8(DWRF_CFA_advance_loc | 3);
	DWRF_U8(DWRF_CFA_offset | -(64 - 29));
	DWRF_U8(DWRF_CFA_offset | -(64 - 30));
	DWRF_U8(DWRF_CFA_def_cfa_offset);
	DWRF_UV(0);

[stratakis]

Ah wasn't taking into account the code factor alignment for aarch64. Fixed that.

[stratakis]

eh_frame for the new assembly which should be implemented in C:

0000000 0000000000000010 0000000 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 4
Data alignment factor: -8
Return address column: 30
Augmentation data: 1b
DW_CFA_def_cfa: r31 (sp) ofs 0

00000014 0000000000000020 00000018 FDE cie=00000000 pc=0000000000000000..000000000000001c
DW_CFA_advance_loc: 4 to 0000000000000004
DW_CFA_AARCH64_negate_ra_state
DW_CFA_advance_loc: 4 to 0000000000000008
DW_CFA_def_cfa_offset: 16
DW_CFA_offset: r29 (x29) at cfa-16
DW_CFA_offset: r30 (x30) at cfa-8
DW_CFA_advance_loc: 12 to 0000000000000014
DW_CFA_restore: r30 (x30)
DW_CFA_restore: r29 (x29)
DW_CFA_def_cfa_offset: 0
DW_CFA_advance_loc: 4 to 0000000000000018
DW_CFA_AARCH64_negate_ra_state
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop

[vstinner]

You might add a NEWS entry using blurb or blurb-it, see: https://devguide.python.org/

[stratakis]

Noting here that while the protections are enabled with this PR, Perf unwinding which includes the Python functions does not work without Frame Pointers.

For that the hint 25 and hint 29 instructions have to be implemented here: https://github.com/python/cpython/blob/main/Python/perf_jit_trampoline.c#L882C1-L896C1

And they should match this .eh_frame:

https://github.com/python/cpython/commit/0000000003b38411e14b1216e442699bdbf03a15 0000000000000010 https://github.com/python/cpython/commit/0000000003b38411e14b1216e442699bdbf03a15 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 4
Data alignment factor: -8
Return address column: 30
Augmentation data: 1b
DW_CFA_def_cfa: r31 (sp) ofs 0

00000014 0000000000000020 00000018 FDE cie=00000000 pc=0000000000000000..000000000000001c
DW_CFA_advance_loc: 4 to 0000000000000004
DW_CFA_AARCH64_negate_ra_state
DW_CFA_advance_loc: 4 to 0000000000000008
DW_CFA_def_cfa_offset: 16
DW_CFA_offset: r29 (x29) at cfa-16
DW_CFA_offset: r30 (x30) at cfa-8
DW_CFA_advance_loc: 12 to 0000000000000014
DW_CFA_restore: r30 (x30)
DW_CFA_restore: r29 (x29)
DW_CFA_def_cfa_offset: 0
DW_CFA_advance_loc: 4 to 0000000000000018
DW_CFA_AARCH64_negate_ra_state
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop

Haven't yet figured the correct way to do that though as utilizing the way that the ARM abi describes it by using 0x2D for DW_CFA_AARCH64_negate_ra_state, doesn't work.

[encukou]

@diegorusso might be able to help, or at least know someone

[diegorusso]

@stratakis and I have been discussed this in the past. I'm not sure what the status is. Do you need further help?

[stratakis]

I haven't managed to make any progress yet. I took a look again recently but it's not possible to test it till #139544 is resolved.

[github-actions]

This PR is stale because it has been open for 30 days with no activity.

[billatarm]

This LGTM, still need to test, but just a few comments:

1. Do we need to support binutils older than 2.31? If we don't we can just use the mnemonics.
2. Do we need it added conditionally? We can just add the instructions, they're binary compatible with older machines so we can just do the PAC path and we get both. It will just NOP on unsupported machines. So if this can take the cost of a NOP, we can simplify this quite a bit.

Don't let my comments derail this, they can always be done in follow ups IMHO.

[stratakis]

The only OS that still has glibc < 2.31 is for RHEL8. While the buildbots do not compile python >= 3.12 on RHEL8, still someone trying to compile Python 3.13 and higher there won't have it compiled. Granted RHEL8 doesn't enable mbranch-protection by default, I'd rather have at least till RHEL8 goes out of support the old way for delaring pac and bti.

Regarding the if else conditions, while they can be simplified, the assembly code maps nicely somewhat 1on1 with the C code generating dwarf unwinding info for the non-frame pointer case, simplifying them there would make the visual comparisons a tad more cumbersome.

[read-the-docs-community]

Documentation build overview

📚 cpython-previews | 🛠️ Build #32657143 | 📁 Comparing ca0a356 against main (7a4c6df)

  🔍 Preview build  

67 files changed · ± 66 modified · - 1 deleted

± Modified

• index.html
• c-api/dict.html
• c-api/exceptions.html
• c-api/gcsupport.html
• c-api/index.html
• c-api/interp-lifecycle.html
• c-api/module.html
• c-api/sentinel.html
• c-api/slots.html
• c-api/stable.html
• and 56 more...

- Deleted

• whatsnew/3.16.html

[stratakis]

#139544 is resolved in the latest kernel releases, so I had time to extensively test this. The PR should be ready and I've rebased to account for the latest upstream changes with the jit_unwind.c.

Tested on aarch64 VMs running on a Neoverse-N1, the one hosting the aarch64 buildbots.

A Fedora Rawhide machine without PAC/BTI and then also on a QEMU TCG machine with PAC/BTI active (-cpu max).

Both machines had the latest kernel release 7.1.0-rc2 and GCC 16.1.1. I've also tested for good measure on a Fedora 43 machine with kernel 7.0.4 and GCC 15.2.1, the results were the same.

On the non-PAC/BTI machine:
Tested with debug, shared+LTO+PGO, with/without branch protection, with/without frame pointers. All test combinations were successful: -Xperf (fp unwinding), -Xperf_jit (DWARF unwinding), and test_perf_profiler.

On the emulated PAC/BTI machine which was the slowlest testing I've experienced:
Tested with debug, shared+LTO, with/without branch protection, with/without frame pointers. -Xperf (fp unwinding) works, -Xperf_jit (DWARF unwinding) does not work due to the kernel not supporting it and test_perf_profiler passes except the TestPerfProfilerWithDwarf case due to the aforementioned kernel bug. The kernel issue shouldn't be a blocker though for this PR.

Also the DW_CFA_AARCH64_negate_ra_state is correctly emitted in prologue and epilogue of the perf trampoline FDE.

And BTI, PAC, GCS are present on both libpython and python binary

[vstinner]

I built the Python main branch with this change on Fedora 43 AArch64 using:

./configure --enable-shared CFLAGS="-mbranch-protection=standard -fplugin=annobin -fstack-protector-strong -fstack-clash-protection -D_FORTIFY_SOURCE=3" LDFLAGS="-Wl,-z,now" EXE_LDFLAGS="-Wl,-pie -Wl,-z,now" --with-lto
make

I had to add many options to please annocheck.

annocheck

annocheck: pass on the Python executable, fail on libpython

$ annocheck --hardened ./python
annocheck: Version 12.99.
Hardened: python: PASS.

$ annocheck --hardened libpython3.16.so.1.0 
annocheck: Version 12.99.
Hardened: libpython3.16.so.1.0: FAIL: gaps test because gaps were detected in the annobin coverage 
Hardened: Rerun annocheck with --verbose to see more information on the tests.
Hardened: libpython3.16.so.1.0: Overall: FAIL.

I don't know how to fix the "gaps" issue, I already passed -fplugin=annobin to CFLAGS (solution suggested by the doc).

readelf

readelf: BTI and PAC are found in Python executable and libpython

$ readelf -n ./python | grep Properties
      Properties: AArch64 feature: BTI, PAC, GCS

$ readelf -n libpython3.16.so.1.0 | grep Properties
      Properties: AArch64 feature: BTI, PAC, GCS

test_perf_profiler: ./python -m test -v test_perf_profiler does pass.

But I got some random test_python_calls_appear_in_the_stack_if_perf_activated() failures because "Warning: Processed 381 events and lost 1 chunks! Check IO/CPU overload!" was logged.

Linux perf

perf: Python frames are recognized as expected.

my_script.py:

def foo(n):
    result = 0
    for _ in range(n):
        result += 1
    return result

def bar(n):
    foo(n)

def baz(n):
    bar(n)

if __name__ == "__main__":
    baz(1000000)

Commands:

LD_LIBRARY_PATH=$PWD perf record -F 9999 -g -o perf.data ./python -X perf my_script.py
perf report --stdio -n -g|grep py::

[vstinner]

Without this change, readelf -n libpython3.16.so.1.0 | grep Properties lacks BTI and PAC. readelf shows nothing:

$ readelf -n libpython3.16.so.1.0 | grep Properties

[vstinner]

LGTM. With this change, readelf reports BTI and PAC properties on the Python executable and libpython according to my manual tests. Without this change, BTI and PAC properties are missing.

[vstinner]

I'm not comfortable to backport this change to 3.13 and 3.14 stable branches, since I'm not an AArch64 export. But I'm fine with backporting the change to the 3.15 branch.

[stratakis]

I'm not comfortable to backport this change to 3.13 and 3.14 stable branches, since I'm not an AArch64 export. But I'm fine with backporting the change to the 3.15 branch.

This issue affects versions from 3.13 and up (although the dwarf code lives in perf_jit_trampoline.c there). The issue is quite isolated and resolves a security issue so I think backporting it makes sense.

[miss-islington-app]

Thanks @stratakis for the PR, and @vstinner for merging it 🌮🎉.. I'm working now to backport this PR to: 3.15.
🐍🍒⛏🤖

[bedevere-app]

GH-149730 is a backport of this pull request to the 3.15 branch.

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot iOS ARM64 Simulator 3.x (tier-3) has failed when building commit da8477b.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1380/builds/6619) and take a look at the build logs.
4. Check if the failure is related to this commit (da8477b) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1380/builds/6619

Summary of the results of the build (if available):

Click to see traceback logs

remote: Enumerating objects: 11, done.        
remote: Counting objects:  12% (1/8)        
remote: Counting objects:  25% (2/8)        
remote: Counting objects:  37% (3/8)        
remote: Counting objects:  50% (4/8)        
remote: Counting objects:  62% (5/8)        
remote: Counting objects:  75% (6/8)        
remote: Counting objects:  87% (7/8)        
remote: Counting objects: 100% (8/8)        
remote: Counting objects: 100% (8/8), done.        
remote: Compressing objects:  14% (1/7)        
remote: Compressing objects:  28% (2/7)        
remote: Compressing objects:  42% (3/7)        
remote: Compressing objects:  57% (4/7)        
remote: Compressing objects:  71% (5/7)        
remote: Compressing objects:  85% (6/7)        
remote: Compressing objects: 100% (7/7)        
remote: Compressing objects: 100% (7/7), done.        
remote: Total 11 (delta 1), reused 1 (delta 1), pack-reused 3 (from 2)        
From https://github.com/python/cpython
 * branch                    main       -> FETCH_HEAD
Note: switching to 'da8477b25c6124c961306d4d7cd5ec7dafda6be4'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at da8477b25c6 gh-139808: Add branch protections for aarch64 in asm_trampoline.S (#130864)
Switched to and reset branch 'main'

configure: WARNING: no system libmpdec found; falling back to pure-Python version for the decimal module
configure: WARNING: pkg-config is missing. Some dependencies may not be detected correctly.

configure: WARNING: pkg-config is missing. Some dependencies may not be detected correctly.
ld: warning: ignoring duplicate libraries: '-lm'
In file included from ../../Modules/_remote_debugging/module.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/gc_stats.c:7:
In file included from ../../Modules/_remote_debugging/gc_stats.h:14:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
In file included from ../../Modules/_remote_debugging/object_reading.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/code_objects.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
In file included from ../../Modules/_remote_debugging/frames.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
In file included from ../../Modules/_remote_debugging/frame_cache.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
1 warning generated.
1 warning generated.
In file included from ../../Modules/_remote_debugging/threads.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/asyncio.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/binary_io_writer.c:13:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
In file included from ../../Modules/_remote_debugging/binary_io_reader.c:13:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/interpreters.c:7:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
In file included from ../../Modules/_remote_debugging/subprocess.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../Modules/_remote_debugging/subprocess.c:100:1: warning: unused function 'find_children_bfs' [-Wunused-function]
  100 | find_children_bfs(pid_t target_pid, int recursive,
      | ^~~~~~~~~~~~~~~~~
2 warnings generated.
1 warning generated.
1 warning generated.
1 warning generated.
ld: warning: ignoring duplicate libraries: '-lm'
configure: WARNING: pkg-config is missing. Some dependencies may not be detected correctly.
ld: warning: ignoring duplicate libraries: '-lm'
In file included from ../../Modules/_remote_debugging/module.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/gc_stats.c:7:
In file included from ../../Modules/_remote_debugging/gc_stats.h:14:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
In file included from ../../Modules/_remote_debugging/object_reading.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
In file included from ../../Modules/_remote_debugging/frames.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/code_objects.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/frame_cache.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
1 warning generated.
1 warning generated.
In file included from ../../Modules/_remote_debugging/threads.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
1 warning generated.
In file included from ../../Modules/_remote_debugging/binary_io_writer.c:13:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/subprocess.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../Modules/_remote_debugging/subprocess.c:100:1: warning: unused function 'find_children_bfs' [-Wunused-function]
  100 | find_children_bfs(pid_t target_pid, int recursive,
      | ^~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/asyncio.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/binary_io_reader.c:13:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
In file included from ../../Modules/_remote_debugging/interpreters.c:7:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
1 warning generated.
1 warning generated.
1 warning generated.
ld: warning: ignoring duplicate libraries: '-lm'
configure: WARNING: x86_64-apple-ios-simulator/clang is not supported
configure: WARNING: pkg-config is missing. Some dependencies may not be detected correctly.
configure: WARNING:

Platform "x86_64-apple-ios-simulator" with compiler "clang" is not supported by the
CPython core team, see https://peps.python.org/pep-0011/ for more information.

/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(brc.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(dynamic_annotations.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(gc_free_threading.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(index_pool.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(jit.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(jit_publish.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(optimizer_analysis.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(optimizer_symbols.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(pystats.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(stackrefs.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(uniqueid.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(perf_jit_trampoline.o) has no symbols
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ranlib: file: libpython3.16.a(jit_unwind.o) has no symbols
ld: warning: ignoring duplicate libraries: '-lm'
In file included from ../../Modules/_remote_debugging/module.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/gc_stats.c:7:
In file included from ../../Modules/_remote_debugging/gc_stats.h:14:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
In file included from ../../Modules/_remote_debugging/object_reading.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/code_objects.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/frames.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
1 warning generated.
1 warning generated.
In file included from ../../Modules/_remote_debugging/frame_cache.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/threads.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
1 warning generated.
1 warning generated.
In file included from ../../Modules/_remote_debugging/asyncio.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/binary_io_writer.c:13:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/binary_io_reader.c:13:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../../Modules/_remote_debugging/subprocess.c:8:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../Modules/_remote_debugging/subprocess.c:100:1: warning: unused function 'find_children_bfs' [-Wunused-function]
  100 | find_children_bfs(pid_t target_pid, int recursive,
      | ^~~~~~~~~~~~~~~~~
2 warnings generated.
In file included from ../../Modules/_remote_debugging/interpreters.c:7:
In file included from ../../Modules/_remote_debugging/_remote_debugging.h:34:
../../Modules/_remote_debugging/../../Python/remote_debug.h:165:1: warning: unused function '_Py_RemoteDebug_ValidatePyRuntimeCookie' [-Wunused-function]
  165 | _Py_RemoteDebug_ValidatePyRuntimeCookie(proc_handle_t *handle, uintptr_t address)
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
1 warning generated.
1 warning generated.
1 warning generated.
ld: warning: ignoring duplicate libraries: '-lm'

--- xcodebuild: WARNING: Using the first of multiple matching destinations:
{ platform:iOS Simulator, id:4F9AFDE7-A49A-46AD-B161-FCA22E48EA55, OS:18.3.1, name:iPhone SE (3rd generation) }
{ platform:iOS Simulator, id:4F9AFDE7-A49A-46AD-B161-FCA22E48EA55, OS:18.3.1, name:iPhone SE (3rd generation) }

[vstinner]

Merged, thanks for the fix. I backported it to 3.15.