Clarify operands of BRK, add tests

atrosinenko · atrosinenko · commit abe2b92bd354 · 2025-07-31T18:53:56.000+03:00
diff --git a/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp b/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
@@ -1757,7 +1757,16 @@ class AArch64MCPlusBuilder : public MCPlusBuilder {
       // Explicit Pointer Authentication check failed, see
       // AArch64AsmPrinter::emitPtrauthCheckAuthenticatedValue().
       return true;
+    case 0x1:
+      // __builtin_trap(), as emitted by Clang.
+      return true;
+    case 0x3e8: // decimal 1000
+      // __builtin_trap(), as emitted by GCC.
+      return true;
     default:
+      // Some constants may indicate intentionally recoverable break-points.
+      // This is the case at least for 0xf000, which is used by
+      // __builtin_debugtrap() supported by Clang.
       return false;
     }
   }
diff --git a/bolt/test/binary-analysis/AArch64/trap-instructions.s b/bolt/test/binary-analysis/AArch64/trap-instructions.s
@@ -0,0 +1,213 @@
+// RUN: %clang %cflags -march=armv8.3-a %s -o %t.exe -Wl,--emit-relocs
+// RUN: llvm-bolt-binary-analysis --scanners=pauth %t.exe 2>&1 | FileCheck %s
+
+// Test what instructions can be used to terminate the program abnormally
+// on security violation.
+//
+// All test cases have the same structure:
+//
+//      cbz     x0, 1f    // [a], ensures [c] is never reported as unreachable
+//      autia   x2, x3
+//      cbz     x1, 2f    // [b]
+//      [instruction under test]
+// 1:
+//      ret               // [c]
+// 2:
+//      ldr     x0, [x2]
+//      ret
+//
+// This is to handle three possible cases: the instruction under test may be
+// considered by BOLT as
+// * trapping (and thus no-return): after being authenticated, x2 is ether
+//   checked by LDR (if [b] is taken) or the program is terminated
+//   immediately without leaking x2 (if [b] falls through to the trapping
+//   instruction under test). Nothing is reported.
+// * non-trapping, but no-return (such as calling abort()): x2 is leaked if [b]
+//   falls through. Authentication oracle is reported.
+// * non-trapping and falling-through (i.e. a regular instruction):
+//   x2 is leaked by [c]. Authentication oracle is reported.
+
+        .text
+
+        .globl  brk_key_ia
+        .type   brk_key_ia,@function
+brk_key_ia:
+// CHECK-NOT: brk_key_ia
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        brk     0xc470
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   brk_key_ia, .-brk_key_ia
+
+        .globl  brk_key_ib
+        .type   brk_key_ib,@function
+brk_key_ib:
+// CHECK-NOT: brk_key_ib
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        brk     0xc471
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   brk_key_ib, .-brk_key_ib
+
+        .globl  brk_key_da
+        .type   brk_key_da,@function
+brk_key_da:
+// CHECK-NOT: brk_key_da
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        brk     0xc472
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   brk_key_da, .-brk_key_da
+
+        .globl  brk_key_db
+        .type   brk_key_db,@function
+brk_key_db:
+// CHECK-NOT: brk_key_db
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        brk     0xc473
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   brk_key_db, .-brk_key_db
+
+// The immediate operand of BRK instruction may indicate whether the instruction
+// is intended to be a non-recoverable trap: for example, for this code
+//
+//     int test_trap(void) {
+//       __builtin_trap();
+//       return 42;
+//     }
+//     int test_debugtrap(void) {
+//       __builtin_debugtrap();
+//       return 42;
+//     }
+//
+// Clang produces the following assembly:
+//
+//     test_trap:
+//             brk     #0x1
+//     test_debugtrap:
+//             brk     #0xf000
+//             mov     w0, #42
+//             ret
+//
+// In GCC, __builtin_trap() uses "brk 0x3e8" (i.e. decimal 1000) and
+// __builtin_debugtrap() is not supported.
+//
+// At the time of writing these test cases, any BRK instruction is considered
+// no-return by BOLT, thus it ends its basic block and prevents falling through
+// to the next BB.
+// FIXME: Make BOLT handle __builtin_debugtrap() properly from the CFG point
+//        of view.
+
+        .globl  brk_gcc_builtin_trap
+        .type   brk_gcc_builtin_trap,@function
+brk_gcc_builtin_trap:
+// CHECK-NOT: brk_gcc_builtin_trap
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        brk     0x3e8     // __builtin_trap()
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   brk_gcc_builtin_trap, .-brk_gcc_builtin_trap
+
+        .globl  brk_clang_builtin_trap
+        .type   brk_clang_builtin_trap,@function
+brk_clang_builtin_trap:
+// CHECK-NOT: brk_clang_builtin_trap
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        brk     0x1       // __builtin_trap()
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   brk_clang_builtin_trap, .-brk_clang_builtin_trap
+
+        .globl  brk_clang_builtin_debugtrap
+        .type   brk_clang_builtin_debugtrap,@function
+brk_clang_builtin_debugtrap:
+// CHECK-LABEL: GS-PAUTH: authentication oracle found in function brk_clang_builtin_debugtrap, basic block {{[^,]+}}, at address
+// CHECK-NEXT:  The instruction is     {{[0-9a-f]+}}:      autia   x2, x3
+// CHECK-NEXT:  The 0 instructions that leak the affected registers are:
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        brk     0xf000    // __builtin_debugtrap()
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   brk_clang_builtin_debugtrap, .-brk_clang_builtin_debugtrap
+
+// Conservatively assume BRK with an unknown immediate operand as not suitable
+// for terminating the program on security violation.
+        .globl  brk_unknown_imm
+        .type   brk_unknown_imm,@function
+brk_unknown_imm:
+// CHECK-LABEL: GS-PAUTH: authentication oracle found in function brk_unknown_imm, basic block {{[^,]+}}, at address
+// CHECK-NEXT:  The instruction is     {{[0-9a-f]+}}:      autia   x2, x3
+// CHECK-NEXT:  The 0 instructions that leak the affected registers are:
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        brk     0x3572
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   brk_unknown_imm, .-brk_unknown_imm
+
+// Conservatively assume calling the abort() function may be an unsafe way to
+// terminate the program, as there is some amount of instructions that would
+// be executed when the program state is already tampered with.
+        .globl  call_abort_fn
+        .type   call_abort_fn,@function
+call_abort_fn:
+// CHECK-LABEL: GS-PAUTH: authentication oracle found in function call_abort_fn, basic block {{[^,]+}}, at address
+// CHECK-NEXT:  The instruction is     {{[0-9a-f]+}}:      autia   x2, x3
+// CHECK-NEXT:  The 0 instructions that leak the affected registers are:
+        cbz     x0, 1f
+        autia   x2, x3
+        cbz     x1, 2f
+        b       abort    // a no-return tail call to abort()
+1:
+        ret
+2:
+        ldr     x0, [x2]
+        ret
+        .size   call_abort_fn, .-call_abort_fn
+
+        .globl  main
+        .type   main,@function
+main:
+        mov     x0, 0
+        ret
+        .size   main, .-main
