[AArch64][PAC] Sign block addresses used in indirectbr. #97647
Conversation
✅ With the latest revision this PR passed the C/C++ code formatter.

Enabled in clang using:

```
-fptrauth-indirect-gotos
```

and at the IR level using function attribute:

```
"ptrauth-indirect-gotos"
```

Signing uses IA and a per-function integer discriminator. The discriminator isn't ABI-visible, and is currently:

```
ptrauth_string_discriminator("<function_name> blockaddress")
```

A sufficiently sophisticated frontend could benefit from per-indirectbr discrimination, which would need additional machinery, such as allowing "ptrauth" bundles on indirectbr. For our purposes, the simple scheme above is sufficient.
Please make sure you have a testcase for computing the difference between two blockaddresses (

Oh yeah, we can't handle that at all, I don't think! The best we can do is probably to declare it disallowed and try to diagnose it in the frontend as best we can. I don't think we ever looked into that, I'll give it a try.

edit: on second thought it might end up working out with the final add on the goto; the offsets won't make sense but I suppose that's unlikely to be a real problem. I didn't hit issues with this before, but that's probably only because we don't have this pattern ;) Let me think it through
@llvm/pr-subscribers-clang-codegen @llvm/pr-subscribers-clang

Author: Ahmed Bougacha (ahmedbougacha)

Changes: same as the PR description above.

Patch is 28.91 KiB, truncated to 20.00 KiB below, full version: https://github.com/llvm/llvm-project/pull/97647.diff

20 Files Affected:
diff --git a/clang/include/clang/Basic/Features.def b/clang/include/clang/Basic/Features.def
index 53f410d3cb4bd..cf800afe08557 100644
--- a/clang/include/clang/Basic/Features.def
+++ b/clang/include/clang/Basic/Features.def
@@ -108,6 +108,7 @@ FEATURE(ptrauth_calls, LangOpts.PointerAuthCalls)
FEATURE(ptrauth_returns, LangOpts.PointerAuthReturns)
FEATURE(ptrauth_vtable_pointer_address_discrimination, LangOpts.PointerAuthVTPtrAddressDiscrimination)
FEATURE(ptrauth_vtable_pointer_type_discrimination, LangOpts.PointerAuthVTPtrTypeDiscrimination)
+FEATURE(ptrauth_indirect_gotos, LangOpts.PointerAuthIndirectGotos)
FEATURE(ptrauth_member_function_pointer_type_discrimination, LangOpts.PointerAuthCalls)
FEATURE(ptrauth_init_fini, LangOpts.PointerAuthInitFini)
EXTENSION(swiftcc,
diff --git a/clang/include/clang/Basic/LangOptions.def b/clang/include/clang/Basic/LangOptions.def
index 491759e2fcdbb..bdf77a5b35208 100644
--- a/clang/include/clang/Basic/LangOptions.def
+++ b/clang/include/clang/Basic/LangOptions.def
@@ -165,6 +165,7 @@ LANGOPT(ExperimentalLibrary, 1, 0, "enable unstable and experimental library fea
LANGOPT(PointerAuthIntrinsics, 1, 0, "pointer authentication intrinsics")
LANGOPT(PointerAuthCalls , 1, 0, "function pointer authentication")
LANGOPT(PointerAuthReturns, 1, 0, "return pointer authentication")
+LANGOPT(PointerAuthIndirectGotos, 1, 0, "indirect gotos pointer authentication")
LANGOPT(PointerAuthAuthTraps, 1, 0, "pointer authentication failure traps")
LANGOPT(PointerAuthVTPtrAddressDiscrimination, 1, 0, "incorporate address discrimination in authenticated vtable pointers")
LANGOPT(PointerAuthVTPtrTypeDiscrimination, 1, 0, "incorporate type discrimination in authenticated vtable pointers")
diff --git a/clang/include/clang/Basic/PointerAuthOptions.h b/clang/include/clang/Basic/PointerAuthOptions.h
index 197d63642ca6d..2711639dbe299 100644
--- a/clang/include/clang/Basic/PointerAuthOptions.h
+++ b/clang/include/clang/Basic/PointerAuthOptions.h
@@ -154,6 +154,9 @@ class PointerAuthSchema {
};
struct PointerAuthOptions {
+ /// Do indirect goto label addresses need to be authenticated?
+ bool IndirectGotos = false;
+
/// The ABI for C function pointers.
PointerAuthSchema FunctionPointers;
diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td
index 58ca6f2bea9e4..791b7261ddbda 100644
--- a/clang/include/clang/Driver/Options.td
+++ b/clang/include/clang/Driver/Options.td
@@ -4228,6 +4228,8 @@ defm ptrauth_vtable_pointer_address_discrimination :
defm ptrauth_vtable_pointer_type_discrimination :
OptInCC1FFlag<"ptrauth-vtable-pointer-type-discrimination", "Enable type discrimination of vtable pointers">;
defm ptrauth_init_fini : OptInCC1FFlag<"ptrauth-init-fini", "Enable signing of function pointers in init/fini arrays">;
+defm ptrauth_indirect_gotos : OptInCC1FFlag<"ptrauth-indirect-gotos",
+ "Enable signing and authentication of indirect goto targets">;
}
def fenable_matrix : Flag<["-"], "fenable-matrix">, Group<f_Group>,
diff --git a/clang/lib/CodeGen/CodeGenFunction.cpp b/clang/lib/CodeGen/CodeGenFunction.cpp
index 26deeca95d326..33cb07a5bc832 100644
--- a/clang/lib/CodeGen/CodeGenFunction.cpp
+++ b/clang/lib/CodeGen/CodeGenFunction.cpp
@@ -865,6 +865,8 @@ void CodeGenFunction::StartFunction(GlobalDecl GD, QualType RetTy,
const CodeGenOptions &CodeGenOpts = CGM.getCodeGenOpts();
if (CodeGenOpts.PointerAuth.FunctionPointers)
Fn->addFnAttr("ptrauth-calls");
+ if (CodeGenOpts.PointerAuth.IndirectGotos)
+ Fn->addFnAttr("ptrauth-indirect-gotos");
// Apply xray attributes to the function (as a string, for now)
bool AlwaysXRayAttr = false;
diff --git a/clang/lib/Driver/ToolChains/Clang.cpp b/clang/lib/Driver/ToolChains/Clang.cpp
index aa285c39f14b4..f9dba2c9f22cd 100644
--- a/clang/lib/Driver/ToolChains/Clang.cpp
+++ b/clang/lib/Driver/ToolChains/Clang.cpp
@@ -1789,6 +1789,9 @@ void Clang::AddAArch64TargetArgs(const ArgList &Args,
options::OPT_fno_ptrauth_vtable_pointer_type_discrimination);
Args.addOptInFlag(CmdArgs, options::OPT_fptrauth_init_fini,
options::OPT_fno_ptrauth_init_fini);
+
+ Args.addOptInFlag(CmdArgs, options::OPT_fptrauth_indirect_gotos,
+ options::OPT_fno_ptrauth_indirect_gotos);
}
void Clang::AddLoongArchTargetArgs(const ArgList &Args,
diff --git a/clang/lib/Frontend/CompilerInvocation.cpp b/clang/lib/Frontend/CompilerInvocation.cpp
index f42e28ba7e629..a64e394a7754e 100644
--- a/clang/lib/Frontend/CompilerInvocation.cpp
+++ b/clang/lib/Frontend/CompilerInvocation.cpp
@@ -1480,13 +1480,14 @@ void CompilerInvocation::setDefaultPointerAuthOptions(
Opts.CXXVirtualFunctionPointers = Opts.CXXVirtualVariadicFunctionPointers =
PointerAuthSchema(Key::ASIA, true, Discrimination::Decl);
}
+ Opts.IndirectGotos = LangOpts.PointerAuthIndirectGotos;
}
static void parsePointerAuthOptions(PointerAuthOptions &Opts,
const LangOptions &LangOpts,
const llvm::Triple &Triple,
DiagnosticsEngine &Diags) {
- if (!LangOpts.PointerAuthCalls)
+ if (!LangOpts.PointerAuthCalls && !LangOpts.PointerAuthIndirectGotos)
return;
CompilerInvocation::setDefaultPointerAuthOptions(Opts, LangOpts, Triple);
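Review bot: relaxing the early return to `if (!LangOpts.PointerAuthCalls && !LangOpts.PointerAuthIndirectGotos)` means setDefaultPointerAuthOptions now runs for a translation unit built with only -fptrauth-indirect-gotos. The hunk shows `Opts.IndirectGotos = LangOpts.PointerAuthIndirectGotos;` placed right after a block that assigns the `CXXVirtualFunctionPointers` schemas, but not the condition guarding that block; please confirm those schema assignments are still gated on PointerAuthCalls, so that enabling indirect-goto signing alone does not silently turn on function-pointer signing, and add a test for that flag combination.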
@@ -3390,6 +3391,8 @@ static void GeneratePointerAuthArgs(const LangOptions &Opts,
GenerateArg(Consumer, OPT_fptrauth_calls);
if (Opts.PointerAuthReturns)
GenerateArg(Consumer, OPT_fptrauth_returns);
+ if (Opts.PointerAuthIndirectGotos)
+ GenerateArg(Consumer, OPT_fptrauth_indirect_gotos);
if (Opts.PointerAuthAuthTraps)
GenerateArg(Consumer, OPT_fptrauth_auth_traps);
if (Opts.PointerAuthVTPtrAddressDiscrimination)
@@ -3405,6 +3408,7 @@ static void ParsePointerAuthArgs(LangOptions &Opts, ArgList &Args,
Opts.PointerAuthIntrinsics = Args.hasArg(OPT_fptrauth_intrinsics);
Opts.PointerAuthCalls = Args.hasArg(OPT_fptrauth_calls);
Opts.PointerAuthReturns = Args.hasArg(OPT_fptrauth_returns);
+ Opts.PointerAuthIndirectGotos = Args.hasArg(OPT_fptrauth_indirect_gotos);
Opts.PointerAuthAuthTraps = Args.hasArg(OPT_fptrauth_auth_traps);
Opts.PointerAuthVTPtrAddressDiscrimination =
Args.hasArg(OPT_fptrauth_vtable_pointer_address_discrimination);
diff --git a/clang/test/CodeGen/ptrauth-function-attributes.c b/clang/test/CodeGen/ptrauth-function-attributes.c
index 7ec30498b9d35..7f93ccc7c4bce 100644
--- a/clang/test/CodeGen/ptrauth-function-attributes.c
+++ b/clang/test/CodeGen/ptrauth-function-attributes.c
@@ -4,10 +4,15 @@
// RUN: %clang_cc1 -triple arm64-apple-ios -fptrauth-calls -emit-llvm %s -o - | FileCheck %s --check-prefixes=ALL,CALLS
// RUN: %clang_cc1 -triple aarch64-linux-gnu -fptrauth-calls -emit-llvm %s -o - | FileCheck %s --check-prefixes=ALL,CALLS
+// RUN: %clang_cc1 -triple arm64-apple-ios -fptrauth-indirect-gotos -emit-llvm %s -o - | FileCheck %s --check-prefixes=ALL,GOTOS
+// RUN: %clang_cc1 -triple arm64e-apple-ios -fptrauth-indirect-gotos -emit-llvm %s -o - | FileCheck %s --check-prefixes=ALL,GOTOS
+
// ALL: define {{(dso_local )?}}void @test() #0
void test() {
}
// CALLS: attributes #0 = {{{.*}} "ptrauth-calls" {{.*}}}
+// GOTOS: attributes #0 = {{{.*}} "ptrauth-indirect-gotos" {{.*}}}
+
// OFF-NOT: attributes {{.*}} "ptrauth-
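Review bot: the two new RUN lines only assert that `"ptrauth-indirect-gotos"` is present in the attribute set. Add a negative check such as `// GOTOS-NOT: "ptrauth-calls"` so the test proves the flag does not imply the other ptrauth attributes (parsePointerAuthOptions now enters setDefaultPointerAuthOptions for this flag), and, as the CALLS case does, cover an ELF triple like `aarch64-linux-gnu` rather than only the two Apple triples.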
diff --git a/llvm/docs/PointerAuth.md b/llvm/docs/PointerAuth.md
index cf2cc6305f130..e027c902e58e1 100644
--- a/llvm/docs/PointerAuth.md
+++ b/llvm/docs/PointerAuth.md
@@ -18,6 +18,9 @@ At the IR level, it is represented using:
* a [set of intrinsics](#intrinsics) (to sign/authenticate pointers)
* a [signed pointer constant](#constant) (to sign globals)
* a [call operand bundle](#operand-bundle) (to authenticate called pointers)
+* a [set of function attributes](#function-attributes) (to describe what
+ pointers are signed and how, to control implicit codegen in the backend, as
+ well as preserve invariants in the mid-level optimizer)
The current implementation leverages the
[Armv8.3-A PAuth/Pointer Authentication Code](#armv8-3-a-pauth-pointer-authentication-code)
@@ -287,6 +290,27 @@ but with the added guarantee that `%fp_i`, `%fp_auth`, and `%fp_auth_p`
are not stored to (and reloaded from) memory.
+### Function Attributes
+
+Some function attributes are used to describe other pointer authentication
+operations that are not otherwise explicitly expressed in IR.
+
+#### ``ptrauth-indirect-gotos``
+
+``ptrauth-indirect-gotos`` specifies that indirect gotos in this function
+should authenticate their target. At the IR level, no other change is needed.
+When lowering [``blockaddress`` constants](https://llvm.org/docs/LangRef.html#blockaddress),
+and [``indirectbr`` instructions](https://llvm.org/docs/LangRef.html#i-indirectbr),
+this tells the backend to respectively sign and authenticate the pointers.
+
+The specific scheme isn't ABI-visible. Currently, the AArch64 backend
+signs blockaddresses using the `ASIA` key, with an integer discriminator
+derived from the parent function's name, using the SipHash stable discriminator:
+```
+ ptrauth_string_discriminator("<function_name> blockaddress")
+```
+
+
## AArch64 Support
AArch64 is currently the only architecture with full support of the pointer
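Review bot: the new ``ptrauth-indirect-gotos`` section should state the limitation that comes with signed block addresses: arithmetic on them, in particular the difference of two `blockaddress` constants that some computed-goto tables use as offsets, cannot be lowered once the operands carry signature bits, so a frontend that sets this attribute has to reject such expressions. It is also worth saying that the discriminator is per function rather than per `indirectbr`, so one signed block address in a function can stand in for another in the same function. Minor: the hunk ends with two consecutive blank lines before `## AArch64 Support`; one is enough.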
diff --git a/llvm/include/llvm/CodeGen/AsmPrinter.h b/llvm/include/llvm/CodeGen/AsmPrinter.h
index a60dce30c4a6c..290da83cee35f 100644
--- a/llvm/include/llvm/CodeGen/AsmPrinter.h
+++ b/llvm/include/llvm/CodeGen/AsmPrinter.h
@@ -577,6 +577,9 @@ class AsmPrinter : public MachineFunctionPass {
report_fatal_error("ptrauth constant lowering not implemented");
}
+ /// Lower the specified BlockAddress to an MCExpr.
+ virtual const MCExpr *lowerBlockAddressConstant(const BlockAddress &BA);
+
/// Return true if the basic block has exactly one predecessor and the control
/// transfer mechanism between the predecessor and this block is a
/// fall-through.
diff --git a/llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp b/llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp
index c52cbff689dc5..724b7cd94adee 100644
--- a/llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp
+++ b/llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp
@@ -3139,7 +3139,7 @@ const MCExpr *AsmPrinter::lowerConstant(const Constant *CV) {
return MCSymbolRefExpr::create(getSymbol(GV), Ctx);
if (const BlockAddress *BA = dyn_cast<BlockAddress>(CV))
- return MCSymbolRefExpr::create(GetBlockAddressSymbol(BA), Ctx);
+ return lowerBlockAddressConstant(*BA);
if (const auto *Equiv = dyn_cast<DSOLocalEquivalent>(CV))
return getObjFileLowering().lowerDSOLocalEquivalent(Equiv, TM);
@@ -3821,6 +3821,10 @@ MCSymbol *AsmPrinter::GetBlockAddressSymbol(const BasicBlock *BB) const {
return const_cast<AsmPrinter *>(this)->getAddrLabelSymbol(BB);
}
+const MCExpr *AsmPrinter::lowerBlockAddressConstant(const BlockAddress &BA) {
+ return MCSymbolRefExpr::create(GetBlockAddressSymbol(&BA), OutContext);
+}
+
/// GetCPISymbol - Return the symbol for the specified constant pool entry.
MCSymbol *AsmPrinter::GetCPISymbol(unsigned CPID) const {
if (getSubtargetInfo().getTargetTriple().isWindowsMSVCEnvironment()) {
diff --git a/llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp b/llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp
index 64d41d4147644..093208bf70cda 100644
--- a/llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp
+++ b/llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp
@@ -93,6 +93,8 @@ class AArch64AsmPrinter : public AsmPrinter {
const MCExpr *lowerConstantPtrAuth(const ConstantPtrAuth &CPA) override;
+ const MCExpr *lowerBlockAddressConstant(const BlockAddress &BA) override;
+
void emitStartOfAsmFile(Module &M) override;
void emitJumpTableInfo() override;
std::tuple<const MCSymbol *, uint64_t, const MCSymbol *,
@@ -128,7 +130,7 @@ class AArch64AsmPrinter : public AsmPrinter {
void emitSled(const MachineInstr &MI, SledKind Kind);
- // Emit the sequence for BLRA (authenticate + branch).
+ // Emit the sequence for BRA/BLRA (authenticate + branch/call).
void emitPtrauthBranch(const MachineInstr *MI);
// Emit the sequence to compute a discriminator into x17, or reuse AddrDisc.
unsigned emitPtrauthDiscriminator(uint16_t Disc, unsigned AddrDisc,
@@ -1581,6 +1583,7 @@ unsigned AArch64AsmPrinter::emitPtrauthDiscriminator(uint16_t Disc,
void AArch64AsmPrinter::emitPtrauthBranch(const MachineInstr *MI) {
unsigned InstsEmitted = 0;
+ bool IsCall = MI->getOpcode() == AArch64::BLRA;
unsigned BrTarget = MI->getOperand(0).getReg();
auto Key = (AArch64PACKey::ID)MI->getOperand(1).getImm();
@@ -1597,10 +1600,17 @@ void AArch64AsmPrinter::emitPtrauthBranch(const MachineInstr *MI) {
bool IsZeroDisc = DiscReg == AArch64::XZR;
unsigned Opc;
- if (Key == AArch64PACKey::IA)
- Opc = IsZeroDisc ? AArch64::BLRAAZ : AArch64::BLRAA;
- else
- Opc = IsZeroDisc ? AArch64::BLRABZ : AArch64::BLRAB;
+ if (IsCall) {
+ if (Key == AArch64PACKey::IA)
+ Opc = IsZeroDisc ? AArch64::BLRAAZ : AArch64::BLRAA;
+ else
+ Opc = IsZeroDisc ? AArch64::BLRABZ : AArch64::BLRAB;
+ } else {
+ if (Key == AArch64PACKey::IA)
+ Opc = IsZeroDisc ? AArch64::BRAAZ : AArch64::BRAA;
+ else
+ Opc = IsZeroDisc ? AArch64::BRABZ : AArch64::BRAB;
+ }
MCInst BRInst;
BRInst.setOpcode(Opc);
@@ -1866,6 +1876,20 @@ void AArch64AsmPrinter::LowerMOVaddrPAC(const MachineInstr &MI) {
assert(STI->getInstrInfo()->getInstSizeInBytes(MI) >= InstsEmitted * 4);
}
+const MCExpr *
+AArch64AsmPrinter::lowerBlockAddressConstant(const BlockAddress &BA) {
+ const MCExpr *BAE = AsmPrinter::lowerBlockAddressConstant(BA);
+ const Function &Fn = *BA.getFunction();
+
+ if (std::optional<uint16_t> BADisc =
+ STI->getPtrAuthBlockAddressDiscriminator(Fn))
+ return AArch64AuthMCExpr::create(BAE, *BADisc, AArch64PACKey::IA,
+ /* HasAddressDiversity= */ false,
+ OutContext);
+
+ return BAE;
+}
+
// Simple pseudo-instructions have their lowering (with expansion to real
// instructions) auto-generated.
#include "AArch64GenMCPseudoLowering.inc"
@@ -2010,6 +2034,7 @@ void AArch64AsmPrinter::emitInstruction(const MachineInstr *MI) {
LowerMOVaddrPAC(*MI);
return;
+ case AArch64::BRA:
case AArch64::BLRA:
emitPtrauthBranch(MI);
return;
diff --git a/llvm/lib/Target/AArch64/AArch64FastISel.cpp b/llvm/lib/Target/AArch64/AArch64FastISel.cpp
index e3c5a143b2889..1a99a905a47d8 100644
--- a/llvm/lib/Target/AArch64/AArch64FastISel.cpp
+++ b/llvm/lib/Target/AArch64/AArch64FastISel.cpp
@@ -2516,6 +2516,10 @@ bool AArch64FastISel::selectIndirectBr(const Instruction *I) {
if (AddrReg == 0)
return false;
+ // Authenticated indirectbr is not implemented yet.
+ if (FuncInfo.MF->getFunction().hasFnAttribute("ptrauth-indirect-gotos"))
+ return false;
+
// Emit the indirect branch.
const MCInstrDesc &II = TII.get(AArch64::BR);
AddrReg = constrainOperandRegClass(II, AddrReg, II.getNumDefs());
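Review bot: returning false so that SelectionDAG handles the authenticated case is the right safe default here; please add a `-fast-isel` (or `-O0`) test that exercises this path, otherwise a later FastISel change could emit a plain `BR` for a function carrying `"ptrauth-indirect-gotos"` without any test noticing.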
diff --git a/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp b/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
index e0c3cc5eddb82..8978b254f40a3 100644
--- a/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
+++ b/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
@@ -85,6 +85,7 @@
#include "llvm/Support/InstructionCost.h"
#include "llvm/Support/KnownBits.h"
#include "llvm/Support/MathExtras.h"
+#include "llvm/Support/SipHash.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Target/TargetMachine.h"
#include "llvm/Target/TargetOptions.h"
@@ -509,6 +510,7 @@ AArch64TargetLowering::AArch64TargetLowering(const TargetMachine &TM,
setOperationAction(ISD::SELECT_CC, MVT::f64, Custom);
setOperationAction(ISD::BR_JT, MVT::Other, Custom);
setOperationAction(ISD::JumpTable, MVT::i64, Custom);
+ setOperationAction(ISD::BRIND, MVT::Other, Custom);
setOperationAction(ISD::SETCCCARRY, MVT::i64, Custom);
setOperationAction(ISD::PtrAuthGlobalAddress, MVT::i64, Custom);
@@ -6694,6 +6696,8 @@ SDValue AArch64TargetLowering::LowerOperation(SDValue Op,
return LowerJumpTable(Op, DAG);
case ISD::BR_JT:
return LowerBR_JT(Op, DAG);
+ case ISD::BRIND:
+ return LowerBRIND(Op, DAG);
case ISD::ConstantPool:
return LowerConstantPool(Op, DAG);
case ISD::BlockAddress:
@@ -10685,6 +10689,26 @@ SDValue AArch64TargetLowering::LowerBR_JT(SDValue Op,
return DAG.getNode(ISD::BRIND, DL, MVT::Other, JTInfo, SDValue(Dest, 0));
}
+SDValue AArch64TargetLowering::LowerBRIND(SDValue Op, SelectionDAG &DAG) const {
+ MachineFunction &MF = DAG.getMachineFunction();
+ std::optional<uint16_t> BADisc =
+ Subtarget->getPtrAuthBlockAddressDiscriminator(MF.getFunction());
+ if (!BADisc)
+ return SDValue();
+
+ SDLoc DL(Op);
+ SDValue Chain = Op.getOperand(0);
+ SDValue Dest = Op.getOperand(1);
+
+ SDValue Disc = DAG.getTargetConstant(*BADisc, DL, MVT::i64);
+ SDValue Key = DAG.getTargetConstant(AArch64PACKey::IA, DL, MVT::i32);
+ SDValue AddrDisc = DAG.getRegister(AArch64::XZR, MVT::i64);
+
+ SDNode *BrA = DAG.getMachineNode(AArch64::BRA, DL, MVT::Other,
+ {Dest, Key, Disc, AddrDisc, Chain});
+ return SDValue(BrA, 0);
+}
+
SDValue AArch64TargetLowering::LowerConstantPool(SDValue Op,
SelectionDAG &DAG) const {
ConstantPoolSDNode *CP = cast<ConstantPoolSDNode>(Op);
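Review bot: LowerBRIND runs for every ISD::BRIND in a function with the attribute, including the one LowerBR_JT produces (the hunk's leading context shows `return DAG.getNode(ISD::BRIND, DL, MVT::Other, JTInfo, SDValue(Dest, 0));`). A jump-table target is never signed, so lowering that branch to `AArch64::BRA` makes authentication fail at runtime for any switch compiled to a jump table. Either check whether `Dest` comes from the jump-table lowering (for example `AArch64::JumpTableDest32`) and return SDValue() in that case, or give the backend a separate AArch64 BR_JT node so the two kinds of indirect branch cannot be confused; a test with a switch and an indirect goto in the same function would catch this.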
@@ -10704,15 +10728,36 @@ SDValue AArch64TargetLowering::LowerConstantPool(SDValue Op,
SDValue AArch64TargetLowering::LowerBlockAddress(SDValue Op,
SelectionDAG &DAG) const {
- BlockAddressSDNode *BA = cast<BlockAddressSDNode>(Op);
+ BlockAddressSDNode *BAN = cast<BlockAddressSDNode>(Op);
+ const BlockAddress *BA = BAN->getBlockAddress();
+
+ if (std::optional<uint16_t> BADisc =
+ Subtarget->getPtrAuthBlockAddressDiscriminator(*BA->getFunction())) {
+ SDLoc DL(Op);
+
+ // This isn't cheap, but BRIND is rare.
+ SDValue TargetBA = DAG.getTargetBlockAddress(BA, BAN->getValueType(0));
+
+ SDValue Disc = DAG.getTargetConstant(*BADisc, DL, MVT::i64);
+
+ SDValue Key = DAG.getTargetConstant(AArch64PACKey::IA, DL, MVT::i32);
+ SDValue AddrDisc = DAG.getRegister(AArch64::XZR, MVT::i64);
+
+ SDNode *MOV =
+ DAG.getMachineNode(AArch64::MOVaddrPAC, DL, {MVT::Other, MVT::Glue},
+ {TargetBA, Key, AddrDisc, Disc});
+ return DAG.getCopyFromReg(SDValue(MOV, 0), DL, AArch64::X16, MVT::i64,
+ SDValue(MOV, 1));
+ }
+
CodeModel::Model CM = getTargetMachine().getCodeModel();
if (CM == CodeModel::Large && !Subtarget->isTargetMachO()) {
if (!getTargetMachine().isPositionIndependent())
- return getAddrLarge(BA, DAG);
+ return getAddrLarge(BAN, DAG);
} else if (CM == CodeModel::Tiny) {
- return getAddrTiny(BA, DAG);
+ return getAddrTiny(BAN, DAG);
}
- return getAddr(BA, DAG);
+ return getAddr(BAN, DAG);
}
SDValue AArch64TargetLowering::LowerDarwin_VASTART(SDValue Op,
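Review bot: `AddrDisc` is `XZR` and `Disc` is the per-function constant, so every block address in a function is signed under the same modifier. That stops an arbitrary write from becoming a branch to an arbitrary address, but it does allow one signed label address to be swapped for another from the same function; the `// This isn't cheap, but BRIND is rare.` comment is a good place to record that property and the reason address diversity was not used, so the next reader does not assume the scheme is stronger than it is.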
diff --git a/llvm/lib/Target/AArch64/AArch64ISelLowering.h b/llvm/lib/Target/AArch64/AArch64ISelLowering.h
index 047c852bb01d2..69386dac318ca 100644
--- a/llvm/lib/Target/AArch64/AArch64ISelLowering.h
+++ b/llvm/lib/Target/AArch64/AArch64ISelLowering.h
@@ -1143,6 +1143,7 @@ class AArch64TargetLowering : public TargetLowering {
SelectionDAG &DAG) const;
SDValue LowerJumpTable(SDValue Op, SelectionDAG &DAG) const;
SDValue LowerBR_JT(SDValue Op, SelectionDAG &DAG) const;
+ SDValue LowerBRIND(SDValue Op, SelectionDAG &DAG) const;
SDValue LowerConstantPool(SDValue Op, SelectionDAG &DAG) const;
SDValue LowerBlockAddress(SDValue Op, SelectionDAG &DAG) const;
SDValue LowerAAPCS_VASTART(SDValue Op, SelectionDAG &DAG) const;
diff --git a/llvm/lib/Target/AArch64/AArch64InstrInfo.td b/llvm/lib/Target/AArch64/AArch64InstrInfo.td
index 1e06d5fdc7562..a65e5c68a24ad 100644
--- a/llvm/lib/Target/AArch64/AArch64InstrInfo.td
+++ b/llvm/lib/Target/AArch64/AArch64InstrInfo.td
@@ -1755,6 +1755,24 @@ let Predicates = [HasPAuth] in {
let Uses = [SP];
}
+ // BRA pseudo, generalized version of BRAA/BRAB/Z.
+ // This directly manipulates x16/x17, which are the only registers the OS
+ // guarantees are safe to use for sensit...
[truncated]
LGTM with several nits, but @efriedma-quic's concern about computing the difference between two blockaddresses should be addressed before merging this. I suppose it might be OK just to explicitly not support this for now and implement+test a proper error message (if it's too time-consuming to have full support right now).

@@ -1789,6 +1789,9 @@ void Clang::AddAArch64TargetArgs(const ArgList &Args,
                       options::OPT_fno_ptrauth_vtable_pointer_type_discrimination);
     Args.addOptInFlag(CmdArgs, options::OPT_fptrauth_init_fini,
                       options::OPT_fno_ptrauth_init_fini);

Nit: there is no empty line between previous Args.addOptInFlag(...)
invocations, so probably this new line should also be deleted.
Feel free to ignore
The whitespaces help differentiate the different classes of fptrauth features (here frontendy vs backendy); TBH we should probably have more, not less
@@ -412,6 +412,15 @@ class AArch64Subtarget final : public AArch64GenSubtargetInfo {
   /// Choose a method of checking LR before performing a tail call.
   AArch64PAuth::AuthCheckMethod getAuthenticatedLRCheckMethod() const;

   /// Compute the integer discriminator for a given BlockAddress constant, if
   /// blockaddress signing is enabled (using function attribute
   /// "ptrauth-indirect-gotos").
Nit: it might be worth explicitly saying that the `std::nullopt` return value stands for disabled indirect gotos signing: someone might mistakenly think that `std::nullopt` might indicate an absent discriminator (say, zero discr by default) with signing enabled.

Alternatively, you might consider adding a separate function for determining the presence of the "ptrauth-indirect-gotos" attribute and use just `uint16_t` as a return value for `getPtrAuthBlockAddressDiscriminator` (with an assertion inserted against presence of "ptrauth-indirect-gotos"). A drawback of such an approach is that we might occasionally forget to check if indirect gotos are signed before calling the get discr function, but a benefit is that function names will be more expressive IMHO - `getPtrAuthBlockAddressDiscriminator` will only get the discriminator and it'll not have a responsibility to check if the signing is enabled.

Feel free to ignore.
I added `IfNeeded` to make the function name more explicit?

@ahmedbougacha I've updated my review: I've misinterpreted the logic a bit previously, and thought that a couple of codepaths were not covered by tests. It's not true, everything is OK, but please address @efriedma-quic's concern described above so this can be approved and merged.
Will you please clarify what is the problem here?
in some constructor routine, then both

Under the proposed ABI,

Right. The difference should not be signed IMO, as stated above.
The issue is just that clang expects the following to compile. And with the current version of the patch, I think we end up crashing in the backend.
We discussed this in the sync-up, but for the record I don't think we can get away with not signing and nothing else. It defeats the purpose of signing these in the first place: an arbitrary write becomes a branch to an arbitrary destination.

One alternative would be to sign the difference, though we would want to have a specific way for people to write it to make it predictable (single expression, 64-bit result; maybe explicitly as a builtin). Doesn't help existing code, but there's already a high adoption cost for all of these ptrauth changes, this seems almost trivial in comparison ;)

A radically different solution could be to lower the blockaddresses without signing, then turn the goto into a checked switch. That allows substitution, but that's already the case for signed blockaddresses.

In the meantime, for this PR, I'll look into more actionable errors for the unencodable constant expressions, and the single-expression difference, when we can diagnose it. But at the end of the day they'll still be errors.

FWIW, we are seeing authentication failures when running musl with pauth enabled and this PR. Working on a reproducer.

- add IfEnabled to function name
- test fast-isel, elf
- various nits
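The two source-level patterns this thread keeps coming back to, as an added example that is not code from the PR, from clang, or from LLVM: a tiny constructed bytecode interpreter written once with absolute label addresses (the pattern `-fptrauth-indirect-gotos` signs and authenticates) and once with label-address differences (the pattern the PR's Sema check rejects, because arithmetic on signed addresses corrupts the signature). The opcodes, programs and function names are all constructed for the example. It is plain GNU C that builds with any gcc or clang; the comments describe what the same source does under `-fptrauth-indirect-gotos` on AArch64.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed three-instruction bytecode (not from the PR). */
enum op { OP_ADD = 0, OP_MUL = 1, OP_HALT = 2, OP_COUNT = 3 };

/* Pattern 1: dispatch on absolute label addresses.
 * Each `&&label` is a blockaddress constant; with "ptrauth-indirect-gotos"
 * the AArch64 backend from this PR signs it with key IA and the per-function
 * discriminator, and each `goto *p` is an indirectbr lowered to an
 * authenticating BRA. A table entry overwritten with an arbitrary address
 * then fails authentication instead of transferring control there. */
long run_absolute(const uint8_t *code, size_t len)
{
    static void *const dispatch[OP_COUNT] = { &&do_add, &&do_mul, &&do_halt };
    long acc = 1;
    size_t pc = 0;

    /* Validate the opcode before indexing: signing protects the table
     * contents, not an out-of-range index. */
#define DISPATCH()                                  \
    do {                                            \
        if (pc >= len || code[pc] >= OP_COUNT)      \
            goto do_halt;                           \
        goto *dispatch[code[pc++]];                 \
    } while (0)

    DISPATCH();
do_add:
    acc += 3;
    DISPATCH();
do_mul:
    acc *= 2;
    DISPATCH();
do_halt:
    return acc;
#undef DISPATCH
}

/* Pattern 2: dispatch on label-address differences, the position-independent
 * table form the GCC manual documents. With signed label addresses it cannot
 * work: `&&do_add - &&do_base` subtracts two values whose top bits hold PACs
 * and `&&do_base + off` adds to a signed value, so the result never
 * authenticates. Leaving these unsigned would let a single offset overwrite
 * redirect the branch, which is why the PR's Sema change rejects
 * `&&lbl2 - &&lbl1` (and `&&lbl + off`) when -fptrauth-indirect-gotos is on. */
long run_offsets(const uint8_t *code, size_t len)
{
    const ptrdiff_t offsets[OP_COUNT] = {
        &&do_add - &&do_base,   /* error under -fptrauth-indirect-gotos */
        &&do_mul - &&do_base,
        &&do_halt - &&do_base,
    };
    long acc = 1;
    size_t pc = 0;

#define DISPATCH()                                      \
    do {                                                \
        if (pc >= len || code[pc] >= OP_COUNT)          \
            goto do_halt;                               \
        goto *(&&do_base + offsets[code[pc++]]);        \
    } while (0)

do_base:
    DISPATCH();
do_add:
    acc += 3;
    DISPATCH();
do_mul:
    acc *= 2;
    DISPATCH();
do_halt:
    return acc;
#undef DISPATCH
}

/* Constructed sample programs so the block runs stand-alone. */
static const uint8_t PROG_OK[]  = { OP_ADD, OP_MUL, OP_ADD, OP_HALT }; /* ((1+3)*2)+3 */
static const uint8_t PROG_BAD[] = { OP_ADD, 7, OP_MUL };               /* stops at opcode 7 */

long demo_absolute(int bad)
{
    return bad ? run_absolute(PROG_BAD, sizeof PROG_BAD)
               : run_absolute(PROG_OK, sizeof PROG_OK);
}

long demo_offsets(int bad)
{
    return bad ? run_offsets(PROG_BAD, sizeof PROG_BAD)
               : run_offsets(PROG_OK, sizeof PROG_OK);
}

int main(void)
{
    printf("absolute: %ld %ld\n", demo_absolute(0), demo_absolute(1));
    printf("offsets:  %ld %ld\n", demo_offsets(0), demo_offsets(1));
    return 0;
}
```

Both interpreters compute the same results on a normal build; the difference only shows up once the label addresses are signed, where `run_absolute` keeps working and `run_offsets` is the shape that has to be diagnosed at compile time rather than produce a branch that can be redirected by overwriting an offset.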
  SDValue Key = DAG.getTargetConstant(AArch64PACKey::IA, DL, MVT::i32);
  SDValue AddrDisc = DAG.getRegister(AArch64::XZR, MVT::i64);

  SDNode *BrA = DAG.getMachineNode(AArch64::BRA, DL, MVT::Other,
This is a problematic piece of code. If jump table hardening is not enabled, then jump tables will be codegenerated using `BRIND` (see the code a few lines above – directly at the end of `LowerBR_JT`), and the code here does not distinguish between indirect branches that have a "register" destination and indirect branches that are the result of jump table lowering...

The code above might check if `Dest` is `AArch64::JumpTableDest32` and do nothing in such a case.
Interesting, that explains it. I'd rather have the BR_JT survive as a BR_JT (or really, an AArch64 BR_JT that's analogous to ISD::BRIND, so that we can still do what we do on JumpTableDests), but that's a more serious change for the whole backend; let's do it separately. For now checking the target seems iffy but probably workable
yeah, having `BR_JT` nodes is certainly a more correct way, but seems to be more invasive. Worth a TODO
added, yes.
@@ -10909,6 +10909,14 @@ QualType Sema::CheckAdditionOperands(ExprResult &LHS, ExprResult &RHS,
   if (isObjCPointer && checkArithmeticOnObjCPointer(*this, Loc, PExp))
     return QualType();

   // Arithmetic on label addresses is normally allowed, except when we add
   // a ptrauth signature to the addresses.
   if (isa<AddrLabelExpr>(PExp) && getLangOpts().PointerAuthIndirectGotos) {
I don't think this catches all the relevant cases: there are various ways you could "hide" an address-of-label from this check. Parentheses, a conditional operator, a constexpr variable, etc.

Maybe the check should be in `IntExprEvaluator::VisitBinaryOperator`.
Yeah, this only catches the obvious cases to start. I did try having this in IntExprEvaluator, but only got it to behave as I expected (without dupes) with what I'm pretty sure is a gross misuse of `noteFailure` ;) Let me look into it some more separately
Also add a basic no-diagnostic case.
Implement tests for the following PAuth-related features (#100206):

- driver, preprocessor and ELF codegen tests for type_info vtable pointer discrimination #99726;
- driver, preprocessor, and ELF codegen (emitting function attributes) + sema (emitting errors) tests for indirect gotos signing #97647;
- ELF codegen tests for ubsan type checks + auth #99590;
- ELF codegen tests for constant global init with polymorphic MI #99741;
- ELF codegen tests for C++ member function pointers auth #99576.
Summary: Enabled in clang using: -fptrauth-indirect-gotos and at the IR level using function attribute: "ptrauth-indirect-gotos" Signing uses IA and a per-function integer discriminator. The discriminator isn't ABI-visible, and is currently: ptrauth_string_discriminator("<function_name> blockaddress") A sufficiently sophisticated frontend could benefit from per-indirectbr discrimination, which would need additional machinery, such as allowing "ptrauth" bundles on indirectbr. For our purposes, the simple scheme above is sufficient. This approach doesn't support subtracting label addresses and using the result as offsets, because each label address is signed. Pointer arithmetic on signed pointers corrupts the signature bits, and because label address expressions aren't typed beyond void*, we can't do anything reliably intelligent on the arithmetic exprs. Not signing addresses when used to form offsets would allow easily hijacking control flow by overwriting the offset. This diagnoses the basic cases (`&&lbl2 - &&lbl1`) in the frontend, while we evaluate either alternative implementations (e.g., lowering blockaddress to a bb number, and indirectbr to a checked jump-table), or better diagnostics (both at the frontend level and on unencodable IR constants). Test Plan: Reviewers: Subscribers: Tasks: Tags: Differential Revision: https://phabricator.intern.facebook.com/D60251245
…100206) Summary: Implement tests for the following PAuth-related features: - driver, preprocessor and ELF codegen tests for type_info vtable pointer discrimination #99726; - driver, preprocessor, and ELF codegen (emitting function attributes) + sema (emitting errors) tests for indirect gotos signing #97647; - ELF codegen tests for ubsan type checks + auth #99590; - ELF codegen tests for constant global init with polymorphic MI #99741; - ELF codegen tests for C++ member function pointers auth #99576. Test Plan: Reviewers: Subscribers: Tasks: Tags: Differential Revision: https://phabricator.intern.facebook.com/D60250599
…lvm#100206) Implement tests for the following PAuth-related features: - driver, preprocessor and ELF codegen tests for type_info vtable pointer discrimination llvm#99726; - driver, preprocessor, and ELF codegen (emitting function attributes) + sema (emitting errors) tests for indirect gotos signing llvm#97647; - ELF codegen tests for ubsan type checks + auth llvm#99590; - ELF codegen tests for constant global init with polymorphic MI llvm#99741; - ELF codegen tests for C++ member function pointers auth llvm#99576. (cherry picked from commit 70c6e79)
add back -fallow-half-arguments-and-returns for hipRuntime builds.

----------------------------------------------------------------------

Revert "[PAC][AArch64] Lower ptrauth constants in code (llvm#96879)"

This reverts commit 88dd10c.

----------------------------------------------------------------------

[PAC][AArch64] Lower ptrauth constants in code (llvm#96879)

This re-applies llvm#94241 after fixing buildbot failure, see https://lab.llvm.org/buildbot/#/builders/51/builds/570

According to standard, `constexpr` variables and `const` variables initialized with constant expressions can be used in lambdas w/o capturing - see https://en.cppreference.com/w/cpp/language/lambda. However, MSVC used on buildkite seems to ignore that rule and does not allow using such uncaptured variables in lambdas: we have "error C3493: 'Mask16' cannot be implicitly captured because no default capture mode has been specified" - see https://buildkite.com/llvm-project/github-pull-requests/builds/73238

Explicitly capturing such a variable, however, makes buildbot fail with "error: lambda capture 'Mask16' is not required to be captured for this use [-Werror,-Wunused-lambda-capture]" - see https://lab.llvm.org/buildbot/#/builders/51/builds/570.

Fix both cases by using `0xffff` value directly instead of giving a name to it.

Original PR description below.

Depends on llvm#94240.

Define the following pseudos for lowering ptrauth constants in code:
- non-`extern_weak`:
  - no GOT load needed: `MOVaddrPAC` - similar to `MOVaddr`, with added PAC;
  - GOT load needed: `LOADgotPAC` - similar to `LOADgot`, with added PAC;
- `extern_weak`: `LOADauthptrstatic` - similar to `LOADgot`, but use a special stub slot named `sym$auth_ptr$key$disc` filled by dynamic linker during relocation resolving instead of a GOT slot.

---------

Co-authored-by: Ahmed Bougacha <[email protected]>
(cherry picked from commit 1488fb4)

----------------------------------------------------------------------

[AArch64][PAC] Lower ptrauth constants in code for MachO. (llvm#97665)

This also adds support for auth stubs on MachO using __DATA,__auth_ptr.

Some of the machinery for auth stubs is already implemented; this generalizes that a bit to support MachO, and moves some of the shared logic into MMIImpls. In particular, this originally had an AuthStubInfo struct, but we no longer need it beyond a single MCExpr. So this provides variants of the symbol stub helper type declarations and functions for "expr stubs", where a stub points at an arbitrary MCExpr, rather than a simple MCSymbol (and a bit).

(cherry picked from commit 5f1bb62)

----------------------------------------------------------------------

[AArch64][PAC] Sign block addresses used in indirectbr. (llvm#97647)

Enabled in clang using: -fptrauth-indirect-gotos and at the IR level using function attribute: "ptrauth-indirect-gotos"

Signing uses IA and a per-function integer discriminator. The discriminator isn't ABI-visible, and is currently: ptrauth_string_discriminator("<function_name> blockaddress")

A sufficiently sophisticated frontend could benefit from per-indirectbr discrimination, which would need additional machinery, such as allowing "ptrauth" bundles on indirectbr. For our purposes, the simple scheme above is sufficient.

This approach doesn't support subtracting label addresses and using the result as offsets, because each label address is signed. Pointer arithmetic on signed pointers corrupts the signature bits, and because label address expressions aren't typed beyond void*, we can't do anything reliably intelligent on the arithmetic exprs. Not signing addresses when used to form offsets would allow easily hijacking control flow by overwriting the offset.

This diagnoses the basic cases (`&&lbl2 - &&lbl1`) in the frontend, while we evaluate either alternative implementations (e.g., lowering blockaddress to a bb number, and indirectbr to a checked jump-table), or better diagnostics (both at the frontend level and on unencodable IR constants).

(cherry picked from commit b8721fa)

----------------------------------------------------------------------

[AArch64][PAC] Lower auth/resign into checked sequence. (llvm#79024)

This introduces 3 hardening modes in the authentication step of auth/resign lowering:
- unchecked, which uses the AUT instructions as-is
- poison, which detects authentication failure (using an XPAC+CMP sequence), explicitly yielding the XPAC result rather than the AUT result, to avoid leaking
- trap, which additionally traps on authentication failure, using BRK #0xC470 + key (IA C470, IB C471, DA C472, DB C473.)

Not all modes are necessarily useful in all contexts, and there are more performant alternative lowerings in specific contexts (e.g., when I/D TBI enablement is a target ABI guarantee.) These will be implemented separately.

This is controlled by the `ptrauth-auth-traps` function attributes, and can be overridden using `-aarch64-ptrauth-auth-checks=`.

This also adds the FPAC extension, which we haven't needed before, to improve isel when we can rely on HW checking.

(cherry picked from commit d7e8a74)

----------------------------------------------------------------------

[Clang][Arm] Convert -fallow-half-arguments-and-returns to a target option. NFC

This cc1 option -fallow-half-arguments-and-returns allows __fp16 to be passed by argument and returned, without giving an error. It is currently always enabled for Arm and AArch64, by forcing the option in the driver. This means any cc1 tests (especially those needing arm_neon.h) need to specify the option too, to prevent the error from being emitted.

This changes it to a target option instead, set to true for Arm and AArch64. This allows the option to be removed. Previously it was implied by -fnative_half_arguments_and_returns, which is set for certain languages like open_cl, renderscript and hlsl, so that option now too controls the errors. There were are few other non-arm uses of -fallow-half-arguments-and-returns but I believe they were unnecessary. The strictfp_builtins.c tests were converted from __fp16 to _Float16 to avoid the issues.

Differential Revision: https://reviews.llvm.org/D133885

(cherry picked from commit 9ef11036505c0ae6cdb56ff49f39ab7abcded3cf)

----------------------------------------------------------------------

[clang] XFAIL a few tests due to 'noundef' etc

Not all, but most of these are failing due to the presence of a 'noundef' call return attribute on some intrinsics. This is not present on upstream 'main' due to the AlwaysInliner pass being run. See commit 1a2e77c.

----------------------------------------------------------------------

[DebugInfo] Restore missing disabled ptrauth support

See "[DebugInfo] Teach LLVM and LLDB about ptrauth in DWARF":
commit a8c3d98
Author: Jonas Devlieghere <[email protected]>
Date: Wed Jul 27 10:44:15 2022 -0700

----------------------------------------------------------------------

Apply simple-do.ll test change from b46c085

----------------------------------------------------------------------

Adjust ptrauth.s test for ptrauth_authentication_mode encoding

----------------------------------------------------------------------

Fix dwarf-eh-prepare-dbg.ll test: dwarfAddressSpace=>addressSpace

----------------------------------------------------------------------

Update some SLPVectorizer/AArch64 tests from upstream

----------------------------------------------------------------------

Regenerate assertions in arm_mult_q15.ll

----------------------------------------------------------------------

[AsmPrinter] Handle null extracted addr class

----------------------------------------------------------------------

[PowerPC] Account for custom LLVM moniker in aix tests

----------------------------------------------------------------------

[LoongArch] Add "Verify Heterogeneous Debug Preconditions" to pipeline test

----------------------------------------------------------------------

[JITLink][RISCV] Un-XFAIL ELF_pc_indirect.s

----------------------------------------------------------------------

Change-Id: Ie6ab500b2451b3ed070dfad0bc16d003e5e2fe10
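The PR signs exactly the two constructs that GNU C "labels as values" produce: each `&&label` becomes an LLVM `blockaddress` constant, and each `goto *p` becomes an `indirectbr`. The following is an added example, not code from the PR or from LLVM, of the shape of code the scheme protects: a small bytecode interpreter that dispatches through a table of absolute label addresses. The function and opcode names are invented for the example. The one pattern the PR says it cannot support, an offset table built from `&&lbl2 - &&lbl1` and added back to a base, is noted in a comment rather than written, since the frontend diagnoses it under `-fptrauth-indirect-gotos`.

```c
/* Added example (not from the PR): computed-goto dispatch over a table of
 * absolute label addresses. Built with -fptrauth-indirect-gotos on AArch64,
 * every `&&label` below is emitted as a blockaddress signed with the IA key
 * and the per-function discriminator, and every `goto *` authenticates its
 * target before jumping. Without ptrauth this is plain GNU C and runs anywhere
 * gcc/clang accept labels as values. */
#include <stddef.h>

enum { OP_PUSH = 0, OP_ADD = 1, OP_MUL = 2, OP_HALT = 3, OP_COUNT = 4 };

/* Runs a bytecode program and returns the value on top of the stack
 * (0 if the stack is empty when the machine stops). */
long run_program(const int *code, size_t len)
{
    /* Table of absolute label addresses. This is the supported form: each
     * entry is an independent blockaddress. A table of *differences*
     * (e.g. `&&do_add - &&do_push`) would not work with signing, because the
     * subtraction corrupts the signature bits; the PR diagnoses that form. */
    static const void *const dispatch[OP_COUNT] = {
        &&do_push, &&do_add, &&do_mul, &&do_halt
    };
    long stack[16];
    size_t sp = 0, pc = 0;

    /* Fetch the next opcode and jump through the table (an indirectbr).
     * Out-of-range opcodes stop the machine instead of indexing past the table. */
#define NEXT()                                                                   \
    do {                                                                         \
        if (pc >= len || code[pc] < 0 || code[pc] >= OP_COUNT) goto do_halt;     \
        goto *dispatch[code[pc++]];                                              \
    } while (0)

    NEXT();

do_push:
    if (pc >= len || sp >= sizeof stack / sizeof stack[0]) goto do_halt;
    stack[sp++] = code[pc++];
    NEXT();

do_add:
    if (sp < 2) goto do_halt;
    stack[sp - 2] += stack[sp - 1];
    sp--;
    NEXT();

do_mul:
    if (sp < 2) goto do_halt;
    stack[sp - 2] *= stack[sp - 1];
    sp--;
    NEXT();

do_halt:
#undef NEXT
    return sp ? stack[sp - 1] : 0;
}

/* Constructed sample program: (3 + 4) * 5, which evaluates to 35. */
long sample_result(void)
{
    static const int code[] = {
        OP_PUSH, 3, OP_PUSH, 4, OP_ADD, OP_PUSH, 5, OP_MUL, OP_HALT
    };
    return run_program(code, sizeof code / sizeof code[0]);
}
```

The security point of the table-of-addresses form is that an attacker who can overwrite a `dispatch` entry (or the memory it is loaded from) gains nothing without a valid signature for that address under this function's discriminator; an offset table would let the same overwrite redirect the `goto *` to any byte reachable from the base, which is why the PR refuses to leave offsets unsigned.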