This is an archive of the discontinued LLVM Phabricator instance.

Differential D102428

[StopInfoMachException] Summarize arm64e BLRAx/LDRAx auth failures
ClosedPublic

Authored by vsk on May 13 2021, 11:05 AM.

Details

Reviewers
JDevlieghere
jingham
jasonmolenda
DavidSpickett
omjavaid
Commits
rG66902a32c838: [StopInfoMachException] Summarize arm64e BLRAx/LDRAx auth failures
Summary

Upstream lldb support for summarizing BLRAx and LDRAx auth failures.

rdar://41615322

Diff Detail

Event Timeline

vsk created this revision.May 13 2021, 11:05 AM
Herald added subscribers: omjavaid, kristof.beyls. · View Herald TranscriptMay 13 2021, 11:05 AM
vsk requested review of this revision.May 13 2021, 11:05 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 13 2021, 11:05 AM
tschuett added a subscriber: tschuett.May 13 2021, 11:13 AM
Harbormaster completed remote builds in B104343: Diff 345224.May 13 2021, 12:22 PM
DavidSpickett added a reviewer: DavidSpickett.May 14 2021, 2:20 AM
DavidSpickett added a subscriber: DavidSpickett.

I think the test files should go in test/API/functionalities/ptrauth_diagnostics/ instead.

lldb/packages/Python/lldbsuite/test/functionalities/ptrauth_diagnostics/BLRAA_error/blraa.c
19 ↗(On Diff #345224)

What is the purpose of the // Before: blocks here? Simply to give you a clue what happened if the test fails, or something else?

(I guess I'm really saying "Before", before what exactly)

lldb/packages/Python/lldbsuite/test/functionalities/ptrauth_diagnostics/LDRAA_error/TestPtrauthLDRAADiagnostic.py
5 ↗(On Diff #345224)

If you're on/connecting to arm64e you can assume a toolchain that supports ptrauth, correct?

(we (Linaro) will probably extend these tests for to run on AArch64 Linux and there we would need to check toolchain support or use hint space)

lldb/packages/Python/lldbsuite/test/functionalities/ptrauth_diagnostics/brkC47x_code/brkC47x.c
10 ↗(On Diff #345224)

Can you explain in this test what brk 0xc470 means?

lldb/source/Plugins/Disassembler/LLVMC/DisassemblerLLVMC.cpp
1055

Comment what the meaning of the break code is. (or range of codes, 0-4 I guess)

Best guess is that this brk causes the cpu to authenticate a code held in x16, some kind of control flow check?

lldb/source/Plugins/Process/Utility/StopInfoMachException.cpp
92

Worth asserting that abi_sp is valid? Though for Mach it's probably going to be all of the time.

121

Are you comparing against LLDB_INVALID_ADDRESS to check whether you were able to read x16, or do you not expect to see UINT64_MAX to ever fail to authenticate in this context?

Seems to me like 0xF....F ending up in a register would likely cause an auth failure but I could have the wrong end of the stick here.

124

Do we know that the address in x16 is always a code address?

Though if MacOS isn't using separate ptrauth masks maybe it doesn't matter.

126

What does it mean here that the address failed to resolve?

179

I would add something like:

The current PC which points to the address we tried to branch to.

Which gives some context to the return_pc - 4 earlier.

185

Again what would it mean if this doesn't resolve? (just wondering if there's some handling to be done or ignoring it is fine)

Guessing that it could mean that the branch was to some random address that isn't in any memory currently mapped.

204

I don't know if you only want "correct" code but I've mistakenly clobbered LR in inline assembly before without putting it in the clobber list. Would that count?

vsk updated this revision to Diff 345513.May 14 2021, 11:37 AM

Address code review feedback.

vsk added a comment.May 14 2021, 11:37 AM

Thanks for the review!

lldb/packages/Python/lldbsuite/test/functionalities/ptrauth_diagnostics/BLRAA_error/blraa.c
19 ↗(On Diff #345224)

These 'Before' blocks show the reader how lldb interpreted auth-related exceptions prior to this change, and show the expected codegen (handy if the test ever regresses).

lldb/packages/Python/lldbsuite/test/functionalities/ptrauth_diagnostics/LDRAA_error/TestPtrauthLDRAADiagnostic.py
5 ↗(On Diff #345224)

Yes, that's right. I don't believe there's anything Darwin-specific hardcoded into these test cases, and hope that they're reusable for AArch64 Linux testing.

lldb/packages/Python/lldbsuite/test/functionalities/ptrauth_diagnostics/brkC47x_code/brkC47x.c
10 ↗(On Diff #345224)

In certain cases, AppleClang may insert auth traps in software: Use brk 0xc470 + aut key, where 0x70 == 'p', 0xc4 == 'a' + 'c'.

lldb/source/Plugins/Disassembler/LLVMC/DisassemblerLLVMC.cpp
1055

Will do.

lldb/source/Plugins/Process/Utility/StopInfoMachException.cpp
92

I went ahead and added the assert.

121

RegisterValue::GetAsUInt64() should return UINT64_MAX if it fails. I'll clean this up by checking whether the earlier ReadRegister call succeeded.

124

For now we assume that the code address fixup is always appropriate for Darwin/arm64e.

126

It's possible that lldb doesn't know about the image the fixed address points to (it could be a garbage value). In this case we conservatively don't hint that there's a ptrauth issue.

179

Will do.

185

Ignoring it (i.e. declining to hint at ptrauth failure) seems fine.

204

We'd like to have lldb be smart enough to diagnose this. It's just that, early on, in our survey of auth issues encountered during bringup, this wasn't a common case.

Harbormaster completed remote builds in B104554: Diff 345513.May 14 2021, 12:24 PM
DavidSpickett added a comment.May 17 2021, 2:10 AM

I think some of my questions are too detailed for this initial patch, I'm sure we can improve the diagnostics over time as situations come up. Glad to see this being upstreamed.

Not very knowledgeable on Mach specifics so I'll leave the final review to others.

lldb/packages/Python/lldbsuite/test/functionalities/ptrauth_diagnostics/BLRAA_error/blraa.c
19 ↗(On Diff #345224)

Cool, but could you reword it? something like:

// Without PAuth diagnostics we got:

Or "expected codegen and lldb output used to be", so readers have context if they're just looking at this test because it failed and they're not working on pauth specifically.

Also you could put the text in comments instead of an ifdef: (/// instead of // so they look different to check lines)

/// * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2000000100007f9c)
///    frame #0: 0x0000000100007f9c blraa2`foo

I don't think FileCheck will trip up on anything in this.

lldb/source/Plugins/Process/Utility/StopInfoMachException.cpp
126

So in that case we would report stopped due to a breakpoint, that's a special pac breakpoint but no pointer authentication issue? Isn't that confusing for the user?

Maybe not because it's hinting at accidental corruption vs. deliberate misdirection, you probably have the experiences to inform that.

This is an improvement as is so no need to change it I'm just curious.

Can you add a test for this situation? Assuming you can find an address you know would never be valid.

lldb/test/API/functionalities/ptrauth_diagnostics/BRAA_error/braa.c
20

This one needs a comment like the others:

/// Without PAuth diagnostics ...
vsk updated this revision to Diff 345940.May 17 2021, 10:54 AM

Address review feedback.

lldb/source/Plugins/Process/Utility/StopInfoMachException.cpp
126

The image containing the fixed address from x16 is usually loaded. If it's not, that's indeed a very confusing situation (& would more likely than not implicate an AppleClang bug). I don't believe the situation is made *more* confusing because lldb declines to print a ptrauth hint. I've added a test for this (it just sets x16 = 0xbad).

Harbormaster completed remote builds in B104866: Diff 345940.May 17 2021, 12:05 PM
DavidSpickett added inline comments.May 18 2021, 1:29 AM
lldb/source/Plugins/Process/Utility/StopInfoMachException.cpp
126

Thanks, reading the test I see what you mean.

You convert to EXC_BAD_ACCESS even if the x16 address isn't loaded, so I'm not seeing EXC_BREAKPOINT and wondering why I hit this breakpoint that I didn't add. (didn't add manually at least)

vsk added a comment.May 25 2021, 11:12 AM

Friendly ping.

lldb/source/Plugins/Process/Utility/StopInfoMachException.cpp
126

I see what you mean. In this scenario, EXC_BAD_ACCESS seems a bit more to the point (to me, at least -- since with that particular trap code, there's no way this is a debugger breakpoint).

DavidSpickett added a reviewer: omjavaid.Jul 16 2021, 3:36 AM

Apologies, I missed the ping. A couple of minor comments otherwise this looks good to me.

@omjavaid Should take a look too as he's doing/did the PAC work for Arm Linux. I figure this can go in for Mac and be made generic later as needed. (e.g. Arm Linux won't have the special brk bits)

lldb/source/Plugins/Process/Utility/StopInfoMachException.cpp
259

Don't need the {} here.

375

Also unneeded {} here.

vsk updated this revision to Diff 360180.Jul 20 2021, 9:43 AM

Drop unneeded braces in switch cases.

Harbormaster completed remote builds in B115130: Diff 360180.Jul 20 2021, 11:17 AM
DavidSpickett accepted this revision.Sep 8 2021, 2:29 AM

Apologies, I forgot about this for way too long. I don't think Omair is going to object anyway so let's get this in.

This revision is now accepted and ready to land.Sep 8 2021, 2:29 AM
This revision was landed with ongoing or failed builds.Sep 14 2021, 2:04 PM
Closed by commit rG66902a32c838: [StopInfoMachException] Summarize arm64e BLRAx/LDRAx auth failures (authored by vsk). · Explain Why
This revision was automatically updated to reflect the committed changes.
vsk added a commit: rG66902a32c838: [StopInfoMachException] Summarize arm64e BLRAx/LDRAx auth failures.

Revision Contents

PathSize
lldb/
include/
lldb/
Core/
4 lines
8 lines
source/
Core/
13 lines
4 lines
Plugins/
Disassembler/
LLVMC/
39 lines
Process/
Utility/
5 lines
187 lines
test/
API/
functionalities/
ptrauth_diagnostics/
BLRAA_error/
2 lines
5 lines
28 lines
BRAA_error/
2 lines
5 lines
29 lines
LDRAA_error/
2 lines
5 lines
31 lines
brkC47x_code/
2 lines
5 lines
17 lines
brkC47x_x16_invalid/
2 lines
5 lines
14 lines

Diff 372562

lldb/include/lldb/Core/Address.h

Show First 20 LinesShow All 204 Lines▼ Show 20 Lines/// A const Address object reference to \a this.
public: public:
ModulePointerAndOffsetLessThanFunctionObject() = default; ModulePointerAndOffsetLessThanFunctionObject() = default;
bool operator()(const Address &a, const Address &b) const { bool operator()(const Address &a, const Address &b) const {
return Address::CompareModulePointerAndOffset(a, b) < 0; return Address::CompareModulePointerAndOffset(a, b) < 0;
} }
}; };
/// Write a description of this object to a Stream.
bool GetDescription(Stream &s, Target &target,
lldb::DescriptionLevel level) const;
/// Dump a description of this object to a Stream. /// Dump a description of this object to a Stream.
/// ///
/// Dump a description of the contents of this object to the supplied stream /// Dump a description of the contents of this object to the supplied stream
/// \a s. There are many ways to display a section offset based address, and /// \a s. There are many ways to display a section offset based address, and
/// \a style lets the user choose. /// \a style lets the user choose.
/// ///
/// \param[in] s /// \param[in] s
/// The stream to which to dump the object description. /// The stream to which to dump the object description.
▲ Show 20 LinesShow All 299 LinesShow Last 20 Lines

lldb/include/lldb/Core/Disassembler.h

Show First 20 LinesShow All 144 Lines▼ Show 20 Lines virtual void Dump(Stream *s, uint32_t max_opcode_byte_size, bool show_address,
const SymbolContext *prev_sym_ctx, const SymbolContext *prev_sym_ctx,
const FormatEntity::Entry *disassembly_addr_format, const FormatEntity::Entry *disassembly_addr_format,
size_t max_address_text_size); size_t max_address_text_size);
virtual bool DoesBranch() = 0; virtual bool DoesBranch() = 0;
virtual bool HasDelaySlot(); virtual bool HasDelaySlot();
virtual bool IsLoad() = 0;
virtual bool IsAuthenticated() = 0;
bool CanSetBreakpoint (); bool CanSetBreakpoint ();
virtual size_t Decode(const Disassembler &disassembler, virtual size_t Decode(const Disassembler &disassembler,
const DataExtractor &data, const DataExtractor &data,
lldb::offset_t data_offset) = 0; lldb::offset_t data_offset) = 0;
virtual void SetDescription(llvm::StringRef) { virtual void SetDescription(llvm::StringRef) {
} // May be overridden in sub-classes that have descriptions. } // May be overridden in sub-classes that have descriptions.
▲ Show 20 LinesShow All 170 Lines▼ Show 20 Linespublic:
PseudoInstruction(); PseudoInstruction();
~PseudoInstruction() override; ~PseudoInstruction() override;
bool DoesBranch() override; bool DoesBranch() override;
bool HasDelaySlot() override; bool HasDelaySlot() override;
bool IsLoad() override;
bool IsAuthenticated() override;
void CalculateMnemonicOperandsAndComment( void CalculateMnemonicOperandsAndComment(
const ExecutionContext *exe_ctx) override { const ExecutionContext *exe_ctx) override {
// TODO: fill this in and put opcode name into Instruction::m_opcode_name, // TODO: fill this in and put opcode name into Instruction::m_opcode_name,
// mnemonic into Instruction::m_mnemonics, and any comment into // mnemonic into Instruction::m_mnemonics, and any comment into
// Instruction::m_comment // Instruction::m_comment
} }
size_t Decode(const Disassembler &disassembler, const DataExtractor &data, size_t Decode(const Disassembler &disassembler, const DataExtractor &data,
▲ Show 20 LinesShow All 186 LinesShow Last 20 Lines

lldb/source/Core/Address.cpp

Show First 20 LinesShow All 383 Lines▼ Show 20 Lines if (target) {
addr_class = GetAddressClass(); addr_class = GetAddressClass();
m_offset = target->GetOpcodeLoadAddress(m_offset, addr_class); m_offset = target->GetOpcodeLoadAddress(m_offset, addr_class);
} }
return true; return true;
} }
return false; return false;
} }
bool Address::GetDescription(Stream &s, Target &target,
DescriptionLevel level) const {
assert(level == eDescriptionLevelBrief &&
"Non-brief descriptions not implemented");
LineEntry line_entry;
if (CalculateSymbolContextLineEntry(line_entry)) {
s.Printf(" (%s:%u:%u)", line_entry.file.GetFilename().GetCString(),
line_entry.line, line_entry.column);
return true;
}
return false;
}
bool Address::Dump(Stream *s, ExecutionContextScope *exe_scope, DumpStyle style, bool Address::Dump(Stream *s, ExecutionContextScope *exe_scope, DumpStyle style,
DumpStyle fallback_style, uint32_t addr_size) const { DumpStyle fallback_style, uint32_t addr_size) const {
// If the section was nullptr, only load address is going to work unless we // If the section was nullptr, only load address is going to work unless we
// are trying to deref a pointer // are trying to deref a pointer
SectionSP section_sp(GetSection()); SectionSP section_sp(GetSection());
if (!section_sp && style != DumpStyleResolvedPointerDescription) if (!section_sp && style != DumpStyleResolvedPointerDescription)
style = DumpStyleLoadAddress; style = DumpStyleLoadAddress;
▲ Show 20 LinesShow All 619 LinesShow Last 20 Lines

lldb/source/Core/Disassembler.cpp

Show First 20 LinesShow All 1,117 Lines▼ Show 20 Linesbool PseudoInstruction::DoesBranch() {
return false; return false;
} }
bool PseudoInstruction::HasDelaySlot() { bool PseudoInstruction::HasDelaySlot() {
// This is NOT a valid question for a pseudo instruction. // This is NOT a valid question for a pseudo instruction.
return false; return false;
} }
bool PseudoInstruction::IsLoad() { return false; }
bool PseudoInstruction::IsAuthenticated() { return false; }
size_t PseudoInstruction::Decode(const lldb_private::Disassembler &disassembler, size_t PseudoInstruction::Decode(const lldb_private::Disassembler &disassembler,
const lldb_private::DataExtractor &data, const lldb_private::DataExtractor &data,
lldb::offset_t data_offset) { lldb::offset_t data_offset) {
return m_opcode.GetByteSize(); return m_opcode.GetByteSize();
} }
void PseudoInstruction::SetOpcode(size_t opcode_size, void *opcode_data) { void PseudoInstruction::SetOpcode(size_t opcode_size, void *opcode_data) {
if (!opcode_data) if (!opcode_data)
▲ Show 20 LinesShow All 154 LinesShow Last 20 Lines

lldb/source/Plugins/Disassembler/LLVMC/DisassemblerLLVMC.cpp

Show First 20 LinesShow All 55 Lines▼ Show 20 Linespublic:
uint64_t GetMCInst(const uint8_t *opcode_data, size_t opcode_data_len, uint64_t GetMCInst(const uint8_t *opcode_data, size_t opcode_data_len,
lldb::addr_t pc, llvm::MCInst &mc_inst) const; lldb::addr_t pc, llvm::MCInst &mc_inst) const;
void PrintMCInst(llvm::MCInst &mc_inst, std::string &inst_string, void PrintMCInst(llvm::MCInst &mc_inst, std::string &inst_string,
std::string &comments_string); std::string &comments_string);
void SetStyle(bool use_hex_immed, HexImmediateStyle hex_style); void SetStyle(bool use_hex_immed, HexImmediateStyle hex_style);
bool CanBranch(llvm::MCInst &mc_inst) const; bool CanBranch(llvm::MCInst &mc_inst) const;
bool HasDelaySlot(llvm::MCInst &mc_inst) const; bool HasDelaySlot(llvm::MCInst &mc_inst) const;
bool IsCall(llvm::MCInst &mc_inst) const; bool IsCall(llvm::MCInst &mc_inst) const;
bool IsLoad(llvm::MCInst &mc_inst) const;
bool IsAuthenticated(llvm::MCInst &mc_inst) const;
private: private:
MCDisasmInstance(std::unique_ptr<llvm::MCInstrInfo> &&instr_info_up, MCDisasmInstance(std::unique_ptr<llvm::MCInstrInfo> &&instr_info_up,
std::unique_ptr<llvm::MCRegisterInfo> &&reg_info_up, std::unique_ptr<llvm::MCRegisterInfo> &&reg_info_up,
std::unique_ptr<llvm::MCSubtargetInfo> &&subtarget_info_up, std::unique_ptr<llvm::MCSubtargetInfo> &&subtarget_info_up,
std::unique_ptr<llvm::MCAsmInfo> &&asm_info_up, std::unique_ptr<llvm::MCAsmInfo> &&asm_info_up,
std::unique_ptr<llvm::MCContext> &&context_up, std::unique_ptr<llvm::MCContext> &&context_up,
std::unique_ptr<llvm::MCDisassembler> &&disasm_up, std::unique_ptr<llvm::MCDisassembler> &&disasm_up,
Show All 25 Lines bool DoesBranch() override {
return m_does_branch; return m_does_branch;
} }
bool HasDelaySlot() override { bool HasDelaySlot() override {
VisitInstruction(); VisitInstruction();
return m_has_delay_slot; return m_has_delay_slot;
} }
bool IsLoad() override {
VisitInstruction();
return m_is_load;
}
bool IsAuthenticated() override {
VisitInstruction();
return m_is_authenticated;
}
DisassemblerLLVMC::MCDisasmInstance *GetDisasmToUse(bool &is_alternate_isa) { DisassemblerLLVMC::MCDisasmInstance *GetDisasmToUse(bool &is_alternate_isa) {
DisassemblerScope disasm(*this); DisassemblerScope disasm(*this);
return GetDisasmToUse(is_alternate_isa, disasm); return GetDisasmToUse(is_alternate_isa, disasm);
} }
size_t Decode(const lldb_private::Disassembler &disassembler, size_t Decode(const lldb_private::Disassembler &disassembler,
const lldb_private::DataExtractor &data, const lldb_private::DataExtractor &data,
lldb::offset_t data_offset) override { lldb::offset_t data_offset) override {
▲ Show 20 LinesShow All 699 Lines▼ Show 20 Linesprotected:
bool m_is_valid = false; bool m_is_valid = false;
bool m_using_file_addr; bool m_using_file_addr;
bool m_has_visited_instruction = false; bool m_has_visited_instruction = false;
// Be conservative. If we didn't understand the instruction, say it: // Be conservative. If we didn't understand the instruction, say it:
// - Might branch // - Might branch
// - Does not have a delay slot // - Does not have a delay slot
// - Is not a call // - Is not a call
// - Is not a load
// - Is not an authenticated instruction
bool m_does_branch = true; bool m_does_branch = true;
bool m_has_delay_slot = false; bool m_has_delay_slot = false;
bool m_is_call = false; bool m_is_call = false;
bool m_is_load = false;
bool m_is_authenticated = false;
void VisitInstruction() { void VisitInstruction() {
if (m_has_visited_instruction) if (m_has_visited_instruction)
return; return;
DisassemblerScope disasm(*this); DisassemblerScope disasm(*this);
if (!disasm) if (!disasm)
return; return;
Show All 13 Lines const size_t inst_size =
mc_disasm_ptr->GetMCInst(opcode_data, opcode_data_len, pc, inst); mc_disasm_ptr->GetMCInst(opcode_data, opcode_data_len, pc, inst);
if (inst_size == 0) if (inst_size == 0)
return; return;
m_has_visited_instruction = true; m_has_visited_instruction = true;
m_does_branch = mc_disasm_ptr->CanBranch(inst); m_does_branch = mc_disasm_ptr->CanBranch(inst);
m_has_delay_slot = mc_disasm_ptr->HasDelaySlot(inst); m_has_delay_slot = mc_disasm_ptr->HasDelaySlot(inst);
m_is_call = mc_disasm_ptr->IsCall(inst); m_is_call = mc_disasm_ptr->IsCall(inst);
m_is_load = mc_disasm_ptr->IsLoad(inst);
m_is_authenticated = mc_disasm_ptr->IsAuthenticated(inst);
} }
private: private:
DisassemblerLLVMC::MCDisasmInstance * DisassemblerLLVMC::MCDisasmInstance *
GetDisasmToUse(bool &is_alternate_isa, DisassemblerScope &disasm) { GetDisasmToUse(bool &is_alternate_isa, DisassemblerScope &disasm) {
is_alternate_isa = false; is_alternate_isa = false;
if (disasm) { if (disasm) {
if (disasm->m_alternate_disasm_up) { if (disasm->m_alternate_disasm_up) {
▲ Show 20 LinesShow All 162 Lines▼ Show 20 Linesbool DisassemblerLLVMC::MCDisasmInstance::HasDelaySlot(
llvm::MCInst &mc_inst) const { llvm::MCInst &mc_inst) const {
return m_instr_info_up->get(mc_inst.getOpcode()).hasDelaySlot(); return m_instr_info_up->get(mc_inst.getOpcode()).hasDelaySlot();
} }
bool DisassemblerLLVMC::MCDisasmInstance::IsCall(llvm::MCInst &mc_inst) const { bool DisassemblerLLVMC::MCDisasmInstance::IsCall(llvm::MCInst &mc_inst) const {
return m_instr_info_up->get(mc_inst.getOpcode()).isCall(); return m_instr_info_up->get(mc_inst.getOpcode()).isCall();
} }
bool DisassemblerLLVMC::MCDisasmInstance::IsLoad(llvm::MCInst &mc_inst) const {
return m_instr_info_up->get(mc_inst.getOpcode()).mayLoad();
}
bool DisassemblerLLVMC::MCDisasmInstance::IsAuthenticated(
llvm::MCInst &mc_inst) const {
auto InstrDesc = m_instr_info_up->get(mc_inst.getOpcode());
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Comment what the meaning of the break code is. (or range of codes, 0-4 I guess)

Best guess is that this brk causes the cpu to authenticate a code held in x16, some kind of control flow check?

DavidSpickett: Comment what the meaning of the break code is. (or range of codes, 0-4 I guess) Best guess is…
vskAuthorUnsubmitted
Done
ReplyInline Actions

Will do.

vsk: Will do.
// Treat software auth traps (brk 0xc470 + aut key, where 0x70 == 'p', 0xc4
// == 'a' + 'c') as authenticated instructions for reporting purposes, in
// addition to the standard authenticated instructions specified in ARMv8.3.
bool IsBrkC47x = false;
if (InstrDesc.isTrap() && mc_inst.getNumOperands() == 1) {
const llvm::MCOperand &Op0 = mc_inst.getOperand(0);
if (Op0.isImm() && Op0.getImm() >= 0xc470 && Op0.getImm() <= 0xc474)
IsBrkC47x = true;
}
return InstrDesc.isAuthenticated() || IsBrkC47x;
}
DisassemblerLLVMC::DisassemblerLLVMC(const ArchSpec &arch, DisassemblerLLVMC::DisassemblerLLVMC(const ArchSpec &arch,
const char *flavor_string) const char *flavor_string)
: Disassembler(arch, flavor_string), m_exe_ctx(nullptr), m_inst(nullptr), : Disassembler(arch, flavor_string), m_exe_ctx(nullptr), m_inst(nullptr),
m_data_from_file(false), m_adrp_address(LLDB_INVALID_ADDRESS), m_data_from_file(false), m_adrp_address(LLDB_INVALID_ADDRESS),
m_adrp_insn() { m_adrp_insn() {
if (!FlavorValidForArchSpec(arch, m_flavor.c_str())) { if (!FlavorValidForArchSpec(arch, m_flavor.c_str())) {
m_flavor.assign("default"); m_flavor.assign("default");
} }
▲ Show 20 LinesShow All 390 LinesShow Last 20 Lines

lldb/source/Plugins/Process/Utility/StopInfoMachException.h

Show All 10 Lines
#include <string> #include <string>
#include "lldb/Target/StopInfo.h" #include "lldb/Target/StopInfo.h"
namespace lldb_private { namespace lldb_private {
class StopInfoMachException : public StopInfo { class StopInfoMachException : public StopInfo {
/// Determine the pointer-authentication related failure that caused this
/// exception. Returns true and fills out the failure description if there
/// is auth-related failure, and returns false otherwise.
bool DeterminePtrauthFailure(ExecutionContext &exe_ctx);
public: public:
// Constructors and Destructors // Constructors and Destructors
StopInfoMachException(Thread &thread, uint32_t exc_type, StopInfoMachException(Thread &thread, uint32_t exc_type,
uint32_t exc_data_count, uint64_t exc_code, uint32_t exc_data_count, uint64_t exc_code,
uint64_t exc_subcode) uint64_t exc_subcode)
: StopInfo(thread, exc_type), m_exc_data_count(exc_data_count), : StopInfo(thread, exc_type), m_exc_data_count(exc_data_count),
m_exc_code(exc_code), m_exc_subcode(exc_subcode) {} m_exc_code(exc_code), m_exc_subcode(exc_subcode) {}
Show All 25 Lines

lldb/source/Plugins/Process/Utility/StopInfoMachException.cpp

Show All 11 Lines
#if defined(__APPLE__) #if defined(__APPLE__)
// Needed for the EXC_RESOURCE interpretation macros // Needed for the EXC_RESOURCE interpretation macros
#include <kern/exc_resource.h> #include <kern/exc_resource.h>
#endif #endif
#include "lldb/Breakpoint/Watchpoint.h" #include "lldb/Breakpoint/Watchpoint.h"
#include "lldb/Symbol/Symbol.h" #include "lldb/Symbol/Symbol.h"
#include "lldb/Target/ABI.h"
#include "lldb/Target/DynamicLoader.h" #include "lldb/Target/DynamicLoader.h"
#include "lldb/Target/ExecutionContext.h" #include "lldb/Target/ExecutionContext.h"
#include "lldb/Target/Process.h" #include "lldb/Target/Process.h"
#include "lldb/Target/RegisterContext.h" #include "lldb/Target/RegisterContext.h"
#include "lldb/Target/Target.h" #include "lldb/Target/Target.h"
#include "lldb/Target/Thread.h" #include "lldb/Target/Thread.h"
#include "lldb/Target/ThreadPlan.h" #include "lldb/Target/ThreadPlan.h"
#include "lldb/Target/UnixSignals.h" #include "lldb/Target/UnixSignals.h"
#include "lldb/Utility/StreamString.h" #include "lldb/Utility/StreamString.h"
using namespace lldb; using namespace lldb;
using namespace lldb_private; using namespace lldb_private;
/// Information about a pointer-authentication related instruction.
struct PtrauthInstructionInfo {
bool IsAuthenticated;
bool IsLoad;
bool DoesBranch;
};
/// Get any pointer-authentication related information about the instruction
/// at address \p at_addr.
static llvm::Optional<PtrauthInstructionInfo>
GetPtrauthInstructionInfo(Target &target, const ArchSpec &arch,
const Address &at_addr) {
const char *plugin_name = nullptr;
const char *flavor = nullptr;
AddressRange range_bounds(at_addr, 4);
const bool prefer_file_cache = true;
DisassemblerSP disassembler_sp = Disassembler::DisassembleRange(
arch, plugin_name, flavor, target, range_bounds, prefer_file_cache);
if (!disassembler_sp)
return llvm::None;
InstructionList &insn_list = disassembler_sp->GetInstructionList();
InstructionSP insn = insn_list.GetInstructionAtIndex(0);
if (!insn)
return llvm::None;
return PtrauthInstructionInfo{insn->IsAuthenticated(), insn->IsLoad(),
insn->DoesBranch()};
}
/// Describe the load address of \p addr using the format filename:line:col.
static void DescribeAddressBriefly(Stream &strm, const Address &addr,
Target &target) {
strm.Printf("at address=0x%" PRIx64, addr.GetLoadAddress(&target));
StreamString s;
if (addr.GetDescription(s, target, eDescriptionLevelBrief))
strm.Printf(" %s", s.GetString().data());
strm.Printf(".\n");
}
bool StopInfoMachException::DeterminePtrauthFailure(ExecutionContext &exe_ctx) {
bool IsBreakpoint = m_value == 6; // EXC_BREAKPOINT
bool IsBadAccess = m_value == 1; // EXC_BAD_ACCESS
if (!IsBreakpoint && !IsBadAccess)
return false;
// Check that we have a live process.
if (!exe_ctx.HasProcessScope() || !exe_ctx.HasThreadScope() ||
!exe_ctx.HasTargetScope())
return false;
Thread &thread = *exe_ctx.GetThreadPtr();
StackFrameSP current_frame = thread.GetStackFrameAtIndex(0);
if (!current_frame)
return false;
Target &target = *exe_ctx.GetTargetPtr();
Process &process = *exe_ctx.GetProcessPtr();
ABISP abi_sp = process.GetABI();
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Worth asserting that abi_sp is valid? Though for Mach it's probably going to be all of the time.

DavidSpickett: Worth asserting that abi_sp is valid? Though for Mach it's probably going to be all of the time.
vskAuthorUnsubmitted
Done
ReplyInline Actions

I went ahead and added the assert.

vsk: I went ahead and added the assert.
const ArchSpec &arch = target.GetArchitecture();
assert(abi_sp && "Missing ABI info");
// Check for a ptrauth-enabled target.
const bool ptrauth_enabled_target =
arch.GetCore() == ArchSpec::eCore_arm_arm64e;
if (!ptrauth_enabled_target)
return false;
// Set up a stream we can write a diagnostic into.
StreamString strm;
auto emit_ptrauth_prologue = [&](uint64_t at_address) {
strm.Printf("EXC_BAD_ACCESS (code=%" PRIu64 ", address=0x%" PRIx64 ")\n",
m_exc_code, at_address);
strm.Printf("Note: Possible pointer authentication failure detected.\n");
};
// Check if we have a "brk 0xc47x" trap, where the value that failed to
// authenticate is in x16.
Address current_address = current_frame->GetFrameCodeAddress();
if (IsBreakpoint) {
RegisterContext *reg_ctx = exe_ctx.GetRegisterContext();
if (!reg_ctx)
return false;
const RegisterInfo *X16Info = reg_ctx->GetRegisterInfoByName("x16");
RegisterValue X16Val;
if (!reg_ctx->ReadRegister(X16Info, X16Val))
return false;
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Are you comparing against LLDB_INVALID_ADDRESS to check whether you were able to read x16, or do you not expect to see UINT64_MAX to ever fail to authenticate in this context?

Seems to me like 0xF....F ending up in a register would likely cause an auth failure but I could have the wrong end of the stick here.

DavidSpickett: Are you comparing against `LLDB_INVALID_ADDRESS` to check whether you were able to read x16, or…
vskAuthorUnsubmitted
Done
ReplyInline Actions

RegisterValue::GetAsUInt64() should return UINT64_MAX if it fails. I'll clean this up by checking whether the earlier ReadRegister call succeeded.

vsk: RegisterValue::GetAsUInt64() should return UINT64_MAX if it fails. I'll clean this up by…
uint64_t bad_address = X16Val.GetAsUInt64();
uint64_t fixed_bad_address = abi_sp->FixCodeAddress(bad_address);
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Do we know that the address in x16 is always a code address?

Though if MacOS isn't using separate ptrauth masks maybe it doesn't matter.

DavidSpickett: Do we know that the address in x16 is always a code address? Though if MacOS isn't using…
vskAuthorUnsubmitted
Done
ReplyInline Actions

For now we assume that the code address fixup is always appropriate for Darwin/arm64e.

vsk: For now we assume that the code address fixup is always appropriate for Darwin/arm64e.
Address brk_address;
if (!target.ResolveLoadAddress(fixed_bad_address, brk_address))
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

What does it mean here that the address failed to resolve?

DavidSpickett: What does it mean here that the address failed to resolve?
vskAuthorUnsubmitted
Done
ReplyInline Actions

It's possible that lldb doesn't know about the image the fixed address points to (it could be a garbage value). In this case we conservatively don't hint that there's a ptrauth issue.

vsk: It's possible that lldb doesn't know about the image the fixed address points to (it could be a…
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

So in that case we would report stopped due to a breakpoint, that's a special pac breakpoint but no pointer authentication issue? Isn't that confusing for the user?

Maybe not because it's hinting at accidental corruption vs. deliberate misdirection, you probably have the experiences to inform that.

This is an improvement as is so no need to change it I'm just curious.

Can you add a test for this situation? Assuming you can find an address you know would never be valid.

DavidSpickett: So in that case we would report stopped due to a breakpoint, that's a special pac breakpoint…
vskAuthorUnsubmitted
Done
ReplyInline Actions

The image containing the fixed address from x16 is usually loaded. If it's not, that's indeed a very confusing situation (& would more likely than not implicate an AppleClang bug). I don't believe the situation is made *more* confusing because lldb declines to print a ptrauth hint. I've added a test for this (it just sets x16 = 0xbad).

vsk: The image containing the fixed address from x16 is usually loaded. If it's not, that's indeed a…
DavidSpickettUnsubmitted
Done
ReplyInline Actions

Thanks, reading the test I see what you mean.

You convert to EXC_BAD_ACCESS even if the x16 address isn't loaded, so I'm not seeing EXC_BREAKPOINT and wondering why I hit this breakpoint that I didn't add. (didn't add manually at least)

DavidSpickett: Thanks, reading the test I see what you mean. You convert to `EXC_BAD_ACCESS` even if the x16…
vskAuthorUnsubmitted
Done
ReplyInline Actions

I see what you mean. In this scenario, EXC_BAD_ACCESS seems a bit more to the point (to me, at least -- since with that particular trap code, there's no way this is a debugger breakpoint).

vsk: I see what you mean. In this scenario, EXC_BAD_ACCESS seems a bit more to the point (to me, at…
return false;
auto brk_ptrauth_info =
GetPtrauthInstructionInfo(target, arch, current_address);
if (brk_ptrauth_info && brk_ptrauth_info->IsAuthenticated) {
emit_ptrauth_prologue(bad_address);
strm.Printf("Found value that failed to authenticate ");
DescribeAddressBriefly(strm, brk_address, target);
m_description = std::string(strm.GetString());
return true;
}
return false;
}
assert(IsBadAccess && "Handle EXC_BAD_ACCESS only after this point");
// Check that we have the "bad address" from an EXC_BAD_ACCESS.
if (m_exc_data_count < 2)
return false;
// Ok, we know the Target is valid and that it describes a ptrauth-enabled
// device. Now, we need to determine whether this exception was caused by a
// ptrauth failure.
uint64_t bad_address = m_exc_subcode;
uint64_t fixed_bad_address = abi_sp->FixCodeAddress(bad_address);
uint64_t current_pc = current_address.GetLoadAddress(&target);
// Detect: LDRAA, LDRAB (Load Register, with pointer authentication).
//
// If an authenticated load results in an exception, the instruction at the
// current PC should be one of LDRAx.
if (bad_address != current_pc && fixed_bad_address != current_pc) {
auto ptrauth_info =
GetPtrauthInstructionInfo(target, arch, current_address);
if (ptrauth_info && ptrauth_info->IsAuthenticated && ptrauth_info->IsLoad) {
emit_ptrauth_prologue(bad_address);
strm.Printf("Found authenticated load instruction ");
DescribeAddressBriefly(strm, current_address, target);
m_description = std::string(strm.GetString());
return true;
}
}
// Detect: BLRAA, BLRAAZ, BLRAB, BLRABZ (Branch with Link to Register, with
// pointer authentication).
//
// TODO: Detect: BRAA, BRAAZ, BRAB, BRABZ (Branch to Register, with pointer
// authentication). At a minimum, this requires call site info support for
// indirect calls.
//
// If an authenticated call or tail call results in an exception, stripping
// the bad address should give the current PC, which points to the address
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

I would add something like:

The current PC which points to the address we tried to branch to.

Which gives some context to the return_pc - 4 earlier.

DavidSpickett: I would add something like: ``` The current PC which points to the address we tried to branch…
vskAuthorUnsubmitted
Done
ReplyInline Actions

Will do.

vsk: Will do.
// we tried to branch to.
if (bad_address != current_pc && fixed_bad_address == current_pc) {
if (StackFrameSP parent_frame = thread.GetStackFrameAtIndex(1)) {
addr_t return_pc =
parent_frame->GetFrameCodeAddress().GetLoadAddress(&target);
Address blr_address;
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Again what would it mean if this doesn't resolve? (just wondering if there's some handling to be done or ignoring it is fine)

Guessing that it could mean that the branch was to some random address that isn't in any memory currently mapped.

DavidSpickett: Again what would it mean if this doesn't resolve? (just wondering if there's some handling to…
vskAuthorUnsubmitted
Done
ReplyInline Actions

Ignoring it (i.e. declining to hint at ptrauth failure) seems fine.

vsk: Ignoring it (i.e. declining to hint at ptrauth failure) seems fine.
if (!target.ResolveLoadAddress(return_pc - 4, blr_address))
return false;
auto blr_ptrauth_info =
GetPtrauthInstructionInfo(target, arch, blr_address);
if (blr_ptrauth_info && blr_ptrauth_info->IsAuthenticated &&
blr_ptrauth_info->DoesBranch) {
emit_ptrauth_prologue(bad_address);
strm.Printf("Found authenticated indirect branch ");
DescribeAddressBriefly(strm, blr_address, target);
m_description = std::string(strm.GetString());
return true;
}
}
}
// TODO: Detect: RETAA, RETAB (Return from subroutine, with pointer
// authentication).
//
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

I don't know if you only want "correct" code but I've mistakenly clobbered LR in inline assembly before without putting it in the clobber list. Would that count?

DavidSpickett: I don't know if you only want "correct" code but I've mistakenly clobbered LR in inline…
vskAuthorUnsubmitted
Done
ReplyInline Actions

We'd like to have lldb be smart enough to diagnose this. It's just that, early on, in our survey of auth issues encountered during bringup, this wasn't a common case.

vsk: We'd like to have lldb be smart enough to diagnose this. It's just that, early on, in our…
// Is there a motivating, non-malicious code snippet that corrupts LR?
return false;
}
const char *StopInfoMachException::GetDescription() { const char *StopInfoMachException::GetDescription() {
if (!m_description.empty()) if (!m_description.empty())
return m_description.c_str(); return m_description.c_str();
if (GetValue() == eStopReasonInvalid) if (GetValue() == eStopReasonInvalid)
return "invalid stop reason!"; return "invalid stop reason!";
ExecutionContext exe_ctx(m_thread_wp.lock()); ExecutionContext exe_ctx(m_thread_wp.lock());
Target *target = exe_ctx.GetTargetPtr(); Target *target = exe_ctx.GetTargetPtr();
Show All 33 Lines case llvm::Triple::thumb:
code_desc = "EXC_ARM_DA_ALIGN"; code_desc = "EXC_ARM_DA_ALIGN";
break; break;
case 0x102: case 0x102:
code_desc = "EXC_ARM_DA_DEBUG"; code_desc = "EXC_ARM_DA_DEBUG";
break; break;
} }
break; break;
case llvm::Triple::aarch64:
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Don't need the {} here.

DavidSpickett: Don't need the {} here.
if (DeterminePtrauthFailure(exe_ctx))
return m_description.c_str();
break;
default: default:
break; break;
} }
break; break;
case 2: // EXC_BAD_INSTRUCTION case 2: // EXC_BAD_INSTRUCTION
exc_desc = "EXC_BAD_INSTRUCTION"; exc_desc = "EXC_BAD_INSTRUCTION";
switch (cpu) { switch (cpu) {
▲ Show 20 LinesShow All 95 Lines▼ Show 20 Lines case llvm::Triple::thumb:
// FIXME temporary workaround, exc_code 0 does not really mean // FIXME temporary workaround, exc_code 0 does not really mean
// EXC_ARM_BREAKPOINT // EXC_ARM_BREAKPOINT
case 0: case 0:
code_desc = "EXC_ARM_BREAKPOINT"; code_desc = "EXC_ARM_BREAKPOINT";
break; break;
} }
break; break;
case llvm::Triple::aarch64:
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Also unneeded {} here.

DavidSpickett: Also unneeded {} here.
if (DeterminePtrauthFailure(exe_ctx))
return m_description.c_str();
break;
default: default:
break; break;
} }
} break; } break;
case 7: case 7:
exc_desc = "EXC_SYSCALL"; exc_desc = "EXC_SYSCALL";
break; break;
▲ Show 20 LinesShow All 339 LinesShow Last 20 Lines

lldb/test/API/functionalities/ptrauth_diagnostics/BLRAA_error/Makefile

  • This file was added.
C_SOURCES := blraa.c
include Makefile.rules

lldb/test/API/functionalities/ptrauth_diagnostics/BLRAA_error/TestPtrauthBLRAADiagnostic.py

  • This file was added.
from lldbsuite.test import lldbinline
from lldbsuite.test import decorators
lldbinline.MakeInlineTest(__file__, globals(),
[decorators.skipIf(archs=decorators.no_match(['arm64e']))])

lldb/test/API/functionalities/ptrauth_diagnostics/BLRAA_error/blraa.c

  • This file was added.
void foo() {}
int main() {
//% self.filecheck("c", "blraa.c")
// CHECK: stop reason = EXC_BAD_ACCESS
// CHECK-NEXT: Note: Possible pointer authentication failure detected.
// CHECK-NEXT: Found authenticated indirect branch at address=0x{{.*}} (blraa.c:[[@LINE+1]]:3).
asm volatile (
"mov x9, #0xbad \n"
"blraa %[target], x9 \n"
/* Outputs */ :
/* Inputs */ : [target] "r"(&foo)
/* Clobbers */ : "x9"
);
return 1;
}
// Expected codegen and exception message without ptrauth diagnostics:
// * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2000000100007f9c)
// frame #0: 0x0000000100007f9c blraa2`foo
// blraa2`foo:
// 0x100007f9c <+0>: ret
//
// blraa2`main:
// 0x100007fa0 <+0>: nop
// 0x100007fa4 <+4>: ldr x8, #0x5c
// 0x100007fa8 <+8>: mov x9, #0xbad

lldb/test/API/functionalities/ptrauth_diagnostics/BRAA_error/Makefile

  • This file was added.
C_SOURCES := braa.c
include Makefile.rules

lldb/test/API/functionalities/ptrauth_diagnostics/BRAA_error/TestPtrauthBRAADiagnostic.py

  • This file was added.
from lldbsuite.test import lldbinline
from lldbsuite.test import decorators
lldbinline.MakeInlineTest(__file__, globals(),
[decorators.skipIf(archs=decorators.no_match(['arm64e']))])

lldb/test/API/functionalities/ptrauth_diagnostics/BRAA_error/braa.c

  • This file was added.
void foo() {}
int main() {
//% self.filecheck("c", "braa.c")
// CHECK: stop reason = EXC_BAD_ACCESS
//
// TODO: We need call site info support for indirect calls to make this work.
// CHECK-NOT: pointer authentication failure
asm volatile (
"mov x9, #0xbad \n"
"braa %[target], x9 \n"
/* Outputs */ :
/* Inputs */ : [target] "r"(&foo)
/* Clobbers */ : "x9"
);
return 1;
}
// Expected codegen and exception message without ptrauth diagnostics:
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

This one needs a comment like the others:

/// Without PAuth diagnostics ...
DavidSpickett: This one needs a comment like the others: ``` /// Without PAuth diagnostics ... ```
// * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2000000100007f9c)
// frame #0: 0x0000000100007f9c braa`foo
// braa`foo:
// 0x100007f9c <+0>: ret
//
// braa`main:
// 0x100007fa0 <+0>: nop
// 0x100007fa4 <+4>: ldr x8, #0x5c
// 0x100007fa8 <+8>: mov x9, #0xbad

lldb/test/API/functionalities/ptrauth_diagnostics/LDRAA_error/Makefile

  • This file was added.
C_SOURCES := ldraa.c
include Makefile.rules

lldb/test/API/functionalities/ptrauth_diagnostics/LDRAA_error/TestPtrauthLDRAADiagnostic.py

  • This file was added.
from lldbsuite.test import lldbinline
from lldbsuite.test import decorators
lldbinline.MakeInlineTest(__file__, globals(),
[decorators.skipIf(archs=decorators.no_match(['arm64e']))])

lldb/test/API/functionalities/ptrauth_diagnostics/LDRAA_error/ldraa.c

  • This file was added.
int main() {
//% self.filecheck("c", "ldraa.c")
// CHECK: EXC_BAD_ACCESS
// CHECK-NEXT: Note: Possible pointer authentication failure detected.
// CHECK-NEXT: Found authenticated load instruction at address=0x{{.*}} (ldraa.c:[[@LINE+3]]:3).
long long foo = 0;
asm volatile (
"ldraa x9, [%[target]] \n"
/* Outputs */ :
/* Inputs */ : [target] "r"(&foo)
/* Clobbers */ :
);
return 1;
}
// Expected codegen, register state, and exception message without ptrauth diagnostics:
// * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2000016fdffc38)
// frame #0: 0x0000000100007fa8 ldraa`main + 12
// ldraa`main:
// -> 0x100007fa8 <+12>: ldraa x9, [x8]
// 0x100007fac <+16>: orr w0, wzr, #0x1
// 0x100007fb0 <+20>: add sp, sp, #0x10 ; =0x10
// 0x100007fb4 <+24>: ret
// Target 0: (ldraa) stopped.
// (lldb) p/x $x8
// (unsigned long) $0 = 0x000000016fdffc38
// (lldb) x/8 $x8
// 0x16fdffc38: 0x00000000 0x00000000 0x80254f30 0x00000001
// 0x16fdffc48: 0x00000000 0x00000000 0x00000000 0x00000000

lldb/test/API/functionalities/ptrauth_diagnostics/brkC47x_code/Makefile

  • This file was added.
C_SOURCES := brkC47x.c
include Makefile.rules

lldb/test/API/functionalities/ptrauth_diagnostics/brkC47x_code/TestPtrauthBRKc47xDiagnostic.py

  • This file was added.
from lldbsuite.test import lldbinline
from lldbsuite.test import decorators
lldbinline.MakeInlineTest(__file__, globals(),
[decorators.skipIf(archs=decorators.no_match(['arm64e']))])

lldb/test/API/functionalities/ptrauth_diagnostics/brkC47x_code/brkC47x.c

  • This file was added.
void foo() {}
int main() {
//% self.filecheck("c", "brkC47x.c")
// CHECK: stop reason = EXC_BAD_ACCESS
// CHECK-NEXT: Note: Possible pointer authentication failure detected.
// CHECK-NEXT: Found value that failed to authenticate at address=0x{{.*}} (brkC47x.c:1:13).
asm volatile (
"mov x16, %[target] \n"
"brk 0xc470 \n"
/* Outputs */ :
/* Inputs */ : [target] "r"(&foo)
/* Clobbers */ : "x16"
);
return 1;
}

lldb/test/API/functionalities/ptrauth_diagnostics/brkC47x_x16_invalid/Makefile

  • This file was added.
C_SOURCES := brkC47x.c
include Makefile.rules

lldb/test/API/functionalities/ptrauth_diagnostics/brkC47x_x16_invalid/TestPtrauthBRKc47xX16Invalid.py

  • This file was added.
from lldbsuite.test import lldbinline
from lldbsuite.test import decorators
lldbinline.MakeInlineTest(__file__, globals(),
[decorators.skipIf(archs=decorators.no_match(['arm64e']))])

lldb/test/API/functionalities/ptrauth_diagnostics/brkC47x_x16_invalid/brkC47x.c

  • This file was added.
int main() {
//% self.filecheck("c", "brkC47x.c")
// CHECK: stop reason = EXC_BAD_ACCESS
// CHECK-NOT: Note: Possible pointer authentication failure detected.
asm volatile (
"mov x16, #0xbad \n"
"brk 0xc470 \n"
/* Outputs */ :
/* Inputs */ :
/* Clobbers */ : "x16"
);
return 1;
}