This is an archive of the discontinued LLVM Phabricator instance.

[X86] Fix fentry handling in X86IndirectBranchTracking.cpp
ClosedPublic

Authored by joaomoreira on Oct 4 2021, 6:57 PM.

Download Raw Diff

Details

Reviewers

craig.topper
xiangzhangllvm
oren_ben_simhon
amilburn
pengfei

Commits

rGdfcf69770bc5: [X86] Fix fentry handling in X86IndirectBranchTracking.cpp

Summary

When compiling with indirect branch tracking and fentry (-fcf-protection=branch -mfentry -pg) the X86IndirectBranchTrackingPass will attempt to place endbr in basic blocks, checking for Calls/IsCallReturnTwice. For calling the function IsCallReturnTwice(), the pass attempts to retrieve the first operand of the respective machine instruction. Since FENTRY_CALL is considered a call, and it does not have any argument, the condition inside the pass will attempt to call IsCallReturnTwice on the machine instruction, but since it does not have operands, it will lead into a crash.

Kudos to Alyssa Milburn for helping in the issue triage. The diff brings a test, but to reproduce the problem, follow the steps below.

echo "int main() {};" > repro.c
clang repro.c -fcf-protection=branch -mfentry -pg

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

joaomoreira created this revision.Oct 4 2021, 6:57 PM

Herald added subscribers: pengfei, hiraditya. · View Herald TranscriptOct 4 2021, 6:57 PM

joaomoreira requested review of this revision.Oct 4 2021, 6:57 PM

Herald added a subscriber: llvm-commits. · View Herald TranscriptOct 4 2021, 6:57 PM

joaomoreira edited the summary of this revision. (Show Details)Oct 4 2021, 6:59 PM

craig.topper added a reviewer: pengfei.Oct 4 2021, 7:06 PM

LGTM

This revision is now accepted and ready to land.Oct 4 2021, 7:13 PM

Harbormaster completed remote builds in B126957: Diff 377067.Oct 4 2021, 7:45 PM

It seems this was not merged yet. Is there anything else needed?

In D111108#3174689, @joaomoreira wrote:

It seems this was not merged yet. Is there anything else needed?

I probably just forgot you don't have commit access. @pengfei do you mind committing this?

Closed by commit rGdfcf69770bc5: [X86] Fix fentry handling in X86IndirectBranchTracking.cpp (authored by joaomoreira, committed by pengfei). · Explain WhyDec 6 2021, 8:10 PM

This revision was automatically updated to reflect the committed changes.

pengfei added a commit: rGdfcf69770bc5: [X86] Fix fentry handling in X86IndirectBranchTracking.cpp.

In D111108#3174721, @craig.topper wrote:

In D111108#3174689, @joaomoreira wrote:

It seems this was not merged yet. Is there anything else needed?

I probably just forgot you don't have commit access. @pengfei do you mind committing this?

Done~

I added the x86 triple from the other existing test to this new one since on any other Arch it was choosing native arch and failing.

https://lab.llvm.org/buildbot/#/builders/179/builds/2046

It passed with that but feel free to fix what I did if you intended something else.

https://reviews.llvm.org/rGdb490ad3852c

In D111108#3175787, @DavidSpickett wrote:

I added the x86 triple from the other existing test to this new one since on any other Arch it was choosing native arch and failing.

https://lab.llvm.org/buildbot/#/builders/179/builds/2046

It passed with that but feel free to fix what I did if you intended something else.

https://reviews.llvm.org/rGdb490ad3852c

I believe it's the right fix. Thanks @DavidSpickett !

FWIIW, looks correct to me too. Tks @DavidSpickett

Revision Contents

Path

Size

llvm/

lib/

Target/

X86/

X86IndirectBranchTracking.cpp

4 lines

test/

CodeGen/

X86/

fentry-ibt.ll

17 lines

Diff 392270

llvm/lib/Target/X86/X86IndirectBranchTracking.cpp

Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines	#endif

for (auto &MBB : MF) {		for (auto &MBB : MF) {
// Find all basic blocks that their address was taken (for example		// Find all basic blocks that their address was taken (for example
// in the case of indirect jump) and add ENDBR instruction.		// in the case of indirect jump) and add ENDBR instruction.
if (MBB.hasAddressTaken())		if (MBB.hasAddressTaken())
Changed \|= addENDBR(MBB, MBB.begin());		Changed \|= addENDBR(MBB, MBB.begin());

for (MachineBasicBlock::iterator I = MBB.begin(); I != MBB.end(); ++I) {		for (MachineBasicBlock::iterator I = MBB.begin(); I != MBB.end(); ++I) {
if (I->isCall() && IsCallReturnTwice(I->getOperand(0)))		if (I->isCall() && I->getNumOperands() > 0 &&
		IsCallReturnTwice(I->getOperand(0))) {
Changed \|= addENDBR(MBB, std::next(I));		Changed \|= addENDBR(MBB, std::next(I));
}		}
		}

// Exception handle may indirectly jump to catch pad, So we should add		// Exception handle may indirectly jump to catch pad, So we should add
// ENDBR before catch pad instructions. For SjLj exception model, it will		// ENDBR before catch pad instructions. For SjLj exception model, it will
// create a new BB(new landingpad) indirectly jump to the old landingpad.		// create a new BB(new landingpad) indirectly jump to the old landingpad.
if (TM->Options.ExceptionModel == ExceptionHandling::SjLj) {		if (TM->Options.ExceptionModel == ExceptionHandling::SjLj) {
for (MachineBasicBlock::iterator I = MBB.begin(); I != MBB.end(); ++I) {		for (MachineBasicBlock::iterator I = MBB.begin(); I != MBB.end(); ++I) {
// New Landingpad BB without EHLabel.		// New Landingpad BB without EHLabel.
if (MBB.isEHPad()) {		if (MBB.isEHPad()) {
Show All 25 Lines

llvm/test/CodeGen/X86/fentry-ibt.ll

This file was added.

				; RUN: llc %s -o - -verify-machineinstrs \| FileCheck %s

				define void @test1() #0 {
				entry:
				ret void

				; CHECK-LABEL: @test1
				; CHECK: endbr64
				; CHECK: callq __fentry__
				; CHECK-NOT: mcount
				; CHECK: retq
				}

				!llvm.module.flags = !{!0}

				attributes #0 = { "fentry-call"="true" }
				!0 = !{i32 4, !"cf-protection-branch", i32 1}