This is an archive of the discontinued LLVM Phabricator instance.

Differential D111631

[AArch64][SVE] Fix handling of stack protection with SVE
ClosedPublic

Authored by john.brawn on Oct 12 2021, 4:39 AM.

Details

Reviewers
sdesmalen
aemerson
t.p.northover
bsmith
efriedma
Commits
rGdc9f65be4555: [AArch64][SVE] Fix handling of stack protection with SVE
Summary

Fix a couple of things that were causing stack protection to not work correctly in functions that have scalable vectors on the stack:

  • Fix an assertion failure in the StackProtector pass caused by trying to call getTypeAllocSize on a scalable vector.
  • When stack protection is enabled move the stack protector location to the top of the SVE locals, so that any overflow in them (or the other locals which are below that) will be detected.

Fixes PR51795.

Diff Detail

Unit TestsFailed

TimeTest
60 msx64 debian > Polly.CodeGen::aliasing_different_pointer_types.ll
60 msx64 debian > Polly.CodeGen::aliasing_parametric_simple_1.ll
80 msx64 debian > Polly.CodeGen::aliasing_parametric_simple_2.ll
100 msx64 debian > Polly.CodeGen::exprModDiv.ll
130 msx64 debian > Polly.CodeGen::invariant_load_base_pointer_conditional_2.ll
View Full Test Results (21 Failed)

Event Timeline

john.brawn created this revision.Oct 12 2021, 4:39 AM
Herald added a reviewer: efriedma. · View Herald TranscriptOct 12 2021, 4:39 AM
Herald added subscribers: ctetreau, psnobl, hiraditya and 2 others. · View Herald Transcript
john.brawn requested review of this revision.Oct 12 2021, 4:39 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 12 2021, 4:39 AM
danielkiss added a subscriber: danielkiss.Oct 12 2021, 4:55 AM
Harbormaster completed remote builds in B128331: Diff 378967.Oct 12 2021, 5:47 AM
Matt added a subscriber: Matt.Oct 13 2021, 2:57 PM
sdesmalen added a comment.Oct 19 2021, 8:55 AM

Thanks for working on this @john.brawn. I've left some suggestions on your patch.

llvm/lib/CodeGen/StackProtector.cpp
356–358

I'd suggest changing the interface HasAddressTaken to take a TypeSize.

llvm/lib/Target/AArch64/AArch64FrameLowering.cpp
110

In your patch you've changed the frame-layout by swapping the areas of fixed-width locals and SVE locals and always requiring/reserving x19 as a base pointer. An alternative idea is to allocate vscale x 16 bytes (i.e. size of one SVE vector) for the stack protector slot, and have that as the first SVE slot after the SVE callee saves:

+-----------------------+
|     Callee Saves      |
+ - - - - - - - - - - - +
|  Frame record (LR/FP) |
+ - - - - - - - - - - - + <- FP
| Neon/SVE callee saves |
+ - - - - - - - - - - - +
|    Stack protector    |
| . . . . . . . . . . . | <- FP - sizeof(Neon/SVE callee saves) - 1*sizeof(SVE vector)
|                       |
| SVE locals/spill-slots|
|                       |
+ - - - - - - - - - - - + 
|                       | 
|        Locals         | 
|                       | 
+------------------------ <- SP/BP

This way, we'd trade a bit of redundant stack space, but we'd avoid having to always reserve x19. We also have the benefit of using the same layout (reducing possibility of bugs being introduced by any new layout which is only enabled through a compile flag). Like with your current patch, we can still access SVE locals directly at <pointer> + <ScalableOffset>, where <pointer> in this case will be FP instead of BP.

I'm not too familiar with the exact requirements for the position of the stack protector slot, but my preliminary understanding is that it must live somewhere below the frame-record and above the locals. The above suggestion would satisfy that requirement.

Can you think of any reason why this might not be feasible?

1121

Could this use hasStackProtectorIndex instead?

john.brawn added inline comments.Oct 26 2021, 6:49 AM
llvm/lib/Target/AArch64/AArch64FrameLowering.cpp
110

I hadn't though about doing it this way, but it looks like it should be feasible and would definitely simplify things. I'll give it a go and see if I can get it working.

john.brawn updated this revision to Diff 382687.Oct 27 2021, 9:11 AM
john.brawn edited the summary of this revision. (Show Details)

Moved the stack protector to above the SVE locals instead of moving SVE locals below the stack protector, and also make use of TypeSize.

Harbormaster completed remote builds in B130969: Diff 382687.Oct 27 2021, 10:02 AM
john.brawn added a comment.Nov 8 2021, 5:34 AM

Ping.

sdesmalen added a comment.Nov 11 2021, 3:59 AM

Hi @john.brawn, thanks for updating your patch, this approach seems like a good improvement! Just left a few more comments.

llvm/lib/CodeGen/PrologEpilogInserter.cpp
969

nit: unnecessary curly braces

970

Do we need to some way to ensure that the LocalStackSlotAllocationPass doesn't pre-allocate the stack protector value if we know it will be allocated to a different StackID?

llvm/lib/CodeGen/StackProtector.cpp
175

This should use TypeSize::isKnownGT(Typesize::getFixed(MemLoc->Size.getValue()), AllocSize).

I doubt it would ever return true when AllocSize is scalable though, becuase from what I can see in the code, MemLoc.hasValue() will return false if I accesses a scalable size, because MemoryLocation will not be precise.

214

If the gep is indexing into a scalable vector type, then OffsetSize cannot be fixed size?

340

unnecessary change?

356

same here, perhaps just move this into NFC patch and submit it separately.

llvm/lib/Target/AArch64/AArch64FrameLowering.cpp
2960

I think this patch also needs some code to determineSVEStackObjectOffsets to ensure that the stack protector value is ordered before all other objects when allocating their offsets. (this is probably best tested with an MIR test)

llvm/test/CodeGen/AArch64/stack-guard-sve.ll
16

nit: To simplify the test, you could also write:

store <vscale x 4 x float> zeroinitializer, <vscale x 4 x float>* %x, align 16
john.brawn added inline comments.Nov 11 2021, 9:23 AM
llvm/lib/CodeGen/PrologEpilogInserter.cpp
969

That's done for consistency with the preceding if (which has braces because of the nested if/else).

970

I'll add an assertion to LocalStackSlotAllocationPass to check for that.

llvm/lib/CodeGen/StackProtector.cpp
214

Indexing into a scalable vector depends only on the size of the element type, which is known.

340

A relic of the previous version of this patch, I'll remove.

llvm/lib/Target/AArch64/AArch64FrameLowering.cpp
2960

Will do.

john.brawn updated this revision to Diff 388177.Nov 18 2021, 6:46 AM

Looking into the interaction with LocalStackSlotAllocation it turned out things were more complicated than I thought as it's run before we had decided to put the stack protector in the SVE stack area. I've gone with moving that decision much earlier (instead of attempting to undo what LocalStackSlotAllocation had done).

The getelementptr interaction in HasAddressTaken also wasn't right. Instead of doing "isKnownLT" we have to do "!isKnownGE" as these functions false in the "don't know" case. We also have to be more careful about the subtraction, as you can't subtract a fixed value from a scalable value.

Harbormaster completed remote builds in B134891: Diff 388177.Nov 18 2021, 7:33 AM
john.brawn added a comment.Dec 2 2021, 2:12 AM

Ping.

sdesmalen added a comment.Dec 12 2021, 3:57 AM

Thanks for the update, the patch looks structurally good to me. Just left a few nits and a request for an extra test.

llvm/lib/CodeGen/StackProtector.cpp
175

nit: TypeSize::isKnownLT ?

217–218

nit: This can just be:

TypeSize NewAllocSize = TypeSize::Fixed(AllocSize.getKnownMinValue()) - OffsetSize;

Can you also add a test for this case? I guess that would require something like:

%ptr = alloca <vscale x 4 x i32>
%ptr.bc = bitcast <vscale x 4 x i32>* to i32*
%gep = getelementptr i32, i32* %ptr.bc, i64 2 ; no stack protector needed
                                              ; (2*sizeof(i32)) < (vscale x 4 x sizeof(i32))
store i32 %something, i32* %gep
%gep2 = getelementptr i32, i32* %gep, i64 2   ; now a stack protector is needed because
                                              ; it exceeds `sizeof(4 x i32) - 2 x sizeof(i32)`
store i32 %something, i32* %gep2
llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
18431 ↗(On Diff #388177)

Is it worth adding a FIXME saying that it would be nice to have this in a new interface, something like getStackIDForStackProtectorIndex, rather than doing it in finalizeLowering?

llvm/test/CodeGen/AArch64/stack-guard-reassign-sve.mir
20 ↗(On Diff #388177)

nit: It would be better to reorder these objects so that the StackGuardSlot is not the first object, so that you can test it still gets allocated at the top of the frame. (because the algorithm processes the objects in order of id)

john.brawn marked 3 inline comments as done.Dec 13 2021, 6:40 AM
john.brawn added inline comments.
llvm/lib/CodeGen/StackProtector.cpp
175

It needs to be a negated comparison because the TypeSize::isKnownXY functions return false for "I don't know" and in those cases we should assume the access is larger than AllocSize.

john.brawn updated this revision to Diff 393874.Dec 13 2021, 6:50 AM

Adjusted based on review comments.

Harbormaster completed remote builds in B138961: Diff 393874.Dec 13 2021, 7:26 AM
sdesmalen accepted this revision.Dec 14 2021, 1:43 AM

Thanks, LGTM!

This revision is now accepted and ready to land.Dec 14 2021, 1:43 AM
This revision was landed with ongoing or failed builds.Dec 14 2021, 3:31 AM
Closed by commit rGdc9f65be4555: [AArch64][SVE] Fix handling of stack protection with SVE (authored by john.brawn). · Explain Why
This revision was automatically updated to reflect the committed changes.
john.brawn added a commit: rGdc9f65be4555: [AArch64][SVE] Fix handling of stack protection with SVE.

Revision Contents

PathSize
llvm/
include/
llvm/
CodeGen/
2 lines
lib/
CodeGen/
16 lines
20 lines
Target/
AArch64/
9 lines
test/
CodeGen/
AArch64/
147 lines

Diff 382687

llvm/include/llvm/CodeGen/StackProtector.h

Show First 20 LinesShow All 89 Lines▼ Show 20 Linesprivate:
/// for it. /// for it.
/// \param [out] IsLarge is set to true if a protectable array is found and /// \param [out] IsLarge is set to true if a protectable array is found and
/// it is "large" ( >= ssp-buffer-size). In the case of a structure with /// it is "large" ( >= ssp-buffer-size). In the case of a structure with
/// multiple arrays, this gets set if any of them is large. /// multiple arrays, this gets set if any of them is large.
bool ContainsProtectableArray(Type *Ty, bool &IsLarge, bool Strong = false, bool ContainsProtectableArray(Type *Ty, bool &IsLarge, bool Strong = false,
bool InStruct = false) const; bool InStruct = false) const;
/// Check whether a stack allocation has its address taken. /// Check whether a stack allocation has its address taken.
bool HasAddressTaken(const Instruction *AI, uint64_t AllocSize); bool HasAddressTaken(const Instruction *AI, TypeSize AllocSize);
/// RequiresStackProtector - Check whether or not this function needs a /// RequiresStackProtector - Check whether or not this function needs a
/// stack protector based upon the stack protector level. /// stack protector based upon the stack protector level.
bool RequiresStackProtector(); bool RequiresStackProtector();
public: public:
static char ID; // Pass identification, replacement for typeid. static char ID; // Pass identification, replacement for typeid.
Show All 15 Lines

llvm/lib/CodeGen/PrologEpilogInserter.cpp

Show First 20 LinesShow All 950 Lines▼ Show 20 Lines if (MFI.hasStackProtectorIndex()) {
StackObjSet LargeArrayObjs; StackObjSet LargeArrayObjs;
StackObjSet SmallArrayObjs; StackObjSet SmallArrayObjs;
StackObjSet AddrOfObjs; StackObjSet AddrOfObjs;
// If we need a stack protector, we need to make sure that // If we need a stack protector, we need to make sure that
// LocalStackSlotPass didn't already allocate a slot for it. // LocalStackSlotPass didn't already allocate a slot for it.
// If we are told to use the LocalStackAllocationBlock, the stack protector // If we are told to use the LocalStackAllocationBlock, the stack protector
// is expected to be already pre-allocated. // is expected to be already pre-allocated.
if (!MFI.getUseLocalStackAllocationBlock()) if (!MFI.getUseLocalStackAllocationBlock()) {
AdjustStackOffset(MFI, StackProtectorFI, StackGrowsDown, Offset, MaxAlign, // If the stack protector isn't on the default stack then it's up to the
Skew); // target to set the stack offset.
else if (!MFI.isObjectPreAllocated(MFI.getStackProtectorIndex())) if (MFI.getStackID(StackProtectorFI) == TargetStackID::Default)
AdjustStackOffset(MFI, StackProtectorFI, StackGrowsDown, Offset,
MaxAlign, Skew);
else
assert(MFI.getObjectOffset(StackProtectorFI) != 0 &&
"Offset of stack protector on non-default stack expected to be "
"already set.");
} else if (!MFI.isObjectPreAllocated(MFI.getStackProtectorIndex())) {
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

nit: unnecessary curly braces

sdesmalen: nit: unnecessary curly braces
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

That's done for consistency with the preceding if (which has braces because of the nested if/else).

john.brawn: That's done for consistency with the preceding if (which has braces because of the nested…
llvm_unreachable( llvm_unreachable(
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

Do we need to some way to ensure that the LocalStackSlotAllocationPass doesn't pre-allocate the stack protector value if we know it will be allocated to a different StackID?

sdesmalen: Do we need to some way to ensure that the LocalStackSlotAllocationPass doesn't pre-allocate the…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I'll add an assertion to LocalStackSlotAllocationPass to check for that.

john.brawn: I'll add an assertion to LocalStackSlotAllocationPass to check for that.
"Stack protector not pre-allocated by LocalStackSlotPass."); "Stack protector not pre-allocated by LocalStackSlotPass.");
}
// Assign large stack objects first. // Assign large stack objects first.
for (unsigned i = 0, e = MFI.getObjectIndexEnd(); i != e; ++i) { for (unsigned i = 0, e = MFI.getObjectIndexEnd(); i != e; ++i) {
if (MFI.isObjectPreAllocated(i) && MFI.getUseLocalStackAllocationBlock()) if (MFI.isObjectPreAllocated(i) && MFI.getUseLocalStackAllocationBlock())
continue; continue;
if (i >= MinCSFrameIndex && i <= MaxCSFrameIndex) if (i >= MinCSFrameIndex && i <= MaxCSFrameIndex)
continue; continue;
if (RS && RS->isScavengingFrameIndex((int)i)) if (RS && RS->isScavengingFrameIndex((int)i))
▲ Show 20 LinesShow All 388 LinesShow Last 20 Lines

llvm/lib/CodeGen/StackProtector.cpp

Show First 20 LinesShow All 158 Lines▼ Show 20 Lines if (ContainsProtectableArray(*I, IsLarge, Strong, true)) {
return true; return true;
NeedsProtector = true; NeedsProtector = true;
} }
return NeedsProtector; return NeedsProtector;
} }
bool StackProtector::HasAddressTaken(const Instruction *AI, bool StackProtector::HasAddressTaken(const Instruction *AI,
uint64_t AllocSize) { TypeSize AllocSize) {
const DataLayout &DL = M->getDataLayout(); const DataLayout &DL = M->getDataLayout();
for (const User *U : AI->users()) { for (const User *U : AI->users()) {
const auto *I = cast<Instruction>(U); const auto *I = cast<Instruction>(U);
// If this instruction accesses memory make sure it doesn't access beyond // If this instruction accesses memory make sure it doesn't access beyond
// the bounds of the allocated object. // the bounds of the allocated object.
Optional<MemoryLocation> MemLoc = MemoryLocation::getOrNone(I); Optional<MemoryLocation> MemLoc = MemoryLocation::getOrNone(I);
if (MemLoc.hasValue() && MemLoc->Size.hasValue() && if (MemLoc.hasValue() && MemLoc->Size.hasValue() &&
MemLoc->Size.getValue() > AllocSize) MemLoc->Size.getValue() > AllocSize.getKnownMinValue())
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

This should use TypeSize::isKnownGT(Typesize::getFixed(MemLoc->Size.getValue()), AllocSize).

I doubt it would ever return true when AllocSize is scalable though, becuase from what I can see in the code, MemLoc.hasValue() will return false if I accesses a scalable size, because MemoryLocation will not be precise.

sdesmalen: This should use `TypeSize::isKnownGT(Typesize::getFixed(MemLoc->Size.getValue()), AllocSize)`.
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

nit: TypeSize::isKnownLT ?

sdesmalen: nit: `TypeSize::isKnownLT` ?
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

It needs to be a negated comparison because the TypeSize::isKnownXY functions return false for "I don't know" and in those cases we should assume the access is larger than AllocSize.

john.brawn: It needs to be a negated comparison because the TypeSize::isKnownXY functions return false for…
return true; return true;
switch (I->getOpcode()) { switch (I->getOpcode()) {
case Instruction::Store: case Instruction::Store:
if (AI == cast<StoreInst>(I)->getValueOperand()) if (AI == cast<StoreInst>(I)->getValueOperand())
return true; return true;
break; break;
case Instruction::AtomicCmpXchg: case Instruction::AtomicCmpXchg:
// cmpxchg conceptually includes both a load and store from the same // cmpxchg conceptually includes both a load and store from the same
Show All 16 Lines for (const User *U : AI->users()) {
case Instruction::Invoke: case Instruction::Invoke:
return true; return true;
case Instruction::GetElementPtr: { case Instruction::GetElementPtr: {
// If the GEP offset is out-of-bounds, or is non-constant and so has to be // If the GEP offset is out-of-bounds, or is non-constant and so has to be
// assumed to be potentially out-of-bounds, then any memory access that // assumed to be potentially out-of-bounds, then any memory access that
// would use it could also be out-of-bounds meaning stack protection is // would use it could also be out-of-bounds meaning stack protection is
// required. // required.
const GetElementPtrInst *GEP = cast<GetElementPtrInst>(I); const GetElementPtrInst *GEP = cast<GetElementPtrInst>(I);
unsigned TypeSize = DL.getIndexTypeSizeInBits(I->getType()); unsigned IndexSize = DL.getIndexTypeSizeInBits(I->getType());
APInt Offset(TypeSize, 0); APInt Offset(IndexSize, 0);
APInt MaxOffset(TypeSize, AllocSize); APInt MaxOffset(IndexSize, AllocSize);
if (!GEP->accumulateConstantOffset(DL, Offset) || Offset.ugt(MaxOffset)) if (!GEP->accumulateConstantOffset(DL, Offset) || Offset.ugt(MaxOffset))
return true; return true;
// Adjust AllocSize to be the space remaining after this offset. // Adjust AllocSize to be the space remaining after this offset.
if (HasAddressTaken(I, AllocSize - Offset.getLimitedValue())) TypeSize OffsetSize = TypeSize::Fixed(Offset.getLimitedValue());
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

If the gep is indexing into a scalable vector type, then OffsetSize cannot be fixed size?

sdesmalen: If the gep is indexing into a scalable vector type, then OffsetSize cannot be fixed size?
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

Indexing into a scalable vector depends only on the size of the element type, which is known.

john.brawn: Indexing into a scalable vector depends only on the size of the element type, which is known.
if (HasAddressTaken(I, AllocSize - OffsetSize))
return true; return true;
break; break;
} }
sdesmalenUnsubmitted
Done
ReplyInline Actions

nit: This can just be:

TypeSize NewAllocSize = TypeSize::Fixed(AllocSize.getKnownMinValue()) - OffsetSize;

Can you also add a test for this case? I guess that would require something like:

%ptr = alloca <vscale x 4 x i32>
%ptr.bc = bitcast <vscale x 4 x i32>* to i32*
%gep = getelementptr i32, i32* %ptr.bc, i64 2 ; no stack protector needed
                                              ; (2*sizeof(i32)) < (vscale x 4 x sizeof(i32))
store i32 %something, i32* %gep
%gep2 = getelementptr i32, i32* %gep, i64 2   ; now a stack protector is needed because
                                              ; it exceeds `sizeof(4 x i32) - 2 x sizeof(i32)`
store i32 %something, i32* %gep2
sdesmalen: nit: This can just be: TypeSize NewAllocSize = TypeSize::Fixed(AllocSize.getKnownMinValue())…
case Instruction::BitCast: case Instruction::BitCast:
case Instruction::Select: case Instruction::Select:
case Instruction::AddrSpaceCast: case Instruction::AddrSpaceCast:
if (HasAddressTaken(I, AllocSize)) if (HasAddressTaken(I, AllocSize))
return true; return true;
break; break;
case Instruction::PHI: { case Instruction::PHI: {
// Keep track of what PHI nodes we have already visited to ensure // Keep track of what PHI nodes we have already visited to ensure
▲ Show 20 LinesShow All 105 Lines▼ Show 20 Lines for (const Instruction &I : BB) {
MachineFrameInfo::SSPLK_LargeArray)); MachineFrameInfo::SSPLK_LargeArray));
ORE.emit(RemarkBuilder); ORE.emit(RemarkBuilder);
NeedsProtector = true; NeedsProtector = true;
} }
continue; continue;
} }
bool IsLarge = false; bool IsLarge = false;
if (ContainsProtectableArray(AI->getAllocatedType(), IsLarge, Strong)) { Type *AllocType = AI->getAllocatedType();
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

unnecessary change?

sdesmalen: unnecessary change?
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

A relic of the previous version of this patch, I'll remove.

john.brawn: A relic of the previous version of this patch, I'll remove.
if (ContainsProtectableArray(AllocType, IsLarge, Strong)) {
Layout.insert(std::make_pair(AI, IsLarge Layout.insert(std::make_pair(AI, IsLarge
? MachineFrameInfo::SSPLK_LargeArray ? MachineFrameInfo::SSPLK_LargeArray
: MachineFrameInfo::SSPLK_SmallArray)); : MachineFrameInfo::SSPLK_SmallArray));
ORE.emit([&]() { ORE.emit([&]() {
return OptimizationRemark(DEBUG_TYPE, "StackProtectorBuffer", &I) return OptimizationRemark(DEBUG_TYPE, "StackProtectorBuffer", &I)
<< "Stack protection applied to function " << "Stack protection applied to function "
<< ore::NV("Function", F) << ore::NV("Function", F)
<< " due to a stack allocated buffer or struct containing a " << " due to a stack allocated buffer or struct containing a "
"buffer"; "buffer";
}); });
NeedsProtector = true; NeedsProtector = true;
continue; continue;
} }
if (Strong && HasAddressTaken(AI, M->getDataLayout().getTypeAllocSize( TypeSize AllocSize = M->getDataLayout().getTypeAllocSize(AllocType);
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

same here, perhaps just move this into NFC patch and submit it separately.

sdesmalen: same here, perhaps just move this into NFC patch and submit it separately.
AI->getAllocatedType()))) { if (Strong && HasAddressTaken(AI, AllocSize)) {
++NumAddrTaken; ++NumAddrTaken;
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

I'd suggest changing the interface HasAddressTaken to take a TypeSize.

sdesmalen: I'd suggest changing the interface HasAddressTaken to take a TypeSize.
Layout.insert(std::make_pair(AI, MachineFrameInfo::SSPLK_AddrOf)); Layout.insert(std::make_pair(AI, MachineFrameInfo::SSPLK_AddrOf));
ORE.emit([&]() { ORE.emit([&]() {
return OptimizationRemark(DEBUG_TYPE, "StackProtectorAddressTaken", return OptimizationRemark(DEBUG_TYPE, "StackProtectorAddressTaken",
&I) &I)
<< "Stack protection applied to function " << "Stack protection applied to function "
<< ore::NV("Function", F) << ore::NV("Function", F)
<< " due to the address of a local variable being taken"; << " due to the address of a local variable being taken";
}); });
▲ Show 20 LinesShow All 250 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/AArch64FrameLowering.cpp

Show First 20 LinesShow All 101 Lines▼ Show 20 Lines
// '#-7 mul vl' is an offset that can only be evaluated at runtime. With this // '#-7 mul vl' is an offset that can only be evaluated at runtime. With this
// layout, we don't need to add an unscaled offset to the framepointer before // layout, we don't need to add an unscaled offset to the framepointer before
// accessing the SVE object in the frame. // accessing the SVE object in the frame.
// //
// In some cases when a base pointer is not strictly needed, it is generated // In some cases when a base pointer is not strictly needed, it is generated
// anyway when offsets from the frame pointer to access local variables become // anyway when offsets from the frame pointer to access local variables become
// so large that the offset can't be encoded in the immediate fields of loads // so large that the offset can't be encoded in the immediate fields of loads
// or stores. // or stores.
// //
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

In your patch you've changed the frame-layout by swapping the areas of fixed-width locals and SVE locals and always requiring/reserving x19 as a base pointer. An alternative idea is to allocate vscale x 16 bytes (i.e. size of one SVE vector) for the stack protector slot, and have that as the first SVE slot after the SVE callee saves:

+-----------------------+
|     Callee Saves      |
+ - - - - - - - - - - - +
|  Frame record (LR/FP) |
+ - - - - - - - - - - - + <- FP
| Neon/SVE callee saves |
+ - - - - - - - - - - - +
|    Stack protector    |
| . . . . . . . . . . . | <- FP - sizeof(Neon/SVE callee saves) - 1*sizeof(SVE vector)
|                       |
| SVE locals/spill-slots|
|                       |
+ - - - - - - - - - - - + 
|                       | 
|        Locals         | 
|                       | 
+------------------------ <- SP/BP

This way, we'd trade a bit of redundant stack space, but we'd avoid having to always reserve x19. We also have the benefit of using the same layout (reducing possibility of bugs being introduced by any new layout which is only enabled through a compile flag). Like with your current patch, we can still access SVE locals directly at <pointer> + <ScalableOffset>, where <pointer> in this case will be FP instead of BP.

I'm not too familiar with the exact requirements for the position of the stack protector slot, but my preliminary understanding is that it must live somewhere below the frame-record and above the locals. The above suggestion would satisfy that requirement.

Can you think of any reason why this might not be feasible?

sdesmalen: In your patch you've changed the frame-layout by swapping the areas of fixed-width locals and…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

I hadn't though about doing it this way, but it looks like it should be feasible and would definitely simplify things. I'll give it a go and see if I can get it working.

john.brawn: I hadn't though about doing it this way, but it looks like it should be feasible and would…
// Outgoing function arguments must be at the bottom of the stack frame when // Outgoing function arguments must be at the bottom of the stack frame when
// calling another function. If we do not have variable-sized stack objects, we // calling another function. If we do not have variable-sized stack objects, we
// can allocate a "reserved call frame" area at the bottom of the local // can allocate a "reserved call frame" area at the bottom of the local
// variable area, large enough for all outgoing calls. If we do have VLAs, then // variable area, large enough for all outgoing calls. If we do have VLAs, then
// the stack pointer must be decremented and incremented around each call to // the stack pointer must be decremented and incremented around each call to
// make space for the arguments below the VLAs. // make space for the arguments below the VLAs.
// //
// FIXME: also explain the redzone concept. // FIXME: also explain the redzone concept.
▲ Show 20 LinesShow All 994 Lines▼ Show 20 Lines bool needsFrameMoves =
MF.needsFrameMoves() && !MF.getTarget().getMCAsmInfo()->usesWindowsCFI(); MF.needsFrameMoves() && !MF.getTarget().getMCAsmInfo()->usesWindowsCFI();
bool HasFP = hasFP(MF); bool HasFP = hasFP(MF);
bool NeedsWinCFI = needsWinCFI(MF); bool NeedsWinCFI = needsWinCFI(MF);
bool HasWinCFI = false; bool HasWinCFI = false;
auto Cleanup = make_scope_exit([&]() { MF.setHasWinCFI(HasWinCFI); }); auto Cleanup = make_scope_exit([&]() { MF.setHasWinCFI(HasWinCFI); });
bool IsFunclet = MBB.isEHFuncletEntry(); bool IsFunclet = MBB.isEHFuncletEntry();
// At this point, we're going to decide whether or not the function uses a // At this point, we're going to decide whether or not the function uses a
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

Could this use hasStackProtectorIndex instead?

sdesmalen: Could this use `hasStackProtectorIndex` instead?
// redzone. In most cases, the function doesn't have a redzone so let's // redzone. In most cases, the function doesn't have a redzone so let's
// assume that's false and set it to true in the case that there's a redzone. // assume that's false and set it to true in the case that there's a redzone.
AFI->setHasRedZone(false); AFI->setHasRedZone(false);
// Debug location must be unknown since the first debug location is used // Debug location must be unknown since the first debug location is used
// to determine the end of the prologue. // to determine the end of the prologue.
DebugLoc DL; DebugLoc DL;
▲ Show 20 LinesShow All 1,815 Lines▼ Show 20 Linesbool AArch64FrameLowering::assignCalleeSavedSpillSlots(
if (CSI.empty()) if (CSI.empty())
return true; // Early exit if no callee saved registers are modified! return true; // Early exit if no callee saved registers are modified!
// Now that we know which registers need to be saved and restored, allocate // Now that we know which registers need to be saved and restored, allocate
// stack slots for them. // stack slots for them.
MachineFrameInfo &MFI = MF.getFrameInfo(); MachineFrameInfo &MFI = MF.getFrameInfo();
auto *AFI = MF.getInfo<AArch64FunctionInfo>(); auto *AFI = MF.getInfo<AArch64FunctionInfo>();
// When using a stack protector with SVE it needs to be placed at the top of
// the SVE stack area, as the SVE locals are placed above the other locals, so
// we allocate it as if it were a scalable vector.
if (MFI.hasStackProtectorIndex() && estimateSVEStackObjectOffsets(MFI) > 0) {
MFI.setStackID(MFI.getStackProtectorIndex(), TargetStackID::ScalableVector);
MFI.setObjectAlignment(MFI.getStackProtectorIndex(), Align(16));
}
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

I think this patch also needs some code to determineSVEStackObjectOffsets to ensure that the stack protector value is ordered before all other objects when allocating their offsets. (this is probably best tested with an MIR test)

sdesmalen: I think this patch also needs some code to `determineSVEStackObjectOffsets` to ensure that the…
john.brawnAuthorUnsubmitted
Done
ReplyInline Actions

Will do.

john.brawn: Will do.
for (auto &CS : CSI) { for (auto &CS : CSI) {
Register Reg = CS.getReg(); Register Reg = CS.getReg();
const TargetRegisterClass *RC = RegInfo->getMinimalPhysRegClass(Reg); const TargetRegisterClass *RC = RegInfo->getMinimalPhysRegClass(Reg);
unsigned Size = RegInfo->getSpillSize(*RC); unsigned Size = RegInfo->getSpillSize(*RC);
Align Alignment(RegInfo->getSpillAlign(*RC)); Align Alignment(RegInfo->getSpillAlign(*RC));
int FrameIdx = MFI.CreateStackObject(Size, Alignment, true); int FrameIdx = MFI.CreateStackObject(Size, Alignment, true);
CS.setFrameIdx(FrameIdx); CS.setFrameIdx(FrameIdx);
▲ Show 20 LinesShow All 761 LinesShow Last 20 Lines

llvm/test/CodeGen/AArch64/stack-guard-sve.ll

  • This file was added.
; RUN: llc -mtriple=aarch64--linux-gnu -mattr=+sve < %s | FileCheck %s
declare dso_local void @val_fn(<vscale x 4 x float>)
declare dso_local void @ptr_fn(<vscale x 4 x float>*)
; An alloca of a scalable vector shouldn't trigger stack protection.
; CHECK-LABEL: call_value:
; CHECK-NOT: mov x19, sp
; CHECK: addvl sp, sp, #-1
; CHECK-NOT: __stack_chk_guard
; CHECK: st1w { {{z[0-9]+.s}} }, {{p[0-9]+}}, [x29, #-1, mul vl]
define void @call_value() #0 {
entry:
%x = alloca <vscale x 4 x float>, align 16
store <vscale x 4 x float> shufflevector (<vscale x 4 x float> insertelement (<vscale x 4 x float> poison, float 0.000000e+00, i32 0), <vscale x 4 x float> poison, <vscale x 4 x i32> zeroinitializer), <vscale x 4 x float>* %x, align 16
sdesmalenUnsubmitted
Not Done
ReplyInline Actions

nit: To simplify the test, you could also write:

store <vscale x 4 x float> zeroinitializer, <vscale x 4 x float>* %x, align 16
sdesmalen: nit: To simplify the test, you could also write: store <vscale x 4 x float> zeroinitializer…
%0 = load <vscale x 4 x float>, <vscale x 4 x float>* %x, align 16
call void @val_fn(<vscale x 4 x float> %0)
ret void
}
; CHECK-LABEL: call_value_strong:
; CHECK-NOT: mov x19, sp
; CHECK: addvl sp, sp, #-1
; CHECK-NOT: __stack_chk_guard
; CHECK: st1w { {{z[0-9]+.s}} }, {{p[0-9]+}}, [x29, #-1, mul vl]
define void @call_value_strong() #1 {
entry:
%x = alloca <vscale x 4 x float>, align 16
store <vscale x 4 x float> shufflevector (<vscale x 4 x float> insertelement (<vscale x 4 x float> poison, float 0.000000e+00, i32 0), <vscale x 4 x float> poison, <vscale x 4 x i32> zeroinitializer), <vscale x 4 x float>* %x, align 16
%0 = load <vscale x 4 x float>, <vscale x 4 x float>* %x, align 16
call void @val_fn(<vscale x 4 x float> %0)
ret void
}
; Address-taking of a scalable vector should trigger stack protection only with
; sspstrong, and the scalable vector should be be placed below the stack guard.
; CHECK-LABEL: call_ptr:
; CHECK-NOT: mov x19, sp
; CHECK: addvl sp, sp, #-1
; CHECK-NOT: __stack_chk_guard
; CHECK: addvl x0, x29, #-1
; CHECK: bl ptr_fn
define void @call_ptr() #0 {
entry:
%x = alloca <vscale x 4 x float>, align 16
call void @ptr_fn(<vscale x 4 x float>* %x)
ret void
}
; CHECK-LABEL: call_ptr_strong:
; CHECK: mov x29, sp
; CHECK: addvl sp, sp, #-2
; CHECK-DAG: addvl [[ADDR:x[0-9]+]], x29, #-1
; CHECK-DAG: ldr [[VAL:x[0-9]+]], [{{x[0-9]+}}, :lo12:__stack_chk_guard]
; CHECK-DAG: str [[VAL]], {{\[}}[[ADDR]]]
; CHECK-DAG: addvl x0, x29, #-2
; CHECK: bl ptr_fn
define void @call_ptr_strong() #1 {
entry:
%x = alloca <vscale x 4 x float>, align 16
call void @ptr_fn(<vscale x 4 x float>* %x)
ret void
}
; Check that both variables are addressed in the same way
; CHECK-LABEL: call_both:
; CHECK: mov x29, sp
; CHECK: addvl sp, sp, #-2
; CHECK-NOT: __stack_chk_guard
; CHECK: st1w { {{z[0-9]+.s}} }, {{p[0-9]+}}, [x29, #-1, mul vl]
; CHECK: bl val_fn
; CHECK: addvl x0, x29, #-2
; CHECK: bl ptr_fn
define void @call_both() #0 {
entry:
%x = alloca <vscale x 4 x float>, align 16
%y = alloca <vscale x 4 x float>, align 16
store <vscale x 4 x float> shufflevector (<vscale x 4 x float> insertelement (<vscale x 4 x float> poison, float 0.000000e+00, i32 0), <vscale x 4 x float> poison, <vscale x 4 x i32> zeroinitializer), <vscale x 4 x float>* %x, align 16
%0 = load <vscale x 4 x float>, <vscale x 4 x float>* %x, align 16
call void @val_fn(<vscale x 4 x float> %0)
call void @ptr_fn(<vscale x 4 x float>* %y)
ret void
}
; CHECK-LABEL: call_both_strong:
; CHECK: mov x29, sp
; CHECK: addvl sp, sp, #-3
; CHECK-DAG: addvl [[ADDR:x[0-9]+]], x29, #-1
; CHECK-DAG: ldr [[VAL:x[0-9]+]], [{{x[0-9]+}}, :lo12:__stack_chk_guard]
; CHECK-DAG: str [[VAL]], {{\[}}[[ADDR]]]
; CHECK-DAG: st1w { {{z[0-9]+.s}} }, {{p[0-9]+}}, [x29, #-2, mul vl]
; CHECK: bl val_fn
; CHECK: addvl x0, x29, #-3
; CHECK: bl ptr_fn
define void @call_both_strong() #1 {
entry:
%x = alloca <vscale x 4 x float>, align 16
%y = alloca <vscale x 4 x float>, align 16
store <vscale x 4 x float> shufflevector (<vscale x 4 x float> insertelement (<vscale x 4 x float> poison, float 0.000000e+00, i32 0), <vscale x 4 x float> poison, <vscale x 4 x i32> zeroinitializer), <vscale x 4 x float>* %x, align 16
%0 = load <vscale x 4 x float>, <vscale x 4 x float>* %x, align 16
call void @val_fn(<vscale x 4 x float> %0)
call void @ptr_fn(<vscale x 4 x float>* %y)
ret void
}
; Pushed callee-saved regs should be above the stack guard
; CHECK-LABEL: callee_save:
; CHECK: mov x29, sp
; CHECK: addvl sp, sp, #-18
; CHECK: str {{z[0-9]+}}, [sp, #{{[0-9]+}}, mul vl]
; CHECK-NOT: mov x29, sp
; CHECK: addvl sp, sp, #-1
; CHECK-NOT: __stack_chk_guard
; CHECK: addvl [[REG:x[0-9]+]], x29, #-11
; CHECK: st1w { {{z[0-9]+.s}} }, {{p[0-9]+}}, {{\[}}[[REG]], #-8, mul vl]
define void @callee_save(<vscale x 4 x float> %x) #0 {
entry:
%x.addr = alloca <vscale x 4 x float>, align 16
store <vscale x 4 x float> %x, <vscale x 4 x float>* %x.addr, align 16
call void @ptr_fn(<vscale x 4 x float>* %x.addr)
ret void
}
; CHECK-LABEL: callee_save_strong:
; CHECK: mov x29, sp
; CHECK: addvl sp, sp, #-18
; CHECK: str {{z[0-9]+}}, [sp, #{{[0-9]+}}, mul vl]
; CHECK: addvl sp, sp, #-2
; CHECK-DAG: addvl [[ADDR:x[0-9]+]], x29, #-19
; CHECK-DAG: ldr [[VAL:x[0-9]+]], [{{x[0-9]+}}, :lo12:__stack_chk_guard]
; CHECK-DAG: str [[VAL]], {{\[}}[[ADDR]]]
; CHECK-DAG: addvl [[ADDR2:x[0-9]+]], x29, #-12
; CHECK-DAG: st1w { z0.s }, p0, {{\[}}[[ADDR2]], #-8, mul vl]
define void @callee_save_strong(<vscale x 4 x float> %x) #1 {
entry:
%x.addr = alloca <vscale x 4 x float>, align 16
store <vscale x 4 x float> %x, <vscale x 4 x float>* %x.addr, align 16
call void @ptr_fn(<vscale x 4 x float>* %x.addr)
ret void
}
attributes #0 = { ssp "frame-pointer"="non-leaf" }
attributes #1 = { sspstrong "frame-pointer"="non-leaf" }