This is an archive of the discontinued LLVM Phabricator instance.

[ARM] Implement BTI placement pass for PACBTI-M

Authored by stuij on Oct 25 2021, 3:26 AM.



This patch implements a new MachineFunction in the ARM backend for
placing BTI instructions. It is similar to the existing AArch64
aarch64-branch-targets pass.

BTI instructions are inserted into basic blocks that:

  • Have their address taken
  • Are the entry block of a function, if the function has external linkage or has its address taken
  • Are mentioned in jump tables
  • Are exception/cleanup landing pads

Each BTI instructions is placed in the beginning of a BB after the
so-called meta instructions (e.g. exception handler labels).

Each outlining candidate and the outlined function need to be in agreement about
whether BTI placement is enabled or not. If branch target enforcement is
disabled for a function, the outliner should not covertly enable it by emitting
a call to an outlined function, which begins with BTI.

The cost mode of the outliner is adjusted to account for the extra BTI
instructions in the outlined function.

The ARM Constant Islands pass will maintain the count of the jump tables, which
reference a block. A BTI instruction is removed from a block only if the
reference count reaches zero.

PAC instructions in entry blocks are replaced with PACBTI instructions (tests
for this case will be added in a later patch because the compiler currently does
not generate PAC instructions).

The ARM Constant Island pass is adjusted to handle BTI
instructions correctly.

Functions with static linkage that don't have their address taken can
still be called indirectly by linker-generated veneers and thus their
entry points need be marked with BTI or PACBTI.

The changes are tested using "LLVM IR -> assembly" tests, jump tables
also have a MIR test. Unfortunately it is not possible add MIR tests
for exception handling and computed gotos because of MIR parser

This patch is part of a series that adds support for the PACBTI-M extension of
the Armv8.1-M architecture, as detailed here:

The PACBTI-M specification can be found in the Armv8-M Architecture Reference

The following people contributed to this patch:

  • Mikhail Maltsev
  • Momchil Velikov
  • Ties Stuij

Diff Detail

Event Timeline

stuij created this revision.Oct 25 2021, 3:26 AM
stuij requested review of this revision.Oct 25 2021, 3:26 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 25 2021, 3:26 AM
ostannard accepted this revision.Oct 28 2021, 4:24 AM
ostannard added a subscriber: ostannard.

LGTM, just a few nit-picks.


Please add a comment explaining that branch-target-enforcement is guaranteed to be consistent between all candidates, so we only need to look at one.


Extra word "static" here



This revision is now accepted and ready to land.Oct 28 2021, 4:24 AM
stuij updated this revision to Diff 390323.Nov 29 2021, 6:04 AM
stuij marked 3 inline comments as done.

address review comments, and obey clang-format

This revision was automatically updated to reflect the committed changes.