This is an archive of the discontinued LLVM Phabricator instance.

Differential D112768

[ARM] implement support for TLS register based stack protector
ClosedPublic

Authored by ardb on Oct 28 2021, 4:09 PM.

Details

Reviewers
nickdesaulniers
peter.smith
nathanchance
kees
rengolin
ostannard
DavidSpickett
danielkiss
Commits
rGa19da876ab93: [ARM] implement support for TLS register based stack protector
Summary

Implement support for loading the stack canary from a memory location held in
the TLS register, with an optional offset applied. This is used by the Linux
kernel to implement per-task stack canaries, which is impossible on SMP systems
when using a global variable for the stack canary.

Suggestions for how to test this and where to insert the test code into the
tree are kindly welcomed.

Diff Detail

Event Timeline

ardb created this revision.Oct 28 2021, 4:09 PM
Herald added subscribers: hiraditya, kristof.beyls. · View Herald TranscriptOct 28 2021, 4:09 PM
ardb requested review of this revision.Oct 28 2021, 4:09 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptOct 28 2021, 4:09 PM
Herald added subscribers: llvm-commits, cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B131316: Diff 383188.Oct 28 2021, 4:47 PM
nickdesaulniers added a comment.Oct 28 2021, 4:49 PM

Nice job! This looks like it hits every place that I was looking at for this.

In terms of tests, https://reviews.llvm.org/D100919 and https://reviews.llvm.org/D102742 are probably interesting.

In particular, we should test that clang no longer rejects -mstack-protector-guard=tls -mstack-protector-guard-offset=0 for --target=arm-linux-gnueabihf and --target=arm-linux-gnueabihf -mthumb. (clang/test/Driver/stack-protector-guard.c
)

Then we should test

target triple = "arm-unknown-linux-gnueabihf"

declare void @baz(i32*)

define void @foo(i64 %t) sspstrong {
  %vla = alloca i32, i64 %t, align 4
  call void @baz(i32* nonnull %vla)
  ret void
}
!llvm.module.flags = !{!1, !2}
!1 = !{i32 2, !"stack-protector-guard", !"tls"}
!2 = !{i32 2, !"stack-protector-guard-offset", !"0"}

generates mrc (and test again with "thumbv7-linux-gnu"). We can use -mtriple= flags to llc rather than hard coding the triple in IR. (create llvm/test/CodeGen/ARM/stack-guard-sysreg.ll)

This also involves implementing LOAD_STACK_GUARD for other ARM targets than
Mach-O.

It might be worthwhile to break this up into 2 commits; one that does just that, so that we can isolate any test changes or possible build breakages to that, then have this patch implementing support for tls stack guards on top.

llvm/lib/Target/ARM/ARMBaseInstrInfo.cpp
4903

I think we want to use Reg in this instruction, in order to load into the specified destination?

4907

do we need to add al?

llvm/lib/Target/ARM/ARMInstrInfo.cpp
102

do we have to worry about soft tp, ie. __aeabi_read_tp vs mrc?

nickdesaulniers added inline comments.Oct 28 2021, 4:57 PM
llvm/lib/Target/ARM/Thumb2InstrInfo.cpp
250

what about Thumb1InstrInfo::expandLoadStackGuard? Do we have mrc available in Thumb[1] as well?

nickdesaulniers added a reviewer: rengolin.Oct 28 2021, 5:06 PM
ardb added a comment.Oct 29 2021, 7:28 AM

I have split off the LOAD_STACK_GUARD changes into

[ARM] implement LOAD_STACK_GUARD for remaining targets
llvm/lib/Target/ARM/ARMBaseInstrInfo.cpp
4903

We use Reg, no? MRC does not take reg operands, but I pass it as the target register.

4907

It appears so.

llvm/lib/Target/ARM/ARMInstrInfo.cpp
102

I think we should only allow this hard TP is supported in the first place. I'll add a check somewhere.
Calling a helper in both the prologue and the epilogue for emulated TLS seems a bit too heavyweight to me, and the Linux kernel will not use it in that way anyway.

llvm/lib/Target/ARM/Thumb2InstrInfo.cpp
250

No Thumb1 does not have an encoding for MRC so we can ignore it here. It does mean we should not allow this feature to be turned out for such targets.

ardb updated this revision to Diff 383390.Oct 29 2021, 9:29 AM
ardb edited the summary of this revision. (Show Details)
  • split off LOAD_STACK_GUARD conversion
  • deal with guard offsets >= 4096 bytes
  • reject offsets < 0 or >= 1 MiB
  • add backend test to check that the MRC/LDR sequence is emitted twice
Harbormaster completed remote builds in B131452: Diff 383390.Oct 29 2021, 9:29 AM
ardb added a parent revision: D112811: [ARM] implement LOAD_STACK_GUARD for remaining targets.Oct 29 2021, 9:34 AM
nickdesaulniers added a comment.Oct 29 2021, 2:01 PM

Codegen looks good, probably just need an additional conditional on ARMSubtarget::isReadTPHard(). With that and some more tests for cases we don't intend to support (thumb[1], soft tp) this LGTM. Great job @ardb !

llvm/lib/Target/ARM/ARMBaseInstrInfo.cpp
4903

ah, yep, sorry, LGTM.

llvm/lib/Target/ARM/ARMInstrInfo.cpp
102

I agree. Let's add a test that this only works with the -mattr=+read-tp-hard llc flag or "target-features"="+read-tp-hard" function attribute (one or the other, I don't think we need to exhaustively test both). But it would be good to verify what happens when +read-tp-hard is not set, in case someone else cares to add soft tp support here in the future. (They may never, it's more so to highlight whether such a change would be intentional).

ARMSubtarget::isReadTPHard() should be able to help us differentiate this case.

llvm/lib/Target/ARM/Thumb2InstrInfo.cpp
250

Let's add a test for such case.

llvm/test/CodeGen/ARM/stack-guard-tls.ll
6–12

You can convert --check-prefix=CHECK --check-prefix=CHECK-SMALL to --check-prefixes=CHECK,CHECK-SMALL.

ardb added inline comments.Oct 29 2021, 3:25 PM
llvm/lib/Target/ARM/ARMInstrInfo.cpp
102

I agree. Let's add a test that this only works with the -mattr=+read-tp-hard llc flag or "target-features"="+read-tp-hard" function attribute (one or the other, I don't think we need to exhaustively test both). But it would be good to verify what happens when +read-tp-hard is not set, in case someone else cares to add soft tp support here in the future. (They may never, it's more so to highlight whether such a change would be intentional).

ARMSubtarget::isReadTPHard() should be able to help us differentiate this case.

I could not figure out how to check this at command line parsing time. If we check it later, we basically crash the compiler, right? Not very elegant ...

llvm/lib/Target/ARM/Thumb2InstrInfo.cpp
250

Let's add a test for such case.

Same problem: I could not figure out how to decide early enough whether we are targetting Thumb1 or Thumb2/ARM

peter.smith added a reviewer: ostannard.Oct 31 2021, 1:34 PM

Adding ostannard to reviewers list. I'm going to be on vacation next week and Oliver is more familiar with this area than I am.

To prevent the option in Clang for targets that don't support Thumb2 it may be worth looking into clang/lib/Basic/Targets/ARM.cpp for example https://github.com/llvm/llvm-project/blob/main/clang/lib/Basic/Targets/ARM.cpp#L174

ardb updated this revision to Diff 384116.Nov 2 2021, 8:35 AM
  • add diagnostics to the frontend and asserts to the backend to ensure that the TLS stack protector is only used on target subarchs that implement the hardware TLS register to begin with
  • ensure that the offset parameter is not omitted, as the default is INT_MAX which is out of bounds
ardb marked 7 inline comments as done.Nov 2 2021, 8:36 AM
Harbormaster completed remote builds in B131991: Diff 384116.Nov 2 2021, 9:18 AM
ardb added a child revision: D113026: [ARM] reject -mtp=cp15 if target subarch does not support it.Nov 2 2021, 9:26 AM
ardb updated this revision to Diff 384154.Nov 2 2021, 10:28 AM
  • fix failure in newly added LLVM test
Harbormaster completed remote builds in B132007: Diff 384154.Nov 2 2021, 11:15 AM
nickdesaulniers added inline comments.Nov 2 2021, 11:29 AM
clang/lib/Driver/ToolChains/Clang.cpp
3178–3180

Does GCC require these flags to be paired (-mstack-protector-guard= and -mstack-protector-guard-offset) ? Only for ARM and THUMB? Doesn't the offset only make sense for sysreg and tls, or global, too?

Seems to me like 0 would be a good default offset, if unspecified.

Perhaps this would good to check then warn on for all supported architectures, and perhaps as another child patch? (or just default to 0 and not require -mstack-protector-offset=).

3191–3192

Isn't this redundant/set elsewhere?

ardb added inline comments.Nov 2 2021, 11:37 AM
clang/lib/Driver/ToolChains/Clang.cpp
3178–3180

Does GCC require these flags to be paired (-mstack-protector-guard= and -mstack-protector-guard-offset) ? Only for ARM and THUMB? Doesn't the offset only make sense for sysreg and tls, or global, too?

GCC does not implement this for ARM yet. For AArch64, it requires all three options: guard, guard-reg and guard-offset.

Seems to me like 0 would be a good default offset, if unspecified.

The default is INT_MAX at the moment, and I wasn't sure if we can simply change that without breaking users.

Perhaps this would good to check then warn on for all supported architectures, and perhaps as another child patch? (or just default to 0 and not require -mstack-protector-offset=).

Yes, I think it makes sense to check this for AAch64 as well.

3191–3192

No, it is not. The alternative is requiring the user to pass -mtp=cp15 when using the TLS stack protector, which is silly because it is implied.

nickdesaulniers added inline comments.Nov 3 2021, 10:36 AM
clang/lib/Driver/ToolChains/Clang.cpp
3191–3192

Right. Perhaps we could emit diag::err_drv_argument_not_allowed_with if the user specified -mtp=soft with -mstack-protector-guard=tls.

It looks like a call to clang::driver::tools::arm::getReadTPMode() should being able to tell us whether someone explicitly tried to use soft.

nickdesaulniers added reviewers: DavidSpickett, danielkiss.Nov 3 2021, 10:38 AM
ardb updated this revision to Diff 384564.Nov 3 2021, 1:00 PM
  • disallow -mtp=soft when TLS based stack protector is enabled
ardb marked 2 inline comments as done.Nov 3 2021, 1:01 PM
ardb added inline comments.
clang/lib/Driver/ToolChains/Clang.cpp
3191–3192

Right. Perhaps we could emit diag::err_drv_argument_not_allowed_with if the user specified -mtp=soft with -mstack-protector-guard=tls.

It looks like a call to clang::driver::tools::arm::getReadTPMode() should being able to tell us whether someone explicitly tried to use soft.

nickdesaulniers accepted this revision.Nov 3 2021, 1:04 PM

Looks great! Nice job!

This revision is now accepted and ready to land.Nov 3 2021, 1:04 PM
Harbormaster completed remote builds in B132314: Diff 384564.Nov 3 2021, 1:57 PM
Closed by commit rGa19da876ab93: [ARM] implement support for TLS register based stack protector (authored by ardb). · Explain WhyNov 9 2021, 9:23 AM
This revision was automatically updated to reflect the committed changes.
ardb marked an inline comment as done.
ardb added a commit: rGa19da876ab93: [ARM] implement support for TLS register based stack protector.
nickdesaulniers mentioned this in D112811: [ARM] implement LOAD_STACK_GUARD for remaining targets.Nov 29 2021, 5:43 PM

Revision Contents

PathSize
clang/
include/
clang/
Basic/
2 lines
3 lines
lib/
Driver/
ToolChains/
43 lines
test/
Driver/
24 lines
llvm/
lib/
Target/
ARM/
82 lines
6 lines
5 lines
7 lines
test/
CodeGen/
ARM/
38 lines

Diff 385848

clang/include/clang/Basic/DiagnosticCommonKinds.td

Show First 20 LinesShow All 292 Lines▼ Show 20 Linesdef err_mips_fp64_req : Error<
"'%0' can only be used if the target supports the mfhc1 and mthc1 instructions">; "'%0' can only be used if the target supports the mfhc1 and mthc1 instructions">;
def err_target_unknown_fpmath : Error<"unknown FP unit '%0'">; def err_target_unknown_fpmath : Error<"unknown FP unit '%0'">;
def err_target_unsupported_fpmath : Error< def err_target_unsupported_fpmath : Error<
"the '%0' unit is not supported with this instruction set">; "the '%0' unit is not supported with this instruction set">;
def err_target_unsupported_unaligned : Error< def err_target_unsupported_unaligned : Error<
"the %0 sub-architecture does not support unaligned accesses">; "the %0 sub-architecture does not support unaligned accesses">;
def err_target_unsupported_execute_only : Error< def err_target_unsupported_execute_only : Error<
"execute only is not supported for the %0 sub-architecture">; "execute only is not supported for the %0 sub-architecture">;
def err_target_unsupported_tp_hard : Error<
"hardware TLS register is not supported for the %0 sub-architecture">;
def err_target_unsupported_mcmse : Error< def err_target_unsupported_mcmse : Error<
"-mcmse is not supported for %0">; "-mcmse is not supported for %0">;
def err_opt_not_valid_with_opt : Error< def err_opt_not_valid_with_opt : Error<
"option '%0' cannot be specified with '%1'">; "option '%0' cannot be specified with '%1'">;
def err_opt_not_valid_without_opt : Error< def err_opt_not_valid_without_opt : Error<
"option '%0' cannot be specified without '%1'">; "option '%0' cannot be specified without '%1'">;
def err_opt_not_valid_on_target : Error< def err_opt_not_valid_on_target : Error<
"option '%0' cannot be specified on this target">; "option '%0' cannot be specified on this target">;
▲ Show 20 LinesShow All 68 LinesShow Last 20 Lines

clang/include/clang/Basic/DiagnosticDriverKinds.td

Show First 20 LinesShow All 586 Lines▼ Show 20 Lines
def remark_cc1_round_trip_generated : Remark< def remark_cc1_round_trip_generated : Remark<
"generated arguments #%0 in round-trip: %1">, InGroup<RoundTripCC1Args>; "generated arguments #%0 in round-trip: %1">, InGroup<RoundTripCC1Args>;
def err_cc1_round_trip_fail_then_ok : Error< def err_cc1_round_trip_fail_then_ok : Error<
"original arguments parse failed, then succeeded in round-trip">; "original arguments parse failed, then succeeded in round-trip">;
def err_cc1_round_trip_ok_then_fail : Error< def err_cc1_round_trip_ok_then_fail : Error<
"generated arguments parse failed in round-trip">; "generated arguments parse failed in round-trip">;
def err_cc1_round_trip_mismatch : Error< def err_cc1_round_trip_mismatch : Error<
"generated arguments do not match in round-trip">; "generated arguments do not match in round-trip">;
def err_drv_ssp_missing_offset_argument : Error<
"'%0' is used without '-mstack-protector-guard-offset', and there is no default">;
} }

clang/lib/Driver/ToolChains/Clang.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 3,156 Lines▼ Show 20 Lines if (Str.startswith("ssp-buffer-size=")) {
} }
A->claim(); A->claim();
} }
} }
const std::string &TripleStr = EffectiveTriple.getTriple(); const std::string &TripleStr = EffectiveTriple.getTriple();
if (Arg *A = Args.getLastArg(options::OPT_mstack_protector_guard_EQ)) { if (Arg *A = Args.getLastArg(options::OPT_mstack_protector_guard_EQ)) {
StringRef Value = A->getValue(); StringRef Value = A->getValue();
if (!EffectiveTriple.isX86() && !EffectiveTriple.isAArch64()) if (!EffectiveTriple.isX86() && !EffectiveTriple.isAArch64() &&
!EffectiveTriple.isARM() && !EffectiveTriple.isThumb())
D.Diag(diag::err_drv_unsupported_opt_for_target) D.Diag(diag::err_drv_unsupported_opt_for_target)
<< A->getAsString(Args) << TripleStr; << A->getAsString(Args) << TripleStr;
if (EffectiveTriple.isX86() && Value != "tls" && Value != "global") { if ((EffectiveTriple.isX86() || EffectiveTriple.isARM() ||
EffectiveTriple.isThumb()) &&
Value != "tls" && Value != "global") {
D.Diag(diag::err_drv_invalid_value_with_suggestion) D.Diag(diag::err_drv_invalid_value_with_suggestion)
<< A->getOption().getName() << Value << "tls global"; << A->getOption().getName() << Value << "tls global";
return; return;
} }
if ((EffectiveTriple.isARM() || EffectiveTriple.isThumb()) &&
Value == "tls") {
if (!Args.hasArg(options::OPT_mstack_protector_guard_offset_EQ)) {
D.Diag(diag::err_drv_ssp_missing_offset_argument)
<< A->getAsString(Args);
nickdesaulniersUnsubmitted
Not Done
ReplyInline Actions

Does GCC require these flags to be paired (-mstack-protector-guard= and -mstack-protector-guard-offset) ? Only for ARM and THUMB? Doesn't the offset only make sense for sysreg and tls, or global, too?

Seems to me like 0 would be a good default offset, if unspecified.

Perhaps this would good to check then warn on for all supported architectures, and perhaps as another child patch? (or just default to 0 and not require -mstack-protector-offset=).

nickdesaulniers: Does GCC require these flags to be paired (`-mstack-protector-guard=` and `-mstack-protector…
ardbAuthorUnsubmitted
Done
ReplyInline Actions

Does GCC require these flags to be paired (-mstack-protector-guard= and -mstack-protector-guard-offset) ? Only for ARM and THUMB? Doesn't the offset only make sense for sysreg and tls, or global, too?

GCC does not implement this for ARM yet. For AArch64, it requires all three options: guard, guard-reg and guard-offset.

Seems to me like 0 would be a good default offset, if unspecified.

The default is INT_MAX at the moment, and I wasn't sure if we can simply change that without breaking users.

Perhaps this would good to check then warn on for all supported architectures, and perhaps as another child patch? (or just default to 0 and not require -mstack-protector-offset=).

Yes, I think it makes sense to check this for AAch64 as well.

ardb: > Does GCC require these flags to be paired (`-mstack-protector-guard=` and `-mstack-protector…
return;
}
// Check whether the target subarch supports the hardware TLS register
if (arm::getARMSubArchVersionNumber(EffectiveTriple) < 7 &&
llvm::ARM::parseArch(EffectiveTriple.getArchName()) !=
llvm::ARM::ArchKind::ARMV6T2) {
D.Diag(diag::err_target_unsupported_tp_hard)
<< EffectiveTriple.getArchName();
return;
}
// Check whether the user asked for something other than -mtp=cp15
if (Arg *A = Args.getLastArg(options::OPT_mtp_mode_EQ)) {
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

Isn't this redundant/set elsewhere?

nickdesaulniers: Isn't this redundant/set elsewhere?
ardbAuthorUnsubmitted
Done
ReplyInline Actions

No, it is not. The alternative is requiring the user to pass -mtp=cp15 when using the TLS stack protector, which is silly because it is implied.

ardb: No, it is not. The alternative is requiring the user to pass -mtp=cp15 when using the TLS stack…
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

Right. Perhaps we could emit diag::err_drv_argument_not_allowed_with if the user specified -mtp=soft with -mstack-protector-guard=tls.

It looks like a call to clang::driver::tools::arm::getReadTPMode() should being able to tell us whether someone explicitly tried to use soft.

nickdesaulniers: Right. Perhaps we could emit `diag::err_drv_argument_not_allowed_with` if the user specified `…
ardbAuthorUnsubmitted
Done
ReplyInline Actions

Right. Perhaps we could emit diag::err_drv_argument_not_allowed_with if the user specified -mtp=soft with -mstack-protector-guard=tls.

It looks like a call to clang::driver::tools::arm::getReadTPMode() should being able to tell us whether someone explicitly tried to use soft.

ardb: > Right. Perhaps we could emit `diag::err_drv_argument_not_allowed_with` if the user specified…
StringRef Value = A->getValue();
if (Value != "cp15") {
D.Diag(diag::err_drv_argument_not_allowed_with)
<< A->getAsString(Args) << "-mstack-protector-guard=tls";
return;
}
}
CmdArgs.push_back("-target-feature");
CmdArgs.push_back("+read-tp-hard");
}
if (EffectiveTriple.isAArch64() && Value != "sysreg" && Value != "global") { if (EffectiveTriple.isAArch64() && Value != "sysreg" && Value != "global") {
D.Diag(diag::err_drv_invalid_value_with_suggestion) D.Diag(diag::err_drv_invalid_value_with_suggestion)
<< A->getOption().getName() << Value << "sysreg global"; << A->getOption().getName() << Value << "sysreg global";
return; return;
} }
A->render(Args, CmdArgs); A->render(Args, CmdArgs);
} }
if (Arg *A = Args.getLastArg(options::OPT_mstack_protector_guard_offset_EQ)) { if (Arg *A = Args.getLastArg(options::OPT_mstack_protector_guard_offset_EQ)) {
StringRef Value = A->getValue(); StringRef Value = A->getValue();
if (!EffectiveTriple.isX86() && !EffectiveTriple.isAArch64()) if (!EffectiveTriple.isX86() && !EffectiveTriple.isAArch64() &&
!EffectiveTriple.isARM() && !EffectiveTriple.isThumb())
D.Diag(diag::err_drv_unsupported_opt_for_target) D.Diag(diag::err_drv_unsupported_opt_for_target)
<< A->getAsString(Args) << TripleStr; << A->getAsString(Args) << TripleStr;
int Offset; int Offset;
if (Value.getAsInteger(10, Offset)) { if (Value.getAsInteger(10, Offset)) {
D.Diag(diag::err_drv_invalid_value) << A->getOption().getName() << Value; D.Diag(diag::err_drv_invalid_value) << A->getOption().getName() << Value;
return; return;
} }
if ((EffectiveTriple.isARM() || EffectiveTriple.isThumb()) &&
(Offset < 0 || Offset > 0xfffff)) {
D.Diag(diag::err_drv_invalid_int_value)
<< A->getOption().getName() << Value;
return;
}
A->render(Args, CmdArgs); A->render(Args, CmdArgs);
} }
if (Arg *A = Args.getLastArg(options::OPT_mstack_protector_guard_reg_EQ)) { if (Arg *A = Args.getLastArg(options::OPT_mstack_protector_guard_reg_EQ)) {
StringRef Value = A->getValue(); StringRef Value = A->getValue();
if (!EffectiveTriple.isX86() && !EffectiveTriple.isAArch64()) if (!EffectiveTriple.isX86() && !EffectiveTriple.isAArch64())
D.Diag(diag::err_drv_unsupported_opt_for_target) D.Diag(diag::err_drv_unsupported_opt_for_target)
<< A->getAsString(Args) << TripleStr; << A->getAsString(Args) << TripleStr;
▲ Show 20 LinesShow All 4,759 LinesShow Last 20 Lines

clang/test/Driver/stack-protector-guard.c

Show All 9 Lines
// INVALID-VALUE: error: invalid value 'local' in 'mstack-protector-guard=', expected one of: tls global // INVALID-VALUE: error: invalid value 'local' in 'mstack-protector-guard=', expected one of: tls global
// RUN: %clang -### -target x86_64-unknown-unknown -mstack-protector-guard-reg=fs %s 2>&1 | \ // RUN: %clang -### -target x86_64-unknown-unknown -mstack-protector-guard-reg=fs %s 2>&1 | \
// RUN: FileCheck -check-prefix=CHECK-FS %s // RUN: FileCheck -check-prefix=CHECK-FS %s
// RUN: %clang -### -target x86_64-unknown-unknown -mstack-protector-guard-reg=gs %s 2>&1 | \ // RUN: %clang -### -target x86_64-unknown-unknown -mstack-protector-guard-reg=gs %s 2>&1 | \
// RUN: FileCheck -check-prefix=CHECK-GS %s // RUN: FileCheck -check-prefix=CHECK-GS %s
// Invalid arch // Invalid arch
// RUN: not %clang -target arm-eabi-c -mstack-protector-guard=tls %s 2>&1 | \ // RUN: not %clang -target powerpc64le-linux-gnu -mstack-protector-guard=tls %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-ARCH %s // RUN: FileCheck -check-prefix=INVALID-ARCH %s
// INVALID-ARCH: unsupported option '-mstack-protector-guard=tls' for target // INVALID-ARCH: unsupported option '-mstack-protector-guard=tls' for target
// RUN: not %clang -target powerpc64le-linux-gnu -mstack-protector-guard-reg=fs %s 2>&1 | \ // RUN: not %clang -target powerpc64le-linux-gnu -mstack-protector-guard-reg=fs %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-ARCH2 %s // RUN: FileCheck -check-prefix=INVALID-ARCH2 %s
// INVALID-ARCH2: unsupported option '-mstack-protector-guard-reg=fs' for target // INVALID-ARCH2: unsupported option '-mstack-protector-guard-reg=fs' for target
// RUN: not %clang -target arm-linux-gnueabi -mstack-protector-guard-offset=10 %s 2>&1 | \ // RUN: not %clang -target powerpc64le-linux-gnu -mstack-protector-guard-offset=10 %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-ARCH3 %s // RUN: FileCheck -check-prefix=INVALID-ARCH3 %s
// INVALID-ARCH3: unsupported option '-mstack-protector-guard-offset=10' for target // INVALID-ARCH3: unsupported option '-mstack-protector-guard-offset=10' for target
// Invalid option value // Invalid option value
// RUN: not %clang -target x86_64-unknown-unknown -c -mstack-protector-guard-reg=cs %s 2>&1 | \ // RUN: not %clang -target x86_64-unknown-unknown -c -mstack-protector-guard-reg=cs %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-REG %s // RUN: FileCheck -check-prefix=INVALID-REG %s
// RUN: not %clang -target x86_64-unknown-unknown -c -mstack-protector-guard-reg=ds %s 2>&1 | \ // RUN: not %clang -target x86_64-unknown-unknown -c -mstack-protector-guard-reg=ds %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-REG %s // RUN: FileCheck -check-prefix=INVALID-REG %s
// CHECK-FS: "-cc1" {{.*}}"-mstack-protector-guard-reg=fs" // CHECK-FS: "-cc1" {{.*}}"-mstack-protector-guard-reg=fs"
// CHECK-GS: "-cc1" {{.*}}"-mstack-protector-guard-reg=gs" // CHECK-GS: "-cc1" {{.*}}"-mstack-protector-guard-reg=gs"
// INVALID-REG: error: invalid value {{.*}} in 'mstack-protector-guard-reg=', expected one of: fs gs // INVALID-REG: error: invalid value {{.*}} in 'mstack-protector-guard-reg=', expected one of: fs gs
// RUN: not %clang -target arm-eabi-c -mstack-protector-guard=tls %s 2>&1 | \
// RUN: FileCheck -check-prefix=MISSING-OFFSET %s
// MISSING-OFFSET: error: '-mstack-protector-guard=tls' is used without '-mstack-protector-guard-offset', and there is no default
// RUN: not %clang -target arm-eabi-c -mstack-protector-guard-offset=1048576 %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-OFFSET %s
// INVALID-OFFSET: invalid integral value '1048576' in 'mstack-protector-guard-offset='
// RUN: not %clang -target arm-eabi-c -mstack-protector-guard=sysreg %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-VALUE2 %s
// INVALID-VALUE2: error: invalid value 'sysreg' in 'mstack-protector-guard=', expected one of: tls global
// RUN: not %clang -target thumbv6-eabi-c -mthumb -mstack-protector-guard=tls -mstack-protector-guard-offset=0 %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-ARCH4 %s
// INVALID-ARCH4: error: hardware TLS register is not supported for the thumbv6 sub-architecture
// RUN: not %clang -target thumbv7-eabi-c -mtp=soft -mstack-protector-guard=tls -mstack-protector-guard-offset=0 %s 2>&1 | \
// RUN: FileCheck -check-prefix=INVALID-TP %s
// INVALID-TP: error: invalid argument '-mtp=soft' not allowed with '-mstack-protector-guard=tls'
// RUN: %clang -### -target x86_64-unknown-unknown -mstack-protector-guard-offset=30 %s 2>&1 | \ // RUN: %clang -### -target x86_64-unknown-unknown -mstack-protector-guard-offset=30 %s 2>&1 | \
// RUN: FileCheck -check-prefix=CHECK-OFFSET %s // RUN: FileCheck -check-prefix=CHECK-OFFSET %s
// CHECK-OFFSET: "-cc1" {{.*}}"-mstack-protector-guard-offset=30" // CHECK-OFFSET: "-cc1" {{.*}}"-mstack-protector-guard-offset=30"
// RUN: %clang -### -target aarch64-linux-gnu -mstack-protector-guard=sysreg \ // RUN: %clang -### -target aarch64-linux-gnu -mstack-protector-guard=sysreg \
// RUN: -mstack-protector-guard-reg=sp_el0 \ // RUN: -mstack-protector-guard-reg=sp_el0 \
// RUN: -mstack-protector-guard-offset=0 %s 2>&1 | \ // RUN: -mstack-protector-guard-offset=0 %s 2>&1 | \
Show All 12 Lines

llvm/lib/Target/ARM/ARMBaseInstrInfo.cpp

Show First 20 LinesShow All 4,884 Lines▼ Show 20 Linesvoid ARMBaseInstrInfo::expandLoadStackGuardBase(MachineBasicBlock::iterator MI,
unsigned LoadImmOpc, unsigned LoadImmOpc,
unsigned LoadOpc) const { unsigned LoadOpc) const {
assert(!Subtarget.isROPI() && !Subtarget.isRWPI() && assert(!Subtarget.isROPI() && !Subtarget.isRWPI() &&
"ROPI/RWPI not currently supported with stack guard"); "ROPI/RWPI not currently supported with stack guard");
MachineBasicBlock &MBB = *MI->getParent(); MachineBasicBlock &MBB = *MI->getParent();
DebugLoc DL = MI->getDebugLoc(); DebugLoc DL = MI->getDebugLoc();
Register Reg = MI->getOperand(0).getReg(); Register Reg = MI->getOperand(0).getReg();
MachineInstrBuilder MIB;
unsigned int Offset = 0;
if (LoadImmOpc == ARM::MRC || LoadImmOpc == ARM::t2MRC) {
assert(Subtarget.isReadTPHard() &&
"TLS stack protector requires hardware TLS register");
BuildMI(MBB, MI, DL, get(LoadImmOpc), Reg)
.addImm(15)
.addImm(0)
.addImm(13)
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

I think we want to use Reg in this instruction, in order to load into the specified destination?

nickdesaulniers: I think we want to use `Reg` in this instruction, in order to load into the specified…
ardbAuthorUnsubmitted
Done
ReplyInline Actions

We use Reg, no? MRC does not take reg operands, but I pass it as the target register.

ardb: We use Reg, no? MRC does not take reg operands, but I pass it as the target register.
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

ah, yep, sorry, LGTM.

nickdesaulniers: ah, yep, sorry, LGTM.
.addImm(0)
.addImm(3)
.add(predOps(ARMCC::AL));
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

do we need to add al?

nickdesaulniers: do we need to add `al`?
ardbAuthorUnsubmitted
Done
ReplyInline Actions

It appears so.

ardb: It appears so.
Module &M = *MBB.getParent()->getFunction().getParent();
Offset = M.getStackProtectorGuardOffset();
if (Offset & ~0xfffU) {
// The offset won't fit in the LDR's 12-bit immediate field, so emit an
// extra ADD to cover the delta. This gives us a guaranteed 8 additional
// bits, resulting in a range of 0 to +1 MiB for the guard offset.
unsigned AddOpc = (LoadImmOpc == ARM::MRC) ? ARM::ADDri : ARM::t2ADDri;
BuildMI(MBB, MI, DL, get(AddOpc), Reg)
.addReg(Reg, RegState::Kill)
.addImm(Offset & ~0xfffU)
.add(predOps(ARMCC::AL))
.addReg(0);
Offset &= 0xfffU;
}
} else {
const GlobalValue *GV = const GlobalValue *GV =
cast<GlobalValue>((*MI->memoperands_begin())->getValue()); cast<GlobalValue>((*MI->memoperands_begin())->getValue());
bool IsIndirect = Subtarget.isGVIndirectSymbol(GV); bool IsIndirect = Subtarget.isGVIndirectSymbol(GV);
MachineInstrBuilder MIB;
unsigned TargetFlags = ARMII::MO_NO_FLAG; unsigned TargetFlags = ARMII::MO_NO_FLAG;
if (Subtarget.isTargetMachO()) { if (Subtarget.isTargetMachO()) {
TargetFlags |= ARMII::MO_NONLAZY; TargetFlags |= ARMII::MO_NONLAZY;
} else if (Subtarget.isTargetCOFF()) { } else if (Subtarget.isTargetCOFF()) {
if (GV->hasDLLImportStorageClass()) if (GV->hasDLLImportStorageClass())
TargetFlags |= ARMII::MO_DLLIMPORT; TargetFlags |= ARMII::MO_DLLIMPORT;
else if (IsIndirect) else if (IsIndirect)
TargetFlags |= ARMII::MO_COFFSTUB; TargetFlags |= ARMII::MO_COFFSTUB;
} else if (Subtarget.isGVInGOT(GV)) { } else if (Subtarget.isGVInGOT(GV)) {
TargetFlags |= ARMII::MO_GOT; TargetFlags |= ARMII::MO_GOT;
} }
BuildMI(MBB, MI, DL, get(LoadImmOpc), Reg) BuildMI(MBB, MI, DL, get(LoadImmOpc), Reg)
.addGlobalAddress(GV, 0, TargetFlags); .addGlobalAddress(GV, 0, TargetFlags);
if (IsIndirect) { if (IsIndirect) {
MIB = BuildMI(MBB, MI, DL, get(LoadOpc), Reg); MIB = BuildMI(MBB, MI, DL, get(LoadOpc), Reg);
MIB.addReg(Reg, RegState::Kill).addImm(0); MIB.addReg(Reg, RegState::Kill).addImm(0);
auto Flags = MachineMemOperand::MOLoad | auto Flags = MachineMemOperand::MOLoad |
MachineMemOperand::MODereferenceable | MachineMemOperand::MODereferenceable |
MachineMemOperand::MOInvariant; MachineMemOperand::MOInvariant;
MachineMemOperand *MMO = MBB.getParent()->getMachineMemOperand( MachineMemOperand *MMO = MBB.getParent()->getMachineMemOperand(
MachinePointerInfo::getGOT(*MBB.getParent()), Flags, 4, Align(4)); MachinePointerInfo::getGOT(*MBB.getParent()), Flags, 4, Align(4));
MIB.addMemOperand(MMO).add(predOps(ARMCC::AL)); MIB.addMemOperand(MMO).add(predOps(ARMCC::AL));
} }
}
MIB = BuildMI(MBB, MI, DL, get(LoadOpc), Reg); MIB = BuildMI(MBB, MI, DL, get(LoadOpc), Reg);
MIB.addReg(Reg, RegState::Kill) MIB.addReg(Reg, RegState::Kill)
.addImm(0) .addImm(Offset)
.cloneMemRefs(*MI) .cloneMemRefs(*MI)
.add(predOps(ARMCC::AL)); .add(predOps(ARMCC::AL));
} }
bool bool
ARMBaseInstrInfo::isFpMLxInstruction(unsigned Opcode, unsigned &MulOpc, ARMBaseInstrInfo::isFpMLxInstruction(unsigned Opcode, unsigned &MulOpc,
unsigned &AddSubOpc, unsigned &AddSubOpc,
bool &NegAcc, bool &HasLane) const { bool &NegAcc, bool &HasLane) const {
▲ Show 20 LinesShow All 1,637 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMInstrInfo.cpp

Show First 20 LinesShow All 89 Lines▼ Show 20 Linesunsigned ARMInstrInfo::getUnindexedOpcode(unsigned Opc) const {
return 0; return 0;
} }
void ARMInstrInfo::expandLoadStackGuard(MachineBasicBlock::iterator MI) const { void ARMInstrInfo::expandLoadStackGuard(MachineBasicBlock::iterator MI) const {
MachineFunction &MF = *MI->getParent()->getParent(); MachineFunction &MF = *MI->getParent()->getParent();
const ARMSubtarget &Subtarget = MF.getSubtarget<ARMSubtarget>(); const ARMSubtarget &Subtarget = MF.getSubtarget<ARMSubtarget>();
const TargetMachine &TM = MF.getTarget(); const TargetMachine &TM = MF.getTarget();
Module &M = *MF.getFunction().getParent();
if (M.getStackProtectorGuard() == "tls") {
expandLoadStackGuardBase(MI, ARM::MRC, ARM::LDRi12);
return;
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

do we have to worry about soft tp, ie. __aeabi_read_tp vs mrc?

nickdesaulniers: do we have to worry about soft tp, ie. `__aeabi_read_tp` vs `mrc`?
ardbAuthorUnsubmitted
Done
ReplyInline Actions

I think we should only allow this hard TP is supported in the first place. I'll add a check somewhere.
Calling a helper in both the prologue and the epilogue for emulated TLS seems a bit too heavyweight to me, and the Linux kernel will not use it in that way anyway.

ardb: I think we should only allow this hard TP is supported in the first place. I'll add a check…
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

I agree. Let's add a test that this only works with the -mattr=+read-tp-hard llc flag or "target-features"="+read-tp-hard" function attribute (one or the other, I don't think we need to exhaustively test both). But it would be good to verify what happens when +read-tp-hard is not set, in case someone else cares to add soft tp support here in the future. (They may never, it's more so to highlight whether such a change would be intentional).

ARMSubtarget::isReadTPHard() should be able to help us differentiate this case.

nickdesaulniers: I agree. Let's add a test that this only works with the `-mattr=+read-tp-hard` llc flag or…
ardbAuthorUnsubmitted
Done
ReplyInline Actions

I agree. Let's add a test that this only works with the -mattr=+read-tp-hard llc flag or "target-features"="+read-tp-hard" function attribute (one or the other, I don't think we need to exhaustively test both). But it would be good to verify what happens when +read-tp-hard is not set, in case someone else cares to add soft tp support here in the future. (They may never, it's more so to highlight whether such a change would be intentional).

ARMSubtarget::isReadTPHard() should be able to help us differentiate this case.

I could not figure out how to check this at command line parsing time. If we check it later, we basically crash the compiler, right? Not very elegant ...

ardb: > I agree. Let's add a test that this only works with the `-mattr=+read-tp-hard` llc flag or…
}
const GlobalValue *GV = const GlobalValue *GV =
cast<GlobalValue>((*MI->memoperands_begin())->getValue()); cast<GlobalValue>((*MI->memoperands_begin())->getValue());
if (!Subtarget.useMovt() || Subtarget.isGVInGOT(GV)) { if (!Subtarget.useMovt() || Subtarget.isGVInGOT(GV)) {
if (TM.isPositionIndependent()) if (TM.isPositionIndependent())
expandLoadStackGuardBase(MI, ARM::LDRLIT_ga_pcrel, ARM::LDRi12); expandLoadStackGuardBase(MI, ARM::LDRLIT_ga_pcrel, ARM::LDRi12);
else else
Show All 33 Lines

llvm/lib/Target/ARM/Thumb1InstrInfo.cpp

Show First 20 LinesShow All 129 Lines▼ Show 20 Lines BuildMI(MBB, I, DL, get(ARM::tLDRspi), DestReg)
.add(predOps(ARMCC::AL)); .add(predOps(ARMCC::AL));
} }
} }
void Thumb1InstrInfo::expandLoadStackGuard( void Thumb1InstrInfo::expandLoadStackGuard(
MachineBasicBlock::iterator MI) const { MachineBasicBlock::iterator MI) const {
MachineFunction &MF = *MI->getParent()->getParent(); MachineFunction &MF = *MI->getParent()->getParent();
const TargetMachine &TM = MF.getTarget(); const TargetMachine &TM = MF.getTarget();
Module &M = *MF.getFunction().getParent();
assert(M.getStackProtectorGuard() != "tls" &&
"TLS stack protector not supported for Thumb1 targets");
if (TM.isPositionIndependent()) if (TM.isPositionIndependent())
expandLoadStackGuardBase(MI, ARM::tLDRLIT_ga_pcrel, ARM::tLDRi); expandLoadStackGuardBase(MI, ARM::tLDRLIT_ga_pcrel, ARM::tLDRi);
else else
expandLoadStackGuardBase(MI, ARM::tLDRLIT_ga_abs, ARM::tLDRi); expandLoadStackGuardBase(MI, ARM::tLDRLIT_ga_abs, ARM::tLDRi);
} }
bool Thumb1InstrInfo::canCopyGluedNodeDuringSchedule(SDNode *N) const { bool Thumb1InstrInfo::canCopyGluedNodeDuringSchedule(SDNode *N) const {
// In Thumb1 the scheduler may need to schedule a cross-copy between GPRS and CPSR // In Thumb1 the scheduler may need to schedule a cross-copy between GPRS and CPSR
Show All 10 Lines

llvm/lib/Target/ARM/Thumb2InstrInfo.cpp

Show First 20 LinesShow All 241 Lines▼ Show 20 Lines if (ARM::GPRPairRegClass.hasSubClassEq(RC)) {
if (Register::isPhysicalRegister(DestReg)) if (Register::isPhysicalRegister(DestReg))
MIB.addReg(DestReg, RegState::ImplicitDefine); MIB.addReg(DestReg, RegState::ImplicitDefine);
return; return;
} }
ARMBaseInstrInfo::loadRegFromStackSlot(MBB, I, DestReg, FI, RC, TRI); ARMBaseInstrInfo::loadRegFromStackSlot(MBB, I, DestReg, FI, RC, TRI);
} }
void Thumb2InstrInfo::expandLoadStackGuard( void Thumb2InstrInfo::expandLoadStackGuard(
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

what about Thumb1InstrInfo::expandLoadStackGuard? Do we have mrc available in Thumb[1] as well?

nickdesaulniers: what about `Thumb1InstrInfo::expandLoadStackGuard`? Do we have `mrc` available in Thumb[1] as…
ardbAuthorUnsubmitted
Done
ReplyInline Actions

No Thumb1 does not have an encoding for MRC so we can ignore it here. It does mean we should not allow this feature to be turned out for such targets.

ardb: No Thumb1 does not have an encoding for MRC so we can ignore it here. It does mean we should…
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

Let's add a test for such case.

nickdesaulniers: Let's add a test for such case.
ardbAuthorUnsubmitted
Done
ReplyInline Actions

Let's add a test for such case.

Same problem: I could not figure out how to decide early enough whether we are targetting Thumb1 or Thumb2/ARM

ardb: > Let's add a test for such case. Same problem: I could not figure out how to decide early…
MachineBasicBlock::iterator MI) const { MachineBasicBlock::iterator MI) const {
MachineFunction &MF = *MI->getParent()->getParent(); MachineFunction &MF = *MI->getParent()->getParent();
Module &M = *MF.getFunction().getParent();
if (M.getStackProtectorGuard() == "tls") {
expandLoadStackGuardBase(MI, ARM::t2MRC, ARM::t2LDRi12);
return;
}
const GlobalValue *GV = const GlobalValue *GV =
cast<GlobalValue>((*MI->memoperands_begin())->getValue()); cast<GlobalValue>((*MI->memoperands_begin())->getValue());
if (MF.getSubtarget<ARMSubtarget>().isGVInGOT(GV)) if (MF.getSubtarget<ARMSubtarget>().isGVInGOT(GV))
expandLoadStackGuardBase(MI, ARM::tLDRLIT_ga_pcrel, ARM::t2LDRi12); expandLoadStackGuardBase(MI, ARM::tLDRLIT_ga_pcrel, ARM::t2LDRi12);
else if (MF.getTarget().isPositionIndependent()) else if (MF.getTarget().isPositionIndependent())
expandLoadStackGuardBase(MI, ARM::t2MOV_ga_pcrel, ARM::t2LDRi12); expandLoadStackGuardBase(MI, ARM::t2MOV_ga_pcrel, ARM::t2LDRi12);
else else
▲ Show 20 LinesShow All 567 LinesShow Last 20 Lines

llvm/test/CodeGen/ARM/stack-guard-tls.ll

  • This file was added.
; RUN: split-file %s %t
; RUN: cat %t/main.ll %t/a.ll > %t/a2.ll
; RUN: cat %t/main.ll %t/b.ll > %t/b2.ll
; RUN: llc %t/a2.ll -mtriple=armv7-unknown-linux-gnueabihf -mattr=+read-tp-hard -o - | \
; RUN: FileCheck --check-prefixes=CHECK,CHECK-SMALL %s
; RUN: llc %t/a2.ll -mtriple=thumbv7-unknown-linux-gnueabihf -mattr=+read-tp-hard -o - | \
; RUN: FileCheck --check-prefixes=CHECK,CHECK-SMALL %s
; RUN: llc %t/b2.ll -mtriple=armv7-unknown-linux-gnueabihf -mattr=+read-tp-hard -o - | \
; RUN: FileCheck --check-prefixes=CHECK,CHECK-LARGE %s
; RUN: llc %t/b2.ll -mtriple=thumbv7-unknown-linux-gnueabihf -mattr=+read-tp-hard -o - | \
; RUN: FileCheck --check-prefixes=CHECK,CHECK-LARGE %s
nickdesaulniersUnsubmitted
Done
ReplyInline Actions

You can convert --check-prefix=CHECK --check-prefix=CHECK-SMALL to --check-prefixes=CHECK,CHECK-SMALL.

nickdesaulniers: You can convert `--check-prefix=CHECK --check-prefix=CHECK-SMALL` to `--check-prefixes=CHECK…
;--- main.ll
declare void @baz(i32*)
define void @foo(i64 %t) sspstrong {
%vla = alloca i32, i64 %t, align 4
call void @baz(i32* nonnull %vla)
ret void
}
!llvm.module.flags = !{!1, !2}
!1 = !{i32 2, !"stack-protector-guard", !"tls"}
;--- a.ll
!2 = !{i32 2, !"stack-protector-guard-offset", i32 1296}
;--- b.ll
!2 = !{i32 2, !"stack-protector-guard-offset", i32 4296}
; CHECK: mrc p15, #0, [[REG1:r[0-9]+]], c13, c0, #3
; CHECK-SMALL-NEXT: ldr{{(\.w)?}} [[REG1]], {{\[}}[[REG1]], #1296]
; CHECK-LARGE-NEXT: add{{(\.w)?}} [[REG1]], [[REG1]], #4096
; CHECK-LARGE-NEXT: ldr{{(\.w)?}} [[REG1]], {{\[}}[[REG1]], #200]
; CHECK: bl baz
; CHECK: mrc p15, #0, [[REG2:r[0-9]+]], c13, c0, #3
; CHECK-SMALL-NEXT: ldr{{(\.w)?}} [[REG2]], {{\[}}[[REG2]], #1296]
; CHECK-LARGE-NEXT: add{{(\.w)?}} [[REG2]], [[REG2]], #4096
; CHECK-LARGE-NEXT: ldr{{(\.w)?}} [[REG2]], {{\[}}[[REG2]], #200]