This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
libunwind/
-
src/
4/5
DwarfInstructions.hpp
-
test/
7/8
aarch64.ra_sign_state.pass.cpp

Differential D123692

[libunwind][AArch64] Add support for DWARF expression for RA_SIGN_STATE.
ClosedPublic

Authored by danielkiss on Apr 13 2022, 10:28 AM.

Download Raw Diff

Details

Reviewers

MaskRay
ldionne
mstorsjo

Group Reviewers

Restricted Project

Commits

rGc218fd3d7d37: [libunwind][AArch64] Add support for DWARF expression for RA_SIGN_STATE.
rGf6366ef7f4f3: [libunwind][AArch64] Add support for DWARF expression for RA_SIGN_STATE.

Summary

Program may set the RA_SIGN_STATE pseudo register by expressions.
Libunwind expected only the DW_CFA_AARCH64_negate_ra_state could change the value
of the register which leads to runtime errors on PAC enabled systems.
In the recent version of the aadwarf64[1] a limitation is added[2] to forbid the mixing the
DW_CFA_AARCH64_negate_ra_state with other DWARF Register Rule Instructions.

[1] https://github.com/ARM-software/abi-aa/releases/tag/2022Q1
[2] https://github.com/ARM-software/abi-aa/pull/129

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

danielkiss created this revision.Apr 13 2022, 10:28 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 13 2022, 10:28 AM

Herald added a subscriber: kristof.beyls. · View Herald Transcript

danielkiss requested review of this revision.Apr 13 2022, 10:28 AM

Harbormaster completed remote builds in B159475: Diff 422556.Apr 13 2022, 10:57 AM

danielkiss added reviewers: MaskRay, ldionne, mstorsjo.Apr 27 2022, 8:00 AM

Herald added a subscriber: StephenFan. · View Herald TranscriptApr 27 2022, 8:00 AM

ping?

I only have basic understanding of PAC, but I tried reading through and the implementation looks good.

libunwind/src/DwarfInstructions.hpp
177	Perhaps raSignState to stick with the variable naming convention.
179	I assume that both branches are tested.
libunwind/test/aarch64.ra_sign_state.pass.cpp
16	Prefer `()` for C++.
22	Reword the comment to describe what `foo` tests first.
23	dwarf => DWARF
25	Space after `//`
29	add sp, sp, 16 has an assumption that sp cannot be used as the CFA. I presume that this is always guaranteed because fp/lr are always stored together(?) and therefore fp is the CFA.
41	Test that .cfi_negate_ra_state emitted by the compiler can be handled.

This revision is now accepted and ready to land.May 4 2022, 10:52 AM

@MaskRay thanks so much.

libunwind/src/DwarfInstructions.hpp
179	correct, the test unwind a function with `".cfi_negate_ra_state"` and in this case the register location is 'unused'.
libunwind/test/aarch64.ra_sign_state.pass.cpp
29	"add sp, sp, 16\n" assumes only the stack alignment https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst#6221universal-stack-constraints. FP might not saved ( I'll change the restore line ) but the frame will be adjusted always by 16bytes.
41	unwinder will walk back to main therefore it will see the `.cfi_negate_ra_state` because it is enforced by `branch-protection=pac-ret` attribute.

Harbormaster completed remote builds in B162860: Diff 427241.May 5 2022, 7:22 AM

MaskRay accepted this revision.May 12 2022, 4:35 PM

This revision was landed with ongoing or failed builds.May 13 2022, 1:06 AM

Closed by commit rGf6366ef7f4f3: [libunwind][AArch64] Add support for DWARF expression for RA_SIGN_STATE. (authored by danielkiss). · Explain Why

This revision was automatically updated to reflect the committed changes.

danielkiss added a commit: rGf6366ef7f4f3: [libunwind][AArch64] Add support for DWARF expression for RA_SIGN_STATE..

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptMay 13 2022, 1:06 AM

Herald added subscribers: libcxx-commits, llvm-commits. · View Herald Transcript

Hi @danielkiss,

the FAIL: llvm-libunwind-static.cfg.in:: aarch64.ra_sign_state.pass.cpp test is getting failed on Linux Ubuntu/Aarch64 toolchain builders with the following output:

terminate called after throwing an instance of 'int'
terminate called recursively

here is more details: https://lab.llvm.org/buildbot/#/builders/119/builds/8501/steps/12/logs/FAIL__llvm-libunwind-static_cfg_in___aarch64_ra_si

https://lab.llvm.org/buildbot/#/builders/119/builds/8501

In D123692#3512996, @vvereschaka wrote:
Hi @danielkiss,

the FAIL: llvm-libunwind-static.cfg.in:: aarch64.ra_sign_state.pass.cpp test is getting failed on Linux Ubuntu/Aarch64 toolchain builders with the following output:
terminate called after throwing an instance of 'int'
terminate called recursively
here is more details: https://lab.llvm.org/buildbot/#/builders/119/builds/8501/steps/12/logs/FAIL__llvm-libunwind-static_cfg_in___aarch64_ra_si

https://lab.llvm.org/buildbot/#/builders/119/builds/8501

Sorry for that, reverted until I can reproduces it locally, I will do this this coming week.

danielkiss added a commit: rGc218fd3d7d37: [libunwind][AArch64] Add support for DWARF expression for RA_SIGN_STATE..May 18 2022, 9:02 AM

Mordante added a subscriber: Mordante.May 18 2022, 12:27 PM

Mordante added inline comments.

libunwind/src/DwarfInstructions.hpp

180

In the libc++ pre-commit CI I see some failures https://buildkite.com/llvm-project/libcxx-ci/builds/10887#fb4448a3-a3f7-4a0a-8997-ccbdfd1b35a3

/home/tcwg-buildbot/worker/linaro-aarch64-libcxx-01/llvm-project/libcxx-ci/libunwind/src/DwarfInstructions.hpp:180:26: error: implicit conversion changes signedness: 'int64_t' (aka 'long') to 'libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_arm64>::pint_t' (aka 'unsigned long') [-Werror,-Wsign-conversion]
    raSignState = regloc.value;

I didn't verify this patch caused it, but it seems very likely to me.

danielkiss marked an inline comment as done.May 19 2022, 12:44 AM

danielkiss added inline comments.

libunwind/src/DwarfInstructions.hpp
180	Yes, it did. Revert reverted this too, so it is relanded. https://github.com/llvm/llvm-project/commit/6716e2055ddeac304f47adc5ae39086381016ba7

c218fd3d7d3764eb123c8429bbcd33bacfe2e633 added libcxxabi/test/native/AArch64/ra_sign_state.pass.cpp -- was that intended, or should it have been added to libunwind/test/[...]? It also started failing in the CI in the -fno-exceptions configuration -- I think it is just missing a XFAIL so I'll add it, but please investigate whether the file needs to be moved (I think it does). If so, please make sure to open a code review for that change since it will cause our pre-commit CI to run, and please don't commit the change until it is green :-).

In D123692#3527595, @ldionne wrote:

c218fd3d7d3764eb123c8429bbcd33bacfe2e633 added libcxxabi/test/native/AArch64/ra_sign_state.pass.cpp -- was that intended, or should it have been added to libunwind/test/[...]? It also started failing in the CI in the -fno-exceptions configuration -- I think it is just missing a XFAIL so I'll add it, but please investigate whether the file needs to be moved (I think it does).

Tests in libunwind can't depend on libcxx (failed in llvm-libunwind-static.cfg.in) so the test is moved to libcxxabi, because test test case needs exception. (simple backtrace won't trigger the problem)

If so, please make sure to open a code review for that change since it will cause our pre-commit CI to run, and please don't commit the change until it is green :-).

Sure will do.

Revision Contents

Path

Size

libunwind/

src/

DwarfInstructions.hpp

21 lines

test/

aarch64.ra_sign_state.pass.cpp

63 lines

Diff 429158

libunwind/src/DwarfInstructions.hpp

Show First 20 Lines • Show All 66 Lines • ▼ Show 20 Lines	if (prolog.cfaRegister != 0)
return (pint_t)((sint_t)registers.getRegister((int)prolog.cfaRegister) +		return (pint_t)((sint_t)registers.getRegister((int)prolog.cfaRegister) +
prolog.cfaRegisterOffset);		prolog.cfaRegisterOffset);
if (prolog.cfaExpression != 0)		if (prolog.cfaExpression != 0)
return evaluateExpression((pint_t)prolog.cfaExpression, addressSpace,		return evaluateExpression((pint_t)prolog.cfaExpression, addressSpace,
registers, 0);		registers, 0);
assert(0 && "getCFA(): unknown location");		assert(0 && "getCFA(): unknown location");
__builtin_unreachable();		__builtin_unreachable();
}		}
		#if defined(_LIBUNWIND_TARGET_AARCH64)
		static bool getRA_SIGN_STATE(A &addressSpace, R registers, pint_t cfa,
		PrologInfo &prolog);
		#endif
};		};

template <typename R>		template <typename R>
auto getSparcWCookie(const R &r, int) -> decltype(r.getWCookie()) {		auto getSparcWCookie(const R &r, int) -> decltype(r.getWCookie()) {
return r.getWCookie();		return r.getWCookie();
}		}
template <typename R> uint64_t getSparcWCookie(const R &, long) {		template <typename R> uint64_t getSparcWCookie(const R &, long) {
return 0;		return 0;
▲ Show 20 Lines • Show All 78 Lines • ▼ Show 20 Lines	v128 DwarfInstructions<A, R>::getSavedVectorRegister(
case CFI_Parser<A>::kRegisterOffsetFromCFA:		case CFI_Parser<A>::kRegisterOffsetFromCFA:
case CFI_Parser<A>::kRegisterInRegister:		case CFI_Parser<A>::kRegisterInRegister:
case CFI_Parser<A>::kRegisterInCFADecrypt:		case CFI_Parser<A>::kRegisterInCFADecrypt:
// FIX ME		// FIX ME
break;		break;
}		}
_LIBUNWIND_ABORT("unsupported restore location for vector register");		_LIBUNWIND_ABORT("unsupported restore location for vector register");
}		}
		#if defined(_LIBUNWIND_TARGET_AARCH64)
		template <typename A, typename R>
		bool DwarfInstructions<A, R>::getRA_SIGN_STATE(A &addressSpace, R registers,
		pint_t cfa, PrologInfo &prolog) {
		pint_t raSignState;
		MaskRayUnsubmitted Done Reply Inline Actions Perhaps raSignState to stick with the variable naming convention. MaskRay: Perhaps raSignState to stick with the variable naming convention.
		auto regloc = prolog.savedRegisters[UNW_AARCH64_RA_SIGN_STATE];
		if (regloc.location == CFI_Parser<A>::kRegisterUnused)
		MaskRayUnsubmitted Not Done Reply Inline Actions I assume that both branches are tested. MaskRay: I assume that both branches are tested.
		danielkissAuthorUnsubmitted Done Reply Inline Actions correct, the test unwind a function with `".cfi_negate_ra_state"` and in this case the register location is 'unused'. danielkiss: correct, the test unwind a function with `".cfi_negate_ra_state"` and in this case the…
		raSignState = regloc.value;
		MordanteUnsubmitted Done Reply Inline Actions In the libc++ pre-commit CI I see some failures https://buildkite.com/llvm-project/libcxx-ci/builds/10887#fb4448a3-a3f7-4a0a-8997-ccbdfd1b35a3 /home/tcwg-buildbot/worker/linaro-aarch64-libcxx-01/llvm-project/libcxx-ci/libunwind/src/DwarfInstructions.hpp:180:26: error: implicit conversion changes signedness: 'int64_t' (aka 'long') to 'libunwind::DwarfInstructions<libunwind::LocalAddressSpace, libunwind::Registers_arm64>::pint_t' (aka 'unsigned long') [-Werror,-Wsign-conversion] raSignState = regloc.value; I didn't verify this patch caused it, but it seems very likely to me. Mordante: In the libc++ pre-commit CI I see some failures https://buildkite.com/llvm-project/libcxx…
		danielkissAuthorUnsubmitted Done Reply Inline Actions Yes, it did. Revert reverted this too, so it is relanded. https://github.com/llvm/llvm-project/commit/6716e2055ddeac304f47adc5ae39086381016ba7 danielkiss: Yes, it did. Revert reverted this too, so it is relanded. https://github.com/llvm/llvm…
		else
		raSignState = getSavedRegister(addressSpace, registers, cfa, regloc);

		// Only bit[0] is meaningful.
		return raSignState & 0x01;
		}
		#endif

template <typename A, typename R>		template <typename A, typename R>
int DwarfInstructions<A, R>::stepWithDwarf(A &addressSpace, pint_t pc,		int DwarfInstructions<A, R>::stepWithDwarf(A &addressSpace, pint_t pc,
pint_t fdeStart, R &registers,		pint_t fdeStart, R &registers,
bool &isSignalFrame) {		bool &isSignalFrame) {
FDE_Info fdeInfo;		FDE_Info fdeInfo;
CIE_Info cieInfo;		CIE_Info cieInfo;
if (CFI_Parser<A>::decodeFDE(addressSpace, fdeStart, &fdeInfo,		if (CFI_Parser<A>::decodeFDE(addressSpace, fdeStart, &fdeInfo,
▲ Show 20 Lines • Show All 53 Lines • ▼ Show 20 Lines

#if defined(_LIBUNWIND_TARGET_AARCH64)		#if defined(_LIBUNWIND_TARGET_AARCH64)
// If the target is aarch64 then the return address may have been signed		// If the target is aarch64 then the return address may have been signed
// using the v8.3 pointer authentication extensions. The original		// using the v8.3 pointer authentication extensions. The original
// return address needs to be authenticated before the return address is		// return address needs to be authenticated before the return address is
// restored. autia1716 is used instead of autia as autia1716 assembles		// restored. autia1716 is used instead of autia as autia1716 assembles
// to a NOP on pre-v8.3a architectures.		// to a NOP on pre-v8.3a architectures.
if ((R::getArch() == REGISTERS_ARM64) &&		if ((R::getArch() == REGISTERS_ARM64) &&
prolog.savedRegisters[UNW_AARCH64_RA_SIGN_STATE].value &&		getRA_SIGN_STATE(addressSpace, registers, cfa, prolog) &&
returnAddress != 0) {		returnAddress != 0) {
#if !defined(_LIBUNWIND_IS_NATIVE_ONLY)		#if !defined(_LIBUNWIND_IS_NATIVE_ONLY)
return UNW_ECROSSRASIGNING;		return UNW_ECROSSRASIGNING;
#else		#else
register unsigned long long x17 __asm("x17") = returnAddress;		register unsigned long long x17 __asm("x17") = returnAddress;
register unsigned long long x16 __asm("x16") = cfa;		register unsigned long long x16 __asm("x16") = cfa;

// These are the autia1716/autib1716 instructions. The hint instructions		// These are the autia1716/autib1716 instructions. The hint instructions
▲ Show 20 Lines • Show All 625 Lines • Show Last 20 Lines

libunwind/test/aarch64.ra_sign_state.pass.cpp

This file was added.

				// -- C++ --
				//===----------------------------------------------------------------------===//
				//
				// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
				// See https://llvm.org/LICENSE.txt for license information.
				// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
				//
				//===----------------------------------------------------------------------===//

				// REQUIRES: linux && target={{aarch64-.+}}

				// This test ensures the .cfi_negate_ra_state the RA_SIGN_STATE pseudo register
				// could be set directly set by a DWARF expression and the unwinder handles it
				// correctly. The two directives can't be mixed in one CIE/FDE sqeuence.

				#include <stdlib.h>
				MaskRayUnsubmitted Done Reply Inline Actions Prefer `()` for C++. MaskRay: Prefer `()` for C++.

				__attribute__((noinline, target("branch-protection=pac-ret+leaf")))
				void bar() {
				// ".cfi_negate_ra_state" is emitted by the compiler.
				throw 1;
				}
				MaskRayUnsubmitted Done Reply Inline Actions Reword the comment to describe what `foo` tests first. MaskRay: Reword the comment to describe what `foo` tests first.

				MaskRayUnsubmitted Done Reply Inline Actions dwarf => DWARF MaskRay: dwarf => DWARF
				__attribute__((noinline, target("branch-protection=none")))
				void foo() {
				MaskRayUnsubmitted Done Reply Inline Actions Space after `//` MaskRay: Space after `//`
				// Here a DWARF expression sets RA_SIGN_STATE.
				// The LR is signed manually and stored on the stack.
				asm volatile(
				".cfi_escape 0x16," // DW_CFA_val_expression
				MaskRayUnsubmitted Not Done Reply Inline Actions add sp, sp, 16 has an assumption that sp cannot be used as the CFA. I presume that this is always guaranteed because fp/lr are always stored together(?) and therefore fp is the CFA. MaskRay: add sp, sp, 16 has an assumption that sp cannot be used as the CFA. I presume that this is…
				danielkissAuthorUnsubmitted Done Reply Inline Actions "add sp, sp, 16\n" assumes only the stack alignment https://github.com/ARM-software/abi-aa/blob/main/aapcs64/aapcs64.rst#6221universal-stack-constraints. FP might not saved ( I'll change the restore line ) but the frame will be adjusted always by 16bytes. danielkiss: "add sp, sp, 16\n" assumes only the stack alignment https://github.com/ARM-software/abi…
				"34," // REG_34(RA_SIGN_STATE)
				"1," // expression_length(1)
				"0x31\n" // DW_OP_lit1
				"add sp, sp, 16\n" // Restore SP's value before the stack frame is
				// created.
				"paciasp\n" // Sign the LR.
				"str lr, [sp, -0x8]\n" // Overwrite LR on the stack.
				"sub sp, sp, 16\n" // Restore SP's value.
				);
				bar();
				_Exit(-1);
				}
				MaskRayUnsubmitted Done Reply Inline Actions Test that .cfi_negate_ra_state emitted by the compiler can be handled. MaskRay: Test that .cfi_negate_ra_state emitted by the compiler can be handled.
				danielkissAuthorUnsubmitted Done Reply Inline Actions unwinder will walk back to main therefore it will see the `.cfi_negate_ra_state` because it is enforced by `branch-protection=pac-ret` attribute. danielkiss: unwinder will walk back to main therefore it will see the `.cfi_negate_ra_state` because it is…

				__attribute__((noinline, target("branch-protection=pac-ret")))
				void bazz() {
				// ".cfi_negate_ra_state" is emitted by the compiler.
				try {
				foo();
				} catch (int i) {
				if (i == 1)
				throw i;
				throw 2;
				}
				}

				int main() {
				try {
				bazz();
				} catch (int i) {
				if (i == 1)
				_Exit(0);
				}
				return -1;
				}

This is an archive of the discontinued LLVM Phabricator instance.

[libunwind][AArch64] Add support for DWARF expression for RA_SIGN_STATE.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 429158

libunwind/src/DwarfInstructions.hpp

libunwind/test/aarch64.ra_sign_state.pass.cpp

[libunwind][AArch64] Add support for DWARF expression for RA_SIGN_STATE.
ClosedPublic