This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/
-
lib/MC/
-
MC/
4
MCWin64EH.cpp
-
test/MC/AArch64/
-
MC/
-
AArch64/
1
seh-packed-unwind.s

Differential D125433

[ARM64][SEH] PR54879: Packed Unwind Info when Homing Int Param Regs
AbandonedPublic

Authored by zzheng on May 11 2022, 4:54 PM.

Download Raw Diff

Details

Reviewers

apazos
efriedma
steplong
mstorsjo

Summary

Try to fix: https://github.com/llvm/llvm-project/issues/54879

When checking if the epilogue is symmetric to or a subset of the prologue,
unwinding NOP should be skipped.

Diff Detail

Repository: rG LLVM Github Monorepo

Unit TestsFailed

	Time	Test
	60,040 ms	x64 debian > ThreadSanitizer-x86_64.ThreadSanitizer-x86_64::restore_stack.cpp
	60,050 ms	x64 debian > libFuzzer.libFuzzer::fuzzer-leak.test

Event Timeline

zzheng created this revision.May 11 2022, 4:54 PM

Herald added a project: Restricted Project. · View Herald TranscriptMay 11 2022, 4:54 PM

Herald added subscribers: hiraditya, kristof.beyls. · View Herald Transcript

zzheng requested review of this revision.May 11 2022, 4:54 PM

Herald added a project: Restricted Project. · View Herald TranscriptMay 11 2022, 4:54 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

apazos added inline comments.May 11 2022, 5:25 PM

llvm/lib/MC/MCWin64EH.cpp
652	Can you add a comment for checking the number of nops is 4, to be clear the pattern you are looking for

efriedma added inline comments.May 11 2022, 6:27 PM

llvm/lib/MC/MCWin64EH.cpp
640	We also use checkPackedEpilog() for to compute the epilogue offset in xdata records; we can't mess with the result for the sake of analyzing packed unwind. If you need a different analysis, please split it into a separate function, or use a flag. (Probably easier to understand if you split it into a separate function?)
855	Could use a comment explaining where "5" here comes from. I think if H == 1, we need to reject PackedEpilogOffset == 0 and PackedEpilogOffset == 1. If the unwinder sees packed unwind, it will assume the epilogue doesn't contain any nops. So if the epilogue does in fact contain nops for some reason, the stack offsets will get messed up.

Harbormaster completed remote builds in B164015: Diff 428818.May 11 2022, 8:14 PM

mstorsjo added inline comments.May 12 2022, 4:28 AM

llvm/lib/MC/MCWin64EH.cpp
640	+1, indeed. If we should tolerate a differing epilogue for the case of packed unwind info, we need a separate function to determine if an epilogue matches a prologue, for a specific packed form. Otherwise, we'd end up trying to share epilogues with prologues (for the non-packed format) where they actually don't match. However, I'd like to take this whole issue back to the drawing board first; let me follow up on the bug report, to first exactly nail the expected behaviour.
llvm/test/MC/AArch64/seh-packed-unwind.s
509	If we would proceed with this patch, then we must also change the behaviour for the existing testcase for `func5`. For a specific packed form of unwind data, there can't be any ambiguity whether an epilog contains nops or not - we can't allow both cases. Let me follow up on the original bug report on that topic.

As discussed in https://github.com/llvm/llvm-project/issues/54879, we decide not to pack unwind info when homing int param regs.
See: https://reviews.llvm.org/D125876

Revision Contents

Path

Size

llvm/

lib/

MC/

MCWin64EH.cpp

72 lines

test/

MC/

AArch64/

seh-packed-unwind.s

104 lines

Diff 428818

llvm/lib/MC/MCWin64EH.cpp

Show First 20 Lines • Show All 607 Lines • ▼ Show 20 Lines
}		}

static int checkPackedEpilog(MCStreamer &streamer, WinEH::FrameInfo *info,		static int checkPackedEpilog(MCStreamer &streamer, WinEH::FrameInfo *info,
int PrologCodeBytes) {		int PrologCodeBytes) {
// Can only pack if there's one single epilog		// Can only pack if there's one single epilog
if (info->EpilogMap.size() != 1)		if (info->EpilogMap.size() != 1)
return -1;		return -1;

		const std::vector<WinEH::Instruction> &Prolog = info->Instructions;
const std::vector<WinEH::Instruction> &Epilog =		const std::vector<WinEH::Instruction> &Epilog =
info->EpilogMap.begin()->second;		info->EpilogMap.begin()->second;

// Can pack if the epilog is a subset of the prolog but not vice versa		// Can pack if the epilog is a subset of the prolog but not vice versa
if (Epilog.size() > info->Instructions.size())		if (Epilog.size() > Prolog.size())
return -1;		return -1;

// Check that the epilog actually is a perfect match for the end (backwrds)		// Check that the epilog actually matches the prolog with nops skipped
// of the prolog.		// in both.
for (int I = Epilog.size() - 1; I >= 0; I--) {		unsigned PNops = 0, ENops = 0;
if (info->Instructions[I] != Epilog[Epilog.size() - 1 - I])		for (int EI = Epilog.size() - 1, PI = 0; EI >= 0; ) {
		assert(PI < Prolog.size() && "Prolog overflow!");
		// Unwinding ops in prolog and epilog match.
		if (Prolog[PI] == Epilog[EI]) {
		PI++; EI--;
		continue;
		}
		// Skip UOP_Nops in either prolog or epilog.
		if (Prolog[PI].Operation == Win64EH::UOP_Nop) {
		PNops++; PI++; continue;
		}
		if (Epilog[EI].Operation == Win64EH::UOP_Nop) {
		ENops++; EI--; continue;
		}
		efriedmaUnsubmitted Not Done Reply Inline Actions We also use checkPackedEpilog() for to compute the epilogue offset in xdata records; we can't mess with the result for the sake of analyzing packed unwind. If you need a different analysis, please split it into a separate function, or use a flag. (Probably easier to understand if you split it into a separate function?) efriedma: We also use checkPackedEpilog() for to compute the epilogue offset in xdata records; we can't…
		mstorsjoUnsubmitted Not Done Reply Inline Actions +1, indeed. If we should tolerate a differing epilogue for the case of packed unwind info, we need a separate function to determine if an epilogue matches a prologue, for a specific packed form. Otherwise, we'd end up trying to share epilogues with prologues (for the non-packed format) where they actually don't match. However, I'd like to take this whole issue back to the drawing board first; let me follow up on the bug report, to first exactly nail the expected behaviour. mstorsjo: +1, indeed. If we should tolerate a differing epilogue for the case of packed unwind info, we…
		// If we reach here, we find unmatching ops that are NOT UOP_Nop.
return -1;		return -1;
}		}

// Check that the epilog actually is at the very end of the function,		// Check that the epilog actually is at the very end of the function,
// otherwise it can't be packed.		// otherwise it can't be packed.
uint32_t DistanceFromEnd = (uint32_t)GetAbsDifference(		uint32_t DistanceFromEnd = (uint32_t)GetAbsDifference(
streamer, info->FuncletOrFuncEnd, info->EpilogMap.begin()->first);		streamer, info->FuncletOrFuncEnd, info->EpilogMap.begin()->first);
if (DistanceFromEnd / 4 != Epilog.size())		if (DistanceFromEnd / 4 != Epilog.size())
return -1;		return -1;

int Offset = Epilog.size() == info->Instructions.size()		int PH = PNops == 4, EH = ENops == 4;
		apazosUnsubmitted Not Done Reply Inline Actions Can you add a comment for checking the number of nops is 4, to be clear the pattern you are looking for apazos: Can you add a comment for checking the number of nops is 4, to be clear the pattern you are…
		int Offset = (Epilog.size() - (EH * 4)) == (Prolog.size() - (PH * 4))
? 0		? 0
: ARM64CountOfUnwindCodes(ArrayRef<WinEH::Instruction>(		: ARM64CountOfUnwindCodes(ArrayRef<WinEH::Instruction>(
&info->Instructions[Epilog.size()],		&Prolog[0], Prolog.size())) -
info->Instructions.size() - Epilog.size()));		ARM64CountOfUnwindCodes(ArrayRef<WinEH::Instruction>(
		&Epilog[0], Epilog.size()));
// Check that the offset and prolog size fits in the first word; it's		// Check that the offset and prolog size fits in the first word; it's
// unclear whether the epilog count in the extension word can be taken		// unclear whether the epilog count in the extension word can be taken
// as packed epilog offset.		// as packed epilog offset.
if (Offset > 31 \|\| PrologCodeBytes > 124)		if (Offset > 31 \|\| PrologCodeBytes > 124)
return -1;		return -1;

info->EpilogMap.clear();		info->EpilogMap.clear();
return Offset;		return Offset;
}		}

static bool tryPackedUnwind(WinEH::FrameInfo *info, uint32_t FuncLength,		static bool tryPackedUnwind(WinEH::FrameInfo *info, uint32_t FuncLength,
int PackedEpilogOffset) {		int PackedEpilogOffset) {
if (PackedEpilogOffset == 0) {
// Fully symmetric prolog and epilog, should be ok for packed format.
// For CR=3, the corresponding synthesized epilog actually lacks the
// SetFP opcode, but unwinding should work just fine despite that
// (if at the SetFP opcode, the unwinder considers it as part of the
// function body and just unwinds the full prolog instead).
} else if (PackedEpilogOffset == 1) {
// One single case of differences between prolog and epilog is allowed:
// The epilog can lack a single SetFP that is the last opcode in the
// prolog, for the CR=3 case.
if (info->Instructions.back().Operation != Win64EH::UOP_SetFP)
return false;
} else {
// Too much difference between prolog and epilog.
return false;
}
unsigned RegI = 0, RegF = 0;		unsigned RegI = 0, RegF = 0;
int Predecrement = 0;		int Predecrement = 0;
enum {		enum {
Start,		Start,
Start2,		Start2,
IntRegs,		IntRegs,
FloatRegs,		FloatRegs,
InputArgs,		InputArgs,
▲ Show 20 Lines • Show All 159 Lines • ▼ Show 20 Lines	if (RegI > 10 \|\| RegF > 8)
return false;		return false;
if (StandaloneLR && FPLRPair)		if (StandaloneLR && FPLRPair)
return false;		return false;
if (FPLRPair && Location != End)		if (FPLRPair && Location != End)
return false;		return false;
if (Nops != 0 && Nops != 4)		if (Nops != 0 && Nops != 4)
return false;		return false;
int H = Nops == 4;		int H = Nops == 4;

		if (PackedEpilogOffset == 0) {
		// Fully symmetric prolog and epilog, should be ok for packed format.
		// For CR=3, the corresponding synthesized epilog actually lacks the
		// SetFP opcode, but unwinding should work just fine despite that
		// (if at the SetFP opcode, the unwinder considers it as part of the
		// function body and just unwinds the full prolog instead).
		} else if ((PackedEpilogOffset == 1) \|\|
		// Homing int param regs
		(PackedEpilogOffset == 5 && H == 1)) {
		efriedmaUnsubmitted Not Done Reply Inline Actions Could use a comment explaining where "5" here comes from. I think if H == 1, we need to reject PackedEpilogOffset == 0 and PackedEpilogOffset == 1. If the unwinder sees packed unwind, it will assume the epilogue doesn't contain any nops. So if the epilogue does in fact contain nops for some reason, the stack offsets will get messed up. efriedma: Could use a comment explaining where "5" here comes from. I think if H == 1, we need to reject…
		// One single case of differences between prolog and epilog is allowed:
		// The epilog can lack a single SetFP that is the last opcode in the
		// prolog, for the CR=3 case.
		if (info->Instructions.back().Operation != Win64EH::UOP_SetFP)
		return false;
		} else {
		// Too much difference between prolog and epilog.
		return false;
		}

int IntSZ = 8 * RegI;		int IntSZ = 8 * RegI;
if (StandaloneLR)		if (StandaloneLR)
IntSZ += 8;		IntSZ += 8;
int FpSZ = 8 * RegF; // RegF not yet decremented		int FpSZ = 8 * RegF; // RegF not yet decremented
int SavSZ = (IntSZ + FpSZ + 8 * 8 * H + 0xF) & ~0xF;		int SavSZ = (IntSZ + FpSZ + 8 * 8 * H + 0xF) & ~0xF;
if (Predecrement != SavSZ)		if (Predecrement != SavSZ)
return false;		return false;
if (FPLRPair && StackOffset < 16)		if (FPLRPair && StackOffset < 16)
▲ Show 20 Lines • Show All 275 Lines • Show Last 20 Lines

llvm/test/MC/AArch64/seh-packed-unwind.s

Show First 20 Lines • Show All 94 Lines • ▼ Show 20 Lines
// CHECK-NEXT: stp x4, x5, [sp, #40]		// CHECK-NEXT: stp x4, x5, [sp, #40]
// CHECK-NEXT: stp x2, x3, [sp, #24]		// CHECK-NEXT: stp x2, x3, [sp, #24]
// CHECK-NEXT: stp x0, x1, [sp, #8]		// CHECK-NEXT: stp x0, x1, [sp, #8]
// CHECK-NEXT: str x19, [sp, #-80]!		// CHECK-NEXT: str x19, [sp, #-80]!
// CHECK-NEXT: end		// CHECK-NEXT: end
// CHECK-NEXT: ]		// CHECK-NEXT: ]
// CHECK-NEXT: }		// CHECK-NEXT: }
// CHECK-NEXT: RuntimeFunction {		// CHECK-NEXT: RuntimeFunction {
		// CHECK-NEXT: Function: func5b
		// CHECK-NEXT: Fragment: No
		// CHECK-NEXT: FunctionLength: 40
		// CHECK-NEXT: RegF: 0
		// CHECK-NEXT: RegI: 1
		// CHECK-NEXT: HomedParameters: Yes
		// CHECK-NEXT: CR: 0
		// CHECK-NEXT: FrameSize: 112
		// CHECK-NEXT: Prologue [
		// CHECK-NEXT: sub sp, sp, #32
		// CHECK-NEXT: stp x6, x7, [sp, #56]
		// CHECK-NEXT: stp x4, x5, [sp, #40]
		// CHECK-NEXT: stp x2, x3, [sp, #24]
		// CHECK-NEXT: stp x0, x1, [sp, #8]
		// CHECK-NEXT: str x19, [sp, #-80]!
		// CHECK-NEXT: end
		// CHECK-NEXT: ]
		// CHECK-NEXT: }
		// CHECK-NEXT: RuntimeFunction {
		// CHECK-NEXT: Function: func5c
		// CHECK-NEXT: Fragment: No
		// CHECK-NEXT: FunctionLength: 60
		// CHECK-NEXT: RegF: 0
		// CHECK-NEXT: RegI: 2
		// CHECK-NEXT: HomedParameters: Yes
		// CHECK-NEXT: CR: 3
		// CHECK-NEXT: FrameSize: 96
		// CHECK-NEXT: Prologue [
		// CHECK-NEXT: mov x29, sp
		// CHECK-NEXT: stp x29, lr, [sp, #-16]!
		// CHECK-NEXT: stp x6, x7, [sp, #64]
		// CHECK-NEXT: stp x4, x5, [sp, #48]
		// CHECK-NEXT: stp x2, x3, [sp, #32]
		// CHECK-NEXT: stp x0, x1, [sp, #16]
		// CHECK-NEXT: stp x19, x20, [sp, #-80]!
		// CHECK-NEXT: end
		// CHECK-NEXT: ]
		// CHECK-NEXT: }
		// CHECK-NEXT: RuntimeFunction {
// CHECK-NEXT: Function: func6		// CHECK-NEXT: Function: func6
// CHECK-NEXT: Fragment: No		// CHECK-NEXT: Fragment: No
// CHECK-NEXT: FunctionLength: 24		// CHECK-NEXT: FunctionLength: 24
// CHECK-NEXT: RegF: 0		// CHECK-NEXT: RegF: 0
// CHECK-NEXT: RegI: 0		// CHECK-NEXT: RegI: 0
// CHECK-NEXT: HomedParameters: No		// CHECK-NEXT: HomedParameters: No
// CHECK-NEXT: CR: 1		// CHECK-NEXT: CR: 1
// CHECK-NEXT: FrameSize: 32		// CHECK-NEXT: FrameSize: 32
▲ Show 20 Lines • Show All 351 Lines • ▼ Show 20 Lines	func5:
.seh_stackalloc 32		.seh_stackalloc 32
nop		nop
.seh_nop		.seh_nop
nop		nop
.seh_nop		.seh_nop
nop		nop
.seh_nop		.seh_nop
nop		nop
.seh_nop		.seh_nop
		mstorsjoUnsubmitted Not Done Reply Inline Actions If we would proceed with this patch, then we must also change the behaviour for the existing testcase for `func5`. For a specific packed form of unwind data, there can't be any ambiguity whether an epilog contains nops or not - we can't allow both cases. Let me follow up on the original bug report on that topic. mstorsjo: If we would proceed with this patch, then we must also change the behaviour for the existing…
ldr x19, [sp], #80		ldr x19, [sp], #80
.seh_save_reg_x x19, 80		.seh_save_reg_x x19, 80
.seh_endepilogue		.seh_endepilogue
ret		ret
.seh_endproc		.seh_endproc

		// [PRi54879]: homing int param regs, but no nops in epilog
		func5b:
		.seh_proc func5b
		str x19, [sp, #-80]!
		.seh_save_reg_x x19, 80
		stp x0, x1, [sp, #8]
		.seh_nop
		stp x2, x3, [sp, #24]
		.seh_nop
		stp x4, x5, [sp, #40]
		.seh_nop
		stp x6, x7, [sp, #56]
		.seh_nop
		sub sp, sp, #32
		.seh_stackalloc 32
		.seh_endprologue
		nop
		.seh_startepilogue
		add sp, sp, #32
		.seh_stackalloc 32
		ldr x19, [sp], #80
		.seh_save_reg_x x19, 80
		.seh_endepilogue
		ret
		.seh_endproc

		// [PRi54879]: homing int param regs, nops in epilog, only difference between
		// prolog and epilog is set_fp
		func5c:
		.seh_proc func5c
		stp x19, x20,[sp,#-0x50]!
		.seh_save_regp_x x19, 0x50
		stp x0, x1, [sp, #0x10]
		.seh_nop
		stp x2, x3, [sp, #0x20]
		.seh_nop
		stp x4, x5, [sp, #0x30]
		.seh_nop
		stp x6, x7, [sp, #0x40]
		.seh_nop
		stp fp, lr, [sp, #-0x10]!
		.seh_save_fplr_x 0x10
		mov fp, sp
		.seh_set_fp
		.seh_endprologue
		//return success
		mov w0, wzr
		.seh_startepilogue
		ldp fp, lr, [sp], #0x10
		.seh_save_fplr_x 0x10
		nop
		.seh_nop
		nop
		.seh_nop
		nop
		.seh_nop
		nop
		.seh_nop
		ldp x19, x20, [sp], #0x50
		.seh_save_regp_x x19, 0x50
		.seh_endepilogue
		ret
		.seh_endfunclet
		.seh_endproc

func6:		func6:
.seh_proc func6		.seh_proc func6
str lr, [sp, #-16]!		str lr, [sp, #-16]!
.seh_save_reg_x lr, 16		.seh_save_reg_x lr, 16
sub sp, sp, #16		sub sp, sp, #16
.seh_stackalloc 16		.seh_stackalloc 16
.seh_endprologue		.seh_endprologue
nop		nop
▲ Show 20 Lines • Show All 463 Lines • Show Last 20 Lines