This is an archive of the discontinued LLVM Phabricator instance.

Differential D129016

[PowerPC] implemented @llvm.ppc.kill.canary to corrupt stack guard
AcceptedPublic

Authored by pscoro on Jul 1 2022, 2:30 PM.

Details

Reviewers
shchenz
rzurob
nemanjai
Group Reviewers
Restricted Project
Summary

If stack protection is enabled, the @llvm.ppc.kill.canary() intrinsic will load the stack guard canary word, corrupt it, and store it back. This feature exists for debugging/testing stack protection.

Diff Detail

Unit TestsFailed

TimeTest
60,090 msx64 debian > AddressSanitizer-x86_64-linux-dynamic.TestCases::scariness_score_test.cpp
60,140 msx64 debian > AddressSanitizer-x86_64-linux.TestCases::scariness_score_test.cpp

Event Timeline

pscoro created this revision.Jul 1 2022, 2:30 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 1 2022, 2:30 PM
Herald added subscribers: shchenz, kbarton, hiraditya, nemanjai. · View Herald Transcript
pscoro requested review of this revision.Jul 1 2022, 2:30 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJul 1 2022, 2:30 PM
Herald added subscribers: llvm-commits, cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B173310: Diff 441787.Jul 1 2022, 2:30 PM
pscoro edited the summary of this revision. (Show Details)Jul 1 2022, 2:33 PM
pscoro added reviewers: shchenz, rzurob.
pscoro added a comment.Jul 1 2022, 2:35 PM

Sorry about making a separate review for this again, I encountered some troubles with git and decided that moving my code to a fresh branch would be quicker than figuring out how to fix the problem, the previous review will be abandoned.

pscoro added inline comments.Jul 1 2022, 2:42 PM
llvm/lib/Target/PowerPC/PPCISelLowering.cpp
10718

To address a comment on the previous review, I fixed the XOR to do what I intended. When you XOR bits against 1, you are guaranteed to not return the same bit because of exclusivity. Therefore XORing the canary word against 0xFFFFFFFF (0b1111...111) guarantees that the corrupted canary word is never the same as the original

10725

Addressing a comment from the previous review, GV != nullptr can not be an assert because linux implements stack guard loading differently than aix. This review now also supports linux as well

pscoro added a reviewer: nemanjai.Jul 1 2022, 2:43 PM
pscoro updated this revision to Diff 441793.Jul 1 2022, 3:08 PM

Combined aix and linux IR lit tests into a single file

Harbormaster completed remote builds in B173315: Diff 441793.Jul 1 2022, 3:09 PM
Kai added a subscriber: Kai.Jul 5 2022, 6:55 AM

Did you consider to make this more generalized? From skimming through the change, I see only 2 ppc-specific things:

  • Loading of the canary word
  • Value of XORWord

The first bullet is solved by the the other inline comment I made.
The second bullet can be solved by using all 64 bits. If a 32 bit value is used, the upper bits are ignored because the VT should be MVT::i32 in this case.

llvm/lib/Target/PowerPC/PPCISelLowering.cpp
10722–10724

I think this can be simplified using getSDagStackGuard().

10725

You can simplify the code by reordering the conditions:

if (useLoadStackGuardNode()) {
  // LOAD_STACK_GUARD
} else if (Value *GV = getSDagStackGuard(M)) {
  // AIX implementation
} else
  llvm_unreachable("Unhandled stack guard case");
pscoro updated this revision to Diff 442320.Jul 5 2022, 8:48 AM

small revisions

Harbormaster completed remote builds in B173720: Diff 442320.Jul 5 2022, 8:49 AM
pscoro marked 2 inline comments as done.Jul 5 2022, 8:56 AM
pscoro updated this revision to Diff 442368.Jul 5 2022, 11:40 AM

removed commented code

Harbormaster completed remote builds in B173750: Diff 442368.Jul 5 2022, 11:40 AM
Kai added a comment.Jul 5 2022, 12:04 PM

Some more nits, otherwise LGTM.

llvm/lib/Target/PowerPC/PPCISelLowering.cpp
10718

Line too long.

10725

Please remove dead code.

10726

Line too long.

10753

Line too long.

10756

Line too long.

nemanjai requested changes to this revision.Jul 5 2022, 12:08 PM

Please run clang-format, rebase and re-upload. It doesn't apply cleanly to ToT.

This revision now requires changes to proceed.Jul 5 2022, 12:08 PM
pscoro updated this revision to Diff 442598.Jul 6 2022, 8:40 AM

clean up

Harbormaster completed remote builds in B173919: Diff 442598.Jul 6 2022, 8:41 AM
pscoro updated this revision to Diff 442611.Jul 6 2022, 9:27 AM

undo full file clang-format, localized clang-format

Harbormaster completed remote builds in B173927: Diff 442611.Jul 6 2022, 9:28 AM
pscoro updated this revision to Diff 442615.Jul 6 2022, 9:39 AM

trying to localize calng-format again

Harbormaster completed remote builds in B173932: Diff 442615.Jul 6 2022, 9:40 AM
pscoro updated this revision to Diff 442627.Jul 6 2022, 10:20 AM

rebased

Harbormaster completed remote builds in B173939: Diff 442627.Jul 6 2022, 10:20 AM
pscoro updated this revision to Diff 442630.Jul 6 2022, 10:26 AM

patch appication troubleshooting

Harbormaster completed remote builds in B173941: Diff 442630.Jul 6 2022, 10:27 AM
pscoro updated this revision to Diff 442640.Jul 6 2022, 11:09 AM

trying to get patch to apply

Harbormaster completed remote builds in B173950: Diff 442640.Jul 6 2022, 11:09 AM
pscoro updated this revision to Diff 442643.Jul 6 2022, 11:11 AM

patch application

Harbormaster completed remote builds in B173953: Diff 442643.Jul 6 2022, 11:12 AM
pscoro abandoned this revision.Jul 6 2022, 12:06 PM
pscoro updated this revision to Diff 442678.Jul 6 2022, 1:41 PM

patch fix

pscoro added inline comments.Jul 6 2022, 1:56 PM
llvm/include/llvm/Debuginfod/Debuginfod.h
34 ↗(On Diff #442678)

Im really unsure how this change got in here, this is not added by me and on a freshly created branch and pull

Any ideas? I'll look into this tomorrow

Harbormaster completed remote builds in B173975: Diff 442678.Jul 6 2022, 3:17 PM
pscoro updated this revision to Diff 443630.Jul 11 2022, 7:10 AM

fixed lit test

Harbormaster completed remote builds in B174661: Diff 443630.Jul 11 2022, 7:54 AM
pscoro added a reviewer: power-llvm-team.Jul 19 2022, 7:12 AM
pscoro updated this revision to Diff 445853.Jul 19 2022, 9:37 AM

formatted comments

Harbormaster completed remote builds in B176279: Diff 445853.Jul 19 2022, 9:37 AM
shchenz edited reviewers, added: Restricted Project; removed: power-llvm-team.Jul 19 2022, 10:29 PM
shchenz added a subscriber: power-llvm-team.
shchenz added a comment.Jul 19 2022, 10:36 PM

Seems current revision is not right. You select the wrong base commit when you create the diff?

pscoro updated this revision to Diff 447102.Jul 23 2022, 5:40 PM

rebase

Harbormaster completed remote builds in B177204: Diff 447102.Jul 23 2022, 6:38 PM
lei added a subscriber: lei.Jul 28 2022, 6:08 AM
lei added inline comments.
llvm/test/CodeGen/PowerPC/kill-canary-intrinsic.ll
5

missing LE run test line?

shchenz added inline comments.Jul 28 2022, 11:19 PM
clang/test/CodeGen/PowerPC/builtins-ppc-stackprotect.c
12

nit: do we need -O2?

llvm/lib/Target/PowerPC/PPCISelLowering.cpp
10702

Is it possible to handle this when we generate Intrinsic::ppc_kill_canary, for example in the FE? Passing and handling this useless intrinsic in all the opt passes should be avoided?

10718

nit: we may don't need this magic number here, we can use DAG.getAllOnesConstant() when we generate the XOR below?

llvm/test/CodeGen/PowerPC/kill-canary-intrinsic.ll
6

+1, we should add a RUN line for 64bit Linux LE for -mtriple=powerpc64le-unknown-linux-gnu

and for 32-bit AIX too.

22

nit: we may can add nounwind attribute to the function to remove the unnecessary cfi related instructions in the test.

35

The functionality here seems wrong, AFAIK, we should overwrite the content in the slack slot instead of the data csect. Which means the store here should be std r4, 120(r1) instead of std r4, 0(r3). Stack protection aims to check that the stack content is not changed unexpectedly.

60

Linux seems right...

pscoro updated this revision to Diff 449299.Aug 2 2022, 8:36 AM
pscoro marked 3 inline comments as done.

Fixed test cases and AIX implementation

pscoro marked 8 inline comments as done.Aug 2 2022, 8:41 AM
pscoro added inline comments.
llvm/test/CodeGen/PowerPC/kill-canary-intrinsic.ll
12

How many test cases should I include? I tested all these machine triples on Power 7-10, bought I thought having 16 run lines may be too much, so I only included the power 7 and 8 run lines in the review.

Harbormaster completed remote builds in B178774: Diff 449299.Aug 2 2022, 9:52 AM
pscoro updated this revision to Diff 449683.Aug 3 2022, 9:18 AM

removed comments

Harbormaster completed remote builds in B179044: Diff 449683.Aug 3 2022, 11:09 AM
nemanjai added inline comments.Aug 9 2022, 5:46 AM
llvm/lib/Target/PowerPC/PPCISelLowering.cpp
10702

Again, this comment is nothing more than a re-reading of the code. As such, it is not useful. The comment should say what is happening and why. Something along the lines of:

// The kill_canary intrinsic only makes sense when the Stack Protector
// feature is on in the function. It can also not be used in conjunction
// with safe stack because the latter splits the stack and the canary
// value isn't used (i.e. safe stack supersedes stack protector).
// In situations where the kill_canary intrinsic is not supported,
// we simply replace uses of its chain with its input chain, causing
// the SDAG CSE to remove the node.
10720–10749

The common code should just be common. Seems like the only thing that changes is how we load the value. Please refactor this to something like:

if (useLoadStackGuardNode()) {
  ...
  Load = ... // stack guard load
} else if (Value *GV = getSDagStackGuard(*M)) {
  ...
  Load = ... // canary word global load
} else
  llvm_unreachable("Unhandled stack guard case");

Store = ... // common store
return Store; // (or you can just create the store in-line and return it directly)
llvm/test/CodeGen/PowerPC/kill-canary-intrinsic.ll
3

Please add one RUN line with -O0 to ensure that this works as expected with Fast ISel.

pscoro updated this revision to Diff 451133.Aug 9 2022, 6:35 AM

Small revisions

pscoro marked 3 inline comments as done.Aug 9 2022, 6:37 AM
nemanjai accepted this revision.Aug 9 2022, 7:58 AM

LGTM.

This revision is now accepted and ready to land.Aug 9 2022, 7:58 AM
Harbormaster completed remote builds in B180160: Diff 451133.Aug 9 2022, 10:38 AM
shchenz added inline comments.Aug 9 2022, 6:52 PM
llvm/lib/Target/PowerPC/PPCISelLowering.cpp
10744

Nit: Maybe we need to set the chain input for store as the chain output of the load.

Op->getOperand(0) -> Load->getValue(1)

There is data dependency between the load and the store, so above change will not impact the correctness. But that makes more sense from memory access order part.

llvm/test/CodeGen/PowerPC/kill-canary-intrinsic.ll
191

We may need to check why we are not storing not r3, r3 directly to 120(r1) at -O0, like std r3, 120(r1). Seems now we are storing to 119(r1)

pscoro updated this revision to Diff 452740.Aug 15 2022, 10:39 AM

chain input fix

pscoro marked an inline comment as done.Aug 15 2022, 10:40 AM
Harbormaster completed remote builds in B181331: Diff 452740.Aug 15 2022, 1:08 PM
pscoro updated this revision to Diff 452990.Aug 16 2022, 6:52 AM

reverted previous fix

Harbormaster completed remote builds in B181515: Diff 452990.Aug 16 2022, 8:39 AM
pscoro updated this revision to Diff 453105.Aug 16 2022, 1:05 PM

Re added chain fix

Harbormaster completed remote builds in B181608: Diff 453105.Aug 16 2022, 2:51 PM
pscoro updated this revision to Diff 453272.Aug 17 2022, 6:32 AM

Reverted chain revision again, final

Harbormaster completed remote builds in B181726: Diff 453272.Aug 17 2022, 7:53 AM

Revision Contents

PathSize
clang/
include/
clang/
Basic/
1 line
lib/
Basic/
Targets/
1 line
test/
CodeGen/
PowerPC/
23 lines
llvm/
include/
llvm/
IR/
5 lines
lib/
Target/
PowerPC/
52 lines
test/
CodeGen/
PowerPC/
206 lines

Diff 453272

clang/include/clang/Basic/BuiltinsPPC.def

Show First 20 LinesShow All 66 Lines▼ Show 20 Lines
BUILTIN(__builtin_ppc_fetch_and_add, "iiD*i", "") BUILTIN(__builtin_ppc_fetch_and_add, "iiD*i", "")
BUILTIN(__builtin_ppc_fetch_and_addlp, "LiLiD*Li", "") BUILTIN(__builtin_ppc_fetch_and_addlp, "LiLiD*Li", "")
BUILTIN(__builtin_ppc_fetch_and_and, "UiUiD*Ui", "") BUILTIN(__builtin_ppc_fetch_and_and, "UiUiD*Ui", "")
BUILTIN(__builtin_ppc_fetch_and_andlp, "ULiULiD*ULi", "") BUILTIN(__builtin_ppc_fetch_and_andlp, "ULiULiD*ULi", "")
BUILTIN(__builtin_ppc_fetch_and_or, "UiUiD*Ui", "") BUILTIN(__builtin_ppc_fetch_and_or, "UiUiD*Ui", "")
BUILTIN(__builtin_ppc_fetch_and_orlp, "ULiULiD*ULi", "") BUILTIN(__builtin_ppc_fetch_and_orlp, "ULiULiD*ULi", "")
BUILTIN(__builtin_ppc_fetch_and_swap, "UiUiD*Ui", "") BUILTIN(__builtin_ppc_fetch_and_swap, "UiUiD*Ui", "")
BUILTIN(__builtin_ppc_fetch_and_swaplp, "ULiULiD*ULi", "") BUILTIN(__builtin_ppc_fetch_and_swaplp, "ULiULiD*ULi", "")
BUILTIN(__builtin_ppc_kill_canary, "v", "")
BUILTIN(__builtin_ppc_ldarx, "LiLiD*", "") BUILTIN(__builtin_ppc_ldarx, "LiLiD*", "")
BUILTIN(__builtin_ppc_lwarx, "iiD*", "") BUILTIN(__builtin_ppc_lwarx, "iiD*", "")
BUILTIN(__builtin_ppc_lharx, "ssD*", "") BUILTIN(__builtin_ppc_lharx, "ssD*", "")
BUILTIN(__builtin_ppc_lbarx, "ccD*", "") BUILTIN(__builtin_ppc_lbarx, "ccD*", "")
BUILTIN(__builtin_ppc_stdcx, "iLiD*Li", "") BUILTIN(__builtin_ppc_stdcx, "iLiD*Li", "")
BUILTIN(__builtin_ppc_stwcx, "iiD*i", "") BUILTIN(__builtin_ppc_stwcx, "iiD*i", "")
BUILTIN(__builtin_ppc_sthcx, "isD*s", "") BUILTIN(__builtin_ppc_sthcx, "isD*s", "")
BUILTIN(__builtin_ppc_stbcx, "icD*i", "") BUILTIN(__builtin_ppc_stbcx, "icD*i", "")
▲ Show 20 LinesShow All 856 LinesShow Last 20 Lines

clang/lib/Basic/Targets/PPC.cpp

//===--- PPC.cpp - Implement PPC target feature support -------------------===// //===--- PPC.cpp - Implement PPC target feature support -------------------===//
Lint: Lint
Inline Actions

clang-format not found in user’s local PATH; not linting file.

Lint: Lint: clang-format not found in user’s local PATH; not linting file.
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
▲ Show 20 LinesShow All 108 Lines▼ Show 20 Linesstatic void defineXLCompatMacros(MacroBuilder &Builder) {
Builder.defineMacro("__fetch_and_add", "__builtin_ppc_fetch_and_add"); Builder.defineMacro("__fetch_and_add", "__builtin_ppc_fetch_and_add");
Builder.defineMacro("__fetch_and_addlp", "__builtin_ppc_fetch_and_addlp"); Builder.defineMacro("__fetch_and_addlp", "__builtin_ppc_fetch_and_addlp");
Builder.defineMacro("__fetch_and_and", "__builtin_ppc_fetch_and_and"); Builder.defineMacro("__fetch_and_and", "__builtin_ppc_fetch_and_and");
Builder.defineMacro("__fetch_and_andlp", "__builtin_ppc_fetch_and_andlp"); Builder.defineMacro("__fetch_and_andlp", "__builtin_ppc_fetch_and_andlp");
Builder.defineMacro("__fetch_and_or", "__builtin_ppc_fetch_and_or"); Builder.defineMacro("__fetch_and_or", "__builtin_ppc_fetch_and_or");
Builder.defineMacro("__fetch_and_orlp", "__builtin_ppc_fetch_and_orlp"); Builder.defineMacro("__fetch_and_orlp", "__builtin_ppc_fetch_and_orlp");
Builder.defineMacro("__fetch_and_swap", "__builtin_ppc_fetch_and_swap"); Builder.defineMacro("__fetch_and_swap", "__builtin_ppc_fetch_and_swap");
Builder.defineMacro("__fetch_and_swaplp", "__builtin_ppc_fetch_and_swaplp"); Builder.defineMacro("__fetch_and_swaplp", "__builtin_ppc_fetch_and_swaplp");
Builder.defineMacro("__kill_canary", "__builtin_ppc_kill_canary");
Builder.defineMacro("__ldarx", "__builtin_ppc_ldarx"); Builder.defineMacro("__ldarx", "__builtin_ppc_ldarx");
Builder.defineMacro("__lwarx", "__builtin_ppc_lwarx"); Builder.defineMacro("__lwarx", "__builtin_ppc_lwarx");
Builder.defineMacro("__lharx", "__builtin_ppc_lharx"); Builder.defineMacro("__lharx", "__builtin_ppc_lharx");
Builder.defineMacro("__lbarx", "__builtin_ppc_lbarx"); Builder.defineMacro("__lbarx", "__builtin_ppc_lbarx");
Builder.defineMacro("__stfiw", "__builtin_ppc_stfiw"); Builder.defineMacro("__stfiw", "__builtin_ppc_stfiw");
Builder.defineMacro("__stdcx", "__builtin_ppc_stdcx"); Builder.defineMacro("__stdcx", "__builtin_ppc_stdcx");
Builder.defineMacro("__stwcx", "__builtin_ppc_stwcx"); Builder.defineMacro("__stwcx", "__builtin_ppc_stwcx");
Builder.defineMacro("__sthcx", "__builtin_ppc_sthcx"); Builder.defineMacro("__sthcx", "__builtin_ppc_sthcx");
▲ Show 20 LinesShow All 725 LinesShow Last 20 Lines

clang/test/CodeGen/PowerPC/builtins-ppc-stackprotect.c

  • This file was added.
// REQUIRES: powerpc-registered-target
// RUN: %clang_cc1 -triple powerpc64-unknown-linux-gnu \
// RUN: -emit-llvm %s -o - -target-cpu pwr7 | \
// RUN: FileCheck %s
// RUN: %clang_cc1 -triple powerpc64le-unknown-linux-gnu \
// RUN: -emit-llvm %s -o - -target-cpu pwr8 | \
// RUN: FileCheck %s
// RUN: %clang_cc1 -triple powerpc-unknown-aix \
// RUN: -emit-llvm %s -o - -target-cpu pwr7 | \
// RUN: FileCheck %s
// RUN: %clang_cc1 -triple powerpc64-unknown-aix \
// RUN: -emit-llvm %s -o - -target-cpu pwr7 | \
shchenzUnsubmitted
Done
ReplyInline Actions

nit: do we need -O2?

shchenz: nit: do we need -O2?
// RUN: FileCheck %s
void test_builtin_ppc_kill_canary() {
// CHECK: call void @llvm.ppc.kill.canary()
__builtin_ppc_kill_canary();
}
void test_kill_canary() {
// CHECK: call void @llvm.ppc.kill.canary()
__kill_canary();
}

llvm/include/llvm/IR/IntrinsicsPowerPC.td

Show First 20 LinesShow All 188 Lines▼ Show 20 Lines def int_ppc_minfl
: Intrinsic< : Intrinsic<
[llvm_double_ty], [llvm_double_ty],
[llvm_double_ty, llvm_double_ty, llvm_double_ty, llvm_vararg_ty], [llvm_double_ty, llvm_double_ty, llvm_double_ty, llvm_vararg_ty],
[IntrNoMem]>; [IntrNoMem]>;
def int_ppc_minfs def int_ppc_minfs
: Intrinsic<[llvm_float_ty], : Intrinsic<[llvm_float_ty],
[llvm_float_ty, llvm_float_ty, llvm_float_ty, llvm_vararg_ty], [llvm_float_ty, llvm_float_ty, llvm_float_ty, llvm_vararg_ty],
[IntrNoMem]>; [IntrNoMem]>;
def int_ppc_kill_canary
: ClangBuiltin<"__builtin_ppc_kill_canary">,
Intrinsic<[],
[],
[IntrWriteMem, IntrHasSideEffects]>;
} }
let TargetPrefix = "ppc" in { // All PPC intrinsics start with "llvm.ppc.". let TargetPrefix = "ppc" in { // All PPC intrinsics start with "llvm.ppc.".
/// PowerPC_Vec_Intrinsic - Base class for all altivec intrinsics. /// PowerPC_Vec_Intrinsic - Base class for all altivec intrinsics.
class PowerPC_Vec_Intrinsic<string GCCIntSuffix, list<LLVMType> ret_types, class PowerPC_Vec_Intrinsic<string GCCIntSuffix, list<LLVMType> ret_types,
list<LLVMType> param_types, list<LLVMType> param_types,
list<IntrinsicProperty> properties> list<IntrinsicProperty> properties>
: ClangBuiltin<!strconcat("__builtin_altivec_", GCCIntSuffix)>, : ClangBuiltin<!strconcat("__builtin_altivec_", GCCIntSuffix)>,
▲ Show 20 LinesShow All 1,643 LinesShow Last 20 Lines

llvm/lib/Target/PowerPC/PPCISelLowering.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
//===-- PPCISelLowering.cpp - PPC DAG Lowering Implementation -------------===// //===-- PPCISelLowering.cpp - PPC DAG Lowering Implementation -------------===//
Lint: Lint
Inline Actions

clang-format not found in user’s local PATH; not linting file.

Lint: Lint: clang-format not found in user’s local PATH; not linting file.
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
▲ Show 20 LinesShow All 10,681 Lines▼ Show 20 Lines if (Ty == MVT::i128) {
Val = DAG.getNode(ISD::TRUNCATE, DL, MVT::i64, Val); Val = DAG.getNode(ISD::TRUNCATE, DL, MVT::i64, Val);
} }
return SDValue( return SDValue(
DAG.getMachineNode(PPC::CFENCE8, DL, MVT::Other, DAG.getMachineNode(PPC::CFENCE8, DL, MVT::Other,
DAG.getNode(ISD::ANY_EXTEND, DL, MVT::i64, Val), DAG.getNode(ISD::ANY_EXTEND, DL, MVT::i64, Val),
Op.getOperand(0)), Op.getOperand(0)),
0); 0);
} }
case Intrinsic::ppc_kill_canary: {
MachineFunction &MF = DAG.getMachineFunction();
const Module *M = MF.getMMI().getModule();
// The kill_canary intrinsic only makes sense when the Stack Protector
shchenzUnsubmitted
Done
ReplyInline Actions

Is it possible to handle this when we generate Intrinsic::ppc_kill_canary, for example in the FE? Passing and handling this useless intrinsic in all the opt passes should be avoided?

shchenz: Is it possible to handle this when we generate `Intrinsic::ppc_kill_canary`, for example in the…
nemanjaiUnsubmitted
Done
ReplyInline Actions

Again, this comment is nothing more than a re-reading of the code. As such, it is not useful. The comment should say what is happening and why. Something along the lines of:

// The kill_canary intrinsic only makes sense when the Stack Protector
// feature is on in the function. It can also not be used in conjunction
// with safe stack because the latter splits the stack and the canary
// value isn't used (i.e. safe stack supersedes stack protector).
// In situations where the kill_canary intrinsic is not supported,
// we simply replace uses of its chain with its input chain, causing
// the SDAG CSE to remove the node.
nemanjai: Again, this comment is nothing more than a re-reading of the code. As such, it is not useful.
// feature is on in the function. It can also not be used in conjunction
// with safe stack because the latter splits the stack and the canary
// value isn't used (i.e. safe stack supersedes stack protector).
// In situations where the kill_canary intrinsic is not supported,
// we simply replace uses of its chain with its input chain, causing
// the SDAG CSE to remove the node.
if (MF.getFunction().hasFnAttribute(Attribute::SafeStack) ||
!MF.getFunction().hasStackProtectorFnAttr()) {
DAG.ReplaceAllUsesOfValueWith(
SDValue(Op.getNode(), 0),
Op->getOperand(0));
break;
}
EVT VT = DAG.getTargetLoweringInfo().getPointerTy(DAG.getDataLayout());
SDValue Load;
pscoroAuthorUnsubmitted
Done
ReplyInline Actions

To address a comment on the previous review, I fixed the XOR to do what I intended. When you XOR bits against 1, you are guaranteed to not return the same bit because of exclusivity. Therefore XORing the canary word against 0xFFFFFFFF (0b1111...111) guarantees that the corrupted canary word is never the same as the original

pscoro: To address a comment on the previous review, I fixed the XOR to do what I intended. When you…
KaiUnsubmitted
Done
ReplyInline Actions

Line too long.

Kai: Line too long.
shchenzUnsubmitted
Done
ReplyInline Actions

nit: we may don't need this magic number here, we can use DAG.getAllOnesConstant() when we generate the XOR below?

shchenz: nit: we may don't need this magic number here, we can use `DAG.getAllOnesConstant()` when we…
SDValue Store;
MachineFrameInfo &MFI = MF.getFrameInfo();
int SPI = MFI.getStackProtectorIndex();
PPCFunctionInfo *FuncInfo = MF.getInfo<PPCFunctionInfo>();
SDValue FIN = DAG.getFrameIndex(FuncInfo->getVarArgsFrameIndex(), VT);
KaiUnsubmitted
Done
ReplyInline Actions
// try getting canary word as global value if it exists
- GlobalValue *GV = (Subtarget.isAIXABI())
- ? M->getGlobalVariable(AIXSSPCanaryWordName)
- : M->getNamedValue("__stack_chk_guard");
+ Value *GV = getSDagStackGuard(M);
if (GV == nullptr) { // linux uses LOAD_STACK_GUARD node instead of having a

I think this can be simplified using getSDagStackGuard().

Kai: I think this can be simplified using `getSDagStackGuard()`.
// Linux uses LOAD_STACK_GUARD node instead of a canary global value.
pscoroAuthorUnsubmitted
Done
ReplyInline Actions

Addressing a comment from the previous review, GV != nullptr can not be an assert because linux implements stack guard loading differently than aix. This review now also supports linux as well

pscoro: Addressing a comment from the previous review, GV != nullptr can not be an assert because linux…
KaiUnsubmitted
Done
ReplyInline Actions

Please remove dead code.

Kai: Please remove dead code.
KaiUnsubmitted
Done
ReplyInline Actions

You can simplify the code by reordering the conditions:

if (useLoadStackGuardNode()) {
  // LOAD_STACK_GUARD
} else if (Value *GV = getSDagStackGuard(M)) {
  // AIX implementation
} else
  llvm_unreachable("Unhandled stack guard case");
Kai: You can simplify the code by reordering the conditions: ``` if (useLoadStackGuardNode()) {…
if (useLoadStackGuardNode()) {
KaiUnsubmitted
Done
ReplyInline Actions

Line too long.

Kai: Line too long.
MachineSDNode *LSG =
DAG.getMachineNode(PPC::LOAD_STACK_GUARD, DL, VT, Op->getOperand(0));
Load = SDValue(LSG, 0);
} else if (Value *GV = getSDagStackGuard(*M)) {
// AIX load from global value.
VT = DAG.getTargetLoweringInfo().getValueType(DAG.getDataLayout(),
GV->getType(), true);
SDValue CanaryLoc =
DAG.getGlobalAddress(dyn_cast<GlobalValue>(GV), DL, VT);
Load = DAG.getLoad(VT, DL, Op->getOperand(0), CanaryLoc,
MachinePointerInfo());
} else {
llvm_unreachable("Unhandled stack guard case");
}
Store = DAG.getStore(
Op->getOperand(0), DL,
shchenzUnsubmitted
Done
ReplyInline Actions

Nit: Maybe we need to set the chain input for store as the chain output of the load.

Op->getOperand(0) -> Load->getValue(1)

There is data dependency between the load and the store, so above change will not impact the correctness. But that makes more sense from memory access order part.

shchenz: Nit: Maybe we need to set the chain input for store as the chain output of the load. `Op…
DAG.getNode(ISD::XOR, DL, VT, Load, DAG.getAllOnesConstant(DL, VT)),
DAG.getNode(ISD::ADD, DL, VT, FIN, DAG.getConstant(SPI, DL, VT)),
MachinePointerInfo());
return Store;
}
nemanjaiUnsubmitted
Not Done
ReplyInline Actions

The common code should just be common. Seems like the only thing that changes is how we load the value. Please refactor this to something like:

if (useLoadStackGuardNode()) {
  ...
  Load = ... // stack guard load
} else if (Value *GV = getSDagStackGuard(*M)) {
  ...
  Load = ... // canary word global load
} else
  llvm_unreachable("Unhandled stack guard case");

Store = ... // common store
return Store; // (or you can just create the store in-line and return it directly)
nemanjai: The common code should just be common. Seems like the only thing that changes is how we load…
default: default:
break; break;
} }
return SDValue(); return SDValue();
KaiUnsubmitted
Done
ReplyInline Actions

Line too long.

Kai: Line too long.
} }
// Lower scalar BSWAP64 to xxbrd. // Lower scalar BSWAP64 to xxbrd.
KaiUnsubmitted
Done
ReplyInline Actions

Line too long.

Kai: Line too long.
SDValue PPCTargetLowering::LowerBSWAP(SDValue Op, SelectionDAG &DAG) const { SDValue PPCTargetLowering::LowerBSWAP(SDValue Op, SelectionDAG &DAG) const {
SDLoc dl(Op); SDLoc dl(Op);
if (!Subtarget.isPPC64()) if (!Subtarget.isPPC64())
return Op; return Op;
// MTVSRDD // MTVSRDD
Op = DAG.getNode(ISD::BUILD_VECTOR, dl, MVT::v2i64, Op.getOperand(0), Op = DAG.getNode(ISD::BUILD_VECTOR, dl, MVT::v2i64, Op.getOperand(0),
Op.getOperand(0)); Op.getOperand(0));
// XXBRD // XXBRD
▲ Show 20 LinesShow All 7,485 LinesShow Last 20 Lines

llvm/test/CodeGen/PowerPC/kill-canary-intrinsic.ll

  • This file was added.
; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py
; RUN: llc -verify-machineinstrs -mtriple=powerpc-unknown-aix -ppc-vsr-nums-as-vr \
; RUN: -mcpu=pwr7 --ppc-asm-full-reg-names < %s | FileCheck %s -check-prefix=CHECK-AIX
nemanjaiUnsubmitted
Done
ReplyInline Actions

Please add one RUN line with -O0 to ensure that this works as expected with Fast ISel.

nemanjai: Please add one RUN line with `-O0` to ensure that this works as expected with Fast ISel.
; RUN: llc -verify-machineinstrs -mtriple=powerpc64-unknown-linux-gnu -ppc-vsr-nums-as-vr \
; RUN: -mcpu=pwr7 --ppc-asm-full-reg-names < %s | FileCheck %s
leiUnsubmitted
Done
ReplyInline Actions

missing LE run test line?

lei: missing LE run test line?
; RUN: llc -verify-machineinstrs -mtriple=powerpc64-unknown-aix -ppc-vsr-nums-as-vr \
shchenzUnsubmitted
Done
ReplyInline Actions

+1, we should add a RUN line for 64bit Linux LE for -mtriple=powerpc64le-unknown-linux-gnu

and for 32-bit AIX too.

shchenz: +1, we should add a RUN line for 64bit Linux LE for `-mtriple=powerpc64le-unknown-linux-gnu`…
; RUN: -mcpu=pwr7 --ppc-asm-full-reg-names < %s | FileCheck %s -check-prefix=CHECK-AIX64
; RUN: llc -verify-machineinstrs -mtriple=powerpc64le-unknown-linux-gnu -ppc-vsr-nums-as-vr \
; RUN: -mcpu=pwr7 --ppc-asm-full-reg-names < %s | FileCheck %s -check-prefix=CHECK-LINUX-LE
; RUN: llc -verify-machineinstrs -mtriple=powerpc-unknown-aix -ppc-vsr-nums-as-vr \
; RUN: -mcpu=pwr8 --ppc-asm-full-reg-names < %s | FileCheck %s -check-prefix=CHECK-AIX
pscoroAuthorUnsubmitted
Done
ReplyInline Actions

How many test cases should I include? I tested all these machine triples on Power 7-10, bought I thought having 16 run lines may be too much, so I only included the power 7 and 8 run lines in the review.

pscoro: How many test cases should I include? I tested all these machine triples on Power 7-10, bought…
; RUN: llc -verify-machineinstrs -mtriple=powerpc64-unknown-linux-gnu -ppc-vsr-nums-as-vr \
; RUN: -mcpu=pwr8 --ppc-asm-full-reg-names < %s | FileCheck %s
; RUN: llc -verify-machineinstrs -mtriple=powerpc64-unknown-aix -ppc-vsr-nums-as-vr \
; RUN: -mcpu=pwr8 --ppc-asm-full-reg-names < %s | FileCheck %s -check-prefix=CHECK-AIX64
; RUN: llc -verify-machineinstrs -mtriple=powerpc64le-unknown-linux-gnu -ppc-vsr-nums-as-vr \
; RUN: -mcpu=pwr8 --ppc-asm-full-reg-names < %s | FileCheck %s -check-prefix=CHECK-LINUX-LE
; RUN: llc -verify-machineinstrs -O0 -mtriple=powerpc-unknown-aix -ppc-vsr-nums-as-vr \
; RUN: -mcpu=pwr7 --ppc-asm-full-reg-names < %s | FileCheck %s -check-prefix=CHECK-AIX-FAST
; RUN: llc -verify-machineinstrs -O0 -mtriple=powerpc64-unknown-linux-gnu -ppc-vsr-nums-as-vr \
shchenzUnsubmitted
Not Done
ReplyInline Actions

nit: we may can add nounwind attribute to the function to remove the unnecessary cfi related instructions in the test.

shchenz: nit: we may can add `nounwind` attribute to the function to remove the unnecessary `cfi`…
; RUN: -mcpu=pwr7 --ppc-asm-full-reg-names < %s | FileCheck %s -check-prefix=CHECK-FAST
attributes #1 = { nounwind }
declare void @llvm.ppc.kill.canary()
define dso_local void @test_kill_canary() #1 {
; CHECK-AIX-LABEL: test_kill_canary:
; CHECK-AIX: # %bb.0: # %entry
; CHECK-AIX-NEXT: blr
;
; CHECK-LABEL: test_kill_canary:
; CHECK: # %bb.0: # %entry
; CHECK-NEXT: blr
;
shchenzUnsubmitted
Done
ReplyInline Actions

The functionality here seems wrong, AFAIK, we should overwrite the content in the slack slot instead of the data csect. Which means the store here should be std r4, 120(r1) instead of std r4, 0(r3). Stack protection aims to check that the stack content is not changed unexpectedly.

shchenz: The functionality here seems wrong, AFAIK, we should overwrite the content in the slack slot…
; CHECK-AIX64-LABEL: test_kill_canary:
; CHECK-AIX64: # %bb.0: # %entry
; CHECK-AIX64-NEXT: blr
;
; CHECK-LINUX-LE-LABEL: test_kill_canary:
; CHECK-LINUX-LE: # %bb.0: # %entry
; CHECK-LINUX-LE-NEXT: blr
;
; CHECK-AIX-FAST-LABEL: test_kill_canary:
; CHECK-AIX-FAST: # %bb.0: # %entry
; CHECK-AIX-FAST-NEXT: blr
;
; CHECK-FAST-LABEL: test_kill_canary:
; CHECK-FAST: # %bb.0: # %entry
; CHECK-FAST-NEXT: blr
entry:
call void @llvm.ppc.kill.canary()
ret void
}
attributes #0 = { sspreq }
; Function Attrs: sspreq
define dso_local void @test_kill_canary_ssp() #0 #1 {
; CHECK-AIX-LABEL: test_kill_canary_ssp:
; CHECK-AIX: # %bb.0: # %entry
shchenzUnsubmitted
Done
ReplyInline Actions

Linux seems right...

shchenz: Linux seems right...
; CHECK-AIX-NEXT: mflr r0
; CHECK-AIX-NEXT: stw r0, 8(r1)
; CHECK-AIX-NEXT: stwu r1, -64(r1)
; CHECK-AIX-NEXT: lwz r3, L..C0(r2) # @__ssp_canary_word
; CHECK-AIX-NEXT: lwz r4, 0(r3)
; CHECK-AIX-NEXT: stw r4, 60(r1)
; CHECK-AIX-NEXT: lwz r4, 0(r3)
; CHECK-AIX-NEXT: not r4, r4
; CHECK-AIX-NEXT: stw r4, 60(r1)
; CHECK-AIX-NEXT: lwz r3, 0(r3)
; CHECK-AIX-NEXT: lwz r4, 60(r1)
; CHECK-AIX-NEXT: cmplw r3, r4
; CHECK-AIX-NEXT: bne cr0, L..BB1_2
; CHECK-AIX-NEXT: # %bb.1: # %entry
; CHECK-AIX-NEXT: addi r1, r1, 64
; CHECK-AIX-NEXT: lwz r0, 8(r1)
; CHECK-AIX-NEXT: mtlr r0
; CHECK-AIX-NEXT: blr
; CHECK-AIX-NEXT: L..BB1_2: # %entry
; CHECK-AIX-NEXT: bl .__stack_chk_fail[PR]
; CHECK-AIX-NEXT: nop
;
; CHECK-LABEL: test_kill_canary_ssp:
; CHECK: # %bb.0: # %entry
; CHECK-NEXT: mflr r0
; CHECK-NEXT: std r0, 16(r1)
; CHECK-NEXT: stdu r1, -128(r1)
; CHECK-NEXT: ld r3, -28688(r13)
; CHECK-NEXT: std r3, 120(r1)
; CHECK-NEXT: ld r3, -28688(r13)
; CHECK-NEXT: not r3, r3
; CHECK-NEXT: std r3, 120(r1)
; CHECK-NEXT: ld r3, 120(r1)
; CHECK-NEXT: ld r4, -28688(r13)
; CHECK-NEXT: cmpld r4, r3
; CHECK-NEXT: bne cr0, .LBB1_2
; CHECK-NEXT: # %bb.1: # %entry
; CHECK-NEXT: addi r1, r1, 128
; CHECK-NEXT: ld r0, 16(r1)
; CHECK-NEXT: mtlr r0
; CHECK-NEXT: blr
; CHECK-NEXT: .LBB1_2: # %entry
; CHECK-NEXT: bl __stack_chk_fail
; CHECK-NEXT: nop
;
; CHECK-AIX64-LABEL: test_kill_canary_ssp:
; CHECK-AIX64: # %bb.0: # %entry
; CHECK-AIX64-NEXT: mflr r0
; CHECK-AIX64-NEXT: std r0, 16(r1)
; CHECK-AIX64-NEXT: stdu r1, -128(r1)
; CHECK-AIX64-NEXT: ld r3, L..C0(r2) # @__ssp_canary_word
; CHECK-AIX64-NEXT: ld r4, 0(r3)
; CHECK-AIX64-NEXT: std r4, 120(r1)
; CHECK-AIX64-NEXT: ld r4, 0(r3)
; CHECK-AIX64-NEXT: not r4, r4
; CHECK-AIX64-NEXT: std r4, 120(r1)
; CHECK-AIX64-NEXT: ld r3, 0(r3)
; CHECK-AIX64-NEXT: ld r4, 120(r1)
; CHECK-AIX64-NEXT: cmpld r3, r4
; CHECK-AIX64-NEXT: bne cr0, L..BB1_2
; CHECK-AIX64-NEXT: # %bb.1: # %entry
; CHECK-AIX64-NEXT: addi r1, r1, 128
; CHECK-AIX64-NEXT: ld r0, 16(r1)
; CHECK-AIX64-NEXT: mtlr r0
; CHECK-AIX64-NEXT: blr
; CHECK-AIX64-NEXT: L..BB1_2: # %entry
; CHECK-AIX64-NEXT: bl .__stack_chk_fail[PR]
; CHECK-AIX64-NEXT: nop
;
; CHECK-LINUX-LE-LABEL: test_kill_canary_ssp:
; CHECK-LINUX-LE: # %bb.0: # %entry
; CHECK-LINUX-LE-NEXT: mflr r0
; CHECK-LINUX-LE-NEXT: std r0, 16(r1)
; CHECK-LINUX-LE-NEXT: stdu r1, -48(r1)
; CHECK-LINUX-LE-NEXT: ld r3, -28688(r13)
; CHECK-LINUX-LE-NEXT: std r3, 40(r1)
; CHECK-LINUX-LE-NEXT: ld r3, -28688(r13)
; CHECK-LINUX-LE-NEXT: not r3, r3
; CHECK-LINUX-LE-NEXT: std r3, 40(r1)
; CHECK-LINUX-LE-NEXT: ld r3, 40(r1)
; CHECK-LINUX-LE-NEXT: ld r4, -28688(r13)
; CHECK-LINUX-LE-NEXT: cmpld r4, r3
; CHECK-LINUX-LE-NEXT: bne cr0, .LBB1_2
; CHECK-LINUX-LE-NEXT: # %bb.1: # %entry
; CHECK-LINUX-LE-NEXT: addi r1, r1, 48
; CHECK-LINUX-LE-NEXT: ld r0, 16(r1)
; CHECK-LINUX-LE-NEXT: mtlr r0
; CHECK-LINUX-LE-NEXT: blr
; CHECK-LINUX-LE-NEXT: .LBB1_2: # %entry
; CHECK-LINUX-LE-NEXT: bl __stack_chk_fail
; CHECK-LINUX-LE-NEXT: nop
;
; CHECK-AIX-FAST-LABEL: test_kill_canary_ssp:
; CHECK-AIX-FAST: # %bb.0: # %entry
; CHECK-AIX-FAST-NEXT: mflr r0
; CHECK-AIX-FAST-NEXT: stw r0, 8(r1)
; CHECK-AIX-FAST-NEXT: stwu r1, -64(r1)
; CHECK-AIX-FAST-NEXT: lwz r3, L..C0(r2) # @__ssp_canary_word
; CHECK-AIX-FAST-NEXT: lwz r4, 0(r3)
; CHECK-AIX-FAST-NEXT: stw r4, 60(r1)
; CHECK-AIX-FAST-NEXT: lwz r4, 0(r3)
; CHECK-AIX-FAST-NEXT: not r4, r4
; CHECK-AIX-FAST-NEXT: stw r4, 60(r1)
; CHECK-AIX-FAST-NEXT: lwz r3, 0(r3)
; CHECK-AIX-FAST-NEXT: lwz r4, 60(r1)
; CHECK-AIX-FAST-NEXT: cmplw r3, r4
; CHECK-AIX-FAST-NEXT: bne cr0, L..BB1_2
; CHECK-AIX-FAST-NEXT: b L..BB1_1
; CHECK-AIX-FAST-NEXT: L..BB1_1: # %SP_return
; CHECK-AIX-FAST-NEXT: addi r1, r1, 64
; CHECK-AIX-FAST-NEXT: lwz r0, 8(r1)
; CHECK-AIX-FAST-NEXT: mtlr r0
; CHECK-AIX-FAST-NEXT: blr
; CHECK-AIX-FAST-NEXT: L..BB1_2: # %CallStackCheckFailBlk
; CHECK-AIX-FAST-NEXT: bl .__stack_chk_fail[PR]
; CHECK-AIX-FAST-NEXT: nop
;
; CHECK-FAST-LABEL: test_kill_canary_ssp:
; CHECK-FAST: # %bb.0: # %entry
; CHECK-FAST-NEXT: mflr r0
; CHECK-FAST-NEXT: std r0, 16(r1)
; CHECK-FAST-NEXT: stdu r1, -128(r1)
; CHECK-FAST-NEXT: ld r3, -28688(r13)
; CHECK-FAST-NEXT: ld r3, -28688(r13)
; CHECK-FAST-NEXT: std r3, 120(r1)
; CHECK-FAST-NEXT: ld r3, -28688(r13)
; CHECK-FAST-NEXT: not r3, r3
; CHECK-FAST-NEXT: li r5, -1
; CHECK-FAST-NEXT: addi r4, r1, 120
; CHECK-FAST-NEXT: stdx r3, r4, r5
; CHECK-FAST-NEXT: ld r3, -28688(r13)
shchenzUnsubmitted
Not Done
ReplyInline Actions

We may need to check why we are not storing not r3, r3 directly to 120(r1) at -O0, like std r3, 120(r1). Seems now we are storing to 119(r1)

shchenz: We may need to check why we are not storing `not r3, r3` directly to `120(r1)` at -O0, like…
; CHECK-FAST-NEXT: ld r4, 120(r1)
; CHECK-FAST-NEXT: cmpd r3, r4
; CHECK-FAST-NEXT: bne cr0, .LBB1_2
; CHECK-FAST-NEXT: # %bb.1: # %SP_return
; CHECK-FAST-NEXT: addi r1, r1, 128
; CHECK-FAST-NEXT: ld r0, 16(r1)
; CHECK-FAST-NEXT: mtlr r0
; CHECK-FAST-NEXT: blr
; CHECK-FAST-NEXT: .LBB1_2: # %CallStackCheckFailBlk
; CHECK-FAST-NEXT: bl __stack_chk_fail
; CHECK-FAST-NEXT: nop
entry:
call void @llvm.ppc.kill.canary()
ret void
}