This is an archive of the discontinued LLVM Phabricator instance.

Android support for SafeStack
ClosedPublic

Authored by eugenis on Sep 17 2015, 5:31 PM.

Download Raw Diff

Details

Reviewers

pcc
echristo

Summary

Add two new ways of accessing the unsafe stack pointer:

at a fixed offset from the thread TLS base. This is very similar to StackProtector cookies, but we plan to extend it to other backends (ARM in particular) soon. Bionic-side implementation here: https://android-review.googlesource.com/170988
via a function call, as a fallback for platforms that provide neither a fixed TLS slot, nor a reasonable TLS implementation (i.e. not emutls).

Diff Detail

Repository: rL LLVM

Event Timeline

eugenis updated this revision to Diff 35050.Sep 17 2015, 5:31 PM

eugenis retitled this revision from to Android support for SafeStack.

eugenis updated this object.

eugenis added reviewers: pcc, echristo.

eugenis set the repository for this revision to rL LLVM.

eugenis added a subscriber: llvm-commits.

Herald added subscribers: srhines, danalbert, tberghammer, aemerson. · View Herald TranscriptSep 17 2015, 5:31 PM

Some inline comments :)

-eric

include/llvm/LinkAllPasses.h
136 ↗	(On Diff #35050)	Default = nullptr to avoid this?
include/llvm/Transforms/Instrumentation.h
19	Can probably just forward declare right?
lib/Target/X86/X86ISelLowering.cpp
2084	Block point explaining the idea behind it? (Also might want the same sort of thing on the function just above if you wouldn't mind.)
lib/Transforms/Instrumentation/SafeStack.cpp
21–23	?
21–23	Can you remove the dependence on TTI separately? I don't see any use otherwise?
226–227	const?
263–268	Needs a comment. Also, can we do this in such a way that we don't need to check for android? Similar to the stack protector pattern?
385–386	?

eugenis updated this revision to Diff 35335.Sep 21 2015, 6:10 PM

eugenis edited edge metadata.

eugenis marked 6 inline comments as done.

eugenis added inline comments.

lib/Transforms/Instrumentation/SafeStack.cpp
21–23	Passes.h needed for INITIALIZE_TM_PASS_BEGIN
263–268	We could move this logic to TargetLowering.h, making the X86 implementation delegate to the common implementation if not android, but it does not improve anything.
385–386	Simplified. This code moved insertion point after the calculation of UnsafeStackPtr, unless that's a constant.

LGTM.

Thanks!

-eric

This revision is now accepted and ready to land.Sep 22 2015, 5:05 PM

Thanks for the review! Submitted as r248357.

Revision Contents

Path

Size

include/

llvm/

Target/

TargetLowering.h

8 lines

Transforms/

Instrumentation.h

4 lines

lib/

CodeGen/

Passes.cpp

2 lines

Target/

X86/

X86ISelLowering.h

6 lines

X86ISelLowering.cpp

23 lines

X86Subtarget.h

3 lines

Transforms/

Instrumentation/

SafeStack.cpp

109 lines

test/

Transforms/

SafeStack/

abi.ll

38 lines

Diff 35335

include/llvm/Target/TargetLowering.h

Show First 20 Lines • Show All 989 Lines • ▼ Show 20 Lines	public:
/// Return true if the target stores stack protector cookies at a fixed offset		/// Return true if the target stores stack protector cookies at a fixed offset
/// in some non-standard address space, and populates the address space and		/// in some non-standard address space, and populates the address space and
/// offset as appropriate.		/// offset as appropriate.
virtual bool getStackCookieLocation(unsigned &/AddressSpace/,		virtual bool getStackCookieLocation(unsigned &/AddressSpace/,
unsigned &/Offset/) const {		unsigned &/Offset/) const {
return false;		return false;
}		}

		/// Return true if the target stores SafeStack pointer at a fixed offset in
		/// some non-standard address space, and populates the address space and
		/// offset as appropriate.
		virtual bool getSafeStackPointerLocation(unsigned & /AddressSpace/,
		unsigned & /Offset/) const {
		return false;
		}

/// Returns true if a cast between SrcAS and DestAS is a noop.		/// Returns true if a cast between SrcAS and DestAS is a noop.
virtual bool isNoopAddrSpaceCast(unsigned SrcAS, unsigned DestAS) const {		virtual bool isNoopAddrSpaceCast(unsigned SrcAS, unsigned DestAS) const {
return false;		return false;
}		}

/// Return true if the pointer arguments to CI should be aligned by aligning		/// Return true if the pointer arguments to CI should be aligned by aligning
/// the object whose address is being passed. If so then MinSize is set to the		/// the object whose address is being passed. If so then MinSize is set to the
/// minimum size the object must be to be aligned and PrefAlign is set to the		/// minimum size the object must be to be aligned and PrefAlign is set to the
▲ Show 20 Lines • Show All 1,834 Lines • Show Last 20 Lines

include/llvm/Transforms/Instrumentation.h

	Show All 10 Lines
	//			//
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	#ifndef LLVM_TRANSFORMS_INSTRUMENTATION_H			#ifndef LLVM_TRANSFORMS_INSTRUMENTATION_H
	#define LLVM_TRANSFORMS_INSTRUMENTATION_H			#define LLVM_TRANSFORMS_INSTRUMENTATION_H

	#include "llvm/ADT/StringRef.h"			#include "llvm/ADT/StringRef.h"
	#include "llvm/IR/BasicBlock.h"			#include "llvm/IR/BasicBlock.h"
	#include <vector>			#include <vector>
				echristoUnsubmitted Done Reply Inline Actions Can probably just forward declare right? echristo: Can probably just forward declare right?

	#if defined(__GNUC__) && defined(__linux__) && !defined(ANDROID)			#if defined(__GNUC__) && defined(__linux__) && !defined(ANDROID)
	inline void *getDFSanArgTLSPtrForJIT() {			inline void *getDFSanArgTLSPtrForJIT() {
	extern __thread __attribute__((tls_model("initial-exec")))			extern __thread __attribute__((tls_model("initial-exec")))
	void *__dfsan_arg_tls;			void *__dfsan_arg_tls;
	return (void *)&__dfsan_arg_tls;			return (void *)&__dfsan_arg_tls;
	}			}

	inline void *getDFSanRetValTLSPtrForJIT() {			inline void *getDFSanRetValTLSPtrForJIT() {
	extern __thread __attribute__((tls_model("initial-exec")))			extern __thread __attribute__((tls_model("initial-exec")))
	void *__dfsan_retval_tls;			void *__dfsan_retval_tls;
	return (void *)&__dfsan_retval_tls;			return (void *)&__dfsan_retval_tls;
	}			}
	#endif			#endif

	namespace llvm {			namespace llvm {

				class TargetMachine;

	/// Instrumentation passes often insert conditional checks into entry blocks.			/// Instrumentation passes often insert conditional checks into entry blocks.
	/// Call this function before splitting the entry block to move instructions			/// Call this function before splitting the entry block to move instructions
	/// that must remain in the entry block up before the split point. Static			/// that must remain in the entry block up before the split point. Static
	/// allocas and llvm.localescape calls, for example, must remain in the entry			/// allocas and llvm.localescape calls, for example, must remain in the entry
	/// block.			/// block.
	BasicBlock::iterator PrepareToSplitEntryBlock(BasicBlock &BB,			BasicBlock::iterator PrepareToSplitEntryBlock(BasicBlock &BB,
	BasicBlock::iterator IP);			BasicBlock::iterator IP);

	▲ Show 20 Lines • Show All 93 Lines • ▼ Show 20 Lines
	#endif			#endif

	// BoundsChecking - This pass instruments the code to perform run-time bounds			// BoundsChecking - This pass instruments the code to perform run-time bounds
	// checking on loads, stores, and other memory intrinsics.			// checking on loads, stores, and other memory intrinsics.
	FunctionPass *createBoundsCheckingPass();			FunctionPass *createBoundsCheckingPass();

	/// \brief This pass splits the stack into a safe stack and an unsafe stack to			/// \brief This pass splits the stack into a safe stack and an unsafe stack to
	/// protect against stack-based overflow vulnerabilities.			/// protect against stack-based overflow vulnerabilities.
	FunctionPass *createSafeStackPass();			FunctionPass createSafeStackPass(const TargetMachine TM = nullptr);

	} // End llvm namespace			} // End llvm namespace

	#endif			#endif

lib/CodeGen/Passes.cpp

	Show First 20 Lines • Show All 460 Lines • ▼ Show 20 Lines

	/// Add common passes that perform LLVM IR to IR transforms in preparation for			/// Add common passes that perform LLVM IR to IR transforms in preparation for
	/// instruction selection.			/// instruction selection.
	void TargetPassConfig::addISelPrepare() {			void TargetPassConfig::addISelPrepare() {
	addPreISel();			addPreISel();

	// Add both the safe stack and the stack protection passes: each of them will			// Add both the safe stack and the stack protection passes: each of them will
	// only protect functions that have corresponding attributes.			// only protect functions that have corresponding attributes.
	addPass(createSafeStackPass());			addPass(createSafeStackPass(TM));
	addPass(createStackProtectorPass(TM));			addPass(createStackProtectorPass(TM));

	if (PrintISelInput)			if (PrintISelInput)
	addPass(createPrintFunctionPass(			addPass(createPrintFunctionPass(
	dbgs(), "\n\n* Final LLVM Code input to ISel *\n"));			dbgs(), "\n\n* Final LLVM Code input to ISel *\n"));

	// All passes which modify the LLVM IR are now complete; run the verifier			// All passes which modify the LLVM IR are now complete; run the verifier
	// to ensure that the IR is valid.			// to ensure that the IR is valid.
	▲ Show 20 Lines • Show All 324 Lines • Show Last 20 Lines

lib/Target/X86/X86ISelLowering.h

Show First 20 Lines • Show All 885 Lines • ▼ Show 20 Lines	FastISel *createFastISel(FunctionLoweringInfo &funcInfo,
const TargetLibraryInfo *libInfo) const override;		const TargetLibraryInfo *libInfo) const override;

/// Return true if the target stores stack protector cookies at a fixed		/// Return true if the target stores stack protector cookies at a fixed
/// offset in some non-standard address space, and populates the address		/// offset in some non-standard address space, and populates the address
/// space and offset as appropriate.		/// space and offset as appropriate.
bool getStackCookieLocation(unsigned &AddressSpace,		bool getStackCookieLocation(unsigned &AddressSpace,
unsigned &Offset) const override;		unsigned &Offset) const override;

		/// Return true if the target stores SafeStack pointer at a fixed offset in
		/// some non-standard address space, and populates the address space and
		/// offset as appropriate.
		bool getSafeStackPointerLocation(unsigned &AddressSpace,
		unsigned &Offset) const override;

SDValue BuildFILD(SDValue Op, EVT SrcVT, SDValue Chain, SDValue StackSlot,		SDValue BuildFILD(SDValue Op, EVT SrcVT, SDValue Chain, SDValue StackSlot,
SelectionDAG &DAG) const;		SelectionDAG &DAG) const;

bool isNoopAddrSpaceCast(unsigned SrcAS, unsigned DestAS) const override;		bool isNoopAddrSpaceCast(unsigned SrcAS, unsigned DestAS) const override;

bool useLoadStackGuardNode() const override;		bool useLoadStackGuardNode() const override;
/// \brief Customize the preferred legalization strategy for certain types.		/// \brief Customize the preferred legalization strategy for certain types.
LegalizeTypeAction getPreferredVectorAction(EVT VT) const override;		LegalizeTypeAction getPreferredVectorAction(EVT VT) const override;
▲ Show 20 Lines • Show All 240 Lines • Show Last 20 Lines

lib/Target/X86/X86ISelLowering.cpp

This file is larger than 256 KB, so syntax highlighting is disabled by default.

Show First 20 Lines • Show All 2,075 Lines • ▼ Show 20 Lines	bool X86TargetLowering::getStackCookieLocation(unsigned &AddressSpace,
} else {		} else {
// %gs:0x14 on i386		// %gs:0x14 on i386
Offset = 0x14;		Offset = 0x14;
AddressSpace = 256;		AddressSpace = 256;
}		}
return true;		return true;
}		}

		/// Android provides a fixed TLS slot for the SafeStack pointer.
		echristoUnsubmitted Done Reply Inline Actions Block point explaining the idea behind it? (Also might want the same sort of thing on the function just above if you wouldn't mind.) echristo: Block point explaining the idea behind it? (Also might want the same sort of thing on the…
		/// See the definition of TLS_SLOT_SAFESTACK in
		/// https://android.googlesource.com/platform/bionic/+/master/libc/private/bionic_tls.h
		bool X86TargetLowering::getSafeStackPointerLocation(unsigned &AddressSpace,
		unsigned &Offset) const {
		if (!Subtarget->isTargetAndroid())
		return false;

		if (Subtarget->is64Bit()) {
		// %fs:0x48, unless we're using a Kernel code model, in which case it's %gs:
		Offset = 0x48;
		if (getTargetMachine().getCodeModel() == CodeModel::Kernel)
		AddressSpace = 256;
		else
		AddressSpace = 257;
		} else {
		// %gs:0x24 on i386
		Offset = 0x24;
		AddressSpace = 256;
		}
		return true;
		}

bool X86TargetLowering::isNoopAddrSpaceCast(unsigned SrcAS,		bool X86TargetLowering::isNoopAddrSpaceCast(unsigned SrcAS,
unsigned DestAS) const {		unsigned DestAS) const {
assert(SrcAS != DestAS && "Expected different address spaces!");		assert(SrcAS != DestAS && "Expected different address spaces!");

return SrcAS < 256 && DestAS < 256;		return SrcAS < 256 && DestAS < 256;
}		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
▲ Show 20 Lines • Show All 24,927 Lines • Show Last 20 Lines

lib/Target/X86/X86Subtarget.h

Show First 20 Lines • Show All 388 Lines • ▼ Show 20 Lines	public:
bool isTargetSolaris() const { return TargetTriple.isOSSolaris(); }		bool isTargetSolaris() const { return TargetTriple.isOSSolaris(); }
bool isTargetPS4() const { return TargetTriple.isPS4(); }		bool isTargetPS4() const { return TargetTriple.isPS4(); }

bool isTargetELF() const { return TargetTriple.isOSBinFormatELF(); }		bool isTargetELF() const { return TargetTriple.isOSBinFormatELF(); }
bool isTargetCOFF() const { return TargetTriple.isOSBinFormatCOFF(); }		bool isTargetCOFF() const { return TargetTriple.isOSBinFormatCOFF(); }
bool isTargetMachO() const { return TargetTriple.isOSBinFormatMachO(); }		bool isTargetMachO() const { return TargetTriple.isOSBinFormatMachO(); }

bool isTargetLinux() const { return TargetTriple.isOSLinux(); }		bool isTargetLinux() const { return TargetTriple.isOSLinux(); }
		bool isTargetAndroid() const {
		return TargetTriple.getEnvironment() == Triple::Android;
		}
bool isTargetNaCl() const { return TargetTriple.isOSNaCl(); }		bool isTargetNaCl() const { return TargetTriple.isOSNaCl(); }
bool isTargetNaCl32() const { return isTargetNaCl() && !is64Bit(); }		bool isTargetNaCl32() const { return isTargetNaCl() && !is64Bit(); }
bool isTargetNaCl64() const { return isTargetNaCl() && is64Bit(); }		bool isTargetNaCl64() const { return isTargetNaCl() && is64Bit(); }

bool isTargetWindowsMSVC() const {		bool isTargetWindowsMSVC() const {
return TargetTriple.isWindowsMSVCEnvironment();		return TargetTriple.isWindowsMSVCEnvironment();
}		}

▲ Show 20 Lines • Show All 113 Lines • Show Last 20 Lines

lib/Transforms/Instrumentation/SafeStack.cpp

Show All 12 Lines
//		//
// http://clang.llvm.org/docs/SafeStack.html		// http://clang.llvm.org/docs/SafeStack.html
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "llvm/Transforms/Instrumentation.h"		#include "llvm/Transforms/Instrumentation.h"
#include "llvm/ADT/Statistic.h"		#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/Triple.h"		#include "llvm/ADT/Triple.h"
#include "llvm/Analysis/AliasAnalysis.h"		#include "llvm/Analysis/AliasAnalysis.h"
		#include "llvm/CodeGen/Passes.h"
#include "llvm/IR/Constants.h"		#include "llvm/IR/Constants.h"
		echristoUnsubmitted Done Reply Inline Actions ? echristo: ?
		eugenisAuthorUnsubmitted Not Done Reply Inline Actions Passes.h needed for INITIALIZE_TM_PASS_BEGIN eugenis: Passes.h needed for INITIALIZE_TM_PASS_BEGIN
		echristoUnsubmitted Done Reply Inline Actions Can you remove the dependence on TTI separately? I don't see any use otherwise? echristo: Can you remove the dependence on TTI separately? I don't see any use otherwise?
#include "llvm/IR/DataLayout.h"		#include "llvm/IR/DataLayout.h"
#include "llvm/IR/DerivedTypes.h"		#include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/DIBuilder.h"		#include "llvm/IR/DIBuilder.h"
#include "llvm/IR/Function.h"		#include "llvm/IR/Function.h"
#include "llvm/IR/InstIterator.h"		#include "llvm/IR/InstIterator.h"
#include "llvm/IR/Instructions.h"		#include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h"		#include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h"		#include "llvm/IR/Intrinsics.h"
#include "llvm/IR/IRBuilder.h"		#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/Module.h"		#include "llvm/IR/Module.h"
#include "llvm/Pass.h"		#include "llvm/Pass.h"
#include "llvm/Support/CommandLine.h"		#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"		#include "llvm/Support/Debug.h"
#include "llvm/Support/Format.h"		#include "llvm/Support/Format.h"
#include "llvm/Support/MathExtras.h"		#include "llvm/Support/MathExtras.h"
#include "llvm/Support/raw_os_ostream.h"		#include "llvm/Support/raw_os_ostream.h"
		#include "llvm/Target/TargetLowering.h"
		#include "llvm/Target/TargetSubtargetInfo.h"
#include "llvm/Transforms/Utils/Local.h"		#include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h"		#include "llvm/Transforms/Utils/ModuleUtils.h"

using namespace llvm;		using namespace llvm;

#define DEBUG_TYPE "safestack"		#define DEBUG_TYPE "safestack"

		static const char *const kUnsafeStackPtrVar = "__safestack_unsafe_stack_ptr";
		static const char *const kUnsafeStackPtrAddrFn = "__safestack_pointer_address";

namespace llvm {		namespace llvm {

STATISTIC(NumFunctions, "Total number of functions");		STATISTIC(NumFunctions, "Total number of functions");
STATISTIC(NumUnsafeStackFunctions, "Number of functions with unsafe stack");		STATISTIC(NumUnsafeStackFunctions, "Number of functions with unsafe stack");
STATISTIC(NumUnsafeStackRestorePointsFunctions,		STATISTIC(NumUnsafeStackRestorePointsFunctions,
"Number of functions that use setjmp or exceptions");		"Number of functions that use setjmp or exceptions");

STATISTIC(NumAllocas, "Total number of allocas");		STATISTIC(NumAllocas, "Total number of allocas");
▲ Show 20 Lines • Show All 98 Lines • ▼ Show 20 Lines	bool IsSafeStackAlloca(const AllocaInst *AI) {
return true;		return true;
}		}

/// The SafeStack pass splits the stack of each function into the		/// The SafeStack pass splits the stack of each function into the
/// safe stack, which is only accessed through memory safe dereferences		/// safe stack, which is only accessed through memory safe dereferences
/// (as determined statically), and the unsafe stack, which contains all		/// (as determined statically), and the unsafe stack, which contains all
/// local variables that are accessed in unsafe ways.		/// local variables that are accessed in unsafe ways.
class SafeStack : public FunctionPass {		class SafeStack : public FunctionPass {
		const TargetMachine *TM;
		const TargetLoweringBase *TLI;
const DataLayout *DL;		const DataLayout *DL;

Type *StackPtrTy;		Type *StackPtrTy;
Type *IntPtrTy;		Type *IntPtrTy;
Type *Int32Ty;		Type *Int32Ty;
Type *Int8Ty;		Type *Int8Ty;

Constant *UnsafeStackPtr = nullptr;		Value *UnsafeStackPtr = nullptr;

/// Unsafe stack alignment. Each stack frame must ensure that the stack is		/// Unsafe stack alignment. Each stack frame must ensure that the stack is
/// aligned to this value. We need to re-align the unsafe stack if the		/// aligned to this value. We need to re-align the unsafe stack if the
/// alignment of any object on the stack exceeds this value.		/// alignment of any object on the stack exceeds this value.
///		///
/// 16 seems like a reasonable upper bound on the alignment of objects that we		/// 16 seems like a reasonable upper bound on the alignment of objects that we
/// might expect to appear on the stack on most common targets.		/// might expect to appear on the stack on most common targets.
enum { StackAlignment = 16 };		enum { StackAlignment = 16 };

/// \brief Build a constant representing a pointer to the unsafe stack		/// \brief Build a constant representing a pointer to the unsafe stack
/// pointer.		/// pointer.
Constant *getOrCreateUnsafeStackPtr(Module &M);		Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F);

/// \brief Find all static allocas, dynamic allocas, return instructions and		/// \brief Find all static allocas, dynamic allocas, return instructions and
/// stack restore points (exception unwind blocks and setjmp calls) in the		/// stack restore points (exception unwind blocks and setjmp calls) in the
/// given function and append them to the respective vectors.		/// given function and append them to the respective vectors.
void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,		void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas,		SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns,		SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints);		SmallVectorImpl<Instruction *> &StackRestorePoints);

/// \brief Allocate space for all static allocas in \p StaticAllocas,		/// \brief Allocate space for all static allocas in \p StaticAllocas,
/// replace allocas with pointers into the unsafe stack and generate code to		/// replace allocas with pointers into the unsafe stack and generate code to
/// restore the stack pointer before all return instructions in \p Returns.		/// restore the stack pointer before all return instructions in \p Returns.
///		///
/// \returns A pointer to the top of the unsafe stack after all unsafe static		/// \returns A pointer to the top of the unsafe stack after all unsafe static
/// allocas are allocated.		/// allocas are allocated.
Value *moveStaticAllocasToUnsafeStack(Function &F,		Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
ArrayRef<AllocaInst *> StaticAllocas,		ArrayRef<AllocaInst *> StaticAllocas,
ArrayRef<ReturnInst *> Returns);		ArrayRef<ReturnInst *> Returns);

/// \brief Generate code to restore the stack after all stack restore points		/// \brief Generate code to restore the stack after all stack restore points
/// in \p StackRestorePoints.		/// in \p StackRestorePoints.
///		///
/// \returns A local variable in which to maintain the dynamic top of the		/// \returns A local variable in which to maintain the dynamic top of the
/// unsafe stack if needed.		/// unsafe stack if needed.
AllocaInst *		AllocaInst *
createStackRestorePoints(Function &F,		createStackRestorePoints(Function &F,
ArrayRef<Instruction *> StackRestorePoints,		ArrayRef<Instruction *> StackRestorePoints,
Value *StaticTop, bool NeedDynamicTop);		Value *StaticTop, bool NeedDynamicTop);

/// \brief Replace all allocas in \p DynamicAllocas with code to allocate		/// \brief Replace all allocas in \p DynamicAllocas with code to allocate
/// space dynamically on the unsafe stack and store the dynamic unsafe stack		/// space dynamically on the unsafe stack and store the dynamic unsafe stack
/// top to \p DynamicTop if non-null.		/// top to \p DynamicTop if non-null.
void moveDynamicAllocasToUnsafeStack(Function &F, Value *UnsafeStackPtr,		void moveDynamicAllocasToUnsafeStack(Function &F, Value *UnsafeStackPtr,
AllocaInst *DynamicTop,		AllocaInst *DynamicTop,
ArrayRef<AllocaInst *> DynamicAllocas);		ArrayRef<AllocaInst *> DynamicAllocas);

public:		public:
static char ID; // Pass identification, replacement for typeid.		static char ID; // Pass identification, replacement for typeid.
SafeStack() : FunctionPass(ID), DL(nullptr) {		SafeStack(const TargetMachine *TM)
		: FunctionPass(ID), TM(TM), TLI(nullptr), DL(nullptr) {
		echristoUnsubmitted Done Reply Inline Actions const? echristo: const?
initializeSafeStackPass(*PassRegistry::getPassRegistry());		initializeSafeStackPass(*PassRegistry::getPassRegistry());
}		}
		SafeStack() : SafeStack(nullptr) {}

void getAnalysisUsage(AnalysisUsage &AU) const override {		void getAnalysisUsage(AnalysisUsage &AU) const override {
AU.addRequired<AAResultsWrapperPass>();		AU.addRequired<AAResultsWrapperPass>();
}		}

bool doInitialization(Module &M) override {		bool doInitialization(Module &M) override {
DL = &M.getDataLayout();		DL = &M.getDataLayout();

StackPtrTy = Type::getInt8PtrTy(M.getContext());		StackPtrTy = Type::getInt8PtrTy(M.getContext());
IntPtrTy = DL->getIntPtrType(M.getContext());		IntPtrTy = DL->getIntPtrType(M.getContext());
Int32Ty = Type::getInt32Ty(M.getContext());		Int32Ty = Type::getInt32Ty(M.getContext());
Int8Ty = Type::getInt8Ty(M.getContext());		Int8Ty = Type::getInt8Ty(M.getContext());

return false;		return false;
}		}

bool runOnFunction(Function &F) override;		bool runOnFunction(Function &F) override;
}; // class SafeStack		}; // class SafeStack

Constant *SafeStack::getOrCreateUnsafeStackPtr(Module &M) {		Value *SafeStack::getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F) {
// The unsafe stack pointer is stored in a global variable with a magic name.		Module &M = *F.getParent();
const char *kUnsafeStackPtrVar = "__safestack_unsafe_stack_ptr";		Triple TargetTriple(M.getTargetTriple());

		unsigned Offset;
		unsigned AddressSpace;
		// Check if the target keeps the unsafe stack pointer at a fixed offset.
		if (TLI->getSafeStackPointerLocation(Offset, AddressSpace)) {
		Constant *OffsetVal =
		ConstantInt::get(Type::getInt32Ty(F.getContext()), Offset);
		return ConstantExpr::getIntToPtr(OffsetVal,
		StackPtrTy->getPointerTo(AddressSpace));
		}

		// Android provides a libc function that returns the stack pointer address.
		if (TargetTriple.getEnvironment() == llvm::Triple::Android) {
		Value *Fn = M.getOrInsertFunction(kUnsafeStackPtrAddrFn,
		StackPtrTy->getPointerTo(0), nullptr);
		return IRB.CreateCall(Fn);
		echristoUnsubmitted Not Done Reply Inline Actions Needs a comment. Also, can we do this in such a way that we don't need to check for android? Similar to the stack protector pattern? echristo: Needs a comment. Also, can we do this in such a way that we don't need to check for android?
		eugenisAuthorUnsubmitted Not Done Reply Inline Actions We could move this logic to TargetLowering.h, making the X86 implementation delegate to the common implementation if not android, but it does not improve anything. eugenis: We could move this logic to TargetLowering.h, making the X86 implementation delegate to the…
		} else {
		// Otherwise, declare a thread-local variable with a magic name.
auto UnsafeStackPtr =		auto UnsafeStackPtr =
dyn_cast_or_null<GlobalVariable>(M.getNamedValue(kUnsafeStackPtrVar));		dyn_cast_or_null<GlobalVariable>(M.getNamedValue(kUnsafeStackPtrVar));

if (!UnsafeStackPtr) {		if (!UnsafeStackPtr) {
// The global variable is not defined yet, define it ourselves.		// The global variable is not defined yet, define it ourselves.
// We use the initial-exec TLS model because we do not support the variable		// We use the initial-exec TLS model because we do not support the
		// variable
// living anywhere other than in the main executable.		// living anywhere other than in the main executable.
UnsafeStackPtr = new GlobalVariable(		UnsafeStackPtr = new GlobalVariable(
/Module=/M, /Type=/StackPtrTy,		/Module=/M, /Type=/StackPtrTy,
/isConstant=/false, /Linkage=/GlobalValue::ExternalLinkage,		/isConstant=/false, /Linkage=/GlobalValue::ExternalLinkage,
/Initializer=/0, /Name=/kUnsafeStackPtrVar,		/Initializer=/0, /Name=/kUnsafeStackPtrVar,
/InsertBefore=/nullptr,		/InsertBefore=/nullptr,
/ThreadLocalMode=/GlobalValue::InitialExecTLSModel);		/ThreadLocalMode=/GlobalValue::InitialExecTLSModel);
} else {		} else {
// The variable exists, check its type and attributes.		// The variable exists, check its type and attributes.
if (UnsafeStackPtr->getValueType() != StackPtrTy) {		if (UnsafeStackPtr->getValueType() != StackPtrTy) {
report_fatal_error(Twine(kUnsafeStackPtrVar) + " must have void* type");		report_fatal_error(Twine(kUnsafeStackPtrVar) + " must have void* type");
}		}

if (!UnsafeStackPtr->isThreadLocal()) {		if (!UnsafeStackPtr->isThreadLocal()) {
report_fatal_error(Twine(kUnsafeStackPtrVar) + " must be thread-local");		report_fatal_error(Twine(kUnsafeStackPtrVar) + " must be thread-local");
}		}
}		}

return UnsafeStackPtr;		return UnsafeStackPtr;
}		}
		}

void SafeStack::findInsts(Function &F,		void SafeStack::findInsts(Function &F,
SmallVectorImpl<AllocaInst *> &StaticAllocas,		SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas,		SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<ReturnInst *> &Returns,		SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints) {		SmallVectorImpl<Instruction *> &StackRestorePoints) {
for (Instruction &I : instructions(&F)) {		for (Instruction &I : instructions(&F)) {
if (auto AI = dyn_cast<AllocaInst>(&I)) {		if (auto AI = dyn_cast<AllocaInst>(&I)) {
▲ Show 20 Lines • Show All 66 Lines • ▼ Show 20 Lines	for (Instruction *I : StackRestorePoints) {
Value *CurrentTop = DynamicTop ? IRB.CreateLoad(DynamicTop) : StaticTop;		Value *CurrentTop = DynamicTop ? IRB.CreateLoad(DynamicTop) : StaticTop;
IRB.CreateStore(CurrentTop, UnsafeStackPtr);		IRB.CreateStore(CurrentTop, UnsafeStackPtr);
}		}

return DynamicTop;		return DynamicTop;
}		}

Value *		Value *
SafeStack::moveStaticAllocasToUnsafeStack(Function &F,		SafeStack::moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
ArrayRef<AllocaInst *> StaticAllocas,		ArrayRef<AllocaInst *> StaticAllocas,
ArrayRef<ReturnInst *> Returns) {		ArrayRef<ReturnInst *> Returns) {
if (StaticAllocas.empty())		if (StaticAllocas.empty())
return nullptr;		return nullptr;

IRBuilder<> IRB(F.getEntryBlock().getFirstInsertionPt());
DIBuilder DIB(*F.getParent());		DIBuilder DIB(*F.getParent());
		echristoUnsubmitted Not Done Reply Inline Actions ? echristo: ?
		eugenisAuthorUnsubmitted Not Done Reply Inline Actions Simplified. This code moved insertion point after the calculation of UnsafeStackPtr, unless that's a constant. eugenis: Simplified. This code moved insertion point after the calculation of UnsafeStackPtr, unless…

// We explicitly compute and set the unsafe stack layout for all unsafe		// We explicitly compute and set the unsafe stack layout for all unsafe
// static alloca instructions. We save the unsafe "base pointer" in the		// static alloca instructions. We save the unsafe "base pointer" in the
// prologue into a local variable and restore it in the epilogue.		// prologue into a local variable and restore it in the epilogue.

// Load the current stack pointer (we'll also use it as a base pointer).		// Load the current stack pointer (we'll also use it as a base pointer).
// FIXME: use a dedicated register for it ?		// FIXME: use a dedicated register for it ?
Instruction *BasePointer =		Instruction *BasePointer =
▲ Show 20 Lines • Show All 140 Lines • ▼ Show 20 Lines	for (inst_iterator It = inst_begin(&F), Ie = inst_end(&F); It != Ie;) {
}		}
}		}
}		}
}		}

bool SafeStack::runOnFunction(Function &F) {		bool SafeStack::runOnFunction(Function &F) {
auto AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();		auto AA = &getAnalysis<AAResultsWrapperPass>().getAAResults();

		TLI = TM->getSubtargetImpl(F)->getTargetLowering();

DEBUG(dbgs() << "[SafeStack] Function: " << F.getName() << "\n");		DEBUG(dbgs() << "[SafeStack] Function: " << F.getName() << "\n");

if (!F.hasFnAttribute(Attribute::SafeStack)) {		if (!F.hasFnAttribute(Attribute::SafeStack)) {
DEBUG(dbgs() << "[SafeStack] safestack is not requested"		DEBUG(dbgs() << "[SafeStack] safestack is not requested"
" for this function\n");		" for this function\n");
return false;		return false;
}		}

▲ Show 20 Lines • Show All 43 Lines • ▼ Show 20 Lines	if (StaticAllocas.empty() && DynamicAllocas.empty() &&
return false; // Nothing to do in this function.		return false; // Nothing to do in this function.

if (!StaticAllocas.empty() \|\| !DynamicAllocas.empty())		if (!StaticAllocas.empty() \|\| !DynamicAllocas.empty())
++NumUnsafeStackFunctions; // This function has the unsafe stack.		++NumUnsafeStackFunctions; // This function has the unsafe stack.

if (!StackRestorePoints.empty())		if (!StackRestorePoints.empty())
++NumUnsafeStackRestorePointsFunctions;		++NumUnsafeStackRestorePointsFunctions;

if (!UnsafeStackPtr)		IRBuilder<> IRB(F.begin()->getFirstInsertionPt());
UnsafeStackPtr = getOrCreateUnsafeStackPtr(*F.getParent());		UnsafeStackPtr = getOrCreateUnsafeStackPtr(IRB, F);

// The top of the unsafe stack after all unsafe static allocas are allocated.		// The top of the unsafe stack after all unsafe static allocas are allocated.
Value *StaticTop = moveStaticAllocasToUnsafeStack(F, StaticAllocas, Returns);		Value *StaticTop = moveStaticAllocasToUnsafeStack(IRB, F, StaticAllocas, Returns);

// Safe stack object that stores the current unsafe stack top. It is updated		// Safe stack object that stores the current unsafe stack top. It is updated
// as unsafe dynamic (non-constant-sized) allocas are allocated and freed.		// as unsafe dynamic (non-constant-sized) allocas are allocated and freed.
// This is only needed if we need to restore stack pointer after longjmp		// This is only needed if we need to restore stack pointer after longjmp
// or exceptions, and we have dynamic allocations.		// or exceptions, and we have dynamic allocations.
// FIXME: a better alternative might be to store the unsafe stack pointer		// FIXME: a better alternative might be to store the unsafe stack pointer
// before setjmp / invoke instructions.		// before setjmp / invoke instructions.
AllocaInst *DynamicTop = createStackRestorePoints(		AllocaInst *DynamicTop = createStackRestorePoints(
F, StackRestorePoints, StaticTop, !DynamicAllocas.empty());		F, StackRestorePoints, StaticTop, !DynamicAllocas.empty());

// Handle dynamic allocas.		// Handle dynamic allocas.
moveDynamicAllocasToUnsafeStack(F, UnsafeStackPtr, DynamicTop,		moveDynamicAllocasToUnsafeStack(F, UnsafeStackPtr, DynamicTop,
DynamicAllocas);		DynamicAllocas);

DEBUG(dbgs() << "[SafeStack] safestack applied\n");		DEBUG(dbgs() << "[SafeStack] safestack applied\n");
return true;		return true;
}		}

} // end anonymous namespace		} // end anonymous namespace

char SafeStack::ID = 0;		char SafeStack::ID = 0;
INITIALIZE_PASS_BEGIN(SafeStack, "safe-stack",		INITIALIZE_TM_PASS_BEGIN(SafeStack, "safe-stack",
		"Safe Stack instrumentation pass", false, false)
		INITIALIZE_TM_PASS_END(SafeStack, "safe-stack",
"Safe Stack instrumentation pass", false, false)		"Safe Stack instrumentation pass", false, false)
INITIALIZE_PASS_END(SafeStack, "safe-stack", "Safe Stack instrumentation pass",
false, false)

FunctionPass *llvm::createSafeStackPass() { return new SafeStack(); }		FunctionPass llvm::createSafeStackPass(const llvm::TargetMachine TM) {
		return new SafeStack(TM);
		}

test/Transforms/SafeStack/abi.ll

This file was added.

				; RUN: opt -safe-stack -S -mtriple=i386-pc-linux-gnu < %s -o - \| FileCheck %s --check-prefix=TLS
				; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - \| FileCheck %s --check-prefix=TLS
				; RUN: opt -safe-stack -S -mtriple=i686-linux-android < %s -o - \| FileCheck %s --check-prefix=DIRECT-TLS32
				; RUN: opt -safe-stack -S -mtriple=x86_64-linux-android < %s -o - \| FileCheck %s --check-prefix=DIRECT-TLS64
				; RUN: opt -safe-stack -S -mtriple=arm-linux-android < %s -o - \| FileCheck %s --check-prefix=CALL
				; RUN: opt -safe-stack -S -mtriple=aarch64-linux-android < %s -o - \| FileCheck %s --check-prefix=CALL


				define void @foo() nounwind uwtable safestack {
				entry:
				; TLS: %[[USP:.]] = load i8, i8** @__safestack_unsafe_stack_ptr
				; TLS: %[[USST:.]] = getelementptr i8, i8 %[[USP]], i32 -16
				; TLS: store i8* %[[USST]], i8** @__safestack_unsafe_stack_ptr

				; DIRECT-TLS32: %[[USP:.]] = load i8, i8* addrspace(36)* inttoptr (i32 256 to i8* addrspace(36)*)
				; DIRECT-TLS32: %[[USST:.]] = getelementptr i8, i8 %[[USP]], i32 -16
				; DIRECT-TLS32: store i8* %[[USST]], i8* addrspace(36)* inttoptr (i32 256 to i8* addrspace(36)*)

				; DIRECT-TLS64: %[[USP:.]] = load i8, i8* addrspace(72)* inttoptr (i32 257 to i8* addrspace(72)*)
				; DIRECT-TLS64: %[[USST:.]] = getelementptr i8, i8 %[[USP]], i32 -16
				; DIRECT-TLS64: store i8* %[[USST]], i8* addrspace(72)* inttoptr (i32 257 to i8* addrspace(72)*)

				; CALL: %[[SPA:.]] = call i8* @__safestack_pointer_address()
				; CALL: %[[USP:.]] = load i8, i8** %[[SPA]]
				; CALL: %[[USST:.]] = getelementptr i8, i8 %[[USP]], i32 -16
				; CALL: store i8* %[[USST]], i8** %[[SPA]]

				%a = alloca i8, align 8
				call void @Capture(i8* %a)

				; TLS: store i8* %[[USP]], i8** @__safestack_unsafe_stack_ptr
				; DIRECT-TLS32: store i8* %[[USP]], i8* addrspace(36)* inttoptr (i32 256 to i8* addrspace(36)*)
				; DIRECT-TLS64: store i8* %[[USP]], i8* addrspace(72)* inttoptr (i32 257 to i8* addrspace(72)*)
				; CALL: store i8* %[[USP]], i8** %[[SPA]]
				ret void
				}

				declare void @Capture(i8*)

This is an archive of the discontinued LLVM Phabricator instance.

Android support for SafeStackClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 35335

include/llvm/Target/TargetLowering.h

include/llvm/Transforms/Instrumentation.h

lib/CodeGen/Passes.cpp

lib/Target/X86/X86ISelLowering.h

lib/Target/X86/X86ISelLowering.cpp

lib/Target/X86/X86Subtarget.h

lib/Transforms/Instrumentation/SafeStack.cpp

test/Transforms/SafeStack/abi.ll

Android support for SafeStack
ClosedPublic