This is an archive of the discontinued LLVM Phabricator instance.

Differential D129693

[ARM] Don't emit Arm speculation hardening thunks under Thumb and vice-versa
ClosedPublic

Authored by dmgreen on Jul 13 2022, 1:56 PM.

Details

Reviewers
kristof.beyls
ostannard
miyuki
momchil.velikov
samtebbs
DavidSpickett
Commits
rG3770b4aa3c5a: [ARM] Don't emit Arm speculation hardening thunks under Thumb and vice-versa
Summary

Given a patch like D129506, using instructions not valid for the current target feature set becomes an error. This means that emitting Arm instructions in a Thumb target (or vice versa) becomes an error. As far as I can tell when running in Thumb mode only thumb thunks will be needed though, and in Arm mode only arm thunks are needed. This patch limits the emitted thunks to just the ones valid for the current architecture.

Diff Detail

Event Timeline

dmgreen created this revision.Jul 13 2022, 1:56 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 13 2022, 1:56 PM
Herald added subscribers: jsji, pengfei, hiraditya. · View Herald Transcript
dmgreen requested review of this revision.Jul 13 2022, 1:56 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 13 2022, 1:56 PM
Harbormaster completed remote builds in B175233: Diff 444414.Jul 13 2022, 4:59 PM
dmgreen updated this revision to Diff 451167.Aug 9 2022, 8:53 AM

The old version of this was only inserting one set of thunks even if the file contained multiple subtargets. This now uses InsertedThunks as a bitvector to distinguish between Thumb and Arm thunks being added. It should still only add each thunk once, but won't add both sets (arm/thumb) if they are not required.

Harbormaster completed remote builds in B180189: Diff 451167.Aug 9 2022, 11:39 AM
dmgreen added a comment.Sep 14 2022, 4:00 AM

Ping - it would be good to get this in, it will allow us enables more testing for the valid instructions in the Arm backend. Thanks

dmgreen added reviewers: miyuki, momchil.velikov.Oct 4 2022, 8:18 AM

Ping.

dmgreen added reviewers: ARMDavidSpickett, samtebbs.Dec 6 2022, 8:31 AM

ping

DavidSpickett edited reviewers, added: DavidSpickett; removed: ARMDavidSpickett.Dec 6 2022, 8:47 AM
DavidSpickett added a subscriber: DavidSpickett.

I can't claim to know what these thunks are doing in the first place, so just some general comments.

llvm/include/llvm/CodeGen/IndirectThunks.h
29–33

Can we document what this contains? Now that it's more than did or did not insert something.

98

inserted

llvm/lib/Target/ARM/ARMSLSHardening.cpp
179

Magic number detector says why are we looking for numbers instead of named values?

Off the top of my head - because there's no good place to store such an enum/define that can be used in all the places it's needed.

llvm/test/CodeGen/ARM/speculation-hardening-sls-boththunks.ll
4

Thumb

5

Is there reason to check that with only one of arm and thumb you only get thunks for that one?

kristof.beyls added a comment.Dec 7 2022, 12:37 AM

My apologies for missing this outstanding review for so long.

llvm/include/llvm/CodeGen/IndirectThunks.h
29–33

This ThunkInserter is a base class combining the shared logic needed to insert thunks for a few more specific transformation passes.

Exactly what needs to be tracked for "InsertedThunks" with this patch starts to depend on the more specific transformation pass. IIUC, with this pass what needs to be tracked is:

  • For thunk-inserting transformation passes that target 32-bit Arm: whether A32 vs T32 thunk variants have been inserted.
  • For thunk-inserting transformation passes for other architectures: whether thunks relevant for that transformation pass has been inserted.

Given that what needs to be tracked is becoming depending on the class deriving from this base class, I wonder if it wouldn't be better to get the type needed for InsertedThunks from the Derived class?
Either by having an additional template argument, e.g. template <typename Derived, typename InsertedThunksType> class ThunkInserter.
Or by requiring there to be a type in the derived class, e.g. Derived::InsertedThunksType InsertedThunks?

dmgreen updated this revision to Diff 482052.Dec 12 2022, 3:16 AM

Thanks for the suggestions. This now changes the type to be a parameter passed to the base class, which can be an enum for Arm so long as we can still treat it like a bitmask.

dmgreen added inline comments.Dec 12 2022, 3:17 AM
llvm/test/CodeGen/ARM/speculation-hardening-sls-boththunks.ll
5

The idea is that we should be checking that if we emitting instructions which require a target feature, that target feature should be present. Think of things like accidentally emitting NEON instructions when compiling for MVE, or emitting SVE2 instructions when you only have SVE. So we can't emit Thumb instructions if the target is for Arm. (Without constructing a subtarget with Thumb present).

If you search for "verifyInstructionPredicates", you will see that most architectures have this check enabled, but Arm has always been missing. That is what I am attempting to fix. Improving how much we test emitted instruction features by enabling the option for Arm.

In this case, as far as I understand, If we are in a Arm context then we will only need arm thunks. And Thumb will only ever use thumb thunks. This tests makes sure that in a module with both, we still end up with both sets of thunks.

Harbormaster completed remote builds in B202533: Diff 482052.Dec 12 2022, 3:55 AM
dmgreen added a comment.Jan 9 2023, 5:30 AM

ping

kristof.beyls added a comment.Jan 9 2023, 5:58 AM

I just have a few more very minor nit-picky comments. Feel free to disagree with them.
I'm happy for this to go in.
I haven't looked in detail into the comments @DavidSpickett mad , so please also explicitly get his approval before committing.

Thank you!

llvm/include/llvm/CodeGen/IndirectThunks.h
24–25

I see later in the code that InsertedThunksTy must support operator |= and that the semantics of the |= operation must be somewhat like doing a union/max kind-of operation.
Not sure if it would be worthwhile to document that at this location, or if there is a way in modern C++ to somehow enforce that.
Probably best action is not to change anything in the patch - I thought I'd just share my thought in case there is anything about it that can be improved in this patch.

29–34

Extreme nit-pick: I'd add "so far" to the end of the sentence.

llvm/lib/Target/ARM/ARMSLSHardening.cpp
164

Maybe InsertedThunkKind would be a little bit more descriptive than ArmInsertedThunks for what this enum is modelling?

174–175

Could it be that this has not been clang-formatted?

DavidSpickett added a comment.Jan 12 2023, 2:42 AM

My comments were addressed.

dmgreen updated this revision to Diff 489576.Jan 16 2023, 8:54 AM

Update as per suggestions. Thanks.

Harbormaster completed remote builds in B208071: Diff 489576.Jan 16 2023, 10:25 AM
kristof.beyls accepted this revision.Jan 17 2023, 5:46 AM

LGTM, thank you!

This revision is now accepted and ready to land.Jan 17 2023, 5:46 AM
This revision was landed with ongoing or failed builds.Jan 23 2023, 3:22 AM
Closed by commit rG3770b4aa3c5a: [ARM] Don't emit Arm speculation hardening thunks under Thumb and vice-versa (authored by dmgreen). · Explain Why
This revision was automatically updated to reflect the committed changes.
dmgreen added a commit: rG3770b4aa3c5a: [ARM] Don't emit Arm speculation hardening thunks under Thumb and vice-versa.
simonwallis2 added a subscriber: simonwallis2.Mar 30 2023, 7:10 AM

Revision Contents

PathSize
llvm/
include/
llvm/
CodeGen/
35 lines
lib/
Target/
AArch64/
10 lines
ARM/
30 lines
X86/
17 lines
test/
CodeGen/
ARM/
17 lines
3 lines

Diff 491277

llvm/include/llvm/CodeGen/IndirectThunks.h

Show All 15 Lines
#include "llvm/CodeGen/MachineFunction.h" #include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineModuleInfo.h" #include "llvm/CodeGen/MachineModuleInfo.h"
#include "llvm/IR/IRBuilder.h" #include "llvm/IR/IRBuilder.h"
#include "llvm/IR/Module.h" #include "llvm/IR/Module.h"
namespace llvm { namespace llvm {
template <typename Derived> class ThunkInserter { template <typename Derived, typename InsertedThunksTy = bool>
class ThunkInserter {
kristof.beylsUnsubmitted
Not Done
ReplyInline Actions

I see later in the code that InsertedThunksTy must support operator |= and that the semantics of the |= operation must be somewhat like doing a union/max kind-of operation.
Not sure if it would be worthwhile to document that at this location, or if there is a way in modern C++ to somehow enforce that.
Probably best action is not to change anything in the patch - I thought I'd just share my thought in case there is anything about it that can be improved in this patch.

kristof.beyls: I see later in the code that InsertedThunksTy must support operator |= and that the semantics…
Derived &getDerived() { return *static_cast<Derived *>(this); } Derived &getDerived() { return *static_cast<Derived *>(this); }
protected: protected:
bool InsertedThunks; // A variable used to track whether (and possible which) thunks have been
// inserted so far. InsertedThunksTy is usually a bool, but can be other types
// to represent more than one type of thunk. Requires an |= operator to
// accumulate results.
InsertedThunksTy InsertedThunks;
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Can we document what this contains? Now that it's more than did or did not insert something.

DavidSpickett: Can we document what this contains? Now that it's more than did or did not insert something.
kristof.beylsUnsubmitted
Not Done
ReplyInline Actions

This ThunkInserter is a base class combining the shared logic needed to insert thunks for a few more specific transformation passes.

Exactly what needs to be tracked for "InsertedThunks" with this patch starts to depend on the more specific transformation pass. IIUC, with this pass what needs to be tracked is:

  • For thunk-inserting transformation passes that target 32-bit Arm: whether A32 vs T32 thunk variants have been inserted.
  • For thunk-inserting transformation passes for other architectures: whether thunks relevant for that transformation pass has been inserted.

Given that what needs to be tracked is becoming depending on the class deriving from this base class, I wonder if it wouldn't be better to get the type needed for InsertedThunks from the Derived class?
Either by having an additional template argument, e.g. template <typename Derived, typename InsertedThunksType> class ThunkInserter.
Or by requiring there to be a type in the derived class, e.g. Derived::InsertedThunksType InsertedThunks?

kristof.beyls: This ThunkInserter is a base class combining the shared logic needed to insert thunks for a few…
void doInitialization(Module &M) {} void doInitialization(Module &M) {}
kristof.beylsUnsubmitted
Not Done
ReplyInline Actions

Extreme nit-pick: I'd add "so far" to the end of the sentence.

kristof.beyls: Extreme nit-pick: I'd add "so far" to the end of the sentence.
void createThunkFunction(MachineModuleInfo &MMI, StringRef Name, void createThunkFunction(MachineModuleInfo &MMI, StringRef Name,
bool Comdat = true); bool Comdat = true);
public: public:
void init(Module &M) { void init(Module &M) {
InsertedThunks = false; InsertedThunks = InsertedThunksTy{};
getDerived().doInitialization(M); getDerived().doInitialization(M);
} }
// return `true` if `MMI` or `MF` was modified // return `true` if `MMI` or `MF` was modified
bool run(MachineModuleInfo &MMI, MachineFunction &MF); bool run(MachineModuleInfo &MMI, MachineFunction &MF);
}; };
template <typename Derived> template <typename Derived, typename InsertedThunksTy>
void ThunkInserter<Derived>::createThunkFunction(MachineModuleInfo &MMI, void ThunkInserter<Derived, InsertedThunksTy>::createThunkFunction(
StringRef Name, bool Comdat) { MachineModuleInfo &MMI, StringRef Name, bool Comdat) {
assert(Name.startswith(getDerived().getThunkPrefix()) && assert(Name.startswith(getDerived().getThunkPrefix()) &&
"Created a thunk with an unexpected prefix!"); "Created a thunk with an unexpected prefix!");
Module &M = const_cast<Module &>(*MMI.getModule()); Module &M = const_cast<Module &>(*MMI.getModule());
LLVMContext &Ctx = M.getContext(); LLVMContext &Ctx = M.getContext();
auto Type = FunctionType::get(Type::getVoidTy(Ctx), false); auto Type = FunctionType::get(Type::getVoidTy(Ctx), false);
Function *F = Function::Create(Type, Function *F = Function::Create(Type,
Comdat ? GlobalValue::LinkOnceODRLinkage Comdat ? GlobalValue::LinkOnceODRLinkage
Show All 24 Linesvoid ThunkInserter<Derived, InsertedThunksTy>::createThunkFunction(
// generation from an empty naked function in C source code also does not // generation from an empty naked function in C source code also does not
// generate one. At least GlobalISel asserts if this invariant isn't // generate one. At least GlobalISel asserts if this invariant isn't
// respected. // respected.
// Set MF properties. We never use vregs... // Set MF properties. We never use vregs...
MF.getProperties().set(MachineFunctionProperties::Property::NoVRegs); MF.getProperties().set(MachineFunctionProperties::Property::NoVRegs);
} }
template <typename Derived> template <typename Derived, typename InsertedThunksTy>
bool ThunkInserter<Derived>::run(MachineModuleInfo &MMI, MachineFunction &MF) { bool ThunkInserter<Derived, InsertedThunksTy>::run(MachineModuleInfo &MMI,
MachineFunction &MF) {
// If MF is not a thunk, check to see if we need to insert a thunk. // If MF is not a thunk, check to see if we need to insert a thunk.
if (!MF.getName().startswith(getDerived().getThunkPrefix())) { if (!MF.getName().startswith(getDerived().getThunkPrefix())) {
// If we've already inserted a thunk, nothing else to do.
if (InsertedThunks)
return false;
// Only add a thunk if one of the functions has the corresponding feature // Only add a thunk if one of the functions has the corresponding feature
// enabled in its subtarget, and doesn't enable external thunks. // enabled in its subtarget, and doesn't enable external thunks. The target
// can use InsertedThunks to detect whether relevant thunks have already
// been inserted.
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

inserted

DavidSpickett: `inserted`
// FIXME: Conditionalize on indirect calls so we don't emit a thunk when // FIXME: Conditionalize on indirect calls so we don't emit a thunk when
// nothing will end up calling it. // nothing will end up calling it.
// FIXME: It's a little silly to look at every function just to enumerate // FIXME: It's a little silly to look at every function just to enumerate
// the subtargets, but eventually we'll want to look at them for indirect // the subtargets, but eventually we'll want to look at them for indirect
// calls, so maybe this is OK. // calls, so maybe this is OK.
if (!getDerived().mayUseThunk(MF)) if (!getDerived().mayUseThunk(MF, InsertedThunks))
return false; return false;
getDerived().insertThunks(MMI); InsertedThunks |= getDerived().insertThunks(MMI, MF);
InsertedThunks = true;
return true; return true;
} }
// If this *is* a thunk function, we need to populate it with the correct MI. // If this *is* a thunk function, we need to populate it with the correct MI.
getDerived().populateThunk(MF); getDerived().populateThunk(MF);
return true; return true;
} }
} // namespace llvm } // namespace llvm
#endif #endif

llvm/lib/Target/AArch64/AArch64SLSHardening.cpp

Show First 20 LinesShow All 179 Lines▼ Show 20 Linesstatic const struct ThunkNameAndReg {
// X30 is deliberately missing, for similar reasons as X16 and X17 are // X30 is deliberately missing, for similar reasons as X16 and X17 are
// missing. // missing.
{ "__llvm_slsblr_thunk_x31", AArch64::XZR}, { "__llvm_slsblr_thunk_x31", AArch64::XZR},
}; };
namespace { namespace {
struct SLSBLRThunkInserter : ThunkInserter<SLSBLRThunkInserter> { struct SLSBLRThunkInserter : ThunkInserter<SLSBLRThunkInserter> {
const char *getThunkPrefix() { return SLSBLRNamePrefix; } const char *getThunkPrefix() { return SLSBLRNamePrefix; }
bool mayUseThunk(const MachineFunction &MF) { bool mayUseThunk(const MachineFunction &MF, bool InsertedThunks) {
if (InsertedThunks)
return false;
ComdatThunks &= !MF.getSubtarget<AArch64Subtarget>().hardenSlsNoComdat(); ComdatThunks &= !MF.getSubtarget<AArch64Subtarget>().hardenSlsNoComdat();
// FIXME: This could also check if there are any BLRs in the function // FIXME: This could also check if there are any BLRs in the function
// to more accurately reflect if a thunk will be needed. // to more accurately reflect if a thunk will be needed.
return MF.getSubtarget<AArch64Subtarget>().hardenSlsBlr(); return MF.getSubtarget<AArch64Subtarget>().hardenSlsBlr();
} }
void insertThunks(MachineModuleInfo &MMI); bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF);
void populateThunk(MachineFunction &MF); void populateThunk(MachineFunction &MF);
private: private:
bool ComdatThunks = true; bool ComdatThunks = true;
}; };
} // namespace } // namespace
void SLSBLRThunkInserter::insertThunks(MachineModuleInfo &MMI) { bool SLSBLRThunkInserter::insertThunks(MachineModuleInfo &MMI,
MachineFunction &MF) {
// FIXME: It probably would be possible to filter which thunks to produce // FIXME: It probably would be possible to filter which thunks to produce
// based on which registers are actually used in BLR instructions in this // based on which registers are actually used in BLR instructions in this
// function. But would that be a worthwhile optimization? // function. But would that be a worthwhile optimization?
for (auto T : SLSBLRThunks) for (auto T : SLSBLRThunks)
createThunkFunction(MMI, T.Name, ComdatThunks); createThunkFunction(MMI, T.Name, ComdatThunks);
return true;
} }
void SLSBLRThunkInserter::populateThunk(MachineFunction &MF) { void SLSBLRThunkInserter::populateThunk(MachineFunction &MF) {
// FIXME: How to better communicate Register number, rather than through // FIXME: How to better communicate Register number, rather than through
// name and lookup table? // name and lookup table?
assert(MF.getName().startswith(getThunkPrefix())); assert(MF.getName().startswith(getThunkPrefix()));
auto ThunkIt = llvm::find_if( auto ThunkIt = llvm::find_if(
SLSBLRThunks, [&MF](auto T) { return T.Name == MF.getName(); }); SLSBLRThunks, [&MF](auto T) { return T.Name == MF.getName(); });
▲ Show 20 LinesShow All 232 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMSLSHardening.cpp

Show First 20 LinesShow All 155 Lines▼ Show 20 Lines bool isThumb;
{"__llvm_slsblr_thunk_thumb_r8", ARM::R8, true}, {"__llvm_slsblr_thunk_thumb_r8", ARM::R8, true},
{"__llvm_slsblr_thunk_thumb_r9", ARM::R9, true}, {"__llvm_slsblr_thunk_thumb_r9", ARM::R9, true},
{"__llvm_slsblr_thunk_thumb_r10", ARM::R10, true}, {"__llvm_slsblr_thunk_thumb_r10", ARM::R10, true},
{"__llvm_slsblr_thunk_thumb_r11", ARM::R11, true}, {"__llvm_slsblr_thunk_thumb_r11", ARM::R11, true},
{"__llvm_slsblr_thunk_thumb_sp", ARM::SP, true}, {"__llvm_slsblr_thunk_thumb_sp", ARM::SP, true},
{"__llvm_slsblr_thunk_thumb_pc", ARM::PC, true}, {"__llvm_slsblr_thunk_thumb_pc", ARM::PC, true},
}; };
// An enum for tracking whether Arm and Thumb thunks have been inserted into the
kristof.beylsUnsubmitted
Not Done
ReplyInline Actions

Maybe InsertedThunkKind would be a little bit more descriptive than ArmInsertedThunks for what this enum is modelling?

kristof.beyls: Maybe InsertedThunkKind would be a little bit more descriptive than ArmInsertedThunks for what…
// current module so far.
enum ArmInsertedThunks { ArmThunk = 1, ThumbThunk = 2 };
inline ArmInsertedThunks &operator|=(ArmInsertedThunks &X,
ArmInsertedThunks Y) {
return X = static_cast<ArmInsertedThunks>(X | Y);
}
namespace { namespace {
struct SLSBLRThunkInserter : ThunkInserter<SLSBLRThunkInserter> { struct SLSBLRThunkInserter
: ThunkInserter<SLSBLRThunkInserter, ArmInsertedThunks> {
kristof.beylsUnsubmitted
Not Done
ReplyInline Actions

Could it be that this has not been clang-formatted?

kristof.beyls: Could it be that this has not been clang-formatted?
const char *getThunkPrefix() { return SLSBLRNamePrefix; } const char *getThunkPrefix() { return SLSBLRNamePrefix; }
bool mayUseThunk(const MachineFunction &MF) { bool mayUseThunk(const MachineFunction &MF,
ArmInsertedThunks InsertedThunks) {
if ((InsertedThunks & ArmThunk &&
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Magic number detector says why are we looking for numbers instead of named values?

Off the top of my head - because there's no good place to store such an enum/define that can be used in all the places it's needed.

DavidSpickett: Magic number detector says why are we looking for numbers instead of named values? Off the top…
!MF.getSubtarget<ARMSubtarget>().isThumb()) ||
(InsertedThunks & ThumbThunk &&
MF.getSubtarget<ARMSubtarget>().isThumb()))
return false;
ComdatThunks &= !MF.getSubtarget<ARMSubtarget>().hardenSlsNoComdat(); ComdatThunks &= !MF.getSubtarget<ARMSubtarget>().hardenSlsNoComdat();
// FIXME: This could also check if there are any indirect calls in the // FIXME: This could also check if there are any indirect calls in the
// function to more accurately reflect if a thunk will be needed. // function to more accurately reflect if a thunk will be needed.
return MF.getSubtarget<ARMSubtarget>().hardenSlsBlr(); return MF.getSubtarget<ARMSubtarget>().hardenSlsBlr();
} }
void insertThunks(MachineModuleInfo &MMI); ArmInsertedThunks insertThunks(MachineModuleInfo &MMI, MachineFunction &MF);
void populateThunk(MachineFunction &MF); void populateThunk(MachineFunction &MF);
private: private:
bool ComdatThunks = true; bool ComdatThunks = true;
}; };
} // namespace } // namespace
void SLSBLRThunkInserter::insertThunks(MachineModuleInfo &MMI) { ArmInsertedThunks SLSBLRThunkInserter::insertThunks(MachineModuleInfo &MMI,
MachineFunction &MF) {
// FIXME: It probably would be possible to filter which thunks to produce // FIXME: It probably would be possible to filter which thunks to produce
// based on which registers are actually used in indirect calls in this // based on which registers are actually used in indirect calls in this
// function. But would that be a worthwhile optimization? // function. But would that be a worthwhile optimization?
const ARMSubtarget *ST = &MF.getSubtarget<ARMSubtarget>();
for (auto T : SLSBLRThunks) for (auto T : SLSBLRThunks)
if (ST->isThumb() == T.isThumb)
createThunkFunction(MMI, T.Name, ComdatThunks); createThunkFunction(MMI, T.Name, ComdatThunks);
return ST->isThumb() ? ThumbThunk : ArmThunk;
} }
void SLSBLRThunkInserter::populateThunk(MachineFunction &MF) { void SLSBLRThunkInserter::populateThunk(MachineFunction &MF) {
// FIXME: How to better communicate Register number, rather than through // FIXME: How to better communicate Register number, rather than through
// name and lookup table? // name and lookup table?
assert(MF.getName().startswith(getThunkPrefix())); assert(MF.getName().startswith(getThunkPrefix()));
auto ThunkIt = llvm::find_if( auto ThunkIt = llvm::find_if(
SLSBLRThunks, [&MF](auto T) { return T.Name == MF.getName(); }); SLSBLRThunks, [&MF](auto T) { return T.Name == MF.getName(); });
▲ Show 20 LinesShow All 226 LinesShow Last 20 Lines

llvm/lib/Target/X86/X86IndirectThunks.cpp

Show First 20 LinesShow All 55 Lines▼ Show 20 Lines
static const char EDIRetpolineName[] = "__llvm_retpoline_edi"; static const char EDIRetpolineName[] = "__llvm_retpoline_edi";
static const char LVIThunkNamePrefix[] = "__llvm_lvi_thunk_"; static const char LVIThunkNamePrefix[] = "__llvm_lvi_thunk_";
static const char R11LVIThunkName[] = "__llvm_lvi_thunk_r11"; static const char R11LVIThunkName[] = "__llvm_lvi_thunk_r11";
namespace { namespace {
struct RetpolineThunkInserter : ThunkInserter<RetpolineThunkInserter> { struct RetpolineThunkInserter : ThunkInserter<RetpolineThunkInserter> {
const char *getThunkPrefix() { return RetpolineNamePrefix; } const char *getThunkPrefix() { return RetpolineNamePrefix; }
bool mayUseThunk(const MachineFunction &MF) { bool mayUseThunk(const MachineFunction &MF, bool InsertedThunks) {
if (InsertedThunks)
return false;
const auto &STI = MF.getSubtarget<X86Subtarget>(); const auto &STI = MF.getSubtarget<X86Subtarget>();
return (STI.useRetpolineIndirectCalls() || return (STI.useRetpolineIndirectCalls() ||
STI.useRetpolineIndirectBranches()) && STI.useRetpolineIndirectBranches()) &&
!STI.useRetpolineExternalThunk(); !STI.useRetpolineExternalThunk();
} }
void insertThunks(MachineModuleInfo &MMI); bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF);
void populateThunk(MachineFunction &MF); void populateThunk(MachineFunction &MF);
}; };
struct LVIThunkInserter : ThunkInserter<LVIThunkInserter> { struct LVIThunkInserter : ThunkInserter<LVIThunkInserter> {
const char *getThunkPrefix() { return LVIThunkNamePrefix; } const char *getThunkPrefix() { return LVIThunkNamePrefix; }
bool mayUseThunk(const MachineFunction &MF) { bool mayUseThunk(const MachineFunction &MF, bool InsertedThunks) {
if (InsertedThunks)
return false;
return MF.getSubtarget<X86Subtarget>().useLVIControlFlowIntegrity(); return MF.getSubtarget<X86Subtarget>().useLVIControlFlowIntegrity();
} }
void insertThunks(MachineModuleInfo &MMI) { bool insertThunks(MachineModuleInfo &MMI, MachineFunction &MF) {
createThunkFunction(MMI, R11LVIThunkName); createThunkFunction(MMI, R11LVIThunkName);
return true;
} }
void populateThunk(MachineFunction &MF) { void populateThunk(MachineFunction &MF) {
assert (MF.size() == 1); assert (MF.size() == 1);
MachineBasicBlock *Entry = &MF.front(); MachineBasicBlock *Entry = &MF.front();
Entry->clear(); Entry->clear();
// This code mitigates LVI by replacing each indirect call/jump with a // This code mitigates LVI by replacing each indirect call/jump with a
// direct call/jump to a thunk that looks like: // direct call/jump to a thunk that looks like:
Show All 38 Lines static bool runTIs(MachineModuleInfo &MMI, MachineFunction &MF,
(void)std::initializer_list<int>{ (void)std::initializer_list<int>{
Modified |= std::get<ThunkInserterT>(ThunkInserters).run(MMI, MF)...}; Modified |= std::get<ThunkInserterT>(ThunkInserters).run(MMI, MF)...};
return Modified; return Modified;
} }
}; };
} // end anonymous namespace } // end anonymous namespace
void RetpolineThunkInserter::insertThunks(MachineModuleInfo &MMI) { bool RetpolineThunkInserter::insertThunks(MachineModuleInfo &MMI,
MachineFunction &MF) {
if (MMI.getTarget().getTargetTriple().getArch() == Triple::x86_64) if (MMI.getTarget().getTargetTriple().getArch() == Triple::x86_64)
createThunkFunction(MMI, R11RetpolineName); createThunkFunction(MMI, R11RetpolineName);
else else
for (StringRef Name : {EAXRetpolineName, ECXRetpolineName, EDXRetpolineName, for (StringRef Name : {EAXRetpolineName, ECXRetpolineName, EDXRetpolineName,
EDIRetpolineName}) EDIRetpolineName})
createThunkFunction(MMI, Name); createThunkFunction(MMI, Name);
return true;
} }
void RetpolineThunkInserter::populateThunk(MachineFunction &MF) { void RetpolineThunkInserter::populateThunk(MachineFunction &MF) {
bool Is64Bit = MF.getTarget().getTargetTriple().getArch() == Triple::x86_64; bool Is64Bit = MF.getTarget().getTargetTriple().getArch() == Triple::x86_64;
Register ThunkReg; Register ThunkReg;
if (Is64Bit) { if (Is64Bit) {
assert(MF.getName() == "__llvm_retpoline_r11" && assert(MF.getName() == "__llvm_retpoline_r11" &&
"Should only have an r11 thunk on 64-bit targets"); "Should only have an r11 thunk on 64-bit targets");
▲ Show 20 LinesShow All 121 LinesShow Last 20 Lines

llvm/test/CodeGen/ARM/speculation-hardening-sls-boththunks.ll

  • This file was added.
; RUN: llc -mattr=harden-sls-retbr -mattr=harden-sls-blr -verify-machineinstrs -mtriple=armv8-linux-gnueabi < %s | FileCheck %s
; Given both Arm and Thumb functions in the same compilation unit, we should
; get both arm and thumb thunks.
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Thumb

DavidSpickett: `Thumb`
DavidSpickettUnsubmitted
Not Done
ReplyInline Actions

Is there reason to check that with only one of arm and thumb you only get thunks for that one?

DavidSpickett: Is there reason to check that with only one of arm and thumb you only get thunks for that one?
dmgreenAuthorUnsubmitted
Done
ReplyInline Actions

The idea is that we should be checking that if we emitting instructions which require a target feature, that target feature should be present. Think of things like accidentally emitting NEON instructions when compiling for MVE, or emitting SVE2 instructions when you only have SVE. So we can't emit Thumb instructions if the target is for Arm. (Without constructing a subtarget with Thumb present).

If you search for "verifyInstructionPredicates", you will see that most architectures have this check enabled, but Arm has always been missing. That is what I am attempting to fix. Improving how much we test emitted instruction features by enabling the option for Arm.

In this case, as far as I understand, If we are in a Arm context then we will only need arm thunks. And Thumb will only ever use thumb thunks. This tests makes sure that in a module with both, we still end up with both sets of thunks.

dmgreen: The idea is that we should be checking that if we emitting instructions which require a target…
define i32 @test1(i32 %a, i32 %b) {
ret i32 %a
}
define i32 @test2(i32 %a, i32 %b) "target-features"="+thumb-mode" {
ret i32 %a
}
; CHECK: test1
; CHECK: test2
; CHECK: __llvm_slsblr_thunk_arm_sp
; CHECK: __llvm_slsblr_thunk_thumb_sp
No newline at end of file

llvm/test/CodeGen/ARM/speculation-hardening-sls.ll

Show First 20 LinesShow All 250 Lines▼ Show 20 Lines
; HARDEN-label: {{__llvm_slsblr_thunk_(arm|thumb)_r5}}: ; HARDEN-label: {{__llvm_slsblr_thunk_(arm|thumb)_r5}}:
; HARDEN: bx r5 ; HARDEN: bx r5
; ISBDSB-NEXT: dsb sy ; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb ; ISBDSB-NEXT: isb
; SB-NEXT: dsb sy ; SB-NEXT: dsb sy
; SB-NEXT: isb ; SB-NEXT: isb
; HARDEN-NEXT: .Lfunc_end ; HARDEN-NEXT: .Lfunc_end
; THUMB-NOT: __llvm_slsblr_thunk_arm
; ARM-NOT: __llvm_slsblr_thunk_thumb