This is an archive of the discontinued LLVM Phabricator instance.

Differential D130431

[BOLT] Ignore functions accessing false positive jump tables
ClosedPublic

Authored by nhuhuan on Jul 23 2022, 2:20 PM.

Details

Reviewers
rafauler
Amir
maksfb
Commits
rG52cd00cabf47: [BOLT] Ignore functions accessing false positive jump tables
Summary

Disassembly and branch target analysis are not decoupled, so any
analysis that depends on disassembly may not operate properly.

In specific, analyzeJumpTable uses instruction bounds check property.
A jump table was analyzed twice: (a) during disassembly, and (b) after
disassembly, so there are potentially some mismatched results.

In this update, functions that access JTs which fail the second check
will be marked as ignored.

Test Plan:

ninja check-bolt

Diff Detail

Event Timeline

nhuhuan created this revision.Jul 23 2022, 2:20 PM
Herald added a reviewer: rafauler. · View Herald TranscriptJul 23 2022, 2:20 PM
Herald added a reviewer: Amir. · View Herald Transcript
Herald added a reviewer: maksfb. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added a subscriber: ayermolo. · View Herald Transcript
nhuhuan requested review of this revision.Jul 23 2022, 2:20 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 23 2022, 2:20 PM
Herald added subscribers: llvm-commits, yota9. · View Herald Transcript
Harbormaster completed remote builds in B177202: Diff 447099.Jul 23 2022, 2:20 PM
nhuhuan edited the summary of this revision. (Show Details)Jul 23 2022, 2:25 PM
nhuhuan added a parent revision: D129974: [BOLT] Improve jump table entry validation for split jump table.Jul 24 2022, 3:48 PM
Amir added a comment.Jul 25 2022, 12:19 PM

Good findings, and the code looks good generally.
The summary lists three separate issues, can you please split up this diff so that each is addressed separately?

bolt/lib/Core/BinaryContext.cpp
623

Please add a context for this vector (e.g. "collect jump tables that failed analyzeJumpTable checks") and run clang-format on this commit.

704
nhuhuan updated this revision to Diff 448194.Jul 27 2022, 4:00 PM

Split this diff into a few diffs.

nhuhuan updated this revision to Diff 448197.Jul 27 2022, 4:03 PM
nhuhuan marked an inline comment as done.

Add description for AbortedJTs

nhuhuan marked an inline comment as done.Jul 27 2022, 4:04 PM
nhuhuan retitled this revision from [BOLT] Fix split jump table issues to [BOLT] Handle false positive jump tables.Jul 27 2022, 4:07 PM
nhuhuan edited the summary of this revision. (Show Details)
Harbormaster completed remote builds in B177980: Diff 448197.Jul 27 2022, 4:10 PM
nhuhuan updated this revision to Diff 448209.Jul 27 2022, 4:34 PM

Added the manual test back

Harbormaster completed remote builds in B177989: Diff 448209.Jul 27 2022, 4:42 PM
nhuhuan updated this revision to Diff 448510.Jul 28 2022, 10:20 PM

Rebase.

Harbormaster completed remote builds in B178197: Diff 448510.Jul 28 2022, 10:27 PM
Amir accepted this revision.Jul 28 2022, 11:01 PM

LGTM

This revision is now accepted and ready to land.Jul 28 2022, 11:01 PM
Amir added a comment.Jul 28 2022, 11:03 PM

Let's retitle as "[BOLT] Ignore functions accessing false positive jump tables"

nhuhuan retitled this revision from [BOLT] Handle false positive jump tables to [BOLT] Ignore functions accessing false positive jump tables.Jul 28 2022, 11:08 PM
Closed by commit rG52cd00cabf47: [BOLT] Ignore functions accessing false positive jump tables (authored by nhuhuan, committed by Amir). · Explain WhyJul 28 2022, 11:22 PM
This revision was automatically updated to reflect the committed changes.
Amir added a commit: rG52cd00cabf47: [BOLT] Ignore functions accessing false positive jump tables.
Amir added a reverting change: rG468d4f6d188d: Revert "[BOLT] Ignore functions accessing false positive jump tables".Jul 30 2022, 10:40 AM
Amir added inline comments.Aug 4 2022, 11:35 PM
bolt/lib/Core/BinaryContext.cpp
673

Sorry, let's not reland this diff.
We want to preserve this llvm_unreachable here to crash in cases we failed to recognize the jump table.

Revision Contents

PathSize
bolt/
lib/
Core/
23 lines
test/
X86/
49 lines

Diff 448522

bolt/lib/Core/BinaryContext.cpp

Show First 20 LinesShow All 614 Lines▼ Show 20 Linesbool BinaryContext::analyzeJumpTable(
// It's a jump table if the number of real entries is more than 1, or there's // It's a jump table if the number of real entries is more than 1, or there's
// one real entry and "unreachable" targets. If there are only multiple // one real entry and "unreachable" targets. If there are only multiple
// "unreachable" targets, then it's not a jump table. // "unreachable" targets, then it's not a jump table.
return NumRealEntries + HasUnreachable >= 2; return NumRealEntries + HasUnreachable >= 2;
} }
void BinaryContext::populateJumpTables() { void BinaryContext::populateJumpTables() {
LLVM_DEBUG(dbgs() << "DataPCRelocations: " << DataPCRelocations.size() LLVM_DEBUG(dbgs() << "DataPCRelocations: " << DataPCRelocations.size()
AmirUnsubmitted
Done
ReplyInline Actions
void BinaryContext::populateJumpTables() {
- SmallVector<JumpTable*,1> JTableRemoveList;
+ SmallVector<JumpTable*, 1> AbortedJT;
LLVM_DEBUG(dbgs() << "DataPCRelocations: " << DataPCRelocations.size()

Please add a context for this vector (e.g. "collect jump tables that failed analyzeJumpTable checks") and run clang-format on this commit.

Amir: Please add a context for this vector (e.g. "collect jump tables that failed analyzeJumpTable…
<< '\n'); << '\n');
// Collect jump tables that pass the analyzeJumpTable's first check,
// but fail the analyzeJumpTable's second check
SmallVector<JumpTable *, 1> AbortedJTs;
for (auto JTI = JumpTables.begin(), JTE = JumpTables.end(); JTI != JTE; for (auto JTI = JumpTables.begin(), JTE = JumpTables.end(); JTI != JTE;
++JTI) { ++JTI) {
JumpTable *JT = JTI->second; JumpTable *JT = JTI->second;
bool NonSimpleParent = false; bool NonSimpleParent = false;
for (BinaryFunction *BF : JT->Parents) for (BinaryFunction *BF : JT->Parents)
NonSimpleParent |= !BF->isSimple(); NonSimpleParent |= !BF->isSimple();
if (NonSimpleParent) if (NonSimpleParent)
continue; continue;
uint64_t NextJTAddress = 0; uint64_t NextJTAddress = 0;
auto NextJTI = std::next(JTI); auto NextJTI = std::next(JTI);
if (NextJTI != JTE) if (NextJTI != JTE)
NextJTAddress = NextJTI->second->getAddress(); NextJTAddress = NextJTI->second->getAddress();
const bool Success = const bool Success =
analyzeJumpTable(JT->getAddress(), JT->Type, *(JT->Parents[0]), analyzeJumpTable(JT->getAddress(), JT->Type, *(JT->Parents[0]),
NextJTAddress, &JT->EntriesAsAddress); NextJTAddress, &JT->EntriesAsAddress);
// !Success means a false positive from earlier analysis run due to
// different context. A possible culprit is instruction bounds check.
// Previous run happens during disassembly. If the target function
// is not disassembled, the check will be skipped, leading to a false
// positive
//
// Solution: Ignore fragments accessing JT that fails the check
if (!Success) { if (!Success) {
LLVM_DEBUG(ListSeparator LS; LLVM_DEBUG(ListSeparator LS;
dbgs() << "failed to analyze jump table in function "; dbgs() << "failed to analyze jump table in function ";
for (BinaryFunction *Frag for (BinaryFunction *Frag
: JT->Parents) dbgs() : JT->Parents) dbgs()
<< LS << *Frag; << LS << *Frag;
dbgs() << '\n';); dbgs() << '\n';);
JT->print(dbgs()); JT->print(dbgs());
if (NextJTI != JTE) { if (NextJTI != JTE) {
LLVM_DEBUG(ListSeparator LS; LLVM_DEBUG(ListSeparator LS;
dbgs() << "next jump table at 0x" dbgs() << "next jump table at 0x"
<< Twine::utohexstr(NextJTI->second->getAddress()) << Twine::utohexstr(NextJTI->second->getAddress())
<< " belongs to function "; << " belongs to function ";
for (BinaryFunction *Frag for (BinaryFunction *Frag
: NextJTI->second->Parents) dbgs() : NextJTI->second->Parents) dbgs()
<< LS << *Frag; << LS << *Frag;
dbgs() << "\n";); dbgs() << "\n";);
NextJTI->second->print(dbgs()); NextJTI->second->print(dbgs());
} }
llvm_unreachable("jump table heuristic failure"); AbortedJTs.push_back(JT);
AmirUnsubmitted
Not Done
ReplyInline Actions

Sorry, let's not reland this diff.
We want to preserve this llvm_unreachable here to crash in cases we failed to recognize the jump table.

Amir: Sorry, let's not reland this diff. We want to preserve this `llvm_unreachable` here to crash in…
continue;
} }
for (BinaryFunction *Frag : JT->Parents) { for (BinaryFunction *Frag : JT->Parents) {
for (uint64_t EntryAddress : JT->EntriesAsAddress) for (uint64_t EntryAddress : JT->EntriesAsAddress)
// if target is builtin_unreachable // if target is builtin_unreachable
if (EntryAddress == Frag->getAddress() + Frag->getSize()) { if (EntryAddress == Frag->getAddress() + Frag->getSize()) {
Frag->IgnoredBranches.emplace_back(EntryAddress - Frag->getAddress(), Frag->IgnoredBranches.emplace_back(EntryAddress - Frag->getAddress(),
Frag->getSize()); Frag->getSize());
} else if (EntryAddress >= Frag->getAddress() && } else if (EntryAddress >= Frag->getAddress() &&
Show All 13 Lines for (auto JTI = JumpTables.begin(), JTE = JumpTables.end(); JTI != JTE;
} }
// Mark to skip the function and all its fragments. // Mark to skip the function and all its fragments.
for (BinaryFunction *Frag : JT->Parents) for (BinaryFunction *Frag : JT->Parents)
if (Frag->hasIndirectTargetToSplitFragment()) if (Frag->hasIndirectTargetToSplitFragment())
addFragmentsToSkip(Frag); addFragmentsToSkip(Frag);
} }
// Ignore fragments accessing JT that fails analyzeJumpTable check
AmirUnsubmitted
Done
ReplyInline Actions
addFragmentsToSkip(Frag);
}
- // Ignore invalid jump tables
+ // Ignore fragments pointing to JT that failed `analyzeJumpTable` checks
for (JumpTable *JT : JTableRemoveList) {
Amir:
for (JumpTable *JT : AbortedJTs) {
for (BinaryFunction *Frag : JT->Parents) {
Frag->setIgnored();
Frag->JumpTables.erase(Frag->JumpTables.find(JT->getAddress()));
}
JumpTables.erase(JumpTables.find(JT->getAddress()));
}
if (opts::StrictMode && DataPCRelocations.size()) { if (opts::StrictMode && DataPCRelocations.size()) {
LLVM_DEBUG({ LLVM_DEBUG({
dbgs() << DataPCRelocations.size() dbgs() << DataPCRelocations.size()
<< " unclaimed PC-relative relocations left in data:\n"; << " unclaimed PC-relative relocations left in data:\n";
for (uint64_t Reloc : DataPCRelocations) for (uint64_t Reloc : DataPCRelocations)
dbgs() << Twine::utohexstr(Reloc) << '\n'; dbgs() << Twine::utohexstr(Reloc) << '\n';
}); });
assert(0 && "unclaimed PC-relative relocations left in data\n"); assert(0 && "unclaimed PC-relative relocations left in data\n");
▲ Show 20 LinesShow All 1,636 LinesShow Last 20 Lines

bolt/test/X86/fake_jump_table.s

  • This file was added.
# Currently disassembly is not decoupled from branch target analysis.
# This causes a few checks related to availability of target insn to
# fail for stripped binaries:
# (a) analyzeJumpTable
# (b) postProcessEntryPoints
# This test checks if BOLT can safely support instruction bounds check
# for cross-function targets.
# REQUIRES: system-linux
# RUN: llvm-mc -filetype=obj -triple x86_64-unknown-unknown %s -o %t.o
# RUN: %clang %cflags %t.o -o %t.exe -Wl,-q
# RUN: llvm-bolt %t.exe -o %t.out -v=1 -print-cfg
.text
.globl main
.type main, %function
.p2align 2
main:
LBB0:
.cfi_startproc
andl $0xf, %ecx
cmpb $0x4, %cl
ja .main.cold.1
LBB1:
leaq FAKE_JUMP_TABLE(%rip), %r8
cmpq %r8, %r9
LBB2:
xorq %rax, %rax
ret
.cfi_endproc
.size main, .-main
.globl main.cold.1
.type main.cold.1, %function
.p2align 2
main.cold.1:
.cfi_startproc
nop
LBB3:
callq abort
.cfi_endproc
.size main.cold.1, .-main.cold.1
.rodata
.globl FAKE_JUMP_TABLE
FAKE_JUMP_TABLE:
.long LBB2-FAKE_JUMP_TABLE
.long LBB3-FAKE_JUMP_TABLE+0x1