This is an archive of the discontinued LLVM Phabricator instance.

Differential D130815

[BOLT] Handle unclaimed PC data relocation related to jump table
Needs ReviewPublic

Authored by nhuhuan on Jul 29 2022, 7:38 PM.

Details

Reviewers
rafauler
Amir
maksfb
Summary

The limit in current implementation of jump table analysis causes some
jump tables, or parts of a jump table to be mishandled. Optimizing
functions pointing to/pointed by such jump table lead to incorrect
binaries. Therefore, some efforts are needed to handle such unclaimed
relocations.

The main idea is (a) finding the jump table base potentially associated
to the unclaimed relocation, and (b) conservatively ignoring functions
pointing to/pointed by such possible jump table entry.

To avoid skipping many unrelated functions, we only process potential
entries within a range from the jump table base.

Test Plan:

ninja check-bolt

Diff Detail

Event Timeline

nhuhuan created this revision.Jul 29 2022, 7:38 PM
Herald added a reviewer: rafauler. · View Herald TranscriptJul 29 2022, 7:38 PM
Herald added a reviewer: Amir. · View Herald Transcript
Herald added a reviewer: maksfb. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added a subscriber: ayermolo. · View Herald Transcript
nhuhuan requested review of this revision.Jul 29 2022, 7:38 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 29 2022, 7:38 PM
Herald added subscribers: llvm-commits, yota9. · View Herald Transcript
nhuhuan added a parent revision: D129974: [BOLT] Improve jump table entry validation for split jump table.Jul 29 2022, 7:41 PM
Harbormaster completed remote builds in B178375: Diff 448762.Jul 29 2022, 7:46 PM
nhuhuan updated this revision to Diff 448838.Jul 31 2022, 12:17 AM

Improve checks to reduce unnecessary ignoring of functions

Herald added a subscriber: mgrang. · View Herald TranscriptJul 31 2022, 12:17 AM
Harbormaster completed remote builds in B178434: Diff 448838.Jul 31 2022, 12:18 AM
nhuhuan updated this revision to Diff 448884.Jul 31 2022, 1:26 PM

Improve the acceptable range of potental jump table entry

Harbormaster completed remote builds in B178473: Diff 448884.Jul 31 2022, 1:27 PM
nhuhuan updated this revision to Diff 448910.Jul 31 2022, 9:31 PM

Fixed the acceptable range

Harbormaster completed remote builds in B178493: Diff 448910.Jul 31 2022, 9:31 PM
nhuhuan updated this revision to Diff 448937.Aug 1 2022, 12:53 AM

Fix misidentifying jump table entries to be ignored

Harbormaster completed remote builds in B178513: Diff 448937.Aug 1 2022, 12:53 AM
tschuett added a subscriber: tschuett.Aug 2 2022, 11:02 PM
tschuett added inline comments.
bolt/lib/Core/BinaryContext.cpp
774

LLVM doesn't like really unordered_set because it is expensive. Maybe you like some of the alternatives that LLVM offers:
https://llvm.org/docs/ProgrammersManual.html#set-like-containers-std-set-smallset-setvector-etc

Revision Contents

PathSize
bolt/
lib/
Core/
100 lines

Diff 448910

bolt/lib/Core/BinaryContext.cpp

Show First 20 LinesShow All 717 Lines▼ Show 20 Lines if (!Success) {
: NextJTI->second->Parents) dbgs() : NextJTI->second->Parents) dbgs()
<< LS << *Frag; << LS << *Frag;
dbgs() << "\n";); dbgs() << "\n";);
NextJTI->second->print(dbgs()); NextJTI->second->print(dbgs());
} }
AbortedJTs.push_back(JT); AbortedJTs.push_back(JT);
continue; continue;
} }
for (BinaryFunction *Frag : JT->Parents) { for (BinaryFunction *Frag : JT->Parents) {
for (uint64_t EntryAddress : JT->EntriesAsAddress) for (uint64_t EntryAddress : JT->EntriesAsAddress)
// if target is builtin_unreachable // if target is builtin_unreachable
if (EntryAddress == Frag->getAddress() + Frag->getSize()) { if (EntryAddress == Frag->getAddress() + Frag->getSize()) {
Frag->IgnoredBranches.emplace_back(EntryAddress - Frag->getAddress(), Frag->IgnoredBranches.emplace_back(EntryAddress - Frag->getAddress(),
Frag->getSize()); Frag->getSize());
} else if (EntryAddress >= Frag->getAddress() && } else if (EntryAddress >= Frag->getAddress() &&
EntryAddress < Frag->getAddress() + Frag->getSize()) { EntryAddress < Frag->getAddress() + Frag->getSize()) {
Frag->registerReferencedOffset(EntryAddress - Frag->getAddress()); Frag->registerReferencedOffset(EntryAddress - Frag->getAddress());
} }
} }
// In strict mode, erase PC-relative relocation record. Later we check that // For nonstripped binaries, erase identified PC-relative relocations
// all such records are erased and thus have been accounted for. // Later, account for unclaimed relocations possibly related to jump table
if (opts::StrictMode && JT->Type == JumpTable::JTT_PIC) { // In strict mode, check if all such relocations have been accounted for
if (!DataPCRelocations.empty() && JT->Type == JumpTable::JTT_PIC) {
for (uint64_t Address = JT->getAddress(); for (uint64_t Address = JT->getAddress();
Address < JT->getAddress() + JT->getSize(); Address < JT->getAddress() + JT->getSize();
Address += JT->EntrySize) { Address += JT->EntrySize) {
DataPCRelocations.erase(DataPCRelocations.find(Address)); DataPCRelocations.erase(DataPCRelocations.find(Address));
} }
} }
// Mark to skip the function and all its fragments. // Mark to skip the function and all its fragments.
for (BinaryFunction *Frag : JT->Parents) for (BinaryFunction *Frag : JT->Parents)
if (Frag->hasIndirectTargetToSplitFragment()) if (Frag->hasIndirectTargetToSplitFragment())
addFragmentsToSkip(Frag); addFragmentsToSkip(Frag);
} }
// Ignore fragments accessing JT that fails analyzeJumpTable check // Ignore fragments accessing JT that fails analyzeJumpTable check
for (JumpTable *JT : AbortedJTs) { for (JumpTable *JT : AbortedJTs) {
for (BinaryFunction *Frag : JT->Parents) { for (BinaryFunction *Frag : JT->Parents) {
Frag->setIgnored(); Frag->setIgnored();
Frag->JumpTables.erase(Frag->JumpTables.find(JT->getAddress())); Frag->JumpTables.erase(Frag->JumpTables.find(JT->getAddress()));
} }
JumpTables.erase(JumpTables.find(JT->getAddress())); JumpTables.erase(JumpTables.find(JT->getAddress()));
} }
// Scan for unclaimed PC-relative relocations related to jump table only
// 1. Find the PIC jump table preceding the relocation address
// Must be (a) the first potential entry of the jump table, or
// (b) successor of a potential entry of the jump table
// 2. Compute jump table target with respect to jump table base
// 3. Perform instruction boundary checks to prune invalid targets
// Mark the end for the jump table if invalid target
// 4. Ignore the function contains the jump table target instruction
// 5. Ignore all functions that access to the jump table
if (!JumpTables.empty()) {
tschuettUnsubmitted
Not Done
ReplyInline Actions

LLVM doesn't like really unordered_set because it is expensive. Maybe you like some of the alternatives that LLVM offers:
https://llvm.org/docs/ProgrammersManual.html#set-like-containers-std-set-smallset-setvector-etc

tschuett: LLVM doesn't like really `unordered_set` because it is expensive. Maybe you like some of the…
std::vector<uint64_t> Relocs(DataPCRelocations.begin(),
DataPCRelocations.end());
std::sort(Relocs.begin(), Relocs.end());
std::unordered_map<JumpTable *, uint64_t> JTLastReloc;
const uint64_t INVALID_RELOC = 0xffffffffffffffff;
// Iterate in ascending order
for (uint64_t Reloc : Relocs) {
JumpTable *JT = nullptr;
// Reloc does not belong to any jump table
if (Reloc < JumpTables.begin()->first)
continue;
// Reloc is an entry in the last jump table
else if (JumpTables.rbegin()->first <= Reloc)
JT = JumpTables.rbegin()->second;
// Reloc is an entry in the jump table preceding Reloc
else {
auto Iter = JumpTables.upper_bound(Reloc);
--Iter;
JT = Iter->second;
}
// Found a PIC jump table candidate
if (JT != nullptr && JT->Type == JumpTable::JTT_PIC) {
// Check if Reloc is within an acceptable range
const uint64_t EntrySize = getJumpTableEntrySize(JT->Type);
if (JT->getAddress() + JT->getSize() + 2000 < Reloc)
continue;
// First potential entry for the jump table
// Mark now, verify later
if (Reloc == JT->getAddress() + JT->getSize())
JTLastReloc[JT] = Reloc;
else if (JTLastReloc.find(JT) != JTLastReloc.end()) {
uint64_t LastReloc = JTLastReloc[JT];
// Jump table was already marked ended
if (LastReloc == INVALID_RELOC)
continue;
// Mark ended if not successor of a potential entry
else if (JTLastReloc[JT] + EntrySize != Reloc) {
JTLastReloc[JT] = INVALID_RELOC;
continue;
}
// Successor of a potential entry for the jump table
// Mark now, verify later
JTLastReloc[JT] = Reloc;
}
// Compute jump table target
uint64_t Address =
JT->getAddress() + *getSignedValueAtAddress(Reloc, EntrySize);
// Point to a valid function
BinaryFunction *TargetBF = getBinaryFunctionContainingAddress(Address);
if (TargetBF != nullptr) {
// Point to disassembled function
if (TargetBF->getState() == BinaryFunction::State::Disassembled) {
// Instruction bounds check
if (TargetBF->getInstructionAtOffset(Address -
TargetBF->getAddress())) {
TargetBF->setIgnored();
for (BinaryFunction *BF : JT->Parents)
BF->setIgnored();
}
// Mark the end of jump table if failed
else
JTLastReloc[JT] = INVALID_RELOC;
}
// Point to skipped function
else {
TargetBF->setIgnored();
for (BinaryFunction *BF : JT->Parents)
BF->setIgnored();
}
}
// Not point to a valid function, mark the end of jump table
else
JTLastReloc[JT] = INVALID_RELOC;
}
}
}
if (opts::StrictMode && DataPCRelocations.size()) { if (opts::StrictMode && DataPCRelocations.size()) {
LLVM_DEBUG({ LLVM_DEBUG({
dbgs() << DataPCRelocations.size() dbgs() << DataPCRelocations.size()
<< " unclaimed PC-relative relocations left in data:\n"; << " unclaimed PC-relative relocations left in data:\n";
for (uint64_t Reloc : DataPCRelocations) for (uint64_t Reloc : DataPCRelocations)
dbgs() << Twine::utohexstr(Reloc) << '\n'; dbgs() << Twine::utohexstr(Reloc) << '\n';
}); });
assert(0 && "unclaimed PC-relative relocations left in data\n"); assert(0 && "unclaimed PC-relative relocations left in data\n");
▲ Show 20 LinesShow All 1,641 LinesShow Last 20 Lines