This is an archive of the discontinued LLVM Phabricator instance.

Differential D132592

[Clang] Implement function attribute nouwtable
ClosedPublic

Authored by ychen on Aug 24 2022, 12:30 PM.

Details

Reviewers
aaron.ballman
rnk
rsmith
Commits
rG70248bfdea6c: [Clang] Implement function attribute nouwtable
Summary

To have finer control of IR uwtable attribute generation. For target code generation,
IR nounwind and uwtable may have some interaction. However, for frontend, there are
no semantic interactions so the this new nouwtable is marked "SimpleHandler = 1".

Diff Detail

Event Timeline

ychen created this revision.Aug 24 2022, 12:30 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 24 2022, 12:30 PM
ychen requested review of this revision.Aug 24 2022, 12:30 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 24 2022, 12:30 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
ychen retitled this revision from Clang] Implement function attribute nouwtable to [Clang] Implement function attribute nouwtable.Aug 24 2022, 12:30 PM
Harbormaster completed remote builds in B183192: Diff 455328.Aug 24 2022, 2:07 PM
ychen updated this revision to Diff 455395.Aug 24 2022, 3:14 PM
  • update test
Herald added a subscriber: jdoerfert. · View Herald TranscriptAug 24 2022, 3:14 PM
Harbormaster completed remote builds in B183245: Diff 455395.Aug 24 2022, 5:52 PM
aaron.ballman added a comment.Aug 25 2022, 8:58 AM

Do we have any evidence that users need this level of control or will understand how to properly use the attribute? The command line option makes sense to me because it's an all-or-nothing flag, but I'm not certain I understand the need for per-function control. Also, if a user gets this wrong (applies the attribute where they shouldn't), what is the failure mode (does it introduce any exploitable behavior)?

ychen added a comment.Aug 25 2022, 10:28 AM

Thanks for taking a look!

In D132592#3749261, @aaron.ballman wrote:

Do we have any evidence that users need this level of control or will understand how to properly use the attribute? The command line option makes sense to me because it's an all-or-nothing flag, but I'm not certain I understand the need for per-function control.

https://github.com/llvm/llvm-project/blob/064a08cd955019da9130f1109bfa534e79b8ec7c/llvm/include/llvm/IR/Function.h#L639-L641, per-function unwind table entry depends on both nounwind and uwtable. We have nothrow attribute for nounwind but not nouwtable for uwtable. With this, a user could use function attributes to control unwind table entry generation which could only be achieved by inline assembly or writing assembly files directly. I'd consider this a companion of nothrow. So making them both per-function attribute seems natural?

Also, if a user gets this wrong (applies the attribute where they shouldn't), what is the failure mode (does it introduce any exploitable behavior)?

The flag may only suppress unwind table emission instead of causing more, the lack of unwind table may only stop control flow rather than giving it more freedom. So I think this is safe from a security perspective. Using it wrong may cause unnecessary crashes just like any other memory bugs, but not a malicious binary.

aaron.ballman added a comment.Aug 26 2022, 5:02 AM
In D132592#3749567, @ychen wrote:

Thanks for taking a look!

In D132592#3749261, @aaron.ballman wrote:

Do we have any evidence that users need this level of control or will understand how to properly use the attribute? The command line option makes sense to me because it's an all-or-nothing flag, but I'm not certain I understand the need for per-function control.

https://github.com/llvm/llvm-project/blob/064a08cd955019da9130f1109bfa534e79b8ec7c/llvm/include/llvm/IR/Function.h#L639-L641, per-function unwind table entry depends on both nounwind and uwtable. We have nothrow attribute for nounwind but not nouwtable for uwtable. With this, a user could use function attributes to control unwind table entry generation which could only be achieved by inline assembly or writing assembly files directly. I'd consider this a companion of nothrow. So making them both per-function attribute seems natural?

Also, if a user gets this wrong (applies the attribute where they shouldn't), what is the failure mode (does it introduce any exploitable behavior)?

The flag may only suppress unwind table emission instead of causing more, the lack of unwind table may only stop control flow rather than giving it more freedom. So I think this is safe from a security perspective. Using it wrong may cause unnecessary crashes just like any other memory bugs, but not a malicious binary.

Thank you for the explanations, that helped. :-)

You're missing all of the semantic tests (that the attr takes no arguments, only applies to function-like things, etc). Also, the subject you picked is FunctionLike so you should have some test coverage showing how this works when calling through a function pointer with the attribute (or you should pick a more appropriate subject if that one is wrong).

clang/include/clang/Basic/AttrDocs.td
4545–4546
ychen updated this revision to Diff 456069.Aug 26 2022, 6:06 PM
  • change from FunctionLike to Function
  • add a Sema test
  • update doc
ychen marked an inline comment as done.Aug 26 2022, 6:06 PM
In D132592#3751561, @aaron.ballman wrote:
In D132592#3749567, @ychen wrote:

Thanks for taking a look!

In D132592#3749261, @aaron.ballman wrote:

Do we have any evidence that users need this level of control or will understand how to properly use the attribute? The command line option makes sense to me because it's an all-or-nothing flag, but I'm not certain I understand the need for per-function control.

https://github.com/llvm/llvm-project/blob/064a08cd955019da9130f1109bfa534e79b8ec7c/llvm/include/llvm/IR/Function.h#L639-L641, per-function unwind table entry depends on both nounwind and uwtable. We have nothrow attribute for nounwind but not nouwtable for uwtable. With this, a user could use function attributes to control unwind table entry generation which could only be achieved by inline assembly or writing assembly files directly. I'd consider this a companion of nothrow. So making them both per-function attribute seems natural?

Also, if a user gets this wrong (applies the attribute where they shouldn't), what is the failure mode (does it introduce any exploitable behavior)?

The flag may only suppress unwind table emission instead of causing more, the lack of unwind table may only stop control flow rather than giving it more freedom. So I think this is safe from a security perspective. Using it wrong may cause unnecessary crashes just like any other memory bugs, but not a malicious binary.

Thank you for the explanations, that helped. :-)

You're missing all of the semantic tests (that the attr takes no arguments, only applies to function-like things, etc). Also, the subject you picked is FunctionLike so you should have some test coverage showing how this works when calling through a function pointer with the attribute (or you should pick a more appropriate subject if that one is wrong).

Yes, Function is more proper than FunctionLike.

Harbormaster completed remote builds in B183715: Diff 456069.Aug 26 2022, 7:17 PM
aaron.ballman accepted this revision.Aug 29 2022, 5:14 AM

LGTM, though please add a release note for the new attribute.

This revision is now accepted and ready to land.Aug 29 2022, 5:14 AM
ychen updated this revision to Diff 456403.Aug 29 2022, 10:51 AM
  • add a release note.
This revision was landed with ongoing or failed builds.Aug 29 2022, 12:13 PM
Closed by commit rG70248bfdea6c: [Clang] Implement function attribute nouwtable (authored by Yuanfang Chen <yuanfang.chen@sony.com>). · Explain Why
This revision was automatically updated to reflect the committed changes.
ychen added a commit: rG70248bfdea6c: [Clang] Implement function attribute nouwtable.
Harbormaster completed remote builds in B183969: Diff 456403.Aug 29 2022, 1:21 PM

Revision Contents

PathSize
clang/
docs/
3 lines
include/
clang/
Basic/
7 lines
10 lines
lib/
CodeGen/
2 lines
test/
CodeGen/
9 lines
Misc/
1 line

Diff 456433

clang/docs/ReleaseNotes.rst

Show First 20 LinesShow All 143 Lines▼ Show 20 Lines
-------------------------- --------------------------
- Added support for ``__attribute__((guard(nocf)))`` and C++-style - Added support for ``__attribute__((guard(nocf)))`` and C++-style
``[[clang::guard(nocf)]]``, which is equivalent to ``__declspec(guard(nocf))`` ``[[clang::guard(nocf)]]``, which is equivalent to ``__declspec(guard(nocf))``
when using the MSVC environment. This is to support enabling Windows Control when using the MSVC environment. This is to support enabling Windows Control
Flow Guard checks with the ability to disable them for specific functions when Flow Guard checks with the ability to disable them for specific functions when
using the MinGW environment. This attribute is only available for Windows using the MinGW environment. This attribute is only available for Windows
targets. targets.
- Introduced a new function attribute ``__attribute__((nouwtable))`` to suppress
LLVM IR ``uwtable`` function attribute.
Windows Support Windows Support
--------------- ---------------
AIX Support AIX Support
----------- -----------
C Language Changes in Clang C Language Changes in Clang
--------------------------- ---------------------------
▲ Show 20 LinesShow All 151 LinesShow Last 20 Lines

clang/include/clang/Basic/Attr.td

Show First 20 LinesShow All 2,086 Lines▼ Show 20 Lines
} }
def NoThrow : InheritableAttr { def NoThrow : InheritableAttr {
let Spellings = [GCC<"nothrow">, Declspec<"nothrow">]; let Spellings = [GCC<"nothrow">, Declspec<"nothrow">];
let Subjects = SubjectList<[FunctionLike]>; let Subjects = SubjectList<[FunctionLike]>;
let Documentation = [NoThrowDocs]; let Documentation = [NoThrowDocs];
} }
def NoUwtable : InheritableAttr {
let Spellings = [Clang<"nouwtable">];
let Subjects = SubjectList<[FunctionLike]>;
let Documentation = [NoUwtableDocs];
let SimpleHandler = 1;
}
def NvWeak : IgnoredAttr { def NvWeak : IgnoredAttr {
// No Declspec spelling of this attribute; the CUDA headers use // No Declspec spelling of this attribute; the CUDA headers use
// __attribute__((nv_weak)) unconditionally. Does not receive an [[]] // __attribute__((nv_weak)) unconditionally. Does not receive an [[]]
// spelling because it is a CUDA attribute. // spelling because it is a CUDA attribute.
let Spellings = [GNU<"nv_weak">]; let Spellings = [GNU<"nv_weak">];
let LangOpts = [CUDA]; let LangOpts = [CUDA];
} }
▲ Show 20 LinesShow All 1,986 LinesShow Last 20 Lines

clang/include/clang/Basic/AttrDocs.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 4,531 Lines▼ Show 20 Lines
``__declspec(nothrow)`` attribute as an equivalent of ``noexcept`` on function ``__declspec(nothrow)`` attribute as an equivalent of ``noexcept`` on function
declarations. This attribute informs the compiler that the annotated function declarations. This attribute informs the compiler that the annotated function
does not throw an exception. This prevents exception-unwinding. This attribute does not throw an exception. This prevents exception-unwinding. This attribute
is particularly useful on functions in the C Standard Library that are is particularly useful on functions in the C Standard Library that are
guaranteed to not throw an exception. guaranteed to not throw an exception.
}]; }];
} }
def NoUwtableDocs : Documentation {
let Category = DocCatFunction;
let Content = [{
Clang supports the ``nouwtable`` attribute which skips emitting
the unwind table entry for the specified function. This attribute is useful for
selectively emitting the unwind table entry on some functions when building with
``-funwind-tables`` compiler option.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
the unwind table entry for the specified function. This attribute is useful for
- selectively emitting the unwind table entry on some functions when building with
- ``-funwind-tables`` compiler option.
+ selectively suppressing the unwind table entry on some functions when building
+ with the ``-funwind-tables`` compiler option.
}];
}
aaron.ballman:
}];
}
def InternalLinkageDocs : Documentation { def InternalLinkageDocs : Documentation {
let Category = DocCatFunction; let Category = DocCatFunction;
let Content = [{ let Content = [{
The ``internal_linkage`` attribute changes the linkage type of the declaration The ``internal_linkage`` attribute changes the linkage type of the declaration
to internal. This is similar to C-style ``static``, but can be used on classes to internal. This is similar to C-style ``static``, but can be used on classes
and class methods. When applied to a class definition, this attribute affects and class methods. When applied to a class definition, this attribute affects
all methods and static data members of that class. This can be used to contain all methods and static data members of that class. This can be used to contain
the ABI of a C++ library by excluding unwanted class methods from the export the ABI of a C++ library by excluding unwanted class methods from the export
▲ Show 20 LinesShow All 2,133 LinesShow Last 20 Lines

clang/lib/CodeGen/CodeGenModule.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 1,957 Lines▼ Show 20 LinesCodeGenModule::GetOrCreateRTTIProxyGlobalVariable(llvm::Constant *Addr) {
RTTIProxyMap[Addr] = FTRTTIProxy; RTTIProxyMap[Addr] = FTRTTIProxy;
return FTRTTIProxy; return FTRTTIProxy;
} }
void CodeGenModule::SetLLVMFunctionAttributesForDefinition(const Decl *D, void CodeGenModule::SetLLVMFunctionAttributesForDefinition(const Decl *D,
llvm::Function *F) { llvm::Function *F) {
llvm::AttrBuilder B(F->getContext()); llvm::AttrBuilder B(F->getContext());
if (CodeGenOpts.UnwindTables) if ((!D || !D->hasAttr<NoUwtableAttr>()) && CodeGenOpts.UnwindTables)
B.addUWTableAttr(llvm::UWTableKind(CodeGenOpts.UnwindTables)); B.addUWTableAttr(llvm::UWTableKind(CodeGenOpts.UnwindTables));
if (CodeGenOpts.StackClashProtector) if (CodeGenOpts.StackClashProtector)
B.addAttribute("probe-stack", "inline-asm"); B.addAttribute("probe-stack", "inline-asm");
if (!hasUnwindExceptions(LangOpts)) if (!hasUnwindExceptions(LangOpts))
B.addAttribute(llvm::Attribute::NoUnwind); B.addAttribute(llvm::Attribute::NoUnwind);
▲ Show 20 LinesShow All 5,120 LinesShow Last 20 Lines

clang/test/CodeGen/attr-nouwtable.c

  • This file was added.
// RUN: %clang_cc1 -funwind-tables=2 -S -emit-llvm %s -o - | FileCheck %s
__attribute__((nouwtable))
int test1(void) { return 0; }
// CHECK: @test1{{.*}}[[ATTR1:#[0-9]+]]
// CHECK: attributes [[ATTR1]] = {
// CHECK-NOT: uwtable
// CHECK: }

clang/test/Misc/pragma-attribute-supported-attributes-list.test

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines
// CHECK-NEXT: NoRandomizeLayout (SubjectMatchRule_record) // CHECK-NEXT: NoRandomizeLayout (SubjectMatchRule_record)
// CHECK-NEXT: NoSanitize (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_variable_is_global) // CHECK-NEXT: NoSanitize (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_variable_is_global)
// CHECK-NEXT: NoSanitizeSpecific (SubjectMatchRule_function, SubjectMatchRule_variable_is_global) // CHECK-NEXT: NoSanitizeSpecific (SubjectMatchRule_function, SubjectMatchRule_variable_is_global)
// CHECK-NEXT: NoSpeculativeLoadHardening (SubjectMatchRule_function, SubjectMatchRule_objc_method) // CHECK-NEXT: NoSpeculativeLoadHardening (SubjectMatchRule_function, SubjectMatchRule_objc_method)
// CHECK-NEXT: NoSplitStack (SubjectMatchRule_function) // CHECK-NEXT: NoSplitStack (SubjectMatchRule_function)
// CHECK-NEXT: NoStackProtector (SubjectMatchRule_function) // CHECK-NEXT: NoStackProtector (SubjectMatchRule_function)
// CHECK-NEXT: NoThreadSafetyAnalysis (SubjectMatchRule_function) // CHECK-NEXT: NoThreadSafetyAnalysis (SubjectMatchRule_function)
// CHECK-NEXT: NoThrow (SubjectMatchRule_hasType_functionType) // CHECK-NEXT: NoThrow (SubjectMatchRule_hasType_functionType)
// CHECK-NEXT: NoUwtable (SubjectMatchRule_hasType_functionType)
// CHECK-NEXT: NotTailCalled (SubjectMatchRule_function) // CHECK-NEXT: NotTailCalled (SubjectMatchRule_function)
// CHECK-NEXT: OSConsumed (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: OSConsumed (SubjectMatchRule_variable_is_parameter)
// CHECK-NEXT: OSReturnsNotRetained (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_objc_property, SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: OSReturnsNotRetained (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_objc_property, SubjectMatchRule_variable_is_parameter)
// CHECK-NEXT: OSReturnsRetained (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_objc_property, SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: OSReturnsRetained (SubjectMatchRule_function, SubjectMatchRule_objc_method, SubjectMatchRule_objc_property, SubjectMatchRule_variable_is_parameter)
// CHECK-NEXT: OSReturnsRetainedOnNonZero (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: OSReturnsRetainedOnNonZero (SubjectMatchRule_variable_is_parameter)
// CHECK-NEXT: OSReturnsRetainedOnZero (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: OSReturnsRetainedOnZero (SubjectMatchRule_variable_is_parameter)
// CHECK-NEXT: ObjCBoxable (SubjectMatchRule_record) // CHECK-NEXT: ObjCBoxable (SubjectMatchRule_record)
// CHECK-NEXT: ObjCBridge (SubjectMatchRule_record, SubjectMatchRule_type_alias) // CHECK-NEXT: ObjCBridge (SubjectMatchRule_record, SubjectMatchRule_type_alias)
▲ Show 20 LinesShow All 76 LinesShow Last 20 Lines