This is an archive of the discontinued LLVM Phabricator instance.

Differential D132725

[llvm][CodeGen] Skip WinCFGuard on non-Windows targets
AbandonedPublic

Authored by alvinhochun on Aug 26 2022, 2:44 AM.

Details

Reviewers
rnk
ajpaverd
mstorsjo
aaron.ballman
rjmccall
efriedma
Summary

This fixes a crash when passing -cfguard to the clang frontend while not
targeting Windows. Control Flow Guard is only supported on Windows.

Diff Detail

Event Timeline

alvinhochun created this revision.Aug 26 2022, 2:44 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 26 2022, 2:44 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
alvinhochun requested review of this revision.Aug 26 2022, 2:44 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 26 2022, 2:44 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B183549: Diff 455839.Aug 26 2022, 3:25 AM
aaron.ballman added reviewers: rjmccall, efriedma.Aug 26 2022, 4:52 AM
aaron.ballman added inline comments.
llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp
588–589

CodeGen is not my area of strength, so this might be a silly question, but wouldn't it be better to prevent cfguard from being added to the module flags in the first place?

rnk added inline comments.Aug 26 2022, 11:24 AM
llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp
588–589

I believe cfguard is an Xclang flag, so this is already protected in some ways. We generally add logic to the driver to defend against misusage, but the cc1 interface is relatively raw and unchecked.

So, I guess in conclusion, I think we probably have enough checking, and it makes sense for us to add this check to guard against crashing (assuming that's what happens later).

nit: make the condition isOSBinFormatCOFF just to guard against some obscure Windows ELF configurations.

aaron.ballman added inline comments.Aug 26 2022, 11:41 AM
llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp
588–589

SGTM, though I don't really want us to go overboard protecting against -Xclang misuse (when someone does that and gets a crash, I don't lose a whole lot of sleep because -Xclang voids all warranties).

rjmccall added a comment.Aug 26 2022, 12:12 PM

Emitting IR to support CFGuard but then ignoring it in hacky ways in the backend just seems wrong. If there's never going to be an effort to support it outside of Windows, then it shouldn't go into the IR at all; if there is, then all parts of the systems should do their best, with an understanding that it may not work because it's experimental at best.

There are three reasonable alternatives here, and we should pick one of them:

  1. CFGuard on non-Windows is an unwanted feature, and we should handle frontend requests for it by emitting an error.
  2. CFGuard on non-Windows is an unwanted feature, and we should handle frontend requests for it by ignoring them.
  3. CFGuard on non-Windows is an unsupported, experimental feature that users shouldn't request unless they're willing to accept that things will break because it's not complete yet (and may not be for the indefinite future).
alvinhochun abandoned this revision.Sep 23 2022, 2:28 AM

I do agree that misusing cc1 flags voids all warranties so I don't want to spend too much effort in adding checks. Looking at clang/lib/CodeGen/CodeGenModule.cpp there aren't any existing checks guarding other Windows-specific flags either, so I guess I will just leave it as is.

Revision Contents

PathSize
llvm/
lib/
CodeGen/
AsmPrinter/
3 lines
test/
CodeGen/
WinCFGuard/
51 lines

Diff 455839

llvm/lib/CodeGen/AsmPrinter/AsmPrinter.cpp

Show First 20 LinesShow All 579 Lines▼ Show 20 Lines case ExceptionHandling::AIX:
break; break;
} }
if (ES) if (ES)
Handlers.emplace_back(std::unique_ptr<EHStreamer>(ES), EHTimerName, Handlers.emplace_back(std::unique_ptr<EHStreamer>(ES), EHTimerName,
EHTimerDescription, DWARFGroupName, EHTimerDescription, DWARFGroupName,
DWARFGroupDescription); DWARFGroupDescription);
// Emit tables for any value of cfguard flag (i.e. cfguard=1 or cfguard=2). // Emit tables for any value of cfguard flag (i.e. cfguard=1 or cfguard=2).
if (mdconst::extract_or_null<ConstantInt>(M.getModuleFlag("cfguard"))) if (Target.isOSWindows() &&
mdconst::extract_or_null<ConstantInt>(M.getModuleFlag("cfguard")))
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

CodeGen is not my area of strength, so this might be a silly question, but wouldn't it be better to prevent cfguard from being added to the module flags in the first place?

aaron.ballman: CodeGen is not my area of strength, so this might be a silly question, but wouldn't it be…
rnkUnsubmitted
Not Done
ReplyInline Actions

I believe cfguard is an Xclang flag, so this is already protected in some ways. We generally add logic to the driver to defend against misusage, but the cc1 interface is relatively raw and unchecked.

So, I guess in conclusion, I think we probably have enough checking, and it makes sense for us to add this check to guard against crashing (assuming that's what happens later).

nit: make the condition isOSBinFormatCOFF just to guard against some obscure Windows ELF configurations.

rnk: I believe cfguard is an Xclang flag, so this is already protected in some ways. We generally…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

SGTM, though I don't really want us to go overboard protecting against -Xclang misuse (when someone does that and gets a crash, I don't lose a whole lot of sleep because -Xclang voids all warranties).

aaron.ballman: SGTM, though I don't really want us to go overboard protecting against `-Xclang` misuse (when…
Handlers.emplace_back(std::make_unique<WinCFGuard>(this), CFGuardName, Handlers.emplace_back(std::make_unique<WinCFGuard>(this), CFGuardName,
CFGuardDescription, DWARFGroupName, CFGuardDescription, DWARFGroupName,
DWARFGroupDescription); DWARFGroupDescription);
for (const HandlerInfo &HI : Handlers) { for (const HandlerInfo &HI : Handlers) {
NamedRegionTimer T(HI.TimerName, HI.TimerDescription, HI.TimerGroupName, NamedRegionTimer T(HI.TimerName, HI.TimerDescription, HI.TimerGroupName,
HI.TimerGroupDescription, TimePassesIsEnabled); HI.TimerGroupDescription, TimePassesIsEnabled);
HI.Handler->beginModule(&M); HI.Handler->beginModule(&M);
▲ Show 20 LinesShow All 3,334 LinesShow Last 20 Lines

llvm/test/CodeGen/WinCFGuard/cfguard-unsupported.ll

  • This file was added.
; RUN: llc < %s -mtriple=x86_64-linux-gnu
; Control Flow Guard is currently only available on Windows
; This test checks that the cfguard attribute does not crash on non-Windows
; target.
; This file was generated from the following source, using this command line:
; clang -target x86_64-linux-gnu cfguard-unsupported.c -S -emit-llvm -o cfguard-unsupported.ll -O -Xclang -cfguard
;-------------------------------------------------------------------------------
; extern void address_taken(void);
;
; void (*get_ptr(void))(void) {
; return &address_taken;
; }
;
; void call_ptr(void (*p)(void)) {
; p();
; }
;-------------------------------------------------------------------------------
; ModuleID = 'cfguard-unsupported.c'
source_filename = "cfguard-unsupported.c"
target datalayout = "e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
; Function Attrs: mustprogress nofree norecurse nosync nounwind readnone willreturn uwtable
define dso_local nonnull ptr @get_ptr() local_unnamed_addr #0 {
ret ptr @address_taken
}
declare void @address_taken() #1
; Function Attrs: nounwind uwtable
define dso_local void @call_ptr(ptr nocapture noundef readonly %0) local_unnamed_addr #2 {
tail call void %0() #3
ret void
}
attributes #0 = { mustprogress nofree norecurse nosync nounwind readnone willreturn uwtable "frame-pointer"="none" "min-legal-vector-width"="0" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" }
attributes #1 = { "frame-pointer"="none" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" }
attributes #2 = { nounwind uwtable "frame-pointer"="none" "min-legal-vector-width"="0" "no-trapping-math"="true" "stack-protector-buffer-size"="8" "target-cpu"="x86-64" "target-features"="+cx8,+fxsr,+mmx,+sse,+sse2,+x87" "tune-cpu"="generic" }
attributes #3 = { nounwind }
!llvm.module.flags = !{!0, !1, !2, !3, !4}
!llvm.ident = !{!5}
!0 = !{i32 2, !"cfguard", i32 2}
!1 = !{i32 1, !"wchar_size", i32 4}
!2 = !{i32 8, !"PIC Level", i32 2}
!3 = !{i32 7, !"PIE Level", i32 2}
!4 = !{i32 7, !"uwtable", i32 2}
!5 = !{!"clang version 16.0.0"}