This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/
-
lib/Transforms/IPO/
-
Transforms/
-
IPO/
5/5
LowerTypeTests.cpp
-
test/Transforms/LowerTypeTests/
-
Transforms/
-
LowerTypeTests/
-
function.ll
-
x86-jumptable.ll

Differential D140655

[LowerTypeTests] Add ENDBR to .cfi.jumptable for x86 Indirect Branch Tracking
ClosedPublic

Authored by MaskRay on Dec 24 2022, 1:24 PM.

Download Raw Diff

Details

Reviewers

eugenis
pcc
tejohnson

Commits

rG73c9f167ffed: [LowerTypeTests] Add ENDBR to .cfi.jumptable for x86 Indirect Branch Tracking

Summary

Similar to D81251 for AArch64 BTI. This fixes ./a.out test for

void foo(void) {}
void bar(void) {}
static void (*fptr)(void);
int main(int argc, char **argv) {
  if (argv[1]) fptr = foo;
  else fptr = bar;
  fptr();
}

clang -flto=thin -fvisibility=hidden -fsanitize=cfi-icall -fcf-protection=branch -fuse-ld=lld a.cc

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

MaskRay created this revision.Dec 24 2022, 1:24 PM

Herald added a project: Restricted Project. · View Herald TranscriptDec 24 2022, 1:24 PM

Herald added subscribers: ormris, StephenFan, hiraditya, kristof.beyls. · View Herald Transcript

MaskRay requested review of this revision.Dec 24 2022, 1:24 PM

Herald added a project: Restricted Project. · View Herald TranscriptDec 24 2022, 1:24 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

MaskRay edited the summary of this revision. (Show Details)Dec 24 2022, 1:29 PM

tested here and works great

Harbormaster completed remote builds in B204856: Diff 485208.Dec 24 2022, 3:26 PM

I looked up x86 ENDBR and the adding of that instruction seems fine to me, but I have a couple questions on the related changes in the patch.

llvm/lib/Transforms/IPO/LowerTypeTests.cpp
1231	Why is this needed only in the endbr case?
1419	Add comment about why this attribute is needed. I see that the attribute is only checked for the x86 backends. But can be queried on the function for any arch - is there any possibility this feature will be implemented for non-x86 in the future? If so, I suggest adding the attribute unconditionally here. Also, is this needed in the non-endbr case for x86? I.e. it is being added here for all x86 which presumably also changes the pre-existing non-endbr x86 handling.

MaskRay marked 2 inline comments as done.Dec 27 2022, 10:53 AM

MaskRay added inline comments.

llvm/lib/Transforms/IPO/LowerTypeTests.cpp
1231	The endbr case has a larger jump table entry size (16 bytes). We can add as many INT3 as needed, but `.balign 16, 0xcc` seems easier.
1419	This is similar to `F->addFnAttr("branch-target-enforcement", "false");` for AArch64 BTI (D81251). Without this attribute, the function will have 2 consecutive endbr64 at the function start (one from the BTI instrumentation, the other from the first instruction of the inline asm instruction).

lgtm with comment or change suggested below.

llvm/lib/Transforms/IPO/LowerTypeTests.cpp
1419	Please add a comment about why it is needed and that it does not have any effect in the case where CF branch protection is not enabled (alternatively, just guard this with whether the cf-protection-branch module flag is set).

This revision is now accepted and ready to land.Jan 4 2023, 8:16 AM

add comments for ENDBR and BTI

This revision was landed with ongoing or failed builds.Jan 4 2023, 12:28 PM

Closed by commit rG73c9f167ffed: [LowerTypeTests] Add ENDBR to .cfi.jumptable for x86 Indirect Branch Tracking (authored by MaskRay). · Explain Why

This revision was automatically updated to reflect the committed changes.

MaskRay added a commit: rG73c9f167ffed: [LowerTypeTests] Add ENDBR to .cfi.jumptable for x86 Indirect Branch Tracking.

Harbormaster completed remote builds in B205756: Diff 486365.Jan 4 2023, 1:34 PM

Revision Contents

Path

Size

llvm/

lib/

Transforms/

IPO/

LowerTypeTests.cpp

24 lines

test/

Transforms/

LowerTypeTests/

function.ll

4 lines

x86-jumptable.ll

31 lines

Diff 486366

llvm/lib/Transforms/IPO/LowerTypeTests.cpp

Show First 20 Lines • Show All 1,173 Lines • ▼ Show 20 Lines	void LowerTypeTestsModule::verifyTypeMDNode(GlobalObject GO, MDNode Type) {
if (!OffsetConstMD)		if (!OffsetConstMD)
report_fatal_error("Type offset must be a constant");		report_fatal_error("Type offset must be a constant");
auto OffsetInt = dyn_cast<ConstantInt>(OffsetConstMD->getValue());		auto OffsetInt = dyn_cast<ConstantInt>(OffsetConstMD->getValue());
if (!OffsetInt)		if (!OffsetInt)
report_fatal_error("Type offset must be an integer constant");		report_fatal_error("Type offset must be an integer constant");
}		}

static const unsigned kX86JumpTableEntrySize = 8;		static const unsigned kX86JumpTableEntrySize = 8;
		static const unsigned kX86IBTJumpTableEntrySize = 16;
static const unsigned kARMJumpTableEntrySize = 4;		static const unsigned kARMJumpTableEntrySize = 4;
static const unsigned kARMBTIJumpTableEntrySize = 8;		static const unsigned kARMBTIJumpTableEntrySize = 8;
static const unsigned kRISCVJumpTableEntrySize = 8;		static const unsigned kRISCVJumpTableEntrySize = 8;

unsigned LowerTypeTestsModule::getJumpTableEntrySize() {		unsigned LowerTypeTestsModule::getJumpTableEntrySize() {
switch (Arch) {		switch (Arch) {
case Triple::x86:		case Triple::x86:
case Triple::x86_64:		case Triple::x86_64:
		if (const auto *MD = mdconst::extract_or_null<ConstantInt>(
		M.getModuleFlag("cf-protection-branch")))
		if (MD->getZExtValue())
		return kX86IBTJumpTableEntrySize;
return kX86JumpTableEntrySize;		return kX86JumpTableEntrySize;
case Triple::arm:		case Triple::arm:
case Triple::thumb:		case Triple::thumb:
return kARMJumpTableEntrySize;		return kARMJumpTableEntrySize;
case Triple::aarch64:		case Triple::aarch64:
if (const auto *BTE = mdconst::extract_or_null<ConstantInt>(		if (const auto *BTE = mdconst::extract_or_null<ConstantInt>(
M.getModuleFlag("branch-target-enforcement")))		M.getModuleFlag("branch-target-enforcement")))
if (BTE->getZExtValue())		if (BTE->getZExtValue())
Show All 12 Lines
// constraints and arguments to AsmOS, ConstraintOS and AsmArgs.		// constraints and arguments to AsmOS, ConstraintOS and AsmArgs.
void LowerTypeTestsModule::createJumpTableEntry(		void LowerTypeTestsModule::createJumpTableEntry(
raw_ostream &AsmOS, raw_ostream &ConstraintOS,		raw_ostream &AsmOS, raw_ostream &ConstraintOS,
Triple::ArchType JumpTableArch, SmallVectorImpl<Value *> &AsmArgs,		Triple::ArchType JumpTableArch, SmallVectorImpl<Value *> &AsmArgs,
Function *Dest) {		Function *Dest) {
unsigned ArgIndex = AsmArgs.size();		unsigned ArgIndex = AsmArgs.size();

if (JumpTableArch == Triple::x86 \|\| JumpTableArch == Triple::x86_64) {		if (JumpTableArch == Triple::x86 \|\| JumpTableArch == Triple::x86_64) {
		bool Endbr = false;
		if (const auto *MD = mdconst::extract_or_null<ConstantInt>(
		Dest->getParent()->getModuleFlag("cf-protection-branch")))
		Endbr = MD->getZExtValue() != 0;
		if (Endbr)
		AsmOS << (JumpTableArch == Triple::x86 ? "endbr32\n" : "endbr64\n");
AsmOS << "jmp ${" << ArgIndex << ":c}@plt\n";		AsmOS << "jmp ${" << ArgIndex << ":c}@plt\n";
		if (Endbr)
		AsmOS << ".balign 16, 0xcc\n";
		tejohnsonUnsubmitted Done Reply Inline Actions Why is this needed only in the endbr case? tejohnson: Why is this needed only in the endbr case?
		MaskRayAuthorUnsubmitted Done Reply Inline Actions The endbr case has a larger jump table entry size (16 bytes). We can add as many INT3 as needed, but `.balign 16, 0xcc` seems easier. MaskRay: The endbr case has a larger jump table entry size (16 bytes). We can add as many INT3 as needed…
		else
AsmOS << "int3\nint3\nint3\n";		AsmOS << "int3\nint3\nint3\n";
} else if (JumpTableArch == Triple::arm) {		} else if (JumpTableArch == Triple::arm) {
AsmOS << "b $" << ArgIndex << "\n";		AsmOS << "b $" << ArgIndex << "\n";
} else if (JumpTableArch == Triple::aarch64) {		} else if (JumpTableArch == Triple::aarch64) {
if (const auto *BTE = mdconst::extract_or_null<ConstantInt>(		if (const auto *BTE = mdconst::extract_or_null<ConstantInt>(
Dest->getParent()->getModuleFlag("branch-target-enforcement")))		Dest->getParent()->getModuleFlag("branch-target-enforcement")))
if (BTE->getZExtValue())		if (BTE->getZExtValue())
AsmOS << "bti c\n";		AsmOS << "bti c\n";
AsmOS << "b $" << ArgIndex << "\n";		AsmOS << "b $" << ArgIndex << "\n";
▲ Show 20 Lines • Show All 156 Lines • ▼ Show 20 Lines	void LowerTypeTestsModule::createJumpTable(
if (JumpTableArch == Triple::arm)		if (JumpTableArch == Triple::arm)
F->addFnAttr("target-features", "-thumb-mode");		F->addFnAttr("target-features", "-thumb-mode");
if (JumpTableArch == Triple::thumb) {		if (JumpTableArch == Triple::thumb) {
F->addFnAttr("target-features", "+thumb-mode");		F->addFnAttr("target-features", "+thumb-mode");
// Thumb jump table assembly needs Thumb2. The following attribute is added		// Thumb jump table assembly needs Thumb2. The following attribute is added
// by Clang for -march=armv7.		// by Clang for -march=armv7.
F->addFnAttr("target-cpu", "cortex-a8");		F->addFnAttr("target-cpu", "cortex-a8");
}		}
		// When -mbranch-protection= is used, the inline asm adds a BTI. Suppress BTI
		// for the function to avoid double BTI. This is a no-op without
		// -mbranch-protection=.
if (JumpTableArch == Triple::aarch64) {		if (JumpTableArch == Triple::aarch64) {
F->addFnAttr("branch-target-enforcement", "false");		F->addFnAttr("branch-target-enforcement", "false");
F->addFnAttr("sign-return-address", "none");		F->addFnAttr("sign-return-address", "none");
}		}
if (JumpTableArch == Triple::riscv32 \|\| JumpTableArch == Triple::riscv64) {		if (JumpTableArch == Triple::riscv32 \|\| JumpTableArch == Triple::riscv64) {
// Make sure the jump table assembly is not modified by the assembler or		// Make sure the jump table assembly is not modified by the assembler or
// the linker.		// the linker.
F->addFnAttr("target-features", "-c,-relax");		F->addFnAttr("target-features", "-c,-relax");
}		}
		// When -fcf-protection= is used, the inline asm adds an ENDBR. Suppress ENDBR
		// for the function to avoid double ENDBR. This is a no-op without
		tejohnsonUnsubmitted Done Reply Inline Actions Add comment about why this attribute is needed. I see that the attribute is only checked for the x86 backends. But can be queried on the function for any arch - is there any possibility this feature will be implemented for non-x86 in the future? If so, I suggest adding the attribute unconditionally here. Also, is this needed in the non-endbr case for x86? I.e. it is being added here for all x86 which presumably also changes the pre-existing non-endbr x86 handling. tejohnson: Add comment about why this attribute is needed. I see that the attribute is only checked for…
		MaskRayAuthorUnsubmitted Done Reply Inline Actions This is similar to `F->addFnAttr("branch-target-enforcement", "false");` for AArch64 BTI (D81251). Without this attribute, the function will have 2 consecutive endbr64 at the function start (one from the BTI instrumentation, the other from the first instruction of the inline asm instruction). MaskRay: This is similar to ` F->addFnAttr("branch-target-enforcement", "false");` for AArch64 BTI…
		tejohnsonUnsubmitted Done Reply Inline Actions Please add a comment about why it is needed and that it does not have any effect in the case where CF branch protection is not enabled (alternatively, just guard this with whether the cf-protection-branch module flag is set). tejohnson: Please add a comment about why it is needed and that it does not have any effect in the case…
		// -fcf-protection=.
		if (JumpTableArch == Triple::x86 \|\| JumpTableArch == Triple::x86_64)
		F->addFnAttr(Attribute::NoCfCheck);
// Make sure we don't emit .eh_frame for this function.		// Make sure we don't emit .eh_frame for this function.
F->addFnAttr(Attribute::NoUnwind);		F->addFnAttr(Attribute::NoUnwind);

BasicBlock *BB = BasicBlock::Create(M.getContext(), "entry", F);		BasicBlock *BB = BasicBlock::Create(M.getContext(), "entry", F);
IRBuilder<> IRB(BB);		IRBuilder<> IRB(BB);

SmallVector<Type *, 16> ArgTypes;		SmallVector<Type *, 16> ArgTypes;
ArgTypes.reserve(AsmArgs.size());		ArgTypes.reserve(AsmArgs.size());
▲ Show 20 Lines • Show All 879 Lines • Show Last 20 Lines

llvm/test/Transforms/LowerTypeTests/function.ll

	Show First 20 Lines • Show All 71 Lines • ▼ Show 20 Lines
	; THUMB: b.w $0			; THUMB: b.w $0
	; THUMB-SAME: b.w $1			; THUMB-SAME: b.w $1

	; RISCV: tail $0@plt			; RISCV: tail $0@plt
	; RISCV-SAME: tail $1@plt			; RISCV-SAME: tail $1@plt

	; NATIVE-SAME: "s,s"(ptr @f.cfi, ptr @g.cfi)			; NATIVE-SAME: "s,s"(ptr @f.cfi, ptr @g.cfi)

	; X86-LINUX: attributes #[[ATTR]] = { naked nounwind }			; X86-LINUX: attributes #[[ATTR]] = { naked nocf_check nounwind }
	; X86-WIN32: attributes #[[ATTR]] = { nounwind }			; X86-WIN32: attributes #[[ATTR]] = { nocf_check nounwind }
	; ARM: attributes #[[ATTR]] = { naked nounwind			; ARM: attributes #[[ATTR]] = { naked nounwind
	; THUMB: attributes #[[ATTR]] = { naked nounwind "target-cpu"="cortex-a8" "target-features"="+thumb-mode" }			; THUMB: attributes #[[ATTR]] = { naked nounwind "target-cpu"="cortex-a8" "target-features"="+thumb-mode" }
	; RISCV: attributes #[[ATTR]] = { naked nounwind "target-features"="-c,-relax" }			; RISCV: attributes #[[ATTR]] = { naked nounwind "target-features"="-c,-relax" }

	; WASM32: ![[I0]] = !{i64 1}			; WASM32: ![[I0]] = !{i64 1}
	; WASM32: ![[I1]] = !{i64 2}			; WASM32: ![[I1]] = !{i64 2}

llvm/test/Transforms/LowerTypeTests/x86-jumptable.ll

This file was added.

				;; Test jump table generation with Indirect Branch Tracking on x86.
				; RUN: opt -S -passes=lowertypetests -mtriple=i686 %s \| FileCheck --check-prefixes=X86,X86_32 %s
				; RUN: opt -S -passes=lowertypetests -mtriple=x86_64 %s \| FileCheck --check-prefixes=X86,X86_64 %s

				@0 = private unnamed_addr constant [2 x ptr] [ptr @f, ptr @g], align 16

				define void @f() !type !0 {
				ret void
				}

				define internal void @g() !type !0 {
				ret void
				}

				declare i1 @llvm.type.test(ptr %ptr, metadata %bitset) nounwind readnone

				define i1 @foo(ptr %p) {
				%x = call i1 @llvm.type.test(ptr %p, metadata !"typeid1")
				ret i1 %x
				}

				!llvm.module.flags = !{!1}
				!0 = !{i32 0, !"typeid1"}
				!1 = !{i32 8, !"cf-protection-branch", i32 1}

				; X86: define private void @.cfi.jumptable() #[[#ATTR:]] align 16 {
				; X86-NEXT: entry:
				; X86_32-NEXT: call void asm sideeffect "endbr32\0Ajmp ${0:c}@plt\0A.balign 16, 0xcc\0Aendbr32\0Ajmp ${1:c}@plt\0A.balign 16, 0xcc\0A", "s,s"(ptr @f.cfi, ptr @g.cfi)
				; X86_64-NEXT: call void asm sideeffect "endbr64\0Ajmp ${0:c}@plt\0A.balign 16, 0xcc\0Aendbr64\0Ajmp ${1:c}@plt\0A.balign 16, 0xcc\0A", "s,s"(ptr @f.cfi, ptr @g.cfi)

				; X86_64: attributes #[[#ATTR]] = { naked nocf_check nounwind }