This is an archive of the discontinued LLVM Phabricator instance.

Differential D146339

[StackProtector] attribute __stack_chk_fail as NoReturn
ClosedPublic

Authored by nickdesaulniers on Mar 17 2023, 4:51 PM.

Details

Reviewers
efriedma
jyknight
void
nikic
Commits
rGd10110a8a601: [StackProtector] attribute __stack_chk_fail as NoReturn
Summary

When GCC added support for stack smashing protections, it was defined
that:

This hook returns a CALL_EXPR that alerts the runtime that the stack
protect guard variable has been modified. This expression should
involve a call to a noreturn function.
The default version of this hook invokes a function called
‘__stack_chk_fail’, taking no arguments.

Do so as well for __stack_smash_handler for OpenBSD.

Every libc implementation I could find has __stack_chk_fail marked
noreturn, or the implementation calls abort, exit, or panic (which
themselves are noreturn).

Glibc: https://sourceware.org/git/?p=glibc.git;a=blob;f=debug/stack_chk_fail.c
Musl: https://git.musl-libc.org/cgit/musl/tree/src/env/__stack_chk_fail.c
Bionic: https://android.googlesource.com/platform/bionic/+/refs/heads/master/libc/bionic/__stack_chk_fail.cpp
FreeBSD: https://cgit.freebsd.org/src/tree/lib/libc/secure/stack_protector.c
OpenBSD: https://github.com/openbsd/src/blob/master/lib/libc/sys/stack_protector.c
NetBSD: https://github.com/NetBSD/src/blob/trunk/lib/libc/misc/stack_protector.c
Linux Kernel: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/panic.c
Apple: https://opensource.apple.com/source/Libc/Libc-1439.40.11/sys/OpenBSD/stack_protector.c.auto.html

Link: https://gcc.gnu.org/onlinedocs/gccint/Stack-Smashing-Protection.html#Stack-Smashing-Protection

This will later help us diagnose functions that fall through to other
functions vs end in calls to functions that are noreturn.

Diff Detail

Event Timeline

nickdesaulniers created this revision.Mar 17 2023, 4:51 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 17 2023, 4:51 PM
Herald added subscribers: pengfei, hiraditya, krytarowski and 2 others. · View Herald Transcript
nickdesaulniers requested review of this revision.Mar 17 2023, 4:51 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 17 2023, 4:51 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
nickdesaulniers added a subscriber: nathanchance.Mar 17 2023, 4:54 PM
nickdesaulniers updated this revision to Diff 506231.Mar 17 2023, 5:01 PM
  • refactor
nickdesaulniers updated this revision to Diff 506232.Mar 17 2023, 5:02 PM
  • set SmallVector size to 1
Harbormaster completed remote builds in B220170: Diff 506232.Mar 17 2023, 6:00 PM
nickdesaulniers added reviewers: void, nikic.Mar 20 2023, 11:53 AM
Herald added a subscriber: StephenFan. · View Herald TranscriptMar 20 2023, 11:53 AM
efriedma accepted this revision.Mar 20 2023, 12:04 PM

LGTM

This revision is now accepted and ready to land.Mar 20 2023, 12:04 PM
nickdesaulniers added a parent revision: D146466: [clang] diagnose function fallthrough.Mar 20 2023, 4:03 PM
nickdesaulniers added inline comments.Mar 23 2023, 11:02 AM
llvm/lib/CodeGen/StackProtector.cpp
637

@efriedma I wonder if we can avoid this unreachable? (maybe as a follow up commit to this)

I had tried it and a bunch of stack check related tests crashed; I didn't investigate, but suspect maybe some other code expects there to be an instruction after the call.

Or can you think of any reason why an unreachable needs to be added here? Is there something implicit about noreturn functions needing to be followed by unreachable in IR?

(even if the child patches don't land, D146339 alone is still probably worthwhile to land)

efriedma added inline comments.Mar 23 2023, 11:12 AM
llvm/lib/CodeGen/StackProtector.cpp
637

Every basic block must end in a terminator, and call isn't a terminator, so we have to put something after the call. "unreachable" is the terminator we use when we know control can't actually flow anywhere else in the function. Not sure what you'd want to replace it with.

Yes, this patch makes sense even without the other changes.

Closed by commit rGd10110a8a601: [StackProtector] attribute __stack_chk_fail as NoReturn (authored by nickdesaulniers). · Explain WhyMar 23 2023, 12:45 PM
This revision was automatically updated to reflect the committed changes.
nickdesaulniers added a commit: rGd10110a8a601: [StackProtector] attribute __stack_chk_fail as NoReturn.

Revision Contents

PathSize
llvm/
lib/
CodeGen/
18 lines
test/
CodeGen/
X86/
1 line
2 lines

Diff 507850

llvm/lib/CodeGen/StackProtector.cpp

Show All 9 Lines
// with a random value in it is stored onto the stack before the local variables // with a random value in it is stored onto the stack before the local variables
// are allocated. Upon exiting the block, the stored value is checked. If it's // are allocated. Upon exiting the block, the stored value is checked. If it's
// changed, then there was some sort of violation and the program aborts. // changed, then there was some sort of violation and the program aborts.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/CodeGen/StackProtector.h" #include "llvm/CodeGen/StackProtector.h"
#include "llvm/ADT/SmallPtrSet.h" #include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/Analysis/BranchProbabilityInfo.h" #include "llvm/Analysis/BranchProbabilityInfo.h"
#include "llvm/Analysis/MemoryLocation.h" #include "llvm/Analysis/MemoryLocation.h"
#include "llvm/Analysis/OptimizationRemarkEmitter.h" #include "llvm/Analysis/OptimizationRemarkEmitter.h"
#include "llvm/CodeGen/Passes.h" #include "llvm/CodeGen/Passes.h"
#include "llvm/CodeGen/TargetLowering.h" #include "llvm/CodeGen/TargetLowering.h"
#include "llvm/CodeGen/TargetPassConfig.h" #include "llvm/CodeGen/TargetPassConfig.h"
#include "llvm/CodeGen/TargetSubtargetInfo.h" #include "llvm/CodeGen/TargetSubtargetInfo.h"
▲ Show 20 LinesShow All 589 Lines▼ Show 20 Lines
/// check fails. /// check fails.
BasicBlock *StackProtector::CreateFailBB() { BasicBlock *StackProtector::CreateFailBB() {
LLVMContext &Context = F->getContext(); LLVMContext &Context = F->getContext();
BasicBlock *FailBB = BasicBlock::Create(Context, "CallStackCheckFailBlk", F); BasicBlock *FailBB = BasicBlock::Create(Context, "CallStackCheckFailBlk", F);
IRBuilder<> B(FailBB); IRBuilder<> B(FailBB);
if (F->getSubprogram()) if (F->getSubprogram())
B.SetCurrentDebugLocation( B.SetCurrentDebugLocation(
DILocation::get(Context, 0, 0, F->getSubprogram())); DILocation::get(Context, 0, 0, F->getSubprogram()));
FunctionCallee StackChkFail;
SmallVector<Value *, 1> Args;
if (Trip.isOSOpenBSD()) { if (Trip.isOSOpenBSD()) {
FunctionCallee StackChkFail = M->getOrInsertFunction( StackChkFail = M->getOrInsertFunction("__stack_smash_handler",
"__stack_smash_handler", Type::getVoidTy(Context), Type::getVoidTy(Context),
Type::getInt8PtrTy(Context)); Type::getInt8PtrTy(Context));
Args.push_back(B.CreateGlobalStringPtr(F->getName(), "SSH"));
B.CreateCall(StackChkFail, B.CreateGlobalStringPtr(F->getName(), "SSH"));
} else { } else {
FunctionCallee StackChkFail = StackChkFail =
M->getOrInsertFunction("__stack_chk_fail", Type::getVoidTy(Context)); M->getOrInsertFunction("__stack_chk_fail", Type::getVoidTy(Context));
B.CreateCall(StackChkFail, {});
} }
cast<Function>(StackChkFail.getCallee())->addFnAttr(Attribute::NoReturn);
B.CreateCall(StackChkFail, Args);
B.CreateUnreachable(); B.CreateUnreachable();
nickdesaulniersAuthorUnsubmitted
Not Done
ReplyInline Actions

@efriedma I wonder if we can avoid this unreachable? (maybe as a follow up commit to this)

I had tried it and a bunch of stack check related tests crashed; I didn't investigate, but suspect maybe some other code expects there to be an instruction after the call.

Or can you think of any reason why an unreachable needs to be added here? Is there something implicit about noreturn functions needing to be followed by unreachable in IR?

(even if the child patches don't land, D146339 alone is still probably worthwhile to land)

nickdesaulniers: @efriedma I wonder if we can avoid this unreachable? (maybe as a follow up commit to this) I…
efriedmaUnsubmitted
Not Done
ReplyInline Actions

Every basic block must end in a terminator, and call isn't a terminator, so we have to put something after the call. "unreachable" is the terminator we use when we know control can't actually flow anywhere else in the function. Not sure what you'd want to replace it with.

Yes, this patch makes sense even without the other changes.

efriedma: Every basic block must end in a terminator, and call isn't a terminator, so we have to put…
return FailBB; return FailBB;
} }
bool StackProtector::shouldEmitSDCheck(const BasicBlock &BB) const { bool StackProtector::shouldEmitSDCheck(const BasicBlock &BB) const {
return HasPrologue && !HasIRCheck && isa<ReturnInst>(BB.getTerminator()); return HasPrologue && !HasIRCheck && isa<ReturnInst>(BB.getTerminator());
} }
void StackProtector::copyToMachineFrameInfo(MachineFrameInfo &MFI) const { void StackProtector::copyToMachineFrameInfo(MachineFrameInfo &MFI) const {
Show All 18 Lines

llvm/test/CodeGen/X86/2009-04-14-IllegalRegs.ll

Show First 20 LinesShow All 47 Lines▼ Show 20 Lines
; CHECK-NEXT: ## %bb.2: ## %SP_return ; CHECK-NEXT: ## %bb.2: ## %SP_return
; CHECK-NEXT: movl {{[-0-9]+}}(%e{{[sb]}}p), %eax ## 4-byte Reload ; CHECK-NEXT: movl {{[-0-9]+}}(%e{{[sb]}}p), %eax ## 4-byte Reload
; CHECK-NEXT: addl $148, %esp ; CHECK-NEXT: addl $148, %esp
; CHECK-NEXT: popl %esi ; CHECK-NEXT: popl %esi
; CHECK-NEXT: popl %edi ; CHECK-NEXT: popl %edi
; CHECK-NEXT: retl ; CHECK-NEXT: retl
; CHECK-NEXT: LBB0_3: ## %CallStackCheckFailBlk ; CHECK-NEXT: LBB0_3: ## %CallStackCheckFailBlk
; CHECK-NEXT: calll ___stack_chk_fail ; CHECK-NEXT: calll ___stack_chk_fail
; CHECK-NEXT: ud2
entry: entry:
%retval = alloca i32 ; <ptr> [#uses=2] %retval = alloca i32 ; <ptr> [#uses=2]
%xxx = alloca %struct.X ; <ptr> [#uses=6] %xxx = alloca %struct.X ; <ptr> [#uses=6]
%0 = alloca i32 ; <ptr> [#uses=2] %0 = alloca i32 ; <ptr> [#uses=2]
%"alloca point" = bitcast i32 0 to i32 ; <i32> [#uses=0] %"alloca point" = bitcast i32 0 to i32 ; <i32> [#uses=0]
%1 = getelementptr %struct.X, ptr %xxx, i32 0, i32 1 ; <ptr> [#uses=1] %1 = getelementptr %struct.X, ptr %xxx, i32 0, i32 1 ; <ptr> [#uses=1]
%2 = getelementptr [32 x i8], ptr %1, i32 0, i32 31 ; <ptr> [#uses=1] %2 = getelementptr [32 x i8], ptr %1, i32 0, i32 31 ; <ptr> [#uses=1]
store i8 48, ptr %2, align 1 store i8 48, ptr %2, align 1
Show All 20 Lines

llvm/test/CodeGen/X86/stack-protector-weight.ll

; RUN: llc -mtriple=x86_64-apple-darwin -print-after=finalize-isel -enable-selectiondag-sp=true %s -o /dev/null 2>&1 | FileCheck %s --check-prefix=DARWIN-SELDAG ; RUN: llc -mtriple=x86_64-apple-darwin -print-after=finalize-isel -enable-selectiondag-sp=true %s -o /dev/null 2>&1 | FileCheck %s --check-prefix=DARWIN-SELDAG
; RUN: llc -mtriple=x86_64-apple-darwin -print-after=finalize-isel -enable-selectiondag-sp=false %s -o /dev/null 2>&1 | FileCheck %s --check-prefix=DARWIN-IR ; RUN: llc -mtriple=x86_64-apple-darwin -print-after=finalize-isel -enable-selectiondag-sp=false %s -o /dev/null 2>&1 | FileCheck %s --check-prefix=DARWIN-IR
; RUN: llc -mtriple=i386-pc-windows-msvc -print-after=finalize-isel -enable-selectiondag-sp=true %s -o /dev/null 2>&1 | FileCheck %s -check-prefix=MSVC-SELDAG ; RUN: llc -mtriple=i386-pc-windows-msvc -print-after=finalize-isel -enable-selectiondag-sp=true %s -o /dev/null 2>&1 | FileCheck %s -check-prefix=MSVC-SELDAG
; RUN: llc -mtriple=i386-pc-windows-msvc -print-after=finalize-isel -enable-selectiondag-sp=false %s -o /dev/null 2>&1 | FileCheck %s -check-prefix=MSVC-IR ; RUN: llc -mtriple=i386-pc-windows-msvc -print-after=finalize-isel -enable-selectiondag-sp=false %s -o /dev/null 2>&1 | FileCheck %s -check-prefix=MSVC-IR
; DARWIN-SELDAG: # Machine code for function test_branch_weights: ; DARWIN-SELDAG: # Machine code for function test_branch_weights:
; DARWIN-SELDAG: successors: %bb.[[SUCCESS:[0-9]+]](0x7ffff800), %bb.[[FAILURE:[0-9]+]] ; DARWIN-SELDAG: successors: %bb.[[SUCCESS:[0-9]+]](0x7ffff800), %bb.[[FAILURE:[0-9]+]]
; DARWIN-SELDAG: bb.[[FAILURE]]{{[0-9a-zA-Z_.]+}}: ; DARWIN-SELDAG: bb.[[FAILURE]]{{[0-9a-zA-Z_.]+}}:
; DARWIN-SELDAG: CALL64pcrel32 &__stack_chk_fail ; DARWIN-SELDAG: CALL64pcrel32 &__stack_chk_fail
; DARWIN-SELDAG: bb.[[SUCCESS]]{{[0-9a-zA-Z_.]+}}: ; DARWIN-SELDAG: bb.[[SUCCESS]]{{[0-9a-zA-Z_.]+}}:
; DARWIN-IR: # Machine code for function test_branch_weights: ; DARWIN-IR: # Machine code for function test_branch_weights:
; DARWIN-IR: successors: %bb.[[SUCCESS:[0-9]+]](0x7fffffff), %bb.[[FAILURE:[0-9]+]] ; DARWIN-IR: successors: %bb.[[SUCCESS:[0-9]+]](0x7ffff800), %bb.[[FAILURE:[0-9]+]]
; DARWIN-IR: bb.[[SUCCESS]]{{[0-9a-zA-Z_.]+}}: ; DARWIN-IR: bb.[[SUCCESS]]{{[0-9a-zA-Z_.]+}}:
; DARWIN-IR: bb.[[FAILURE]]{{[0-9a-zA-Z_.]+}}: ; DARWIN-IR: bb.[[FAILURE]]{{[0-9a-zA-Z_.]+}}:
; DARWIN-IR: CALL64pcrel32 @__stack_chk_fail ; DARWIN-IR: CALL64pcrel32 @__stack_chk_fail
; MSVC-SELDAG: # Machine code for function test_branch_weights: ; MSVC-SELDAG: # Machine code for function test_branch_weights:
; MSVC-SELDAG: :: (volatile load (s32) from @__security_cookie) ; MSVC-SELDAG: :: (volatile load (s32) from @__security_cookie)
; MSVC-SELDAG: (store (s32) into stack) ; MSVC-SELDAG: (store (s32) into stack)
; MSVC-SELDAG: (volatile load (s32) from %stack.0.StackGuardSlot) ; MSVC-SELDAG: (volatile load (s32) from %stack.0.StackGuardSlot)
Show All 28 Lines