This is an archive of the discontinued LLVM Phabricator instance.

Differential D146463

[CodeGen][RISCV] Change Shadow Call Stack Register to X3
ClosedPublic

Authored by paulkirth on Mar 20 2023, 3:08 PM.

Details

Reviewers
asb
phosek
hiraditya
jrtc27
mcgrathr
craig.topper
Commits
rGaa1d2693c256: [CodeGen][RISCV] Change Shadow Call Stack Register to X3
Summary

ShadowCallStack implementation uses s2 register on RISC-V, but that
choice is problematic for reasons described in:

https://lists.riscv.org/g/sig-toolchains/message/544,
https://github.com/riscv-non-isa/riscv-elf-psabi-doc/issues/370, and
https://github.com/google/android-riscv64/issues/72

The concern over the register choice was also brought up in
https://reviews.llvm.org/D84414.

https://reviews.llvm.org/D84414#2228666 said:

"If the register choice is the only concern about this work, then I think
we can probably land it as-is and fixup the register choice if we see
major drawbacks later. Yes, it's an ABI issue, but on the other hand the
shadow call stack is not a standard ABI anyway.""

Since we have now found a sufficient reason to fixup the register
choice, we should go ahead and update the implementation. We propose
using x3(gp) which is now the platform register in the RISC-V ABI.

Diff Detail

Event Timeline

paulkirth created this revision.Mar 20 2023, 3:08 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 20 2023, 3:08 PM
Herald added subscribers: jobnoorman, luke, Enna1 and 28 others. · View Herald Transcript
paulkirth requested review of this revision.Mar 20 2023, 3:08 PM
Herald added projects: Restricted Project, Restricted Project, Restricted Project. · View Herald TranscriptMar 20 2023, 3:08 PM
Herald added subscribers: llvm-commits, Restricted Project, cfe-commits and 3 others. · View Herald Transcript
craig.topper added a subscriber: craig.topper.Mar 20 2023, 3:17 PM
craig.topper added inline comments.
llvm/lib/Target/RISCV/RISCVFrameLowering.cpp
50–51

Can you add a FIXME here? Using x27 should hopefully remove this restriction

llvm/lib/TargetParser/RISCVTargetParser.cpp
87–88

X18->X27

paulkirth updated this revision to Diff 506762.Mar 20 2023, 4:12 PM

Fix comment and add FIXME

paulkirth marked 2 inline comments as done.Mar 20 2023, 4:13 PM
paulkirth added inline comments.
llvm/lib/Target/RISCV/RISCVFrameLowering.cpp
50–51

I've added the FIXME, but do we just want to remove this now? or is there some issues or chang under review I can ref in the FIXME?

craig.topper added inline comments.Mar 20 2023, 4:20 PM
llvm/lib/Target/RISCV/RISCVFrameLowering.cpp
50–51

We can remove it, but we should add a test for it.

paulkirth marked an inline comment as done.Mar 20 2023, 4:33 PM
paulkirth added inline comments.
llvm/lib/Target/RISCV/RISCVFrameLowering.cpp
50–51

That makes sense. Thanks.

Harbormaster completed remote builds in B220573: Diff 506762.Mar 20 2023, 4:54 PM
paulkirth updated this revision to Diff 506790.Mar 20 2023, 5:23 PM

Remove outdated diagnostics and add tests for SCS + save/restore.

I'm not 100% on if this is the right approach for save/restore testing, so I'm hapy to back this bit out or add more cases.

hiraditya accepted this revision.Mar 20 2023, 5:45 PM

Thanks for putting the patch.

This revision is now accepted and ready to land.Mar 20 2023, 5:45 PM
craig.topper added inline comments.Mar 20 2023, 5:55 PM
llvm/test/CodeGen/RISCV/shadowcallstack.ll
184

Can we split this to a separate file? It doesn't look like it was generated by update_llc_test_checks.py and we don't want these checks on the test cases above.

Harbormaster completed remote builds in B220588: Diff 506790.Mar 20 2023, 6:08 PM
paulkirth added inline comments.Mar 20 2023, 9:23 PM
llvm/test/CodeGen/RISCV/shadowcallstack.ll
184

Good point. This was taken directly from what looked to be the only relevant case in saverestore.ll. Tomorrow I will split this off into a standalone file. Do you know if there would be other relevant cases to consider from the save/restore tests?

paulkirth updated this revision to Diff 507048.Mar 21 2023, 10:44 AM

Split out save/restore tests for SCS into its own file

paulkirth marked an inline comment as done.Mar 21 2023, 10:45 AM
paulkirth marked an inline comment as done.
hiraditya added inline comments.Mar 21 2023, 11:06 AM
llvm/lib/Target/RISCV/RISCVFrameLowering.cpp
62

asb added a comment.Mar 21 2023, 11:27 AM

In principle I think this is good, but I see two considerations:

  1. Sam was right that there's an ability to change the register after the fact, but 2.5 years have passed since then. We should make a good faith attempt to see if any downstream users are relying on the current ABI (e.g. the original contributors - @zzheng and @apazos).
  2. Now that the issue has been raised in the psABI / toolchain-sig, it would be good if there were consensus on the "platform register" rather than changing this multiple times if some different register is decided.

I'd hope we can resolve this quickly enough that we don't need to consider e.g. adding a way to select the shadow call stack register, but if you _need_ this quickly to iterate on Android/Fuchsia then that might be the easiest route to land something very rapidly.

Harbormaster completed remote builds in B220773: Diff 507048.Mar 21 2023, 11:49 AM
hiraditya added a comment.Mar 22 2023, 2:30 PM

https://lists.riscv.org/g/sig-toolchains/message/548 has a proposal where X27 is one of the registers.

MaskRay added inline comments.Mar 22 2023, 2:49 PM
llvm/lib/Target/RISCV/RISCVFrameLowering.cpp
50–51

Nit: Drop the period while updating the message. See https://llvm.org/docs/CodingStandards.html#error-and-warning-messages

105–106

Nit: Drop the period while updating the message. See https://llvm.org/docs/CodingStandards.html#error-and-warning-messages

llvm/test/CodeGen/RISCV/saverestore-scs.ll
2

;; appears a useful prefix to highlight non-RUN-non-CHECK comments. It also makes it clear Check is not a typo for CHECK: when we have some automation tools to detect stale CHECK lines.

paulkirth updated this revision to Diff 507801.Mar 23 2023, 10:31 AM

Address comments.

  • Remove . from warning message
  • use ;; prefix in test
paulkirth marked 3 inline comments as done.Mar 23 2023, 10:32 AM
paulkirth added a comment.Mar 23 2023, 10:36 AM

ugh. I accidentally commited some temporary work here.

paulkirth updated this revision to Diff 507805.Mar 23 2023, 10:39 AM

Remove unrelated changes, due to bad commit.

paulkirth updated this revision to Diff 507811.Mar 23 2023, 10:46 AM

Restore check lines in test.

Harbormaster completed remote builds in B221363: Diff 507811.Mar 25 2023, 9:34 AM
asb added a comment.Mar 27 2023, 2:27 AM

I've flagged this proposed change on Discourse (more the fact we're looking to change it, rather than the precise register we end up with).

kito-cheng added a comment.Mar 27 2023, 7:13 PM

Sorry for cross post, but I guess some people might not follow closely in discourse (like me :P):

Another proposal from me is using gp as platform register: https://github.com/riscv-non-isa/riscv-elf-psabi-doc/pull/371

Some advantage on taking gp as platform register rather than other GPRs:

  • Compiler doesn’t use gp register anywhere for now.
  • All assembly files (which conform with current ABI) didn’t use that except the __global_pointer$ initialization code in CRT files.
  • The main user is linker, linker will use that to perform linker relaxation, and we already have the command option to tune that off.

Potential issues:

  • Loss the code size and performance gain from gp relaxation
    • The most gain from gp relaxation is embedded application, it’s different target audience as SCS, so this should not blocker issues.
    • Android is an example, it’s already disable GP relaxation at all, so we don’t have any loss for this case.
  • Will it break any existing platform?
    • Treat gp as platform register is optional, it’s still default use as gp relaxation, so NO breakage on existing platform, but give the freedom of the platform to use gp register as other purpose if they don’t want gp relxation.
    • Added an attribute to let linker to help mixing up different gp usage objects, also linker could check that attribute to make sure gp relaxation is do-able or not.
paulkirth updated this revision to Diff 509508.Mar 29 2023, 5:14 PM
paulkirth retitled this revision from [CodeGen][RISCV] Change Shadow Call Stack Register to S11 to [CodeGen][RISCV] Change Shadow Call Stack Register to X3.
paulkirth edited the summary of this revision. (Show Details)

update to use gp since it was chosen in psABI and sig-toolchain.

craig.topper added a comment.Mar 29 2023, 5:16 PM

Does the kernel populate the initial value of the register for the shadow stack or is that done by a runtime inside the application?

mcgrathr added a comment.Mar 29 2023, 5:27 PM
In D146463#4232214, @craig.topper wrote:

Does the kernel populate the initial value of the register for the shadow stack or is that done by a runtime inside the application?

This is a change to code generation and is orthogonal to how the runtime environment supports the ABI requirement. The details depend on the particular runtime environment, which is not the province of the compiler backend.

craig.topper added a comment.Mar 29 2023, 5:41 PM
In D146463#4232221, @mcgrathr wrote:
In D146463#4232214, @craig.topper wrote:

Does the kernel populate the initial value of the register for the shadow stack or is that done by a runtime inside the application?

This is a change to code generation and is orthogonal to how the runtime environment supports the ABI requirement. The details depend on the particular runtime environment, which is not the province of the compiler backend.

I ask because GP is set in crtbegin.o on Linux today. So if its the kernel that populates it, then GP isn't valid choice for Linux without changing crtbegin.

mcgrathr added a comment.Mar 29 2023, 6:02 PM
In D146463#4232252, @craig.topper wrote:
In D146463#4232221, @mcgrathr wrote:
In D146463#4232214, @craig.topper wrote:

Does the kernel populate the initial value of the register for the shadow stack or is that done by a runtime inside the application?

This is a change to code generation and is orthogonal to how the runtime environment supports the ABI requirement. The details depend on the particular runtime environment, which is not the province of the compiler backend.

I ask because GP is set in crtbegin.o on Linux today. So if its the kernel that populates it, then GP isn't valid choice for Linux without changing crtbegin.

To use ShadowCallStack, executables need to be built with -msmall-data-limit=0 and the runtime environment they use needs to meet the ABI. Neither of those things is provided out of the box for Linux, just as on AArch64 neither building with -ffixed-x18 nor a runtime environment meeting the ABI exists out of the box on Linux. If a runtime environment for Linux were to support the ShadowCallStack ABI, that would be done in startup code that runs after the code injected by crtbegin.o and before any code built for the ShadowCallStack is expected to be usable, such as in the libc startup code.

Harbormaster completed remote builds in B222621: Diff 509508.Mar 29 2023, 7:15 PM
paulkirth updated this revision to Diff 509811.Mar 30 2023, 2:08 PM

Remove blank lines added to test file.

Harbormaster completed remote builds in B222845: Diff 509811.Mar 30 2023, 3:56 PM
paulkirth added a comment.Apr 5 2023, 2:34 PM

@asb, @craig.topper, @jrtc27 Are there any remaining considerations for us here? From the discussions in psABI and sig-toolchain, I think we have a consensus that this is the approach we'll be taking for RISC-V. We'd prefer to correct this ASAP, so as to prevent future incompatibility/continuing to use a non-standard register.

craig.topper accepted this revision.Apr 5 2023, 3:35 PM

LGTM other than that one comment.

llvm/lib/Target/RISCV/RISCVSubtarget.cpp
85–86

Drop the blank line here.

mcgrathr added a comment.Apr 5 2023, 4:32 PM

I don't see changes here to make the Fuchsia & Android targets stop doing implicit -ffixed-x18 and to make them start doing implicit -msmall-data-limit=0 for non-PIC modes.

clang/lib/Driver/SanitizerArgs.cpp
547–548

For RISC-V this needs a similar check that the equivalent of -msmall-data-limit=0 is in force (that's the default under -fPIC but not other modes).

llvm/test/CodeGen/RISCV/reserved-regs.ll
59–60

gp is a fixed register for all RISC-V targets. What's important to check is that Fuchsia and Android disable the small-data-section behavior.

paulkirth added a comment.EditedApr 5 2023, 6:43 PM
This comment has been deleted.
clang/lib/Driver/SanitizerArgs.cpp
547–548

I'll look into adding support for that.

llvm/lib/Target/RISCV/RISCVSubtarget.cpp
86

@mcgrathr This stops Fuchsia and Android from reserving X18. I'll look at doing something similar for -msmall-data-limit=0.

jrtc27 added a comment.Apr 5 2023, 9:22 PM

From an ABI/codegen perspective the small data limit doesn’t matter here, all it does is govern whether things go in .sdata or not. The linker is what chooses whether to use GP, which happens regardless of whether something is in .sdata, just things in .sdata are more likely to be picked, since GP is defined to be 0x800 from its start. What matters is that the linker is told not to do GP relaxation.

asb added a comment.Apr 5 2023, 10:58 PM
In D146463#4247050, @paulkirth wrote:

@asb, @craig.topper, @jrtc27 Are there any remaining considerations for us here? From the discussions in psABI and sig-toolchain, I think we have a consensus that this is the approach we'll be taking for RISC-V. We'd prefer to correct this ASAP, so as to prevent future incompatibility/continuing to use a non-standard register.

It looks like we have strong consensus here. Could you update the patch to add a release note about this change please? (I guess it might merit inclusion in both the LLVM and the Clang release notes).

The RFC to check nobody downstream is concerned about changing the SCS register has been up for a week and a half with no concerns. You might consider leaving merging this until Monday to give it a full 2 week period, but I'm not opposed to going ahead before that. With the level of agreement we have it's hard to imagine changing direction and we want to change this default anyway - if there's a downstream user who needs to continue supporting the old SCS register then the logical path of action would be to add a new compiler option to enable that.

asb added a comment.Apr 6 2023, 8:46 AM

Ok, looks like the consensus I thought we had isn't quite there on the psABI thread - Andrew Waterman has some concerns. We should let that discussion play out some more.

paulkirth updated this revision to Diff 511458.Apr 6 2023, 9:51 AM

Fix formatting and update documentation.

paulkirth updated this revision to Diff 511466.Apr 6 2023, 10:19 AM
paulkirth marked 2 inline comments as done.

Remove extra line.

Harbormaster completed remote builds in B224052: Diff 511466.Apr 6 2023, 12:33 PM
paulkirth updated this revision to Diff 511575.Apr 6 2023, 5:51 PM
paulkirth marked an inline comment as done.

Add default small-data-limit for Android and Fuchsia.

  • update tests
  • update clang driver
Harbormaster completed remote builds in B224140: Diff 511575.Apr 6 2023, 7:36 PM
paulkirth updated this revision to Diff 511704.Apr 7 2023, 9:13 AM
paulkirth marked an inline comment as done.

Remove unrelated whitespace changes.

Harbormaster completed remote builds in B224223: Diff 511704.Apr 7 2023, 11:36 AM
paulkirth added a comment.Apr 10 2023, 11:00 AM

@asb Are we happy with the state of consensus w.r.t. using x3? I think the lingering concerns from the psABI discussion have been resolved.

asb accepted this revision.Apr 10 2023, 11:53 AM
In D146463#4255927, @paulkirth wrote:

@asb Are we happy with the state of consensus w.r.t. using x3? I think the lingering concerns from the psABI discussion have been resolved.

Yes, all LGTM now.

clang/lib/Driver/ToolChains/Clang.cpp
2062 ↗(On Diff #511704)

Nit: Missing space after platforms

mcgrathr accepted this revision.Apr 10 2023, 1:44 PM

lgtm with some nits and a few more test cases.

clang/docs/ShadowCallStack.rst
61

I think it would be worthwhile to say x3 (gp) here and perhaps everywhere that x3 is mentioned.
Since gp is always a reserved register from the compiler point of view, I think some different verbiage here about the RISC-V case and the interactions with -msmall-data-limit and linker behavior make sense.

clang/lib/Driver/SanitizerArgs.cpp
308

I'm guessing that "DSL" stands for "data small limit" or something, which is confusing since the thing is called small-data-limit, not data-small-limit. Anyway, this is the first use I've seen of DSL as an abbreviation related to any of this. I think it would be clear enough to just call it shadowCallStackConflicts since it's responsible for detecting conflicts between shadow-call-stack and whatever is relevant to that in the particular target.

315

This seems like it ought to parse the integer and then compare it to zero as an integer, rather than relying on one exact string representation of zero.

553

I'd just move all this per-target logic inside shadowCallStackConflicts and maybe just make it a void function called checkShadowCallStackConflcits or something.

clang/lib/Driver/ToolChains/Clang.cpp
2063 ↗(On Diff #511704)

typo: "it's"

2065 ↗(On Diff #511704)

I wonder if it wouldn't be more natural for the target hook to be defaultSmallDataLimit and return an integer where the base class returns 8 and the android/fuchsia subclasses return 0. It seems quite plausible that eventually different subtargets might have other tunings (for subtargets that do want to use gp relaxation).

clang/test/Driver/sanitizer-ld.c
746

I'd also add tests here for android and fuchsia targets with explicit -msmall-data-limit=<nonzero> being rejected by default but being allowed with -fno-sanitize=shadow-call-stack.

There should also be tests independent of shadow-call-stack that just verify at least for fuchsia targets that -msmall-data-limit=0 is passed by default for the default (PIE) case. Actually, it should also test that this remains so when -fno-sanitize=shadow-call-stack is passed, because it's still the standard target ABI that gp might be used for shadow-call-stack by interoperating code and so gp should never be used for something else without explicit -msmall-data-limit=... on fuchsia.

llvm/docs/ReleaseNotes.rst
158

Spaces before the parenthetical clauses.

llvm/include/llvm/TargetParser/RISCVTargetParser.h
42–43

Why not return an integer value instead of "is zero"?

jrtc27 added inline comments.Apr 10 2023, 1:51 PM
clang/docs/ShadowCallStack.rst
155

This doesn't really achieve anything other than not do one optimisation (which may or not matter; the grouping of small data may have a noticeable cache locality effect)

clang/lib/Driver/SanitizerArgs.cpp
566

Why is this an error? It may be a misguided thing to enable but it is 100% supported to combine this. All the limit does is put things in .sdata, but they can still be addressed just fine.

clang/lib/Driver/ToolChains/Clang.cpp
2072 ↗(On Diff #511704)

If you're modelling it on this warning (note, not an error) then this is crap too, there are legitimate reasons to use -G with -fPIC (and the -shared handling is even more questionable).

paulkirth added inline comments.Apr 10 2023, 2:47 PM
clang/lib/Driver/SanitizerArgs.cpp
308

Oops. Seems to be a typo. Thank you.

566

My understanding is that (whether they should or not) linkers are using the presence of the .sdata section to enable gp relaxation.

jrtc27 added inline comments.Apr 10 2023, 2:49 PM
clang/lib/Driver/SanitizerArgs.cpp
566

That is not true

jrtc27 added inline comments.Apr 10 2023, 2:53 PM
clang/lib/Driver/SanitizerArgs.cpp
566

Putting variables in .sdata merely makes it more likely that the linker will be able to relax accesses to them to use GP. Variables outside .sdata still can and will be relaxed if within range of whatever gets picked for __global_pointer$.

paulkirth updated this revision to Diff 512276.Apr 10 2023, 3:51 PM
paulkirth marked 7 inline comments as done.

Remove -msmall-data-limit related changes. There was a misunderstanding on my part about default linker behavior.

clang/lib/Driver/SanitizerArgs.cpp
566

Yes, I seem to have had been under the wrong impression. I've dropped everything regarding -msmall-data-limit.

paulkirth updated this revision to Diff 512277.Apr 10 2023, 3:58 PM

Remove dead declaration.

Harbormaster completed remote builds in B224660: Diff 512277.Apr 10 2023, 4:41 PM
paulkirth updated this revision to Diff 512489.Apr 11 2023, 9:14 AM
paulkirth marked 2 inline comments as done.

Add spaces to parantheticals. Shorten link to discussion on psABI.

Harbormaster completed remote builds in B224803: Diff 512489.Apr 11 2023, 11:10 AM
Closed by commit rGaa1d2693c256: [CodeGen][RISCV] Change Shadow Call Stack Register to X3 (authored by paulkirth). · Explain WhyApr 12 2023, 2:06 PM
This revision was automatically updated to reflect the committed changes.
paulkirth added a commit: rGaa1d2693c256: [CodeGen][RISCV] Change Shadow Call Stack Register to X3.

Revision Contents

PathSize
clang/
docs/
51 lines
lib/
Driver/
8 lines
test/
Driver/
4 lines
compiler-rt/
test/
shadowcallstack/
2 lines
llvm/
docs/
5 lines
include/
llvm/
TargetParser/
2 lines
lib/
Target/
RISCV/
MCTargetDesc/
2 lines
44 lines
3 lines
TargetParser/
5 lines
test/
CodeGen/
RISCV/
3 lines
40 lines
88 lines

Diff 512972

clang/docs/ShadowCallStack.rst

Show First 20 LinesShow All 51 Lines▼ Show 20 Lines
Compatibility Compatibility
------------- -------------
A runtime is not provided in compiler-rt so one must be provided by the A runtime is not provided in compiler-rt so one must be provided by the
compiled application or the operating system. Integrating the runtime into compiled application or the operating system. Integrating the runtime into
the operating system should be preferred since otherwise all thread creation the operating system should be preferred since otherwise all thread creation
and destruction would need to be intercepted by the application. and destruction would need to be intercepted by the application.
The instrumentation makes use of the platform register ``x18``. On some The instrumentation makes use of the platform register ``x18`` on AArch64 and
platforms, ``x18`` is reserved, and on others, it is designated as a scratch ``x3`` (``gp``) on RISC-V. For simplicity we will refer to this as the
mcgrathrUnsubmitted
Done
ReplyInline Actions

I think it would be worthwhile to say x3 (gp) here and perhaps everywhere that x3 is mentioned.
Since gp is always a reserved register from the compiler point of view, I think some different verbiage here about the RISC-V case and the interactions with -msmall-data-limit and linker behavior make sense.

mcgrathr: I think it would be worthwhile to say `x3 (gp)` here and perhaps everywhere that `x3` is…
register. This generally means that any code that may run on the same thread ``SCSReg``. On some platforms, ``SCSReg`` is reserved, and on others, it is
as code compiled with ShadowCallStack must either target one of the platforms designated as a scratch register. This generally means that any code that may
whose ABI reserves ``x18`` (currently Android, Darwin, Fuchsia and Windows) run on the same thread as code compiled with ShadowCallStack must either target
or be compiled with the flag ``-ffixed-x18``. If absolutely necessary, code one of the platforms whose ABI reserves ``SCSReg`` (currently Android, Darwin,
compiled without ``-ffixed-x18`` may be run on the same thread as code that Fuchsia and Windows) or be compiled with a flag to reserve that register (e.g.,
uses ShadowCallStack by saving the register value temporarily on the stack ``-ffixed-x18``). If absolutely necessary, code compiled without reserving the
(`example in Android`_) but this should be done with care since it risks register may be run on the same thread as code that uses ShadowCallStack by
leaking the shadow call stack address. saving the register value temporarily on the stack (`example in Android`_) but
this should be done with care since it risks leaking the shadow call stack
address.
.. _`example in Android`: https://android-review.googlesource.com/c/platform/frameworks/base/+/803717 .. _`example in Android`: https://android-review.googlesource.com/c/platform/frameworks/base/+/803717
Because of the use of register ``x18``, the ShadowCallStack feature is Because it requires a dedicated register, the ShadowCallStack feature is
incompatible with any other feature that may use ``x18``. However, there incompatible with any other feature that may use ``SCSReg``. However, there is
is no inherent reason why ShadowCallStack needs to use register ``x18`` no inherent reason why ShadowCallStack needs to use a specific register; in
specifically; in principle, a platform could choose to reserve and use another principle, a platform could choose to reserve and use another register for
register for ShadowCallStack, but this would be incompatible with the AAPCS64. ShadowCallStack, but this would be incompatible with the ABI standards
published in AAPCS64 and the RISC-V psABI.
Special unwind information is required on functions that are compiled Special unwind information is required on functions that are compiled
with ShadowCallStack and that may be unwound, i.e. functions compiled with with ShadowCallStack and that may be unwound, i.e. functions compiled with
``-fexceptions`` (which is the default in C++). Some unwinders (such as the ``-fexceptions`` (which is the default in C++). Some unwinders (such as the
libgcc 4.9 unwinder) do not understand this unwind info and will segfault libgcc 4.9 unwinder) do not understand this unwind info and will segfault
when encountering it. LLVM libunwind processes this unwind info correctly, when encountering it. LLVM libunwind processes this unwind info correctly,
however. This means that if exceptions are used together with ShadowCallStack, however. This means that if exceptions are used together with ShadowCallStack,
the program must use a compatible unwinder. the program must use a compatible unwinder.
Security Security
======== ========
ShadowCallStack is intended to be a stronger alternative to ShadowCallStack is intended to be a stronger alternative to
``-fstack-protector``. It protects from non-linear overflows and arbitrary ``-fstack-protector``. It protects from non-linear overflows and arbitrary
memory writes to the return address slot. memory writes to the return address slot.
The instrumentation makes use of the ``x18`` register to reference the shadow The instrumentation makes use of the ``SCSReg`` register to reference the shadow
call stack, meaning that references to the shadow call stack do not have call stack, meaning that references to the shadow call stack do not have
to be stored in memory. This makes it possible to implement a runtime that to be stored in memory. This makes it possible to implement a runtime that
avoids exposing the address of the shadow call stack to attackers that can avoids exposing the address of the shadow call stack to attackers that can
read arbitrary memory. However, attackers could still try to exploit side read arbitrary memory. However, attackers could still try to exploit side
channels exposed by the operating system `[1]`_ `[2]`_ or processor `[3]`_ channels exposed by the operating system `[1]`_ `[2]`_ or processor `[3]`_
to discover the address of the shadow call stack. to discover the address of the shadow call stack.
.. _`[1]`: https://eyalitkin.wordpress.com/2017/09/01/cartography-lighting-up-the-shadows/ .. _`[1]`: https://eyalitkin.wordpress.com/2017/09/01/cartography-lighting-up-the-shadows/
Show All 12 Lines
memory allocations in certain processes, as this also limits the number of memory allocations in certain processes, as this also limits the number of
guard regions that can be allocated. guard regions that can be allocated.
.. _`will do this`: https://android-review.googlesource.com/c/platform/bionic/+/891622 .. _`will do this`: https://android-review.googlesource.com/c/platform/bionic/+/891622
.. _`changed`: https://android-review.googlesource.com/c/platform/frameworks/av/+/837745 .. _`changed`: https://android-review.googlesource.com/c/platform/frameworks/av/+/837745
The runtime will need the address of the shadow call stack in order to The runtime will need the address of the shadow call stack in order to
deallocate it when destroying the thread. If the entire program is compiled deallocate it when destroying the thread. If the entire program is compiled
with ``-ffixed-x18``, this is trivial: the address can be derived from the with ``SCSReg`` reserved, this is trivial: the address can be derived from the
value stored in ``x18`` (e.g. by masking out the lower bits). If a guard value stored in ``SCSReg`` (e.g. by masking out the lower bits). If a guard
region is used, the address of the start of the guard region could then be region is used, the address of the start of the guard region could then be
stored at the start of the shadow call stack itself. But if it is possible stored at the start of the shadow call stack itself. But if it is possible
for code compiled without ``-ffixed-x18`` to run on a thread managed by the for code compiled without reserving ``SCSReg`` to run on a thread managed by the
runtime, which is the case on Android for example, the address must be stored runtime, which is the case on Android for example, the address must be stored
somewhere else instead. On Android we store the address of the start of the somewhere else instead. On Android we store the address of the start of the
guard region in TLS and deallocate the entire guard region including the guard region in TLS and deallocate the entire guard region including the
shadow call stack at thread exit. This is considered acceptable given that shadow call stack at thread exit. This is considered acceptable given that
the address of the start of the guard region is already somewhat guessable. the address of the start of the guard region is already somewhat guessable.
One way in which the address of the shadow call stack could leak is in the One way in which the address of the shadow call stack could leak is in the
``jmp_buf`` data structure used by ``setjmp`` and ``longjmp``. The Android ``jmp_buf`` data structure used by ``setjmp`` and ``longjmp``. The Android
runtime `avoids this`_ by only storing the low bits of ``x18`` in the runtime `avoids this`_ by only storing the low bits of ``SCSReg`` in the
``jmp_buf``, which requires the address of the shadow call stack to be ``jmp_buf``, which requires the address of the shadow call stack to be
aligned to its size. aligned to its size.
.. _`avoids this`: https://android.googlesource.com/platform/bionic/+/808d176e7e0dd727c7f929622ec017f6e065c582/libc/arch-arm64/bionic/setjmp.S#49 .. _`avoids this`: https://android.googlesource.com/platform/bionic/+/808d176e7e0dd727c7f929622ec017f6e065c582/libc/arch-arm64/bionic/setjmp.S#49
The architecture's call and return instructions (``bl`` and ``ret``) operate on The architecture's call and return instructions (``bl`` and ``ret``) operate on
a register rather than the stack, which means that leaf functions are generally a register rather than the stack, which means that leaf functions are generally
protected from return address overwrites even without ShadowCallStack. protected from return address overwrites even without ShadowCallStack.
Usage Usage
===== =====
To enable ShadowCallStack, just pass the ``-fsanitize=shadow-call-stack`` To enable ShadowCallStack, just pass the ``-fsanitize=shadow-call-stack`` flag
flag to both compile and link command lines. On aarch64, you also need to pass to both compile and link command lines. On aarch64, you also need to pass
``-ffixed-x18`` unless your target already reserves ``x18``. ``-ffixed-x18`` unless your target already reserves ``x18``. On RISC-V, ``x3``
(``gp``) is always reserved. It is, however, important to disable GP relaxation
jrtc27Unsubmitted
Done
ReplyInline Actions

This doesn't really achieve anything other than not do one optimisation (which may or not matter; the grouping of small data may have a noticeable cache locality effect)

jrtc27: This doesn't really achieve anything other than not do one optimisation (which may or not…
in the linker. This can be done with the ``--no-relax-gp`` flag in GNU ld.
Low-level API Low-level API
------------- -------------
``__has_feature(shadow_call_stack)`` ``__has_feature(shadow_call_stack)``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In some cases one may need to execute different code depending on whether In some cases one may need to execute different code depending on whether
▲ Show 20 LinesShow All 52 LinesShow Last 20 Lines

clang/lib/Driver/SanitizerArgs.cpp

//===--- SanitizerArgs.cpp - Arguments for sanitizer tools ---------------===// //===--- SanitizerArgs.cpp - Arguments for sanitizer tools ---------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/Driver/SanitizerArgs.h" #include "clang/Driver/SanitizerArgs.h"
#include "ToolChains/CommonArgs.h" #include "ToolChains/CommonArgs.h"
#include "clang/Basic/Sanitizers.h" #include "clang/Basic/Sanitizers.h"
#include "clang/Driver/Driver.h" #include "clang/Driver/Driver.h"
#include "clang/Driver/DriverDiagnostic.h" #include "clang/Driver/DriverDiagnostic.h"
#include "clang/Driver/Options.h" #include "clang/Driver/Options.h"
#include "clang/Driver/ToolChain.h" #include "clang/Driver/ToolChain.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/ADT/StringSwitch.h" #include "llvm/ADT/StringSwitch.h"
#include "llvm/Support/Path.h" #include "llvm/Support/Path.h"
#include "llvm/Support/SpecialCaseList.h" #include "llvm/Support/SpecialCaseList.h"
#include "llvm/Support/VirtualFileSystem.h" #include "llvm/Support/VirtualFileSystem.h"
#include "llvm/TargetParser/AArch64TargetParser.h" #include "llvm/TargetParser/AArch64TargetParser.h"
#include "llvm/TargetParser/RISCVTargetParser.h" #include "llvm/TargetParser/RISCVTargetParser.h"
#include "llvm/TargetParser/TargetParser.h" #include "llvm/TargetParser/TargetParser.h"
#include "llvm/Transforms/Instrumentation/AddressSanitizerOptions.h" #include "llvm/Transforms/Instrumentation/AddressSanitizerOptions.h"
▲ Show 20 LinesShow All 275 Lines▼ Show 20 Lines
bool SanitizerArgs::needsUnwindTables() const { bool SanitizerArgs::needsUnwindTables() const {
return static_cast<bool>(Sanitizers.Mask & NeedsUnwindTables); return static_cast<bool>(Sanitizers.Mask & NeedsUnwindTables);
} }
bool SanitizerArgs::needsLTO() const { bool SanitizerArgs::needsLTO() const {
return static_cast<bool>(Sanitizers.Mask & NeedsLTO); return static_cast<bool>(Sanitizers.Mask & NeedsLTO);
} }
SanitizerArgs::SanitizerArgs(const ToolChain &TC, SanitizerArgs::SanitizerArgs(const ToolChain &TC,
mcgrathrUnsubmitted
Not Done
ReplyInline Actions

I'm guessing that "DSL" stands for "data small limit" or something, which is confusing since the thing is called small-data-limit, not data-small-limit. Anyway, this is the first use I've seen of DSL as an abbreviation related to any of this. I think it would be clear enough to just call it shadowCallStackConflicts since it's responsible for detecting conflicts between shadow-call-stack and whatever is relevant to that in the particular target.

mcgrathr: I'm guessing that "DSL" stands for "data small limit" or something, which is confusing since…
paulkirthAuthorUnsubmitted
Done
ReplyInline Actions

Oops. Seems to be a typo. Thank you.

paulkirth: Oops. Seems to be a typo. Thank you.
const llvm::opt::ArgList &Args, const llvm::opt::ArgList &Args,
bool DiagnoseErrors) { bool DiagnoseErrors) {
SanitizerMask AllRemove; // During the loop below, the accumulated set of SanitizerMask AllRemove; // During the loop below, the accumulated set of
// sanitizers disabled by the current sanitizer // sanitizers disabled by the current sanitizer
// argument or any argument after it. // argument or any argument after it.
SanitizerMask AllAddedKinds; // Mask of all sanitizers ever enabled by SanitizerMask AllAddedKinds; // Mask of all sanitizers ever enabled by
// -fsanitize= flags (directly or via group // -fsanitize= flags (directly or via group
mcgrathrUnsubmitted
Done
ReplyInline Actions

This seems like it ought to parse the integer and then compare it to zero as an integer, rather than relying on one exact string representation of zero.

mcgrathr: This seems like it ought to parse the integer and then compare it to zero as an integer, rather…
// expansion), some of which may be disabled // expansion), some of which may be disabled
// later. Used to carefully prune // later. Used to carefully prune
// unused-argument diagnostics. // unused-argument diagnostics.
SanitizerMask DiagnosedKinds; // All Kinds we have diagnosed up to now. SanitizerMask DiagnosedKinds; // All Kinds we have diagnosed up to now.
// Used to deduplicate diagnostics. // Used to deduplicate diagnostics.
SanitizerMask Kinds; SanitizerMask Kinds;
const SanitizerMask Supported = setGroupBits(TC.getSupportedSanitizers()); const SanitizerMask Supported = setGroupBits(TC.getSupportedSanitizers());
▲ Show 20 LinesShow All 215 Lines▼ Show 20 LinesSanitizerArgs::SanitizerArgs(const ToolChain &TC,
} }
// Check that LTO is enabled if we need it. // Check that LTO is enabled if we need it.
if ((Kinds & NeedsLTO) && !D.isUsingLTO() && DiagnoseErrors) { if ((Kinds & NeedsLTO) && !D.isUsingLTO() && DiagnoseErrors) {
D.Diag(diag::err_drv_argument_only_allowed_with) D.Diag(diag::err_drv_argument_only_allowed_with)
<< lastArgumentForMask(D, Args, Kinds & NeedsLTO) << "-flto"; << lastArgumentForMask(D, Args, Kinds & NeedsLTO) << "-flto";
} }
if ((Kinds & SanitizerKind::ShadowCallStack) && if ((Kinds & SanitizerKind::ShadowCallStack) && TC.getTriple().isAArch64() &&
((TC.getTriple().isAArch64() && !llvm::AArch64::isX18ReservedByDefault(TC.getTriple()) &&
mcgrathrUnsubmitted
Done
ReplyInline Actions

For RISC-V this needs a similar check that the equivalent of -msmall-data-limit=0 is in force (that's the default under -fPIC but not other modes).

mcgrathr: For RISC-V this needs a similar check that the equivalent of `-msmall-data-limit=0` is in force…
paulkirthAuthorUnsubmitted
Done
ReplyInline Actions

I'll look into adding support for that.

paulkirth: I'll look into adding support for that.
!llvm::AArch64::isX18ReservedByDefault(TC.getTriple())) ||
(TC.getTriple().isRISCV() &&
!llvm::RISCV::isX18ReservedByDefault(TC.getTriple()))) &&
!Args.hasArg(options::OPT_ffixed_x18) && DiagnoseErrors) { !Args.hasArg(options::OPT_ffixed_x18) && DiagnoseErrors) {
D.Diag(diag::err_drv_argument_only_allowed_with) D.Diag(diag::err_drv_argument_only_allowed_with)
<< lastArgumentForMask(D, Args, Kinds & SanitizerKind::ShadowCallStack) << lastArgumentForMask(D, Args, Kinds & SanitizerKind::ShadowCallStack)
<< "-ffixed-x18"; << "-ffixed-x18";
} }
mcgrathrUnsubmitted
Not Done
ReplyInline Actions

I'd just move all this per-target logic inside shadowCallStackConflicts and maybe just make it a void function called checkShadowCallStackConflcits or something.

mcgrathr: I'd just move all this per-target logic inside `shadowCallStackConflicts` and maybe just make…
// Report error if there are non-trapping sanitizers that require // Report error if there are non-trapping sanitizers that require
// c++abi-specific parts of UBSan runtime, and they are not provided by the // c++abi-specific parts of UBSan runtime, and they are not provided by the
// toolchain. We don't have a good way to check the latter, so we just // toolchain. We don't have a good way to check the latter, so we just
// check if the toolchan supports vptr. // check if the toolchan supports vptr.
if (~Supported & SanitizerKind::Vptr) { if (~Supported & SanitizerKind::Vptr) {
SanitizerMask KindsToDiagnose = Kinds & ~TrappingKinds & NeedsUbsanCxxRt; SanitizerMask KindsToDiagnose = Kinds & ~TrappingKinds & NeedsUbsanCxxRt;
// The runtime library supports the Microsoft C++ ABI, but only well enough // The runtime library supports the Microsoft C++ ABI, but only well enough
// for CFI. FIXME: Remove this once we support vptr on Windows. // for CFI. FIXME: Remove this once we support vptr on Windows.
if (TC.getTriple().isOSWindows()) if (TC.getTriple().isOSWindows())
KindsToDiagnose &= ~SanitizerKind::CFI; KindsToDiagnose &= ~SanitizerKind::CFI;
if (KindsToDiagnose) { if (KindsToDiagnose) {
SanitizerSet S; SanitizerSet S;
jrtc27Unsubmitted
Done
ReplyInline Actions

Why is this an error? It may be a misguided thing to enable but it is 100% supported to combine this. All the limit does is put things in .sdata, but they can still be addressed just fine.

jrtc27: Why is this an error? It may be a misguided thing to enable but it is 100% supported to combine…
paulkirthAuthorUnsubmitted
Done
ReplyInline Actions

My understanding is that (whether they should or not) linkers are using the presence of the .sdata section to enable gp relaxation.

paulkirth: My understanding is that (whether they should or not) linkers are using the presence of the `.
jrtc27Unsubmitted
Done
ReplyInline Actions

That is not true

jrtc27: That is not true
jrtc27Unsubmitted
Done
ReplyInline Actions

Putting variables in .sdata merely makes it more likely that the linker will be able to relax accesses to them to use GP. Variables outside .sdata still can and will be relaxed if within range of whatever gets picked for __global_pointer$.

jrtc27: Putting variables in .sdata merely makes it more likely that the linker will be able to relax…
paulkirthAuthorUnsubmitted
Done
ReplyInline Actions

Yes, I seem to have had been under the wrong impression. I've dropped everything regarding -msmall-data-limit.

paulkirth: Yes, I seem to have had been under the wrong impression. I've dropped everything regarding `…
S.Mask = KindsToDiagnose; S.Mask = KindsToDiagnose;
if (DiagnoseErrors) if (DiagnoseErrors)
D.Diag(diag::err_drv_unsupported_opt_for_target) D.Diag(diag::err_drv_unsupported_opt_for_target)
<< ("-fno-sanitize-trap=" + toString(S)) << TC.getTriple().str(); << ("-fno-sanitize-trap=" + toString(S)) << TC.getTriple().str();
Kinds &= ~KindsToDiagnose; Kinds &= ~KindsToDiagnose;
} }
} }
▲ Show 20 LinesShow All 900 LinesShow Last 20 Lines

clang/test/Driver/sanitizer-ld.c

Show First 20 LinesShow All 730 Lines▼ Show 20 Lines
// RUN: %clang -fsanitize=shadow-call-stack -### %s 2>&1 \ // RUN: %clang -fsanitize=shadow-call-stack -### %s 2>&1 \
// RUN: --target=aarch64-unknown-linux -fuse-ld=ld \ // RUN: --target=aarch64-unknown-linux -fuse-ld=ld \
// RUN: | FileCheck --check-prefix=CHECK-SHADOWCALLSTACK-LINUX-AARCH64 %s // RUN: | FileCheck --check-prefix=CHECK-SHADOWCALLSTACK-LINUX-AARCH64 %s
// CHECK-SHADOWCALLSTACK-LINUX-AARCH64: '-fsanitize=shadow-call-stack' only allowed with '-ffixed-x18' // CHECK-SHADOWCALLSTACK-LINUX-AARCH64: '-fsanitize=shadow-call-stack' only allowed with '-ffixed-x18'
// RUN: %clang -fsanitize=shadow-call-stack -### %s 2>&1 \ // RUN: %clang -fsanitize=shadow-call-stack -### %s 2>&1 \
// RUN: --target=riscv32-unknown-elf -fuse-ld=ld \ // RUN: --target=riscv32-unknown-elf -fuse-ld=ld \
// RUN: | FileCheck --check-prefix=CHECK-SHADOWCALLSTACK-ELF-RISCV32 %s // RUN: | FileCheck --check-prefix=CHECK-SHADOWCALLSTACK-ELF-RISCV32 %s
// CHECK-SHADOWCALLSTACK-ELF-RISCV32: '-fsanitize=shadow-call-stack' only allowed with '-ffixed-x18' // CHECK-SHADOWCALLSTACK-ELF-RISCV32-NOT: error:
// RUN: %clang -fsanitize=shadow-call-stack -### %s 2>&1 \ // RUN: %clang -fsanitize=shadow-call-stack -### %s 2>&1 \
// RUN: --target=riscv64-unknown-linux -fuse-ld=ld \ // RUN: --target=riscv64-unknown-linux -fuse-ld=ld \
// RUN: | FileCheck --check-prefix=CHECK-SHADOWCALLSTACK-LINUX-RISCV64 %s // RUN: | FileCheck --check-prefix=CHECK-SHADOWCALLSTACK-LINUX-RISCV64 %s
// CHECK-SHADOWCALLSTACK-LINUX-RISCV64: '-fsanitize=shadow-call-stack' only allowed with '-ffixed-x18' // CHECK-SHADOWCALLSTACK-LINUX-RISCV64-NOT: error:
// RUN: %clang -target riscv64-linux-android -fsanitize=shadow-call-stack %s -### 2>&1 \ // RUN: %clang -target riscv64-linux-android -fsanitize=shadow-call-stack %s -### 2>&1 \
mcgrathrUnsubmitted
Done
ReplyInline Actions

I'd also add tests here for android and fuchsia targets with explicit -msmall-data-limit=<nonzero> being rejected by default but being allowed with -fno-sanitize=shadow-call-stack.

There should also be tests independent of shadow-call-stack that just verify at least for fuchsia targets that -msmall-data-limit=0 is passed by default for the default (PIE) case. Actually, it should also test that this remains so when -fno-sanitize=shadow-call-stack is passed, because it's still the standard target ABI that gp might be used for shadow-call-stack by interoperating code and so gp should never be used for something else without explicit -msmall-data-limit=... on fuchsia.

mcgrathr: I'd also add tests here for android and fuchsia targets with explicit `-msmall-data…
// RUN: | FileCheck %s --check-prefix=CHECK-SHADOWCALLSTACK-ANDROID-RISCV64 // RUN: | FileCheck %s --check-prefix=CHECK-SHADOWCALLSTACK-ANDROID-RISCV64
// CHECK-SHADOWCALLSTACK-ANDROID-RISCV64-NOT: error: // CHECK-SHADOWCALLSTACK-ANDROID-RISCV64-NOT: error:
// RUN: %clang -fsanitize=shadow-call-stack -### %s 2>&1 \ // RUN: %clang -fsanitize=shadow-call-stack -### %s 2>&1 \
// RUN: --target=riscv64-unknown-fuchsia -fuse-ld=ld \ // RUN: --target=riscv64-unknown-fuchsia -fuse-ld=ld \
// RUN: | FileCheck --check-prefix=CHECK-SHADOWCALLSTACK-FUCHSIA-RISCV64 %s // RUN: | FileCheck --check-prefix=CHECK-SHADOWCALLSTACK-FUCHSIA-RISCV64 %s
// CHECK-SHADOWCALLSTACK-FUCHSIA-RISCV64-NOT: error: // CHECK-SHADOWCALLSTACK-FUCHSIA-RISCV64-NOT: error:
▲ Show 20 LinesShow All 306 LinesShow Last 20 Lines

compiler-rt/test/shadowcallstack/lit.cfg.py

Show All 13 Lines
# Add clang substitutions. # Add clang substitutions.
config.substitutions.append( ("%clang_noscs ", config.clang + ' -O0 -fno-sanitize=shadow-call-stack ' + config.target_cflags + ' ') ) config.substitutions.append( ("%clang_noscs ", config.clang + ' -O0 -fno-sanitize=shadow-call-stack ' + config.target_cflags + ' ') )
scs_arch_cflags = config.target_cflags scs_arch_cflags = config.target_cflags
if config.target_arch == 'aarch64': if config.target_arch == 'aarch64':
scs_arch_cflags += ' -ffixed-x18 ' scs_arch_cflags += ' -ffixed-x18 '
config.substitutions.append( ("%clang_scs ", config.clang + ' -O0 -fsanitize=shadow-call-stack ' + scs_arch_cflags + ' ') ) config.substitutions.append( ("%clang_scs ", config.clang + ' -O0 -fsanitize=shadow-call-stack ' + scs_arch_cflags + ' ') )
if config.host_os not in ['Linux'] or config.target_arch not in ['aarch64']: if config.host_os not in ['Linux'] or config.target_arch not in ['aarch64','riscv64']:
config.unsupported = True config.unsupported = True

llvm/docs/ReleaseNotes.rst

Show First 20 LinesShow All 149 Lines▼ Show 20 Lines
* Added support for the vendor-defined XTHeadMemIdx (indexed memory operations) * Added support for the vendor-defined XTHeadMemIdx (indexed memory operations)
extension disassembler/assembler. extension disassembler/assembler.
* Added support for the vendor-defined Xsfvcp (SiFive VCIX) extension * Added support for the vendor-defined Xsfvcp (SiFive VCIX) extension
disassembler/assembler. disassembler/assembler.
* Support for the now-ratified Zawrs extension is no longer experimental. * Support for the now-ratified Zawrs extension is no longer experimental.
* Adds support for the vendor-defined XTHeadCmo (cache management operations) extension. * Adds support for the vendor-defined XTHeadCmo (cache management operations) extension.
* Adds support for the vendor-defined XTHeadSync (multi-core synchronization instructions) extension. * Adds support for the vendor-defined XTHeadSync (multi-core synchronization instructions) extension.
* Added support for the vendor-defined XTHeadFMemIdx (indexed memory operations for floating point) extension. * Added support for the vendor-defined XTHeadFMemIdx (indexed memory operations for floating point) extension.
* Assembler support for RV64E was added. * Assembler support for RV64E was added.
mcgrathrUnsubmitted
Done
ReplyInline Actions

Spaces before the parenthetical clauses.

mcgrathr: Spaces before the parenthetical clauses.
* Assembler support was added for the experimental Zicond (integer conditional * Assembler support was added for the experimental Zicond (integer conditional
operations) extension. operations) extension.
* I, F, D, and A extension versions have been update to the 20191214 spec versions. * I, F, D, and A extension versions have been update to the 20191214 spec versions.
New version I2.1, F2.2, D2.2, A2.1. This should not impact code generation. New version I2.1, F2.2, D2.2, A2.1. This should not impact code generation.
Immpacts versions accepted in ``-march`` and reported in ELF attributes. Immpacts versions accepted in ``-march`` and reported in ELF attributes.
* Changed the ShadowCallStack register from ``x18`` (``s2``) to ``x3``
(``gp``). Note this breaks the existing non-standard ABI for ShadowCallStack
on RISC-V, but conforms with the new "platform register" defined in the
RISC-V psABI (for more details see the
`psABI discussion <https://github.com/riscv-non-isa/riscv-elf-psabi-doc/issues/370>`_).
Changes to the WebAssembly Backend Changes to the WebAssembly Backend
---------------------------------- ----------------------------------
* ... * ...
Changes to the Windows Target Changes to the Windows Target
----------------------------- -----------------------------
▲ Show 20 LinesShow All 115 LinesShow Last 20 Lines

llvm/include/llvm/TargetParser/RISCVTargetParser.h

Show All 33 Lines
bool checkCPUKind(CPUKind Kind, bool IsRV64); bool checkCPUKind(CPUKind Kind, bool IsRV64);
bool checkTuneCPUKind(CPUKind Kind, bool IsRV64); bool checkTuneCPUKind(CPUKind Kind, bool IsRV64);
CPUKind parseCPUKind(StringRef CPU); CPUKind parseCPUKind(StringRef CPU);
CPUKind parseTuneCPUKind(StringRef CPU, bool IsRV64); CPUKind parseTuneCPUKind(StringRef CPU, bool IsRV64);
StringRef getMArchFromMcpu(StringRef CPU); StringRef getMArchFromMcpu(StringRef CPU);
void fillValidCPUArchList(SmallVectorImpl<StringRef> &Values, bool IsRV64); void fillValidCPUArchList(SmallVectorImpl<StringRef> &Values, bool IsRV64);
void fillValidTuneCPUArchList(SmallVectorImpl<StringRef> &Values, bool IsRV64); void fillValidTuneCPUArchList(SmallVectorImpl<StringRef> &Values, bool IsRV64);
bool isX18ReservedByDefault(const Triple &TT);
} // namespace RISCV } // namespace RISCV
mcgrathrUnsubmitted
Done
ReplyInline Actions

Why not return an integer value instead of "is zero"?

mcgrathr: Why not return an integer value instead of "is zero"?
} // namespace llvm } // namespace llvm
#endif #endif

llvm/lib/Target/RISCV/MCTargetDesc/RISCVBaseInfo.cpp

Show First 20 LinesShow All 92 Lines▼ Show 20 Lines
} }
// To avoid the BP value clobbered by a function call, we need to choose a // To avoid the BP value clobbered by a function call, we need to choose a
// callee saved register to save the value. RV32E only has X8 and X9 as callee // callee saved register to save the value. RV32E only has X8 and X9 as callee
// saved registers and X8 will be used as fp. So we choose X9 as bp. // saved registers and X8 will be used as fp. So we choose X9 as bp.
MCRegister getBPReg() { return RISCV::X9; } MCRegister getBPReg() { return RISCV::X9; }
// Returns the register holding shadow call stack pointer. // Returns the register holding shadow call stack pointer.
MCRegister getSCSPReg() { return RISCV::X18; } MCRegister getSCSPReg() { return RISCV::X3; }
} // namespace RISCVABI } // namespace RISCVABI
namespace RISCVFeatures { namespace RISCVFeatures {
void validate(const Triple &TT, const FeatureBitset &FeatureBits) { void validate(const Triple &TT, const FeatureBitset &FeatureBits) {
if (TT.isArch64Bit() && !FeatureBits[RISCV::Feature64Bit]) if (TT.isArch64Bit() && !FeatureBits[RISCV::Feature64Bit])
report_fatal_error("RV64 target requires an RV64 CPU"); report_fatal_error("RV64 target requires an RV64 CPU");
▲ Show 20 LinesShow All 189 LinesShow Last 20 Lines

llvm/lib/Target/RISCV/RISCVFrameLowering.cpp

Show All 21 Lines
#include "llvm/IR/DiagnosticInfo.h" #include "llvm/IR/DiagnosticInfo.h"
#include "llvm/MC/MCDwarf.h" #include "llvm/MC/MCDwarf.h"
#include "llvm/Support/LEB128.h" #include "llvm/Support/LEB128.h"
#include <algorithm> #include <algorithm>
using namespace llvm; using namespace llvm;
// For now we use x18, a.k.a s2, as pointer to shadow call stack. // For now we use x3, a.k.a gp, as pointer to shadow call stack.
// User should explicitly set -ffixed-x18 and not use x18 in their asm. // User should not use x3 in their asm.
static void emitSCSPrologue(MachineFunction &MF, MachineBasicBlock &MBB, static void emitSCSPrologue(MachineFunction &MF, MachineBasicBlock &MBB,
MachineBasicBlock::iterator MI, MachineBasicBlock::iterator MI,
const DebugLoc &DL) { const DebugLoc &DL) {
if (!MF.getFunction().hasFnAttribute(Attribute::ShadowCallStack)) if (!MF.getFunction().hasFnAttribute(Attribute::ShadowCallStack))
return; return;
const auto &STI = MF.getSubtarget<RISCVSubtarget>(); const auto &STI = MF.getSubtarget<RISCVSubtarget>();
const llvm::RISCVRegisterInfo *TRI = STI.getRegisterInfo(); const llvm::RISCVRegisterInfo *TRI = STI.getRegisterInfo();
Register RAReg = TRI->getRARegister(); Register RAReg = TRI->getRARegister();
// Do not save RA to the SCS if it's not saved to the regular stack, // Do not save RA to the SCS if it's not saved to the regular stack,
// i.e. RA is not at risk of being overwritten. // i.e. RA is not at risk of being overwritten.
std::vector<CalleeSavedInfo> &CSI = MF.getFrameInfo().getCalleeSavedInfo(); std::vector<CalleeSavedInfo> &CSI = MF.getFrameInfo().getCalleeSavedInfo();
if (llvm::none_of( if (llvm::none_of(
CSI, [&](CalleeSavedInfo &CSR) { return CSR.getReg() == RAReg; })) CSI, [&](CalleeSavedInfo &CSR) { return CSR.getReg() == RAReg; }))
return; return;
Register SCSPReg = RISCVABI::getSCSPReg(); Register SCSPReg = RISCVABI::getSCSPReg();
auto &Ctx = MF.getFunction().getContext();
if (!STI.isRegisterReservedByUser(SCSPReg)) {
Ctx.diagnose(DiagnosticInfoUnsupported{
MF.getFunction(), "x18 not reserved by user for Shadow Call Stack."});
return;
}
const auto *RVFI = MF.getInfo<RISCVMachineFunctionInfo>();
if (RVFI->useSaveRestoreLibCalls(MF)) {
Ctx.diagnose(DiagnosticInfoUnsupported{
MF.getFunction(),
"Shadow Call Stack cannot be combined with Save/Restore LibCalls."});
hiradityaUnsubmitted
Done
ReplyInline Actions

hiraditya:
return;
}
const RISCVInstrInfo *TII = STI.getInstrInfo(); const RISCVInstrInfo *TII = STI.getInstrInfo();
craig.topperUnsubmitted
Done
ReplyInline Actions

Can you add a FIXME here? Using x27 should hopefully remove this restriction

craig.topper: Can you add a FIXME here? Using x27 should hopefully remove this restriction
paulkirthAuthorUnsubmitted
Done
ReplyInline Actions

I've added the FIXME, but do we just want to remove this now? or is there some issues or chang under review I can ref in the FIXME?

paulkirth: I've added the FIXME, but do we just want to remove this now? or is there some issues or chang…
craig.topperUnsubmitted
Done
ReplyInline Actions

We can remove it, but we should add a test for it.

craig.topper: We can remove it, but we should add a test for it.
paulkirthAuthorUnsubmitted
Done
ReplyInline Actions

That makes sense. Thanks.

paulkirth: That makes sense. Thanks.
MaskRayUnsubmitted
Done
ReplyInline Actions

Nit: Drop the period while updating the message. See https://llvm.org/docs/CodingStandards.html#error-and-warning-messages

MaskRay: Nit: Drop the period while updating the message. See https://llvm.org/docs/CodingStandards.
bool IsRV64 = STI.hasFeature(RISCV::Feature64Bit); bool IsRV64 = STI.hasFeature(RISCV::Feature64Bit);
int64_t SlotSize = STI.getXLen() / 8; int64_t SlotSize = STI.getXLen() / 8;
// Store return address to shadow call stack // Store return address to shadow call stack
// s[w|d] ra, 0(s2) // s[w|d] ra, 0(gp)
// addi s2, s2, [4|8] // addi gp, gp, [4|8]
BuildMI(MBB, MI, DL, TII->get(IsRV64 ? RISCV::SD : RISCV::SW)) BuildMI(MBB, MI, DL, TII->get(IsRV64 ? RISCV::SD : RISCV::SW))
.addReg(RAReg) .addReg(RAReg)
.addReg(SCSPReg) .addReg(SCSPReg)
.addImm(0) .addImm(0)
.setMIFlag(MachineInstr::FrameSetup); .setMIFlag(MachineInstr::FrameSetup);
BuildMI(MBB, MI, DL, TII->get(RISCV::ADDI)) BuildMI(MBB, MI, DL, TII->get(RISCV::ADDI))
.addReg(SCSPReg, RegState::Define) .addReg(SCSPReg, RegState::Define)
.addReg(SCSPReg) .addReg(SCSPReg)
.addImm(SlotSize) .addImm(SlotSize)
.setMIFlag(MachineInstr::FrameSetup); .setMIFlag(MachineInstr::FrameSetup);
// Emit a CFI instruction that causes SlotSize to be subtracted from the value // Emit a CFI instruction that causes SlotSize to be subtracted from the value
// of the shadow stack pointer when unwinding past this frame. // of the shadow stack pointer when unwinding past this frame.
char DwarfSCSReg = TRI->getDwarfRegNum(SCSPReg, /*IsEH*/ true); char DwarfSCSReg = TRI->getDwarfRegNum(SCSPReg, /*IsEH*/ true);
assert(DwarfSCSReg < 32 && "SCS Register should be < 32 (X18)."); assert(DwarfSCSReg < 32 && "SCS Register should be < 32 (X3).");
char Offset = static_cast<char>(-SlotSize) & 0x7f; char Offset = static_cast<char>(-SlotSize) & 0x7f;
const char CFIInst[] = { const char CFIInst[] = {
dwarf::DW_CFA_val_expression, dwarf::DW_CFA_val_expression,
DwarfSCSReg, // register DwarfSCSReg, // register
2, // length 2, // length
static_cast<char>(unsigned(dwarf::DW_OP_breg0 + DwarfSCSReg)), static_cast<char>(unsigned(dwarf::DW_OP_breg0 + DwarfSCSReg)),
Offset, // addend (sleb128) Offset, // addend (sleb128)
Show All 17 Linesstatic void emitSCSEpilogue(MachineFunction &MF, MachineBasicBlock &MBB,
// See emitSCSPrologue() above. // See emitSCSPrologue() above.
std::vector<CalleeSavedInfo> &CSI = MF.getFrameInfo().getCalleeSavedInfo(); std::vector<CalleeSavedInfo> &CSI = MF.getFrameInfo().getCalleeSavedInfo();
if (llvm::none_of( if (llvm::none_of(
CSI, [&](CalleeSavedInfo &CSR) { return CSR.getReg() == RAReg; })) CSI, [&](CalleeSavedInfo &CSR) { return CSR.getReg() == RAReg; }))
return; return;
Register SCSPReg = RISCVABI::getSCSPReg(); Register SCSPReg = RISCVABI::getSCSPReg();
auto &Ctx = MF.getFunction().getContext();
if (!STI.isRegisterReservedByUser(SCSPReg)) {
Ctx.diagnose(DiagnosticInfoUnsupported{
MF.getFunction(), "x18 not reserved by user for Shadow Call Stack."});
return;
}
const auto *RVFI = MF.getInfo<RISCVMachineFunctionInfo>();
if (RVFI->useSaveRestoreLibCalls(MF)) {
Ctx.diagnose(DiagnosticInfoUnsupported{
MF.getFunction(),
"Shadow Call Stack cannot be combined with Save/Restore LibCalls."});
return;
}
const RISCVInstrInfo *TII = STI.getInstrInfo(); const RISCVInstrInfo *TII = STI.getInstrInfo();
MaskRayUnsubmitted
Done
ReplyInline Actions

Nit: Drop the period while updating the message. See https://llvm.org/docs/CodingStandards.html#error-and-warning-messages

MaskRay: Nit: Drop the period while updating the message. See https://llvm.org/docs/CodingStandards.
bool IsRV64 = STI.hasFeature(RISCV::Feature64Bit); bool IsRV64 = STI.hasFeature(RISCV::Feature64Bit);
int64_t SlotSize = STI.getXLen() / 8; int64_t SlotSize = STI.getXLen() / 8;
// Load return address from shadow call stack // Load return address from shadow call stack
// l[w|d] ra, -[4|8](s2) // l[w|d] ra, -[4|8](gp)
// addi s2, s2, -[4|8] // addi gp, gp, -[4|8]
BuildMI(MBB, MI, DL, TII->get(IsRV64 ? RISCV::LD : RISCV::LW)) BuildMI(MBB, MI, DL, TII->get(IsRV64 ? RISCV::LD : RISCV::LW))
.addReg(RAReg, RegState::Define) .addReg(RAReg, RegState::Define)
.addReg(SCSPReg) .addReg(SCSPReg)
.addImm(-SlotSize) .addImm(-SlotSize)
.setMIFlag(MachineInstr::FrameDestroy); .setMIFlag(MachineInstr::FrameDestroy);
BuildMI(MBB, MI, DL, TII->get(RISCV::ADDI)) BuildMI(MBB, MI, DL, TII->get(RISCV::ADDI))
.addReg(SCSPReg, RegState::Define) .addReg(SCSPReg, RegState::Define)
.addReg(SCSPReg) .addReg(SCSPReg)
▲ Show 20 LinesShow All 1,247 LinesShow Last 20 Lines

llvm/lib/Target/RISCV/RISCVSubtarget.cpp

Show First 20 LinesShow All 76 Lines▼ Show 20 LinesRISCVSubtarget::RISCVSubtarget(const Triple &TT, StringRef CPU,
StringRef TuneCPU, StringRef FS, StringRef TuneCPU, StringRef FS,
StringRef ABIName, unsigned RVVVectorBitsMin, StringRef ABIName, unsigned RVVVectorBitsMin,
unsigned RVVVectorBitsMax, unsigned RVVVectorBitsMax,
const TargetMachine &TM) const TargetMachine &TM)
: RISCVGenSubtargetInfo(TT, CPU, TuneCPU, FS), : RISCVGenSubtargetInfo(TT, CPU, TuneCPU, FS),
RVVVectorBitsMin(RVVVectorBitsMin), RVVVectorBitsMax(RVVVectorBitsMax), RVVVectorBitsMin(RVVVectorBitsMin), RVVVectorBitsMax(RVVVectorBitsMax),
FrameLowering( FrameLowering(
initializeSubtargetDependencies(TT, CPU, TuneCPU, FS, ABIName)), initializeSubtargetDependencies(TT, CPU, TuneCPU, FS, ABIName)),
InstrInfo(*this), RegInfo(getHwMode()), TLInfo(TM, *this) { InstrInfo(*this), RegInfo(getHwMode()), TLInfo(TM, *this) {
if (RISCV::isX18ReservedByDefault(TT))
paulkirthAuthorUnsubmitted
Done
ReplyInline Actions

@mcgrathr This stops Fuchsia and Android from reserving X18. I'll look at doing something similar for -msmall-data-limit=0.

paulkirth: @mcgrathr This stops Fuchsia and Android from reserving X18. I'll look at doing something…
UserReservedRegister.set(RISCV::X18);
CallLoweringInfo.reset(new RISCVCallLowering(*getTargetLowering())); CallLoweringInfo.reset(new RISCVCallLowering(*getTargetLowering()));
craig.topperUnsubmitted
Done
ReplyInline Actions

Drop the blank line here.

craig.topper: Drop the blank line here.
Legalizer.reset(new RISCVLegalizerInfo(*this)); Legalizer.reset(new RISCVLegalizerInfo(*this));
auto *RBI = new RISCVRegisterBankInfo(*getRegisterInfo()); auto *RBI = new RISCVRegisterBankInfo(*getRegisterInfo());
RegBankInfo.reset(RBI); RegBankInfo.reset(RBI);
InstSelector.reset(createRISCVInstructionSelector( InstSelector.reset(createRISCVInstructionSelector(
*static_cast<const RISCVTargetMachine *>(&TM), *this, *RBI)); *static_cast<const RISCVTargetMachine *>(&TM), *this, *RBI));
} }
▲ Show 20 LinesShow All 83 LinesShow Last 20 Lines

llvm/lib/TargetParser/RISCVTargetParser.cpp

Show First 20 LinesShow All 78 Lines▼ Show 20 Lines
void fillValidTuneCPUArchList(SmallVectorImpl<StringRef> &Values, bool IsRV64) { void fillValidTuneCPUArchList(SmallVectorImpl<StringRef> &Values, bool IsRV64) {
for (const auto &C : RISCVCPUInfo) { for (const auto &C : RISCVCPUInfo) {
if (C.Kind != CK_INVALID && IsRV64 == C.is64Bit()) if (C.Kind != CK_INVALID && IsRV64 == C.is64Bit())
Values.emplace_back(C.Name); Values.emplace_back(C.Name);
} }
#define TUNE_PROC(ENUM, NAME) Values.emplace_back(StringRef(NAME)); #define TUNE_PROC(ENUM, NAME) Values.emplace_back(StringRef(NAME));
#include "llvm/TargetParser/RISCVTargetParserDef.inc" #include "llvm/TargetParser/RISCVTargetParserDef.inc"
} }
bool isX18ReservedByDefault(const Triple &TT) {
// X18 is reserved for the ShadowCallStack ABI (even when not enabled).
return TT.isOSFuchsia() || TT.isAndroid();
}
} // namespace RISCV } // namespace RISCV
craig.topperUnsubmitted
Done
ReplyInline Actions

X18->X27

craig.topper: X18->X27
} // namespace llvm } // namespace llvm

llvm/test/CodeGen/RISCV/reserved-regs.ll

Show First 20 LinesShow All 50 Lines▼ Show 20 Lines
; RUN: llc -mtriple=riscv32 -mattr=+reserve-x28 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X28 ; RUN: llc -mtriple=riscv32 -mattr=+reserve-x28 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X28
; RUN: llc -mtriple=riscv64 -mattr=+reserve-x28 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X28 ; RUN: llc -mtriple=riscv64 -mattr=+reserve-x28 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X28
; RUN: llc -mtriple=riscv32 -mattr=+reserve-x29 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X29 ; RUN: llc -mtriple=riscv32 -mattr=+reserve-x29 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X29
; RUN: llc -mtriple=riscv64 -mattr=+reserve-x29 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X29 ; RUN: llc -mtriple=riscv64 -mattr=+reserve-x29 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X29
; RUN: llc -mtriple=riscv32 -mattr=+reserve-x30 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X30 ; RUN: llc -mtriple=riscv32 -mattr=+reserve-x30 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X30
; RUN: llc -mtriple=riscv64 -mattr=+reserve-x30 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X30 ; RUN: llc -mtriple=riscv64 -mattr=+reserve-x30 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X30
; RUN: llc -mtriple=riscv32 -mattr=+reserve-x31 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X31 ; RUN: llc -mtriple=riscv32 -mattr=+reserve-x31 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X31
; RUN: llc -mtriple=riscv64 -mattr=+reserve-x31 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X31 ; RUN: llc -mtriple=riscv64 -mattr=+reserve-x31 -verify-machineinstrs < %s | FileCheck %s -check-prefix=X31
; RUN: llc -mtriple=riscv64-fuchsia -verify-machineinstrs < %s | FileCheck %s -check-prefix=X18
; RUN: llc -mtriple=riscv64-linux-android -verify-machineinstrs < %s | FileCheck %s -check-prefix=X18
; This program is free to use all registers, but needs a stack pointer for ; This program is free to use all registers, but needs a stack pointer for
mcgrathrUnsubmitted
Done
ReplyInline Actions

gp is a fixed register for all RISC-V targets. What's important to check is that Fuchsia and Android disable the small-data-section behavior.

mcgrathr: gp is a fixed register for all RISC-V targets. What's important to check is that Fuchsia and…
; spill values, so do not test for reserving the stack pointer. ; spill values, so do not test for reserving the stack pointer.
; Used to exhaust all registers ; Used to exhaust all registers
@var = global [32 x i64] zeroinitializer @var = global [32 x i64] zeroinitializer
define void @foo() { define void @foo() {
%1 = load volatile [32 x i64], ptr @var %1 = load volatile [32 x i64], ptr @var
store volatile [32 x i64] %1, ptr @var store volatile [32 x i64] %1, ptr @var
▲ Show 20 LinesShow All 62 LinesShow Last 20 Lines

llvm/test/CodeGen/RISCV/saverestore-scs.ll

  • This file was added.
;; Check that shadow call stack doesn't interfere with save/restore
MaskRayUnsubmitted
Done
ReplyInline Actions
- ; Check that shadow call stack doesn't interfere with save/restore
+ ;; Check that shadow call stack doesn't interfere with save/restore.
; RUN: llc -mtriple=riscv32 -mattr=+reserve-x27 < %s | FileCheck %s -check-prefix=RV32I

;; appears a useful prefix to highlight non-RUN-non-CHECK comments. It also makes it clear Check is not a typo for CHECK: when we have some automation tools to detect stale CHECK lines.

MaskRay: `;; ` appears a useful prefix to highlight non-RUN-non-CHECK comments. It also makes it clear…
; RUN: llc -mtriple=riscv32 < %s | FileCheck %s -check-prefix=RV32I
; RUN: llc -mtriple=riscv64 < %s | FileCheck %s -check-prefix=RV64I
; RUN: llc -mtriple=riscv32 -mattr=+save-restore < %s | FileCheck %s -check-prefix=RV32I-SR
; RUN: llc -mtriple=riscv64 -mattr=+save-restore < %s | FileCheck %s -check-prefix=RV64I-SR
; RUN: llc -mtriple=riscv32 -mattr=+f,+save-restore -target-abi=ilp32f < %s | FileCheck %s -check-prefix=RV32I-FP-SR
; RUN: llc -mtriple=riscv64 -mattr=+f,+d,+save-restore -target-abi=lp64d < %s | FileCheck %s -check-prefix=RV64I-FP-SR
@var2 = global [30 x i32] zeroinitializer
define void @callee_scs() nounwind shadowcallstack {
; RV32I-LABEL: callee_scs:
; RV32I-NOT: call t0, __riscv_save
; RV32I-NOT: tail __riscv_restore
;
; RV64I-LABEL: callee_scs:
; RV64I-NOT: call t0, __riscv_save
; RV64I-NOT: tail __riscv_restore
;
; RV32I-SR-LABEL: callee_scs:
; RV32I-SR: call t0, __riscv_save_12
; RV32I-SR: tail __riscv_restore_12
;
; RV64I-SR-LABEL: callee_scs:
; RV64I-SR: call t0, __riscv_save_12
; RV64I-SR: tail __riscv_restore_12
;
; RV32I-FP-SR-LABEL: callee_scs:
; RV32I-FP-SR: call t0, __riscv_save_12
; RV32I-FP-SR: tail __riscv_restore_12
;
; RV64I-FP-SR-LABEL: callee_scs:
; RV64I-FP-SR: call t0, __riscv_save_12
; RV64I-FP-SR: tail __riscv_restore_12
%val = load [30 x i32], ptr @var2
store volatile [30 x i32] %val, ptr @var2
ret void
}

llvm/test/CodeGen/RISCV/shadowcallstack.ll

; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py ; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py
; RUN: llc -mtriple=riscv32 -mattr=+reserve-x18 -verify-machineinstrs < %s \ ; RUN: llc -mtriple=riscv32 -verify-machineinstrs < %s \
; RUN: | FileCheck %s --check-prefix=RV32 ; RUN: | FileCheck %s --check-prefix=RV32
; RUN: llc -mtriple=riscv64 -mattr=+reserve-x18 -verify-machineinstrs < %s \ ; RUN: llc -mtriple=riscv64 -verify-machineinstrs < %s \
; RUN: | FileCheck %s --check-prefix=RV64 ; RUN: | FileCheck %s --check-prefix=RV64
define void @f1() shadowcallstack { define void @f1() shadowcallstack {
; RV32-LABEL: f1: ; RV32-LABEL: f1:
; RV32: # %bb.0: ; RV32: # %bb.0:
; RV32-NEXT: ret ; RV32-NEXT: ret
; ;
; RV64-LABEL: f1: ; RV64-LABEL: f1:
Show All 16 Lines; RV64-NEXT: tail foo@plt
ret void ret void
} }
declare i32 @bar() declare i32 @bar()
define i32 @f3() shadowcallstack { define i32 @f3() shadowcallstack {
; RV32-LABEL: f3: ; RV32-LABEL: f3:
; RV32: # %bb.0: ; RV32: # %bb.0:
; RV32-NEXT: sw ra, 0(s2) ; RV32-NEXT: sw ra, 0(gp)
; RV32-NEXT: addi s2, s2, 4 ; RV32-NEXT: addi gp, gp, 4
; RV32-NEXT: .cfi_escape 0x16, 0x12, 0x02, 0x82, 0x7c # ; RV32-NEXT: .cfi_escape 0x16, 0x03, 0x02, 0x73, 0x7c #
; RV32-NEXT: addi sp, sp, -16 ; RV32-NEXT: addi sp, sp, -16
; RV32-NEXT: .cfi_def_cfa_offset 16 ; RV32-NEXT: .cfi_def_cfa_offset 16
; RV32-NEXT: sw ra, 12(sp) # 4-byte Folded Spill ; RV32-NEXT: sw ra, 12(sp) # 4-byte Folded Spill
; RV32-NEXT: .cfi_offset ra, -4 ; RV32-NEXT: .cfi_offset ra, -4
; RV32-NEXT: call bar@plt ; RV32-NEXT: call bar@plt
; RV32-NEXT: lw ra, 12(sp) # 4-byte Folded Reload ; RV32-NEXT: lw ra, 12(sp) # 4-byte Folded Reload
; RV32-NEXT: addi sp, sp, 16 ; RV32-NEXT: addi sp, sp, 16
; RV32-NEXT: lw ra, -4(s2) ; RV32-NEXT: lw ra, -4(gp)
; RV32-NEXT: addi s2, s2, -4 ; RV32-NEXT: addi gp, gp, -4
; RV32-NEXT: .cfi_restore s2 ; RV32-NEXT: .cfi_restore gp
; RV32-NEXT: ret ; RV32-NEXT: ret
; ;
; RV64-LABEL: f3: ; RV64-LABEL: f3:
; RV64: # %bb.0: ; RV64: # %bb.0:
; RV64-NEXT: sd ra, 0(s2) ; RV64-NEXT: sd ra, 0(gp)
; RV64-NEXT: addi s2, s2, 8 ; RV64-NEXT: addi gp, gp, 8
; RV64-NEXT: .cfi_escape 0x16, 0x12, 0x02, 0x82, 0x78 # ; RV64-NEXT: .cfi_escape 0x16, 0x03, 0x02, 0x73, 0x78 #
; RV64-NEXT: addi sp, sp, -16 ; RV64-NEXT: addi sp, sp, -16
; RV64-NEXT: .cfi_def_cfa_offset 16 ; RV64-NEXT: .cfi_def_cfa_offset 16
; RV64-NEXT: sd ra, 8(sp) # 8-byte Folded Spill ; RV64-NEXT: sd ra, 8(sp) # 8-byte Folded Spill
; RV64-NEXT: .cfi_offset ra, -8 ; RV64-NEXT: .cfi_offset ra, -8
; RV64-NEXT: call bar@plt ; RV64-NEXT: call bar@plt
; RV64-NEXT: ld ra, 8(sp) # 8-byte Folded Reload ; RV64-NEXT: ld ra, 8(sp) # 8-byte Folded Reload
; RV64-NEXT: addi sp, sp, 16 ; RV64-NEXT: addi sp, sp, 16
; RV64-NEXT: ld ra, -8(s2) ; RV64-NEXT: ld ra, -8(gp)
; RV64-NEXT: addi s2, s2, -8 ; RV64-NEXT: addi gp, gp, -8
; RV64-NEXT: .cfi_restore s2 ; RV64-NEXT: .cfi_restore gp
; RV64-NEXT: ret ; RV64-NEXT: ret
%res = call i32 @bar() %res = call i32 @bar()
%res1 = add i32 %res, 1 %res1 = add i32 %res, 1
ret i32 %res ret i32 %res
} }
define i32 @f4() shadowcallstack { define i32 @f4() shadowcallstack {
; RV32-LABEL: f4: ; RV32-LABEL: f4:
; RV32: # %bb.0: ; RV32: # %bb.0:
; RV32-NEXT: sw ra, 0(s2) ; RV32-NEXT: sw ra, 0(gp)
; RV32-NEXT: addi s2, s2, 4 ; RV32-NEXT: addi gp, gp, 4
; RV32-NEXT: .cfi_escape 0x16, 0x12, 0x02, 0x82, 0x7c # ; RV32-NEXT: .cfi_escape 0x16, 0x03, 0x02, 0x73, 0x7c #
; RV32-NEXT: addi sp, sp, -16 ; RV32-NEXT: addi sp, sp, -16
; RV32-NEXT: .cfi_def_cfa_offset 16 ; RV32-NEXT: .cfi_def_cfa_offset 16
; RV32-NEXT: sw ra, 12(sp) # 4-byte Folded Spill ; RV32-NEXT: sw ra, 12(sp) # 4-byte Folded Spill
; RV32-NEXT: sw s0, 8(sp) # 4-byte Folded Spill ; RV32-NEXT: sw s0, 8(sp) # 4-byte Folded Spill
; RV32-NEXT: sw s1, 4(sp) # 4-byte Folded Spill ; RV32-NEXT: sw s1, 4(sp) # 4-byte Folded Spill
; RV32-NEXT: sw s3, 0(sp) # 4-byte Folded Spill ; RV32-NEXT: sw s2, 0(sp) # 4-byte Folded Spill
; RV32-NEXT: .cfi_offset ra, -4 ; RV32-NEXT: .cfi_offset ra, -4
; RV32-NEXT: .cfi_offset s0, -8 ; RV32-NEXT: .cfi_offset s0, -8
; RV32-NEXT: .cfi_offset s1, -12 ; RV32-NEXT: .cfi_offset s1, -12
; RV32-NEXT: .cfi_offset s3, -16 ; RV32-NEXT: .cfi_offset s2, -16
; RV32-NEXT: call bar@plt ; RV32-NEXT: call bar@plt
; RV32-NEXT: mv s0, a0 ; RV32-NEXT: mv s0, a0
; RV32-NEXT: call bar@plt ; RV32-NEXT: call bar@plt
; RV32-NEXT: mv s1, a0 ; RV32-NEXT: mv s1, a0
; RV32-NEXT: call bar@plt ; RV32-NEXT: call bar@plt
; RV32-NEXT: mv s3, a0 ; RV32-NEXT: mv s2, a0
; RV32-NEXT: call bar@plt ; RV32-NEXT: call bar@plt
; RV32-NEXT: add s0, s0, s1 ; RV32-NEXT: add s0, s0, s1
; RV32-NEXT: add a0, s3, a0 ; RV32-NEXT: add a0, s2, a0
; RV32-NEXT: add a0, s0, a0 ; RV32-NEXT: add a0, s0, a0
; RV32-NEXT: lw ra, 12(sp) # 4-byte Folded Reload ; RV32-NEXT: lw ra, 12(sp) # 4-byte Folded Reload
; RV32-NEXT: lw s0, 8(sp) # 4-byte Folded Reload ; RV32-NEXT: lw s0, 8(sp) # 4-byte Folded Reload
; RV32-NEXT: lw s1, 4(sp) # 4-byte Folded Reload ; RV32-NEXT: lw s1, 4(sp) # 4-byte Folded Reload
; RV32-NEXT: lw s3, 0(sp) # 4-byte Folded Reload ; RV32-NEXT: lw s2, 0(sp) # 4-byte Folded Reload
; RV32-NEXT: addi sp, sp, 16 ; RV32-NEXT: addi sp, sp, 16
; RV32-NEXT: lw ra, -4(s2) ; RV32-NEXT: lw ra, -4(gp)
; RV32-NEXT: addi s2, s2, -4 ; RV32-NEXT: addi gp, gp, -4
; RV32-NEXT: .cfi_restore s2 ; RV32-NEXT: .cfi_restore gp
; RV32-NEXT: ret ; RV32-NEXT: ret
; ;
; RV64-LABEL: f4: ; RV64-LABEL: f4:
; RV64: # %bb.0: ; RV64: # %bb.0:
; RV64-NEXT: sd ra, 0(s2) ; RV64-NEXT: sd ra, 0(gp)
; RV64-NEXT: addi s2, s2, 8 ; RV64-NEXT: addi gp, gp, 8
; RV64-NEXT: .cfi_escape 0x16, 0x12, 0x02, 0x82, 0x78 # ; RV64-NEXT: .cfi_escape 0x16, 0x03, 0x02, 0x73, 0x78 #
; RV64-NEXT: addi sp, sp, -32 ; RV64-NEXT: addi sp, sp, -32
; RV64-NEXT: .cfi_def_cfa_offset 32 ; RV64-NEXT: .cfi_def_cfa_offset 32
; RV64-NEXT: sd ra, 24(sp) # 8-byte Folded Spill ; RV64-NEXT: sd ra, 24(sp) # 8-byte Folded Spill
; RV64-NEXT: sd s0, 16(sp) # 8-byte Folded Spill ; RV64-NEXT: sd s0, 16(sp) # 8-byte Folded Spill
; RV64-NEXT: sd s1, 8(sp) # 8-byte Folded Spill ; RV64-NEXT: sd s1, 8(sp) # 8-byte Folded Spill
; RV64-NEXT: sd s3, 0(sp) # 8-byte Folded Spill ; RV64-NEXT: sd s2, 0(sp) # 8-byte Folded Spill
; RV64-NEXT: .cfi_offset ra, -8 ; RV64-NEXT: .cfi_offset ra, -8
; RV64-NEXT: .cfi_offset s0, -16 ; RV64-NEXT: .cfi_offset s0, -16
; RV64-NEXT: .cfi_offset s1, -24 ; RV64-NEXT: .cfi_offset s1, -24
; RV64-NEXT: .cfi_offset s3, -32 ; RV64-NEXT: .cfi_offset s2, -32
; RV64-NEXT: call bar@plt ; RV64-NEXT: call bar@plt
; RV64-NEXT: mv s0, a0 ; RV64-NEXT: mv s0, a0
; RV64-NEXT: call bar@plt ; RV64-NEXT: call bar@plt
; RV64-NEXT: mv s1, a0 ; RV64-NEXT: mv s1, a0
; RV64-NEXT: call bar@plt ; RV64-NEXT: call bar@plt
; RV64-NEXT: mv s3, a0 ; RV64-NEXT: mv s2, a0
; RV64-NEXT: call bar@plt ; RV64-NEXT: call bar@plt
; RV64-NEXT: add s0, s0, s1 ; RV64-NEXT: add s0, s0, s1
; RV64-NEXT: add a0, s3, a0 ; RV64-NEXT: add a0, s2, a0
; RV64-NEXT: addw a0, s0, a0 ; RV64-NEXT: addw a0, s0, a0
; RV64-NEXT: ld ra, 24(sp) # 8-byte Folded Reload ; RV64-NEXT: ld ra, 24(sp) # 8-byte Folded Reload
; RV64-NEXT: ld s0, 16(sp) # 8-byte Folded Reload ; RV64-NEXT: ld s0, 16(sp) # 8-byte Folded Reload
; RV64-NEXT: ld s1, 8(sp) # 8-byte Folded Reload ; RV64-NEXT: ld s1, 8(sp) # 8-byte Folded Reload
; RV64-NEXT: ld s3, 0(sp) # 8-byte Folded Reload ; RV64-NEXT: ld s2, 0(sp) # 8-byte Folded Reload
; RV64-NEXT: addi sp, sp, 32 ; RV64-NEXT: addi sp, sp, 32
; RV64-NEXT: ld ra, -8(s2) ; RV64-NEXT: ld ra, -8(gp)
; RV64-NEXT: addi s2, s2, -8 ; RV64-NEXT: addi gp, gp, -8
; RV64-NEXT: .cfi_restore s2 ; RV64-NEXT: .cfi_restore gp
; RV64-NEXT: ret ; RV64-NEXT: ret
%res1 = call i32 @bar() %res1 = call i32 @bar()
%res2 = call i32 @bar() %res2 = call i32 @bar()
%res3 = call i32 @bar() %res3 = call i32 @bar()
%res4 = call i32 @bar() %res4 = call i32 @bar()
%res12 = add i32 %res1, %res2 %res12 = add i32 %res1, %res2
%res34 = add i32 %res3, %res4 %res34 = add i32 %res3, %res4
%res1234 = add i32 %res12, %res34 %res1234 = add i32 %res12, %res34
ret i32 %res1234 ret i32 %res1234
} }
define i32 @f5() shadowcallstack nounwind { define i32 @f5() shadowcallstack nounwind {
; RV32-LABEL: f5: ; RV32-LABEL: f5:
; RV32: # %bb.0: ; RV32: # %bb.0:
; RV32-NEXT: sw ra, 0(s2) ; RV32-NEXT: sw ra, 0(gp)
; RV32-NEXT: addi s2, s2, 4 ; RV32-NEXT: addi gp, gp, 4
; RV32-NEXT: addi sp, sp, -16 ; RV32-NEXT: addi sp, sp, -16
; RV32-NEXT: sw ra, 12(sp) # 4-byte Folded Spill ; RV32-NEXT: sw ra, 12(sp) # 4-byte Folded Spill
; RV32-NEXT: call bar@plt ; RV32-NEXT: call bar@plt
; RV32-NEXT: lw ra, 12(sp) # 4-byte Folded Reload ; RV32-NEXT: lw ra, 12(sp) # 4-byte Folded Reload
; RV32-NEXT: addi sp, sp, 16 ; RV32-NEXT: addi sp, sp, 16
; RV32-NEXT: lw ra, -4(s2) ; RV32-NEXT: lw ra, -4(gp)
; RV32-NEXT: addi s2, s2, -4 ; RV32-NEXT: addi gp, gp, -4
; RV32-NEXT: ret ; RV32-NEXT: ret
; ;
; RV64-LABEL: f5: ; RV64-LABEL: f5:
; RV64: # %bb.0: ; RV64: # %bb.0:
; RV64-NEXT: sd ra, 0(s2) ; RV64-NEXT: sd ra, 0(gp)
; RV64-NEXT: addi s2, s2, 8 ; RV64-NEXT: addi gp, gp, 8
; RV64-NEXT: addi sp, sp, -16 ; RV64-NEXT: addi sp, sp, -16
; RV64-NEXT: sd ra, 8(sp) # 8-byte Folded Spill ; RV64-NEXT: sd ra, 8(sp) # 8-byte Folded Spill
; RV64-NEXT: call bar@plt ; RV64-NEXT: call bar@plt
; RV64-NEXT: ld ra, 8(sp) # 8-byte Folded Reload ; RV64-NEXT: ld ra, 8(sp) # 8-byte Folded Reload
; RV64-NEXT: addi sp, sp, 16 ; RV64-NEXT: addi sp, sp, 16
; RV64-NEXT: ld ra, -8(s2) ; RV64-NEXT: ld ra, -8(gp)
; RV64-NEXT: addi s2, s2, -8 ; RV64-NEXT: addi gp, gp, -8
; RV64-NEXT: ret ; RV64-NEXT: ret
%res = call i32 @bar() %res = call i32 @bar()
%res1 = add i32 %res, 1 %res1 = add i32 %res, 1
ret i32 %res ret i32 %res
} }
craig.topperUnsubmitted
Done
ReplyInline Actions

Can we split this to a separate file? It doesn't look like it was generated by update_llc_test_checks.py and we don't want these checks on the test cases above.

craig.topper: Can we split this to a separate file? It doesn't look like it was generated by…
paulkirthAuthorUnsubmitted
Done
ReplyInline Actions

Good point. This was taken directly from what looked to be the only relevant case in saverestore.ll. Tomorrow I will split this off into a standalone file. Do you know if there would be other relevant cases to consider from the save/restore tests?

paulkirth: Good point. This was taken directly from what looked to be the only relevant case in…