This is an archive of the discontinued LLVM Phabricator instance.

Differential D152484

[KCFI] Fix hash offset calculation in Thumb mode
ClosedPublic

Authored by samitolvanen on Jun 8 2023, 4:18 PM.

Details

Reviewers
nickdesaulniers
MaskRay
simon_tatham
Commits
rGce4bb083c043: [KCFI] Fix hash offset calculation in Thumb mode
Summary

ARM stores the Thumb state in the least significant bit of the
function pointers. When compiling for ARM or Thumb, as all
instructions are at least 16-bit aligned, ignore the LSB when
computing the prefix hash location, so we can support both
pure Thumb and mixed ARM/Thumb binaries.

Diff Detail

Event Timeline

samitolvanen created this revision.Jun 8 2023, 4:18 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 8 2023, 4:18 PM
Herald added subscribers: Enna1, hiraditya, kristof.beyls. · View Herald Transcript
samitolvanen requested review of this revision.Jun 8 2023, 4:18 PM
Herald added a project: Restricted Project. · View Herald TranscriptJun 8 2023, 4:18 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
samitolvanen added reviewers: nickdesaulniers, MaskRay.Jun 8 2023, 4:19 PM
pirama added a subscriber: pirama.Jun 8 2023, 4:29 PM
Harbormaster completed remote builds in B237620: Diff 529770.Jun 8 2023, 5:15 PM
MaskRay accepted this revision.Jun 8 2023, 8:11 PM
This revision is now accepted and ready to land.Jun 8 2023, 8:11 PM
MaskRay added a subscriber: simon_tatham.Jun 8 2023, 8:11 PM

@simon_tatham

simon_tatham accepted this revision.Jun 9 2023, 1:10 AM

Thanks! This should fix https://github.com/llvm/llvm-project/issues/62936.

I agree that it's better to do the fix here, instead of adding dedicated support in the backend the way AArch64 does it, because as far as I can see backend KCFI checks are inserted after register allocation and have to use registers that are already dead. And in at least one Arm situation (namely Armv6-M) no such registers are conveniently available, so the check would become more expensive.

Closed by commit rGce4bb083c043: [KCFI] Fix hash offset calculation in Thumb mode (authored by samitolvanen). · Explain WhyJun 12 2023, 12:44 PM
This revision was automatically updated to reflect the committed changes.
samitolvanen added a commit: rGce4bb083c043: [KCFI] Fix hash offset calculation in Thumb mode.

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
15 lines
test/
Transforms/
KCFI/
9 lines

Diff 529770

llvm/lib/Transforms/Instrumentation/KCFI.cpp

Show First 20 LinesShow All 67 Lines▼ Show 20 LinesPreservedAnalyses KCFIPass::run(Function &F, FunctionAnalysisManager &AM) {
if (F.hasFnAttribute("patchable-function-prefix")) if (F.hasFnAttribute("patchable-function-prefix"))
Ctx.diagnose( Ctx.diagnose(
DiagnosticInfoKCFI("-fpatchable-function-entry=N,M, where M>0 is not " DiagnosticInfoKCFI("-fpatchable-function-entry=N,M, where M>0 is not "
"compatible with -fsanitize=kcfi on this target")); "compatible with -fsanitize=kcfi on this target"));
IntegerType *Int32Ty = Type::getInt32Ty(Ctx); IntegerType *Int32Ty = Type::getInt32Ty(Ctx);
MDNode *VeryUnlikelyWeights = MDNode *VeryUnlikelyWeights =
MDBuilder(Ctx).createBranchWeights(1, (1U << 20) - 1); MDBuilder(Ctx).createBranchWeights(1, (1U << 20) - 1);
Triple T(M.getTargetTriple());
for (CallInst *CI : KCFICalls) { for (CallInst *CI : KCFICalls) {
// Get the expected hash value. // Get the expected hash value.
const uint32_t ExpectedHash = const uint32_t ExpectedHash =
cast<ConstantInt>(CI->getOperandBundle(LLVMContext::OB_kcfi)->Inputs[0]) cast<ConstantInt>(CI->getOperandBundle(LLVMContext::OB_kcfi)->Inputs[0])
->getZExtValue(); ->getZExtValue();
// Drop the KCFI operand bundle. // Drop the KCFI operand bundle.
CallBase *Call = CallBase *Call =
CallBase::removeOperandBundle(CI, LLVMContext::OB_kcfi, CI); CallBase::removeOperandBundle(CI, LLVMContext::OB_kcfi, CI);
assert(Call != CI); assert(Call != CI);
Call->copyMetadata(*CI); Call->copyMetadata(*CI);
CI->replaceAllUsesWith(Call); CI->replaceAllUsesWith(Call);
CI->eraseFromParent(); CI->eraseFromParent();
if (!Call->isIndirectCall()) if (!Call->isIndirectCall())
continue; continue;
// Emit a check and trap if the target hash doesn't match. // Emit a check and trap if the target hash doesn't match.
IRBuilder<> Builder(Call); IRBuilder<> Builder(Call);
Value *HashPtr = Builder.CreateConstInBoundsGEP1_32( Value *FuncPtr = Call->getCalledOperand();
Int32Ty, Call->getCalledOperand(), -1); // ARM uses the least significant bit of the function pointer to select
// between ARM and Thumb modes for the callee. Instructions are always
// at least 16-bit aligned, so clear the LSB before we compute the hash
// location.
if (T.isARM() || T.isThumb()) {
FuncPtr = Builder.CreateIntToPtr(
Builder.CreateAnd(Builder.CreatePtrToInt(FuncPtr, Int32Ty),
ConstantInt::get(Int32Ty, -2)),
FuncPtr->getType());
}
Value *HashPtr = Builder.CreateConstInBoundsGEP1_32(Int32Ty, FuncPtr, -1);
Value *Test = Builder.CreateICmpNE(Builder.CreateLoad(Int32Ty, HashPtr), Value *Test = Builder.CreateICmpNE(Builder.CreateLoad(Int32Ty, HashPtr),
ConstantInt::get(Int32Ty, ExpectedHash)); ConstantInt::get(Int32Ty, ExpectedHash));
Instruction *ThenTerm = Instruction *ThenTerm =
SplitBlockAndInsertIfThen(Test, Call, false, VeryUnlikelyWeights); SplitBlockAndInsertIfThen(Test, Call, false, VeryUnlikelyWeights);
Builder.SetInsertPoint(ThenTerm); Builder.SetInsertPoint(ThenTerm);
Builder.CreateCall(Intrinsic::getDeclaration(&M, Intrinsic::debugtrap)); Builder.CreateCall(Intrinsic::getDeclaration(&M, Intrinsic::debugtrap));
++NumKCFIChecks; ++NumKCFIChecks;
} }
return PreservedAnalyses::none(); return PreservedAnalyses::none();
} }

llvm/test/Transforms/KCFI/kcfi.ll

; RUN: opt -S -passes=kcfi %s | FileCheck %s ; RUN: opt -S -passes=kcfi %s | FileCheck --check-prefixes=CHECK,NOARM %s
; RUN: %if arm-registered-target %{ opt -S -passes=kcfi -mtriple=thumbv7m-unknown-linux-gnu %s | FileCheck --check-prefixes=CHECK,ARM %s %}
; CHECK-LABEL: define void @f1( ; CHECK-LABEL: define void @f1(
define void @f1(ptr noundef %x) { define void @f1(ptr noundef %x) {
; CHECK: %[[#GEPI:]] = getelementptr inbounds i32, ptr %x, i32 -1 ; ARM: %[[#FINT:]] = ptrtoint ptr %x to i32
; ARM-NEXT: %[[#FAND:]] = and i32 %[[#FINT]], -2
; ARM-NEXT: %[[#FPTR:]] = inttoptr i32 %[[#FAND]] to ptr
; ARM-NEXT: %[[#GEPI:]] = getelementptr inbounds i32, ptr %[[#FPTR]], i32 -1
; NOARM: %[[#GEPI:]] = getelementptr inbounds i32, ptr %x, i32 -1
; CHECK-NEXT: %[[#LOAD:]] = load i32, ptr %[[#GEPI]], align 4 ; CHECK-NEXT: %[[#LOAD:]] = load i32, ptr %[[#GEPI]], align 4
; CHECK-NEXT: %[[#ICMP:]] = icmp ne i32 %[[#LOAD]], 12345678 ; CHECK-NEXT: %[[#ICMP:]] = icmp ne i32 %[[#LOAD]], 12345678
; CHECK-NEXT: br i1 %[[#ICMP]], label %[[#TRAP:]], label %[[#CALL:]], !prof ![[#WEIGHTS:]] ; CHECK-NEXT: br i1 %[[#ICMP]], label %[[#TRAP:]], label %[[#CALL:]], !prof ![[#WEIGHTS:]]
; CHECK: [[#TRAP]]: ; CHECK: [[#TRAP]]:
; CHECK-NEXT: call void @llvm.debugtrap() ; CHECK-NEXT: call void @llvm.debugtrap()
; CHECK-NEXT: br label %[[#CALL]] ; CHECK-NEXT: br label %[[#CALL]]
; CHECK: [[#CALL]]: ; CHECK: [[#CALL]]:
; CHECK-NEXT: call void %x() ; CHECK-NEXT: call void %x()
; CHECK-NOT: [ "kcfi"(i32 12345678) ] ; CHECK-NOT: [ "kcfi"(i32 12345678) ]
call void %x() [ "kcfi"(i32 12345678) ] call void %x() [ "kcfi"(i32 12345678) ]
ret void ret void
} }
!llvm.module.flags = !{!0} !llvm.module.flags = !{!0}
!0 = !{i32 4, !"kcfi", i32 1} !0 = !{i32 4, !"kcfi", i32 1}
; CHECK: ![[#WEIGHTS]] = !{!"branch_weights", i32 1, i32 1048575} ; CHECK: ![[#WEIGHTS]] = !{!"branch_weights", i32 1, i32 1048575}