This is an archive of the discontinued LLVM Phabricator instance.

Differential D153264

[lld][AArch64] Add BTI landing pad to PLT entries when the symbol is exported.
ClosedPublic

Authored by danielkiss on Jun 19 2023, 4:17 AM.

Details

Reviewers
peter.smith
MaskRay
phosek
leonardchan
Commits
rG92fbb602f3b6: [lld][AArch64] Add BTI landing pad to PLT entries when the symbol is exported.
Summary

With relative vtables the caller jumps directly to the plt entries in the shared object,
therefore landing pad is need for these entries.

Reproducer:
main.cpp

#include "v.hpp"
int main() {
    A* a = new B();
    a->do_something2();
    return 0;
}

v.hpp

struct A {
    virtual void do_something() = 0;
    virtual void do_something2();
};
struct B : public A {
    void do_something() override;
    void do_something2() override;
};

v.cpp

#include "v.hpp"
void A::do_something2() { }
void B::do_something() { }
void B::do_something2() { }
CC="clang++ --target=aarch64-unknown-linux-gnu -fuse-ld=lld -mbranch-protection=bti"
F=-fexperimental-relative-c++-abi-vtables
${=CC} $F -shared v.cpp -o v.so -z force-bti
${=CC} $F main.cpp -L./ v.so -Wl,-rpath=. -z force-bti
qemu-aarch64-static -L /usr/aarch64-linux-gnu -cpu max ./a.out

For v.so, the regular vtable entry is relocated by an R_AARCH64_ABS64 relocation referencing _ZN1B13do_something2Ev.

_ZTV1B:
.xword  _ZN1B13do_something2Ev

Using relative vtable entry for a DSO has a downside of creating many PLT entries and making their addresses escape.
The relative vtable entry references a PLT entry _ZN1B13do_something2Ev@plt.

.L_ZTV1A.local:
        .word   (_ZN1A13do_something2Ev@PLT-.L_ZTV1A.local)-8

fixes: #63580

Diff Detail

Event Timeline

danielkiss created this revision.Jun 19 2023, 4:17 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 19 2023, 4:17 AM
Herald added subscribers: kristof.beyls, arichardson, emaste. · View Herald Transcript
danielkiss requested review of this revision.Jun 19 2023, 4:17 AM
Harbormaster completed remote builds in B239769: Diff 532596.Jun 19 2023, 4:28 AM
danielkiss added a comment.Jun 19 2023, 7:16 AM

minimised reproducer (crashes on a BTI enabled system without the patch, work with the patch)

main.cpp

#include "v.hpp"

int main()
{
    A* a = new B();
    a->do_something2();
    return 0;
}

v.hpp

struct A
{
    virtual void do_something() = 0;
    virtual void do_something2();
};

struct B : public A
{
    void do_something() override;
    void do_something2() override;
};

v.cpp

#include "v.hpp"
void A::do_something2() { }
void B::do_something() { }
void B::do_something2() { }

bin/clang++ -O0 -fuse-ld=lld -mbranch-protection=bti -fexperimental-relative-c++-abi-vtables -shared v.cpp -o v.so
bin/clang++ -O0 -fuse-ld=lld -mbranch-protection=bti -fexperimental-relative-c++-abi-vtables vmain.cpp -L./ v.so -Wl,-rpath=./
qemu-aarch64 -cpu max a.out

peter.smith added a comment.Jun 19 2023, 8:23 AM

Thanks for the example (needs a --target=aarch64-linux-gnu if cross-compiling). IIUC the problem is mostly visible within v.so. The relative vtable has an offset to the PLT entry for the virtual functions as these can be pre-empted by an interposing shared object. The code in vmain will use the relative vtable entry and indirectly branch to the PLT which without the patch doesn't have a PLT entry.

I've left a suggestion that if it is simple to implement should be more specific. It may not be worth the complexity if it is a lot of work though.

lld/ELF/Arch/AArch64.cpp
918

Could you alter the comment to include the condition. Something like.

// NEEDS_COPY indicates a non-ifunc canonical PLT entry whose address may
// escape to shared objects. isInIplt indicates a non-preemptible ifunc. Its
// address may escape if referenced by a direct relocation. If relative vtables
// are used then if the vtable is in a shared object the offsets will be to the PLT entry.
// The condition is conservative.
919

IIUC this will put BTI at the start of most PLT entries in a shared object. One possibility is to overload thunkAccessed (a relative vtable is kind of thunk :-) , or rename it) so that in Relocations.cpp we can follow the R_AARCH64_PLT32 relocations (specific to relative vtables) and tag affected symbols with thunkAccessed.

peter.smith added a reviewer: phosek.Jun 19 2023, 8:42 AM

Adding Petr Hosek as a reviewer as I think Fuchsia uses relative vtables by default.

danielkiss planned changes to this revision.Jun 19 2023, 1:13 PM
danielkiss added inline comments.
lld/ELF/Arch/AArch64.cpp
919

Looks, could be done in that way too, hopefully with less impact on the number of landing pads.

phosek added a reviewer: leonardchan.Jun 19 2023, 11:17 PM
MaskRay added a comment.Jun 21 2023, 8:39 PM

Adding the example to the description will be useful.

Thank you for the example. I managed to reproduce with:

CC="/tmp/Rel/bin/clang++ --target=aarch64-unknown-linux-gnu -fuse-ld=lld -mbranch-protection=bti"
F=-fexperimental-relative-c++-abi-vtables

${=CC} $F -shared v.cpp -o v.so -z force-bti
${=CC} $F main.cpp -L./ v.so -Wl,-rpath=. -z force-bti
qemu-aarch64-static -L /usr/aarch64-linux-gnu -cpu max ./a.out

For v.so, the regular vtable entry is relocated by an R_AARCH64_ABS64 relocation referencing _ZN1B13do_something2Ev.

_ZTV1B:
...
.xword  _ZN1B13do_something2Ev

Using relative vtable entry for a DSO has a downside of creating many PLT entries and making their addresses escape.
The relative vtable entry references a PLT entry _ZN1B13do_something2Ev@plt.

.L_ZTV1A.local:
...
        .word   (_ZN1A13do_something2Ev@PLT-.L_ZTV1A.local)-8

I agree that we can reuse thunkAccessed. We can do:

case R_AARCH64_PLT32:
  const_cast<Symbol &>(sym).thunkAccessed = true;
  return R_PLT_PC;
danielkiss updated this revision to Diff 535360.Jun 28 2023, 6:24 AM
danielkiss edited the summary of this revision. (Show Details)

@peter.smith & @MaskRay Thanks for the comments, patch is updated.
Moved the example to a bug.

Harbormaster completed remote builds in B241764: Diff 535360.Jun 28 2023, 6:36 AM
MaskRay accepted this revision.Jun 28 2023, 1:47 PM
In D153264#4455888, @danielkiss wrote:

@peter.smith & @MaskRay Thanks for the comments, patch is updated.
Moved the example to a bug.

LGTM. I think some description from https://reviews.llvm.org/D153264#4439762 will be useful in the summary. Feel free to add them.

lld/test/ELF/aarch64-feature-bti.s
164

Indent to align with -NEXT: directives below.

# RELV-LABEL: <func1>:
# RELV-NEXT:    10380: bl     0x103b0 <func2@plt>

The idea is, <func1> will always match. If the section layout has a small disturbance, FileCheck will know for sure that the issue is on # RELV-NEXT: 10380: bl 0x103b0 <func2@plt>, and it will be straightforward to update it.

If you do # RELV: 0000000000010380 <func1>:, there is some chance that FileCheck isn't smart enough to locate the <func1> line

This revision is now accepted and ready to land.Jun 28 2023, 1:47 PM
MaskRay mentioned this in D153772: [ARM] armv6m eXecute Only (XO) long branch Thunk.Jun 28 2023, 3:45 PM
danielkiss updated this revision to Diff 535836.Jun 29 2023, 9:02 AM
danielkiss edited the summary of this revision. (Show Details)
danielkiss marked an inline comment as done.
MaskRay accepted this revision.Jun 29 2023, 9:07 AM
MaskRay added inline comments.
lld/test/ELF/aarch64-feature-bti.s
169

If "Disassembly of section .text:" is kept, ensure that it aligns with <.plt>: and <.text>:. It will look nicer.

Harbormaster completed remote builds in B242120: Diff 535836.Jun 29 2023, 10:21 AM
danielkiss updated this revision to Diff 535880.Jun 29 2023, 10:27 AM
danielkiss marked an inline comment as done.
peter.smith accepted this revision.Jun 29 2023, 10:34 AM

LGTM too. Thanks for the update.

MaskRay accepted this revision.Jun 29 2023, 11:17 AM
MaskRay added inline comments.
lld/ELF/Arch/AArch64.cpp
919

I think the comment is still worth updating.

Harbormaster completed remote builds in B242148: Diff 535880.Jun 29 2023, 11:41 AM
danielkiss marked an inline comment as done.Jun 29 2023, 1:15 PM
danielkiss added inline comments.
lld/ELF/Arch/AArch64.cpp
919

I'll land it with the above comment.

Closed by commit rG92fbb602f3b6: [lld][AArch64] Add BTI landing pad to PLT entries when the symbol is exported. (authored by danielkiss). · Explain WhyJun 29 2023, 1:17 PM
This revision was automatically updated to reflect the committed changes.
danielkiss marked an inline comment as done.
danielkiss added a commit: rG92fbb602f3b6: [lld][AArch64] Add BTI landing pad to PLT entries when the symbol is exported..
Herald added a project: Restricted Project. · View Herald TranscriptJun 29 2023, 1:17 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

PathSize
lld/
ELF/
Arch/
2 lines
test/
ELF/
45 lines

Diff 535880

lld/ELF/Arch/AArch64.cpp

Show First 20 LinesShow All 130 Lines▼ Show 20 LinesRelExpr AArch64::getRelExpr(RelType type, const Symbol &s,
case R_AARCH64_TLSLE_MOVW_TPREL_G1: case R_AARCH64_TLSLE_MOVW_TPREL_G1:
case R_AARCH64_TLSLE_MOVW_TPREL_G1_NC: case R_AARCH64_TLSLE_MOVW_TPREL_G1_NC:
case R_AARCH64_TLSLE_MOVW_TPREL_G2: case R_AARCH64_TLSLE_MOVW_TPREL_G2:
return R_TPREL; return R_TPREL;
case R_AARCH64_CALL26: case R_AARCH64_CALL26:
case R_AARCH64_CONDBR19: case R_AARCH64_CONDBR19:
case R_AARCH64_JUMP26: case R_AARCH64_JUMP26:
case R_AARCH64_TSTBR14: case R_AARCH64_TSTBR14:
return R_PLT_PC;
case R_AARCH64_PLT32: case R_AARCH64_PLT32:
const_cast<Symbol &>(s).thunkAccessed = true;
return R_PLT_PC; return R_PLT_PC;
case R_AARCH64_PREL16: case R_AARCH64_PREL16:
case R_AARCH64_PREL32: case R_AARCH64_PREL32:
case R_AARCH64_PREL64: case R_AARCH64_PREL64:
case R_AARCH64_ADR_PREL_LO21: case R_AARCH64_ADR_PREL_LO21:
case R_AARCH64_LD_PREL_LO19: case R_AARCH64_LD_PREL_LO19:
case R_AARCH64_MOVW_PREL_G0: case R_AARCH64_MOVW_PREL_G0:
case R_AARCH64_MOVW_PREL_G0_NC: case R_AARCH64_MOVW_PREL_G0_NC:
▲ Show 20 LinesShow All 760 Lines▼ Show 20 Linesvoid AArch64BtiPac::writePlt(uint8_t *buf, const Symbol &sym,
}; };
const uint8_t nopData[] = { 0x1f, 0x20, 0x03, 0xd5 }; // nop const uint8_t nopData[] = { 0x1f, 0x20, 0x03, 0xd5 }; // nop
// NEEDS_COPY indicates a non-ifunc canonical PLT entry whose address may // NEEDS_COPY indicates a non-ifunc canonical PLT entry whose address may
// escape to shared objects. isInIplt indicates a non-preemptible ifunc. Its // escape to shared objects. isInIplt indicates a non-preemptible ifunc. Its
// address may escape if referenced by a direct relocation. The condition is // address may escape if referenced by a direct relocation. The condition is
// conservative. // conservative.
bool hasBti = btiHeader && bool hasBti = btiHeader &&
(sym.hasFlag(NEEDS_COPY) || sym.isInIplt || sym.thunkAccessed); (sym.hasFlag(NEEDS_COPY) || sym.isInIplt || sym.thunkAccessed);
peter.smithUnsubmitted
Not Done
ReplyInline Actions

Could you alter the comment to include the condition. Something like.

// NEEDS_COPY indicates a non-ifunc canonical PLT entry whose address may
// escape to shared objects. isInIplt indicates a non-preemptible ifunc. Its
// address may escape if referenced by a direct relocation. If relative vtables
// are used then if the vtable is in a shared object the offsets will be to the PLT entry.
// The condition is conservative.
peter.smith: Could you alter the comment to include the condition. Something like. ``` // NEEDS_COPY…
if (hasBti) { if (hasBti) {
peter.smithUnsubmitted
Not Done
ReplyInline Actions

IIUC this will put BTI at the start of most PLT entries in a shared object. One possibility is to overload thunkAccessed (a relative vtable is kind of thunk :-) , or rename it) so that in Relocations.cpp we can follow the R_AARCH64_PLT32 relocations (specific to relative vtables) and tag affected symbols with thunkAccessed.

peter.smith: IIUC this will put BTI at the start of most PLT entries in a shared object. One possibility is…
danielkissAuthorUnsubmitted
Done
ReplyInline Actions

Looks, could be done in that way too, hopefully with less impact on the number of landing pads.

danielkiss: Looks, could be done in that way too, hopefully with less impact on the number of landing pads.
MaskRayUnsubmitted
Done
ReplyInline Actions

I think the comment is still worth updating.

MaskRay: I think the comment is still worth updating.
danielkissAuthorUnsubmitted
Done
ReplyInline Actions

I'll land it with the above comment.

danielkiss: I'll land it with the above comment.
memcpy(buf, btiData, sizeof(btiData)); memcpy(buf, btiData, sizeof(btiData));
buf += sizeof(btiData); buf += sizeof(btiData);
pltEntryAddr += sizeof(btiData); pltEntryAddr += sizeof(btiData);
} }
uint64_t gotPltEntryAddr = sym.getGotPltVA(); uint64_t gotPltEntryAddr = sym.getGotPltVA();
memcpy(buf, addrInst, sizeof(addrInst)); memcpy(buf, addrInst, sizeof(addrInst));
relocateNoSym(buf, R_AARCH64_ADR_PREL_PG_HI21, relocateNoSym(buf, R_AARCH64_ADR_PREL_PG_HI21,
Show All 24 Lines

lld/test/ELF/aarch64-feature-bti.s

# REQUIRES: aarch64 # REQUIRES: aarch64
# RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %s -o %t.o # RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %s -o %t.o
# RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu --defsym CANONICAL_PLT=1 %s -o %tcanon.o # RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu --defsym CANONICAL_PLT=1 %s -o %tcanon.o
# RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu --defsym RELVTABLE_PLT=1 %s -o %trelvtable.o
# RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %p/Inputs/aarch64-bti1.s -o %t1.o # RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %p/Inputs/aarch64-bti1.s -o %t1.o
# RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %p/Inputs/aarch64-func3.s -o %t2.o # RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %p/Inputs/aarch64-func3.s -o %t2.o
# RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %p/Inputs/aarch64-func3-bti.s -o %t3.o # RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %p/Inputs/aarch64-func3-bti.s -o %t3.o
# RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %p/Inputs/aarch64-func2.s -o %tno.o # RUN: llvm-mc -filetype=obj -triple=aarch64-linux-gnu %p/Inputs/aarch64-func2.s -o %tno.o
## We do not add BTI support when the inputs don't have the .note.gnu.property ## We do not add BTI support when the inputs don't have the .note.gnu.property
## field. ## field.
▲ Show 20 LinesShow All 137 Lines▼ Show 20 Lines
# PIE: 0000000000010370 <func2@plt>: # PIE: 0000000000010370 <func2@plt>:
# PIE-NEXT: 10370: adrp x16, 0x30000 # PIE-NEXT: 10370: adrp x16, 0x30000
# PIE-NEXT: ldr x17, [x16, #1184] # PIE-NEXT: ldr x17, [x16, #1184]
# PIE-NEXT: add x16, x16, #1184 # PIE-NEXT: add x16, x16, #1184
# PIE-NEXT: br x17 # PIE-NEXT: br x17
# PIE-NEXT: nop # PIE-NEXT: nop
# PIE-NEXT: nop # PIE-NEXT: nop
## We expect the same for R_AARCH64_PLT32, as the address of an plt entry escapes
# RUN: ld.lld --shared %trelvtable.o -o %trelv.exe
# RUN: llvm-readelf -n %trelv.exe | FileCheck --check-prefix=BTIPROP %s
# RUN: llvm-readelf --dynamic-table -n %trelv.exe | FileCheck --check-prefix=BTIPROP %s
# RUN: llvm-objdump --no-print-imm-hex -d --mattr=+bti --no-show-raw-insn %trelv.exe | FileCheck --check-prefix=RELV %s
# RELV: Disassembly of section .text:
MaskRayUnsubmitted
Done
ReplyInline Actions

Indent to align with -NEXT: directives below.

# RELV-LABEL: <func1>:
# RELV-NEXT:    10380: bl     0x103b0 <func2@plt>

The idea is, <func1> will always match. If the section layout has a small disturbance, FileCheck will know for sure that the issue is on # RELV-NEXT: 10380: bl 0x103b0 <func2@plt>, and it will be straightforward to update it.

If you do # RELV: 0000000000010380 <func1>:, there is some chance that FileCheck isn't smart enough to locate the <func1> line

MaskRay: Indent to align with `-NEXT:` directives below. ``` # RELV-LABEL: <func1>: # RELV-NEXT…
# RELV-LABEL: <func1>:
# RELV-NEXT: 10380: bl 0x103b0 <func2@plt>
# RELV-NEXT: bl 0x103c8 <funcRelVtable@plt>
# RELV-NEXT: ret
# RELV: Disassembly of section .plt:
MaskRayUnsubmitted
Done
ReplyInline Actions

If "Disassembly of section .text:" is kept, ensure that it aligns with <.plt>: and <.text>:. It will look nicer.

MaskRay: If "Disassembly of section .text:" is kept, ensure that it aligns with `<.plt>:` and `<.text>:`.
# RELV-LABEL: <.plt>:
# RELV-NEXT: 10390: bti c
# RELV-NEXT: stp x16, x30, [sp, #-16]!
# RELV-NEXT: adrp x16, 0x30000
# RELV-NEXT: ldr x17, [x16, #1200]
# RELV-NEXT: add x16, x16, #1200
# RELV-NEXT: br x17
# RELV-NEXT: nop
# RELV-NEXT: nop
# RELV-LABEL: <func2@plt>:
# RELV-NEXT: 103b0: adrp x16, 0x30000
# RELV-NEXT: ldr x17, [x16, #1208]
# RELV-NEXT: add x16, x16, #1208
# RELV-NEXT: br x17
# RELV-NEXT: nop
# RELV-NEXT: nop
# RELV-LABEL: <funcRelVtable@plt>:
# RELV-NEXT: 103c8: bti c
# RELV-NEXT: adrp x16, 0x30000 <_DYNAMIC+0xfc20>
# RELV-NEXT: ldr x17, [x16, #1216]
# RELV-NEXT: add x16, x16, #1216
# RELV-NEXT: br x17
# RELV-NEXT: nop
## Build and executable with not all relocatable inputs having the BTI ## Build and executable with not all relocatable inputs having the BTI
## .note.property, expect no bti c and no .note.gnu.property entry ## .note.property, expect no bti c and no .note.gnu.property entry
# RUN: ld.lld %t.o %t2.o %t.so -o %tnobti.exe # RUN: ld.lld %t.o %t2.o %t.so -o %tnobti.exe
# RUN: llvm-readelf --dynamic-table %tnobti.exe | FileCheck --check-prefix NOBTIDYN %s # RUN: llvm-readelf --dynamic-table %tnobti.exe | FileCheck --check-prefix NOBTIDYN %s
# RUN: llvm-objdump --no-print-imm-hex -d --mattr=+bti --no-show-raw-insn %tnobti.exe | FileCheck --check-prefix=NOEX %s # RUN: llvm-objdump --no-print-imm-hex -d --mattr=+bti --no-show-raw-insn %tnobti.exe | FileCheck --check-prefix=NOEX %s
# NOEX: Disassembly of section .text: # NOEX: Disassembly of section .text:
▲ Show 20 LinesShow All 72 Lines▼ Show 20 Lines
.type func1,%function .type func1,%function
func1: func1:
.ifdef CANONICAL_PLT .ifdef CANONICAL_PLT
adrp x0, func2 adrp x0, func2
add x0, x0, :lo12:func2 add x0, x0, :lo12:func2
.else .else
bl func2 bl func2
.endif .endif
.ifdef RELVTABLE_PLT
bl funcRelVtable
.endif
ret ret
.ifdef RELVTABLE_PLT
// R_AARCH64_PLT32
.word funcRelVtable@PLT - .
.endif