This is an archive of the discontinued LLVM Phabricator instance.

Differential D154119

Fix: Distinguish CFI Metadata Checks in MergeFunctions Pass
Changes PlannedPublic

Authored by oskarwirga on Jun 29 2023, 10:46 AM.

Details

Reviewers
smeenai
lanza
nikic
luqmana
dingxiangfei2009
eeckstein
dexonsmith
Summary

This diff fixes an issue in the MergeFunctions pass where two different Control Flow Integrity (CFI) metadata checks were incorrectly considered identical. These merges would lead to runtime violations down the line as two separate objects contained a single destructor which itself contained checks for only one of the objects.

Here I update the comparison logic to take into account the metadata at llvm.type.test checks. Now, only truly identical checks will be considered for merging, thus preserving the integrity of each check.

Diff Detail

Event Timeline

oskarwirga created this revision.Jun 29 2023, 10:46 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 29 2023, 10:46 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
oskarwirga requested review of this revision.Jun 29 2023, 10:46 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 29 2023, 10:46 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
nikic added a subscriber: nikic.Jun 29 2023, 12:17 PM
nikic added inline comments.
llvm/lib/Transforms/Utils/FunctionComparator.cpp
665

This doesn't looks like a problem specific to the type.test intrinsic. Other calls may have metadata operands as well.

oskarwirga added inline comments.Jun 29 2023, 1:33 PM
llvm/lib/Transforms/Utils/FunctionComparator.cpp
665

Should I remove the intrinsic check and instead loop through the arg operands to check that they are the same?

nikic added inline comments.Jun 30 2023, 7:23 AM
llvm/lib/Transforms/Utils/FunctionComparator.cpp
665

The caller cmpBasicBlocks() already does a loop over the operands and compares them via cmpValues(). So that's probably the place where MetadataAsValue needs to be handled.

oskarwirga updated this revision to Diff 536453.Jun 30 2023, 3:13 PM
oskarwirga added a reviewer: nikic.

Generalize the metadata checks

Herald added a subscriber: StephenFan. · View Herald TranscriptJun 30 2023, 3:13 PM
oskarwirga marked 2 inline comments as done.Jun 30 2023, 3:13 PM
smeenai added inline comments.Jun 30 2023, 4:15 PM
llvm/lib/Transforms/Utils/FunctionComparator.cpp
879

Should this be inside cmpValues instead, since that has a bunch of other callers too?

881

Is it correct to just check for pointer equality here? https://llvm.org/docs/LangRef.html#metadata mentions !unique for avoiding content-baed metadata merging, but it wasn't clear if that merging would otherwise always take place.

Harbormaster completed remote builds in B242575: Diff 536453.Jun 30 2023, 5:24 PM
oskarwirga added inline comments.Jun 30 2023, 5:40 PM
llvm/lib/Transforms/Utils/FunctionComparator.cpp
881

Yeah you know what maybe what we need to do is add !unique to type test metadata checks because this is too broad and its failing to merge functions with differing debug metadata. We need some way to prevent the CFI metadata as part of the cfi checks from getting merged but we need identical debug metadata (and perhaps other metadata) to get merged.

llvm/test/Transforms/MergeFunc/cfi-function-merging.ll
41

@smeenai @nikic This metadata is pretty generic and I am not entirely sure how CFI knows to populate it later with the correct vtable entry

oskarwirga updated this revision to Diff 536869.Jul 3 2023, 12:30 PM

Added checks for distinct metadata in operands to prevent merging unless it's just debug info. This ensures that distinct metadata, which should be treated as different, is not merged.

Harbormaster completed remote builds in B242872: Diff 536869.Jul 3 2023, 2:51 PM
oskarwirga added a comment.Jul 6 2023, 11:00 AM

ping :^)

oskarwirga added reviewers: luqmana, dingxiangfei2009, eeckstein.Jul 13 2023, 11:14 AM
oskarwirga added a comment.Jul 21 2023, 9:59 AM

ping

oskarwirga added a comment.Aug 3 2023, 2:26 AM

ping

oskarwirga added a comment.Aug 14 2023, 10:28 AM

ping

manmanren added subscribers: dexonsmith, manmanren.Aug 24 2023, 12:18 PM

This looks reasonable to me in the sense that it treats distinct metadata as being different but bypasses distinct debug info. CC @dexonsmith

oskarwirga updated this revision to Diff 553282.Aug 24 2023, 3:28 PM

Update to use cmpValues() instead of cmpBasicBlock

Harbormaster completed remote builds in B254740: Diff 553282.Aug 24 2023, 4:15 PM
kyulee added a subscriber: kyulee.Aug 24 2023, 8:58 PM

Thanks for fixing this! This seems a good case to cover.

llvm/lib/Transforms/Utils/FunctionComparator.cpp
802

Like the below Constant case below, can you run dyn_cast more explicit to ensure they're not null?.

auto *MDL = cast<MetadataAsValue>(L);
auto *MDR = cast<MetadataAsValue>(R);
if (MDL && MDR) {
878

This space seems unrelated.

kyulee added inline comments.Aug 24 2023, 8:59 PM
llvm/lib/Transforms/Utils/FunctionComparator.cpp
802

Sorry. I meant dyn_cast not cast.

kyulee added inline comments.Aug 24 2023, 9:12 PM
llvm/test/Transforms/MergeFunc/cfi-function-merging.ll
35

Can you also simplify the test?
I think you can delete attributes like unnamed_addr #3, #6, align 8, etc.,, to focus on only relevant metadata..

kyulee added inline comments.Aug 24 2023, 9:26 PM
llvm/lib/Transforms/Utils/FunctionComparator.cpp
808

I think you can drop llvm: as with others.

dexonsmith requested changes to this revision.Aug 28 2023, 9:46 AM
This revision now requires changes to proceed.Aug 28 2023, 9:46 AM
oskarwirga updated this revision to Diff 553971.Aug 28 2023, 9:54 AM

Address @kyulee 's comments

dexonsmith added a comment.Aug 28 2023, 9:54 AM

Sorry, Phabricator lost my comment somehow. Adding back a version of it now.

I don't think it's viable to have the two functions arbitrarily compare "less than" if they both have distinct metadata. That leads to assertions like this:

assert(!(V1<V2 && V2<V1) && "Both values are less than the other?");

firing.

It also makes it undefined behaviour to use the comparator in "sort" algorithms. Have a look at:
https://en.cppreference.com/w/cpp/named_req/LessThanComparable
https://en.wikipedia.org/wiki/Weak_ordering#Strict_weak_orderings

And I assume this is used for sorting somehow?

I suggest changing function merging to check for distinct metadata as a second step, after functions compare equal. But there might be another way.

llvm/lib/Transforms/Utils/FunctionComparator.cpp
810

This breaks strict weak ordering, which means compareValues can never be used for sorting, which I assume is the whole point.

oskarwirga marked 6 inline comments as done.Aug 28 2023, 9:55 AM
oskarwirga updated this revision to Diff 553973.Aug 28 2023, 9:58 AM

Remove more unnecessary metadata from test

oskarwirga marked an inline comment as done.Aug 28 2023, 9:58 AM
Harbormaster completed remote builds in B255253: Diff 553973.Aug 28 2023, 10:56 AM
oskarwirga added a comment.Sep 5 2023, 11:24 AM

ping

dexonsmith added a comment.Sep 5 2023, 2:15 PM
In D154119#4638649, @oskarwirga wrote:

ping

Looks like you're still breaking strict-weak ordering. Is there a reason that's not a problem?

In particular, is it somehow guaranteed that the comparator is never used in a sorting function (where it would lead to undefined behaviour)? If so, how?

oskarwirga added inline comments.Sep 5 2023, 2:48 PM
llvm/lib/Transforms/Utils/FunctionComparator.cpp
810

I had to consult with ChatGPT about what strict weak ordering is, but IIUC what I am doing wrong here is that I am returning -1 no matter what rather than 1 vs -1 depending on L vs R and R vs L, is my understanding correct here?

dexonsmith added inline comments.Sep 5 2023, 3:03 PM
llvm/lib/Transforms/Utils/FunctionComparator.cpp
810

Correct. As I suggested in my longer comment, it I suspect it’s better to fix this outside of the compare function.

oskarwirga planned changes to this revision.Sep 6 2023, 5:47 AM
GitHub <noreply@github.com> mentioned this in rGe06fc2b2e065: Fix: Distinguish CFI Metadata Checks in MergeFunctions Pass (#65963).Sep 23 2023, 3:28 AM

Revision Contents

PathSize
llvm/
lib/
Transforms/
Utils/
23 lines
test/
Transforms/
MergeFunc/
38 lines

Diff 553973

llvm/lib/Transforms/Utils/FunctionComparator.cpp

Show All 17 Lines
#include "llvm/ADT/Hashing.h" #include "llvm/ADT/Hashing.h"
#include "llvm/ADT/SmallPtrSet.h" #include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/IR/Attributes.h" #include "llvm/IR/Attributes.h"
#include "llvm/IR/BasicBlock.h" #include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Constant.h" #include "llvm/IR/Constant.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/DebugInfoMetadata.h"
#include "llvm/IR/DerivedTypes.h" #include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/GlobalValue.h" #include "llvm/IR/GlobalValue.h"
#include "llvm/IR/InlineAsm.h" #include "llvm/IR/InlineAsm.h"
#include "llvm/IR/InstrTypes.h" #include "llvm/IR/InstrTypes.h"
#include "llvm/IR/Instruction.h" #include "llvm/IR/Instruction.h"
#include "llvm/IR/Instructions.h" #include "llvm/IR/Instructions.h"
#include "llvm/IR/LLVMContext.h" #include "llvm/IR/LLVMContext.h"
▲ Show 20 LinesShow All 622 Lines▼ Show 20 Lines if (const InsertValueInst *IVI = dyn_cast<InsertValueInst>(L)) {
ArrayRef<unsigned> LIndices = IVI->getIndices(); ArrayRef<unsigned> LIndices = IVI->getIndices();
ArrayRef<unsigned> RIndices = cast<InsertValueInst>(R)->getIndices(); ArrayRef<unsigned> RIndices = cast<InsertValueInst>(R)->getIndices();
if (int Res = cmpNumbers(LIndices.size(), RIndices.size())) if (int Res = cmpNumbers(LIndices.size(), RIndices.size()))
return Res; return Res;
for (size_t i = 0, e = LIndices.size(); i != e; ++i) { for (size_t i = 0, e = LIndices.size(); i != e; ++i) {
if (int Res = cmpNumbers(LIndices[i], RIndices[i])) if (int Res = cmpNumbers(LIndices[i], RIndices[i]))
return Res; return Res;
} }
return 0; return 0;
nikicUnsubmitted
Done
ReplyInline Actions

This doesn't looks like a problem specific to the type.test intrinsic. Other calls may have metadata operands as well.

nikic: This doesn't looks like a problem specific to the type.test intrinsic. Other calls may have…
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Should I remove the intrinsic check and instead loop through the arg operands to check that they are the same?

oskarwirga: Should I remove the intrinsic check and instead loop through the arg operands to check that…
nikicUnsubmitted
Done
ReplyInline Actions

The caller cmpBasicBlocks() already does a loop over the operands and compares them via cmpValues(). So that's probably the place where MetadataAsValue needs to be handled.

nikic: The caller cmpBasicBlocks() already does a loop over the operands and compares them via…
} }
if (const ExtractValueInst *EVI = dyn_cast<ExtractValueInst>(L)) { if (const ExtractValueInst *EVI = dyn_cast<ExtractValueInst>(L)) {
ArrayRef<unsigned> LIndices = EVI->getIndices(); ArrayRef<unsigned> LIndices = EVI->getIndices();
ArrayRef<unsigned> RIndices = cast<ExtractValueInst>(R)->getIndices(); ArrayRef<unsigned> RIndices = cast<ExtractValueInst>(R)->getIndices();
if (int Res = cmpNumbers(LIndices.size(), RIndices.size())) if (int Res = cmpNumbers(LIndices.size(), RIndices.size()))
return Res; return Res;
for (size_t i = 0, e = LIndices.size(); i != e; ++i) { for (size_t i = 0, e = LIndices.size(); i != e; ++i) {
if (int Res = cmpNumbers(LIndices[i], RIndices[i])) if (int Res = cmpNumbers(LIndices[i], RIndices[i]))
▲ Show 20 LinesShow All 117 Lines▼ Show 20 Linesint FunctionComparator::cmpInlineAsm(const InlineAsm *L,
return 0; return 0;
} }
/// Compare two values used by the two functions under pair-wise comparison. If /// Compare two values used by the two functions under pair-wise comparison. If
/// this is the first time the values are seen, they're added to the mapping so /// this is the first time the values are seen, they're added to the mapping so
/// that we will detect mismatches on next use. /// that we will detect mismatches on next use.
/// See comments in declaration for more details. /// See comments in declaration for more details.
int FunctionComparator::cmpValues(const Value *L, const Value *R) const { int FunctionComparator::cmpValues(const Value *L, const Value *R) const {
// Distinct metadata is different and shouldn't be merged unless it's
// just debug info
auto *MDL = dyn_cast<MetadataAsValue>(L);
auto *MDR = dyn_cast<MetadataAsValue>(R);
kyuleeUnsubmitted
Done
ReplyInline Actions

Like the below Constant case below, can you run dyn_cast more explicit to ensure they're not null?.

auto *MDL = cast<MetadataAsValue>(L);
auto *MDR = cast<MetadataAsValue>(R);
if (MDL && MDR) {
kyulee: Like the below Constant case below, can you run dyn_cast more explicit to ensure they're not…
kyuleeUnsubmitted
Done
ReplyInline Actions

Sorry. I meant dyn_cast not cast.

kyulee: Sorry. I meant `dyn_cast` not `cast`.
if (MDL && MDR) {
const MDNode *MDNodeL = dyn_cast<MDNode>(MDL->getMetadata());
const MDNode *MDNodeR = dyn_cast<MDNode>(MDR->getMetadata());
if (MDNodeL && MDNodeR) {
if (MDNodeL->isDistinct() && MDNodeR->isDistinct()) {
if (isa<DINode>(MDNodeL) && isa<DINode>(MDNodeR))
kyuleeUnsubmitted
Done
ReplyInline Actions

I think you can drop llvm: as with others.

kyulee: I think you can drop `llvm:` as with others.
return 0;
return -1;
dexonsmithUnsubmitted
Not Done
ReplyInline Actions

This breaks strict weak ordering, which means compareValues can never be used for sorting, which I assume is the whole point.

dexonsmith: This breaks strict weak ordering, which means compareValues can never be used for sorting…
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

I had to consult with ChatGPT about what strict weak ordering is, but IIUC what I am doing wrong here is that I am returning -1 no matter what rather than 1 vs -1 depending on L vs R and R vs L, is my understanding correct here?

oskarwirga: I had to consult with ChatGPT about what strict weak ordering is, but IIUC what I am doing…
dexonsmithUnsubmitted
Not Done
ReplyInline Actions

Correct. As I suggested in my longer comment, it I suspect it’s better to fix this outside of the compare function.

dexonsmith: Correct. As I suggested in my longer comment, it I suspect it’s better to fix this outside of…
}
if (MDNodeL->isDistinct()) {
return 1;
}
if (MDNodeR->isDistinct()) {
return -1;
}
}
}
// Catch self-reference case. // Catch self-reference case.
if (L == FnL) { if (L == FnL) {
if (R == FnR) if (R == FnR)
return 0; return 0;
return -1; return -1;
} }
if (R == FnR) { if (R == FnR) {
if (L == FnL) if (L == FnL)
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines do {
if (int Res = cmpOperations(&*InstL, &*InstR, needToCmpOperands)) if (int Res = cmpOperations(&*InstL, &*InstR, needToCmpOperands))
return Res; return Res;
if (needToCmpOperands) { if (needToCmpOperands) {
assert(InstL->getNumOperands() == InstR->getNumOperands()); assert(InstL->getNumOperands() == InstR->getNumOperands());
for (unsigned i = 0, e = InstL->getNumOperands(); i != e; ++i) { for (unsigned i = 0, e = InstL->getNumOperands(); i != e; ++i) {
Value *OpL = InstL->getOperand(i); Value *OpL = InstL->getOperand(i);
Value *OpR = InstR->getOperand(i); Value *OpR = InstR->getOperand(i);
if (int Res = cmpValues(OpL, OpR)) if (int Res = cmpValues(OpL, OpR))
kyuleeUnsubmitted
Done
ReplyInline Actions

This space seems unrelated.

kyulee: This space seems unrelated.
return Res; return Res;
smeenaiUnsubmitted
Done
ReplyInline Actions

Should this be inside cmpValues instead, since that has a bunch of other callers too?

smeenai: Should this be inside `cmpValues` instead, since that has a bunch of other callers too?
// cmpValues should ensure this is true. // cmpValues should ensure this is true.
assert(cmpTypes(OpL->getType(), OpR->getType()) == 0); assert(cmpTypes(OpL->getType(), OpR->getType()) == 0);
smeenaiUnsubmitted
Done
ReplyInline Actions

Is it correct to just check for pointer equality here? https://llvm.org/docs/LangRef.html#metadata mentions !unique for avoiding content-baed metadata merging, but it wasn't clear if that merging would otherwise always take place.

smeenai: Is it correct to just check for pointer equality here? https://llvm.org/docs/LangRef.
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

Yeah you know what maybe what we need to do is add !unique to type test metadata checks because this is too broad and its failing to merge functions with differing debug metadata. We need some way to prevent the CFI metadata as part of the cfi checks from getting merged but we need identical debug metadata (and perhaps other metadata) to get merged.

oskarwirga: Yeah you know what maybe what we need to do is add !unique to type test metadata checks because…
} }
} }
++InstL; ++InstL;
++InstR; ++InstR;
} while (InstL != InstLE && InstR != InstRE); } while (InstL != InstLE && InstR != InstRE);
if (InstL != InstLE && InstR == InstRE) if (InstL != InstLE && InstR == InstRE)
▲ Show 20 LinesShow All 94 LinesShow Last 20 Lines

llvm/test/Transforms/MergeFunc/cfi-function-merging.ll

  • This file was added.
;; Check the cases involving internal CFI instrumented functions where we do not expect functions to be merged.
; RUN: opt -S -passes=mergefunc < %s | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-none-linux-android28"
; Function Attrs: nocallback nofree nosync nounwind readnone speculatable willreturn
declare i1 @llvm.type.test(ptr, metadata) #6
define internal void @A__on_zero_sharedEv(ptr noundef nonnull align 8 dereferenceable(32) %this) {
; CHECK-LABEL: @A__on_zero_sharedEv
entry:
%this.addr = alloca ptr, align 8
store ptr %this, ptr %this.addr, align 8
%this1 = load ptr, ptr %this.addr, align 8
%vtable = load ptr, ptr %this1, align 8
%0 = call i1 @llvm.type.test(ptr %vtable, metadata !11), !nosanitize !47
ret void
}
; Function Attrs: mustprogress noinline nounwind optnone uwtable
define internal void @B__on_zero_sharedEv(ptr noundef nonnull align 8 dereferenceable(32) %this) {
; CHECK-LABEL: @B__on_zero_sharedEv
entry:
%this.addr = alloca ptr, align 8
store ptr %this, ptr %this.addr, align 8
%this1 = load ptr, ptr %this.addr, align 8
%vtable = load ptr, ptr %this1, align 8
%0 = call i1 @llvm.type.test(ptr %vtable, metadata !22), !nosanitize !47
ret void
}
!10 = !{i64 16, !11}
!11 = distinct !{}
kyuleeUnsubmitted
Done
ReplyInline Actions

Can you also simplify the test?
I think you can delete attributes like unnamed_addr #3, #6, align 8, etc.,, to focus on only relevant metadata..

kyulee: Can you also simplify the test? I think you can delete attributes like `unnamed_addr #3`…
!21 = !{i64 16, !22}
!22 = distinct !{}
!47 = !{}
oskarwirgaAuthorUnsubmitted
Done
ReplyInline Actions

@smeenai @nikic This metadata is pretty generic and I am not entirely sure how CFI knows to populate it later with the correct vtable entry

oskarwirga: @smeenai @nikic This metadata is pretty generic and I am not entirely sure how CFI knows to…