This is an archive of the discontinued LLVM Phabricator instance.

Differential D18846

[safestack] Add canary to unsafe stack frames
ClosedPublic

Authored by eugenis on Apr 6 2016, 4:11 PM.

Details

Reviewers
ed
pcc
timshen
Summary

Add StackProtector to SafeStack.
This adds limited protection against data corruption in the caller frame.
Current implementation treats all stack protector levels as -fstack-protector-all.

This depends on a clang change to allow both safestack and ssp* attributes on the same function.

Diff Detail

Repository
rL LLVM

Event Timeline

eugenis updated this revision to Diff 52863.Apr 6 2016, 4:11 PM
eugenis retitled this revision from to [safestack] Add canary to unsafe stack frames.
eugenis updated this object.
eugenis added reviewers: pcc, ed.
eugenis set the repository for this revision to rL LLVM.
eugenis added a subscriber: llvm-commits.
Herald added subscribers: srhines, danalbert, tberghammer. · View Herald TranscriptApr 6 2016, 4:11 PM
ed edited edge metadata.Apr 6 2016, 10:35 PM

Thanks for working on this! I know too little of LLVM internals to review this change properly, but I'd be more than happy to run our C library test suite against this. Could you also send out the patch for Clang you mentioned, so I can test this?

eugenis mentioned this in D18871: Allow simultaneous safestack and stack-protector attributes.Apr 7 2016, 2:42 PM
eugenis added a comment.Apr 7 2016, 2:45 PM

I've uploaded the clang part in http://reviews.llvm.org/D18871

pcc added a reviewer: timshen.Apr 7 2016, 3:08 PM

Tim might also want to look at this since he's been working on the stack protector.

lib/CodeGen/SafeStack.cpp
724

Please make this a local variable, or just do the attribute test in the one place you need it.

779

This line doesn't seem necessary.

test/CodeGen/X86/safestack_ssp.ll
2

Why is this a backend test rather than an opt test?

eugenis updated this revision to Diff 52970.Apr 7 2016, 4:13 PM
eugenis edited edge metadata.
eugenis marked 2 inline comments as done.
eugenis added inline comments.
test/CodeGen/X86/safestack_ssp.ll
2

Do you want me to remove it? I think it is useful as-is. I've added more opt tests.

pcc added inline comments.Apr 7 2016, 4:50 PM
test/CodeGen/X86/safestack_ssp.ll
2

Well, I mainly wanted you to tell me why you made this a backend test :) We don't normally test passes this way.

Anyway, if you're just trying to provide test coverage for the codegen pipeline, it looks like the existing test test/CodeGen/X86/safestack.ll is already covering that, so unless you have another reason to keep this test, it seems redundant with the opt tests you added.

eugenis added inline comments.Apr 7 2016, 4:55 PM
test/CodeGen/X86/safestack_ssp.ll
2

test/CodeGen/X86/safestack.ll does not cover the stack protector cookie code.

No other tests verify that StackProtector and SafeStack passes do not apply to the same function.

pcc accepted this revision.Apr 7 2016, 5:06 PM
pcc edited edge metadata.

LGTM

test/CodeGen/X86/safestack_ssp.ll
2

Okay, seems reasonable enough to me. Please add a comment explaining why this is a backend test.

This revision is now accepted and ready to land.Apr 7 2016, 5:06 PM
timshen added inline comments.Apr 8 2016, 1:34 PM
lib/CodeGen/SafeStack.cpp
399

Is this going to work correctly, for say, PowerPC? As of my knowledge on powerpc64le-linux-gnu, there is no "__stack_chk_guard", but similarly has a data member in TCB.

On SSP side I'm actively working on supporting PowerPC - more generally, allowing backends to lower LOAD_STACK_GUARD node manually.

504

OpenBSD doesn't have __stack_chk_fail. It has StackProtector::CreateFailBB.

I wonder if it's easy to share some code between SSP and safestack, though I have no idea what safestack is doing.

timshen added inline comments.Apr 8 2016, 1:44 PM
lib/CodeGen/SafeStack.cpp
399

To be specific, powerpc64le-linux-gnu is similar to AArch64, which has a stack guard as data member in TCB.

504

s/It has StackProtector::CreateFailBB/See StackProtector::CreateFailBB/.

eugenis added inline comments.Apr 8 2016, 2:02 PM
lib/CodeGen/SafeStack.cpp
504

SafeStack maintains a second stack, with the stack pointer either in a thread-local variable or a fixed TLS slot, and moves some locals to that stack.

Anything that may overflow is on the second stack. StackProtector + SafeStack should apply StackProtector cookies to that second stack, and not to the system stack.

It would be great to share more code between the two passes.

Would it be possible to extend the SDAG stuff to handle this case?

eugenis added inline comments.Apr 8 2016, 2:03 PM
lib/CodeGen/SafeStack.cpp
399

Then it should implement getStackCookieLocation - or is it only supported in the SelectionDAG code pass now?

timshen added inline comments.Apr 8 2016, 2:23 PM
lib/CodeGen/SafeStack.cpp
399

Yes, the plan is to only support it in SelectionDAG, because SelectionDAG can pick up tail call optimization (See StackProtectorDescriptor's comment).

Without SafeStack in mind, I was trying to minimize the use of IR approach, since the only reason we need to keep IR form is FastISel.

504

Thanks for the explaining!

It sounds like you want to teach StackProtector to allocate the canary in a different place (aka the second stack). It's currently created in StackProtector::CreatePrologue. Is it possible to call moveStaticAllocasToUnsafeStack to move the slot to the second stack?

eugenis added a comment.Apr 8 2016, 2:34 PM

moveStaticAllocasToUnsafeStack must be called once per function.

Also, there may be no unsafe stack frame at all, then there would be no need for the guard at all. SafeStack is currently smarter about this than StackProtector; it uses SCEV to prove that allocas can never overflow.

timshen edited edge metadata.Apr 8 2016, 3:02 PM
In D18846#395911, @eugenis wrote:

moveStaticAllocasToUnsafeStack must be called once per function.

As discussed, you may want to call moveStaticAllocasToUnsafeStack, then possibly in SDAG Intrinsic::stackprotector handling you need to handle non-Alloca cases explicitly.

Or if you think there are reasons to keep the code a little bit duplicated between SSP and SafeStack, I'm fine with it, since I'm not the owner of either. :)

Also, there may be no unsafe stack frame at all, then there would be no need for the guard at all. SafeStack is currently smarter about this than StackProtector; it uses SCEV to prove that allocas can never overflow.

What if the source code does overflow? Does SafeStack just fails to build (seems unlikely?), or SSP still needs to be inserted?

timshen added a comment.Apr 8 2016, 3:13 PM
In D18846#395946, @timshen wrote:

I'm fine with it, since I'm not the owner of either. :)

I don't mean that I don't care about the code quality, but to show the lack of domain knowledge of SafeStack. :P

ed accepted this revision.Apr 9 2016, 12:15 PM
ed edited edge metadata.

I've just built a copy of LLVM and Clang with these patches applied. With that compiler I did a full rebuild of all core CloudABI libraries, including the C library's unit test suite (~1000 tests), with -fstack-protector-all and SafeStack enabled. All unit tests still seem to pass.

eugenis added a comment.Apr 11 2016, 12:59 PM

Also, there may be no unsafe stack frame at all, then there would be no need for the guard at all. SafeStack is currently smarter about this than StackProtector; it uses SCEV to prove that allocas can never overflow.

What if the source code does overflow? Does SafeStack just fails to build (seems unlikely?), or SSP still needs to be inserted?

The unsafe frame consists of allocas that SafeStack could _not_ prove to not overflow. SSP is only needed such allocas exist.

I've looked into reducing code duplication, but it seems to make things a lot more complex. Basically, we could allow StackProtector to insert the cookie and then just move it to the unsafe stack along with other allocas, making sure that it ends up at the bottom of the frame. The problem is, StackProtector does not know if the cookie is needed or not - it needs to ask SafeStack for that. I've considered splitting SafeStack into an analysis pass that would answer this question, and an instrumentation pass, but that seems to add a lot of complexity and a few non-obvious inter-pass dependencies.

I'm inclined to commit this as is, and maybe revisit this point if code duplication becomes a problem.

eugenis closed this revision.Apr 11 2016, 3:34 PM

Thanks for the review, r266004

Revision Contents

PathSize
lib/
CodeGen/
95 lines
3 lines
IR/
8 lines
test/
CodeGen/
X86/
26 lines
Transforms/
SafeStack/
AArch64/
22 lines
X86/
19 lines
30 lines

Diff 52970

lib/CodeGen/SafeStack.cpp

Show All 11 Lines
// support library). // support library).
// //
// http://clang.llvm.org/docs/SafeStack.html // http://clang.llvm.org/docs/SafeStack.html
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/ADT/Triple.h" #include "llvm/ADT/Triple.h"
#include "llvm/Analysis/BranchProbabilityInfo.h"
#include "llvm/Analysis/ScalarEvolution.h" #include "llvm/Analysis/ScalarEvolution.h"
#include "llvm/Analysis/ScalarEvolutionExpressions.h" #include "llvm/Analysis/ScalarEvolutionExpressions.h"
#include "llvm/CodeGen/Passes.h" #include "llvm/CodeGen/Passes.h"
#include "llvm/CodeGen/Passes.h" #include "llvm/CodeGen/Passes.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
#include "llvm/IR/DIBuilder.h" #include "llvm/IR/DIBuilder.h"
#include "llvm/IR/DataLayout.h" #include "llvm/IR/DataLayout.h"
#include "llvm/IR/DerivedTypes.h" #include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/IRBuilder.h" #include "llvm/IR/IRBuilder.h"
#include "llvm/IR/InstIterator.h" #include "llvm/IR/InstIterator.h"
#include "llvm/IR/Instructions.h" #include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h" #include "llvm/IR/IntrinsicInst.h"
#include "llvm/IR/Intrinsics.h" #include "llvm/IR/Intrinsics.h"
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Module.h" #include "llvm/IR/Module.h"
#include "llvm/Pass.h" #include "llvm/Pass.h"
#include "llvm/Support/CommandLine.h" #include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h" #include "llvm/Support/Debug.h"
#include "llvm/Support/Format.h" #include "llvm/Support/Format.h"
#include "llvm/Support/MathExtras.h" #include "llvm/Support/MathExtras.h"
#include "llvm/Support/raw_os_ostream.h" #include "llvm/Support/raw_os_ostream.h"
#include "llvm/Target/TargetLowering.h" #include "llvm/Target/TargetLowering.h"
#include "llvm/Target/TargetSubtargetInfo.h" #include "llvm/Target/TargetSubtargetInfo.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
#include "llvm/Transforms/Utils/Local.h" #include "llvm/Transforms/Utils/Local.h"
#include "llvm/Transforms/Utils/ModuleUtils.h" #include "llvm/Transforms/Utils/ModuleUtils.h"
using namespace llvm; using namespace llvm;
#define DEBUG_TYPE "safestack" #define DEBUG_TYPE "safestack"
enum UnsafeStackPtrStorageVal { ThreadLocalUSP, SingleThreadUSP }; enum UnsafeStackPtrStorageVal { ThreadLocalUSP, SingleThreadUSP };
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Linesclass SafeStack : public FunctionPass {
/// ///
/// 16 seems like a reasonable upper bound on the alignment of objects that we /// 16 seems like a reasonable upper bound on the alignment of objects that we
/// might expect to appear on the stack on most common targets. /// might expect to appear on the stack on most common targets.
enum { StackAlignment = 16 }; enum { StackAlignment = 16 };
/// \brief Build a value representing a pointer to the unsafe stack pointer. /// \brief Build a value representing a pointer to the unsafe stack pointer.
Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F); Value *getOrCreateUnsafeStackPtr(IRBuilder<> &IRB, Function &F);
/// \brief Return the value of the stack canary.
Value *getStackGuard(IRBuilder<> &IRB, Function &F);
/// \brief Load stack guard from the frame and check if it has changed.
void checkStackGuard(IRBuilder<> &IRB, Function &F, ReturnInst &RI,
AllocaInst *StackGuardSlot, Value *StackGuard);
/// \brief Find all static allocas, dynamic allocas, return instructions and /// \brief Find all static allocas, dynamic allocas, return instructions and
/// stack restore points (exception unwind blocks and setjmp calls) in the /// stack restore points (exception unwind blocks and setjmp calls) in the
/// given function and append them to the respective vectors. /// given function and append them to the respective vectors.
void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas, void findInsts(Function &F, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas, SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<Argument *> &ByValArguments, SmallVectorImpl<Argument *> &ByValArguments,
SmallVectorImpl<ReturnInst *> &Returns, SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints); SmallVectorImpl<Instruction *> &StackRestorePoints);
/// \brief Calculate the allocation size of a given alloca. Returns 0 if the /// \brief Calculate the allocation size of a given alloca. Returns 0 if the
/// size can not be statically determined. /// size can not be statically determined.
uint64_t getStaticAllocaAllocationSize(const AllocaInst* AI); uint64_t getStaticAllocaAllocationSize(const AllocaInst* AI);
/// \brief Allocate space for all static allocas in \p StaticAllocas, /// \brief Allocate space for all static allocas in \p StaticAllocas,
/// replace allocas with pointers into the unsafe stack and generate code to /// replace allocas with pointers into the unsafe stack and generate code to
/// restore the stack pointer before all return instructions in \p Returns. /// restore the stack pointer before all return instructions in \p Returns.
/// ///
/// \returns A pointer to the top of the unsafe stack after all unsafe static /// \returns A pointer to the top of the unsafe stack after all unsafe static
/// allocas are allocated. /// allocas are allocated.
Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F, Value *moveStaticAllocasToUnsafeStack(IRBuilder<> &IRB, Function &F,
ArrayRef<AllocaInst *> StaticAllocas, ArrayRef<AllocaInst *> StaticAllocas,
ArrayRef<Argument *> ByValArguments, ArrayRef<Argument *> ByValArguments,
ArrayRef<ReturnInst *> Returns, ArrayRef<ReturnInst *> Returns,
Instruction *BasePointer); Instruction *BasePointer,
AllocaInst *StackGuardSlot);
/// \brief Generate code to restore the stack after all stack restore points /// \brief Generate code to restore the stack after all stack restore points
/// in \p StackRestorePoints. /// in \p StackRestorePoints.
/// ///
/// \returns A local variable in which to maintain the dynamic top of the /// \returns A local variable in which to maintain the dynamic top of the
/// unsafe stack if needed. /// unsafe stack if needed.
AllocaInst * AllocaInst *
createStackRestorePoints(IRBuilder<> &IRB, Function &F, createStackRestorePoints(IRBuilder<> &IRB, Function &F,
▲ Show 20 LinesShow All 217 Lines▼ Show 20 Lines if (UnsafeStackPtr->getValueType() != StackPtrTy)
report_fatal_error(Twine(UnsafeStackPtrVar) + " must have void* type"); report_fatal_error(Twine(UnsafeStackPtrVar) + " must have void* type");
if (UseTLS != UnsafeStackPtr->isThreadLocal()) if (UseTLS != UnsafeStackPtr->isThreadLocal())
report_fatal_error(Twine(UnsafeStackPtrVar) + " must " + report_fatal_error(Twine(UnsafeStackPtrVar) + " must " +
(UseTLS ? "" : "not ") + "be thread-local"); (UseTLS ? "" : "not ") + "be thread-local");
} }
return UnsafeStackPtr; return UnsafeStackPtr;
} }
Value *SafeStack::getStackGuard(IRBuilder<> &IRB, Function &F) {
Value *StackGuardVar = nullptr;
if (TL)
StackGuardVar = TL->getStackCookieLocation(IRB);
if (!StackGuardVar)
StackGuardVar =
F.getParent()->getOrInsertGlobal("__stack_chk_guard", StackPtrTy);
timshenUnsubmitted
Not Done
ReplyInline Actions

Is this going to work correctly, for say, PowerPC? As of my knowledge on powerpc64le-linux-gnu, there is no "__stack_chk_guard", but similarly has a data member in TCB.

On SSP side I'm actively working on supporting PowerPC - more generally, allowing backends to lower LOAD_STACK_GUARD node manually.

timshen: Is this going to work correctly, for say, PowerPC? As of my knowledge on powerpc64le-linux-gnu…
timshenUnsubmitted
Not Done
ReplyInline Actions

To be specific, powerpc64le-linux-gnu is similar to AArch64, which has a stack guard as data member in TCB.

timshen: To be specific, powerpc64le-linux-gnu is similar to AArch64, which has a stack guard as data…
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

Then it should implement getStackCookieLocation - or is it only supported in the SelectionDAG code pass now?

eugenis: Then it should implement getStackCookieLocation - or is it only supported in the SelectionDAG…
timshenUnsubmitted
Not Done
ReplyInline Actions

Yes, the plan is to only support it in SelectionDAG, because SelectionDAG can pick up tail call optimization (See StackProtectorDescriptor's comment).

Without SafeStack in mind, I was trying to minimize the use of IR approach, since the only reason we need to keep IR form is FastISel.

timshen: Yes, the plan is to only support it in SelectionDAG, because SelectionDAG can pick up tail call…
return IRB.CreateLoad(StackGuardVar, "StackGuard");
}
void SafeStack::findInsts(Function &F, void SafeStack::findInsts(Function &F,
SmallVectorImpl<AllocaInst *> &StaticAllocas, SmallVectorImpl<AllocaInst *> &StaticAllocas,
SmallVectorImpl<AllocaInst *> &DynamicAllocas, SmallVectorImpl<AllocaInst *> &DynamicAllocas,
SmallVectorImpl<Argument *> &ByValArguments, SmallVectorImpl<Argument *> &ByValArguments,
SmallVectorImpl<ReturnInst *> &Returns, SmallVectorImpl<ReturnInst *> &Returns,
SmallVectorImpl<Instruction *> &StackRestorePoints) { SmallVectorImpl<Instruction *> &StackRestorePoints) {
for (Instruction &I : instructions(&F)) { for (Instruction &I : instructions(&F)) {
if (auto AI = dyn_cast<AllocaInst>(&I)) { if (auto AI = dyn_cast<AllocaInst>(&I)) {
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Lines for (Instruction *I : StackRestorePoints) {
IRB.SetInsertPoint(I->getNextNode()); IRB.SetInsertPoint(I->getNextNode());
Value *CurrentTop = DynamicTop ? IRB.CreateLoad(DynamicTop) : StaticTop; Value *CurrentTop = DynamicTop ? IRB.CreateLoad(DynamicTop) : StaticTop;
IRB.CreateStore(CurrentTop, UnsafeStackPtr); IRB.CreateStore(CurrentTop, UnsafeStackPtr);
} }
return DynamicTop; return DynamicTop;
} }
void SafeStack::checkStackGuard(IRBuilder<> &IRB, Function &F, ReturnInst &RI,
AllocaInst *StackGuardSlot, Value *StackGuard) {
Value *V = IRB.CreateLoad(StackGuardSlot);
Value *Cmp = IRB.CreateICmpNE(StackGuard, V);
auto SuccessProb = BranchProbabilityInfo::getBranchProbStackProtector(true);
auto FailureProb = BranchProbabilityInfo::getBranchProbStackProtector(false);
MDNode *Weights = MDBuilder(F.getContext())
.createBranchWeights(SuccessProb.getNumerator(),
FailureProb.getNumerator());
Instruction *CheckTerm =
SplitBlockAndInsertIfThen(Cmp, &RI,
/* Unreachable */ true, Weights);
IRBuilder<> IRBFail(CheckTerm);
// FIXME: respect -fsanitize-trap / -ftrap-function here?
Constant *StackChkFail = F.getParent()->getOrInsertFunction(
"__stack_chk_fail", IRB.getVoidTy(), nullptr);
timshenUnsubmitted
Not Done
ReplyInline Actions

OpenBSD doesn't have __stack_chk_fail. It has StackProtector::CreateFailBB.

I wonder if it's easy to share some code between SSP and safestack, though I have no idea what safestack is doing.

timshen: OpenBSD doesn't have __stack_chk_fail. It has StackProtector::CreateFailBB. I wonder if it's…
timshenUnsubmitted
Not Done
ReplyInline Actions

s/It has StackProtector::CreateFailBB/See StackProtector::CreateFailBB/.

timshen: s/It has StackProtector::CreateFailBB/See StackProtector::CreateFailBB/.
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

SafeStack maintains a second stack, with the stack pointer either in a thread-local variable or a fixed TLS slot, and moves some locals to that stack.

Anything that may overflow is on the second stack. StackProtector + SafeStack should apply StackProtector cookies to that second stack, and not to the system stack.

It would be great to share more code between the two passes.

Would it be possible to extend the SDAG stuff to handle this case?

eugenis: SafeStack maintains a second stack, with the stack pointer either in a thread-local variable or…
timshenUnsubmitted
Not Done
ReplyInline Actions

Thanks for the explaining!

It sounds like you want to teach StackProtector to allocate the canary in a different place (aka the second stack). It's currently created in StackProtector::CreatePrologue. Is it possible to call moveStaticAllocasToUnsafeStack to move the slot to the second stack?

timshen: Thanks for the explaining! It sounds like you want to teach StackProtector to allocate the…
IRBFail.CreateCall(StackChkFail, {});
}
/// We explicitly compute and set the unsafe stack layout for all unsafe /// We explicitly compute and set the unsafe stack layout for all unsafe
/// static alloca instructions. We save the unsafe "base pointer" in the /// static alloca instructions. We save the unsafe "base pointer" in the
/// prologue into a local variable and restore it in the epilogue. /// prologue into a local variable and restore it in the epilogue.
Value *SafeStack::moveStaticAllocasToUnsafeStack( Value *SafeStack::moveStaticAllocasToUnsafeStack(
IRBuilder<> &IRB, Function &F, ArrayRef<AllocaInst *> StaticAllocas, IRBuilder<> &IRB, Function &F, ArrayRef<AllocaInst *> StaticAllocas,
ArrayRef<Argument *> ByValArguments, ArrayRef<ReturnInst *> Returns, ArrayRef<Argument *> ByValArguments, ArrayRef<ReturnInst *> Returns,
Instruction *BasePointer) { Instruction *BasePointer, AllocaInst *StackGuardSlot) {
if (StaticAllocas.empty() && ByValArguments.empty()) if (StaticAllocas.empty() && ByValArguments.empty())
return BasePointer; return BasePointer;
DIBuilder DIB(*F.getParent()); DIBuilder DIB(*F.getParent());
// Compute maximum alignment among static objects on the unsafe stack. // Compute maximum alignment among static objects on the unsafe stack.
unsigned MaxAlignment = 0; unsigned MaxAlignment = 0;
for (Argument *Arg : ByValArguments) { for (Argument *Arg : ByValArguments) {
Show All 19 Lines BasePointer = cast<Instruction>(IRB.CreateIntToPtr(
IRB.CreateAnd(IRB.CreatePtrToInt(BasePointer, IntPtrTy), IRB.CreateAnd(IRB.CreatePtrToInt(BasePointer, IntPtrTy),
ConstantInt::get(IntPtrTy, ~uint64_t(MaxAlignment - 1))), ConstantInt::get(IntPtrTy, ~uint64_t(MaxAlignment - 1))),
StackPtrTy)); StackPtrTy));
} }
int64_t StaticOffset = 0; // Current stack top. int64_t StaticOffset = 0; // Current stack top.
IRB.SetInsertPoint(BasePointer->getNextNode()); IRB.SetInsertPoint(BasePointer->getNextNode());
if (StackGuardSlot) {
StaticOffset += getStaticAllocaAllocationSize(StackGuardSlot);
Value *Off = IRB.CreateGEP(BasePointer, // BasePointer is i8*
ConstantInt::get(Int32Ty, -StaticOffset));
Value *NewAI =
IRB.CreateBitCast(Off, StackGuardSlot->getType(), "StackGuardSlot");
// Replace alloc with the new location.
StackGuardSlot->replaceAllUsesWith(NewAI);
StackGuardSlot->eraseFromParent();
}
for (Argument *Arg : ByValArguments) { for (Argument *Arg : ByValArguments) {
Type *Ty = Arg->getType()->getPointerElementType(); Type *Ty = Arg->getType()->getPointerElementType();
uint64_t Size = DL->getTypeStoreSize(Ty); uint64_t Size = DL->getTypeStoreSize(Ty);
if (Size == 0) if (Size == 0)
Size = 1; // Don't create zero-sized stack objects. Size = 1; // Don't create zero-sized stack objects.
// Ensure the object is properly aligned. // Ensure the object is properly aligned.
▲ Show 20 LinesShow All 145 Lines▼ Show 20 Lines if (F.isDeclaration()) {
DEBUG(dbgs() << "[SafeStack] function definition" DEBUG(dbgs() << "[SafeStack] function definition"
" is not available\n"); " is not available\n");
return false; return false;
} }
TL = TM ? TM->getSubtargetImpl(F)->getTargetLowering() : nullptr; TL = TM ? TM->getSubtargetImpl(F)->getTargetLowering() : nullptr;
SE = &getAnalysis<ScalarEvolutionWrapperPass>().getSE(); SE = &getAnalysis<ScalarEvolutionWrapperPass>().getSE();
{
// Make sure the regular stack protector won't run on this function
// (safestack attribute takes precedence).
AttrBuilder B;
B.addAttribute(Attribute::StackProtect)
.addAttribute(Attribute::StackProtectReq)
.addAttribute(Attribute::StackProtectStrong);
F.removeAttributes(
AttributeSet::FunctionIndex,
AttributeSet::get(F.getContext(), AttributeSet::FunctionIndex, B));
}
++NumFunctions; ++NumFunctions;
pccUnsubmitted
Done
ReplyInline Actions

Please make this a local variable, or just do the attribute test in the one place you need it.

pcc: Please make this a local variable, or just do the attribute test in the one place you need it.
SmallVector<AllocaInst *, 16> StaticAllocas; SmallVector<AllocaInst *, 16> StaticAllocas;
SmallVector<AllocaInst *, 4> DynamicAllocas; SmallVector<AllocaInst *, 4> DynamicAllocas;
SmallVector<Argument *, 4> ByValArguments; SmallVector<Argument *, 4> ByValArguments;
SmallVector<ReturnInst *, 4> Returns; SmallVector<ReturnInst *, 4> Returns;
// Collect all points where stack gets unwound and needs to be restored // Collect all points where stack gets unwound and needs to be restored
// This is only necessary because the runtime (setjmp and unwind code) is // This is only necessary because the runtime (setjmp and unwind code) is
// not aware of the unsafe stack and won't unwind/restore it prorerly. // not aware of the unsafe stack and won't unwind/restore it prorerly.
Show All 18 Lines if (!StackRestorePoints.empty())
++NumUnsafeStackRestorePointsFunctions; ++NumUnsafeStackRestorePointsFunctions;
IRBuilder<> IRB(&F.front(), F.begin()->getFirstInsertionPt()); IRBuilder<> IRB(&F.front(), F.begin()->getFirstInsertionPt());
UnsafeStackPtr = getOrCreateUnsafeStackPtr(IRB, F); UnsafeStackPtr = getOrCreateUnsafeStackPtr(IRB, F);
// Load the current stack pointer (we'll also use it as a base pointer). // Load the current stack pointer (we'll also use it as a base pointer).
// FIXME: use a dedicated register for it ? // FIXME: use a dedicated register for it ?
Instruction *BasePointer = Instruction *BasePointer =
IRB.CreateLoad(UnsafeStackPtr, false, "unsafe_stack_ptr"); IRB.CreateLoad(UnsafeStackPtr, false, "unsafe_stack_ptr");
assert(BasePointer->getType() == StackPtrTy); assert(BasePointer->getType() == StackPtrTy);
// The top of the unsafe stack after all unsafe static allocas are allocated. AllocaInst *StackGuardSlot = nullptr;
Value *StaticTop = moveStaticAllocasToUnsafeStack(IRB, F, StaticAllocas, // FIXME: implement weaker forms of stack protector.
ByValArguments, Returns, if (F.hasFnAttribute(Attribute::StackProtect) ||
BasePointer); F.hasFnAttribute(Attribute::StackProtectStrong) ||
F.hasFnAttribute(Attribute::StackProtectReq)) {
Value *StackGuard = getStackGuard(IRB, F);
StackGuardSlot = IRB.CreateAlloca(StackPtrTy, nullptr);
IRB.CreateStore(StackGuard, StackGuardSlot);
for (ReturnInst *RI : Returns) {
IRBuilder<> IRBRet(RI);
checkStackGuard(IRBRet, F, *RI, StackGuardSlot, StackGuard);
}
}
// The top of the unsafe stack after all unsafe static allocas are
// allocated.
Value *StaticTop =
pccUnsubmitted
Done
ReplyInline Actions

This line doesn't seem necessary.

pcc: This line doesn't seem necessary.
moveStaticAllocasToUnsafeStack(IRB, F, StaticAllocas, ByValArguments,
Returns, BasePointer, StackGuardSlot);
// Safe stack object that stores the current unsafe stack top. It is updated // Safe stack object that stores the current unsafe stack top. It is updated
// as unsafe dynamic (non-constant-sized) allocas are allocated and freed. // as unsafe dynamic (non-constant-sized) allocas are allocated and freed.
// This is only needed if we need to restore stack pointer after longjmp // This is only needed if we need to restore stack pointer after longjmp
// or exceptions, and we have dynamic allocations. // or exceptions, and we have dynamic allocations.
// FIXME: a better alternative might be to store the unsafe stack pointer // FIXME: a better alternative might be to store the unsafe stack pointer
// before setjmp / invoke instructions. // before setjmp / invoke instructions.
AllocaInst *DynamicTop = createStackRestorePoints( AllocaInst *DynamicTop = createStackRestorePoints(
Show All 27 Lines

lib/CodeGen/StackProtector.cpp

Show First 20 LinesShow All 194 Lines▼ Show 20 Lines
/// strong heuristic will add a guard variables to functions that call alloca /// strong heuristic will add a guard variables to functions that call alloca
/// regardless of size, functions with any buffer regardless of type and size, /// regardless of size, functions with any buffer regardless of type and size,
/// functions with aggregates that contain any buffer regardless of type and /// functions with aggregates that contain any buffer regardless of type and
/// size, and functions that contain stack-based variables that have had their /// size, and functions that contain stack-based variables that have had their
/// address taken. /// address taken.
bool StackProtector::RequiresStackProtector() { bool StackProtector::RequiresStackProtector() {
bool Strong = false; bool Strong = false;
bool NeedsProtector = false; bool NeedsProtector = false;
if (F->hasFnAttribute(Attribute::SafeStack))
return false;
if (F->hasFnAttribute(Attribute::StackProtectReq)) { if (F->hasFnAttribute(Attribute::StackProtectReq)) {
NeedsProtector = true; NeedsProtector = true;
Strong = true; // Use the same heuristic as strong to determine SSPLayout Strong = true; // Use the same heuristic as strong to determine SSPLayout
} else if (F->hasFnAttribute(Attribute::StackProtectStrong)) } else if (F->hasFnAttribute(Attribute::StackProtectStrong))
Strong = true; Strong = true;
else if (!F->hasFnAttribute(Attribute::StackProtect)) else if (!F->hasFnAttribute(Attribute::StackProtect))
return false; return false;
▲ Show 20 LinesShow All 279 LinesShow Last 20 Lines

lib/IR/Attributes.cpp

Show First 20 LinesShow All 1,471 Lines▼ Show 20 Linesstatic void adjustCallerSSPLevel(Function &Caller, const Function &Callee) {
AttrBuilder B; AttrBuilder B;
B.addAttribute(Attribute::StackProtect) B.addAttribute(Attribute::StackProtect)
.addAttribute(Attribute::StackProtectStrong) .addAttribute(Attribute::StackProtectStrong)
.addAttribute(Attribute::StackProtectReq); .addAttribute(Attribute::StackProtectReq);
AttributeSet OldSSPAttr = AttributeSet::get(Caller.getContext(), AttributeSet OldSSPAttr = AttributeSet::get(Caller.getContext(),
AttributeSet::FunctionIndex, AttributeSet::FunctionIndex,
B); B);
if (Callee.hasFnAttribute(Attribute::SafeStack)) { if (Callee.hasFnAttribute(Attribute::StackProtectReq)) {
Caller.removeAttributes(AttributeSet::FunctionIndex, OldSSPAttr);
Caller.addFnAttr(Attribute::SafeStack);
} else if (Callee.hasFnAttribute(Attribute::StackProtectReq) &&
!Caller.hasFnAttribute(Attribute::SafeStack)) {
Caller.removeAttributes(AttributeSet::FunctionIndex, OldSSPAttr); Caller.removeAttributes(AttributeSet::FunctionIndex, OldSSPAttr);
Caller.addFnAttr(Attribute::StackProtectReq); Caller.addFnAttr(Attribute::StackProtectReq);
} else if (Callee.hasFnAttribute(Attribute::StackProtectStrong) && } else if (Callee.hasFnAttribute(Attribute::StackProtectStrong) &&
!Caller.hasFnAttribute(Attribute::SafeStack) &&
!Caller.hasFnAttribute(Attribute::StackProtectReq)) { !Caller.hasFnAttribute(Attribute::StackProtectReq)) {
Caller.removeAttributes(AttributeSet::FunctionIndex, OldSSPAttr); Caller.removeAttributes(AttributeSet::FunctionIndex, OldSSPAttr);
Caller.addFnAttr(Attribute::StackProtectStrong); Caller.addFnAttr(Attribute::StackProtectStrong);
} else if (Callee.hasFnAttribute(Attribute::StackProtect) && } else if (Callee.hasFnAttribute(Attribute::StackProtect) &&
!Caller.hasFnAttribute(Attribute::SafeStack) &&
!Caller.hasFnAttribute(Attribute::StackProtectReq) && !Caller.hasFnAttribute(Attribute::StackProtectReq) &&
!Caller.hasFnAttribute(Attribute::StackProtectStrong)) !Caller.hasFnAttribute(Attribute::StackProtectStrong))
Caller.addFnAttr(Attribute::StackProtect); Caller.addFnAttr(Attribute::StackProtect);
} }
#define GET_ATTR_COMPAT_FUNC #define GET_ATTR_COMPAT_FUNC
#include "AttributesCompatFunc.inc" #include "AttributesCompatFunc.inc"
Show All 10 Lines

test/CodeGen/X86/safestack_ssp.ll

  • This file was added.
; RUN: llc -mtriple=i386-linux < %s -o - | FileCheck --check-prefix=LINUX-I386 %s
; RUN: llc -mtriple=x86_64-linux < %s -o - | FileCheck --check-prefix=LINUX-X64 %s
pccUnsubmitted
Not Done
ReplyInline Actions

Why is this a backend test rather than an opt test?

pcc: Why is this a backend test rather than an opt test?
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

Do you want me to remove it? I think it is useful as-is. I've added more opt tests.

eugenis: Do you want me to remove it? I think it is useful as-is. I've added more opt tests.
pccUnsubmitted
Not Done
ReplyInline Actions

Well, I mainly wanted you to tell me why you made this a backend test :) We don't normally test passes this way.

Anyway, if you're just trying to provide test coverage for the codegen pipeline, it looks like the existing test test/CodeGen/X86/safestack.ll is already covering that, so unless you have another reason to keep this test, it seems redundant with the opt tests you added.

pcc: Well, I mainly wanted you to tell me why you made this a backend test :) We don't normally test…
eugenisAuthorUnsubmitted
Not Done
ReplyInline Actions

test/CodeGen/X86/safestack.ll does not cover the stack protector cookie code.

No other tests verify that StackProtector and SafeStack passes do not apply to the same function.

eugenis: test/CodeGen/X86/safestack.ll does not cover the stack protector cookie code. No other tests…
pccUnsubmitted
Not Done
ReplyInline Actions

Okay, seems reasonable enough to me. Please add a comment explaining why this is a backend test.

pcc: Okay, seems reasonable enough to me. Please add a comment explaining why this is a backend test.
define void @_Z1fv() safestack sspreq {
entry:
%x = alloca i32, align 4
%0 = bitcast i32* %x to i8*
call void @_Z7CapturePi(i32* nonnull %x)
ret void
}
declare void @_Z7CapturePi(i32*)
; LINUX-X64-DAG: movq __safestack_unsafe_stack_ptr@GOTTPOFF(%rip), %[[A:.*]]
; LINUX-X64-DAG: movq %fs:(%[[A]]), %[[B:.*]]
; LINUX-X64-DAG: movq %fs:40, %[[COOKIE:.*]]
; LINUX-X64-DAG: leaq -16(%[[B]]), %[[C:.*]]
; LINUX-X64-DAG: movq %[[C]], %fs:(%[[A]])
; LINUX-X64-DAG: movq %[[COOKIE]], -8(%[[B]])
; LINUX-I386-DAG: movl __safestack_unsafe_stack_ptr@INDNTPOFF, %[[A:.*]]
; LINUX-I386-DAG: movl %gs:(%[[A]]), %[[B:.*]]
; LINUX-I386-DAG: movl %gs:20, %[[COOKIE:.*]]
; LINUX-I386-DAG: leal -16(%[[B]]), %[[C:.*]]
; LINUX-I386-DAG: movl %[[C]], %gs:(%[[A]])
; LINUX-I386-DAG: movl %[[COOKIE]], -4(%[[B]])

test/Transforms/SafeStack/AArch64/abi_ssp.ll

  • This file was added.
; RUN: opt -safe-stack -S -mtriple=aarch64-linux-android < %s -o - | FileCheck --check-prefix=TLS %s
define void @foo() nounwind uwtable safestack sspreq {
entry:
; The first @llvm.aarch64.thread.pointer is for the unsafe stack pointer, skip it.
; TLS: call i8* @llvm.aarch64.thread.pointer()
; TLS: %[[TP2:.*]] = call i8* @llvm.aarch64.thread.pointer()
; TLS: %[[B:.*]] = getelementptr i8, i8* %[[TP2]], i32 40
; TLS: %[[C:.*]] = bitcast i8* %[[B]] to i8**
; TLS: %[[StackGuard:.*]] = load i8*, i8** %[[C]]
; TLS: store i8* %[[StackGuard]], i8** %[[StackGuardSlot:.*]]
%a = alloca i128, align 16
call void @Capture(i128* %a)
; TLS: %[[A:.*]] = load i8*, i8** %[[StackGuardSlot]]
; TLS: icmp ne i8* %[[StackGuard]], %[[A]]
ret void
}
declare void @Capture(i128*)

test/Transforms/SafeStack/X86/abi_ssp.ll

  • This file was added.
; RUN: opt -safe-stack -S -mtriple=i686-pc-linux-gnu < %s -o - | FileCheck --check-prefix=TLS --check-prefix=TLS32 %s
; RUN: opt -safe-stack -S -mtriple=x86_64-pc-linux-gnu < %s -o - | FileCheck --check-prefix=TLS --check-prefix=TLS64 %s
; RUN: opt -safe-stack -S -mtriple=i686-linux-android < %s -o - | FileCheck --check-prefix=TLS --check-prefix=TLS32 %s
; RUN: opt -safe-stack -S -mtriple=x86_64-linux-android < %s -o - | FileCheck --check-prefix=TLS --check-prefix=TLS64 %s
define void @foo() safestack sspreq {
entry:
; TLS32: %[[StackGuard:.*]] = load i8*, i8* addrspace(256)* inttoptr (i32 20 to i8* addrspace(256)*)
; TLS64: %[[StackGuard:.*]] = load i8*, i8* addrspace(257)* inttoptr (i32 40 to i8* addrspace(257)*)
; TLS: store i8* %[[StackGuard]], i8** %[[StackGuardSlot:.*]]
%a = alloca i8, align 1
call void @Capture(i8* %a)
; TLS: %[[A:.*]] = load i8*, i8** %[[StackGuardSlot]]
; TLS: icmp ne i8* %[[StackGuard]], %[[A]]
ret void
}
declare void @Capture(i8*)

test/Transforms/SafeStack/X86/ssp.ll

  • This file was added.
; RUN: opt -safe-stack -S -mtriple=x86_64-unknown < %s -o - | FileCheck %s
define void @foo() safestack sspreq {
entry:
; CHECK: %[[USP:.*]] = load i8*, i8** @__safestack_unsafe_stack_ptr
; CHECK: %[[USST:.*]] = getelementptr i8, i8* %[[USP]], i32 -16
; CHECK: store i8* %[[USST]], i8** @__safestack_unsafe_stack_ptr
; CHECK: %[[A:.*]] = getelementptr i8, i8* %[[USP]], i32 -8
; CHECK: %[[StackGuardSlot:.*]] = bitcast i8* %[[A]] to i8**
; CHECK: %[[StackGuard:.*]] = load i8*, i8** @__stack_chk_guard
; CHECK: store i8* %[[StackGuard]], i8** %[[StackGuardSlot]]
%a = alloca i8, align 1
; CHECK: call void @Capture
call void @Capture(i8* %a)
; CHECK: %[[B:.*]] = load i8*, i8** %[[StackGuardSlot]]
; CHECK: %[[COND:.*]] = icmp ne i8* %[[StackGuard]], %[[B]]
; CHECK: br i1 %[[COND]], {{.*}} !prof
; CHECK: call void @__stack_chk_fail()
; CHECK-NEXT: unreachable
; CHECK: store i8* %[[USP]], i8** @__safestack_unsafe_stack_ptr
; CHECK-NEXT: ret void
ret void
}
declare void @Capture(i8*)