This is an archive of the discontinued LLVM Phabricator instance.

Differential D23312

[Thumb] Validate branch target for CBZ/CBNZ instructions.
ClosedPublic

Authored by prakhar on Aug 9 2016, 5:27 AM.

Details

Reviewers
rengolin
t.p.northover
olista01
Commits
rG15ed7ec5aab8: [Thumb] Validate branch target for CBZ/CBNZ instructions.
rGa305a435a656: [Thumb] Validate branch target for CBZ/CBNZ instructions.
rL278788: [Thumb] Validate branch target for CBZ/CBNZ instructions.
rL278659: [Thumb] Validate branch target for CBZ/CBNZ instructions.
Summary

The assembler currently does not check the branch target for CBZ/CBNZ
instructions, which only permit branching forwards with a positive offset. This
adds validation for the branch target to ensure negative PC-relative offsets are
not encoded into the instruction, whether specified as a literal or as an
assembler symbol.

Diff Detail

Event Timeline

prakhar updated this revision to Diff 67323.Aug 9 2016, 5:27 AM
prakhar retitled this revision from to [Thumb] Validate branch target for CBZ/CBNZ instructions..
prakhar updated this object.
prakhar added reviewers: rengolin, t.p.northover.
prakhar added a subscriber: llvm-commits.
Herald added a subscriber: rengolin. · View Herald TranscriptAug 9 2016, 5:27 AM
prakhar set the repository for this revision to rL LLVM.Aug 9 2016, 5:37 AM
olista01 added a subscriber: olista01.Aug 9 2016, 5:40 AM
olista01 added inline comments.
lib/Target/ARM/AsmParser/ARMAsmParser.cpp
863

Why don't you use isUnsignedOffset, which would also check the upper limit and alignment?

lib/Target/ARM/MCTargetDesc/ARMAsmBackend.cpp
582

We should also check the upper bound and alignment here.

prakhar updated this revision to Diff 67331.Aug 9 2016, 6:52 AM
prakhar marked an inline comment as done.

Use isUnsignedOffset() directly and add upper bound checking with tests.

prakhar marked an inline comment as done.Aug 9 2016, 6:54 AM
olista01 added inline comments.Aug 9 2016, 7:34 AM
lib/Target/ARM/AsmParser/ARMAsmParser.cpp
6689

These instructions accept a 6-bit immediate (shifted by one bit), not 5-bit. This should allow all even numbers in the range 0 to 126 (inclusive at both ends).

lib/Target/ARM/MCTargetDesc/ARMAsmBackend.cpp
582

We should also be checking that the low bit is clear (and see my comment above about the immediate being 6 bits).

test/MC/ARM/thumb-diagnostics.s
241

It would be better to test as close to the bounds as possible, and add some tests for valid immediates close to the boundary. I think these should cover it:
-2 (invalid)
0 (lowest valid)
17 (invalid due to alignment)
126 (highest valid)
128 (invalid)

prakhar updated this revision to Diff 67495.Aug 10 2016, 3:05 AM

Immediate operand is 6 bits and should have cleared LSB.

prakhar marked 3 inline comments as done.Aug 10 2016, 3:51 AM
olista01 accepted this revision.Aug 12 2016, 5:42 AM
olista01 added a reviewer: olista01.

LGTM

This revision is now accepted and ready to land.Aug 12 2016, 5:42 AM
Closed by commit rL278659: [Thumb] Validate branch target for CBZ/CBNZ instructions. (authored by prakhar). · Explain WhyAug 15 2016, 1:05 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
Target/
ARM/
AsmParser/
6 lines
MCTargetDesc/
5 lines
test/
MC/
ARM/
19 lines
17 lines

Diff 67495

lib/Target/ARM/AsmParser/ARMAsmParser.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 854 Lines▼ Show 20 Linespublic:
bool isThumbBranchTarget() const { bool isThumbBranchTarget() const {
if (!isImm()) return false; if (!isImm()) return false;
if (const MCConstantExpr *CE = dyn_cast<MCConstantExpr>(getImm())) if (const MCConstantExpr *CE = dyn_cast<MCConstantExpr>(getImm()))
return CE->getValue() % 2 == 0; return CE->getValue() % 2 == 0;
return true; return true;
} }
// checks whether this operand is an unsigned offset which fits is a field // checks whether this operand is an unsigned offset which fits is a field
olista01Unsubmitted
Done
ReplyInline Actions

Why don't you use isUnsignedOffset, which would also check the upper limit and alignment?

olista01: Why don't you use isUnsignedOffset, which would also check the upper limit and alignment?
// of specified width and scaled by a specific number of bits // of specified width and scaled by a specific number of bits
template<unsigned width, unsigned scale> template<unsigned width, unsigned scale>
bool isUnsignedOffset() const { bool isUnsignedOffset() const {
if (!isImm()) return false; if (!isImm()) return false;
if (isa<MCSymbolRefExpr>(Imm.Val)) return true; if (isa<MCSymbolRefExpr>(Imm.Val)) return true;
if (const MCConstantExpr *CE = dyn_cast<MCConstantExpr>(Imm.Val)) { if (const MCConstantExpr *CE = dyn_cast<MCConstantExpr>(Imm.Val)) {
int64_t Val = CE->getValue(); int64_t Val = CE->getValue();
int64_t Align = 1LL << scale; int64_t Align = 1LL << scale;
▲ Show 20 LinesShow All 5,807 Lines▼ Show 20 Lines if (!static_cast<ARMOperand &>(*Operands[2]).isSignedOffset<8, 1>())
return Error(Operands[2]->getStartLoc(), "branch target out of range"); return Error(Operands[2]->getStartLoc(), "branch target out of range");
break; break;
case ARM::t2Bcc: { case ARM::t2Bcc: {
int Op = (Operands[2]->isImm()) ? 2 : 3; int Op = (Operands[2]->isImm()) ? 2 : 3;
if (!static_cast<ARMOperand &>(*Operands[Op]).isSignedOffset<20, 1>()) if (!static_cast<ARMOperand &>(*Operands[Op]).isSignedOffset<20, 1>())
return Error(Operands[Op]->getStartLoc(), "branch target out of range"); return Error(Operands[Op]->getStartLoc(), "branch target out of range");
break; break;
} }
case ARM::tCBZ:
case ARM::tCBNZ: {
if (!static_cast<ARMOperand &>(*Operands[2]).isUnsignedOffset<6, 1>())
olista01Unsubmitted
Done
ReplyInline Actions

These instructions accept a 6-bit immediate (shifted by one bit), not 5-bit. This should allow all even numbers in the range 0 to 126 (inclusive at both ends).

olista01: These instructions accept a 6-bit immediate (shifted by one bit), not 5-bit. This should allow…
return Error(Operands[2]->getStartLoc(), "branch target out of range");
break;
}
case ARM::MOVi16: case ARM::MOVi16:
case ARM::t2MOVi16: case ARM::t2MOVi16:
case ARM::t2MOVTi16: case ARM::t2MOVTi16:
{ {
// We want to avoid misleadingly allowing something like "mov r0, <symbol>" // We want to avoid misleadingly allowing something like "mov r0, <symbol>"
// especially when we turn it into a movw and the expression <symbol> does // especially when we turn it into a movw and the expression <symbol> does
// not have a :lower16: or :upper16 as part of the expression. We don't // not have a :lower16: or :upper16 as part of the expression. We don't
// want the behavior of silently truncating, which can be unexpected and // want the behavior of silently truncating, which can be unexpected and
▲ Show 20 LinesShow All 3,902 LinesShow Last 20 Lines

lib/Target/ARM/MCTargetDesc/ARMAsmBackend.cpp

Show First 20 LinesShow All 572 Lines▼ Show 20 Lines if (Ctx && !STI->getFeatureBits()[ARM::FeatureThumb2] && IsResolved) {
if (FixupDiagnostic) { if (FixupDiagnostic) {
Ctx->reportError(Fixup.getLoc(), FixupDiagnostic); Ctx->reportError(Fixup.getLoc(), FixupDiagnostic);
return 0; return 0;
} }
} }
// Offset by 4, and don't encode the low two bits. // Offset by 4, and don't encode the low two bits.
return ((Value - 4) >> 2) & 0xff; return ((Value - 4) >> 2) & 0xff;
case ARM::fixup_arm_thumb_cb: { case ARM::fixup_arm_thumb_cb: {
// CB instructions can only branch to offsets in [0, 126] in multiples of 2
if (Ctx && ((int64_t)Value < 0 || Value > 0x3e || Value & 1)) {
olista01Unsubmitted
Done
ReplyInline Actions

We should also check the upper bound and alignment here.

olista01: We should also check the upper bound and alignment here.
olista01Unsubmitted
Done
ReplyInline Actions

We should also be checking that the low bit is clear (and see my comment above about the immediate being 6 bits).

olista01: We should also be checking that the low bit is clear (and see my comment above about the…
Ctx->reportError(Fixup.getLoc(), "out of range pc-relative fixup value");
return 0;
}
// Offset by 4 and don't encode the lower bit, which is always 0. // Offset by 4 and don't encode the lower bit, which is always 0.
// FIXME: diagnose if no Thumb2 // FIXME: diagnose if no Thumb2
uint32_t Binary = (Value - 4) >> 1; uint32_t Binary = (Value - 4) >> 1;
return ((Binary & 0x20) << 4) | ((Binary & 0x1f) << 3); return ((Binary & 0x20) << 4) | ((Binary & 0x1f) << 3);
} }
case ARM::fixup_arm_thumb_br: case ARM::fixup_arm_thumb_br:
// Offset by 4 and don't encode the lower bit, which is always 0. // Offset by 4 and don't encode the lower bit, which is always 0.
if (Ctx && !STI->getFeatureBits()[ARM::FeatureThumb2] && if (Ctx && !STI->getFeatureBits()[ARM::FeatureThumb2] &&
▲ Show 20 LinesShow All 571 LinesShow Last 20 Lines

test/MC/ARM/thumb-cb-negative-offsets.s

  • This file was added.
@ RUN: not llvm-mc -triple thumbv7m-none-eabi -filetype=obj -o /dev/null %s 2>&1 | FileCheck %s
@ RUN: not llvm-mc -triple thumbv8m.base-none-eabi -filetype=obj -o /dev/null %s 2>&1 | FileCheck %s
label0:
.word 4
@ CHECK: out of range pc-relative fixup value
cbz r0, label0
@ CHECK: out of range pc-relative fixup value
cbnz r0, label0
@ CHECK: out of range pc-relative fixup value
cbz r0, label1
@ CHECK: out of range pc-relative fixup value
cbnz r0, label1
.space 1000
label1:
.word 4

test/MC/ARM/thumb-diagnostics.s

Show First 20 LinesShow All 229 Lines▼ Show 20 Lines
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@------------------------------------------------------------------------------ @------------------------------------------------------------------------------
@ CBZ/CBNZ - out of range immediates for branches
@------------------------------------------------------------------------------
cbz r0, #-2
olista01Unsubmitted
Done
ReplyInline Actions

It would be better to test as close to the bounds as possible, and add some tests for valid immediates close to the boundary. I think these should cover it:
-2 (invalid)
0 (lowest valid)
17 (invalid due to alignment)
126 (highest valid)
128 (invalid)

olista01: It would be better to test as close to the bounds as possible, and add some tests for valid…
cbz r0, #0
cbz r0, #17
cbnz r0, #126
cbnz r0, #128
@ CHECK-ERRORS-V7M: error: branch target out of range
@ CHECK-ERRORS-V7M: error: invalid operand for instruction
@ CHECK-ERRORS-V7M: error: branch target out of range
@ CHECK-ERRORS-V8: error: branch target out of range
@ CHECK-ERRORS-V8: error: invalid operand for instruction
@ CHECK-ERRORS-V8: error: branch target out of range
@------------------------------------------------------------------------------
@ SEV/WFE/WFI/YIELD - are not supported pre v6M or v6T2 @ SEV/WFE/WFI/YIELD - are not supported pre v6M or v6T2
@------------------------------------------------------------------------------ @------------------------------------------------------------------------------
sev sev
wfe wfe
wfi wfi
yield yield
@ CHECK-ERRORS: error: instruction requires: armv6m or armv6t2 @ CHECK-ERRORS: error: instruction requires: armv6m or armv6t2
Show All 36 Lines