This is an archive of the discontinued LLVM Phabricator instance.

Differential D23312

[Thumb] Validate branch target for CBZ/CBNZ instructions.
ClosedPublic

Authored by prakhar on Aug 9 2016, 5:27 AM.

Details

Reviewers
rengolin
t.p.northover
olista01
Commits
rG15ed7ec5aab8: [Thumb] Validate branch target for CBZ/CBNZ instructions.
rGa305a435a656: [Thumb] Validate branch target for CBZ/CBNZ instructions.
rL278788: [Thumb] Validate branch target for CBZ/CBNZ instructions.
rL278659: [Thumb] Validate branch target for CBZ/CBNZ instructions.
Summary

The assembler currently does not check the branch target for CBZ/CBNZ
instructions, which only permit branching forwards with a positive offset. This
adds validation for the branch target to ensure negative PC-relative offsets are
not encoded into the instruction, whether specified as a literal or as an
assembler symbol.

Diff Detail

Repository
rL LLVM

Event Timeline

prakhar updated this revision to Diff 67323.Aug 9 2016, 5:27 AM
prakhar retitled this revision from to [Thumb] Validate branch target for CBZ/CBNZ instructions..
prakhar updated this object.
prakhar added reviewers: rengolin, t.p.northover.
prakhar added a subscriber: llvm-commits.
Herald added a subscriber: rengolin. · View Herald TranscriptAug 9 2016, 5:27 AM
prakhar set the repository for this revision to rL LLVM.Aug 9 2016, 5:37 AM
olista01 added a subscriber: olista01.Aug 9 2016, 5:40 AM
olista01 added inline comments.
lib/Target/ARM/AsmParser/ARMAsmParser.cpp
863 ↗(On Diff #67323)

Why don't you use isUnsignedOffset, which would also check the upper limit and alignment?

lib/Target/ARM/MCTargetDesc/ARMAsmBackend.cpp
582 ↗(On Diff #67323)

We should also check the upper bound and alignment here.

prakhar updated this revision to Diff 67331.Aug 9 2016, 6:52 AM
prakhar marked an inline comment as done.

Use isUnsignedOffset() directly and add upper bound checking with tests.

prakhar marked an inline comment as done.Aug 9 2016, 6:54 AM
olista01 added inline comments.Aug 9 2016, 7:34 AM
lib/Target/ARM/AsmParser/ARMAsmParser.cpp
6689 ↗(On Diff #67331)

These instructions accept a 6-bit immediate (shifted by one bit), not 5-bit. This should allow all even numbers in the range 0 to 126 (inclusive at both ends).

lib/Target/ARM/MCTargetDesc/ARMAsmBackend.cpp
582 ↗(On Diff #67331)

We should also be checking that the low bit is clear (and see my comment above about the immediate being 6 bits).

test/MC/ARM/thumb-diagnostics.s
241 ↗(On Diff #67331)

It would be better to test as close to the bounds as possible, and add some tests for valid immediates close to the boundary. I think these should cover it:
-2 (invalid)
0 (lowest valid)
17 (invalid due to alignment)
126 (highest valid)
128 (invalid)

prakhar updated this revision to Diff 67495.Aug 10 2016, 3:05 AM

Immediate operand is 6 bits and should have cleared LSB.

prakhar marked 3 inline comments as done.Aug 10 2016, 3:51 AM
olista01 accepted this revision.Aug 12 2016, 5:42 AM
olista01 added a reviewer: olista01.

LGTM

This revision is now accepted and ready to land.Aug 12 2016, 5:42 AM
Closed by commit rL278659: [Thumb] Validate branch target for CBZ/CBNZ instructions. (authored by prakhar). · Explain WhyAug 15 2016, 1:05 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Target/
ARM/
AsmParser/
6 lines
MCTargetDesc/
5 lines
test/
MC/
ARM/
19 lines
17 lines

Diff 68000

llvm/trunk/lib/Target/ARM/AsmParser/ARMAsmParser.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 6,678 Lines▼ Show 20 Lines if (!static_cast<ARMOperand &>(*Operands[2]).isSignedOffset<8, 1>())
return Error(Operands[2]->getStartLoc(), "branch target out of range"); return Error(Operands[2]->getStartLoc(), "branch target out of range");
break; break;
case ARM::t2Bcc: { case ARM::t2Bcc: {
int Op = (Operands[2]->isImm()) ? 2 : 3; int Op = (Operands[2]->isImm()) ? 2 : 3;
if (!static_cast<ARMOperand &>(*Operands[Op]).isSignedOffset<20, 1>()) if (!static_cast<ARMOperand &>(*Operands[Op]).isSignedOffset<20, 1>())
return Error(Operands[Op]->getStartLoc(), "branch target out of range"); return Error(Operands[Op]->getStartLoc(), "branch target out of range");
break; break;
} }
case ARM::tCBZ:
case ARM::tCBNZ: {
if (!static_cast<ARMOperand &>(*Operands[2]).isUnsignedOffset<6, 1>())
return Error(Operands[2]->getStartLoc(), "branch target out of range");
break;
}
case ARM::MOVi16: case ARM::MOVi16:
case ARM::t2MOVi16: case ARM::t2MOVi16:
case ARM::t2MOVTi16: case ARM::t2MOVTi16:
{ {
// We want to avoid misleadingly allowing something like "mov r0, <symbol>" // We want to avoid misleadingly allowing something like "mov r0, <symbol>"
// especially when we turn it into a movw and the expression <symbol> does // especially when we turn it into a movw and the expression <symbol> does
// not have a :lower16: or :upper16 as part of the expression. We don't // not have a :lower16: or :upper16 as part of the expression. We don't
// want the behavior of silently truncating, which can be unexpected and // want the behavior of silently truncating, which can be unexpected and
▲ Show 20 LinesShow All 3,902 LinesShow Last 20 Lines

llvm/trunk/lib/Target/ARM/MCTargetDesc/ARMAsmBackend.cpp

Show First 20 LinesShow All 572 Lines▼ Show 20 Lines if (Ctx && !STI->getFeatureBits()[ARM::FeatureThumb2] && IsResolved) {
if (FixupDiagnostic) { if (FixupDiagnostic) {
Ctx->reportError(Fixup.getLoc(), FixupDiagnostic); Ctx->reportError(Fixup.getLoc(), FixupDiagnostic);
return 0; return 0;
} }
} }
// Offset by 4, and don't encode the low two bits. // Offset by 4, and don't encode the low two bits.
return ((Value - 4) >> 2) & 0xff; return ((Value - 4) >> 2) & 0xff;
case ARM::fixup_arm_thumb_cb: { case ARM::fixup_arm_thumb_cb: {
// CB instructions can only branch to offsets in [0, 126] in multiples of 2
if (Ctx && ((int64_t)Value < 0 || Value > 0x3e || Value & 1)) {
Ctx->reportError(Fixup.getLoc(), "out of range pc-relative fixup value");
return 0;
}
// Offset by 4 and don't encode the lower bit, which is always 0. // Offset by 4 and don't encode the lower bit, which is always 0.
// FIXME: diagnose if no Thumb2 // FIXME: diagnose if no Thumb2
uint32_t Binary = (Value - 4) >> 1; uint32_t Binary = (Value - 4) >> 1;
return ((Binary & 0x20) << 4) | ((Binary & 0x1f) << 3); return ((Binary & 0x20) << 4) | ((Binary & 0x1f) << 3);
} }
case ARM::fixup_arm_thumb_br: case ARM::fixup_arm_thumb_br:
// Offset by 4 and don't encode the lower bit, which is always 0. // Offset by 4 and don't encode the lower bit, which is always 0.
if (Ctx && !STI->getFeatureBits()[ARM::FeatureThumb2] && if (Ctx && !STI->getFeatureBits()[ARM::FeatureThumb2] &&
▲ Show 20 LinesShow All 571 LinesShow Last 20 Lines

llvm/trunk/test/MC/ARM/thumb-cb-negative-offsets.s

@ RUN: not llvm-mc -triple thumbv7m-none-eabi -filetype=obj -o /dev/null %s 2>&1 | FileCheck %s
@ RUN: not llvm-mc -triple thumbv8m.base-none-eabi -filetype=obj -o /dev/null %s 2>&1 | FileCheck %s
label0:
.word 4
@ CHECK: out of range pc-relative fixup value
cbz r0, label0
@ CHECK: out of range pc-relative fixup value
cbnz r0, label0
@ CHECK: out of range pc-relative fixup value
cbz r0, label1
@ CHECK: out of range pc-relative fixup value
cbnz r0, label1
.space 1000
label1:
.word 4

llvm/trunk/test/MC/ARM/thumb-diagnostics.s

Show First 20 LinesShow All 229 Lines▼ Show 20 Lines
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@ CHECK-ERRORS: error: branch target out of range @ CHECK-ERRORS: error: branch target out of range
@------------------------------------------------------------------------------ @------------------------------------------------------------------------------
@ CBZ/CBNZ - out of range immediates for branches
@------------------------------------------------------------------------------
cbz r0, #-2
cbz r0, #0
cbz r0, #17
cbnz r0, #126
cbnz r0, #128
@ CHECK-ERRORS-V7M: error: branch target out of range
@ CHECK-ERRORS-V7M: error: invalid operand for instruction
@ CHECK-ERRORS-V7M: error: branch target out of range
@ CHECK-ERRORS-V8: error: branch target out of range
@ CHECK-ERRORS-V8: error: invalid operand for instruction
@ CHECK-ERRORS-V8: error: branch target out of range
@------------------------------------------------------------------------------
@ SEV/WFE/WFI/YIELD - are not supported pre v6M or v6T2 @ SEV/WFE/WFI/YIELD - are not supported pre v6M or v6T2
@------------------------------------------------------------------------------ @------------------------------------------------------------------------------
sev sev
wfe wfe
wfi wfi
yield yield
@ CHECK-ERRORS: error: instruction requires: armv6m or armv6t2 @ CHECK-ERRORS: error: instruction requires: armv6m or armv6t2
Show All 36 Lines