This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/CodeGen/
-
CodeGen/
5/11
CGExpr.cpp
-
CodeGenFunction.h
-
CodeGenModule.cpp
-
test/CodeGen/
-
CodeGen/
-
cfi-check-fail.c

Differential D31796

[cfi] Emit __cfi_check stub in the frontend
ClosedPublic

Authored by eugenis on Apr 6 2017, 4:22 PM.

Download Raw Diff

Details

Reviewers

pcc

Summary

Previously cfi_check was created in LTO optimization pipeline, which
means LLD has no way of knowing about the existence of this symbol
without rescanning the LTO output object. As a result, LLD fails to
export cfi_check, even when given --export-dynamic-symbol flag.

Diff Detail

Repository: rL LLVM

Event Timeline

eugenis created this revision.Apr 6 2017, 4:22 PM

Herald added a subscriber: mehdi_amini. · View Herald TranscriptApr 6 2017, 4:22 PM

pcc added inline comments.Apr 6 2017, 4:57 PM

lib/CodeGen/CGExpr.cpp
2786	Please add a comment explaining why we are creating this function.
2788	What will happen in the CrossDSOCFI pass if it is given a module with this function definition? It looks like it will append its basic blocks to the end of the definition. Because the entry block you are creating here returns immediately, all of the blocks it adds will be unreachable. Probably the easiest thing to do is to change CrossDSOCFI to replace any `__cfi_check` definition it sees with its own definition.
2790	Although this linkage may prevent inlining for now, we may in the future change the LTO implementation to promote weak functions to strong if the linker knows that a particular definition of a symbol is the final definition for the symbol. That will mean that this dummy definition may be inlined into callers. This is a largely theoretical problem because we never create a direct call to the `__cfi_check` function. But if we wanted to fix this I can imagine creating an intrinsic that the CrossDSOCFI pass expands to the definition of `__cfi_check`.
2885	remove this line

eugenis added inline comments.Apr 6 2017, 5:46 PM

lib/CodeGen/CGExpr.cpp
2788	Yes, I've not uploaded the llvm patch yet, but it's a one liner: F->deleteBody(); after locating or creating __cfi_check.
2790	Do you mean "expands to a call to cfi_check"? We do need to have a definition of cfi_check before CrossDSOCFI for the linker.

pcc added inline comments.Apr 6 2017, 5:54 PM

lib/CodeGen/CGExpr.cpp
2788	I suppose that would work for now, but what the CrossDSOCFI pass is doing seems a little hackish because it will crash if the type of the existing definition (or declaration) does not exactly match the expected type.
2790	I mean basically that Clang would create a definition like this: define void @__cfi_check(i64 %0, i8* %1, i8* %2) { call void @llvm.cfi_check(i64 %0, i8* %1, i8* %2) ret void } and CrossDSOCFI would find all calls to `@llvm.cfi_check` and replace them with the code that the pass currently generates as the body of `__cfi_check`.

eugenis added inline comments.Apr 6 2017, 5:58 PM

lib/CodeGen/CGExpr.cpp
2790	Ah, that definitely makes sense. Let's mention this in a comment for now.

pcc added inline comments.Apr 6 2017, 6:01 PM

lib/CodeGen/CGExpr.cpp
2790	Works for me.

eugenis updated this revision to Diff 94467.Apr 6 2017, 6:02 PM

eugenis marked 4 inline comments as done.

LGTM

lib/CodeGen/CGExpr.cpp
2798	I would terminate this definition in an llvm.trap so that the program will crash if this definition were to survive LTO for some reason.

This revision is now accepted and ready to land.Apr 6 2017, 6:08 PM

eugenis updated this revision to Diff 94567.Apr 7 2017, 2:29 PM

eugenis marked an inline comment as done.

r299806
Thanks for the review!

Revision Contents

Path

Size

lib/

CodeGen/

CGExpr.cpp

18 lines

CodeGenFunction.h

3 lines

CodeGenModule.cpp

4 lines

test/

CodeGen/

cfi-check-fail.c

5 lines

Diff 94567

lib/CodeGen/CGExpr.cpp

Show First 20 Lines • Show All 2,777 Lines • ▼ Show 20 Lines	if (WithDiag) {
CheckCall = Builder.CreateCall(SlowPathFn, {TypeId, Ptr});		CheckCall = Builder.CreateCall(SlowPathFn, {TypeId, Ptr});
}		}

CheckCall->setDoesNotThrow();		CheckCall->setDoesNotThrow();

EmitBlock(Cont);		EmitBlock(Cont);
}		}

		// Emit a stub for __cfi_check function so that the linker knows about this
		pccUnsubmitted Done Reply Inline Actions Please add a comment explaining why we are creating this function. pcc: Please add a comment explaining why we are creating this function.
		// symbol in LTO mode.
		void CodeGenFunction::EmitCfiCheckStub() {
		pccUnsubmitted Not Done Reply Inline Actions What will happen in the CrossDSOCFI pass if it is given a module with this function definition? It looks like it will append its basic blocks to the end of the definition. Because the entry block you are creating here returns immediately, all of the blocks it adds will be unreachable. Probably the easiest thing to do is to change CrossDSOCFI to replace any `__cfi_check` definition it sees with its own definition. pcc: What will happen in the CrossDSOCFI pass if it is given a module with this function definition?
		eugenisAuthorUnsubmitted Not Done Reply Inline Actions Yes, I've not uploaded the llvm patch yet, but it's a one liner: F->deleteBody(); after locating or creating __cfi_check. eugenis: Yes, I've not uploaded the llvm patch yet, but it's a one liner: F->deleteBody(); after…
		pccUnsubmitted Done Reply Inline Actions I suppose that would work for now, but what the CrossDSOCFI pass is doing seems a little hackish because it will crash if the type of the existing definition (or declaration) does not exactly match the expected type. pcc: I suppose that would work for now, but what the CrossDSOCFI pass is doing seems a little…
		llvm::Module *M = &CGM.getModule();
		auto &Ctx = M->getContext();
		pccUnsubmitted Not Done Reply Inline Actions Although this linkage may prevent inlining for now, we may in the future change the LTO implementation to promote weak functions to strong if the linker knows that a particular definition of a symbol is the final definition for the symbol. That will mean that this dummy definition may be inlined into callers. This is a largely theoretical problem because we never create a direct call to the `__cfi_check` function. But if we wanted to fix this I can imagine creating an intrinsic that the CrossDSOCFI pass expands to the definition of `__cfi_check`. pcc: Although this linkage may prevent inlining for now, we may in the future change the LTO…
		eugenisAuthorUnsubmitted Not Done Reply Inline Actions Do you mean "expands to a call to cfi_check"? We do need to have a definition of cfi_check before CrossDSOCFI for the linker. eugenis: Do you mean "expands to a call to __cfi_check"? We do need to have a definition of __cfi_check…
		pccUnsubmitted Not Done Reply Inline Actions I mean basically that Clang would create a definition like this: define void @__cfi_check(i64 %0, i8* %1, i8* %2) { call void @llvm.cfi_check(i64 %0, i8* %1, i8* %2) ret void } and CrossDSOCFI would find all calls to `@llvm.cfi_check` and replace them with the code that the pass currently generates as the body of `__cfi_check`. pcc: I mean basically that Clang would create a definition like this: ``` define void @__cfi_check…
		eugenisAuthorUnsubmitted Done Reply Inline Actions Ah, that definitely makes sense. Let's mention this in a comment for now. eugenis: Ah, that definitely makes sense. Let's mention this in a comment for now.
		pccUnsubmitted Not Done Reply Inline Actions Works for me. pcc: Works for me.
		llvm::Function *F = llvm::Function::Create(
		llvm::FunctionType::get(VoidTy, {Int64Ty, Int8PtrTy, Int8PtrTy}, false),
		llvm::GlobalValue::WeakAnyLinkage, "__cfi_check", M);
		llvm::BasicBlock *BB = llvm::BasicBlock::Create(Ctx, "entry", F);
		// FIXME: consider emitting an intrinsic call like
		// call void @llvm.cfi_check(i64 %0, i8* %1, i8* %2)
		// which can be lowered in CrossDSOCFI pass to the actual contents of
		// __cfi_check. This would allow inlining of __cfi_check calls.
		pccUnsubmitted Done Reply Inline Actions I would terminate this definition in an llvm.trap so that the program will crash if this definition were to survive LTO for some reason. pcc: I would terminate this definition in an llvm.trap so that the program will crash if this…
		llvm::CallInst::Create(
		llvm::Intrinsic::getDeclaration(M, llvm::Intrinsic::trap), "", BB);
		llvm::ReturnInst::Create(Ctx, nullptr, BB);
		}

// This function is basically a switch over the CFI failure kind, which is		// This function is basically a switch over the CFI failure kind, which is
// extracted from CFICheckFailData (1st function argument). Each case is either		// extracted from CFICheckFailData (1st function argument). Each case is either
// llvm.trap or a call to one of the two runtime handlers, based on		// llvm.trap or a call to one of the two runtime handlers, based on
// -fsanitize-trap and -fsanitize-recover settings. Default case (invalid		// -fsanitize-trap and -fsanitize-recover settings. Default case (invalid
// failure kind) traps, but this should really never happen. CFICheckFailData		// failure kind) traps, but this should really never happen. CFICheckFailData
// can be nullptr if the calling module has -fsanitize-trap behavior for this		// can be nullptr if the calling module has -fsanitize-trap behavior for this
// check kind; in this case __cfi_check_fail traps as well.		// check kind; in this case __cfi_check_fail traps as well.
void CodeGenFunction::EmitCfiCheckFail() {		void CodeGenFunction::EmitCfiCheckFail() {
▲ Show 20 Lines • Show All 65 Lines • ▼ Show 20 Lines	for (auto CheckKindMaskPair : CheckKinds) {
if (CGM.getLangOpts().Sanitize.has(Mask))		if (CGM.getLangOpts().Sanitize.has(Mask))
EmitCheck(std::make_pair(Cond, Mask), SanitizerHandler::CFICheckFail, {},		EmitCheck(std::make_pair(Cond, Mask), SanitizerHandler::CFICheckFail, {},
{Data, Addr, ValidVtable});		{Data, Addr, ValidVtable});
else		else
EmitTrapCheck(Cond);		EmitTrapCheck(Cond);
}		}

FinishFunction();		FinishFunction();
// The only reference to this function will be created during LTO link.		// The only reference to this function will be created during LTO link.
		pccUnsubmitted Done Reply Inline Actions remove this line pcc: remove this line
// Make sure it survives until then.		// Make sure it survives until then.
CGM.addUsedGlobal(F);		CGM.addUsedGlobal(F);
}		}

void CodeGenFunction::EmitTrapCheck(llvm::Value *Checked) {		void CodeGenFunction::EmitTrapCheck(llvm::Value *Checked) {
llvm::BasicBlock *Cont = createBasicBlock("cont");		llvm::BasicBlock *Cont = createBasicBlock("cont");

// If we're optimizing, collapse all calls to trap down to just one per		// If we're optimizing, collapse all calls to trap down to just one per
▲ Show 20 Lines • Show All 1,599 Lines • Show Last 20 Lines

lib/CodeGen/CodeGenFunction.h

Show First 20 Lines • Show All 3,518 Lines • ▼ Show 20 Lines	public:
/// \brief Create a basic block that will call the trap intrinsic, and emit a		/// \brief Create a basic block that will call the trap intrinsic, and emit a
/// conditional branch to it, for the -ftrapv checks.		/// conditional branch to it, for the -ftrapv checks.
void EmitTrapCheck(llvm::Value *Checked);		void EmitTrapCheck(llvm::Value *Checked);

/// \brief Emit a call to trap or debugtrap and attach function attribute		/// \brief Emit a call to trap or debugtrap and attach function attribute
/// "trap-func-name" if specified.		/// "trap-func-name" if specified.
llvm::CallInst *EmitTrapCall(llvm::Intrinsic::ID IntrID);		llvm::CallInst *EmitTrapCall(llvm::Intrinsic::ID IntrID);

		/// \brief Emit a stub for the cross-DSO CFI check function.
		void EmitCfiCheckStub();

/// \brief Emit a cross-DSO CFI failure handling function.		/// \brief Emit a cross-DSO CFI failure handling function.
void EmitCfiCheckFail();		void EmitCfiCheckFail();

/// \brief Create a check for a function parameter that may potentially be		/// \brief Create a check for a function parameter that may potentially be
/// declared as non-null.		/// declared as non-null.
void EmitNonNullArgCheck(RValue RV, QualType ArgType, SourceLocation ArgLoc,		void EmitNonNullArgCheck(RValue RV, QualType ArgType, SourceLocation ArgLoc,
AbstractCallee AC, unsigned ParmNum);		AbstractCallee AC, unsigned ParmNum);

▲ Show 20 Lines • Show All 300 Lines • Show Last 20 Lines

lib/CodeGen/CodeGenModule.cpp

Show First 20 Lines • Show All 400 Lines • ▼ Show 20 Lines	void CodeGenModule::Release() {
}		}
EmitCtorList(GlobalCtors, "llvm.global_ctors");		EmitCtorList(GlobalCtors, "llvm.global_ctors");
EmitCtorList(GlobalDtors, "llvm.global_dtors");		EmitCtorList(GlobalDtors, "llvm.global_dtors");
EmitGlobalAnnotations();		EmitGlobalAnnotations();
EmitStaticExternCAliases();		EmitStaticExternCAliases();
EmitDeferredUnusedCoverageMappings();		EmitDeferredUnusedCoverageMappings();
if (CoverageMapping)		if (CoverageMapping)
CoverageMapping->emit();		CoverageMapping->emit();
if (CodeGenOpts.SanitizeCfiCrossDso)		if (CodeGenOpts.SanitizeCfiCrossDso) {
CodeGenFunction(*this).EmitCfiCheckFail();		CodeGenFunction(*this).EmitCfiCheckFail();
		CodeGenFunction(*this).EmitCfiCheckStub();
		}
emitAtAvailableLinkGuard();		emitAtAvailableLinkGuard();
emitLLVMUsed();		emitLLVMUsed();
if (SanStats)		if (SanStats)
SanStats->finish();		SanStats->finish();

if (CodeGenOpts.Autolink &&		if (CodeGenOpts.Autolink &&
(Context.getLangOpts().Modules \|\| !LinkerOptionsMetadata.empty())) {		(Context.getLangOpts().Modules \|\| !LinkerOptionsMetadata.empty())) {
EmitModuleLinkOptions();		EmitModuleLinkOptions();
▲ Show 20 Lines • Show All 3,990 Lines • Show Last 20 Lines

test/CodeGen/cfi-check-fail.c

	Show First 20 Lines • Show All 66 Lines • ▼ Show 20 Lines
	// CHECK: br i1 %[[NOT_4]], label %[[CONT5:.]], label %[[HANDLE4:.]], !nosanitize			// CHECK: br i1 %[[NOT_4]], label %[[CONT5:.]], label %[[HANDLE4:.]], !nosanitize

	// CHECK: [[HANDLE4]]:			// CHECK: [[HANDLE4]]:
	// CHECK-NEXT: call void @llvm.trap()			// CHECK-NEXT: call void @llvm.trap()
	// CHECK-NEXT: unreachable			// CHECK-NEXT: unreachable

	// CHECK: [[CONT5]]:			// CHECK: [[CONT5]]:
	// CHECK: ret void			// CHECK: ret void

				// CHECK: define weak void @__cfi_check(i64, i8, i8)
				// CHECK-NOT: }
				// CHECK: call void @llvm.trap()
				// CHECK-NEXT: ret void