This is an archive of the discontinued LLVM Phabricator instance.

Differential D40478

Added control flow architecture protection Flag
ClosedPublic

Authored by oren_ben_simhon on Nov 27 2017, 12:51 AM.

Details

Reviewers
erichkeane
craig.topper
pavel.v.chupin
AndreiGrischenko
DavidKreitzer
pcc
Commits
rG57cc1a5d77d8: Added Control Flow Protection Flag
rL322063: Added Control Flow Protection Flag
rC322063: Added Control Flow Protection Flag
Summary

Instrument control flow is target independent flag that instructs the back-end to instrument control flow mechanisms.
Specifically in X86 this flag will be used to instrument Indirect Branch Tracking instructions.

Diff Detail

Repository
rC Clang

Event Timeline

oren_ben_simhon created this revision.Nov 27 2017, 12:51 AM
craig.topper added inline comments.Nov 29 2017, 12:08 AM
lib/Driver/ToolChains/Clang.cpp
4010

This should probably have a blank line above it. Right now it kinda looks like it goes with the OpenCL code.

oren_ben_simhon updated this revision to Diff 124742.Nov 29 2017, 6:39 AM

Implemented comments posted until 11/29 (Thanks Craig)

oren_ben_simhon marked an inline comment as done.Nov 29 2017, 6:42 AM
pcc added a subscriber: pcc.Nov 30 2017, 12:00 PM
pcc added inline comments.
include/clang/Driver/Options.td
1050

My comments about the attribute name in D40482 also apply to this flag name. GCC appears to have chosen a better name for this flag, -mcet. Can we use that name instead?

oren_ben_simhon added inline comments.Dec 7 2017, 12:52 AM
include/clang/Driver/Options.td
1050

Again, I am sorry for the late response, I was off for about a week.
GCC is only using -mcet as a super set for -mibt and -mshstk. I am planning to add it in a different review.
-mcet/-mibt/-mshstk only enables the HW technology (ISA/Intrinsics).
GCC is using -cf-protection for actually instrumenting the control flow.
I think it will be best to stay coherent with GCC (and ICC and soon MS) and use -cf-protection.
What do you think?

pcc added inline comments.Dec 7 2017, 2:01 PM
include/clang/Driver/Options.td
1050

I see. As far as I can tell, there are no released versions of GCC and ICC with the new flags, so I think there is still a possibility to change them. (MS is a different story, their flags are incompatible anyway.)

I took a closer look at what GCC does, and here are my thoughts:

  • As far as I can tell, IBT does not introduce any new instructions other than ENDBRANCH, and it doesn't seem to make sense for ENDBRANCH to be exposed via intrinsics (but rather via attributes, as you have done). That means that -mibt basically does nothing except for allowing the use of -fcf-protection.
  • SHSTK introduces ISA extensions that seem reasonable to expose via intrinsics, so it would probably be fine to have a -mshstk flag that enables the intrinsics.
  • In GCC, -fcf-protection means "emit code that is compatible with CET" and requires that the user pass -mibt or -mshstk. But the code that it emits is also compatible with non-CET processors, so it doesn't make sense to me to require the use of flags such as -mshstk which imply that SHSTK is required.

As for the name of the flag: there is nothing about the name -fcf-protection that implies hardware-based protection, so the presence of this flag could confuse users who want software-based protection. The hardware-based protection is sort of implied by the requirement to pass -mibt or -mshstk, but that is a little awkward, and I don't think it makes sense either for the reasons I mentioned. What we want is a clear way to say "I want to generate code that is compatible with (but does not require) this hardware feature", but there doesn't seem to be any precedent for how to express that. The most straightforward way to express it is to mention the name of the hardware feature in the flag.

So here are the changes that I would propose across compilers:

  • Remove the -mibt flag.
  • Change the flag that emits ENDBRANCH to something like -mcet-compatible and stop requiring the use of other flags.

Please let me know what you think.

oren_ben_simhon added inline comments.Dec 12 2017, 3:16 AM
include/clang/Driver/Options.td
1050

It is true that -mibt doesn't enable intrinsics however it is required for the case of inline asm.
The code that -cf-protection produce is not always compatible with non-CET processors.
For example, consider the required fix to the shadow stack in the case of setJmp/longJmp.
In that case, we need to use SHSTK instructions (like incssp) that are not compatible.
Would the flag -fcf-arch-protection make more sense (as it implies on HW support)?

oren_ben_simhon added a reviewer: AndreiGrischenko.Dec 12 2017, 3:16 AM
pcc added inline comments.Dec 12 2017, 5:38 PM
include/clang/Driver/Options.td
1050

It is true that -mibt doesn't enable intrinsics however it is required for the case of inline asm.

For enabling ENDBRANCH in inline asm? Would there be any harm in allowing ENDBRANCH unconditionally?

For example, consider the required fix to the shadow stack in the case of setJmp/longJmp.
In that case, we need to use SHSTK instructions (like incssp) that are not compatible.

I don't think that is true. I looked at the code that GCC emits for setjmp and longjmp, and it appears to quite cleverly avoid the need to execute SHSTK-required instructions on older processors by taking advantage of the fact that RDSSP is a NOP on older processors.

With this program:

#include <setjmp.h>

jmp_buf env;
void f() {
  __builtin_setjmp(env);
}

void g() {
  __builtin_longjmp(env, 1);
}

I get this asm for saving the SSP:

	movl	$0, %eax
	rdsspq	%rax
	movq	%rax, env+24(%rip)

and this asm for restoring it:

	movl	$0, %eax
	rdsspq	%rax
	subq	env+24(%rip), %rax
	je	.L5
	negq	%rax
	shrq	$3, %rax
	cmpq	$255, %rax
	jbe	.L6
.L7:
	incsspq	%rax
	subq	$255, %rax
	cmpq	$255, %rax
	ja	.L7
.L6:
	incsspq	%rax
.L5:

So on a non-SHSTK processor, we will store 0 to the slot reserved for SSP during setjmp, and then compare 0 to 0 during longjmp and bypass the entire loop.

Would the flag -fcf-arch-protection make more sense (as it implies on HW support)?

It isn't ideal to me, but it does at least seem better than -fcf-protection.

oren_ben_simhon added a reviewer: DavidKreitzer.Dec 13 2017, 1:37 AM
oren_ben_simhon updated this revision to Diff 126745.Dec 13 2017, 5:49 AM

Implemented some of the comments posted until 12/12 (Thanks Peter)

oren_ben_simhon added inline comments.Dec 13 2017, 6:02 AM
include/clang/Driver/Options.td
1050

You are correct, -mshstk flag should be used only for enabling the intrinsics that are not rdssp.
It shouldn't be a requirement for generating shadow stack fixes. Is that what you meant?

craig.topper edited subscribers, added: cfe-commits; removed: llvm-commits.Dec 13 2017, 9:50 AM
craig.topper added a comment.Dec 13 2017, 9:53 AM

-mibt isn't required for inline assembly, There's no AssemblePredicate defined with HasIBT in X86InstrInfo.td. We don't normally do fine grained assembler feature enabling so I believe we should always support it.

pcc added inline comments.Dec 13 2017, 9:55 AM
include/clang/Driver/Options.td
1050

Yes, exactly.

craig.topper added inline comments.Dec 13 2017, 12:29 PM
include/clang/Driver/Options.td
1050

I think the rdssp is a nop on older Intel processors, but its hard to say for sure. Older instruction manuals(I checked a 2001 version I had on my bookshelf) from Intel don't list anything in the opcode map for those instruction encodings. There are also other vendors that have made X86 CPUs that may not have implemented them as NOPs since they were undocumented. The "cleverness" is really there for CPUs that support CET instructions, but do not have OS support enabled via CR4.

oren_ben_simhon marked an inline comment as done.Dec 14 2017, 12:09 PM
oren_ben_simhon updated this revision to Diff 127008.Dec 14 2017, 12:12 PM

Implemented all comments posted until 12/14 (Thanks Peter)

oren_ben_simhon retitled this revision from Added Instrument Control Flow Flag to Added control flow architecture protection Flag.Dec 14 2017, 12:12 PM
oren_ben_simhon added a comment.Dec 17 2017, 6:10 AM

-mibt is currently in discussions with other compilers, any change will be uploaded to a different review.
If you have more comments i will appreciate it.

craig.topper added inline comments.Dec 18 2017, 1:13 PM
lib/CodeGen/CGCall.cpp
1737 ↗(On Diff #127008)

If the command line option is intended to be target independent, shouldn't these generically named?

lib/CodeGen/CodeGenFunction.cpp
890–891

Why this change?

oren_ben_simhon marked an inline comment as done.Dec 19 2017, 12:44 PM
oren_ben_simhon added inline comments.
lib/CodeGen/CodeGenFunction.cpp
890–891

Apparently, some compilers do strange optimizations on bit structures (like CodeGenOptions) that cause this code to be compiled wrongly.
I encountered this issue when i added a new Code Gen Option and compiled clang in windows.
In order to overcome this issue, i changed a bit the code and the wrong optimization didn't occur.

oren_ben_simhon updated this revision to Diff 127590.Dec 19 2017, 12:46 PM
oren_ben_simhon added a reviewer: pcc.

Implemented comments posted until 12/19 (Thanks Craig)

oren_ben_simhon added a comment.Dec 21 2017, 12:00 AM

ping

craig.topper added a comment.Dec 21 2017, 10:12 AM

Are we sure we want a different command line option name from gcc? From our internal conversations with the gcc folks I thought they were suggesting that -fcf-protection could imply a software mechanism if a hardware mechanism was not available thorugh -mibt or -march?

Should we emit an error to the user if -mibt isn't available? We should be able to add virtual methods on TargetInfo that X86 can customize to check for ibt and shstk.

Can you provide more information about the miscompile on MSVC? I think we should do more to understand that, this sounds like it could be a time bomb waiting to fail somewhere else.

oren_ben_simhon added a comment.Dec 25 2017, 6:28 AM
In D40478#962348, @craig.topper wrote:

Are we sure we want a different command line option name from gcc? From our internal conversations with the gcc folks I thought they were suggesting that -fcf-protection could imply a software mechanism if a hardware mechanism was not available thorugh -mibt or -march?

Should we emit an error to the user if -mibt isn't available? We should be able to add virtual methods on TargetInfo that X86 can customize to check for ibt and shstk.

Can you provide more information about the miscompile on MSVC? I think we should do more to understand that, this sounds like it could be a time bomb waiting to fail somewhere else.

LLVM already has a flag for SW mechanisms "-sanitize=*". Anyway I believe that GCC and LLVM should agree first before i change it. I restored cf-protection and will create a new patch review after an agreement with GCC will be made.

I added an error message.

I currently don't have more information. After seeing the issue I workaround it. I prefer not to open MSVC miscompilation issue in this code review and investigate it on a different thread.

oren_ben_simhon updated this revision to Diff 128141.Dec 25 2017, 6:33 AM

Implemented comments posted until 12/24 (Thanks Craig)
Moved cf-protection attributes from function attributes to module attributes.

oren_ben_simhon updated this revision to Diff 128143.Dec 25 2017, 6:42 AM

Reverted clang-format whitespaces updates

craig.topper added inline comments.Jan 3 2018, 10:45 AM
lib/CodeGen/CodeGenModule.cpp
506

Should we still be adding the module flag if the target says its not supported?

oren_ben_simhon updated this revision to Diff 128601.Jan 4 2018, 1:06 AM
oren_ben_simhon marked an inline comment as done.

Implemented comments posted until 01/04 (Thanks Craig)

craig.topper accepted this revision.Jan 4 2018, 12:20 PM

LGTM

This revision is now accepted and ready to land.Jan 4 2018, 12:20 PM
Closed by commit rC322063: Added Control Flow Protection Flag (authored by orenb). · Explain WhyJan 9 2018, 12:55 AM
This revision was automatically updated to reflect the committed changes.
alexfh added a subscriber: alexfh.Jan 9 2018, 6:36 AM
alexfh added inline comments.
test/CodeGen/x86-cf-protection.c
1

Any reason this test runs clang with "-S" and "-emit-llvm"? Neither of those seems to be needed for the actual checks being made below.

oren_ben_simhon added inline comments.Jan 9 2018, 6:56 AM
test/CodeGen/x86-cf-protection.c
1

I agree that -emit-llvm is redundant for the test checks. Without -S the command has no output on stdout or stderr. So the run fails and doesn't execute.

alexfh added inline comments.Jan 9 2018, 7:06 AM
test/CodeGen/x86-cf-protection.c
1

The specific problem I've stumbled upon is that the test fails when the source file is on a read-only partition:

[3250/3251] Running the Clang regression tests    
llvm-lit: /src/utils/lit/lit/llvm/config.py:334: note: using clang: /build/bin/clang
FAIL: Clang :: CodeGen/x86-cf-protection.c (2485 of 11862)
******************** TEST 'Clang :: CodeGen/x86-cf-protection.c' FAILED ********************
Script:                                           
--                                                
not /build/bin/clang -cc1 -internal-isystem /build/lib/clang/7.0.0/include -nostdsysteminc -fsyntax-only -S -emit-llvm -triple i386-unknown-unknown -fcf-protection=return /src/tools/clang/test/CodeGen/x86-cf-protection.c 2>&1 | /build/bin/FileCheck /src/tools/clang/test/CodeGen/x86
-cf-protection.c --check-prefix=RETURN            
not /build/bin/clang -cc1 -internal-isystem /build/lib/clang/7.0.0/include -nostdsysteminc -fsyntax-only -S -emit-llvm -triple i386-unknown-unknown -fcf-protection=branch /src/tools/clang/test/CodeGen/x86-cf-protection.c 2>&1 | /build/bin/FileCheck /src/tools/clang/test/CodeGen/x86
-cf-protection.c --check-prefix=BRANCH            
--                                                
Exit Code: 1                                      
                                                  
Command Output (stderr):                          
--                                                
/src/tools/clang/test/CodeGen/x86-cf-protection.c:4:12: error: expected string not found in input
// RETURN: error: option 'cf-protection=return' cannot be specified without '-mshstk'
           ^                                      
<stdin>:1:1: note: scanning from here             
error: unable to open output file '': 'Read-only file system'
^                                                 
                                                  
--

Adding -o %t solves the problem (r322082).

oren_ben_simhon marked an inline comment as done.Jan 9 2018, 7:38 AM
oren_ben_simhon added inline comments.
test/CodeGen/x86-cf-protection.c
1

I see. Thanks for the fix.

Revision Contents

PathSize
include/
clang/
Basic/
2 lines
12 lines
Driver/
5 lines
Frontend/
5 lines
lib/
Basic/
Targets/
6 lines
20 lines
CodeGen/
3 lines
14 lines
Driver/
ToolChains/
5 lines
Frontend/
15 lines
test/
CodeGen/
6 lines
Driver/
14 lines

Diff 129041

include/clang/Basic/DiagnosticCommonKinds.td

Show First 20 LinesShow All 197 Lines▼ Show 20 Lines
def err_target_unsupported_fpmath : Error< def err_target_unsupported_fpmath : Error<
"the '%0' unit is not supported with this instruction set">; "the '%0' unit is not supported with this instruction set">;
def err_target_unsupported_unaligned : Error< def err_target_unsupported_unaligned : Error<
"the %0 sub-architecture does not support unaligned accesses">; "the %0 sub-architecture does not support unaligned accesses">;
def err_target_unsupported_execute_only : Error< def err_target_unsupported_execute_only : Error<
"execute only is not supported for the %0 sub-architecture">; "execute only is not supported for the %0 sub-architecture">;
def err_opt_not_valid_with_opt : Error< def err_opt_not_valid_with_opt : Error<
"option '%0' cannot be specified with '%1'">; "option '%0' cannot be specified with '%1'">;
def err_opt_not_valid_without_opt : Error<
"option '%0' cannot be specified without '%1'">;
// Source manager // Source manager
def err_cannot_open_file : Error<"cannot open file '%0': %1">, DefaultFatal; def err_cannot_open_file : Error<"cannot open file '%0': %1">, DefaultFatal;
def err_file_modified : Error< def err_file_modified : Error<
"file '%0' modified since it was first processed">, DefaultFatal; "file '%0' modified since it was first processed">, DefaultFatal;
def err_unsupported_bom : Error<"%0 byte order mark detected in '%1', but " def err_unsupported_bom : Error<"%0 byte order mark detected in '%1', but "
"encoding is not supported">, DefaultFatal; "encoding is not supported">, DefaultFatal;
def err_unable_to_rename_temp : Error< def err_unable_to_rename_temp : Error<
Show All 22 Lines

include/clang/Basic/TargetInfo.h

Show First 20 LinesShow All 1,045 Lines▼ Show 20 Linespublic:
} }
/// Controls if __builtin_longjmp / __builtin_setjmp can be lowered to /// Controls if __builtin_longjmp / __builtin_setjmp can be lowered to
/// llvm.eh.sjlj.longjmp / llvm.eh.sjlj.setjmp. /// llvm.eh.sjlj.longjmp / llvm.eh.sjlj.setjmp.
virtual bool hasSjLjLowering() const { virtual bool hasSjLjLowering() const {
return false; return false;
} }
/// Check if the target supports CFProtection branch.
virtual bool
checkCFProtectionBranchSupported(DiagnosticsEngine &Diags) const {
return false;
}
/// Check if the target supports CFProtection branch.
virtual bool
checkCFProtectionReturnSupported(DiagnosticsEngine &Diags) const {
return false;
}
/// \brief Whether target allows to overalign ABI-specified preferred alignment /// \brief Whether target allows to overalign ABI-specified preferred alignment
virtual bool allowsLargerPreferedTypeAlignment() const { return true; } virtual bool allowsLargerPreferedTypeAlignment() const { return true; }
/// \brief Set supported OpenCL extensions and optional core features. /// \brief Set supported OpenCL extensions and optional core features.
virtual void setSupportedOpenCLOpts() {} virtual void setSupportedOpenCLOpts() {}
/// \brief Set supported OpenCL extensions as written on command line /// \brief Set supported OpenCL extensions as written on command line
virtual void setOpenCLExtensionOpts() { virtual void setOpenCLExtensionOpts() {
▲ Show 20 LinesShow All 69 LinesShow Last 20 Lines

include/clang/Driver/Options.td

Show First 20 LinesShow All 1,036 Lines▼ Show 20 Lines
def finput_charset_EQ : Joined<["-"], "finput-charset=">, Group<f_Group>; def finput_charset_EQ : Joined<["-"], "finput-charset=">, Group<f_Group>;
def fexec_charset_EQ : Joined<["-"], "fexec-charset=">, Group<f_Group>; def fexec_charset_EQ : Joined<["-"], "fexec-charset=">, Group<f_Group>;
def finstrument_functions : Flag<["-"], "finstrument-functions">, Group<f_Group>, Flags<[CC1Option]>, def finstrument_functions : Flag<["-"], "finstrument-functions">, Group<f_Group>, Flags<[CC1Option]>,
HelpText<"Generate calls to instrument function entry and exit">; HelpText<"Generate calls to instrument function entry and exit">;
def finstrument_functions_after_inlining : Flag<["-"], "finstrument-functions-after-inlining">, Group<f_Group>, Flags<[CC1Option]>, def finstrument_functions_after_inlining : Flag<["-"], "finstrument-functions-after-inlining">, Group<f_Group>, Flags<[CC1Option]>,
HelpText<"Like -finstrument-functions, but insert the calls after inlining">; HelpText<"Like -finstrument-functions, but insert the calls after inlining">;
def finstrument_function_entry_bare : Flag<["-"], "finstrument-function-entry-bare">, Group<f_Group>, Flags<[CC1Option]>, def finstrument_function_entry_bare : Flag<["-"], "finstrument-function-entry-bare">, Group<f_Group>, Flags<[CC1Option]>,
HelpText<"Instrument function entry only, after inlining, without arguments to the instrumentation call">; HelpText<"Instrument function entry only, after inlining, without arguments to the instrumentation call">;
def fcf_protection_EQ : Joined<["-"], "fcf-protection=">, Flags<[CoreOption, CC1Option]>, Group<f_Group>,
HelpText<"Instrument control-flow architecture protection. Options: return, branch, full, none.">, Values<"return,branch,full,none">;
def fcf_protection : Flag<["-"], "fcf-protection">, Group<f_Group>, Flags<[CoreOption, CC1Option]>,
Alias<fcf_protection_EQ>, AliasArgs<["full"]>,
HelpText<"Enable cf-protection in 'full' mode">;
pccUnsubmitted
Not Done
ReplyInline Actions

My comments about the attribute name in D40482 also apply to this flag name. GCC appears to have chosen a better name for this flag, -mcet. Can we use that name instead?

pcc: My comments about the attribute name in D40482 also apply to this flag name. GCC appears to…
oren_ben_simhonAuthorUnsubmitted
Not Done
ReplyInline Actions

Again, I am sorry for the late response, I was off for about a week.
GCC is only using -mcet as a super set for -mibt and -mshstk. I am planning to add it in a different review.
-mcet/-mibt/-mshstk only enables the HW technology (ISA/Intrinsics).
GCC is using -cf-protection for actually instrumenting the control flow.
I think it will be best to stay coherent with GCC (and ICC and soon MS) and use -cf-protection.
What do you think?

oren_ben_simhon: Again, I am sorry for the late response, I was off for about a week. GCC is only using -mcet as…
pccUnsubmitted
Not Done
ReplyInline Actions

I see. As far as I can tell, there are no released versions of GCC and ICC with the new flags, so I think there is still a possibility to change them. (MS is a different story, their flags are incompatible anyway.)

I took a closer look at what GCC does, and here are my thoughts:

  • As far as I can tell, IBT does not introduce any new instructions other than ENDBRANCH, and it doesn't seem to make sense for ENDBRANCH to be exposed via intrinsics (but rather via attributes, as you have done). That means that -mibt basically does nothing except for allowing the use of -fcf-protection.
  • SHSTK introduces ISA extensions that seem reasonable to expose via intrinsics, so it would probably be fine to have a -mshstk flag that enables the intrinsics.
  • In GCC, -fcf-protection means "emit code that is compatible with CET" and requires that the user pass -mibt or -mshstk. But the code that it emits is also compatible with non-CET processors, so it doesn't make sense to me to require the use of flags such as -mshstk which imply that SHSTK is required.

As for the name of the flag: there is nothing about the name -fcf-protection that implies hardware-based protection, so the presence of this flag could confuse users who want software-based protection. The hardware-based protection is sort of implied by the requirement to pass -mibt or -mshstk, but that is a little awkward, and I don't think it makes sense either for the reasons I mentioned. What we want is a clear way to say "I want to generate code that is compatible with (but does not require) this hardware feature", but there doesn't seem to be any precedent for how to express that. The most straightforward way to express it is to mention the name of the hardware feature in the flag.

So here are the changes that I would propose across compilers:

  • Remove the -mibt flag.
  • Change the flag that emits ENDBRANCH to something like -mcet-compatible and stop requiring the use of other flags.

Please let me know what you think.

pcc: I see. As far as I can tell, there are no released versions of GCC and ICC with the new flags…
oren_ben_simhonAuthorUnsubmitted
Not Done
ReplyInline Actions

It is true that -mibt doesn't enable intrinsics however it is required for the case of inline asm.
The code that -cf-protection produce is not always compatible with non-CET processors.
For example, consider the required fix to the shadow stack in the case of setJmp/longJmp.
In that case, we need to use SHSTK instructions (like incssp) that are not compatible.
Would the flag -fcf-arch-protection make more sense (as it implies on HW support)?

oren_ben_simhon: It is true that -mibt doesn't enable intrinsics however it is required for the case of inline…
pccUnsubmitted
Done
ReplyInline Actions

It is true that -mibt doesn't enable intrinsics however it is required for the case of inline asm.

For enabling ENDBRANCH in inline asm? Would there be any harm in allowing ENDBRANCH unconditionally?

For example, consider the required fix to the shadow stack in the case of setJmp/longJmp.
In that case, we need to use SHSTK instructions (like incssp) that are not compatible.

I don't think that is true. I looked at the code that GCC emits for setjmp and longjmp, and it appears to quite cleverly avoid the need to execute SHSTK-required instructions on older processors by taking advantage of the fact that RDSSP is a NOP on older processors.

With this program:

#include <setjmp.h>

jmp_buf env;
void f() {
  __builtin_setjmp(env);
}

void g() {
  __builtin_longjmp(env, 1);
}

I get this asm for saving the SSP:

	movl	$0, %eax
	rdsspq	%rax
	movq	%rax, env+24(%rip)

and this asm for restoring it:

	movl	$0, %eax
	rdsspq	%rax
	subq	env+24(%rip), %rax
	je	.L5
	negq	%rax
	shrq	$3, %rax
	cmpq	$255, %rax
	jbe	.L6
.L7:
	incsspq	%rax
	subq	$255, %rax
	cmpq	$255, %rax
	ja	.L7
.L6:
	incsspq	%rax
.L5:

So on a non-SHSTK processor, we will store 0 to the slot reserved for SSP during setjmp, and then compare 0 to 0 during longjmp and bypass the entire loop.

Would the flag -fcf-arch-protection make more sense (as it implies on HW support)?

It isn't ideal to me, but it does at least seem better than -fcf-protection.

pcc: > It is true that -mibt doesn't enable intrinsics however it is required for the case of inline…
oren_ben_simhonAuthorUnsubmitted
Not Done
ReplyInline Actions

You are correct, -mshstk flag should be used only for enabling the intrinsics that are not rdssp.
It shouldn't be a requirement for generating shadow stack fixes. Is that what you meant?

oren_ben_simhon: You are correct, -mshstk flag should be used only for enabling the intrinsics that are not…
pccUnsubmitted
Not Done
ReplyInline Actions

Yes, exactly.

pcc: Yes, exactly.
craig.topperUnsubmitted
Not Done
ReplyInline Actions

I think the rdssp is a nop on older Intel processors, but its hard to say for sure. Older instruction manuals(I checked a 2001 version I had on my bookshelf) from Intel don't list anything in the opcode map for those instruction encodings. There are also other vendors that have made X86 CPUs that may not have implemented them as NOPs since they were undocumented. The "cleverness" is really there for CPUs that support CET instructions, but do not have OS support enabled via CR4.

craig.topper: I think the rdssp is a nop on older Intel processors, but its hard to say for sure. Older…
def fxray_instrument : Flag<["-"], "fxray-instrument">, Group<f_Group>, def fxray_instrument : Flag<["-"], "fxray-instrument">, Group<f_Group>,
Flags<[CC1Option]>, Flags<[CC1Option]>,
HelpText<"Generate XRay instrumentation sleds on function entry and exit">; HelpText<"Generate XRay instrumentation sleds on function entry and exit">;
def fnoxray_instrument : Flag<["-"], "fno-xray-instrument">, Group<f_Group>, def fnoxray_instrument : Flag<["-"], "fno-xray-instrument">, Group<f_Group>,
Flags<[CC1Option]>; Flags<[CC1Option]>;
def fxray_instruction_threshold_EQ : def fxray_instruction_threshold_EQ :
JoinedOrSeparate<["-"], "fxray-instruction-threshold=">, JoinedOrSeparate<["-"], "fxray-instruction-threshold=">,
▲ Show 20 LinesShow All 1,738 LinesShow Last 20 Lines

include/clang/Frontend/CodeGenOptions.def

Show First 20 LinesShow All 74 Lines▼ Show 20 LinesCODEGENOPT(ForbidGuardVariables , 1, 0) ///< Issue errors if C++ guard variables
///< are required. ///< are required.
CODEGENOPT(FunctionSections , 1, 0) ///< Set when -ffunction-sections is enabled. CODEGENOPT(FunctionSections , 1, 0) ///< Set when -ffunction-sections is enabled.
CODEGENOPT(InstrumentFunctions , 1, 0) ///< Set when -finstrument-functions is CODEGENOPT(InstrumentFunctions , 1, 0) ///< Set when -finstrument-functions is
///< enabled. ///< enabled.
CODEGENOPT(InstrumentFunctionsAfterInlining , 1, 0) ///< Set when CODEGENOPT(InstrumentFunctionsAfterInlining , 1, 0) ///< Set when
///< -finstrument-functions-after-inlining is enabled. ///< -finstrument-functions-after-inlining is enabled.
CODEGENOPT(InstrumentFunctionEntryBare , 1, 0) ///< Set when CODEGENOPT(InstrumentFunctionEntryBare , 1, 0) ///< Set when
///< -finstrument-function-entry-bare is enabled. ///< -finstrument-function-entry-bare is enabled.
CODEGENOPT(CFProtectionReturn , 1, 0) ///< if -fcf-protection is
///< set to full or return.
CODEGENOPT(CFProtectionBranch , 1, 0) ///< if -fcf-protection is
///< set to full or branch.
CODEGENOPT(XRayInstrumentFunctions , 1, 0) ///< Set when -fxray-instrument is CODEGENOPT(XRayInstrumentFunctions , 1, 0) ///< Set when -fxray-instrument is
///< enabled. ///< enabled.
CODEGENOPT(StackSizeSection , 1, 0) ///< Set when -fstack-size-section is enabled. CODEGENOPT(StackSizeSection , 1, 0) ///< Set when -fstack-size-section is enabled.
///< Set when -fxray-always-emit-customevents is enabled. ///< Set when -fxray-always-emit-customevents is enabled.
CODEGENOPT(XRayAlwaysEmitCustomEvents , 1, 0) CODEGENOPT(XRayAlwaysEmitCustomEvents , 1, 0)
///< Set the minimum number of instructions in a function to determine selective ///< Set the minimum number of instructions in a function to determine selective
▲ Show 20 LinesShow All 224 LinesShow Last 20 Lines

lib/Basic/Targets/X86.h

Show First 20 LinesShow All 152 Lines▼ Show 20 Lines bool validateGlobalRegisterVariable(StringRef RegName, unsigned RegSize,
return false; return false;
} }
bool validateOutputSize(StringRef Constraint, unsigned Size) const override; bool validateOutputSize(StringRef Constraint, unsigned Size) const override;
bool validateInputSize(StringRef Constraint, unsigned Size) const override; bool validateInputSize(StringRef Constraint, unsigned Size) const override;
virtual bool
checkCFProtectionReturnSupported(DiagnosticsEngine &Diags) const override;
virtual bool
checkCFProtectionBranchSupported(DiagnosticsEngine &Diags) const override;
virtual bool validateOperandSize(StringRef Constraint, unsigned Size) const; virtual bool validateOperandSize(StringRef Constraint, unsigned Size) const;
std::string convertConstraint(const char *&Constraint) const override; std::string convertConstraint(const char *&Constraint) const override;
const char *getClobbers() const override { const char *getClobbers() const override {
return "~{dirflag},~{fpsr},~{flags}"; return "~{dirflag},~{fpsr},~{flags}";
} }
StringRef getConstraintRegister(const StringRef &Constraint, StringRef getConstraintRegister(const StringRef &Constraint,
▲ Show 20 LinesShow All 646 LinesShow Last 20 Lines

lib/Basic/Targets/X86.cpp

Show First 20 LinesShow All 95 Lines▼ Show 20 Linesbool X86TargetInfo::setFPMath(StringRef Name) {
} }
if (Name == "sse") { if (Name == "sse") {
FPMath = FP_SSE; FPMath = FP_SSE;
return true; return true;
} }
return false; return false;
} }
bool X86TargetInfo::checkCFProtectionReturnSupported(
DiagnosticsEngine &Diags) const {
if (HasSHSTK)
return true;
Diags.Report(diag::err_opt_not_valid_without_opt) << "cf-protection=return"
<< "-mshstk";
return false;
}
bool X86TargetInfo::checkCFProtectionBranchSupported(
DiagnosticsEngine &Diags) const {
if (HasIBT)
return true;
Diags.Report(diag::err_opt_not_valid_without_opt) << "cf-protection=branch"
<< "-mibt";
return false;
}
bool X86TargetInfo::initFeatureMap( bool X86TargetInfo::initFeatureMap(
llvm::StringMap<bool> &Features, DiagnosticsEngine &Diags, StringRef CPU, llvm::StringMap<bool> &Features, DiagnosticsEngine &Diags, StringRef CPU,
const std::vector<std::string> &FeaturesVec) const { const std::vector<std::string> &FeaturesVec) const {
// FIXME: This *really* should not be here. // FIXME: This *really* should not be here.
// X86_64 always has SSE2. // X86_64 always has SSE2.
if (getTriple().getArch() == llvm::Triple::x86_64) if (getTriple().getArch() == llvm::Triple::x86_64)
setFeatureEnabledImpl(Features, "sse2", true); setFeatureEnabledImpl(Features, "sse2", true);
▲ Show 20 LinesShow All 1,539 LinesShow Last 20 Lines

lib/CodeGen/CodeGenFunction.cpp

Show First 20 LinesShow All 881 Lines▼ Show 20 Lines#undef SANITIZER
// from void* to T* before object initialization completes. Don't match on the // from void* to T* before object initialization completes. Don't match on the
// namespace because not all allocators are in std:: // namespace because not all allocators are in std::
if (D && SanOpts.has(SanitizerKind::CFIUnrelatedCast)) { if (D && SanOpts.has(SanitizerKind::CFIUnrelatedCast)) {
if (matchesStlAllocatorFn(D, getContext())) if (matchesStlAllocatorFn(D, getContext()))
SanOpts.Mask &= ~SanitizerKind::CFIUnrelatedCast; SanOpts.Mask &= ~SanitizerKind::CFIUnrelatedCast;
} }
// Apply xray attributes to the function (as a string, for now) // Apply xray attributes to the function (as a string, for now)
if (D && ShouldXRayInstrumentFunction()) { bool InstrumentXray = ShouldXRayInstrumentFunction();
if (D && InstrumentXray) {
craig.topperUnsubmitted
Not Done
ReplyInline Actions

Why this change?

craig.topper: Why this change?
oren_ben_simhonAuthorUnsubmitted
Not Done
ReplyInline Actions

Apparently, some compilers do strange optimizations on bit structures (like CodeGenOptions) that cause this code to be compiled wrongly.
I encountered this issue when i added a new Code Gen Option and compiled clang in windows.
In order to overcome this issue, i changed a bit the code and the wrong optimization didn't occur.

oren_ben_simhon: Apparently, some compilers do strange optimizations on bit structures (like CodeGenOptions)…
if (const auto *XRayAttr = D->getAttr<XRayInstrumentAttr>()) { if (const auto *XRayAttr = D->getAttr<XRayInstrumentAttr>()) {
if (XRayAttr->alwaysXRayInstrument()) if (XRayAttr->alwaysXRayInstrument())
Fn->addFnAttr("function-instrument", "xray-always"); Fn->addFnAttr("function-instrument", "xray-always");
if (XRayAttr->neverXRayInstrument()) if (XRayAttr->neverXRayInstrument())
Fn->addFnAttr("function-instrument", "xray-never"); Fn->addFnAttr("function-instrument", "xray-never");
if (const auto *LogArgs = D->getAttr<XRayLogArgsAttr>()) { if (const auto *LogArgs = D->getAttr<XRayLogArgsAttr>()) {
Fn->addFnAttr("xray-log-args", Fn->addFnAttr("xray-log-args",
llvm::utostr(LogArgs->getArgumentCount())); llvm::utostr(LogArgs->getArgumentCount()));
▲ Show 20 LinesShow All 1,469 LinesShow Last 20 Lines

lib/CodeGen/CodeGenModule.cpp

Show First 20 LinesShow All 496 Lines▼ Show 20 Lines if ( Arch == llvm::Triple::arm
getModule().addModuleFlag(llvm::Module::Error, "min_enum_size", EnumWidth); getModule().addModuleFlag(llvm::Module::Error, "min_enum_size", EnumWidth);
} }
if (CodeGenOpts.SanitizeCfiCrossDso) { if (CodeGenOpts.SanitizeCfiCrossDso) {
// Indicate that we want cross-DSO control flow integrity checks. // Indicate that we want cross-DSO control flow integrity checks.
getModule().addModuleFlag(llvm::Module::Override, "Cross-DSO CFI", 1); getModule().addModuleFlag(llvm::Module::Override, "Cross-DSO CFI", 1);
} }
if (CodeGenOpts.CFProtectionReturn &&
Target.checkCFProtectionReturnSupported(getDiags())) {
craig.topperUnsubmitted
Done
ReplyInline Actions

Should we still be adding the module flag if the target says its not supported?

craig.topper: Should we still be adding the module flag if the target says its not supported?
// Indicate that we want to instrument return control flow protection.
getModule().addModuleFlag(llvm::Module::Override, "cf-protection-return",
1);
}
if (CodeGenOpts.CFProtectionBranch &&
Target.checkCFProtectionBranchSupported(getDiags())) {
// Indicate that we want to instrument branch control flow protection.
getModule().addModuleFlag(llvm::Module::Override, "cf-protection-branch",
1);
}
if (LangOpts.CUDAIsDevice && getTriple().isNVPTX()) { if (LangOpts.CUDAIsDevice && getTriple().isNVPTX()) {
// Indicate whether __nvvm_reflect should be configured to flush denormal // Indicate whether __nvvm_reflect should be configured to flush denormal
// floating point values to 0. (This corresponds to its "__CUDA_FTZ" // floating point values to 0. (This corresponds to its "__CUDA_FTZ"
// property.) // property.)
getModule().addModuleFlag(llvm::Module::Override, "nvvm-reflect-ftz", getModule().addModuleFlag(llvm::Module::Override, "nvvm-reflect-ftz",
LangOpts.CUDADeviceFlushDenormalsToZero ? 1 : 0); LangOpts.CUDADeviceFlushDenormalsToZero ? 1 : 0);
} }
▲ Show 20 LinesShow All 4,340 LinesShow Last 20 Lines

lib/Driver/ToolChains/Clang.cpp

Show First 20 LinesShow All 4,001 Lines▼ Show 20 Lines if (A->getOption().matches(options::OPT_mrestrict_it)) {
Triple.getArch() == llvm::Triple::thumb)) { Triple.getArch() == llvm::Triple::thumb)) {
// Windows on ARM expects restricted IT blocks // Windows on ARM expects restricted IT blocks
CmdArgs.push_back("-backend-option"); CmdArgs.push_back("-backend-option");
CmdArgs.push_back("-arm-restrict-it"); CmdArgs.push_back("-arm-restrict-it");
} }
// Forward -cl options to -cc1 // Forward -cl options to -cc1
RenderOpenCLOptions(Args, CmdArgs); RenderOpenCLOptions(Args, CmdArgs);
craig.topperUnsubmitted
Done
ReplyInline Actions

This should probably have a blank line above it. Right now it kinda looks like it goes with the OpenCL code.

craig.topper: This should probably have a blank line above it. Right now it kinda looks like it goes with the…
if (Arg *A = Args.getLastArg(options::OPT_fcf_protection_EQ)) {
CmdArgs.push_back(
Args.MakeArgString(Twine("-fcf-protection=") + A->getValue()));
}
// Forward -f options with positive and negative forms; we translate // Forward -f options with positive and negative forms; we translate
// these by hand. // these by hand.
if (Arg *A = getLastProfileSampleUseArg(Args)) { if (Arg *A = getLastProfileSampleUseArg(Args)) {
StringRef fname = A->getValue(); StringRef fname = A->getValue();
if (!llvm::sys::fs::exists(fname)) if (!llvm::sys::fs::exists(fname))
D.Diag(diag::err_drv_no_such_file) << fname; D.Diag(diag::err_drv_no_such_file) << fname;
else else
A->render(Args, CmdArgs); A->render(Args, CmdArgs);
▲ Show 20 LinesShow All 1,465 LinesShow Last 20 Lines

lib/Frontend/CompilerInvocation.cpp

Show First 20 LinesShow All 792 Lines▼ Show 20 Linesstatic bool ParseCodeGenArgs(CodeGenOptions &Opts, ArgList &Args, InputKind IK,
Opts.XRayAlwaysEmitCustomEvents = Opts.XRayAlwaysEmitCustomEvents =
Args.hasArg(OPT_fxray_always_emit_customevents); Args.hasArg(OPT_fxray_always_emit_customevents);
Opts.XRayInstructionThreshold = Opts.XRayInstructionThreshold =
getLastArgIntValue(Args, OPT_fxray_instruction_threshold_EQ, 200, Diags); getLastArgIntValue(Args, OPT_fxray_instruction_threshold_EQ, 200, Diags);
Opts.InstrumentForProfiling = Args.hasArg(OPT_pg); Opts.InstrumentForProfiling = Args.hasArg(OPT_pg);
Opts.CallFEntry = Args.hasArg(OPT_mfentry); Opts.CallFEntry = Args.hasArg(OPT_mfentry);
Opts.EmitOpenCLArgMetadata = Args.hasArg(OPT_cl_kernel_arg_info); Opts.EmitOpenCLArgMetadata = Args.hasArg(OPT_cl_kernel_arg_info);
if (const Arg *A = Args.getLastArg(OPT_fcf_protection_EQ)) {
StringRef Name = A->getValue();
if (Name == "full") {
Opts.CFProtectionReturn = 1;
Opts.CFProtectionBranch = 1;
} else if (Name == "return")
Opts.CFProtectionReturn = 1;
else if (Name == "branch")
Opts.CFProtectionBranch = 1;
else if (Name != "none") {
Diags.Report(diag::err_drv_invalid_value) << A->getAsString(Args) << Name;
Success = false;
}
}
if (const Arg *A = Args.getLastArg(OPT_compress_debug_sections, if (const Arg *A = Args.getLastArg(OPT_compress_debug_sections,
OPT_compress_debug_sections_EQ)) { OPT_compress_debug_sections_EQ)) {
if (A->getOption().getID() == OPT_compress_debug_sections) { if (A->getOption().getID() == OPT_compress_debug_sections) {
// TODO: be more clever about the compression type auto-detection // TODO: be more clever about the compression type auto-detection
Opts.setCompressDebugSections(llvm::DebugCompressionType::GNU); Opts.setCompressDebugSections(llvm::DebugCompressionType::GNU);
} else { } else {
auto DCT = llvm::StringSwitch<llvm::DebugCompressionType>(A->getValue()) auto DCT = llvm::StringSwitch<llvm::DebugCompressionType>(A->getValue())
.Case("none", llvm::DebugCompressionType::None) .Case("none", llvm::DebugCompressionType::None)
▲ Show 20 LinesShow All 2,207 LinesShow Last 20 Lines

test/CodeGen/x86-cf-protection.c

// RUN: not %clang_cc1 -fsyntax-only -S -emit-llvm -triple i386-unknown-unknown -fcf-protection=return %s 2>&1 | FileCheck %s --check-prefix=RETURN
alexfhUnsubmitted
Not Done
ReplyInline Actions

Any reason this test runs clang with "-S" and "-emit-llvm"? Neither of those seems to be needed for the actual checks being made below.

alexfh: Any reason this test runs clang with "-S" and "-emit-llvm"? Neither of those seems to be needed…
oren_ben_simhonAuthorUnsubmitted
Not Done
ReplyInline Actions

I agree that -emit-llvm is redundant for the test checks. Without -S the command has no output on stdout or stderr. So the run fails and doesn't execute.

oren_ben_simhon: I agree that -emit-llvm is redundant for the test checks. Without -S the command has no output…
alexfhUnsubmitted
Not Done
ReplyInline Actions

The specific problem I've stumbled upon is that the test fails when the source file is on a read-only partition:

[3250/3251] Running the Clang regression tests    
llvm-lit: /src/utils/lit/lit/llvm/config.py:334: note: using clang: /build/bin/clang
FAIL: Clang :: CodeGen/x86-cf-protection.c (2485 of 11862)
******************** TEST 'Clang :: CodeGen/x86-cf-protection.c' FAILED ********************
Script:                                           
--                                                
not /build/bin/clang -cc1 -internal-isystem /build/lib/clang/7.0.0/include -nostdsysteminc -fsyntax-only -S -emit-llvm -triple i386-unknown-unknown -fcf-protection=return /src/tools/clang/test/CodeGen/x86-cf-protection.c 2>&1 | /build/bin/FileCheck /src/tools/clang/test/CodeGen/x86
-cf-protection.c --check-prefix=RETURN            
not /build/bin/clang -cc1 -internal-isystem /build/lib/clang/7.0.0/include -nostdsysteminc -fsyntax-only -S -emit-llvm -triple i386-unknown-unknown -fcf-protection=branch /src/tools/clang/test/CodeGen/x86-cf-protection.c 2>&1 | /build/bin/FileCheck /src/tools/clang/test/CodeGen/x86
-cf-protection.c --check-prefix=BRANCH            
--                                                
Exit Code: 1                                      
                                                  
Command Output (stderr):                          
--                                                
/src/tools/clang/test/CodeGen/x86-cf-protection.c:4:12: error: expected string not found in input
// RETURN: error: option 'cf-protection=return' cannot be specified without '-mshstk'
           ^                                      
<stdin>:1:1: note: scanning from here             
error: unable to open output file '': 'Read-only file system'
^                                                 
                                                  
--

Adding -o %t solves the problem (r322082).

alexfh: The specific problem I've stumbled upon is that the test fails when the source file is on a…
oren_ben_simhonAuthorUnsubmitted
Not Done
ReplyInline Actions

I see. Thanks for the fix.

oren_ben_simhon: I see. Thanks for the fix.
// RUN: not %clang_cc1 -fsyntax-only -S -emit-llvm -triple i386-unknown-unknown -fcf-protection=branch %s 2>&1 | FileCheck %s --check-prefix=BRANCH
// RETURN: error: option 'cf-protection=return' cannot be specified without '-mshstk'
// BRANCH: error: option 'cf-protection=branch' cannot be specified without '-mibt'
void foo() {}

test/Driver/clang_f_opts.c

Show First 20 LinesShow All 497 Lines▼ Show 20 Lines
// RUN: %clang -### -S -fno-allow-editor-placeholders %s 2>&1 | FileCheck -check-prefix=CHECK-NO-ALLOW-PLACEHOLDERS %s // RUN: %clang -### -S -fno-allow-editor-placeholders %s 2>&1 | FileCheck -check-prefix=CHECK-NO-ALLOW-PLACEHOLDERS %s
// CHECK-ALLOW-PLACEHOLDERS: -fallow-editor-placeholders // CHECK-ALLOW-PLACEHOLDERS: -fallow-editor-placeholders
// CHECK-NO-ALLOW-PLACEHOLDERS-NOT: -fallow-editor-placeholders // CHECK-NO-ALLOW-PLACEHOLDERS-NOT: -fallow-editor-placeholders
// RUN: %clang -### -target x86_64-unknown-windows-msvc -fno-short-wchar %s 2>&1 | FileCheck -check-prefix CHECK-WINDOWS-ISO10646 %s // RUN: %clang -### -target x86_64-unknown-windows-msvc -fno-short-wchar %s 2>&1 | FileCheck -check-prefix CHECK-WINDOWS-ISO10646 %s
// CHECK-WINDOWS-ISO10646: "-fwchar-type=int" // CHECK-WINDOWS-ISO10646: "-fwchar-type=int"
// CHECK-WINDOWS-ISO10646: "-fsigned-wchar" // CHECK-WINDOWS-ISO10646: "-fsigned-wchar"
// RUN: %clang -### -S -fcf-protection %s 2>&1 | FileCheck -check-prefix=CHECK-CF-PROTECTION-FULL %s
// RUN: %clang -### -S %s 2>&1 | FileCheck -check-prefix=CHECK-NO-CF-PROTECTION-FULL %s
// RUN: %clang -### -S -fcf-protection=full %s 2>&1 | FileCheck -check-prefix=CHECK-CF-PROTECTION-FULL %s
// RUN: %clang -### -S %s 2>&1 | FileCheck -check-prefix=CHECK-NO-CF-PROTECTION-FULL %s
// CHECK-CF-PROTECTION-FULL: -fcf-protection=full
// CHECK-NO-CF-PROTECTION-FULL-NOT: -fcf-protection=full
// RUN: %clang -### -S -fcf-protection=return %s 2>&1 | FileCheck -check-prefix=CHECK-CF-PROTECTION-RETURN %s
// RUN: %clang -### -S %s 2>&1 | FileCheck -check-prefix=CHECK-NO-CF-PROTECTION-RETURN %s
// CHECK-CF-PROTECTION-RETURN: -fcf-protection=return
// CHECK-NO-CF-PROTECTION-RETURN-NOT: -fcf-protection=return
// RUN: %clang -### -S -fcf-protection=branch %s 2>&1 | FileCheck -check-prefix=CHECK-CF-PROTECTION-BRANCH %s
// RUN: %clang -### -S %s 2>&1 | FileCheck -check-prefix=CHECK-NO-CF-PROTECTION-BRANCH %s
// CHECK-CF-PROTECTION-BRANCH: -fcf-protection=branch
// CHECK-NO-CF-PROTECTION-BRANCH-NOT: -fcf-protection=branch