This is an archive of the discontinued LLVM Phabricator instance.

Differential D46181

[X86][CET] Shadow stack fix for setjmp/longjmp
ClosedPublic

Authored by mike.dvoretsky on Apr 27 2018, 5:12 AM.

Details

Reviewers
craig.topper
Commits
rGc47f79928952: [X86][CET] Shadow stack fix for setjmp/longjmp
rL331748: [X86][CET] Shadow stack fix for setjmp/longjmp
Summary

This patch adds a shadow stack fix when compiling setjmp/longjmp with the shadow stack enabled. This allows setjmp/longjmp to work correctly with CET.

Diff Detail

Event Timeline

mike.dvoretsky created this revision.Apr 27 2018, 5:12 AM
Herald added subscribers: llvm-commits, hiraditya. · View Herald TranscriptApr 27 2018, 5:12 AM
ashlykov added a subscriber: ashlykov.Apr 27 2018, 6:09 AM
craig.topper added inline comments.Apr 27 2018, 9:20 AM
llvm/lib/Target/X86/X86ISelLowering.cpp
27560

Variable names should be capitalized.

27800

Can we use MOV64ri32 instead of MOV64ri? That would only use 32-bits for the immediate instead of 64.

Or better yet, can you use XOR?

27810

Can the be "TEST reg, reg" instead of CMP? Should be shorter encoding that putting 0 in the immediate. Even if not CMP64ri8/CMP32ri8 should be shorter than the ri32/ri versions.

27866

Single shifts should use SHL64r1/SHL32r1

mike.dvoretsky updated this revision to Diff 144543.Apr 30 2018, 5:03 AM

Updated per comments.

hjl.tools added a subscriber: hjl.tools.Apr 30 2018, 6:12 AM
hjl.tools added inline comments.
llvm/test/CodeGen/X86/shadow-stack.ll
48

Why movabsq $128? incssp takes last 8 bits. "movl $255" works.

77

Why movl $128? incssp takes last 8 bits. "movl $255" works.

mike.dvoretsky updated this revision to Diff 144560.Apr 30 2018, 7:58 AM

Style fix.

llvm/test/CodeGen/X86/shadow-stack.ll
77

This part ensures that we increment the SSP beyond the value in the low 8 bits of ecx on the last incsspd use. This means that we need to further increment the SSP by ecx * 256 at the start of this block. We cannot express that 256 in 8 bits, so instead we increment by (2 * ecx) * 128. So using 255 doesn't fit the logic of this part. Same goes for the 64-bit version.

mike.dvoretsky updated this revision to Diff 144562.Apr 30 2018, 8:08 AM

Test fix.

mike.dvoretsky added a comment.May 7 2018, 9:00 AM

@craig.topper, please review the latest changes.

craig.topper accepted this revision.May 7 2018, 11:09 AM

LGTM

This revision is now accepted and ready to land.May 7 2018, 11:09 AM
Closed by commit rL331748: [X86][CET] Shadow stack fix for setjmp/longjmp (authored by aivchenk). · Explain WhyMay 8 2018, 2:08 AM
This revision was automatically updated to reflect the committed changes.
mike.dvoretsky mentioned this in D47311: [X86][CET] Shadow stack fix for setjmp/longjmp.May 24 2018, 12:57 AM
aivchenk mentioned this in rL333990: [X86][CET] Shadow stack fix for setjmp/longjmp.Jun 5 2018, 2:28 AM

Revision Contents

PathSize
llvm/
lib/
Target/
X86/
6 lines
250 lines
test/
CodeGen/
X86/
133 lines

Diff 144562

llvm/lib/Target/X86/X86ISelLowering.h

Show First 20 LinesShow All 1,324 Lines▼ Show 20 Lines MachineBasicBlock *EmitLoweredTLSCall(MachineInstr &MI,
MachineBasicBlock *BB) const; MachineBasicBlock *BB) const;
MachineBasicBlock *EmitLoweredRetpoline(MachineInstr &MI, MachineBasicBlock *EmitLoweredRetpoline(MachineInstr &MI,
MachineBasicBlock *BB) const; MachineBasicBlock *BB) const;
MachineBasicBlock *emitEHSjLjSetJmp(MachineInstr &MI, MachineBasicBlock *emitEHSjLjSetJmp(MachineInstr &MI,
MachineBasicBlock *MBB) const; MachineBasicBlock *MBB) const;
void emitSetJmpShadowStackFix(MachineInstr &MI,
MachineBasicBlock *MBB) const;
MachineBasicBlock *emitEHSjLjLongJmp(MachineInstr &MI, MachineBasicBlock *emitEHSjLjLongJmp(MachineInstr &MI,
MachineBasicBlock *MBB) const; MachineBasicBlock *MBB) const;
MachineBasicBlock *emitLongJmpShadowStackFix(MachineInstr &MI,
MachineBasicBlock *MBB) const;
MachineBasicBlock *emitFMA3Instr(MachineInstr &MI, MachineBasicBlock *emitFMA3Instr(MachineInstr &MI,
MachineBasicBlock *MBB) const; MachineBasicBlock *MBB) const;
MachineBasicBlock *EmitSjLjDispatchBlock(MachineInstr &MI, MachineBasicBlock *EmitSjLjDispatchBlock(MachineInstr &MI,
MachineBasicBlock *MBB) const; MachineBasicBlock *MBB) const;
/// Emit nodes that will be selected as "test Op0,Op0", or something /// Emit nodes that will be selected as "test Op0,Op0", or something
/// equivalent, for use with the given x86 condition code. /// equivalent, for use with the given x86 condition code.
▲ Show 20 LinesShow All 209 LinesShow Last 20 Lines

llvm/lib/Target/X86/X86ISelLowering.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 27,519 Lines▼ Show 20 Lines BuildMI(*BB, MI, DL, TII->get(TargetOpcode::COPY), AvailableReg)
.addReg(CalleeVReg); .addReg(CalleeVReg);
MI.getOperand(0).ChangeToES(Symbol); MI.getOperand(0).ChangeToES(Symbol);
MI.setDesc(TII->get(Opc)); MI.setDesc(TII->get(Opc));
MachineInstrBuilder(*BB->getParent(), &MI) MachineInstrBuilder(*BB->getParent(), &MI)
.addReg(AvailableReg, RegState::Implicit | RegState::Kill); .addReg(AvailableReg, RegState::Implicit | RegState::Kill);
return BB; return BB;
} }
/// SetJmp implies future control flow change upon calling the corresponding
/// LongJmp.
/// Instead of using the 'return' instruction, the long jump fixes the stack and
/// performs an indirect branch. To do so it uses the registers that were stored
/// in the jump buffer (when calling SetJmp).
/// In case the shadow stack is enabled we need to fix it as well, because some
/// return addresses will be skipped.
/// The function will save the SSP for future fixing in the function
/// emitLongJmpShadowStackFix.
/// \param [in] MI The temporary Machine Instruction for the builtin.
/// \param [in] MBB The Machine Basic Block that will be modified.
void X86TargetLowering::emitSetJmpShadowStackFix(MachineInstr &MI,
MachineBasicBlock *MBB) const {
DebugLoc DL = MI.getDebugLoc();
MachineFunction *MF = MBB->getParent();
const TargetInstrInfo *TII = Subtarget.getInstrInfo();
MachineRegisterInfo &MRI = MF->getRegInfo();
MachineInstrBuilder MIB;
// Memory Reference
MachineInstr::mmo_iterator MMOBegin = MI.memoperands_begin();
MachineInstr::mmo_iterator MMOEnd = MI.memoperands_end();
// Initialize a register with zero.
MVT PVT = getPointerTy(MF->getDataLayout());
const TargetRegisterClass *PtrRC = getRegClassFor(PVT);
unsigned ZReg = MRI.createVirtualRegister(PtrRC);
unsigned XorRROpc = (PVT == MVT::i64) ? X86::XOR64rr : X86::XOR32rr;
BuildMI(*MBB, MI, DL, TII->get(XorRROpc))
.addDef(ZReg)
.addReg(ZReg, RegState::Undef)
.addReg(ZReg, RegState::Undef);
craig.topperUnsubmitted
Not Done
ReplyInline Actions

Variable names should be capitalized.

craig.topper: Variable names should be capitalized.
// Read the current SSP Register value to the zeroed register.
unsigned SSPCopyReg = MRI.createVirtualRegister(PtrRC);
unsigned RdsspOpc = (PVT == MVT::i64) ? X86::RDSSPQ : X86::RDSSPD;
BuildMI(*MBB, MI, DL, TII->get(RdsspOpc), SSPCopyReg).addReg(ZReg);
// Write the SSP register value to offset 3 in input memory buffer.
unsigned PtrStoreOpc = (PVT == MVT::i64) ? X86::MOV64mr : X86::MOV32mr;
MIB = BuildMI(*MBB, MI, DL, TII->get(PtrStoreOpc));
const int64_t SSPOffset = 3 * PVT.getStoreSize();
const unsigned MemOpndSlot = 1;
for (unsigned i = 0; i < X86::AddrNumOperands; ++i) {
if (i == X86::AddrDisp)
MIB.addDisp(MI.getOperand(MemOpndSlot + i), SSPOffset);
else
MIB.add(MI.getOperand(MemOpndSlot + i));
}
MIB.addReg(SSPCopyReg);
MIB.setMemRefs(MMOBegin, MMOEnd);
}
MachineBasicBlock * MachineBasicBlock *
X86TargetLowering::emitEHSjLjSetJmp(MachineInstr &MI, X86TargetLowering::emitEHSjLjSetJmp(MachineInstr &MI,
MachineBasicBlock *MBB) const { MachineBasicBlock *MBB) const {
DebugLoc DL = MI.getDebugLoc(); DebugLoc DL = MI.getDebugLoc();
MachineFunction *MF = MBB->getParent(); MachineFunction *MF = MBB->getParent();
const TargetInstrInfo *TII = Subtarget.getInstrInfo(); const TargetInstrInfo *TII = Subtarget.getInstrInfo();
const TargetRegisterInfo *TRI = Subtarget.getRegisterInfo(); const TargetRegisterInfo *TRI = Subtarget.getRegisterInfo();
MachineRegisterInfo &MRI = MF->getRegInfo(); MachineRegisterInfo &MRI = MF->getRegInfo();
▲ Show 20 LinesShow All 93 Lines▼ Show 20 Lines for (unsigned i = 0; i < X86::AddrNumOperands; ++i) {
else else
MIB.add(MI.getOperand(MemOpndSlot + i)); MIB.add(MI.getOperand(MemOpndSlot + i));
} }
if (!UseImmLabel) if (!UseImmLabel)
MIB.addReg(LabelReg); MIB.addReg(LabelReg);
else else
MIB.addMBB(restoreMBB); MIB.addMBB(restoreMBB);
MIB.setMemRefs(MMOBegin, MMOEnd); MIB.setMemRefs(MMOBegin, MMOEnd);
if (Subtarget.hasSHSTK()) {
emitSetJmpShadowStackFix(MI, thisMBB);
}
// Setup // Setup
MIB = BuildMI(*thisMBB, MI, DL, TII->get(X86::EH_SjLj_Setup)) MIB = BuildMI(*thisMBB, MI, DL, TII->get(X86::EH_SjLj_Setup))
.addMBB(restoreMBB); .addMBB(restoreMBB);
const X86RegisterInfo *RegInfo = Subtarget.getRegisterInfo(); const X86RegisterInfo *RegInfo = Subtarget.getRegisterInfo();
MIB.addRegMask(RegInfo->getNoPreservedMask()); MIB.addRegMask(RegInfo->getNoPreservedMask());
thisMBB->addSuccessor(mainMBB); thisMBB->addSuccessor(mainMBB);
thisMBB->addSuccessor(restoreMBB); thisMBB->addSuccessor(restoreMBB);
Show All 25 LinesX86TargetLowering::emitEHSjLjSetJmp(MachineInstr &MI,
BuildMI(restoreMBB, DL, TII->get(X86::MOV32ri), restoreDstReg).addImm(1); BuildMI(restoreMBB, DL, TII->get(X86::MOV32ri), restoreDstReg).addImm(1);
BuildMI(restoreMBB, DL, TII->get(X86::JMP_1)).addMBB(sinkMBB); BuildMI(restoreMBB, DL, TII->get(X86::JMP_1)).addMBB(sinkMBB);
restoreMBB->addSuccessor(sinkMBB); restoreMBB->addSuccessor(sinkMBB);
MI.eraseFromParent(); MI.eraseFromParent();
return sinkMBB; return sinkMBB;
} }
/// Fix the shadow stack using the previously saved SSP pointer.
/// \sa emitSetJmpShadowStackFix
/// \param [in] MI The temporary Machine Instruction for the builtin.
/// \param [in] MBB The Machine Basic Block that will be modified.
/// \return The sink MBB that will perform the future indirect branch.
MachineBasicBlock *
X86TargetLowering::emitLongJmpShadowStackFix(MachineInstr &MI,
MachineBasicBlock *MBB) const {
DebugLoc DL = MI.getDebugLoc();
MachineFunction *MF = MBB->getParent();
const TargetInstrInfo *TII = Subtarget.getInstrInfo();
MachineRegisterInfo &MRI = MF->getRegInfo();
// Memory Reference
MachineInstr::mmo_iterator MMOBegin = MI.memoperands_begin();
MachineInstr::mmo_iterator MMOEnd = MI.memoperands_end();
MVT PVT = getPointerTy(MF->getDataLayout());
const TargetRegisterClass *PtrRC = getRegClassFor(PVT);
// checkSspMBB:
// xor vreg1, vreg1
// rdssp vreg1
// test vreg1, vreg1
// je sinkMBB # Jump if Shadow Stack is not supported
// fallMBB:
// mov buf+24/12(%rip), vreg2
// sub vreg1, vreg2
// jbe sinkMBB # No need to fix the Shadow Stack
// fixShadowMBB:
// shr 3/2, vreg2
// incssp vreg2 # fix the SSP according to the lower 8 bits
// shr 8, vreg2
// je sinkMBB
// fixShadowLoopPrepareMBB:
// shl vreg2
// mov 255, vreg3
// fixShadowLoopMBB:
// incssp vreg3
// dec vreg2
// jne fixShadowLoopMBB # Iterate until you finish fixing
// # the Shadow Stack
// sinkMBB:
MachineFunction::iterator I = ++MBB->getIterator();
const BasicBlock *BB = MBB->getBasicBlock();
MachineBasicBlock *checkSspMBB = MF->CreateMachineBasicBlock(BB);
MachineBasicBlock *fallMBB = MF->CreateMachineBasicBlock(BB);
MachineBasicBlock *fixShadowMBB = MF->CreateMachineBasicBlock(BB);
MachineBasicBlock *fixShadowLoopPrepareMBB = MF->CreateMachineBasicBlock(BB);
MachineBasicBlock *fixShadowLoopMBB = MF->CreateMachineBasicBlock(BB);
MachineBasicBlock *sinkMBB = MF->CreateMachineBasicBlock(BB);
MF->insert(I, checkSspMBB);
MF->insert(I, fallMBB);
MF->insert(I, fixShadowMBB);
MF->insert(I, fixShadowLoopPrepareMBB);
MF->insert(I, fixShadowLoopMBB);
MF->insert(I, sinkMBB);
MBB->addSuccessor(checkSspMBB);
// Initialize a register with zero.
unsigned ZReg = MRI.createVirtualRegister(PtrRC);
unsigned XorRROpc = (PVT == MVT::i64) ? X86::XOR64rr : X86::XOR32rr;
craig.topperUnsubmitted
Not Done
ReplyInline Actions

Can we use MOV64ri32 instead of MOV64ri? That would only use 32-bits for the immediate instead of 64.

Or better yet, can you use XOR?

craig.topper: Can we use MOV64ri32 instead of MOV64ri? That would only use 32-bits for the immediate instead…
BuildMI(checkSspMBB, DL, TII->get(XorRROpc))
.addDef(ZReg)
.addReg(ZReg, RegState::Undef)
.addReg(ZReg, RegState::Undef);
// Read the current SSP Register value to the zeroed register.
unsigned SSPCopyReg = MRI.createVirtualRegister(PtrRC);
unsigned RdsspOpc = (PVT == MVT::i64) ? X86::RDSSPQ : X86::RDSSPD;
BuildMI(checkSspMBB, DL, TII->get(RdsspOpc), SSPCopyReg).addReg(ZReg);
craig.topperUnsubmitted
Not Done
ReplyInline Actions

Can the be "TEST reg, reg" instead of CMP? Should be shorter encoding that putting 0 in the immediate. Even if not CMP64ri8/CMP32ri8 should be shorter than the ri32/ri versions.

craig.topper: Can the be "TEST reg, reg" instead of CMP? Should be shorter encoding that putting 0 in the…
// Check whether the result of the SSP register is zero and jump directly
// to the sink.
unsigned TestRROpc = (PVT == MVT::i64) ? X86::TEST64rr : X86::TEST32rr;
BuildMI(checkSspMBB, DL, TII->get(TestRROpc))
.addReg(SSPCopyReg)
.addReg(SSPCopyReg);
BuildMI(checkSspMBB, DL, TII->get(X86::JE_1)).addMBB(sinkMBB);
checkSspMBB->addSuccessor(sinkMBB);
checkSspMBB->addSuccessor(fallMBB);
// Reload the previously saved SSP register value.
unsigned PrevSSPReg = MRI.createVirtualRegister(PtrRC);
unsigned PtrLoadOpc = (PVT == MVT::i64) ? X86::MOV64rm : X86::MOV32rm;
const int64_t SPPOffset = 3 * PVT.getStoreSize();
MachineInstrBuilder MIB =
BuildMI(fallMBB, DL, TII->get(PtrLoadOpc), PrevSSPReg);
for (unsigned i = 0; i < X86::AddrNumOperands; ++i) {
if (i == X86::AddrDisp)
MIB.addDisp(MI.getOperand(i), SPPOffset);
else
MIB.add(MI.getOperand(i));
}
MIB.setMemRefs(MMOBegin, MMOEnd);
// Subtract the current SSP from the previous SSP.
unsigned SspSubReg = MRI.createVirtualRegister(PtrRC);
unsigned SubRROpc = (PVT == MVT::i64) ? X86::SUB64rr : X86::SUB32rr;
BuildMI(fallMBB, DL, TII->get(SubRROpc), SspSubReg)
.addReg(PrevSSPReg)
.addReg(SSPCopyReg);
// Jump to sink in case PrevSSPReg <= SSPCopyReg.
BuildMI(fallMBB, DL, TII->get(X86::JBE_1)).addMBB(sinkMBB);
fallMBB->addSuccessor(sinkMBB);
fallMBB->addSuccessor(fixShadowMBB);
// Shift right by 2/3 for 32/64 because incssp multiplies the argument by 4/8.
unsigned ShrRIOpc = (PVT == MVT::i64) ? X86::SHR64ri : X86::SHR32ri;
unsigned Offset = (PVT == MVT::i64) ? 3 : 2;
unsigned SspFirstShrReg = MRI.createVirtualRegister(PtrRC);
BuildMI(fixShadowMBB, DL, TII->get(ShrRIOpc), SspFirstShrReg)
.addReg(SspSubReg)
.addImm(Offset);
// Increase SSP when looking only on the lower 8 bits of the delta.
unsigned IncsspOpc = (PVT == MVT::i64) ? X86::INCSSPQ : X86::INCSSPD;
BuildMI(fixShadowMBB, DL, TII->get(IncsspOpc)).addReg(SspFirstShrReg);
// Reset the lower 8 bits.
unsigned SspSecondShrReg = MRI.createVirtualRegister(PtrRC);
BuildMI(fixShadowMBB, DL, TII->get(ShrRIOpc), SspSecondShrReg)
.addReg(SspFirstShrReg)
.addImm(8);
// Jump if the result of the shift is zero.
BuildMI(fixShadowMBB, DL, TII->get(X86::JE_1)).addMBB(sinkMBB);
craig.topperUnsubmitted
Not Done
ReplyInline Actions

Single shifts should use SHL64r1/SHL32r1

craig.topper: Single shifts should use SHL64r1/SHL32r1
fixShadowMBB->addSuccessor(sinkMBB);
fixShadowMBB->addSuccessor(fixShadowLoopPrepareMBB);
// Do a single shift left.
unsigned ShlR1Opc = (PVT == MVT::i64) ? X86::SHL64r1 : X86::SHL32r1;
unsigned SspAfterShlReg = MRI.createVirtualRegister(PtrRC);
BuildMI(fixShadowLoopPrepareMBB, DL, TII->get(ShlR1Opc), SspAfterShlReg)
.addReg(SspSecondShrReg);
// Save the value 128 to a register (will be used next with incssp).
unsigned Value128InReg = MRI.createVirtualRegister(PtrRC);
unsigned MovRIOpc = (PVT == MVT::i64) ? X86::MOV64ri32 : X86::MOV32ri;
BuildMI(fixShadowLoopPrepareMBB, DL, TII->get(MovRIOpc), Value128InReg)
.addImm(128);
fixShadowLoopPrepareMBB->addSuccessor(fixShadowLoopMBB);
// Since incssp only looks at the lower 8 bits, we might need to do several
// iterations of incssp until we finish fixing the shadow stack.
unsigned DecReg = MRI.createVirtualRegister(PtrRC);
unsigned CounterReg = MRI.createVirtualRegister(PtrRC);
BuildMI(fixShadowLoopMBB, DL, TII->get(X86::PHI), CounterReg)
.addReg(SspAfterShlReg)
.addMBB(fixShadowLoopPrepareMBB)
.addReg(DecReg)
.addMBB(fixShadowLoopMBB);
// Every iteration we increase the SSP by 128.
BuildMI(fixShadowLoopMBB, DL, TII->get(IncsspOpc)).addReg(Value128InReg);
// Every iteration we decrement the counter by 1.
unsigned DecROpc = (PVT == MVT::i64) ? X86::DEC64r : X86::DEC32r;
BuildMI(fixShadowLoopMBB, DL, TII->get(DecROpc), DecReg).addReg(CounterReg);
// Jump if the counter is not zero yet.
BuildMI(fixShadowLoopMBB, DL, TII->get(X86::JNE_1)).addMBB(fixShadowLoopMBB);
fixShadowLoopMBB->addSuccessor(sinkMBB);
fixShadowLoopMBB->addSuccessor(fixShadowLoopMBB);
return sinkMBB;
}
MachineBasicBlock * MachineBasicBlock *
X86TargetLowering::emitEHSjLjLongJmp(MachineInstr &MI, X86TargetLowering::emitEHSjLjLongJmp(MachineInstr &MI,
MachineBasicBlock *MBB) const { MachineBasicBlock *MBB) const {
DebugLoc DL = MI.getDebugLoc(); DebugLoc DL = MI.getDebugLoc();
MachineFunction *MF = MBB->getParent(); MachineFunction *MF = MBB->getParent();
const TargetInstrInfo *TII = Subtarget.getInstrInfo(); const TargetInstrInfo *TII = Subtarget.getInstrInfo();
MachineRegisterInfo &MRI = MF->getRegInfo(); MachineRegisterInfo &MRI = MF->getRegInfo();
Show All 16 LinesX86TargetLowering::emitEHSjLjLongJmp(MachineInstr &MI,
MachineInstrBuilder MIB; MachineInstrBuilder MIB;
const int64_t LabelOffset = 1 * PVT.getStoreSize(); const int64_t LabelOffset = 1 * PVT.getStoreSize();
const int64_t SPOffset = 2 * PVT.getStoreSize(); const int64_t SPOffset = 2 * PVT.getStoreSize();
unsigned PtrLoadOpc = (PVT == MVT::i64) ? X86::MOV64rm : X86::MOV32rm; unsigned PtrLoadOpc = (PVT == MVT::i64) ? X86::MOV64rm : X86::MOV32rm;
unsigned IJmpOpc = (PVT == MVT::i64) ? X86::JMP64r : X86::JMP32r; unsigned IJmpOpc = (PVT == MVT::i64) ? X86::JMP64r : X86::JMP32r;
MachineBasicBlock *thisMBB = MBB;
// When CET and shadow stack is enabled, we need to fix the Shadow Stack.
if (Subtarget.hasSHSTK()) {
thisMBB = emitLongJmpShadowStackFix(MI, thisMBB);
}
// Reload FP // Reload FP
MIB = BuildMI(*MBB, MI, DL, TII->get(PtrLoadOpc), FP); MIB = BuildMI(thisMBB, DL, TII->get(PtrLoadOpc), FP);
for (unsigned i = 0; i < X86::AddrNumOperands; ++i) for (unsigned i = 0; i < X86::AddrNumOperands; ++i)
MIB.add(MI.getOperand(i)); MIB.add(MI.getOperand(i));
MIB.setMemRefs(MMOBegin, MMOEnd); MIB.setMemRefs(MMOBegin, MMOEnd);
// Reload IP // Reload IP
MIB = BuildMI(*MBB, MI, DL, TII->get(PtrLoadOpc), Tmp); MIB = BuildMI(thisMBB, DL, TII->get(PtrLoadOpc), Tmp);
for (unsigned i = 0; i < X86::AddrNumOperands; ++i) { for (unsigned i = 0; i < X86::AddrNumOperands; ++i) {
if (i == X86::AddrDisp) if (i == X86::AddrDisp)
MIB.addDisp(MI.getOperand(i), LabelOffset); MIB.addDisp(MI.getOperand(i), LabelOffset);
else else
MIB.add(MI.getOperand(i)); MIB.add(MI.getOperand(i));
} }
MIB.setMemRefs(MMOBegin, MMOEnd); MIB.setMemRefs(MMOBegin, MMOEnd);
// Reload SP // Reload SP
MIB = BuildMI(*MBB, MI, DL, TII->get(PtrLoadOpc), SP); MIB = BuildMI(thisMBB, DL, TII->get(PtrLoadOpc), SP);
for (unsigned i = 0; i < X86::AddrNumOperands; ++i) { for (unsigned i = 0; i < X86::AddrNumOperands; ++i) {
if (i == X86::AddrDisp) if (i == X86::AddrDisp)
MIB.addDisp(MI.getOperand(i), SPOffset); MIB.addDisp(MI.getOperand(i), SPOffset);
else else
MIB.add(MI.getOperand(i)); MIB.add(MI.getOperand(i));
} }
MIB.setMemRefs(MMOBegin, MMOEnd); MIB.setMemRefs(MMOBegin, MMOEnd);
// Jump // Jump
BuildMI(*MBB, MI, DL, TII->get(IJmpOpc)).addReg(Tmp); BuildMI(thisMBB, DL, TII->get(IJmpOpc)).addReg(Tmp);
MI.eraseFromParent(); MI.eraseFromParent();
return MBB; return thisMBB;
} }
void X86TargetLowering::SetupEntryBlockForSjLj(MachineInstr &MI, void X86TargetLowering::SetupEntryBlockForSjLj(MachineInstr &MI,
MachineBasicBlock *MBB, MachineBasicBlock *MBB,
MachineBasicBlock *DispatchBB, MachineBasicBlock *DispatchBB,
int FI) const { int FI) const {
DebugLoc DL = MI.getDebugLoc(); DebugLoc DL = MI.getDebugLoc();
MachineFunction *MF = MBB->getParent(); MachineFunction *MF = MBB->getParent();
▲ Show 20 LinesShow All 12,183 LinesShow Last 20 Lines

llvm/test/CodeGen/X86/shadow-stack.ll

  • This file was added.
; RUN: llc -mtriple x86_64-unknown-unknown -mattr=+shstk < %s | FileCheck %s --check-prefix=X86_64
; RUN: llc -mtriple i386-unknown-unknown -mattr=+shstk < %s | FileCheck %s --check-prefix=X86
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; The IR was created using the following C code:
;; typedef void *jmp_buf;
;; jmp_buf *buf;
;;
;; __attribute__((noinline)) int bar (int i) {
;; int j = i - 111;
;; __builtin_longjmp (buf, 1);
;; return j;
;; }
;;
;; int foo (int i) {
;; int j = i * 11;
;; if (!__builtin_setjmp (buf)) {
;; j += 33 + bar (j);
;; }
;; return j + i;
;; }
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@buf = common local_unnamed_addr global i8* null, align 8
; Functions that use LongJmp should fix the Shadow Stack using previosuly saved
; ShadowStackPointer in the input buffer.
; The fix requires unwinding the shadow stack to the last SSP.
define i32 @bar(i32 %i) local_unnamed_addr {
; X86_64-LABEL: bar:
; X86_64: movq {{.*}}(%rip), %rax
; X86_64-NEXT: xorq %rdx, %rdx
; X86_64-NEXT: rdsspq %rdx
; X86_64-NEXT: testq %rdx, %rdx
; X86_64-NEXT: je .LBB0_5
; X86_64-NEXT: # %bb.1: # %entry
; X86_64-NEXT: movq 24(%rax), %rcx
; X86_64-NEXT: subq %rdx, %rcx
; X86_64-NEXT: jbe .LBB0_5
; X86_64-NEXT: # %bb.2: # %entry
; X86_64-NEXT: shrq $3, %rcx
; X86_64-NEXT: incsspq %rcx
; X86_64-NEXT: shrq $8, %rcx
; X86_64-NEXT: je .LBB0_5
; X86_64-NEXT: # %bb.3: # %entry
; X86_64-NEXT: shlq %rcx
; X86_64-NEXT: movq $128, %rdx
; X86_64-NEXT: .LBB0_4: # %entry
hjl.toolsUnsubmitted
Not Done
ReplyInline Actions

Why movabsq $128? incssp takes last 8 bits. "movl $255" works.

hjl.tools: Why movabsq $128? incssp takes last 8 bits. "movl $255" works.
; X86_64-NEXT: # =>This Inner Loop Header: Depth=1
; X86_64-NEXT: incsspq %rdx
; X86_64-NEXT: decq %rcx
; X86_64-NEXT: jne .LBB0_4
; X86_64-NEXT: .LBB0_5: # %entry
; X86_64-NEXT: movq (%rax), %rbp
; X86_64-NEXT: movq 8(%rax), %rcx
; X86_64-NEXT: movq 16(%rax), %rsp
; X86_64-NEXT: jmpq *%rcx
;
; X86-LABEL: bar:
; X86: movl buf, %eax
; X86-NEXT: xorl %edx, %edx
; X86-NEXT: rdsspd %edx
; X86-NEXT: testl %edx, %edx
; X86-NEXT: je .LBB0_5
; X86-NEXT: # %bb.1: # %entry
; X86-NEXT: movl 12(%eax), %ecx
; X86-NEXT: subl %edx, %ecx
; X86-NEXT: jbe .LBB0_5
; X86-NEXT: # %bb.2: # %entry
; X86-NEXT: shrl $2, %ecx
; X86-NEXT: incsspd %ecx
; X86-NEXT: shrl $8, %ecx
; X86-NEXT: je .LBB0_5
; X86-NEXT: # %bb.3: # %entry
; X86-NEXT: shll %ecx
; X86-NEXT: movl $128, %edx
; X86-NEXT: .LBB0_4: # %entry
hjl.toolsUnsubmitted
Not Done
ReplyInline Actions

Why movl $128? incssp takes last 8 bits. "movl $255" works.

hjl.tools: Why movl $128? incssp takes last 8 bits. "movl $255" works.
mike.dvoretskyAuthorUnsubmitted
Not Done
ReplyInline Actions

This part ensures that we increment the SSP beyond the value in the low 8 bits of ecx on the last incsspd use. This means that we need to further increment the SSP by ecx * 256 at the start of this block. We cannot express that 256 in 8 bits, so instead we increment by (2 * ecx) * 128. So using 255 doesn't fit the logic of this part. Same goes for the 64-bit version.

mike.dvoretsky: This part ensures that we increment the SSP beyond the value in the low 8 bits of ecx on the…
; X86-NEXT: # =>This Inner Loop Header: Depth=1
; X86-NEXT: incsspd %edx
; X86-NEXT: decl %ecx
; X86-NEXT: jne .LBB0_4
; X86-NEXT: .LBB0_5: # %entry
; X86-NEXT: movl (%eax), %ebp
; X86-NEXT: movl 4(%eax), %ecx
; X86-NEXT: movl 8(%eax), %esp
; X86-NEXT: jmpl *%ecx
entry:
%0 = load i8*, i8** @buf, align 8
tail call void @llvm.eh.sjlj.longjmp(i8* %0)
unreachable
}
declare void @llvm.eh.sjlj.longjmp(i8*)
; Functions that call SetJmp should save the current ShadowStackPointer for
; future fixing of the Shadow Stack.
define i32 @foo(i32 %i) local_unnamed_addr {
; X86_64-LABEL: foo:
; X86_64: xorq %rcx, %rcx
; X86_64-NEXT: rdsspq %rcx
; X86_64-NEXT: movq %rcx, 24(%rax)
; X86_64: callq bar
;
; X86-LABEL: foo:
; X86: xorl %ecx, %ecx
; X86-NEXT: rdsspd %ecx
; X86-NEXT: movl %ecx, 12(%eax)
; X86: calll bar
entry:
%0 = load i8*, i8** @buf, align 8
%1 = bitcast i8* %0 to i8**
%2 = tail call i8* @llvm.frameaddress(i32 0)
store i8* %2, i8** %1, align 8
%3 = tail call i8* @llvm.stacksave()
%4 = getelementptr inbounds i8, i8* %0, i64 16
%5 = bitcast i8* %4 to i8**
store i8* %3, i8** %5, align 8
%6 = tail call i32 @llvm.eh.sjlj.setjmp(i8* %0)
%tobool = icmp eq i32 %6, 0
br i1 %tobool, label %if.then, label %if.end
if.then: ; preds = %entry
%call = tail call i32 @bar(i32 undef)
unreachable
if.end: ; preds = %entry
%add2 = mul nsw i32 %i, 12
ret i32 %add2
}
declare i8* @llvm.frameaddress(i32)
declare i8* @llvm.stacksave()
declare i32 @llvm.eh.sjlj.setjmp(i8*)