This is an archive of the discontinued LLVM Phabricator instance.

Differential D49791

[AArch64] - Generate pointer authentication instructions
ClosedPublic

Authored by LukeCheeseman on Jul 25 2018, 5:30 AM.

Details

Reviewers
kcc
pcc
eugenis
vlad.tsyrklevich
javed.absar
olista01
Summary

Generate pointer authentication instructions

  • The functions instrumented depend on function attribtues: all (all functions instrumentent), non-leaf (only those that spill LR), none
  • Function epilogues sign the LR before spilling to the stack and authenticate the LR once restored
  • If the target is v8.3a or greater than can use the combined authenticate and return instruction

Diff Detail

Event Timeline

LukeCheeseman created this revision.Jul 25 2018, 5:30 AM
Herald added a reviewer: javed.absar. · View Herald TranscriptJul 25 2018, 5:30 AM
Herald added subscribers: llvm-commits, kristof.beyls. · View Herald Transcript
javed.absar added inline comments.Jul 25 2018, 6:53 AM
lib/Target/AArch64/AArch64FrameLowering.cpp
299

Please add reason string to the assert e.g. asset(... && "expected one of none|all|partial");

LukeCheeseman updated this revision to Diff 157270.Jul 25 2018, 8:02 AM
LukeCheeseman marked an inline comment as done.
olista01 added a subscriber: olista01.Jul 25 2018, 8:28 AM
olista01 added inline comments.
lib/Target/AArch64/AArch64FrameLowering.cpp
286

This comment and the gcc/clang command line options use "non-leaf", but you check for "partial" in the function attribute. I think it would be better to use "non-leaf" everywhere, unless there's a good reason to switch to "partial".

293

I can't find any other places where we do case-insensitive checks of function attributes, so I think we should stick to doing an exact string-compare here.

880

I think this could do with a comment explaining the different pre-v8.3 and post-v8.3 code.

test/CodeGen/AArch64/sign-return-address.ll
7

Most of the code in these tests can be removed (e.g. this one could be "ret i32 %x", or just "ret void").

69

It would be clearer to add an external function to call, rather than having the tests call each other.

113

Putting these attributes directly on the function definitions (in place of the #<n> reference) would make the tests a bit easier to read.

eugenis added a comment.Jul 25 2018, 2:38 PM

What happens if a function with signed LR tail calls a function with unsigned LR, or vice versa?

LukeCheeseman updated this revision to Diff 157432.Jul 26 2018, 1:38 AM
  • Address reviewer points
  • Add a test for when a tail call occurs in a function that signs the LR
LukeCheeseman marked 6 inline comments as done and an inline comment as not done.Jul 26 2018, 1:38 AM
In D49791#1175839, @eugenis wrote:

What happens if a function with signed LR tail calls a function with unsigned LR, or vice versa?

I've added a test for what I think is meant here, see spill_lr_and_tail call.

The LR is authenticated before the tail call happens.

LukeCheeseman marked an inline comment as done.Jul 26 2018, 2:30 AM
ab added a subscriber: ab.Jul 26 2018, 10:41 AM

A few minor comments inline, and one question: it sounds like this is based on a GCC feature; what's the expected behavior for __builtin_returnaddress ? Shouldn't it xpaci the result?

Also, that's one of the reasons why I'm not sure it's wise to emit the instructions always, even if we're not explicitly targeting v8.3a. You run the risk of having some parts of the code (__builtin_returnaddress, backtrace, unwind, ...) be built for v8, not knowing that they need to strip, even though some other part might have enabled this LR signing. I'm not sure there's much to be done about that, though ;)

lib/Target/AArch64/AArch64FrameLowering.cpp
297

Is this actually necessary? "all" is still only functions that actually save LR, no? Why sign it if it's not saved?

1007

One trick to make sure this covers all 'return' paths (even when the code changes) is to use 'make_scope_exit' to guarantee the code is run.

test/CodeGen/AArch64/sign-return-address.ll
6

To expand on Oliver's comments, you can also remove the basic block names, and 'dso_local' (unless its semantics matter, which doesn't seem to be the case here)

Also, another nit: having the check lines away from the check-label is kinda confusing, maybe put it all before the IR?

43

The ordering of the instructions is critical here, no? Whether the PAC/AUT occur before (resp. after) SP updates (or, for that matter, the LR save) is crucial to the feature. Maybe have explicit CHECK-NEXT for the rest of the prologue/epilogue?

LukeCheeseman updated this revision to Diff 157694.Jul 27 2018, 7:44 AM

Update patch based on comments

LukeCheeseman marked 3 inline comments as done.Jul 27 2018, 7:45 AM
LukeCheeseman added inline comments.
lib/Target/AArch64/AArch64FrameLowering.cpp
297

Yes, it is necessary. "all" is all functions, even those that don't save the LR. Assume you are in a context where you have managed to gain control over the flow of execution, if you don't sign the LR in any function that doesn't save the LR then these functions becomes the ideal place to find gadgets.

vlad.tsyrklevich added inline comments.Jul 30 2018, 6:29 PM
lib/Target/AArch64/AArch64FrameLowering.cpp
289

nit: clang-format this change

LukeCheeseman updated this revision to Diff 158489.Aug 1 2018, 3:54 AM

Ran through clang-format

LukeCheeseman updated this revision to Diff 159519.Aug 7 2018, 8:48 AM

When the basic block has no terminator (as it will fall through to the next block), don't bail out of inserting an authentication instruction.

LukeCheeseman added a comment.Aug 16 2018, 2:40 AM

ping

olista01 accepted this revision.Aug 17 2018, 5:33 AM

LGTM, thanks!

This revision is now accepted and ready to land.Aug 17 2018, 5:33 AM
emaste added a subscriber: emaste.Sep 18 2018, 2:13 PM
LukeCheeseman closed this revision.Sep 26 2018, 3:53 AM

This was closed by r340018 (I attached the wrong differential revision to the commit and so this was not automatically closed)

Revision Contents

PathSize
lib/
Target/
AArch64/
59 lines
test/
CodeGen/
AArch64/
86 lines

Diff 159519

lib/Target/AArch64/AArch64FrameLowering.cpp

Show First 20 LinesShow All 92 Lines▼ Show 20 Lines
#include "AArch64FrameLowering.h" #include "AArch64FrameLowering.h"
#include "AArch64InstrInfo.h" #include "AArch64InstrInfo.h"
#include "AArch64MachineFunctionInfo.h" #include "AArch64MachineFunctionInfo.h"
#include "AArch64RegisterInfo.h" #include "AArch64RegisterInfo.h"
#include "AArch64Subtarget.h" #include "AArch64Subtarget.h"
#include "AArch64TargetMachine.h" #include "AArch64TargetMachine.h"
#include "MCTargetDesc/AArch64AddressingModes.h" #include "MCTargetDesc/AArch64AddressingModes.h"
#include "llvm/ADT/ScopeExit.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/CodeGen/LivePhysRegs.h" #include "llvm/CodeGen/LivePhysRegs.h"
#include "llvm/CodeGen/MachineBasicBlock.h" #include "llvm/CodeGen/MachineBasicBlock.h"
#include "llvm/CodeGen/MachineFrameInfo.h" #include "llvm/CodeGen/MachineFrameInfo.h"
#include "llvm/CodeGen/MachineFunction.h" #include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineInstr.h" #include "llvm/CodeGen/MachineInstr.h"
#include "llvm/CodeGen/MachineInstrBuilder.h" #include "llvm/CodeGen/MachineInstrBuilder.h"
▲ Show 20 LinesShow All 165 Lines▼ Show 20 Lines if (!TFI->hasReservedCallFrame(MF)) {
// stack, we want to add it back if we have a reserved call frame. // stack, we want to add it back if we have a reserved call frame.
assert(CalleePopAmount < 0xffffff && "call frame too large"); assert(CalleePopAmount < 0xffffff && "call frame too large");
emitFrameOffset(MBB, I, DL, AArch64::SP, AArch64::SP, -CalleePopAmount, emitFrameOffset(MBB, I, DL, AArch64::SP, AArch64::SP, -CalleePopAmount,
TII); TII);
} }
return MBB.erase(I); return MBB.erase(I);
} }
static bool ShouldSignReturnAddress(MachineFunction &MF) {
// The function should be signed in the following situations:
// - sign-return-address=all
// - sign-return-address=non-leaf and the functions spills the LR
olista01Unsubmitted
Done
ReplyInline Actions

This comment and the gcc/clang command line options use "non-leaf", but you check for "partial" in the function attribute. I think it would be better to use "non-leaf" everywhere, unless there's a good reason to switch to "partial".

olista01: This comment and the gcc/clang command line options use "non-leaf", but you check for "partial"…
const Function &F = MF.getFunction();
if (!F.hasFnAttribute("sign-return-address"))
vlad.tsyrklevichUnsubmitted
Not Done
ReplyInline Actions

nit: clang-format this change

vlad.tsyrklevich: nit: clang-format this change
return false;
StringRef Scope = F.getFnAttribute("sign-return-address").getValueAsString();
if (Scope.equals("none"))
olista01Unsubmitted
Done
ReplyInline Actions

I can't find any other places where we do case-insensitive checks of function attributes, so I think we should stick to doing an exact string-compare here.

olista01: I can't find any other places where we do case-insensitive checks of function attributes, so I…
return false;
if (Scope.equals("all"))
return true;
abUnsubmitted
Not Done
ReplyInline Actions

Is this actually necessary? "all" is still only functions that actually save LR, no? Why sign it if it's not saved?

ab: Is this actually necessary? "all" is still only functions that actually save LR, no? Why sign…
LukeCheesemanAuthorUnsubmitted
Not Done
ReplyInline Actions

Yes, it is necessary. "all" is all functions, even those that don't save the LR. Assume you are in a context where you have managed to gain control over the flow of execution, if you don't sign the LR in any function that doesn't save the LR then these functions becomes the ideal place to find gadgets.

LukeCheeseman: Yes, it is necessary. "all" is all functions, even those that don't save the LR. Assume you…
assert(Scope.equals("non-leaf") && "Expected all, none or non-leaf");
javed.absarUnsubmitted
Done
ReplyInline Actions

Please add reason string to the assert e.g. asset(... && "expected one of none|all|partial");

javed.absar: Please add reason string to the assert e.g. asset(... && "expected one of none|all|partial");
for (const auto &Info : MF.getFrameInfo().getCalleeSavedInfo())
if (Info.getReg() == AArch64::LR)
return true;
return false;
}
void AArch64FrameLowering::emitCalleeSavedFrameMoves( void AArch64FrameLowering::emitCalleeSavedFrameMoves(
MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI) const { MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI) const {
MachineFunction &MF = *MBB.getParent(); MachineFunction &MF = *MBB.getParent();
MachineFrameInfo &MFI = MF.getFrameInfo(); MachineFrameInfo &MFI = MF.getFrameInfo();
const TargetSubtargetInfo &STI = MF.getSubtarget(); const TargetSubtargetInfo &STI = MF.getSubtarget();
const MCRegisterInfo *MRI = STI.getRegisterInfo(); const MCRegisterInfo *MRI = STI.getRegisterInfo();
const TargetInstrInfo *TII = STI.getInstrInfo(); const TargetInstrInfo *TII = STI.getInstrInfo();
DebugLoc DL = MBB.findDebugLoc(MBBI); DebugLoc DL = MBB.findDebugLoc(MBBI);
▲ Show 20 LinesShow All 273 Lines▼ Show 20 Linesvoid AArch64FrameLowering::emitPrologue(MachineFunction &MF,
// redzone. In most cases, the function doesn't have a redzone so let's // redzone. In most cases, the function doesn't have a redzone so let's
// assume that's false and set it to true in the case that there's a redzone. // assume that's false and set it to true in the case that there's a redzone.
AFI->setHasRedZone(false); AFI->setHasRedZone(false);
// Debug location must be unknown since the first debug location is used // Debug location must be unknown since the first debug location is used
// to determine the end of the prologue. // to determine the end of the prologue.
DebugLoc DL; DebugLoc DL;
if (ShouldSignReturnAddress(MF)) {
BuildMI(MBB, MBBI, DL, TII->get(AArch64::PACIASP))
.setMIFlag(MachineInstr::FrameSetup);
}
// All calls are tail calls in GHC calling conv, and functions have no // All calls are tail calls in GHC calling conv, and functions have no
// prologue/epilogue. // prologue/epilogue.
if (MF.getFunction().getCallingConv() == CallingConv::GHC) if (MF.getFunction().getCallingConv() == CallingConv::GHC)
return; return;
int NumBytes = (int)MFI.getStackSize(); int NumBytes = (int)MFI.getStackSize();
if (!AFI->hasStackFrame() && !windowsRequiresStackProbe(MF, NumBytes)) { if (!AFI->hasStackFrame() && !windowsRequiresStackProbe(MF, NumBytes)) {
assert(!HasFP && "unexpected function without stack frame but with FP"); assert(!HasFP && "unexpected function without stack frame but with FP");
▲ Show 20 LinesShow All 248 Lines▼ Show 20 Lines if (needsFrameMoves) {
} }
// Now emit the moves for whatever callee saved regs we have (including FP, // Now emit the moves for whatever callee saved regs we have (including FP,
// LR if those are saved). // LR if those are saved).
emitCalleeSavedFrameMoves(MBB, MBBI); emitCalleeSavedFrameMoves(MBB, MBBI);
} }
} }
static void InsertReturnAddressAuth(MachineFunction &MF,
MachineBasicBlock &MBB) {
if (!ShouldSignReturnAddress(MF))
return;
const AArch64Subtarget &Subtarget = MF.getSubtarget<AArch64Subtarget>();
const TargetInstrInfo *TII = Subtarget.getInstrInfo();
MachineBasicBlock::iterator MBBI = MBB.getFirstTerminator();
DebugLoc DL;
if (MBBI != MBB.end())
DL = MBBI->getDebugLoc();
// The AUTIASP instruction assembles to a hint instruction before v8.3a so
// this instruction can safely used for any v8a architecture.
// From v8.3a onwards there are optimised authenticate LR and return
olista01Unsubmitted
Done
ReplyInline Actions

I think this could do with a comment explaining the different pre-v8.3 and post-v8.3 code.

olista01: I think this could do with a comment explaining the different pre-v8.3 and post-v8.3 code.
// instructions, namely RETA{A,B}, that can be used instead.
if (Subtarget.hasV8_3aOps() && MBBI != MBB.end() &&
MBBI->getOpcode() == AArch64::RET_ReallyLR) {
BuildMI(MBB, MBBI, DL, TII->get(AArch64::RETAA)).copyImplicitOps(*MBBI);
MBB.erase(MBBI);
} else {
BuildMI(MBB, MBBI, DL, TII->get(AArch64::AUTIASP))
.setMIFlag(MachineInstr::FrameDestroy);
}
}
void AArch64FrameLowering::emitEpilogue(MachineFunction &MF, void AArch64FrameLowering::emitEpilogue(MachineFunction &MF,
MachineBasicBlock &MBB) const { MachineBasicBlock &MBB) const {
MachineBasicBlock::iterator MBBI = MBB.getLastNonDebugInstr(); MachineBasicBlock::iterator MBBI = MBB.getLastNonDebugInstr();
MachineFrameInfo &MFI = MF.getFrameInfo(); MachineFrameInfo &MFI = MF.getFrameInfo();
const AArch64Subtarget &Subtarget = MF.getSubtarget<AArch64Subtarget>(); const AArch64Subtarget &Subtarget = MF.getSubtarget<AArch64Subtarget>();
const TargetInstrInfo *TII = Subtarget.getInstrInfo(); const TargetInstrInfo *TII = Subtarget.getInstrInfo();
DebugLoc DL; DebugLoc DL;
bool IsTailCallReturn = false; bool IsTailCallReturn = false;
▲ Show 20 LinesShow All 51 Lines▼ Show 20 Linesvoid AArch64FrameLowering::emitEpilogue(MachineFunction &MF,
// ---------------------- --- --- // ---------------------- --- ---
// //
// So NumBytes = StackSize + BytesInStackArgArea - CalleeArgStackSize // So NumBytes = StackSize + BytesInStackArgArea - CalleeArgStackSize
// = StackSize + ArgumentPopSize // = StackSize + ArgumentPopSize
// //
// AArch64TargetLowering::LowerCall figures out ArgumentPopSize and keeps // AArch64TargetLowering::LowerCall figures out ArgumentPopSize and keeps
// it as the 2nd argument of AArch64ISD::TC_RETURN. // it as the 2nd argument of AArch64ISD::TC_RETURN.
auto Cleanup = make_scope_exit([&] { InsertReturnAddressAuth(MF, MBB); });
bool IsWin64 = bool IsWin64 =
Subtarget.isCallingConvWin64(MF.getFunction().getCallingConv()); Subtarget.isCallingConvWin64(MF.getFunction().getCallingConv());
unsigned FixedObject = IsWin64 ? alignTo(AFI->getVarArgsGPRSize(), 16) : 0; unsigned FixedObject = IsWin64 ? alignTo(AFI->getVarArgsGPRSize(), 16) : 0;
uint64_t AfterCSRPopSize = ArgumentPopSize; uint64_t AfterCSRPopSize = ArgumentPopSize;
auto PrologueSaveSize = AFI->getCalleeSavedStackSize() + FixedObject; auto PrologueSaveSize = AFI->getCalleeSavedStackSize() + FixedObject;
bool CombineSPBump = shouldCombineCSRLocalStackBump(MF, NumBytes); bool CombineSPBump = shouldCombineCSRLocalStackBump(MF, NumBytes);
// Assume we can't combine the last pop with the sp restore. // Assume we can't combine the last pop with the sp restore.
Show All 30 Lines if (!LastPopI->getFlag(MachineInstr::FrameDestroy)) {
fixupCalleeSaveRestoreStackOffset(*LastPopI, AFI->getLocalStackSize()); fixupCalleeSaveRestoreStackOffset(*LastPopI, AFI->getLocalStackSize());
} }
// If there is a single SP update, insert it before the ret and we're done. // If there is a single SP update, insert it before the ret and we're done.
if (CombineSPBump) { if (CombineSPBump) {
emitFrameOffset(MBB, MBB.getFirstTerminator(), DL, AArch64::SP, AArch64::SP, emitFrameOffset(MBB, MBB.getFirstTerminator(), DL, AArch64::SP, AArch64::SP,
NumBytes + AfterCSRPopSize, TII, NumBytes + AfterCSRPopSize, TII,
MachineInstr::FrameDestroy); MachineInstr::FrameDestroy);
return; return;
abUnsubmitted
Done
ReplyInline Actions

One trick to make sure this covers all 'return' paths (even when the code changes) is to use 'make_scope_exit' to guarantee the code is run.

ab: One trick to make sure this covers all 'return' paths (even when the code changes) is to use…
} }
NumBytes -= PrologueSaveSize; NumBytes -= PrologueSaveSize;
assert(NumBytes >= 0 && "Negative stack allocation size!?"); assert(NumBytes >= 0 && "Negative stack allocation size!?");
if (!hasFP(MF)) { if (!hasFP(MF)) {
bool RedZone = canUseRedZone(MF); bool RedZone = canUseRedZone(MF);
// If this was a redzone leaf function, we don't need to restore the // If this was a redzone leaf function, we don't need to restore the
▲ Show 20 LinesShow All 570 LinesShow Last 20 Lines

test/CodeGen/AArch64/sign-return-address.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-none-eabi < %s | FileCheck %s
; CHECK-LABEL: @leaf
; CHECK-NOT: paci{{[a,b]}}sp
; CHECK-NOT: auti{{[a,b]}}sp
define i32 @leaf(i32 %x) {
abUnsubmitted
Done
ReplyInline Actions

To expand on Oliver's comments, you can also remove the basic block names, and 'dso_local' (unless its semantics matter, which doesn't seem to be the case here)

Also, another nit: having the check lines away from the check-label is kinda confusing, maybe put it all before the IR?

ab: To expand on Oliver's comments, you can also remove the basic block names, and 'dso_local'…
ret i32 %x
olista01Unsubmitted
Done
ReplyInline Actions

Most of the code in these tests can be removed (e.g. this one could be "ret i32 %x", or just "ret void").

olista01: Most of the code in these tests can be removed (e.g. this one could be "ret i32 %x", or just…
}
; CHECK-LABEL: @leaf_sign_none
; CHECK-NOT: paci{{[a,b]}}sp
; CHECK-NOT: auti{{[a,b]}}sp
define i32 @leaf_sign_none(i32 %x) "sign-return-address"="none" {
ret i32 %x
}
; CHECK-LABEL: @leaf_sign_non_leaf
; CHECK-NOT: paci{{[a,b]}}sp
; CHECK-NOT: auti{{[a,b]}}sp
define i32 @leaf_sign_non_leaf(i32 %x) "sign-return-address"="non-leaf" {
ret i32 %x
}
; CHECK-LABEL: @leaf_sign_all
; CHECK: paciasp
; CHECK: autiasp
; CHECK-NEXT: ret
define i32 @leaf_sign_all(i32 %x) "sign-return-address"="all" {
ret i32 %x
}
; CHECK: @leaf_clobbers_lr
; CHECK: paciasp
; CHECK-NEXT: str x30, [sp, #-16]!
; CHECK: ldr x30, [sp], #16
; CHECK-NEXT: autiasp
; CHECK-NEXT: ret
define i64 @leaf_clobbers_lr(i64 %x) "sign-return-address"="non-leaf" {
call void asm sideeffect "mov x30, $0", "r,~{lr}"(i64 %x) #1
ret i64 %x
}
declare i32 @foo(i32)
abUnsubmitted
Done
ReplyInline Actions

The ordering of the instructions is critical here, no? Whether the PAC/AUT occur before (resp. after) SP updates (or, for that matter, the LR save) is crucial to the feature. Maybe have explicit CHECK-NEXT for the rest of the prologue/epilogue?

ab: The ordering of the instructions is critical here, no? Whether the PAC/AUT occur before (resp.
; CHECK: @non_leaf_sign_all
; CHECK: paciasp
; CHECK: autiasp
; CHECK-NEXT: ret
define i32 @non_leaf_sign_all(i32 %x) "sign-return-address"="all" {
%call = call i32 @foo(i32 %x)
ret i32 %call
}
; CHECK: @non_leaf_sign_non_leaf
; CHECK: paciasp
; CHECK-NEXT: str x30, [sp, #-16]!
; CHECK: ldr x30, [sp], #16
; CHECK-NEXT: autiasp
; CHECK-NEXT: ret
define i32 @non_leaf_sign_non_leaf(i32 %x) "sign-return-address"="non-leaf" {
%call = call i32 @foo(i32 %x)
ret i32 %call
}
; CHECK-LABEL: @leaf_sign_all_v83
; CHECK: paciasp
; CHECK-NOT: ret
; CHECK-NEXT: retaa
; CHECK-NOT: ret
olista01Unsubmitted
Done
ReplyInline Actions

It would be clearer to add an external function to call, rather than having the tests call each other.

olista01: It would be clearer to add an external function to call, rather than having the tests call each…
define i32 @leaf_sign_all_v83(i32 %x) "sign-return-address"="all" "target-features"="+v8.3a" {
ret i32 %x
}
declare fastcc i64 @bar(i64)
; CHECK-LABEL: @spill_lr_and_tail_call
; CHECK: paciasp
; CHECK-NEXT: str x30, [sp, #-16]!
; CHECK: ldr x30, [sp], #16
; CHECK-NEXT: autiasp
; CHECK-NEXT: b bar
define fastcc void @spill_lr_and_tail_call(i64 %x) "sign-return-address"="all" {
call void asm sideeffect "mov x30, $0", "r,~{lr}"(i64 %x) #1
tail call fastcc i64 @bar(i64 %x)
ret void
}
olista01Unsubmitted
Done
ReplyInline Actions

Putting these attributes directly on the function definitions (in place of the #<n> reference) would make the tests a bit easier to read.

olista01: Putting these attributes directly on the function definitions (in place of the #<n> reference)…