This is an archive of the discontinued LLVM Phabricator instance.

Differential D71019

[AArch64] Emit PAC/BTI .note.gnu.property flags
ClosedPublic

Authored by chill on Dec 4 2019, 8:11 AM.

Details

Reviewers
psmith
t.p.northover
peter.smith
Commits
rGd53e61863d48: [AArch64] Emit PAC/BTI .note.gnu.property flags
Summary
This patch make LLVM emit the processor specific program property types
defined in AArch64 ELF spec
https://developer.arm.com/docs/ihi0056/f/elf-for-the-arm-64-bit-architecture-aarch64-abi-2019q2-documentation
   
A file containing no functions gets both property flags.  Otherwise, a property
is set iff all the functions in the file have the corresponding attribute.
   
Patch by Daniel Kiss and Momchil Velikov.

Diff Detail

Event Timeline

chill created this revision.Dec 4 2019, 8:11 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 4 2019, 8:11 AM
Herald added subscribers: llvm-commits, hiraditya, kristof.beyls. · View Herald Transcript
chill added reviewers: psmith, t.p.northover.Dec 4 2019, 8:57 AM
peter.smith added a subscriber: peter.smith.Dec 6 2019, 10:23 AM

Apologies for the delay in responding. I've got a query about the alignment of the .note.gnu.property sections. As I understand it they should be 8-byte aligned for a 64-bit machine. I also think it would be helpful to warn that if at least one, but not all functions have the branch-target-enforcement attribute.

Other that that I think the change looks good.

Some links for other reviewers:

llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp
190

There is a similar implementation in X86AsmPrinter that uses FeatureFlagsAnd rather than Flags, it may be worth using a similar naming convention as these are equivalent features. This isn't a strong opinion by any means, just a suggestion.

193

The case where at least one, but not all functions have the branch-target-enforcement attribute is somewhat problematic.

At the moment BTI can only be enabled per link-unit, and if there is any object not marked with the .note.gnu.property section the linker will refuse to propagate the property into the image (without a command-line --force-bti). With that in mind clearing the property clears it for the entire link-unit, rather negating the point of using it in the first place. On the other hand not-clearing the property means that not all functions have branch-target-enforcement so claiming that they do could result in a run-time error if they are indirectly called.

I think it would be worth a warning if at least one, but not all functions have branch-target-protection.

The same case exists for PAC, below, however as I understand it, it is less important for the whole link-unit to be covered as it is with BTI.

214

On 64-bit architectures SHT_NOTE sections have 8-byte alignment. For .note.gnu.property there has been some discussion about this as the actual section contents don't require 8-byte alignment. My understanding is that the consensus came out as 8-byte alignment. This is what has been implemented in the X86AsmPrinter::EmitStartOfAsmFile. The binutils AArch64 assembler tests have 8-byte alignment. see https://patches-gcc.linaro.org/patch/16268/ property-bti-pac1.s

In summary I think we need to double check what GCC has done here, and add EmitAlignment directives if they are necessary.

chill updated this revision to Diff 232829.Dec 9 2019, 6:06 AM
chill marked 4 inline comments as done.Dec 9 2019, 6:13 AM
chill added inline comments.
llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp
190

I don't see how that would be an improvement in readability. If the function manipulated several different kinds of flags, it'd be worth it renaming to, say, FeatureFlags, but then, if the function did more than one thing I'd separate the part that emitted the note section in a separate utility function ... and leave the name Flags. FeatureFlagsAnd is a rather unfortunate name, a) it is extremely long for a local variable name, and b) it makes me ask "... and what?" :D

peter.smith accepted this revision.Dec 10 2019, 12:24 AM

Looks good to me. Will be worth giving Tim or other reviewers a day for a last chance to comment before committing.

This revision is now accepted and ready to land.Dec 10 2019, 12:24 AM
danielkiss added a subscriber: danielkiss.Dec 11 2019, 2:47 AM
Closed by commit rGd53e61863d48: [AArch64] Emit PAC/BTI .note.gnu.property flags (authored by chill). · Explain WhyDec 13 2019, 9:39 AM
This revision was automatically updated to reflect the committed changes.
chill marked an inline comment as done.

Revision Contents

Diff 233825

llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp

Show First 20 LinesShow All 78 Lines▼ Show 20 Linespublic:
StringRef getPassName() const override { return "AArch64 Assembly Printer"; } StringRef getPassName() const override { return "AArch64 Assembly Printer"; }
/// Wrapper for MCInstLowering.lowerOperand() for the /// Wrapper for MCInstLowering.lowerOperand() for the
/// tblgen'erated pseudo lowering. /// tblgen'erated pseudo lowering.
bool lowerOperand(const MachineOperand &MO, MCOperand &MCOp) const { bool lowerOperand(const MachineOperand &MO, MCOperand &MCOp) const {
return MCInstLowering.lowerOperand(MO, MCOp); return MCInstLowering.lowerOperand(MO, MCOp);
} }
void EmitStartOfAsmFile(Module &M) override;
void EmitJumpTableInfo() override; void EmitJumpTableInfo() override;
void emitJumpTableEntry(const MachineJumpTableInfo *MJTI, void emitJumpTableEntry(const MachineJumpTableInfo *MJTI,
const MachineBasicBlock *MBB, unsigned JTI); const MachineBasicBlock *MBB, unsigned JTI);
void LowerJumpTableDestSmall(MCStreamer &OutStreamer, const MachineInstr &MI); void LowerJumpTableDestSmall(MCStreamer &OutStreamer, const MachineInstr &MI);
void LowerSTACKMAP(MCStreamer &OutStreamer, StackMaps &SM, void LowerSTACKMAP(MCStreamer &OutStreamer, StackMaps &SM,
const MachineInstr &MI); const MachineInstr &MI);
▲ Show 20 LinesShow All 81 Lines▼ Show 20 Linesprivate:
using MInstToMCSymbol = std::map<const MachineInstr *, MCSymbol *>; using MInstToMCSymbol = std::map<const MachineInstr *, MCSymbol *>;
MInstToMCSymbol LOHInstToLabel; MInstToMCSymbol LOHInstToLabel;
}; };
} // end anonymous namespace } // end anonymous namespace
void AArch64AsmPrinter::EmitStartOfAsmFile(Module &M) {
if (!TM.getTargetTriple().isOSBinFormatELF())
return;
// Assemble feature flags that may require creation of a note section.
unsigned Flags = ELF::GNU_PROPERTY_AARCH64_FEATURE_1_BTI |
peter.smithUnsubmitted
Done
ReplyInline Actions

There is a similar implementation in X86AsmPrinter that uses FeatureFlagsAnd rather than Flags, it may be worth using a similar naming convention as these are equivalent features. This isn't a strong opinion by any means, just a suggestion.

peter.smith: There is a similar implementation in X86AsmPrinter that uses FeatureFlagsAnd rather than Flags…
chillAuthorUnsubmitted
Done
ReplyInline Actions

I don't see how that would be an improvement in readability. If the function manipulated several different kinds of flags, it'd be worth it renaming to, say, FeatureFlags, but then, if the function did more than one thing I'd separate the part that emitted the note section in a separate utility function ... and leave the name Flags. FeatureFlagsAnd is a rather unfortunate name, a) it is extremely long for a local variable name, and b) it makes me ask "... and what?" :D

chill: I don't see how that would be an improvement in readability. If the function manipulated…
ELF::GNU_PROPERTY_AARCH64_FEATURE_1_PAC;
if (any_of(M, [](const Function &F) {
peter.smithUnsubmitted
Done
ReplyInline Actions

The case where at least one, but not all functions have the branch-target-enforcement attribute is somewhat problematic.

At the moment BTI can only be enabled per link-unit, and if there is any object not marked with the .note.gnu.property section the linker will refuse to propagate the property into the image (without a command-line --force-bti). With that in mind clearing the property clears it for the entire link-unit, rather negating the point of using it in the first place. On the other hand not-clearing the property means that not all functions have branch-target-enforcement so claiming that they do could result in a run-time error if they are indirectly called.

I think it would be worth a warning if at least one, but not all functions have branch-target-protection.

The same case exists for PAC, below, however as I understand it, it is less important for the whole link-unit to be covered as it is with BTI.

peter.smith: The case where at least one, but not all functions have the branch-target-enforcement…
return !F.isDeclaration() &&
!F.hasFnAttribute("branch-target-enforcement");
})) {
Flags &= ~ELF::GNU_PROPERTY_AARCH64_FEATURE_1_BTI;
}
if ((Flags & ELF::GNU_PROPERTY_AARCH64_FEATURE_1_BTI) == 0 &&
any_of(M, [](const Function &F) {
return F.hasFnAttribute("branch-target-enforcement");
})) {
errs() << "warning: some functions compiled with BTI and some compiled "
"without BTI\n"
<< "warning: not setting BTI in feature flags\n";
}
if (any_of(M, [](const Function &F) {
if (F.isDeclaration())
return false;
Attribute A = F.getFnAttribute("sign-return-address");
return !A.isStringAttribute() || A.getValueAsString() == "none";
})) {
peter.smithUnsubmitted
Done
ReplyInline Actions

On 64-bit architectures SHT_NOTE sections have 8-byte alignment. For .note.gnu.property there has been some discussion about this as the actual section contents don't require 8-byte alignment. My understanding is that the consensus came out as 8-byte alignment. This is what has been implemented in the X86AsmPrinter::EmitStartOfAsmFile. The binutils AArch64 assembler tests have 8-byte alignment. see https://patches-gcc.linaro.org/patch/16268/ property-bti-pac1.s

In summary I think we need to double check what GCC has done here, and add EmitAlignment directives if they are necessary.

peter.smith: On 64-bit architectures SHT_NOTE sections have 8-byte alignment. For .note.gnu.property there…
Flags &= ~ELF::GNU_PROPERTY_AARCH64_FEATURE_1_PAC;
}
if (Flags == 0)
return;
// Emit a .note.gnu.property section with the flags.
MCSection *Cur = OutStreamer->getCurrentSectionOnly();
MCSection *Nt = MMI->getContext().getELFSection(
".note.gnu.property", ELF::SHT_NOTE, ELF::SHF_ALLOC);
OutStreamer->SwitchSection(Nt);
// Emit the note header.
EmitAlignment(Align(8));
OutStreamer->EmitIntValue(4, 4); // data size for "GNU\0"
OutStreamer->EmitIntValue(4 * 4, 4); // Elf_Prop size
OutStreamer->EmitIntValue(ELF::NT_GNU_PROPERTY_TYPE_0, 4);
OutStreamer->EmitBytes(StringRef("GNU", 4)); // note name
// Emit the PAC/BTI properties.
OutStreamer->EmitIntValue(ELF::GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4);
OutStreamer->EmitIntValue(4, 4); // data size
OutStreamer->EmitIntValue(Flags, 4); // data
OutStreamer->EmitIntValue(0, 4); // pad
OutStreamer->endSection(Nt);
OutStreamer->SwitchSection(Cur);
}
void AArch64AsmPrinter::LowerPATCHABLE_FUNCTION_ENTER(const MachineInstr &MI) void AArch64AsmPrinter::LowerPATCHABLE_FUNCTION_ENTER(const MachineInstr &MI)
{ {
EmitSled(MI, SledKind::FUNCTION_ENTER); EmitSled(MI, SledKind::FUNCTION_ENTER);
} }
void AArch64AsmPrinter::LowerPATCHABLE_FUNCTION_EXIT(const MachineInstr &MI) void AArch64AsmPrinter::LowerPATCHABLE_FUNCTION_EXIT(const MachineInstr &MI)
{ {
EmitSled(MI, SledKind::FUNCTION_EXIT); EmitSled(MI, SledKind::FUNCTION_EXIT);
▲ Show 20 LinesShow All 1,037 LinesShow Last 20 Lines

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-0.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf --notes | FileCheck %s --check-prefix=OBJ
@x = common dso_local global i32 0, align 4
attributes #0 = { "branch-target-enforcement" }
; Both attributes present in a file with no functions.
; ASM: .word 3221225472
; ASM-NEXT: .word 4
; ASM-NEXT .word 3
; OBJ: Properties: aarch64 feature: BTI, PAC

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-1.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf --notes | FileCheck %s --check-prefix=OBJ
define dso_local i32 @f() #0 {
entry:
ret i32 0
}
attributes #0 = { "branch-target-enforcement" }
; BTI attribute present
; ASM: .word 3221225472
; ASM-NEXT: .word 4
; ASM-NEXT .word 1
; OBJ: Properties: aarch64 feature: BTI

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-2.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf --notes | FileCheck %s --check-prefix=OBJ
define dso_local i32 @f() #0 {
entry:
ret i32 0
}
attributes #0 = { "sign-return-address"="all" }
; PAC attribute present
; ASM: .word 3221225472
; ASM-NEXT: .word 4
; ASM-NEXT .word 2
; OBJ: Properties: aarch64 feature: PAC

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-3.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf --notes | FileCheck %s --check-prefix=OBJ
define dso_local i32 @f() #0 {
entry:
ret i32 0
}
attributes #0 = { "branch-target-enforcement" "sign-return-address"="non-leaf" }
; Both attribute present
; ASM: .word 3221225472
; ASM-NEXT: .word 4
; ASM-NEXT .word 3
; OBJ: Properties: aarch64 feature: BTI, PAC

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-4.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf --notes | FileCheck %s --check-prefix=OBJ
define dso_local i32 @f() #0 {
entry:
ret i32 0
}
define dso_local i32 @g() #1 {
entry:
ret i32 0
}
attributes #0 = { "branch-target-enforcement" "sign-return-address"="non-leaf" }
attributes #1 = { "branch-target-enforcement" }
; Only the common atttribute (BTI)
; ASM: .word 3221225472
; ASM-NEXT: .word 4
; ASM-NEXT .word 1
; OBJ: Properties: aarch64 feature: BTI

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-5.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - 2>&1 | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf --notes | FileCheck %s --check-prefix=OBJ
define dso_local i32 @f() #0 {
entry:
ret i32 0
}
define dso_local i32 @g() #1 {
entry:
ret i32 0
}
attributes #0 = { "branch-target-enforcement" "sign-return-address"="non-leaf" }
attributes #1 = { "sign-return-address"="all" }
; Only the common atttribute (PAC)
; ASM: warning: not setting BTI in feature flags
; ASM: .word 3221225472
; ASM-NEXT: .word 4
; ASM-NEXT .word 2
; OBJ: Properties: aarch64 feature: PAC

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-6.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf -S | FileCheck %s --check-prefix=OBJ
define dso_local i32 @f() #0 {
entry:
ret i32 0
}
define dso_local i32 @g() #1 {
entry:
ret i32 0
}
attributes #0 = { "sign-return-address"="non-leaf" }
attributes #1 = { "sign-return-address"="none" }
; No common attribute, no note section
; ASM-NOT: .note.gnu.property
; OBJ-NOT: .note.gnu.property

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-7.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - 2>&1 | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf -S | FileCheck %s --check-prefix=OBJ
define dso_local i32 @f() #0 {
entry:
ret i32 0
}
define dso_local i32 @g() #1 {
entry:
ret i32 0
}
attributes #0 = { "sign-return-address"="non-leaf" }
attributes #1 = { "branch-target-enforcement" }
; No common attribute, no note section
; ASM: warning: not setting BTI in feature flags
; ASM-NOT: .note.gnu.property
; OBJ-NOT: .note.gnu.property

llvm/test/CodeGen/AArch64/note-gnu-property-pac-bti-8.ll

  • This file was added.
; RUN: llc -mtriple=aarch64-linux %s -o - | \
; RUN: FileCheck %s --check-prefix=ASM
; RUN: llc -mtriple=aarch64-linux %s -filetype=obj -o - | \
; RUN: llvm-readelf --notes | FileCheck %s --check-prefix=OBJ
define dso_local i32 @f() #0 {
entry:
%r = tail call i32 @g()
ret i32 %r
}
declare dso_local i32 @g()
attributes #0 = { "branch-target-enforcement" }
; Declarations don't prevent setting BTI
; ASM: .word 3221225472
; ASM-NEXT: .word 4
; ASM-NEXT .word 1
; OBJ: Properties: aarch64 feature: BTI