This is an archive of the discontinued LLVM Phabricator instance.

Differential D72167

Add support for __declspec(guard(nocf))
ClosedPublic

Authored by ajpaverd on Jan 3 2020, 9:15 AM.

Details

Reviewers
rnk
dmajor
pcc
hans
aaron.ballman
Commits
rGbdd88b7ed395: Add support for __declspec(guard(nocf))
Summary

Avoid using the nocf_check attribute with Control Flow Guard. Instead, use a
new "guard_nocf" function attribute to indicate that checks should not be
added on indirect calls within that function. Add support for
__declspec(guard(nocf)) following the same syntax as MSVC.

Diff Detail

Event Timeline

ajpaverd created this revision.Jan 3 2020, 9:15 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJan 3 2020, 9:15 AM
Herald added subscribers: llvm-commits, cfe-commits, hiraditya. · View Herald Transcript
Harbormaster completed remote builds in B43247: Diff 236078.Jan 3 2020, 9:18 AM
ajpaverd mentioned this in D65761: Add Windows Control Flow Guard checks (/guard:cf)..Jan 3 2020, 9:31 AM
tomrittervg added a subscriber: tomrittervg.Jan 3 2020, 9:58 AM
dmajor added a comment.Jan 3 2020, 10:53 AM

Thanks for doing this!

When I applied this patch and added __declspec(guard(nocf)) to the function that was giving us trouble, I still crashed with a CFG failure in the caller, since the nocf function was inlined. When I additionally marked that function as noinline, then the CFG checks were omitted, as desired. Is this behavior with respect to inlining expected?

You may want to mention "PR44096" in the commit message.

aaron.ballman added a subscriber: aaron.ballman.Jan 3 2020, 11:44 AM

Can you please add some Sema tests that verify the attribute only appertains to functions, accepts the right number of arguments, etc? Also, some tests showing how this attribute works for things like redelcarations and virtual functions would help. e.g.,

void f();
__declspec(guard(nocf)) void f() {} // Is this fine?

__declspec(guard(nocf)) void g();
void g() {} // How about this?

struct S {
  __declspec(guard(nocf)) virtual void f();
};

struct T : S {
  void f() override; // Should this be guard(nocf) as well?
};
clang/include/clang/Basic/AttrDocs.td
4568

read only -> read-only

4569

read only -> read-only

clang/lib/Sema/SemaDeclAttr.cpp
6633

I think this should use err_attribute_argument_type instead, since there's only one argument.

clang/test/CodeGen/guard_nocf.c
54

Please add a newline to the end of the file.

clang/test/CodeGenCXX/guard_nocf.cpp
85

Please add a newline to the end of the file.

ajpaverd updated this revision to Diff 236572.Jan 7 2020, 6:14 AM
ajpaverd marked 5 inline comments as done.

Make guard_nocf an attribute of individual call instructions

Instead of using "guard_nocf" as a function attribute, make this an attribute on individual call instructions for which Control Flow Guard checks should not be added. This allows the attribute (or lack thereof) to be propagated with the call instructions if they are inlined into another function.

Harbormaster completed remote builds in B43424: Diff 236572.Jan 7 2020, 6:18 AM
ajpaverd added a comment.Jan 7 2020, 6:23 AM
In D72167#1803395, @aaron.ballman wrote:

Can you please add some Sema tests that verify the attribute only appertains to functions, accepts the right number of arguments, etc? Also, some tests showing how this attribute works for things like redelcarations and virtual functions would help.

Thanks for the feedback @aaron.ballman! I've added tests that should match the behaviour of MSVC for each of the cases you suggested (as well as function inlining). Any other test cases we should add?

ajpaverd added a comment.Jan 7 2020, 6:32 AM
In D72167#1803333, @dmajor wrote:

Thanks for doing this!

When I applied this patch and added __declspec(guard(nocf)) to the function that was giving us trouble, I still crashed with a CFG failure in the caller, since the nocf function was inlined. When I additionally marked that function as noinline, then the CFG checks were omitted, as desired. Is this behavior with respect to inlining expected?

You may want to mention "PR44096" in the commit message.

Thanks for testing this @dmajor! I think the expected behaviour is that the modifier (or lack thereof) should be preserved even if the function is inlined. The latest changes should achieve this by placing the "guard_nocf" attribute on the individual indirect call instructions rather than the function itself. Does this now work for your function without having to add noinline?

dmajor added a comment.Jan 7 2020, 3:24 PM

Is the current patch an interdiff? It would be helpful to have the diff against the master repo; Phabricator can take care of showing interdiffs if necessary.

ajpaverd updated this revision to Diff 236806.Jan 8 2020, 6:13 AM
  • Make guard_nocf an attribute of individual call instructions
Harbormaster completed remote builds in B43504: Diff 236806.Jan 8 2020, 6:16 AM
aaron.ballman added inline comments.Jan 8 2020, 12:09 PM
clang/include/clang/Basic/Attr.td
2914

Should we also support ObjC methods? What about things like lambdas or blocks?

(Note, these could all be handled in a follow-up patch, I just wasn't certain if this attribute was specific to functions or anything that executes code.)

clang/lib/CodeGen/CGCall.cpp
4421

const auto * because the type is spelled out in the initialization anyway.

4422–4427
if (const auto *A = FD->getAttr<CFGuardAttr>()) {
  if (A->getGuard() == CFGuardAttr::GuardArg::nocf && !CI->getCalledFunction())
    Attrs = ...
}

(This way you don't have to call hasAttr<> followed by getAttr<>.)

clang/test/Sema/attr-guard_nocf.cpp
1 ↗(On Diff #236806)

Since this test file is identical to the C test, I would remove the .cpp file and add its RUN line to the .c test instead. You can do this with:

// RUN: %clang_cc1 -triple %ms_abi_triple -fms-extensions -verify -std=c++11 -fsyntax-only -x c++ %s
dmajor added a comment.Jan 8 2020, 1:25 PM

I've confirmed that the current patch fixes our CFG failures. Thanks again!

ajpaverd updated this revision to Diff 236906.Jan 8 2020, 2:31 PM
ajpaverd marked 7 inline comments as done.
  • Address comments
Harbormaster completed remote builds in B43531: Diff 236906.Jan 8 2020, 2:32 PM
ajpaverd added a comment.Jan 8 2020, 2:33 PM

Thanks for the feedback @aaron.ballman and @dmajor!

clang/include/clang/Basic/Attr.td
2914

Good point! At the moment this attribute is only documented for functions, so I'll have to investigate the expected behaviour for lambdas, blocks, and ObjC methods and provide a follow-up patch.

clang/lib/CodeGen/CGCall.cpp
4422–4427

That's much nicer - thanks!

clang/test/Sema/attr-guard_nocf.cpp
1 ↗(On Diff #236806)

That saves a lot of repetition - thanks!

aaron.ballman accepted this revision.Jan 9 2020, 6:29 AM

LGTM!

clang/include/clang/Basic/Attr.td
2914

That sounds good to me, thanks!

This revision is now accepted and ready to land.Jan 9 2020, 6:29 AM
Closed by commit rGbdd88b7ed395: Add support for __declspec(guard(nocf)) (authored by ajpaverd, committed by theraven). · Explain WhyJan 10 2020, 8:05 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
Basic/
9 lines
20 lines
lib/
CodeGen/
11 lines
Sema/
22 lines
test/
CodeGen/
53 lines
CodeGenCXX/
84 lines
Sema/
27 lines
llvm/
lib/
Transforms/
CFGuard/
10 lines
test/
CodeGen/
AArch64/
10 lines
ARM/
22 lines
X86/
12 lines

Diff 237335

clang/include/clang/Basic/Attr.td

Show First 20 LinesShow All 2,901 Lines▼ Show 20 Lines
} }
def MSAllocator : InheritableAttr { def MSAllocator : InheritableAttr {
let Spellings = [Declspec<"allocator">]; let Spellings = [Declspec<"allocator">];
let Subjects = SubjectList<[Function]>; let Subjects = SubjectList<[Function]>;
let Documentation = [MSAllocatorDocs]; let Documentation = [MSAllocatorDocs];
} }
def CFGuard : InheritableAttr {
// Currently only the __declspec(guard(nocf)) modifier is supported. In future
// we might also want to support __declspec(guard(suppress)).
let Spellings = [Declspec<"guard">];
let Subjects = SubjectList<[Function]>;
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Should we also support ObjC methods? What about things like lambdas or blocks?

(Note, these could all be handled in a follow-up patch, I just wasn't certain if this attribute was specific to functions or anything that executes code.)

aaron.ballman: Should we also support ObjC methods? What about things like lambdas or blocks? (Note, these…
ajpaverdAuthorUnsubmitted
Done
ReplyInline Actions

Good point! At the moment this attribute is only documented for functions, so I'll have to investigate the expected behaviour for lambdas, blocks, and ObjC methods and provide a follow-up patch.

ajpaverd: Good point! At the moment this attribute is only documented for functions, so I'll have to…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

That sounds good to me, thanks!

aaron.ballman: That sounds good to me, thanks!
let Args = [EnumArgument<"Guard", "GuardArg", ["nocf"], ["nocf"]>];
let Documentation = [CFGuardDocs];
}
def MSStruct : InheritableAttr { def MSStruct : InheritableAttr {
let Spellings = [GCC<"ms_struct">]; let Spellings = [GCC<"ms_struct">];
let Subjects = SubjectList<[Record]>; let Subjects = SubjectList<[Record]>;
let Documentation = [Undocumented]; let Documentation = [Undocumented];
} }
def DLLExport : InheritableAttr, TargetSpecificAttr<TargetWindows> { def DLLExport : InheritableAttr, TargetSpecificAttr<TargetWindows> {
let Spellings = [Declspec<"dllexport">, GCC<"dllexport">]; let Spellings = [Declspec<"dllexport">, GCC<"dllexport">];
▲ Show 20 LinesShow All 580 LinesShow Last 20 Lines

clang/include/clang/Basic/AttrDocs.td

Show First 20 LinesShow All 4,552 Lines▼ Show 20 Lines
.. _profile memory usage: https://docs.microsoft.com/en-us/visualstudio/profiling/memory-usage .. _profile memory usage: https://docs.microsoft.com/en-us/visualstudio/profiling/memory-usage
This attribute does not affect optimizations in any way, unlike GCC's This attribute does not affect optimizations in any way, unlike GCC's
``__attribute__((malloc))``. ``__attribute__((malloc))``.
}]; }];
} }
def CFGuardDocs : Documentation {
let Category = DocCatFunction;
let Content = [{
Code can indicate CFG checks are not wanted with the ``__declspec(guard(nocf))``
attribute. This directs the compiler to not insert any CFG checks for the entire
function. This approach is typically used only sparingly in specific situations
where the programmer has manually inserted "CFG-equivalent" protection. The
programmer knows that they are calling through some read-only function table
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

read only -> read-only

aaron.ballman: read only -> read-only
whose address is obtained through read-only memory references and for which the
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

read only -> read-only

aaron.ballman: read only -> read-only
index is masked to the function table limit. This approach may also be applied
to small wrapper functions that are not inlined and that do nothing more than
make a call through a function pointer. Since incorrect usage of this directive
can compromise the security of CFG, the programmer must be very careful using
the directive. Typically, this usage is limited to very small functions that
only call one function.
`Control Flow Guard documentation <https://docs.microsoft.com/en-us/windows/win32/secbp/pe-metadata>`
}];
}
def HIPPinnedShadowDocs : Documentation { def HIPPinnedShadowDocs : Documentation {
let Category = DocCatType; let Category = DocCatType;
let Content = [{ let Content = [{
The GNU style attribute __attribute__((hip_pinned_shadow)) or MSVC style attribute The GNU style attribute __attribute__((hip_pinned_shadow)) or MSVC style attribute
__declspec(hip_pinned_shadow) can be added to the definition of a global variable __declspec(hip_pinned_shadow) can be added to the definition of a global variable
to indicate it is a HIP pinned shadow variable. A HIP pinned shadow variable can to indicate it is a HIP pinned shadow variable. A HIP pinned shadow variable can
be accessed on both device side and host side. It has external linkage and is be accessed on both device side and host side. It has external linkage and is
not initialized on device side. It has internal linkage and is initialized by not initialized on device side. It has internal linkage and is initialized by
▲ Show 20 LinesShow All 191 LinesShow Last 20 Lines

clang/lib/CodeGen/CGCall.cpp

Show First 20 LinesShow All 4,409 Lines▼ Show 20 Lines if (!InvokeDest) {
llvm::BasicBlock *Cont = createBasicBlock("invoke.cont"); llvm::BasicBlock *Cont = createBasicBlock("invoke.cont");
CI = Builder.CreateInvoke(IRFuncTy, CalleePtr, Cont, InvokeDest, IRCallArgs, CI = Builder.CreateInvoke(IRFuncTy, CalleePtr, Cont, InvokeDest, IRCallArgs,
BundleList); BundleList);
EmitBlock(Cont); EmitBlock(Cont);
} }
if (callOrInvoke) if (callOrInvoke)
*callOrInvoke = CI; *callOrInvoke = CI;
// If this is within a function that has the guard(nocf) attribute and is an
// indirect call, add the "guard_nocf" attribute to this call to indicate that
// Control Flow Guard checks should not be added, even if the call is inlined.
if (const auto *FD = dyn_cast_or_null<FunctionDecl>(CurFuncDecl)) {
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

const auto * because the type is spelled out in the initialization anyway.

aaron.ballman: `const auto *` because the type is spelled out in the initialization anyway.
if (const auto *A = FD->getAttr<CFGuardAttr>()) {
if (A->getGuard() == CFGuardAttr::GuardArg::nocf && !CI->getCalledFunction())
Attrs = Attrs.addAttribute(
getLLVMContext(), llvm::AttributeList::FunctionIndex, "guard_nocf");
}
}
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
if (const auto *A = FD->getAttr<CFGuardAttr>()) {
  if (A->getGuard() == CFGuardAttr::GuardArg::nocf && !CI->getCalledFunction())
    Attrs = ...
}

(This way you don't have to call hasAttr<> followed by getAttr<>.)

aaron.ballman: ``` if (const auto *A = FD->getAttr<CFGuardAttr>()) { if (A->getGuard() == CFGuardAttr…
ajpaverdAuthorUnsubmitted
Done
ReplyInline Actions

That's much nicer - thanks!

ajpaverd: That's much nicer - thanks!
// Apply the attributes and calling convention. // Apply the attributes and calling convention.
CI->setAttributes(Attrs); CI->setAttributes(Attrs);
CI->setCallingConv(static_cast<llvm::CallingConv::ID>(CallingConv)); CI->setCallingConv(static_cast<llvm::CallingConv::ID>(CallingConv));
// Apply various metadata. // Apply various metadata.
if (!CI->getType()->isVoidTy()) if (!CI->getType()->isVoidTy())
CI->setName("call"); CI->setName("call");
▲ Show 20 LinesShow All 234 LinesShow Last 20 Lines

clang/lib/Sema/SemaDeclAttr.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 6,620 Lines▼ Show 20 Lines
template<typename Attr> template<typename Attr>
static void handleHandleAttr(Sema &S, Decl *D, const ParsedAttr &AL) { static void handleHandleAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
StringRef Argument; StringRef Argument;
if (!S.checkStringLiteralArgumentAttr(AL, 0, Argument)) if (!S.checkStringLiteralArgumentAttr(AL, 0, Argument))
return; return;
D->addAttr(Attr::Create(S.Context, Argument, AL)); D->addAttr(Attr::Create(S.Context, Argument, AL));
} }
static void handleCFGuardAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
// The guard attribute takes a single identifier argument.
if (!AL.isArgIdent(0)) {
S.Diag(AL.getLoc(), diag::err_attribute_argument_type)
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

I think this should use err_attribute_argument_type instead, since there's only one argument.

aaron.ballman: I think this should use `err_attribute_argument_type` instead, since there's only one argument.
<< AL << AANT_ArgumentIdentifier;
return;
}
CFGuardAttr::GuardArg Arg;
IdentifierInfo *II = AL.getArgAsIdent(0)->Ident;
if (!CFGuardAttr::ConvertStrToGuardArg(II->getName(), Arg)) {
S.Diag(AL.getLoc(), diag::warn_attribute_type_not_supported) << AL << II;
return;
}
D->addAttr(::new (S.Context) CFGuardAttr(S.Context, AL, Arg));
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Top Level Sema Entry Points // Top Level Sema Entry Points
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// ProcessDeclAttribute - Apply the specific attribute to the specified decl if /// ProcessDeclAttribute - Apply the specific attribute to the specified decl if
/// the attribute applies to decls. If the attribute is a type attribute, just /// the attribute applies to decls. If the attribute is a type attribute, just
/// silently ignore it if a GNU attribute. /// silently ignore it if a GNU attribute.
static void ProcessDeclAttribute(Sema &S, Scope *scope, Decl *D, static void ProcessDeclAttribute(Sema &S, Scope *scope, Decl *D,
▲ Show 20 LinesShow All 612 Lines▼ Show 20 Lines case ParsedAttr::AT_SelectAny:
break; break;
case ParsedAttr::AT_Thread: case ParsedAttr::AT_Thread:
handleDeclspecThreadAttr(S, D, AL); handleDeclspecThreadAttr(S, D, AL);
break; break;
case ParsedAttr::AT_AbiTag: case ParsedAttr::AT_AbiTag:
handleAbiTagAttr(S, D, AL); handleAbiTagAttr(S, D, AL);
break; break;
case ParsedAttr::AT_CFGuard:
handleCFGuardAttr(S, D, AL);
break;
// Thread safety attributes: // Thread safety attributes:
case ParsedAttr::AT_AssertExclusiveLock: case ParsedAttr::AT_AssertExclusiveLock:
handleAssertExclusiveLockAttr(S, D, AL); handleAssertExclusiveLockAttr(S, D, AL);
break; break;
case ParsedAttr::AT_AssertSharedLock: case ParsedAttr::AT_AssertSharedLock:
handleAssertSharedLockAttr(S, D, AL); handleAssertSharedLockAttr(S, D, AL);
break; break;
▲ Show 20 LinesShow All 1,478 LinesShow Last 20 Lines

clang/test/CodeGen/guard_nocf.c

  • This file was added.
// RUN: %clang_cc1 -triple %ms_abi_triple -fms-extensions -emit-llvm -O2 -o - %s | FileCheck %s
void target_func();
void (*func_ptr)() = &target_func;
// The "guard_nocf" attribute must be added.
__declspec(guard(nocf)) void nocf0() {
(*func_ptr)();
}
// CHECK-LABEL: nocf0
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
// The "guard_nocf" attribute must *not* be added.
void cf0() {
(*func_ptr)();
}
// CHECK-LABEL: cf0
// CHECK: call{{.*}}[[CF:#[0-9]+]]
// If the modifier is present on either the function declaration or definition,
// the "guard_nocf" attribute must be added.
__declspec(guard(nocf)) void nocf1();
void nocf1() {
(*func_ptr)();
}
// CHECK-LABEL: nocf1
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
void nocf2();
__declspec(guard(nocf)) void nocf2() {
(*func_ptr)();
}
// CHECK-LABEL: nocf2
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
// When inlining a function, the "guard_nocf" attribute on indirect calls must
// be preserved.
void nocf3() {
nocf0();
}
// CHECK-LABEL: nocf3
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
// When inlining into a function marked as __declspec(guard(nocf)), the
// "guard_nocf" attribute must *not* be added to the inlined calls.
__declspec(guard(nocf)) void cf1() {
cf0();
}
// CHECK-LABEL: cf1
// CHECK: call{{.*}}[[CF:#[0-9]+]]
// CHECK: attributes [[NOCF]] = { {{.*}}"guard_nocf"{{.*}} }
// CHECK-NOT: attributes [[CF]] = { {{.*}}"guard_nocf"{{.*}} }
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Please add a newline to the end of the file.

aaron.ballman: Please add a newline to the end of the file.

clang/test/CodeGenCXX/guard_nocf.cpp

  • This file was added.
// RUN: %clang_cc1 -triple %ms_abi_triple -fms-extensions -std=c++11 -emit-llvm -O2 -o - %s | FileCheck %s
void target_func();
void (*func_ptr)() = &target_func;
// The "guard_nocf" attribute must be added.
__declspec(guard(nocf)) void nocf0() {
(*func_ptr)();
}
// CHECK-LABEL: nocf0
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
// The "guard_nocf" attribute must *not* be added.
void cf0() {
(*func_ptr)();
}
// CHECK-LABEL: cf0
// CHECK: call{{.*}}[[CF:#[0-9]+]]
// If the modifier is present on either the function declaration or definition,
// the "guard_nocf" attribute must be added.
__declspec(guard(nocf)) void nocf1();
void nocf1() {
(*func_ptr)();
}
// CHECK-LABEL: nocf1
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
void nocf2();
__declspec(guard(nocf)) void nocf2() {
(*func_ptr)();
}
// CHECK-LABEL: nocf2
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
// When inlining a function, the "guard_nocf" attribute on indirect calls must
// be preserved.
void nocf3() {
nocf0();
}
// CHECK-LABEL: nocf3
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
// When inlining into a function marked as __declspec(guard(nocf)), the
// "guard_nocf" attribute must *not* be added to the inlined calls.
__declspec(guard(nocf)) void cf1() {
cf0();
}
// CHECK-LABEL: cf1
// CHECK: call{{.*}}[[CF:#[0-9]+]]
// When the __declspec(guard(nocf)) modifier is present on an override function,
// the "guard_nocf" attribute must be added.
struct Base {
virtual void nocf4();
};
struct Derived : Base {
__declspec(guard(nocf)) void nocf4() override {
(*func_ptr)();
}
};
Derived d;
// CHECK-LABEL: nocf4
// CHECK: call{{.*}}[[NOCF:#[0-9]+]]
// When the modifier is not present on an override function, the "guard_nocf"
// attribute must *not* be added, even if the modifier is present on the virtual
// function.
struct Base1 {
__declspec(guard(nocf)) virtual void cf2();
};
struct Derived1 : Base1 {
void cf2() override {
(*func_ptr)();
}
};
Derived1 d1;
// CHECK-LABEL: cf2
// CHECK: call{{.*}}[[CF:#[0-9]+]]
// CHECK: attributes [[NOCF]] = { {{.*}}"guard_nocf"{{.*}} }
// CHECK-NOT: attributes [[CF]] = { {{.*}}"guard_nocf"{{.*}} }
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Please add a newline to the end of the file.

aaron.ballman: Please add a newline to the end of the file.

clang/test/Sema/attr-guard_nocf.c

  • This file was added.
// RUN: %clang_cc1 -triple %ms_abi_triple -fms-extensions -verify -fsyntax-only %s
// RUN: %clang_cc1 -triple %ms_abi_triple -fms-extensions -verify -std=c++11 -fsyntax-only -x c++ %s
// Function definition.
__declspec(guard(nocf)) void testGuardNoCF() { // no warning
}
// Can not be used on variable, parameter, or function pointer declarations.
int __declspec(guard(nocf)) i; // expected-warning {{'guard' attribute only applies to functions}}
void testGuardNoCFFuncParam(double __declspec(guard(nocf)) i) {} // expected-warning {{'guard' attribute only applies to functions}}
__declspec(guard(nocf)) typedef void (*FuncPtrWithGuardNoCF)(void); // expected-warning {{'guard' attribute only applies to functions}}
// 'guard' Attribute requries an argument.
__declspec(guard) void testGuardNoCFParams() { // expected-error {{'guard' attribute takes one argument}}
}
// 'guard' Attribute requries an identifier as argument.
__declspec(guard(1)) void testGuardNoCFParamType() { // expected-error {{'guard' attribute requires an identifier}}
}
// 'guard' Attribute only takes a single argument.
__declspec(guard(nocf, nocf)) void testGuardNoCFTooManyParams() { // expected-error {{use of undeclared identifier 'nocf'}}
}
// 'guard' Attribute argument must be a supported identifier.
__declspec(guard(cf)) void testGuardNoCFInvalidParam() { // expected-warning {{'guard' attribute argument not supported: 'cf'}}
}

llvm/lib/Transforms/CFGuard/CFGuard.cpp

Show First 20 LinesShow All 248 Lines▼ Show 20 Lines GuardFnGlobal =
M.getOrInsertGlobal("__guard_dispatch_icall_fptr", GuardFnPtrType); M.getOrInsertGlobal("__guard_dispatch_icall_fptr", GuardFnPtrType);
} }
return true; return true;
} }
bool CFGuard::runOnFunction(Function &F) { bool CFGuard::runOnFunction(Function &F) {
// Skip modules and functions for which CFGuard checks have been disabled. // Skip modules for which CFGuard checks have been disabled.
if (cfguard_module_flag != 2 || F.hasFnAttribute(Attribute::NoCfCheck)) if (cfguard_module_flag != 2)
return false; return false;
SmallVector<CallBase *, 8> IndirectCalls; SmallVector<CallBase *, 8> IndirectCalls;
// Iterate over the instructions to find all indirect call/invoke/callbr // Iterate over the instructions to find all indirect call/invoke/callbr
// instructions. Make a separate list of pointers to indirect // instructions. Make a separate list of pointers to indirect
// call/invoke/callbr instructions because the original instructions will be // call/invoke/callbr instructions because the original instructions will be
// deleted as the checks are added. // deleted as the checks are added.
for (BasicBlock &BB : F.getBasicBlockList()) { for (BasicBlock &BB : F.getBasicBlockList()) {
for (Instruction &I : BB.getInstList()) { for (Instruction &I : BB.getInstList()) {
auto *CB = dyn_cast<CallBase>(&I); auto *CB = dyn_cast<CallBase>(&I);
if (CB && CB->isIndirectCall()) { if (CB && CB->isIndirectCall() && !CB->hasFnAttr("guard_nocf")) {
IndirectCalls.push_back(CB); IndirectCalls.push_back(CB);
CFGuardCounter++; CFGuardCounter++;
} }
} }
} }
// If no checks are needed, return early and add this attribute to indicate // If no checks are needed, return early.
// that subsequent CFGuard passes can skip this function.
if (IndirectCalls.empty()) { if (IndirectCalls.empty()) {
F.addFnAttr(Attribute::NoCfCheck);
return false; return false;
} }
// For each indirect call/invoke, add the appropriate dispatch or check. // For each indirect call/invoke, add the appropriate dispatch or check.
if (GuardMechanism == CF_Dispatch) { if (GuardMechanism == CF_Dispatch) {
for (CallBase *CB : IndirectCalls) { for (CallBase *CB : IndirectCalls) {
insertCFGuardDispatch(CB); insertCFGuardDispatch(CB);
} }
Show All 11 Lines
FunctionPass *llvm::createCFGuardCheckPass() { FunctionPass *llvm::createCFGuardCheckPass() {
return new CFGuard(CFGuard::CF_Check); return new CFGuard(CFGuard::CF_Check);
} }
FunctionPass *llvm::createCFGuardDispatchPass() { FunctionPass *llvm::createCFGuardDispatchPass() {
return new CFGuard(CFGuard::CF_Dispatch); return new CFGuard(CFGuard::CF_Dispatch);
} }
No newline at end of file No newline at end of file

llvm/test/CodeGen/AArch64/cfguard-checks.ll

; RUN: llc < %s -mtriple=aarch64-pc-windows-msvc | FileCheck %s ; RUN: llc < %s -mtriple=aarch64-pc-windows-msvc | FileCheck %s
; Control Flow Guard is currently only available on Windows ; Control Flow Guard is currently only available on Windows
; Test that Control Flow Guard checks are correctly added when required. ; Test that Control Flow Guard checks are correctly added when required.
declare i32 @target_func() declare i32 @target_func()
; Test that Control Flow Guard checks are not added to functions with nocf_checks attribute. ; Test that Control Flow Guard checks are not added on calls with the "guard_nocf" attribute.
define i32 @func_nocf_checks() #0 { define i32 @func_guard_nocf() {
entry: entry:
%func_ptr = alloca i32 ()*, align 8 %func_ptr = alloca i32 ()*, align 8
store i32 ()* @target_func, i32 ()** %func_ptr, align 8 store i32 ()* @target_func, i32 ()** %func_ptr, align 8
%0 = load i32 ()*, i32 ()** %func_ptr, align 8 %0 = load i32 ()*, i32 ()** %func_ptr, align 8
%1 = call i32 %0() %1 = call i32 %0() #0
ret i32 %1 ret i32 %1
; CHECK-LABEL: func_nocf_checks ; CHECK-LABEL: func_guard_nocf
; CHECK: adrp x8, target_func ; CHECK: adrp x8, target_func
; CHECK: add x8, x8, target_func ; CHECK: add x8, x8, target_func
; CHECK-NOT: __guard_check_icall_fptr ; CHECK-NOT: __guard_check_icall_fptr
; CHECK: blr x8 ; CHECK: blr x8
} }
attributes #0 = { nocf_check } attributes #0 = { "guard_nocf" }
; Test that Control Flow Guard checks are added even at -O0. ; Test that Control Flow Guard checks are added even at -O0.
define i32 @func_optnone_cf() #1 { define i32 @func_optnone_cf() #1 {
entry: entry:
%func_ptr = alloca i32 ()*, align 8 %func_ptr = alloca i32 ()*, align 8
store i32 ()* @target_func, i32 ()** %func_ptr, align 8 store i32 ()* @target_func, i32 ()** %func_ptr, align 8
%0 = load i32 ()*, i32 ()** %func_ptr, align 8 %0 = load i32 ()*, i32 ()** %func_ptr, align 8
▲ Show 20 LinesShow All 114 LinesShow Last 20 Lines

llvm/test/CodeGen/ARM/cfguard-checks.ll

; RUN: llc < %s -mtriple=arm-pc-windows-msvc | FileCheck %s ; RUN: llc < %s -mtriple=arm-pc-windows-msvc | FileCheck %s
; Control Flow Guard is currently only available on Windows ; Control Flow Guard is currently only available on Windows
; Test that Control Flow Guard checks are correctly added when required. ; Test that Control Flow Guard checks are correctly added when required.
declare i32 @target_func() declare i32 @target_func()
; Test that Control Flow Guard checks are not added to functions with nocf_checks attribute. ; Test that Control Flow Guard checks are not added on calls with the "guard_nocf" attribute.
define i32 @func_nocf_checks() #0 { define i32 @func_guard_nocf() #0 {
entry: entry:
%func_ptr = alloca i32 ()*, align 8 %func_ptr = alloca i32 ()*, align 8
store i32 ()* @target_func, i32 ()** %func_ptr, align 8 store i32 ()* @target_func, i32 ()** %func_ptr, align 8
%0 = load i32 ()*, i32 ()** %func_ptr, align 8 %0 = load i32 ()*, i32 ()** %func_ptr, align 8
%1 = call arm_aapcs_vfpcc i32 %0() %1 = call arm_aapcs_vfpcc i32 %0() #1
ret i32 %1 ret i32 %1
; CHECK-LABEL: func_nocf_checks ; CHECK-LABEL: func_guard_nocf
; CHECK: movw r0, :lower16:target_func ; CHECK: movw r0, :lower16:target_func
; CHECK: movt r0, :upper16:target_func ; CHECK: movt r0, :upper16:target_func
; CHECK-NOT: __guard_check_icall_fptr ; CHECK-NOT: __guard_check_icall_fptr
; CHECK: blx r0 ; CHECK: blx r0
} }
attributes #0 = { nocf_check "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3"} attributes #0 = { "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3"}
attributes #1 = { "guard_nocf" }
; Test that Control Flow Guard checks are added even at -O0. ; Test that Control Flow Guard checks are added even at -O0.
define i32 @func_optnone_cf() #1 { define i32 @func_optnone_cf() #2 {
entry: entry:
%func_ptr = alloca i32 ()*, align 8 %func_ptr = alloca i32 ()*, align 8
store i32 ()* @target_func, i32 ()** %func_ptr, align 8 store i32 ()* @target_func, i32 ()** %func_ptr, align 8
%0 = load i32 ()*, i32 ()** %func_ptr, align 8 %0 = load i32 ()*, i32 ()** %func_ptr, align 8
%1 = call i32 %0() %1 = call i32 %0()
ret i32 %1 ret i32 %1
; The call to __guard_check_icall_fptr should come immediately before the call to the target function. ; The call to __guard_check_icall_fptr should come immediately before the call to the target function.
; CHECK-LABEL: func_optnone_cf ; CHECK-LABEL: func_optnone_cf
; CHECK: movw r0, :lower16:target_func ; CHECK: movw r0, :lower16:target_func
; CHECK: movt r0, :upper16:target_func ; CHECK: movt r0, :upper16:target_func
; CHECK: str r0, [sp] ; CHECK: str r0, [sp]
; CHECK: ldr r4, [sp] ; CHECK: ldr r4, [sp]
; CHECK: movw r0, :lower16:__guard_check_icall_fptr ; CHECK: movw r0, :lower16:__guard_check_icall_fptr
; CHECK: movt r0, :upper16:__guard_check_icall_fptr ; CHECK: movt r0, :upper16:__guard_check_icall_fptr
; CHECK: ldr r1, [r0] ; CHECK: ldr r1, [r0]
; CHECK: mov r0, r4 ; CHECK: mov r0, r4
; CHECK: blx r1 ; CHECK: blx r1
; CHECK-NEXT: blx r4 ; CHECK-NEXT: blx r4
} }
attributes #1 = { noinline optnone "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3"} attributes #2 = { noinline optnone "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3"}
; Test that Control Flow Guard checks are correctly added in optimized code (common case). ; Test that Control Flow Guard checks are correctly added in optimized code (common case).
define i32 @func_cf() #2 { define i32 @func_cf() #0 {
entry: entry:
%func_ptr = alloca i32 ()*, align 8 %func_ptr = alloca i32 ()*, align 8
store i32 ()* @target_func, i32 ()** %func_ptr, align 8 store i32 ()* @target_func, i32 ()** %func_ptr, align 8
%0 = load i32 ()*, i32 ()** %func_ptr, align 8 %0 = load i32 ()*, i32 ()** %func_ptr, align 8
%1 = call i32 %0() %1 = call i32 %0()
ret i32 %1 ret i32 %1
; The call to __guard_check_icall_fptr should come immediately before the call to the target function. ; The call to __guard_check_icall_fptr should come immediately before the call to the target function.
; CHECK-LABEL: func_cf ; CHECK-LABEL: func_cf
; CHECK: movw r0, :lower16:__guard_check_icall_fptr ; CHECK: movw r0, :lower16:__guard_check_icall_fptr
; CHECK: movt r0, :upper16:__guard_check_icall_fptr ; CHECK: movt r0, :upper16:__guard_check_icall_fptr
; CHECK: ldr r1, [r0] ; CHECK: ldr r1, [r0]
; CHECK: movw r4, :lower16:target_func ; CHECK: movw r4, :lower16:target_func
; CHECK: movt r4, :upper16:target_func ; CHECK: movt r4, :upper16:target_func
; CHECK: mov r0, r4 ; CHECK: mov r0, r4
; CHECK: blx r1 ; CHECK: blx r1
; CHECK-NEXT: blx r4 ; CHECK-NEXT: blx r4
} }
attributes #2 = { "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3"}
; Test that Control Flow Guard checks are correctly added on invoke instructions. ; Test that Control Flow Guard checks are correctly added on invoke instructions.
define i32 @func_cf_invoke() #2 personality i8* bitcast (void ()* @h to i8*) { define i32 @func_cf_invoke() #0 personality i8* bitcast (void ()* @h to i8*) {
entry: entry:
%0 = alloca i32, align 4 %0 = alloca i32, align 4
%func_ptr = alloca i32 ()*, align 8 %func_ptr = alloca i32 ()*, align 8
store i32 ()* @target_func, i32 ()** %func_ptr, align 8 store i32 ()* @target_func, i32 ()** %func_ptr, align 8
%1 = load i32 ()*, i32 ()** %func_ptr, align 8 %1 = load i32 ()*, i32 ()** %func_ptr, align 8
%2 = invoke i32 %1() %2 = invoke i32 %1()
to label %invoke.cont unwind label %lpad to label %invoke.cont unwind label %lpad
invoke.cont: ; preds = %entry invoke.cont: ; preds = %entry
Show All 21 Lines
declare void @h() declare void @h()
; Test that longjmp targets have public labels and are included in the .gljmp section. ; Test that longjmp targets have public labels and are included in the .gljmp section.
%struct._SETJMP_FLOAT128 = type { [2 x i64] } %struct._SETJMP_FLOAT128 = type { [2 x i64] }
@buf1 = internal global [16 x %struct._SETJMP_FLOAT128] zeroinitializer, align 16 @buf1 = internal global [16 x %struct._SETJMP_FLOAT128] zeroinitializer, align 16
define i32 @func_cf_setjmp() #2 { define i32 @func_cf_setjmp() #0 {
%1 = alloca i32, align 4 %1 = alloca i32, align 4
%2 = alloca i32, align 4 %2 = alloca i32, align 4
store i32 0, i32* %1, align 4 store i32 0, i32* %1, align 4
store i32 -1, i32* %2, align 4 store i32 -1, i32* %2, align 4
%3 = call i8* @llvm.frameaddress(i32 0) %3 = call i8* @llvm.frameaddress(i32 0)
%4 = call i32 @_setjmp(i8* bitcast ([16 x %struct._SETJMP_FLOAT128]* @buf1 to i8*), i8* %3) #3 %4 = call i32 @_setjmp(i8* bitcast ([16 x %struct._SETJMP_FLOAT128]* @buf1 to i8*), i8* %3) #3
; CHECK-LABEL: func_cf_setjmp ; CHECK-LABEL: func_cf_setjmp
Show All 28 Lines

llvm/test/CodeGen/X86/cfguard-checks.ll

; RUN: llc < %s -mtriple=i686-pc-windows-msvc | FileCheck %s -check-prefix=X32 ; RUN: llc < %s -mtriple=i686-pc-windows-msvc | FileCheck %s -check-prefix=X32
; RUN: llc < %s -mtriple=x86_64-pc-windows-msvc | FileCheck %s -check-prefix=X64 ; RUN: llc < %s -mtriple=x86_64-pc-windows-msvc | FileCheck %s -check-prefix=X64
; Control Flow Guard is currently only available on Windows ; Control Flow Guard is currently only available on Windows
; Test that Control Flow Guard checks are correctly added when required. ; Test that Control Flow Guard checks are correctly added when required.
declare i32 @target_func() declare i32 @target_func()
; Test that Control Flow Guard checks are not added to functions with nocf_checks attribute. ; Test that Control Flow Guard checks are not added on calls with the "guard_nocf" attribute.
define i32 @func_nocf_checks() #0 { define i32 @func_guard_nocf() {
entry: entry:
%func_ptr = alloca i32 ()*, align 8 %func_ptr = alloca i32 ()*, align 8
store i32 ()* @target_func, i32 ()** %func_ptr, align 8 store i32 ()* @target_func, i32 ()** %func_ptr, align 8
%0 = load i32 ()*, i32 ()** %func_ptr, align 8 %0 = load i32 ()*, i32 ()** %func_ptr, align 8
%1 = call i32 %0() %1 = call i32 %0() #0
ret i32 %1 ret i32 %1
; X32-LABEL: func_nocf_checks ; X32-LABEL: func_guard_nocf
; X32: movl $_target_func, %eax ; X32: movl $_target_func, %eax
; X32-NOT: __guard_check_icall_fptr ; X32-NOT: __guard_check_icall_fptr
; X32: calll *%eax ; X32: calll *%eax
; X64-LABEL: func_nocf_checks ; X64-LABEL: func_guard_nocf
; X64: leaq target_func(%rip), %rax ; X64: leaq target_func(%rip), %rax
; X64-NOT: __guard_dispatch_icall_fptr ; X64-NOT: __guard_dispatch_icall_fptr
; X64: callq *%rax ; X64: callq *%rax
} }
attributes #0 = { nocf_check } attributes #0 = { "guard_nocf" }
; Test that Control Flow Guard checks are added even at -O0. ; Test that Control Flow Guard checks are added even at -O0.
; FIXME Ideally these checks should be added as a single call instruction, as in the optimized case. ; FIXME Ideally these checks should be added as a single call instruction, as in the optimized case.
define i32 @func_optnone_cf() #1 { define i32 @func_optnone_cf() #1 {
entry: entry:
%func_ptr = alloca i32 ()*, align 8 %func_ptr = alloca i32 ()*, align 8
store i32 ()* @target_func, i32 ()** %func_ptr, align 8 store i32 ()* @target_func, i32 ()** %func_ptr, align 8
▲ Show 20 LinesShow All 224 LinesShow Last 20 Lines