This is an archive of the discontinued LLVM Phabricator instance.

Differential D81402

[AArch64] Extend AArch64SLSHardeningPass to harden BLR instructions.
ClosedPublic

Authored by kristof.beyls on Jun 8 2020, 8:13 AM.

Details

Reviewers
ostannard
Commits
rGc35ed40f4f1b: [AArch64] Extend AArch64SLSHardeningPass to harden BLR instructions.
Summary

To make sure that no barrier gets placed on the architectural execution
path, each

BLR x<N>

instruction gets transformed to a

BL __llvm_slsblr_thunk_x<N>

instruction, with llvm_slsblr_thunk_x<N> a thunk that contains
llvm_slsblr_thunk_x<N>:

BR x<N>
<speculation barrier>

Therefore, the BLR instruction gets split into 2; one BL and one BR.
This transformation results in not inserting a speculation barrier on
the architectural execution path.

The mitigation is off by default and can be enabled by the
harden-sls-blr subtarget feature.

As a linker is allowed to clobber X16 and X17 on function calls, the
above code transformation would not be correct in case a linker does so
when N=16 or N=17. Therefore, when the mitigation is enabled, generation
of BLR x16 or BLR x17 is avoided.

As BLRA* indirect calls are not produced by LLVM currently, this does
not aim to implement support for those.

Diff Detail

Event Timeline

kristof.beyls created this revision.Jun 8 2020, 8:13 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 8 2020, 8:13 AM
Herald added subscribers: llvm-commits, danielkiss, hiraditya. · View Herald Transcript
Harbormaster failed remote builds in B59490: Diff 269237!Jun 8 2020, 8:16 AM
kristof.beyls added a child revision: D81403: [IndirectThunks] Make generated MF structure as expected by all instruction selectors..Jun 8 2020, 8:45 AM
kristof.beyls added a parent revision: D81401: [NFC] Refactor ThunkInserter to make it available for all targets..
ostannard added a comment.Jun 8 2020, 9:43 AM

A few nits, but given the time sensitivity of this the only blocking one is how this will work with PLTs or long-branch veneers,

llvm/lib/Target/AArch64/AArch64SLSHardening.cpp
154

Is it possible for the call to these thunks to go through a long-branch veneer, PLT, etc, which could clobber x16 or x17 before it gets used in the thunk? Maybe we could avoid generating indirect calls using those registers, but we have the exact opposite restriction for tail calls when using BTI (grep for TCRETURNriBTI).

194

Style nit: Variable should be declared further down, when first set.

209

Is this something which could be fixed in ThunkInserter?

233

This comment is a bit misleading, we're not actually splitting the basic block (that's terminology used elsewhere in LLVM for replacing one basic block with two).

ostannard mentioned this in D81405: [AArch64] Avoid incompatibility between SLSBLR mitigation and BTI codegen..Jun 8 2020, 10:14 AM
kristof.beyls updated this revision to Diff 269838.Jun 10 2020, 7:16 AM
kristof.beyls edited the summary of this revision. (Show Details)

The updated patch addresses Oliver's review comments.
Especially, it addresses the review feedback regarding potential clobbering of X16 or X17 when the call to the thunks go through a long veneer.
It addresses this by avoiding generating indirect calls that use X16 or X17.

kristof.beyls marked 6 inline comments as done.Jun 10 2020, 7:18 AM
kristof.beyls added inline comments.
llvm/lib/Target/AArch64/AArch64SLSHardening.cpp
209

Maybe, but I think that should be done as a separate patch as it's probably target-independent.

233

Hopefully the new comment is better.

ostannard accepted this revision.Jun 10 2020, 8:17 AM

LGTM, with some comments which can be addressed later given the time-sensitivity of this.

llvm/lib/Target/AArch64/AArch64InstrInfo.td
2026

Is the BLRCall pseudo actually needed, or could we just use BLR when not doing the mitigation?

llvm/lib/Target/AArch64/AArch64SLSHardening.cpp
111

BLRCall shouldn't be selected when this pass is enabled, so maybe we should assert here?

154

Please add a comment noting that x16 and x17 are deliberately omitted.

160

X30 doesn't need to be in these lists either, it (correctly) isn't allowed with BLRCallNoIP.

This revision is now accepted and ready to land.Jun 10 2020, 8:17 AM
kristof.beyls updated this revision to Diff 270124.Jun 11 2020, 6:45 AM
kristof.beyls marked 2 inline comments as done.
kristof.beyls marked 6 inline comments as done.Jun 11 2020, 6:49 AM
kristof.beyls added inline comments.
llvm/lib/Target/AArch64/AArch64InstrInfo.td
2026

Indeed BLRCall is not needed. Now removed in the latest version of the patch.

llvm/lib/Target/AArch64/AArch64SLSHardening.cpp
111

I've changed the pseudo expansion to use PseudoInstExpansion.
Depending on when that expansion happens in the pipeline (before or after the mitigation pass), one could see BLR or BLRNoIP here.
I thought it's safest to just handle both here. There's an assert in ConvertBLRToBL that should catch what we actually care about, i.e. not using X16/X17 (nor LR).

kristof.beyls marked 3 inline comments as done.Jun 11 2020, 11:41 PM
kristof.beyls added inline comments.
llvm/lib/Target/AArch64/AArch64SLSHardening.cpp
209

I've now posted a fix for this in the ThunkInserter in D81403

Closed by commit rGc35ed40f4f1b: [AArch64] Extend AArch64SLSHardeningPass to harden BLR instructions. (authored by kristof.beyls). · Explain WhyJun 11 2020, 11:57 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

Diff 270311

llvm/lib/Target/AArch64/AArch64.h

Show All 33 Lines
FunctionPass *createAArch64CompressJumpTablesPass(); FunctionPass *createAArch64CompressJumpTablesPass();
FunctionPass *createAArch64ConditionalCompares(); FunctionPass *createAArch64ConditionalCompares();
FunctionPass *createAArch64AdvSIMDScalar(); FunctionPass *createAArch64AdvSIMDScalar();
FunctionPass *createAArch64ISelDag(AArch64TargetMachine &TM, FunctionPass *createAArch64ISelDag(AArch64TargetMachine &TM,
CodeGenOpt::Level OptLevel); CodeGenOpt::Level OptLevel);
FunctionPass *createAArch64StorePairSuppressPass(); FunctionPass *createAArch64StorePairSuppressPass();
FunctionPass *createAArch64ExpandPseudoPass(); FunctionPass *createAArch64ExpandPseudoPass();
FunctionPass *createAArch64SLSHardeningPass(); FunctionPass *createAArch64SLSHardeningPass();
FunctionPass *createAArch64IndirectThunks();
FunctionPass *createAArch64SpeculationHardeningPass(); FunctionPass *createAArch64SpeculationHardeningPass();
FunctionPass *createAArch64LoadStoreOptimizationPass(); FunctionPass *createAArch64LoadStoreOptimizationPass();
FunctionPass *createAArch64SIMDInstrOptPass(); FunctionPass *createAArch64SIMDInstrOptPass();
ModulePass *createAArch64PromoteConstantPass(); ModulePass *createAArch64PromoteConstantPass();
FunctionPass *createAArch64ConditionOptimizerPass(); FunctionPass *createAArch64ConditionOptimizerPass();
FunctionPass *createAArch64A57FPLoadBalancing(); FunctionPass *createAArch64A57FPLoadBalancing();
FunctionPass *createAArch64A53Fix835769(); FunctionPass *createAArch64A53Fix835769();
FunctionPass *createFalkorHWPFFixPass(); FunctionPass *createFalkorHWPFFixPass();
▲ Show 20 LinesShow All 44 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/AArch64.td

Show First 20 LinesShow All 458 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Control codegen mitigation against Straight Line Speculation vulnerability. // Control codegen mitigation against Straight Line Speculation vulnerability.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
def FeatureHardenSlsRetBr : SubtargetFeature<"harden-sls-retbr", def FeatureHardenSlsRetBr : SubtargetFeature<"harden-sls-retbr",
"HardenSlsRetBr", "true", "HardenSlsRetBr", "true",
"Harden against straight line speculation across RET and BR instructions">; "Harden against straight line speculation across RET and BR instructions">;
def FeatureHardenSlsBlr : SubtargetFeature<"harden-sls-blr",
"HardenSlsBlr", "true",
"Harden against straight line speculation across BLR instructions">;
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// AArch64 Processors supported. // AArch64 Processors supported.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Unsupported features to disable for scheduling models // Unsupported features to disable for scheduling models
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 573 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/AArch64FastISel.cpp

Show First 20 LinesShow All 3,264 Lines▼ Show 20 Linesbool AArch64FastISel::fastLowerCall(CallLoweringInfo &CLI) {
const AArch64RegisterInfo *RegInfo = Subtarget->getRegisterInfo(); const AArch64RegisterInfo *RegInfo = Subtarget->getRegisterInfo();
if (RegInfo->isAnyArgRegReserved(*MF)) if (RegInfo->isAnyArgRegReserved(*MF))
RegInfo->emitReservedArgRegCallError(*MF); RegInfo->emitReservedArgRegCallError(*MF);
// Issue the call. // Issue the call.
MachineInstrBuilder MIB; MachineInstrBuilder MIB;
if (Subtarget->useSmallAddressing()) { if (Subtarget->useSmallAddressing()) {
const MCInstrDesc &II = TII.get(Addr.getReg() ? AArch64::BLR : AArch64::BL); const MCInstrDesc &II = TII.get(Addr.getReg() ? getBLRCallOpcode(*MF) : AArch64::BL);
MIB = BuildMI(*FuncInfo.MBB, FuncInfo.InsertPt, DbgLoc, II); MIB = BuildMI(*FuncInfo.MBB, FuncInfo.InsertPt, DbgLoc, II);
if (Symbol) if (Symbol)
MIB.addSym(Symbol, 0); MIB.addSym(Symbol, 0);
else if (Addr.getGlobalValue()) else if (Addr.getGlobalValue())
MIB.addGlobalAddress(Addr.getGlobalValue(), 0, 0); MIB.addGlobalAddress(Addr.getGlobalValue(), 0, 0);
else if (Addr.getReg()) { else if (Addr.getReg()) {
unsigned Reg = constrainOperandRegClass(II, Addr.getReg(), 0); unsigned Reg = constrainOperandRegClass(II, Addr.getReg(), 0);
MIB.addReg(Reg); MIB.addReg(Reg);
Show All 16 Lines if (Subtarget->useSmallAddressing()) {
} else if (Addr.getGlobalValue()) } else if (Addr.getGlobalValue())
CallReg = materializeGV(Addr.getGlobalValue()); CallReg = materializeGV(Addr.getGlobalValue());
else if (Addr.getReg()) else if (Addr.getReg())
CallReg = Addr.getReg(); CallReg = Addr.getReg();
if (!CallReg) if (!CallReg)
return false; return false;
const MCInstrDesc &II = TII.get(AArch64::BLR); const MCInstrDesc &II = TII.get(getBLRCallOpcode(*MF));
CallReg = constrainOperandRegClass(II, CallReg, 0); CallReg = constrainOperandRegClass(II, CallReg, 0);
MIB = BuildMI(*FuncInfo.MBB, FuncInfo.InsertPt, DbgLoc, II).addReg(CallReg); MIB = BuildMI(*FuncInfo.MBB, FuncInfo.InsertPt, DbgLoc, II).addReg(CallReg);
} }
// Add implicit physical register uses to the call. // Add implicit physical register uses to the call.
for (auto Reg : CLI.OutRegs) for (auto Reg : CLI.OutRegs)
MIB.addReg(Reg, RegState::Implicit); MIB.addReg(Reg, RegState::Implicit);
▲ Show 20 LinesShow All 1,931 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/AArch64FrameLowering.cpp

Show First 20 LinesShow All 1,120 Lines▼ Show 20 Lines case CodeModel::Large:
.addExternalSymbol("__chkstk") .addExternalSymbol("__chkstk")
.setMIFlags(MachineInstr::FrameSetup); .setMIFlags(MachineInstr::FrameSetup);
if (NeedsWinCFI) { if (NeedsWinCFI) {
HasWinCFI = true; HasWinCFI = true;
BuildMI(MBB, MBBI, DL, TII->get(AArch64::SEH_Nop)) BuildMI(MBB, MBBI, DL, TII->get(AArch64::SEH_Nop))
.setMIFlag(MachineInstr::FrameSetup); .setMIFlag(MachineInstr::FrameSetup);
} }
BuildMI(MBB, MBBI, DL, TII->get(AArch64::BLR)) BuildMI(MBB, MBBI, DL, TII->get(getBLRCallOpcode(MF)))
.addReg(AArch64::X16, RegState::Kill) .addReg(AArch64::X16, RegState::Kill)
.addReg(AArch64::X15, RegState::Implicit | RegState::Define) .addReg(AArch64::X15, RegState::Implicit | RegState::Define)
.addReg(AArch64::X16, RegState::Implicit | RegState::Define | RegState::Dead) .addReg(AArch64::X16, RegState::Implicit | RegState::Define | RegState::Dead)
.addReg(AArch64::X17, RegState::Implicit | RegState::Define | RegState::Dead) .addReg(AArch64::X17, RegState::Implicit | RegState::Define | RegState::Dead)
.addReg(AArch64::NZCV, RegState::Implicit | RegState::Define | RegState::Dead) .addReg(AArch64::NZCV, RegState::Implicit | RegState::Define | RegState::Dead)
.setMIFlags(MachineInstr::FrameSetup); .setMIFlags(MachineInstr::FrameSetup);
if (NeedsWinCFI) { if (NeedsWinCFI) {
HasWinCFI = true; HasWinCFI = true;
▲ Show 20 LinesShow All 1,996 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/AArch64InstrInfo.h

Show First 20 LinesShow All 391 Lines▼ Show 20 Linesstatic inline bool isIndirectBranchOpcode(int Opc) {
case AArch64::BRAB: case AArch64::BRAB:
case AArch64::BRAAZ: case AArch64::BRAAZ:
case AArch64::BRABZ: case AArch64::BRABZ:
return true; return true;
} }
return false; return false;
} }
/// Return opcode to be used for indirect calls.
unsigned getBLRCallOpcode(const MachineFunction &MF);
// struct TSFlags { // struct TSFlags {
#define TSFLAG_ELEMENT_SIZE_TYPE(X) (X) // 3-bits #define TSFLAG_ELEMENT_SIZE_TYPE(X) (X) // 3-bits
#define TSFLAG_DESTRUCTIVE_INST_TYPE(X) ((X) << 3) // 4-bit #define TSFLAG_DESTRUCTIVE_INST_TYPE(X) ((X) << 3) // 4-bit
#define TSFLAG_FALSE_LANE_TYPE(X) ((X) << 7) // 2-bits #define TSFLAG_FALSE_LANE_TYPE(X) ((X) << 7) // 2-bits
// } // }
namespace AArch64 { namespace AArch64 {
Show All 40 Lines

llvm/lib/Target/AArch64/AArch64InstrInfo.cpp

Show First 20 LinesShow All 6,086 Lines▼ Show 20 Linesoutliner::OutlinedFunction AArch64InstrInfo::getOutliningCandidateInfo(
// tail call all of the candidates. // tail call all of the candidates.
if (RepeatedSequenceLocs[0].back()->isTerminator()) { if (RepeatedSequenceLocs[0].back()->isTerminator()) {
FrameID = MachineOutlinerTailCall; FrameID = MachineOutlinerTailCall;
NumBytesToCreateFrame = 0; NumBytesToCreateFrame = 0;
SetCandidateCallInfo(MachineOutlinerTailCall, 4); SetCandidateCallInfo(MachineOutlinerTailCall, 4);
} }
else if (LastInstrOpcode == AArch64::BL || else if (LastInstrOpcode == AArch64::BL ||
(LastInstrOpcode == AArch64::BLR && !HasBTI)) { ((LastInstrOpcode == AArch64::BLR ||
LastInstrOpcode == AArch64::BLRNoIP) &&
!HasBTI)) {
// FIXME: Do we need to check if the code after this uses the value of LR? // FIXME: Do we need to check if the code after this uses the value of LR?
FrameID = MachineOutlinerThunk; FrameID = MachineOutlinerThunk;
NumBytesToCreateFrame = 0; NumBytesToCreateFrame = 0;
SetCandidateCallInfo(MachineOutlinerThunk, 4); SetCandidateCallInfo(MachineOutlinerThunk, 4);
} }
else { else {
// We need to decide how to emit calls + frames. We can always emit the same // We need to decide how to emit calls + frames. We can always emit the same
▲ Show 20 LinesShow All 300 Lines▼ Show 20 Lines if (MI.isCall()) {
if (Callee && Callee->getName() == "\01_mcount") if (Callee && Callee->getName() == "\01_mcount")
return outliner::InstrType::Illegal; return outliner::InstrType::Illegal;
// If we don't know anything about the callee, assume it depends on the // If we don't know anything about the callee, assume it depends on the
// stack layout of the caller. In that case, it's only legal to outline // stack layout of the caller. In that case, it's only legal to outline
// as a tail-call. Whitelist the call instructions we know about so we // as a tail-call. Whitelist the call instructions we know about so we
// don't get unexpected results with call pseudo-instructions. // don't get unexpected results with call pseudo-instructions.
auto UnknownCallOutlineType = outliner::InstrType::Illegal; auto UnknownCallOutlineType = outliner::InstrType::Illegal;
if (MI.getOpcode() == AArch64::BLR || MI.getOpcode() == AArch64::BL) if (MI.getOpcode() == AArch64::BLR ||
MI.getOpcode() == AArch64::BLRNoIP || MI.getOpcode() == AArch64::BL)
UnknownCallOutlineType = outliner::InstrType::LegalTerminator; UnknownCallOutlineType = outliner::InstrType::LegalTerminator;
if (!Callee) if (!Callee)
return UnknownCallOutlineType; return UnknownCallOutlineType;
// We have a function we have information about. Check it if it's something // We have a function we have information about. Check it if it's something
// can safely outline. // can safely outline.
MachineFunction *CalleeMF = MF->getMMI().getMachineFunction(*Callee); MachineFunction *CalleeMF = MF->getMMI().getMachineFunction(*Callee);
▲ Show 20 LinesShow All 131 Lines▼ Show 20 Linesvoid AArch64InstrInfo::buildOutlinedFrame(
else if (OF.FrameConstructionID == MachineOutlinerThunk) { else if (OF.FrameConstructionID == MachineOutlinerThunk) {
// For thunk outlining, rewrite the last instruction from a call to a // For thunk outlining, rewrite the last instruction from a call to a
// tail-call. // tail-call.
MachineInstr *Call = &*--MBB.instr_end(); MachineInstr *Call = &*--MBB.instr_end();
unsigned TailOpcode; unsigned TailOpcode;
if (Call->getOpcode() == AArch64::BL) { if (Call->getOpcode() == AArch64::BL) {
TailOpcode = AArch64::TCRETURNdi; TailOpcode = AArch64::TCRETURNdi;
} else { } else {
assert(Call->getOpcode() == AArch64::BLR); assert(Call->getOpcode() == AArch64::BLR ||
Call->getOpcode() == AArch64::BLRNoIP);
TailOpcode = AArch64::TCRETURNriALL; TailOpcode = AArch64::TCRETURNriALL;
} }
MachineInstr *TC = BuildMI(MF, DebugLoc(), get(TailOpcode)) MachineInstr *TC = BuildMI(MF, DebugLoc(), get(TailOpcode))
.add(Call->getOperand(0)) .add(Call->getOperand(0))
.addImm(0); .addImm(0);
MBB.insert(MBB.end(), TC); MBB.insert(MBB.end(), TC);
Call->eraseFromParent(); Call->eraseFromParent();
▲ Show 20 LinesShow All 319 Lines▼ Show 20 LinesAArch64InstrInfo::describeLoadedValue(const MachineInstr &MI,
return TargetInstrInfo::describeLoadedValue(MI, Reg); return TargetInstrInfo::describeLoadedValue(MI, Reg);
} }
uint64_t AArch64InstrInfo::getElementSizeForOpcode(unsigned Opc) const { uint64_t AArch64InstrInfo::getElementSizeForOpcode(unsigned Opc) const {
return get(Opc).TSFlags & AArch64::ElementSizeMask; return get(Opc).TSFlags & AArch64::ElementSizeMask;
} }
unsigned llvm::getBLRCallOpcode(const MachineFunction &MF) {
if (MF.getSubtarget<AArch64Subtarget>().hardenSlsBlr())
return AArch64::BLRNoIP;
else
return AArch64::BLR;
}
#define GET_INSTRINFO_HELPERS #define GET_INSTRINFO_HELPERS
#define GET_INSTRMAP_INFO #define GET_INSTRMAP_INFO
#include "AArch64GenInstrInfo.inc" #include "AArch64GenInstrInfo.inc"

llvm/lib/Target/AArch64/AArch64InstrInfo.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 583 Lines▼ Show 20 Lineslet RecomputePerFunction = 1 in {
def ForCodeSize : Predicate<"shouldOptForSize(MF)">; def ForCodeSize : Predicate<"shouldOptForSize(MF)">;
def NotForCodeSize : Predicate<"!shouldOptForSize(MF)">; def NotForCodeSize : Predicate<"!shouldOptForSize(MF)">;
// Avoid generating STRQro if it is slow, unless we're optimizing for code size. // Avoid generating STRQro if it is slow, unless we're optimizing for code size.
def UseSTRQro : Predicate<"!Subtarget->isSTRQroSlow() || shouldOptForSize(MF)">; def UseSTRQro : Predicate<"!Subtarget->isSTRQroSlow() || shouldOptForSize(MF)">;
def UseBTI : Predicate<[{ MF->getFunction().hasFnAttribute("branch-target-enforcement") }]>; def UseBTI : Predicate<[{ MF->getFunction().hasFnAttribute("branch-target-enforcement") }]>;
def NotUseBTI : Predicate<[{ !MF->getFunction().hasFnAttribute("branch-target-enforcement") }]>; def NotUseBTI : Predicate<[{ !MF->getFunction().hasFnAttribute("branch-target-enforcement") }]>;
def SLSBLRMitigation : Predicate<[{ MF->getSubtarget<AArch64Subtarget>().hardenSlsBlr() }]>;
def NoSLSBLRMitigation : Predicate<[{ !MF->getSubtarget<AArch64Subtarget>().hardenSlsBlr() }]>;
// Toggles patterns which aren't beneficial in GlobalISel when we aren't // Toggles patterns which aren't beneficial in GlobalISel when we aren't
// optimizing. This allows us to selectively use patterns without impacting // optimizing. This allows us to selectively use patterns without impacting
// SelectionDAG's behaviour. // SelectionDAG's behaviour.
// FIXME: One day there will probably be a nicer way to check for this, but // FIXME: One day there will probably be a nicer way to check for this, but
// today is not that day. // today is not that day.
def OptimizedGISelOrOtherSelector : Predicate<"!MF->getFunction().hasOptNone() || MF->getProperties().hasProperty(MachineFunctionProperties::Property::FailedISel) || !MF->getProperties().hasProperty(MachineFunctionProperties::Property::Legalized)">; def OptimizedGISelOrOtherSelector : Predicate<"!MF->getFunction().hasOptNone() || MF->getProperties().hasProperty(MachineFunctionProperties::Property::FailedISel) || !MF->getProperties().hasProperty(MachineFunctionProperties::Property::Legalized)">;
} }
▲ Show 20 LinesShow All 1,415 Lines▼ Show 20 Lines
def DRPS : SpecialReturn<0b0101, "drps">; def DRPS : SpecialReturn<0b0101, "drps">;
def ERET : SpecialReturn<0b0100, "eret">; def ERET : SpecialReturn<0b0100, "eret">;
} // isReturn = 1, isTerminator = 1, isBarrier = 1 } // isReturn = 1, isTerminator = 1, isBarrier = 1
// Default to the LR register. // Default to the LR register.
def : InstAlias<"ret", (RET LR)>; def : InstAlias<"ret", (RET LR)>;
let isCall = 1, Defs = [LR], Uses = [SP] in { let isCall = 1, Defs = [LR], Uses = [SP] in {
def BLR : BranchReg<0b0001, "blr", [(AArch64call GPR64:$Rn)]>; def BLR : BranchReg<0b0001, "blr", []>;
def BLRNoIP : Pseudo<(outs), (ins GPR64noip:$Rn), []>,
ostannardUnsubmitted
Done
ReplyInline Actions

Is the BLRCall pseudo actually needed, or could we just use BLR when not doing the mitigation?

ostannard: Is the `BLRCall` pseudo actually needed, or could we just use `BLR` when not doing the…
kristof.beylsAuthorUnsubmitted
Done
ReplyInline Actions

Indeed BLRCall is not needed. Now removed in the latest version of the patch.

kristof.beyls: Indeed BLRCall is not needed. Now removed in the latest version of the patch.
Sched<[WriteBrReg]>,
PseudoInstExpansion<(BLR GPR64:$Rn)>;
} // isCall } // isCall
def : Pat<(AArch64call GPR64:$Rn),
(BLR GPR64:$Rn)>,
Requires<[NoSLSBLRMitigation]>;
def : Pat<(AArch64call GPR64noip:$Rn),
(BLRNoIP GPR64noip:$Rn)>,
Requires<[SLSBLRMitigation]>;
let isBranch = 1, isTerminator = 1, isBarrier = 1, isIndirectBranch = 1 in { let isBranch = 1, isTerminator = 1, isBarrier = 1, isIndirectBranch = 1 in {
def BR : BranchReg<0b0000, "br", [(brind GPR64:$Rn)]>; def BR : BranchReg<0b0000, "br", [(brind GPR64:$Rn)]>;
} // isBranch, isTerminator, isBarrier, isIndirectBranch } // isBranch, isTerminator, isBarrier, isIndirectBranch
// Create a separate pseudo-instruction for codegen to use so that we don't // Create a separate pseudo-instruction for codegen to use so that we don't
// flag lr as used in every function. It'll be restored before the RET by the // flag lr as used in every function. It'll be restored before the RET by the
// epilogue if it's legitimately used. // epilogue if it's legitimately used.
def RET_ReallyLR : Pseudo<(outs), (ins), [(AArch64retflag)]>, def RET_ReallyLR : Pseudo<(outs), (ins), [(AArch64retflag)]>,
▲ Show 20 LinesShow All 5,583 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/AArch64SLSHardening.cpp

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AArch64InstrInfo.h" #include "AArch64InstrInfo.h"
#include "AArch64Subtarget.h" #include "AArch64Subtarget.h"
#include "Utils/AArch64BaseInfo.h" #include "Utils/AArch64BaseInfo.h"
#include "llvm/ADT/BitVector.h" #include "llvm/ADT/BitVector.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/CodeGen/IndirectThunks.h"
#include "llvm/CodeGen/MachineBasicBlock.h" #include "llvm/CodeGen/MachineBasicBlock.h"
#include "llvm/CodeGen/MachineFunction.h" #include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineFunctionPass.h" #include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/MachineInstr.h" #include "llvm/CodeGen/MachineInstr.h"
#include "llvm/CodeGen/MachineInstrBuilder.h" #include "llvm/CodeGen/MachineInstrBuilder.h"
#include "llvm/CodeGen/MachineOperand.h" #include "llvm/CodeGen/MachineOperand.h"
#include "llvm/CodeGen/MachineRegisterInfo.h" #include "llvm/CodeGen/MachineRegisterInfo.h"
#include "llvm/CodeGen/RegisterScavenging.h" #include "llvm/CodeGen/RegisterScavenging.h"
Show All 25 Linespublic:
} }
bool runOnMachineFunction(MachineFunction &Fn) override; bool runOnMachineFunction(MachineFunction &Fn) override;
StringRef getPassName() const override { return AARCH64_SLS_HARDENING_NAME; } StringRef getPassName() const override { return AARCH64_SLS_HARDENING_NAME; }
private: private:
bool hardenReturnsAndBRs(MachineBasicBlock &MBB) const; bool hardenReturnsAndBRs(MachineBasicBlock &MBB) const;
void insertSpeculationBarrier(MachineBasicBlock &MBB, bool hardenBLRs(MachineBasicBlock &MBB) const;
MachineBasicBlock::iterator MBBI, MachineBasicBlock &ConvertBLRToBL(MachineBasicBlock &MBB,
DebugLoc DL) const; MachineBasicBlock::iterator) const;
}; };
} // end anonymous namespace } // end anonymous namespace
char AArch64SLSHardening::ID = 0; char AArch64SLSHardening::ID = 0;
INITIALIZE_PASS(AArch64SLSHardening, "aarch64-sls-hardening", INITIALIZE_PASS(AArch64SLSHardening, "aarch64-sls-hardening",
AARCH64_SLS_HARDENING_NAME, false, false) AARCH64_SLS_HARDENING_NAME, false, false)
void AArch64SLSHardening::insertSpeculationBarrier( static void insertSpeculationBarrier(const AArch64Subtarget *ST,
MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI, MachineBasicBlock &MBB,
DebugLoc DL) const { MachineBasicBlock::iterator MBBI,
DebugLoc DL,
bool AlwaysUseISBDSB = false) {
assert(MBBI != MBB.begin() && assert(MBBI != MBB.begin() &&
"Must not insert SpeculationBarrierEndBB as only instruction in MBB."); "Must not insert SpeculationBarrierEndBB as only instruction in MBB.");
assert(std::prev(MBBI)->isBarrier() && assert(std::prev(MBBI)->isBarrier() &&
"SpeculationBarrierEndBB must only follow unconditional control flow " "SpeculationBarrierEndBB must only follow unconditional control flow "
"instructions."); "instructions.");
assert(std::prev(MBBI)->isTerminator() && assert(std::prev(MBBI)->isTerminator() &&
"SpeculatoinBarrierEndBB must only follow terminators."); "SpeculationBarrierEndBB must only follow terminators.");
if (ST->hasSB()) const TargetInstrInfo *TII = ST->getInstrInfo();
BuildMI(MBB, MBBI, DL, TII->get(AArch64::SpeculationBarrierSBEndBB)); unsigned BarrierOpc = ST->hasSB() && !AlwaysUseISBDSB
else ? AArch64::SpeculationBarrierSBEndBB
BuildMI(MBB, MBBI, DL, TII->get(AArch64::SpeculationBarrierISBDSBEndBB)); : AArch64::SpeculationBarrierISBDSBEndBB;
if (MBBI == MBB.end() ||
(MBBI->getOpcode() != AArch64::SpeculationBarrierSBEndBB &&
MBBI->getOpcode() != AArch64::SpeculationBarrierISBDSBEndBB))
BuildMI(MBB, MBBI, DL, TII->get(BarrierOpc));
} }
bool AArch64SLSHardening::runOnMachineFunction(MachineFunction &MF) { bool AArch64SLSHardening::runOnMachineFunction(MachineFunction &MF) {
ST = &MF.getSubtarget<AArch64Subtarget>(); ST = &MF.getSubtarget<AArch64Subtarget>();
TII = MF.getSubtarget().getInstrInfo(); TII = MF.getSubtarget().getInstrInfo();
TRI = MF.getSubtarget().getRegisterInfo(); TRI = MF.getSubtarget().getRegisterInfo();
bool Modified = false; bool Modified = false;
for (auto &MBB : MF) for (auto &MBB : MF) {
Modified |= hardenReturnsAndBRs(MBB); Modified |= hardenReturnsAndBRs(MBB);
Modified |= hardenBLRs(MBB);
}
return Modified; return Modified;
} }
static bool isBLR(const MachineInstr &MI) {
switch (MI.getOpcode()) {
case AArch64::BLR:
ostannardUnsubmitted
Done
ReplyInline Actions

BLRCall shouldn't be selected when this pass is enabled, so maybe we should assert here?

ostannard: `BLRCall` shouldn't be selected when this pass is enabled, so maybe we should assert here?
kristof.beylsAuthorUnsubmitted
Done
ReplyInline Actions

I've changed the pseudo expansion to use PseudoInstExpansion.
Depending on when that expansion happens in the pipeline (before or after the mitigation pass), one could see BLR or BLRNoIP here.
I thought it's safest to just handle both here. There's an assert in ConvertBLRToBL that should catch what we actually care about, i.e. not using X16/X17 (nor LR).

kristof.beyls: I've changed the pseudo expansion to use PseudoInstExpansion. Depending on when that expansion…
case AArch64::BLRNoIP:
return true;
case AArch64::BLRAA:
case AArch64::BLRAB:
case AArch64::BLRAAZ:
case AArch64::BLRABZ:
llvm_unreachable("Currently, LLVM's code generator does not support "
"producing BLRA* instructions. Therefore, there's no "
"support in this pass for those instructions.");
}
return false;
}
bool AArch64SLSHardening::hardenReturnsAndBRs(MachineBasicBlock &MBB) const { bool AArch64SLSHardening::hardenReturnsAndBRs(MachineBasicBlock &MBB) const {
if (!ST->hardenSlsRetBr()) if (!ST->hardenSlsRetBr())
return false; return false;
bool Modified = false; bool Modified = false;
MachineBasicBlock::iterator MBBI = MBB.getFirstTerminator(), E = MBB.end(); MachineBasicBlock::iterator MBBI = MBB.getFirstTerminator(), E = MBB.end();
MachineBasicBlock::iterator NextMBBI; MachineBasicBlock::iterator NextMBBI;
for (; MBBI != E; MBBI = NextMBBI) { for (; MBBI != E; MBBI = NextMBBI) {
MachineInstr &MI = *MBBI; MachineInstr &MI = *MBBI;
NextMBBI = std::next(MBBI); NextMBBI = std::next(MBBI);
if (MI.isReturn() || isIndirectBranchOpcode(MI.getOpcode())) { if (MI.isReturn() || isIndirectBranchOpcode(MI.getOpcode())) {
assert(MI.isTerminator()); assert(MI.isTerminator());
insertSpeculationBarrier(MBB, std::next(MBBI), MI.getDebugLoc()); insertSpeculationBarrier(ST, MBB, std::next(MBBI), MI.getDebugLoc());
Modified = true;
}
}
return Modified;
}
static const char SLSBLRNamePrefix[] = "__llvm_slsblr_thunk_";
static std::array<const char *, 29> SLSBLRThunkNames{
"__llvm_slsblr_thunk_x0", "__llvm_slsblr_thunk_x1",
"__llvm_slsblr_thunk_x2", "__llvm_slsblr_thunk_x3",
"__llvm_slsblr_thunk_x4", "__llvm_slsblr_thunk_x5",
"__llvm_slsblr_thunk_x6", "__llvm_slsblr_thunk_x7",
"__llvm_slsblr_thunk_x8", "__llvm_slsblr_thunk_x9",
"__llvm_slsblr_thunk_x10", "__llvm_slsblr_thunk_x11",
"__llvm_slsblr_thunk_x12", "__llvm_slsblr_thunk_x13",
"__llvm_slsblr_thunk_x14", "__llvm_slsblr_thunk_x15",
// X16 and X17 are deliberately missing, as the mitigation requires those
ostannardUnsubmitted
Done
ReplyInline Actions

Is it possible for the call to these thunks to go through a long-branch veneer, PLT, etc, which could clobber x16 or x17 before it gets used in the thunk? Maybe we could avoid generating indirect calls using those registers, but we have the exact opposite restriction for tail calls when using BTI (grep for TCRETURNriBTI).

ostannard: Is it possible for the call to these thunks to go through a long-branch veneer, PLT, etc, which…
ostannardUnsubmitted
Done
ReplyInline Actions

Please add a comment noting that x16 and x17 are deliberately omitted.

ostannard: Please add a comment noting that x16 and x17 are deliberately omitted.
// register to not be used in BLR. See comment in ConvertBLRToBL for more
// details.
"__llvm_slsblr_thunk_x18", "__llvm_slsblr_thunk_x19",
"__llvm_slsblr_thunk_x20", "__llvm_slsblr_thunk_x21",
"__llvm_slsblr_thunk_x22", "__llvm_slsblr_thunk_x23",
"__llvm_slsblr_thunk_x24", "__llvm_slsblr_thunk_x25",
ostannardUnsubmitted
Done
ReplyInline Actions

X30 doesn't need to be in these lists either, it (correctly) isn't allowed with BLRCallNoIP.

ostannard: X30 doesn't need to be in these lists either, it (correctly) isn't allowed with `BLRCallNoIP`.
"__llvm_slsblr_thunk_x26", "__llvm_slsblr_thunk_x27",
"__llvm_slsblr_thunk_x28", "__llvm_slsblr_thunk_x29",
// X30 is deliberately missing, for similar reasons as X16 and X17 are
// missing.
"__llvm_slsblr_thunk_x31",
};
static std::array<unsigned, 29> SLSBLRThunkRegs{
AArch64::X0, AArch64::X1, AArch64::X2, AArch64::X3, AArch64::X4,
AArch64::X5, AArch64::X6, AArch64::X7, AArch64::X8, AArch64::X9,
AArch64::X10, AArch64::X11, AArch64::X12, AArch64::X13, AArch64::X14,
AArch64::X15, AArch64::X18, AArch64::X19, AArch64::X20, AArch64::X21,
AArch64::X22, AArch64::X23, AArch64::X24, AArch64::X25, AArch64::X26,
AArch64::X27, AArch64::X28, AArch64::FP, AArch64::XZR};
namespace {
struct SLSBLRThunkInserter : ThunkInserter<SLSBLRThunkInserter> {
const char *getThunkPrefix() { return SLSBLRNamePrefix; }
bool mayUseThunk(const MachineFunction &MF) {
// FIXME: This could also check if there are any BLRs in the function
// to more accurately reflect if a thunk will be needed.
return MF.getSubtarget<AArch64Subtarget>().hardenSlsBlr();
}
void insertThunks(MachineModuleInfo &MMI);
void populateThunk(MachineFunction &MF);
};
} // namespace
void SLSBLRThunkInserter::insertThunks(MachineModuleInfo &MMI) {
// FIXME: It probably would be possible to filter which thunks to produce
// based on which registers are actually used in BLR instructions in this
// function. But would that be a worthwhile optimization?
for (StringRef Name : SLSBLRThunkNames)
createThunkFunction(MMI, Name);
}
ostannardUnsubmitted
Done
ReplyInline Actions

Style nit: Variable should be declared further down, when first set.

ostannard: Style nit: Variable should be declared further down, when first set.
void SLSBLRThunkInserter::populateThunk(MachineFunction &MF) {
// FIXME: How to better communicate Register number, rather than through
// name and lookup table?
assert(MF.getName().startswith(getThunkPrefix()));
int Index = -1;
for (int i = 0; i < (int)SLSBLRThunkNames.size(); ++i)
if (MF.getName() == SLSBLRThunkNames[i]) {
Index = i;
break;
}
assert(Index != -1);
Register ThunkReg = SLSBLRThunkRegs[Index];
const TargetInstrInfo *TII =
ostannardUnsubmitted
Done
ReplyInline Actions

Is this something which could be fixed in ThunkInserter?

ostannard: Is this something which could be fixed in ThunkInserter?
kristof.beylsAuthorUnsubmitted
Done
ReplyInline Actions

Maybe, but I think that should be done as a separate patch as it's probably target-independent.

kristof.beyls: Maybe, but I think that should be done as a separate patch as it's probably target-independent.
kristof.beylsAuthorUnsubmitted
Done
ReplyInline Actions

I've now posted a fix for this in the ThunkInserter in D81403

kristof.beyls: I've now posted a fix for this in the ThunkInserter in D81403
MF.getSubtarget<AArch64Subtarget>().getInstrInfo();
// Grab the entry MBB and erase any other blocks. O0 codegen appears to
// generate two bbs for the entry block.
MachineBasicBlock *Entry = &MF.front();
Entry->clear();
while (MF.size() > 1)
MF.erase(std::next(MF.begin()));
// These thunks need to consist of the following instructions:
// __llvm_slsblr_thunk_xN:
// BR xN
// barrierInsts
Entry->addLiveIn(ThunkReg);
BuildMI(Entry, DebugLoc(), TII->get(AArch64::BR)).addReg(ThunkReg);
// Make sure the thunks do not make use of the SB extension in case there is
// a function somewhere that will call to it that for some reason disabled
// the SB extension locally on that function, even though it's enabled for
// the module otherwise. Therefore set AlwaysUseISBSDB to true.
insertSpeculationBarrier(&MF.getSubtarget<AArch64Subtarget>(), *Entry,
Entry->end(), DebugLoc(), true /*AlwaysUseISBDSB*/);
}
MachineBasicBlock &
AArch64SLSHardening::ConvertBLRToBL(MachineBasicBlock &MBB,
ostannardUnsubmitted
Done
ReplyInline Actions

This comment is a bit misleading, we're not actually splitting the basic block (that's terminology used elsewhere in LLVM for replacing one basic block with two).

ostannard: This comment is a bit misleading, we're not actually splitting the basic block (that's…
kristof.beylsAuthorUnsubmitted
Done
ReplyInline Actions

Hopefully the new comment is better.

kristof.beyls: Hopefully the new comment is better.
MachineBasicBlock::iterator MBBI) const {
// Transform a BLR to a BL as follows:
// Before:
// |-----------------------------|
// | ... |
// | instI |
// | BLR xN |
// | instJ |
// | ... |
// |-----------------------------|
//
// After:
// |-----------------------------|
// | ... |
// | instI |
// | BL __llvm_slsblr_thunk_xN |
// | instJ |
// | ... |
// |-----------------------------|
//
// __llvm_slsblr_thunk_xN:
// |-----------------------------|
// | BR xN |
// | barrierInsts |
// |-----------------------------|
//
// The __llvm_slsblr_thunk_xN thunks are created by the SLSBLRThunkInserter.
// This function merely needs to transform BLR xN into BL
// __llvm_slsblr_thunk_xN.
//
// Since linkers are allowed to clobber X16 and X17 on function calls, the
// above mitigation only works if the original BLR instruction was not
// BLR X16 nor BLR X17. Code generation before must make sure that no BLR
// X16|X17 was produced if the mitigation is enabled.
MachineInstr &BLR = *MBBI;
assert(isBLR(BLR));
unsigned BLOpcode;
Register Reg;
bool RegIsKilled;
switch (BLR.getOpcode()) {
case AArch64::BLR:
case AArch64::BLRNoIP:
BLOpcode = AArch64::BL;
Reg = BLR.getOperand(0).getReg();
assert(Reg != AArch64::X16 && Reg != AArch64::X17 && Reg != AArch64::LR);
RegIsKilled = BLR.getOperand(0).isKill();
break;
case AArch64::BLRAA:
case AArch64::BLRAB:
case AArch64::BLRAAZ:
case AArch64::BLRABZ:
llvm_unreachable("BLRA instructions cannot yet be produced by LLVM, "
"therefore there is no need to support them for now.");
default:
llvm_unreachable("unhandled BLR");
}
DebugLoc DL = BLR.getDebugLoc();
// If we'd like to support also BLRAA and BLRAB instructions, we'd need
// a lot more different kind of thunks.
// For example, a
//
// BLRAA xN, xM
//
// instruction probably would need to be transformed to something like:
//
// BL __llvm_slsblraa_thunk_x<N>_x<M>
//
// __llvm_slsblraa_thunk_x<N>_x<M>:
// BRAA x<N>, x<M>
// barrierInsts
//
// Given that about 30 different values of N are possible and about 30
// different values of M are possible in the above, with the current way
// of producing indirect thunks, we'd be producing about 30 times 30, i.e.
// about 900 thunks (where most might not be actually called). This would
// multiply further by two to support both BLRAA and BLRAB variants of those
// instructions.
// If we'd want to support this, we'd probably need to look into a different
// way to produce thunk functions, based on which variants are actually
// needed, rather than producing all possible variants.
// So far, LLVM does never produce BLRA* instructions, so let's leave this
// for the future when LLVM can start producing BLRA* instructions.
MachineFunction &MF = *MBBI->getMF();
MCContext &Context = MBB.getParent()->getContext();
MCSymbol *Sym = Context.getOrCreateSymbol("__llvm_slsblr_thunk_x" +
utostr(Reg - AArch64::X0));
MachineInstr *BL = BuildMI(MBB, MBBI, DL, TII->get(BLOpcode)).addSym(Sym);
// Now copy the implicit operands from BLR to BL and copy other necessary
// info.
// However, both BLR and BL instructions implictly use SP and implicitly
// define LR. Blindly copying implicit operands would result in SP and LR
// operands to be present multiple times. While this may not be too much of
// an issue, let's avoid that for cleanliness, by removing those implicit
// operands from the BL created above before we copy over all implicit
// operands from the BLR.
int ImpLROpIdx = -1;
int ImpSPOpIdx = -1;
for (unsigned OpIdx = BL->getNumExplicitOperands();
OpIdx < BL->getNumOperands(); OpIdx++) {
MachineOperand Op = BL->getOperand(OpIdx);
if (!Op.isReg())
continue;
if (Op.getReg() == AArch64::LR && Op.isDef())
ImpLROpIdx = OpIdx;
if (Op.getReg() == AArch64::SP && !Op.isDef())
ImpSPOpIdx = OpIdx;
}
assert(ImpLROpIdx != -1);
assert(ImpSPOpIdx != -1);
int FirstOpIdxToRemove = std::max(ImpLROpIdx, ImpSPOpIdx);
int SecondOpIdxToRemove = std::min(ImpLROpIdx, ImpSPOpIdx);
BL->RemoveOperand(FirstOpIdxToRemove);
BL->RemoveOperand(SecondOpIdxToRemove);
// Now copy over the implicit operands from the original BLR
BL->copyImplicitOps(MF, BLR);
MF.moveCallSiteInfo(&BLR, BL);
// Also add the register called in the BLR as being used in the called thunk.
BL->addOperand(MachineOperand::CreateReg(Reg, false /*isDef*/, true /*isImp*/,
RegIsKilled /*isKill*/));
// Remove BLR instruction
MBB.erase(MBBI);
return MBB;
}
bool AArch64SLSHardening::hardenBLRs(MachineBasicBlock &MBB) const {
if (!ST->hardenSlsBlr())
return false;
bool Modified = false;
MachineBasicBlock::iterator MBBI = MBB.begin(), E = MBB.end();
MachineBasicBlock::iterator NextMBBI;
for (; MBBI != E; MBBI = NextMBBI) {
MachineInstr &MI = *MBBI;
NextMBBI = std::next(MBBI);
if (isBLR(MI)) {
ConvertBLRToBL(MBB, MBBI);
Modified = true; Modified = true;
} }
} }
return Modified; return Modified;
} }
FunctionPass *llvm::createAArch64SLSHardeningPass() { FunctionPass *llvm::createAArch64SLSHardeningPass() {
return new AArch64SLSHardening(); return new AArch64SLSHardening();
} }
namespace {
class AArch64IndirectThunks : public MachineFunctionPass {
public:
static char ID;
AArch64IndirectThunks() : MachineFunctionPass(ID) {}
StringRef getPassName() const override { return "AArch64 Indirect Thunks"; }
bool doInitialization(Module &M) override;
bool runOnMachineFunction(MachineFunction &MF) override;
void getAnalysisUsage(AnalysisUsage &AU) const override {
MachineFunctionPass::getAnalysisUsage(AU);
AU.addRequired<MachineModuleInfoWrapperPass>();
AU.addPreserved<MachineModuleInfoWrapperPass>();
}
private:
std::tuple<SLSBLRThunkInserter> TIs;
// FIXME: When LLVM moves to C++17, these can become folds
template <typename... ThunkInserterT>
static void initTIs(Module &M,
std::tuple<ThunkInserterT...> &ThunkInserters) {
(void)std::initializer_list<int>{
(std::get<ThunkInserterT>(ThunkInserters).init(M), 0)...};
}
template <typename... ThunkInserterT>
static bool runTIs(MachineModuleInfo &MMI, MachineFunction &MF,
std::tuple<ThunkInserterT...> &ThunkInserters) {
bool Modified = false;
(void)std::initializer_list<int>{
Modified |= std::get<ThunkInserterT>(ThunkInserters).run(MMI, MF)...};
return Modified;
}
};
} // end anonymous namespace
char AArch64IndirectThunks::ID = 0;
FunctionPass *llvm::createAArch64IndirectThunks() {
return new AArch64IndirectThunks();
}
bool AArch64IndirectThunks::doInitialization(Module &M) {
initTIs(M, TIs);
return false;
}
bool AArch64IndirectThunks::runOnMachineFunction(MachineFunction &MF) {
LLVM_DEBUG(dbgs() << getPassName() << '\n');
auto &MMI = getAnalysis<MachineModuleInfoWrapperPass>().getMMI();
return runTIs(MMI, MF, TIs);
}

llvm/lib/Target/AArch64/AArch64Subtarget.h

Show First 20 LinesShow All 205 Lines▼ Show 20 Linesprotected:
bool DisableLatencySchedHeuristic = false; bool DisableLatencySchedHeuristic = false;
bool UseRSqrt = false; bool UseRSqrt = false;
bool Force32BitJumpTables = false; bool Force32BitJumpTables = false;
bool UseEL1ForTP = false; bool UseEL1ForTP = false;
bool UseEL2ForTP = false; bool UseEL2ForTP = false;
bool UseEL3ForTP = false; bool UseEL3ForTP = false;
bool AllowTaggedGlobals = false; bool AllowTaggedGlobals = false;
bool HardenSlsRetBr = false; bool HardenSlsRetBr = false;
bool HardenSlsBlr = false;
uint8_t MaxInterleaveFactor = 2; uint8_t MaxInterleaveFactor = 2;
uint8_t VectorInsertExtractBaseCost = 3; uint8_t VectorInsertExtractBaseCost = 3;
uint16_t CacheLineSize = 0; uint16_t CacheLineSize = 0;
uint16_t PrefetchDistance = 0; uint16_t PrefetchDistance = 0;
uint16_t MinPrefetchStride = 1; uint16_t MinPrefetchStride = 1;
unsigned MaxPrefetchIterationsAhead = UINT_MAX; unsigned MaxPrefetchIterationsAhead = UINT_MAX;
unsigned PrefFunctionLogAlignment = 0; unsigned PrefFunctionLogAlignment = 0;
unsigned PrefLoopLogAlignment = 0; unsigned PrefLoopLogAlignment = 0;
▲ Show 20 LinesShow All 138 Lines▼ Show 20 Linespublic:
/// Return true if the CPU supports any kind of instruction fusion. /// Return true if the CPU supports any kind of instruction fusion.
bool hasFusion() const { bool hasFusion() const {
return hasArithmeticBccFusion() || hasArithmeticCbzFusion() || return hasArithmeticBccFusion() || hasArithmeticCbzFusion() ||
hasFuseAES() || hasFuseArithmeticLogic() || hasFuseAES() || hasFuseArithmeticLogic() ||
hasFuseCCSelect() || hasFuseLiterals(); hasFuseCCSelect() || hasFuseLiterals();
} }
bool hardenSlsRetBr() const { return HardenSlsRetBr; } bool hardenSlsRetBr() const { return HardenSlsRetBr; }
bool hardenSlsBlr() const { return HardenSlsBlr; }
bool useEL1ForTP() const { return UseEL1ForTP; } bool useEL1ForTP() const { return UseEL1ForTP; }
bool useEL2ForTP() const { return UseEL2ForTP; } bool useEL2ForTP() const { return UseEL2ForTP; }
bool useEL3ForTP() const { return UseEL3ForTP; } bool useEL3ForTP() const { return UseEL3ForTP; }
bool useRSqrt() const { return UseRSqrt; } bool useRSqrt() const { return UseRSqrt; }
bool force32BitJumpTables() const { return Force32BitJumpTables; } bool force32BitJumpTables() const { return Force32BitJumpTables; }
unsigned getMaxInterleaveFactor() const { return MaxInterleaveFactor; } unsigned getMaxInterleaveFactor() const { return MaxInterleaveFactor; }
▲ Show 20 LinesShow All 163 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/AArch64TargetMachine.cpp

Show First 20 LinesShow All 630 Lines▼ Show 20 Linesvoid AArch64PassConfig::addPreSched2() {
// The AArch64SpeculationHardeningPass destroys dominator tree and natural // The AArch64SpeculationHardeningPass destroys dominator tree and natural
// loop info, which is needed for the FalkorHWPFFixPass and also later on. // loop info, which is needed for the FalkorHWPFFixPass and also later on.
// Therefore, run the AArch64SpeculationHardeningPass before the // Therefore, run the AArch64SpeculationHardeningPass before the
// FalkorHWPFFixPass to avoid recomputing dominator tree and natural loop // FalkorHWPFFixPass to avoid recomputing dominator tree and natural loop
// info. // info.
addPass(createAArch64SpeculationHardeningPass()); addPass(createAArch64SpeculationHardeningPass());
addPass(createAArch64IndirectThunks());
addPass(createAArch64SLSHardeningPass()); addPass(createAArch64SLSHardeningPass());
if (TM->getOptLevel() != CodeGenOpt::None) { if (TM->getOptLevel() != CodeGenOpt::None) {
if (EnableFalkorHWPFFix) if (EnableFalkorHWPFFix)
addPass(createFalkorHWPFFixPass()); addPass(createFalkorHWPFFixPass());
} }
} }
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/GISel/AArch64CallLowering.cpp

Show First 20 LinesShow All 767 Lines▼ Show 20 Linesbool AArch64CallLowering::isEligibleForTailCallOptimization(
if (!areCalleeOutgoingArgsTailCallable(Info, MF, OutArgs)) if (!areCalleeOutgoingArgsTailCallable(Info, MF, OutArgs))
return false; return false;
LLVM_DEBUG( LLVM_DEBUG(
dbgs() << "... Call is eligible for tail call optimization.\n"); dbgs() << "... Call is eligible for tail call optimization.\n");
return true; return true;
} }
static unsigned getCallOpcode(const Function &CallerF, bool IsIndirect, static unsigned getCallOpcode(const MachineFunction &CallerF, bool IsIndirect,
bool IsTailCall) { bool IsTailCall) {
if (!IsTailCall) if (!IsTailCall)
return IsIndirect ? AArch64::BLR : AArch64::BL; return IsIndirect ? getBLRCallOpcode(CallerF) : AArch64::BL;
if (!IsIndirect) if (!IsIndirect)
return AArch64::TCRETURNdi; return AArch64::TCRETURNdi;
// When BTI is enabled, we need to use TCRETURNriBTI to make sure that we use // When BTI is enabled, we need to use TCRETURNriBTI to make sure that we use
// x16 or x17. // x16 or x17.
if (CallerF.hasFnAttribute("branch-target-enforcement")) if (CallerF.getFunction().hasFnAttribute("branch-target-enforcement"))
return AArch64::TCRETURNriBTI; return AArch64::TCRETURNriBTI;
return AArch64::TCRETURNri; return AArch64::TCRETURNri;
} }
bool AArch64CallLowering::lowerTailCall( bool AArch64CallLowering::lowerTailCall(
MachineIRBuilder &MIRBuilder, CallLoweringInfo &Info, MachineIRBuilder &MIRBuilder, CallLoweringInfo &Info,
SmallVectorImpl<ArgInfo> &OutArgs) const { SmallVectorImpl<ArgInfo> &OutArgs) const {
Show All 19 Linesbool AArch64CallLowering::lowerTailCall(
CCAssignFn *AssignFnFixed; CCAssignFn *AssignFnFixed;
CCAssignFn *AssignFnVarArg; CCAssignFn *AssignFnVarArg;
std::tie(AssignFnFixed, AssignFnVarArg) = getAssignFnsForCC(CalleeCC, TLI); std::tie(AssignFnFixed, AssignFnVarArg) = getAssignFnsForCC(CalleeCC, TLI);
MachineInstrBuilder CallSeqStart; MachineInstrBuilder CallSeqStart;
if (!IsSibCall) if (!IsSibCall)
CallSeqStart = MIRBuilder.buildInstr(AArch64::ADJCALLSTACKDOWN); CallSeqStart = MIRBuilder.buildInstr(AArch64::ADJCALLSTACKDOWN);
unsigned Opc = getCallOpcode(F, Info.Callee.isReg(), true); unsigned Opc = getCallOpcode(MF, Info.Callee.isReg(), true);
auto MIB = MIRBuilder.buildInstrNoInsert(Opc); auto MIB = MIRBuilder.buildInstrNoInsert(Opc);
MIB.add(Info.Callee); MIB.add(Info.Callee);
// Byte offset for the tail call. When we are sibcalling, this will always // Byte offset for the tail call. When we are sibcalling, this will always
// be 0. // be 0.
MIB.addImm(0); MIB.addImm(0);
// Tell the call which registers are clobbered. // Tell the call which registers are clobbered.
▲ Show 20 LinesShow All 143 Lines▼ Show 20 Linesbool AArch64CallLowering::lowerCall(MachineIRBuilder &MIRBuilder,
std::tie(AssignFnFixed, AssignFnVarArg) = std::tie(AssignFnFixed, AssignFnVarArg) =
getAssignFnsForCC(Info.CallConv, TLI); getAssignFnsForCC(Info.CallConv, TLI);
MachineInstrBuilder CallSeqStart; MachineInstrBuilder CallSeqStart;
CallSeqStart = MIRBuilder.buildInstr(AArch64::ADJCALLSTACKDOWN); CallSeqStart = MIRBuilder.buildInstr(AArch64::ADJCALLSTACKDOWN);
// Create a temporarily-floating call instruction so we can add the implicit // Create a temporarily-floating call instruction so we can add the implicit
// uses of arg registers. // uses of arg registers.
unsigned Opc = getCallOpcode(F, Info.Callee.isReg(), false); unsigned Opc = getCallOpcode(MF, Info.Callee.isReg(), false);
auto MIB = MIRBuilder.buildInstrNoInsert(Opc); auto MIB = MIRBuilder.buildInstrNoInsert(Opc);
MIB.add(Info.Callee); MIB.add(Info.Callee);
// Tell the call which registers are clobbered. // Tell the call which registers are clobbered.
auto TRI = MF.getSubtarget<AArch64Subtarget>().getRegisterInfo(); auto TRI = MF.getSubtarget<AArch64Subtarget>().getRegisterInfo();
const uint32_t *Mask = TRI->getCallPreservedMask(MF, Info.CallConv); const uint32_t *Mask = TRI->getCallPreservedMask(MF, Info.CallConv);
if (MF.getSubtarget<AArch64Subtarget>().hasCustomCallingConv()) if (MF.getSubtarget<AArch64Subtarget>().hasCustomCallingConv())
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines

llvm/lib/Target/AArch64/GISel/AArch64InstructionSelector.cpp

Show First 20 LinesShow All 2,884 Lines▼ Show 20 Linesbool AArch64InstructionSelector::selectTLSGlobalValue(
auto Load = MIB.buildInstr(AArch64::LDRXui, {&AArch64::GPR64commonRegClass}, auto Load = MIB.buildInstr(AArch64::LDRXui, {&AArch64::GPR64commonRegClass},
{Register(AArch64::X0)}) {Register(AArch64::X0)})
.addImm(0); .addImm(0);
// TLS calls preserve all registers except those that absolutely must be // TLS calls preserve all registers except those that absolutely must be
// trashed: X0 (it takes an argument), LR (it's a call) and NZCV (let's not be // trashed: X0 (it takes an argument), LR (it's a call) and NZCV (let's not be
// silly). // silly).
MIB.buildInstr(AArch64::BLR, {}, {Load}) MIB.buildInstr(getBLRCallOpcode(MF), {}, {Load})
.addDef(AArch64::X0, RegState::Implicit) .addDef(AArch64::X0, RegState::Implicit)
.addRegMask(TRI.getTLSCallPreservedMask()); .addRegMask(TRI.getTLSCallPreservedMask());
MIB.buildCopy(I.getOperand(0).getReg(), Register(AArch64::X0)); MIB.buildCopy(I.getOperand(0).getReg(), Register(AArch64::X0));
RBI.constrainGenericRegister(I.getOperand(0).getReg(), AArch64::GPR64RegClass, RBI.constrainGenericRegister(I.getOperand(0).getReg(), AArch64::GPR64RegClass,
MRI); MRI);
I.eraseFromParent(); I.eraseFromParent();
return true; return true;
▲ Show 20 LinesShow All 2,684 LinesShow Last 20 Lines

llvm/test/CodeGen/AArch64/O0-pipeline.ll

Show First 20 LinesShow All 49 Lines▼ Show 20 Lines
; CHECK-NEXT: Fast Register Allocator ; CHECK-NEXT: Fast Register Allocator
; CHECK-NEXT: Fixup Statepoint Caller Saved ; CHECK-NEXT: Fixup Statepoint Caller Saved
; CHECK-NEXT: Lazy Machine Block Frequency Analysis ; CHECK-NEXT: Lazy Machine Block Frequency Analysis
; CHECK-NEXT: Machine Optimization Remark Emitter ; CHECK-NEXT: Machine Optimization Remark Emitter
; CHECK-NEXT: Prologue/Epilogue Insertion & Frame Finalization ; CHECK-NEXT: Prologue/Epilogue Insertion & Frame Finalization
; CHECK-NEXT: Post-RA pseudo instruction expansion pass ; CHECK-NEXT: Post-RA pseudo instruction expansion pass
; CHECK-NEXT: AArch64 pseudo instruction expansion pass ; CHECK-NEXT: AArch64 pseudo instruction expansion pass
; CHECK-NEXT: AArch64 speculation hardening pass ; CHECK-NEXT: AArch64 speculation hardening pass
; CHECK-NEXT: AArch64 Indirect Thunks
; CHECK-NEXT: AArch64 sls hardening pass ; CHECK-NEXT: AArch64 sls hardening pass
; CHECK-NEXT: Analyze Machine Code For Garbage Collection ; CHECK-NEXT: Analyze Machine Code For Garbage Collection
; CHECK-NEXT: Insert fentry calls ; CHECK-NEXT: Insert fentry calls
; CHECK-NEXT: Insert XRay ops ; CHECK-NEXT: Insert XRay ops
; CHECK-NEXT: Implement the 'patchable-function' attribute ; CHECK-NEXT: Implement the 'patchable-function' attribute
; CHECK-NEXT: AArch64 Branch Targets ; CHECK-NEXT: AArch64 Branch Targets
; CHECK-NEXT: Branch relaxation pass ; CHECK-NEXT: Branch relaxation pass
; CHECK-NEXT: Unpack machine instruction bundles ; CHECK-NEXT: Unpack machine instruction bundles
Show All 11 Lines

llvm/test/CodeGen/AArch64/O3-pipeline.ll

Show First 20 LinesShow All 172 Lines▼ Show 20 Lines
; CHECK-NEXT: Control Flow Optimizer ; CHECK-NEXT: Control Flow Optimizer
; CHECK-NEXT: Lazy Machine Block Frequency Analysis ; CHECK-NEXT: Lazy Machine Block Frequency Analysis
; CHECK-NEXT: Tail Duplication ; CHECK-NEXT: Tail Duplication
; CHECK-NEXT: Machine Copy Propagation Pass ; CHECK-NEXT: Machine Copy Propagation Pass
; CHECK-NEXT: Post-RA pseudo instruction expansion pass ; CHECK-NEXT: Post-RA pseudo instruction expansion pass
; CHECK-NEXT: AArch64 pseudo instruction expansion pass ; CHECK-NEXT: AArch64 pseudo instruction expansion pass
; CHECK-NEXT: AArch64 load / store optimization pass ; CHECK-NEXT: AArch64 load / store optimization pass
; CHECK-NEXT: AArch64 speculation hardening pass ; CHECK-NEXT: AArch64 speculation hardening pass
; CHECK-NEXT: AArch64 Indirect Thunks
; CHECK-NEXT: AArch64 sls hardening pass ; CHECK-NEXT: AArch64 sls hardening pass
; CHECK-NEXT: MachineDominator Tree Construction ; CHECK-NEXT: MachineDominator Tree Construction
; CHECK-NEXT: Machine Natural Loop Construction ; CHECK-NEXT: Machine Natural Loop Construction
; CHECK-NEXT: Falkor HW Prefetch Fix Late Phase ; CHECK-NEXT: Falkor HW Prefetch Fix Late Phase
; CHECK-NEXT: PostRA Machine Instruction Scheduler ; CHECK-NEXT: PostRA Machine Instruction Scheduler
; CHECK-NEXT: Analyze Machine Code For Garbage Collection ; CHECK-NEXT: Analyze Machine Code For Garbage Collection
; CHECK-NEXT: Machine Block Frequency Analysis ; CHECK-NEXT: Machine Block Frequency Analysis
; CHECK-NEXT: MachinePostDominator Tree Construction ; CHECK-NEXT: MachinePostDominator Tree Construction
Show All 36 Lines

llvm/test/CodeGen/AArch64/speculation-hardening-sls-blr.mir

  • This file was added.
# RUN: llc -verify-machineinstrs -mtriple=aarch64-none-linux-gnu \
# RUN: -start-before aarch64-sls-hardening \
# RUN: -stop-after aarch64-sls-hardening -o - %s \
# RUN: | FileCheck %s --check-prefixes=CHECK
# Check that the BLR SLS hardening transforms a BLR into a BL with operands as
# expected.
--- |
$__llvm_slsblr_thunk_x8 = comdat any
@a = dso_local local_unnamed_addr global i32 (...)* null, align 8
@b = dso_local local_unnamed_addr global i32 0, align 4
define dso_local void @fn1() local_unnamed_addr "target-features"="+harden-sls-blr" {
entry:
%0 = load i32 ()*, i32 ()** bitcast (i32 (...)** @a to i32 ()**), align 8
%call = tail call i32 %0() nounwind
store i32 %call, i32* @b, align 4
ret void
}
; Function Attrs: naked nounwind
define linkonce_odr hidden void @__llvm_slsblr_thunk_x8() naked nounwind comdat {
entry:
ret void
}
...
---
name: fn1
tracksRegLiveness: true
body: |
; CHECK-LABEL: name: fn1
bb.0.entry:
liveins: $lr
early-clobber $sp = frame-setup STRXpre killed $lr, $sp, -16 ; :: (store 8 into %stack.0)
frame-setup CFI_INSTRUCTION def_cfa_offset 16
frame-setup CFI_INSTRUCTION offset $w30, -16
renamable $x8 = ADRP target-flags(aarch64-page) @a
renamable $x8 = LDRXui killed renamable $x8, target-flags(aarch64-pageoff, aarch64-nc) @a :: (dereferenceable load 8 from `i32 ()** bitcast (i32 (...)** @a to i32 ()**)`)
BLRNoIP killed renamable $x8, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit-def $sp, implicit-def $w0
; CHECK: BL <mcsymbol __llvm_slsblr_thunk_x8>, csr_aarch64_aapcs, implicit-def dead $lr, implicit $sp, implicit-def $sp, implicit-def $w0, implicit killed $x8
renamable $x8 = ADRP target-flags(aarch64-page) @b
STRWui killed renamable $w0, killed renamable $x8, target-flags(aarch64-pageoff, aarch64-nc) @b :: (store 4 into @b)
early-clobber $sp, $lr = frame-destroy LDRXpost $sp, 16 ; :: (load 8 from %stack.0)
RET undef $lr
...
---
name: __llvm_slsblr_thunk_x8
tracksRegLiveness: true
body: |
bb.0.entry:
liveins: $x8
BR $x8
SpeculationBarrierISBDSBEndBB
...

llvm/test/CodeGen/AArch64/speculation-hardening-sls.ll

; RUN: llc -mattr=harden-sls-retbr -verify-machineinstrs -mtriple=aarch64-none-linux-gnu < %s | FileCheck %s --check-prefixes=CHECK,ISBDSB ; RUN: llc -mattr=harden-sls-retbr,harden-sls-blr -verify-machineinstrs -mtriple=aarch64-none-linux-gnu < %s | FileCheck %s --check-prefixes=CHECK,HARDEN,ISBDSB
; RUN: llc -mattr=harden-sls-retbr -mattr=+sb -verify-machineinstrs -mtriple=aarch64-none-linux-gnu < %s | FileCheck %s --check-prefixes=CHECK,SB ; RUN: llc -mattr=harden-sls-retbr,harden-sls-blr -mattr=+sb -verify-machineinstrs -mtriple=aarch64-none-linux-gnu < %s | FileCheck %s --check-prefixes=CHECK,HARDEN,SB
; RUN: llc -verify-machineinstrs -mtriple=aarch64-none-linux-gnu < %s | FileCheck %s --check-prefixes=CHECK,NOHARDEN
; Function Attrs: norecurse nounwind readnone ; Function Attrs: norecurse nounwind readnone
define dso_local i32 @double_return(i32 %a, i32 %b) local_unnamed_addr { define dso_local i32 @double_return(i32 %a, i32 %b) local_unnamed_addr {
entry: entry:
%cmp = icmp sgt i32 %a, 0 %cmp = icmp sgt i32 %a, 0
br i1 %cmp, label %if.then, label %if.else br i1 %cmp, label %if.then, label %if.else
if.then: ; preds = %entry if.then: ; preds = %entry
%div = sdiv i32 %a, %b %div = sdiv i32 %a, %b
ret i32 %div ret i32 %div
if.else: ; preds = %entry if.else: ; preds = %entry
%div1 = sdiv i32 %b, %a %div1 = sdiv i32 %b, %a
ret i32 %div1 ret i32 %div1
; CHECK-LABEL: double_return: ; CHECK-LABEL: double_return:
; CHECK: {{ret$}} ; CHECK: {{ret$}}
; ISBDSB-NEXT: dsb sy ; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb ; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}} ; SB-NEXT: {{ sb$}}
; CHECK: {{ret$}} ; CHECK: {{ret$}}
; ISBDSB-NEXT: dsb sy ; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb ; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}} ; SB-NEXT: {{ sb$}}
; CHECK-NEXT: .Lfunc_end
} }
@__const.indirect_branch.ptr = private unnamed_addr constant [2 x i8*] [i8* blockaddress(@indirect_branch, %return), i8* blockaddress(@indirect_branch, %l2)], align 8 @__const.indirect_branch.ptr = private unnamed_addr constant [2 x i8*] [i8* blockaddress(@indirect_branch, %return), i8* blockaddress(@indirect_branch, %l2)], align 8
; Function Attrs: norecurse nounwind readnone ; Function Attrs: norecurse nounwind readnone
define dso_local i32 @indirect_branch(i32 %a, i32 %b, i32 %i) { define dso_local i32 @indirect_branch(i32 %a, i32 %b, i32 %i) {
; CHECK-LABEL: indirect_branch:
entry: entry:
%idxprom = sext i32 %i to i64 %idxprom = sext i32 %i to i64
%arrayidx = getelementptr inbounds [2 x i8*], [2 x i8*]* @__const.indirect_branch.ptr, i64 0, i64 %idxprom %arrayidx = getelementptr inbounds [2 x i8*], [2 x i8*]* @__const.indirect_branch.ptr, i64 0, i64 %idxprom
%0 = load i8*, i8** %arrayidx, align 8 %0 = load i8*, i8** %arrayidx, align 8
indirectbr i8* %0, [label %return, label %l2] indirectbr i8* %0, [label %return, label %l2]
; CHECK: br x
; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}}
l2: ; preds = %entry l2: ; preds = %entry
br label %return br label %return
; CHECK: {{ret$}}
; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}}
return: ; preds = %entry, %l2 return: ; preds = %entry, %l2
%retval.0 = phi i32 [ 1, %l2 ], [ 0, %entry ] %retval.0 = phi i32 [ 1, %l2 ], [ 0, %entry ]
ret i32 %retval.0 ret i32 %retval.0
; CHECK-LABEL: indirect_branch:
; CHECK: br x
; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}}
; CHECK: {{ret$}} ; CHECK: {{ret$}}
; ISBDSB-NEXT: dsb sy ; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb ; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}} ; SB-NEXT: {{ sb$}}
; CHECK-NEXT: .Lfunc_end
} }
; Check that RETAA and RETAB instructions are also protected as expected. ; Check that RETAA and RETAB instructions are also protected as expected.
define dso_local i32 @ret_aa(i32 returned %a) local_unnamed_addr "target-features"="+neon,+v8.3a" "sign-return-address"="all" "sign-return-address-key"="a_key" { define dso_local i32 @ret_aa(i32 returned %a) local_unnamed_addr "target-features"="+neon,+v8.3a" "sign-return-address"="all" "sign-return-address-key"="a_key" {
entry: entry:
; CHECK-LABEL: ret_aa: ; CHECK-LABEL: ret_aa:
; CHECK: {{ retaa$}} ; CHECK: {{ retaa$}}
; ISBDSB-NEXT: dsb sy ; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb ; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}} ; SB-NEXT: {{ sb$}}
; CHECK-NEXT: .Lfunc_end
ret i32 %a ret i32 %a
} }
define dso_local i32 @ret_ab(i32 returned %a) local_unnamed_addr "target-features"="+neon,+v8.3a" "sign-return-address"="all" "sign-return-address-key"="b_key" { define dso_local i32 @ret_ab(i32 returned %a) local_unnamed_addr "target-features"="+neon,+v8.3a" "sign-return-address"="all" "sign-return-address-key"="b_key" {
entry: entry:
; CHECK-LABEL: ret_ab: ; CHECK-LABEL: ret_ab:
; CHECK: {{ retab$}} ; CHECK: {{ retab$}}
; ISBDSB-NEXT: dsb sy ; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb ; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}} ; SB-NEXT: {{ sb$}}
; CHECK-NEXT: .Lfunc_end
ret i32 %a ret i32 %a
} }
define i32 @asmgoto() { define i32 @asmgoto() {
entry: entry:
; CHECK-LABEL: asmgoto: ; CHECK-LABEL: asmgoto:
callbr void asm sideeffect "B $0", "X"(i8* blockaddress(@asmgoto, %d)) callbr void asm sideeffect "B $0", "X"(i8* blockaddress(@asmgoto, %d))
to label %asm.fallthrough [label %d] to label %asm.fallthrough [label %d]
Show All 15 Lines
d: ; preds = %asm.fallthrough, %entry d: ; preds = %asm.fallthrough, %entry
ret i32 1 ret i32 1
; CHECK: {{ret$}} ; CHECK: {{ret$}}
; ISBDSB-NEXT: dsb sy ; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb ; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}} ; SB-NEXT: {{ sb$}}
; CHECK-NEXT: .Lfunc_end ; CHECK-NEXT: .Lfunc_end
} }
define dso_local i32 @indirect_call(
i32 (...)* nocapture %f1, i32 (...)* nocapture %f2) {
entry:
; CHECK-LABEL: indirect_call:
%callee.knr.cast = bitcast i32 (...)* %f1 to i32 ()*
%call = tail call i32 %callee.knr.cast()
; HARDEN: bl {{__llvm_slsblr_thunk_x[0-9]+$}}
%callee.knr.cast1 = bitcast i32 (...)* %f2 to i32 ()*
%call2 = tail call i32 %callee.knr.cast1()
; HARDEN: bl {{__llvm_slsblr_thunk_x[0-9]+$}}
%add = add nsw i32 %call2, %call
ret i32 %add
; CHECK: .Lfunc_end
}
; verify calling through a function pointer.
@a = dso_local local_unnamed_addr global i32 (...)* null, align 8
@b = dso_local local_unnamed_addr global i32 0, align 4
define dso_local void @indirect_call_global() local_unnamed_addr {
; CHECK-LABEL: indirect_call_global:
entry:
%0 = load i32 ()*, i32 ()** bitcast (i32 (...)** @a to i32 ()**), align 8
%call = tail call i32 %0() nounwind
; HARDEN: bl {{__llvm_slsblr_thunk_x[0-9]+$}}
store i32 %call, i32* @b, align 4
ret void
; CHECK: .Lfunc_end
}
; Verify that neither x16 nor x17 are used when the BLR mitigation is enabled,
; as a linker is allowed to clobber x16 or x17 on calls, which would break the
; correct execution of the code sequence produced by the mitigation.
; The below test carefully increases register pressure to persuade code
; generation to produce a BLR x16. Yes, that is a bit fragile.
define i64 @check_x16(i64 (i8*, i64, i64, i64, i64, i64, i64, i64)** nocapture readonly %fp, i64 (i8*, i64, i64, i64, i64, i64, i64, i64)** nocapture readonly %fp2) "target-features"="+neon,+reserve-x10,+reserve-x11,+reserve-x12,+reserve-x13,+reserve-x14,+reserve-x15,+reserve-x18,+reserve-x20,+reserve-x21,+reserve-x22,+reserve-x23,+reserve-x24,+reserve-x25,+reserve-x26,+reserve-x27,+reserve-x28,+reserve-x30,+reserve-x9" {
entry:
; CHECK-LABEL: check_x16:
%0 = load i64 (i8*, i64, i64, i64, i64, i64, i64, i64)*, i64 (i8*, i64, i64, i64, i64, i64, i64, i64)** %fp, align 8
%1 = bitcast i64 (i8*, i64, i64, i64, i64, i64, i64, i64)** %fp2 to i8**
%2 = load i8*, i8** %1, align 8
%call = call i64 %0(i8* %2, i64 0, i64 0, i64 0, i64 0, i64 0, i64 0, i64 0)
%3 = load i64 (i8*, i64, i64, i64, i64, i64, i64, i64)*, i64 (i8*, i64, i64, i64, i64, i64, i64, i64)** %fp2, align 8
%4 = bitcast i64 (i8*, i64, i64, i64, i64, i64, i64, i64)** %fp to i8**
%5 = load i8*, i8** %4, align 8;, !tbaa !2
%call1 = call i64 %3(i8* %5, i64 0, i64 0, i64 0, i64 0, i64 0, i64 0, i64 0)
; NOHARDEN: blr x16
; ISBDSB-NOT: bl __llvm_slsblr_thunk_x16
; SB-NOT: bl __llvm_slsblr_thunk_x16
; CHECK
%add = add nsw i64 %call1, %call
ret i64 %add
; CHECK: .Lfunc_end
}
; HARDEN-label: __llvm_slsblr_thunk_x0:
; HARDEN: br x0
; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb
; SB-NEXT: dsb sy
; SB-NEXT: isb
; HARDEN-NEXT: .Lfunc_end
; HARDEN-label: __llvm_slsblr_thunk_x19:
; HARDEN: br x19
; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb
; SB-NEXT: dsb sy
; SB-NEXT: isb
; HARDEN-NEXT: .Lfunc_end