This is an archive of the discontinued LLVM Phabricator instance.

Differential D84471

[X86] Fix for ballooning compile times due to Load Value Injection (LVI) mitigations
ClosedPublic

Authored by sconstab on Jul 23 2020, 3:52 PM.

Details

Reviewers
mattdr
craig.topper
Commits
rGec1445c5afda: [X86] Fix for ballooning compile times due to Load Value Injection (LVI)…
Summary

Fix for the issue raised in https://github.com/rust-lang/rust/issues/74632.

The current heuristic for inserting LFENCEs uses a quadratic-time algorithm. This can apparently cause substantial compilation slowdowns for building Rust projects, where functions > 5000 LoC are apparently common.

The updated heuristic in this patch implements a linear-time algorithm. On a set of benchmarks, the slowdown factor for the generated code was comparable (2.55x geo mean for the quadratic-time heuristic, vs. 2.58x for the linear-time heuristic). Both heuristics offer the same security properties, namely, mitigating LVI.

This patch also includes some formatting fixes.

Diff Detail

Event Timeline

sconstab created this revision.Jul 23 2020, 3:52 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 23 2020, 3:52 PM
Herald added subscribers: jfb, JDevlieghere, hiraditya. · View Herald Transcript
mattdr added a comment.Jul 23 2020, 4:28 PM

Glad that we could make this simpler without making the resulting code much slower!

llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp
684–686

nit: I spent some time trying to figure out how these are "implied" by the requirement and I don't think they are. Let's update the comment to make it clear we're describing one approach that happens to meet the requirement at a sweet spot of simplicity and speed.

703–706

Two things:

  1. What's the intuition for aggregating with "max" here rather than, say, summing the weights?
  1. It seems like we should be taking CutEdges into account somehow here. If we've already decided to cut an expensive edge, the *incremental* cost of cutting it again is zero and we shouldn't be including it here.
710

EdgeSet has |= for union, maybe that would be better here

sconstab updated this revision to Diff 280575.Jul 24 2020, 1:24 PM
sconstab marked 3 inline comments as done.

Addressed comments by @mattdr

llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp
703–706

Thanks for pointing this out. I don't know why my intuition led me to use std::max. The minimum multi-cut algorithm would, in essence, also be adding the weights. And I think you're also correct that edges that have already been cut can be treated as having cost 0.

I implemented these changes, and measured (1) a small decrease in the number of LFENCEs inserted, (2) no significant performance difference, and (3) no exposed LVI vulnerabilities.

710

|= is not overloaded for an array-like container on the RHS. Unless you think that EdgesToCut should also be a BitVector?

mattdr accepted this revision.Jul 24 2020, 4:07 PM
mattdr added inline comments.
llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp
704–705

I think this is clearer as:

if (!CutEdges.contains(*EgressEdge))
  EgressCutCost += EgressEdge->getValue();

likewise for the loop over IngressEdges.

710

Ah, my mistake -- one too many autos for me to trace through. This is fine.

This revision is now accepted and ready to land.Jul 24 2020, 4:07 PM
sconstab updated this revision to Diff 280618.Jul 24 2020, 4:32 PM

Addressed @mattdr 's lone comment on style.

sconstab updated this revision to Diff 280966.Jul 27 2020, 10:30 AM

Made one further optimization.

At line 669, I added a check that will only invoke elimMitigatedEdgesAndNodes() if the current function already has LFENCEs that may mitigate some gadgets. If the function does not have any LFENCEs, then elimMitigatedEdgesAndNodes() will not transform the gadget graph because (a) there are no fences to eliminate, and (b) the new heuristic only performs *one* round of cuts *after* elimMitigatedEdgesAndNodes() runs.

sconstab requested review of this revision.Jul 27 2020, 10:30 AM
mattdr added inline comments.Jul 27 2020, 11:51 AM
llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp
674–675

Can we add this as an early-exit case in trimMitigatedEdges instead?

680–681

Seems like this early-exit case should not have been guarded by the if.

sconstab updated this revision to Diff 281041.Jul 27 2020, 1:20 PM
sconstab marked 2 inline comments as done.
sconstab added inline comments.
llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp
674–675

That would negatively impact the hardenLoadsWithPlugin() flow that may need to trimMitigatedEdges() even if Graph->NumFences == 0.

mattdr accepted this revision.Jul 27 2020, 1:29 PM
This revision is now accepted and ready to land.Jul 27 2020, 1:29 PM
craig.topper added inline comments.Jul 27 2020, 2:26 PM
llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp
663–670

I'm not a big fan of calling a pointer a "Ref". It makes me think its a reference but you have to dereference it. Do we gain much from omitting the '*' where this is used?

712

I think llvm::for_each is discouraged in this case by the statement here https://llvm.org/docs/CodingStandards.html#use-range-based-for-loops-wherever-possible

sconstab updated this revision to Diff 281064.Jul 27 2020, 3:28 PM
sconstab marked 2 inline comments as done.

Addressed @craig.topper 's comments, and also changed some autos to Edge/Node wherever possible to improve readability.

craig.topper accepted this revision.Jul 28 2020, 1:29 PM

LGTM

craig.topper added a comment.Jul 30 2020, 9:05 AM

@sconstab Do you need someone to commit this?

sconstab added a comment.Jul 30 2020, 9:22 AM

@craig.topper Yes.

Closed by commit rGec1445c5afda: [X86] Fix for ballooning compile times due to Load Value Injection (LVI)… (authored by sconstab, committed by craig.topper). · Explain WhyJul 30 2020, 5:44 PM
This revision was automatically updated to reflect the committed changes.
craig.topper added a commit: rGec1445c5afda: [X86] Fix for ballooning compile times due to Load Value Injection (LVI)….

Revision Contents

PathSize
llvm/
lib/
Target/
X86/
180 lines

Diff 282088

llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp

Show All 36 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ImmutableGraph.h" #include "ImmutableGraph.h"
#include "X86.h" #include "X86.h"
#include "X86Subtarget.h" #include "X86Subtarget.h"
#include "X86TargetMachine.h" #include "X86TargetMachine.h"
#include "llvm/ADT/DenseMap.h" #include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/DenseSet.h" #include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallSet.h" #include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringRef.h" #include "llvm/ADT/StringRef.h"
#include "llvm/CodeGen/MachineBasicBlock.h" #include "llvm/CodeGen/MachineBasicBlock.h"
#include "llvm/CodeGen/MachineDominanceFrontier.h" #include "llvm/CodeGen/MachineDominanceFrontier.h"
#include "llvm/CodeGen/MachineDominators.h" #include "llvm/CodeGen/MachineDominators.h"
#include "llvm/CodeGen/MachineFunction.h" #include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineFunctionPass.h" #include "llvm/CodeGen/MachineFunctionPass.h"
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines
static cl::opt<bool> EmitDotVerify( static cl::opt<bool> EmitDotVerify(
PASS_KEY "-dot-verify", PASS_KEY "-dot-verify",
cl::desc("For each function, emit a dot graph to stdout depicting " cl::desc("For each function, emit a dot graph to stdout depicting "
"potential LVI gadgets, used for testing purposes only"), "potential LVI gadgets, used for testing purposes only"),
cl::init(false), cl::Hidden); cl::init(false), cl::Hidden);
static llvm::sys::DynamicLibrary OptimizeDL; static llvm::sys::DynamicLibrary OptimizeDL;
typedef int (*OptimizeCutT)(unsigned int *nodes, unsigned int nodes_size, typedef int (*OptimizeCutT)(unsigned int *Nodes, unsigned int NodesSize,
unsigned int *edges, int *edge_values, unsigned int *Edges, int *EdgeValues,
int *cut_edges /* out */, unsigned int edges_size); int *CutEdges /* out */, unsigned int EdgesSize);
static OptimizeCutT OptimizeCut = nullptr; static OptimizeCutT OptimizeCut = nullptr;
namespace { namespace {
struct MachineGadgetGraph : ImmutableGraph<MachineInstr *, int> { struct MachineGadgetGraph : ImmutableGraph<MachineInstr *, int> {
static constexpr int GadgetEdgeSentinel = -1; static constexpr int GadgetEdgeSentinel = -1;
static constexpr MachineInstr *const ArgNodeSentinel = nullptr; static constexpr MachineInstr *const ArgNodeSentinel = nullptr;
Show All 25 Linespublic:
} }
void getAnalysisUsage(AnalysisUsage &AU) const override; void getAnalysisUsage(AnalysisUsage &AU) const override;
bool runOnMachineFunction(MachineFunction &MF) override; bool runOnMachineFunction(MachineFunction &MF) override;
static char ID; static char ID;
private: private:
using GraphBuilder = ImmutableGraphBuilder<MachineGadgetGraph>; using GraphBuilder = ImmutableGraphBuilder<MachineGadgetGraph>;
using Edge = MachineGadgetGraph::Edge;
using Node = MachineGadgetGraph::Node;
using EdgeSet = MachineGadgetGraph::EdgeSet; using EdgeSet = MachineGadgetGraph::EdgeSet;
using NodeSet = MachineGadgetGraph::NodeSet; using NodeSet = MachineGadgetGraph::NodeSet;
using Gadget = std::pair<MachineInstr *, MachineInstr *>;
const X86Subtarget *STI; const X86Subtarget *STI;
const TargetInstrInfo *TII; const TargetInstrInfo *TII;
const TargetRegisterInfo *TRI; const TargetRegisterInfo *TRI;
std::unique_ptr<MachineGadgetGraph> std::unique_ptr<MachineGadgetGraph>
getGadgetGraph(MachineFunction &MF, const MachineLoopInfo &MLI, getGadgetGraph(MachineFunction &MF, const MachineLoopInfo &MLI,
const MachineDominatorTree &MDT, const MachineDominatorTree &MDT,
const MachineDominanceFrontier &MDF) const; const MachineDominanceFrontier &MDF) const;
int hardenLoadsWithPlugin(MachineFunction &MF, int hardenLoadsWithPlugin(MachineFunction &MF,
std::unique_ptr<MachineGadgetGraph> Graph) const; std::unique_ptr<MachineGadgetGraph> Graph) const;
int hardenLoadsWithGreedyHeuristic( int hardenLoadsWithHeuristic(MachineFunction &MF,
MachineFunction &MF, std::unique_ptr<MachineGadgetGraph> Graph) const; std::unique_ptr<MachineGadgetGraph> Graph) const;
int elimMitigatedEdgesAndNodes(MachineGadgetGraph &G, int elimMitigatedEdgesAndNodes(MachineGadgetGraph &G,
EdgeSet &ElimEdges /* in, out */, EdgeSet &ElimEdges /* in, out */,
NodeSet &ElimNodes /* in, out */) const; NodeSet &ElimNodes /* in, out */) const;
std::unique_ptr<MachineGadgetGraph> std::unique_ptr<MachineGadgetGraph>
trimMitigatedEdges(std::unique_ptr<MachineGadgetGraph> Graph) const; trimMitigatedEdges(std::unique_ptr<MachineGadgetGraph> Graph) const;
void findAndCutEdges(MachineGadgetGraph &G, void findAndCutEdges(MachineGadgetGraph &G,
EdgeSet &CutEdges /* out */) const; EdgeSet &CutEdges /* out */) const;
int insertFences(MachineFunction &MF, MachineGadgetGraph &G, int insertFences(MachineFunction &MF, MachineGadgetGraph &G,
Show All 18 Lines
struct DOTGraphTraits<MachineGadgetGraph *> : DefaultDOTGraphTraits { struct DOTGraphTraits<MachineGadgetGraph *> : DefaultDOTGraphTraits {
using GraphType = MachineGadgetGraph; using GraphType = MachineGadgetGraph;
using Traits = llvm::GraphTraits<GraphType *>; using Traits = llvm::GraphTraits<GraphType *>;
using NodeRef = typename Traits::NodeRef; using NodeRef = typename Traits::NodeRef;
using EdgeRef = typename Traits::EdgeRef; using EdgeRef = typename Traits::EdgeRef;
using ChildIteratorType = typename Traits::ChildIteratorType; using ChildIteratorType = typename Traits::ChildIteratorType;
using ChildEdgeIteratorType = typename Traits::ChildEdgeIteratorType; using ChildEdgeIteratorType = typename Traits::ChildEdgeIteratorType;
DOTGraphTraits(bool isSimple = false) : DefaultDOTGraphTraits(isSimple) {} DOTGraphTraits(bool IsSimple = false) : DefaultDOTGraphTraits(IsSimple) {}
std::string getNodeLabel(NodeRef Node, GraphType *) { std::string getNodeLabel(NodeRef Node, GraphType *) {
if (Node->getValue() == MachineGadgetGraph::ArgNodeSentinel) if (Node->getValue() == MachineGadgetGraph::ArgNodeSentinel)
return "ARGS"; return "ARGS";
std::string Str; std::string Str;
raw_string_ostream OS(Str); raw_string_ostream OS(Str);
OS << *Node->getValue(); OS << *Node->getValue();
Show All 28 Linesvoid X86LoadValueInjectionLoadHardeningPass::getAnalysisUsage(
AnalysisUsage &AU) const { AnalysisUsage &AU) const {
MachineFunctionPass::getAnalysisUsage(AU); MachineFunctionPass::getAnalysisUsage(AU);
AU.addRequired<MachineLoopInfo>(); AU.addRequired<MachineLoopInfo>();
AU.addRequired<MachineDominatorTree>(); AU.addRequired<MachineDominatorTree>();
AU.addRequired<MachineDominanceFrontier>(); AU.addRequired<MachineDominanceFrontier>();
AU.setPreservesCFG(); AU.setPreservesCFG();
} }
static void WriteGadgetGraph(raw_ostream &OS, MachineFunction &MF, static void writeGadgetGraph(raw_ostream &OS, MachineFunction &MF,
MachineGadgetGraph *G) { MachineGadgetGraph *G) {
WriteGraph(OS, G, /*ShortNames*/ false, WriteGraph(OS, G, /*ShortNames*/ false,
"Speculative gadgets for \"" + MF.getName() + "\" function"); "Speculative gadgets for \"" + MF.getName() + "\" function");
} }
bool X86LoadValueInjectionLoadHardeningPass::runOnMachineFunction( bool X86LoadValueInjectionLoadHardeningPass::runOnMachineFunction(
MachineFunction &MF) { MachineFunction &MF) {
LLVM_DEBUG(dbgs() << "***** " << getPassName() << " : " << MF.getName() LLVM_DEBUG(dbgs() << "***** " << getPassName() << " : " << MF.getName()
Show All 19 Linesbool X86LoadValueInjectionLoadHardeningPass::runOnMachineFunction(
const auto &MDT = getAnalysis<MachineDominatorTree>(); const auto &MDT = getAnalysis<MachineDominatorTree>();
const auto &MDF = getAnalysis<MachineDominanceFrontier>(); const auto &MDF = getAnalysis<MachineDominanceFrontier>();
std::unique_ptr<MachineGadgetGraph> Graph = getGadgetGraph(MF, MLI, MDT, MDF); std::unique_ptr<MachineGadgetGraph> Graph = getGadgetGraph(MF, MLI, MDT, MDF);
LLVM_DEBUG(dbgs() << "Building gadget graph... Done\n"); LLVM_DEBUG(dbgs() << "Building gadget graph... Done\n");
if (Graph == nullptr) if (Graph == nullptr)
return false; // didn't find any gadgets return false; // didn't find any gadgets
if (EmitDotVerify) { if (EmitDotVerify) {
WriteGadgetGraph(outs(), MF, Graph.get()); writeGadgetGraph(outs(), MF, Graph.get());
return false; return false;
} }
if (EmitDot || EmitDotOnly) { if (EmitDot || EmitDotOnly) {
LLVM_DEBUG(dbgs() << "Emitting gadget graph...\n"); LLVM_DEBUG(dbgs() << "Emitting gadget graph...\n");
std::error_code FileError; std::error_code FileError;
std::string FileName = "lvi."; std::string FileName = "lvi.";
FileName += MF.getName(); FileName += MF.getName();
FileName += ".dot"; FileName += ".dot";
raw_fd_ostream FileOut(FileName, FileError); raw_fd_ostream FileOut(FileName, FileError);
if (FileError) if (FileError)
errs() << FileError.message(); errs() << FileError.message();
WriteGadgetGraph(FileOut, MF, Graph.get()); writeGadgetGraph(FileOut, MF, Graph.get());
FileOut.close(); FileOut.close();
LLVM_DEBUG(dbgs() << "Emitting gadget graph... Done\n"); LLVM_DEBUG(dbgs() << "Emitting gadget graph... Done\n");
if (EmitDotOnly) if (EmitDotOnly)
return false; return false;
} }
int FencesInserted; int FencesInserted;
if (!OptimizePluginPath.empty()) { if (!OptimizePluginPath.empty()) {
if (!OptimizeDL.isValid()) { if (!OptimizeDL.isValid()) {
std::string ErrorMsg; std::string ErrorMsg;
OptimizeDL = llvm::sys::DynamicLibrary::getPermanentLibrary( OptimizeDL = llvm::sys::DynamicLibrary::getPermanentLibrary(
OptimizePluginPath.c_str(), &ErrorMsg); OptimizePluginPath.c_str(), &ErrorMsg);
if (!ErrorMsg.empty()) if (!ErrorMsg.empty())
report_fatal_error("Failed to load opt plugin: \"" + ErrorMsg + '\"'); report_fatal_error("Failed to load opt plugin: \"" + ErrorMsg + '\"');
OptimizeCut = (OptimizeCutT)OptimizeDL.getAddressOfSymbol("optimize_cut"); OptimizeCut = (OptimizeCutT)OptimizeDL.getAddressOfSymbol("optimize_cut");
if (!OptimizeCut) if (!OptimizeCut)
report_fatal_error("Invalid optimization plugin"); report_fatal_error("Invalid optimization plugin");
} }
FencesInserted = hardenLoadsWithPlugin(MF, std::move(Graph)); FencesInserted = hardenLoadsWithPlugin(MF, std::move(Graph));
} else { // Use the default greedy heuristic } else { // Use the default greedy heuristic
FencesInserted = hardenLoadsWithGreedyHeuristic(MF, std::move(Graph)); FencesInserted = hardenLoadsWithHeuristic(MF, std::move(Graph));
} }
if (FencesInserted > 0) if (FencesInserted > 0)
++NumFunctionsMitigated; ++NumFunctionsMitigated;
NumFences += FencesInserted; NumFences += FencesInserted;
return (FencesInserted > 0); return (FencesInserted > 0);
} }
▲ Show 20 LinesShow All 210 Lines▼ Show 20 LinesX86LoadValueInjectionLoadHardeningPass::getGadgetGraph(
TraverseCFG(&MF.front(), ArgNode, 0); TraverseCFG(&MF.front(), ArgNode, 0);
std::unique_ptr<MachineGadgetGraph> G{Builder.get(FenceCount, GadgetCount)}; std::unique_ptr<MachineGadgetGraph> G{Builder.get(FenceCount, GadgetCount)};
LLVM_DEBUG(dbgs() << "Found " << G->nodes_size() << " nodes\n"); LLVM_DEBUG(dbgs() << "Found " << G->nodes_size() << " nodes\n");
return G; return G;
} }
// Returns the number of remaining gadget edges that could not be eliminated // Returns the number of remaining gadget edges that could not be eliminated
int X86LoadValueInjectionLoadHardeningPass::elimMitigatedEdgesAndNodes( int X86LoadValueInjectionLoadHardeningPass::elimMitigatedEdgesAndNodes(
MachineGadgetGraph &G, MachineGadgetGraph::EdgeSet &ElimEdges /* in, out */, MachineGadgetGraph &G, EdgeSet &ElimEdges /* in, out */,
MachineGadgetGraph::NodeSet &ElimNodes /* in, out */) const { NodeSet &ElimNodes /* in, out */) const {
if (G.NumFences > 0) { if (G.NumFences > 0) {
// Eliminate fences and CFG edges that ingress and egress the fence, as // Eliminate fences and CFG edges that ingress and egress the fence, as
// they are trivially mitigated. // they are trivially mitigated.
for (const auto &E : G.edges()) { for (const Edge &E : G.edges()) {
const MachineGadgetGraph::Node *Dest = E.getDest(); const Node *Dest = E.getDest();
if (isFence(Dest->getValue())) { if (isFence(Dest->getValue())) {
ElimNodes.insert(*Dest); ElimNodes.insert(*Dest);
ElimEdges.insert(E); ElimEdges.insert(E);
for (const auto &DE : Dest->edges()) for (const Edge &DE : Dest->edges())
ElimEdges.insert(DE); ElimEdges.insert(DE);
} }
} }
} }
// Find and eliminate gadget edges that have been mitigated. // Find and eliminate gadget edges that have been mitigated.
int MitigatedGadgets = 0, RemainingGadgets = 0; int MitigatedGadgets = 0, RemainingGadgets = 0;
MachineGadgetGraph::NodeSet ReachableNodes{G}; NodeSet ReachableNodes{G};
for (const auto &RootN : G.nodes()) { for (const Node &RootN : G.nodes()) {
if (llvm::none_of(RootN.edges(), MachineGadgetGraph::isGadgetEdge)) if (llvm::none_of(RootN.edges(), MachineGadgetGraph::isGadgetEdge))
continue; // skip this node if it isn't a gadget source continue; // skip this node if it isn't a gadget source
// Find all of the nodes that are CFG-reachable from RootN using DFS // Find all of the nodes that are CFG-reachable from RootN using DFS
ReachableNodes.clear(); ReachableNodes.clear();
std::function<void(const MachineGadgetGraph::Node *, bool)> std::function<void(const Node *, bool)> FindReachableNodes =
FindReachableNodes = [&](const Node *N, bool FirstNode) {
[&](const MachineGadgetGraph::Node *N, bool FirstNode) {
if (!FirstNode) if (!FirstNode)
ReachableNodes.insert(*N); ReachableNodes.insert(*N);
for (const auto &E : N->edges()) { for (const Edge &E : N->edges()) {
const MachineGadgetGraph::Node *Dest = E.getDest(); const Node *Dest = E.getDest();
if (MachineGadgetGraph::isCFGEdge(E) && if (MachineGadgetGraph::isCFGEdge(E) && !ElimEdges.contains(E) &&
!ElimEdges.contains(E) && !ReachableNodes.contains(*Dest)) !ReachableNodes.contains(*Dest))
FindReachableNodes(Dest, false); FindReachableNodes(Dest, false);
} }
}; };
FindReachableNodes(&RootN, true); FindReachableNodes(&RootN, true);
// Any gadget whose sink is unreachable has been mitigated // Any gadget whose sink is unreachable has been mitigated
for (const auto &E : RootN.edges()) { for (const Edge &E : RootN.edges()) {
if (MachineGadgetGraph::isGadgetEdge(E)) { if (MachineGadgetGraph::isGadgetEdge(E)) {
if (ReachableNodes.contains(*E.getDest())) { if (ReachableNodes.contains(*E.getDest())) {
// This gadget's sink is reachable // This gadget's sink is reachable
++RemainingGadgets; ++RemainingGadgets;
} else { // This gadget's sink is unreachable, and therefore mitigated } else { // This gadget's sink is unreachable, and therefore mitigated
++MitigatedGadgets; ++MitigatedGadgets;
ElimEdges.insert(E); ElimEdges.insert(E);
} }
} }
} }
} }
return RemainingGadgets; return RemainingGadgets;
} }
std::unique_ptr<MachineGadgetGraph> std::unique_ptr<MachineGadgetGraph>
X86LoadValueInjectionLoadHardeningPass::trimMitigatedEdges( X86LoadValueInjectionLoadHardeningPass::trimMitigatedEdges(
std::unique_ptr<MachineGadgetGraph> Graph) const { std::unique_ptr<MachineGadgetGraph> Graph) const {
MachineGadgetGraph::NodeSet ElimNodes{*Graph}; NodeSet ElimNodes{*Graph};
MachineGadgetGraph::EdgeSet ElimEdges{*Graph}; EdgeSet ElimEdges{*Graph};
int RemainingGadgets = int RemainingGadgets =
elimMitigatedEdgesAndNodes(*Graph, ElimEdges, ElimNodes); elimMitigatedEdgesAndNodes(*Graph, ElimEdges, ElimNodes);
if (ElimEdges.empty() && ElimNodes.empty()) { if (ElimEdges.empty() && ElimNodes.empty()) {
Graph->NumFences = 0; Graph->NumFences = 0;
Graph->NumGadgets = RemainingGadgets; Graph->NumGadgets = RemainingGadgets;
} else { } else {
Graph = GraphBuilder::trim(*Graph, ElimNodes, ElimEdges, 0 /* NumFences */, Graph = GraphBuilder::trim(*Graph, ElimNodes, ElimEdges, 0 /* NumFences */,
RemainingGadgets); RemainingGadgets);
Show All 14 Lines do {
LLVM_DEBUG(dbgs() << "Cutting edges...\n"); LLVM_DEBUG(dbgs() << "Cutting edges...\n");
EdgeSet CutEdges{*Graph}; EdgeSet CutEdges{*Graph};
auto Nodes = std::make_unique<unsigned int[]>(Graph->nodes_size() + auto Nodes = std::make_unique<unsigned int[]>(Graph->nodes_size() +
1 /* terminator node */); 1 /* terminator node */);
auto Edges = std::make_unique<unsigned int[]>(Graph->edges_size()); auto Edges = std::make_unique<unsigned int[]>(Graph->edges_size());
auto EdgeCuts = std::make_unique<int[]>(Graph->edges_size()); auto EdgeCuts = std::make_unique<int[]>(Graph->edges_size());
auto EdgeValues = std::make_unique<int[]>(Graph->edges_size()); auto EdgeValues = std::make_unique<int[]>(Graph->edges_size());
for (const auto &N : Graph->nodes()) { for (const Node &N : Graph->nodes()) {
Nodes[Graph->getNodeIndex(N)] = Graph->getEdgeIndex(*N.edges_begin()); Nodes[Graph->getNodeIndex(N)] = Graph->getEdgeIndex(*N.edges_begin());
} }
Nodes[Graph->nodes_size()] = Graph->edges_size(); // terminator node Nodes[Graph->nodes_size()] = Graph->edges_size(); // terminator node
for (const auto &E : Graph->edges()) { for (const Edge &E : Graph->edges()) {
Edges[Graph->getEdgeIndex(E)] = Graph->getNodeIndex(*E.getDest()); Edges[Graph->getEdgeIndex(E)] = Graph->getNodeIndex(*E.getDest());
EdgeValues[Graph->getEdgeIndex(E)] = E.getValue(); EdgeValues[Graph->getEdgeIndex(E)] = E.getValue();
} }
OptimizeCut(Nodes.get(), Graph->nodes_size(), Edges.get(), EdgeValues.get(), OptimizeCut(Nodes.get(), Graph->nodes_size(), Edges.get(), EdgeValues.get(),
EdgeCuts.get(), Graph->edges_size()); EdgeCuts.get(), Graph->edges_size());
for (int I = 0; I < Graph->edges_size(); ++I) for (int I = 0; I < Graph->edges_size(); ++I)
if (EdgeCuts[I]) if (EdgeCuts[I])
CutEdges.set(I); CutEdges.set(I);
LLVM_DEBUG(dbgs() << "Cutting edges... Done\n"); LLVM_DEBUG(dbgs() << "Cutting edges... Done\n");
LLVM_DEBUG(dbgs() << "Cut " << CutEdges.count() << " edges\n"); LLVM_DEBUG(dbgs() << "Cut " << CutEdges.count() << " edges\n");
LLVM_DEBUG(dbgs() << "Inserting LFENCEs...\n"); LLVM_DEBUG(dbgs() << "Inserting LFENCEs...\n");
FencesInserted += insertFences(MF, *Graph, CutEdges); FencesInserted += insertFences(MF, *Graph, CutEdges);
LLVM_DEBUG(dbgs() << "Inserting LFENCEs... Done\n"); LLVM_DEBUG(dbgs() << "Inserting LFENCEs... Done\n");
LLVM_DEBUG(dbgs() << "Inserted " << FencesInserted << " fences\n"); LLVM_DEBUG(dbgs() << "Inserted " << FencesInserted << " fences\n");
Graph = GraphBuilder::trim(*Graph, MachineGadgetGraph::NodeSet{*Graph}, Graph = GraphBuilder::trim(*Graph, NodeSet{*Graph}, CutEdges);
CutEdges);
} while (true); } while (true);
return FencesInserted; return FencesInserted;
} }
int X86LoadValueInjectionLoadHardeningPass::hardenLoadsWithGreedyHeuristic( int X86LoadValueInjectionLoadHardeningPass::hardenLoadsWithHeuristic(
MachineFunction &MF, std::unique_ptr<MachineGadgetGraph> Graph) const { MachineFunction &MF, std::unique_ptr<MachineGadgetGraph> Graph) const {
// If `MF` does not have any fences, then no gadgets would have been
// mitigated at this point.
if (Graph->NumFences > 0) {
LLVM_DEBUG(dbgs() << "Eliminating mitigated paths...\n"); LLVM_DEBUG(dbgs() << "Eliminating mitigated paths...\n");
Graph = trimMitigatedEdges(std::move(Graph)); Graph = trimMitigatedEdges(std::move(Graph));
LLVM_DEBUG(dbgs() << "Eliminating mitigated paths... Done\n"); LLVM_DEBUG(dbgs() << "Eliminating mitigated paths... Done\n");
}
craig.topperUnsubmitted
Done
ReplyInline Actions

I'm not a big fan of calling a pointer a "Ref". It makes me think its a reference but you have to dereference it. Do we gain much from omitting the '*' where this is used?

craig.topper: I'm not a big fan of calling a pointer a "Ref". It makes me think its a reference but you have…
if (Graph->NumGadgets == 0) if (Graph->NumGadgets == 0)
return 0; return 0;
LLVM_DEBUG(dbgs() << "Cutting edges...\n"); LLVM_DEBUG(dbgs() << "Cutting edges...\n");
MachineGadgetGraph::NodeSet ElimNodes{*Graph}, GadgetSinks{*Graph}; EdgeSet CutEdges{*Graph};
mattdrUnsubmitted
Not Done
ReplyInline Actions

Can we add this as an early-exit case in trimMitigatedEdges instead?

mattdr: Can we add this as an early-exit case in `trimMitigatedEdges` instead?
sconstabAuthorUnsubmitted
Done
ReplyInline Actions

That would negatively impact the hardenLoadsWithPlugin() flow that may need to trimMitigatedEdges() even if Graph->NumFences == 0.

sconstab: That would negatively impact the `hardenLoadsWithPlugin()` flow that may need to…
MachineGadgetGraph::EdgeSet ElimEdges{*Graph}, CutEdges{*Graph};
auto IsCFGEdge = [&ElimEdges, &CutEdges](const MachineGadgetGraph::Edge &E) {
return !ElimEdges.contains(E) && !CutEdges.contains(E) &&
MachineGadgetGraph::isCFGEdge(E);
};
auto IsGadgetEdge = [&ElimEdges,
&CutEdges](const MachineGadgetGraph::Edge &E) {
return !ElimEdges.contains(E) && !CutEdges.contains(E) &&
MachineGadgetGraph::isGadgetEdge(E);
};
// FIXME: this is O(E^2), we could probably do better. // Begin by collecting all ingress CFG edges for each node
do { DenseMap<const Node *, SmallVector<const Edge *, 2>> IngressEdgeMap;
// Find the cheapest CFG edge that will eliminate a gadget (by being for (const Edge &E : Graph->edges())
// egress from a SOURCE node or ingress to a SINK node), and cut it. if (MachineGadgetGraph::isCFGEdge(E))
const MachineGadgetGraph::Edge *CheapestSoFar = nullptr; IngressEdgeMap[E.getDest()].push_back(&E);
mattdrUnsubmitted
Done
ReplyInline Actions

Seems like this early-exit case should not have been guarded by the if.

mattdr: Seems like this early-exit case should not have been guarded by the `if`.
// First, collect all gadget source and sink nodes.
MachineGadgetGraph::NodeSet GadgetSources{*Graph}, GadgetSinks{*Graph};
for (const auto &N : Graph->nodes()) {
if (ElimNodes.contains(N))
continue;
for (const auto &E : N.edges()) {
if (IsGadgetEdge(E)) {
GadgetSources.insert(N);
GadgetSinks.insert(*E.getDest());
}
}
}
// Next, look for the cheapest CFG edge which, when cut, is guaranteed to // For each gadget edge, make cuts that guarantee the gadget will be
// mitigate at least one gadget by either: // mitigated. A computationally efficient way to achieve this is to either:
// (a) being egress from a gadget source, or // (a) cut all egress CFG edges from the gadget source, or
// (b) being ingress to a gadget sink. // (b) cut all ingress CFG edges to the gadget sink.
mattdrUnsubmitted
Done
ReplyInline Actions

nit: I spent some time trying to figure out how these are "implied" by the requirement and I don't think they are. Let's update the comment to make it clear we're describing one approach that happens to meet the requirement at a sweet spot of simplicity and speed.

mattdr: nit: I spent some time trying to figure out how these are "implied" by the requirement and I…
for (const auto &N : Graph->nodes()) { //
if (ElimNodes.contains(N)) // Moreover, the algorithm tries not to make a cut into a loop by preferring
// to make a (b)-type cut if the gadget source resides at a greater loop depth
// than the gadget sink, or an (a)-type cut otherwise.
for (const Node &N : Graph->nodes()) {
for (const Edge &E : N.edges()) {
if (!MachineGadgetGraph::isGadgetEdge(E))
continue; continue;
for (const auto &E : N.edges()) {
if (IsCFGEdge(E)) { SmallVector<const Edge *, 2> EgressEdges;
if (GadgetSources.contains(N) || GadgetSinks.contains(*E.getDest())) { SmallVector<const Edge *, 2> &IngressEdges = IngressEdgeMap[E.getDest()];
if (!CheapestSoFar || E.getValue() < CheapestSoFar->getValue()) for (const Edge &EgressEdge : N.edges())
CheapestSoFar = &E; if (MachineGadgetGraph::isCFGEdge(EgressEdge))
} EgressEdges.push_back(&EgressEdge);
}
int EgressCutCost = 0, IngressCutCost = 0;
for (const Edge *EgressEdge : EgressEdges)
if (!CutEdges.contains(*EgressEdge))
EgressCutCost += EgressEdge->getValue();
mattdrUnsubmitted
Not Done
ReplyInline Actions

I think this is clearer as:

if (!CutEdges.contains(*EgressEdge))
  EgressCutCost += EgressEdge->getValue();

likewise for the loop over IngressEdges.

mattdr: I think this is clearer as: ``` if (!CutEdges.contains(*EgressEdge)) EgressCutCost +=…
for (const Edge *IngressEdge : IngressEdges)
mattdrUnsubmitted
Not Done
ReplyInline Actions

Two things:

  1. What's the intuition for aggregating with "max" here rather than, say, summing the weights?
  1. It seems like we should be taking CutEdges into account somehow here. If we've already decided to cut an expensive edge, the *incremental* cost of cutting it again is zero and we shouldn't be including it here.
mattdr: Two things: 1. What's the intuition for aggregating with "max" here rather than, say, summing…
sconstabAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for pointing this out. I don't know why my intuition led me to use std::max. The minimum multi-cut algorithm would, in essence, also be adding the weights. And I think you're also correct that edges that have already been cut can be treated as having cost 0.

I implemented these changes, and measured (1) a small decrease in the number of LFENCEs inserted, (2) no significant performance difference, and (3) no exposed LVI vulnerabilities.

sconstab: Thanks for pointing this out. I don't know why my intuition led me to use `std::max`. The…
if (!CutEdges.contains(*IngressEdge))
IngressCutCost += IngressEdge->getValue();
auto &EdgesToCut =
mattdrUnsubmitted
Not Done
ReplyInline Actions

EdgeSet has |= for union, maybe that would be better here

mattdr: EdgeSet has `|=` for union, maybe that would be better here
sconstabAuthorUnsubmitted
Done
ReplyInline Actions

|= is not overloaded for an array-like container on the RHS. Unless you think that EdgesToCut should also be a BitVector?

sconstab: `|=` is not overloaded for an array-like container on the RHS. Unless you think that…
mattdrUnsubmitted
Not Done
ReplyInline Actions

Ah, my mistake -- one too many autos for me to trace through. This is fine.

mattdr: Ah, my mistake -- one too many `auto`s for me to trace through. This is fine.
IngressCutCost < EgressCutCost ? IngressEdges : EgressEdges;
for (const Edge *E : EdgesToCut)
craig.topperUnsubmitted
Done
ReplyInline Actions

I think llvm::for_each is discouraged in this case by the statement here https://llvm.org/docs/CodingStandards.html#use-range-based-for-loops-wherever-possible

craig.topper: I think llvm::for_each is discouraged in this case by the statement here https://llvm.
CutEdges.insert(*E);
} }
} }
assert(CheapestSoFar && "Failed to cut an edge");
CutEdges.insert(*CheapestSoFar);
ElimEdges.insert(*CheapestSoFar);
} while (elimMitigatedEdgesAndNodes(*Graph, ElimEdges, ElimNodes));
LLVM_DEBUG(dbgs() << "Cutting edges... Done\n"); LLVM_DEBUG(dbgs() << "Cutting edges... Done\n");
LLVM_DEBUG(dbgs() << "Cut " << CutEdges.count() << " edges\n"); LLVM_DEBUG(dbgs() << "Cut " << CutEdges.count() << " edges\n");
LLVM_DEBUG(dbgs() << "Inserting LFENCEs...\n"); LLVM_DEBUG(dbgs() << "Inserting LFENCEs...\n");
int FencesInserted = insertFences(MF, *Graph, CutEdges); int FencesInserted = insertFences(MF, *Graph, CutEdges);
LLVM_DEBUG(dbgs() << "Inserting LFENCEs... Done\n"); LLVM_DEBUG(dbgs() << "Inserting LFENCEs... Done\n");
LLVM_DEBUG(dbgs() << "Inserted " << FencesInserted << " fences\n"); LLVM_DEBUG(dbgs() << "Inserted " << FencesInserted << " fences\n");
return FencesInserted; return FencesInserted;
} }
int X86LoadValueInjectionLoadHardeningPass::insertFences( int X86LoadValueInjectionLoadHardeningPass::insertFences(
MachineFunction &MF, MachineGadgetGraph &G, MachineFunction &MF, MachineGadgetGraph &G,
EdgeSet &CutEdges /* in, out */) const { EdgeSet &CutEdges /* in, out */) const {
int FencesInserted = 0; int FencesInserted = 0;
for (const auto &N : G.nodes()) { for (const Node &N : G.nodes()) {
for (const auto &E : N.edges()) { for (const Edge &E : N.edges()) {
if (CutEdges.contains(E)) { if (CutEdges.contains(E)) {
MachineInstr *MI = N.getValue(), *Prev; MachineInstr *MI = N.getValue(), *Prev;
MachineBasicBlock *MBB; // Insert an LFENCE in this MBB MachineBasicBlock *MBB; // Insert an LFENCE in this MBB
MachineBasicBlock::iterator InsertionPt; // ...at this point MachineBasicBlock::iterator InsertionPt; // ...at this point
if (MI == MachineGadgetGraph::ArgNodeSentinel) { if (MI == MachineGadgetGraph::ArgNodeSentinel) {
// insert LFENCE at beginning of entry block // insert LFENCE at beginning of entry block
MBB = &MF.front(); MBB = &MF.front();
InsertionPt = MBB->begin(); InsertionPt = MBB->begin();
Prev = nullptr; Prev = nullptr;
} else if (MI->isBranch()) { // insert the LFENCE before the branch } else if (MI->isBranch()) { // insert the LFENCE before the branch
MBB = MI->getParent(); MBB = MI->getParent();
InsertionPt = MI; InsertionPt = MI;
Prev = MI->getPrevNode(); Prev = MI->getPrevNode();
// Remove all egress CFG edges from this branch because the inserted // Remove all egress CFG edges from this branch because the inserted
// LFENCE prevents gadgets from crossing the branch. // LFENCE prevents gadgets from crossing the branch.
for (const auto &E : N.edges()) { for (const Edge &E : N.edges()) {
if (MachineGadgetGraph::isCFGEdge(E)) if (MachineGadgetGraph::isCFGEdge(E))
CutEdges.insert(E); CutEdges.insert(E);
} }
} else { // insert the LFENCE after the instruction } else { // insert the LFENCE after the instruction
MBB = MI->getParent(); MBB = MI->getParent();
InsertionPt = MI->getNextNode() ? MI->getNextNode() : MBB->end(); InsertionPt = MI->getNextNode() ? MI->getNextNode() : MBB->end();
Prev = InsertionPt == MBB->end() Prev = InsertionPt == MBB->end()
? (MBB->empty() ? nullptr : &MBB->back()) ? (MBB->empty() ? nullptr : &MBB->back())
▲ Show 20 LinesShow All 62 LinesShow Last 20 Lines