This is an archive of the discontinued LLVM Phabricator instance.

Differential D92469

[ARM] harden-sls-blr: avoid r12 and lr in indirect calls
ClosedPublic

Authored by kristof.beyls on Dec 2 2020, 1:56 AM.

Details

Reviewers
ostannard
Commits
rGdf8ed3928377: [ARM] harden-sls-blr: avoid r12 and lr in indirect calls.
Summary

As a linker is allowed to clobber r12 on function calls, the
code transformation that hardens indirect calls is not correct in case a
linker does so. Similarly, the transformation is not correct when
register lr is used.

This patch makes sure that r12 or lr are not used for indirect calls
when harden-sls-blr is enabled.

Diff Detail

Event Timeline

kristof.beyls created this revision.Dec 2 2020, 1:56 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 2 2020, 1:56 AM
Herald added subscribers: llvm-commits, danielkiss, hiraditya. · View Herald Transcript
kristof.beyls requested review of this revision.Dec 2 2020, 1:56 AM
kristof.beyls added a parent revision: D92468: [ARM] Harden indirect calls against SLS.
Harbormaster completed remote builds in B80790: Diff 308915.Dec 2 2020, 1:57 AM
kristof.beyls added a child revision: D93221: [ARM] Add clang command line support for -mharden-sls=.Dec 14 2020, 8:18 AM
ostannard added inline comments.Dec 17 2020, 2:27 AM
llvm/lib/Target/ARM/ARMInstrInfo.td
2496

Wouldn't this also prevent use of the BLX instructions in inline assembly? I think it would be better to leave the requirements on the instructions as they are, and move the isel patterns out into separate Pattern records, which can have their own target requirements. I looks like that is already how the AArch64 backend does this.

llvm/test/CodeGen/ARM/speculation-hardening-sls.ll
195

A slightly less fragile way to do this would be to pass the function pointer into and out an inline asm statement, with an output constraint which forces it into r12/lr. The compiler can still move it to a different register (and will need to do that with slsblr enabled), but it won't be dependent on register allocation order.

kristof.beyls updated this revision to Diff 312778.Dec 18 2020, 6:06 AM

Updated patch based on review comments + rebased to ToT

kristof.beyls marked 2 inline comments as done.Dec 18 2020, 6:09 AM
kristof.beyls added inline comments.
llvm/lib/Target/ARM/ARMInstrInfo.td
2496

Agreed, I have separated out the patterns here and also in the Thumb instruction variants.
I also added a test to the test file that checks that "blx r12" is accepted if used in inline assembly.

llvm/test/CodeGen/ARM/speculation-hardening-sls.ll
195

Thanks for the suggestion, that is indeed better.
Now implemented.

ostannard accepted this revision.Dec 18 2020, 6:20 AM

LGTM

This revision is now accepted and ready to land.Dec 18 2020, 6:20 AM
Closed by commit rGdf8ed3928377: [ARM] harden-sls-blr: avoid r12 and lr in indirect calls. (authored by kristof.beyls). · Explain WhyDec 19 2020, 4:48 AM
This revision was automatically updated to reflect the committed changes.
kristof.beyls marked 2 inline comments as done.
kristof.beyls added a commit: rGdf8ed3928377: [ARM] harden-sls-blr: avoid r12 and lr in indirect calls..

Revision Contents

Diff 312928

llvm/lib/Target/ARM/ARMBaseInstrInfo.h

Show First 20 LinesShow All 634 Lines▼ Show 20 Linesbool isIndirectBranchOpcode(int Opc) {
return Opc == ARM::BX || Opc == ARM::MOVPCRX || Opc == ARM::tBRIND; return Opc == ARM::BX || Opc == ARM::MOVPCRX || Opc == ARM::tBRIND;
} }
static inline bool isIndirectCall(const MachineInstr &MI) { static inline bool isIndirectCall(const MachineInstr &MI) {
int Opc = MI.getOpcode(); int Opc = MI.getOpcode();
switch (Opc) { switch (Opc) {
// indirect calls: // indirect calls:
case ARM::BLX: case ARM::BLX:
case ARM::BLX_noip:
case ARM::BLX_pred: case ARM::BLX_pred:
case ARM::BLX_pred_noip:
case ARM::BX_CALL: case ARM::BX_CALL:
case ARM::BMOVPCRX_CALL: case ARM::BMOVPCRX_CALL:
case ARM::TCRETURNri: case ARM::TCRETURNri:
case ARM::TAILJMPr: case ARM::TAILJMPr:
case ARM::TAILJMPr4: case ARM::TAILJMPr4:
case ARM::tBLXr: case ARM::tBLXr:
case ARM::tBLXr_noip:
case ARM::tBLXNSr: case ARM::tBLXNSr:
case ARM::tBLXNS_CALL: case ARM::tBLXNS_CALL:
case ARM::tBX_CALL: case ARM::tBX_CALL:
case ARM::tTAILJMPr: case ARM::tTAILJMPr:
assert(MI.isCall(MachineInstr::IgnoreBundle)); assert(MI.isCall(MachineInstr::IgnoreBundle));
return true; return true;
// direct calls: // direct calls:
case ARM::BL: case ARM::BL:
▲ Show 20 LinesShow All 245 Lines▼ Show 20 Lines
// Return true if the given intrinsic is a gather or scatter // Return true if the given intrinsic is a gather or scatter
inline bool isGatherScatter(IntrinsicInst *IntInst) { inline bool isGatherScatter(IntrinsicInst *IntInst) {
if (IntInst == nullptr) if (IntInst == nullptr)
return false; return false;
return isGather(IntInst) || isScatter(IntInst); return isGather(IntInst) || isScatter(IntInst);
} }
unsigned getBLXOpcode(const MachineFunction &MF);
unsigned gettBLXrOpcode(const MachineFunction &MF);
unsigned getBLXpredOpcode(const MachineFunction &MF);
} // end namespace llvm } // end namespace llvm
#endif // LLVM_LIB_TARGET_ARM_ARMBASEINSTRINFO_H #endif // LLVM_LIB_TARGET_ARM_ARMBASEINSTRINFO_H

llvm/lib/Target/ARM/ARMBaseInstrInfo.cpp

Show First 20 LinesShow All 5,797 Lines▼ Show 20 Linesoutliner::OutlinedFunction ARMBaseInstrInfo::getOutliningCandidateInfo(
// If the last instruction in any candidate is a terminator, then we should // If the last instruction in any candidate is a terminator, then we should
// tail call all of the candidates. // tail call all of the candidates.
if (RepeatedSequenceLocs[0].back()->isTerminator()) { if (RepeatedSequenceLocs[0].back()->isTerminator()) {
FrameID = MachineOutlinerTailCall; FrameID = MachineOutlinerTailCall;
NumBytesToCreateFrame = Costs.FrameTailCall; NumBytesToCreateFrame = Costs.FrameTailCall;
SetCandidateCallInfo(MachineOutlinerTailCall, Costs.CallTailCall); SetCandidateCallInfo(MachineOutlinerTailCall, Costs.CallTailCall);
} else if (LastInstrOpcode == ARM::BL || LastInstrOpcode == ARM::BLX || } else if (LastInstrOpcode == ARM::BL || LastInstrOpcode == ARM::BLX ||
LastInstrOpcode == ARM::tBL || LastInstrOpcode == ARM::tBLXr || LastInstrOpcode == ARM::BLX_noip || LastInstrOpcode == ARM::tBL ||
LastInstrOpcode == ARM::tBLXr ||
LastInstrOpcode == ARM::tBLXr_noip ||
LastInstrOpcode == ARM::tBLXi) { LastInstrOpcode == ARM::tBLXi) {
FrameID = MachineOutlinerThunk; FrameID = MachineOutlinerThunk;
NumBytesToCreateFrame = Costs.FrameThunk; NumBytesToCreateFrame = Costs.FrameThunk;
SetCandidateCallInfo(MachineOutlinerThunk, Costs.CallThunk); SetCandidateCallInfo(MachineOutlinerThunk, Costs.CallThunk);
} else { } else {
// We need to decide how to emit calls + frames. We can always emit the same // We need to decide how to emit calls + frames. We can always emit the same
// frame if we don't need to save to the stack. If we have to save to the // frame if we don't need to save to the stack. If we have to save to the
// stack, then we need a different frame. // stack, then we need a different frame.
▲ Show 20 LinesShow All 231 Lines▼ Show 20 Lines if (Callee &&
return outliner::InstrType::Illegal; return outliner::InstrType::Illegal;
// If we don't know anything about the callee, assume it depends on the // If we don't know anything about the callee, assume it depends on the
// stack layout of the caller. In that case, it's only legal to outline // stack layout of the caller. In that case, it's only legal to outline
// as a tail-call. Explicitly list the call instructions we know about so // as a tail-call. Explicitly list the call instructions we know about so
// we don't get unexpected results with call pseudo-instructions. // we don't get unexpected results with call pseudo-instructions.
auto UnknownCallOutlineType = outliner::InstrType::Illegal; auto UnknownCallOutlineType = outliner::InstrType::Illegal;
if (Opc == ARM::BL || Opc == ARM::tBL || Opc == ARM::BLX || if (Opc == ARM::BL || Opc == ARM::tBL || Opc == ARM::BLX ||
Opc == ARM::tBLXr || Opc == ARM::tBLXi) Opc == ARM::BLX_noip || Opc == ARM::tBLXr || Opc == ARM::tBLXr_noip ||
Opc == ARM::tBLXi)
UnknownCallOutlineType = outliner::InstrType::LegalTerminator; UnknownCallOutlineType = outliner::InstrType::LegalTerminator;
if (!Callee) if (!Callee)
return UnknownCallOutlineType; return UnknownCallOutlineType;
// We have a function we have information about. Check if it's something we // We have a function we have information about. Check if it's something we
// can safely outline. // can safely outline.
MachineFunction *MF = MI.getParent()->getParent(); MachineFunction *MF = MI.getParent()->getParent();
▲ Show 20 LinesShow All 275 Lines▼ Show 20 Lines
bool ARMBaseInstrInfo::isReallyTriviallyReMaterializable(const MachineInstr &MI, bool ARMBaseInstrInfo::isReallyTriviallyReMaterializable(const MachineInstr &MI,
AAResults *AA) const { AAResults *AA) const {
// Try hard to rematerialize any VCTPs because if we spill P0, it will block // Try hard to rematerialize any VCTPs because if we spill P0, it will block
// the tail predication conversion. This means that the element count // the tail predication conversion. This means that the element count
// register has to be live for longer, but that has to be better than // register has to be live for longer, but that has to be better than
// spill/restore and VPT predication. // spill/restore and VPT predication.
return isVCTP(&MI) && !isPredicated(MI); return isVCTP(&MI) && !isPredicated(MI);
} }
unsigned llvm::getBLXOpcode(const MachineFunction &MF) {
return (MF.getSubtarget<ARMSubtarget>().hardenSlsBlr()) ? ARM::BLX_noip
: ARM::BLX;
}
unsigned llvm::gettBLXrOpcode(const MachineFunction &MF) {
return (MF.getSubtarget<ARMSubtarget>().hardenSlsBlr()) ? ARM::tBLXr_noip
: ARM::tBLXr;
}
unsigned llvm::getBLXpredOpcode(const MachineFunction &MF) {
return (MF.getSubtarget<ARMSubtarget>().hardenSlsBlr()) ? ARM::BLX_pred_noip
: ARM::BLX_pred;
}

llvm/lib/Target/ARM/ARMCallLowering.cpp

Show First 20 LinesShow All 474 Lines▼ Show 20 Linesstruct CallReturnHandler : public ARMIncomingValueHandler {
void markPhysRegUsed(unsigned PhysReg) override { void markPhysRegUsed(unsigned PhysReg) override {
MIB.addDef(PhysReg, RegState::Implicit); MIB.addDef(PhysReg, RegState::Implicit);
} }
MachineInstrBuilder MIB; MachineInstrBuilder MIB;
}; };
// FIXME: This should move to the ARMSubtarget when it supports all the opcodes. // FIXME: This should move to the ARMSubtarget when it supports all the opcodes.
unsigned getCallOpcode(const ARMSubtarget &STI, bool isDirect) { unsigned getCallOpcode(const MachineFunction &MF, const ARMSubtarget &STI,
bool isDirect) {
if (isDirect) if (isDirect)
return STI.isThumb() ? ARM::tBL : ARM::BL; return STI.isThumb() ? ARM::tBL : ARM::BL;
if (STI.isThumb()) if (STI.isThumb())
return ARM::tBLXr; return gettBLXrOpcode(MF);
if (STI.hasV5TOps()) if (STI.hasV5TOps())
return ARM::BLX; return getBLXOpcode(MF);
if (STI.hasV4TOps()) if (STI.hasV4TOps())
return ARM::BX_CALL; return ARM::BX_CALL;
return ARM::BMOVPCRX_CALL; return ARM::BMOVPCRX_CALL;
} }
} // end anonymous namespace } // end anonymous namespace
Show All 11 Linesbool ARMCallLowering::lowerCall(MachineIRBuilder &MIRBuilder, CallLoweringInfo &Info) const {
if (STI.isThumb1Only()) if (STI.isThumb1Only())
return false; return false;
auto CallSeqStart = MIRBuilder.buildInstr(ARM::ADJCALLSTACKDOWN); auto CallSeqStart = MIRBuilder.buildInstr(ARM::ADJCALLSTACKDOWN);
// Create the call instruction so we can add the implicit uses of arg // Create the call instruction so we can add the implicit uses of arg
// registers, but don't insert it yet. // registers, but don't insert it yet.
bool IsDirect = !Info.Callee.isReg(); bool IsDirect = !Info.Callee.isReg();
auto CallOpcode = getCallOpcode(STI, IsDirect); auto CallOpcode = getCallOpcode(MF, STI, IsDirect);
auto MIB = MIRBuilder.buildInstrNoInsert(CallOpcode); auto MIB = MIRBuilder.buildInstrNoInsert(CallOpcode);
bool IsThumb = STI.isThumb(); bool IsThumb = STI.isThumb();
if (IsThumb) if (IsThumb)
MIB.add(predOps(ARMCC::AL)); MIB.add(predOps(ARMCC::AL));
MIB.add(Info.Callee); MIB.add(Info.Callee);
if (!IsDirect) { if (!IsDirect) {
▲ Show 20 LinesShow All 57 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMExpandPseudoInsts.cpp

Show First 20 LinesShow All 2,298 Lines▼ Show 20 Lines case ARM::TPsoft: {
MIB = MIB =
BuildMI(MBB, MBBI, MI.getDebugLoc(), BuildMI(MBB, MBBI, MI.getDebugLoc(),
TII->get(Thumb ? ARM::tLDRpci : ARM::LDRi12), Reg) TII->get(Thumb ? ARM::tLDRpci : ARM::LDRi12), Reg)
.addConstantPoolIndex(MCP->getConstantPoolIndex(CPV, Align(4))); .addConstantPoolIndex(MCP->getConstantPoolIndex(CPV, Align(4)));
if (!Thumb) if (!Thumb)
MIB.addImm(0); MIB.addImm(0);
MIB.add(predOps(ARMCC::AL)); MIB.add(predOps(ARMCC::AL));
MIB = BuildMI(MBB, MBBI, MI.getDebugLoc(), MIB =
TII->get(Thumb ? ARM::tBLXr : ARM::BLX)); BuildMI(MBB, MBBI, MI.getDebugLoc(),
TII->get(Thumb ? gettBLXrOpcode(*MF) : getBLXOpcode(*MF)));
if (Thumb) if (Thumb)
MIB.add(predOps(ARMCC::AL)); MIB.add(predOps(ARMCC::AL));
MIB.addReg(Reg, RegState::Kill); MIB.addReg(Reg, RegState::Kill);
} else { } else {
MIB = BuildMI(MBB, MBBI, MI.getDebugLoc(), MIB = BuildMI(MBB, MBBI, MI.getDebugLoc(),
TII->get(Thumb ? ARM::tBL : ARM::BL)); TII->get(Thumb ? ARM::tBL : ARM::BL));
if (Thumb) if (Thumb)
MIB.add(predOps(ARMCC::AL)); MIB.add(predOps(ARMCC::AL));
▲ Show 20 LinesShow All 577 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMFastISel.cpp

Show First 20 LinesShow All 2,167 Lines▼ Show 20 Linesbool ARMFastISel::SelectRet(const Instruction *I) {
AddOptionalDefs(MIB); AddOptionalDefs(MIB);
for (unsigned R : RetRegs) for (unsigned R : RetRegs)
MIB.addReg(R, RegState::Implicit); MIB.addReg(R, RegState::Implicit);
return true; return true;
} }
unsigned ARMFastISel::ARMSelectCallOp(bool UseReg) { unsigned ARMFastISel::ARMSelectCallOp(bool UseReg) {
if (UseReg) if (UseReg)
return isThumb2 ? ARM::tBLXr : ARM::BLX; return isThumb2 ? gettBLXrOpcode(*MF) : getBLXOpcode(*MF);
else else
return isThumb2 ? ARM::tBL : ARM::BL; return isThumb2 ? ARM::tBL : ARM::BL;
} }
unsigned ARMFastISel::getLibcallReg(const Twine &Name) { unsigned ARMFastISel::getLibcallReg(const Twine &Name) {
// Manually compute the global's type to avoid building it when unnecessary. // Manually compute the global's type to avoid building it when unnecessary.
Type *GVTy = Type::getInt32PtrTy(*Context, /*AS=*/0); Type *GVTy = Type::getInt32PtrTy(*Context, /*AS=*/0);
EVT LCREVT = TLI.getValueType(DL, GVTy); EVT LCREVT = TLI.getValueType(DL, GVTy);
▲ Show 20 LinesShow All 74 Lines▼ Show 20 Linesbool ARMFastISel::ARMEmitLibcall(const Instruction *I, RTLIB::Libcall Call) {
// Issue the call. // Issue the call.
unsigned CallOpc = ARMSelectCallOp(Subtarget->genLongCalls()); unsigned CallOpc = ARMSelectCallOp(Subtarget->genLongCalls());
MachineInstrBuilder MIB = BuildMI(*FuncInfo.MBB, FuncInfo.InsertPt, MachineInstrBuilder MIB = BuildMI(*FuncInfo.MBB, FuncInfo.InsertPt,
DbgLoc, TII.get(CallOpc)); DbgLoc, TII.get(CallOpc));
// BL / BLX don't take a predicate, but tBL / tBLX do. // BL / BLX don't take a predicate, but tBL / tBLX do.
if (isThumb2) if (isThumb2)
MIB.add(predOps(ARMCC::AL)); MIB.add(predOps(ARMCC::AL));
if (Subtarget->genLongCalls()) if (Subtarget->genLongCalls()) {
CalleeReg =
constrainOperandRegClass(TII.get(CallOpc), CalleeReg, isThumb2 ? 2 : 0);
MIB.addReg(CalleeReg); MIB.addReg(CalleeReg);
else } else
MIB.addExternalSymbol(TLI.getLibcallName(Call)); MIB.addExternalSymbol(TLI.getLibcallName(Call));
// Add implicit physical register uses to the call. // Add implicit physical register uses to the call.
for (Register R : RegArgs) for (Register R : RegArgs)
MIB.addReg(R, RegState::Implicit); MIB.addReg(R, RegState::Implicit);
// Add a register mask with the call-preserved registers. // Add a register mask with the call-preserved registers.
// Proper defs for return values will be added by setPhysRegsDeadExcept(). // Proper defs for return values will be added by setPhysRegsDeadExcept().
▲ Show 20 LinesShow All 121 Lines▼ Show 20 Linesbool ARMFastISel::SelectCall(const Instruction *I,
// Issue the call. // Issue the call.
unsigned CallOpc = ARMSelectCallOp(UseReg); unsigned CallOpc = ARMSelectCallOp(UseReg);
MachineInstrBuilder MIB = BuildMI(*FuncInfo.MBB, FuncInfo.InsertPt, MachineInstrBuilder MIB = BuildMI(*FuncInfo.MBB, FuncInfo.InsertPt,
DbgLoc, TII.get(CallOpc)); DbgLoc, TII.get(CallOpc));
// ARM calls don't take a predicate, but tBL / tBLX do. // ARM calls don't take a predicate, but tBL / tBLX do.
if(isThumb2) if(isThumb2)
MIB.add(predOps(ARMCC::AL)); MIB.add(predOps(ARMCC::AL));
if (UseReg) if (UseReg) {
CalleeReg =
constrainOperandRegClass(TII.get(CallOpc), CalleeReg, isThumb2 ? 2 : 0);
MIB.addReg(CalleeReg); MIB.addReg(CalleeReg);
else if (!IntrMemName) } else if (!IntrMemName)
MIB.addGlobalAddress(GV, 0, 0); MIB.addGlobalAddress(GV, 0, 0);
else else
MIB.addExternalSymbol(IntrMemName, 0); MIB.addExternalSymbol(IntrMemName, 0);
// Add implicit physical register uses to the call. // Add implicit physical register uses to the call.
for (Register R : RegArgs) for (Register R : RegArgs)
MIB.addReg(R, RegState::Implicit); MIB.addReg(R, RegState::Implicit);
▲ Show 20 LinesShow All 664 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMFeatures.h

Show First 20 LinesShow All 69 Lines▼ Show 20 Linesinline bool isV8EligibleForIT(const InstrType *Instr) {
case ARM::tSTRi: case ARM::tSTRi:
case ARM::tSTRr: case ARM::tSTRr:
case ARM::tSTRspi: case ARM::tSTRspi:
case ARM::tTST: case ARM::tTST:
return true; return true;
// there are some "conditionally deprecated" opcodes // there are some "conditionally deprecated" opcodes
case ARM::tADDspr: case ARM::tADDspr:
case ARM::tBLXr: case ARM::tBLXr:
case ARM::tBLXr_noip:
return Instr->getOperand(2).getReg() != ARM::PC; return Instr->getOperand(2).getReg() != ARM::PC;
// ADD PC, SP and BLX PC were always unpredictable, // ADD PC, SP and BLX PC were always unpredictable,
// now on top of it they're deprecated // now on top of it they're deprecated
case ARM::tADDrSP: case ARM::tADDrSP:
case ARM::tBX: case ARM::tBX:
return Instr->getOperand(0).getReg() != ARM::PC; return Instr->getOperand(0).getReg() != ARM::PC;
case ARM::tADDhirr: case ARM::tADDhirr:
return Instr->getOperand(0).getReg() != ARM::PC && return Instr->getOperand(0).getReg() != ARM::PC &&
Show All 11 Lines

llvm/lib/Target/ARM/ARMISelLowering.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 10,880 Lines▼ Show 20 Lines BuildMI(*MBB, MI, DL, TII.get(ARM::tBL))
RegState::Implicit | RegState::Define | RegState::Dead); RegState::Implicit | RegState::Define | RegState::Dead);
break; break;
case CodeModel::Large: { case CodeModel::Large: {
MachineRegisterInfo &MRI = MBB->getParent()->getRegInfo(); MachineRegisterInfo &MRI = MBB->getParent()->getRegInfo();
Register Reg = MRI.createVirtualRegister(&ARM::rGPRRegClass); Register Reg = MRI.createVirtualRegister(&ARM::rGPRRegClass);
BuildMI(*MBB, MI, DL, TII.get(ARM::t2MOVi32imm), Reg) BuildMI(*MBB, MI, DL, TII.get(ARM::t2MOVi32imm), Reg)
.addExternalSymbol("__chkstk"); .addExternalSymbol("__chkstk");
BuildMI(*MBB, MI, DL, TII.get(ARM::tBLXr)) BuildMI(*MBB, MI, DL, TII.get(gettBLXrOpcode(*MBB->getParent())))
.add(predOps(ARMCC::AL)) .add(predOps(ARMCC::AL))
.addReg(Reg, RegState::Kill) .addReg(Reg, RegState::Kill)
.addReg(ARM::R4, RegState::Implicit | RegState::Kill) .addReg(ARM::R4, RegState::Implicit | RegState::Kill)
.addReg(ARM::R4, RegState::Implicit | RegState::Define) .addReg(ARM::R4, RegState::Implicit | RegState::Define)
.addReg(ARM::R12, .addReg(ARM::R12,
RegState::Implicit | RegState::Define | RegState::Dead) RegState::Implicit | RegState::Define | RegState::Dead)
.addReg(ARM::CPSR, .addReg(ARM::CPSR,
RegState::Implicit | RegState::Define | RegState::Dead); RegState::Implicit | RegState::Define | RegState::Dead);
▲ Show 20 LinesShow All 8,418 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMInstrInfo.td

Show First 20 LinesShow All 2,486 Lines▼ Show 20 Lines def BL_pred : ABI<0b1011, (outs), (ins arm_bl_target:$func),
[(ARMcall_pred tglobaladdr:$func)]>, [(ARMcall_pred tglobaladdr:$func)]>,
Requires<[IsARM]>, Sched<[WriteBrL]> { Requires<[IsARM]>, Sched<[WriteBrL]> {
bits<24> func; bits<24> func;
let Inst{23-0} = func; let Inst{23-0} = func;
let DecoderMethod = "DecodeBranchImmInstruction"; let DecoderMethod = "DecodeBranchImmInstruction";
} }
// ARMv5T and above // ARMv5T and above
def BLX : AXI<(outs), (ins GPR:$func), BrMiscFrm, def BLX : AXI<(outs), (ins GPR:$func), BrMiscFrm, IIC_Br, "blx\t$func", []>,
IIC_Br, "blx\t$func",
[(ARMcall GPR:$func)]>,
Requires<[IsARM, HasV5T]>, Sched<[WriteBrL]> { Requires<[IsARM, HasV5T]>, Sched<[WriteBrL]> {
ostannardUnsubmitted
Done
ReplyInline Actions

Wouldn't this also prevent use of the BLX instructions in inline assembly? I think it would be better to leave the requirements on the instructions as they are, and move the isel patterns out into separate Pattern records, which can have their own target requirements. I looks like that is already how the AArch64 backend does this.

ostannard: Wouldn't this also prevent use of the BLX instructions in inline assembly? I think it would be…
kristof.beylsAuthorUnsubmitted
Done
ReplyInline Actions

Agreed, I have separated out the patterns here and also in the Thumb instruction variants.
I also added a test to the test file that checks that "blx r12" is accepted if used in inline assembly.

kristof.beyls: Agreed, I have separated out the patterns here and also in the Thumb instruction variants. I…
bits<4> func; bits<4> func;
let Inst{31-4} = 0b1110000100101111111111110011; let Inst{31-4} = 0b1110000100101111111111110011;
let Inst{3-0} = func; let Inst{3-0} = func;
} }
def BLX_noip : ARMPseudoExpand<(outs), (ins GPRnoip:$func),
4, IIC_Br, [], (BLX GPR:$func)>,
Requires<[IsARM, HasV5T]>, Sched<[WriteBrL]>;
def BLX_pred : AI<(outs), (ins GPR:$func), BrMiscFrm, def BLX_pred : AI<(outs), (ins GPR:$func), BrMiscFrm,
IIC_Br, "blx", "\t$func", IIC_Br, "blx", "\t$func", []>,
[(ARMcall_pred GPR:$func)]>,
Requires<[IsARM, HasV5T]>, Sched<[WriteBrL]> { Requires<[IsARM, HasV5T]>, Sched<[WriteBrL]> {
bits<4> func; bits<4> func;
let Inst{27-4} = 0b000100101111111111110011; let Inst{27-4} = 0b000100101111111111110011;
let Inst{3-0} = func; let Inst{3-0} = func;
} }
def BLX_pred_noip : ARMPseudoExpand<(outs), (ins GPRnoip:$func),
4, IIC_Br, [],
(BLX_pred GPR:$func, (ops 14, zero_reg))>,
Requires<[IsARM, HasV5T]>, Sched<[WriteBrL]>;
// ARMv4T // ARMv4T
// Note: Restrict $func to the tGPR regclass to prevent it being in LR. // Note: Restrict $func to the tGPR regclass to prevent it being in LR.
def BX_CALL : ARMPseudoInst<(outs), (ins tGPR:$func), def BX_CALL : ARMPseudoInst<(outs), (ins tGPR:$func),
8, IIC_Br, [(ARMcall_nolink tGPR:$func)]>, 8, IIC_Br, [(ARMcall_nolink tGPR:$func)]>,
Requires<[IsARM, HasV4T]>, Sched<[WriteBr]>; Requires<[IsARM, HasV4T]>, Sched<[WriteBr]>;
// ARMv4 // ARMv4
Show All 9 Lineslet isCall = 1,
// push lr before the call // push lr before the call
def BL_PUSHLR : ARMPseudoInst<(outs), (ins GPRlr:$ra, arm_bl_target:$func), def BL_PUSHLR : ARMPseudoInst<(outs), (ins GPRlr:$ra, arm_bl_target:$func),
4, IIC_Br, 4, IIC_Br,
[]>, []>,
Requires<[IsARM]>, Sched<[WriteBr]>; Requires<[IsARM]>, Sched<[WriteBr]>;
} }
def : ARMPat<(ARMcall GPR:$func), (BLX $func)>,
Requires<[IsARM, HasV5T, NoSLSBLRMitigation]>;
def : ARMPat<(ARMcall GPRnoip:$func), (BLX_noip $func)>,
Requires<[IsARM, HasV5T, SLSBLRMitigation]>;
def : ARMPat<(ARMcall_pred GPR:$func), (BLX_pred $func)>,
Requires<[IsARM, HasV5T, NoSLSBLRMitigation]>;
def : ARMPat<(ARMcall_pred GPRnoip:$func), (BLX_pred_noip $func)>,
Requires<[IsARM, HasV5T, SLSBLRMitigation]>;
let isBranch = 1, isTerminator = 1 in { let isBranch = 1, isTerminator = 1 in {
// FIXME: should be able to write a pattern for ARMBrcond, but can't use // FIXME: should be able to write a pattern for ARMBrcond, but can't use
// a two-value operand where a dag node expects two operands. :( // a two-value operand where a dag node expects two operands. :(
def Bcc : ABI<0b1010, (outs), (ins arm_br_target:$target), def Bcc : ABI<0b1010, (outs), (ins arm_br_target:$target),
IIC_Br, "b", "\t$target", IIC_Br, "b", "\t$target",
[/*(ARMbrcond bb:$target, imm:$cc, CCR:$ccr)*/]>, [/*(ARMbrcond bb:$target, imm:$cc, CCR:$ccr)*/]>,
Sched<[WriteBr]> { Sched<[WriteBr]> {
bits<24> target; bits<24> target;
▲ Show 20 LinesShow All 3,872 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMInstrThumb.td

Show First 20 LinesShow All 542 Lines▼ Show 20 Lines def tBLXi : TIx2<0b11110, 0b11, 0,
let Inst{13} = func{22}; let Inst{13} = func{22};
let Inst{11} = func{21}; let Inst{11} = func{21};
let Inst{10-1} = func{10-1}; let Inst{10-1} = func{10-1};
let Inst{0} = 0; // func{0} is assumed zero let Inst{0} = 0; // func{0} is assumed zero
} }
// Also used for Thumb2 // Also used for Thumb2
def tBLXr : TI<(outs), (ins pred:$p, GPR:$func), IIC_Br, def tBLXr : TI<(outs), (ins pred:$p, GPR:$func), IIC_Br,
"blx${p}\t$func", "blx${p}\t$func", []>,
[(ARMcall GPR:$func)]>,
Requires<[IsThumb, HasV5T]>, Requires<[IsThumb, HasV5T]>,
T1Special<{1,1,1,?}>, Sched<[WriteBrL]> { // A6.2.3 & A8.6.24; T1Special<{1,1,1,?}>, Sched<[WriteBrL]> { // A6.2.3 & A8.6.24;
bits<4> func; bits<4> func;
let Inst{6-3} = func; let Inst{6-3} = func;
let Inst{2-0} = 0b000; let Inst{2-0} = 0b000;
} }
def tBLXr_noip : ARMPseudoExpand<(outs), (ins pred:$p, GPRnoip:$func),
2, IIC_Br, [], (tBLXr pred:$p, GPR:$func)>,
Requires<[IsThumb, HasV5T]>,
Sched<[WriteBrL]>;
// ARMv8-M Security Extensions // ARMv8-M Security Extensions
def tBLXNSr : TI<(outs), (ins pred:$p, GPRnopc:$func), IIC_Br, def tBLXNSr : TI<(outs), (ins pred:$p, GPRnopc:$func), IIC_Br,
"blxns${p}\t$func", []>, "blxns${p}\t$func", []>,
Requires<[IsThumb, Has8MSecExt]>, Requires<[IsThumb, Has8MSecExt]>,
T1Special<{1,1,1,?}>, Sched<[WriteBrL]> { T1Special<{1,1,1,?}>, Sched<[WriteBrL]> {
bits<4> func; bits<4> func;
let Inst{6-3} = func; let Inst{6-3} = func;
Show All 14 Lineslet isCall = 1,
// Also used for Thumb2 // Also used for Thumb2
// push lr before the call // push lr before the call
def tBL_PUSHLR : tPseudoInst<(outs), (ins GPRlr:$ra, pred:$p, thumb_bl_target:$func), def tBL_PUSHLR : tPseudoInst<(outs), (ins GPRlr:$ra, pred:$p, thumb_bl_target:$func),
4, IIC_Br, 4, IIC_Br,
[]>, []>,
Requires<[IsThumb]>, Sched<[WriteBr]>; Requires<[IsThumb]>, Sched<[WriteBr]>;
} }
def : ARMPat<(ARMcall GPR:$func), (tBLXr $func)>,
Requires<[IsThumb, HasV5T, NoSLSBLRMitigation]>;
def : ARMPat<(ARMcall GPRnoip:$func), (tBLXr_noip $func)>,
Requires<[IsThumb, HasV5T, SLSBLRMitigation]>;
let isBranch = 1, isTerminator = 1, isBarrier = 1 in { let isBranch = 1, isTerminator = 1, isBarrier = 1 in {
let isPredicable = 1 in let isPredicable = 1 in
def tB : T1pI<(outs), (ins t_brtarget:$target), IIC_Br, def tB : T1pI<(outs), (ins t_brtarget:$target), IIC_Br,
"b", "\t$target", [(br bb:$target)]>, "b", "\t$target", [(br bb:$target)]>,
T1Encoding<{1,1,1,0,0,?}>, Sched<[WriteBr]> { T1Encoding<{1,1,1,0,0,?}>, Sched<[WriteBr]> {
bits<11> target; bits<11> target;
let Inst{10-0} = target; let Inst{10-0} = target;
let AsmMatchConverter = "cvtThumbBranches"; let AsmMatchConverter = "cvtThumbBranches";
▲ Show 20 LinesShow All 1,166 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMPredicates.td

Show First 20 LinesShow All 183 Lines▼ Show 20 Lineslet RecomputePerFunction = 1 in {
def UseMovt : Predicate<"Subtarget->useMovt()">; def UseMovt : Predicate<"Subtarget->useMovt()">;
def DontUseMovt : Predicate<"!Subtarget->useMovt()">; def DontUseMovt : Predicate<"!Subtarget->useMovt()">;
def UseMovtInPic : Predicate<"Subtarget->useMovt() && Subtarget->allowPositionIndependentMovt()">; def UseMovtInPic : Predicate<"Subtarget->useMovt() && Subtarget->allowPositionIndependentMovt()">;
def DontUseMovtInPic : Predicate<"!Subtarget->useMovt() || !Subtarget->allowPositionIndependentMovt()">; def DontUseMovtInPic : Predicate<"!Subtarget->useMovt() || !Subtarget->allowPositionIndependentMovt()">;
def UseFPVMLx: Predicate<"((Subtarget->useFPVMLx() &&" def UseFPVMLx: Predicate<"((Subtarget->useFPVMLx() &&"
" TM.Options.AllowFPOpFusion != FPOpFusion::Fast) ||" " TM.Options.AllowFPOpFusion != FPOpFusion::Fast) ||"
"Subtarget->hasMinSize())">; "Subtarget->hasMinSize())">;
def SLSBLRMitigation : Predicate<[{ MF->getSubtarget<ARMSubtarget>().hardenSlsBlr() }]>;
def NoSLSBLRMitigation : Predicate<[{ !MF->getSubtarget<ARMSubtarget>().hardenSlsBlr() }]>;
} }
def UseMulOps : Predicate<"Subtarget->useMulOps()">; def UseMulOps : Predicate<"Subtarget->useMulOps()">;
// Prefer fused MAC for fp mul + add over fp VMLA / VMLS if they are available. // Prefer fused MAC for fp mul + add over fp VMLA / VMLS if they are available.
// But only select them if more precision in FP computation is allowed, and when // But only select them if more precision in FP computation is allowed, and when
// they are not slower than a mul + add sequence. // they are not slower than a mul + add sequence.
// Do not use them for Darwin platforms. // Do not use them for Darwin platforms.
def UseFusedMAC : Predicate<"TM.Options.AllowFPOpFusion ==" def UseFusedMAC : Predicate<"TM.Options.AllowFPOpFusion =="
Show All 24 Lines

llvm/lib/Target/ARM/ARMRegisterBankInfo.cpp

Show First 20 LinesShow All 150 Lines▼ Show 20 Lines static auto InitializeRegisterBankOnce = [&]() {
assert(RBGPR.covers(*TRI.getRegClass(ARM::GPRnopcRegClassID)) && assert(RBGPR.covers(*TRI.getRegClass(ARM::GPRnopcRegClassID)) &&
"Subclass not added?"); "Subclass not added?");
assert(RBGPR.covers(*TRI.getRegClass(ARM::rGPRRegClassID)) && assert(RBGPR.covers(*TRI.getRegClass(ARM::rGPRRegClassID)) &&
"Subclass not added?"); "Subclass not added?");
assert(RBGPR.covers(*TRI.getRegClass(ARM::tGPRRegClassID)) && assert(RBGPR.covers(*TRI.getRegClass(ARM::tGPRRegClassID)) &&
"Subclass not added?"); "Subclass not added?");
assert(RBGPR.covers(*TRI.getRegClass(ARM::tcGPRRegClassID)) && assert(RBGPR.covers(*TRI.getRegClass(ARM::tcGPRRegClassID)) &&
"Subclass not added?"); "Subclass not added?");
assert(RBGPR.covers(*TRI.getRegClass(ARM::tGPR_and_tcGPRRegClassID)) && assert(RBGPR.covers(*TRI.getRegClass(ARM::GPRnoip_and_tcGPRRegClassID)) &&
"Subclass not added?"); "Subclass not added?");
assert(RBGPR.covers( assert(RBGPR.covers(*TRI.getRegClass(
*TRI.getRegClass(ARM::tGPREven_and_tGPR_and_tcGPRRegClassID)) && ARM::tGPREven_and_GPRnoip_and_tcGPRRegClassID)) &&
"Subclass not added?"); "Subclass not added?");
assert(RBGPR.covers(*TRI.getRegClass(ARM::tGPROdd_and_tcGPRRegClassID)) && assert(RBGPR.covers(*TRI.getRegClass(ARM::tGPROdd_and_tcGPRRegClassID)) &&
"Subclass not added?"); "Subclass not added?");
assert(RBGPR.getSize() == 32 && "GPRs should hold up to 32-bit"); assert(RBGPR.getSize() == 32 && "GPRs should hold up to 32-bit");
#ifndef NDEBUG #ifndef NDEBUG
ARM::checkPartialMappings(); ARM::checkPartialMappings();
ARM::checkValueMappings(); ARM::checkValueMappings();
#endif #endif
}; };
llvm::call_once(InitializeRegisterBankFlag, InitializeRegisterBankOnce); llvm::call_once(InitializeRegisterBankFlag, InitializeRegisterBankOnce);
} }
const RegisterBank & const RegisterBank &
ARMRegisterBankInfo::getRegBankFromRegClass(const TargetRegisterClass &RC, ARMRegisterBankInfo::getRegBankFromRegClass(const TargetRegisterClass &RC,
LLT) const { LLT) const {
using namespace ARM; using namespace ARM;
switch (RC.getID()) { switch (RC.getID()) {
case GPRRegClassID: case GPRRegClassID:
case GPRwithAPSRRegClassID: case GPRwithAPSRRegClassID:
case GPRnoipRegClassID:
case GPRnopcRegClassID: case GPRnopcRegClassID:
case GPRnoip_and_GPRnopcRegClassID:
case rGPRRegClassID: case rGPRRegClassID:
case GPRspRegClassID: case GPRspRegClassID:
case tGPR_and_tcGPRRegClassID: case GPRnoip_and_tcGPRRegClassID:
case tcGPRRegClassID: case tcGPRRegClassID:
case tGPRRegClassID: case tGPRRegClassID:
case tGPREvenRegClassID: case tGPREvenRegClassID:
case tGPROddRegClassID: case tGPROddRegClassID:
case tGPR_and_tGPREvenRegClassID: case tGPR_and_tGPREvenRegClassID:
case tGPR_and_tGPROddRegClassID: case tGPR_and_tGPROddRegClassID:
case tGPREven_and_tcGPRRegClassID: case tGPREven_and_tcGPRRegClassID:
case tGPREven_and_tGPR_and_tcGPRRegClassID: case tGPREven_and_GPRnoip_and_tcGPRRegClassID:
case tGPROdd_and_tcGPRRegClassID: case tGPROdd_and_tcGPRRegClassID:
return getRegBank(ARM::GPRRegBankID); return getRegBank(ARM::GPRRegBankID);
case HPRRegClassID: case HPRRegClassID:
case SPR_8RegClassID: case SPR_8RegClassID:
case SPRRegClassID: case SPRRegClassID:
case DPR_8RegClassID: case DPR_8RegClassID:
case DPRRegClassID: case DPRRegClassID:
case QPRRegClassID: case QPRRegClassID:
▲ Show 20 LinesShow All 282 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMRegisterInfo.td

Show First 20 LinesShow All 229 Lines▼ Show 20 Linesdef GPR : RegisterClass<"ARM", [i32], 32, (add (sequence "R%u", 0, 12),
let AltOrders = [(add LR, GPR), (trunc GPR, 8), let AltOrders = [(add LR, GPR), (trunc GPR, 8),
(add (trunc GPR, 8), R12, LR, (shl GPR, 8))]; (add (trunc GPR, 8), R12, LR, (shl GPR, 8))];
let AltOrderSelect = [{ let AltOrderSelect = [{
return MF.getSubtarget<ARMSubtarget>().getGPRAllocationOrder(MF); return MF.getSubtarget<ARMSubtarget>().getGPRAllocationOrder(MF);
}]; }];
let DiagnosticString = "operand must be a register in range [r0, r15]"; let DiagnosticString = "operand must be a register in range [r0, r15]";
} }
// Register set that excludes registers that are reserved for procedure calls.
// This is used for pseudo-instructions that are actually implemented using a
// procedure call.
def GPRnoip : RegisterClass<"ARM", [i32], 32, (sub GPR, R12, LR)> {
// Allocate LR as the first CSR since it is always saved anyway.
// For Thumb1 mode, we don't want to allocate hi regs at all, as we don't
// know how to spill them. If we make our prologue/epilogue code smarter at
// some point, we can go back to using the above allocation orders for the
// Thumb1 instructions that know how to use hi regs.
let AltOrders = [(add GPRnoip, GPRnoip), (trunc GPRnoip, 8),
(add (trunc GPRnoip, 8), (shl GPRnoip, 8))];
let AltOrderSelect = [{
return MF.getSubtarget<ARMSubtarget>().getGPRAllocationOrder(MF);
}];
let DiagnosticString = "operand must be a register in range [r0, r14]";
}
// GPRs without the PC. Some ARM instructions do not allow the PC in // GPRs without the PC. Some ARM instructions do not allow the PC in
// certain operand slots, particularly as the destination. Primarily // certain operand slots, particularly as the destination. Primarily
// useful for disassembly. // useful for disassembly.
def GPRnopc : RegisterClass<"ARM", [i32], 32, (sub GPR, PC)> { def GPRnopc : RegisterClass<"ARM", [i32], 32, (sub GPR, PC)> {
let AltOrders = [(add LR, GPRnopc), (trunc GPRnopc, 8), let AltOrders = [(add LR, GPRnopc), (trunc GPRnopc, 8),
(add (trunc GPRnopc, 8), R12, LR, (shl GPRnopc, 8))]; (add (trunc GPRnopc, 8), R12, LR, (shl GPRnopc, 8))];
let AltOrderSelect = [{ let AltOrderSelect = [{
return MF.getSubtarget<ARMSubtarget>().getGPRAllocationOrder(MF); return MF.getSubtarget<ARMSubtarget>().getGPRAllocationOrder(MF);
▲ Show 20 LinesShow All 348 LinesShow Last 20 Lines

llvm/lib/Target/ARM/ARMSLSHardening.cpp

Show First 20 LinesShow All 137 Lines▼ Show 20 Lines bool isThumb;
{"__llvm_slsblr_thunk_arm_r4", ARM::R4, false}, {"__llvm_slsblr_thunk_arm_r4", ARM::R4, false},
{"__llvm_slsblr_thunk_arm_r5", ARM::R5, false}, {"__llvm_slsblr_thunk_arm_r5", ARM::R5, false},
{"__llvm_slsblr_thunk_arm_r6", ARM::R6, false}, {"__llvm_slsblr_thunk_arm_r6", ARM::R6, false},
{"__llvm_slsblr_thunk_arm_r7", ARM::R7, false}, {"__llvm_slsblr_thunk_arm_r7", ARM::R7, false},
{"__llvm_slsblr_thunk_arm_r8", ARM::R8, false}, {"__llvm_slsblr_thunk_arm_r8", ARM::R8, false},
{"__llvm_slsblr_thunk_arm_r9", ARM::R9, false}, {"__llvm_slsblr_thunk_arm_r9", ARM::R9, false},
{"__llvm_slsblr_thunk_arm_r10", ARM::R10, false}, {"__llvm_slsblr_thunk_arm_r10", ARM::R10, false},
{"__llvm_slsblr_thunk_arm_r11", ARM::R11, false}, {"__llvm_slsblr_thunk_arm_r11", ARM::R11, false},
{"__llvm_slsblr_thunk_arm_r12", ARM::R12, false},
{"__llvm_slsblr_thunk_arm_sp", ARM::SP, false}, {"__llvm_slsblr_thunk_arm_sp", ARM::SP, false},
{"__llvm_slsblr_thunk_arm_lr", ARM::LR, false},
{"__llvm_slsblr_thunk_arm_pc", ARM::PC, false}, {"__llvm_slsblr_thunk_arm_pc", ARM::PC, false},
{"__llvm_slsblr_thunk_thumb_r0", ARM::R0, true}, {"__llvm_slsblr_thunk_thumb_r0", ARM::R0, true},
{"__llvm_slsblr_thunk_thumb_r1", ARM::R1, true}, {"__llvm_slsblr_thunk_thumb_r1", ARM::R1, true},
{"__llvm_slsblr_thunk_thumb_r2", ARM::R2, true}, {"__llvm_slsblr_thunk_thumb_r2", ARM::R2, true},
{"__llvm_slsblr_thunk_thumb_r3", ARM::R3, true}, {"__llvm_slsblr_thunk_thumb_r3", ARM::R3, true},
{"__llvm_slsblr_thunk_thumb_r4", ARM::R4, true}, {"__llvm_slsblr_thunk_thumb_r4", ARM::R4, true},
{"__llvm_slsblr_thunk_thumb_r5", ARM::R5, true}, {"__llvm_slsblr_thunk_thumb_r5", ARM::R5, true},
{"__llvm_slsblr_thunk_thumb_r6", ARM::R6, true}, {"__llvm_slsblr_thunk_thumb_r6", ARM::R6, true},
{"__llvm_slsblr_thunk_thumb_r7", ARM::R7, true}, {"__llvm_slsblr_thunk_thumb_r7", ARM::R7, true},
{"__llvm_slsblr_thunk_thumb_r8", ARM::R8, true}, {"__llvm_slsblr_thunk_thumb_r8", ARM::R8, true},
{"__llvm_slsblr_thunk_thumb_r9", ARM::R9, true}, {"__llvm_slsblr_thunk_thumb_r9", ARM::R9, true},
{"__llvm_slsblr_thunk_thumb_r10", ARM::R10, true}, {"__llvm_slsblr_thunk_thumb_r10", ARM::R10, true},
{"__llvm_slsblr_thunk_thumb_r11", ARM::R11, true}, {"__llvm_slsblr_thunk_thumb_r11", ARM::R11, true},
{"__llvm_slsblr_thunk_thumb_r12", ARM::R12, true},
{"__llvm_slsblr_thunk_thumb_sp", ARM::SP, true}, {"__llvm_slsblr_thunk_thumb_sp", ARM::SP, true},
{"__llvm_slsblr_thunk_thumb_lr", ARM::LR, true},
{"__llvm_slsblr_thunk_thumb_pc", ARM::PC, true}, {"__llvm_slsblr_thunk_thumb_pc", ARM::PC, true},
}; };
namespace { namespace {
struct SLSBLRThunkInserter : ThunkInserter<SLSBLRThunkInserter> { struct SLSBLRThunkInserter : ThunkInserter<SLSBLRThunkInserter> {
const char *getThunkPrefix() { return SLSBLRNamePrefix; } const char *getThunkPrefix() { return SLSBLRNamePrefix; }
bool mayUseThunk(const MachineFunction &MF) { bool mayUseThunk(const MachineFunction &MF) {
// FIXME: This could also check if there are any indirect calls in the // FIXME: This could also check if there are any indirect calls in the
▲ Show 20 LinesShow All 74 Lines▼ Show 20 LinesMachineBasicBlock &ARMSLSHardening::ConvertIndirectCallToIndirectJump(
// | BX rN | // | BX rN |
// | barrierInsts | // | barrierInsts |
// |-----------------------------| // |-----------------------------|
// //
// The __llvm_slsblr_thunk_mode_xN thunks are created by the // The __llvm_slsblr_thunk_mode_xN thunks are created by the
// SLSBLRThunkInserter. // SLSBLRThunkInserter.
// This function merely needs to transform an indirect call to a direct call // This function merely needs to transform an indirect call to a direct call
// to __llvm_slsblr_thunk_xN. // to __llvm_slsblr_thunk_xN.
//
// Since linkers are allowed to clobber R12 on function calls, the above
// mitigation only works if the original indirect call instruction was not
// using R12. Code generation before must make sure that no indirect call
// using R12 was produced if the mitigation is enabled.
// Also, the transformation is incorrect if the indirect call uses LR, so
// also have to avoid that.
// FIXME: that will be done in a follow-on patch.
MachineInstr &IndirectCall = *MBBI; MachineInstr &IndirectCall = *MBBI;
assert(isIndirectCall(IndirectCall) && !IndirectCall.isReturn()); assert(isIndirectCall(IndirectCall) && !IndirectCall.isReturn());
int RegOpIdxOnIndirectCall = -1; int RegOpIdxOnIndirectCall = -1;
bool isThumb; bool isThumb;
switch (IndirectCall.getOpcode()) { switch (IndirectCall.getOpcode()) {
case ARM::BLX: // !isThumb2 case ARM::BLX: // !isThumb2
case ARM::BLX_noip: // !isThumb2
isThumb = false; isThumb = false;
RegOpIdxOnIndirectCall = 0; RegOpIdxOnIndirectCall = 0;
break; break;
case ARM::tBLXr: // isThumb2 case ARM::tBLXr: // isThumb2
case ARM::tBLXr_noip: // isThumb2
isThumb = true; isThumb = true;
RegOpIdxOnIndirectCall = 2; RegOpIdxOnIndirectCall = 2;
break; break;
default: default:
llvm_unreachable("unhandled Indirect Call"); llvm_unreachable("unhandled Indirect Call");
} }
Register Reg = IndirectCall.getOperand(RegOpIdxOnIndirectCall).getReg(); Register Reg = IndirectCall.getOperand(RegOpIdxOnIndirectCall).getReg();
// Since linkers are allowed to clobber R12 on function calls, the above
// mitigation only works if the original indirect call instruction was not
// using R12. Code generation before must make sure that no indirect call
// using R12 was produced if the mitigation is enabled.
// Also, the transformation is incorrect if the indirect call uses LR, so
// also have to avoid that.
assert(Reg != ARM::R12 && Reg != ARM::LR); assert(Reg != ARM::R12 && Reg != ARM::LR);
bool RegIsKilled = IndirectCall.getOperand(RegOpIdxOnIndirectCall).isKill(); bool RegIsKilled = IndirectCall.getOperand(RegOpIdxOnIndirectCall).isKill();
DebugLoc DL = IndirectCall.getDebugLoc(); DebugLoc DL = IndirectCall.getDebugLoc();
MachineFunction &MF = *MBBI->getMF(); MachineFunction &MF = *MBBI->getMF();
auto ThunkIt = llvm::find_if(SLSBLRThunks, [Reg, isThumb](auto T) { auto ThunkIt = llvm::find_if(SLSBLRThunks, [Reg, isThumb](auto T) {
return T.Reg == Reg && T.isThumb == isThumb; return T.Reg == Reg && T.isThumb == isThumb;
▲ Show 20 LinesShow All 132 LinesShow Last 20 Lines

llvm/test/CodeGen/ARM/speculation-hardening-sls.ll

Show First 20 LinesShow All 180 Lines▼ Show 20 Linesentry:
%call = tail call i32 %0() nounwind %call = tail call i32 %0() nounwind
; HARDENARM: bl {{__llvm_slsblr_thunk_arm_r[0-9]+$}} ; HARDENARM: bl {{__llvm_slsblr_thunk_arm_r[0-9]+$}}
; HARDENTHUMB: bl {{__llvm_slsblr_thunk_thumb_r[0-9]+$}} ; HARDENTHUMB: bl {{__llvm_slsblr_thunk_thumb_r[0-9]+$}}
store i32 %call, i32* @b, align 4 store i32 %call, i32* @b, align 4
ret void ret void
; CHECK: .Lfunc_end ; CHECK: .Lfunc_end
} }
; HARDEN-label: __llvm_slsblr_thunk_(arm|thumb)_r5: ; Verify that neither r12 nor lr are used as registers in indirect call
; instructions when the sls-hardening-blr mitigation is enabled, as
; (a) a linker is allowed to clobber r12 on calls, and
; (b) the hardening transformation isn't correct if lr is the register holding
; the address of the function called.
define i32 @check_r12(i32 ()** %fp) {
entry:
ostannardUnsubmitted
Done
ReplyInline Actions

A slightly less fragile way to do this would be to pass the function pointer into and out an inline asm statement, with an output constraint which forces it into r12/lr. The compiler can still move it to a different register (and will need to do that with slsblr enabled), but it won't be dependent on register allocation order.

ostannard: A slightly less fragile way to do this would be to pass the function pointer into and out an…
kristof.beylsAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for the suggestion, that is indeed better.
Now implemented.

kristof.beyls: Thanks for the suggestion, that is indeed better. Now implemented.
; CHECK-LABEL: check_r12:
%f = load i32 ()*, i32 ()** %fp, align 4
; Force f to be moved into r12
%r12_f = tail call i32 ()* asm "add $0, $1, #0", "={r12},{r12}"(i32 ()* %f) nounwind
%call = call i32 %r12_f()
; NOHARDENARM: blx r12
; NOHARDENTHUMB: blx r12
; HARDEN-NOT: bl {{__llvm_slsblr_thunk_(arm|thumb)_r12}}
ret i32 %call
; CHECK: .Lfunc_end
}
define i32 @check_lr(i32 ()** %fp) {
entry:
; CHECK-LABEL: check_lr:
%f = load i32 ()*, i32 ()** %fp, align 4
; Force f to be moved into lr
%lr_f = tail call i32 ()* asm "add $0, $1, #0", "={lr},{lr}"(i32 ()* %f) nounwind
%call = call i32 %lr_f()
; NOHARDENARM: blx lr
; NOHARDENTHUMB: blx lr
; HARDEN-NOT: bl {{__llvm_slsblr_thunk_(arm|thumb)_lr}}
ret i32 %call
; CHECK: .Lfunc_end
}
; Verify that even when sls-harden-blr is enabled, "blx r12" is still an
; instruction that is accepted by the inline assembler
define void @verify_inline_asm_blx_r12(void ()* %g) {
entry:
; CHECK-LABEL: verify_inline_asm_blx_r12:
%0 = bitcast void ()* %g to i8*
tail call void asm sideeffect "blx $0", "{r12}"(i8* %0) nounwind
; CHECK: blx r12
ret void
; CHECK: {{bx lr$}}
; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb
; SB-NEXT: {{ sb$}}
; CHECK: .Lfunc_end
}
; HARDEN-label: {{__llvm_slsblr_thunk_(arm|thumb)_r5}}:
; HARDEN: bx r5 ; HARDEN: bx r5
; ISBDSB-NEXT: dsb sy ; ISBDSB-NEXT: dsb sy
; ISBDSB-NEXT: isb ; ISBDSB-NEXT: isb
; SB-NEXT: dsb sy ; SB-NEXT: dsb sy
; SB-NEXT: isb ; SB-NEXT: isb
; HARDEN-NEXT: .Lfunc_end ; HARDEN-NEXT: .Lfunc_end