RPCS3/llvm-mirror
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm-mirror.git synced 2024-11-22 10:42:39 +01:00
Code Issues Projects Releases Wiki Activity

[IR] add fn attr for no_stack_protector; prevent inlining on mismatch

Browse Source 
It's currently ambiguous in IR whether the source language explicitly
did not want a stack a stack protector (in C, via function attribute
no_stack_protector) or doesn't care for any given function.

It's common for code that manipulates the stack via inline assembly or
that has to set up its own stack canary (such as the Linux kernel) would
like to avoid stack protectors in certain functions. In this case, we've
been bitten by numerous bugs where a callee with a stack protector is
inlined into an __attribute__((__no_stack_protector__)) caller, which
generally breaks the caller's assumptions about not having a stack
protector. LTO exacerbates the issue.

While developers can avoid this by putting all no_stack_protector
functions in one translation unit together and compiling those with
-fno-stack-protector, it's generally not very ergonomic or as
ergonomic as a function attribute, and still doesn't work for LTO. See also:
https://lore.kernel.org/linux-pm/20200915172658.1432732-1-rkir@google.com/
https://lore.kernel.org/lkml/20200918201436.2932360-30-samitolvanen@google.com/T/#u

Typically, when inlining a callee into a caller, the caller will be
upgraded in its level of stack protection (see adjustCallerSSPLevel()).
By adding an explicit attribute in the IR when the function attribute is
used in the source language, we can now identify such cases and prevent
inlining.  Block inlining when the callee and caller differ in the case that one
contains `nossp` when the other has `ssp`, `sspstrong`, or `sspreq`.

Fixes pr/47479.

Reviewed By: void

Differential Revision: https://reviews.llvm.org/D87956
This commit is contained in:
Nick Desaulniers 2020-10-23 11:41:17 -07:00
parent 270ab79b5a
commit e95a065d26
26 changed files with 241 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bindings/go/llvm/ir_test.go
View File

@ -78,6 +78,7 @@ func TestAttributes(t *testing.T) {
"returns_twice",
"signext",
"safestack",
"nossp",
"ssp",
"sspreq",
"sspstrong",

1
bindings/ocaml/llvm/llvm.ml
View File

@ -122,6 +122,7 @@ module Attribute = struct
| Noinline
| Alwaysinline
| Optsize
| Nossp
| Ssp
| Sspreq
| Alignment of int

1
docs/BitCodeFormat.rst
View File

@ -1070,6 +1070,7 @@ The integer codes are mapped to well-known attributes as follows.
* code 68: ``noundef``
* code 69: ``byref``
* code 70: ``mustprogress``
* code 71: ``nossp``
.. note::
The ``allocsize`` attribute has a special encoding for its arguments. Its two

16
docs/LangRef.rst
View File

@ -1824,6 +1824,22 @@ example:
undefined behavior, the undefined behavior may be observed even
if the call site is dead code.
``nossp``
This attribute indicates the function should not emit a stack smashing
protector. This is useful for code that intentionally manipulates the stack
canary, such as operating system kernel code that must save/restore such
canary values on context switch.
If a function with the ``nossp`` attribute calls a callee function that has
a stack protector function attribute, such as ``ssp``, ``sspreq``, or
``sspstrong`` (or vice-versa), then the callee will not be inline
substituted into the caller. Even when the callee is ``alwaysinline``, the
above holds.
Such inlining might break assumptions in the function that was built
without stack protection. This permits the functions that would have stack
protection to retain their stack protector.
``ssp``
This attribute indicates that the function should emit a stack
smashing protector. It is in the form of a "canary" --- a random value

1
include/llvm/Bitcode/LLVMBitCodes.h
View File

@ -651,6 +651,7 @@ enum AttributeKindCodes {
ATTR_KIND_NOUNDEF = 68,
ATTR_KIND_BYREF = 69,
ATTR_KIND_MUSTPROGRESS = 70,
ATTR_KIND_NO_STACK_PROTECT = 71,
};
enum ComdatSelectionKindCodes {

3
include/llvm/IR/Attributes.td
View File

@ -179,6 +179,9 @@ def StackAlignment : IntAttr<"alignstack">;
/// Function can be speculated.
def Speculatable : EnumAttr<"speculatable">;
/// Stack protection explicitly disabled.
def NoStackProtect : EnumAttr<"nossp">;
/// Stack protection.
def StackProtect : EnumAttr<"ssp">;

1
lib/AsmParser/LLLexer.cpp
View File

@ -678,6 +678,7 @@ lltok::Kind LLLexer::LexIdentifier() {
KEYWORD(signext);
KEYWORD(speculatable);
KEYWORD(sret);
KEYWORD(nossp);
KEYWORD(ssp);
KEYWORD(sspreq);
KEYWORD(sspstrong);

5
lib/AsmParser/LLParser.cpp
View File

@ -1338,6 +1338,9 @@ bool LLParser::ParseFnAttributeValuePairs(AttrBuilder &B,
case lltok::kw_returns_twice:
B.addAttribute(Attribute::ReturnsTwice); break;
case lltok::kw_speculatable: B.addAttribute(Attribute::Speculatable); break;
case lltok::kw_nossp:
B.addAttribute(Attribute::NoStackProtect);
break;
case lltok::kw_ssp: B.addAttribute(Attribute::StackProtect); break;
case lltok::kw_sspreq: B.addAttribute(Attribute::StackProtectReq); break;
case lltok::kw_sspstrong:
@ -1749,6 +1752,7 @@ bool LLParser::ParseOptionalParamAttrs(AttrBuilder &B) {
case lltok::kw_sanitize_memory:
case lltok::kw_sanitize_thread:
case lltok::kw_speculative_load_hardening:
case lltok::kw_nossp:
case lltok::kw_ssp:
case lltok::kw_sspreq:
case lltok::kw_sspstrong:
@ -1854,6 +1858,7 @@ bool LLParser::ParseOptionalReturnAttrs(AttrBuilder &B) {
case lltok::kw_sanitize_memory:
case lltok::kw_sanitize_thread:
case lltok::kw_speculative_load_hardening:
case lltok::kw_nossp:
case lltok::kw_ssp:
case lltok::kw_sspreq:
case lltok::kw_sspstrong:

1
lib/AsmParser/LLToken.h
View File

@ -223,6 +223,7 @@ enum Kind {
kw_returns_twice,
kw_signext,
kw_speculatable,
kw_nossp,
kw_ssp,
kw_sspreq,
kw_sspstrong,

2
lib/Bitcode/Writer/BitcodeWriter.cpp
View File

@ -697,6 +697,8 @@ static uint64_t getAttrKindEncoding(Attribute::AttrKind Kind) {
return bitc::ATTR_KIND_SPECULATABLE;
case Attribute::StackAlignment:
return bitc::ATTR_KIND_STACK_ALIGNMENT;
case Attribute::NoStackProtect:
return bitc::ATTR_KIND_NO_STACK_PROTECT;
case Attribute::StackProtect:
return bitc::ATTR_KIND_STACK_PROTECT;
case Attribute::StackProtectReq:

6
lib/CodeGen/StackProtector.cpp
View File

@ -270,13 +270,15 @@ static const CallInst *findStackProtectorIntrinsic(Function &F) {
/// regardless of size, functions with any buffer regardless of type and size,
/// functions with aggregates that contain any buffer regardless of type and
/// size, and functions that contain stack-based variables that have had their
/// address taken.
/// address taken. The heuristic will be disregarded for functions explicitly
/// marked nossp.
bool StackProtector::RequiresStackProtector() {
bool Strong = false;
bool NeedsProtector = false;
HasPrologue = findStackProtectorIntrinsic(*F);
if (F->hasFnAttribute(Attribute::SafeStack))
if (F->hasFnAttribute(Attribute::SafeStack) ||
F->hasFnAttribute(Attribute::NoStackProtect))
return false;
// We are constructing the OptimizationRemarkEmitter on the fly rather than

14
lib/IR/Attributes.cpp
View File

@ -425,6 +425,8 @@ std::string Attribute::getAsString(bool InAttrGrp) const {
return "speculative_load_hardening";
if (hasAttribute(Attribute::Speculatable))
return "speculatable";
if (hasAttribute(Attribute::NoStackProtect))
return "nossp";
if (hasAttribute(Attribute::StackProtect))
return "ssp";
if (hasAttribute(Attribute::StackProtectReq))
@ -1939,9 +1941,17 @@ static void setOR(Function &Caller, const Function &Callee) {
/// If the inlined function had a higher stack protection level than the
/// calling function, then bump up the caller's stack protection level.
static void adjustCallerSSPLevel(Function &Caller, const Function &Callee) {
assert(!(Callee.hasFnAttribute(Attribute::NoStackProtect) &&
(Caller.hasFnAttribute(Attribute::StackProtect) ||
Caller.hasFnAttribute(Attribute::StackProtectStrong) ||
Caller.hasFnAttribute(Attribute::StackProtectReq))) &&
"stack protected caller but callee requested no stack protector");
assert(!(Caller.hasFnAttribute(Attribute::NoStackProtect) &&
(Callee.hasFnAttribute(Attribute::StackProtect) ||
Callee.hasFnAttribute(Attribute::StackProtectStrong) ||
Callee.hasFnAttribute(Attribute::StackProtectReq))) &&
"stack protected callee but caller requested no stack protector");
// If upgrading the SSP attribute, clear out the old SSP Attributes first.
// Having multiple SSP attributes doesn't actually hurt, but it adds useless
// clutter to the IR.
AttrBuilder OldSSPAttr;
OldSSPAttr.addAttribute(Attribute::StackProtect)
.addAttribute(Attribute::StackProtectStrong)

14
lib/IR/Verifier.cpp
View File

@ -1577,6 +1577,7 @@ static bool isFuncOnlyAttr(Attribute::AttrKind Kind) {
case Attribute::NoInline:
case Attribute::AlwaysInline:
case Attribute::OptimizeForSize:
case Attribute::NoStackProtect:
case Attribute::StackProtect:
case Attribute::StackProtectReq:
case Attribute::StackProtectStrong:
@ -1972,6 +1973,19 @@ void Verifier::verifyFunctionAttrs(FunctionType *FT, AttributeList Attrs,
CheckFailed(
"\"patchable-function-entry\" takes an unsigned integer: " + S, V);
}
{
unsigned N = 0;
if (Attrs.hasFnAttribute(Attribute::NoStackProtect))
++N;
if (Attrs.hasFnAttribute(Attribute::StackProtect))
++N;
if (Attrs.hasFnAttribute(Attribute::StackProtectReq))
++N;
if (Attrs.hasFnAttribute(Attribute::StackProtectStrong))
++N;
Assert(N < 2,
"nossp, ssp, sspreq, sspstrong fn attrs are mutually exclusive", V);
}
}
void Verifier::verifyFunctionMetadata(

1
lib/Transforms/IPO/ForceFunctionAttrs.cpp
View File

@ -68,6 +68,7 @@ static Attribute::AttrKind parseAttrKind(StringRef Kind) {
.Case("sanitize_thread", Attribute::SanitizeThread)
.Case("sanitize_memtag", Attribute::SanitizeMemTag)
.Case("speculative_load_hardening", Attribute::SpeculativeLoadHardening)
.Case("nossp", Attribute::NoStackProtect)
.Case("ssp", Attribute::StackProtect)
.Case("sspreq", Attribute::StackProtectReq)
.Case("sspstrong", Attribute::StackProtectStrong)

1
lib/Transforms/Utils/CodeExtractor.cpp
View File

@ -925,6 +925,7 @@ Function *CodeExtractor::constructFunction(const ValueSet &inputs,
case Attribute::SanitizeHWAddress:
case Attribute::SanitizeMemTag:
case Attribute::SpeculativeLoadHardening:
case Attribute::NoStackProtect:
case Attribute::StackProtect:
case Attribute::StackProtectReq:
case Attribute::StackProtectStrong:

16
lib/Transforms/Utils/InlineFunction.cpp
View File

@ -1676,6 +1676,22 @@ llvm::InlineResult llvm::InlineFunction(CallBase &CB, InlineFunctionInfo &IFI,
return InlineResult::failure("incompatible GC");
}
// Inlining a function that explicitly should not have a stack protector may
// break the code if inlined into a function that does have a stack
// protector.
if (LLVM_UNLIKELY(Caller->hasFnAttribute(Attribute::NoStackProtect)))
if (CalledFunc->hasFnAttribute(Attribute::StackProtect) ||
CalledFunc->hasFnAttribute(Attribute::StackProtectStrong) ||
CalledFunc->hasFnAttribute(Attribute::StackProtectReq))
return InlineResult::failure(
"stack protected callee but caller requested no stack protector");
if (LLVM_UNLIKELY(CalledFunc->hasFnAttribute(Attribute::NoStackProtect)))
if (Caller->hasFnAttribute(Attribute::StackProtect) ||
Caller->hasFnAttribute(Attribute::StackProtectStrong) ||
Caller->hasFnAttribute(Attribute::StackProtectReq))
return InlineResult::failure(
"stack protected caller but callee requested no stack protector");
// Get the personality function from the callee if it contains a landing pad.
Constant *CalledPersonality =
CalledFunc->hasPersonalityFn()

29
test/CodeGen/X86/stack-protector-2.ll
View File

@ -1,5 +1,5 @@
; RUN: llc -mtriple=x86_64-pc-linux-gnu -start-before=stack-protector -stop-after=stack-protector -o - < %s | FileCheck %s
; Bugs 42238/43308: Test some additional situations not caught previously.
; Bugs 42238/43308/47479: Test some additional situations not caught previously.
define void @store_captures() #0 {
; CHECK-LABEL: @store_captures(
@ -162,4 +162,31 @@ entry:
declare void @llvm.memset.p0i8.i64(i8* nocapture writeonly, i8, i64, i1 immarg)
; Test that the same function does not get a canary if nossp fn attr is set.
declare dso_local void @foo(i8*)
define dso_local void @bar_sspstrong(i64 %0) #0 {
; CHECK-LABEL: @bar_sspstrong
; CHECK-NEXT: %StackGuardSlot = alloca i8*
%2 = alloca i64, align 8
store i64 %0, i64* %2, align 8
%3 = load i64, i64* %2, align 8
%4 = alloca i8, i64 %3, align 16
call void @foo(i8* %4)
ret void
}
define dso_local void @bar_nossp(i64 %0) #1 {
; CHECK-LABEL: @bar_nossp
; CHECK-NEXT: %2 = alloca i64
%2 = alloca i64, align 8
store i64 %0, i64* %2, align 8
%3 = load i64, i64* %2, align 8
%4 = alloca i8, i64 %3, align 16
call void @foo(i8* %4)
ret void
}
attributes #0 = { sspstrong }
attributes #1 = { nossp }

4
test/Transforms/CodeExtractor/PartialInlineAttributes.ll
View File

@ -73,10 +73,10 @@ entry:
attributes #0 = {
inlinehint minsize noduplicate noimplicitfloat norecurse noredzone nounwind
nonlazybind optsize safestack sanitize_address sanitize_hwaddress sanitize_memory
sanitize_thread ssp sspreq sspstrong strictfp uwtable "foo"="bar"
sanitize_thread sspstrong strictfp uwtable "foo"="bar"
"patchable-function"="prologue-short-redirect" "probe-stack"="_foo_guard" "stack-probe-size"="4096" }
; CHECK: attributes [[FN_ATTRS]] = { inlinehint minsize noduplicate noimplicitfloat norecurse noredzone nounwind nonlazybind optsize safestack sanitize_address sanitize_hwaddress sanitize_memory sanitize_thread ssp sspreq sspstrong strictfp uwtable "foo"="bar" "patchable-function"="prologue-short-redirect" "probe-stack"="_foo_guard" "stack-probe-size"="4096" }
; CHECK: attributes [[FN_ATTRS]] = { inlinehint minsize noduplicate noimplicitfloat norecurse noredzone nounwind nonlazybind optsize safestack sanitize_address sanitize_hwaddress sanitize_memory sanitize_thread sspstrong strictfp uwtable "foo"="bar" "patchable-function"="prologue-short-redirect" "probe-stack"="_foo_guard" "stack-probe-size"="4096" }
; attributes to drop
attributes #1 = {

64
test/Transforms/Inline/inline_nossp.ll Normal file
View File

@ -0,0 +1,64 @@
; RUN: opt -inline -o - -S %s | FileCheck %s
; RUN: opt -passes='cgscc(inline)' %s -S | FileCheck %s
; RUN: opt -always-inline -o - -S %s | FileCheck %s
declare dso_local void @foo(i8*)
define dso_local void @ssp(i64 %0) #0 {
%2 = alloca i64, align 8
store i64 %0, i64* %2, align 8
%3 = load i64, i64* %2, align 8
%4 = alloca i8, i64 %3, align 16
call void @foo(i8* %4)
ret void
}
define dso_local void @ssp_alwaysinline(i64 %0) #1 {
%2 = alloca i64, align 8
store i64 %0, i64* %2, align 8
%3 = load i64, i64* %2, align 8
%4 = alloca i8, i64 %3, align 16
call void @foo(i8* %4)
ret void
}
define dso_local void @nossp() #2 {
; Check that the calls to @ssp and @ssp_alwaysinline are not inlined into
; @nossp, since @nossp does not want a stack protector.
; CHECK-LABEL: @nossp
; CHECK-NEXT: call void @ssp
; CHECK-NEXT: call void @ssp_alwaysinline
call void @ssp(i64 1024)
call void @ssp_alwaysinline(i64 1024)
ret void
}
define dso_local void @nossp_alwaysinline() #3 {
call void @ssp(i64 1024)
call void @ssp_alwaysinline(i64 1024)
ret void
}
define dso_local void @nossp_caller() #2 {
; Permit nossp callee to be inlined into nossp caller.
; CHECK-LABEL: @nossp_caller
; CHECK-NEXT: call void @ssp
; CHECK-NEXT: call void @ssp_alwaysinline
; CHECK-NOT: call void @nossp_alwaysinline
call void @nossp_alwaysinline()
ret void
}
define dso_local void @ssp2() #0 {
; Check the call to @nossp is not inlined, since @nossp should not have a stack
; protector.
; CHECK-LABEL: @ssp2
; CHECK-NEXT: call void @nossp
call void @nossp()
ret void
}
attributes #0 = { sspstrong }
attributes #1 = { sspstrong alwaysinline }
attributes #2 = { nossp }
attributes #3 = { nossp alwaysinline}

4
test/Transforms/Inline/inline_ssp.ll
View File

@ -1,6 +1,10 @@
; RUN: opt -inline %s -S | FileCheck %s
; RUN: opt -passes='cgscc(inline)' %s -S | FileCheck %s
; Ensure SSP attributes are propagated correctly when inlining.
; This test case covers callers that are unspecified in their level of stack
; protection. See also llvm/test/Transforms/Inline/inline_nossp.ll
; which tests callers with ``nossp`` function attribute which is stack
; protection explicitly disabled.
@.str = private unnamed_addr constant [11 x i8] c"fun_nossp\0A\00", align 1
@.str1 = private unnamed_addr constant [9 x i8] c"fun_ssp\0A\00", align 1

58
test/Verifier/function-attribute-nossp-ssp-sspreq-sspstrong.ll Normal file
View File

@ -0,0 +1,58 @@
; RUN: not opt -verify -o - %s 2>&1 | FileCheck %s
define void @test_1 () #1 { ret void }
define void @test_2 () #2 { ret void }
define void @test_3 () #3 { ret void }
define void @test_4 () #4 { ret void }
define void @test_5 () #5 { ret void }
define void @test_6 () #6 { ret void }
define void @test_7 () #7 { ret void }
define void @test_8 () #8 { ret void }
define void @test_9 () #9 { ret void }
define void @test_10 () #10 { ret void }
define void @test_11 () #10 { ret void }
define void @test_12 () #10 { ret void }
define void @test_13 () #10 { ret void }
define void @test_14 () #10 { ret void }
attributes #0 = { nossp }
attributes #1 = { ssp }
attributes #2 = { sspreq }
attributes #3 = { sspstrong }
attributes #4 = { nossp ssp }
attributes #5 = { nossp sspreq }
attributes #6 = { nossp sspstrong }
attributes #7 = { ssp sspreq }
attributes #8 = { ssp sspstrong }
attributes #9 = { sspreq sspstrong }
attributes #10 = { nossp ssp sspreq }
attributes #11 = { nossp ssp sspstrong }
attributes #12 = { nossp sspreq sspstrong }
attributes #13 = { ssp sspreq sspstrong }
attributes #14 = { nossp ssp sspreq sspstrong }
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_4
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_5
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_6
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_7
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_8
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_9
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_10
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_11
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_12
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_13
; CHECK: fn attrs are mutually exclusive
; CHECK-NEXT: void ()* @test_14

2
utils/emacs/llvm-mode.el
View File

@ -26,7 +26,7 @@
"inaccessiblemem_or_argmemonly" "inlinehint" "jumptable" "minsize" "mustprogress" "naked" "nobuiltin"
"noduplicate" "nofree" "noimplicitfloat" "noinline" "nonlazybind" "noredzone" "noreturn"
"norecurse" "noundef" "nounwind" "optnone" "optsize" "readnone" "readonly" "returns_twice"
"speculatable" "ssp" "sspreq" "sspstrong" "safestack" "sanitize_address" "sanitize_hwaddress" "sanitize_memtag"
"speculatable" "nossp" "ssp" "sspreq" "sspstrong" "safestack" "sanitize_address" "sanitize_hwaddress" "sanitize_memtag"
"sanitize_thread" "sanitize_memory" "strictfp" "uwtable" "willreturn" "writeonly" "immarg") 'symbols) . font-lock-constant-face)
;; Variables
'("%[-a-zA-Z$._][-a-zA-Z$._0-9]*" . font-lock-variable-name-face)

1
utils/kate/llvm.xml
View File

@ -93,6 +93,7 @@
<item> optsize </item>
<item> readnone </item>
<item> readonly </item>
<item> nossp </item>
<item> ssp </item>
<item> sspreq </item>
<item> sspstrong </item>

1
utils/llvm.grm
View File

@ -168,6 +168,7 @@ FuncAttr ::= noreturn
| noinline
| alwaysinline
| optsize
| nossp
| ssp
| sspreq
| returns_twice

1
utils/vim/syntax/llvm.vim
View File

@ -148,6 +148,7 @@ syn keyword llvmKeyword
\ spir_func
\ spir_kernel
\ sret
\ nossp
\ ssp
\ sspreq
\ sspstrong

1
utils/vscode/llvm/syntaxes/ll.tmLanguage.yaml
View File

@ -245,6 +245,7 @@ patterns:
\\bspir_func\\b|\
\\bspir_kernel\\b|\
\\bsret\\b|\
\\bnossp\\b|\
\\bssp\\b|\
\\bsspreq\\b|\
\\bsspstrong\\b|\