replica
/
hanchenye-llvm-project
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Revert "[X86] Add a Pass that builds a Condensed CFG for Load Value Injection (LVI) Gadgets" 

This reverts commit c74dd640fd.

Reverting to address coding standard issues raised in post-commit
review.
This commit is contained in:
Craig Topper 2020-04-03 16:54:38 -07:00
parent a505ad58cf
commit 1d42c0db9a
13 changed files with 2 additions and 1187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
clang/include/clang/Driver/Options.td
View File

@ -2309,10 +2309,6 @@ def mspeculative_load_hardening : Flag<["-"], "mspeculative-load-hardening">,
Group<m_Group>, Flags<[CoreOption,CC1Option]>;
def mno_speculative_load_hardening : Flag<["-"], "mno-speculative-load-hardening">,
Group<m_Group>, Flags<[CoreOption]>;
def mlvi_hardening : Flag<["-"], "mlvi-hardening">, Group<m_Group>, Flags<[CoreOption,DriverOption]>,
HelpText<"Enable all mitigations for Load Value Injection (LVI)">;
def mno_lvi_hardening : Flag<["-"], "mno-lvi-hardening">, Group<m_Group>, Flags<[CoreOption,DriverOption]>,
HelpText<"Disable mitigations for Load Value Injection (LVI)">;
def mlvi_cfi : Flag<["-"], "mlvi-cfi">, Group<m_Group>, Flags<[CoreOption,DriverOption]>,
HelpText<"Enable only control-flow mitigations for Load Value Injection (LVI)">;
def mno_lvi_cfi : Flag<["-"], "mno-lvi-cfi">, Group<m_Group>, Flags<[CoreOption,DriverOption]>,

8
clang/lib/Driver/ToolChains/Arch/X86.cpp
View File

@ -173,13 +173,7 @@ void x86::getX86TargetFeatures(const Driver &D, const llvm::Triple &Triple,
}
auto LVIOpt = clang::driver::options::ID::OPT_INVALID;
if (Args.hasFlag(options::OPT_mlvi_hardening, options::OPT_mno_lvi_hardening,
false)) {
Features.push_back("+lvi-load-hardening");
Features.push_back("+lvi-cfi"); // load hardening implies CFI protection
LVIOpt = options::OPT_mlvi_hardening;
} else if (Args.hasFlag(options::OPT_mlvi_cfi, options::OPT_mno_lvi_cfi,
false)) {
if (Args.hasFlag(options::OPT_mlvi_cfi, options::OPT_mno_lvi_cfi, false)) {
Features.push_back("+lvi-cfi");
LVIOpt = options::OPT_mlvi_cfi;
}

5
clang/test/Driver/x86-target-features.c
View File

@ -159,11 +159,6 @@
// LVICFI: "-target-feature" "+lvi-cfi"
// NO-LVICFI-NOT: lvi-cfi
// RUN: %clang -target i386-linux-gnu -mlvi-hardening %s -### -o %t.o 2>&1 | FileCheck -check-prefix=LVIHARDENING %s
// RUN: %clang -target i386-linux-gnu -mno-lvi-hardening %s -### -o %t.o 2>&1 | FileCheck -check-prefix=NO-LVIHARDENING %s
// LVIHARDENING: "-target-feature" "+lvi-load-hardening" "-target-feature" "+lvi-cfi"
// NO-LVIHARDENING-NOT: lvi
// RUN: %clang -target i386-linux-gnu -mwaitpkg %s -### -o %t.o 2>&1 | FileCheck -check-prefix=WAITPKG %s
// RUN: %clang -target i386-linux-gnu -mno-waitpkg %s -### -o %t.o 2>&1 | FileCheck -check-prefix=NO-WAITPKG %s
// WAITPKG: "-target-feature" "+waitpkg"

1
llvm/lib/Target/X86/CMakeLists.txt
View File

@ -52,7 +52,6 @@ set(sources
X86InstrInfo.cpp
X86EvexToVex.cpp
X86LegalizerInfo.cpp
X86LoadValueInjectionLoadHardening.cpp
X86LoadValueInjectionRetHardening.cpp
X86MCInstLower.cpp
X86MachineFunctionInfo.cpp

432
llvm/lib/Target/X86/ImmutableGraph.h
View File

@ -1,432 +0,0 @@
//==========-- ImmutableGraph.h - A fast DAG implementation ---------=========//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
///
/// Description: ImmutableGraph is a fast DAG implementation that cannot be
/// modified, except by creating a new ImmutableGraph. ImmutableGraph is
/// implemented as two arrays: one containing nodes, and one containing edges.
/// The advantages to this implementation are two-fold:
/// 1. Iteration and traversal operations should experience terrific caching
/// performance.
/// 2. Set representations and operations on nodes and edges become
/// extraordinarily efficient. For instance, a set of edges is implemented as
/// a bit vector, wherein each bit corresponds to one edge in the edge
/// array. This implies a lower bound of 64x spacial improvement over, e.g.,
/// an llvm::DenseSet or llvm::SmallSet. It also means that
/// insert/erase/contains operations complete in negligible constant time:
/// insert and erase require one load and one store, and contains requires
/// just one load.
///
//===----------------------------------------------------------------------===//
#ifndef IMMUTABLEGRAPH_H
#define IMMUTABLEGRAPH_H
#include "llvm/ADT/BitVector.h"
#include "llvm/ADT/GraphTraits.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/Support/raw_ostream.h"
#include <algorithm>
#include <iterator>
#include <utility>
#include <vector>
namespace llvm {
template <typename _NodeValueT, typename _EdgeValueT, typename _SizeT = int>
class ImmutableGraph {
using Traits = GraphTraits<ImmutableGraph<_NodeValueT, _EdgeValueT> *>;
template <typename> friend class ImmutableGraphBuilder;
public:
using NodeValueT = _NodeValueT;
using EdgeValueT = _EdgeValueT;
using size_type = _SizeT;
class Node;
class Edge {
friend class ImmutableGraph;
template <typename> friend class ImmutableGraphBuilder;
friend Traits;
Node *__dest;
EdgeValueT __value;
public:
EdgeValueT &value() { return __value; }
};
class Node {
friend class ImmutableGraph;
template <typename> friend class ImmutableGraphBuilder;
friend Traits;
Edge *__edges;
NodeValueT __value;
public:
NodeValueT &value() { return __value; }
};
protected:
ImmutableGraph(Node *Nodes, size_type NodesSize, Edge *Edges,
size_type EdgesSize)
: __nodes{Nodes}, __nodes_size{NodesSize}, __edges{Edges},
__edges_size{EdgesSize} {}
ImmutableGraph(const ImmutableGraph &) = delete;
ImmutableGraph(ImmutableGraph &&) = delete;
ImmutableGraph &operator=(const ImmutableGraph &) = delete;
ImmutableGraph &operator=(ImmutableGraph &&) = delete;
public:
~ImmutableGraph() {
delete[] __edges;
delete[] __nodes;
}
Node *nodes_begin() const { return __nodes; }
Node *nodes_end() const { return __nodes + __nodes_size; }
Edge *edges_begin() const { return __edges; }
Edge *edges_end() const { return __edges + __edges_size; }
size_type nodes_size() const { return __nodes_size; }
size_type edges_size() const { return __edges_size; }
bool empty() const { return __nodes_size == 0; }
class NodeSet {
friend class iterator;
const ImmutableGraph &__g;
BitVector __v;
public:
NodeSet(const ImmutableGraph &G, bool ContainsAll = false)
: __g{G}, __v{static_cast<unsigned>(__g.nodes_size()), ContainsAll} {}
bool insert(Node *N) {
size_type Idx = std::distance(__g.nodes_begin(), N);
bool AlreadyExists = __v.test(Idx);
__v.set(Idx);
return !AlreadyExists;
}
void erase(Node *N) {
size_type Idx = std::distance(__g.nodes_begin(), N);
__v.reset(Idx);
}
bool contains(Node *N) const {
size_type Idx = std::distance(__g.nodes_begin(), N);
return __v.test(Idx);
}
void clear() { __v.reset(); }
size_type empty() const { return __v.none(); }
/// Return the number of elements in the set
size_type count() const { return __v.count(); }
/// Return the size of the set's domain
size_type size() const { return __v.size(); }
/// Set union
NodeSet &operator|=(const NodeSet &RHS) {
assert(&this->__g == &RHS.__g);
__v |= RHS.__v;
return *this;
}
/// Set intersection
NodeSet &operator&=(const NodeSet &RHS) {
assert(&this->__g == &RHS.__g);
__v &= RHS.__v;
return *this;
}
/// Set disjoint union
NodeSet &operator^=(const NodeSet &RHS) {
assert(&this->__g == &RHS.__g);
__v ^= RHS.__v;
return *this;
}
using index_iterator = typename BitVector::const_set_bits_iterator;
index_iterator index_begin() const { return __v.set_bits_begin(); }
index_iterator index_end() const { return __v.set_bits_end(); }
void set(size_type Idx) { __v.set(Idx); }
void reset(size_type Idx) { __v.reset(Idx); }
class iterator {
const NodeSet &__set;
size_type __current;
void advance() {
assert(__current != -1);
__current = __set.__v.find_next(__current);
}
public:
iterator(const NodeSet &Set, size_type Begin)
: __set{Set}, __current{Begin} {}
iterator operator++(int) {
iterator Tmp = *this;
advance();
return Tmp;
}
iterator &operator++() {
advance();
return *this;
}
Node *operator*() const {
assert(__current != -1);
return __set.__g.nodes_begin() + __current;
}
bool operator==(const iterator &other) const {
assert(&this->__set == &other.__set);
return this->__current == other.__current;
}
bool operator!=(const iterator &other) const { return !(*this == other); }
};
iterator begin() const { return iterator{*this, __v.find_first()}; }
iterator end() const { return iterator{*this, -1}; }
};
class EdgeSet {
const ImmutableGraph &__g;
BitVector __v;
public:
EdgeSet(const ImmutableGraph &G, bool ContainsAll = false)
: __g{G}, __v{static_cast<unsigned>(__g.edges_size()), ContainsAll} {}
bool insert(Edge *E) {
size_type Idx = std::distance(__g.edges_begin(), E);
bool AlreadyExists = __v.test(Idx);
__v.set(Idx);
return !AlreadyExists;
}
void erase(Edge *E) {
size_type Idx = std::distance(__g.edges_begin(), E);
__v.reset(Idx);
}
bool contains(Edge *E) const {
size_type Idx = std::distance(__g.edges_begin(), E);
return __v.test(Idx);
}
void clear() { __v.reset(); }
bool empty() const { return __v.none(); }
/// Return the number of elements in the set
size_type count() const { return __v.count(); }
/// Return the size of the set's domain
size_type size() const { return __v.size(); }
/// Set union
EdgeSet &operator|=(const EdgeSet &RHS) {
assert(&this->__g == &RHS.__g);
__v |= RHS.__v;
return *this;
}
/// Set intersection
EdgeSet &operator&=(const EdgeSet &RHS) {
assert(&this->__g == &RHS.__g);
__v &= RHS.__v;
return *this;
}
/// Set disjoint union
EdgeSet &operator^=(const EdgeSet &RHS) {
assert(&this->__g == &RHS.__g);
__v ^= RHS.__v;
return *this;
}
using index_iterator = typename BitVector::const_set_bits_iterator;
index_iterator index_begin() const { return __v.set_bits_begin(); }
index_iterator index_end() const { return __v.set_bits_end(); }
void set(size_type Idx) { __v.set(Idx); }
void reset(size_type Idx) { __v.reset(Idx); }
class iterator {
const EdgeSet &__set;
size_type __current;
void advance() {
assert(__current != -1);
__current = __set.__v.find_next(__current);
}
public:
iterator(const EdgeSet &Set, size_type Begin)
: __set{Set}, __current{Begin} {}
iterator operator++(int) {
iterator Tmp = *this;
advance();
return Tmp;
}
iterator &operator++() {
advance();
return *this;
}
Edge *operator*() const {
assert(__current != -1);
return __set.__g.edges_begin() + __current;
}
bool operator==(const iterator &other) const {
assert(&this->__set == &other.__set);
return this->__current == other.__current;
}
bool operator!=(const iterator &other) const { return !(*this == other); }
};
iterator begin() const { return iterator{*this, __v.find_first()}; }
iterator end() const { return iterator{*this, -1}; }
};
private:
Node *__nodes;
size_type __nodes_size;
Edge *__edges;
size_type __edges_size;
};
template <typename GraphT> class ImmutableGraphBuilder {
using NodeValueT = typename GraphT::NodeValueT;
using EdgeValueT = typename GraphT::EdgeValueT;
static_assert(
std::is_base_of<ImmutableGraph<NodeValueT, EdgeValueT>, GraphT>::value,
"Template argument to ImmutableGraphBuilder must derive from "
"ImmutableGraph<>");
using size_type = typename GraphT::size_type;
using NodeSet = typename GraphT::NodeSet;
using Node = typename GraphT::Node;
using EdgeSet = typename GraphT::EdgeSet;
using Edge = typename GraphT::Edge;
using BuilderEdge = std::pair<EdgeValueT, size_type>;
using EdgeList = std::vector<BuilderEdge>;
using BuilderVertex = std::pair<NodeValueT, EdgeList>;
using VertexVec = std::vector<BuilderVertex>;
public:
using NodeRef = size_type;
NodeRef addVertex(const NodeValueT &V) {
auto I = __adj_list.emplace(__adj_list.end(), V, EdgeList{});
return std::distance(__adj_list.begin(), I);
}
void addEdge(const EdgeValueT &E, NodeRef From, NodeRef To) {
__adj_list[From].second.emplace_back(E, To);
}
bool empty() const { return __adj_list.empty(); }
template <typename... ArgT> GraphT *get(ArgT &&... Args) {
size_type VertexSize = __adj_list.size(), EdgeSize = 0;
for (const auto &V : __adj_list) {
EdgeSize += V.second.size();
}
auto *VertexArray = new Node[VertexSize + 1 /* terminator node */];
auto *EdgeArray = new Edge[EdgeSize];
size_type VI = 0, EI = 0;
for (; VI < static_cast<size_type>(__adj_list.size()); ++VI) {
VertexArray[VI].__value = std::move(__adj_list[VI].first);
VertexArray[VI].__edges = &EdgeArray[EI];
auto NumEdges = static_cast<size_type>(__adj_list[VI].second.size());
if (NumEdges > 0) {
for (size_type VEI = 0; VEI < NumEdges; ++VEI, ++EI) {
auto &E = __adj_list[VI].second[VEI];
EdgeArray[EI].__value = std::move(E.first);
EdgeArray[EI].__dest = VertexArray + E.second;
}
}
}
assert(VI == VertexSize && EI == EdgeSize && "Gadget graph malformed");
VertexArray[VI].__edges = EdgeArray + EdgeSize; // terminator node
return new GraphT{VertexArray, VertexSize, EdgeArray, EdgeSize,
std::forward<ArgT>(Args)...};
}
template <typename... ArgT>
static GraphT *trim(const GraphT &G, const NodeSet &TrimNodes,
const EdgeSet &TrimEdges, ArgT &&... Args) {
size_type NewVertexSize = TrimNodes.size() - TrimNodes.count();
size_type NewEdgeSize = TrimEdges.size() - TrimEdges.count();
auto *NewVertexArray = new Node[NewVertexSize + 1 /* terminator node */];
auto *NewEdgeArray = new Edge[NewEdgeSize];
size_type TrimmedNodesSoFar = 0,
*TrimmedNodes = new size_type[TrimNodes.size()];
for (size_type I = 0; I < TrimNodes.size(); ++I) {
TrimmedNodes[I] = TrimmedNodesSoFar;
if (TrimNodes.contains(G.nodes_begin() + I))
++TrimmedNodesSoFar;
}
size_type VertexI = 0, EdgeI = 0;
for (Node *NI = G.nodes_begin(), *NE = G.nodes_end(); NI != NE; ++NI) {
if (TrimNodes.contains(NI))
continue;
size_type NewNumEdges =
static_cast<int>((NI + 1)->__edges - NI->__edges) > 0
? std::count_if(
NI->__edges, (NI + 1)->__edges,
[&TrimEdges](Edge &E) { return !TrimEdges.contains(&E); })
: 0;
NewVertexArray[VertexI].__value = NI->__value;
NewVertexArray[VertexI].__edges = &NewEdgeArray[EdgeI];
if (NewNumEdges > 0) {
for (Edge *EI = NI->__edges, *EE = (NI + 1)->__edges; EI != EE; ++EI) {
if (TrimEdges.contains(EI))
continue;
NewEdgeArray[EdgeI].__value = EI->__value;
size_type DestIdx = std::distance(G.nodes_begin(), EI->__dest);
size_type NewIdx = DestIdx - TrimmedNodes[DestIdx];
assert(NewIdx < NewVertexSize);
NewEdgeArray[EdgeI].__dest = NewVertexArray + NewIdx;
++EdgeI;
}
}
++VertexI;
}
delete[] TrimmedNodes;
assert(VertexI == NewVertexSize && EdgeI == NewEdgeSize &&
"Gadget graph malformed");
NewVertexArray[VertexI].__edges = NewEdgeArray + NewEdgeSize;
return new GraphT{NewVertexArray, NewVertexSize, NewEdgeArray, NewEdgeSize,
std::forward<ArgT>(Args)...};
}
private:
VertexVec __adj_list;
};
template <typename NodeValueT, typename EdgeValueT>
struct GraphTraits<ImmutableGraph<NodeValueT, EdgeValueT> *> {
using GraphT = ImmutableGraph<NodeValueT, EdgeValueT>;
using NodeRef = typename GraphT::Node *;
using EdgeRef = typename GraphT::Edge &;
static NodeRef edge_dest(EdgeRef E) { return E.__dest; }
using ChildIteratorType =
mapped_iterator<typename GraphT::Edge *, decltype(&edge_dest)>;
static NodeRef getEntryNode(GraphT *G) { return G->nodes_begin(); }
static ChildIteratorType child_begin(NodeRef N) {
return {N->__edges, &edge_dest};
}
static ChildIteratorType child_end(NodeRef N) {
return {(N + 1)->__edges, &edge_dest};
}
static NodeRef getNode(typename GraphT::Node &N) { return NodeRef{&N}; }
using nodes_iterator =
mapped_iterator<typename GraphT::Node *, decltype(&getNode)>;
static nodes_iterator nodes_begin(GraphT *G) {
return {G->nodes_begin(), &getNode};
}
static nodes_iterator nodes_end(GraphT *G) {
return {G->nodes_end(), &getNode};
}
using ChildEdgeIteratorType = typename GraphT::Edge *;
static ChildEdgeIteratorType child_edge_begin(NodeRef N) {
return N->__edges;
}
static ChildEdgeIteratorType child_edge_end(NodeRef N) {
return (N + 1)->__edges;
}
static typename GraphT::size_type size(GraphT *G) { return G->nodes_size(); }
};
} // end namespace llvm
#endif // IMMUTABLEGRAPH_H

2
llvm/lib/Target/X86/X86.h
View File

@ -142,7 +142,6 @@ InstructionSelector *createX86InstructionSelector(const X86TargetMachine &TM,
X86Subtarget &,
X86RegisterBankInfo &);
FunctionPass *createX86LoadValueInjectionLoadHardeningPass();
FunctionPass *createX86LoadValueInjectionRetHardeningPass();
FunctionPass *createX86SpeculativeLoadHardeningPass();
@ -160,7 +159,6 @@ void initializeX86DomainReassignmentPass(PassRegistry &);
void initializeX86ExecutionDomainFixPass(PassRegistry &);
void initializeX86ExpandPseudoPass(PassRegistry &);
void initializeX86FlagsCopyLoweringPassPass(PassRegistry &);
void initializeX86LoadValueInjectionLoadHardeningPassPass(PassRegistry &);
void initializeX86LoadValueInjectionRetHardeningPassPass(PassRegistry &);
void initializeX86OptimizeLEAPassPass(PassRegistry &);
void initializeX86PartialReductionPass(PassRegistry &);

7
llvm/lib/Target/X86/X86.td
View File

@ -442,13 +442,6 @@ def FeatureLVIControlFlowIntegrity
"LFENCE instruction to serialize control flow. Also decompose RET "
"instructions into a POP+LFENCE+JMP sequence.">;
// Mitigate LVI attacks against data loads
def FeatureLVILoadHardening
: SubtargetFeature<
"lvi-load-hardening", "UseLVILoadHardening", "true",
"Insert LFENCE instructions to prevent data speculatively injected "
"into loads from being used maliciously.">;
// Direct Move instructions.
def FeatureMOVDIRI : SubtargetFeature<"movdiri", "HasMOVDIRI", "true",
"Support movdiri instruction">;

586
llvm/lib/Target/X86/X86LoadValueInjectionLoadHardening.cpp
View File

@ -1,586 +0,0 @@
//==-- X86LoadValueInjectionLoadHardening.cpp - LVI load hardening for x86 --=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
///
/// Description: This pass finds Load Value Injection (LVI) gadgets consisting
/// of a load from memory (i.e., SOURCE), and any operation that may transmit
/// the value loaded from memory over a covert channel, or use the value loaded
/// from memory to determine a branch/call target (i.e., SINK).
///
//===----------------------------------------------------------------------===//
#include "ImmutableGraph.h"
#include "X86.h"
#include "X86Subtarget.h"
#include "X86TargetMachine.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/CodeGen/MachineBasicBlock.h"
#include "llvm/CodeGen/MachineDominanceFrontier.h"
#include "llvm/CodeGen/MachineDominators.h"
#include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/MachineInstr.h"
#include "llvm/CodeGen/MachineInstrBuilder.h"
#include "llvm/CodeGen/MachineLoopInfo.h"
#include "llvm/CodeGen/MachineRegisterInfo.h"
#include "llvm/CodeGen/RDFGraph.h"
#include "llvm/CodeGen/RDFLiveness.h"
#include "llvm/InitializePasses.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/DOTGraphTraits.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/GraphWriter.h"
#include "llvm/Support/raw_ostream.h"
using namespace llvm;
#define PASS_KEY "x86-lvi-load"
#define DEBUG_TYPE PASS_KEY
STATISTIC(NumFunctionsConsidered, "Number of functions analyzed");
STATISTIC(NumFunctionsMitigated, "Number of functions for which mitigations "
"were deployed");
STATISTIC(NumGadgets, "Number of LVI gadgets detected during analysis");
static cl::opt<bool> NoConditionalBranches(
PASS_KEY "-no-cbranch",
cl::desc("Don't treat conditional branches as disclosure gadgets. This "
"may improve performance, at the cost of security."),
cl::init(false), cl::Hidden);
static cl::opt<bool> EmitDot(
PASS_KEY "-dot",
cl::desc(
"For each function, emit a dot graph depicting potential LVI gadgets"),
cl::init(false), cl::Hidden);
static cl::opt<bool> EmitDotOnly(
PASS_KEY "-dot-only",
cl::desc("For each function, emit a dot graph depicting potential LVI "
"gadgets, and do not insert any fences"),
cl::init(false), cl::Hidden);
static cl::opt<bool> EmitDotVerify(
PASS_KEY "-dot-verify",
cl::desc("For each function, emit a dot graph to stdout depicting "
"potential LVI gadgets, used for testing purposes only"),
cl::init(false), cl::Hidden);
static cl::opt<bool> NoFixedLoads(
PASS_KEY "-no-fixed",
cl::desc("Don't mitigate RIP-relative or RSP-relative loads. This "
"may improve performance, at the cost of security."),
cl::init(false), cl::Hidden);
#define ARG_NODE nullptr
#define GADGET_EDGE ((int)(-1))
#define WEIGHT(EdgeValue) ((double)(2 * (EdgeValue) + 1))
namespace {
class X86LoadValueInjectionLoadHardeningPass : public MachineFunctionPass {
public:
X86LoadValueInjectionLoadHardeningPass() : MachineFunctionPass(ID) {}
StringRef getPassName() const override {
return "X86 Load Value Injection (LVI) Load Hardening";
}
void getAnalysisUsage(AnalysisUsage &AU) const override;
bool runOnMachineFunction(MachineFunction &MF) override;
static char ID;
private:
struct MachineGadgetGraph : ImmutableGraph<MachineInstr *, int> {
using GraphT = ImmutableGraph<MachineInstr *, int>;
using Node = typename GraphT::Node;
using Edge = typename GraphT::Edge;
using size_type = typename GraphT::size_type;
MachineGadgetGraph(Node *Nodes, size_type NodesSize, Edge *Edges,
size_type EdgesSize, int NumFences = 0,
int NumGadgets = 0)
: GraphT{Nodes, NodesSize, Edges, EdgesSize}, NumFences{NumFences},
NumGadgets{NumGadgets} {}
MachineFunction &getMF() { // FIXME: This function should be cleaner
for (Node *NI = nodes_begin(), *const NE = nodes_end(); NI != NE; ++NI) {
if (NI->value()) {
return *NI->value()->getMF();
}
}
llvm_unreachable("Could not find a valid node");
}
static inline bool isCFGEdge(Edge &E) { return E.value() != GADGET_EDGE; }
static inline bool isGadgetEdge(Edge &E) {
return E.value() == GADGET_EDGE;
}
int NumFences;
int NumGadgets;
};
friend struct llvm::DOTGraphTraits<MachineGadgetGraph *>;
using GTraits = llvm::GraphTraits<MachineGadgetGraph *>;
using GraphBuilder = ImmutableGraphBuilder<MachineGadgetGraph>;
using EdgeSet = MachineGadgetGraph::EdgeSet;
using Gadget = std::pair<MachineInstr *, MachineInstr *>;
const X86Subtarget *STI;
const TargetInstrInfo *TII;
const TargetRegisterInfo *TRI;
int hardenLoads(MachineFunction &MF, bool Fixed) const;
std::unique_ptr<MachineGadgetGraph>
getGadgetGraph(MachineFunction &MF, const MachineLoopInfo &MLI,
const MachineDominatorTree &MDT,
const MachineDominanceFrontier &MDF, bool FixedLoads) const;
bool instrUsesRegToAccessMemory(const MachineInstr &I, unsigned Reg) const;
bool instrUsesRegToBranch(const MachineInstr &I, unsigned Reg) const;
template <unsigned K> bool hasLoadFrom(const MachineInstr &MI) const;
bool instrAccessesStackSlot(const MachineInstr &MI) const;
bool instrAccessesConstantPool(const MachineInstr &MI) const;
bool instrAccessesGOT(const MachineInstr &MI) const;
inline bool instrIsFixedAccess(const MachineInstr &MI) const {
return instrAccessesConstantPool(MI) || instrAccessesStackSlot(MI) ||
instrAccessesGOT(MI);
}
inline bool isFence(const MachineInstr *MI) const {
return MI && (MI->getOpcode() == X86::LFENCE ||
(STI->useLVIControlFlowIntegrity() && MI->isCall()));
}
};
} // end anonymous namespace
namespace llvm {
template <>
struct GraphTraits<X86LoadValueInjectionLoadHardeningPass::MachineGadgetGraph *>
: GraphTraits<ImmutableGraph<MachineInstr *, int> *> {};
template <>
struct DOTGraphTraits<
X86LoadValueInjectionLoadHardeningPass::MachineGadgetGraph *>
: DefaultDOTGraphTraits {
using GraphType = X86LoadValueInjectionLoadHardeningPass::MachineGadgetGraph;
using Traits = X86LoadValueInjectionLoadHardeningPass::GTraits;
using NodeRef = typename Traits::NodeRef;
using EdgeRef = typename Traits::EdgeRef;
using ChildIteratorType = typename Traits::ChildIteratorType;
using ChildEdgeIteratorType = typename Traits::ChildEdgeIteratorType;
DOTGraphTraits(bool isSimple = false) : DefaultDOTGraphTraits(isSimple) {}
static std::string getGraphName(GraphType *G) {
std::string GraphName{"Speculative gadgets for \""};
GraphName += G->getMF().getName();
GraphName += "\" function";
return GraphName;
}
std::string getNodeLabel(NodeRef Node, GraphType *) {
std::string str;
raw_string_ostream str_stream{str};
if (Node->value() == ARG_NODE)
return "ARGS";
str_stream << *Node->value();
return str_stream.str();
}
static std::string getNodeAttributes(NodeRef Node, GraphType *) {
MachineInstr *MI = Node->value();
if (MI == ARG_NODE)
return "color = blue";
else if (MI->getOpcode() == X86::LFENCE)
return "color = green";
else
return "";
}
static std::string getEdgeAttributes(NodeRef, ChildIteratorType E,
GraphType *) {
int EdgeVal = (*E.getCurrent()).value();
return EdgeVal >= 0 ? "label = " + std::to_string(EdgeVal)
: "color = red, style = \"dashed\"";
}
};
} // end namespace llvm
char X86LoadValueInjectionLoadHardeningPass::ID = 0;
void X86LoadValueInjectionLoadHardeningPass::getAnalysisUsage(
AnalysisUsage &AU) const {
MachineFunctionPass::getAnalysisUsage(AU);
AU.addRequired<MachineLoopInfo>();
AU.addRequired<MachineDominatorTree>();
AU.addRequired<MachineDominanceFrontier>();
AU.setPreservesCFG();
}
bool X86LoadValueInjectionLoadHardeningPass::runOnMachineFunction(
MachineFunction &MF) {
LLVM_DEBUG(dbgs() << "***** " << getPassName() << " : " << MF.getName()
<< " *****\n");
STI = &MF.getSubtarget<X86Subtarget>();
if (!STI->useLVILoadHardening() || !STI->is64Bit())
return false; // FIXME: support 32-bit
// Don't skip functions with the "optnone" attr but participate in opt-bisect.
const Function &F = MF.getFunction();
if (!F.hasOptNone() && skipFunction(F))
return false;
++NumFunctionsConsidered;
TII = STI->getInstrInfo();
TRI = STI->getRegisterInfo();
LLVM_DEBUG(dbgs() << "Hardening data-dependent loads...\n");
hardenLoads(MF, false);
LLVM_DEBUG(dbgs() << "Hardening data-dependent loads... Done\n");
if (!NoFixedLoads) {
LLVM_DEBUG(dbgs() << "Hardening fixed loads...\n");
hardenLoads(MF, true);
LLVM_DEBUG(dbgs() << "Hardening fixed loads... Done\n");
}
return false;
}
// Apply the mitigation to `MF`, return the number of fences inserted.
// If `FixedLoads` is `true`, then the mitigation will be applied to fixed
// loads; otherwise, mitigation will be applied to non-fixed loads.
int X86LoadValueInjectionLoadHardeningPass::hardenLoads(MachineFunction &MF,
bool FixedLoads) const {
LLVM_DEBUG(dbgs() << "Building gadget graph...\n");
const auto &MLI = getAnalysis<MachineLoopInfo>();
const auto &MDT = getAnalysis<MachineDominatorTree>();
const auto &MDF = getAnalysis<MachineDominanceFrontier>();
std::unique_ptr<MachineGadgetGraph> Graph =
getGadgetGraph(MF, MLI, MDT, MDF, FixedLoads);
LLVM_DEBUG(dbgs() << "Building gadget graph... Done\n");
if (Graph == nullptr)
return 0; // didn't find any gadgets
if (EmitDotVerify) {
WriteGraph(outs(), Graph.get());
return 0;
}
if (EmitDot || EmitDotOnly) {
LLVM_DEBUG(dbgs() << "Emitting gadget graph...\n");
std::error_code FileError;
std::string FileName = "lvi.";
if (FixedLoads)
FileName += "fixed.";
FileName += Graph->getMF().getName();
FileName += ".dot";
raw_fd_ostream FileOut(FileName, FileError);
if (FileError)
errs() << FileError.message();
WriteGraph(FileOut, Graph.get());
FileOut.close();
LLVM_DEBUG(dbgs() << "Emitting gadget graph... Done\n");
if (EmitDotOnly)
return 0;
}
return 0;
}
std::unique_ptr<X86LoadValueInjectionLoadHardeningPass::MachineGadgetGraph>
X86LoadValueInjectionLoadHardeningPass::getGadgetGraph(
MachineFunction &MF, const MachineLoopInfo &MLI,
const MachineDominatorTree &MDT, const MachineDominanceFrontier &MDF,
bool FixedLoads) const {
using namespace rdf;
// Build the Register Dataflow Graph using the RDF framework
TargetOperandInfo TOI{*TII};
DataFlowGraph DFG{MF, *TII, *TRI, MDT, MDF, TOI};
DFG.build();
Liveness L{MF.getRegInfo(), DFG};
L.computePhiInfo();
GraphBuilder Builder;
using GraphIter = typename GraphBuilder::NodeRef;
DenseMap<MachineInstr *, GraphIter> NodeMap;
int FenceCount = 0;
auto MaybeAddNode = [&NodeMap, &Builder](MachineInstr *MI) {
auto Ref = NodeMap.find(MI);
if (Ref == NodeMap.end()) {
auto I = Builder.addVertex(MI);
NodeMap[MI] = I;
return std::pair<GraphIter, bool>{I, true};
} else {
return std::pair<GraphIter, bool>{Ref->getSecond(), false};
}
};
// Analyze all machine instructions to find gadgets and LFENCEs, adding
// each interesting value to `Nodes`
DenseSet<std::pair<GraphIter, GraphIter>> GadgetEdgeSet;
auto AnalyzeDef = [&](NodeAddr<DefNode *> Def) {
MachineInstr *MI = Def.Addr->getFlags() & NodeAttrs::PhiRef
? ARG_NODE
: Def.Addr->getOp().getParent();
auto AnalyzeUse = [&](NodeAddr<UseNode *> Use) {
assert(!(Use.Addr->getFlags() & NodeAttrs::PhiRef));
MachineOperand &UseMO = Use.Addr->getOp();
MachineInstr &UseMI = *UseMO.getParent();
assert(UseMO.isReg());
// We naively assume that an instruction propagates any loaded Uses
// to all Defs, unless the instruction is a call
if (UseMI.isCall())
return false;
if (instrUsesRegToAccessMemory(UseMI, UseMO.getReg()) ||
(!NoConditionalBranches &&
instrUsesRegToBranch(UseMI, UseMO.getReg()))) { // found a gadget!
// add the root of this chain
auto GadgetBegin = MaybeAddNode(MI);
// and the instruction that (transitively) discloses the root
auto GadgetEnd = MaybeAddNode(&UseMI);
if (GadgetEdgeSet.insert({GadgetBegin.first, GadgetEnd.first}).second)
Builder.addEdge(GADGET_EDGE, GadgetBegin.first, GadgetEnd.first);
if (UseMI.mayLoad()) // FIXME: This should be more precise
return false; // stop traversing further uses of `Reg`
}
return true;
};
SmallSet<NodeId, 8> NodesVisited;
std::function<void(NodeAddr<DefNode *>)> AnalyzeDefUseChain =
[&](NodeAddr<DefNode *> Def) {
if (Def.Addr->getAttrs() & NodeAttrs::Dead)
return;
RegisterRef DefReg = DFG.getPRI().normalize(Def.Addr->getRegRef(DFG));
NodeList Uses;
for (auto UseID : L.getAllReachedUses(DefReg, Def)) {
auto Use = DFG.addr<UseNode *>(UseID);
if (Use.Addr->getFlags() & NodeAttrs::PhiRef) { // phi node
NodeAddr<PhiNode *> Phi = Use.Addr->getOwner(DFG);
for (auto I : L.getRealUses(Phi.Id)) {
if (DFG.getPRI().alias(RegisterRef(I.first), DefReg)) {
for (auto UA : I.second) {
auto PhiUse = DFG.addr<UseNode *>(UA.first);
Uses.push_back(PhiUse);
}
}
}
} else { // not a phi node
Uses.push_back(Use);
}
}
for (auto N : Uses) {
NodeAddr<UseNode *> Use{N};
if (NodesVisited.insert(Use.Id).second && AnalyzeUse(Use)) {
NodeAddr<InstrNode *> Owner{Use.Addr->getOwner(DFG)};
NodeList Defs = Owner.Addr->members_if(DataFlowGraph::IsDef, DFG);
std::for_each(Defs.begin(), Defs.end(), AnalyzeDefUseChain);
}
}
};
AnalyzeDefUseChain(Def);
};
LLVM_DEBUG(dbgs() << "Analyzing def-use chains to find gadgets\n");
// Analyze function arguments
if (!FixedLoads) { // only need to analyze function args once
NodeAddr<BlockNode *> EntryBlock = DFG.getFunc().Addr->getEntryBlock(DFG);
for (NodeAddr<PhiNode *> ArgPhi :
EntryBlock.Addr->members_if(DataFlowGraph::IsPhi, DFG)) {
NodeList Defs = ArgPhi.Addr->members_if(DataFlowGraph::IsDef, DFG);
std::for_each(Defs.begin(), Defs.end(), AnalyzeDef);
}
}
// Analyze every instruction in MF
for (NodeAddr<BlockNode *> BA : DFG.getFunc().Addr->members(DFG)) {
for (NodeAddr<StmtNode *> SA :
BA.Addr->members_if(DataFlowGraph::IsCode<NodeAttrs::Stmt>, DFG)) {
MachineInstr *MI = SA.Addr->getCode();
if (isFence(MI)) {
MaybeAddNode(MI);
++FenceCount;
} else if (MI->mayLoad() && ((FixedLoads && instrIsFixedAccess(*MI)) ||
(!FixedLoads && !instrIsFixedAccess(*MI)))) {
NodeList Defs = SA.Addr->members_if(DataFlowGraph::IsDef, DFG);
std::for_each(Defs.begin(), Defs.end(), AnalyzeDef);
}
}
}
int GadgetCount = static_cast<int>(GadgetEdgeSet.size());
LLVM_DEBUG(dbgs() << "Found " << FenceCount << " fences\n");
LLVM_DEBUG(dbgs() << "Found " << GadgetCount << " gadgets\n");
if (GadgetCount == 0)
return nullptr;
NumGadgets += GadgetCount;
// Traverse CFG to build the rest of the graph
SmallSet<MachineBasicBlock *, 8> BlocksVisited;
std::function<void(MachineBasicBlock *, GraphIter, unsigned)> TraverseCFG =
[&](MachineBasicBlock *MBB, GraphIter GI, unsigned ParentDepth) {
unsigned LoopDepth = MLI.getLoopDepth(MBB);
if (!MBB->empty()) {
// Always add the first instruction in each block
auto NI = MBB->begin();
auto BeginBB = MaybeAddNode(&*NI);
Builder.addEdge(ParentDepth, GI, BeginBB.first);
if (!BlocksVisited.insert(MBB).second)
return;
// Add any instructions within the block that are gadget components
GI = BeginBB.first;
while (++NI != MBB->end()) {
auto Ref = NodeMap.find(&*NI);
if (Ref != NodeMap.end()) {
Builder.addEdge(LoopDepth, GI, Ref->getSecond());
GI = Ref->getSecond();
}
}
// Always add the terminator instruction, if one exists
auto T = MBB->getFirstTerminator();
if (T != MBB->end()) {
auto EndBB = MaybeAddNode(&*T);
if (EndBB.second)
Builder.addEdge(LoopDepth, GI, EndBB.first);
GI = EndBB.first;
}
}
for (MachineBasicBlock *Succ : MBB->successors())
TraverseCFG(Succ, GI, LoopDepth);
};
// ARG_NODE is a pseudo-instruction that represents MF args in the GadgetGraph
GraphIter ArgNode = MaybeAddNode(ARG_NODE).first;
TraverseCFG(&MF.front(), ArgNode, 0);
std::unique_ptr<MachineGadgetGraph> G{Builder.get(FenceCount, GadgetCount)};
LLVM_DEBUG(dbgs() << "Found " << GTraits::size(G.get()) << " nodes\n");
return G;
}
bool X86LoadValueInjectionLoadHardeningPass::instrUsesRegToAccessMemory(
const MachineInstr &MI, unsigned Reg) const {
if (!MI.mayLoadOrStore() || MI.getOpcode() == X86::MFENCE ||
MI.getOpcode() == X86::SFENCE || MI.getOpcode() == X86::LFENCE)
return false;
// FIXME: This does not handle pseudo loading instruction like TCRETURN*
const MCInstrDesc &Desc = MI.getDesc();
int MemRefBeginIdx = X86II::getMemoryOperandNo(Desc.TSFlags);
if (MemRefBeginIdx < 0) {
LLVM_DEBUG(dbgs() << "Warning: unable to obtain memory operand for loading "
"instruction:\n";
MI.print(dbgs()); dbgs() << '\n';);
return false;
}
MemRefBeginIdx += X86II::getOperandBias(Desc);
const MachineOperand &BaseMO =
MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg);
const MachineOperand &IndexMO =
MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg);
return (BaseMO.isReg() && BaseMO.getReg() != X86::NoRegister &&
TRI->regsOverlap(BaseMO.getReg(), Reg)) ||
(IndexMO.isReg() && IndexMO.getReg() != X86::NoRegister &&
TRI->regsOverlap(IndexMO.getReg(), Reg));
}
bool X86LoadValueInjectionLoadHardeningPass::instrUsesRegToBranch(
const MachineInstr &MI, unsigned Reg) const {
if (!MI.isConditionalBranch())
return false;
for (const MachineOperand &Use : MI.uses())
if (Use.isReg() && Use.getReg() == Reg)
return true;
return false;
}
template <unsigned K>
bool X86LoadValueInjectionLoadHardeningPass::hasLoadFrom(
const MachineInstr &MI) const {
for (auto &MMO : MI.memoperands()) {
const PseudoSourceValue *PSV = MMO->getPseudoValue();
if (PSV && PSV->kind() == K && MMO->isLoad())
return true;
}
return false;
}
bool X86LoadValueInjectionLoadHardeningPass::instrAccessesStackSlot(
const MachineInstr &MI) const {
// Check the PSV first
if (hasLoadFrom<PseudoSourceValue::PSVKind::FixedStack>(MI))
return true;
// Some loads are not marked with a PSV, so we always need to double check
const MCInstrDesc &Desc = MI.getDesc();
int MemRefBeginIdx = X86II::getMemoryOperandNo(Desc.TSFlags);
if (MemRefBeginIdx < 0)
return false;
MemRefBeginIdx += X86II::getOperandBias(Desc);
return MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).isFI() &&
MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).isImm() &&
MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).isReg() &&
MI.getOperand(MemRefBeginIdx + X86::AddrDisp).isImm() &&
MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).getImm() == 1 &&
MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).getReg() ==
X86::NoRegister &&
MI.getOperand(MemRefBeginIdx + X86::AddrDisp).getImm() == 0;
}
bool X86LoadValueInjectionLoadHardeningPass::instrAccessesConstantPool(
const MachineInstr &MI) const {
if (hasLoadFrom<PseudoSourceValue::PSVKind::ConstantPool>(MI))
return true;
const MCInstrDesc &Desc = MI.getDesc();
int MemRefBeginIdx = X86II::getMemoryOperandNo(Desc.TSFlags);
if (MemRefBeginIdx < 0)
return false;
MemRefBeginIdx += X86II::getOperandBias(Desc);
return MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).isReg() &&
MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).isImm() &&
MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).isReg() &&
MI.getOperand(MemRefBeginIdx + X86::AddrDisp).isCPI() &&
(MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).getReg() ==
X86::RIP ||
MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).getReg() ==
X86::NoRegister) &&
MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).getImm() == 1 &&
MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).getReg() ==
X86::NoRegister;
}
bool X86LoadValueInjectionLoadHardeningPass::instrAccessesGOT(
const MachineInstr &MI) const {
if (hasLoadFrom<PseudoSourceValue::PSVKind::GOT>(MI))
return true;
const MCInstrDesc &Desc = MI.getDesc();
int MemRefBeginIdx = X86II::getMemoryOperandNo(Desc.TSFlags);
if (MemRefBeginIdx < 0)
return false;
MemRefBeginIdx += X86II::getOperandBias(Desc);
return MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).isReg() &&
MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).isImm() &&
MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).isReg() &&
MI.getOperand(MemRefBeginIdx + X86::AddrDisp).getTargetFlags() ==
X86II::MO_GOTPCREL &&
MI.getOperand(MemRefBeginIdx + X86::AddrBaseReg).getReg() ==
X86::RIP &&
MI.getOperand(MemRefBeginIdx + X86::AddrScaleAmt).getImm() == 1 &&
MI.getOperand(MemRefBeginIdx + X86::AddrIndexReg).getReg() ==
X86::NoRegister;
}
INITIALIZE_PASS_BEGIN(X86LoadValueInjectionLoadHardeningPass, PASS_KEY,
"X86 LVI load hardening", false, false)
INITIALIZE_PASS_DEPENDENCY(MachineLoopInfo)
INITIALIZE_PASS_DEPENDENCY(MachineDominatorTree)
INITIALIZE_PASS_DEPENDENCY(MachineDominanceFrontier)
INITIALIZE_PASS_END(X86LoadValueInjectionLoadHardeningPass, PASS_KEY,
"X86 LVI load hardening", false, false)
FunctionPass *llvm::createX86LoadValueInjectionLoadHardeningPass() {
return new X86LoadValueInjectionLoadHardeningPass();
}

5
llvm/lib/Target/X86/X86Subtarget.h
View File

@ -434,10 +434,6 @@ protected:
/// POP+LFENCE+JMP sequence.
bool UseLVIControlFlowIntegrity = false;
/// Insert LFENCE instructions to prevent data speculatively injected into
/// loads from being used maliciously.
bool UseLVILoadHardening = false;
/// Use software floating point for code generation.
bool UseSoftFloat = false;
@ -739,7 +735,6 @@ public:
bool preferMaskRegisters() const { return PreferMaskRegisters; }
bool useGLMDivSqrtCosts() const { return UseGLMDivSqrtCosts; }
bool useLVIControlFlowIntegrity() const { return UseLVIControlFlowIntegrity; }
bool useLVILoadHardening() const { return UseLVILoadHardening; }
unsigned getPreferVectorWidth() const { return PreferVectorWidth; }
unsigned getRequiredVectorWidth() const { return RequiredVectorWidth; }

2
llvm/lib/Target/X86/X86TargetMachine.cpp
View File

@ -83,7 +83,6 @@ extern "C" LLVM_EXTERNAL_VISIBILITY void LLVMInitializeX86Target() {
initializeX86SpeculativeLoadHardeningPassPass(PR);
initializeX86FlagsCopyLoweringPassPass(PR);
initializeX86CondBrFoldingPassPass(PR);
initializeX86LoadValueInjectionLoadHardeningPassPass(PR);
initializeX86LoadValueInjectionRetHardeningPassPass(PR);
initializeX86OptimizeLEAPassPass(PR);
initializeX86PartialReductionPass(PR);
@ -495,7 +494,6 @@ void X86PassConfig::addMachineSSAOptimization() {
void X86PassConfig::addPostRegAlloc() {
addPass(createX86FloatingPointStackifierPass());
addPass(createX86LoadValueInjectionLoadHardeningPass());
}
void X86PassConfig::addPreSched2() { addPass(createX86ExpandPseudoPass()); }

4
llvm/test/CodeGen/X86/O0-pipeline.ll
View File

@ -55,10 +55,6 @@
; CHECK-NEXT: Fast Register Allocator
; CHECK-NEXT: Bundle Machine CFG Edges
; CHECK-NEXT: X86 FP Stackifier
; CHECK-NEXT: MachineDominator Tree Construction
; CHECK-NEXT: Machine Natural Loop Construction
; CHECK-NEXT: Machine Dominance Frontier Construction
; CHECK-NEXT: X86 Load Value Injection (LVI) Load Hardening
; CHECK-NEXT: Lazy Machine Block Frequency Analysis
; CHECK-NEXT: Machine Optimization Remark Emitter
; CHECK-NEXT: Prologue/Epilogue Insertion & Frame Finalization

4
llvm/test/CodeGen/X86/O3-pipeline.ll
View File

@ -139,11 +139,9 @@
; CHECK-NEXT: Machine Loop Invariant Code Motion
; CHECK-NEXT: Bundle Machine CFG Edges
; CHECK-NEXT: X86 FP Stackifier
; CHECK-NEXT: MachineDominator Tree Construction
; CHECK-NEXT: Machine Dominance Frontier Construction
; CHECK-NEXT: X86 Load Value Injection (LVI) Load Hardening
; CHECK-NEXT: PostRA Machine Sink
; CHECK-NEXT: Machine Block Frequency Analysis
; CHECK-NEXT: MachineDominator Tree Construction
; CHECK-NEXT: MachinePostDominator Tree Construction
; CHECK-NEXT: Lazy Machine Block Frequency Analysis
; CHECK-NEXT: Machine Optimization Remark Emitter

129
llvm/test/CodeGen/X86/lvi-hardening-gadget-graph.ll
View File

@ -1,129 +0,0 @@
; RUN: llc -verify-machineinstrs -mtriple=x86_64-unknown -x86-lvi-load-dot-verify -o %t < %s | FileCheck %s
; Function Attrs: noinline nounwind optnone uwtable
define dso_local i32 @test(i32* %untrusted_user_ptr, i32* %secret, i32 %secret_size) #0 {
entry:
%untrusted_user_ptr.addr = alloca i32*, align 8
%secret.addr = alloca i32*, align 8
%secret_size.addr = alloca i32, align 4
%ret_val = alloca i32, align 4
%i = alloca i32, align 4
store i32* %untrusted_user_ptr, i32** %untrusted_user_ptr.addr, align 8
store i32* %secret, i32** %secret.addr, align 8
store i32 %secret_size, i32* %secret_size.addr, align 4
store i32 0, i32* %ret_val, align 4
call void @llvm.x86.sse2.lfence()
store i32 0, i32* %i, align 4
br label %for.cond
for.cond: ; preds = %for.inc, %entry
%0 = load i32, i32* %i, align 4
%1 = load i32, i32* %secret_size.addr, align 4
%cmp = icmp slt i32 %0, %1
br i1 %cmp, label %for.body, label %for.end
for.body: ; preds = %for.cond
%2 = load i32, i32* %i, align 4
%rem = srem i32 %2, 2
%cmp1 = icmp eq i32 %rem, 0
br i1 %cmp1, label %if.then, label %if.else
if.then: ; preds = %for.body
%3 = load i32*, i32** %secret.addr, align 8
%4 = load i32, i32* %ret_val, align 4
%idxprom = sext i32 %4 to i64
%arrayidx = getelementptr inbounds i32, i32* %3, i64 %idxprom
%5 = load i32, i32* %arrayidx, align 4
%6 = load i32*, i32** %untrusted_user_ptr.addr, align 8
store i32 %5, i32* %6, align 4
br label %if.end
if.else: ; preds = %for.body
%7 = load i32*, i32** %secret.addr, align 8
%8 = load i32, i32* %ret_val, align 4
%idxprom2 = sext i32 %8 to i64
%arrayidx3 = getelementptr inbounds i32, i32* %7, i64 %idxprom2
store i32 42, i32* %arrayidx3, align 4
br label %if.end
if.end: ; preds = %if.else, %if.then
%9 = load i32*, i32** %untrusted_user_ptr.addr, align 8
%10 = load i32, i32* %9, align 4
store i32 %10, i32* %ret_val, align 4
br label %for.inc
for.inc: ; preds = %if.end
%11 = load i32, i32* %i, align 4
%inc = add nsw i32 %11, 1
store i32 %inc, i32* %i, align 4
br label %for.cond
for.end: ; preds = %for.cond
%12 = load i32, i32* %ret_val, align 4
ret i32 %12
}
; CHECK: digraph "Speculative gadgets for \"test\" function" {
; CHECK-NEXT: label="Speculative gadgets for \"test\" function";
; CHECK: Node0x{{[0-9a-f]+}} [shape=record,color = green,label="{LFENCE\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 0];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm %stack.4.i, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.i)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{JCC_1 %bb.6, 13, implicit killed $eflags\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{CMP32rm killed renamable $eax, %stack.2.secret_size.addr, 1, $noreg, 0, $noreg, implicit-def $eflags :: (dereferenceable load 4 from %ir.secret_size.addr)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm %stack.4.i, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.i)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{JCC_1 %bb.4, 5, implicit killed $eflags\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rax = MOV64rm %stack.1.secret.addr, 1, $noreg, 0, $noreg :: (dereferenceable load 8 from %ir.secret.addr)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm killed renamable $rax, 4, killed renamable $rcx, 0, $noreg :: (load 4 from %ir.arrayidx)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rcx = MOVSX64rm32 %stack.3.ret_val, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.ret_val)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rcx = MOV64rm %stack.0.untrusted_user_ptr.addr, 1, $noreg, 0, $noreg :: (dereferenceable load 8 from %ir.untrusted_user_ptr.addr)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{MOV32mr killed renamable $rcx, 1, $noreg, 0, $noreg, killed renamable $eax :: (store 4 into %ir.6)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rax = MOV64rm %stack.1.secret.addr, 1, $noreg, 0, $noreg :: (dereferenceable load 8 from %ir.secret.addr)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{MOV32mi killed renamable $rax, 4, killed renamable $rcx, 0, $noreg, 42 :: (store 4 into %ir.arrayidx3)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rcx = MOVSX64rm32 %stack.3.ret_val, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.ret_val)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $rax = MOV64rm %stack.0.untrusted_user_ptr.addr, 1, $noreg, 0, $noreg :: (dereferenceable load 8 from %ir.untrusted_user_ptr.addr)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[color = red, style = "dashed"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm killed renamable $rax, 1, $noreg, 0, $noreg :: (load 4 from %ir.9)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,color = blue,label="{ARGS}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 0];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{MOV64mr %stack.0.untrusted_user_ptr.addr, 1, $noreg, 0, $noreg, killed renamable $rdi :: (store 8 into %ir.untrusted_user_ptr.addr)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 0];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{JMP_1 %bb.5\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{JMP_1 %bb.1\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 1];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{renamable $eax = MOV32rm %stack.3.ret_val, 1, $noreg, 0, $noreg :: (dereferenceable load 4 from %ir.ret_val)\n}"];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} -> Node0x{{[0-9a-f]+}}[label = 0];
; CHECK-NEXT: Node0x{{[0-9a-f]+}} [shape=record,label="{RET 0, $eax\n}"];
; CHECK-NEXT: }
; Function Attrs: nounwind
declare void @llvm.x86.sse2.lfence() #1
attributes #0 = { "target-features"="+lvi-cfi"
"target-features"="+lvi-load-hardening" }
attributes #1 = { nounwind }