LLDB mainline
InjectPointerSigningFixups.cpp
Go to the documentation of this file.
1//===----------------------------------------------------------------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// On arm64e, Clang emits ConstantPtrAuth expressions in global initializers
10// to represent signed pointers. These are normally resolved by the dynamic
11// linker, but LLDB's JIT does not run the linker, so they must be resolved
12// manually. This pass replaces each ConstantPtrAuth in a global initializer
13// with the unsigned pointer and emits a constructor function that signs the
14// pointer at runtime using the ptrauth intrinsics.
15//
16// Example: given "static int (*fp)(int, int) = &mul;", Clang emits:
17//
18// @fp = internal global ptr ptrauth (ptr @mul, i32 0)
19//
20// This pass transforms it into:
21//
22// @fp = internal global ptr @mul
23// @llvm.global_ctors = appending global [1 x { i32, ptr, ptr }]
24// [{ i32, ptr, ptr } { i32 0, ptr @ptrauth.sign, ptr null }]
25//
26// define internal void @ptrauth.sign() {
27// %1 = load ptr, ptr @fp, align 8
28// %2 = ptrtoint ptr %1 to i64
29// %3 = call i64 @llvm.ptrauth.sign(i64 %2, i32 0, i64 0)
30// %4 = inttoptr i64 %3 to ptr
31// store ptr %4, ptr @fp, align 8
32// ret void
33// }
34//
35//===----------------------------------------------------------------------===//
36
37#include "InjectPointerSigningFixups.h"
38#include "llvm/IR/Constants.h"
39#include "llvm/IR/Function.h"
40#include "llvm/IR/IRBuilder.h"
41#include "llvm/IR/Instructions.h"
42#include "llvm/IR/Module.h"
43#include "llvm/Support/raw_ostream.h"
44#include "llvm/TargetParser/Triple.h"
45
46using namespace llvm;
47
48namespace {
49struct ExprStep {
50 ConstantExpr *CE;
51 unsigned OperandIdx;
52};
53
54struct PtrAuthFixup {
55 GlobalVariable *GV;
56 ConstantPtrAuth *CPA;
57 /// ConstantAggregate types are walekd via GEP indices.
58 SmallVector<unsigned> GEPPath;
59 /// ConstantExpr types are traversed via ExprStep (ConstantExpr + Operand
60 /// index).
61 SmallVector<ExprStep> ExprPath;
62 PtrAuthFixup(GlobalVariable *GV, ConstantPtrAuth *CPA,
63 const SmallVectorImpl<unsigned> &GEPPath,
64 const SmallVectorImpl<ExprStep> &ExprPath)
65 : GV(GV), CPA(CPA), GEPPath(GEPPath.begin(), GEPPath.end()),
66 ExprPath(ExprPath.begin(), ExprPath.end()) {}
67};
68} // namespace
69
70/// Recursively walk a constant looking for ConstantPtrAuth expressions.
71static void findPtrAuth(Constant *C, GlobalVariable &GV,
72 SmallVectorImpl<unsigned> &GEPPath,
73 SmallVectorImpl<ExprStep> &ExprPath,
74 SmallVectorImpl<PtrAuthFixup> &Fixups) {
75 if (auto *CPA = dyn_cast<ConstantPtrAuth>(C)) {
76 Fixups.emplace_back(&GV, CPA, GEPPath, ExprPath);
77 return;
78 }
79 if (isa<ConstantAggregate>(C)) {
80 for (unsigned I = 0, E = C->getNumOperands(); I != E; ++I) {
81 if (auto *COp = dyn_cast<Constant>(C->getOperand(I))) {
82 GEPPath.push_back(I);
83 findPtrAuth(COp, GV, GEPPath, ExprPath, Fixups);
84 GEPPath.pop_back();
85 }
86 }
87 return;
88 }
89
90 if (auto *CE = dyn_cast<ConstantExpr>(C)) {
91 for (unsigned I = 0, E = C->getNumOperands(); I != E; ++I) {
92 if (auto *COp = dyn_cast<Constant>(C->getOperand(I))) {
93 ExprPath.push_back({CE, I});
94 findPtrAuth(COp, GV, GEPPath, ExprPath, Fixups);
95 ExprPath.pop_back();
96 }
97 }
98 }
99}
100
101namespace lldb_private {
102
103Error InjectPointerSigningFixupCode(llvm::Module &M,
104 ExecutionPolicy execution_policy) {
105 // If we cannot execute fixups, don't insert them.
106 if (execution_policy == eExecutionPolicyNever)
107 return Error::success();
108
109 llvm::Triple T(M.getTargetTriple());
110
111 // Bail out if we don't need pointer signing fixups.
112 if (!T.isArm64e())
113 return Error::success();
114
115 // Collect all ConstantPtrAuth expressions in global initializers.
116 SmallVector<PtrAuthFixup> Fixups;
117 for (auto &G : M.globals()) {
118 if (!G.hasInitializer())
119 continue;
120 SmallVector<unsigned> GEPPath;
121 SmallVector<ExprStep> ExprPath;
122 findPtrAuth(G.getInitializer(), G, GEPPath, ExprPath, Fixups);
123 }
124
125 if (Fixups.empty())
126 return Error::success();
127
128 // Set up types and intrinsics.
129 auto &Ctx = M.getContext();
130 Type *Int32Ty = Type::getInt32Ty(Ctx);
131 Type *IntPtrTy = Type::getInt64Ty(Ctx);
132 Function *BlendIntrinsic =
133 Intrinsic::getOrInsertDeclaration(&M, Intrinsic::ptrauth_blend);
134 Function *SignIntrinsic =
135 Intrinsic::getOrInsertDeclaration(&M, Intrinsic::ptrauth_sign);
136
137 // Create the fixup function.
138 Function *FixupFn =
139 Function::Create(FunctionType::get(Type::getVoidTy(Ctx), false),
140 GlobalValue::InternalLinkage, "ptrauth.sign", &M);
141 FixupFn->insert(FixupFn->end(), BasicBlock::Create(Ctx));
142 IRBuilder<> B(&FixupFn->back());
143
144 for (auto &Fixup : Fixups) {
145 GlobalVariable *GV = Fixup.GV;
146 ConstantPtrAuth *CPA = Fixup.CPA;
147
148 // Null pointers must remain zero.
149 if (isa<ConstantPointerNull>(CPA->getPointer())) {
150 CPA->replaceAllUsesWith(CPA->getPointer());
151 continue;
152 }
153
154 // Build a GEP to the location of the ConstantPtrAuth (or the expression
155 // path to the ConstantPtrAuth) within the global.
156 Value *Loc;
157 if (Fixup.GEPPath.empty()) {
158 Loc = GV;
159 } else {
160 SmallVector<Value *> GEPValues;
161 GEPValues.push_back(ConstantInt::get(Int32Ty, 0));
162 for (unsigned Idx : Fixup.GEPPath)
163 GEPValues.push_back(ConstantInt::get(Int32Ty, Idx));
164 Loc = B.CreateGEP(GV->getValueType(), GV, GEPValues);
165 }
166
167 Type *PtrTy = CPA->getType();
168
169 // Compute the discriminator, blending with the address if needed.
170 Value *Disc = CPA->getDiscriminator();
171 if (CPA->hasAddressDiscriminator())
172 Disc = B.CreateCall(BlendIntrinsic,
173 {B.CreatePointerCast(Loc, IntPtrTy), Disc});
174
175 if (!Fixup.ExprPath.empty()) {
176 // The CPA is wrapped in a ConstantExpr chain. Sign the CPA's pointer
177 // directly and re-evaluate the expr chain.
178 Value *SignedPtr = B.CreateCall(
179 SignIntrinsic, {B.CreatePointerCast(CPA->getPointer(), IntPtrTy),
180 CPA->getKey(), Disc});
181 Value *Result = B.CreateIntToPtr(SignedPtr, PtrTy);
182
183 for (auto &Step : llvm::reverse(Fixup.ExprPath)) {
184 Instruction *I = Step.CE->getAsInstruction();
185 I->setOperand(Step.OperandIdx, Result);
186 B.Insert(I);
187 Result = I;
188 }
189 B.CreateStore(Result, Loc);
190 } else {
191 // There is no expression chain. Load and sign the pointer directly.
192 Value *RawPtr = B.CreateLoad(PtrTy, Loc);
193 Value *SignedPtr =
194 B.CreateCall(SignIntrinsic, {B.CreatePointerCast(RawPtr, IntPtrTy),
195 CPA->getKey(), Disc});
196 B.CreateStore(B.CreateBitOrPointerCast(SignedPtr, PtrTy), Loc);
197 }
198 // Replace the ConstantPtrAuth in the initializer with the unsigned pointer.
199 CPA->replaceAllUsesWith(CPA->getPointer());
200 }
201
202 // Close off the fixup function.
203 B.CreateRetVoid();
204
205 // Update the global ctors list to call the pointer fixup function first.
206 auto *UInt8PtrTy = PointerType::getUnqual(Ctx);
207 StructType *CtorType =
208 StructType::get(Ctx, {Int32Ty, FixupFn->getType(), UInt8PtrTy});
209 Constant *PtrFixupCtor =
210 ConstantStruct::get(CtorType, {ConstantInt::get(Int32Ty, 0), FixupFn,
211 Constant::getNullValue(UInt8PtrTy)});
212
213 const char *LLVMGlobalCtorsName = "llvm.global_ctors";
214 GlobalVariable *OldCtorList = M.getNamedGlobal(LLVMGlobalCtorsName);
215 SmallVector<Constant *> CtorListArgs;
216 CtorListArgs.push_back(PtrFixupCtor);
217
218 if (OldCtorList) {
219 // If the old ctors list has any uses then bail out: we do not know how to
220 // rewrite them.
221 if (OldCtorList->getNumUses() != 0) {
222 std::string ErrStr;
223 raw_string_ostream S(ErrStr);
224 S << "Global ctors variable has users, so can not be rewritten to "
225 "include pointer fixups: '"
226 << *OldCtorList << "'";
227 return make_error<StringError>(S.str(), inconvertibleErrorCode());
228 }
229
230 for (auto &Op : OldCtorList->getInitializer()->operands())
231 CtorListArgs.push_back(cast<Constant>(Op.get()));
232 }
233
234 ArrayType *CtorListType = ArrayType::get(CtorType, CtorListArgs.size());
235 Constant *CtorListInit = ConstantArray::get(CtorListType, CtorListArgs);
236
237 GlobalVariable *NewCtorList = new GlobalVariable(
238 M, CtorListType, false, GlobalValue::AppendingLinkage, CtorListInit);
239
240 if (OldCtorList) {
241 NewCtorList->takeName(OldCtorList);
242 OldCtorList->eraseFromParent();
243 } else
244 NewCtorList->setName(LLVMGlobalCtorsName);
245
246 return Error::success();
247}
248
249} // namespace lldb_private
findPtrAuth
static void findPtrAuth(Constant *C, GlobalVariable &GV, SmallVectorImpl< unsigned > &GEPPath, SmallVectorImpl< ExprStep > &ExprPath, SmallVectorImpl< PtrAuthFixup > &Fixups)
Recursively walk a constant looking for ConstantPtrAuth expressions.
Definition InjectPointerSigningFixups.cpp:71
lldb_private::Function
A class that describes a function.
Definition Function.h:392
lldb_private::Instruction
Definition Disassembler.h:59
lldb_private::Type
Definition Type.h:417
lldb_private::Value
Definition Value.h:38
lldb_private
A class that represents a running process on the host machine.
Definition SBAddressRange.h:14
lldb_private::InjectPointerSigningFixupCode
Error InjectPointerSigningFixupCode(llvm::Module &M, ExecutionPolicy execution_policy)
Definition InjectPointerSigningFixups.cpp:103
lldb_private::ExecutionPolicy
ExecutionPolicy
Expression execution policies.
Definition lldb-private-enumerations.h:155
lldb_private::eExecutionPolicyNever
@ eExecutionPolicyNever
Definition lldb-private-enumerations.h:157
lldb_private::LLDBLog::Step
@ Step
Definition LLDBLog.h:41
lldb_private::B
Definition RISCVInstructions.h:102
Generated on for LLDB by doxygen 1.14.0