Dan Li <ashim...@linux.alibaba.com> writes:
Shadow Call Stack can be used to protect the return address of a
function at runtime, and clang already supports this feature[1].
To enable SCS in user mode, in addition to compiler, other support
is also required (as discussed in [2]). This patch only adds basic
support for SCS from the compiler side, and provides convenience
for users to enable SCS.
For linux kernel, only the support of the compiler is required.
[1] https://clang.llvm.org/docs/ShadowCallStack.html
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102768
Signed-off-by: Dan Li <ashim...@linux.alibaba.com>
gcc/ChangeLog:
* config/aarch64/aarch64.c (aarch64_layout_frame):
Change callee_adjust when scs is enabled.
(aarch64_restore_callee_saves): Avoid pop x30 twice
when scs is enabled.
(aarch64_expand_prologue): Push x30 onto SCS before it's
pushed onto stack.
(aarch64_expand_epilogue): Pop x30 frome SCS, while
preventing it from being popped from the regular stack again.
(aarch64_override_options_internal): Add SCS compile option check.
(TARGET_HAVE_SHADOW_CALL_STACK): New hook.
* config/aarch64/aarch64.h (struct GTY): Add is_scs_enabled.
* config/aarch64/aarch64.md (scs_push): New template.
(scs_pop): Likewise.
* doc/invoke.texi: Document -fsanitize=shadow-call-stack.
* doc/tm.texi: Regenerate.
* doc/tm.texi.in: Add hook have_shadow_call_stack.
* flag-types.h (enum sanitize_code):
Add SANITIZE_SHADOW_CALL_STACK.
* opts.c: Add shadow-call-stack.
* target.def: New hook.
* toplev.c (process_options): Add SCS compile option check.
gcc/testsuite/ChangeLog:
* gcc.target/aarch64/shadow_call_stack_1.c: New test.
* gcc.target/aarch64/shadow_call_stack_2.c: New test.
* gcc.target/aarch64/shadow_call_stack_3.c: New test.
* gcc.target/aarch64/shadow_call_stack_4.c: New test.
* gcc.target/aarch64/shadow_call_stack_5.c: New test.
* gcc.target/aarch64/shadow_call_stack_6.c: New test.
* gcc.target/aarch64/shadow_call_stack_7.c: New test.
* gcc.target/aarch64/shadow_call_stack_8.c: New test.
---
V3:
- Change scs_push/pop to standard move patterns.
- Optimize scs_pop to avoid pop x30 twice when shadow stack is enabled.
gcc/config/aarch64/aarch64.c | 66 +++++++++++++++++--
gcc/config/aarch64/aarch64.h | 4 ++
gcc/config/aarch64/aarch64.md | 10 +++
gcc/doc/invoke.texi | 30 +++++++++
gcc/doc/tm.texi | 5 ++
gcc/doc/tm.texi.in | 2 +
gcc/flag-types.h | 2 +
gcc/opts.c | 1 +
gcc/target.def | 8 +++
.../gcc.target/aarch64/shadow_call_stack_1.c | 6 ++
.../gcc.target/aarch64/shadow_call_stack_2.c | 6 ++
.../gcc.target/aarch64/shadow_call_stack_3.c | 45 +++++++++++++
.../gcc.target/aarch64/shadow_call_stack_4.c | 20 ++++++
.../gcc.target/aarch64/shadow_call_stack_5.c | 18 +++++
.../gcc.target/aarch64/shadow_call_stack_6.c | 18 +++++
.../gcc.target/aarch64/shadow_call_stack_7.c | 18 +++++
.../gcc.target/aarch64/shadow_call_stack_8.c | 24 +++++++
gcc/toplev.c | 10 +++
18 files changed, 289 insertions(+), 4 deletions(-)
create mode 100644 gcc/testsuite/gcc.target/aarch64/shadow_call_stack_1.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/shadow_call_stack_2.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/shadow_call_stack_3.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/shadow_call_stack_4.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/shadow_call_stack_5.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/shadow_call_stack_6.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/shadow_call_stack_7.c
create mode 100644 gcc/testsuite/gcc.target/aarch64/shadow_call_stack_8.c
diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
index 699c105a42a..461c205010e 100644
--- a/gcc/config/aarch64/aarch64.c
+++ b/gcc/config/aarch64/aarch64.c
@@ -79,6 +79,7 @@
#include "tree-ssa-loop-niter.h"
#include "fractional-cost.h"
#include "rtlanal.h"
+#include "asan.h"
/* This file should be included last. */
#include "target-def.h"
@@ -7478,10 +7479,31 @@ aarch64_layout_frame (void)
frame.sve_callee_adjust = 0;
frame.callee_offset = 0;
+ /* Shadow call stack only deal with functions where the LR is pushed
Typo: s/deal/deals/
+ onto the stack and without specifying the "no_sanitize" attribute
+ with the argument "shadow-call-stack". */
+ frame.is_scs_enabled
+ = (!crtl->calls_eh_return
+ && (sanitize_flags_p (SANITIZE_SHADOW_CALL_STACK)
+ && known_ge (cfun->machine->frame.reg_offset[LR_REGNUM], 0)));
Nit, but normal GCC style would be to use a single chain of &&s here:
frame.is_scs_enabled
= (!crtl->calls_eh_return
&& sanitize_flags_p (SANITIZE_SHADOW_CALL_STACK)
&& known_ge (cfun->machine->frame.reg_offset[LR_REGNUM], 0));
+
+ /* When shadow call stack is enabled, the scs_pop in the epilogue will
+ restore x30, and we don't need to pop x30 again in the traditional
+ way. At this time, if candidate2 is x30, we need to adjust
+ max_push_offset to 256 to ensure that the offset meets the requirements
+ of emit_move_insn. Similarly, if candidate1 is x30, we need to set
+ max_push_offset to 0, because x30 is not popped up at this time, so
+ callee_adjust cannot be adjusted. */
HOST_WIDE_INT max_push_offset = 0;
if (frame.wb_candidate2 != INVALID_REGNUM)
- max_push_offset = 512;
- else if (frame.wb_candidate1 != INVALID_REGNUM)
+ {
+ if (frame.is_scs_enabled && frame.wb_candidate2 == R30_REGNUM)
+ max_push_offset = 256;
+ else
+ max_push_offset = 512;
+ }
+ else if ((frame.wb_candidate1 != INVALID_REGNUM)
+ && !(frame.is_scs_enabled && frame.wb_candidate1 == R30_REGNUM))
max_push_offset = 256;
HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset;
Maybe we should instead add separate fields for wb_push_candidate[12] and
wb_pop_candidate[12]. The pop candidates would start out the same as the
push candidates, but R30_REGNUM would get replaced with INVALID_REGNUM
for SCS.
Admittedly, suppressing the restore of x30 is turning out to be a bit
more difficult than I'd realised :-/
[…]
diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h
index 2792bb29adb..1610a4fd74c 100644
--- a/gcc/config/aarch64/aarch64.h
+++ b/gcc/config/aarch64/aarch64.h
@@ -916,6 +916,10 @@ struct GTY (()) aarch64_frame
unsigned spare_pred_reg;
bool laid_out;
+
+ /* Nonzero if shadow call stack should be enabled for the current
+ function, otherwise return FALSE. */
“True” seems better than “Nonzero” given that this is a bool.
(A lot of GCC bools were originally ints, which is why “nonzero”
still appears in non-obvious places.)
I think we can just drop “otherwise return FALSE”: “return” doesn't
seem appropriate here, given that it's a variable.
Looks great otherwise. Thanks especially for testing the corner cases. :-)
One minor thing:
+/* { dg-final { scan-assembler-times "str\tx30, \\\[x18\\\], \[#|$\]?8" 2 } }
*/
+/* { dg-final { scan-assembler-times "ldr\tx30, \\\[x18, \[#|$\]?-8\\\]!" 2 }
} */
This sort of regexp can be easier to write if you quote them using {…}
rather than "…", since it reduces the number of backslashes needed. E.g.:
/* { dg-final { scan-assembler-times {str\tx30, \[x18\], [#|$]?8} 2 } } */
The current version is fine too though, and is widely used. Just mentioning
it in case it's useful in future.
Also, [#|$]? can be written #?.
Thanks,
Richard
