https://bugs.llvm.org/show_bug.cgi?id=44049
Bug ID: 44049
Summary: Control Flow Guard checking code is corrupting function pointers
Product: new-bugs
Version: unspecified
Hardware: PC
OS: Windows NT
Status: NEW
Severity: enhancement
Priority: P
Component: new bugs
Assignee: unassignedb...@nondot.org
Reporter: dma...@mozilla.com
CC: froy...@gmail.com, htmldevelo...@gmail.com, llvm-bugs@lists.llvm.org, r...@google.com, t...@ritter.vg
With the improved CFG code in https://reviews.llvm.org/D65761, we see crashes
in Firefox because the inserted code overwrites the lower byte of function
pointers before jumping to them.
Without CFG:
xul!mozilla::AbstractCanonical<mozilla::Maybe<mozilla::media::TimeUnit> >::`vcall'{8}':
00000001`80c18c10 4883ec28 sub rsp,28h
00000001`80c18c14 4c8b11 mov r10,qword ptr [rcx]
00000001`80c18c17 4d8b5208 mov r10,qword ptr [r10+8]
00000001`80c18c1b 4883c428 add rsp,28h
00000001`80c18c1f 49ffe2 jmp r10
With CFG:
xul!mozilla::AbstractCanonical<double>::`vcall'{8}':
00007ffd`5936c090 4883ec28 sub rsp,28h
00007ffd`5936c094 4189c2 mov r10d,eax
00007ffd`5936c097 488b01 mov rax,qword ptr [rcx]
00007ffd`5936c09a 488b4008 mov rax,qword ptr [rax+8]
00007ffd`5936c09e 4c8b1d636f4d05 mov r11,qword ptr [xul!__guard_dispatch_icall_fptr (00007ffd`5e843008)]
00007ffd`5936c0a5 4488d0 mov al,r10b <--------------- ?!
00007ffd`5936c0a8 4883c428 add rsp,28h
00007ffd`5936c0ac 49ffe3 jmp r11
(Ignore the difference in function names; it's the same function with many names, and ICF chose different names for these builds.)
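As an added example (not code from the bug report or from LLVM), a small Python check that parses windbg-style listings like the two above and flags any partial write to rax between its last full load and a jump through `__guard_dispatch_icall_fptr`. It assumes the x64 CFG dispatch convention that the call target is passed in rax, tracks only explicit destination operands, and uses the two listings transcribed from the report as its input.

```python
import re

# The two listings from the bug report, transcribed as inline test input.
WITHOUT_CFG = """\
00000001`80c18c10 4883ec28 sub rsp,28h
00000001`80c18c14 4c8b11 mov r10,qword ptr [rcx]
00000001`80c18c17 4d8b5208 mov r10,qword ptr [r10+8]
00000001`80c18c1b 4883c428 add rsp,28h
00000001`80c18c1f 49ffe2 jmp r10
"""
WITH_CFG = """\
00007ffd`5936c090 4883ec28 sub rsp,28h
00007ffd`5936c094 4189c2 mov r10d,eax
00007ffd`5936c097 488b01 mov rax,qword ptr [rcx]
00007ffd`5936c09a 488b4008 mov rax,qword ptr [rax+8]
00007ffd`5936c09e 4c8b1d636f4d05 mov r11,qword ptr [xul!__guard_dispatch_icall_fptr (00007ffd`5e843008)]
00007ffd`5936c0a5 4488d0 mov al,r10b
00007ffd`5936c0a8 4883c428 add rsp,28h
00007ffd`5936c0ac 49ffe3 jmp r11
"""

# Sub-registers of rax: a write to any of them alters the target the thunk reads.
PARTIAL_RAX = {"eax", "ax", "al", "ah"}
LINE = re.compile(r"^[0-9a-f`]+\s+[0-9a-f]+\s+(\S+)\s*(.*)$")  # addr bytes mnem ops

def parse(listing):
    """Return (mnemonic, operands) pairs from windbg-style disassembly lines."""
    matches = [LINE.match(ln.strip()) for ln in listing.splitlines()]
    return [(m.group(1).lower(), m.group(2)) for m in matches if m]

def dest(operands):
    """Explicit destination: the first operand, lowercased ('' if none)."""
    return operands.split(",")[0].strip().lower()

def find_cfg_clobbers(listing):
    """Partial writes to rax between its last full load and the jmp through
    __guard_dispatch_icall_fptr. Implicit writers (mul, cdq, ...) are not tracked."""
    insns, findings, dispatch_reg = parse(listing), [], None
    for i, (mnem, ops) in enumerate(insns):
        if mnem == "mov" and "__guard_dispatch_icall_fptr" in ops:
            dispatch_reg = dest(ops)              # register holding the thunk address
        elif mnem == "jmp" and ops.strip().lower() == dispatch_reg:
            for mnem2, ops2 in reversed(insns[:i]):   # walk back from the jmp
                d = dest(ops2)
                if d == "rax":                    # last full load of the target
                    break
                if d in PARTIAL_RAX:
                    findings.append(f"{mnem2} {ops2}")
            dispatch_reg = None
    return findings
```

On the report's listings the non-CFG thunk yields no findings, while the CFG thunk reports the `mov al,r10b` that sits between the load of rax and the dispatch jump.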