[BOLT] Support for OpNegateRAState - second half

bgergely0 · bgergely0 · commit 6217b6664dfe · 2024-11-25T17:18:17.000+01:00
- create InsertNegateRAStatePass
    - this pass explores the CFG, and finds if a BB has
        signed or unsigned return address state
    - after exploration, it inserts OpNegateRAState at the end of BBs,
        where the following BB has a different RA State (or where RA
        State boundaries are)
diff --git a/bolt/include/bolt/Core/BinaryBasicBlock.h b/bolt/include/bolt/Core/BinaryBasicBlock.h
@@ -37,6 +37,11 @@ class JumpTable;
 
 class BinaryBasicBlock {
 public:
+  enum class RAStateEnum : char {
+    Unknown, /// Not discovered yet
+    Signed,
+    Unsigned,
+  };
   /// Profile execution information for a given edge in CFG.
   ///
   /// If MispredictedCount equals COUNT_INFERRED, then we have a profile
@@ -350,6 +355,17 @@ class BinaryBasicBlock {
                                                       BranchInfo.end());
   }
 
+  RAStateEnum RAState{RAStateEnum::Unknown};
+  void setRASigned() { RAState = RAStateEnum::Signed; }
+  bool isRAStateUnknown() { return RAState == RAStateEnum::Unknown; }
+  bool isRAStateSigned() { return RAState == RAStateEnum::Signed; }
+  /// Unsigned should only overwrite Unknown state, and not Signed
+  void setRAUnsigned() {
+    if (RAState == RAStateEnum::Unknown) {
+      RAState = RAStateEnum::Unsigned;
+    }
+  }
+
   /// Get instruction at given index.
   MCInst &getInstructionAtIndex(unsigned Index) { return Instructions[Index]; }
 
diff --git a/bolt/include/bolt/Passes/InsertNegateRAStatePass.h b/bolt/include/bolt/Passes/InsertNegateRAStatePass.h
@@ -0,0 +1,33 @@
+#ifndef BOLT_PASSES_INSERT_NEGATE_RA_STATE_PASS
+#define BOLT_PASSES_INSERT_NEGATE_RA_STATE_PASS
+
+#include "bolt/Passes/BinaryPasses.h"
+#include <stack>
+
+namespace llvm {
+namespace bolt {
+
+class InsertNegateRAState : public BinaryFunctionPass {
+public:
+  explicit InsertNegateRAState() : BinaryFunctionPass(false) {}
+
+  const char *getName() const override { return "insert-negate-ra-state-pass"; }
+
+  /// Pass entry point
+  Error runOnFunctions(BinaryContext &BC) override;
+  void runOnFunction(BinaryFunction &BF);
+  bool addNegateRAStateAfterPacOrAuth(BinaryFunction &BF);
+  bool BBhasAUTH(BinaryContext &BC, BinaryBasicBlock *BB);
+  bool BBhasSIGN(BinaryContext &BC, BinaryBasicBlock *BB);
+  void explore_call_graph(BinaryContext &BC, BinaryBasicBlock *BB);
+  void process_signed_BB(BinaryContext &BC, BinaryBasicBlock *BB,
+                         std::stack<BinaryBasicBlock *> *SignedStack,
+                         std::stack<BinaryBasicBlock *> *UnsignedStack);
+  void process_unsigned_BB(BinaryContext &BC, BinaryBasicBlock *BB,
+                           std::stack<BinaryBasicBlock *> *SignedStack,
+                           std::stack<BinaryBasicBlock *> *UnsignedStack);
+};
+
+} // namespace bolt
+} // namespace llvm
+#endif
diff --git a/bolt/lib/Passes/CMakeLists.txt b/bolt/lib/Passes/CMakeLists.txt
@@ -17,6 +17,7 @@ add_llvm_library(LLVMBOLTPasses
   IdenticalCodeFolding.cpp
   IndirectCallPromotion.cpp
   Inliner.cpp
+  InsertNegateRAStatePass.cpp
   Instrumentation.cpp
   JTFootprintReduction.cpp
   LongJmp.cpp
diff --git a/bolt/lib/Passes/InsertNegateRAStatePass.cpp b/bolt/lib/Passes/InsertNegateRAStatePass.cpp
@@ -0,0 +1,247 @@
+#include "bolt/Passes/InsertNegateRAStatePass.h"
+#include "bolt/Core/BinaryFunction.h"
+#include "bolt/Core/ParallelUtilities.h"
+#include "bolt/Utils/CommandLineOpts.h"
+#include <cstdlib>
+#include <fstream>
+#include <iterator>
+
+using namespace llvm;
+
+namespace llvm {
+namespace bolt {
+
+void InsertNegateRAState::runOnFunction(BinaryFunction &BF) {
+  BinaryContext &BC = BF.getBinaryContext();
+
+  if (BF.getState() == BinaryFunction::State::Empty) {
+    return;
+  }
+
+  if (BF.getState() != BinaryFunction::State::CFG &&
+      BF.getState() != BinaryFunction::State::CFG_Finalized) {
+    BC.errs() << "BOLT-WARNING: No CFG for " << BF.getPrintName()
+              << " in InsertNegateRAStatePass\n";
+    return;
+  }
+
+  if (BF.getState() == BinaryFunction::State::CFG_Finalized) {
+    BC.errs() << "BOLT-WARNING: CFG finalized for " << BF.getPrintName()
+              << " in InsertNegateRAStatePass\n";
+    return;
+  }
+
+  if (BF.isIgnored())
+    return;
+
+  if (!addNegateRAStateAfterPacOrAuth(BF)) {
+    // none inserted, function doesn't need more work
+    return;
+  }
+
+  auto FirstBB = BF.begin();
+  explore_call_graph(BC, &(*FirstBB));
+
+  // We have to do the walk again, starting from any undiscovered autiasp
+  // instructions, because some autiasp might not be reachable because of
+  // indirect branches but we know that autiasp block should have a Signed
+  // state, so we can work out other Unkown states starting from these nodes.
+  for (BinaryBasicBlock &BB : BF) {
+    if (BBhasAUTH(BC, &BB) && BB.isRAStateUnknown()) {
+      BB.setRASigned();
+      explore_call_graph(BC, &BB);
+    }
+  }
+
+  // insert negateRAState-s where there is a State boundary:
+  // that is: two consecutive BBs have different RA State
+  BinaryFunction::iterator PrevBB;
+  bool FirstIter = true;
+  for (auto BB = BF.begin(); BB != BF.end(); ++BB) {
+    if (!FirstIter) {
+      if ((PrevBB->RAState == BinaryBasicBlock::RAStateEnum::Signed &&
+           (*BB).RAState == BinaryBasicBlock::RAStateEnum::Unsigned &&
+           !BBhasAUTH(BC, &(*PrevBB))) ||
+          (PrevBB->RAState == BinaryBasicBlock::RAStateEnum::Signed &&
+           (*BB).RAState == BinaryBasicBlock::RAStateEnum::Signed &&
+           BBhasAUTH(BC, &(*PrevBB)))) {
+        auto InstRevIter = PrevBB->getLastNonPseudo();
+        MCInst LastNonPseudo = *InstRevIter;
+        auto InstIter = InstRevIter.base();
+        BF.addCFIInstruction(&(*PrevBB), InstIter,
+                             MCCFIInstruction::createNegateRAState(nullptr));
+      }
+    } else {
+      FirstIter = false;
+    }
+    PrevBB = BB;
+  }
+}
+
+void InsertNegateRAState::explore_call_graph(BinaryContext &BC,
+                                             BinaryBasicBlock *BB) {
+  std::stack<BinaryBasicBlock *> SignedStack;
+  std::stack<BinaryBasicBlock *> UnsignedStack;
+
+  // start according to the first BB
+  if (BBhasSIGN(BC, BB)) {
+    SignedStack.push(BB);
+    process_signed_BB(BC, BB, &SignedStack, &UnsignedStack);
+  } else {
+    UnsignedStack.push(BB);
+    process_unsigned_BB(BC, BB, &SignedStack, &UnsignedStack);
+  }
+
+  while (!(SignedStack.empty() && UnsignedStack.empty())) {
+    if (!SignedStack.empty()) {
+      BB = SignedStack.top();
+      SignedStack.pop();
+      process_signed_BB(BC, BB, &SignedStack, &UnsignedStack);
+    } else if (!UnsignedStack.empty()) {
+      BB = UnsignedStack.top();
+      UnsignedStack.pop();
+      process_unsigned_BB(BC, BB, &SignedStack, &UnsignedStack);
+    }
+  }
+}
+void InsertNegateRAState::process_signed_BB(
+    BinaryContext &BC, BinaryBasicBlock *BB,
+    std::stack<BinaryBasicBlock *> *SignedStack,
+    std::stack<BinaryBasicBlock *> *UnsignedStack) {
+
+  BB->setRASigned();
+
+  if (BBhasAUTH(BC, BB)) {
+    // successors of block with autiasp are stored in the Unsigned Stack
+    for (BinaryBasicBlock *Succ : BB->successors()) {
+      if (Succ->getFunction() == BB->getFunction() &&
+          Succ->isRAStateUnknown()) {
+        UnsignedStack->push(Succ);
+      }
+    }
+  } else {
+    for (BinaryBasicBlock *Succ : BB->successors()) {
+      if (Succ->getFunction() == BB->getFunction() &&
+          !Succ->isRAStateSigned()) {
+        SignedStack->push(Succ);
+      }
+    }
+  }
+  // process predecessors
+  if (BBhasSIGN(BC, BB)) {
+    for (BinaryBasicBlock *Pred : BB->predecessors()) {
+      if (Pred->getFunction() == BB->getFunction() &&
+          Pred->isRAStateUnknown()) {
+        UnsignedStack->push(Pred);
+      }
+    }
+  } else {
+    for (BinaryBasicBlock *Pred : BB->predecessors()) {
+      if (Pred->getFunction() == BB->getFunction() &&
+          !Pred->isRAStateSigned()) {
+        SignedStack->push(Pred);
+      }
+    }
+  }
+}
+
+void InsertNegateRAState::process_unsigned_BB(
+    BinaryContext &BC, BinaryBasicBlock *BB,
+    std::stack<BinaryBasicBlock *> *SignedStack,
+    std::stack<BinaryBasicBlock *> *UnsignedStack) {
+
+  BB->setRAUnsigned();
+
+  if (BBhasSIGN(BC, BB)) {
+    BB->setRASigned();
+    // successors of block with paciasp are stored in the Signed Stack
+    for (BinaryBasicBlock *Succ : BB->successors()) {
+      if (Succ->getFunction() == BB->getFunction() &&
+          !Succ->isRAStateSigned()) {
+        SignedStack->push(Succ);
+      }
+    }
+  } else {
+    for (BinaryBasicBlock *Succ : BB->successors()) {
+      if (Succ->getFunction() == BB->getFunction() &&
+          Succ->isRAStateUnknown()) {
+        UnsignedStack->push(Succ);
+      }
+    }
+  }
+
+  // process predecessors
+  if (BBhasAUTH(BC, BB)) {
+    BB->setRASigned();
+    for (BinaryBasicBlock *Pred : BB->predecessors()) {
+      if (Pred->getFunction() == BB->getFunction() &&
+          !Pred->isRAStateSigned()) {
+        SignedStack->push(Pred);
+      }
+    }
+  } else {
+    for (BinaryBasicBlock *Pred : BB->predecessors()) {
+      if (Pred->getFunction() == BB->getFunction() &&
+          Pred->isRAStateUnknown()) {
+        UnsignedStack->push(Pred);
+      }
+    }
+  }
+}
+
+bool InsertNegateRAState::BBhasAUTH(BinaryContext &BC, BinaryBasicBlock *BB) {
+  for (auto Iter = BB->begin(); Iter != BB->end(); ++Iter) {
+    MCInst Inst = *Iter;
+    if (BC.MIB->isPAuth(Inst)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+bool InsertNegateRAState::BBhasSIGN(BinaryContext &BC, BinaryBasicBlock *BB) {
+  for (auto Iter = BB->begin(); Iter != BB->end(); ++Iter) {
+    MCInst Inst = *Iter;
+    if (BC.MIB->isPSign(Inst)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+bool InsertNegateRAState::addNegateRAStateAfterPacOrAuth(BinaryFunction &BF) {
+  BinaryContext &BC = BF.getBinaryContext();
+  bool FoundAny = false;
+  for (BinaryBasicBlock &BB : BF) {
+    for (auto Iter = BB.begin(); Iter != BB.end(); ++Iter) {
+      MCInst Inst = *Iter;
+      if (BC.MIB->isPSign(Inst)) {
+        Iter = BF.addCFIInstruction(
+            &BB, Iter + 1, MCCFIInstruction::createNegateRAState(nullptr));
+        FoundAny = true;
+      }
+
+      if (BC.MIB->isPAuth(Inst)) {
+        Iter = BF.addCFIInstruction(
+            &BB, Iter + 1, MCCFIInstruction::createNegateRAState(nullptr));
+        FoundAny = true;
+      }
+    }
+  }
+  return FoundAny;
+}
+
+Error InsertNegateRAState::runOnFunctions(BinaryContext &BC) {
+  ParallelUtilities::WorkFuncTy WorkFun = [&](BinaryFunction &BF) {
+    runOnFunction(BF);
+  };
+
+  ParallelUtilities::runOnEachFunction(
+      BC, ParallelUtilities::SchedulingPolicy::SP_TRIVIAL, WorkFun, nullptr,
+      "InsertNegateRAStatePass");
+
+  return Error::success();
+}
+
+} // end namespace bolt
+} // end namespace llvm
diff --git a/bolt/lib/Rewrite/BinaryPassManager.cpp b/bolt/lib/Rewrite/BinaryPassManager.cpp
@@ -20,6 +20,7 @@
 #include "bolt/Passes/IdenticalCodeFolding.h"
 #include "bolt/Passes/IndirectCallPromotion.h"
 #include "bolt/Passes/Inliner.h"
+#include "bolt/Passes/InsertNegateRAStatePass.h"
 #include "bolt/Passes/Instrumentation.h"
 #include "bolt/Passes/JTFootprintReduction.h"
 #include "bolt/Passes/LongJmp.h"
@@ -499,6 +500,8 @@ Error BinaryFunctionPassManager::runAllPasses(BinaryContext &BC) {
     // targets. No extra instructions after this pass, otherwise we may have
     // relocations out of range and crash during linking.
     Manager.registerPass(std::make_unique<LongJmpPass>(PrintLongJmp));
+
+    Manager.registerPass(std::make_unique<InsertNegateRAState>());
   }
 
   // This pass should always run last.*
