[Clang][RISCV] Add support for double_check attribute

The ``clang::double_check`` attribute is used to annotate `if` statements
where the condition expression should be checked twice, as a mitigation for
hardware attacks. This attribute is currently RISC-V specific and only
applies to `if` statements with a binary expression where the operator is
one of ``==``, ``!=``, ``>``, ``>=``, ``<``, or ``<=`` and the operands are
of integer type.

Author: luismarques

clang/include/clang/AST/Stmt.h

@@ -177,6 +177,10 @@ class alignas(void *) Stmt {
     /// True if this if statement has storage for an init statement.
     unsigned HasInit : 1;
 
+    /// True if this if statement has been marked with the
+    /// [[clang::double_check]] attributed.
+    unsigned HasDoubleCheck : 1;
+
     /// The location of the "if".
     SourceLocation IfLoc;
   };
@@ -2024,6 +2028,9 @@ class IfStmt final
   /// True if this IfStmt has storage for an else statement.
   bool hasElseStorage() const { return IfStmtBits.HasElse; }
 
+  bool hasDoubleCheck() const { return IfStmtBits.HasDoubleCheck; }
+  void setDoubleCheck() { IfStmtBits.HasDoubleCheck = true; }
+
   Expr *getCond() {
     return reinterpret_cast<Expr *>(getTrailingObjects<Stmt *>()[condOffset()]);
   }

clang/include/clang/Basic/Attr.td

@@ -1422,6 +1422,12 @@ def ExtVectorType : Attr {
   let PragmaAttributeSupport = 0;
 }
 
+def DoubleCheck : StmtAttr, TargetSpecificAttr<TargetRISCV> {
+  let Spellings = [Clang<"double_check">];
+  let Documentation = [DoubleCheckDocs];
+  let Subjects = SubjectList<[IfStmt], ErrorDiag, "if statements">;
+}
+
 def FallThrough : StmtAttr {
   let Spellings = [CXX11<"", "fallthrough", 201603>,
                    C2x<"", "fallthrough", 201910>,

clang/include/clang/Basic/AttrDocs.td

@@ -1888,6 +1888,19 @@ use the annotated ``[[nodiscard]]`` constructor or result in an annotated type.
   }];
 }
 
+def DoubleCheckDocs : Documentation {
+  let Category = DocCatStmt;
+  let Heading = "double_check";
+  let Content = [{
+The ``clang::double_check`` attribute is used to annotate `if` statements where
+the condition expression should be checked twice, as a mitigation for hardware
+attacks. This attribute is currently RISC-V specific and only applies to `if`
+statements with a binary expression where the operator is one of ``==``,
+``!=``, ``>``, ``>=``, ``<``, or ``<=`` and the operands are of integer type.
+
+  }];
+}
+
 def FallthroughDocs : Documentation {
   let Category = DocCatStmt;
   let Heading = "fallthrough";

clang/include/clang/Basic/DiagnosticSemaKinds.td

@@ -2965,6 +2965,9 @@ def warn_function_attribute_ignored_in_stmt : Warning<
   "use '%0' on statements">,
   InGroup<IgnoredAttributes>;
 
+def err_double_check_expr: Error<
+  "invalid expression for if statement with `double_check` attribute">;
+
 def err_musttail_needs_trivial_args : Error<
   "tail call requires that the return value, all parameters, and any "
   "temporaries created by the expression are trivially destructible">;

clang/lib/AST/Stmt.cpp

@@ -929,6 +929,7 @@ IfStmt::IfStmt(const ASTContext &Ctx, SourceLocation IL, IfStatementKind Kind,
   IfStmtBits.HasElse = HasElse;
   IfStmtBits.HasVar = HasVar;
   IfStmtBits.HasInit = HasInit;
+  IfStmtBits.HasDoubleCheck = false;
 
   setStatementKind(Kind);
 
@@ -951,6 +952,7 @@ IfStmt::IfStmt(EmptyShell Empty, bool HasElse, bool HasVar, bool HasInit)
   IfStmtBits.HasElse = HasElse;
   IfStmtBits.HasVar = HasVar;
   IfStmtBits.HasInit = HasInit;
+  IfStmtBits.HasDoubleCheck = false;
 }
 
 IfStmt *IfStmt::Create(const ASTContext &Ctx, SourceLocation IL,

clang/lib/CodeGen/CGStmt.cpp

@@ -830,7 +830,8 @@ void CodeGenFunction::EmitIfStmt(const IfStmt &S) {
   if (!ThenCount && !getCurrentProfileCount() &&
       CGM.getCodeGenOpts().OptimizationLevel)
     LH = Stmt::getLikelihood(S.getThen(), S.getElse());
-  EmitBranchOnBoolExpr(S.getCond(), ThenBlock, ElseBlock, ThenCount, LH);
+  EmitBranchOnBoolExpr(S.getCond(), ThenBlock, ElseBlock, ThenCount, LH,
+                       S.hasDoubleCheck());
 
   // Emit the 'then' code.
   EmitBlock(ThenBlock);

clang/lib/CodeGen/CodeGenFunction.cpp

@@ -39,6 +39,7 @@
 #include "llvm/IR/DataLayout.h"
 #include "llvm/IR/Dominators.h"
 #include "llvm/IR/FPEnv.h"
+#include "llvm/IR/InlineAsm.h"
 #include "llvm/IR/IntrinsicInst.h"
 #include "llvm/IR/Intrinsics.h"
 #include "llvm/IR/MDBuilder.h"
@@ -1690,19 +1691,77 @@ void CodeGenFunction::EmitBranchToCounterBlock(
   EmitBranch(NextBlock);
 }
 
+static std::string DoubleCheckAsm(BinaryOperator::Opcode Op) {
+  std::string AsmStr;
+  switch (Op) {
+  default:
+    llvm_unreachable("unexpected binary operation");
+  case BO_EQ:
+    AsmStr += "bne $0, $1, $3\nbeq $0, $1, $2\n";
+    break;
+  case BO_NE:
+    AsmStr += "beq $0, $1, $3\nbne $0, $1, $2\n";
+    break;
+  case BO_GT:
+    AsmStr += "ble $0, $1, $3\nbgt $0, $1, $2\n";
+    break;
+  case BO_GE:
+    AsmStr += "blt $0, $1, $3\nbge $0, $1, $2\n";
+    break;
+  case BO_LT:
+    AsmStr += "bge $0, $1, $3\nblt $0, $1, $2\n";
+    break;
+  case BO_LE:
+    AsmStr += "bgt $0, $1, $3\nble $0, $1, $2\n";
+    break;
+  }
+  AsmStr += "unimp\nunimp";
+  return AsmStr;
+}
+
 /// EmitBranchOnBoolExpr - Emit a branch on a boolean condition (e.g. for an if
 /// statement) to the specified blocks.  Based on the condition, this might try
 /// to simplify the codegen of the conditional based on the branch.
 /// \param LH The value of the likelihood attribute on the True branch.
-void CodeGenFunction::EmitBranchOnBoolExpr(const Expr *Cond,
-                                           llvm::BasicBlock *TrueBlock,
-                                           llvm::BasicBlock *FalseBlock,
-                                           uint64_t TrueCount,
-                                           Stmt::Likelihood LH) {
+void CodeGenFunction::EmitBranchOnBoolExpr(
+    const Expr *Cond, llvm::BasicBlock *TrueBlock, llvm::BasicBlock *FalseBlock,
+    uint64_t TrueCount, Stmt::Likelihood LH, bool DoubleCheck) {
   Cond = Cond->IgnoreParens();
 
   if (const BinaryOperator *CondBOp = dyn_cast<BinaryOperator>(Cond)) {
 
+    if (DoubleCheck) {
+      llvm::BasicBlock *FallthroughBlock = createBasicBlock("asm.fallthrough");
+
+      llvm::Type *ResultType = VoidTy;
+      llvm::Type *BinOpType = Int32Ty;
+      std::vector<llvm::Type *> ArgTypes;
+      std::vector<llvm::Value *> Args;
+      SmallVector<llvm::BasicBlock *, 2> Transfer;
+      std::string Constraints = "r,r,!i,!i";
+
+      Transfer.push_back(TrueBlock);
+      Transfer.push_back(FalseBlock);
+
+      llvm::Value *BinOpValue = EmitScalarExpr(CondBOp->getLHS());
+      Args.push_back(BinOpValue);
+      ArgTypes.push_back(BinOpType);
+
+      BinOpValue = EmitScalarExpr(CondBOp->getRHS());
+      Args.push_back(BinOpValue);
+      ArgTypes.push_back(BinOpType);
+
+      llvm::FunctionType *FTy =
+          llvm::FunctionType::get(ResultType, ArgTypes, false);
+      llvm::InlineAsm *IA = llvm::InlineAsm::get(
+          FTy, DoubleCheckAsm(CondBOp->getOpcode()), Constraints,
+          /*HasSideEffect*/ true, /*IsAlignStack*/ false,
+          /*AsmDialect*/ llvm::InlineAsm::AD_ATT, /*HasUnwindClobber*/ false);
+      Builder.CreateCallBr(IA, FallthroughBlock, Transfer, Args);
+      EmitBlock(FallthroughBlock);
+      return;
+    }
+
     // Handle X && Y in a condition.
     if (CondBOp->getOpcode() == BO_LAnd) {
       // If we have "1 && X", simplify the code.  "0 && X" would have constant

clang/lib/CodeGen/CodeGenFunction.h

@@ -4577,7 +4577,8 @@ class CodeGenFunction : public CodeGenTypeCache {
   /// evaluate to true based on PGO data.
   void EmitBranchOnBoolExpr(const Expr *Cond, llvm::BasicBlock *TrueBlock,
                             llvm::BasicBlock *FalseBlock, uint64_t TrueCount,
-                            Stmt::Likelihood LH = Stmt::LH_None);
+                            Stmt::Likelihood LH = Stmt::LH_None,
+                            bool DoubleCheck = false);
 
   /// Given an assignment `*LHS = RHS`, emit a test that checks if \p RHS is
   /// nonnull, if \p LHS is marked _Nonnull.

clang/lib/Sema/SemaStmt.cpp

@@ -590,6 +590,10 @@ StmtResult Sema::BuildAttributedStmt(SourceLocation AttrsLoc,
         return SubStmt;
       }
       setFunctionHasMustTail();
+    } else if (A->getKind() == attr::DoubleCheck) {
+      IfStmt *IS = dyn_cast<IfStmt>(SubStmt);
+      assert(IS && "clang::double_check attribute in unexpected statement");
+      IS->setDoubleCheck();
     }
   }
 

clang/lib/Sema/SemaStmtAttr.cpp

@@ -273,6 +273,36 @@ static Attr *handleMustTailAttr(Sema &S, Stmt *St, const ParsedAttr &A,
   return ::new (S.Context) MustTailAttr(S.Context, A);
 }
 
+static Attr *handleDoubleCheck(Sema &S, Stmt *St, const ParsedAttr &A,
+                               SourceRange Range) {
+  const Expr *Cond = cast<IfStmt>(St)->getCond();
+  bool Valid = false;
+  if (const BinaryOperator *CondBOp = dyn_cast<BinaryOperator>(Cond)) {
+    BinaryOperator::Opcode Op = CondBOp->getOpcode();
+    switch (Op) {
+    default:
+      break;
+    case BO_EQ:
+    case BO_NE:
+    case BO_GT:
+    case BO_GE:
+    case BO_LT:
+    case BO_LE: {
+      auto LHSType = CondBOp->getRHS()->getType();
+      auto RHSType = CondBOp->getRHS()->getType();
+      Valid = LHSType->isIntegerType() && RHSType->isIntegerType();
+      break;
+    }
+    }
+  }
+  if (!Valid) {
+    S.Diag(Cond->getBeginLoc(), diag::err_double_check_expr)
+        << A << Cond->getSourceRange();
+  }
+
+  return ::new (S.Context) DoubleCheckAttr(S.Context, A);
+}
+
 static Attr *handleLikely(Sema &S, Stmt *St, const ParsedAttr &A,
                           SourceRange Range) {
 
@@ -486,6 +516,8 @@ static Attr *ProcessStmtAttribute(Sema &S, Stmt *St, const ParsedAttr &A,
     return handleNoInlineAttr(S, St, A, Range);
   case ParsedAttr::AT_MustTail:
     return handleMustTailAttr(S, St, A, Range);
+  case ParsedAttr::AT_DoubleCheck:
+    return handleDoubleCheck(S, St, A, Range);
   case ParsedAttr::AT_Likely:
     return handleLikely(S, St, A, Range);
   case ParsedAttr::AT_Unlikely:

clang/test/CodeGenCXX/attr-double-check.cpp

@@ -0,0 +1,138 @@
+// RUN: %clang_cc1 -S -emit-llvm %s -triple riscv32 -o - | FileCheck %s
+// RUN: %clang_cc1 -S %s -triple riscv32 -o - | FileCheck -check-prefix=CHECK-ASM %s
+
+extern "C" {
+
+void test_eq(int a, int b) {
+  // CHECK: @test_eq
+  // CHECK: callbr void asm sideeffect "bne $0, $1, $3\0Abeq $0, $1, $2\0Aunimp\0Aunimp", "r,r,!i,!i"(i32 %0, i32 %1)
+  // CHECK-NEXT: to label %asm.fallthrough [label %if.then, label %if.end]
+  // CHECK-EMPTY:
+  // CHECK-NEXT: asm.fallthrough:                                  ; preds = %entry
+  // CHECK-NEXT:   br label %if.then
+  // CHECK-EMPTY:
+  // CHECK-NEXT: if.then:                                          ; preds = %asm.fallthrough, %entry
+  // CHECK-NEXT:   br label %if.end
+  // CHECK-EMPTY:
+  // CHECK-NEXT: if.end:                                           ; preds = %if.then, %entry
+  // CHECK-NEXT:   ret void
+  //
+  // CHECK-ASM:      test_eq:
+  // CHECK-ASM:        #APP
+  // CHECK-ASM-NEXT:   bne a0, a1, .LBB0_3
+  // CHECK-ASM-NEXT:   beq a0, a1, .LBB0_2
+  // CHECK-ASM-NEXT:   unimp
+  // CHECK-ASM-NEXT:   unimp
+  // CHECK-ASM-NEXT:   #NO_APP
+  // CHECK-ASM-NEXT:   j .LBB0_1
+  // CHECK-ASM-NEXT: .LBB0_1:                                # %asm.fallthrough
+  // CHECK-ASM-NEXT:   j .LBB0_2
+  // CHECK-ASM-NEXT: .LBB0_2:                                # Block address taken
+  // CHECK-ASM-NEXT:                                         # %if.then
+  // CHECK-ASM-NEXT:                                         # Label of block must be emitted
+  // CHECK-ASM-NEXT:   j .LBB0_3
+  // CHECK-ASM-NEXT: .LBB0_3:                                # Block address taken
+  // CHECK-ASM-NEXT:                                         # %if.end
+  // CHECK-ASM-NEXT:                                         # Label of block must be emitted
+  [[clang::double_check]] if (a == b) {}
+}
+
+void test_ne(int a, int b) {
+  // CHECK: @test_ne
+  // CHECK: callbr void asm sideeffect "beq $0, $1, $3\0Abne $0, $1, $2\0Aunimp\0Aunimp", "r,r,!i,!i"(i32 %0, i32 %1)
+  // CHECK-ASM:      test_ne:
+  // CHECK-ASM:        beq a0, a1, .LBB1_3
+  // CHECK-ASM-NEXT:   bne a0, a1, .LBB1_2
+  [[clang::double_check]] if (a != b) {}
+}
+
+void test_gt(int a, int b) {
+  // CHECK: @test_gt
+  // CHECK: callbr void asm sideeffect "ble $0, $1, $3\0Abgt $0, $1, $2\0Aunimp\0Aunimp", "r,r,!i,!i"(i32 %0, i32 %1)
+  // CHECK-ASM:      test_gt:
+  // CHECK-ASM:        bge a1, a0, .LBB2_3
+  // CHECK-ASM-NEXT:   blt a1, a0, .LBB2_2
+  [[clang::double_check]] if (a > b) {}
+}
+
+void test_ge(int a, int b) {
+  // CHECK: @test_ge
+  // CHECK: callbr void asm sideeffect "blt $0, $1, $3\0Abge $0, $1, $2\0Aunimp\0Aunimp", "r,r,!i,!i"(i32 %0, i32 %1)
+  // CHECK-ASM:      test_ge:
+  // CHECK-ASM:        blt a0, a1, .LBB3_3
+  // CHECK-ASM-NEXT:   bge a0, a1, .LBB3_2
+  [[clang::double_check]] if (a >= b) {}
+}
+
+void test_lt(int a, int b) {
+  // CHECK: @test_lt
+  // CHECK: callbr void asm sideeffect "bge $0, $1, $3\0Ablt $0, $1, $2\0Aunimp\0Aunimp", "r,r,!i,!i"(i32 %0, i32 %1)
+  // CHECK-ASM:      test_lt:
+  // CHECK-ASM:        bge a0, a1, .LBB4_3
+  // CHECK-ASM-NEXT:   blt a0, a1, .LBB4_2
+  [[clang::double_check]] if (a < b) {}
+}
+
+void test_le(int a, int b) {
+  // CHECK: @test_le
+  // CHECK: callbr void asm sideeffect "bgt $0, $1, $3\0Able $0, $1, $2\0Aunimp\0Aunimp", "r,r,!i,!i"(i32 %0, i32 %1)
+  // CHECK-ASM:      test_le:
+  // CHECK-ASM:        blt a1, a0, .LBB5_3
+  // CHECK-ASM-NEXT:   bge a1, a0, .LBB5_2
+  [[clang::double_check]] if (a <= b) {}
+}
+
+// The double check applies to the outer comparison expression only.
+void test_sub_expr(int a, int b) {
+  // CHECK: @test_sub_expr
+  // CHECK: callbr void asm sideeffect "bne $0, $1, $3\0Abeq $0, $1, $2\0Aunimp\0Aunimp", "r,r,!i,!i"(i32 %mul, i32 %add)
+  // CHECK-NOT: callbr
+  // CHECK: ret void
+  [[clang::double_check]] if ((a*b) == (a+b)) {}
+}
+
+int test_else(int a, int b) {
+  // CHECK: @test_else
+  // CHECK: callbr void asm sideeffect "bne $0, $1, $3\0Abeq $0, $1, $2\0Aunimp\0Aunimp", "r,r,!i,!i"(i32 %0, i32 %1)
+  // CHECK-NEXT: to label %asm.fallthrough [label %if.then, label %if.else]
+  // CHECK-EMPTY:
+  // CHECK-NEXT: asm.fallthrough:                                  ; preds = %entry
+  // CHECK-NEXT:   br label %if.then
+  // CHECK-EMPTY:
+  // CHECK-NEXT: if.then:                                          ; preds = %asm.fallthrough, %entry
+  // CHECK-NEXT:   store i32 1, ptr %retval, align 4
+  // CHECK-NEXT:   br label %return
+  // CHECK-EMPTY:
+  // CHECK-NEXT: if.else:                                          ; preds = %entry
+  // CHECK-NEXT:   store i32 2, ptr %retval, align 4
+  // CHECK-NEXT:   br label %return
+  // CHECK-EMPTY:
+  // CHECK-NEXT: return:                                           ; preds = %if.else, %if.then
+  // CHECK-NEXT:  %2 = load i32, ptr %retval, align 4
+  // CHECK-NEXT:  ret i32 %2
+  [[clang::double_check]] if (a == b) { return 1; } else { return 2; }
+}
+
+void test_else_unguarded_if(int a, int b) {
+  // CHECK: @test_else_unguarded_if
+  // CHECK: callbr void asm sideeffect
+  // CHECK-NOT: callbr
+  // CHECK: ret void
+  [[clang::double_check]] if (a == b) {} else if (b == 42) {}
+}
+
+void test_else_guarded_if(int a, int b) {
+  // CHECK: @test_else_guarded_if
+  // CHECK: callbr void asm sideeffect
+  // CHECK: callbr void asm sideeffect
+  // CHECK: ret void
+  // CHECK-ASM:      test_else_guarded_if:
+  // CHECK-ASM:        bne a0, a1, .LBB9_3
+  // CHECK-ASM-NEXT:   beq a0, a1, .LBB9_2
+  // CHECK-ASM:        li a1, 42
+  // CHECK-ASM:        bne a0, a1, .LBB9_6
+  // CHECK-ASM-NEXT:   beq a0, a1, .LBB9_5
+  [[clang::double_check]] if (a == b) {} else [[clang::double_check]] if (b == 42) {}
+}
+
+}