[AArch64] Stack probing for dynamic allocas in GlobalISel #67123
Conversation
momchil-velikov
requested review from
aemerson,
zatrazz,
serge-sans-paille,
SamTebbs33,
bzEq,
hassnaaHamdi,
davemgreen,
sdesmalen-arm,
CarolineConcatto,
JonPsson and
efriedma-quic
|
✅ With the latest revision this PR passed the C/C++ code formatter. |
|
This looks like too many changes for a single PR. |
Yeah, it's too many, I have separate PRs for:
In the Phabricator days those would be dependent reviews, here they are just three branches on top of each other, Perhaps I should mark the head of each PR in the commit message, so the structure is evident and people can start review from the first one, while still seeing the big picture. |
There was a problem hiding this comment.
I found an interaction between -fstack-clash-protection and -ftrivial-auto-var-init=zero that can be triggered with:
// RUN: %clang_cc1 "-triple" "aarch64-none-linux-android28" "-emit-obj" "-Os" "-fstack-clash-protection" "-mstack-probe-size=65536" "-ftrivial-auto-var-init=zero" "-vectorize-loops" "-x" "c" "%s" "-o" "/dev/null"
// This test case examines a specific interaction between the -fstack-clash-protection
// mitigation and the -ftrivial-auto-var-init=zero option.
// The -fstack-clash-protection option inserts a stack probe loop into the compiled code to protect
// against stack clashes. The -ftrivial-auto-var-init=zero option initializes automatic variables to zero.
// The test case was reduced from an instance where the compiler crashed when these options were used together.
// The crash occurred when condition flags were situated at the insertion point of the stack probe loop.
# 4 "" 3
typedef a;
typedef b;
typedef struct {
b c
} d;
#define e(f, g, h) h f[g]
i(d *j) {
a k;
e(l, j->c == 2, a);
if (j->c == 2)
k = l;
m(k);
}
I have a fix but I do not know if it is the correct way to do it. I will add it inline.
Thank you, I'll take a look. |
|
Indeed, that's a bug in 86e003f , specifically in the definition on Thank you again, I will fix that in a follow-up update. |
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
from
9a6abc7
to
f6b6124
Compare
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
from
f6b6124
to
fe5016b
Compare
llvmbot
added
clang
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
from
fe5016b
to
e9cf239
Compare
|
I was able to confirm this stack works as expected in my local testing. I haven't uncovered any further interactions with other mitigations. Thank you for working on this! |
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
from
e9cf239
to
22a81e6
Compare
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
from
22a81e6
to
ceb5974
Compare
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
4 times, most recently
from
b678566
to
352cd0f
Compare
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
4 times, most recently
from
6a7b24a
to
dbf035f
Compare
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
2 times, most recently
from
e052a15
to
bb62d6b
Compare
This adds a stack probing instruction sequence for dynamic stack allocations, to protect against stack clash attacks. The instruction sequence used is the same one used for unknown-size allocations in function prologues. Change-Id: Iba5f94462d18bcf62d09bb9b4f0d7563f680c19c Co-authored-by: Oliver Stannard <[email protected]>
momchil-velikov
force-pushed
the
stack-clash-protection-dynalloc-global-isel
branch
from
bb62d6b
to
18960a9
Compare
momchil-velikov
deleted the
stack-clash-protection-dynalloc-global-isel
branch
No description provided.