[BOLT] Gadget scanner: do not crash on debug-printing CFI instructions #136151
[BOLT] Gadget scanner: do not crash on debug-printing CFI instructions #136151
@llvm/pr-subscribers-bolt Author: Anatoly Trosinenko (atrosinenko) Changes: Some instruction-printing code used under LLVM_DEBUG does not handle CFI instructions well. Full diff: https://github.com/llvm/llvm-project/pull/136151.diff 2 Files Affected:
diff --git a/bolt/lib/Passes/PAuthGadgetScanner.cpp b/bolt/lib/Passes/PAuthGadgetScanner.cpp
index f12354390c3f3..2d2126bf05ae1 100644
--- a/bolt/lib/Passes/PAuthGadgetScanner.cpp
+++ b/bolt/lib/Passes/PAuthGadgetScanner.cpp
@@ -433,6 +433,9 @@ class SrcSafetyAnalysis {
}
SrcState computeNext(const MCInst &Point, const SrcState &Cur) {
+ if (BC.MIB->isCFI(Point))
+ return Cur;
+
SrcStatePrinter P(BC);
LLVM_DEBUG({
dbgs() << " SrcSafetyAnalysis::ComputeNext(";
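Review bot: The early return at the top of SrcSafetyAnalysis::computeNext has no comment saying why CFI pseudos are passed through, and a later reader may "fix" it by removing the guard once the printer is repaired. The reason is twofold and worth stating: a CFI pseudo executes nothing, so the transfer function is the identity, and the SrcStatePrinter/LLVM_DEBUG block below presumably cannot render it. I would add `// CFI pseudo-instructions have no runtime effect, so the state passes through unchanged; they are also skipped before the debug printer below, which cannot render them.` above the `if`. The body of computeNext continues past the end of this hunk.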
@@ -674,6 +677,8 @@ class CFGUnawareSrcSafetyAnalysis : public SrcSafetyAnalysis {
SrcState S = createEntryState();
for (auto &I : BF.instrs()) {
MCInst &Inst = I.second;
+ if (BC.MIB->isCFI(Inst))
+ continue;
// If there is a label before this instruction, it is possible that it
// can be jumped-to, thus conservatively resetting S. As an exception,
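Review bot: The new `continue` runs before the label check that conservatively resets S at a possible jump target, so if BOLT can attach a label to a CFI pseudo in the no-CFG path (I cannot confirm that from here), the reset would be skipped and the analysis would become less conservative at exactly the point where an unchecked value can arrive, i.e. a missed gadget rather than a false positive. The safe ordering is to perform the label handling first and only then `if (BC.MIB->isCFI(Inst)) continue;`, or alternatively to assert that CFI pseudos never carry a label so the assumption is checked rather than implied. Either way a one-line comment on the `continue` explaining which assumption holds would help. The loop and the label check continue outside this hunk.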
@@ -952,6 +957,9 @@ class DstSafetyAnalysis {
}
DstState computeNext(const MCInst &Point, const DstState &Cur) {
+ if (BC.MIB->isCFI(Point))
+ return Cur;
+
DstStatePrinter P(BC);
LLVM_DEBUG({
dbgs() << " DstSafetyAnalysis::ComputeNext(";
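Review bot: This is the second dataflow transfer function to receive the same `isCFI` early return, and the same guard is duplicated again in both CFG-unaware loops and in both report walks, six copies that must stay in agreement for the analyses to remain consistent. Inferring from the visible hunks, a single predicate such as `static bool isIgnoredByScanner(const BinaryContext &BC, const MCInst &Inst) { return BC.MIB->isCFI(Inst); }` called from each site, or filtering CFI out in iterateOverInstrs, would keep src and dst analyses from drifting if the set of skipped pseudos grows. At minimum the early return here should carry the same comment as its Src twin. DstSafetyAnalysis::computeNext continues past the end of this hunk.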
@@ -1130,6 +1138,8 @@ class CFGUnawareDstSafetyAnalysis : public DstSafetyAnalysis {
DstState S = createUnsafeState();
for (auto &I : llvm::reverse(BF.instrs())) {
MCInst &Inst = I.second;
+ if (BC.MIB->isCFI(Inst))
+ continue;
// If Inst can change the control flow, we cannot be sure that the next
// instruction (to be executed in analyzed program) is the one processed
@@ -1326,6 +1336,9 @@ void FunctionAnalysis::findUnsafeUses(
});
iterateOverInstrs(BF, [&](MCInstReference Inst) {
+ if (BC.MIB->isCFI(Inst))
+ return;
+
const SrcState &S = Analysis->getStateBefore(Inst);
// If non-empty state was never propagated from the entry basic block
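Review bot: The skip before `Analysis->getStateBefore(Inst)` appears to be load-bearing rather than cosmetic: the CFG-unaware analysis `continue`s over CFI pseudos before recording any state for them, so querying the state of a CFI pseudo here would presumably hit a missing entry (I cannot see the state storage from here to confirm). That coupling should be written down so the two guards are not removed independently, e.g. `// CFI pseudos are skipped by the analyses and have no recorded state; querying one would be a bug.` above the `if`. The lambda body continues outside this hunk.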
@@ -1387,6 +1400,9 @@ void FunctionAnalysis::findUnsafeDefs(
});
iterateOverInstrs(BF, [&](MCInstReference Inst) {
+ if (BC.MIB->isCFI(Inst))
+ return;
+
const DstState &S = Analysis->getStateAfter(Inst);
if (auto Report = shouldReportAuthOracle(BC, Inst, S))
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
index fd55880921d06..07b61bea77e94 100644
--- a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
@@ -329,6 +329,38 @@ auth_oracle:
// PAUTH-EMPTY:
// PAUTH-NEXT: Attaching leakage info to: 00000000: autia x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector>
+// Gadget scanner should not crash on CFI instructions, including when debug-printing them.
+// Note that the particular debug output is not checked, but BOLT should be
+// compiled with assertions enabled to support -debug-only argument.
+
+ .globl cfi_inst_df
+ .type cfi_inst_df,@function
+cfi_inst_df:
+ .cfi_startproc
+ sub sp, sp, #16
+ .cfi_def_cfa_offset 16
+ add sp, sp, #16
+ .cfi_def_cfa_offset 0
+ ret
+ .size cfi_inst_df, .-cfi_inst_df
+ .cfi_endproc
+
+ .globl cfi_inst_nocfg
+ .type cfi_inst_nocfg,@function
+cfi_inst_nocfg:
+ .cfi_startproc
+ sub sp, sp, #16
+ .cfi_def_cfa_offset 16
+
+ adr x0, 1f
+ br x0
+1:
+ add sp, sp, #16
+ .cfi_def_cfa_offset 0
+ ret
+ .size cfi_inst_nocfg, .-cfi_inst_nocfg
+ .cfi_endproc
+
// CHECK-LABEL:Analyzing function main, AllocatorId = 1
.globl main
.type main,@function
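Review bot: The two new functions have no CHECK lines at all, so the test only proves BOLT does not crash; if the scanner ever skips them (for example by marking cfi_inst_nocfg non-simple after the `adr x0, 1f; br x0` indirect branch, which I take to be what forces the CFG-unaware path), the test would pass vacuously. Since the existing output format is visible as `Analyzing function main, AllocatorId = 1`, adding `// CHECK-LABEL: Analyzing function cfi_inst_df` and `// CHECK-LABEL: Analyzing function cfi_inst_nocfg` in front of the respective functions would pin that both are actually analyzed by the debug-output path. The note about assertions on the comment presumably corresponds to a `REQUIRES: asserts` line at the top of the file, which is outside this hunk.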
Some instruction-printing code used under LLVM_DEBUG does not handle CFI instructions well. While CFI instructions seem to be harmless for the correctness of the analysis results, they do not convey any useful information to the analysis either, so skip them early.
Some instruction-printing code used under LLVM_DEBUG does not handle CFI
instructions well. While CFI instructions seem to be harmless for the
correctness of the analysis results, they do not convey any useful
information to the analysis either, so skip them early.