File: speculation-hardening-sls-blr-bti.mir

# RUN: llc -verify-machineinstrs -mtriple=aarch64-none-linux-gnu \
# RUN:     -start-before aarch64-sls-hardening \
# RUN:     -stop-after aarch64-sls-hardening -o - %s \
# RUN:   | FileCheck %s --check-prefixes=CHECK

# Check that when the BLR SLS hardening pass encounters a BLR/BTI bundle, the
# BTI instruction is kept in the bundle after the BLR is replaced with a BL.
# Such BLR/BTI bundles are produced when a returns_twice function
# (like setjmp) is called indirectly.
--- |
  ; The thunk lives in its own "any" comdat, so the linker keeps a single copy
  ; when several objects emit it.
  $__llvm_slsblr_thunk_x8 = comdat any

  ; Calls @setjmp through a pointer that is spilled to and reloaded from the
  ; stack, so the backend sees an indirect call (BLR) to a returns_twice callee.
  define dso_local void @fn() #0 {
  entry:
    %fnptr = alloca ptr, align 8
    store ptr @setjmp, ptr %fnptr, align 8
    %0 = load ptr, ptr %fnptr, align 8
    ; The call site carries attribute group #1 (returns_twice); the header
    ; comment says this is what makes the backend pair the BLR with a BTI.
    %call1 = call i32 %0(ptr noundef null) #1
    ret void
  }

  ; Function Attrs: returns_twice
  declare i32 @setjmp(ptr noundef) #1

  ; Function Attrs: naked nounwind
  ; IR-level shell of the SLS BLR thunk; its real machine body is the second
  ; MIR function in this file.
  define linkonce_odr hidden void @__llvm_slsblr_thunk_x8() #2 comdat {
  entry:
    ret void
  }

  ; #0 turns on SLS hardening of indirect calls (BLR) for @fn only.
  attributes #0 = { "target-features"="+harden-sls-blr" }
  attributes #1 = { returns_twice }
  attributes #2 = { naked nounwind }

  ; Module-wide branch-target enforcement is enabled, which is why the BTI
  ; in the bundle must survive the rewrite: the point after the call has to
  ; stay a valid branch target (presumably for the indirect return through
  ; longjmp — confirm against the returns_twice lowering).
  !llvm.module.flags = !{!0}
  !0 = !{i32 8, !"branch-target-enforcement", i32 1}
...
---
# Machine function for @fn. The instruction sequence below is the fixture
# handed to the aarch64-sls-hardening pass, so any change to it must be
# mirrored in the FileCheck lines that follow the BUNDLE.
name:            fn
# Marks the function as containing a call to a returns_twice callee.
exposesReturnsTwice: true
tracksRegLiveness: true
fixedStack:      []
stack:
  # Slot 0 backs %ir.fnptr (the spilled function pointer).
  - { id: 0, name: fnptr, type: default, offset: -8, size: 8, alignment: 8,
      stack-id: default, callee-saved-register: '', callee-saved-restored: true,
      local-offset: -8, debug-info-variable: '', debug-info-expression: '',
      debug-info-location: '' }
  # Slot 1 is the callee-saved spill slot for $lr used by the prologue/epilogue.
  - { id: 1, name: '', type: spill-slot, offset: -16, size: 8, alignment: 16,
      stack-id: default, callee-saved-register: '$lr', callee-saved-restored: true,
      debug-info-variable: '', debug-info-expression: '', debug-info-location: '' }
callSites:       []
debugValueSubstitutions: []
constants:       []
machineFunctionInfo:
  hasRedZone:      false
body:             |
  bb.0.entry:
    liveins: $lr

    ; Prologue: push $lr into %stack.1 and describe it to the unwinder.
    early-clobber $sp = frame-setup STRXpre killed $lr, $sp, -16 :: (store (s64) into %stack.1)
    frame-setup CFI_INSTRUCTION def_cfa_offset 16
    frame-setup CFI_INSTRUCTION offset $w30, -16
    ; Load the address of @setjmp through the GOT and spill it to %ir.fnptr.
    $x8 = ADRP target-flags(aarch64-page, aarch64-got) @setjmp
    renamable $x8 = LDRXui killed $x8, target-flags(aarch64-pageoff, aarch64-got, aarch64-nc) @setjmp
    STRXui renamable $x8, $sp, 1 :: (store (s64) into %ir.fnptr)
    ; $x0 = 0: the null pointer argument of the call.
    $x0 = ORRXrs $xzr, $xzr, 0
    ; The indirect call through $x8 is bundled with HINT 36 (the BTI j
    ; encoding) because the callee is returns_twice. The hardening pass is
    ; expected to rewrite only the BLR into a BL to the thunk and to leave the
    ; HINT inside the bundle; the FileCheck lines below pin exactly that.
    BUNDLE implicit-def $lr, implicit-def $w30, implicit killed $x8, implicit $sp {
      BLR killed renamable $x8, implicit-def $lr, implicit $sp
      HINT 36
    }
    ; CHECK:      BUNDLE implicit-def $lr, implicit-def $w30, implicit killed $x8, implicit $sp {
    ; CHECK-NEXT:   BL <mcsymbol __llvm_slsblr_thunk_x8>, implicit-def $lr, implicit $sp, implicit killed $x8
    ; CHECK-NEXT:   HINT 36
    ; CHECK-NEXT: }
    ; Epilogue: reload $lr from %stack.1 and return.
    early-clobber $sp, $lr = frame-destroy LDRXpost $sp, 16 :: (load (s64) from %stack.1)
    RET undef $lr
...
<!-- -->
---
# Machine body of the SLS BLR thunk that the rewritten BL in @fn targets.
# The thunk receives the original call target in $x8 (its only live-in).
name:            __llvm_slsblr_thunk_x8
tracksRegLiveness: true
body:             |
  bb.0.entry:
    liveins: $x8

    ; Copy the target into $x16 and branch through it. $x16 (IP0) is chosen
    ; because the architecture's BTI rules allow a BR via x16/x17 to land on a
    ; `BTI c` entry, so the callee stays a permitted target under
    ; branch-target-enforcement.
    $x16 = ORRXrs $xzr, $x8, 0
    BR $x16
    ; Barrier after the indirect branch: straight-line speculation past the BR
    ; stops here instead of running into whatever follows the thunk.
    SpeculationBarrierISBDSBEndBB
...