<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - ThinLTO + -fno-sanitize-cfi-canonical-jump-tables doesn't work with function aliases"
   href="https://bugs.llvm.org/show_bug.cgi?id=43652">43652</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>ThinLTO + -fno-sanitize-cfi-canonical-jump-tables doesn't work with function aliases
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>new-bugs
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>trunk
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>new bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>peter@pcc.me.uk
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>samitolvanen@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>htmldeveloper@gmail.com, jgalenson@google.com, llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>If I compile my program with ThinLTO and
-fno-sanitize-cfi-canonical-jump-tables, I cannot make an indirect call to a
function alias. I can reproduce the issue as follows:

$ cat test.c 
#include &lt;stdio.h&gt;

typedef int (*func_t)(int);

int a(int n)
{
        return 1;
}

int b(int n) __attribute__((alias("a")));

int main()
{
        func_t f[] = { a, b, NULL };

        for (int i = 0; f[i] != NULL; i++) {
                printf("calling %016lx\n", (unsigned long)f[i]);
                printf("\t-> %d\n", f[i](0));
        }

        return 0;
}

I would expect indirect calls to both a and b to work fine with CFI, as seen here:

$ clang -flto=thin -fuse-ld=lld -fvisibility=default -fsanitize=cfi test.c 
$ ./a.out 
calling 00000000002017b0
        -> 1
calling 00000000002017b0
        -> 1

However, if I enable -fno-sanitize-cfi-canonical-jump-tables, the test program
fails to compile:

$ clang -flto=thin -fuse-ld=lld -fvisibility=default -fsanitize=cfi
-fno-sanitize-cfi-canonical-jump-tables test.c 
ld.lld: error: undefined symbol: a
<span class="quote">>>> referenced by ld-temp.o
>>>               lto.tmp:(a.cfi_jt)</span >
clang-10: error: linker command failed with exit code 1 (use -v to see
invocation)

Adding -fsanitize-cfi-cross-dso allows me to compile the program again, but it
now trips CFI:

$ clang -flto=thin -fuse-ld=lld -fvisibility=default -fsanitize=cfi
-fno-sanitize-cfi-canonical-jump-tables -fsanitize-cfi-cross-dso test.c 
$ ./a.out 
calling 00005648c2aab030
        -> 1
calling 00005648c2aab040
Illegal instruction

Looking at a.out, we have:

  1125: 0000000000029030     8 FUNC    LOCAL  HIDDEN    14 a.cfi_jt
  1204: 0000000000029040    14 FUNC    GLOBAL DEFAULT   14 a
  1207: 0000000000029040    14 FUNC    GLOBAL DEFAULT   14 b

Which means the alias points directly to a, instead of a.cfi_jt. Switching to
-flto works though:

$ clang -flto -fuse-ld=lld -fvisibility=default -fsanitize=cfi
-fno-sanitize-cfi-canonical-jump-tables -fsanitize-cfi-cross-dso test.c 
$ ./a.out 
calling 0000563f82e14030
        -> 1
calling 0000563f82e14030
        -> 1

This is currently reproducible with ToT LLVM:

$ clang --version | head -n1
clang version 10.0.0 (<a href="https://github.com/llvm/llvm-project.git">https://github.com/llvm/llvm-project.git</a>
b95d4c3a99794f57b3ac7accd86f5c061f6c69f9)
$ ld.lld --version
LLD 10.0.0 (<a href="https://github.com/llvm/llvm-project.git">https://github.com/llvm/llvm-project.git</a>
b95d4c3a99794f57b3ac7accd86f5c061f6c69f9) (compatible with GNU linkers)</pre>
        </div>
      </p>


    </body>
</html>