<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - Control Flow Guard checking code is corrupting function pointers"
href="https://bugs.llvm.org/show_bug.cgi?id=44049">44049</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>Control Flow Guard checking code is corrupting function pointers
</td>
</tr>
<tr>
<th>Product</th>
<td>new-bugs
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Windows NT
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>new bugs
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>dmajor@mozilla.com
</td>
</tr>
<tr>
<th>CC</th>
<td>froydnj@gmail.com, htmldeveloper@gmail.com, llvm-bugs@lists.llvm.org, rnk@google.com, tom@ritter.vg
</td>
</tr></table>
<p>
<div>
<pre>With the improved CFG code in <a href="https://reviews.llvm.org/D65761">https://reviews.llvm.org/D65761</a>, we see crashes
in Firefox because the inserted code overwrites the lower byte of function
pointers before jumping to them.
Without CFG:
xul!mozilla::AbstractCanonical<mozilla::Maybe<mozilla::media::TimeUnit>>::`vcall'{8}':
00000001`80c18c10 4883ec28 sub rsp,28h
00000001`80c18c14 4c8b11 mov r10,qword ptr [rcx]
00000001`80c18c17 4d8b5208 mov r10,qword ptr [r10+8]
00000001`80c18c1b 4883c428 add rsp,28h
00000001`80c18c1f 49ffe2 jmp r10
With CFG:
xul!mozilla::AbstractCanonical<double>::`vcall'{8}':
00007ffd`5936c090 4883ec28 sub rsp,28h
00007ffd`5936c094 4189c2 mov r10d,eax
00007ffd`5936c097 488b01 mov rax,qword ptr [rcx]
00007ffd`5936c09a 488b4008 mov rax,qword ptr [rax+8]
00007ffd`5936c09e 4c8b1d636f4d05 mov r11,qword ptr [xul!__guard_dispatch_icall_fptr (00007ffd`5e843008)]
00007ffd`5936c0a5 4488d0 mov al,r10b <--------------- ?!
00007ffd`5936c0a8 4883c428 add rsp,28h
00007ffd`5936c0ac 49ffe3 jmp r11
(Ignore the difference in function names, it's the same function with many
names, and ICF chose different names for these builds)</pre>
</div>
</p>
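<p>Reduced reproducer for the codegen path shown in the report, added here as an example; it is not part of the bug report, LLVM or Firefox. A pointer-to-member-function that names a virtual method makes MSVC-ABI compilers emit a <code>`vcall'{N}'</code> thunk that loads the vtable from <code>[this]</code>, loads the slot at offset N and tail-jumps through it (via <code>__guard_dispatch_icall_fptr</code> when built with <code>/guard:cf</code>). The class layout, the assumed slot offset of 8, and the return values are constructed so that an intact jump is distinguishable from a corrupted one.</p>

```cpp
// Minimal reproducer (constructed example) for the vcall-thunk pattern:
// taking the address of a virtual member function yields a pointer-to-member
// whose call goes through a compiler-generated thunk rather than a direct
// virtual call. With clang-cl /guard:cf that thunk is where the CFG dispatch
// sequence from the report is inserted.
#include <cstdio>

struct Base {
    virtual ~Base() {}
    // Assumption: with the MSVC ABI the destructor occupies slot 0, so this
    // method is slot 1, i.e. vtable offset 8 on x64 (matches `vcall'{8}').
    virtual int value() const { return 1; }
};

struct Derived : Base {
    int value() const override { return 2; }
};

// Pointer-to-member type naming the virtual method; calls through it use the
// vcall thunk (load vtable from [rcx], load [vtable+8], tail-jump).
typedef int (Base::*ValueFn)() const;

// Indirect path: dispatch through the pointer-to-member / vcall thunk.
int CallThroughMemberPointer(const Base &obj, ValueFn fn) {
    return (obj.*fn)();
}

// Reference path: an ordinary virtual call with no thunk involved.
int DirectVirtualCall(const Base &obj) {
    return obj.value();
}

// Exercise the thunk with both dynamic types and compare against the direct
// virtual call. If the thunk corrupted the low byte of the target before
// jumping, the process would crash or land in the wrong function, so a
// mismatch (or no return at all) is the failure mode being checked.
bool CheckVirtualDispatch() {
    ValueFn fn = &Base::value;
    Base b;
    Derived d;
    bool base_ok    = CallThroughMemberPointer(b, fn) == DirectVirtualCall(b) &&
                      CallThroughMemberPointer(b, fn) == 1;
    bool derived_ok = CallThroughMemberPointer(d, fn) == DirectVirtualCall(d) &&
                      CallThroughMemberPointer(d, fn) == 2;
    return base_ok && derived_ok;
}

int main() {
    bool ok = CheckVirtualDispatch();
    std::printf("vcall thunk dispatch: %s\n", ok ? "intact" : "BROKEN");
    return ok ? 0 : 1;
}
```

<p>Build with <code>clang-cl /guard:cf</code> (and once without) and disassemble the generated <code>`vcall'{8}'</code> thunk to compare against the two listings above; the program exits non-zero, or does not return, if the indirect call through the thunk does not reach the same target as the direct virtual call.</p>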
</body>
</html>