<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/63598">63598</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
The lack of unwind info in epilogue(eh_frame) will cause pointer authentication exception unwind fails
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
hangl-qcom
</td>
</tr>
</table>
<pre>
Hi Clang Team,
**Environment**
- Clang version: 16.0.1
- Operating System: Android 14
- Arch: AArch64 (Armv9)
I noticed that `eh_frame` doesn't have unwind info for the prologue and epilogue, as C++ exceptions won't be thrown from there. Now many unwinders rely on `eh_frame` to unwind frames and get a backtrace. And Armv8.3-A introduced the option of pointer authentication (PA) to mitigate against ROP attacks. Along with this feature, several AArch64 instructions were introduced, such as `paciasp` and `autiasp`. When `autiasp` authentication fails, an exception is raised. I'm afraid lacking unwind info for the epilogue will make the unwind process fail for such an exception. Below is the detailed example and analysis.
The example function is `android::ProcessState::spawnPooledThread` from libbinder.so. As you can see, the instruction at 0x7f480 already changed x29, but the CFA calculation has not changed for 0x7f488 and 0x7f48c. I guess the unwind process will fail if it relies on the wrong CFI of the epilogue. Could you please help check on this? Thanks!
BTW, the exception may occur in `autiasp` or `ret`, depending on whether the feature below is supported. If this feature is not supported, then `autiasp` will only return an invalid pointer, and the subsequent `ret` will cause an exception as the invalid pointer is used. If this feature is supported, then `autiasp` will generate the exception.
> ARMv8.3-FPAC FEAT_FPAC Faulting on AUT* instructions
**[Disassembly codes of example function]**
```
000000000007f35c <android::ProcessState::spawnPooledThread(bool)>:
; android::ProcessState::spawnPooledThread(bool)():
7f35c: d503233f paciasp
7f360: d10143ff sub sp, sp, #80
7f364: a9027bfd stp x29, x30, [sp, #32]
7f368: a90357f6 stp x22, x21, [sp, #48]
7f36c: a9044ff4 stp x20, x19, [sp, #64]
7f370: 910083fd add x29, sp, #32
7f374: d53bd055 mrs x21, TPIDR_EL0
7f378: f94016a8 ldr x8, [x21, #40]
7f37c: f81f83a8 stur x8, [x29, #-8]
7f380: 3943a008 ldrb w8, [x0, #232]
7f384: 34000728 cbz w8, 0x7f468 <android::ProcessState::spawnPooledThread(bool)+0x10c>
7f388: 12000036 and w22, w1, #0x1
7f38c: 9103b008 add x8, x0, #236
7f390: f9000bff str xzr, [sp, #16]
7f394: 885f7d13 ldxr w19, [x8]
7f398: 11000669 add w9, w19, #1
7f39c: 880afd09 stlxr w10, w9, [x8]
7f3a0: 35ffffaa cbnz w10, 0x7f394 <android::ProcessState::spawnPooledThread(bool)+0x38>
7f3a4: 94005a93 bl 0x95df0 <getpid@plt>
7f3a8: 2a0003f4 mov w20, w0
7f3ac: 910043e0 add x0, sp, #16
7f3b0: f9000bff str xzr, [sp, #16]
7f3b4: 94005f03 bl 0x96fc0 <_ZN7android7String8C1Ev@plt>
7f3b8: 90fffdc1 adrp x1, 0x37000 <android::ProcessState::getStrongProxyForHandle(int)+0x234>
7f3bc: 910fb421 add x1, x1, #1005
7f3c0: 910043e0 add x0, sp, #16
7f3c4: 2a1403e2 mov w2, w20
7f3c8: 2a1303e3 mov w3, w19
7f3cc: 94006365 bl 0x98160 <_ZN7android7String812appendFormatEPKcz@plt>
7f3d0: 52801300 mov w0, #152
7f3d4: f90007ff str xzr, [sp, #8]
7f3d8: 94005abe bl 0x95ed0 <_Znwm@plt>
7f3dc: 91022014 add x20, x0, #136
7f3e0: aa0003f3 mov x19, x0
7f3e4: aa1403e0 mov x0, x20
7f3e8: 94005a8a bl 0x95e10 <_ZN7android7RefBaseC2Ev@plt>
7f3ec: d0000128 adrp x8, 0xa5000 <android::ProcessState::spawnPooledThread(bool)+0x128>
7f3f0: f9440108 ldr x8, [x8, #2048]
7f3f4: 52800022 mov w2, #1
7f3f8: aa1303e0 mov x0, x19
7f3fc: 91002101 add x1, x8, #8
7f400: 9400635c bl 0x98170 <_ZN7android6ThreadC2Eb@plt>
7f404: d0000128 adrp x8, 0xa5000 <android::ProcessState::becomeContextManager()+0x8>
7f408: f9440508 ldr x8, [x8, #2056]
7f40c: aa1403e0 mov x0, x20
7f410: aa1303e1 mov x1, x19
7f414: 39021276 strb w22, [x19, #132]
7f418: 91006109 add x9, x8, #24
7f41c: 91020108 add x8, x8, #128
7f420: f9000269 str x9, [x19]
7f424: f9004668 str x8, [x19, #136]
7f428: 94005a4e bl 0x95d60 <_ZNK7android7RefBase9incStrongEPKv@plt>
7f42c: f9400268 ldr x8, [x19]
7f430: f90007f3 str x19, [sp, #8]
7f434: f9400be1 ldr x1, [sp, #16]
7f438: aa1303e0 mov x0, x19
7f43c: f9400908 ldr x8, [x8, #16]
7f440: 2a1f03e2 mov w2, wzr
7f444: aa1f03e3 mov x3, xzr
7f448: d63f0100 blr x8
7f44c: f9400268 ldr x8, [x19]
7f450: 910023e1 add x1, sp, #8
7f454: f85e8108 ldur x8, [x8, #-24]
7f458: 8b080260 add x0, x19, x8
7f45c: 94005a4d bl 0x95d90 <_ZNK7android7RefBase9decStrongEPKv@plt>
7f460: 910043e0 add x0, sp, #16
7f464: 94005b83 bl 0x96270 <_ZN7android7String8D1Ev@plt>
7f468: f94016a8 ldr x8, [x21, #40]
7f46c: f85f83a9 ldur x9, [x29, #-8]
7f470: eb09011f cmp x8, x9
7f474: 540000e1 b.ne 0x7f490 <android::ProcessState::spawnPooledThread(bool)+0x134>
7f478: a9444ff4 ldp x20, x19, [sp, #64]
7f47c: a94357f6 ldp x22, x21, [sp, #48]
7f480: a9427bfd ldp x29, x30, [sp, #32]
7f484: 910143ff add sp, sp, #80
7f488: d50323bf autiasp
7f48c: d65f03c0 ret
7f490: 94005a48 bl 0x95db0 <__stack_chk_fail@plt>
```
**[CFI of example function]**
```
00009960 0000000000000024 00009964 FDE cie=00000000 pc=000000000007f35c..000000000007f494
LOC CFA x19 x20 x21 x22 x29 ra
000000000007f35c sp+0 u u u u u u
000000000007f360 sp+0 u u u u u u
000000000007f374 x29+48 c-8 c-16 c-24 c-32 c-48 c-40
```
**[Unwind info for 0x7f488: autiasp]**
```
taro:/ # unwind_reg_info /system/lib64/libbinder.so 0x7f488
Soname: libbinder.so
PC 0x7f488 (_ZN7android12ProcessState17spawnPooledThreadEb):
eh_frame:
cfa = r29 + 48
r19 = [cfa - 8]
r20 = [cfa - 16]
r21 = [cfa - 24]
r22 = [cfa - 32]
r29 = [cfa - 48]
r30 = [cfa - 40]
r34 = 1 (pseudo)
no debug_frame information
no gnu_debugdata (eh_frame)
gnu_debugdata (debug_frame):
No fde found.
```
**[Unwind info for 0x7f48c: ret]**
```
taro:/ # unwind_reg_info /system/lib64/libbinder.so 0x7f48c
Soname: libbinder.so
PC 0x7f48c (_ZN7android12ProcessState17spawnPooledThreadEb):
eh_frame:
cfa = r29 + 48
r19 = [cfa - 8]
r20 = [cfa - 16]
r21 = [cfa - 24]
r22 = [cfa - 32]
r29 = [cfa - 48]
r30 = [cfa - 40]
r34 = 1 (pseudo)
no debug_frame information
no gnu_debugdata (eh_frame)
gnu_debugdata (debug_frame):
No fde found.
```
</pre>
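<p>To make the failure mode concrete, the following is an added example (not code from the issue reporter or from LLVM): a small Python model of the prologue and epilogue shown in the disassembly above, driven by the CFI rows from the <code>[CFI of example function]</code> dump. Before each epilogue instruction it applies the row in effect at that PC, exactly as an <code>eh_frame</code>-based unwinder would, and compares the recovered CFA and registers with the caller's real state. The caller-state values (<code>ENTRY_SP</code>, <code>CALLER_FP</code>, <code>CALLER_LR</code>) are constructed, and the second table, <code>EH_FRAME_WITH_EPILOGUE_ROWS</code>, is an assumed fix showing the rows an epilogue-aware CFI would need (CFA re-based on <code>sp</code> once x29/x30 are reloaded), not the actual compiler output.</p>

```python
"""Simulate an eh_frame-driven unwind at each PC of the spawnPooledThread epilogue.

Added example; the register/memory model, the constructed caller state and the
assumed "fixed" CFI table are not from the issue or from LLVM.
"""

# Constructed caller state; any distinguishable values would do.
ENTRY_SP = 0x7FFF_FFFF_F000          # sp on entry == the CFA for the whole function
CALLER_FP = 0x7FFF_FFFF_F0A0         # caller's x29 on entry
CALLER_LR = 0x0000_5555_0001_1234    # return address in x30 on entry
CALLEE_SAVED_IN = {"x19": 0x19, "x20": 0x20, "x21": 0x21, "x22": 0x22}
UNKNOWN = 0xBAD_BAD_BAD_BAD          # sentinel for a load from a never-written slot

TRUTH = {"cfa": ENTRY_SP, "x29": CALLER_FP, "x30": CALLER_LR, **CALLEE_SAVED_IN}


class Machine:
    """Just enough AArch64 state for stp/ldp and sub/add on sp and x29."""

    def __init__(self):
        self.regs = {"sp": ENTRY_SP, "x29": CALLER_FP, "x30": CALLER_LR, **CALLEE_SAVED_IN}
        self.mem = {}  # 8-byte slots, address -> value

    def stp(self, r1, r2, addr):  # stp r1, r2, [addr]
        self.mem[addr], self.mem[addr + 8] = self.regs[r1], self.regs[r2]

    def ldp(self, r1, r2, addr):  # ldp r1, r2, [addr]
        self.regs[r1] = self.mem.get(addr, UNKNOWN)
        self.regs[r2] = self.mem.get(addr + 8, UNKNOWN)


def run_prologue(m):
    """0x7f360..0x7f370 from the issue's disassembly."""
    m.regs["sp"] -= 80                          # sub sp, sp, #80
    m.stp("x29", "x30", m.regs["sp"] + 32)      # stp x29, x30, [sp, #32]
    m.stp("x22", "x21", m.regs["sp"] + 48)      # stp x22, x21, [sp, #48]
    m.stp("x20", "x19", m.regs["sp"] + 64)      # stp x20, x19, [sp, #64]
    m.regs["x29"] = m.regs["sp"] + 32           # add x29, sp, #32


def add_sp(m, imm):
    m.regs["sp"] += imm


# (pc, text, effect): the epilogue at 0x7f478..0x7f48c from the issue's disassembly.
EPILOGUE = [
    (0x7F478, "ldp x20, x19, [sp, #64]", lambda m: m.ldp("x20", "x19", m.regs["sp"] + 64)),
    (0x7F47C, "ldp x22, x21, [sp, #48]", lambda m: m.ldp("x22", "x21", m.regs["sp"] + 48)),
    (0x7F480, "ldp x29, x30, [sp, #32]", lambda m: m.ldp("x29", "x30", m.regs["sp"] + 32)),
    (0x7F484, "add sp, sp, #80", lambda m: add_sp(m, 80)),
    (0x7F488, "autiasp", lambda m: None),   # authenticates x30; nothing we model changes
    (0x7F48C, "ret", lambda m: None),
]

# A CFI row: "cfa" is (base register, offset); other keys are offsets from the CFA
# of the slot holding the saved register. A register absent from a row keeps its
# current value ("same value"), which is how the 'u' columns behave for this frame.
FRAME_ROW = {"cfa": ("x29", 48), "x19": -8, "x20": -16, "x21": -24,
             "x22": -32, "x29": -48, "x30": -40}

# Rows exactly as in the issue's CFI dump: nothing changes after 0x7f374.
EH_FRAME_AS_EMITTED = [
    (0x7F35C, {"cfa": ("sp", 0)}),
    (0x7F360, {"cfa": ("sp", 0)}),
    (0x7F374, FRAME_ROW),
]

# Assumed fix (not from the issue): once x29/x30 are reloaded the CFA must be
# expressed via sp, and after the add it is sp itself.
EH_FRAME_WITH_EPILOGUE_ROWS = EH_FRAME_AS_EMITTED + [
    (0x7F484, {"cfa": ("sp", 80)}),
    (0x7F488, {"cfa": ("sp", 0)}),
]


def row_for(table, pc):
    """The row in effect at pc: the last row whose start address is <= pc."""
    row = None
    for start, r in table:
        if start <= pc:
            row = r
    return row


def unwind(m, row):
    """Recover caller state from current registers/memory using one CFI row."""
    base, off = row["cfa"]
    cfa = m.regs[base] + off
    recovered = {"cfa": cfa}
    for reg in ("x19", "x20", "x21", "x22", "x29", "x30"):
        recovered[reg] = m.mem.get(cfa + row[reg], UNKNOWN) if reg in row else m.regs[reg]
    return recovered


def check_epilogue(table):
    """Step through the epilogue; before each instruction, unwind with the row in
    effect at its PC and compare with the caller's real state.
    Returns {pc: [names recovered wrongly]} for the PCs where unwinding fails."""
    m = Machine()
    run_prologue(m)
    for reg in CALLEE_SAVED_IN:               # the body clobbers the callee-saved regs
        m.regs[reg] = 0x1111
    failures = {}
    for pc, _text, effect in EPILOGUE:
        recovered = unwind(m, row_for(table, pc))
        wrong = [name for name in TRUTH if recovered[name] != TRUTH[name]]
        if wrong:
            failures[pc] = wrong
        effect(m)
    return failures


if __name__ == "__main__":
    for label, table in (("as emitted", EH_FRAME_AS_EMITTED),
                         ("with epilogue rows", EH_FRAME_WITH_EPILOGUE_ROWS)):
        failures = check_epilogue(table)
        print(f"{label}: {'OK' if not failures else ''}")
        for pc, wrong in failures.items():
            print(f"  {pc:#x}: wrong {', '.join(wrong)}")
```

<p>With the table as emitted, unwinding is still correct at 0x7f480 (x29 has not been reloaded yet) but recovers a wrong CFA and a wrong return address at 0x7f484, 0x7f488 and 0x7f48c, which are exactly the PCs where a pointer-authentication fault on <code>autiasp</code> or <code>ret</code> would be reported; with the two additional sp-based rows every epilogue PC unwinds to the caller's state.</p>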