[all-commits] [llvm/llvm-project] a4c1f5: [ARM] Harden indirect calls against SLS
Kristof Beyls via All-commits
all-commits at lists.llvm.org
Sat Dec 19 04:44:24 PST 2020
Branch: refs/heads/master
Home: https://github.com/llvm/llvm-project
Commit: a4c1f5160e6d1de9a9959ecbf329c2acf4f3ed31
https://github.com/llvm/llvm-project/commit/a4c1f5160e6d1de9a9959ecbf329c2acf4f3ed31
Author: Kristof Beyls <kristof.beyls at arm.com>
Date: 2020-12-19 (Sat, 19 Dec 2020)
Changed paths:
M llvm/lib/Target/ARM/ARM.h
M llvm/lib/Target/ARM/ARM.td
M llvm/lib/Target/ARM/ARMBaseInstrInfo.cpp
M llvm/lib/Target/ARM/ARMBaseInstrInfo.h
M llvm/lib/Target/ARM/ARMSLSHardening.cpp
M llvm/lib/Target/ARM/ARMSubtarget.h
M llvm/lib/Target/ARM/ARMTargetMachine.cpp
M llvm/test/CodeGen/ARM/O3-pipeline.ll
M llvm/test/CodeGen/ARM/speculation-hardening-sls.ll
Log Message:
-----------
[ARM] Harden indirect calls against SLS
To make sure that no barrier gets placed on the architectural execution
path, each indirect call calling the function in register rN, it gets
transformed to a direct call to __llvm_slsblr_thunk_mode_rN. mode is
either arm or thumb, depending on the mode of where the indirect call
happens.
The llvm_slsblr_thunk_mode_rN thunk contains:
bx rN
<speculation barrier>
Therefore, the indirect call gets split into 2; one direct call and one
indirect jump.
This transformation results in not inserting a speculation barrier on
the architectural execution path.
The mitigation is off by default and can be enabled by the
harden-sls-blr subtarget feature.
As a linker is allowed to clobber r12 on function calls, the
above code transformation is not correct in case a linker does so.
Similarly, the transformation is not correct when register lr is used.
Avoiding r12/lr being used is done in a follow-on patch to make
reviewing this code easier.
Differential Revision: https://reviews.llvm.org/D92468
More information about the All-commits
mailing list