[PATCH] D108479: [Clang] Add __builtin_addressof_nocfi

Peter Collingbourne via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Thu Nov 4 14:02:48 PDT 2021


pcc requested changes to this revision.
pcc added subscribers: rjmccall, rsmith.
pcc added a comment.
This revision now requires changes to proceed.

In D108479#3108360 <https://reviews.llvm.org/D108479#3108360>, @ardb wrote:

> I would argue that the existing __builtin_addressof() should absorb this behavior, rather than adding a special builtin related to CFI.
>
> As is documented for __builtin_addressof(), its intended use is in cases where the & operator may return something other than the address of the object, which is exactly the case we are dealing with here.

Maybe. It does imply two slightly orthogonal use cases for `__builtin_addressof`, one for implementing std::addressof and the other for the no-CFI use case. One question is then whether these two use cases will conflict. In libc++ we have

  template <class _Tp>
  inline _LIBCPP_CONSTEXPR_AFTER_CXX14
  _LIBCPP_NO_CFI _LIBCPP_INLINE_VISIBILITY
  _Tp*
  addressof(_Tp& __x) _NOEXCEPT
  {
      return __builtin_addressof(__x);
  }

So as long as the additional use case for `__builtin_addressof` is only activated when the argument is (syntactically) a reference to a function I don't think this libc++ code will be affected. I guess it's possible that there could be other users of `__builtin_addressof` that could be relying on the existing behavior, although it seems unlikely to me.

A similar use case that we may want to consider is for removing the pointer authentication bits when using the proposed PAuth ABI. D112941 <https://reviews.llvm.org/D112941> proposes adding a separate builtin `__builtin_ptrauth_strip` for this purpose, although I believe that it cannot be used in constant expressions. If we decide to let `__builtin_addressof` absorb the no-CFI behavior then it seems reasonable for it to absorb the PAuth stripping behavior as well, but again only if the argument is a syntactic function reference. I personally would find this somewhat confusing though because stripping in the PAuth ABI can be performed at runtime on any pointer value and not just syntactic function references.

Should the builtin return a value of type `void*` instead of a pointer to the type of its argument? This would make it clear that the value returned by the builtin is not meant to be called in the usual way (this applies to both CFI and the PAuth ABI) and I suppose is another point in favor of this being a separate builtin.

Adding @rsmith and @rjmccall who may have opinions on the above.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D108479/new/

https://reviews.llvm.org/D108479



More information about the cfe-commits mailing list