[PATCH] D148573: Port -fsanitize=function to AArch64
Fangrui Song via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Tue Apr 18 15:21:05 PDT 2023
MaskRay added a comment.
In D148573#4277573 <https://reviews.llvm.org/D148573#4277573>, @peter.smith wrote:
> As it stands I think this may have problems with -mbranch-protection. In that case we'll need a `BTI c` to be the target of the indirect branch. I'm guessing something like:
>
> _Z3funv
> BTI C ; In hint space
> B . + 8
> .word .L__llvm_rtti_proxy-_Z3funv
>
> Otherwise when the indirect call is made then it will fail on a system with BTI enabled.
>
> Not too sure how much of a problem this is for the implementation. The `BTI c` can't be used as a signature, I guess the code in the caller could check the value at `_Z3funv + 4`. The feature could be marked as incompatible with `-mbranch-protection`. I guess it may not work well with patchable functions either.
>
> I would expect the emitGlobalConstant to emit data. This would be visible in the object file as we'd have:
>
> $d
> <signature>
> <rtti>
> $x
> instructions.
>
> At the moment I don't think that this would affect anything except disassemblers, and the LLD cortex-a53 errata workaround which excludes $d from the disassembly. It is something that it could be worth fixing, especially if there is a `BTI C` involved.
Thanks. I forgot to check this interaction with `-mbranch-protection=bti`. x86 `-fcf-protection=branch` has a similar problem.
The current AArch64 bti instrumentation always adds a bti (even for local linkage functions whose addresses are not taken) to accommodate range extension thunks, but I can think of possible improvements to make `bti` optional in more cases in the future.
I think `-fsanitize=function` has to do something similar to `-fsanitize=kcfi` by moving the two words before the function entry: D148665 <https://reviews.llvm.org/D148665>
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D148573/new/
https://reviews.llvm.org/D148573
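The layouts discussed in this message, as an added C model that is not part of the thread or of LLVM's code: it treats a function as an array of 32-bit words and shows where a caller-side check would read its marker and whether an indirect call would land on a BTI pad. `SIG` and `PROXY` are constructed placeholder values, and layout 1 (type words as the first words at the entry) is a simplifying assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BTI_C   0xd503245fu /* hint #34 */
#define BTI_JC  0xd50324dfu /* hint #38 */
#define B_PLUS8 0x14000002u /* b . + 8 */
#define NOP     0xd503201fu
#define SIG     0x5a5a5a5au /* constructed placeholder, not the real signature */
#define PROXY   0x00000040u /* constructed stand-in for the RTTI proxy word */

/* With BTI enforced, an indirect call must land on a compatible pad. */
static bool bti_call_lands(const uint32_t *entry) {
    return entry[0] == BTI_C || entry[0] == BTI_JC;
}

/* Caller-side check: is `marker` at word offset `off` from the entry? */
static bool marker_at(const uint32_t *entry, int off, uint32_t marker) {
    return entry[off] == marker;
}

/* Layout 1 (assumed): type words are the first words at the entry. */
static const uint32_t at_entry[] = { SIG, PROXY, NOP };
/* Layout 2 (quoted comment): BTI c; b . + 8; .word proxy */
static const uint32_t after_bti[] = { BTI_C, B_PLUS8, PROXY, NOP };
/* Layout 3 (direction in the reply): two words before the entry. */
static const uint32_t before_entry[] = { SIG, PROXY, BTI_C, NOP };

static const uint32_t *entry1(void) { return &at_entry[0]; }
static const uint32_t *entry2(void) { return &after_bti[0]; }
static const uint32_t *entry3(void) { return &before_entry[2]; }

int main(void) {
    printf("layout 1: lands=%d marker@0=%d\n",
           bti_call_lands(entry1()), marker_at(entry1(), 0, SIG));
    printf("layout 2: lands=%d marker@+4=%d\n",
           bti_call_lands(entry2()), marker_at(entry2(), 1, B_PLUS8));
    printf("layout 3: lands=%d marker@-8=%d\n",
           bti_call_lands(entry3()), marker_at(entry3(), -2, SIG));
    return 0;
}
```
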