[libcxx-commits] [PATCH] D63006: [libunwind][AArch64] Fix libunwind::Registers_arm64::jumpto
Mikhail Maltsev via Phabricator via libcxx-commits
libcxx-commits at lists.llvm.org
Fri Jun 7 07:18:02 PDT 2019
miyuki created this revision.
miyuki added a reviewer: phosek.
Herald added subscribers: christof, kristof.beyls, javed.absar.
Herald added a project: libc++.
The AArch64 version of the libunwind function which restores the
CPU state and resumes execution is not interrupt-safe. It restores
the target value of SP before loading the floating-point registers
from the context struct, but that struct is allocated on the stack
which is being deallocated. This means that if an interrupt occurs
during this function, and uses a lot of stack space, it could
overwrite the values about to be loaded into the floating-point
registers.
This patch fixes the issue.
Patch by Oliver Stannard.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D63006
Files:
libunwind/src/UnwindRegistersRestore.S
Index: libunwind/src/UnwindRegistersRestore.S
===================================================================
--- libunwind/src/UnwindRegistersRestore.S
+++ libunwind/src/UnwindRegistersRestore.S
@@ -575,7 +575,8 @@
ldp x10,x11, [x0, #0x050]
ldp x12,x13, [x0, #0x060]
ldp x14,x15, [x0, #0x070]
- ldp x16,x17, [x0, #0x080]
+ // x16 and x17 were clobbered by the call into the unwinder, so no point in
+ // restoring them.
ldp x18,x19, [x0, #0x090]
ldp x20,x21, [x0, #0x0A0]
ldp x22,x23, [x0, #0x0B0]
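Review bot: the new comment in place of `ldp x16,x17, [x0, #0x080]` gives the reason the restore is pointless (x16/x17 are the AAPCS64 IP0/IP1 scratch registers, so the call into the unwinder may already have clobbered them) but not the reason the slot must stay free: x16 is reused further down as the temporary for the sp restore, so anyone re-adding the load here later would silently depend on that ordering. Suggest extending the comment to `// ... so no point in restoring them; x16 is reused below as scratch for the sp restore.`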
@@ -583,8 +584,6 @@
ldp x26,x27, [x0, #0x0D0]
ldp x28,x29, [x0, #0x0E0]
ldr x30, [x0, #0x100] // restore pc into lr
- ldr x1, [x0, #0x0F8]
- mov sp,x1 // restore sp
ldp d0, d1, [x0, #0x110]
ldp d2, d3, [x0, #0x120]
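Review bot: removing `ldr x1, [x0, #0x0F8]` / `mov sp,x1` here is the substance of the fix, since every `ldp d…, [x0, …]` that follows still reads the context while sp points at the unwinder's own frame, and x1 is overwritten anyway by the final `ldp x0, x1, [x0, #0x000]`, so no register value visible to the resumed code changes. Worth stating in the summary that the remainder of the function contains no stack-relative access that relied on sp already holding the target value; the shown context has none, and a future edit that adds one (e.g. a store through sp) would reintroduce the problem in the other direction.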
@@ -604,7 +603,13 @@
ldr d30, [x0, #0x200]
ldr d31, [x0, #0x208]
+ // Finally, restore sp. This must be done after the the last read from the
+ // context struct, because it is allocated on the stack, and an exception
+ // could clobber the de-allocated portion of the stack after sp has been
+ // restored.
+ ldr x16, [x0, #0x0F8]
ldp x0, x1, [x0, #0x000] // restore x0,x1
+ mov sp,x16 // restore sp
ret x30 // jump to pc
#elif defined(__arm__) && !defined(__APPLE__)
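Review bot: typo in the new comment, `after the the last read from the` should read `after the last read from the`. The instruction order is otherwise the only correct one and deserves a comment of its own: `ldr x16, [x0, #0x0F8]` must come before `ldp x0, x1, [x0, #0x000]` because that load destroys x0, the base register for every context read, and `mov sp,x16` must come after it so that no load follows the change of sp. Using x16 as the temporary is consistent with AAPCS64 (IP0 is caller-clobbered) and with not restoring it earlier in this function; a one-line note on the `ldr x16` that x0 is about to be clobbered would make the dependency explicit.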
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D63006.203554.patch
Type: text/x-patch
Size: 1388 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/libcxx-commits/attachments/20190607/1ff33ad2/attachment-0001.bin>
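To make the hazard described in the summary concrete on a host machine, here is an added, self-contained C model of the two instruction orderings; it is not code from the patch or from libunwind. It replays the loads of `jumpto` against a simulated downward-growing stack using the context offsets shown in the hunks (0x000 for x0, 0x0F8 for sp, 0x100 for pc, 0x110 for d0), and delivers a simulated interrupt immediately after the instruction that writes sp. The interrupt handler is assumed to push 1024 bytes (IRQ_FRAME) below sp; the register values, the stack layout and the frame size are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 4096
#define IRQ_FRAME  1024   /* assumed stack usage of the interrupt handler */

/* The subset of machine state that jumpto writes. */
struct regs {
    uint64_t x[31];
    uint64_t sp;
    double   d[32];
};

/* Simulated stack; "addresses" are byte offsets into this array. The
   unwinder's frame (holding the context struct) sits at a lower address
   than the frame being resumed, exactly as on a real downward-growing stack. */
static uint8_t sim_stack[STACK_SIZE];

static uint64_t ld64(uint64_t a) { uint64_t v; memcpy(&v, sim_stack + a, 8); return v; }
static double   ldd (uint64_t a) { double v;   memcpy(&v, sim_stack + a, 8); return v; }
static void     st64(uint64_t a, uint64_t v)  { memcpy(sim_stack + a, &v, 8); }
static void     st_d(uint64_t a, double v)    { memcpy(sim_stack + a, &v, 8); }

/* Model of an asynchronous interrupt: the handler pushes IRQ_FRAME bytes
   below the current sp and uses them. Whatever the interrupted code still
   wanted to read from below sp is gone afterwards. */
static void deliver_interrupt(uint64_t sp)
{
    if (sp < IRQ_FRAME || sp > STACK_SIZE) return;
    memset(sim_stack + (sp - IRQ_FRAME), 0xCC, IRQ_FRAME);
}

/* Build a context at address x0 with recognisable values (constructed data).
   The resumed frame's sp is target_sp, above the context. */
static void build_context(uint64_t x0, uint64_t target_sp)
{
    memset(sim_stack, 0, sizeof sim_stack);
    for (int i = 0; i < 31; i++) st64(x0 + 8 * i, 0x1000 + i);   /* x0..x30 */
    st64(x0 + 0x0F8, target_sp);                                  /* sp */
    st64(x0 + 0x100, 0x400000);                                   /* pc */
    for (int i = 0; i < 32; i++) st_d(x0 + 0x110 + 8 * i, 1.5 * i); /* d0..d31 */
}

/* Replay of jumpto. sp_last == 0 is the original order (sp restored before the
   d-register loads), sp_last == 1 is the patched order (sp restored after the
   last context read). The interrupt is delivered right after sp is written,
   the worst case for the original order. */
static void jumpto(uint64_t x0, int sp_last, struct regs *r)
{
    memset(r, 0, sizeof *r);
    for (int i = 2; i <= 29; i++)                 /* ldp x2..x29 */
        if (i != 16 && i != 17) r->x[i] = ld64(x0 + 8 * i);   /* x16/x17 skipped */
    r->x[30] = ld64(x0 + 0x100);                  /* ldr x30: pc into lr */
    if (!sp_last) {
        r->x[1] = ld64(x0 + 0x0F8);               /* ldr x1, [x0, #0x0F8] */
        r->sp   = r->x[1];                        /* mov sp, x1 */
        deliver_interrupt(r->sp);                 /* context now lies below sp */
    }
    for (int i = 0; i < 32; i++)                  /* ldp d0..d31 */
        r->d[i] = ldd(x0 + 0x110 + 8 * i);
    if (sp_last) {
        r->x[16] = ld64(x0 + 0x0F8);              /* ldr x16, [x0, #0x0F8] */
        r->x[0]  = ld64(x0 + 0x000);              /* ldp x0, x1, [x0, #0x000] */
        r->x[1]  = ld64(x0 + 0x008);              /* (x0 is now clobbered) */
        r->sp    = r->x[16];                      /* mov sp, x16 */
        deliver_interrupt(r->sp);                 /* nothing left to read */
    } else {
        r->x[0] = ld64(x0 + 0x000);
        r->x[1] = ld64(x0 + 0x008);
    }
    /* ret x30 */
}

/* Runs one ordering; returns 1 if d0..d31 hold the context's values, 0 if
   the interrupt clobbered any of them. */
int run_jumpto(int sp_last)
{
    enum { CTX = 1024, TARGET_SP = 2048 };   /* TARGET_SP - IRQ_FRAME == CTX */
    struct regs r;
    build_context(CTX, TARGET_SP);
    jumpto(CTX, sp_last, &r);
    for (int i = 0; i < 32; i++)
        if (r.d[i] != 1.5 * i) return 0;
    return 1;
}

int main(void)
{
    printf("original order: fp regs %s\n", run_jumpto(0) ? "intact" : "clobbered"); /* clobbered */
    printf("patched order:  fp regs %s\n", run_jumpto(1) ? "intact" : "clobbered"); /* intact */
    return 0;
}
```

The model only shows the ordering argument; it does not reproduce the real trap entry, and on hardware the window is the few instructions between `mov sp` and `ret`, which is exactly why the fix leaves no memory read in that window.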