[PATCH] D49069: Introduce control flow speculation tracking for AArch64.
Kristof Beyls via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Mon Jul 9 04:36:20 PDT 2018
kristof.beyls created this revision.
Herald added subscribers: llvm-commits, mgorny.
Herald added a reviewer: javed.absar.
This is part of implementing a technique to mitigate against Spectre v1,
similar in spirit to what has been proposed by Chandler for X86_64 at
http://lists.llvm.org/pipermail/llvm-dev/2018-March/122085.html.
This patch introduces the AArch64SpeculationHardeningPass. The pass
modifies code to track whether any previously executed direct
conditional branch has been mispredicted. The command line argument to
do so is -aarch64-track-speculation.
As is, the patch makes use of the AArch64 ABI convention that X16 and
X17 can be clobbered on function call boundaries to store the
miss-speculation state in register X16 and on function call boundaries
temporarily use X17 to help encode this information in the stack pointer
register.
Register X16 contains value 0 when any misprediction has been detected,
and otherwise contains value 0xFFF..FFF. This makes it easy to use it as
a mask for any value that needs to be nullified when miss-speculation
has happened. This patch only implements this tracking of
miss-speculation in register X16. Actually using the value in X16 to
protect specific values against leaking under miss-speculation is
implemented in follow-on patches.
On a function call, control flow miss-speculation is encoded by making
the stack pointer have value 0. On correct control flow speculation, the
value of the stack pointer remains unchanged. Since 0 is not a value the
stack pointer should have on any valid function call, this is a reliable
backwards ABI-compatible way to encode the miss-speculation information.
In between function calls, as implied above, the information is encoded
in register X16 as value 0, so that it is cheap to use that value
(implemented in a later patch) to nullify values that must not be used
on a miss-speculated execution path.
I hope that splitting the patches this way makes it easier to review
them.
Repository:
rL LLVM
https://reviews.llvm.org/D49069
Files:
lib/Target/AArch64/AArch64.h
lib/Target/AArch64/AArch64FastISel.cpp
lib/Target/AArch64/AArch64ISelLowering.cpp
lib/Target/AArch64/AArch64InstructionSelector.cpp
lib/Target/AArch64/AArch64RegisterInfo.cpp
lib/Target/AArch64/AArch64SpeculationHardening.cpp
lib/Target/AArch64/AArch64TargetMachine.cpp
lib/Target/AArch64/CMakeLists.txt
test/CodeGen/AArch64/O0-pipeline.ll
test/CodeGen/AArch64/O3-pipeline.ll
test/CodeGen/AArch64/speculation-hardening.ll
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D49069.154568.patch
Type: text/x-patch
Size: 23361 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20180709/811a52ff/attachment.bin>
More information about the llvm-commits
mailing list