[PATCH] D49070: Introduce llvm.speculation_safe_value intrinsic.

Kristof Beyls via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Jul 9 04:39:41 PDT 2018 

kristof.beyls created this revision.
Herald added a reviewer: javed.absar.
Herald added a subscriber: llvm-commits.

This is part of implementing a technique to mitigate against Spectre v1,
similar in spirit to what has been proposed by Chandler for X86_64 at
http://lists.llvm.org/pipermail/llvm-dev/2018-March/122085.html.

This patch adds a new llvm intrinsic:

  T @llvm.speculation_safe_value(T %val)

where T can be any integer or any pointer type.

- This intrinsic returns either value %val or 0. When this intrinsic is executed on a miss-speculated path, where the miss-speculation is caused by at least one miss-predicted direct conditional branch, the intrinsic guarantees that value 0 is returned.
- This intrinsic is close to what Philip Reames suggested as an alternative on https://reviews.llvm.org/D41761.
- This could be extended to become T @llvm.speculation_safe_value(T %val, T %miss_spec_val) where the intrinsics returns %miss_spec_val instead of 0 when executed on miss-speculated path. However, that is currently not implemented in this patch.

The introduction of this intrinsic has multiple advantages in helping to
mitigate against Spectre v1 attacks:

- It enables users to only mark the specific values they need to be protected under miss-speculation - if they know which values/program locations need protection.
- For automatic protection of all values loaded: this enables relatively easy experimentation with different heuristics of where the intrinsic/protection should get inserted. One such example heuristic is implemented in a follow-on patch. In other words, even when only focussing on a fully automated approach, separating the decisions on where to insert protection vs doing the necessary transforms/lowering on where protection is needed makes the code slightly easier to understand, review and maintain.

The intrinsic (as implemented in this patch) assumes control flow
miss-speculation tracking has been enabled (see previous patch).
A follow-on patch will make this intrinsic also work without needing
the miss-speculation tracking.


Repository:
  rL LLVM

https://reviews.llvm.org/D49070

Files:
  docs/LangRef.rst
  include/llvm/CodeGen/ISDOpcodes.h
  include/llvm/IR/Intrinsics.td
  include/llvm/Target/TargetSelectionDAG.td
  lib/CodeGen/SelectionDAG/LegalizeIntegerTypes.cpp
  lib/CodeGen/SelectionDAG/LegalizeTypes.h
  lib/CodeGen/SelectionDAG/SelectionDAGBuilder.cpp
  lib/CodeGen/SelectionDAG/SelectionDAGDumper.cpp
  lib/Target/AArch64/AArch64ISelLowering.cpp
  lib/Target/AArch64/AArch64ISelLowering.h
  lib/Target/AArch64/AArch64InstrInfo.cpp
  lib/Target/AArch64/AArch64InstrInfo.h
  lib/Target/AArch64/AArch64InstrInfo.td
  lib/Target/AArch64/AArch64SpeculationHardening.cpp
  test/CodeGen/AArch64/speculation-hardening.ll

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D49070.154570.patch
Type: text/x-patch
Size: 23137 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20180709/72533f2c/attachment-0001.bin>

More information about the llvm-commits mailing list