[llvm] MachineVerifier: Check stack protector is top-most in frame (PR #121481)

Guy David via llvm-commits llvm-commits at lists.llvm.org
Thu Jan 2 07:02:13 PST 2025


https://github.com/guy-david created https://github.com/llvm/llvm-project/pull/121481

Somewhat paranoid, but mitigates potential bugs in the future that might place it elsewhere and render the mechanism useless.

>From 27431aa1a2b6fff64be05907a30c3dc07f719d5b Mon Sep 17 00:00:00 2001
From: Guy David <guyda96 at gmail.com>
Date: Thu, 2 Jan 2025 16:28:13 +0200
Subject: [PATCH] MachineVerifier: Check stack protector is top-most in frame

Mitigate against potential bugs that might place it elsewhere and render
the mechanism useless.
---
 llvm/include/llvm/CodeGen/MachineFrameInfo.h  |  6 ++-
 llvm/lib/CodeGen/MachineVerifier.cpp          | 43 +++++++++++++++++++
 .../stack-protector-offset.mir                | 17 ++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 llvm/test/MachineVerifier/stack-protector-offset.mir

diff --git a/llvm/include/llvm/CodeGen/MachineFrameInfo.h b/llvm/include/llvm/CodeGen/MachineFrameInfo.h
index 213b7ec6b3fbfb..6eed8439c172db 100644
--- a/llvm/include/llvm/CodeGen/MachineFrameInfo.h
+++ b/llvm/include/llvm/CodeGen/MachineFrameInfo.h
@@ -358,7 +358,11 @@ class MachineFrameInfo {
 
   /// Return the index for the stack protector object.
   int getStackProtectorIndex() const { return StackProtectorIdx; }
-  void setStackProtectorIndex(int I) { StackProtectorIdx = I; }
+  void setStackProtectorIndex(int I) {
+    assert(StackProtectorIdx == -1 && "Stack protector index already set");
+    assert(I >= 0 && "Invalid stack protector index");
+    StackProtectorIdx = I;
+  }
   bool hasStackProtectorIndex() const { return StackProtectorIdx != -1; }
 
   /// Return the index for the function context object.
diff --git a/llvm/lib/CodeGen/MachineVerifier.cpp b/llvm/lib/CodeGen/MachineVerifier.cpp
index bec36b728ae328..3375ae167ab4a7 100644
--- a/llvm/lib/CodeGen/MachineVerifier.cpp
+++ b/llvm/lib/CodeGen/MachineVerifier.cpp
@@ -353,6 +353,8 @@ struct MachineVerifier {
                        LaneBitmask LaneMask = LaneBitmask::getNone());
 
   void verifyStackFrame();
+  // Check that the stack protector is the top-most object in the stack.
+  void verifyStackProtector();
 
   void verifySlotIndexes() const;
   void verifyProperties(const MachineFunction &MF);
@@ -4038,3 +4040,44 @@ void MachineVerifier::verifyStackFrame() {
     }
   }
 }
+
+void MachineVerifier::verifyStackProtector() {
+  const MachineFrameInfo &MFI = MF->getFrameInfo();
+  if (!MFI.hasStackProtectorIndex())
+    return;
+  // Only applicable when the offsets of frame objects have been determined,
+  // which is indicated by a non-zero stack size.
+  if (!MFI.getStackSize())
+    return;
+  const TargetFrameLowering &TFI = *MF->getSubtarget().getFrameLowering();
+  bool StackGrowsDown =
+      TFI.getStackGrowthDirection() == TargetFrameLowering::StackGrowsDown;
+  assert(StackGrowsDown && "Only support stack growth down");
+  assert(MFI.isCalleeSavedInfoValid() &&
+         "Callee saved info is expected to be valid at this point");
+  // Collect the frame indices of the callee-saved registers which are spilled
+  // to the stack. These are the registers that are stored above the stack
+  // protector.
+  SmallSet<unsigned, 4> CalleeSavedFrameIndices;
+  for (const CalleeSavedInfo &Info : MFI.getCalleeSavedInfo()) {
+    if (!Info.isSpilledToReg())
+      CalleeSavedFrameIndices.insert(Info.getFrameIdx());
+  }
+  unsigned FI = MFI.getStackProtectorIndex();
+  int64_t SPOffset = MFI.getObjectOffset(FI);
+  for (unsigned I = 0, E = MFI.getObjectIndexEnd(); I != E; ++I) {
+    if (I == FI)
+      continue;
+    // Variable-sized objects do not have a fixed offset.
+    if (MFI.isVariableSizedObjectIndex(I))
+      continue;
+    if (CalleeSavedFrameIndices.contains(I))
+      continue;
+    if (SPOffset < MFI.getObjectOffset(I)) {
+      report("Stack protector is not the top-most object on the stack", MF);
+      OS << "Stack protector is not the top-most object on the stack in "
+         << MF->getName() << '\n';
+      break;
+    }
+  }
+}
diff --git a/llvm/test/MachineVerifier/stack-protector-offset.mir b/llvm/test/MachineVerifier/stack-protector-offset.mir
new file mode 100644
index 00000000000000..3fbeab2eb3b46b
--- /dev/null
+++ b/llvm/test/MachineVerifier/stack-protector-offset.mir
@@ -0,0 +1,17 @@
+# RUN: not --crash llc -mtriple=aarch64 -run-pass=machineverifier -o - %s 2>&1 | FileCheck %s
+# REQUIRES: aarch64-registered-target
+
+# CHECK: *** Bad machine code: Stack protector is not the top-most object on the stack ***
+
+---
+name:            main
+frameInfo:
+  stackSize:       16
+  stackProtector:  '%stack.1'
+  isCalleeSavedInfoValid: true
+stack:
+  - { id: 0, offset: -16, size: 8, alignment: 8, stack-id: default }
+  - { id: 1, offset: -32, size: 8, alignment: 8, stack-id: default }
+body:             |
+  bb.0:
+...



More information about the llvm-commits mailing list