[llvm] [PAC][InstCombine] Replace auth+sign with resign (PR #130807)

Anatoly Trosinenko via llvm-commits llvm-commits at lists.llvm.org
Fri Mar 14 06:56:54 PDT 2025


atrosinenko wrote:

> but it seems this is a "best effort" fix

This is only a best-effort fix and it can even increase the code size sometimes, as it effectively turns this code

```
tmp = auth(old, schema1)
new1 = sign(tmp, schema2)
new2 = sign(tmp, schema3)
new3 = sign(tmp, schema4)
```
into this
```
tmp = auth(old, schema1)
new1 = sign(tmp, schema2)
tmp = auth(old, schema1)
new2 = sign(tmp, schema3)
tmp = auth(old, schema1)
new3 = sign(tmp, schema4)
```
Though, the correct approach of emitting `resign` from the start would have the same effect on code size, I think.

> I wonder if you could share any insights into where these auth and sign sequences typically originate from.

Considering that these signing oracles are being observed "in the wild", I experimented with your gadget-scanner prototype to search for other kinds of gadgets, and for the entire llvm-test-suite (excluding `Bitcode/` and a few other places) built at the O2 optimization level, it found 349 signing oracles that are fixed by this PR, but they all seem to originate either from `MicroBenchmarks/libs/benchmark/src/sysinfo.cc` (6 reports per executable in `benchmark::CPUInfo::CPUInfo()`) or from `MicroBenchmarks/libs/benchmark/test/output_test_helper.cc` (5 reports per executable: 3 in `RunOutputTests(int, char**)::ReporterTest::~ReporterTest()` and 2 in `GetFileReporterOutput(int, char**)`).

I tried tracing the origins of these `auth` and `sign` intrinsics when this instcombine rule triggers and found the following call stacks: [`CodeGenFunction::InitializeVTablePointer`](https://github.com/llvm/llvm-project/blob/737a0aeb6b4ec5bee87af6b5b1cb987427aef5f8/clang/lib/CodeGen/CGClass.cpp#L2612) creates the `auth` intrinsic call here:
* `clang::CodeGen::CodeGenFunction::InitializeVTablePointer` ([clang/lib/CodeGen/CGClass.cpp:2618](https://github.com/llvm/llvm-project/blob/52225d2702592b220f87aa82fb434bf776d4f745/clang/lib/CodeGen/CGClass.cpp#L2618))
* `ItaniumCXXABI::getVTableAddressPointInStructor` ([clang/lib/CodeGen/ItaniumCXXABI.cpp:2077](https://github.com/llvm/llvm-project/blob/52225d2702592b220f87aa82fb434bf776d4f745/clang/lib/CodeGen/ItaniumCXXABI.cpp#L2077))
* `ItaniumCXXABI::getVTableAddressPointInStructorWithVTT` ([clang/lib/CodeGen/ItaniumCXXABI.cpp:2139](https://github.com/llvm/llvm-project/blob/52225d2702592b220f87aa82fb434bf776d4f745/clang/lib/CodeGen/ItaniumCXXABI.cpp#L2139))
* calls `EmitPointerAuthAuth`...

and `sign` is created here:

* `clang::CodeGen::CodeGenFunction::InitializeVTablePointer` ([clang/lib/CodeGen/CGClass.cpp:2659](https://github.com/llvm/llvm-project/blob/52225d2702592b220f87aa82fb434bf776d4f745/clang/lib/CodeGen/CGClass.cpp#L2659))
* calls `EmitPointerAuthSign`...

Note that this was an arbitrary pair of auth+sign that was combined by this rule, not necessarily one of those actually usable as a signing oracle. By the way, `rr` helps significantly by making it possible to reverse-continue from the breakpoint with watchpoints set at `II->SubclassID` and `CI->SubclassID`.

https://github.com/llvm/llvm-project/pull/130807
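The auth+sign chain discussed in the comment above, written out with the `llvm.ptrauth.*` intrinsics, as an added example that is not part of the PR or the author's message. The key numbers and discriminator constants are constructed placeholders (AArch64 encodes the keys as 0 = IA, 1 = IB, 2 = DA, 3 = DB), and the function names `@before` and `@after` are hypothetical; the "after" function shows the shape the rule rewrites into, with one `resign` (and therefore one repeated authentication) per former `sign`, which is the code-size trade-off the comment points out.

```llvm
; Added example, not code from PR #130807. Keys/discriminators are
; constructed placeholders, not values taken from the PR.
declare i64 @llvm.ptrauth.auth(i64, i32, i64)
declare i64 @llvm.ptrauth.sign(i64, i32, i64)
declare i64 @llvm.ptrauth.resign(i64, i32, i64, i32, i64)

; Before: a single auth (schema1 = key DA, disc 1000) produces the raw,
; unsigned pointer %tmp, which then feeds three separate signs. The raw
; pointer lives in a register/stack slot between the auth and each sign,
; which is the window a signing-oracle scanner reports.
define void @before(i64 %old, ptr %out) {
  %tmp  = call i64 @llvm.ptrauth.auth(i64 %old, i32 2, i64 1000)
  %new1 = call i64 @llvm.ptrauth.sign(i64 %tmp, i32 2, i64 2001)
  %new2 = call i64 @llvm.ptrauth.sign(i64 %tmp, i32 2, i64 2002)
  %new3 = call i64 @llvm.ptrauth.sign(i64 %tmp, i32 2, i64 2003)
  %p1 = getelementptr i64, ptr %out, i64 0
  %p2 = getelementptr i64, ptr %out, i64 1
  %p3 = getelementptr i64, ptr %out, i64 2
  store i64 %new1, ptr %p1
  store i64 %new2, ptr %p2
  store i64 %new3, ptr %p3
  ret void
}

; After: each sign becomes a resign that re-authenticates %old under
; schema1 itself, so no raw pointer value is shared between the three
; results. The authentication is repeated three times, which is why the
; comment notes that this can increase code size.
define void @after(i64 %old, ptr %out) {
  %new1 = call i64 @llvm.ptrauth.resign(i64 %old, i32 2, i64 1000, i32 2, i64 2001)
  %new2 = call i64 @llvm.ptrauth.resign(i64 %old, i32 2, i64 1000, i32 2, i64 2002)
  %new3 = call i64 @llvm.ptrauth.resign(i64 %old, i32 2, i64 1000, i32 2, i64 2003)
  %p1 = getelementptr i64, ptr %out, i64 0
  %p2 = getelementptr i64, ptr %out, i64 1
  %p3 = getelementptr i64, ptr %out, i64 2
  store i64 %new1, ptr %p1
  store i64 %new2, ptr %p2
  store i64 %new3, ptr %p3
  ret void
}
```

With the PR applied, running `opt -passes=instcombine` over `@before` should yield the `@after` shape; on a build without it, `@before` is left as is, which makes the two functions a convenient before/after pair for checking whether a given toolchain carries the rewrite.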

