[llvm] [BOLT] Gadget scanner: detect non-protected indirect calls (PR #131899)
Anatoly Trosinenko via llvm-commits
llvm-commits at lists.llvm.org
Tue Mar 25 11:57:20 PDT 2025
https://github.com/atrosinenko updated https://github.com/llvm/llvm-project/pull/131899
>From 2d82b35ff28c12db2ad249133a9b931d1a25ea6e Mon Sep 17 00:00:00 2001
From: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
Date: Tue, 18 Mar 2025 21:32:11 +0300
Subject: [PATCH] [BOLT] Gadget scanner: detect non-protected indirect calls
---
bolt/include/bolt/Core/MCPlusBuilder.h | 10 +
bolt/lib/Passes/PAuthGadgetScanner.cpp | 33 +-
.../Target/AArch64/AArch64MCPlusBuilder.cpp | 42 ++
.../binary-analysis/AArch64/gs-pauth-calls.s | 676 ++++++++++++++++++
.../AArch64/gs-pauth-debug-output.s | 49 +-
5 files changed, 796 insertions(+), 14 deletions(-)
create mode 100644 bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
diff --git a/bolt/include/bolt/Core/MCPlusBuilder.h b/bolt/include/bolt/Core/MCPlusBuilder.h
index 76ea2489e7038..8b6dc14121480 100644
--- a/bolt/include/bolt/Core/MCPlusBuilder.h
+++ b/bolt/include/bolt/Core/MCPlusBuilder.h
@@ -577,6 +577,16 @@ class MCPlusBuilder {
return getNoRegister();
}
+ /// Returns the register used as call destination, or no-register, if not
+ /// an indirect call. Sets IsAuthenticatedInternally if the instruction
+ /// accepts a signed pointer as its operand and authenticates it internally.
+ virtual MCPhysReg
+ getRegUsedAsCallDest(const MCInst &Inst,
+ bool &IsAuthenticatedInternally) const {
+ llvm_unreachable("not implemented");
+ return getNoRegister();
+ }
+
virtual bool isTerminator(const MCInst &Inst) const;
virtual bool isNoop(const MCInst &Inst) const {
diff --git a/bolt/lib/Passes/PAuthGadgetScanner.cpp b/bolt/lib/Passes/PAuthGadgetScanner.cpp
index e9940372f5c92..dcc7d93183900 100644
--- a/bolt/lib/Passes/PAuthGadgetScanner.cpp
+++ b/bolt/lib/Passes/PAuthGadgetScanner.cpp
@@ -401,11 +401,11 @@ class PacRetAnalysis
public:
std::vector<MCInstReference>
- getLastClobberingInsts(const MCInst Ret, BinaryFunction &BF,
- const ArrayRef<MCPhysReg> UsedDirtyRegs) const {
+ getLastClobberingInsts(const MCInst &Inst, BinaryFunction &BF,
+ const ArrayRef<MCPhysReg> UsedDirtyRegs) {
if (RegsToTrackInstsFor.empty())
return {};
- auto MaybeState = getStateAt(Ret);
+ auto MaybeState = getStateBefore(Inst);
if (!MaybeState)
llvm_unreachable("Expected State to be present");
const State &S = *MaybeState;
@@ -453,6 +453,29 @@ shouldReportReturnGadget(const BinaryContext &BC, const MCInstReference &Inst,
return std::make_shared<GadgetReport>(RetKind, Inst, RetReg);
}
+static std::shared_ptr<Report>
+shouldReportCallGadget(const BinaryContext &BC, const MCInstReference &Inst,
+ const State &S) {
+ static const GadgetKind CallKind("non-protected call found");
+ if (!BC.MIB->isCall(Inst) && !BC.MIB->isBranch(Inst))
+ return nullptr;
+
+ bool IsAuthenticated = false;
+ MCPhysReg DestReg = BC.MIB->getRegUsedAsCallDest(Inst, IsAuthenticated);
+ if (IsAuthenticated || DestReg == BC.MIB->getNoRegister())
+ return nullptr;
+
+ LLVM_DEBUG({
+ traceInst(BC, "Found call inst", Inst);
+ traceReg(BC, "Call destination reg", DestReg);
+ traceRegMask(BC, "SafeToDerefRegs", S.SafeToDerefRegs);
+ });
+ if (S.SafeToDerefRegs[DestReg])
+ return nullptr;
+
+ return std::make_shared<GadgetReport>(CallKind, Inst, DestReg);
+}
+
FunctionAnalysisResult
Analysis::findGadgets(BinaryFunction &BF,
MCPlusBuilder::AllocatorIdTy AllocatorId) {
@@ -469,7 +492,7 @@ Analysis::findGadgets(BinaryFunction &BF,
for (BinaryBasicBlock &BB : BF) {
for (int64_t I = 0, E = BB.size(); I < E; ++I) {
MCInstReference Inst(&BB, I);
- const State &S = *PRA.getStateAt(Inst);
+ const State &S = *PRA.getStateBefore(Inst);
// If non-empty state was never propagated from the entry basic block
// to Inst, assume it to be unreachable and report a warning.
@@ -481,6 +504,8 @@ Analysis::findGadgets(BinaryFunction &BF,
if (auto Report = shouldReportReturnGadget(BC, Inst, S))
Result.Diagnostics.push_back(Report);
+ if (auto Report = shouldReportCallGadget(BC, Inst, S))
+ Result.Diagnostics.push_back(Report);
}
}
return Result;
diff --git a/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp b/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
index d238a1df5c7d7..9ce1514639f95 100644
--- a/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
+++ b/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
@@ -277,6 +277,48 @@ class AArch64MCPlusBuilder : public MCPlusBuilder {
}
}
+ MCPhysReg
+ getRegUsedAsCallDest(const MCInst &Inst,
+ bool &IsAuthenticatedInternally) const override {
+ assert(isCall(Inst) || isBranch(Inst));
+ IsAuthenticatedInternally = false;
+
+ switch (Inst.getOpcode()) {
+ case AArch64::B:
+ case AArch64::BL:
+ assert(Inst.getOperand(0).isExpr());
+ return getNoRegister();
+ case AArch64::Bcc:
+ case AArch64::CBNZW:
+ case AArch64::CBNZX:
+ case AArch64::CBZW:
+ case AArch64::CBZX:
+ assert(Inst.getOperand(1).isExpr());
+ return getNoRegister();
+ case AArch64::TBNZW:
+ case AArch64::TBNZX:
+ case AArch64::TBZW:
+ case AArch64::TBZX:
+ assert(Inst.getOperand(2).isExpr());
+ return getNoRegister();
+ case AArch64::BR:
+ case AArch64::BLR:
+ return Inst.getOperand(0).getReg();
+ case AArch64::BRAA:
+ case AArch64::BRAB:
+ case AArch64::BRAAZ:
+ case AArch64::BRABZ:
+ case AArch64::BLRAA:
+ case AArch64::BLRAB:
+ case AArch64::BLRAAZ:
+ case AArch64::BLRABZ:
+ IsAuthenticatedInternally = true;
+ return Inst.getOperand(0).getReg();
+ default:
+ llvm_unreachable("Unhandled call instruction");
+ }
+ }
+
bool isADRP(const MCInst &Inst) const override {
return Inst.getOpcode() == AArch64::ADRP;
}
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
new file mode 100644
index 0000000000000..3098e8ec954d2
--- /dev/null
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
@@ -0,0 +1,676 @@
+// RUN: %clang %cflags -march=armv8.3-a %s -o %t.exe
+// RUN: llvm-bolt-binary-analysis --scanners=pacret %t.exe 2>&1 | FileCheck %s
+
+// FIXME In the below test cases, LR is usually not spilled as needed, as it is
+// not checked by BOLT.
+
+ .text
+
+ .globl good_direct_call
+ .type good_direct_call, at function
+good_direct_call:
+// CHECK-NOT: good_direct_call
+ paciasp
+ bl callee_ext
+ autiasp
+ ret
+ .size good_direct_call, .-good_direct_call
+
+ .globl good_indirect_call_arg
+ .type good_indirect_call_arg, at function
+good_indirect_call_arg:
+// CHECK-NOT: good_indirect_call_arg
+ paciasp
+ autia x0, x1
+ blr x0
+ autiasp
+ ret
+ .size good_indirect_call_arg, .-good_indirect_call_arg
+
+ .globl good_indirect_call_mem
+ .type good_indirect_call_mem, at function
+good_indirect_call_mem:
+// CHECK-NOT: good_indirect_call_mem
+ paciasp
+ ldr x16, [x0]
+ autia x16, x0
+ blr x16
+ autiasp
+ ret
+ .size good_indirect_call_mem, .-good_indirect_call_mem
+
+ .globl good_indirect_call_arg_v83
+ .type good_indirect_call_arg_v83, at function
+good_indirect_call_arg_v83:
+// CHECK-NOT: good_indirect_call_arg_v83
+ paciasp
+ blraa x0, x1
+ autiasp
+ ret
+ .size good_indirect_call_arg_v83, .-good_indirect_call_arg_v83
+
+ .globl good_indirect_call_mem_v83
+ .type good_indirect_call_mem_v83, at function
+good_indirect_call_mem_v83:
+// CHECK-NOT: good_indirect_call_mem_v83
+ paciasp
+ ldr x16, [x0]
+ blraa x16, x0
+ autiasp
+ ret
+ .size good_indirect_call_mem_v83, .-good_indirect_call_mem_v83
+
+ .globl bad_indirect_call_arg
+ .type bad_indirect_call_arg, at function
+bad_indirect_call_arg:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
+ paciasp
+ blr x0
+ autiasp
+ ret
+ .size bad_indirect_call_arg, .-bad_indirect_call_arg
+
+ .globl bad_indirect_call_mem
+ .type bad_indirect_call_mem, at function
+bad_indirect_call_mem:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ ldr x16, [x0]
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem, .-bad_indirect_call_mem
+
+ .globl bad_indirect_call_arg_clobber
+ .type bad_indirect_call_arg_clobber, at function
+bad_indirect_call_arg_clobber:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg_clobber, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w0, w2
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x0, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: mov w0, w2
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ autia x0, x1
+ mov w0, w2
+ blr x0
+ autiasp
+ ret
+ .size bad_indirect_call_arg_clobber, .-bad_indirect_call_arg_clobber
+
+ .globl bad_indirect_call_mem_clobber
+ .type bad_indirect_call_mem_clobber, at function
+bad_indirect_call_mem_clobber:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_clobber, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x0
+// CHECK-NEXT: {{[0-9a-f]+}}: mov w16, w2
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ ldr x16, [x0]
+ autia x16, x0
+ mov w16, w2
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_clobber, .-bad_indirect_call_mem_clobber
+
+ .globl good_indirect_call_mem_chain_of_auts
+ .type good_indirect_call_mem_chain_of_auts, at function
+good_indirect_call_mem_chain_of_auts:
+// CHECK-NOT: good_indirect_call_mem_chain_of_auts
+ paciasp
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ autia x16, x0
+ blr x16
+ autiasp
+ ret
+ .size good_indirect_call_mem_chain_of_auts, .-good_indirect_call_mem_chain_of_auts
+
+ .globl bad_indirect_call_mem_chain_of_auts
+ .type bad_indirect_call_mem_chain_of_auts, at function
+bad_indirect_call_mem_chain_of_auts:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_chain_of_auts, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x16]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ // Missing AUT of x16. The fact that x16 was authenticated above has nothing to do with it.
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_chain_of_auts, .-bad_indirect_call_mem_chain_of_auts
+
+// Multi-BB test cases.
+//
+// Positive ("good") test cases are designed so that the register is made safe
+// in one BB and used in the other. Negative ("bad") ones are designed so that
+// there are two predecessors, one of them ends with the register in a safe
+// state and the other ends with that register being unsafe.
+
+ .globl good_indirect_call_arg_multi_bb
+ .type good_indirect_call_arg_multi_bb, at function
+good_indirect_call_arg_multi_bb:
+// CHECK-NOT: good_indirect_call_arg_multi_bb
+ paciasp
+ autia x0, x1
+ cbz x2, 1f
+ blr x0
+1:
+ ldr x1, [x0]
+ autiasp
+ ret
+ .size good_indirect_call_arg_multi_bb, .-good_indirect_call_arg_multi_bb
+
+ .globl good_indirect_call_mem_multi_bb
+ .type good_indirect_call_mem_multi_bb, at function
+good_indirect_call_mem_multi_bb:
+// CHECK-NOT: good_indirect_call_mem_multi_bb
+ paciasp
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ blr x16
+1:
+ ldr w0, [x16]
+ autiasp
+ ret
+ .size good_indirect_call_mem_multi_bb, .-good_indirect_call_mem_multi_bb
+
+ .globl bad_indirect_call_arg_multi_bb
+ .type bad_indirect_call_arg_multi_bb, at function
+bad_indirect_call_arg_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
+ paciasp
+ cbz x2, 1f
+ autia x0, x1
+1:
+ blr x0
+ autiasp
+ ret
+ .size bad_indirect_call_arg_multi_bb, .-bad_indirect_call_arg_multi_bb
+
+ .globl bad_indirect_call_mem_multi_bb
+ .type bad_indirect_call_mem_multi_bb, at function
+bad_indirect_call_mem_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+ paciasp
+ ldr x16, [x0]
+ cbz x2, 1f
+ autia x16, x1
+1:
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_multi_bb, .-bad_indirect_call_mem_multi_bb
+
+ .globl bad_indirect_call_arg_clobber_multi_bb
+ .type bad_indirect_call_arg_clobber_multi_bb, at function
+bad_indirect_call_arg_clobber_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg_clobber_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w0, w3
+ paciasp
+ autia x0, x1
+ cbz x2, 1f
+ mov w0, w3
+1:
+ blr x0
+ autiasp
+ ret
+ .size bad_indirect_call_arg_clobber_multi_bb, .-bad_indirect_call_arg_clobber_multi_bb
+
+ .globl bad_indirect_call_mem_clobber_multi_bb
+ .type bad_indirect_call_mem_clobber_multi_bb, at function
+bad_indirect_call_mem_clobber_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_clobber_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
+ paciasp
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ mov w16, w2
+1:
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_clobber_multi_bb, .-bad_indirect_call_mem_clobber_multi_bb
+
+ .globl good_indirect_call_mem_chain_of_auts_multi_bb
+ .type good_indirect_call_mem_chain_of_auts_multi_bb, at function
+good_indirect_call_mem_chain_of_auts_multi_bb:
+// CHECK-NOT: good_indirect_call_mem_chain_of_auts_multi_bb
+ paciasp
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ autia x16, x0
+ cbz x2, 1f
+ blr x16
+1:
+ ldr w0, [x16]
+ autiasp
+ ret
+ .size good_indirect_call_mem_chain_of_auts_multi_bb, .-good_indirect_call_mem_chain_of_auts_multi_bb
+
+ .globl bad_indirect_call_mem_chain_of_auts_multi_bb
+ .type bad_indirect_call_mem_chain_of_auts_multi_bb, at function
+bad_indirect_call_mem_chain_of_auts_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_chain_of_auts_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
+ paciasp
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ cbz x2, 1f
+ autia x16, x0
+1:
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_chain_of_auts_multi_bb, .-bad_indirect_call_mem_chain_of_auts_multi_bb
+
+// Test that noreturn function calls via BR are checked as well.
+
+ .globl good_indirect_noreturn_call
+ .type good_indirect_noreturn_call, at function
+good_indirect_noreturn_call:
+// CHECK-NOT: good_indirect_noreturn_call
+ paciasp
+ cbz x0, 2f
+ autiasp
+ ldr w1, [x30]
+ autia x0, x1
+ br x0
+2:
+ autiasp
+ ret
+ .size good_indirect_noreturn_call, .-good_indirect_noreturn_call
+
+ .globl bad_indirect_noreturn_call
+ .type bad_indirect_noreturn_call, at function
+bad_indirect_noreturn_call:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_noreturn_call, basic block .LFT{{[0-9]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x0
+// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
+ paciasp
+ cbz x0, 2f
+ br x0
+2:
+ autiasp
+ ret
+ .size bad_indirect_noreturn_call, .-bad_indirect_noreturn_call
+
+// Test tail calls. To somewhat decrease the number of test cases and not
+// duplicate all of the above, only implement "mem" variant of test cases and
+// mostly test negative cases.
+
+ .globl good_direct_tailcall
+ .type good_direct_tailcall, at function
+good_direct_tailcall:
+// CHECK-NOT: good_direct_tailcall
+ b callee_ext
+ .size good_direct_tailcall, .-good_direct_tailcall
+
+ .globl good_indirect_tailcall_mem
+ .type good_indirect_tailcall_mem, at function
+good_indirect_tailcall_mem:
+// CHECK-NOT: good_indirect_tailcall_mem
+ ldr x16, [x0]
+ autia x16, x0
+ br x16
+ .size good_indirect_tailcall_mem, .-good_indirect_tailcall_mem
+
+ .globl good_indirect_tailcall_mem_v83
+ .type good_indirect_tailcall_mem_v83, at function
+good_indirect_tailcall_mem_v83:
+// CHECK-NOT: good_indirect_tailcall_mem_v83
+ ldr x16, [x0]
+ braa x16, x0
+ .size good_indirect_tailcall_mem_v83, .-good_indirect_tailcall_mem_v83
+
+ .globl bad_indirect_tailcall_mem
+ .type bad_indirect_tailcall_mem, at function
+bad_indirect_tailcall_mem:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: br x16
+ ldr x16, [x0]
+ br x16
+ .size bad_indirect_tailcall_mem, .-bad_indirect_tailcall_mem
+
+ .globl bad_indirect_tailcall_mem_clobber
+ .type bad_indirect_tailcall_mem_clobber, at function
+bad_indirect_tailcall_mem_clobber:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem_clobber, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x0
+// CHECK-NEXT: {{[0-9a-f]+}}: mov w16, w2
+// CHECK-NEXT: {{[0-9a-f]+}}: br x16
+ ldr x16, [x0]
+ autia x16, x0
+ mov w16, w2
+ br x16
+ .size bad_indirect_tailcall_mem_clobber, .-bad_indirect_tailcall_mem_clobber
+
+ .globl bad_indirect_tailcall_mem_chain_of_auts
+ .type bad_indirect_tailcall_mem_chain_of_auts, at function
+bad_indirect_tailcall_mem_chain_of_auts:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem_chain_of_auts, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x16]
+// CHECK-NEXT: {{[0-9a-f]+}}: br x16
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ // Missing AUT of x16. The fact that x16 was authenticated above has nothing to do with it.
+ br x16
+ .size bad_indirect_tailcall_mem_chain_of_auts, .-bad_indirect_tailcall_mem_chain_of_auts
+
+ .globl bad_indirect_tailcall_mem_multi_bb
+ .type bad_indirect_tailcall_mem_multi_bb, at function
+bad_indirect_tailcall_mem_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+ ldr x16, [x0]
+ cbz x2, 1f
+ autia x16, x1
+1:
+ br x16
+ .size bad_indirect_tailcall_mem_multi_bb, .-bad_indirect_tailcall_mem_multi_bb
+
+ .globl bad_indirect_tailcall_mem_clobber_multi_bb
+ .type bad_indirect_tailcall_mem_clobber_multi_bb, at function
+bad_indirect_tailcall_mem_clobber_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem_clobber_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ mov w16, w2
+1:
+ br x16
+ .size bad_indirect_tailcall_mem_clobber_multi_bb, .-bad_indirect_tailcall_mem_clobber_multi_bb
+
+// Test that calling a function is considered as invalidating safety of every
+// register. Note that we only have to consider "returning" function calls
+// (via branch-with-link), but both direct and indirect variants.
+// Checking different registers:
+// * x2 - function argument
+// * x8 - indirect result location
+// * x10 - temporary
+// * x16 - intra-procedure-call scratch register
+// * x18 - platform register
+// * x20 - callee-saved register
+
+ .globl direct_call_invalidates_safety
+ .type direct_call_invalidates_safety, at function
+direct_call_invalidates_safety:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x2
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// FIXME: Print the destination of BL as callee_ext instead of .LtmpN
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x8
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x10
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x18
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x20
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+
+ paciasp
+
+ mov x2, x0
+ autiza x2
+ bl callee_ext
+ blr x2
+
+ mov x8, x0
+ autiza x8
+ bl callee_ext
+ blr x8
+
+ mov x10, x0
+ autiza x10
+ bl callee_ext
+ blr x10
+
+ mov x16, x0
+ autiza x16
+ bl callee_ext
+ blr x16
+
+ mov x18, x0
+ autiza x18
+ bl callee_ext
+ blr x18
+
+ mov x20, x0
+ autiza x20
+ bl callee_ext
+ blr x20
+
+ autiasp
+ ret
+ .size direct_call_invalidates_safety, .-direct_call_invalidates_safety
+
+ .globl indirect_call_invalidates_safety
+ .type indirect_call_invalidates_safety, at function
+indirect_call_invalidates_safety:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x2
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x2
+// Check that only one error is reported per pair of BLRs.
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x2
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x8
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x8
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x8
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x10
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x10
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x10
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x16
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x16
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x18
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x18
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x18
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x20
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x20
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x20
+
+ paciasp
+
+ mov x2, x0
+ autiza x2
+ blr x2 // protected call, but makes x2 unsafe
+ blr x2 // unprotected call
+
+ mov x8, x0
+ autiza x8
+ blr x8 // protected call, but makes x2 unsafe
+ blr x8 // unprotected call
+
+ mov x10, x0
+ autiza x10
+ blr x10 // protected call, but makes x2 unsafe
+ blr x10 // unprotected call
+
+ mov x16, x0
+ autiza x16
+ blr x16 // protected call, but makes x2 unsafe
+ blr x16 // unprotected call
+
+ mov x19, x0
+ autiza x18
+ blr x18 // protected call, but makes x2 unsafe
+ blr x18 // unprotected call
+
+ mov x20, x0
+ autiza x20
+ blr x20 // protected call, but makes x2 unsafe
+ blr x20 // unprotected call
+
+ autiasp
+ ret
+ .size indirect_call_invalidates_safety, .-indirect_call_invalidates_safety
+
+// Test that fused auth+use Armv8.3 instruction do not mark register as safe.
+
+ .globl blraa_no_mark_safe
+ .type blraa_no_mark_safe, at function
+blraa_no_mark_safe:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function blraa_no_mark_safe, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blraa x0, x1
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: blraa x0, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ blraa x0, x1 // safe, no write-back, clobbers everything
+ blr x0 // unsafe
+ autiasp
+ ret
+ .size blraa_no_mark_safe, .-blraa_no_mark_safe
+
+// Check that the correct set of registers is used to compute the set of last
+// writing instructions.
+
+ .globl last_insts_writing_to_reg
+ .type last_insts_writing_to_reg, at function
+last_insts_writing_to_reg:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function last_insts_writing_to_reg, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x17, [x1]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x17
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function last_insts_writing_to_reg, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x17
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x17, [x1]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x17, [x1]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x17
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ ldr x16, [x0]
+ blr x16
+ ldr x17, [x1]
+ blr x17
+ autiasp
+ ret
+ .size last_insts_writing_to_reg, .-last_insts_writing_to_reg
+
+ .globl main
+ .type main, at function
+main:
+ mov x0, 0
+ ret
+ .size main, .-main
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
index 30b70b060b94b..3376b79b5b814 100644
--- a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
@@ -12,8 +12,12 @@
.type simple, at function
simple:
paciasp
+ stp x29, x30, [sp, #-0x10]!
b 1f
1:
+ autiza x0
+ blr x0
+ ldp x29, x30, [sp], #0x10
autiasp
ret
.size simple, .-simple
@@ -25,16 +29,20 @@ simple:
// ...
// CHECK: BB Layout : [[BB0:[0-9a-zA-Z.]+]], [[BB1:[0-9a-zA-Z.]+]]
// CHECK-NEXT: }
-// CHECK-NEXT: [[BB0]] (2 instructions, align : 1)
+// CHECK-NEXT: [[BB0]] (3 instructions, align : 1)
// CHECK-NEXT: Entry Point
// CHECK-NEXT: 00000000: paciasp
-// CHECK-NEXT: 00000004: b [[BB1]]
+// CHECK-NEXT: 00000004: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: 00000008: b [[BB1]]
// CHECK-NEXT: Successors: [[BB1]]
// CHECK-EMPTY:
-// CHECK-NEXT: [[BB1]] (2 instructions, align : 1)
+// CHECK-NEXT: [[BB1]] (5 instructions, align : 1)
// CHECK-NEXT: Predecessors: [[BB0]]
-// CHECK-NEXT: 00000008: autiasp
-// CHECK-NEXT: 0000000c: ret
+// CHECK-NEXT: 0000000c: autiza x0
+// CHECK-NEXT: 00000010: blr x0
+// CHECK-NEXT: 00000014: ldp x29, x30, [sp], #0x10
+// CHECK-NEXT: 00000018: autiasp
+// CHECK-NEXT: 0000001c: ret
// CHECK-EMPTY:
// CHECK-NEXT: DWARF CFI Instructions:
// CHECK-NEXT: <empty>
@@ -42,12 +50,20 @@ simple:
// CHECK-EMPTY:
// CHECK-NEXT: PacRetAnalysis::ComputeNext( hint #25, pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( stp x29, x30, [sp, #-0x10]!, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( b [[BB1]], pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: PacRetAnalysis::Confluence(
// CHECK-NEXT: State 1: pacret-state<empty>
// CHECK-NEXT: State 2: pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: merged state: pacret-state<SafeToDerefRegs: , Insts: >
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( autiza x0, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: W0 X0 W0_HI , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( blr x0, pacret-state<SafeToDerefRegs: W0 X0 W0_HI , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( ldp x29, x30, [sp], #0x10, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( hint #29, pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( ret x30, pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
@@ -56,6 +72,12 @@ simple:
// CHECK-NEXT: State 1: pacret-state<SafeToDerefRegs: , Insts: >
// CHECK-NEXT: State 2: pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: merged state: pacret-state<SafeToDerefRegs: , Insts: >
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( autiza x0, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: W0 X0 W0_HI , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( blr x0, pacret-state<SafeToDerefRegs: W0 X0 W0_HI , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( ldp x29, x30, [sp], #0x10, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( hint #29, pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( ret x30, pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
@@ -67,21 +89,28 @@ simple:
// ...
// CHECK: BB Layout : [[BB0]], [[BB1]]
// CHECK-NEXT: }
-// CHECK-NEXT: [[BB0]] (2 instructions, align : 1)
+// CHECK-NEXT: [[BB0]] (3 instructions, align : 1)
// CHECK-NEXT: Entry Point
// CHECK-NEXT: 00000000: paciasp # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
-// CHECK-NEXT: 00000004: b [[BB1]] # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000004: stp x29, x30, [sp, #-0x10]! # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000008: b [[BB1]] # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
// CHECK-NEXT: Successors: [[BB1]]
// CHECK-EMPTY:
-// CHECK-NEXT: [[BB1]] (2 instructions, align : 1)
+// CHECK-NEXT: [[BB1]] (5 instructions, align : 1)
// CHECK-NEXT: Predecessors: [[BB0]]
-// CHECK-NEXT: 00000008: autiasp # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
-// CHECK-NEXT: 0000000c: ret # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 0000000c: autiza x0 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000010: blr x0 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000014: ldp x29, x30, [sp], #0x10 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000018: autiasp # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 0000001c: ret # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
// CHECK-EMPTY:
// CHECK-NEXT: DWARF CFI Instructions:
// CHECK-NEXT: <empty>
// CHECK-NEXT: End of Function "simple"
// CHECK-EMPTY:
+// CHECK-NEXT: Found call inst: 00000000: blr x0 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: Call destination reg: X0
+// CHECK-NEXT: SafeToDerefRegs: W0 X0 W0_HI{{[ \t]*$}}
// CHECK-NEXT: Found RET inst: 00000000: ret # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
// CHECK-NEXT: RetReg: LR
// CHECK-NEXT: Authenticated reg: (none)
More information about the llvm-commits
mailing list