[llvm] [BOLT] Gadget scanner: detect non-protected indirect calls (PR #131899)
Anatoly Trosinenko via llvm-commits
llvm-commits at lists.llvm.org
Wed Mar 26 09:52:18 PDT 2025
https://github.com/atrosinenko updated https://github.com/llvm/llvm-project/pull/131899
>From 2d82b35ff28c12db2ad249133a9b931d1a25ea6e Mon Sep 17 00:00:00 2001
From: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
Date: Tue, 18 Mar 2025 21:32:11 +0300
Subject: [PATCH 1/6] [BOLT] Gadget scanner: detect non-protected indirect
calls
---
bolt/include/bolt/Core/MCPlusBuilder.h | 10 +
bolt/lib/Passes/PAuthGadgetScanner.cpp | 33 +-
.../Target/AArch64/AArch64MCPlusBuilder.cpp | 42 ++
.../binary-analysis/AArch64/gs-pauth-calls.s | 676 ++++++++++++++++++
.../AArch64/gs-pauth-debug-output.s | 49 +-
5 files changed, 796 insertions(+), 14 deletions(-)
create mode 100644 bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
diff --git a/bolt/include/bolt/Core/MCPlusBuilder.h b/bolt/include/bolt/Core/MCPlusBuilder.h
index 76ea2489e7038..8b6dc14121480 100644
--- a/bolt/include/bolt/Core/MCPlusBuilder.h
+++ b/bolt/include/bolt/Core/MCPlusBuilder.h
@@ -577,6 +577,16 @@ class MCPlusBuilder {
return getNoRegister();
}
+ /// Returns the register used as call destination, or no-register, if not
+ /// an indirect call. Sets IsAuthenticatedInternally if the instruction
+ /// accepts a signed pointer as its operand and authenticates it internally.
+ virtual MCPhysReg
+ getRegUsedAsCallDest(const MCInst &Inst,
+ bool &IsAuthenticatedInternally) const {
+ llvm_unreachable("not implemented");
+ return getNoRegister();
+ }
+
virtual bool isTerminator(const MCInst &Inst) const;
virtual bool isNoop(const MCInst &Inst) const {
diff --git a/bolt/lib/Passes/PAuthGadgetScanner.cpp b/bolt/lib/Passes/PAuthGadgetScanner.cpp
index e9940372f5c92..dcc7d93183900 100644
--- a/bolt/lib/Passes/PAuthGadgetScanner.cpp
+++ b/bolt/lib/Passes/PAuthGadgetScanner.cpp
@@ -401,11 +401,11 @@ class PacRetAnalysis
public:
std::vector<MCInstReference>
- getLastClobberingInsts(const MCInst Ret, BinaryFunction &BF,
- const ArrayRef<MCPhysReg> UsedDirtyRegs) const {
+ getLastClobberingInsts(const MCInst &Inst, BinaryFunction &BF,
+ const ArrayRef<MCPhysReg> UsedDirtyRegs) {
if (RegsToTrackInstsFor.empty())
return {};
- auto MaybeState = getStateAt(Ret);
+ auto MaybeState = getStateBefore(Inst);
if (!MaybeState)
llvm_unreachable("Expected State to be present");
const State &S = *MaybeState;
@@ -453,6 +453,29 @@ shouldReportReturnGadget(const BinaryContext &BC, const MCInstReference &Inst,
return std::make_shared<GadgetReport>(RetKind, Inst, RetReg);
}
+static std::shared_ptr<Report>
+shouldReportCallGadget(const BinaryContext &BC, const MCInstReference &Inst,
+ const State &S) {
+ static const GadgetKind CallKind("non-protected call found");
+ if (!BC.MIB->isCall(Inst) && !BC.MIB->isBranch(Inst))
+ return nullptr;
+
+ bool IsAuthenticated = false;
+ MCPhysReg DestReg = BC.MIB->getRegUsedAsCallDest(Inst, IsAuthenticated);
+ if (IsAuthenticated || DestReg == BC.MIB->getNoRegister())
+ return nullptr;
+
+ LLVM_DEBUG({
+ traceInst(BC, "Found call inst", Inst);
+ traceReg(BC, "Call destination reg", DestReg);
+ traceRegMask(BC, "SafeToDerefRegs", S.SafeToDerefRegs);
+ });
+ if (S.SafeToDerefRegs[DestReg])
+ return nullptr;
+
+ return std::make_shared<GadgetReport>(CallKind, Inst, DestReg);
+}
+
FunctionAnalysisResult
Analysis::findGadgets(BinaryFunction &BF,
MCPlusBuilder::AllocatorIdTy AllocatorId) {
@@ -469,7 +492,7 @@ Analysis::findGadgets(BinaryFunction &BF,
for (BinaryBasicBlock &BB : BF) {
for (int64_t I = 0, E = BB.size(); I < E; ++I) {
MCInstReference Inst(&BB, I);
- const State &S = *PRA.getStateAt(Inst);
+ const State &S = *PRA.getStateBefore(Inst);
// If non-empty state was never propagated from the entry basic block
// to Inst, assume it to be unreachable and report a warning.
@@ -481,6 +504,8 @@ Analysis::findGadgets(BinaryFunction &BF,
if (auto Report = shouldReportReturnGadget(BC, Inst, S))
Result.Diagnostics.push_back(Report);
+ if (auto Report = shouldReportCallGadget(BC, Inst, S))
+ Result.Diagnostics.push_back(Report);
}
}
return Result;
diff --git a/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp b/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
index d238a1df5c7d7..9ce1514639f95 100644
--- a/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
+++ b/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
@@ -277,6 +277,48 @@ class AArch64MCPlusBuilder : public MCPlusBuilder {
}
}
+ MCPhysReg
+ getRegUsedAsCallDest(const MCInst &Inst,
+ bool &IsAuthenticatedInternally) const override {
+ assert(isCall(Inst) || isBranch(Inst));
+ IsAuthenticatedInternally = false;
+
+ switch (Inst.getOpcode()) {
+ case AArch64::B:
+ case AArch64::BL:
+ assert(Inst.getOperand(0).isExpr());
+ return getNoRegister();
+ case AArch64::Bcc:
+ case AArch64::CBNZW:
+ case AArch64::CBNZX:
+ case AArch64::CBZW:
+ case AArch64::CBZX:
+ assert(Inst.getOperand(1).isExpr());
+ return getNoRegister();
+ case AArch64::TBNZW:
+ case AArch64::TBNZX:
+ case AArch64::TBZW:
+ case AArch64::TBZX:
+ assert(Inst.getOperand(2).isExpr());
+ return getNoRegister();
+ case AArch64::BR:
+ case AArch64::BLR:
+ return Inst.getOperand(0).getReg();
+ case AArch64::BRAA:
+ case AArch64::BRAB:
+ case AArch64::BRAAZ:
+ case AArch64::BRABZ:
+ case AArch64::BLRAA:
+ case AArch64::BLRAB:
+ case AArch64::BLRAAZ:
+ case AArch64::BLRABZ:
+ IsAuthenticatedInternally = true;
+ return Inst.getOperand(0).getReg();
+ default:
+ llvm_unreachable("Unhandled call instruction");
+ }
+ }
+
bool isADRP(const MCInst &Inst) const override {
return Inst.getOpcode() == AArch64::ADRP;
}
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
new file mode 100644
index 0000000000000..3098e8ec954d2
--- /dev/null
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
@@ -0,0 +1,676 @@
+// RUN: %clang %cflags -march=armv8.3-a %s -o %t.exe
+// RUN: llvm-bolt-binary-analysis --scanners=pacret %t.exe 2>&1 | FileCheck %s
+
+// FIXME In the below test cases, LR is usually not spilled as needed, as it is
+// not checked by BOLT.
+
+ .text
+
+ .globl good_direct_call
+ .type good_direct_call, at function
+good_direct_call:
+// CHECK-NOT: good_direct_call
+ paciasp
+ bl callee_ext
+ autiasp
+ ret
+ .size good_direct_call, .-good_direct_call
+
+ .globl good_indirect_call_arg
+ .type good_indirect_call_arg, at function
+good_indirect_call_arg:
+// CHECK-NOT: good_indirect_call_arg
+ paciasp
+ autia x0, x1
+ blr x0
+ autiasp
+ ret
+ .size good_indirect_call_arg, .-good_indirect_call_arg
+
+ .globl good_indirect_call_mem
+ .type good_indirect_call_mem, at function
+good_indirect_call_mem:
+// CHECK-NOT: good_indirect_call_mem
+ paciasp
+ ldr x16, [x0]
+ autia x16, x0
+ blr x16
+ autiasp
+ ret
+ .size good_indirect_call_mem, .-good_indirect_call_mem
+
+ .globl good_indirect_call_arg_v83
+ .type good_indirect_call_arg_v83, at function
+good_indirect_call_arg_v83:
+// CHECK-NOT: good_indirect_call_arg_v83
+ paciasp
+ blraa x0, x1
+ autiasp
+ ret
+ .size good_indirect_call_arg_v83, .-good_indirect_call_arg_v83
+
+ .globl good_indirect_call_mem_v83
+ .type good_indirect_call_mem_v83, at function
+good_indirect_call_mem_v83:
+// CHECK-NOT: good_indirect_call_mem_v83
+ paciasp
+ ldr x16, [x0]
+ blraa x16, x0
+ autiasp
+ ret
+ .size good_indirect_call_mem_v83, .-good_indirect_call_mem_v83
+
+ .globl bad_indirect_call_arg
+ .type bad_indirect_call_arg, at function
+bad_indirect_call_arg:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
+ paciasp
+ blr x0
+ autiasp
+ ret
+ .size bad_indirect_call_arg, .-bad_indirect_call_arg
+
+ .globl bad_indirect_call_mem
+ .type bad_indirect_call_mem, at function
+bad_indirect_call_mem:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ ldr x16, [x0]
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem, .-bad_indirect_call_mem
+
+ .globl bad_indirect_call_arg_clobber
+ .type bad_indirect_call_arg_clobber, at function
+bad_indirect_call_arg_clobber:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg_clobber, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w0, w2
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x0, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: mov w0, w2
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ autia x0, x1
+ mov w0, w2
+ blr x0
+ autiasp
+ ret
+ .size bad_indirect_call_arg_clobber, .-bad_indirect_call_arg_clobber
+
+ .globl bad_indirect_call_mem_clobber
+ .type bad_indirect_call_mem_clobber, at function
+bad_indirect_call_mem_clobber:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_clobber, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x0
+// CHECK-NEXT: {{[0-9a-f]+}}: mov w16, w2
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ ldr x16, [x0]
+ autia x16, x0
+ mov w16, w2
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_clobber, .-bad_indirect_call_mem_clobber
+
+ .globl good_indirect_call_mem_chain_of_auts
+ .type good_indirect_call_mem_chain_of_auts, at function
+good_indirect_call_mem_chain_of_auts:
+// CHECK-NOT: good_indirect_call_mem_chain_of_auts
+ paciasp
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ autia x16, x0
+ blr x16
+ autiasp
+ ret
+ .size good_indirect_call_mem_chain_of_auts, .-good_indirect_call_mem_chain_of_auts
+
+ .globl bad_indirect_call_mem_chain_of_auts
+ .type bad_indirect_call_mem_chain_of_auts, at function
+bad_indirect_call_mem_chain_of_auts:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_chain_of_auts, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x16]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ // Missing AUT of x16. The fact that x16 was authenticated above has nothing to do with it.
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_chain_of_auts, .-bad_indirect_call_mem_chain_of_auts
+
+// Multi-BB test cases.
+//
+// Positive ("good") test cases are designed so that the register is made safe
+// in one BB and used in the other. Negative ("bad") ones are designed so that
+// there are two predecessors, one of them ends with the register in a safe
+// state and the other ends with that register being unsafe.
+
+ .globl good_indirect_call_arg_multi_bb
+ .type good_indirect_call_arg_multi_bb, at function
+good_indirect_call_arg_multi_bb:
+// CHECK-NOT: good_indirect_call_arg_multi_bb
+ paciasp
+ autia x0, x1
+ cbz x2, 1f
+ blr x0
+1:
+ ldr x1, [x0]
+ autiasp
+ ret
+ .size good_indirect_call_arg_multi_bb, .-good_indirect_call_arg_multi_bb
+
+ .globl good_indirect_call_mem_multi_bb
+ .type good_indirect_call_mem_multi_bb, at function
+good_indirect_call_mem_multi_bb:
+// CHECK-NOT: good_indirect_call_mem_multi_bb
+ paciasp
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ blr x16
+1:
+ ldr w0, [x16]
+ autiasp
+ ret
+ .size good_indirect_call_mem_multi_bb, .-good_indirect_call_mem_multi_bb
+
+ .globl bad_indirect_call_arg_multi_bb
+ .type bad_indirect_call_arg_multi_bb, at function
+bad_indirect_call_arg_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
+ paciasp
+ cbz x2, 1f
+ autia x0, x1
+1:
+ blr x0
+ autiasp
+ ret
+ .size bad_indirect_call_arg_multi_bb, .-bad_indirect_call_arg_multi_bb
+
+ .globl bad_indirect_call_mem_multi_bb
+ .type bad_indirect_call_mem_multi_bb, at function
+bad_indirect_call_mem_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+ paciasp
+ ldr x16, [x0]
+ cbz x2, 1f
+ autia x16, x1
+1:
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_multi_bb, .-bad_indirect_call_mem_multi_bb
+
+ .globl bad_indirect_call_arg_clobber_multi_bb
+ .type bad_indirect_call_arg_clobber_multi_bb, at function
+bad_indirect_call_arg_clobber_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_arg_clobber_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w0, w3
+ paciasp
+ autia x0, x1
+ cbz x2, 1f
+ mov w0, w3
+1:
+ blr x0
+ autiasp
+ ret
+ .size bad_indirect_call_arg_clobber_multi_bb, .-bad_indirect_call_arg_clobber_multi_bb
+
+ .globl bad_indirect_call_mem_clobber_multi_bb
+ .type bad_indirect_call_mem_clobber_multi_bb, at function
+bad_indirect_call_mem_clobber_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_clobber_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
+ paciasp
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ mov w16, w2
+1:
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_clobber_multi_bb, .-bad_indirect_call_mem_clobber_multi_bb
+
+ .globl good_indirect_call_mem_chain_of_auts_multi_bb
+ .type good_indirect_call_mem_chain_of_auts_multi_bb, at function
+good_indirect_call_mem_chain_of_auts_multi_bb:
+// CHECK-NOT: good_indirect_call_mem_chain_of_auts_multi_bb
+ paciasp
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ autia x16, x0
+ cbz x2, 1f
+ blr x16
+1:
+ ldr w0, [x16]
+ autiasp
+ ret
+ .size good_indirect_call_mem_chain_of_auts_multi_bb, .-good_indirect_call_mem_chain_of_auts_multi_bb
+
+ .globl bad_indirect_call_mem_chain_of_auts_multi_bb
+ .type bad_indirect_call_mem_chain_of_auts_multi_bb, at function
+bad_indirect_call_mem_chain_of_auts_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_call_mem_chain_of_auts_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
+ paciasp
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ cbz x2, 1f
+ autia x16, x0
+1:
+ blr x16
+ autiasp
+ ret
+ .size bad_indirect_call_mem_chain_of_auts_multi_bb, .-bad_indirect_call_mem_chain_of_auts_multi_bb
+
+// Test that noreturn function calls via BR are checked as well.
+
+ .globl good_indirect_noreturn_call
+ .type good_indirect_noreturn_call, at function
+good_indirect_noreturn_call:
+// CHECK-NOT: good_indirect_noreturn_call
+ paciasp
+ cbz x0, 2f
+ autiasp
+ ldr w1, [x30]
+ autia x0, x1
+ br x0
+2:
+ autiasp
+ ret
+ .size good_indirect_noreturn_call, .-good_indirect_noreturn_call
+
+ .globl bad_indirect_noreturn_call
+ .type bad_indirect_noreturn_call, at function
+bad_indirect_noreturn_call:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_noreturn_call, basic block .LFT{{[0-9]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x0
+// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
+ paciasp
+ cbz x0, 2f
+ br x0
+2:
+ autiasp
+ ret
+ .size bad_indirect_noreturn_call, .-bad_indirect_noreturn_call
+
+// Test tail calls. To somewhat decrease the number of test cases and not
+// duplicate all of the above, only implement "mem" variant of test cases and
+// mostly test negative cases.
+
+ .globl good_direct_tailcall
+ .type good_direct_tailcall, at function
+good_direct_tailcall:
+// CHECK-NOT: good_direct_tailcall
+ b callee_ext
+ .size good_direct_tailcall, .-good_direct_tailcall
+
+ .globl good_indirect_tailcall_mem
+ .type good_indirect_tailcall_mem, at function
+good_indirect_tailcall_mem:
+// CHECK-NOT: good_indirect_tailcall_mem
+ ldr x16, [x0]
+ autia x16, x0
+ br x16
+ .size good_indirect_tailcall_mem, .-good_indirect_tailcall_mem
+
+ .globl good_indirect_tailcall_mem_v83
+ .type good_indirect_tailcall_mem_v83, at function
+good_indirect_tailcall_mem_v83:
+// CHECK-NOT: good_indirect_tailcall_mem_v83
+ ldr x16, [x0]
+ braa x16, x0
+ .size good_indirect_tailcall_mem_v83, .-good_indirect_tailcall_mem_v83
+
+ .globl bad_indirect_tailcall_mem
+ .type bad_indirect_tailcall_mem, at function
+bad_indirect_tailcall_mem:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: br x16
+ ldr x16, [x0]
+ br x16
+ .size bad_indirect_tailcall_mem, .-bad_indirect_tailcall_mem
+
+ .globl bad_indirect_tailcall_mem_clobber
+ .type bad_indirect_tailcall_mem_clobber, at function
+bad_indirect_tailcall_mem_clobber:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem_clobber, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x0
+// CHECK-NEXT: {{[0-9a-f]+}}: mov w16, w2
+// CHECK-NEXT: {{[0-9a-f]+}}: br x16
+ ldr x16, [x0]
+ autia x16, x0
+ mov w16, w2
+ br x16
+ .size bad_indirect_tailcall_mem_clobber, .-bad_indirect_tailcall_mem_clobber
+
+ .globl bad_indirect_tailcall_mem_chain_of_auts
+ .type bad_indirect_tailcall_mem_chain_of_auts, at function
+bad_indirect_tailcall_mem_chain_of_auts:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem_chain_of_auts, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x16]
+// CHECK-NEXT: {{[0-9a-f]+}}: br x16
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ // Missing AUT of x16. The fact that x16 was authenticated above has nothing to do with it.
+ br x16
+ .size bad_indirect_tailcall_mem_chain_of_auts, .-bad_indirect_tailcall_mem_chain_of_auts
+
+ .globl bad_indirect_tailcall_mem_multi_bb
+ .type bad_indirect_tailcall_mem_multi_bb, at function
+bad_indirect_tailcall_mem_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+ ldr x16, [x0]
+ cbz x2, 1f
+ autia x16, x1
+1:
+ br x16
+ .size bad_indirect_tailcall_mem_multi_bb, .-bad_indirect_tailcall_mem_multi_bb
+
+ .globl bad_indirect_tailcall_mem_clobber_multi_bb
+ .type bad_indirect_tailcall_mem_clobber_multi_bb, at function
+bad_indirect_tailcall_mem_clobber_multi_bb:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_tailcall_mem_clobber_multi_bb, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ mov w16, w2
+1:
+ br x16
+ .size bad_indirect_tailcall_mem_clobber_multi_bb, .-bad_indirect_tailcall_mem_clobber_multi_bb
+
+// Test that calling a function is considered as invalidating safety of every
+// register. Note that we only have to consider "returning" function calls
+// (via branch-with-link), but both direct and indirect variants.
+// Checking different registers:
+// * x2 - function argument
+// * x8 - indirect result location
+// * x10 - temporary
+// * x16 - intra-procedure-call scratch register
+// * x18 - platform register
+// * x20 - callee-saved register
+
+ .globl direct_call_invalidates_safety
+ .type direct_call_invalidates_safety, at function
+direct_call_invalidates_safety:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x2
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// FIXME: Print the destination of BL as callee_ext instead of .LtmpN
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x8
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x10
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x18
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function direct_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x20
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
+
+ paciasp
+
+ mov x2, x0
+ autiza x2
+ bl callee_ext
+ blr x2
+
+ mov x8, x0
+ autiza x8
+ bl callee_ext
+ blr x8
+
+ mov x10, x0
+ autiza x10
+ bl callee_ext
+ blr x10
+
+ mov x16, x0
+ autiza x16
+ bl callee_ext
+ blr x16
+
+ mov x18, x0
+ autiza x18
+ bl callee_ext
+ blr x18
+
+ mov x20, x0
+ autiza x20
+ bl callee_ext
+ blr x20
+
+ autiasp
+ ret
+ .size direct_call_invalidates_safety, .-direct_call_invalidates_safety
+
+ .globl indirect_call_invalidates_safety
+ .type indirect_call_invalidates_safety, at function
+indirect_call_invalidates_safety:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x2
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x2
+// Check that only one error is reported per pair of BLRs.
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x2
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x8
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x8
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x8
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x10
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x10
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x10
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x16
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x16
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x18
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x18
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x18
+
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function indirect_call_invalidates_safety, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x20
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x20
+// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x20
+
+ paciasp
+
+ mov x2, x0
+ autiza x2
+ blr x2 // protected call, but makes x2 unsafe
+ blr x2 // unprotected call
+
+ mov x8, x0
+ autiza x8
+ blr x8 // protected call, but makes x2 unsafe
+ blr x8 // unprotected call
+
+ mov x10, x0
+ autiza x10
+ blr x10 // protected call, but makes x2 unsafe
+ blr x10 // unprotected call
+
+ mov x16, x0
+ autiza x16
+ blr x16 // protected call, but makes x2 unsafe
+ blr x16 // unprotected call
+
+ mov x19, x0
+ autiza x18
+ blr x18 // protected call, but makes x2 unsafe
+ blr x18 // unprotected call
+
+ mov x20, x0
+ autiza x20
+ blr x20 // protected call, but makes x2 unsafe
+ blr x20 // unprotected call
+
+ autiasp
+ ret
+ .size indirect_call_invalidates_safety, .-indirect_call_invalidates_safety
+
+// Test that fused auth+use Armv8.3 instruction do not mark register as safe.
+
+ .globl blraa_no_mark_safe
+ .type blraa_no_mark_safe, at function
+blraa_no_mark_safe:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function blraa_no_mark_safe, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: blraa x0, x1
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: blraa x0, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ blraa x0, x1 // safe, no write-back, clobbers everything
+ blr x0 // unsafe
+ autiasp
+ ret
+ .size blraa_no_mark_safe, .-blraa_no_mark_safe
+
+// Check that the correct set of registers is used to compute the set of last
+// writing instructions.
+
+ .globl last_insts_writing_to_reg
+ .type last_insts_writing_to_reg, at function
+last_insts_writing_to_reg:
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function last_insts_writing_to_reg, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x17, [x1]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x17
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+// CHECK-LABEL: GS-PAUTH: non-protected call found in function last_insts_writing_to_reg, basic block {{[^,]+}}, at address
+// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x17
+// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
+// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x17, [x1]
+// CHECK-NEXT: This happens in the following basic block:
+// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: ldr x17, [x1]
+// CHECK-NEXT: {{[0-9a-f]+}}: blr x17
+// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
+// CHECK-NEXT: {{[0-9a-f]+}}: ret
+ paciasp
+ ldr x16, [x0]
+ blr x16
+ ldr x17, [x1]
+ blr x17
+ autiasp
+ ret
+ .size last_insts_writing_to_reg, .-last_insts_writing_to_reg
+
+ .globl main
+ .type main, at function
+main:
+ mov x0, 0
+ ret
+ .size main, .-main
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
index 30b70b060b94b..3376b79b5b814 100644
--- a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
@@ -12,8 +12,12 @@
.type simple, at function
simple:
paciasp
+ stp x29, x30, [sp, #-0x10]!
b 1f
1:
+ autiza x0
+ blr x0
+ ldp x29, x30, [sp], #0x10
autiasp
ret
.size simple, .-simple
@@ -25,16 +29,20 @@ simple:
// ...
// CHECK: BB Layout : [[BB0:[0-9a-zA-Z.]+]], [[BB1:[0-9a-zA-Z.]+]]
// CHECK-NEXT: }
-// CHECK-NEXT: [[BB0]] (2 instructions, align : 1)
+// CHECK-NEXT: [[BB0]] (3 instructions, align : 1)
// CHECK-NEXT: Entry Point
// CHECK-NEXT: 00000000: paciasp
-// CHECK-NEXT: 00000004: b [[BB1]]
+// CHECK-NEXT: 00000004: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: 00000008: b [[BB1]]
// CHECK-NEXT: Successors: [[BB1]]
// CHECK-EMPTY:
-// CHECK-NEXT: [[BB1]] (2 instructions, align : 1)
+// CHECK-NEXT: [[BB1]] (5 instructions, align : 1)
// CHECK-NEXT: Predecessors: [[BB0]]
-// CHECK-NEXT: 00000008: autiasp
-// CHECK-NEXT: 0000000c: ret
+// CHECK-NEXT: 0000000c: autiza x0
+// CHECK-NEXT: 00000010: blr x0
+// CHECK-NEXT: 00000014: ldp x29, x30, [sp], #0x10
+// CHECK-NEXT: 00000018: autiasp
+// CHECK-NEXT: 0000001c: ret
// CHECK-EMPTY:
// CHECK-NEXT: DWARF CFI Instructions:
// CHECK-NEXT: <empty>
@@ -42,12 +50,20 @@ simple:
// CHECK-EMPTY:
// CHECK-NEXT: PacRetAnalysis::ComputeNext( hint #25, pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( stp x29, x30, [sp, #-0x10]!, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( b [[BB1]], pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: PacRetAnalysis::Confluence(
// CHECK-NEXT: State 1: pacret-state<empty>
// CHECK-NEXT: State 2: pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: merged state: pacret-state<SafeToDerefRegs: , Insts: >
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( autiza x0, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: W0 X0 W0_HI , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( blr x0, pacret-state<SafeToDerefRegs: W0 X0 W0_HI , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( ldp x29, x30, [sp], #0x10, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( hint #29, pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( ret x30, pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
@@ -56,6 +72,12 @@ simple:
// CHECK-NEXT: State 1: pacret-state<SafeToDerefRegs: , Insts: >
// CHECK-NEXT: State 2: pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: merged state: pacret-state<SafeToDerefRegs: , Insts: >
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( autiza x0, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: W0 X0 W0_HI , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( blr x0, pacret-state<SafeToDerefRegs: W0 X0 W0_HI , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: PacRetAnalysis::ComputeNext( ldp x29, x30, [sp], #0x10, pacret-state<SafeToDerefRegs: , Insts: >)
+// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( hint #29, pacret-state<SafeToDerefRegs: , Insts: >)
// CHECK-NEXT: .. result: (pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
// CHECK-NEXT: PacRetAnalysis::ComputeNext( ret x30, pacret-state<SafeToDerefRegs: LR W30 W30_HI , Insts: >)
@@ -67,21 +89,28 @@ simple:
// ...
// CHECK: BB Layout : [[BB0]], [[BB1]]
// CHECK-NEXT: }
-// CHECK-NEXT: [[BB0]] (2 instructions, align : 1)
+// CHECK-NEXT: [[BB0]] (3 instructions, align : 1)
// CHECK-NEXT: Entry Point
// CHECK-NEXT: 00000000: paciasp # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
-// CHECK-NEXT: 00000004: b [[BB1]] # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000004: stp x29, x30, [sp, #-0x10]! # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000008: b [[BB1]] # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
// CHECK-NEXT: Successors: [[BB1]]
// CHECK-EMPTY:
-// CHECK-NEXT: [[BB1]] (2 instructions, align : 1)
+// CHECK-NEXT: [[BB1]] (5 instructions, align : 1)
// CHECK-NEXT: Predecessors: [[BB0]]
-// CHECK-NEXT: 00000008: autiasp # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
-// CHECK-NEXT: 0000000c: ret # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 0000000c: autiza x0 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000010: blr x0 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000014: ldp x29, x30, [sp], #0x10 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 00000018: autiasp # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: 0000001c: ret # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
// CHECK-EMPTY:
// CHECK-NEXT: DWARF CFI Instructions:
// CHECK-NEXT: <empty>
// CHECK-NEXT: End of Function "simple"
// CHECK-EMPTY:
+// CHECK-NEXT: Found call inst: 00000000: blr x0 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// CHECK-NEXT: Call destination reg: X0
+// CHECK-NEXT: SafeToDerefRegs: W0 X0 W0_HI{{[ \t]*$}}
// CHECK-NEXT: Found RET inst: 00000000: ret # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
// CHECK-NEXT: RetReg: LR
// CHECK-NEXT: Authenticated reg: (none)
>From 9074fad2e95e0cce645823988f978f0f26706124 Mon Sep 17 00:00:00 2001
From: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
Date: Wed, 26 Mar 2025 13:12:27 +0300
Subject: [PATCH 2/6] Add a separate scanner category: pauth
---
bolt/include/bolt/Passes/PAuthGadgetScanner.h | 6 +++-
bolt/include/bolt/Utils/CommandLineOpts.h | 4 +--
bolt/lib/Passes/PAuthGadgetScanner.cpp | 4 +++
bolt/lib/Rewrite/RewriteInstance.cpp | 32 ++++++++++++-------
.../binary-analysis/AArch64/cmdline-args.test | 5 +--
.../binary-analysis/AArch64/gs-pauth-calls.s | 5 ++-
.../AArch64/gs-pauth-debug-output.s | 8 +++--
7 files changed, 43 insertions(+), 21 deletions(-)
diff --git a/bolt/include/bolt/Passes/PAuthGadgetScanner.h b/bolt/include/bolt/Passes/PAuthGadgetScanner.h
index 700059b814ab9..622e6721dea55 100644
--- a/bolt/include/bolt/Passes/PAuthGadgetScanner.h
+++ b/bolt/include/bolt/Passes/PAuthGadgetScanner.h
@@ -248,6 +248,9 @@ struct FunctionAnalysisResult {
};
class Analysis : public BinaryFunctionPass {
+ /// Only search for pac-ret violations.
+ bool PacRetGadgetsOnly;
+
void runOnFunction(BinaryFunction &Function,
MCPlusBuilder::AllocatorIdTy AllocatorId);
FunctionAnalysisResult findGadgets(BinaryFunction &BF,
@@ -261,7 +264,8 @@ class Analysis : public BinaryFunctionPass {
std::mutex AnalysisResultsMutex;
public:
- explicit Analysis() : BinaryFunctionPass(false) {}
+ explicit Analysis(bool PacRetGadgetsOnly)
+ : BinaryFunctionPass(false), PacRetGadgetsOnly(PacRetGadgetsOnly) {}
const char *getName() const override { return "pauth-gadget-scanner"; }
diff --git a/bolt/include/bolt/Utils/CommandLineOpts.h b/bolt/include/bolt/Utils/CommandLineOpts.h
index 19f8c6b2646d7..3de945f6a1507 100644
--- a/bolt/include/bolt/Utils/CommandLineOpts.h
+++ b/bolt/include/bolt/Utils/CommandLineOpts.h
@@ -81,9 +81,9 @@ extern llvm::cl::opt<unsigned> Verbosity;
/// Return true if we should process all functions in the binary.
bool processAllFunctions();
-enum GadgetScannerKind { GS_PACRET, GS_ALL };
+enum GadgetScannerKind { GS_PACRET, GS_PAUTH, GS_ALL };
-extern llvm::cl::list<GadgetScannerKind> GadgetScannersToRun;
+extern llvm::cl::bits<GadgetScannerKind> GadgetScannersToRun;
} // namespace opts
diff --git a/bolt/lib/Passes/PAuthGadgetScanner.cpp b/bolt/lib/Passes/PAuthGadgetScanner.cpp
index dcc7d93183900..a3b320c545734 100644
--- a/bolt/lib/Passes/PAuthGadgetScanner.cpp
+++ b/bolt/lib/Passes/PAuthGadgetScanner.cpp
@@ -504,6 +504,10 @@ Analysis::findGadgets(BinaryFunction &BF,
if (auto Report = shouldReportReturnGadget(BC, Inst, S))
Result.Diagnostics.push_back(Report);
+
+ if (PacRetGadgetsOnly)
+ continue;
+
if (auto Report = shouldReportCallGadget(BC, Inst, S))
Result.Diagnostics.push_back(Report);
}
diff --git a/bolt/lib/Rewrite/RewriteInstance.cpp b/bolt/lib/Rewrite/RewriteInstance.cpp
index 409c2bbe35d4e..6e95e3580c913 100644
--- a/bolt/lib/Rewrite/RewriteInstance.cpp
+++ b/bolt/lib/Rewrite/RewriteInstance.cpp
@@ -247,12 +247,14 @@ static cl::opt<bool> WriteBoltInfoSection(
"bolt-info", cl::desc("write bolt info section in the output binary"),
cl::init(true), cl::Hidden, cl::cat(BoltOutputCategory));
-cl::list<GadgetScannerKind>
- GadgetScannersToRun("scanners", cl::desc("which gadget scanners to run"),
- cl::values(clEnumValN(GS_PACRET, "pacret", "pac-ret"),
- clEnumValN(GS_ALL, "all", "all")),
- cl::ZeroOrMore, cl::CommaSeparated,
- cl::cat(BinaryAnalysisCategory));
+cl::bits<GadgetScannerKind> GadgetScannersToRun(
+ "scanners", cl::desc("which gadget scanners to run"),
+ cl::values(clEnumValN(GS_PACRET, "pacret",
+ "Return address protection (subset of \"pauth\")"),
+ clEnumValN(GS_PAUTH, "pauth",
+ "All Pointer Authentication scanners"),
+ clEnumValN(GS_ALL, "all", "All implemented scanners")),
+ cl::ZeroOrMore, cl::CommaSeparated, cl::cat(BinaryAnalysisCategory));
} // namespace opts
@@ -3539,12 +3541,18 @@ void RewriteInstance::runBinaryAnalyses() {
// FIXME: add a pass that warns about which functions do not have CFG,
// and therefore, analysis is most likely to be less accurate.
using GSK = opts::GadgetScannerKind;
- // if no command line option was given, act as if "all" was specified.
- if (opts::GadgetScannersToRun.empty())
- opts::GadgetScannersToRun.addValue(GSK::GS_ALL);
- for (GSK ScannerToRun : opts::GadgetScannersToRun) {
- if (ScannerToRun == GSK::GS_PACRET || ScannerToRun == GSK::GS_ALL)
- Manager.registerPass(std::make_unique<PAuthGadgetScanner::Analysis>());
+ using PAuthScanner = PAuthGadgetScanner::Analysis;
+
+ // If no command line option was given, act as if "all" was specified.
+ bool RunAll = !opts::GadgetScannersToRun.getBits() ||
+ opts::GadgetScannersToRun.isSet(GSK::GS_ALL);
+
+ if (RunAll || opts::GadgetScannersToRun.isSet(GSK::GS_PAUTH)) {
+ Manager.registerPass(
+ std::make_unique<PAuthScanner>(/*OnlyPacRetChecks=*/false));
+ } else if (RunAll || opts::GadgetScannersToRun.isSet(GSK::GS_PACRET)) {
+ Manager.registerPass(
+ std::make_unique<PAuthScanner>(/*OnlyPacRetChecks=*/true));
}
BC->logBOLTErrorsAndQuitOnFatal(Manager.runPasses());
diff --git a/bolt/test/binary-analysis/AArch64/cmdline-args.test b/bolt/test/binary-analysis/AArch64/cmdline-args.test
index 1204d5b1289af..17ae9a143ddf4 100644
--- a/bolt/test/binary-analysis/AArch64/cmdline-args.test
+++ b/bolt/test/binary-analysis/AArch64/cmdline-args.test
@@ -33,7 +33,8 @@ HELP-EMPTY:
HELP-NEXT: BinaryAnalysis options:
HELP-EMPTY:
HELP-NEXT: --scanners=<value> - which gadget scanners to run
-HELP-NEXT: =pacret - pac-ret
-HELP-NEXT: =all - all
+HELP-NEXT: =pacret - Return address protection (subset of "pauth")
+HELP-NEXT: =pauth - All Pointer Authentication scanners
+HELP-NEXT: =all - All implemented scanners
HELP-EMPTY:
HELP-NEXT: Generic Options:
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
index 3098e8ec954d2..a5c5becdc05d6 100644
--- a/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
@@ -1,5 +1,8 @@
// RUN: %clang %cflags -march=armv8.3-a %s -o %t.exe
-// RUN: llvm-bolt-binary-analysis --scanners=pacret %t.exe 2>&1 | FileCheck %s
+// RUN: llvm-bolt-binary-analysis --scanners=pacret %t.exe 2>&1 | FileCheck -check-prefix=PACRET %s
+// RUN: llvm-bolt-binary-analysis --scanners=pauth %t.exe 2>&1 | FileCheck %s
+
+// PACRET-NOT: non-protected call found in function
// FIXME In the below test cases, LR is usually not spilled as needed, as it is
// not checked by BOLT.
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
index 3376b79b5b814..b271cda9da62f 100644
--- a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
@@ -3,6 +3,8 @@
// RUN: %clang %cflags -march=armv8.3-a %s -o %t.exe
// RUN: llvm-bolt-binary-analysis --scanners=pacret -no-threads \
// RUN: -debug-only bolt-pauth-scanner %t.exe 2>&1 | FileCheck %s
+// RUN: llvm-bolt-binary-analysis --scanners=pauth -no-threads \
+// RUN: -debug-only bolt-pauth-scanner %t.exe 2>&1 | FileCheck -check-prefixes=CHECK,PAUTH %s
// Check the debug output generated by PAuth gadget scanner to make sure the
// that output is kept meaningful and to provide an overview of what happens
@@ -108,9 +110,9 @@ simple:
// CHECK-NEXT: <empty>
// CHECK-NEXT: End of Function "simple"
// CHECK-EMPTY:
-// CHECK-NEXT: Found call inst: 00000000: blr x0 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
-// CHECK-NEXT: Call destination reg: X0
-// CHECK-NEXT: SafeToDerefRegs: W0 X0 W0_HI{{[ \t]*$}}
+// PAUTH-NEXT: Found call inst: 00000000: blr x0 # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
+// PAUTH-NEXT: Call destination reg: X0
+// PAUTH-NEXT: SafeToDerefRegs: W0 X0 W0_HI{{[ \t]*$}}
// CHECK-NEXT: Found RET inst: 00000000: ret # PacRetAnalysis: pacret-state<SafeToDerefRegs: BitVector, Insts: >
// CHECK-NEXT: RetReg: LR
// CHECK-NEXT: Authenticated reg: (none)
>From a1516bb4eb6513776f194d8e6553c4e823bd2817 Mon Sep 17 00:00:00 2001
From: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
Date: Wed, 26 Mar 2025 14:57:35 +0300
Subject: [PATCH 3/6] Tests: spill LR, format, drop redundant cases
---
.../binary-analysis/AArch64/gs-pauth-calls.s | 388 +++++++++++-------
1 file changed, 243 insertions(+), 145 deletions(-)
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
index a5c5becdc05d6..0cff9b0cabcbc 100644
--- a/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
@@ -4,9 +4,6 @@
// PACRET-NOT: non-protected call found in function
-// FIXME In the below test cases, LR is usually not spilled as needed, as it is
-// not checked by BOLT.
-
.text
.globl good_direct_call
@@ -14,7 +11,12 @@
good_direct_call:
// CHECK-NOT: good_direct_call
paciasp
- bl callee_ext
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ bl callee_ext
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_direct_call, .-good_direct_call
@@ -24,8 +26,13 @@ good_direct_call:
good_indirect_call_arg:
// CHECK-NOT: good_indirect_call_arg
paciasp
- autia x0, x1
- blr x0
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ autia x0, x1
+ blr x0
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_indirect_call_arg, .-good_indirect_call_arg
@@ -35,9 +42,14 @@ good_indirect_call_arg:
good_indirect_call_mem:
// CHECK-NOT: good_indirect_call_mem
paciasp
- ldr x16, [x0]
- autia x16, x0
- blr x16
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x0
+ blr x16
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_indirect_call_mem, .-good_indirect_call_mem
@@ -47,7 +59,12 @@ good_indirect_call_mem:
good_indirect_call_arg_v83:
// CHECK-NOT: good_indirect_call_arg_v83
paciasp
- blraa x0, x1
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ blraa x0, x1
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_indirect_call_arg_v83, .-good_indirect_call_arg_v83
@@ -57,8 +74,13 @@ good_indirect_call_arg_v83:
good_indirect_call_mem_v83:
// CHECK-NOT: good_indirect_call_mem_v83
paciasp
- ldr x16, [x0]
- blraa x16, x0
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ blraa x16, x0
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_indirect_call_mem_v83, .-good_indirect_call_mem_v83
@@ -70,7 +92,12 @@ bad_indirect_call_arg:
// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
paciasp
- blr x0
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ blr x0
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_arg, .-bad_indirect_call_arg
@@ -84,13 +111,21 @@ bad_indirect_call_mem:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: {{[0-9a-f]+}}: mov x29, sp
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: ldp x29, x30, [sp], #0x10
// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
// CHECK-NEXT: {{[0-9a-f]+}}: ret
paciasp
- ldr x16, [x0]
- blr x16
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ blr x16
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_mem, .-bad_indirect_call_mem
@@ -104,15 +139,23 @@ bad_indirect_call_arg_clobber:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w0, w2
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: {{[0-9a-f]+}}: mov x29, sp
// CHECK-NEXT: {{[0-9a-f]+}}: autia x0, x1
// CHECK-NEXT: {{[0-9a-f]+}}: mov w0, w2
// CHECK-NEXT: {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: {{[0-9a-f]+}}: ldp x29, x30, [sp], #0x10
// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
// CHECK-NEXT: {{[0-9a-f]+}}: ret
paciasp
- autia x0, x1
- mov w0, w2
- blr x0
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ autia x0, x1
+ mov w0, w2
+ blr x0
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_arg_clobber, .-bad_indirect_call_arg_clobber
@@ -126,17 +169,25 @@ bad_indirect_call_mem_clobber:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: {{[0-9a-f]+}}: mov x29, sp
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x0
// CHECK-NEXT: {{[0-9a-f]+}}: mov w16, w2
// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: ldp x29, x30, [sp], #0x10
// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
// CHECK-NEXT: {{[0-9a-f]+}}: ret
paciasp
- ldr x16, [x0]
- autia x16, x0
- mov w16, w2
- blr x16
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x0
+ mov w16, w2
+ blr x16
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_mem_clobber, .-bad_indirect_call_mem_clobber
@@ -146,11 +197,16 @@ bad_indirect_call_mem_clobber:
good_indirect_call_mem_chain_of_auts:
// CHECK-NOT: good_indirect_call_mem_chain_of_auts
paciasp
- ldr x16, [x0]
- autia x16, x1
- ldr x16, [x16]
- autia x16, x0
- blr x16
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ autia x16, x0
+ blr x16
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_indirect_call_mem_chain_of_auts, .-good_indirect_call_mem_chain_of_auts
@@ -164,18 +220,26 @@ bad_indirect_call_mem_chain_of_auts:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: {{[0-9a-f]+}}: mov x29, sp
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x1
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x16]
// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
+// CHECK-NEXT: {{[0-9a-f]+}}: ldp x29, x30, [sp], #0x10
// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
// CHECK-NEXT: {{[0-9a-f]+}}: ret
paciasp
- ldr x16, [x0]
- autia x16, x1
- ldr x16, [x16]
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
// Missing AUT of x16. The fact that x16 was authenticated above has nothing to do with it.
- blr x16
+ blr x16
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_mem_chain_of_auts, .-bad_indirect_call_mem_chain_of_auts
@@ -192,11 +256,16 @@ bad_indirect_call_mem_chain_of_auts:
good_indirect_call_arg_multi_bb:
// CHECK-NOT: good_indirect_call_arg_multi_bb
paciasp
- autia x0, x1
- cbz x2, 1f
- blr x0
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ autia x0, x1
+ cbz x2, 1f
+ blr x0
1:
- ldr x1, [x0]
+ ldr x1, [x0] // prevent authentication oracle
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_indirect_call_arg_multi_bb, .-good_indirect_call_arg_multi_bb
@@ -206,12 +275,17 @@ good_indirect_call_arg_multi_bb:
good_indirect_call_mem_multi_bb:
// CHECK-NOT: good_indirect_call_mem_multi_bb
paciasp
- ldr x16, [x0]
- autia x16, x0
- cbz x2, 1f
- blr x16
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ blr x16
1:
- ldr w0, [x16]
+ ldr w0, [x16] // prevent authentication oracle
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_indirect_call_mem_multi_bb, .-good_indirect_call_mem_multi_bb
@@ -223,10 +297,15 @@ bad_indirect_call_arg_multi_bb:
// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x0
// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
paciasp
- cbz x2, 1f
- autia x0, x1
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ cbz x2, 1f
+ autia x0, x1
1:
- blr x0
+ blr x0
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_arg_multi_bb, .-bad_indirect_call_arg_multi_bb
@@ -239,11 +318,16 @@ bad_indirect_call_mem_multi_bb:
// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
paciasp
- ldr x16, [x0]
- cbz x2, 1f
- autia x16, x1
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ cbz x2, 1f
+ autia x16, x1
1:
- blr x16
+ blr x16
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_mem_multi_bb, .-bad_indirect_call_mem_multi_bb
@@ -256,11 +340,16 @@ bad_indirect_call_arg_clobber_multi_bb:
// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w0, w3
paciasp
- autia x0, x1
- cbz x2, 1f
- mov w0, w3
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ autia x0, x1
+ cbz x2, 1f
+ mov w0, w3
1:
- blr x0
+ blr x0
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_arg_clobber_multi_bb, .-bad_indirect_call_arg_clobber_multi_bb
@@ -273,12 +362,17 @@ bad_indirect_call_mem_clobber_multi_bb:
// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
paciasp
- ldr x16, [x0]
- autia x16, x0
- cbz x2, 1f
- mov w16, w2
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ mov w16, w2
1:
- blr x16
+ blr x16
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size bad_indirect_call_mem_clobber_multi_bb, .-bad_indirect_call_mem_clobber_multi_bb
@@ -288,14 +382,19 @@ bad_indirect_call_mem_clobber_multi_bb:
good_indirect_call_mem_chain_of_auts_multi_bb:
// CHECK-NOT: good_indirect_call_mem_chain_of_auts_multi_bb
paciasp
- ldr x16, [x0]
- autia x16, x1
- ldr x16, [x16]
- autia x16, x0
- cbz x2, 1f
- blr x16
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ autia x16, x0
+ cbz x2, 1f
+ blr x16
1:
- ldr w0, [x16]
+ ldr w0, [x16] // prevent authentication oracle
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size good_indirect_call_mem_chain_of_auts_multi_bb, .-good_indirect_call_mem_chain_of_auts_multi_bb
@@ -308,47 +407,21 @@ bad_indirect_call_mem_chain_of_auts_multi_bb:
// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
paciasp
- ldr x16, [x0]
- autia x16, x1
- ldr x16, [x16]
- cbz x2, 1f
- autia x16, x0
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
+ cbz x2, 1f
+ autia x16, x0
1:
- blr x16
- autiasp
- ret
- .size bad_indirect_call_mem_chain_of_auts_multi_bb, .-bad_indirect_call_mem_chain_of_auts_multi_bb
-
-// Test that noreturn function calls via BR are checked as well.
-
- .globl good_indirect_noreturn_call
- .type good_indirect_noreturn_call, at function
-good_indirect_noreturn_call:
-// CHECK-NOT: good_indirect_noreturn_call
- paciasp
- cbz x0, 2f
- autiasp
- ldr w1, [x30]
- autia x0, x1
- br x0
-2:
- autiasp
- ret
- .size good_indirect_noreturn_call, .-good_indirect_noreturn_call
+ blr x16
- .globl bad_indirect_noreturn_call
- .type bad_indirect_noreturn_call, at function
-bad_indirect_noreturn_call:
-// CHECK-LABEL: GS-PAUTH: non-protected call found in function bad_indirect_noreturn_call, basic block .LFT{{[0-9]+}}, at address
-// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x0
-// CHECK-NEXT: The 0 instructions that write to the affected registers after any authentication are:
- paciasp
- cbz x0, 2f
- br x0
-2:
+ ldp x29, x30, [sp], #16
autiasp
ret
- .size bad_indirect_noreturn_call, .-bad_indirect_noreturn_call
+ .size bad_indirect_call_mem_chain_of_auts_multi_bb, .-bad_indirect_call_mem_chain_of_auts_multi_bb
// Test tail calls. To somewhat decrease the number of test cases and not
// duplicate all of the above, only implement "mem" variant of test cases and
@@ -358,24 +431,24 @@ bad_indirect_noreturn_call:
.type good_direct_tailcall, at function
good_direct_tailcall:
// CHECK-NOT: good_direct_tailcall
- b callee_ext
+ b callee_ext
.size good_direct_tailcall, .-good_direct_tailcall
.globl good_indirect_tailcall_mem
.type good_indirect_tailcall_mem, at function
good_indirect_tailcall_mem:
// CHECK-NOT: good_indirect_tailcall_mem
- ldr x16, [x0]
- autia x16, x0
- br x16
+ ldr x16, [x0]
+ autia x16, x0
+ br x16
.size good_indirect_tailcall_mem, .-good_indirect_tailcall_mem
.globl good_indirect_tailcall_mem_v83
.type good_indirect_tailcall_mem_v83, at function
good_indirect_tailcall_mem_v83:
// CHECK-NOT: good_indirect_tailcall_mem_v83
- ldr x16, [x0]
- braa x16, x0
+ ldr x16, [x0]
+ braa x16, x0
.size good_indirect_tailcall_mem_v83, .-good_indirect_tailcall_mem_v83
.globl bad_indirect_tailcall_mem
@@ -388,8 +461,8 @@ bad_indirect_tailcall_mem:
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
// CHECK-NEXT: {{[0-9a-f]+}}: br x16
- ldr x16, [x0]
- br x16
+ ldr x16, [x0]
+ br x16
.size bad_indirect_tailcall_mem, .-bad_indirect_tailcall_mem
.globl bad_indirect_tailcall_mem_clobber
@@ -404,10 +477,10 @@ bad_indirect_tailcall_mem_clobber:
// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x0
// CHECK-NEXT: {{[0-9a-f]+}}: mov w16, w2
// CHECK-NEXT: {{[0-9a-f]+}}: br x16
- ldr x16, [x0]
- autia x16, x0
- mov w16, w2
- br x16
+ ldr x16, [x0]
+ autia x16, x0
+ mov w16, w2
+ br x16
.size bad_indirect_tailcall_mem_clobber, .-bad_indirect_tailcall_mem_clobber
.globl bad_indirect_tailcall_mem_chain_of_auts
@@ -422,11 +495,11 @@ bad_indirect_tailcall_mem_chain_of_auts:
// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x1
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x16]
// CHECK-NEXT: {{[0-9a-f]+}}: br x16
- ldr x16, [x0]
- autia x16, x1
- ldr x16, [x16]
+ ldr x16, [x0]
+ autia x16, x1
+ ldr x16, [x16]
// Missing AUT of x16. The fact that x16 was authenticated above has nothing to do with it.
- br x16
+ br x16
.size bad_indirect_tailcall_mem_chain_of_auts, .-bad_indirect_tailcall_mem_chain_of_auts
.globl bad_indirect_tailcall_mem_multi_bb
@@ -436,11 +509,11 @@ bad_indirect_tailcall_mem_multi_bb:
// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
- ldr x16, [x0]
- cbz x2, 1f
- autia x16, x1
+ ldr x16, [x0]
+ cbz x2, 1f
+ autia x16, x1
1:
- br x16
+ br x16
.size bad_indirect_tailcall_mem_multi_bb, .-bad_indirect_tailcall_mem_multi_bb
.globl bad_indirect_tailcall_mem_clobber_multi_bb
@@ -450,12 +523,12 @@ bad_indirect_tailcall_mem_clobber_multi_bb:
// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: br x16
// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: mov w16, w2
- ldr x16, [x0]
- autia x16, x0
- cbz x2, 1f
- mov w16, w2
+ ldr x16, [x0]
+ autia x16, x0
+ cbz x2, 1f
+ mov w16, w2
1:
- br x16
+ br x16
.size bad_indirect_tailcall_mem_clobber_multi_bb, .-bad_indirect_tailcall_mem_clobber_multi_bb
// Test that calling a function is considered as invalidating safety of every
@@ -497,39 +570,41 @@ direct_call_invalidates_safety:
// CHECK-NEXT: The instruction is {{[0-9a-f]+}}: blr x20
// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: bl
-
paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
mov x2, x0
autiza x2
- bl callee_ext
+ bl callee_ext
blr x2
mov x8, x0
autiza x8
- bl callee_ext
+ bl callee_ext
blr x8
mov x10, x0
autiza x10
- bl callee_ext
+ bl callee_ext
blr x10
mov x16, x0
autiza x16
- bl callee_ext
+ bl callee_ext
blr x16
mov x18, x0
autiza x18
- bl callee_ext
+ bl callee_ext
blr x18
mov x20, x0
autiza x20
- bl callee_ext
+ bl callee_ext
blr x20
+ ldp x29, x30, [sp], #16
autiasp
ret
.size direct_call_invalidates_safety, .-direct_call_invalidates_safety
@@ -573,8 +648,9 @@ indirect_call_invalidates_safety:
// CHECK-NEXT: The 1 instructions that write to the affected registers after any authentication are:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: blr x20
// CHECK-NOT: The instruction is {{[0-9a-f]+}}: blr x20
-
paciasp
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
mov x2, x0
autiza x2
@@ -583,29 +659,30 @@ indirect_call_invalidates_safety:
mov x8, x0
autiza x8
- blr x8 // protected call, but makes x2 unsafe
+ blr x8 // protected call, but makes x8 unsafe
blr x8 // unprotected call
mov x10, x0
autiza x10
- blr x10 // protected call, but makes x2 unsafe
+ blr x10 // protected call, but makes x10 unsafe
blr x10 // unprotected call
mov x16, x0
autiza x16
- blr x16 // protected call, but makes x2 unsafe
+ blr x16 // protected call, but makes x16 unsafe
blr x16 // unprotected call
mov x19, x0
autiza x18
- blr x18 // protected call, but makes x2 unsafe
+ blr x18 // protected call, but makes x18 unsafe
blr x18 // unprotected call
mov x20, x0
autiza x20
- blr x20 // protected call, but makes x2 unsafe
+ blr x20 // protected call, but makes x20 unsafe
blr x20 // unprotected call
+ ldp x29, x30, [sp], #16
autiasp
ret
.size indirect_call_invalidates_safety, .-indirect_call_invalidates_safety
@@ -621,19 +698,29 @@ blraa_no_mark_safe:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: blraa x0, x1
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: {{[0-9a-f]+}}: mov x29, sp
// CHECK-NEXT: {{[0-9a-f]+}}: blraa x0, x1
// CHECK-NEXT: {{[0-9a-f]+}}: blr x0
+// CHECK-NEXT: {{[0-9a-f]+}}: ldp x29, x30, [sp], #0x10
// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
// CHECK-NEXT: {{[0-9a-f]+}}: ret
paciasp
- blraa x0, x1 // safe, no write-back, clobbers everything
- blr x0 // unsafe
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ blraa x0, x1 // safe, no write-back, clobbers everything
+ blr x0 // unsafe
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size blraa_no_mark_safe, .-blraa_no_mark_safe
// Check that the correct set of registers is used to compute the set of last
-// writing instructions.
+// writing instructions: both x16 and x17 are tracked in this function, but
+// only one particular register is used to compute the set of clobbering
+// instructions in each report.
.globl last_insts_writing_to_reg
.type last_insts_writing_to_reg, at function
@@ -644,10 +731,13 @@ last_insts_writing_to_reg:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x0]
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: {{[0-9a-f]+}}: mov x29, sp
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x17, [x1]
// CHECK-NEXT: {{[0-9a-f]+}}: blr x17
+// CHECK-NEXT: {{[0-9a-f]+}}: ldp x29, x30, [sp], #0x10
// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
// CHECK-NEXT: {{[0-9a-f]+}}: ret
// CHECK-LABEL: GS-PAUTH: non-protected call found in function last_insts_writing_to_reg, basic block {{[^,]+}}, at address
@@ -656,17 +746,25 @@ last_insts_writing_to_reg:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x17, [x1]
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: paciasp
+// CHECK-NEXT: {{[0-9a-f]+}}: stp x29, x30, [sp, #-0x10]!
+// CHECK-NEXT: {{[0-9a-f]+}}: mov x29, sp
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x17, [x1]
// CHECK-NEXT: {{[0-9a-f]+}}: blr x17
+// CHECK-NEXT: {{[0-9a-f]+}}: ldp x29, x30, [sp], #0x10
// CHECK-NEXT: {{[0-9a-f]+}}: autiasp
// CHECK-NEXT: {{[0-9a-f]+}}: ret
paciasp
- ldr x16, [x0]
- blr x16
- ldr x17, [x1]
- blr x17
+ stp x29, x30, [sp, #-16]!
+ mov x29, sp
+
+ ldr x16, [x0]
+ blr x16
+ ldr x17, [x1]
+ blr x17
+
+ ldp x29, x30, [sp], #16
autiasp
ret
.size last_insts_writing_to_reg, .-last_insts_writing_to_reg
>From bbd4791a3e4bc4c44e27e8e187978ae35c1e845f Mon Sep 17 00:00:00 2001
From: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
Date: Wed, 26 Mar 2025 14:58:48 +0300
Subject: [PATCH 4/6] Streamline getRegUsedAsCallDest()
---
.../Target/AArch64/AArch64MCPlusBuilder.cpp | 21 +++----------------
1 file changed, 3 insertions(+), 18 deletions(-)
diff --git a/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp b/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
index 9ce1514639f95..9b01b39251c29 100644
--- a/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
+++ b/bolt/lib/Target/AArch64/AArch64MCPlusBuilder.cpp
@@ -284,23 +284,6 @@ class AArch64MCPlusBuilder : public MCPlusBuilder {
IsAuthenticatedInternally = false;
switch (Inst.getOpcode()) {
- case AArch64::B:
- case AArch64::BL:
- assert(Inst.getOperand(0).isExpr());
- return getNoRegister();
- case AArch64::Bcc:
- case AArch64::CBNZW:
- case AArch64::CBNZX:
- case AArch64::CBZW:
- case AArch64::CBZX:
- assert(Inst.getOperand(1).isExpr());
- return getNoRegister();
- case AArch64::TBNZW:
- case AArch64::TBNZX:
- case AArch64::TBZW:
- case AArch64::TBZX:
- assert(Inst.getOperand(2).isExpr());
- return getNoRegister();
case AArch64::BR:
case AArch64::BLR:
return Inst.getOperand(0).getReg();
@@ -315,7 +298,9 @@ class AArch64MCPlusBuilder : public MCPlusBuilder {
IsAuthenticatedInternally = true;
return Inst.getOperand(0).getReg();
default:
- llvm_unreachable("Unhandled call instruction");
+ if (isIndirectCall(Inst) || isIndirectBranch(Inst))
+ llvm_unreachable("Unhandled indirect branch");
+ return getNoRegister();
}
}
>From 8865d1ac35a1d1b34229db2243c9d825d63285df Mon Sep 17 00:00:00 2001
From: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
Date: Wed, 26 Mar 2025 19:25:37 +0300
Subject: [PATCH 5/6] Address the review comments
---
bolt/lib/Rewrite/RewriteInstance.cpp | 2 +-
.../test/binary-analysis/AArch64/cmdline-args.test | 2 +-
bolt/test/binary-analysis/AArch64/gs-pauth-calls.s | 14 +++++++-------
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/bolt/lib/Rewrite/RewriteInstance.cpp b/bolt/lib/Rewrite/RewriteInstance.cpp
index 6e95e3580c913..b400c5caa8226 100644
--- a/bolt/lib/Rewrite/RewriteInstance.cpp
+++ b/bolt/lib/Rewrite/RewriteInstance.cpp
@@ -250,7 +250,7 @@ static cl::opt<bool> WriteBoltInfoSection(
cl::bits<GadgetScannerKind> GadgetScannersToRun(
"scanners", cl::desc("which gadget scanners to run"),
cl::values(clEnumValN(GS_PACRET, "pacret",
- "Return address protection (subset of \"pauth\")"),
+ "pac-ret: return address protection (subset of \"pauth\")"),
clEnumValN(GS_PAUTH, "pauth",
"All Pointer Authentication scanners"),
clEnumValN(GS_ALL, "all", "All implemented scanners")),
diff --git a/bolt/test/binary-analysis/AArch64/cmdline-args.test b/bolt/test/binary-analysis/AArch64/cmdline-args.test
index 17ae9a143ddf4..76f7c3ba0a1c7 100644
--- a/bolt/test/binary-analysis/AArch64/cmdline-args.test
+++ b/bolt/test/binary-analysis/AArch64/cmdline-args.test
@@ -33,7 +33,7 @@ HELP-EMPTY:
HELP-NEXT: BinaryAnalysis options:
HELP-EMPTY:
HELP-NEXT: --scanners=<value> - which gadget scanners to run
-HELP-NEXT: =pacret - Return address protection (subset of "pauth")
+HELP-NEXT: =pacret - pac-ret: return address protection (subset of "pauth")
HELP-NEXT: =pauth - All Pointer Authentication scanners
HELP-NEXT: =all - All implemented scanners
HELP-EMPTY:
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
index 0cff9b0cabcbc..9b26c4b1b26ed 100644
--- a/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-calls.s
@@ -201,7 +201,7 @@ good_indirect_call_mem_chain_of_auts:
mov x29, sp
ldr x16, [x0]
- autia x16, x1
+ autda x16, x1
ldr x16, [x16]
autia x16, x0
blr x16
@@ -223,7 +223,7 @@ bad_indirect_call_mem_chain_of_auts:
// CHECK-NEXT: {{[0-9a-f]+}}: stp x29, x30, [sp, #-0x10]!
// CHECK-NEXT: {{[0-9a-f]+}}: mov x29, sp
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
-// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: autda x16, x1
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x16]
// CHECK-NEXT: {{[0-9a-f]+}}: blr x16
// CHECK-NEXT: {{[0-9a-f]+}}: ldp x29, x30, [sp], #0x10
@@ -234,7 +234,7 @@ bad_indirect_call_mem_chain_of_auts:
mov x29, sp
ldr x16, [x0]
- autia x16, x1
+ autda x16, x1
ldr x16, [x16]
// Missing AUT of x16. The fact that x16 was authenticated above has nothing to do with it.
blr x16
@@ -386,7 +386,7 @@ good_indirect_call_mem_chain_of_auts_multi_bb:
mov x29, sp
ldr x16, [x0]
- autia x16, x1
+ autda x16, x1
ldr x16, [x16]
autia x16, x0
cbz x2, 1f
@@ -411,7 +411,7 @@ bad_indirect_call_mem_chain_of_auts_multi_bb:
mov x29, sp
ldr x16, [x0]
- autia x16, x1
+ autda x16, x1
ldr x16, [x16]
cbz x2, 1f
autia x16, x0
@@ -492,11 +492,11 @@ bad_indirect_tailcall_mem_chain_of_auts:
// CHECK-NEXT: 1. {{[0-9a-f]+}}: ldr x16, [x16]
// CHECK-NEXT: This happens in the following basic block:
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x0]
-// CHECK-NEXT: {{[0-9a-f]+}}: autia x16, x1
+// CHECK-NEXT: {{[0-9a-f]+}}: autda x16, x1
// CHECK-NEXT: {{[0-9a-f]+}}: ldr x16, [x16]
// CHECK-NEXT: {{[0-9a-f]+}}: br x16
ldr x16, [x0]
- autia x16, x1
+ autda x16, x1
ldr x16, [x16]
// Missing AUT of x16. The fact that x16 was authenticated above has nothing to do with it.
br x16
>From 656e100d6d5c5e5d80e479ce792bbfb1c640ba2e Mon Sep 17 00:00:00 2001
From: Anatoly Trosinenko <atrosinenko at accesssoftek.com>
Date: Wed, 26 Mar 2025 19:50:30 +0300
Subject: [PATCH 6/6] Fix formatting
---
bolt/lib/Rewrite/RewriteInstance.cpp | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/bolt/lib/Rewrite/RewriteInstance.cpp b/bolt/lib/Rewrite/RewriteInstance.cpp
index b400c5caa8226..627ccd30add39 100644
--- a/bolt/lib/Rewrite/RewriteInstance.cpp
+++ b/bolt/lib/Rewrite/RewriteInstance.cpp
@@ -249,11 +249,11 @@ static cl::opt<bool> WriteBoltInfoSection(
cl::bits<GadgetScannerKind> GadgetScannersToRun(
"scanners", cl::desc("which gadget scanners to run"),
- cl::values(clEnumValN(GS_PACRET, "pacret",
- "pac-ret: return address protection (subset of \"pauth\")"),
- clEnumValN(GS_PAUTH, "pauth",
- "All Pointer Authentication scanners"),
- clEnumValN(GS_ALL, "all", "All implemented scanners")),
+ cl::values(
+ clEnumValN(GS_PACRET, "pacret",
+ "pac-ret: return address protection (subset of \"pauth\")"),
+ clEnumValN(GS_PAUTH, "pauth", "All Pointer Authentication scanners"),
+ clEnumValN(GS_ALL, "all", "All implemented scanners")),
cl::ZeroOrMore, cl::CommaSeparated, cl::cat(BinaryAnalysisCategory));
} // namespace opts
More information about the llvm-commits
mailing list