[compiler-rt] [libcxxabi] [libunwind] [runtimes][PAC] Harden unwinding when possible (#138571) (PR #143230)
Anatoly Trosinenko via llvm-commits
llvm-commits at lists.llvm.org
Wed Jun 18 13:35:21 PDT 2025
================
@@ -238,7 +282,20 @@ COMPILER_RT_ABI _Unwind_Reason_Code __gcc_personality_v0(
_Unwind_SetGR(context, __builtin_eh_return_data_regno(0),
(uintptr_t)exceptionObject);
_Unwind_SetGR(context, __builtin_eh_return_data_regno(1), 0);
- _Unwind_SetIP(context, (funcStart + landingPad));
+#define LANDING_PAD_DISCRIMINATOR "__gcc_personality_v0'landingPad"
+ size_t PERSONALITY_PTRAUTH_RI_RA(LANDING_PAD_DISCRIMINATOR) landingPad =
+ funcStart + landingPadOffset;
+#if defined(__APPLE__) && __has_feature(ptrauth_qualifier)
+ uintptr_t stack_pointer = _Unwind_GetGR(context, -2);
+ const uintptr_t existingDiscriminator = ptrauth_blend_discriminator(
+ &landingPad, ptrauth_string_discriminator(LANDING_PAD_DISCRIMINATOR));
+ uintptr_t newIP = (uintptr_t)ptrauth_auth_and_resign(
+ *(void **)&landingPad, ptrauth_key_function_pointer,
+ existingDiscriminator, ptrauth_key_return_address, stack_pointer);
+ _Unwind_SetIP(context, newIP);
+#else
+ _Unwind_SetIP(context, landingPad);
+#endif
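Review bot: `_Unwind_GetGR(context, -2)` in the `__APPLE__` branch passes a bare `-2` as the register index, and only the variable name `stack_pointer` hints at what it selects. Use a named constant, or add a comment stating that this index is the stack pointer, since that value becomes the discriminator for the re-signed return address. The `*(void **)&landingPad` read also deserves a one-line comment saying that the cast is there to fetch the still-signed value for `ptrauth_auth_and_resign`. Finally, `LANDING_PAD_DISCRIMINATOR` is defined in the middle of the function body with no `#undef` in the lines shown; consider defining it at file scope or undefining it after the `#endif`.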
----------------
atrosinenko wrote:
This seems to assume `__has_feature(ptrauth_returns)` as well. On the other hand, I doubt we expect any valid build configuration to have `__has_feature(ptrauth_calls) == true` and `__has_feature(ptrauth_returns) == false`, so something as simple as
```cpp
#if !__has_feature(ptrauth_returns)
#error Hardened libunwind expects pac-ret
#endif
```
should be perfectly enough for the sake of documenting this dependency and just to be sure :)
But what if we build libunwind on AArch64 **with** pac-ret, but **without** extra libunwind hardening (`ptrauth_calls` feature is false, unsupported platform, etc.): we probably want to manually apply a pac-ret-style protection to the argument passed to `_Unwind_SetIP` (and we will probably crash at some later point if pac-ret-style protection is not applied). Probably, a simplified version of this code should be added under
```cpp
_Unwind_SetIP(context, newIP);
#elif __has_feature(ptrauth_returns)
// Just sign unprotected newIP with stack pointer and pass it to _Unwind_SetIP
#else
_Unwind_SetIP(context, landingPad);
#endif
```
https://github.com/llvm/llvm-project/pull/143230