[llvm] [BOLT] Gadget scanner: account for BRK when searching for auth oracles (PR #137975)
Kristof Beyls via llvm-commits
llvm-commits at lists.llvm.org
Thu Aug 21 06:51:44 PDT 2025
================
@@ -1751,6 +1750,25 @@ class AArch64MCPlusBuilder : public MCPlusBuilder {
Inst.addOperand(MCOperand::createImm(0));
}
+ bool isTrap(const MCInst &Inst) const override {
+ if (Inst.getOpcode() != AArch64::BRK)
+ return false;
+ // Only match the immediate values that are likely to indicate this BRK
+ // instruction is emitted to terminate the program immediately and not to
+ // be handled by a SIGTRAP handler, for example.
+ switch (Inst.getOperand(0).getImm()) {
+ case 0xc470:
+ case 0xc471:
+ case 0xc472:
+ case 0xc473:
+ // Explicit Pointer Authentication check failed, see
+ // AArch64AsmPrinter::emitPtrauthCheckAuthenticatedValue().
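Review bot: the four immediates 0xc470..0xc473 are duplicated here by value with nothing shared with AArch64AsmPrinter::emitPtrauthCheckAuthenticatedValue(), so if the emitter's immediates ever change the scanner silently stops recognising the trap; consider hoisting them into a named constant or enum in a header both sides include, or at minimum adding a comment at the emitter pointing back at this switch so the two stay in sync. The comment in this hunk should also say what the range encodes (which immediate corresponds to which check) rather than only naming the function that emits it, since the reader of isTrap() has no other way to audit the list. As quoted, the hunk ends inside the switch, so the handling of other immediates (the default case) is not visible here.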
----------------
kbeyls wrote:
Thank you for investigating this in detail!
It is unfortunate that we have to hard-code assumptions of what the meanings are of specific immediates in the `brk` instruction. Really, this is some form of non-documented "ABI" now.
Anyway, I agree that what you've implemented in the current version of this patch seems to be the most reasonable way to implement this.
https://github.com/llvm/llvm-project/pull/137975
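The discussion above concerns treating only a known set of BRK immediates as program-terminating traps. As an added illustration that is not part of the patch or of LLVM, the following stand-alone C++ decodes raw AArch64 instruction words, extracts the imm16 of a BRK, and applies the same classification as the quoted isTrap() hunk over a constructed code buffer. It assumes the architectural BRK encoding (fixed bits 0xD4200000 with imm16 in bits 5..20) and takes the 0xc470..0xc473 set exactly as listed in the hunk; the helper names and the sample buffer are the author's own.

```cpp
// Added example (not LLVM code): decode AArch64 BRK instructions from raw
// little-endian instruction words and classify their immediates the way the
// quoted isTrap() hunk does.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// BRK #imm16 encoding: 1101 0100 001 imm16 000 00, i.e. 0xD4200000 | imm16 << 5.
constexpr uint32_t BRK_FIXED = 0xD4200000u;
constexpr uint32_t BRK_MASK = 0xFFE0001Fu; // all bits except imm16

uint32_t encodeBrk(uint16_t Imm) {
  return BRK_FIXED | (static_cast<uint32_t>(Imm) << 5);
}

// Returns imm16 if Word encodes a BRK, otherwise nullopt.
std::optional<uint16_t> decodeBrkImm(uint32_t Word) {
  if ((Word & BRK_MASK) != BRK_FIXED)
    return std::nullopt;
  return static_cast<uint16_t>((Word >> 5) & 0xFFFFu);
}

// Same policy as the hunk: only immediates known to be emitted as terminating
// traps count. 0xc470..0xc473 are the explicit pointer-authentication
// check-failure immediates listed in the patch; any other BRK (e.g. a debugger
// breakpoint a SIGTRAP handler might resume from) is deliberately not a trap.
bool isTerminatingTrapImm(uint16_t Imm) {
  switch (Imm) {
  case 0xc470:
  case 0xc471:
  case 0xc472:
  case 0xc473:
    return true;
  default:
    return false;
  }
}

bool isTrapWord(uint32_t Word) {
  std::optional<uint16_t> Imm = decodeBrkImm(Word);
  return Imm.has_value() && isTerminatingTrapImm(*Imm);
}

// Read a little-endian 32-bit instruction word at byte offset Off.
uint32_t readWordLE(const std::vector<uint8_t> &Code, size_t Off) {
  return static_cast<uint32_t>(Code[Off]) |
         (static_cast<uint32_t>(Code[Off + 1]) << 8) |
         (static_cast<uint32_t>(Code[Off + 2]) << 16) |
         (static_cast<uint32_t>(Code[Off + 3]) << 24);
}

// Scan a code buffer in 4-byte steps; returns byte offsets of terminating traps.
std::vector<size_t> findTraps(const std::vector<uint8_t> &Code) {
  std::vector<size_t> Offsets;
  for (size_t Off = 0; Off + 4 <= Code.size(); Off += 4)
    if (isTrapWord(readWordLE(Code, Off)))
      Offsets.push_back(Off);
  return Offsets;
}

// Constructed sample buffer (assumption, not from any real binary):
//   nop; brk #0xc470; brk #1; ret
std::vector<uint8_t> sampleCode() {
  const uint32_t Words[] = {0xD503201Fu, encodeBrk(0xc470), encodeBrk(1),
                            0xD65F03C0u};
  std::vector<uint8_t> Code;
  for (uint32_t W : Words)
    for (int I = 0; I < 4; ++I)
      Code.push_back(static_cast<uint8_t>((W >> (8 * I)) & 0xFFu));
  return Code;
}
```

Running findTraps(sampleCode()) reports only offset 4: the BRK #0xc470 is recognised as a terminating trap, while BRK #1 is decoded but rejected by the immediate policy, mirroring the distinction the hunk's comment draws.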