File Manager

003 File Manager

Current Path: /usr/src/contrib/llvm-project/llvm/lib/Target/X86

usr / src / contrib / llvm-project / llvm / lib / Target / X86 /

📁 ..
📁 AsmParser
📁 Disassembler
📄 ImmutableGraph.h(15.15 KB)
📁 MCTargetDesc
📁 TargetInfo
📄 X86.h(7.41 KB)
📄 X86.td(68.44 KB)
📄 X86AsmPrinter.cpp(27.18 KB)
📄 X86AsmPrinter.h(5.96 KB)
📄 X86AvoidStoreForwardingBlocks.cpp(27.94 KB)
📄 X86AvoidTrailingCall.cpp(4.91 KB)
📄 X86CallFrameOptimization.cpp(23.07 KB)
📄 X86CallLowering.cpp(17.62 KB)
📄 X86CallLowering.h(1.74 KB)
📄 X86CallingConv.cpp(13.34 KB)
📄 X86CallingConv.h(1.09 KB)
📄 X86CallingConv.td(46.15 KB)
📄 X86CmovConversion.cpp(34.07 KB)
📄 X86CondBrFolding.cpp(18.4 KB)
📄 X86DiscriminateMemOps.cpp(7.11 KB)
📄 X86DomainReassignment.cpp(25.87 KB)
📄 X86EvexToVex.cpp(8.8 KB)
📄 X86ExpandPseudo.cpp(16.95 KB)
📄 X86FastISel.cpp(139.28 KB)
📄 X86FixupBWInsts.cpp(18.09 KB)
📄 X86FixupLEAs.cpp(24.44 KB)
📄 X86FixupSetCC.cpp(4.44 KB)
📄 X86FlagsCopyLowering.cpp(40.36 KB)
📄 X86FloatingPoint.cpp(62.66 KB)
📄 X86FrameLowering.cpp(138.71 KB)
📄 X86FrameLowering.h(11.64 KB)
📄 X86GenRegisterBankInfo.def(3.32 KB)
📄 X86ISelDAGToDAG.cpp(208.37 KB)
📄 X86ISelLowering.cpp(1.94 MB)
📄 X86ISelLowering.h(60.88 KB)
📄 X86IndirectBranchTracking.cpp(6.17 KB)
📄 X86IndirectThunks.cpp(9.78 KB)
📄 X86InsertPrefetch.cpp(9.64 KB)
📄 X86InsertWait.cpp(4.47 KB)
📄 X86Instr3DNow.td(5.24 KB)
📄 X86InstrAMX.td(5.6 KB)
📄 X86InstrAVX512.td(653.76 KB)
📄 X86InstrArithmetic.td(75.61 KB)
📄 X86InstrBuilder.h(8.45 KB)
📄 X86InstrCMovSetCC.td(5.76 KB)
📄 X86InstrCompiler.td(95.78 KB)
📄 X86InstrControl.td(20.53 KB)
📄 X86InstrExtension.td(11.64 KB)
📄 X86InstrFMA.td(33.23 KB)
📄 X86InstrFMA3Info.cpp(6.21 KB)
📄 X86InstrFMA3Info.h(3.25 KB)
📄 X86InstrFPStack.td(39.52 KB)
📄 X86InstrFoldTables.cpp(393.01 KB)
📄 X86InstrFoldTables.h(3.03 KB)
📄 X86InstrFormats.td(41.05 KB)
📄 X86InstrFragmentsSIMD.td(61.14 KB)
📄 X86InstrInfo.cpp(322.72 KB)
📄 X86InstrInfo.h(29.34 KB)
📄 X86InstrInfo.td(169.76 KB)
📄 X86InstrMMX.td(29.55 KB)
📄 X86InstrMPX.td(3.63 KB)
📄 X86InstrSGX.td(1.12 KB)
📄 X86InstrSSE.td(385.01 KB)
📄 X86InstrSVM.td(2.16 KB)
📄 X86InstrShiftRotate.td(49.56 KB)
📄 X86InstrSystem.td(34.03 KB)
📄 X86InstrTSX.td(2.1 KB)
📄 X86InstrVMX.td(3.53 KB)
📄 X86InstrVecCompiler.td(21.09 KB)
📄 X86InstrXOP.td(23.81 KB)
📄 X86InstructionSelector.cpp(61.11 KB)
📄 X86InterleavedAccess.cpp(32.7 KB)
📄 X86IntrinsicsInfo.h(73.96 KB)
📄 X86LegalizerInfo.cpp(15.6 KB)
📄 X86LegalizerInfo.h(1.65 KB)
📄 X86LoadValueInjectionLoadHardening.cpp(32.4 KB)
📄 X86LoadValueInjectionRetHardening.cpp(4.93 KB)
📄 X86MCInstLower.cpp(96.53 KB)
📄 X86MachineFunctionInfo.cpp(1.1 KB)
📄 X86MachineFunctionInfo.h(8.87 KB)
📄 X86MacroFusion.cpp(2.62 KB)
📄 X86MacroFusion.h(992 B)
📄 X86OptimizeLEAs.cpp(27.47 KB)
📄 X86PadShortFunction.cpp(7.33 KB)
📄 X86PartialReduction.cpp(15.46 KB)
📄 X86PfmCounters.td(10.18 KB)
📄 X86RegisterBankInfo.cpp(10.55 KB)
📄 X86RegisterBankInfo.h(2.87 KB)
📄 X86RegisterBanks.td(629 B)
📄 X86RegisterInfo.cpp(29 KB)
📄 X86RegisterInfo.h(5.61 KB)
📄 X86RegisterInfo.td(26.07 KB)
📄 X86SchedBroadwell.td(69.45 KB)
📄 X86SchedHaswell.td(73.96 KB)
📄 X86SchedPredicates.td(4.23 KB)
📄 X86SchedSandyBridge.td(50 KB)
📄 X86SchedSkylakeClient.td(74.65 KB)
📄 X86SchedSkylakeServer.td(113.85 KB)
📄 X86Schedule.td(36.9 KB)
📄 X86ScheduleAtom.td(38.26 KB)
📄 X86ScheduleBdVer2.td(56.78 KB)
📄 X86ScheduleBtVer2.td(46.98 KB)
📄 X86ScheduleSLM.td(22.91 KB)
📄 X86ScheduleZnver1.td(48.97 KB)
📄 X86ScheduleZnver2.td(48.12 KB)
📄 X86SelectionDAGInfo.cpp(12.02 KB)
📄 X86SelectionDAGInfo.h(1.8 KB)
📄 X86ShuffleDecodeConstantPool.cpp(11.22 KB)
📄 X86ShuffleDecodeConstantPool.h(2.13 KB)
📄 X86SpeculativeExecutionSideEffectSuppression.cpp(6.97 KB)
📄 X86SpeculativeLoadHardening.cpp(93.16 KB)
📄 X86Subtarget.cpp(13.25 KB)
📄 X86Subtarget.h(32.08 KB)
📄 X86TargetMachine.cpp(18.88 KB)
📄 X86TargetMachine.h(2.04 KB)
📄 X86TargetObjectFile.cpp(2.61 KB)
📄 X86TargetObjectFile.h(2.13 KB)
📄 X86TargetTransformInfo.cpp(189.14 KB)
📄 X86TargetTransformInfo.h(9.63 KB)
📄 X86VZeroUpper.cpp(12.59 KB)
📄 X86WinAllocaExpander.cpp(9.54 KB)
📄 X86WinEHState.cpp(28.97 KB)

Editing: X86IndirectThunks.cpp

//==- X86IndirectThunks.cpp - Construct indirect call/jump thunks for x86  --=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
/// \file
///
/// Pass that injects an MI thunk that is used to lower indirect calls in a way
/// that prevents speculation on some x86 processors and can be used to mitigate
/// security vulnerabilities due to targeted speculative execution and side
/// channels such as CVE-2017-5715.
///
/// Currently supported thunks include:
/// - Retpoline -- A RET-implemented trampoline that lowers indirect calls
/// - LVI Thunk -- A CALL/JMP-implemented thunk that forces load serialization
///   before making an indirect call/jump
///
/// Note that the reason that this is implemented as a MachineFunctionPass and
/// not a ModulePass is that ModulePasses at this point in the LLVM X86 pipeline
/// serialize all transformations, which can consume lots of memory.
///
/// TODO(chandlerc): All of this code could use better comments and
/// documentation.
///
//===----------------------------------------------------------------------===//

#include "X86.h"
#include "X86InstrBuilder.h"
#include "X86Subtarget.h"
#include "llvm/CodeGen/IndirectThunks.h"
#include "llvm/CodeGen/MachineFunction.h"
#include "llvm/CodeGen/MachineInstrBuilder.h"
#include "llvm/CodeGen/MachineModuleInfo.h"
#include "llvm/CodeGen/Passes.h"
#include "llvm/CodeGen/TargetPassConfig.h"
#include "llvm/IR/IRBuilder.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/Module.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Target/TargetMachine.h"

using namespace llvm;

#define DEBUG_TYPE "x86-retpoline-thunks"

static const char RetpolineNamePrefix[] = "__llvm_retpoline_";
static const char R11RetpolineName[] = "__llvm_retpoline_r11";
static const char EAXRetpolineName[] = "__llvm_retpoline_eax";
static const char ECXRetpolineName[] = "__llvm_retpoline_ecx";
static const char EDXRetpolineName[] = "__llvm_retpoline_edx";
static const char EDIRetpolineName[] = "__llvm_retpoline_edi";

static const char LVIThunkNamePrefix[] = "__llvm_lvi_thunk_";
static const char R11LVIThunkName[] = "__llvm_lvi_thunk_r11";

namespace {
struct RetpolineThunkInserter : ThunkInserter<RetpolineThunkInserter> {
  const char *getThunkPrefix() { return RetpolineNamePrefix; }
  bool mayUseThunk(const MachineFunction &MF) {
    const auto &STI = MF.getSubtarget<X86Subtarget>();
    return (STI.useRetpolineIndirectCalls() ||
            STI.useRetpolineIndirectBranches()) &&
           !STI.useRetpolineExternalThunk();
  }
  void insertThunks(MachineModuleInfo &MMI);
  void populateThunk(MachineFunction &MF);
};

struct LVIThunkInserter : ThunkInserter<LVIThunkInserter> {
  const char *getThunkPrefix() { return LVIThunkNamePrefix; }
  bool mayUseThunk(const MachineFunction &MF) {
    return MF.getSubtarget<X86Subtarget>().useLVIControlFlowIntegrity();
  }
  void insertThunks(MachineModuleInfo &MMI) {
    createThunkFunction(MMI, R11LVIThunkName);
  }
  void populateThunk(MachineFunction &MF) {
    assert (MF.size() == 1);
    MachineBasicBlock *Entry = &MF.front();
    Entry->clear();

// This code mitigates LVI by replacing each indirect call/jump with a
    // direct call/jump to a thunk that looks like:
    // ```
    // lfence
    // jmpq *%r11
    // ```
    // This ensures that if the value in register %r11 was loaded from memory,
    // then the value in %r11 is (architecturally) correct prior to the jump.
    const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();
    BuildMI(&MF.front(), DebugLoc(), TII->get(X86::LFENCE));
    BuildMI(&MF.front(), DebugLoc(), TII->get(X86::JMP64r)).addReg(X86::R11);
    MF.front().addLiveIn(X86::R11);
    return;
  }
};

class X86IndirectThunks : public MachineFunctionPass {
public:
  static char ID;

X86IndirectThunks() : MachineFunctionPass(ID) {}

StringRef getPassName() const override { return "X86 Indirect Thunks"; }

bool doInitialization(Module &M) override;
  bool runOnMachineFunction(MachineFunction &MF) override;

private:
  std::tuple<RetpolineThunkInserter, LVIThunkInserter> TIs;

// FIXME: When LLVM moves to C++17, these can become folds
  template <typename... ThunkInserterT>
  static void initTIs(Module &M,
                      std::tuple<ThunkInserterT...> &ThunkInserters) {
    (void)std::initializer_list<int>{
        (std::get<ThunkInserterT>(ThunkInserters).init(M), 0)...};
  }
  template <typename... ThunkInserterT>
  static bool runTIs(MachineModuleInfo &MMI, MachineFunction &MF,
                     std::tuple<ThunkInserterT...> &ThunkInserters) {
    bool Modified = false;
    (void)std::initializer_list<int>{
        Modified |= std::get<ThunkInserterT>(ThunkInserters).run(MMI, MF)...};
    return Modified;
  }
};

} // end anonymous namespace

void RetpolineThunkInserter::insertThunks(MachineModuleInfo &MMI) {
  if (MMI.getTarget().getTargetTriple().getArch() == Triple::x86_64)
    createThunkFunction(MMI, R11RetpolineName);
  else
    for (StringRef Name : {EAXRetpolineName, ECXRetpolineName, EDXRetpolineName,
                           EDIRetpolineName})
      createThunkFunction(MMI, Name);
}

void RetpolineThunkInserter::populateThunk(MachineFunction &MF) {
  bool Is64Bit = MF.getTarget().getTargetTriple().getArch() == Triple::x86_64;
  Register ThunkReg;
  if (Is64Bit) {
    assert(MF.getName() == "__llvm_retpoline_r11" &&
           "Should only have an r11 thunk on 64-bit targets");

// __llvm_retpoline_r11:
    //   callq .Lr11_call_target
    // .Lr11_capture_spec:
    //   pause
    //   lfence
    //   jmp .Lr11_capture_spec
    // .align 16
    // .Lr11_call_target:
    //   movq %r11, (%rsp)
    //   retq
    ThunkReg = X86::R11;
  } else {
    // For 32-bit targets we need to emit a collection of thunks for various
    // possible scratch registers as well as a fallback that uses EDI, which is
    // normally callee saved.
    //   __llvm_retpoline_eax:
    //         calll .Leax_call_target
    //   .Leax_capture_spec:
    //         pause
    //         jmp .Leax_capture_spec
    //   .align 16
    //   .Leax_call_target:
    //         movl %eax, (%esp)  # Clobber return addr
    //         retl
    //
    //   __llvm_retpoline_ecx:
    //   ... # Same setup
    //         movl %ecx, (%esp)
    //         retl
    //
    //   __llvm_retpoline_edx:
    //   ... # Same setup
    //         movl %edx, (%esp)
    //         retl
    //
    //   __llvm_retpoline_edi:
    //   ... # Same setup
    //         movl %edi, (%esp)
    //         retl
    if (MF.getName() == EAXRetpolineName)
      ThunkReg = X86::EAX;
    else if (MF.getName() == ECXRetpolineName)
      ThunkReg = X86::ECX;
    else if (MF.getName() == EDXRetpolineName)
      ThunkReg = X86::EDX;
    else if (MF.getName() == EDIRetpolineName)
      ThunkReg = X86::EDI;
    else
      llvm_unreachable("Invalid thunk name on x86-32!");
  }

const TargetInstrInfo *TII = MF.getSubtarget<X86Subtarget>().getInstrInfo();
  assert (MF.size() == 1);
  MachineBasicBlock *Entry = &MF.front();
  Entry->clear();

MachineBasicBlock *CaptureSpec =
      MF.CreateMachineBasicBlock(Entry->getBasicBlock());
  MachineBasicBlock *CallTarget =
      MF.CreateMachineBasicBlock(Entry->getBasicBlock());
  MCSymbol *TargetSym = MF.getContext().createTempSymbol();
  MF.push_back(CaptureSpec);
  MF.push_back(CallTarget);

const unsigned CallOpc = Is64Bit ? X86::CALL64pcrel32 : X86::CALLpcrel32;
  const unsigned RetOpc = Is64Bit ? X86::RETQ : X86::RETL;

Entry->addLiveIn(ThunkReg);
  BuildMI(Entry, DebugLoc(), TII->get(CallOpc)).addSym(TargetSym);

// The MIR verifier thinks that the CALL in the entry block will fall through
  // to CaptureSpec, so mark it as the successor. Technically, CaptureTarget is
  // the successor, but the MIR verifier doesn't know how to cope with that.
  Entry->addSuccessor(CaptureSpec);

// In the capture loop for speculation, we want to stop the processor from
  // speculating as fast as possible. On Intel processors, the PAUSE instruction
  // will block speculation without consuming any execution resources. On AMD
  // processors, the PAUSE instruction is (essentially) a nop, so we also use an
  // LFENCE instruction which they have advised will stop speculation as well
  // with minimal resource utilization. We still end the capture with a jump to
  // form an infinite loop to fully guarantee that no matter what implementation
  // of the x86 ISA, speculating this code path never escapes.
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::PAUSE));
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::LFENCE));
  BuildMI(CaptureSpec, DebugLoc(), TII->get(X86::JMP_1)).addMBB(CaptureSpec);
  CaptureSpec->setHasAddressTaken();
  CaptureSpec->addSuccessor(CaptureSpec);

CallTarget->addLiveIn(ThunkReg);
  CallTarget->setHasAddressTaken();
  CallTarget->setAlignment(Align(16));

// Insert return address clobber
  const unsigned MovOpc = Is64Bit ? X86::MOV64mr : X86::MOV32mr;
  const Register SPReg = Is64Bit ? X86::RSP : X86::ESP;
  addRegOffset(BuildMI(CallTarget, DebugLoc(), TII->get(MovOpc)), SPReg, false,
               0)
      .addReg(ThunkReg);

CallTarget->back().setPreInstrSymbol(MF, TargetSym);
  BuildMI(CallTarget, DebugLoc(), TII->get(RetOpc));
}

FunctionPass *llvm::createX86IndirectThunksPass() {
  return new X86IndirectThunks();
}

char X86IndirectThunks::ID = 0;

bool X86IndirectThunks::doInitialization(Module &M) {
  initTIs(M, TIs);
  return false;
}

bool X86IndirectThunks::runOnMachineFunction(MachineFunction &MF) {
  LLVM_DEBUG(dbgs() << getPassName() << '\n');
  auto &MMI = getAnalysis<MachineModuleInfoWrapperPass>().getMMI();
  return runTIs(MMI, MF, TIs);
}

003 File Manager

Editing: X86IndirectThunks.cpp

Upload File

Create Folder