authorFangrui Song <i@maskray.me>2023-05-20 08:24:20 -0700
committerFangrui Song <i@maskray.me>2023-05-20 08:24:20 -0700
commit46f366494f3ca8cc98daa6fb4f29c7c446c176b6 (patch)
tree849a12b9d50f5aed8fc1d228e7ebe606d419b573 /clang/lib/CodeGen/CodeGenFunction.cpp
parentc96c5edb58ed29e0fd936bc082ec6cae7082854e (diff)
-fsanitize=function: use type hashes instead of RTTI objects
Currently we use RTTI objects to check type compatibility. To support non-unique RTTI objects, commit 5745eccef54ddd3caca278d1d292a88b2281528b added a `checkTypeInfoEquality` string matching to the runtime. The scheme is inefficient. ``` _Z1fv: .long 846595819 # jmp .long .L__llvm_rtti_proxy-_Z3funv ... main: ... # Load the second word (pointer to the RTTI object) and dereference it. movslq 4(%rsi), %rax movq (%rax,%rsi), %rdx # Is it the desired typeinfo object? leaq _ZTIFvvE(%rip), %rax # If not, call __ubsan_handle_function_type_mismatch_v1, which may recover if checkTypeInfoEquality allows cmpq %rax, %rdx jne .LBB1_2 ... .section .data.rel.ro,"aw",@progbits .p2align 3, 0x0 .L__llvm_rtti_proxy: .quad _ZTIFvvE ``` Let's replace the indirect `_ZTI` pointer with a type hash similar to `-fsanitize=kcfi`. ``` _Z1fv: .long 3238382334 .long 2772461324 # type hash main: ... # Load the second word (callee type hash) and check whether it is expected cmpl $-1522505972, -4(%rax) # If not, fail: call __ubsan_handle_function_type_mismatch jne .LBB2_2 ``` The RTTI object derives its name from `clang::MangleContext::mangleCXXRTTI`, which uses `mangleType`. `mangleTypeName` uses `mangleType` as well. So the type compatibility change is high-fidelity. Since we no longer need RTTI pointers in `__ubsan::__ubsan_handle_function_type_mismatch_v1`, let's switch it back to version 0, the original signature before e215996a2932ed7c472f4e94dc4345b30fd0c373 (2019). `__ubsan::__ubsan_handle_function_type_mismatch_abort` is not recoverable, so we can revert some changes from e215996a2932ed7c472f4e94dc4345b30fd0c373. Reviewed By: samitolvanen Differential Revision: https://reviews.llvm.org/D148785
Diffstat (limited to 'clang/lib/CodeGen/CodeGenFunction.cpp')
-rw-r--r--clang/lib/CodeGen/CodeGenFunction.cpp38
1 files changed, 15 insertions, 23 deletions
diff --git a/clang/lib/CodeGen/CodeGenFunction.cpp b/clang/lib/CodeGen/CodeGenFunction.cpp
index 5c8b882..e52c483 100644
--- a/clang/lib/CodeGen/CodeGenFunction.cpp
+++ b/clang/lib/CodeGen/CodeGenFunction.cpp
@@ -44,6 +44,7 @@
#include "llvm/IR/MDBuilder.h"
#include "llvm/IR/Operator.h"
#include "llvm/Support/CRC.h"
+#include "llvm/Support/xxhash.h"
#include "llvm/Transforms/Scalar/LowerExpectIntrinsic.h"
#include "llvm/Transforms/Utils/PromoteMemToReg.h"
#include <optional>
@@ -567,18 +568,16 @@ bool CodeGenFunction::AlwaysEmitXRayTypedEvents() const {
XRayInstrKind::Typed);
}
-llvm::Value *
-CodeGenFunction::DecodeAddrUsedInPrologue(llvm::Value *F,
- llvm::Value *EncodedAddr) {
- // Reconstruct the address of the global.
- auto *PCRelAsInt = Builder.CreateSExt(EncodedAddr, IntPtrTy);
- auto *FuncAsInt = Builder.CreatePtrToInt(F, IntPtrTy, "func_addr.int");
- auto *GOTAsInt = Builder.CreateAdd(PCRelAsInt, FuncAsInt, "global_addr.int");
- auto *GOTAddr = Builder.CreateIntToPtr(GOTAsInt, Int8PtrPtrTy, "global_addr");
-
- // Load the original pointer through the global.
- return Builder.CreateLoad(Address(GOTAddr, Int8PtrTy, getPointerAlign()),
- "decoded_addr");
+llvm::ConstantInt *
+CodeGenFunction::getUBSanFunctionTypeHash(QualType Ty) const {
+ // Remove any (C++17) exception specifications, to allow calling e.g. a
+ // noexcept function through a non-noexcept pointer.
+ auto ProtoTy = getContext().getFunctionTypeWithExceptionSpec(Ty, EST_None);
+ std::string Mangled;
+ llvm::raw_string_ostream Out(Mangled);
+ CGM.getCXXABI().getMangleContext().mangleTypeName(ProtoTy, Out, false);
+ return llvm::ConstantInt::get(CGM.Int32Ty,
+ static_cast<uint32_t>(llvm::xxHash64(Mangled)));
}
void CodeGenFunction::EmitKernelMetadata(const FunctionDecl *FD,
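Review bot: getUBSanFunctionTypeHash truncates the 64-bit xxHash64 result to 32 bits in its return statement but carries no comment stating that the prologue check is therefore probabilistic: two distinct function types whose mangled names collide in the low 32 bits would pass the -fsanitize=function check unflagged, an accepted trade-off that should be written down where the hash is defined rather than left for the reader to infer from the cast. I would add above the definition: `/// Returns the 32-bit type hash stored in the function prologue for -fsanitize=function: xxHash64 of the mangled type name with the exception spec stripped (so noexcept mismatches are tolerated), truncated to 32 bits; distinct types can collide, so a match detects but does not prove type compatibility.` The derivation looks like it mirrors the KCFI type-id computation in CodeGenModule (same mangleTypeName plus truncated xxHash64, if I recall correctly); if so, a cross-referencing comment or a shared helper would keep the two schemes from drifting, since both are security checks whose tolerances must stay identical. The commit message's "high-fidelity" claim holds only up to that truncation, which is worth one sentence in the header comment as well.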
@@ -948,19 +947,12 @@ void CodeGenFunction::StartFunction(GlobalDecl GD, QualType RetTy,
// prologue data.
if (FD && getLangOpts().CPlusPlus && SanOpts.has(SanitizerKind::Function)) {
if (llvm::Constant *PrologueSig = getPrologueSignature(CGM, FD)) {
- // Remove any (C++17) exception specifications, to allow calling e.g. a
- // noexcept function through a non-noexcept pointer.
- auto ProtoTy = getContext().getFunctionTypeWithExceptionSpec(
- FD->getType(), EST_None);
- llvm::Constant *FTRTTIConst =
- CGM.GetAddrOfRTTIDescriptor(ProtoTy, /*ForEH=*/true);
- llvm::GlobalVariable *FTRTTIProxy =
- CGM.GetOrCreateRTTIProxyGlobalVariable(FTRTTIConst);
llvm::LLVMContext &Ctx = Fn->getContext();
llvm::MDBuilder MDB(Ctx);
- Fn->setMetadata(llvm::LLVMContext::MD_func_sanitize,
- MDB.createRTTIPointerPrologue(PrologueSig, FTRTTIProxy));
- CGM.addCompilerUsedGlobal(FTRTTIProxy);
+ Fn->setMetadata(
+ llvm::LLVMContext::MD_func_sanitize,
+ MDB.createRTTIPointerPrologue(
+ PrologueSig, getUBSanFunctionTypeHash(FD->getType())));
}
}