author | Andrew Paverd <andrew.paverd@microsoft.com> | 2019-10-28 13:22:19 +0000 |
committer | David Chisnall <David.Chisnall@microsoft.com> | 2019-10-28 15:19:39 +0000 |
commit | d157a9bc8ba1085cc4808c6941412322a7fd884e (patch) | |
tree | c675a8e26a4bf08d0cd8abcde693780dd5bd3859 /llvm/lib/CodeGen/CFGuardLongjmp.cpp | |
parent | a233e7d7cb642ada49985426c23aa3c6a4c98690 (diff) | |
Add Windows Control Flow Guard checks (/guard:cf).
Summary:
A new function pass (Transforms/CFGuard/CFGuard.cpp) inserts CFGuard checks on
indirect function calls, using either the check mechanism (X86, ARM, AArch64) or
the dispatch mechanism (X86-64). The check mechanism requires a new calling
convention for the supported targets. The dispatch mechanism adds the target as
an operand bundle, which is processed by SelectionDAG. Another pass
(CodeGen/CFGuardLongjmp.cpp) identifies and emits valid longjmp targets, as
required by /guard:cf. This feature is enabled using the `cfguard` CC1 option.
Reviewers: thakis, rnk, theraven, pcc
Subscribers: ychen, hans, metalcanine, dmajor, tomrittervg, alex, mehdi_amini, mgorny, javed.absar, kristof.beyls, hiraditya, steven_wu, dexonsmith, cfe-commits, llvm-commits
Tags: #clang, #llvm
Differential Revision: https://reviews.llvm.org/D65761
Diffstat (limited to 'llvm/lib/CodeGen/CFGuardLongjmp.cpp')
-rw-r--r-- | llvm/lib/CodeGen/CFGuardLongjmp.cpp | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/llvm/lib/CodeGen/CFGuardLongjmp.cpp b/llvm/lib/CodeGen/CFGuardLongjmp.cpp
new file mode 100644
index 00000000000..42ad22b6cfa
--- /dev/null
+++ b/llvm/lib/CodeGen/CFGuardLongjmp.cpp
@@ -0,0 +1,119 @@
+//===-- CFGuardLongjmp.cpp - Longjmp symbols for CFGuard --------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+///
+/// \file
+/// This file contains a machine function pass to insert a symbol after each
+/// call to _setjmp and store this in the MachineFunction's LongjmpTargets
+/// vector. This will be used to emit the table of valid longjmp targets used
+/// by Control Flow Guard.
+///
+//===----------------------------------------------------------------------===//
+
+#include "llvm/ADT/Statistic.h"
+#include "llvm/CodeGen/MachineBasicBlock.h"
+#include "llvm/CodeGen/MachineFunctionPass.h"
+#include "llvm/CodeGen/MachineInstr.h"
+#include "llvm/CodeGen/MachineModuleInfo.h"
+#include "llvm/CodeGen/MachineOperand.h"
+#include "llvm/CodeGen/Passes.h"
+
+using namespace llvm;
+
+#define DEBUG_TYPE "cfguard-longjmp"
+
+STATISTIC(CFGuardLongjmpTargets,
+ "Number of Control Flow Guard longjmp targets");
+
+namespace {
+
+/// MachineFunction pass to insert a symbol after each call to _setjmp and store
+/// this in the MachineFunction's LongjmpTargets vector.
+class CFGuardLongjmp : public MachineFunctionPass {
+public:
+ static char ID;
+
+ CFGuardLongjmp() : MachineFunctionPass(ID) {
+ initializeCFGuardLongjmpPass(*PassRegistry::getPassRegistry());
+ }
+
+ StringRef getPassName() const override {
+ return "Control Flow Guard longjmp targets";
+ }
+
+ bool runOnMachineFunction(MachineFunction &MF) override;
+};
+
+} // end anonymous namespace
+
+char CFGuardLongjmp::ID = 0;
+
+INITIALIZE_PASS(CFGuardLongjmp, "CFGuardLongjmp",
+ "Insert symbols at valid longjmp targets for /guard:cf", false,
+ false)
+FunctionPass *llvm::createCFGuardLongjmpPass() { return new CFGuardLongjmp(); }
+
+bool CFGuardLongjmp::runOnMachineFunction(MachineFunction &MF) {
+
+ // Skip modules for which the cfguard flag is not set.
+ if (!MF.getMMI().getModule()->getModuleFlag("cfguard"))
+ return false;
+
+ // Skip functions that do not have calls to _setjmp.
+ if (!MF.getFunction().callsFunctionThatReturnsTwice())
+ return false;
+
+ SmallVector<MachineInstr *, 8> SetjmpCalls;
+
+ // Iterate over all instructions in the function and add calls to functions
+ // that return twice to the list of targets.
+ for (MachineBasicBlock &MBB : MF) {
+ for (MachineInstr &MI : MBB) {
+
+ // Skip instructions that are not calls.
+ if (!MI.isCall() || MI.getNumOperands() < 1)
+ continue;
+
+ // Iterate over operands to find calls to global functions.
+ for (MachineOperand &MO : MI.operands()) {
+ if (!MO.isGlobal())
+ continue;
+
+ auto *F = dyn_cast<Function>(MO.getGlobal());
+ if (!F)
+ continue;
+
+ // If the instruction calls a function that returns twice, add
+ // it to the list of targets.
+ if (F->hasFnAttribute(Attribute::ReturnsTwice)) {
+ SetjmpCalls.push_back(&MI);
+ break;
+ }
+ }
+ }
+ }
+
+ if (SetjmpCalls.empty())
+ return false;
+
+ unsigned SetjmpNum = 0;
+
+ // For each possible target, create a new symbol and insert it immediately
+ // after the call to setjmp. Add this symbol to the MachineFunction's list
+ // of longjmp targets.
+ for (MachineInstr *Setjmp : SetjmpCalls) {
+ SmallString<128> SymbolName;
+ raw_svector_ostream(SymbolName) << "$cfgsj_" << MF.getName() << SetjmpNum++;
+ MCSymbol *SjSymbol = MF.getContext().getOrCreateSymbol(SymbolName);
+
+ Setjmp->setPostInstrSymbol(MF, SjSymbol);
+ MF.addLongjmpTarget(SjSymbol);
+ CFGuardLongjmpTargets++;
+ }
+
+ return true;
+}
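Review bot: The symbol name built by `raw_svector_ostream(SymbolName) << "$cfgsj_" << MF.getName() << SetjmpNum++;` joins the function name and the per-function counter with no separator, so two different call sites can get the same name: the first setjmp call in a function named `foo1` becomes `$cfgsj_foo10`, which is also what the eleventh call in a function named `foo` would be given. Since `getOrCreateSymbol` hands back the existing MCSymbol on the second request, both instructions would carry one post-instruction symbol and `addLongjmpTarget` would record a single entry for two distinct sites, so the emitted Control Flow Guard longjmp table would presumably either miss one valid destination or fail to assemble on the duplicate label. Inserting a separator makes the name unambiguous: `raw_svector_ostream(SymbolName) << "$cfgsj_" << MF.getName() << '_' << SetjmpNum++;`. If anything downstream depends on the exact `$cfgsj_<function><n>` spelling, a short comment on that line documenting the format would also help the next maintainer.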