Add Windows Control Flow Guard checks (/guard:cf).

Summary:
A new function pass (Transforms/CFGuard/CFGuard.cpp) inserts CFGuard checks on
indirect function calls, using either the check mechanism (X86, ARM, AArch64) or
or the dispatch mechanism (X86-64). The check mechanism requires a new calling
convention for the supported targets. The dispatch mechanism adds the target as
an operand bundle, which is processed by SelectionDAG. Another pass
(CodeGen/CFGuardLongjmp.cpp) identifies and emits valid longjmp targets, as
required by /guard:cf. This feature is enabled using the `cfguard` CC1 option.

Reviewers: thakis, rnk, theraven, pcc

Subscribers: ychen, hans, metalcanine, dmajor, tomrittervg, alex, mehdi_amini, mgorny, javed.absar, kristof.beyls, hiraditya, steven_wu, dexonsmith, cfe-commits, llvm-commits

Tags: #clang, #llvm

Differential Revision: https://reviews.llvm.org/D65761

2 files changed, 177 insertions, 0 deletions

diff --git a/llvm/test/CodeGen/ARM/cfguard-checks.ll b/llvm/test/CodeGen/ARM/cfguard-checks.ll
new file mode 100644
index 00000000000..1835bcfc1b5
--- /dev/null
+++ b/llvm/test/CodeGen/ARM/cfguard-checks.ll
@@ -0,0 +1,151 @@
+; RUN: llc < %s -mtriple=arm-pc-windows-msvc | FileCheck %s

+; Control Flow Guard is currently only available on Windows

+

+; Test that Control Flow Guard checks are correctly added when required.

+

+

+declare i32 @target_func()

+

+

+; Test that Control Flow Guard checks are not added to functions with nocf_checks attribute.

+define i32 @func_nocf_checks() #0 {

+entry:

+  %func_ptr = alloca i32 ()*, align 8

+  store i32 ()* @target_func, i32 ()** %func_ptr, align 8

+  %0 = load i32 ()*, i32 ()** %func_ptr, align 8

+  %1 = call arm_aapcs_vfpcc i32 %0()

+  ret i32 %1

+

+  ; CHECK-LABEL: func_nocf_checks

+  ; CHECK:       movw r0, :lower16:target_func

+	; CHECK:       movt r0, :upper16:target_func

+  ; CHECK-NOT:   __guard_check_icall_fptr

+	; CHECK:       blx r0

+}

+attributes #0 = { nocf_check "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3"}

+

+

+; Test that Control Flow Guard checks are added even at -O0.

+define i32 @func_optnone_cf() #1 {

+entry:

+  %func_ptr = alloca i32 ()*, align 8

+  store i32 ()* @target_func, i32 ()** %func_ptr, align 8

+  %0 = load i32 ()*, i32 ()** %func_ptr, align 8

+  %1 = call i32 %0()

+  ret i32 %1

+

+  ; The call to __guard_check_icall_fptr should come immediately before the call to the target function.

+  ; CHECK-LABEL: func_optnone_cf

+	; CHECK:       movw r0, :lower16:target_func

+	; CHECK:       movt r0, :upper16:target_func

+	; CHECK:       str r0, [sp]

+	; CHECK:       ldr r4, [sp]

+	; CHECK:       movw r0, :lower16:__guard_check_icall_fptr

+	; CHECK:       movt r0, :upper16:__guard_check_icall_fptr

+	; CHECK:       ldr r1, [r0]

+	; CHECK:       mov r0, r4

+	; CHECK:       blx r1

+	; CHECK-NEXT:  blx r4

+}

+attributes #1 = { noinline optnone "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3"}

+

+

+; Test that Control Flow Guard checks are correctly added in optimized code (common case).

+define i32 @func_cf() #2 {

+entry:

+  %func_ptr = alloca i32 ()*, align 8

+  store i32 ()* @target_func, i32 ()** %func_ptr, align 8

+  %0 = load i32 ()*, i32 ()** %func_ptr, align 8

+  %1 = call i32 %0()

+  ret i32 %1

+

+  ; The call to __guard_check_icall_fptr should come immediately before the call to the target function.

+  ; CHECK-LABEL: func_cf

+  ; CHECK:       movw r0, :lower16:__guard_check_icall_fptr

+	; CHECK:       movt r0, :upper16:__guard_check_icall_fptr

+	; CHECK:       ldr r1, [r0]

+  ; CHECK:       movw r4, :lower16:target_func

+	; CHECK:       movt r4, :upper16:target_func

+	; CHECK:       mov r0, r4

+	; CHECK:       blx r1

+	; CHECK-NEXT:  blx r4

+}

+attributes #2 = { "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3"}

+

+

+; Test that Control Flow Guard checks are correctly added on invoke instructions.

+define i32 @func_cf_invoke() #2 personality i8* bitcast (void ()* @h to i8*) {

+entry:

+  %0 = alloca i32, align 4

+  %func_ptr = alloca i32 ()*, align 8

+  store i32 ()* @target_func, i32 ()** %func_ptr, align 8

+  %1 = load i32 ()*, i32 ()** %func_ptr, align 8

+  %2 = invoke i32 %1()

+          to label %invoke.cont unwind label %lpad

+invoke.cont:                                      ; preds = %entry

+  ret i32 %2

+

+lpad:                                             ; preds = %entry

+  %tmp = landingpad { i8*, i32 }

+          catch i8* null

+  ret i32 -1

+

+  ; The call to __guard_check_icall_fptr should come immediately before the call to the target function.

+  ; CHECK-LABEL: func_cf_invoke

+  ; CHECK:       movw r0, :lower16:__guard_check_icall_fptr

+	; CHECK:       movt r0, :upper16:__guard_check_icall_fptr

+	; CHECK:       ldr r1, [r0]

+  ; CHECK:       movw r4, :lower16:target_func

+	; CHECK:       movt r4, :upper16:target_func

+	; CHECK:       mov r0, r4

+	; CHECK:       blx r1

+  ; CHECK-NEXT:  $Mtmp0:

+	; CHECK-NEXT:  blx r4

+  ; CHECK:       ; %invoke.cont

+  ; CHECK:       ; %lpad

+}

+

+declare void @h()

+

+

+; Test that longjmp targets have public labels and are included in the .gljmp section.

+%struct._SETJMP_FLOAT128 = type { [2 x i64] }

+@buf1 = internal global [16 x %struct._SETJMP_FLOAT128] zeroinitializer, align 16

+

+define i32 @func_cf_setjmp() #2 {

+  %1 = alloca i32, align 4

+  %2 = alloca i32, align 4

+  store i32 0, i32* %1, align 4

+  store i32 -1, i32* %2, align 4

+  %3 = call i8* @llvm.frameaddress(i32 0)

+  %4 = call i32 @_setjmp(i8* bitcast ([16 x %struct._SETJMP_FLOAT128]* @buf1 to i8*), i8* %3) #3

+

+  ; CHECK-LABEL: func_cf_setjmp

+  ; CHECK:       bl _setjmp

+  ; CHECK-NEXT:  $cfgsj_func_cf_setjmp0:

+

+  %5 = call i8* @llvm.frameaddress(i32 0)

+  %6 = call i32 @_setjmp(i8* bitcast ([16 x %struct._SETJMP_FLOAT128]* @buf1 to i8*), i8* %5) #3

+

+  ; CHECK:       bl _setjmp

+  ; CHECK-NEXT:  $cfgsj_func_cf_setjmp1:

+

+  store i32 1, i32* %2, align 4

+  %7 = load i32, i32* %2, align 4

+  ret i32 %7

+

+  ; CHECK:       .section .gljmp$y,"dr"

+  ; CHECK-NEXT:  .symidx $cfgsj_func_cf_setjmp0

+  ; CHECK-NEXT:  .symidx $cfgsj_func_cf_setjmp1

+}

+

+declare i8* @llvm.frameaddress(i32)

+

+; Function Attrs: returns_twice

+declare dso_local i32 @_setjmp(i8*, i8*) #3

+

+attributes #3 = { returns_twice }

+

+

+!llvm.module.flags = !{!0}

+!0 = !{i32 2, !"cfguard", i32 2}

diff --git a/llvm/test/CodeGen/ARM/cfguard-module-flag.ll b/llvm/test/CodeGen/ARM/cfguard-module-flag.ll
new file mode 100644
index 00000000000..87878a084dc
--- /dev/null
+++ b/llvm/test/CodeGen/ARM/cfguard-module-flag.ll
@@ -0,0 +1,26 @@
+

+; RUN: llc < %s -mtriple=arm-pc-windows-msvc | FileCheck %s

+; Control Flow Guard is currently only available on Windows

+

+; Test that Control Flow Guard checks are not added in modules with the

+; cfguard=1 flag (emit tables but no checks).

+

+

+declare void @target_func()

+

+define void @func_in_module_without_cfguard() #0 {

+entry:

+  %func_ptr = alloca void ()*, align 8

+  store void ()* @target_func, void ()** %func_ptr, align 8

+  %0 = load void ()*, void ()** %func_ptr, align 8

+

+  call void %0()

+  ret void

+

+  ; CHECK-NOT: __guard_check_icall_fptr

+  ; CHECK-NOT: __guard_dispatch_icall_fptr

+}

+attributes #0 = { "correctly-rounded-divide-sqrt-fp-math"="false" "disable-tail-calls"="false" "less-precise-fpmad"="false" "no-frame-pointer-elim"="true" "no-frame-pointer-elim-non-leaf" "no-infs-fp-math"="false" "no-nans-fp-math"="false" "no-signed-zeros-fp-math"="false" "no-trapping-math"="false" "stack-protector-buffer-size"="8" "target-cpu"="cortex-a9" "target-features"="+armv7-a,+dsp,+fp16,+neon,+strict-align,+thumb-mode,+vfp3" "unsafe-fp-math"="false" "use-soft-float"="false"}

+

+!llvm.module.flags = !{!0}

+!0 = !{i32 2, !"cfguard", i32 1}