From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 2140)
	id 85DA33851ABD; Wed, 24 Aug 2022 16:52:58 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 85DA33851ABD
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1661359978;
	bh=3gB+RNtOH4zq7QSHjHHqwcXgA+o2XTWOSnmE61qY67A=;
	h=From:To:Subject:Date:From;
	b=oroF432p6GkDgy0lNFfOY8xgdaz8GfY+i0QW0KJJkYPUy5wfI48TNVdS73MTXMjVZ
	 /VpM12E9hDCnkRHpEXFRWkkyYjlwN6YB+DXVgz0wXuQyQG04s4WAi8uiOHhTWhBoUw
	 daBmv73914eQv45018WRXHrzBTdX9cRqadlbH11U=
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Alexandre Oliva
To: gcc-cvs@gcc.gnu.org
Subject: [gcc(refs/users/aoliva/heads/testme)] hardcfr: add checking at exceptions and noreturn calls
X-Act-Checkin: gcc
X-Git-Author: Alexandre Oliva
X-Git-Refname: refs/users/aoliva/heads/testme
X-Git-Oldrev: 02a199b6b017a22a72e49f0d7ffef9edb7f90e42
X-Git-Newrev: 88092167547fe32bb3ac36239d8643cd63ea8f9c
Message-Id: <20220824165258.85DA33851ABD@sourceware.org>
Date: Wed, 24 Aug 2022 16:52:58 +0000 (GMT)
List-Id:

https://gcc.gnu.org/g:88092167547fe32bb3ac36239d8643cd63ea8f9c

commit 88092167547fe32bb3ac36239d8643cd63ea8f9c
Author: Alexandre Oliva
Date:   Wed Aug 24 13:36:59 2022 -0300

    hardcfr: add checking at exceptions and noreturn calls

Diff:
---
 gcc/doc/invoke.texi               |   7 +-
 gcc/gimple-harden-control-flow.cc | 270 +++++++++++++++++++++++++++++++-------
 2 files changed, 226 insertions(+), 51 deletions(-)

diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi
index df626a0ea39..9c8f2eecb6c 100644
--- a/gcc/doc/invoke.texi
+++ b/gcc/doc/invoke.texi
@@ -16556,9 +16556,10 @@ conditionals.
 @item -fharden-control-flow-redundancy
 @opindex fharden-control-flow-redundancy
 Emit extra code to set booleans when entering basic blocks, and to
-verify, at function exits, that they amount to an execution path that is
-consistent with the control flow graph, trapping otherwise.  Tuning
-options @option{--param hardcfr-max-blocks} and @option{--param
+verify, at function exits (returns, escaping exceptions, and before tail
+and noreturn calls), and trap when they indicate an execution path that
+is incompatible with the control flow graph.  Tuning options
+@option{--param hardcfr-max-blocks} and @option{--param
 hardcfr-max-inline-blocks} are available.
 
 @item -fstack-protector
diff --git a/gcc/gimple-harden-control-flow.cc b/gcc/gimple-harden-control-flow.cc
index 8932d548a20..5066a43fe6c 100644
--- a/gcc/gimple-harden-control-flow.cc
+++ b/gcc/gimple-harden-control-flow.cc
@@ -30,6 +30,9 @@ along with GCC; see the file COPYING3.  If not see
 #include "ssa.h"
 #include "gimple-iterator.h"
 #include "tree-cfg.h"
+#include "tree-eh.h"
+#include "except.h"
+#include "sbitmap.h"
 #include "basic-block.h"
 #include "cfghooks.h"
 #include "cfgloop.h"
@@ -60,9 +63,7 @@ const pass_data pass_data_harden_control_flow_redundancy = {
   0,	    // properties_provided
   0,	    // properties_destroyed
   TODO_cleanup_cfg, // properties_start
-  TODO_update_ssa
-  | TODO_cleanup_cfg
-  | TODO_verify_il, // properties_finish
+  0,	    // properties_finish
 };
 
 class pass_harden_control_flow_redundancy : public gimple_opt_pass
@@ -79,16 +80,6 @@ public:
     if (!flag_harden_control_flow_redundancy)
       return false;
 
-    /* We don't verify when an exception escapes, propagated or raised
-       by the function itself, so we're only concerned with edges to
-       the exit block.
-       If there aren't any, the function doesn't return normally, so
-       there won't be any checking point, so there's no point in
-       running the pass.  Should we add verification at exception
-       escapes, we should at least look at !flag_exceptions here.  */
-    if (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (fun)->preds) == 0)
-      return false;
-
     /* Functions that return more than once, like setjmp and vfork
        (that also gets this flag set), will start recording a path
        after the first return, and then may take another path when
@@ -276,7 +267,7 @@ class rt_bb_visited
 
 public:
   /* Prepare to add control flow redundancy testing to CFUN.  */
-  rt_bb_visited ()
+  rt_bb_visited (int noreturn_blocks)
    : nblocks (n_basic_blocks_for_fn (cfun)),
      vword_type (NULL), ckseq (NULL), rtcfg (NULL)
   {
@@ -360,7 +351,9 @@ public:
      gimple_seq_add_stmt (&ckseq, detach);
 
      if (nblocks - 2 > blknum (param_hardcfr_max_inline_blocks)
-	  || !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun)))
+	  || !single_pred_p (EXIT_BLOCK_PTR_FOR_FN (cfun))
+	  || (EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (cfun)->preds)
+	      + noreturn_blocks > 1))
	{
	  /* Make sure vword_bits is wide enough for the representation
	     of nblocks in rtcfg.  Compare with vword_bits << vword_bits,
@@ -385,12 +378,10 @@ public:
	  gimple_seq_add_stmt (&ckseq, ckfail_init);
	}
 
-  /* Insert SEQ on E, or close enough (e.g., before a noreturn or tail
-     call at the end of E->src).  */
-  void insert_exit_check (gimple_seq seq, edge e)
+  /* Insert SEQ before a resx, or noreturn or tail call at the end of
+     INSBB, and return TRUE, otherwise return FALSE.  */
+  bool insert_exit_check (gimple_seq seq, basic_block insbb)
   {
-    basic_block insbb = e->src;
-
     /* If the returning block ends with a noreturn call, insert
       checking before it.  This is particularly important for
       __builtin_return.  Other noreturn calls won't have an edge to
@@ -407,43 +398,44 @@ public:
       optimization is detected too late for us.  */
    gimple_stmt_iterator gsi = gsi_last_bb (insbb);
    gimple *ret = gsi_stmt (gsi);
+
+    if (ret && is_a <gresx *> (ret))
+      {
+	gsi_insert_seq_before (&gsi, seq, GSI_SAME_STMT);
+	return true;
+      }
+
    if (ret && is_a <greturn *> (ret))
      {
	gsi_prev (&gsi);
	if (!gsi_end_p (gsi))
	  ret = gsi_stmt (gsi);
      }
-    if (ret && is_a <gcall *> (ret)
+    if (ret
+	&& is_a <gcall *> (ret)
	&& (gimple_call_noreturn_p (ret)
	    || gimple_call_must_tail_p (as_a <gcall *> (ret))
	    || gimple_call_tail_p (as_a <gcall *> (ret))))
      gsi_insert_seq_before (&gsi, seq, GSI_SAME_STMT);
    else
+      return false;
+
+    return true;
+  }
+
+  /* Insert SEQ on E, or close enough (e.g., before a noreturn or tail
+     call at the end of E->src).  */
+  void insert_exit_check (gimple_seq seq, edge e)
+  {
+    if (!insert_exit_check (seq, e->src))
      gsi_insert_seq_on_edge_immediate (e, seq);
   }
 
   /* Add checking code on every exit edge, and initialization code on
     the entry edge.  Before this point, the CFG has been undisturbed,
     and all the needed data has been collected and safely stowed.  */
-  void check ()
+  void check (int count_noreturn, auto_sbitmap const &noreturn_blocks)
   {
-    /* Insert initializers for visited at the entry.  */
-    gimple_seq iseq = NULL;
-
-    gcall *vinit = gimple_build_call (builtin_decl_explicit
-				      (BUILT_IN_MEMSET), 3,
-				      build1 (ADDR_EXPR,
-					      build_pointer_type
-					      (TREE_TYPE (visited)),
-					      visited),
-				      integer_zero_node,
-				      TYPE_SIZE_UNIT (TREE_TYPE (visited)));
-    gimple_seq_add_stmt (&iseq, vinit);
-
-    gsi_insert_seq_on_edge_immediate (single_succ_edge
-				      (ENTRY_BLOCK_PTR_FOR_FN (cfun)),
-				      iseq);
-
    /* If we're using out-of-line checking, create and statically
       initialize the CFG checking representation, generate the
       checker call for the checking sequence, and insert it in all
@@ -512,12 +504,32 @@ public:
	    gimple_seq seq = ckseq;
	    /* Copy the sequence, unless we're dealing with the
	       last edge (we're counting down to zero).  */
-	    if (i)
+	    if (i || count_noreturn)
+	      seq = gimple_seq_copy (seq);
+
+	    edge e = EDGE_PRED (EXIT_BLOCK_PTR_FOR_FN (cfun), i);
+
+	    insert_exit_check (seq, e);
+
+	    gcc_checking_assert (!bitmap_bit_p (noreturn_blocks, e->src->index));
+	  }
+
+	sbitmap_iterator it;
+	unsigned i;
+	EXECUTE_IF_SET_IN_BITMAP (noreturn_blocks, 0, i, it)
+	  {
+	    basic_block bb = BASIC_BLOCK_FOR_FN (cfun, i);
+
+	    gimple_seq seq = ckseq;
+	    gcc_checking_assert (count_noreturn > 0);
+	    if (--count_noreturn)
	      seq = gimple_seq_copy (seq);
 
-	    insert_exit_check (seq,
-			       EDGE_PRED (EXIT_BLOCK_PTR_FOR_FN (cfun), i));
+	    if (!insert_exit_check (seq, bb))
+	      gcc_unreachable ();
	  }
+
+	gcc_checking_assert (count_noreturn == 0);
      }
    else
      {
@@ -570,6 +582,24 @@ public:
      if (dom_info_available_p (CDI_DOMINATORS))
	set_immediate_dominator (CDI_DOMINATORS, trp, gimple_bb (last));
    }
+
+    /* Insert initializers for visited at the entry.  Do this after
+       other insertions, to avoid messing with block numbers.  */
+    gimple_seq iseq = NULL;
+
+    gcall *vinit = gimple_build_call (builtin_decl_explicit
+				      (BUILT_IN_MEMSET), 3,
+				      build1 (ADDR_EXPR,
+					      build_pointer_type
+					      (TREE_TYPE (visited)),
+					      visited),
+				      integer_zero_node,
+				      TYPE_SIZE_UNIT (TREE_TYPE (visited)));
+    gimple_seq_add_stmt (&iseq, vinit);
+
+    gsi_insert_seq_on_edge_immediate (single_succ_edge
+				      (ENTRY_BLOCK_PTR_FOR_FN (cfun)),
+				      iseq);
   }
 
   /* Push onto RTCFG a (mask, index) pair to test for IBB when BB is
@@ -697,17 +727,161 @@ public:
   verify at exit that an expect path was taken.  */
 
 unsigned int
-pass_harden_control_flow_redundancy::execute (function *)
+pass_harden_control_flow_redundancy::execute (function *fun)
 {
-  rt_bb_visited vstd;
-
+  basic_block bb_eh_cleanup = NULL;
  basic_block bb;
-  FOR_EACH_BB_FN (bb, cfun)
+
+  if (flag_exceptions)
+    {
+      int lp_eh_cleanup = -1;
+
+      /* Record the preexisting blocks, to avoid visiting newly-created
+	 blocks.  */
+      auto_sbitmap to_visit (last_basic_block_for_fn (fun));
+      bitmap_clear (to_visit);
+
+      FOR_EACH_BB_FN (bb, fun)
+	bitmap_set_bit (to_visit, bb->index);
+
+      /* Scan the blocks for stmts with escaping exceptions, that
+	 wouldn't be denoted in the CFG, and associate them with an
+	 empty cleanup handler around the whole function.  Walk
+	 backwards, so that even when we split the block, */
+      sbitmap_iterator it;
+      unsigned i;
+      EXECUTE_IF_SET_IN_BITMAP (to_visit, 0, i, it)
+	{
+	  bb = BASIC_BLOCK_FOR_FN (fun, i);
+
+	  for (gimple_stmt_iterator gsi = gsi_last_bb (bb);
+	       !gsi_end_p (gsi); gsi_prev (&gsi))
+	    {
+	      gimple *stmt = gsi_stmt (gsi);
+	      if (!gimple_could_trap_p (stmt))
+		continue;
+
+	      /* If it must not throw, or if it already has a handler,
+		 we need not worry about it.  */
+	      if (lookup_stmt_eh_lp (stmt) != 0)
+		continue;
+
+	      if (!stmt_ends_bb_p (stmt))
+		split_block (bb, stmt);
+
+	      if (!bb_eh_cleanup)
+		{
+		  bb_eh_cleanup = create_empty_bb (bb);
+		  if (dom_info_available_p (CDI_DOMINATORS))
+		    set_immediate_dominator (CDI_DOMINATORS, bb_eh_cleanup, bb);
+		  if (current_loops)
+		    add_bb_to_loop (bb_eh_cleanup, current_loops->tree_root);
+
+		  /* Make the new block an EH cleanup for the call.  */
+		  eh_region new_r = gen_eh_region_cleanup (NULL);
+		  eh_landing_pad lp = gen_eh_landing_pad (new_r);
+		  tree label = gimple_block_label (bb_eh_cleanup);
+		  lp->post_landing_pad = label;
+		  EH_LANDING_PAD_NR (label) = lp_eh_cleanup = lp->index;
+
+		  /* Just propagate the exception.
+		     We will later insert the verifier call.  */
+		  gimple_stmt_iterator ehgsi;
+		  ehgsi = gsi_after_labels (bb_eh_cleanup);
+		  gresx *resx = gimple_build_resx (new_r->index);
+		  gsi_insert_before (&ehgsi, resx, GSI_SAME_STMT);
+		}
+	      else
+		{
+		  // Update immedite dominator and loop?
+		}
+
+	      add_stmt_to_eh_lp (stmt, lp_eh_cleanup);
+	      /* Finally, wire the EH cleanup block into the CFG.  */
+	      make_eh_edges (stmt);
+	    }
+	}
+    }
+
+  /* We wish to add verification at blocks without successors, such as
+     noreturn calls (raising or not) and the reraise at the cleanup
+     block, but not other reraises: they will go through the cleanup
+     block.  */
+  int count_noreturn = 0;
+  auto_sbitmap noreturn_blocks (last_basic_block_for_fn (fun));
+  bitmap_clear (noreturn_blocks);
+  FOR_EACH_BB_FN (bb, fun)
+    {
+      if (EDGE_COUNT (bb->succs) == 0)
+	{
+	  if (bitmap_set_bit (noreturn_blocks, bb->index))
+	    count_noreturn++;
+	  continue;
+	}
+
+      /* If there are no exceptions, then any noreturn call must have
+	 zero successor edges.  Otherwise, check for blocks without
+	 non-EH successors, but skip those with resx stmts and edges
+	 (i.e., those other than that in bb_eh_cleanup), since those
+	 will go through bb_eh_cleanup, that will have been counted as
+	 noreturn above because it has no successors.  */
+      gcc_checking_assert (bb != bb_eh_cleanup);
+      if (!flag_exceptions)
+	continue;
+
+      bool found_non_eh_edge = false;
+      bool found_eh_edge = false;
+      edge e;
+      edge_iterator ei;
+      FOR_EACH_EDGE (e, ei, bb->succs)
+	{
+	  if ((e->flags & EDGE_EH))
+	    found_eh_edge = true;
+	  else
+	    found_non_eh_edge = true;
+	  if (found_non_eh_edge && found_eh_edge)
+	    break;
+	}
+
+      if (found_non_eh_edge)
+	continue;
+
+      if (found_eh_edge)
+	{
+	  /* We don't wish to check before (re?)raises, those will
+	     have checking performed at bb_eh_cleanup.  The one
+	     exception is bb_eh_cleanup itself.  */
+	  gimple_stmt_iterator gsi = gsi_last_bb (bb);
+	  gcc_checking_assert (!gsi_end_p (gsi));
+	  gimple *stmt = gsi_stmt (gsi);
+	  if (is_a <gresx *> (stmt))
+	    continue;
+	}
+
+      if (bitmap_set_bit (noreturn_blocks, bb->index))
+	count_noreturn++;
+    }
+
+  gcc_checking_assert (!bb_eh_cleanup
+		       || bitmap_bit_p (noreturn_blocks, bb_eh_cleanup->index));
+
+  /* If we don't have edges to exit nor noreturn calls (including the
+     cleanup reraise), then we may skip instrumentation: that would
+     amount to a function that ends with an infinite loop.  */
+  if (!count_noreturn
+      && EDGE_COUNT (EXIT_BLOCK_PTR_FOR_FN (fun)->preds) == 0)
+    return 0;
+
+  rt_bb_visited vstd (count_noreturn);
+
+  FOR_EACH_BB_FN (bb, fun)
    vstd.visit (bb);
 
-  vstd.check ();
+  vstd.check (count_noreturn, noreturn_blocks);
 
-  return 0;
+  return
+    TODO_update_ssa
+    | TODO_cleanup_cfg
+    | TODO_verify_il;
 }
 
 /* Instantiate a hardcfr pass.  */
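
A minimal C++ sketch of what the new checking points correspond to at the
source level (illustrative only: the functions f and g below are made up,
and only -fharden-control-flow-redundancy and the exit kinds named in the
invoke.texi hunk above come from the patch).  With this change, the
recorded-path verification is emitted not just before regular returns, but
also before noreturn calls and in the cleanup that intercepts exceptions
escaping the function:

    // f.cc -- hypothetical example, not part of the commit.
    #include <cstdlib>
    #include <stdexcept>

    int
    g (int x)
    {
      if (x == 0)
        throw std::runtime_error ("zero");  // may escape f below
      return x - 1;
    }

    int
    f (int x)
    {
      int v = g (x);     // escaping exception: checked in the EH cleanup
                         // the pass now adds around the function
      if (v < 0)
        std::abort ();   // noreturn call: checked right before the call
      return v;          // regular return: checked as before
    }

Building such a file with a compiler that has this pass, e.g.
"g++ -O2 -fharden-control-flow-redundancy -c f.cc", should place the path
check at each of those three exits.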