[CHERIoT] Launder sealed pointers when calling cheri.cap.address.get intrinsic

xdoardo · xdoardo · commit e77afe098944 · 2025-11-24T11:10:59.000+01:00
diff --git a/clang/lib/CodeGen/CGBuiltin.cpp b/clang/lib/CodeGen/CGBuiltin.cpp
@@ -6026,10 +6026,14 @@ RValue CodeGenFunction::EmitBuiltinExpr(const GlobalDecl GD, unsigned BuiltinID,
       return RValue::get(Builder.CreateIntToPtr(Ptr, ResultTy));
   }
 
-  case Builtin::BI__builtin_cheri_address_get:
-    return RValue::get(
-        Builder.CreateIntrinsic(llvm::Intrinsic::cheri_cap_address_get,
-                                {IntPtrTy}, {EmitScalarExpr(E->getArg(0))}));
+  case Builtin::BI__builtin_cheri_address_get: {
+    const auto *Arg = E->getArg(0);
+    auto *RArg = EmitScalarExpr(Arg);
+    if (Arg->getType()->isCHERISealedCapabilityType(getContext()))
+      RArg = Builder.CreateLaunderInvariantGroup(RArg);
+    return RValue::get(Builder.CreateIntrinsic(
+        llvm::Intrinsic::cheri_cap_address_get, {IntPtrTy}, {RArg}));
+  }
   case Builtin::BI__builtin_cheri_address_set: {
     Value *Cap = EmitScalarExpr(E->getArg(0));
     Value *Address = EmitScalarExpr(E->getArg(1));
diff --git a/clang/test/CodeGen/cheri/riscv/cheriot-static-sealed-value-attr.c b/clang/test/CodeGen/cheri/riscv/cheriot-static-sealed-value-attr.c
@@ -25,18 +25,32 @@ SealedInt Obj2 = 10;
 // CHECK: @llvm.compiler.used = appending addrspace(200) global [2 x ptr addrspace(200)] [ptr addrspace(200) @Obj1, ptr addrspace(200) @Obj2], section "llvm.metadata"
 
 void doSomething(struct SealedStructObj *__sealed_capability obj);
+void doSomethingWithAddr(int addr);
 void doSomething2(SealedInt *__sealed_capability obj);
 
 // CHECK: ; Function Attrs: minsize nounwind optsize
 // CHECK: define dso_local void @func() local_unnamed_addr addrspace(200) #1 {
 void func() {
 // CHECK: entry:
-// CHECK: 	tail call void @doSomething(ptr addrspace(200) noundef nonnull @Obj1) #3
+// CHECK: 	tail call void @doSomething(ptr addrspace(200) noundef nonnull @Obj1) #5
   doSomething(&Obj1);
 
-// CHECK: 	tail call void @doSomething2(ptr addrspace(200) noundef nonnull @Obj2) #3
+// Verify that observing the address of a sealed global value is done through a call to the launder built-in, so that 
+// the KnownBits optimisation pass can't assume anything about the value of the pointer, specifically nothing about the alignment of the pointer.
+// This is because the CHERIoT RTOS uses the lower bits of the address to store the permissions of the sealed capability, and KnownBits can in turn 
+// optimise away logical computations on lower parts of the address.
+
+// CHECK:  %0 = tail call ptr addrspace(200) @llvm.launder.invariant.group.p200(ptr addrspace(200) nonnull @Obj1)
+// CHECK:  %1 = tail call i32 @llvm.cheri.cap.address.get.i32(ptr addrspace(200) nonnull %0)
+// CHECK:  tail call void @doSomethingWithAddr(i32 noundef %1) #5
+  doSomethingWithAddr(__builtin_cheri_address_get(&Obj1));
+
+// CHECK: 	tail call void @doSomething2(ptr addrspace(200) noundef nonnull @Obj2) #5
   doSomething2(&Obj2);
 }
 
 // CHECK: declare void @doSomething(ptr addrspace(200) noundef) local_unnamed_addr addrspace(200) #2
+// CHECK: declare void @doSomethingWithAddr(i32 noundef) local_unnamed_addr addrspace(200) #2
+// CHECK: declare ptr addrspace(200) @llvm.launder.invariant.group.p200(ptr addrspace(200)) addrspace(200) #3
+// CHECK: declare i32 @llvm.cheri.cap.address.get.i32(ptr addrspace(200)) addrspace(200) #4
 // CHECK: declare void @doSomething2(ptr addrspace(200) noundef) local_unnamed_addr addrspace(200) #2
