[ELF][RISCV] Support .got.plt with lazy binding for CHERI-RISC-V

jrtc27 · jrtc27 · commit a913ff1527a8 · 2025-06-03T21:53:33.000+01:00
This is currently behind an opt-in -z cheri-riscv-jump-slot flag as it
requires support in CheriBSD, but in future will become the default and
only supported mode.
diff --git a/lld/ELF/Arch/RISCV.cpp b/lld/ELF/Arch/RISCV.cpp
@@ -221,6 +221,10 @@ void RISCV::writeGotHeader(uint8_t *buf) const {
 }
 
 void RISCV::writeGotPlt(uint8_t *buf, const Symbol &s) const {
+  // Initialised by __cap_relocs for CHERI
+  if (config->isCheriAbi)
+    return;
+
   if (config->is64)
     write64le(buf, in.plt->getVA());
   else
@@ -237,14 +241,7 @@ void RISCV::writeIgotPlt(uint8_t *buf, const Symbol &s) const {
 }
 
 void RISCV::writePltHeader(uint8_t *buf) const {
-  // TODO: Remove once we have a CHERI .got.plt and R_RISCV_CHERI_JUMP_SLOT.
-  // Without those there can be no lazy binding support (though the former
-  // requirement can be relaxed provided .captable[0] is _dl_runtime_resolve,
-  // at least when the PLT is non-empty), so for now we emit a header full of
-  // trapping instructions to ensure we don't accidentally end up trying to use
-  // it. Ideally we would have a header size of 0, but isCheriAbi isn't known
-  // in the constructor.
-  if (config->isCheriAbi) {
+  if (config->isCheriAbi && !config->zCheriRiscvJumpSlot) {
     memset(buf, 0, pltHeaderSize);
     return;
   }
@@ -286,7 +283,9 @@ void RISCV::writePlt(uint8_t *buf, const Symbol &sym,
   // nop
   uint32_t ptrload = config->isCheriAbi ? config->is64 ? CLC_128 : CLC_64
                                         : config->is64 ? LD : LW;
-  uint32_t entryva = config->isCheriAbi ? sym.getGotVA() : sym.getGotPltVA();
+  uint32_t entryva = config->isCheriAbi && !config->zCheriRiscvJumpSlot
+                         ? sym.getGotVA()
+                         : sym.getGotPltVA();
   uint32_t offset = entryva - pltEntryAddr;
   write32le(buf + 0, utype(AUIPC, X_T3, hi20(offset)));
   write32le(buf + 4, itype(ptrload, X_T3, X_T3, lo12(offset)));
diff --git a/lld/ELF/Config.h b/lld/ELF/Config.h
@@ -308,6 +308,7 @@ struct Config {
   // -z captabledebug: add additional symbols $captable_load_<symbols> before
   // each captable clc instruction that indicates which symbol should be loaded
   bool zCapTableDebug;
+  bool zCheriRiscvJumpSlot;
   bool zCombreloc;
   bool zCopyreloc;
   bool zForceBti;
diff --git a/lld/ELF/Driver.cpp b/lld/ELF/Driver.cpp
@@ -535,6 +535,7 @@ static uint8_t getZStartStopVisibility(opt::InputArgList &args) {
 
 constexpr const char *knownZFlags[] = {
     "captabledebug",
+    "cheri-riscv-jump-slot",
     "combreloc",
     "copyreloc",
     "defs",
@@ -1433,6 +1434,7 @@ static void readConfigs(opt::InputArgList &args) {
       args.hasFlag(OPT_warn_symbol_ordering, OPT_no_warn_symbol_ordering, true);
   config->whyExtract = args.getLastArgValue(OPT_why_extract);
   config->zCapTableDebug = getZFlag(args, "captabledebug", "nocaptabledebug", false);
+  config->zCheriRiscvJumpSlot = hasZOption(args, "cheri-riscv-jump-slot");
   config->zCombreloc = getZFlag(args, "combreloc", "nocombreloc", true);
   config->zCopyreloc = getZFlag(args, "copyreloc", "nocopyreloc", true);
   config->zForceBti = hasZOption(args, "force-bti");
diff --git a/lld/ELF/Relocations.cpp b/lld/ELF/Relocations.cpp
@@ -891,20 +891,29 @@ static void addPltEntry(PltSection &plt, GotPltSection &gotPlt,
                         RelocationBaseSection &rel, RelType type, Symbol &sym) {
   plt.addEntry(sym);
 
-  // For CHERI-RISC-V we mark the symbol NEEDS_GOT so it will end up in .got as
-  // a function pointer, and uses .rela.dyn rather than .rela.plt, so no rtld
-  // changes are needed.
+  // For CHERI-RISC-V if JUMP_SLOT relocations are disabled (to be compatible
+  // with old CheriBSD) we mark the symbol NEEDS_GOT so it will end up in .got
+  // as a function pointer, and uses .rela.dyn rather than .rela.plt, so no
+  // rtld changes are needed.
   //
-  // TODO: More normal .got.plt with lazy-binding rather than piggy-backing on
-  // .got once rtld supports it.
-  if (config->emachine == EM_RISCV && config->isCheriAbi)
+  // TODO: Remove this option.
+  if (config->emachine == EM_RISCV && config->isCheriAbi &&
+      !config->zCheriRiscvJumpSlot)
     return;
 
+  if (config->isCheriAbi && !sym.isPreemptible)
+    error("cannot create non-preemptible PLT entry on CHERI against symbol: " +
+          toString(sym));
+
   gotPlt.addEntry(sym);
   rel.addReloc({type, &gotPlt, sym.getGotPltOffset(),
                 sym.isPreemptible ? DynamicReloc::AgainstSymbol
                                   : DynamicReloc::AddendOnlyWithTargetVA,
                 sym, 0, R_ABS});
+  if (config->isCheriAbi)
+    invokeELFT(addCapabilityRelocation, &plt, *target->cheriCapRel, &gotPlt,
+               sym.getGotPltOffset(), R_CHERI_CAPABILITY, 0, false,
+               [] { return ""; });
 }
 
 static void addGotEntry(Symbol &sym) {
@@ -1116,7 +1125,8 @@ void RelocationScanner::processAux(RelExpr expr, RelType type, uint64_t offset,
   } else if (needsPlt(expr)) {
     sym.setFlags(NEEDS_PLT);
     // See addPltEntry
-    if (config->emachine == EM_RISCV && config->isCheriAbi)
+    if (config->emachine == EM_RISCV && config->isCheriAbi &&
+        !config->zCheriRiscvJumpSlot)
       sym.setFlags(NEEDS_GOT);
   } else if (LLVM_UNLIKELY(isIfunc)) {
     sym.setFlags(HAS_DIRECT_RELOC);
@@ -1262,7 +1272,8 @@ void RelocationScanner::processAux(RelExpr expr, RelType type, uint64_t offset,
                     getLocation(*sec, sym, offset));
       sym.setFlags(NEEDS_COPY | NEEDS_PLT);
       // See addPltEntry
-      if (config->emachine == EM_RISCV && config->isCheriAbi)
+      if (config->emachine == EM_RISCV && config->isCheriAbi &&
+          !config->zCheriRiscvJumpSlot)
         sym.setFlags(NEEDS_GOT);
       sec->addReloc({expr, type, offset, addend, &sym});
       return;
diff --git a/lld/test/ELF/cheri/riscv/plt.s b/lld/test/ELF/cheri/riscv/plt.s
@@ -4,20 +4,30 @@
 # RUN: %riscv32_cheri_purecap_llvm-mc -filetype=obj %t1.s -o %t1.32.o
 # RUN: ld.lld -shared %t1.32.o -soname=t1.32.so -o %t1.32.so
 # RUN: %riscv32_cheri_purecap_llvm-mc -filetype=obj %s -o %t.32.o
-# RUN: ld.lld %t.32.o %t1.32.so -z separate-code -o %t.32
-# RUN: llvm-readelf -S -s %t.32 | FileCheck --check-prefixes=SEC,NM %s
-# RUN: llvm-readobj -r %t.32 | FileCheck --check-prefix=RELOC32 %s
-# RUN: llvm-readelf -x .got %t.32 | FileCheck --check-prefix=GOT32 %s
-# RUN: llvm-objdump -d --no-show-raw-insn %t.32 | FileCheck --check-prefixes=DIS,DIS32 %s
+# RUN: ld.lld %t.32.o %t1.32.so -z separate-code -o %t.32.got
+# RUN: llvm-readelf -S -s %t.32.got | FileCheck --check-prefixes=SEC,NM %s
+# RUN: llvm-readobj -r --cap-relocs %t.32.got | FileCheck --check-prefix=RELOCGOT32 %s
+# RUN: llvm-readelf -x .got %t.32.got | FileCheck --check-prefix=GOT32 %s
+# RUN: llvm-objdump -d --no-show-raw-insn %t.32.got | FileCheck --check-prefixes=DIS,DISGOT,DISGOT32 %s
+# RUN: ld.lld %t.32.o %t1.32.so -z separate-code -z cheri-riscv-jump-slot -o %t.32.got.plt
+# RUN: llvm-readelf -S -s %t.32.got.plt | FileCheck --check-prefixes=SEC,NM %s
+# RUN: llvm-readobj -r --cap-relocs %t.32.got.plt | FileCheck --check-prefix=RELOCGOTPLT32 %s
+# RUN: llvm-readelf -x .got.plt %t.32.got.plt | FileCheck --check-prefix=GOTPLT32 %s
+# RUN: llvm-objdump -d --no-show-raw-insn %t.32.got.plt | FileCheck --check-prefixes=DIS,DISGOTPLT,DISGOTPLT32 %s
 
 # RUN: %riscv64_cheri_purecap_llvm-mc -filetype=obj %t1.s -o %t1.64.o
 # RUN: ld.lld -shared %t1.64.o -soname=t1.64.so -o %t1.64.so
 # RUN: %riscv64_cheri_purecap_llvm-mc -filetype=obj %s -o %t.64.o
-# RUN: ld.lld %t.64.o %t1.64.so -z separate-code -o %t.64
-# RUN: llvm-readelf -S -s %t.64 | FileCheck --check-prefixes=SEC,NM %s
-# RUN: llvm-readobj -r %t.64 | FileCheck --check-prefix=RELOC64 %s
-# RUN: llvm-readelf -x .got %t.64 | FileCheck --check-prefix=GOT64 %s
-# RUN: llvm-objdump -d --no-show-raw-insn %t.64 | FileCheck --check-prefixes=DIS,DIS64 %s
+# RUN: ld.lld %t.64.o %t1.64.so -z separate-code -o %t.64.got
+# RUN: llvm-readelf -S -s %t.64.got | FileCheck --check-prefixes=SEC,NM %s
+# RUN: llvm-readobj -r --cap-relocs %t.64.got | FileCheck --check-prefix=RELOCGOT64 %s
+# RUN: llvm-readelf -x .got %t.64.got | FileCheck --check-prefix=GOT64 %s
+# RUN: llvm-objdump -d --no-show-raw-insn %t.64.got | FileCheck --check-prefixes=DIS,DISGOT,DISGOT64 %s
+# RUN: ld.lld %t.64.o %t1.64.so -z separate-code -z cheri-riscv-jump-slot -o %t.64.got.plt
+# RUN: llvm-readelf -S -s %t.64.got.plt | FileCheck --check-prefixes=SEC,NM %s
+# RUN: llvm-readobj -r --cap-relocs %t.64.got.plt | FileCheck --check-prefix=RELOCGOTPLT64 %s
+# RUN: llvm-readelf -x .got.plt %t.64.got.plt | FileCheck --check-prefix=GOTPLT64 %s
+# RUN: llvm-objdump -d --no-show-raw-insn %t.64.got.plt | FileCheck --check-prefixes=DIS,DISGOTPLT,DISGOTPLT64 %s
 
 # SEC: .plt PROGBITS {{0*}}00011030
 
@@ -26,23 +36,51 @@
 # NM: {{0*}}00000000 0 FUNC GLOBAL DEFAULT UND bar
 # NM: {{0*}}00000000 0 FUNC WEAK   DEFAULT UND weak
 
-# RELOC32:      .rela.dyn {
-# RELOC32-NEXT:   0x12068 R_RISCV_CHERI_CAPABILITY bar 0x0
-# RELOC32-NEXT:   0x12070 R_RISCV_CHERI_CAPABILITY weak 0x0
-# RELOC32-NEXT: }
+# RELOCGOT32:      .rela.dyn {
+# RELOCGOT32-NEXT:   0x12068 R_RISCV_CHERI_CAPABILITY bar 0x0
+# RELOCGOT32-NEXT:   0x12070 R_RISCV_CHERI_CAPABILITY weak 0x0
+# RELOCGOT32-NEXT: }
+# RELOCGOT32:      There is no __cap_relocs section in the file.
 # GOT32:      section '.got'
 # GOT32-NEXT: 0x00012060 00200100 00000000 00000000 00000000
 # GOT32-NEXT: 0x00012070 00000000 00000000
 
-# RELOC64:      .rela.dyn {
-# RELOC64-NEXT:   0x120D0 R_RISCV_CHERI_CAPABILITY bar 0x0
-# RELOC64-NEXT:   0x120E0 R_RISCV_CHERI_CAPABILITY weak 0x0
-# RELOC64-NEXT: }
+# RELOCGOTPLT32:      .rela.plt {
+# RELOCGOTPLT32-NEXT:   0x13088 R_RISCV_JUMP_SLOT bar 0x0
+# RELOCGOTPLT32-NEXT:   0x13090 R_RISCV_JUMP_SLOT weak 0x0
+# RELOCGOTPLT32-NEXT: }
+# RELOCGOTPLT32:      CHERI __cap_relocs [
+# RELOCGOTPLT32-NEXT:   0x013088 Base: 0x11030 (<unknown symbol>+0) Length: 64 Perms: Function
+# RELOCGOTPLT32-NEXT:   0x013090 Base: 0x11030 (<unknown symbol>+0) Length: 64 Perms: Function
+# RELOCGOTPLT32-NEXT: ]
+# GOTPLT32:      section '.got.plt'
+# GOTPLT32-NEXT: 0x00013078 00000000 00000000 00000000 00000000
+# GOTPLT32-NEXT: 0x00013088 00000000 00000000 00000000 00000000
+
+# RELOCGOT64:      .rela.dyn {
+# RELOCGOT64-NEXT:   0x120D0 R_RISCV_CHERI_CAPABILITY bar 0x0
+# RELOCGOT64-NEXT:   0x120E0 R_RISCV_CHERI_CAPABILITY weak 0x0
+# RELOCGOT64-NEXT: }
+# RELOCGOT64:      There is no __cap_relocs section in the file.
 # GOT64:      section '.got'
 # GOT64-NEXT: 0x000120c0 00200100 00000000 00000000 00000000
 # GOT64-NEXT: 0x000120d0 00000000 00000000 00000000 00000000
 # GOT64-NEXT: 0x000120e0 00000000 00000000 00000000 00000000
 
+# RELOCGOTPLT64:      .rela.plt {
+# RELOCGOTPLT64-NEXT:   0x13110 R_RISCV_JUMP_SLOT bar 0x0
+# RELOCGOTPLT64-NEXT:   0x13120 R_RISCV_JUMP_SLOT weak 0x0
+# RELOCGOTPLT64-NEXT: }
+# RELOCGOTPLT64:      CHERI __cap_relocs [
+# RELOCGOTPLT64-NEXT:   0x013110 Base: 0x11030 (<unknown symbol>+0) Length: 64 Perms: Function
+# RELOCGOTPLT64-NEXT:   0x013120 Base: 0x11030 (<unknown symbol>+0) Length: 64 Perms: Function
+# RELOCGOTPLT64-NEXT: ]
+# GOTPLT64:      section '.got.plt'
+# GOTPLT64-NEXT: 0x000130f0 00000000 00000000 00000000 00000000
+# GOTPLT64-NEXT: 0x00013100 00000000 00000000 00000000 00000000
+# GOTPLT64-NEXT: 0x00013110 00000000 00000000 00000000 00000000
+# GOTPLT64-NEXT: 0x00013120 00000000 00000000 00000000 00000000
+
 # DIS:      <_start>:
 ## Direct call
 ## foo - . = 0x11020-0x11000 = 32
@@ -60,25 +98,49 @@
 # DIS:      <foo>:
 # DIS-NEXT:   11020:
 
-# DIS:      Disassembly of section .plt:
-# DIS:      <.plt>:
-# DIS-NEXT:     ...
+# DIS:              Disassembly of section .plt:
+# DIS:              <.plt>:
+# DISGOT-NEXT:          ...
+# DISGOTPLT-NEXT:       auipcc ct2, 2
+# DISGOTPLT-NEXT:       sub t1, t1, t3
+## 32-bit: .got.plt - .plt = 0x13078 - 0x11030 = 4096*2+72
+## 64-bit: .got.plt - .plt = 0x130f0 - 0x11030 = 4096*2+192
+# DISGOTPLT32-NEXT:     lc ct3, 72(ct2)
+# DISGOTPLT64-NEXT:     lc ct3, 192(ct2)
+# DISGOTPLT-NEXT:       addi t1, t1, -44
+# DISGOTPLT32-NEXT:     cincoffset ct0, ct2, 72
+# DISGOTPLT64-NEXT:     cincoffset ct0, ct2, 192
+# DISGOTPLT32-NEXT:     srli t1, t1, 1
+# DISGOTPLT32-NEXT:     lc ct0, 8(ct0)
+# DISGOTPLT64-NEXT:     lc ct0, 16(ct0)
+# DISGOTPLT-NEXT:       jr ct3
+# DISGOTPLT64-NEXT:     nop
 
-## 32-bit: &.got[bar]-. = 0x12068-0x11050 = 4096*1+24
-## 64-bit: &.got[bar]-. = 0x120d0-0x11050 = 4096*1+128
-# DIS:        11050: auipcc ct3, 1
-# DIS32-NEXT:   lc ct3, 24(ct3)
-# DIS64-NEXT:   lc ct3, 128(ct3)
-# DIS-NEXT:     jalr ct1, ct3
-# DIS-NEXT:     nop
+## 32-bit (.got): &.got[bar]-. = 0x12068-0x11050 = 4096*1+24
+## 64-bit (.got): &.got[bar]-. = 0x120d0-0x11050 = 4096*1+128
+## 32-bit (.got.plt): &.got.plt[bar]-. = 0x13088-0x11050 = 4096*2+56
+## 64-bit (.got.plt): &.got.plt[bar]-. = 0x13110-0x11050 = 4096*2+192
+# DISGOT:           11050: auipcc ct3, 1
+# DISGOTPLT:        11050: auipcc ct3, 2
+# DISGOT32-NEXT:      lc ct3, 24(ct3)
+# DISGOT64-NEXT:      lc ct3, 128(ct3)
+# DISGOTPLT32-NEXT:   lc ct3, 56(ct3)
+# DISGOTPLT64-NEXT:   lc ct3, 192(ct3)
+# DIS-NEXT:           jalr ct1, ct3
+# DIS-NEXT:           nop
 
-## 32-bit: &.got[weak]-. = 0x12070-0x11060 = 4096*1+16
-## 64-bit: &.got[weak]-. = 0x120e0-0x11060 = 4096*1+128
-# DIS:        11060: auipcc ct3, 1
-# DIS32-NEXT:   lc ct3, 16(ct3)
-# DIS64-NEXT:   lc ct3, 128(ct3)
-# DIS-NEXT:     jalr ct1, ct3
-# DIS-NEXT:     nop
+## 32-bit (.got): &.got[weak]-. = 0x12070-0x11060 = 4096*1+16
+## 64-bit (.got): &.got[weak]-. = 0x120e0-0x11060 = 4096*1+128
+## 32-bit (.got.plt): &.got.plt[weak]-. = 0x13090-0x11060 = 4096*2+48
+## 64-bit (.got.plt): &.got.plt[weak]-. = 0x13120-0x11060 = 4096*2+192
+# DISGOT:           11060: auipcc ct3, 1
+# DISGOTPLT:        11060: auipcc ct3, 2
+# DISGOT32-NEXT:      lc ct3, 16(ct3)
+# DISGOT64-NEXT:      lc ct3, 128(ct3)
+# DISGOTPLT32-NEXT:   lc ct3, 48(ct3)
+# DISGOTPLT64-NEXT:   lc ct3, 192(ct3)
+# DIS-NEXT:           jalr ct1, ct3
+# DIS-NEXT:           nop
 
 .global _start, foo, bar
 .weak weak
