[aarch64] XOR the frame pointer with the stack cookie when protecting the stack

[PanTao2]

This strengthens the guard and matches MSVC.

Fixes #156573 .

[llvmbot]

@llvm/pr-subscribers-llvm-globalisel
@llvm/pr-subscribers-llvm-selectiondag
@llvm/pr-subscribers-backend-x86

@llvm/pr-subscribers-backend-aarch64

Author: Pan Tao (PanTao2)

Changes

---

Full diff: https://github.com/llvm/llvm-project/pull/161114.diff

3 Files Affected:

• (modified) llvm/lib/Target/AArch64/AArch64ISelLowering.cpp (+11-1)
• (modified) llvm/lib/Target/AArch64/AArch64ISelLowering.h (+3)
• (modified) llvm/lib/Target/AArch64/AArch64SelectionDAGInfo.cpp (+1-1)

diff --git a/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp b/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
index a4c1e265f0e63..fffc060bbe7cd 100644
--- a/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
+++ b/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp
@@ -28818,7 +28818,17 @@ void AArch64TargetLowering::ReplaceNodeResults(
 bool AArch64TargetLowering::useLoadStackGuardNode(const Module &M) const {
   if (Subtarget->isTargetAndroid() || Subtarget->isTargetFuchsia())
     return TargetLowering::useLoadStackGuardNode(M);
-  return true;
+  return false;
+}
+
+bool AArch64TargetLowering::useStackGuardXorFP() const { return true; }
+
+SDValue AArch64TargetLowering::emitStackGuardXorFP(SelectionDAG &DAG,
+                                                   SDValue Val,
+                                                   const SDLoc &DL) const {
+  return DAG.getNode(
+      ISD::XOR, DL, Val.getValueType(), Val,
+      DAG.getRegister(getStackPointerRegisterToSaveRestore(), MVT::i64));
 }
 
 unsigned AArch64TargetLowering::combineRepeatedFPDivisors() const {
diff --git a/llvm/lib/Target/AArch64/AArch64ISelLowering.h b/llvm/lib/Target/AArch64/AArch64ISelLowering.h
index d8072d15853ee..8073b0677a11b 100644
--- a/llvm/lib/Target/AArch64/AArch64ISelLowering.h
+++ b/llvm/lib/Target/AArch64/AArch64ISelLowering.h
@@ -349,6 +349,9 @@ class AArch64TargetLowering : public TargetLowering {
   shouldExpandAtomicCmpXchgInIR(AtomicCmpXchgInst *AI) const override;
 
   bool useLoadStackGuardNode(const Module &M) const override;
+  bool useStackGuardXorFP() const override;
+  SDValue emitStackGuardXorFP(SelectionDAG &DAG, SDValue Val,
+                              const SDLoc &DL) const override;
   TargetLoweringBase::LegalizeTypeAction
   getPreferredVectorAction(MVT VT) const override;
 
diff --git a/llvm/lib/Target/AArch64/AArch64SelectionDAGInfo.cpp b/llvm/lib/Target/AArch64/AArch64SelectionDAGInfo.cpp
index d3b1aa621b61a..163de52386221 100644
--- a/llvm/lib/Target/AArch64/AArch64SelectionDAGInfo.cpp
+++ b/llvm/lib/Target/AArch64/AArch64SelectionDAGInfo.cpp
@@ -32,7 +32,7 @@ AArch64SelectionDAGInfo::AArch64SelectionDAGInfo()
 
 void AArch64SelectionDAGInfo::verifyTargetNode(const SelectionDAG &DAG,
                                                const SDNode *N) const {
-  SelectionDAGGenTargetInfo::verifyTargetNode(DAG, N);
+  //  SelectionDAGGenTargetInfo::verifyTargetNode(DAG, N);
 
 #ifndef NDEBUG
   // Some additional checks not yet implemented by verifyTargetNode.

[PanTao2]

@efriedma-quic Could you please review this PR? Is AArch64SelectionDAGInfo::verifyTargetNode() necessary? Only RISCV and AArch64 have implemented this function.

[efriedma-quic]

Not sure why you're commenting this out?

verifyTargetNode is there to allow targets to implement additional verification for target-specific nodes, to try to catch mistakes early. It isn't strictly necessary to implement it for new nodes, but it's nice to have.

[PanTao2]

Thank you for your review and explanation!
There is fatal error:

LLVM ERROR: invalid node: operand #0 has invalid type; expected ch, got i64
t18: ch = AArch64ISD::BRCOND t3, BasicBlock:ch<entry 0x59e981fa35b0>, Constant:i32<1>, t16:1
  t3: i64,ch = load<(volatile load (s64) from %stack.0.StackGuardSlot)> t0, FrameIndex:i64<0>, undef:i64
  t16: i64,i32 = AArch64ISD::SUBS t8, t6

This fatal error is triggered by the following stack:
llvm::report_fatal_error
checkOperandType
llvm::SDNodeInfo::verifyNode "if (HasChain) checkOperandType(DAG, N, 0, MVT::Other);"
llvm::SelectionDAGGenTargetInfo::verifyTargetNode
llvm::AArch64SelectionDAGInfo::verifyTargetNode

What do you suggest in this situation?

[efriedma-quic]

That's an actual issue with the structure of the DAG: a node which is supposed to have a chain as the first operand has an operand that isn't a chain. I suspect there's some code that's supposed to return the chain of the load, but is accidentally returning the value of the load instead. (An SDValue is a struct with two members: an SDNode*, and an integer for which result of the SDNode is being referenced.)

[efriedma-quic]

This might not be relevant if you switch away from modifying useLoadStackGuardNode.

[PanTao2]

Yes, this is not relevant after removing the modification of useLoadStackGuardNode.

[efriedma-quic]

It's probably worth making the test check for the "eor" instruction.

[PanTao2]

I added test check for the "eor" instruction.

[efriedma-quic]

I'd prefer not to disable useLoadStackGuardNode; it provides additional protection because it prevents later optimizations from incorrectly hoisting the address computations.

You can add the EOR instruction in AArch64InstrInfo::expandPostRAPseudo.

[PanTao2]

I added the EOR instruction in AArch64InstrInfo::expandPostRAPseudo. Could you please further review it?

[efriedma-quic]

Do we need the EnableGlobalISel check here?

Probably needs a comment explaining why we're doing this specifically for for MSVCRT targets (to match MSVC).

Can we move this outside the if statement, so it doesn't depend on the code model? We should usually be using small code model for Windows targets, due to the inherent limits of PE-COFF, but some unusual configs like JITs can use other code models.

[PanTao2]

Yes. Without the EnableGlobalISel check here, the test https://github.com/llvm/llvm-project/blob/main/llvm/test/CodeGen/AArch64/GlobalISel/irtranslator-stack-protector-windows.ll#L2 crash.
I added a simple comment.
Yes. I have moved this outside the if statement.
The eor instruction in the failure BB can not be added in AArch64InstrInfo::expandPostRAPseudo. Therefor, I have modified the existing interface emitStackGuardXorFP to add the eor instruction.
Could you please further review it?

[efriedma-quic]

Suggested change

	BuildMI(MBB, MI, DL, get(AArch64::EORWrr), Reg)
	BuildMI(MBB, MI, DL, get(AArch64::EORXrr), Reg)

[PanTao2]

Done.

[omjavaid]

Hi @PanTao2 thanks for writing this patch. I have general comment first as I think we need some further consideration before going ahead with this change.
On Windows MSVC does this a bit differently on AArch64 vs x64. MSVC uses push pop helpers for /GS checks on AArch64 while on x64 it just inlines the checks and calls security_check_cookie at the end.
Also note MSVC on AArch64 mixes the cookie using sub (sp - cookie) but x64 uses xor (cookie ^ rsp) both do the same job but with diff tradeoffs. XOR is smaller and reversible and sub fits better with overall Arm's stack arithmetic. So if the goal here is to exactly mimic MSVC behavior maybe worth thinking which one is closer or better for LLVM side.... maybe just match the semantics not the exact instr choice what do you think?

[PanTao2]

Hi @omjavaid thanks for your comment. I think you prefer 'only matching semantics'. I think this is great.
My understanding of the difference between aarch64 and x86_64 on Windows MSVC, please correct me if there are any errors.

1. MSVC uses push pop helpers (calls _security{push|pop}_cookie) on aarch64, while it inlines the checks on x86_64.
2. MSVC mixes the cookie using sub (sp - cookie) on aarch64, while it mixes the cookie using xor (cookie ^ rsp) on x86_64.

Regarding 1, based on recent optimizations (PR #95904 and PR #136290), I think you prefer inline checks on aarch64. I think it's great.
Regarding 2, thanks for your reminding, I think this is great that using sub (sp - cookie) for fitting better with overall Arm’s stack arithmetic.
What do you think of changing the implementation of this PR to inline sub (sp - cookie)?

[PanTao2]

Hi @omjavaid ping.

[omjavaid]

What do you think of changing the implementation of this PR to inline sub (sp - cookie)?

Yes, I think I tend to prefer inlining with sub (sp - cookie)

[omjavaid]

My understanding of the difference between aarch64 and x86_64 on Windows MSVC, please correct me if there are any errors.

1. MSVC uses push pop helpers (calls _security{push|pop}_cookie) on aarch64, while it inlines the checks on x86_64.
2. MSVC mixes the cookie using sub (sp - cookie) on aarch64, while it mixes the cookie using xor (cookie ^ rsp) on x86_64.

Yes. This is correct. Lets mix the cookie using sub instruction on AArch64 while keep the existing inlining logic intact.

[PanTao2]

Hi @omjavaid I changed the mixed instruction from xor to sub, could you please review the new implementation?

[PanTao2]

Hi @omjavaid ping, thanks.

[PanTao2]

Hi @efriedma-quic, @omjavaid may be on vacation, could you please help to continue to review this PR?

[efriedma-quic]

Can you commute the operands of the add? add x0, x8, sp is not a legal instruction, but add x0, sp, x8 is legal.

[PanTao2]

Thank you for correcting.

[efriedma-quic]

Please regenerate with update_llc_test_checks.py ; don't edit check lines of autogenerated tests by hand.

[PanTao2]

Thanks, I regenerate this file with update_llc_test_checks.py.

[efriedma-quic]

Is update_llc_test_checks.py not happy if you write --check-prefixes=CHECK,CHECK-GI. If that doesn't work, this is fine, I guess.

[PanTao2]

Sorry for making unnecessary changes. I changed it back to --check-prefixes=CHECK,CHECK-GI and regenerated this file.

[efriedma-quic]

Does this actually produce the correct instruction? I'm not sure SP is in the right register class; I suspect you end up subtracting from zero. The wouldn't show up in assembly output, but it would show up in disassembly. (SUBXrx64 can refer to SP this way, though.)

[efriedma-quic]

Any reply here?

[PanTao2]

I changed SUBXrr to SUBXrx64. Could you please check it?

[efriedma-quic]

Oh, hmm, this still doesn't actually remove the extra instruction because that would require using a different encoding (ADDXrs vs. ADDXrx64). Shouldn't be too hard to fix; see d337c1f .

[github-actions]

🐧 Linux x64 Test Results

• 186635 tests passed
• 4888 tests skipped

[efriedma-quic]

Please don't use the result of getRegister as an operand to a target-independent ISD::ADD. Register operands aren't values; they are intended only for use with specific operations which are expecting them.

It might appear to work here, sort-of, but other parts of the DAG aren't expecting it, and it will lead to weird results in general. And I'm not sure it actually is working correctly here... what's the actual encoding you're getting?

[PanTao2]

When running llvm/test/CodeGen/AArch64/stack-protector-target.ll, the SDValue returned by DAG.getRegister (getRegister(getStackPointerRegisterToSaveRestore(), MVT:: i64) is "t4: i64 = Register $physreg8".
DAG.getRegister wraps Register as SDValue, while DAG.getCopyFromReg (used in previous version) uses DAG.getRegister and adds a move (copy) instruction.

[PanTao2]

I moved the target-independent ISD::ADD to the target-independent class SelectionDAG. Could you please further review it?

[efriedma-quic]

Is update_llc_test_checks.py not happy if you write --check-prefixes=CHECK,CHECK-GI. If that doesn't work, this is fine, I guess.

[efriedma-quic]

Any reply here?

[efriedma-quic]

Moving the code around doesn't solve the fundamental issue that you actually need to CopyFromReg for correctness.

Please take another look at d337c1f , specifically how it added the copyFromSP pattern.

[PanTao2]

I deleted the copyFromSp instruction by referring to d337c1f. Could you please check it?

[efriedma-quic]

Maybe extend this comment a little to explain what exactly we're matching.

[PanTao2]

Could you please review the added comment?

[efriedma-quic]

Is there any particular reason to check for a LOAD? The pattern seems like it should still work for non-LOAD operands.

[PanTao2]

If the LOAD is not checked, there will be many unexpected changes. E.g., the following code

stur x10, [x29, #-200]               // 8-byte Folded Spill
mov x15, sp
subs x10, x15, #16

will be changed to

stur x10, [x29, #-200]
mov x15, sp
add x10, x15, x8, uxtx

[PanTao2]

I'm very sorry, I was informed that some of my comments were not sent out.

[PanTao2]

Yes. Without the EnableGlobalISel check here, the test https://github.com/llvm/llvm-project/blob/main/llvm/test/CodeGen/AArch64/GlobalISel/irtranslator-stack-protector-windows.ll#L2 crash.
I added a simple comment.
Yes. I have moved this outside the if statement.
The eor instruction in the failure BB can not be added in AArch64InstrInfo::expandPostRAPseudo. Therefor, I have modified the existing interface emitStackGuardXorFP to add the eor instruction.
Could you please further review it?

[PanTao2]

Done.

[PanTao2]

Thank you for correcting.

[PanTao2]

Thanks, I regenerate this file with update_llc_test_checks.py.

[PanTao2]

When running llvm/test/CodeGen/AArch64/stack-protector-target.ll, the SDValue returned by DAG.getRegister (getRegister(getStackPointerRegisterToSaveRestore(), MVT:: i64) is "t4: i64 = Register $physreg8".
DAG.getRegister wraps Register as SDValue, while DAG.getCopyFromReg (used in previous version) uses DAG.getRegister and adds a move (copy) instruction.

[PanTao2]

I moved the target-independent ISD::ADD to the target-independent class SelectionDAG. Could you please further review it?

[PanTao2]

Sorry for making unnecessary changes. I changed it back to --check-prefixes=CHECK,CHECK-GI and regenerated this file.

[PanTao2]

I deleted the copyFromSp instruction by referring to d337c1f. Could you please check it?

[PanTao2]

I changed SUBXrr to SUBXrx64. Could you please check it?