Skip to content

[BOLT] Gadget scanner: do not crash on debug-printing CFI instructions #136151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
atrosinenko merged 1 commit into from
Jun 19, 2025
Merged

[BOLT] Gadget scanner: do not crash on debug-printing CFI instructions #136151

atrosinenko merged 1 commit into from
Jun 19, 2025

Conversation

@atrosinenko
Copy link
Contributor

@atrosinenko atrosinenko commented Apr 17, 2025

Some instruction-printing code used under LLVM_DEBUG does not handle CFI
instructions well. While CFI instructions seem to be harmless for the
correctness of the analysis results, they do not convey any useful
information to the analysis either, so skip them early.

This was referenced Apr 17, 2025
Merged
Merged
Merged
Merged
Merged
Merged
@atrosinenko atrosinenko marked this pull request as ready for review April 17, 2025 15:56
@atrosinenko Graphite App
Copy link
Contributor Author

atrosinenko commented Apr 17, 2025
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@atrosinenko atrosinenko mentioned this pull request Apr 17, 2025
Merged
@llvmbot llvmbot added the BOLT label Apr 17, 2025
@llvmbot
Copy link
Member

llvmbot commented Apr 17, 2025

@llvm/pr-subscribers-bolt

Author: Anatoly Trosinenko (atrosinenko)

Changes

Some instruction-printing code used under LLVM_DEBUG does not handle CFI
instructions well. While CFI instructions seem to be harmless for the
correctness of the analysis results, they do not convey any useful
information to the analysis either, so skip them early.

Full diff: https://github.com/llvm/llvm-project/pull/136151.diff

2 Files Affected:

  • (modified) bolt/lib/Passes/PAuthGadgetScanner.cpp (+16)
  • (modified) bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s (+32)
diff --git a/bolt/lib/Passes/PAuthGadgetScanner.cpp b/bolt/lib/Passes/PAuthGadgetScanner.cpp
index f12354390c3f3..2d2126bf05ae1 100644
--- a/bolt/lib/Passes/PAuthGadgetScanner.cpp
+++ b/bolt/lib/Passes/PAuthGadgetScanner.cpp
@@ -433,6 +433,9 @@ class SrcSafetyAnalysis {
   }
 
   SrcState computeNext(const MCInst &Point, const SrcState &Cur) {
+    if (BC.MIB->isCFI(Point))
+      return Cur;
+
     SrcStatePrinter P(BC);
     LLVM_DEBUG({
       dbgs() << "  SrcSafetyAnalysis::ComputeNext(";
@@ -674,6 +677,8 @@ class CFGUnawareSrcSafetyAnalysis : public SrcSafetyAnalysis {
     SrcState S = createEntryState();
     for (auto &I : BF.instrs()) {
       MCInst &Inst = I.second;
+      if (BC.MIB->isCFI(Inst))
+        continue;
 
       // If there is a label before this instruction, it is possible that it
       // can be jumped-to, thus conservatively resetting S. As an exception,
@@ -952,6 +957,9 @@ class DstSafetyAnalysis {
   }
 
   DstState computeNext(const MCInst &Point, const DstState &Cur) {
+    if (BC.MIB->isCFI(Point))
+      return Cur;
+
     DstStatePrinter P(BC);
     LLVM_DEBUG({
       dbgs() << "  DstSafetyAnalysis::ComputeNext(";
@@ -1130,6 +1138,8 @@ class CFGUnawareDstSafetyAnalysis : public DstSafetyAnalysis {
     DstState S = createUnsafeState();
     for (auto &I : llvm::reverse(BF.instrs())) {
       MCInst &Inst = I.second;
+      if (BC.MIB->isCFI(Inst))
+        continue;
 
       // If Inst can change the control flow, we cannot be sure that the next
       // instruction (to be executed in analyzed program) is the one processed
@@ -1326,6 +1336,9 @@ void FunctionAnalysis::findUnsafeUses(
   });
 
   iterateOverInstrs(BF, [&](MCInstReference Inst) {
+    if (BC.MIB->isCFI(Inst))
+      return;
+
     const SrcState &S = Analysis->getStateBefore(Inst);
 
     // If non-empty state was never propagated from the entry basic block
@@ -1387,6 +1400,9 @@ void FunctionAnalysis::findUnsafeDefs(
   });
 
   iterateOverInstrs(BF, [&](MCInstReference Inst) {
+    if (BC.MIB->isCFI(Inst))
+      return;
+
     const DstState &S = Analysis->getStateAfter(Inst);
 
     if (auto Report = shouldReportAuthOracle(BC, Inst, S))
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
index fd55880921d06..07b61bea77e94 100644
--- a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
+++ b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
@@ -329,6 +329,38 @@ auth_oracle:
 // PAUTH-EMPTY:
 // PAUTH-NEXT:   Attaching leakage info to:     00000000:      autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector>
 
+// Gadget scanner should not crash on CFI instructions, including when debug-printing them.
+// Note that the particular debug output is not checked, but BOLT should be
+// compiled with assertions enabled to support -debug-only argument.
+
+        .globl  cfi_inst_df
+        .type   cfi_inst_df,@function
+cfi_inst_df:
+        .cfi_startproc
+        sub     sp, sp, #16
+        .cfi_def_cfa_offset 16
+        add     sp, sp, #16
+        .cfi_def_cfa_offset 0
+        ret
+        .size   cfi_inst_df, .-cfi_inst_df
+        .cfi_endproc
+
+        .globl  cfi_inst_nocfg
+        .type   cfi_inst_nocfg,@function
+cfi_inst_nocfg:
+        .cfi_startproc
+        sub     sp, sp, #16
+        .cfi_def_cfa_offset 16
+
+        adr     x0, 1f
+        br      x0
+1:
+        add     sp, sp, #16
+        .cfi_def_cfa_offset 0
+        ret
+        .size   cfi_inst_nocfg, .-cfi_inst_nocfg
+        .cfi_endproc
+
 // CHECK-LABEL:Analyzing function main, AllocatorId = 1
         .globl  main
         .type   main,@function

@atrosinenko atrosinenko mentioned this pull request Apr 17, 2025
Merged
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from 08a7baa to 8d581df Compare April 18, 2025 16:34
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from cf8c516 to 4c18b44 Compare April 18, 2025 16:34
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from 8d581df to f49ccac Compare April 18, 2025 18:43
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from 4c18b44 to 7bb423f Compare April 18, 2025 18:43
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from f49ccac to 323acbd Compare April 22, 2025 16:08
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from 7bb423f to a6d5e43 Compare April 22, 2025 16:08
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch 2 times, most recently from 543e183 to e22ae5e Compare April 24, 2025 18:17
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from 24f5590 to c65779c Compare April 24, 2025 18:17
This was referenced May 7, 2025
Merged
Open
Merged
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch 2 times, most recently from e192166 to f81401c Compare May 20, 2025 10:03
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from a1b9851 to cd88368 Compare May 20, 2025 10:44
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch 2 times, most recently from 2ff1c2f to 50343fd Compare May 20, 2025 11:38
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from cd88368 to 2d719c8 Compare May 20, 2025 11:38
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from 50343fd to f12d5f5 Compare May 22, 2025 15:35
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from 2d719c8 to a5f1cf3 Compare May 22, 2025 15:35
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from f12d5f5 to eae7596 Compare May 22, 2025 19:19
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from 19f983e to d0346f9 Compare May 26, 2025 11:32
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from eae7596 to 1e97d81 Compare May 26, 2025 11:32
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from d0346f9 to e0c736c Compare May 26, 2025 15:32
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch 2 times, most recently from 36837ce to 25fda06 Compare May 27, 2025 20:05
@atrosinenko atrosinenko mentioned this pull request May 27, 2025
Merged
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from 25fda06 to 9d8fedf Compare May 28, 2025 17:07
@atrosinenko atrosinenko mentioned this pull request May 28, 2025
Merged
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from 9d8fedf to fcfd5f6 Compare June 16, 2025 13:14
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-auth-oracles branch from 2a43e9b to a1df727 Compare June 19, 2025 11:09
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from fcfd5f6 to 9c7da2b Compare June 19, 2025 11:09
Base automatically changed from users/atrosinenko/bolt-gs-auth-oracles to main June 19, 2025 12:15
@atrosinenko
[BOLT] Gadget scanner: do not crash on debug-printing CFI instructions
bcf2f83 
Some instruction-printing code used under LLVM_DEBUG does not handle CFI
instructions well. While CFI instructions seem to be harmless for the
correctness of the analysis results, they do not convey any useful
information to the analysis either, so skip them early.
@atrosinenko atrosinenko force-pushed the users/atrosinenko/bolt-gs-cfi-debug-printing branch from 9c7da2b to bcf2f83 Compare June 19, 2025 12:16
@atrosinenko atrosinenko merged commit e873fd1 into main Jun 19, 2025
7 checks passed
@atrosinenko atrosinenko deleted the users/atrosinenko/bolt-gs-cfi-debug-printing branch June 19, 2025 12:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kbeyls kbeyls kbeyls approved these changes

@aaupov aaupov Awaiting requested review from aaupov aaupov is a code owner

@maksfb maksfb Awaiting requested review from maksfb maksfb is a code owner

@rafaelauler rafaelauler Awaiting requested review from rafaelauler rafaelauler is a code owner

@ayermolo ayermolo Awaiting requested review from ayermolo ayermolo is a code owner

@dcci dcci Awaiting requested review from dcci

@yota9 yota9 Awaiting requested review from yota9 yota9 is a code owner

@asl asl Awaiting requested review from asl

@jacobbramley jacobbramley Awaiting requested review from jacobbramley

@paschalis-mpeis paschalis-mpeis Awaiting requested review from paschalis-mpeis paschalis-mpeis is a code owner

Assignees

No one assigned

Labels

BOLT

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@atrosinenko @llvmbot @kbeyls