compiler-rt: Introduce runtime functions for emulated PAC. #133530
Conversation
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1
|
✅ With the latest revision this PR passed the undef deprecator. |
compiler-rt/lib/builtins/xxhash.h
Outdated
| * Header File | ||
| * Copyright (C) 2012-2023 Yann Collet | ||
| * | ||
| * BSD 2-Clause License (https://www.opensource.org/licenses/bsd-license.php) |
There was a problem hiding this comment.
This is a license different from Apache-2.0 WITH LLVM-exception.
Therefore, the process described at https://llvm.org/docs/DeveloperPolicy.html#copyright-license-and-patents should be followed to check whether this is acceptable in this specific case.
That being said, xxhash is already present under llvm/lib/Support/xxhash.cpp, as you pointed out in the RFC.
Making sure we don't have multiple copies of non-Apache-2.0 WITH LLVM-exception code would be preferable. I'll tag @beanz, as he had ideas about how to better structure vendored third party code in LLVM.
I'm not sure if moving non-Apache-2.0 WITH LLVM-exception licensed code to a run-time library (for the first time?) triggers new concerns.
I'll note that other hashing algorithms, such as Blake3 and SipHash, which are available under the Apache-2.0 WITH LLVM-exception, are also already present in the LLVM Support library.
Would one of these preferably-licensed hashing algorithms be a good fit for the hashing functionality needed for this use case?
There was a problem hiding this comment.
Okay, I will contact [email protected] about this new usage.
I don't have a strong opinion about the hash algorithm. XXH3_64 was chosen for these reasons:
- It was the easiest to incorporate into compiler-rt as it was already available as a header-only library without dependencies.
- It was already being used in LLVM, so I imagined that licensing wouldn't be as much of a concern.
- It was faster than the other algorithms according to the xxhash homepage. BLAKE3 isn't listed there but we can extrapolate from BLAKE3's claim of being ~7x faster than BLAKE2. (I know I said elsewhere that performance is less of a concern for these functions, but all other things being equal, we may as well go with the algorithm with the best performance.)
If the board decides not to allow use in compiler-rt it should be possible to switch to one of the other algorithms after changing its code as needed to remove dependencies.
There was a problem hiding this comment.
The introduction of BSD-licensed code to compiler-rt (and especially to compiler-rt's builtins library) poses significant licensing difficulty.
The BSD 2-clause license requires attribution when code is distributed in object form as well as source form, and since the compiler-rt builtins are linked into binaries built with LLVM (not just LLVM itself), the impact of the license here would be transitive to products built using LLVM-based compilers.
This is extremely undesirable, and as such this change will need to replace the xxhash with an alternative hash (ideally under the LLVM license) in order to be integrated.
There was a problem hiding this comment.
Understood, I've uploaded a new change that replaces the hash with SipHash.
Unfortunately SipHash is subtantially slower than xxhash and led to a ~3.5x slowdown (vs native PAC instructions) on the benchmark cited in my original RFC (and BLAKE3 isn't header only which would make it substantially harder to integrate here). Hopefully the performance hit doesn't turn out to be a problem here.
| @@ -0,0 +1,115 @@ | |||
| #include <stdint.h> | |||
There was a problem hiding this comment.
This new file needs a license header, I guess?
There was a problem hiding this comment.
Correct, I forgot to add one. Will add.
| } | ||
|
|
||
| uint64_t __emupac_autda_impl(uint64_t ptr, uint64_t disc) { | ||
| if (pac_supported()) { |
There was a problem hiding this comment.
Might be worth writing a lazy ifunc-like resolver for this so it doesn't have to be checked on every call. Something like:
typedef BOOL (*fptr_ty)(void);
static BOOL resolver(void);
// Should be signed with address diversity
fptr_ty __emupac_autda_impl = resolver;
static BOOL resolver(void) {
if (pac_supported())
__emupac_autda_impl = __emupac_autda_pac;
else
__emupac_autda_impl = __emupac_autda_nopac;
return __emupac_autda_impl();
}
If we had FMV support for PAC I'd suggest __attribute__((target_version("pac"))). cc @labrinea
You might also want to consider giving __emupac_autda a preserves-none calling convention, so you don't have to save/restore around them.
There was a problem hiding this comment.
The problem with using ifuncs here is that this function will itself be called from ifunc resolvers (see this), so that could lead to order of initialization issues.
Since performance is not that important for this function's use case I didn't try to avoid checking every time or experiment with other calling conventions. Also, if compiler-rt needs to be buildable with non-Clang compilers, I'm not sure that we can use the other calling conventions anyway.
There was a problem hiding this comment.
The choice of calling convention to use will probably affect register allocation significantly in the caller functions. I wonder if it could hide some subtle codegen issues. On the other hand, it may uncover other ones :)
There was a problem hiding this comment.
We haven't noticed codegen issues like this in our internal testing (other than the performance hit which is expected).
There was a problem hiding this comment.
We cannot introduce BSD-licensed code to compiler-rt. Please see my comment for more details.
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1
You can test this locally with the following command:git-clang-format --diff HEAD~1 HEAD --extensions c,cpp -- compiler-rt/lib/builtins/aarch64/emupac.cpp compiler-rt/test/builtins/Unit/aarch64/emupac.cView the diff from clang-format here.diff --git a/compiler-rt/lib/builtins/aarch64/emupac.cpp b/compiler-rt/lib/builtins/aarch64/emupac.cpp
index 4ccd68f1c..772640fb7 100644
--- a/compiler-rt/lib/builtins/aarch64/emupac.cpp
+++ b/compiler-rt/lib/builtins/aarch64/emupac.cpp
@@ -110,7 +110,7 @@ __emupac_pacda_impl(uint64_t ptr, uint64_t disc) {
}
uint64_t hash;
siphash<1, 3>(reinterpret_cast<uint8_t *>(&ptr), 8, emu_da_key,
- *reinterpret_cast<uint8_t(*)[8]>(&hash));
+ *reinterpret_cast<uint8_t (*)[8]>(&hash));
return (ptr & ~pac_mask) | (hash & pac_mask);
}
@@ -129,7 +129,7 @@ __emupac_autda_impl(uint64_t ptr, uint64_t disc) {
(ptr & ttbr1_mask) ? (ptr | pac_mask) : (ptr & ~pac_mask);
uint64_t hash;
siphash<1, 3>(reinterpret_cast<uint8_t *>(&ptr_without_pac), 8, emu_da_key,
- *reinterpret_cast<uint8_t(*)[8]>(&hash));
+ *reinterpret_cast<uint8_t (*)[8]>(&hash));
if (((ptr & ~pac_mask) | (hash & pac_mask)) != ptr) {
__builtin_trap();
}
|
Thanks, resolved by switching to SipHash. #134197 extracts the existing SipHash implementation into a header that can be included here. |
The emulated PAC runtime functions emulate the ARMv8.3a pointer authentication instructions and are intended for use in heterogeneous testing environments. For more information, see the associated RFC: https://discourse.llvm.org/t/rfc-emulated-pac/85557 TODO: - Add tests. - Figure out how to get emupac.cpp to build with CMake. For some reason any .cpp files added to the builtins library are ignored. So for now only the gn build works. Pull Request: llvm#133530
Created using spr 1.3.6-beta.1
The emulated PAC runtime functions emulate the ARMv8.3a pointer authentication instructions and are intended for use in heterogeneous testing environments. For more information, see the associated RFC: https://discourse.llvm.org/t/rfc-emulated-pac/85557 TODO: - Add tests. Pull Request: llvm#133530
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1 [skip ci]
The emulated PAC runtime functions emulate the ARMv8.3a pointer authentication instructions and are intended for use in heterogeneous testing environments. For more information, see the associated RFC: https://discourse.llvm.org/t/rfc-emulated-pac/85557 Pull Request: llvm#133530
|
Since this PR enables another language (CXX in addition to C and ASM) in the |
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1
There was a problem hiding this comment.
@petrhosek can you review this as the CMake maintainer?
I also ran the tests with GCC as the compiler which revealed that GCC does not support the naked attribute on functions on AArch64 (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77882) causing a test failure. To fix the test failure I replaced the entry points with module-level inline asm.
| 0x4a, 0x79, 0x6f, 0xec, 0x8b, 0x1b, | ||
| 0x42, 0x87, 0x81, 0xd4}; | ||
|
|
||
| extern "C" __attribute__((flatten)) uint64_t |
There was a problem hiding this comment.
Since this file is C++, can we use the C++ (and C23) attribute syntax?
| extern "C" __attribute__((flatten)) uint64_t | |
| extern "C" [[gnu::flatten]] uint64_t |
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1 [skip ci]
Created using spr 1.3.6-beta.1
pcc
changed the base branch from
users/pcc/spr/main.compiler-rt-introduce-runtime-functions-for-emulated-pac
to
main
pcc
deleted the
users/pcc/spr/compiler-rt-introduce-runtime-functions-for-emulated-pac
branch
The emulated PAC runtime functions emulate the ARMv8.3a pointer authentication instructions and are intended for use in heterogeneous testing environments. For more information, see the associated RFC: https://discourse.llvm.org/t/rfc-emulated-pac/85557 Reviewers: llvm-beanz, petrhosek Pull Request: llvm/llvm-project#133530
Attempt to fix these build failures: https://lab.llvm.org/buildbot/#/builders/107/builds/12601 The suspected cause is that #133530 caused us to start passing -std:c11 to MSVC, which activated this code path that uses _Complex, which MSVC does not support. See: https://learn.microsoft.com/en-us/cpp/c-runtime-library/complex-math-support Fix it by also checking _MSC_VER.
|
This seems to cause failures in running the compiler-rt tests on Windows on aarch64: https://github.com/mstorsjo/llvm-mingw/actions/runs/16183738002/job/45702529351#step:8:1964 It doesn't seem to contain much other details about the issue, unless the compiler warnings about the size of long for printfs are related. Separately, a build of LLVM on macOS, using the latest Clang+LLVM+compiler-rt, also seems to be failing now (but that's possibly related to another PR than this one): https://github.com/mstorsjo/llvm-mingw/actions/runs/16183738002/job/45692829706 |
|
Turned my CI red, should a revert be considered? |
|
If I get the log posted by @pawosm-arm right, this test case should crash but it doesn't: case 3: {
// Test that a corrupted signature crashes the program.
uint64_t signed_ptr = __emupac_pacda(ptr1, ptr2);
__emupac_autda(signed_ptr + (1ULL << 48), ptr2);
break;
}I guess the reason is that the CPU supports |
Not sure about that case, but my case on Windows above also seems to error on running case 3. That is running on the free github actions runners, which AFAIK run "Azure Cobalt 100" processors, which are Neoverse N2 based. The feature detection on Windows might not set all the same feature flags as the feature detection on Linux though. |
According to our CI maintainers, it's Neoverse V2. |
|
Hmm, my guess seems to be wrong, as both Neoverse N2 and V2 support FEAT_FPAC, if I understand corresponding TRMs correcly.
@mstorsjo As far as I see, this patch does not ask the OS about supported CPU features, it just executes a backward-compatible XPACLRI instruction and checks whether it behaves as NOP or not. |
|
The test failures could be for two reasons:
The latter seems the more likely explanation if it's Neoverse V2.
I think it's this PR again. IIRC Mach-O name mangling prepends a Let me revert this for now and bring it back with a fix for both of these issues. |
|
Revert: 0c0aa56 |
This is quite likely the reason on Windows as well - it wouldn't surprise me if PAC is universally disabled so far (at least on whatever version of Windows running on the github actions runners) even if the HW supports it.
Yeah, it looks like a clear case of that. I was surprised to see this issue crop up here on its own though, because I don't see why anything should be pulling in the new emupac object file from the builtins library; either the builtins library is being linked with
Thank you! |
|
Proposed reland: #148094 |
The emulated PAC runtime functions emulate the ARMv8.3a pointer
authentication instructions and are intended for use in heterogeneous
testing environments. For more information, see the associated RFC:
https://discourse.llvm.org/t/rfc-emulated-pac/85557