llvm-project.git/bolt/lib/Passes/PAuthGadgetScanner.cpp, branch users/mingmingl-llvm/samplefdo-profile-format Unnamed repository; edit this file 'description' to name the repository. Revert "[BOLT] Refactor MCInstReference and move it to Core (NFC)" (#155639) 2025-08-27T15:45:32+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-08-27T15:45:32+00:00 0ae0b1657d801d4b5317cb4d67c0112c91969874 Reverts llvm/llvm-project#138655. 
Reverts llvm/llvm-project#138655.
 [BOLT] Refactor MCInstReference and move it to Core (NFC) (#138655) 2025-08-27T11:19:30+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-08-27T11:19:30+00:00 fa5557f1254cb9cb657f33f0171c29783a98665d Refactor MCInstReference class and move it from PAuth gadget scanner to Core. MCInstReference is a class representing a constant reference to an instruction inside a parent entity - either inside a basic block (which has a reference to its parent function) or directly inside a function (when CFG information is not available). 
Refactor MCInstReference class and move it from PAuth gadget scanner to
Core.

MCInstReference is a class representing a constant reference to an
instruction inside a parent entity - either inside a basic block (which
has a reference to its parent function) or directly inside a function
(when CFG information is not available).
 [BOLT] Gadget scanner: account for BRK when searching for auth oracles (#137975) 2025-08-25T11:24:19+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-08-25T11:24:19+00:00 58edd2767097cfcbeb4a076ca51b379e307a3573 An authenticated pointer can be explicitly checked by the compiler via a sequence of instructions that executes BRK on failure. It is important to recognize such BRK instruction as checking every register (as it is expected to immediately trigger an abnormal program termination) to prevent false positive reports about authentication oracles: autia x2, x3 autia x0, x1 ; neither x0 nor x2 are checked at this point eor x16, x0, x0, lsl #1 tbz x16, #62, on_success ; marks x0 as checked ; end of BB: for x2 to be checked here, it must be checked in both ; successor basic blocks on_failure: brk 0xc470 on_success: ; x2 is checked ldr x1, [x2] ; marks x2 as checked 
An authenticated pointer can be explicitly checked by the compiler via a
sequence of instructions that executes BRK on failure. It is important
to recognize such BRK instruction as checking every register (as it is
expected to immediately trigger an abnormal program termination) to
prevent false positive reports about authentication oracles:

      autia   x2, x3
      autia   x0, x1
      ; neither x0 nor x2 are checked at this point
      eor     x16, x0, x0, lsl #1
      tbz     x16, #62, on_success ; marks x0 as checked
      ; end of BB: for x2 to be checked here, it must be checked in both
      ; successor basic blocks
    on_failure:
      brk     0xc470
    on_success:
      ; x2 is checked
      ldr     x1, [x2] ; marks x2 as checked
 [BOLT] Gadget scanner: detect untrusted LR before tail call (#137224) 2025-06-26T09:37:25+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-06-26T09:37:25+00:00 7a5af4f6b850a3594a0510c66c64563f3e7da883 Implement the detection of tail calls performed with untrusted link register, which violates the assumption made on entry to every function. Unlike other pauth gadgets, detection of this one involves some amount of guessing which branch instructions should be checked as tail calls. 
Implement the detection of tail calls performed with untrusted link
register, which violates the assumption made on entry to every function.

Unlike other pauth gadgets, detection of this one involves some amount
of guessing which branch instructions should be checked as tail calls.
 [BOLT] Gadget scanner: fix LR to be safe in leaf functions without CFG (#141824) 2025-06-25T10:11:23+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-06-25T10:11:23+00:00 a8a2c6fa882d8e3956cd189ff9f654bf91ced4b1 After a label in a function without CFG information, use a reasonably pessimistic estimation of register state (assume that any register that can be clobbered in this function was actually clobbered) instead of the most pessimistic "all registers are unsafe". This is the same estimation as used by the dataflow variant of the analysis when the preceding instruction is not known for sure. Without this, leaf functions without CFG information are likely to have false positive reports about non-protected return instructions, as 1) LR is unlikely to be signed and authenticated in a leaf function and 2) LR is likely to be used by a return instruction near the end of the function and 3) the register state is likely to be reset at least once during the linear scan through the function 
After a label in a function without CFG information, use a reasonably
pessimistic estimation of register state (assume that any register that
can be clobbered in this function was actually clobbered) instead of the
most pessimistic "all registers are unsafe". This is the same estimation
as used by the dataflow variant of the analysis when the preceding
instruction is not known for sure.

Without this, leaf functions without CFG information are likely to have
false positive reports about non-protected return instructions, as
1) LR is unlikely to be signed and authenticated in a leaf function and
2) LR is likely to be used by a return instruction near the end of the
   function and
3) the register state is likely to be reset at least once during the
   linear scan through the function
 [BOLT] Gadget scanner: improve handling of unreachable basic blocks (#136183) 2025-06-25T09:29:41+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-06-25T09:29:41+00:00 20a72083fdff012b6ec45c38475f49c7f2a3dc56 Instead of refusing to analyze an instruction completely when it is unreachable according to the CFG reconstructed by BOLT, use pessimistic assumption of register state when possible. Nevertheless, unreachable basic blocks found in optimized code likely means imprecise CFG reconstruction, thus report a warning once per function. 
Instead of refusing to analyze an instruction completely when it is
unreachable according to the CFG reconstructed by BOLT, use pessimistic
assumption of register state when possible. Nevertheless, unreachable
basic blocks found in optimized code likely means imprecise CFG
reconstruction, thus report a warning once per function.
 [BOLT] Gadget scanner: do not crash on debug-printing CFI instructions (#136151) 2025-06-19T12:52:54+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-06-19T12:52:54+00:00 e873fd157eda617ffd42edad3c4a6ab495e6e375 Some instruction-printing code used under LLVM_DEBUG does not handle CFI instructions well. While CFI instructions seem to be harmless for the correctness of the analysis results, they do not convey any useful information to the analysis either, so skip them early. 
Some instruction-printing code used under LLVM_DEBUG does not handle CFI
instructions well. While CFI instructions seem to be harmless for the
correctness of the analysis results, they do not convey any useful
information to the analysis either, so skip them early.
 [BOLT] Gadget scanner: detect authentication oracles (#135663) 2025-06-19T12:15:26+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-06-19T12:15:26+00:00 2b4d757290226e0185e17294339aae1588efd07e Implement the detection of authentication instructions whose results can be inspected by an attacker to know whether authentication succeeded. As the properties of output registers of authentication instructions are inspected, add a second set of analysis-related classes to iterate over the instructions in reverse order. 
Implement the detection of authentication instructions whose results can
be inspected by an attacker to know whether authentication succeeded.

As the properties of output registers of authentication instructions are
inspected, add a second set of analysis-related classes to iterate over
the instructions in reverse order.
 [BOLT] Gadget scanner: clarify MCPlusBuilder callbacks interface (#136147) 2025-05-26T15:31:20+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-05-26T15:31:20+00:00 e1328fd9adf534af7615308455d608ef76a7541f Clarify the semantics of `getAuthenticatedReg` and remove a redundant `isAuthenticationOfReg` method, as combined auth+something instructions (such as `retaa` on AArch64) should be handled carefully, especially when searching for authentication oracles: usually, such instructions cannot be authentication oracles and only some of them actually write an authenticated pointer to a register (such as "ldra x0, [x1]!"). Use `std::optional<MCPhysReg>` returned type instead of plain MCPhysReg and returning `getNoRegister()` as a "not applicable" indication. Document a few existing methods, add information about preconditions. 
Clarify the semantics of `getAuthenticatedReg` and remove a redundant
`isAuthenticationOfReg` method, as combined auth+something instructions
(such as `retaa` on AArch64) should be handled carefully, especially
when searching for authentication oracles: usually, such instructions
cannot be authentication oracles and only some of them actually write an
authenticated pointer to a register (such as "ldra x0, [x1]!").

Use `std::optional<MCPhysReg>` returned type instead of plain MCPhysReg
and returning `getNoRegister()` as a "not applicable" indication.

Document a few existing methods, add information about preconditions.
 [BOLT] Gadget scanner: refactor issue reporting (#135662) 2025-05-22T15:27:46+00:00 Anatoly Trosinenko atrosinenko@accesssoftek.com 2025-05-22T15:27:46+00:00 f578f56feaf9e578cedf9854efe7041353e7e55c Remove `getAffectedRegisters` and `setOverwritingInstrs` methods from the base `Report` class. Instead, rename the `Report` class to `Diagnostic` and make it always represent the brief version of the report, which is kept unchanged since initially found. Throughout its life-cycle, an instance of `Diagnostic` is first wrapped into `PartialReport<ReqT>` together with an optional request for extra details. Then, on the second run of the analysis, it is re-wrapped into `FinalReport` together with the requested detailed information. 
Remove `getAffectedRegisters` and `setOverwritingInstrs` methods from
the base `Report` class. Instead, rename the `Report` class to
`Diagnostic` and make it always represent the brief version of the
report, which is kept unchanged since initially found. Throughout its
life-cycle, an instance of `Diagnostic` is first wrapped into
`PartialReport<ReqT>` together with an optional request for extra
details. Then, on the second run of the analysis, it is re-wrapped into
`FinalReport` together with the requested detailed information.