| blob | 6a5fc3fb9e1a27c4feaf0df70374210b5b3b5260 |
1 /* Harden conditionals.
2 Copyright (C) 2021-2022 Free Software Foundation, Inc.
3 Contributed by Alexandre Oliva <oliva@adacore.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
44 /* These passes introduces redundant, but reversed conditionals at
45 compares, such as those used in conditional branches, and those
46 that compute boolean results. This doesn't make much sense for
47 abstract CPUs, but this kind of hardening may avoid undesirable
48 execution paths on actual CPUs under such attacks as of power
49 deprivation. */
51 /* Define a pass to harden conditionals other than branches. */
54 GIMPLE_PASS,
56 OPTGROUP_NONE,
57 TV_NONE,
62 TODO_update_ssa
63 | TODO_cleanup_cfg
65 };
68 {
72 {}
76 }
78 };
80 /* Define a pass to harden conditionals in branches. This pass must
81 run after the above, otherwise it will re-harden the checks
82 introduced by the above. */
85 GIMPLE_PASS,
87 OPTGROUP_NONE,
88 TV_NONE,
93 TODO_update_ssa
94 | TODO_cleanup_cfg
96 };
99 {
103 {}
107 }
109 };
111 }
113 /* If VAL is an SSA name, return an SSA name holding the same value,
114 but without the compiler's knowing that it holds the same value, so
115 that uses thereof can't be optimized the way VAL might. Insert
116 stmts that initialize it before *GSIP, with LOC.
118 Otherwise, VAL must be an invariant, returned unchanged. */
122 {
124 {
127 }
129 /* Create a SSA "copy" of VAL. This could be an anonymous
130 temporary, but it's nice to have it named after the corresponding
131 variable. Alas, when VAL is a DECL_BY_REFERENCE RESULT_DECL,
132 setting (a copy of) it would be flagged by checking, so we don't
133 use copy_ssa_name: we create an anonymous SSA name, and then give
134 it the same identifier (rather than decl) as VAL. */
138 /* Some modes won't fit in general regs, so we fall back to memory
139 for them. ??? It would be ideal to try to identify an alternate,
140 wider or more suitable register class, and use the corresponding
141 constraint, but there's no logic to go from register class to
142 constraint, even if there is a corresponding constraint, and even
143 if we could enumerate constraints, we can't get to their string
144 either. So this will do for now. */
151 {
154 }
162 {
171 }
173 /* Output an asm statement with matching input and output. It does
174 nothing, but after it the compiler no longer knows the output
175 still holds the same value as the input. */
179 build_tree_list
180 (build_tree_list
182 constraint_out)),
183 asmoutput));
185 build_tree_list
186 (build_tree_list
188 constraint_in)),
189 asminput));
196 {
203 build_clobber
207 }
208 else
212 }
214 /* Build a cond stmt out of COP, LHS, RHS, insert it before *GSIP with
215 location LOC. *GSIP must be at the end of a basic block. The succ
216 edge out of the block becomes the true or false edge opposite to
217 that in FLAGS. Create a new block with a single trap stmt, in the
218 cold partition if the function is partitioned,, and a new edge to
219 it as the other edge for the cond. */
224 {
250 /* Remove the fallthru bit, and set the truth value for the
251 preexisting edge and for the newly-created one. In hardcbr,
252 FLAGS is taken from the edge of the original cond expr that we're
253 dealing with, so the reversed compare is expected to yield the
254 negated result, and the same result calls for a trap. In
255 hardcmp, we're comparing the boolean results of the original and
256 of the reversed compare, so we're passed FLAGS to trap on
257 equality. */
267 }
269 /* Split edge E, and insert_check_and_trap (see above) in the
270 newly-created block, using detached copies of LHS's and RHS's
271 values (see detach_value above) for the COP compare. */
276 {
300 }
302 /* Harden cond stmts at the end of FUN's blocks. */
304 unsigned int
306 {
307 basic_block bb;
309 {
319 /* Turn:
321 if (x op y) goto l1; else goto l2;
323 into:
325 if (x op y) goto l1'; else goto l2';
326 l1': if (x' cop y') goto l1'trap; else goto l1;
327 l1'trap: __builtin_trap ();
328 l2': if (x' cop y') goto l2; else goto l2'trap;
329 l2'trap: __builtin_trap ();
331 where cop is a complementary boolean operation to op; l1', l1'trap,
332 l2' and l2'trap are newly-created labels; and x' and y' hold the same
333 value as x and y, but in a way that does not enable the compiler to
334 optimize the redundant compare away.
335 */
345 /* ??? Can we do better? */
350 }
353 }
355 /* Instantiate a hardcbr pass. */
357 gimple_opt_pass *
359 {
361 }
363 /* Return the fallthru edge of a block whose other edge is an EH
364 edge. If EHP is not NULL, store the EH edge in it. */
367 {
382 }
384 /* Harden boolean-yielding compares in FUN. */
386 unsigned int
388 {
389 basic_block bb;
390 /* Go backwards over BBs and stmts, so that, even if we split the
391 block multiple times to insert a cond_expr after each compare we
392 find, we remain in the same block, visiting every preexisting
393 stmt exactly once, and not visiting newly-added blocks or
394 stmts. */
398 {
403 /* Turn:
405 z = x op y;
407 into:
409 z = x op y;
410 z' = x' cop y';
411 if (z == z') __builtin_trap ();
413 where cop is a complementary boolean operation to op; and x'
414 and y' hold the same value as x and y, but in a way that does
415 not enable the compiler to optimize the redundant compare
416 away.
417 */
424 {
440 HONOR_NANS
444 /* ??? Can we do better? */
449 /* ??? Maybe handle these too? */
451 /* ??? The code below assumes binary ops, it would have to
452 be adjusted for TRUTH_NOT_EXPR, since it's unary. */
460 }
462 /* These are the operands for the verification. */
468 /* Vector booleans can't be used in conditional branches. ???
469 Can we do better? How to reduce compare and
470 reversed-compare result vectors to a single boolean? */
474 /* useless_type_conversion_p enables conversions from 1-bit
475 integer types to boolean to be discarded. */
483 /* Don't separate the original assignment from debug stmts
484 that might be associated with it, and arrange to split the
485 block after debug stmts, so as to make sure the split block
486 won't be debug stmts only. */
491 {
498 "Splitting non-EH edge from block %i into %i"
501 }
511 /* We wish to insert a cond_expr after the compare, so arrange
512 for it to be at the end of a block if it isn't. */
514 {
525 "Splitting block %i into %i"
528 }
530 /* If the check assignment must end a basic block, we can't
531 insert the conditional branch in the same block, so split
532 the block again, and prepare to insert the conditional
533 branch in the new block.
535 Also assign an EH region to the compare. Even though it's
536 unlikely that the hardening compare will throw after the
537 original compare didn't, the compiler won't even know that
538 it's the same compare operands, so add the EH edge anyway. */
540 {
544 edge ckeh;
551 "Splitting non-EH edge from block %i into %i after"
556 {
557 edge aseh;
564 {
568 }
574 }
575 }
581 }
584 }
586 /* Instantiate a hardcmp pass. */
588 gimple_opt_pass *
590 {
592 }