| blob | 19ceb8a4bd61e00caf345e1342fd5c1844a87733 |
1 /* Harden conditionals.
2 Copyright (C) 2021-2022 Free Software Foundation, Inc.
3 Contributed by Alexandre Oliva <oliva@adacore.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it under
8 the terms of the GNU General Public License as published by the Free
9 Software Foundation; either version 3, or (at your option) any later
10 version.
12 GCC is distributed in the hope that it will be useful, but WITHOUT ANY
13 WARRANTY; without even the implied warranty of MERCHANTABILITY or
14 FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
44 /* These passes introduces redundant, but reversed conditionals at
45 compares, such as those used in conditional branches, and those
46 that compute boolean results. This doesn't make much sense for
47 abstract CPUs, but this kind of hardening may avoid undesirable
48 execution paths on actual CPUs under such attacks as of power
49 deprivation. */
51 /* Define a pass to harden conditionals other than branches. */
54 GIMPLE_PASS,
56 OPTGROUP_NONE,
57 TV_NONE,
62 TODO_update_ssa
63 | TODO_cleanup_cfg
65 };
68 {
72 {}
76 }
78 };
80 /* Define a pass to harden conditionals in branches. This pass must
81 run after the above, otherwise it will re-harden the checks
82 introduced by the above. */
85 GIMPLE_PASS,
87 OPTGROUP_NONE,
88 TV_NONE,
93 TODO_update_ssa
94 | TODO_cleanup_cfg
96 };
99 {
103 {}
107 }
109 };
111 }
113 /* If VAL is an SSA name, return an SSA name holding the same value,
114 but without the compiler's knowing that it holds the same value, so
115 that uses thereof can't be optimized the way VAL might. Insert
116 stmts that initialize it before *GSIP, with LOC.
118 Otherwise, VAL must be an invariant, returned unchanged. */
122 {
124 {
127 }
129 /* Create a SSA "copy" of VAL. It would be nice to have it named
130 after the corresponding variable, but sharing the same decl is
131 problematic when VAL is a DECL_BY_REFERENCE RESULT_DECL, and
132 copying just the identifier hits -fcompare-debug failures. */
135 /* Some modes won't fit in general regs, so we fall back to memory
136 for them. ??? It would be ideal to try to identify an alternate,
137 wider or more suitable register class, and use the corresponding
138 constraint, but there's no logic to go from register class to
139 constraint, even if there is a corresponding constraint, and even
140 if we could enumerate constraints, we can't get to their string
141 either. So this will do for now. */
148 {
151 }
159 {
168 }
170 /* Output an asm statement with matching input and output. It does
171 nothing, but after it the compiler no longer knows the output
172 still holds the same value as the input. */
176 build_tree_list
177 (build_tree_list
179 constraint_out)),
180 asmoutput));
182 build_tree_list
183 (build_tree_list
185 constraint_in)),
186 asminput));
193 {
200 build_clobber
204 }
205 else
209 }
211 /* Build a cond stmt out of COP, LHS, RHS, insert it before *GSIP with
212 location LOC. *GSIP must be at the end of a basic block. The succ
213 edge out of the block becomes the true or false edge opposite to
214 that in FLAGS. Create a new block with a single trap stmt, in the
215 cold partition if the function is partitioned,, and a new edge to
216 it as the other edge for the cond. */
221 {
247 /* Remove the fallthru bit, and set the truth value for the
248 preexisting edge and for the newly-created one. In hardcbr,
249 FLAGS is taken from the edge of the original cond expr that we're
250 dealing with, so the reversed compare is expected to yield the
251 negated result, and the same result calls for a trap. In
252 hardcmp, we're comparing the boolean results of the original and
253 of the reversed compare, so we're passed FLAGS to trap on
254 equality. */
266 }
268 /* Split edge E, and insert_check_and_trap (see above) in the
269 newly-created block, using detached copies of LHS's and RHS's
270 values (see detach_value above) for the COP compare. */
275 {
299 }
301 /* Harden cond stmts at the end of FUN's blocks. */
303 unsigned int
305 {
306 basic_block bb;
308 {
318 /* Turn:
320 if (x op y) goto l1; else goto l2;
322 into:
324 if (x op y) goto l1'; else goto l2';
325 l1': if (x' cop y') goto l1'trap; else goto l1;
326 l1'trap: __builtin_trap ();
327 l2': if (x' cop y') goto l2; else goto l2'trap;
328 l2'trap: __builtin_trap ();
330 where cop is a complementary boolean operation to op; l1', l1'trap,
331 l2' and l2'trap are newly-created labels; and x' and y' hold the same
332 value as x and y, but in a way that does not enable the compiler to
333 optimize the redundant compare away.
334 */
344 /* ??? Can we do better? */
349 }
352 }
354 /* Instantiate a hardcbr pass. */
356 gimple_opt_pass *
358 {
360 }
362 /* Return the fallthru edge of a block whose other edge is an EH
363 edge. If EHP is not NULL, store the EH edge in it. */
366 {
381 }
383 /* Harden boolean-yielding compares in FUN. */
385 unsigned int
387 {
388 basic_block bb;
389 /* Go backwards over BBs and stmts, so that, even if we split the
390 block multiple times to insert a cond_expr after each compare we
391 find, we remain in the same block, visiting every preexisting
392 stmt exactly once, and not visiting newly-added blocks or
393 stmts. */
397 {
402 /* Turn:
404 z = x op y;
406 into:
408 z = x op y;
409 z' = x' cop y';
410 if (z == z') __builtin_trap ();
412 where cop is a complementary boolean operation to op; and x'
413 and y' hold the same value as x and y, but in a way that does
414 not enable the compiler to optimize the redundant compare
415 away.
416 */
423 {
439 HONOR_NANS
443 /* ??? Can we do better? */
448 /* ??? Maybe handle these too? */
450 /* ??? The code below assumes binary ops, it would have to
451 be adjusted for TRUTH_NOT_EXPR, since it's unary. */
459 }
461 /* These are the operands for the verification. */
467 /* Vector booleans can't be used in conditional branches. ???
468 Can we do better? How to reduce compare and
469 reversed-compare result vectors to a single boolean? */
473 /* useless_type_conversion_p enables conversions from 1-bit
474 integer types to boolean to be discarded. */
482 /* Don't separate the original assignment from debug stmts
483 that might be associated with it, and arrange to split the
484 block after debug stmts, so as to make sure the split block
485 won't be debug stmts only. */
490 {
497 "Splitting non-EH edge from block %i into %i"
500 }
510 /* We wish to insert a cond_expr after the compare, so arrange
511 for it to be at the end of a block if it isn't, and for it
512 to have a single successor in case there's more than
513 one, as in PR104975. */
516 {
519 else
530 "Splitting block %i into %i"
533 }
535 /* If the check assignment must end a basic block, we can't
536 insert the conditional branch in the same block, so split
537 the block again, and prepare to insert the conditional
538 branch in the new block.
540 Also assign an EH region to the compare. Even though it's
541 unlikely that the hardening compare will throw after the
542 original compare didn't, the compiler won't even know that
543 it's the same compare operands, so add the EH edge anyway. */
545 {
549 edge ckeh;
556 "Splitting non-EH edge from block %i into %i after"
561 {
562 edge aseh;
569 {
573 }
579 }
580 }
586 }
589 }
591 /* Instantiate a hardcmp pass. */
593 gimple_opt_pass *
595 {
597 }