Sometimes, R_RISCV_CHERIOT_COMPARTMENT_HI relocations are broken during compartment linking

[davidchisnall]

Building this example fails, specifically in linking the firmware image with all of the demo code in the same compartment.

Specifically, in the set_secret function, prior to linking the compartment (in secret.cc.o), we see this:

00000022 <.LBB0_4>:
      22: 17 05 00 00  	auipcc	ca0, 0
			00000022:  R_RISCV_CHERIOT_COMPARTMENT_HI	template parameter object for (anonymous namespace)::DebugContext<23u>{char [23]{(char)74, (char)97, (char)118, (char)97, (char)83, (char)99, (char)114, (char)105, (char)112, (char)116, (char)32, (char)99, (char)111, (char)109, (char)112, (char)97, (char)114, (char)116, (char)109, (char)101, (char)110, (char)116}}
			00000022:  R_RISCV_RELAX	*ABS*
      26: 5b 15 05 00  	cincoffset	ca0, ca0, 0
			00000026:  R_RISCV_CHERIOT_COMPARTMENT_LO_I	.LBB0_4
			00000026:  R_RISCV_RELAX	*ABS*
      2a: 5b 25 05 00  	csetbounds	ca0, ca0, 0
			0000002a:  R_RISCV_CHERIOT_COMPARTMENT_SIZE	template parameter object for (anonymous namespace)::DebugContext<23u>{char [23]{(char)74, (char)97, (char)118, (char)97, (char)83, (char)99, (char)114, (char)105, (char)112, (char)116, (char)32, (char)99, (char)111, (char)109, (char)112, (char)97, (char)114, (char)116, (char)109, (char)101, (char)110, (char)116}}

But in the insecure_js.compartment file, we see this:

000013ac <.LBB0_4>:
; .LBB0_4():
; 				debug_log_message_write(
    13ac: 17 05 00 00  	auipcc	ca0, 0
			000013ac:  R_RISCV_CHERIOT_COMPARTMENT_HI	*ABS*
			000013ac:  R_RISCV_RELAX	*ABS*
    13b0: 5b 15 05 00  	cincoffset	ca0, ca0, 0
			000013b0:  R_RISCV_CHERIOT_COMPARTMENT_LO_I	.LBB0_4
			000013b0:  R_RISCV_RELAX	*ABS*
    13b4: 5b 25 05 00  	csetbounds	ca0, ca0, 0
			000013b4:  R_RISCV_CHERIOT_COMPARTMENT_SIZE	*ABS*

Note that the R_RISCV_CHERIOT_COMPARTMENT_HI relocation has been replaced. I have a couple of guesses about why this may happen, both may be wrong:

• Something in GC is deleting the string from the template parameter and so the relocation becomes dangling.
• The linker is determining that the string is <4 KiB away and so processing the relocation.

Unfortunately, RISC-V relocations that use AUIPC expect to find the address of the symbol when via the HI reloc when processing the LO one (so the reloc on the cincoffset is pointing at .LBB0_4 to find the symbol in the reloc for that instruction).

[resistor]

Note that the R_RISCV_CHERIOT_COMPARTMENT_HI relocation has been replaced.

Can you clarify what's missing? I see a R_RISCV_CHERIOT_COMPARTMENT_HI relocation in both snippets...

[davidchisnall]

The relocation is there, the symbol that is the target is not.

[davidchisnall]

Digging a bit more, I think this may be related to COMDAT merging. Two of the .o files being linked with -compartment have the same template parameter (which means the same COMDAT). One copy is being retained and relocations that point to one copy are fixed, relocations that point to the other are not.

[davidchisnall]

(The fun thing here is that the failure is triggered by something that is actually a bug in the demo, so I can fix that and stop triggering the bug, but the bug will still be there)

[davidchisnall]

https://github.com/CHERIoT-Platform/cheriot-demos/tree/linker-bug-108 <- Branch with a snapshot that triggers the bug.

[davidchisnall]

Removing --gc-sections does not prevent this, so it looks as if it is COMDAT merging that causes problems.

[resistor]

I don't completely understand why yet, but the problematic code path is here:

llvm-project/lld/ELF/SyntheticSections.cpp

Line 2273 in 6d22636

if (config->compartment) {

It seems like by forcing the symbols to be local, we prevent it from having a symbol table entry, which causes us to read back a null symbol index when emitting the relocations.

[resistor]

Ignore that, I messed up my testing environment.

It's still the case that we're reading back a null symbol index when emitting relocations because the Sym* has never gotten added to the output file's symbol table, but the diagnosis of which code path causes it is not accurate.

[resistor]

I am still suspicious of this code, and whether it might be breaking symbol indexing somehow:

llvm-project/lld/ELF/SyntheticSections.cpp

Line 2284 in 6d22636

bool hashIt = b->isLocal();

[davidchisnall]

I wonder if the reference to the symbol is assuming that it’s global but the definition is now local so the lookup fails?

[resistor]

This line is the problem:

llvm-project/lld/ELF/Writer.cpp

Line 737 in 6d22636

if (!dr)

The object file with the discarded COMDAT doesn't insert its Symbol* into the symbol table map. Then when we update symbol indices when copying over the relocations to the output file, we do the lookup by Symbol* identity rather than by string:

llvm-project/lld/ELF/SyntheticSections.cpp

Line 2309 in 6d22636

return symbolIndexMap.lookup(sym);

[resistor]

The symbol gets marked undefined here:

llvm-project/lld/ELF/InputFiles.cpp

Line 1150 in 72ed786

new (symbols[i]) Undefined(this, name, STB_LOCAL, eSym.st_other, type,

[davidchisnall]

I guess that should have a check for SHF_GROUP and look up the symbol by name if it’s set to see if another copy of the signal exists?

[resistor]

I guess that should have a check for SHF_GROUP and look up the symbol by name if it’s set to see if another copy of the signal exists?

It could either be done here, or on the output end. Either way, I'm still trying to figure out why we have this issue and upstream doesn't.

[resistor]

MaskRay pointed out that our object file appears to be in violation of the ELF spec: local symbols in section groups are not permitted to be referred to from outside of the section group. https://www.sco.com/developers/gabi/latest/ch4.sheader.html#section_groups

I believe I can reproduce this non-conformance in upstream clang as well: https://godbolt.org/z/YE9fxvTYv