Skip to content
Permalink
Browse files

[X86] Enable IndirectBranchTracking in JIT with CET

IBT should be enabled in jitted code generated by CET-enabled JIT
compiler.
  • Loading branch information
hjl-tools committed Mar 23, 2020
1 parent 72d1419 commit 2bd54ce7fa9e94fcd1118b948e14d1b6fc54dfd2
@@ -18,6 +18,7 @@
#include "X86.h"
#include "X86InstrInfo.h"
#include "X86Subtarget.h"
#include "X86TargetMachine.h"
#include "llvm/ADT/Statistic.h"
#include "llvm/CodeGen/MachineFunctionPass.h"
#include "llvm/CodeGen/MachineInstrBuilder.h"
@@ -102,7 +103,16 @@ bool X86IndirectBranchTrackingPass::runOnMachineFunction(MachineFunction &MF) {
// Check that the cf-protection-branch is enabled.
Metadata *isCFProtectionSupported =
MF.getMMI().getModule()->getModuleFlag("cf-protection-branch");
if (!isCFProtectionSupported && !IndirectBranchTracking)
// NB: We need to enable IBT in jitted code if JIT compiler is CET
// enabled.
#ifdef __CET__
const X86TargetMachine *TM =
static_cast<const X86TargetMachine *>(&MF.getTarget());
bool isJITwithCET = TM->isJIT();
#else
bool isJITwithCET = false;
#endif
if (!isCFProtectionSupported && !IndirectBranchTracking && !isJITwithCET)
return false;

// True if the current MF was changed and false otherwise.
@@ -111,10 +121,12 @@ bool X86IndirectBranchTrackingPass::runOnMachineFunction(MachineFunction &MF) {
TII = SubTarget.getInstrInfo();
EndbrOpcode = SubTarget.is64Bit() ? X86::ENDBR64 : X86::ENDBR32;

// Non-internal function or function whose address was taken, can be
// accessed through indirect calls. Mark the first BB with ENDBR instruction
// Jitted code generated by CET-enabled JIT compiler, non-internal
// function or function whose address was taken, can be accessed
// through indirect calls. Mark the first BB with ENDBR instruction
// unless nocf_check attribute is used.
if ((MF.getFunction().hasAddressTaken() ||
if ((isJITwithCET ||
MF.getFunction().hasAddressTaken() ||
!MF.getFunction().hasLocalLinkage()) &&
!MF.getFunction().doesNoCfCheck()) {
auto MBB = MF.begin();
@@ -212,7 +212,7 @@ X86TargetMachine::X86TargetMachine(const Target &T, const Triple &TT,
getEffectiveRelocModel(TT, JIT, RM),
getEffectiveX86CodeModel(CM, JIT, TT.getArch() == Triple::x86_64),
OL),
TLOF(createTLOF(getTargetTriple())) {
TLOF(createTLOF(getTargetTriple())), IsJIT(JIT) {
// On PS4, the "return address" of a 'noreturn' call must still be within
// the calling function, and TrapUnreachable is an easy way to get that.
if (TT.isPS4() || TT.isOSBinFormatMachO()) {
@@ -30,6 +30,8 @@ class TargetTransformInfo;
class X86TargetMachine final : public LLVMTargetMachine {
std::unique_ptr<TargetLoweringObjectFile> TLOF;
mutable StringMap<std::unique_ptr<X86Subtarget>> SubtargetMap;
// True if this is used in JIT.
bool IsJIT;

public:
X86TargetMachine(const Target &T, const Triple &TT, StringRef CPU,
@@ -52,6 +54,8 @@ class X86TargetMachine final : public LLVMTargetMachine {
TargetLoweringObjectFile *getObjFileLowering() const override {
return TLOF.get();
}

bool isJIT() const { return IsJIT; }
};

} // end namespace llvm

0 comments on commit 2bd54ce

Please sign in to comment.