-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8308503: AArch64: SIGILL when running with -XX:UseBranchProtection=pac-ret on hardware without PAC feature #14095
Conversation
…c-ret on hardware without PAC feature When revisiting the behavior of UseBranchProtection [1], we get one SIGILL error when running with -XX:UseBranchProtection=pac-ret on hardware without PAC. Problem: We build and run `java --version` with the following configuration matrix `Config X VMoption X Machine`. ``` Config = {--enable-branch-protection, null} VMoption = {-XX:UseBranchProtection=pac-ret, -XX:UseBranchProtection=standard} Machine = {w/ PAC, w/o PAC} ``` VM crashes with SIGILL error for configure `Config=null, VMoption=pac-ret, Machine=w/o PAC`. The unrecognized instruction is `pacia x30, x29`, i.e. `pacia(lr, rfp)` generated by function `MacroAssembler::protect_return_address()`. [2] Root cause: 1. Instruction `pacia` is not in the NOP space. That's why `Config=null, VMoption=pac-ret` passes on hardware w/ PAC, but fails on hardware w/o PAC. 2. -XX:UseBranchProtection=pac-ret behaves differently from the document [3], i.e. ``` In order to use Branch Protection features in the VM, --enable-branch-protection must be used ``` `_rop_protection` is not turned off for `Config=null`. That's why `VMoption=pac-ret, Machine=w/o PAC` passes with `Config=--enable-branch-protection` but fails with `Config=null`. Fix: This patch refines the parsing of -XX:UseBranchProtection=pac-ret: 1. We handle "pac-ret" and "standard" in the same way, since only one type of branch protection is implemented for now, i.e. "pac-ret". We may update "standard" in the future if "bti" protection is added. 2. `_rop_protection` is not turned on unless all the three conditions are satisfied [4]. Otherwise, it's kept off and one warning message is emitted. ``` // Enable PAC if this code has been built with branch-protection, the // CPU/OS supports it, and incompatible preview features aren't enabled. ``` [1] https://bugs.openjdk.org/browse/JDK-8287325?focusedCommentId=14581099&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14581099 [2] https://github.com/openjdk/jdk/blob/master/src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp#L5976 [3] https://github.com/openjdk/jdk/blob/master/doc/building.md#branch-protection [4] https://github.com/openjdk/jdk/blob/master/src/hotspot/cpu/aarch64/vm_version_aarch64.cpp#L457
👋 Welcome back haosun! A progress list of the required criteria for merging this PR into |
Webrevs
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me, but please read https://bugs.openjdk.org/browse/JDK-8287325 before you commit anything.
Thanks for reviewing this patch. I personally thought they are two different issues, and should be fixed separately. JDK-8287325 is the incompatible issue between pac-ret and virtual threads, whereas Regarding JDK-8287325, we have proposed the zero modifier solution (See #13322). But we currently set that PR as draft, as we're trying to implement another solution of using "relative sp" as the modifier (which was suggested by Dean Long). We just finished one prototype of relative sp modifier, but there're still several jtreg failures. We're trying to fix them. We will upload our prototype for review once it's ready. As for your comment, do you mean we should fix these two issues in one patch? Thanks. |
No, but you do need to align. I added a suggestion above, for clarity. |
Virtual threads are proposed to be a permanent feature in JDK 21, and Arguments:enable_preview check no longer works. As an alternative, we check if VMContinuations is on. In this way, ROP protection is enabled only with VM options `-XX:UseBranchProtection=standard|pac-ret -XX:+UnlockExperimentalVMOptions -XX:-VMContinuations` on hardware with the support of PAC feature.
In the new commit, we disable ROP-protection if Test for the new commit: I built and ran
I further ran tier1~3 with |
@shqking This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 145 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Can anyone else help take a look at this patch? |
Thanks for your review! /integrate |
Going to push as commit a46b5ac.
Your commit was automatically rebased without conflicts. |
When revisiting the behavior of UseBranchProtection [1], we get one SIGILL error when running with -XX:UseBranchProtection=pac-ret on hardware without PAC.
Problem:
We build and run
java --version
with the following configuration matrixConfig X VMoption X Machine
.VM crashes with SIGILL error for configure
Config=null, VMoption=pac-ret, Machine=w/o PAC
. The unrecognized instruction ispacia x30, x29
, i.e.pacia(lr, rfp)
generated by functionMacroAssembler::protect_return_address()
. [2]Root cause:
Instruction
pacia
is not in the NOP space. That's whyConfig=null, VMoption=pac-ret
passes onhardware w/ PAC
, but fails onhardware w/o PAC
.-XX:UseBranchProtection=pac-ret behaves differently from the document [3], i.e.
_rop_protection
is not turned off forConfig=null
. That's whyVMoption=pac-ret, Machine=w/o PAC
passes withConfig=--enable-branch-protection
but fails withConfig=null
.Fix:
This patch refines the parsing of -XX:UseBranchProtection=pac-ret:
We handle "pac-ret" and "standard" in the same way, since only one type of branch protection is implemented for now, i.e. "pac-ret". We may update "standard" in the future if "bti" protection is added.
_rop_protection
is not turned on unless all the three conditions are satisfied [4]. Otherwise, it's kept off and one warning message is emitted.[1] https://bugs.openjdk.org/browse/JDK-8287325?focusedCommentId=14581099&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14581099
[2] https://github.com/openjdk/jdk/blob/master/src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp#L5976
[3] https://github.com/openjdk/jdk/blob/master/doc/building.md#branch-protection
[4] https://github.com/openjdk/jdk/blob/master/src/hotspot/cpu/aarch64/vm_version_aarch64.cpp#L457
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/14095/head:pull/14095
$ git checkout pull/14095
Update a local copy of the PR:
$ git checkout pull/14095
$ git pull https://git.openjdk.org/jdk.git pull/14095/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 14095
View PR using the GUI difftool:
$ git pr show -t 14095
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/14095.diff
Webrev
Link to Webrev Comment