1 /* Branch Target Identification for AArch64 architecture. 2 Copyright (C) 2019-2024 Free Software Foundation, Inc. 3 Contributed by Arm Ltd. 4 5 This file is part of GCC. 6 7 GCC is free software; you can redistribute it and/or modify it 8 under the terms of the GNU General Public License as published by 9 the Free Software Foundation; either version 3, or (at your option) 10 any later version. 11 12 GCC is distributed in the hope that it will be useful, but 13 WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 15 General Public License for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with GCC; see the file COPYING3. If not see 19 <http://www.gnu.org/licenses/>. */ 20 21 #define IN_TARGET_CODE 1 22 23 #include "config.h" 24 #define INCLUDE_STRING 25 #include "system.h" 26 #include "coretypes.h" 27 #include "backend.h" 28 #include "target.h" 29 #include "rtl.h" 30 #include "tree.h" 31 #include "memmodel.h" 32 #include "gimple.h" 33 #include "tm_p.h" 34 #include "stringpool.h" 35 #include "attribs.h" 36 #include "emit-rtl.h" 37 #include "gimplify.h" 38 #include "gimple-iterator.h" 39 #include "dumpfile.h" 40 #include "rtl-iter.h" 41 #include "cfgrtl.h" 42 #include "tree-pass.h" 43 #include "cgraph.h" 44 45 /* This pass enables the support for Branch Target Identification Mechanism for 46 Arm/AArch64. This is a security feature introduced in ARMv8.5-A 47 architecture and ARMv8.1-M. A BTI instruction is used to guard against the 48 execution of instructions which are not the intended target of an indirect 49 branch. 50 51 Outside of a guarded memory region, a BTI instruction executes as a NOP. 52 Within a guarded memory region any target of an indirect branch must be 53 a compatible BTI or BRK, HLT, PACIASP, PACIBASP instruction (even if the 54 branch is triggered in a non-guarded memory region). An incompatibility 55 generates a Branch Target Exception. 56 57 The compatibility of the BTI instruction is as follows (AArch64 58 examples): 59 BTI j : Can be a target of any indirect jump (BR Xn). 60 BTI c : Can be a target of any indirect call (BLR Xn and BR X16/X17). 61 BTI jc: Can be a target of any indirect call or indirect jump. 62 BTI : Can not be a target of any indirect call or indirect jump. 63 64 In order to enable this mechanism, this pass iterates through the 65 control flow of the code and adds appropriate BTI instructions : 66 * Add a new "BTI C" at the beginning of a function, unless its already 67 protected by a "PACIASP/PACIBSP". We exempt the functions that are only 68 called directly. 69 * Add a new "BTI J" for every target of an indirect jump, jump table targets, 70 non-local goto targets or labels that might be referenced by variables, 71 constant pools, etc (NOTE_INSN_DELETED_LABEL) 72 73 Since we have already changed the use of indirect tail calls to only x16 74 and x17, we do not have to use "BTI JC". 75 76 This pass is triggered by the command line option -mbranch-protection=bti or 77 -mbranch-protection=standard. Since all the BTI instructions are in the HINT 78 space, this pass does not require any minimum architecture version. */ 79 80 namespace { 81 82 const pass_data pass_data_insert_bti = 83 { 84 RTL_PASS, /* type. */ 85 "bti", /* name. */ 86 OPTGROUP_NONE, /* optinfo_flags. */ 87 TV_MACH_DEP, /* tv_id. */ 88 0, /* properties_required. */ 89 0, /* properties_provided. */ 90 0, /* properties_destroyed. */ 91 0, /* todo_flags_start. */ 92 0, /* todo_flags_finish. */ 93 }; 94 95 /* Insert the BTI instruction. */ 96 /* This is implemented as a late RTL pass that runs before branch 97 shortening and does the following. */ 98 static unsigned int 99 rest_of_insert_bti (void) 100 { 101 timevar_push (TV_MACH_DEP); 102 103 rtx bti_insn; 104 rtx_insn *insn; 105 basic_block bb; 106 107 bb = 0; 108 FOR_EACH_BB_FN (bb, cfun) 109 { 110 for (insn = BB_HEAD (bb); insn != NEXT_INSN (BB_END (bb)); 111 insn = NEXT_INSN (insn)) 112 { 113 /* If a label is marked to be preserved or can be a non-local goto 114 target, it must be protected with a BTI J. */ 115 if (LABEL_P (insn) 116 && (LABEL_PRESERVE_P (insn) 117 || bb->flags & BB_NON_LOCAL_GOTO_TARGET)) 118 { 119 bti_insn = aarch_gen_bti_j (); 120 emit_insn_after (bti_insn, insn); 121 continue; 122 } 123 124 /* There could still be more labels that are valid targets of a 125 BTI J instuction. To find them we start looking through the 126 JUMP_INSN. If it jumps to a jump table, then we find all labels 127 of the jump table to protect with a BTI J. */ 128 if (JUMP_P (insn)) 129 { 130 rtx_jump_table_data *table; 131 if (tablejump_p (insn, NULL, &table)) 132 { 133 rtvec vec = table->get_labels (); 134 int j; 135 rtx_insn *label; 136 137 for (j = GET_NUM_ELEM (vec) - 1; j >= 0; --j) 138 { 139 label = as_a <rtx_insn *> (XEXP (RTVEC_ELT (vec, j), 0)); 140 rtx_insn *next = next_nonnote_nondebug_insn (label); 141 if (aarch_bti_j_insn_p (next)) 142 continue; 143 144 bti_insn = aarch_gen_bti_j (); 145 emit_insn_after (bti_insn, label); 146 } 147 } 148 } 149 150 /* Also look for calls to setjmp () which would be marked with 151 REG_SETJMP note and put a BTI J after. This is where longjump () 152 will return. */ 153 if (CALL_P (insn) && (find_reg_note (insn, REG_SETJMP, NULL))) 154 { 155 bti_insn = aarch_gen_bti_j (); 156 emit_insn_after (bti_insn, insn); 157 continue; 158 } 159 } 160 } 161 162 /* Since a Branch Target Exception can only be triggered by an indirect call, 163 we exempt function that are only called directly. We also exempt 164 functions that are already protected by Return Address Signing (PACIASP/ 165 PACIBSP). For all other cases insert a BTI C at the beginning of the 166 function. */ 167 if (!cgraph_node::get (cfun->decl)->only_called_directly_p ()) 168 { 169 bb = ENTRY_BLOCK_PTR_FOR_FN (cfun)->next_bb; 170 insn = BB_HEAD (bb); 171 if (!aarch_pac_insn_p (get_first_nonnote_insn ())) 172 { 173 bti_insn = aarch_gen_bti_c (); 174 emit_insn_before (bti_insn, insn); 175 } 176 } 177 178 timevar_pop (TV_MACH_DEP); 179 return 0; 180 } 181 182 183 class pass_insert_bti : public rtl_opt_pass 184 { 185 public: 186 pass_insert_bti (gcc::context *ctxt) 187 : rtl_opt_pass (pass_data_insert_bti, ctxt) 188 {} 189 190 /* opt_pass methods: */ 191 virtual bool gate (function *) 192 { 193 if (aarch_bti_enabled ()) 194 { 195 aarch_bti_arch_check (); 196 return true; 197 } 198 return false; 199 } 200 201 virtual unsigned int execute (function *) 202 { 203 return rest_of_insert_bti (); 204 } 205 206 }; // class pass_insert_bti 207 208 } // anon namespace 209 210 rtl_opt_pass * 211 make_pass_insert_bti (gcc::context *ctxt) 212 { 213 return new pass_insert_bti (ctxt); 214 } 215
Indexes created Sat Feb 28 05:31:39 UTC 2026