Fix handling of DstState::FirstInstLeakingReg

atrosinenko · atrosinenko · commit cd883680966f · 2025-05-20T13:43:39.000+03:00
diff --git a/bolt/lib/Passes/PAuthGadgetScanner.cpp b/bolt/lib/Passes/PAuthGadgetScanner.cpp
@@ -232,12 +232,11 @@ struct SrcState {
   bool operator!=(const SrcState &RHS) const { return !((*this) == RHS); }
 };
 
-static void
-printLastInsts(raw_ostream &OS,
-               ArrayRef<SmallPtrSet<const MCInst *, 4>> LastInstWritingReg) {
+static void printInstsShort(raw_ostream &OS,
+                            ArrayRef<SmallPtrSet<const MCInst *, 4>> Insts) {
   OS << "Insts: ";
-  for (unsigned I = 0; I < LastInstWritingReg.size(); ++I) {
-    auto &Set = LastInstWritingReg[I];
+  for (unsigned I = 0; I < Insts.size(); ++I) {
+    auto &Set = Insts[I];
     OS << "[" << I << "](";
     for (const MCInst *MCInstP : Set)
       OS << MCInstP << " ";
@@ -252,7 +251,7 @@ raw_ostream &operator<<(raw_ostream &OS, const SrcState &S) {
   } else {
     OS << "SafeToDerefRegs: " << S.SafeToDerefRegs << ", ";
     OS << "TrustedRegs: " << S.TrustedRegs << ", ";
-    printLastInsts(OS, S.LastInstWritingReg);
+    printInstsShort(OS, S.LastInstWritingReg);
   }
   OS << ">";
   return OS;
@@ -281,7 +280,7 @@ void SrcStatePrinter::print(raw_ostream &OS, const SrcState &S) const {
     OS << ", TrustedRegs: ";
     RegStatePrinter.print(OS, S.TrustedRegs);
     OS << ", ";
-    printLastInsts(OS, S.LastInstWritingReg);
+    printInstsShort(OS, S.LastInstWritingReg);
   }
   OS << ">";
 }
@@ -752,7 +751,7 @@ SrcSafetyAnalysis::create(BinaryFunction &BF,
 struct DstState {
   /// The set of registers whose values cannot be inspected by an attacker in
   /// a way usable as an authentication oracle. The results of authentication
-  /// instructions should be written to such registers.
+  /// instructions should only be written to such registers.
   BitVector CannotEscapeUnchecked;
 
   std::vector<SmallPtrSet<const MCInst *, 4>> FirstInstLeakingReg;
@@ -770,6 +769,9 @@ struct DstState {
       return (*this = StateIn);
 
     CannotEscapeUnchecked &= StateIn.CannotEscapeUnchecked;
+    for (unsigned I = 0; I < FirstInstLeakingReg.size(); ++I)
+      for (const MCInst *J : StateIn.FirstInstLeakingReg[I])
+        FirstInstLeakingReg[I].insert(J);
     return *this;
   }
 
@@ -778,7 +780,8 @@ struct DstState {
   bool empty() const { return CannotEscapeUnchecked.empty(); }
 
   bool operator==(const DstState &RHS) const {
-    return CannotEscapeUnchecked == RHS.CannotEscapeUnchecked;
+    return CannotEscapeUnchecked == RHS.CannotEscapeUnchecked &&
+           FirstInstLeakingReg == RHS.FirstInstLeakingReg;
   }
   bool operator!=(const DstState &RHS) const { return !((*this) == RHS); }
 };
@@ -788,7 +791,8 @@ raw_ostream &operator<<(raw_ostream &OS, const DstState &S) {
   if (S.empty()) {
     OS << "empty";
   } else {
-    OS << "CannotEscapeUnchecked: " << S.CannotEscapeUnchecked;
+    OS << "CannotEscapeUnchecked: " << S.CannotEscapeUnchecked << ", ";
+    printInstsShort(OS, S.FirstInstLeakingReg);
   }
   OS << ">";
   return OS;
@@ -808,10 +812,13 @@ void DstStatePrinter::print(raw_ostream &OS, const DstState &S) const {
   OS << "dst-state<";
   if (S.empty()) {
     assert(S.CannotEscapeUnchecked.empty());
+    assert(S.FirstInstLeakingReg.empty());
     OS << "empty";
   } else {
     OS << "CannotEscapeUnchecked: ";
     RegStatePrinter.print(OS, S.CannotEscapeUnchecked);
+    OS << ", ";
+    printInstsShort(OS, S.FirstInstLeakingReg);
   }
   OS << ">";
 }
@@ -841,6 +848,7 @@ class DstSafetyAnalysis {
   const unsigned NumRegs;
 
   const TrackedRegisters RegsToTrackInstsFor;
+
   /// Stores information about the detected instruction sequences emitted to
   /// check an authenticated pointer. Specifically, if such sequence is detected
   /// in a basic block, it maps the first instruction of that sequence to the
@@ -897,7 +905,6 @@ class DstSafetyAnalysis {
                                               const BitVector &LeakedRegs,
                                               const DstState &Cur) const {
     SmallVector<MCPhysReg> Regs;
-    const MCPhysReg NoReg = BC.MIB->getNoRegister();
 
     // A pointer can be checked, or
     if (auto CheckedReg =
@@ -911,7 +918,7 @@ class DstSafetyAnalysis {
       bool IsAuthenticated;
       MCPhysReg BranchDestReg =
           BC.MIB->getRegUsedAsIndirectBranchDest(Inst, IsAuthenticated);
-      assert(BranchDestReg != NoReg);
+      assert(BranchDestReg != BC.MIB->getNoRegister());
       if (!IsAuthenticated)
         Regs.push_back(BranchDestReg);
     }
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-authentication-oracles.s b/bolt/test/binary-analysis/AArch64/gs-pauth-authentication-oracles.s
@@ -350,7 +350,8 @@ bad_leaked_to_subroutine_multi_bb:
 bad_unknown_usage_read_multi_bb:
 // CHECK-LABEL: GS-PAUTH: authentication oracle found in function bad_unknown_usage_read_multi_bb, basic block {{[^,]+}}, at address
 // CHECK-NEXT:  The instruction is     {{[0-9a-f]+}}:      autia   x0, x1
-// CHECK-NEXT:  The 0 instructions that leak the affected registers are:
+// CHECK-NEXT:  The 1 instructions that leak the affected registers are:
+// CHECK-NEXT:  1.     {{[0-9a-f]+}}:      mul     x3, x0, x1
         autia   x0, x1
         cbz     x3, 1f
         mul     x3, x0, x1
@@ -364,7 +365,8 @@ bad_unknown_usage_read_multi_bb:
 bad_unknown_usage_subreg_read_multi_bb:
 // CHECK-LABEL: GS-PAUTH: authentication oracle found in function bad_unknown_usage_subreg_read_multi_bb, basic block {{[^,]+}}, at address
 // CHECK-NEXT:  The instruction is     {{[0-9a-f]+}}:      autia   x0, x1
-// CHECK-NEXT:  The 0 instructions that leak the affected registers are:
+// CHECK-NEXT:  The 1 instructions that leak the affected registers are:
+// CHECK-NEXT:  1.     {{[0-9a-f]+}}:      mul     w3, w0, w1
         autia   x0, x1
         cbz     x3, 1f
         mul     w3, w0, w1
@@ -378,7 +380,8 @@ bad_unknown_usage_subreg_read_multi_bb:
 bad_unknown_usage_update_multi_bb:
 // CHECK-LABEL: GS-PAUTH: authentication oracle found in function bad_unknown_usage_update_multi_bb, basic block {{[^,]+}}, at address
 // CHECK-NEXT:  The instruction is     {{[0-9a-f]+}}:      autia   x0, x1
-// CHECK-NEXT:  The 0 instructions that leak the affected registers are:
+// CHECK-NEXT:  The 1 instructions that leak the affected registers are:
+// CHECK-NEXT:  1.     {{[0-9a-f]+}}:      movk    x0, #0x2a, lsl #16
         autia   x0, x1
         cbz     x3, 1f
         movk    x0, #42, lsl #16  // does not overwrite x0 completely
diff --git a/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s b/bolt/test/binary-analysis/AArch64/gs-pauth-debug-output.s
@@ -282,10 +282,10 @@ auth_oracle:
 // CHECK:      End of Function "auth_oracle"
 // ...
 // PAUTH:      Running dst register safety analysis...
-// PAUTH-NEXT:   DstSafetyAnalysis::ComputeNext(       ret     x30, dst-state<CannotEscapeUnchecked: >)
-// PAUTH-NEXT:     .. result: (dst-state<CannotEscapeUnchecked: LR W30 W30_HI >)
-// PAUTH-NEXT:   DstSafetyAnalysis::ComputeNext(       autia   x0, x1, dst-state<CannotEscapeUnchecked: LR W30 W30_HI >)
-// PAUTH-NEXT:     .. result: (dst-state<CannotEscapeUnchecked: LR W30 W30_HI >)
+// PAUTH-NEXT:   DstSafetyAnalysis::ComputeNext(       ret     x30, dst-state<CannotEscapeUnchecked: , Insts: >)
+// PAUTH-NEXT:     .. result: (dst-state<CannotEscapeUnchecked: LR W30 W30_HI , Insts: >)
+// PAUTH-NEXT:   DstSafetyAnalysis::ComputeNext(       autia   x0, x1, dst-state<CannotEscapeUnchecked: LR W30 W30_HI , Insts: >)
+// PAUTH-NEXT:     .. result: (dst-state<CannotEscapeUnchecked: LR W30 W30_HI , Insts: >)
 // PAUTH-NEXT: After dst register safety analysis:
 // PAUTH-NEXT: Binary Function "auth_oracle"  {
 // PAUTH-NEXT:   Number      : 4
@@ -295,22 +295,22 @@ auth_oracle:
 // PAUTH-NEXT: }
 // PAUTH-NEXT: [[BB0]] (2 instructions, align : 1)
 // PAUTH-NEXT:   Entry Point
-// PAUTH-NEXT:     00000000:   autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector>
-// PAUTH-NEXT:     00000004:   ret # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector>
+// PAUTH-NEXT:     00000000:   autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector, Insts: >
+// PAUTH-NEXT:     00000004:   ret # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector, Insts: >
 // PAUTH-EMPTY:
 // PAUTH-NEXT: DWARF CFI Instructions:
 // PAUTH-NEXT:     <empty>
 // PAUTH-NEXT: End of Function "auth_oracle"
 // PAUTH-EMPTY:
-// PAUTH-NEXT:   Found auth inst:     00000000:        autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector>
+// PAUTH-NEXT:   Found auth inst:     00000000:        autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector, Insts: >
 // PAUTH-NEXT:     Authenticated reg: X0
 // PAUTH-NEXT:     safe output registers: LR W30 W30_HI
 // PAUTH-EMPTY:
 // PAUTH-NEXT: Running detailed dst register safety analysis...
-// PAUTH-NEXT:   DstSafetyAnalysis::ComputeNext(       ret     x30, dst-state<CannotEscapeUnchecked: >)
-// PAUTH-NEXT:     .. result: (dst-state<CannotEscapeUnchecked: LR W30 W30_HI >)
-// PAUTH-NEXT:   DstSafetyAnalysis::ComputeNext(       autia   x0, x1, dst-state<CannotEscapeUnchecked: LR W30 W30_HI >)
-// PAUTH-NEXT:     .. result: (dst-state<CannotEscapeUnchecked: LR W30 W30_HI >)
+// PAUTH-NEXT:   DstSafetyAnalysis::ComputeNext(       ret     x30, dst-state<CannotEscapeUnchecked: , Insts: [0]()>)
+// PAUTH-NEXT:     .. result: (dst-state<CannotEscapeUnchecked: LR W30 W30_HI , Insts: [0]()>)
+// PAUTH-NEXT:   DstSafetyAnalysis::ComputeNext(       autia   x0, x1, dst-state<CannotEscapeUnchecked: LR W30 W30_HI , Insts: [0]()>)
+// PAUTH-NEXT:     .. result: (dst-state<CannotEscapeUnchecked: LR W30 W30_HI , Insts: [0](0x{{[0-9a-f]+}} )>)
 // PAUTH-NEXT: After detailed dst register safety analysis:
 // PAUTH-NEXT: Binary Function "auth_oracle"  {
 // PAUTH-NEXT:   Number      : 4
@@ -320,14 +320,14 @@ auth_oracle:
 // PAUTH-NEXT: }
 // PAUTH-NEXT: [[BB0]] (2 instructions, align : 1)
 // PAUTH-NEXT:   Entry Point
-// PAUTH-NEXT:     00000000:   autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector>
-// PAUTH-NEXT:     00000004:   ret # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector>
+// PAUTH-NEXT:     00000000:   autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector, Insts: [0](0x{{[0-9a-f]+}} )>
+// PAUTH-NEXT:     00000004:   ret # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector, Insts: [0]()>
 // PAUTH-EMPTY:
 // PAUTH-NEXT: DWARF CFI Instructions:
 // PAUTH-NEXT:     <empty>
 // PAUTH-NEXT: End of Function "auth_oracle"
 // PAUTH-EMPTY:
-// PAUTH-NEXT:   Attaching leakage info to:     00000000:      autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector>
+// PAUTH-NEXT:   Attaching leakage info to:     00000000:      autia   x0, x1 # DataflowDstSafetyAnalysis: dst-state<CannotEscapeUnchecked: BitVector, Insts: [0](0x{{[0-9a-f]+}} )>
 
 // CHECK-LABEL:Analyzing function main, AllocatorId = 1
         .globl  main
