llvm-for-llvmta/test/CodeGen/X86/shadow-stack.ll

; NOTE: Assertions have been autogenerated by utils/update_llc_test_checks.py
; RUN: llc -mtriple x86_64-apple-macosx10.13.0 < %s | FileCheck %s --check-prefix=X86_64
; RUN: llc -mtriple i386-apple-macosx10.13.0 < %s | FileCheck %s --check-prefix=X86

; The MacOS tripples are used to get trapping behavior on the "unreachable" IR
; instruction, so that the placement of the ud2 instruction could be verified.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; The IR was created using the following C code:
;; typedef void *jmp_buf;
;; jmp_buf buf;
;;
;; __attribute__((noinline)) int bar(int i) {
;;   int j = i - 111;
;;   __builtin_longjmp(&buf, 1);
;;   return j;
;; }
;;
;; int foo(int i) {
;;   int j = i * 11;
;;   if (!__builtin_setjmp(&buf)) {
;;     j += 33 + bar(j);
;;   }
;;   return j + i;
;; }
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

@buf = common local_unnamed_addr global i8* null, align 8

; Functions that use LongJmp should fix the Shadow Stack using previosuly saved
; ShadowStackPointer in the input buffer.
; The fix requires unwinding the shadow stack to the last SSP.
define i32 @bar(i32 %i) local_unnamed_addr {
; X86_64-LABEL: bar:
; X86_64:       ## %bb.0: ## %entry
; X86_64-NEXT:    pushq %rbp
; X86_64-NEXT:    .cfi_def_cfa_offset 16
; X86_64-NEXT:    .cfi_offset %rbp, -16
; X86_64-NEXT:    movq _buf@{{.*}}(%rip), %rax
; X86_64-NEXT:    movq (%rax), %rax
; X86_64-NEXT:    xorl %edx, %edx
; X86_64-NEXT:    rdsspq %rdx
; X86_64-NEXT:    testq %rdx, %rdx
; X86_64-NEXT:    je LBB0_5
; X86_64-NEXT:  ## %bb.1: ## %entry
; X86_64-NEXT:    movq 24(%rax), %rcx
; X86_64-NEXT:    subq %rdx, %rcx
; X86_64-NEXT:    jbe LBB0_5
; X86_64-NEXT:  ## %bb.2: ## %entry
; X86_64-NEXT:    shrq $3, %rcx
; X86_64-NEXT:    incsspq %rcx
; X86_64-NEXT:    shrq $8, %rcx
; X86_64-NEXT:    je LBB0_5
; X86_64-NEXT:  ## %bb.3: ## %entry
; X86_64-NEXT:    shlq %rcx
; X86_64-NEXT:    movq $128, %rdx
; X86_64-NEXT:  LBB0_4: ## %entry
; X86_64-NEXT:    ## =>This Inner Loop Header: Depth=1
; X86_64-NEXT:    incsspq %rdx
; X86_64-NEXT:    decq %rcx
; X86_64-NEXT:    jne LBB0_4
; X86_64-NEXT:  LBB0_5: ## %entry
; X86_64-NEXT:    movq (%rax), %rbp
; X86_64-NEXT:    movq 8(%rax), %rcx
; X86_64-NEXT:    movq 16(%rax), %rsp
; X86_64-NEXT:    jmpq *%rcx
;
; X86-LABEL: bar:
; X86:       ## %bb.0: ## %entry
; X86-NEXT:    pushl %ebp
; X86-NEXT:    .cfi_def_cfa_offset 8
; X86-NEXT:    .cfi_offset %ebp, -8
; X86-NEXT:    movl L_buf$non_lazy_ptr, %eax
; X86-NEXT:    movl (%eax), %eax
; X86-NEXT:    xorl %edx, %edx
; X86-NEXT:    rdsspd %edx
; X86-NEXT:    testl %edx, %edx
; X86-NEXT:    je LBB0_5
; X86-NEXT:  ## %bb.1: ## %entry
; X86-NEXT:    movl 12(%eax), %ecx
; X86-NEXT:    subl %edx, %ecx
; X86-NEXT:    jbe LBB0_5
; X86-NEXT:  ## %bb.2: ## %entry
; X86-NEXT:    shrl $2, %ecx
; X86-NEXT:    incsspd %ecx
; X86-NEXT:    shrl $8, %ecx
; X86-NEXT:    je LBB0_5
; X86-NEXT:  ## %bb.3: ## %entry
; X86-NEXT:    shll %ecx
; X86-NEXT:    movl $128, %edx
; X86-NEXT:  LBB0_4: ## %entry
; X86-NEXT:    ## =>This Inner Loop Header: Depth=1
; X86-NEXT:    incsspd %edx
; X86-NEXT:    decl %ecx
; X86-NEXT:    jne LBB0_4
; X86-NEXT:  LBB0_5: ## %entry
; X86-NEXT:    movl (%eax), %ebp
; X86-NEXT:    movl 4(%eax), %ecx
; X86-NEXT:    movl 8(%eax), %esp
; X86-NEXT:    jmpl *%ecx
entry:
  %0 = load i8*, i8** @buf, align 8
  tail call void @llvm.eh.sjlj.longjmp(i8* %0)
  unreachable
}

declare void @llvm.eh.sjlj.longjmp(i8*)

; Functions that call SetJmp should save the current ShadowStackPointer for
; future fixing of the Shadow Stack.
define i32 @foo(i32 %i) local_unnamed_addr {
; X86_64-LABEL: foo:
; X86_64:       ## %bb.0: ## %entry
; X86_64-NEXT:    pushq %rbp
; X86_64-NEXT:    .cfi_def_cfa_offset 16
; X86_64-NEXT:    .cfi_offset %rbp, -16
; X86_64-NEXT:    movq %rsp, %rbp
; X86_64-NEXT:    .cfi_def_cfa_register %rbp
; X86_64-NEXT:    pushq %r15
; X86_64-NEXT:    pushq %r14
; X86_64-NEXT:    pushq %r13
; X86_64-NEXT:    pushq %r12
; X86_64-NEXT:    pushq %rbx
; X86_64-NEXT:    pushq %rax
; X86_64-NEXT:    .cfi_offset %rbx, -56
; X86_64-NEXT:    .cfi_offset %r12, -48
; X86_64-NEXT:    .cfi_offset %r13, -40
; X86_64-NEXT:    .cfi_offset %r14, -32
; X86_64-NEXT:    .cfi_offset %r15, -24
; X86_64-NEXT:    ## kill: def $edi killed $edi def $rdi
; X86_64-NEXT:    movq %rdi, {{[-0-9]+}}(%r{{[sb]}}p) ## 8-byte Spill
; X86_64-NEXT:    movq _buf@{{.*}}(%rip), %rax
; X86_64-NEXT:    movq (%rax), %rax
; X86_64-NEXT:    movq %rbp, (%rax)
; X86_64-NEXT:    movq %rsp, 16(%rax)
; X86_64-NEXT:    leaq {{.*}}(%rip), %rcx
; X86_64-NEXT:    movq %rcx, 8(%rax)
; X86_64-NEXT:    xorq %rcx, %rcx
; X86_64-NEXT:    rdsspq %rcx
; X86_64-NEXT:    movq %rcx, 24(%rax)
; X86_64-NEXT:    #EH_SjLj_Setup LBB1_4
; X86_64-NEXT:  ## %bb.1: ## %entry
; X86_64-NEXT:    xorl %eax, %eax
; X86_64-NEXT:    jmp LBB1_2
; X86_64-NEXT:  LBB1_4: ## Block address taken
; X86_64-NEXT:    ## %entry
; X86_64-NEXT:    movl $1, %eax
; X86_64-NEXT:  LBB1_2: ## %entry
; X86_64-NEXT:    testl %eax, %eax
; X86_64-NEXT:    je LBB1_5
; X86_64-NEXT:  ## %bb.3: ## %if.end
; X86_64-NEXT:    movq {{[-0-9]+}}(%r{{[sb]}}p), %rax ## 8-byte Reload
; X86_64-NEXT:    shll $2, %eax
; X86_64-NEXT:    leal (%rax,%rax,2), %eax
; X86_64-NEXT:    addq $8, %rsp
; X86_64-NEXT:    popq %rbx
; X86_64-NEXT:    popq %r12
; X86_64-NEXT:    popq %r13
; X86_64-NEXT:    popq %r14
; X86_64-NEXT:    popq %r15
; X86_64-NEXT:    popq %rbp
; X86_64-NEXT:    retq
; X86_64-NEXT:  LBB1_5: ## %if.then
; X86_64-NEXT:    callq _bar
; X86_64-NEXT:    ud2
;
; X86-LABEL: foo:
; X86:       ## %bb.0: ## %entry
; X86-NEXT:    pushl %ebp
; X86-NEXT:    .cfi_def_cfa_offset 8
; X86-NEXT:    .cfi_offset %ebp, -8
; X86-NEXT:    movl %esp, %ebp
; X86-NEXT:    .cfi_def_cfa_register %ebp
; X86-NEXT:    pushl %ebx
; X86-NEXT:    pushl %edi
; X86-NEXT:    pushl %esi
; X86-NEXT:    subl $12, %esp
; X86-NEXT:    .cfi_offset %esi, -20
; X86-NEXT:    .cfi_offset %edi, -16
; X86-NEXT:    .cfi_offset %ebx, -12
; X86-NEXT:    movl L_buf$non_lazy_ptr, %eax
; X86-NEXT:    movl (%eax), %eax
; X86-NEXT:    movl %ebp, (%eax)
; X86-NEXT:    movl %esp, 16(%eax)
; X86-NEXT:    movl $LBB1_4, 4(%eax)
; X86-NEXT:    xorl %ecx, %ecx
; X86-NEXT:    rdsspd %ecx
; X86-NEXT:    movl %ecx, 12(%eax)
; X86-NEXT:    #EH_SjLj_Setup LBB1_4
; X86-NEXT:  ## %bb.1: ## %entry
; X86-NEXT:    xorl %eax, %eax
; X86-NEXT:    jmp LBB1_2
; X86-NEXT:  LBB1_4: ## Block address taken
; X86-NEXT:    ## %entry
; X86-NEXT:    movl $1, %eax
; X86-NEXT:  LBB1_2: ## %entry
; X86-NEXT:    testl %eax, %eax
; X86-NEXT:    je LBB1_5
; X86-NEXT:  ## %bb.3: ## %if.end
; X86-NEXT:    movl 8(%ebp), %eax
; X86-NEXT:    shll $2, %eax
; X86-NEXT:    leal (%eax,%eax,2), %eax
; X86-NEXT:    addl $12, %esp
; X86-NEXT:    popl %esi
; X86-NEXT:    popl %edi
; X86-NEXT:    popl %ebx
; X86-NEXT:    popl %ebp
; X86-NEXT:    retl
; X86-NEXT:  LBB1_5: ## %if.then
; X86-NEXT:    calll _bar
; X86-NEXT:    ud2
entry:
  %0 = load i8*, i8** @buf, align 8
  %1 = bitcast i8* %0 to i8**
  %2 = tail call i8* @llvm.frameaddress(i32 0)
  store i8* %2, i8** %1, align 8
  %3 = tail call i8* @llvm.stacksave()
  %4 = getelementptr inbounds i8, i8* %0, i64 16
  %5 = bitcast i8* %4 to i8**
  store i8* %3, i8** %5, align 8
  %6 = tail call i32 @llvm.eh.sjlj.setjmp(i8* %0)
  %tobool = icmp eq i32 %6, 0
  br i1 %tobool, label %if.then, label %if.end

if.then:                                          ; preds = %entry
  %call = tail call i32 @bar(i32 undef)
  unreachable

if.end:                                           ; preds = %entry
  %add2 = mul nsw i32 %i, 12
  ret i32 %add2
}

declare i8* @llvm.frameaddress(i32)
declare i8* @llvm.stacksave()
declare i32 @llvm.eh.sjlj.setjmp(i8*)

!llvm.module.flags = !{!0}

!0 = !{i32 4, !"cf-protection-return", i32 1}