[clang] Implement pointer authentication for C++ virtual functions, v-tables, and VTTs (#94056)

Virtual function pointer entries in v-tables are signed with address
discrimination in addition to de

[clang] Implement pointer authentication for C++ virtual functions, v-tables, and VTTs (#94056)

Virtual function pointer entries in v-tables are signed with address
discrimination in addition to declaration-based discrimination, where an
integer discriminator the string hash (see
`ptrauth_string_discriminator`) of the mangled name of the overridden
method. This notably provides diversity based on the full signature of
the overridden method, including the method name and parameter types.
This patch introduces ItaniumVTableContext logic to find the original
declaration of the overridden method.
On AArch64, these pointers are signed using the `IA` key (the
process-independent code key.)

V-table pointers can be signed with either no discrimination, or a
similar scheme using address and decl-based discrimination. In this
case, the integer discriminator is the string hash of the mangled
v-table identifier of the class that originally introduced the vtable
pointer.
On AArch64, these pointers are signed using the `DA` key (the
process-independent data key.)

Not using discrimination allows attackers to simply copy valid v-table
pointers from one object to another. However, using a uniform
discriminator of 0 does have positive performance and code-size
implications on AArch64, and diversity for the most important v-table
access pattern (virtual dispatch) is already better assured by the
signing schemas used on the virtual functions. It is also known that
some code in practice copies objects containing v-tables with `memcpy`,
and while this is not permitted formally, it is something that may be
invasive to eliminate.

This is controlled by:
```
-fptrauth-vtable-pointer-type-discrimination
-fptrauth-vtable-pointer-address-discrimination
```

In addition, this provides fine-grained controls in the
ptrauth_vtable_pointer attribute, which allows overriding the default
ptrauth schema for vtable pointers on a given class hierarchy, e.g.:
```
[[clang::ptrauth_vtable_pointer(no_authentication, no_address_discrimination,
no_extra_discrimination)]]
[[clang::ptrauth_vtable_pointer(default_key, default_address_discrimination,
custom_discrimination, 0xf00d)]]
```

The override is then mangled as a parametrized vendor extension:
```
"__vtptrauth" I
<key>
<addressDiscriminated>
<extraDiscriminator>
E
```

To support this attribute, this patch adds a small extension to the
attribute-emitter tablegen backend.

Note that there are known areas where signing is either missing
altogether or can be strengthened. Some will be addressed in later
changes (e.g., member function pointers, some RTTI).
`dynamic_cast` in particular is handled by emitting an artificial
v-table pointer load (in a way that always authenticates it) before the
runtime call itself, as the runtime doesn't have enough information
today to properly authenticate it. Instead, the runtime is currently
expected to strip the v-table pointer.

---------

Co-authored-by: John McCall <rjmccall@apple.com>
Co-authored-by: Ahmed Bougacha <ahmed@bougacha.org>

show more ...

[llvm-project] Fix typo "seperate" (#95373)

[InstallAPI] Condense std::pair unwrapping in CategoryRecord NFC

[clang-installapi] Remove unnecessary copy (#86808)

Reported by Static Analyzer Tool:

In clang::installapi::InstallAPIVisitor::VisitFunctionDecl(clang::FunctionDecl
const *): Using the auto keyw

[clang-installapi] Remove unnecessary copy (#86808)

Reported by Static Analyzer Tool:

In clang::installapi::InstallAPIVisitor::VisitFunctionDecl(clang::FunctionDecl
const *): Using the auto keyword without an & causes the copy of an
object of type DynTypedNode.

show more ...

[InstallAPI] Silence unused variable warning, NFC

[InstallAPI] Verify that declarations in headers map to exports found in dylib (#85348)

* This completes support for verifying every declaration found in a
header is discovered in the dylib. Diagno

[InstallAPI] Verify that declarations in headers map to exports found in dylib (#85348)

* This completes support for verifying every declaration found in a
header is discovered in the dylib. Diagnostics are reported for each
class for differences that are representable in TBD files.

* This patch also now captures unavailable attributes that depend on
target triples. This is needed for proper tbd file generation.

show more ...

[InstallAPI] Introduce Basic Verifier (#85106)

This adds basic support for calling the verifier on global declarations
that are expected to represent symbol exports. The driver now
exclusively use

[InstallAPI] Introduce Basic Verifier (#85106)

This adds basic support for calling the verifier on global declarations
that are expected to represent symbol exports. The driver now
exclusively uses this for knowing what symbols make up a TBD file.
Future patches will check against the dylib's symbol table.

show more ...

[InstallAPI] Break up headers and add common header for TextAPI types (#84960)

Before it gets too unwieldy, add a common header for all MachO types
that are used across InstallAPI. Also, break up t

[InstallAPI] Break up headers and add common header for TextAPI types (#84960)

Before it gets too unwieldy, add a common header for all MachO types
that are used across InstallAPI. Also, break up the types in
`InstallAPI/Frontend`. This both avoids circular dependencies and is
logically easier to maintain as more functionality gets added.

show more ...

[InstallAPI] Collect C++ Decls (#84403)

This includes capturing symbols for global variables, functions,
classes, and templated defintions. As pre-determing what symbols are
generated from C++ dec

[InstallAPI] Collect C++ Decls (#84403)

This includes capturing symbols for global variables, functions,
classes, and templated defintions. As pre-determing what symbols are
generated from C++ declarations can be non-trivial, InstallAPI only
parses select declarations for symbol generation when parsing c++.

For example, installapi only looks at explicit template instantiations
or full template specializations, instead of general function or class
templates, for symbol emittion.

show more ...

[InstallAPI] Collect global functions (#83952)

* Include whether functions are inlinable as they impact whether to add
them into the tbd file and for future verification.
* Fix how clang arguments

[InstallAPI] Collect global functions (#83952)

* Include whether functions are inlinable as they impact whether to add
them into the tbd file and for future verification.
* Fix how clang arguments got passed along, previously spacing was
passed along to CC1 causing search path inputs to look non-existent.

show more ...

[InstallAPI] Collect symbols from ObjC Ivars (#83632)

[InstallAPI] Collect frontend attributes & ObjCInterface decls (#83378)

* This patch introduces a container class, for holding records and
attributes only collectible from the clang frontend, which

[InstallAPI] Collect frontend attributes & ObjCInterface decls (#83378)

* This patch introduces a container class, for holding records and
attributes only collectible from the clang frontend, which is a subclass
of `llvm::MachO::RecordsSlice`
* This also prunes out collecting declarations from headers that aren't
considered input to installapi.
* Uses these constructs for collecting global objective-c interfaces.

show more ...

[TextAPI][InstallAPI] Fix documentation typos, NFC

[InstallAPI] Hookup Input files & basic ASTVisitor (#82552)

This patch takes in json files as input to determine that header files
to process, and in which order, to pass along for CC1 invocations.

[InstallAPI] Hookup Input files & basic ASTVisitor (#82552)

This patch takes in json files as input to determine that header files
to process, and in which order, to pass along for CC1 invocations. This
patch also includes an ASTVisitor to collect simple global variables.

show more ...