//===- bolt/Rewrite/LinuxKernelRewriter.cpp -------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Support for updating Linux Kernel metadata.
//
//===----------------------------------------------------------------------===//

#include "bolt/Core/BinaryFunction.h"
#include "bolt/Rewrite/MetadataRewriter.h"
#include "bolt/Rewrite/MetadataRewriters.h"
#include "bolt/Utils/CommandLineOpts.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DenseSet.h"
#include "llvm/MC/MCDisassembler/MCDisassembler.h"
#include "llvm/Support/BinaryStreamWriter.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/Errc.h"

#define DEBUG_TYPE "bolt-linux"

using namespace llvm;
using namespace bolt;

namespace opts {

static cl::opt<bool>
    AltInstHasPadLen("alt-inst-has-padlen",
                     cl::desc("specify that .altinstructions has padlen field"),
                     cl::init(false), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<uint32_t>
    AltInstFeatureSize("alt-inst-feature-size",
                       cl::desc("size of feature field in .altinstructions"),
                       cl::init(2), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<bool>
    DumpAltInstructions("dump-alt-instructions",
                        cl::desc("dump Linux alternative instructions info"),
                        cl::init(false), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<bool>
    DumpExceptions("dump-linux-exceptions",
                   cl::desc("dump Linux kernel exception table"),
                   cl::init(false), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<bool>
    DumpORC("dump-orc", cl::desc("dump raw ORC unwind information (sorted)"),
            cl::init(false), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<bool> DumpParavirtualPatchSites(
    "dump-para-sites", cl::desc("dump Linux kernel paravirtual patch sites"),
    cl::init(false), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<bool>
    DumpPCIFixups("dump-pci-fixups",
                  cl::desc("dump Linux kernel PCI fixup table"),
                  cl::init(false), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<bool> DumpSMPLocks("dump-smp-locks",
                                  cl::desc("dump Linux kernel SMP locks"),
                                  cl::init(false), cl::Hidden,
                                  cl::cat(BoltCategory));

static cl::opt<bool> DumpStaticCalls("dump-static-calls",
                                     cl::desc("dump Linux kernel static calls"),
                                     cl::init(false), cl::Hidden,
                                     cl::cat(BoltCategory));

static cl::opt<bool>
    DumpStaticKeys("dump-static-keys",
                   cl::desc("dump Linux kernel static keys jump table"),
                   cl::init(false), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<bool> LongJumpLabels(
    "long-jump-labels",
    cl::desc("always use long jumps/nops for Linux kernel static keys"),
    cl::init(false), cl::Hidden, cl::cat(BoltCategory));

static cl::opt<bool>
    PrintORC("print-orc",
             cl::desc("print ORC unwind information for instructions"),
             cl::init(true), cl::Hidden, cl::cat(BoltCategory));

} // namespace opts

/// Linux Kernel supports stack unwinding using ORC (oops rewind capability).
/// ORC state at every IP can be described by the following data structure.
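///
/// A minimal illustration (with made-up values, not taken from any particular
/// kernel build) of how these states are used by this rewriter:
///
///   ORCState Frame = {16, -8, 0x5}; // a regular unwind state for some IP
///   ORCState Stop = {0, 0, 0};      // equals NullORC below; marks a gap in
///                                   // coverage or the end of the table
///   assert(Frame != Stop);          // only non-terminator states carry info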
94 struct ORCState { 95 int16_t SPOffset; 96 int16_t BPOffset; 97 int16_t Info; 98 99 bool operator==(const ORCState &Other) const { 100 return SPOffset == Other.SPOffset && BPOffset == Other.BPOffset && 101 Info == Other.Info; 102 } 103 104 bool operator!=(const ORCState &Other) const { return !(*this == Other); } 105 }; 106 107 /// Section terminator ORC entry. 108 static ORCState NullORC = {0, 0, 0}; 109 110 /// Basic printer for ORC entry. It does not provide the same level of 111 /// information as objtool (for now). 112 inline raw_ostream &operator<<(raw_ostream &OS, const ORCState &E) { 113 if (!opts::PrintORC) 114 return OS; 115 if (E != NullORC) 116 OS << format("{sp: %d, bp: %d, info: 0x%x}", E.SPOffset, E.BPOffset, 117 E.Info); 118 else 119 OS << "{terminator}"; 120 121 return OS; 122 } 123 124 namespace { 125 126 class LinuxKernelRewriter final : public MetadataRewriter { 127 /// Information required for updating metadata referencing an instruction. 128 struct InstructionFixup { 129 BinarySection &Section; // Section referencing the instruction. 130 uint64_t Offset; // Offset in the section above. 131 BinaryFunction &BF; // Function containing the instruction. 132 MCSymbol &Label; // Label marking the instruction. 133 bool IsPCRelative; // If the reference type is relative. 134 }; 135 std::vector<InstructionFixup> Fixups; 136 137 /// Size of an entry in .smp_locks section. 138 static constexpr size_t SMP_LOCKS_ENTRY_SIZE = 4; 139 140 /// Linux ORC sections. 141 ErrorOr<BinarySection &> ORCUnwindSection = std::errc::bad_address; 142 ErrorOr<BinarySection &> ORCUnwindIPSection = std::errc::bad_address; 143 144 /// Size of entries in ORC sections. 145 static constexpr size_t ORC_UNWIND_ENTRY_SIZE = 6; 146 static constexpr size_t ORC_UNWIND_IP_ENTRY_SIZE = 4; 147 148 struct ORCListEntry { 149 uint64_t IP; /// Instruction address. 150 BinaryFunction *BF; /// Binary function corresponding to the entry. 151 ORCState ORC; /// Stack unwind info in ORC format. 152 153 /// ORC entries are sorted by their IPs. Terminator entries (NullORC) 154 /// should precede other entries with the same address. 155 bool operator<(const ORCListEntry &Other) const { 156 if (IP < Other.IP) 157 return 1; 158 if (IP > Other.IP) 159 return 0; 160 return ORC == NullORC && Other.ORC != NullORC; 161 } 162 }; 163 164 using ORCListType = std::vector<ORCListEntry>; 165 ORCListType ORCEntries; 166 167 /// Number of entries in the input file ORC sections. 168 uint64_t NumORCEntries = 0; 169 170 /// Section containing static keys jump table. 171 ErrorOr<BinarySection &> StaticKeysJumpSection = std::errc::bad_address; 172 uint64_t StaticKeysJumpTableAddress = 0; 173 static constexpr size_t STATIC_KEYS_JUMP_ENTRY_SIZE = 8; 174 175 struct JumpInfoEntry { 176 bool Likely; 177 bool InitValue; 178 }; 179 SmallVector<JumpInfoEntry, 16> JumpInfo; 180 181 /// Static key entries that need nop conversion. 182 DenseSet<uint32_t> NopIDs; 183 184 /// Section containing static call table. 185 ErrorOr<BinarySection &> StaticCallSection = std::errc::bad_address; 186 uint64_t StaticCallTableAddress = 0; 187 static constexpr size_t STATIC_CALL_ENTRY_SIZE = 8; 188 189 struct StaticCallInfo { 190 uint32_t ID; /// Identifier of the entry in the table. 191 BinaryFunction *Function; /// Function containing associated call. 192 MCSymbol *Label; /// Label attached to the call. 193 }; 194 using StaticCallListType = std::vector<StaticCallInfo>; 195 StaticCallListType StaticCallEntries; 196 197 /// Section containing the Linux exception table. 
  ErrorOr<BinarySection &> ExceptionsSection = std::errc::bad_address;
  static constexpr size_t EXCEPTION_TABLE_ENTRY_SIZE = 12;

  /// Functions with exception handling code.
  DenseSet<BinaryFunction *> FunctionsWithExceptions;

  /// Section with paravirtual patch sites.
  ErrorOr<BinarySection &> ParavirtualPatchSection = std::errc::bad_address;

  /// Alignment of paravirtual patch structures.
  static constexpr size_t PARA_PATCH_ALIGN = 8;

  /// .altinstructions section.
  ErrorOr<BinarySection &> AltInstrSection = std::errc::bad_address;

  /// Section containing Linux bug table.
  ErrorOr<BinarySection &> BugTableSection = std::errc::bad_address;

  /// Size of bug_entry struct.
  static constexpr size_t BUG_TABLE_ENTRY_SIZE = 12;

  /// List of bug entries per function.
  using FunctionBugListType =
      DenseMap<BinaryFunction *, SmallVector<uint32_t, 2>>;
  FunctionBugListType FunctionBugList;

  /// .pci_fixup section.
  ErrorOr<BinarySection &> PCIFixupSection = std::errc::bad_address;
  static constexpr size_t PCI_FIXUP_ENTRY_SIZE = 16;

  /// Process Linux kernel special sections and their relocations.
  void processLKSections();

  /// Process __ksymtab and __ksymtab_gpl.
  void processLKKSymtab(bool IsGPL = false);

  // Create relocations in sections requiring fixups.
  //
  // Make sure functions that will not be emitted are marked as such before
  // this function is executed.
  void processInstructionFixups();

  /// Process .smp_locks section.
  Error processSMPLocks();

  /// Read ORC unwind information and annotate instructions.
  Error readORCTables();

  /// Update ORC for functions once CFG is constructed.
  Error processORCPostCFG();

  /// Update ORC data in the binary.
  Error rewriteORCTables();

  /// Validate written ORC tables after binary emission.
  Error validateORCTables();

  /// Static call table handling.
  Error readStaticCalls();
  Error rewriteStaticCalls();

  Error readExceptionTable();
  Error rewriteExceptionTable();

  /// Paravirtual instruction patch sites.
  Error readParaInstructions();
  Error rewriteParaInstructions();

  /// __bug_table section handling.
  Error readBugTable();
  Error rewriteBugTable();

  /// Do not process functions containing instructions annotated with
  /// \p Annotation.
  void skipFunctionsWithAnnotation(StringRef Annotation) const;

  /// Handle alternative instruction info from .altinstructions.
  Error readAltInstructions();
  Error tryReadAltInstructions(uint32_t AltInstFeatureSize,
                               bool AltInstHasPadLen, bool ParseOnly);
  Error rewriteAltInstructions();

  /// Read .pci_fixup.
  Error readPCIFixupTable();

  /// Handle static keys jump table.
  Error readStaticKeysJumpTable();
  Error rewriteStaticKeysJumpTable();
  Error updateStaticKeysJumpTablePostEmit();

public:
  LinuxKernelRewriter(BinaryContext &BC)
      : MetadataRewriter("linux-kernel-rewriter", BC) {}

  Error preCFGInitializer() override {
    processLKSections();

    if (Error E = processSMPLocks())
      return E;

    if (Error E = readORCTables())
      return E;

    if (Error E = readStaticCalls())
      return E;

    if (Error E = readExceptionTable())
      return E;

    if (Error E = readParaInstructions())
      return E;

    if (Error E = readBugTable())
      return E;

    if (Error E = readAltInstructions())
      return E;

    if (Error E = readPCIFixupTable())
      return E;

    if (Error E = readStaticKeysJumpTable())
      return E;

    return Error::success();
  }

  Error postCFGInitializer() override {
    if (Error E = processORCPostCFG())
      return E;

    return Error::success();
  }

  Error preEmitFinalizer() override {
    // Since rewriteExceptionTable() can mark functions as non-simple, run it
    // before other rewriters that depend on simple/emit status.
    if (Error E = rewriteExceptionTable())
      return E;

    if (Error E = rewriteAltInstructions())
      return E;

    if (Error E = rewriteParaInstructions())
      return E;

    if (Error E = rewriteORCTables())
      return E;

    if (Error E = rewriteStaticCalls())
      return E;

    if (Error E = rewriteStaticKeysJumpTable())
      return E;

    if (Error E = rewriteBugTable())
      return E;

    processInstructionFixups();

    return Error::success();
  }

  Error postEmitFinalizer() override {
    if (Error E = updateStaticKeysJumpTablePostEmit())
      return E;

    if (Error E = validateORCTables())
      return E;

    return Error::success();
  }
};

void LinuxKernelRewriter::processLKSections() {
  processLKKSymtab();
  processLKKSymtab(true);
}

/// Process __ksymtab[_gpl] sections of Linux Kernel.
/// This section lists all the vmlinux symbols that kernel modules can access.
///
/// All the entries are 4 bytes each, hence we can read them one by one and
/// ignore the ones that are not pointing to the .text section. All pointers
/// are PC-relative offsets and always point to the beginning of a function.
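///
/// A minimal sketch of how a single 4-byte entry is interpreted (read32() is
/// just a placeholder for the read performed through BinaryContext below):
///
///   int32_t Offset = read32(EntryAddress);   // signed, PC-relative value
///   uint64_t Target = EntryAddress + Offset; // start of the exported function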
void LinuxKernelRewriter::processLKKSymtab(bool IsGPL) {
  StringRef SectionName = "__ksymtab";
  if (IsGPL)
    SectionName = "__ksymtab_gpl";
  ErrorOr<BinarySection &> SectionOrError =
      BC.getUniqueSectionByName(SectionName);
  assert(SectionOrError &&
         "__ksymtab[_gpl] section not found in Linux Kernel binary");
  const uint64_t SectionSize = SectionOrError->getSize();
  const uint64_t SectionAddress = SectionOrError->getAddress();
  assert((SectionSize % 4) == 0 &&
         "The size of the __ksymtab[_gpl] section should be a multiple of 4");

  for (uint64_t I = 0; I < SectionSize; I += 4) {
    const uint64_t EntryAddress = SectionAddress + I;
    ErrorOr<int64_t> Offset = BC.getSignedValueAtAddress(EntryAddress, 4);
    assert(Offset && "Reading valid PC-relative offset for a ksymtab entry");
    const int32_t SignedOffset = *Offset;
    const uint64_t RefAddress = EntryAddress + SignedOffset;
    BinaryFunction *BF = BC.getBinaryFunctionAtAddress(RefAddress);
    if (!BF)
      continue;

    BC.addRelocation(EntryAddress, BF->getSymbol(), Relocation::getPC32(), 0,
                     *Offset);
  }
}

/// .smp_locks section contains PC-relative references to instructions with LOCK
/// prefix. The prefix can be converted to NOP at boot time on non-SMP systems.
Error LinuxKernelRewriter::processSMPLocks() {
  ErrorOr<BinarySection &> SMPLocksSection =
      BC.getUniqueSectionByName(".smp_locks");
  if (!SMPLocksSection)
    return Error::success();

  const uint64_t SectionSize = SMPLocksSection->getSize();
  const uint64_t SectionAddress = SMPLocksSection->getAddress();
  if (SectionSize % SMP_LOCKS_ENTRY_SIZE)
    return createStringError(errc::executable_format_error,
                             "bad size of .smp_locks section");

  DataExtractor DE = DataExtractor(SMPLocksSection->getContents(),
                                   BC.AsmInfo->isLittleEndian(),
                                   BC.AsmInfo->getCodePointerSize());
  DataExtractor::Cursor Cursor(0);
  while (Cursor && Cursor.tell() < SectionSize) {
    const uint64_t Offset = Cursor.tell();
    const uint64_t IP = SectionAddress + Offset + (int32_t)DE.getU32(Cursor);

    // Consume the status of the cursor.
    if (!Cursor)
      return createStringError(errc::executable_format_error,
                               "error while reading .smp_locks: %s",
                               toString(Cursor.takeError()).c_str());

    if (opts::DumpSMPLocks)
      BC.outs() << "SMP lock at 0x" << Twine::utohexstr(IP) << '\n';

    BinaryFunction *BF = BC.getBinaryFunctionContainingAddress(IP);
    if (!BF || !BC.shouldEmit(*BF))
      continue;

    MCInst *Inst = BF->getInstructionAtOffset(IP - BF->getAddress());
    if (!Inst)
      return createStringError(errc::executable_format_error,
                               "no instruction matches lock at 0x%" PRIx64, IP);

    // Check for duplicate entries.
    if (BC.MIB->hasAnnotation(*Inst, "SMPLock"))
      return createStringError(errc::executable_format_error,
                               "duplicate SMP lock at 0x%" PRIx64, IP);

    BC.MIB->addAnnotation(*Inst, "SMPLock", true);
    MCSymbol *Label =
        BC.MIB->getOrCreateInstLabel(*Inst, "__SMPLock_", BC.Ctx.get());

    Fixups.push_back({*SMPLocksSection, Offset, *BF, *Label,
                      /*IsPCRelative*/ true});
  }

  const uint64_t NumEntries = SectionSize / SMP_LOCKS_ENTRY_SIZE;
  BC.outs() << "BOLT-INFO: parsed " << NumEntries << " SMP lock entries\n";

  return Error::success();
}

void LinuxKernelRewriter::processInstructionFixups() {
  for (InstructionFixup &Fixup : Fixups) {
    if (!BC.shouldEmit(Fixup.BF))
      continue;

    Fixup.Section.addRelocation(Fixup.Offset, &Fixup.Label,
                                Fixup.IsPCRelative ? ELF::R_X86_64_PC32
                                                   : ELF::R_X86_64_64,
                                /*Addend*/ 0);
  }
}

Error LinuxKernelRewriter::readORCTables() {
  // NOTE: we should ignore relocations for ORC tables as the tables are sorted
  // post-link time and relocations are not updated.
  ORCUnwindSection = BC.getUniqueSectionByName(".orc_unwind");
  ORCUnwindIPSection = BC.getUniqueSectionByName(".orc_unwind_ip");

  if (!ORCUnwindSection && !ORCUnwindIPSection)
    return Error::success();

  if (!ORCUnwindSection || !ORCUnwindIPSection)
    return createStringError(errc::executable_format_error,
                             "missing ORC section");

  NumORCEntries = ORCUnwindIPSection->getSize() / ORC_UNWIND_IP_ENTRY_SIZE;
  if (ORCUnwindSection->getSize() != NumORCEntries * ORC_UNWIND_ENTRY_SIZE ||
      ORCUnwindIPSection->getSize() != NumORCEntries * ORC_UNWIND_IP_ENTRY_SIZE)
    return createStringError(errc::executable_format_error,
                             "ORC entries number mismatch detected");

  const uint64_t IPSectionAddress = ORCUnwindIPSection->getAddress();
  DataExtractor OrcDE = DataExtractor(ORCUnwindSection->getContents(),
                                      BC.AsmInfo->isLittleEndian(),
                                      BC.AsmInfo->getCodePointerSize());
  DataExtractor IPDE = DataExtractor(ORCUnwindIPSection->getContents(),
                                     BC.AsmInfo->isLittleEndian(),
                                     BC.AsmInfo->getCodePointerSize());
  DataExtractor::Cursor ORCCursor(0);
  DataExtractor::Cursor IPCursor(0);
  uint64_t PrevIP = 0;
  for (uint32_t Index = 0; Index < NumORCEntries; ++Index) {
    const uint64_t IP =
        IPSectionAddress + IPCursor.tell() + (int32_t)IPDE.getU32(IPCursor);

    // Consume the status of the cursor.
    if (!IPCursor)
      return createStringError(errc::executable_format_error,
                               "out of bounds while reading ORC IP table: %s",
                               toString(IPCursor.takeError()).c_str());

    if (IP < PrevIP && opts::Verbosity)
      BC.errs() << "BOLT-WARNING: out of order IP 0x" << Twine::utohexstr(IP)
                << " detected while reading ORC\n";

    PrevIP = IP;

    // Store all entries, including those we are not going to update, as the
    // tables need to be sorted globally before being written out.
    ORCEntries.push_back(ORCListEntry());
    ORCListEntry &Entry = ORCEntries.back();

    Entry.IP = IP;
    Entry.ORC.SPOffset = (int16_t)OrcDE.getU16(ORCCursor);
    Entry.ORC.BPOffset = (int16_t)OrcDE.getU16(ORCCursor);
    Entry.ORC.Info = (int16_t)OrcDE.getU16(ORCCursor);
    Entry.BF = nullptr;

    // Consume the status of the cursor.
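    // Note that DataExtractor defers errors: once the cursor is in an error
    // state, subsequent get*() calls return 0 without advancing, so the values
    // read above are only meaningful after this check, and the pending Error
    // must be consumed exactly once (hence takeError() below).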
539 if (!ORCCursor) 540 return createStringError(errc::executable_format_error, 541 "out of bounds while reading ORC: %s", 542 toString(ORCCursor.takeError()).c_str()); 543 544 if (Entry.ORC == NullORC) 545 continue; 546 547 BinaryFunction *&BF = Entry.BF; 548 BF = BC.getBinaryFunctionContainingAddress(IP, /*CheckPastEnd*/ true); 549 550 // If the entry immediately pointing past the end of the function is not 551 // the terminator entry, then it does not belong to this function. 552 if (BF && BF->getAddress() + BF->getSize() == IP) 553 BF = 0; 554 555 if (!BF) { 556 if (opts::Verbosity) 557 BC.errs() << "BOLT-WARNING: no binary function found matching ORC 0x" 558 << Twine::utohexstr(IP) << ": " << Entry.ORC << '\n'; 559 continue; 560 } 561 562 BF->setHasORC(true); 563 564 if (!BF->hasInstructions()) 565 continue; 566 567 MCInst *Inst = BF->getInstructionAtOffset(IP - BF->getAddress()); 568 if (!Inst) 569 return createStringError( 570 errc::executable_format_error, 571 "no instruction at address 0x%" PRIx64 " in .orc_unwind_ip", IP); 572 573 // Some addresses will have two entries associated with them. The first 574 // one being a "weak" section terminator. Since we ignore the terminator, 575 // we should only assign one entry per instruction. 576 if (BC.MIB->hasAnnotation(*Inst, "ORC")) 577 return createStringError( 578 errc::executable_format_error, 579 "duplicate non-terminal ORC IP 0x%" PRIx64 " in .orc_unwind_ip", IP); 580 581 BC.MIB->addAnnotation(*Inst, "ORC", Entry.ORC); 582 } 583 584 BC.outs() << "BOLT-INFO: parsed " << NumORCEntries << " ORC entries\n"; 585 586 if (opts::DumpORC) { 587 BC.outs() << "BOLT-INFO: ORC unwind information:\n"; 588 for (const ORCListEntry &E : ORCEntries) { 589 BC.outs() << "0x" << Twine::utohexstr(E.IP) << ": " << E.ORC; 590 if (E.BF) 591 BC.outs() << ": " << *E.BF; 592 BC.outs() << '\n'; 593 } 594 } 595 596 // Add entries for functions that don't have explicit ORC info at the start. 597 // We'll have the correct info for them even if ORC for the preceding function 598 // changes. 599 ORCListType NewEntries; 600 for (BinaryFunction &BF : llvm::make_second_range(BC.getBinaryFunctions())) { 601 auto It = llvm::partition_point(ORCEntries, [&](const ORCListEntry &E) { 602 return E.IP <= BF.getAddress(); 603 }); 604 if (It != ORCEntries.begin()) 605 --It; 606 607 if (It->BF == &BF) 608 continue; 609 610 if (It->ORC == NullORC && It->IP == BF.getAddress()) { 611 assert(!It->BF); 612 It->BF = &BF; 613 continue; 614 } 615 616 NewEntries.push_back({BF.getAddress(), &BF, It->ORC}); 617 if (It->ORC != NullORC) 618 BF.setHasORC(true); 619 } 620 621 llvm::copy(NewEntries, std::back_inserter(ORCEntries)); 622 llvm::sort(ORCEntries); 623 624 if (opts::DumpORC) { 625 BC.outs() << "BOLT-INFO: amended ORC unwind information:\n"; 626 for (const ORCListEntry &E : ORCEntries) { 627 BC.outs() << "0x" << Twine::utohexstr(E.IP) << ": " << E.ORC; 628 if (E.BF) 629 BC.outs() << ": " << *E.BF; 630 BC.outs() << '\n'; 631 } 632 } 633 634 return Error::success(); 635 } 636 637 Error LinuxKernelRewriter::processORCPostCFG() { 638 if (!NumORCEntries) 639 return Error::success(); 640 641 // Propagate ORC to the rest of the function. We can annotate every 642 // instruction in every function, but to minimize the overhead, we annotate 643 // the first instruction in every basic block to reflect the state at the 644 // entry. This way, the ORC state can be calculated based on annotations 645 // regardless of the basic block layout. 
Note that if we insert/delete 646 // instructions, we must take care to attach ORC info to the new/deleted ones. 647 for (BinaryFunction &BF : llvm::make_second_range(BC.getBinaryFunctions())) { 648 649 std::optional<ORCState> CurrentState; 650 for (BinaryBasicBlock &BB : BF) { 651 for (MCInst &Inst : BB) { 652 ErrorOr<ORCState> State = 653 BC.MIB->tryGetAnnotationAs<ORCState>(Inst, "ORC"); 654 655 if (State) { 656 CurrentState = *State; 657 continue; 658 } 659 660 // Get state for the start of the function. 661 if (!CurrentState) { 662 // A terminator entry (NullORC) can match the function address. If 663 // there's also a non-terminator entry, it will be placed after the 664 // terminator. Hence, we are looking for the last ORC entry that 665 // matches the address. 666 auto It = 667 llvm::partition_point(ORCEntries, [&](const ORCListEntry &E) { 668 return E.IP <= BF.getAddress(); 669 }); 670 if (It != ORCEntries.begin()) 671 --It; 672 673 assert(It->IP == BF.getAddress() && (!It->BF || It->BF == &BF) && 674 "ORC info at function entry expected."); 675 676 if (It->ORC == NullORC && BF.hasORC()) { 677 BC.errs() << "BOLT-WARNING: ORC unwind info excludes prologue for " 678 << BF << '\n'; 679 } 680 681 It->BF = &BF; 682 683 CurrentState = It->ORC; 684 if (It->ORC != NullORC) 685 BF.setHasORC(true); 686 } 687 688 // While printing ORC, attach info to every instruction for convenience. 689 if (opts::PrintORC || &Inst == &BB.front()) 690 BC.MIB->addAnnotation(Inst, "ORC", *CurrentState); 691 } 692 } 693 } 694 695 return Error::success(); 696 } 697 698 Error LinuxKernelRewriter::rewriteORCTables() { 699 if (!NumORCEntries) 700 return Error::success(); 701 702 // Update ORC sections in-place. As we change the code, the number of ORC 703 // entries may increase for some functions. However, as we remove terminator 704 // redundancy (see below), more space is freed up and we should always be able 705 // to fit new ORC tables in the reserved space. 706 auto createInPlaceWriter = [&](BinarySection &Section) -> BinaryStreamWriter { 707 const size_t Size = Section.getSize(); 708 uint8_t *NewContents = new uint8_t[Size]; 709 Section.updateContents(NewContents, Size); 710 Section.setOutputFileOffset(Section.getInputFileOffset()); 711 return BinaryStreamWriter({NewContents, Size}, BC.AsmInfo->isLittleEndian() 712 ? 
endianness::little 713 : endianness::big); 714 }; 715 BinaryStreamWriter UnwindWriter = createInPlaceWriter(*ORCUnwindSection); 716 BinaryStreamWriter UnwindIPWriter = createInPlaceWriter(*ORCUnwindIPSection); 717 718 uint64_t NumEmitted = 0; 719 std::optional<ORCState> LastEmittedORC; 720 auto emitORCEntry = [&](const uint64_t IP, const ORCState &ORC, 721 MCSymbol *Label = 0, bool Force = false) -> Error { 722 if (LastEmittedORC && ORC == *LastEmittedORC && !Force) 723 return Error::success(); 724 725 LastEmittedORC = ORC; 726 727 if (++NumEmitted > NumORCEntries) 728 return createStringError(errc::executable_format_error, 729 "exceeded the number of allocated ORC entries"); 730 731 if (Label) 732 ORCUnwindIPSection->addRelocation(UnwindIPWriter.getOffset(), Label, 733 Relocation::getPC32(), /*Addend*/ 0); 734 735 const int32_t IPValue = 736 IP - ORCUnwindIPSection->getAddress() - UnwindIPWriter.getOffset(); 737 if (Error E = UnwindIPWriter.writeInteger(IPValue)) 738 return E; 739 740 if (Error E = UnwindWriter.writeInteger(ORC.SPOffset)) 741 return E; 742 if (Error E = UnwindWriter.writeInteger(ORC.BPOffset)) 743 return E; 744 if (Error E = UnwindWriter.writeInteger(ORC.Info)) 745 return E; 746 747 return Error::success(); 748 }; 749 750 // Emit new ORC entries for the emitted function. 751 auto emitORC = [&](const FunctionFragment &FF) -> Error { 752 ORCState CurrentState = NullORC; 753 for (BinaryBasicBlock *BB : FF) { 754 for (MCInst &Inst : *BB) { 755 ErrorOr<ORCState> ErrorOrState = 756 BC.MIB->tryGetAnnotationAs<ORCState>(Inst, "ORC"); 757 if (!ErrorOrState || *ErrorOrState == CurrentState) 758 continue; 759 760 // Issue label for the instruction. 761 MCSymbol *Label = 762 BC.MIB->getOrCreateInstLabel(Inst, "__ORC_", BC.Ctx.get()); 763 764 if (Error E = emitORCEntry(0, *ErrorOrState, Label)) 765 return E; 766 767 CurrentState = *ErrorOrState; 768 } 769 } 770 771 return Error::success(); 772 }; 773 774 // Emit ORC entries for cold fragments. We assume that these fragments are 775 // emitted contiguously in memory using reserved space in the kernel. This 776 // assumption is validated in post-emit pass validateORCTables() where we 777 // check that ORC entries are sorted by their addresses. 778 auto emitColdORC = [&]() -> Error { 779 for (BinaryFunction &BF : 780 llvm::make_second_range(BC.getBinaryFunctions())) { 781 if (!BC.shouldEmit(BF)) 782 continue; 783 for (FunctionFragment &FF : BF.getLayout().getSplitFragments()) 784 if (Error E = emitORC(FF)) 785 return E; 786 } 787 788 return Error::success(); 789 }; 790 791 bool ShouldEmitCold = !BC.BOLTReserved.empty(); 792 for (ORCListEntry &Entry : ORCEntries) { 793 if (ShouldEmitCold && Entry.IP > BC.BOLTReserved.start()) { 794 if (Error E = emitColdORC()) 795 return E; 796 797 // Emit terminator entry at the end of the reserved region. 798 if (Error E = emitORCEntry(BC.BOLTReserved.end(), NullORC)) 799 return E; 800 801 ShouldEmitCold = false; 802 } 803 804 // Emit original entries for functions that we haven't modified. 805 if (!Entry.BF || !BC.shouldEmit(*Entry.BF)) { 806 // Emit terminator only if it marks the start of a function. 807 if (Entry.ORC == NullORC && !Entry.BF) 808 continue; 809 if (Error E = emitORCEntry(Entry.IP, Entry.ORC)) 810 return E; 811 continue; 812 } 813 814 // Emit all ORC entries for a function referenced by an entry and skip over 815 // the rest of entries for this function by resetting its ORC attribute. 
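    // Multiple input entries may reference the same function. Emitting the
    // function's new entries on the first reference and clearing hasORC()
    // afterwards turns the remaining input entries for it into no-ops.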
816 if (Entry.BF->hasORC()) { 817 if (Error E = emitORC(Entry.BF->getLayout().getMainFragment())) 818 return E; 819 Entry.BF->setHasORC(false); 820 } 821 } 822 823 LLVM_DEBUG(dbgs() << "BOLT-DEBUG: emitted " << NumEmitted 824 << " ORC entries\n"); 825 826 // Populate ORC tables with a terminator entry with max address to match the 827 // original table sizes. 828 const uint64_t LastIP = std::numeric_limits<uint64_t>::max(); 829 while (UnwindWriter.bytesRemaining()) { 830 if (Error E = emitORCEntry(LastIP, NullORC, nullptr, /*Force*/ true)) 831 return E; 832 } 833 834 return Error::success(); 835 } 836 837 Error LinuxKernelRewriter::validateORCTables() { 838 if (!ORCUnwindIPSection) 839 return Error::success(); 840 841 const uint64_t IPSectionAddress = ORCUnwindIPSection->getAddress(); 842 DataExtractor IPDE = DataExtractor(ORCUnwindIPSection->getOutputContents(), 843 BC.AsmInfo->isLittleEndian(), 844 BC.AsmInfo->getCodePointerSize()); 845 DataExtractor::Cursor IPCursor(0); 846 uint64_t PrevIP = 0; 847 for (uint32_t Index = 0; Index < NumORCEntries; ++Index) { 848 const uint64_t IP = 849 IPSectionAddress + IPCursor.tell() + (int32_t)IPDE.getU32(IPCursor); 850 if (!IPCursor) 851 return createStringError(errc::executable_format_error, 852 "out of bounds while reading ORC IP table: %s", 853 toString(IPCursor.takeError()).c_str()); 854 855 assert(IP >= PrevIP && "Unsorted ORC table detected"); 856 (void)PrevIP; 857 PrevIP = IP; 858 } 859 860 return Error::success(); 861 } 862 863 /// The static call site table is created by objtool and contains entries in the 864 /// following format: 865 /// 866 /// struct static_call_site { 867 /// s32 addr; 868 /// s32 key; 869 /// }; 870 /// 871 Error LinuxKernelRewriter::readStaticCalls() { 872 const BinaryData *StaticCallTable = 873 BC.getBinaryDataByName("__start_static_call_sites"); 874 if (!StaticCallTable) 875 return Error::success(); 876 877 StaticCallTableAddress = StaticCallTable->getAddress(); 878 879 const BinaryData *Stop = BC.getBinaryDataByName("__stop_static_call_sites"); 880 if (!Stop) 881 return createStringError(errc::executable_format_error, 882 "missing __stop_static_call_sites symbol"); 883 884 ErrorOr<BinarySection &> ErrorOrSection = 885 BC.getSectionForAddress(StaticCallTableAddress); 886 if (!ErrorOrSection) 887 return createStringError(errc::executable_format_error, 888 "no section matching __start_static_call_sites"); 889 890 StaticCallSection = *ErrorOrSection; 891 if (!StaticCallSection->containsAddress(Stop->getAddress() - 1)) 892 return createStringError(errc::executable_format_error, 893 "__stop_static_call_sites not in the same section " 894 "as __start_static_call_sites"); 895 896 if ((Stop->getAddress() - StaticCallTableAddress) % STATIC_CALL_ENTRY_SIZE) 897 return createStringError(errc::executable_format_error, 898 "static call table size error"); 899 900 const uint64_t SectionAddress = StaticCallSection->getAddress(); 901 DataExtractor DE(StaticCallSection->getContents(), 902 BC.AsmInfo->isLittleEndian(), 903 BC.AsmInfo->getCodePointerSize()); 904 DataExtractor::Cursor Cursor(StaticCallTableAddress - SectionAddress); 905 uint32_t EntryID = 0; 906 while (Cursor && Cursor.tell() < Stop->getAddress() - SectionAddress) { 907 const uint64_t CallAddress = 908 SectionAddress + Cursor.tell() + (int32_t)DE.getU32(Cursor); 909 const uint64_t KeyAddress = 910 SectionAddress + Cursor.tell() + (int32_t)DE.getU32(Cursor); 911 912 // Consume the status of the cursor. 
913 if (!Cursor) 914 return createStringError(errc::executable_format_error, 915 "out of bounds while reading static calls: %s", 916 toString(Cursor.takeError()).c_str()); 917 918 ++EntryID; 919 920 if (opts::DumpStaticCalls) { 921 BC.outs() << "Static Call Site: " << EntryID << '\n'; 922 BC.outs() << "\tCallAddress: 0x" << Twine::utohexstr(CallAddress) 923 << "\n\tKeyAddress: 0x" << Twine::utohexstr(KeyAddress) 924 << '\n'; 925 } 926 927 BinaryFunction *BF = BC.getBinaryFunctionContainingAddress(CallAddress); 928 if (!BF) 929 continue; 930 931 if (!BC.shouldEmit(*BF)) 932 continue; 933 934 if (!BF->hasInstructions()) 935 continue; 936 937 MCInst *Inst = BF->getInstructionAtOffset(CallAddress - BF->getAddress()); 938 if (!Inst) 939 return createStringError(errc::executable_format_error, 940 "no instruction at call site address 0x%" PRIx64, 941 CallAddress); 942 943 // Check for duplicate entries. 944 if (BC.MIB->hasAnnotation(*Inst, "StaticCall")) 945 return createStringError(errc::executable_format_error, 946 "duplicate static call site at 0x%" PRIx64, 947 CallAddress); 948 949 BC.MIB->addAnnotation(*Inst, "StaticCall", EntryID); 950 951 MCSymbol *Label = 952 BC.MIB->getOrCreateInstLabel(*Inst, "__SC_", BC.Ctx.get()); 953 954 StaticCallEntries.push_back({EntryID, BF, Label}); 955 } 956 957 BC.outs() << "BOLT-INFO: parsed " << StaticCallEntries.size() 958 << " static call entries\n"; 959 960 return Error::success(); 961 } 962 963 /// The static call table is sorted during boot time in 964 /// static_call_sort_entries(). This makes it possible to update existing 965 /// entries in-place ignoring their relative order. 966 Error LinuxKernelRewriter::rewriteStaticCalls() { 967 if (!StaticCallTableAddress || !StaticCallSection) 968 return Error::success(); 969 970 for (auto &Entry : StaticCallEntries) { 971 if (!Entry.Function) 972 continue; 973 974 BinaryFunction &BF = *Entry.Function; 975 if (!BC.shouldEmit(BF)) 976 continue; 977 978 // Create a relocation against the label. 979 const uint64_t EntryOffset = StaticCallTableAddress - 980 StaticCallSection->getAddress() + 981 (Entry.ID - 1) * STATIC_CALL_ENTRY_SIZE; 982 StaticCallSection->addRelocation(EntryOffset, Entry.Label, 983 ELF::R_X86_64_PC32, /*Addend*/ 0); 984 } 985 986 return Error::success(); 987 } 988 989 /// Instructions that access user-space memory can cause page faults. These 990 /// faults will be handled by the kernel and execution will resume at the fixup 991 /// code location if the address was invalid. The kernel uses the exception 992 /// table to match the faulting instruction to its fixup. 
The table consists of 993 /// the following entries: 994 /// 995 /// struct exception_table_entry { 996 /// int insn; 997 /// int fixup; 998 /// int data; 999 /// }; 1000 /// 1001 /// More info at: 1002 /// https://www.kernel.org/doc/Documentation/x86/exception-tables.txt 1003 Error LinuxKernelRewriter::readExceptionTable() { 1004 ExceptionsSection = BC.getUniqueSectionByName("__ex_table"); 1005 if (!ExceptionsSection) 1006 return Error::success(); 1007 1008 if (ExceptionsSection->getSize() % EXCEPTION_TABLE_ENTRY_SIZE) 1009 return createStringError(errc::executable_format_error, 1010 "exception table size error"); 1011 1012 const uint64_t SectionAddress = ExceptionsSection->getAddress(); 1013 DataExtractor DE(ExceptionsSection->getContents(), 1014 BC.AsmInfo->isLittleEndian(), 1015 BC.AsmInfo->getCodePointerSize()); 1016 DataExtractor::Cursor Cursor(0); 1017 uint32_t EntryID = 0; 1018 while (Cursor && Cursor.tell() < ExceptionsSection->getSize()) { 1019 const uint64_t InstAddress = 1020 SectionAddress + Cursor.tell() + (int32_t)DE.getU32(Cursor); 1021 const uint64_t FixupAddress = 1022 SectionAddress + Cursor.tell() + (int32_t)DE.getU32(Cursor); 1023 const uint64_t Data = DE.getU32(Cursor); 1024 1025 // Consume the status of the cursor. 1026 if (!Cursor) 1027 return createStringError( 1028 errc::executable_format_error, 1029 "out of bounds while reading exception table: %s", 1030 toString(Cursor.takeError()).c_str()); 1031 1032 ++EntryID; 1033 1034 if (opts::DumpExceptions) { 1035 BC.outs() << "Exception Entry: " << EntryID << '\n'; 1036 BC.outs() << "\tInsn: 0x" << Twine::utohexstr(InstAddress) << '\n' 1037 << "\tFixup: 0x" << Twine::utohexstr(FixupAddress) << '\n' 1038 << "\tData: 0x" << Twine::utohexstr(Data) << '\n'; 1039 } 1040 1041 MCInst *Inst = nullptr; 1042 MCSymbol *FixupLabel = nullptr; 1043 1044 BinaryFunction *InstBF = BC.getBinaryFunctionContainingAddress(InstAddress); 1045 if (InstBF && BC.shouldEmit(*InstBF)) { 1046 Inst = InstBF->getInstructionAtOffset(InstAddress - InstBF->getAddress()); 1047 if (!Inst) 1048 return createStringError(errc::executable_format_error, 1049 "no instruction at address 0x%" PRIx64 1050 " in exception table", 1051 InstAddress); 1052 BC.MIB->addAnnotation(*Inst, "ExceptionEntry", EntryID); 1053 FunctionsWithExceptions.insert(InstBF); 1054 } 1055 1056 if (!InstBF && opts::Verbosity) { 1057 BC.outs() << "BOLT-INFO: no function matches instruction at 0x" 1058 << Twine::utohexstr(InstAddress) 1059 << " referenced by Linux exception table\n"; 1060 } 1061 1062 BinaryFunction *FixupBF = 1063 BC.getBinaryFunctionContainingAddress(FixupAddress); 1064 if (FixupBF && BC.shouldEmit(*FixupBF)) { 1065 const uint64_t Offset = FixupAddress - FixupBF->getAddress(); 1066 if (!FixupBF->getInstructionAtOffset(Offset)) 1067 return createStringError(errc::executable_format_error, 1068 "no instruction at fixup address 0x%" PRIx64 1069 " in exception table", 1070 FixupAddress); 1071 FixupLabel = Offset ? 
                              FixupBF->addEntryPointAtOffset(Offset)
                          : FixupBF->getSymbol();
      if (Inst)
        BC.MIB->addAnnotation(*Inst, "Fixup", FixupLabel->getName());
      FunctionsWithExceptions.insert(FixupBF);
    }

    if (!FixupBF && opts::Verbosity) {
      BC.outs() << "BOLT-INFO: no function matches fixup code at 0x"
                << Twine::utohexstr(FixupAddress)
                << " referenced by Linux exception table\n";
    }
  }

  BC.outs() << "BOLT-INFO: parsed "
            << ExceptionsSection->getSize() / EXCEPTION_TABLE_ENTRY_SIZE
            << " exception table entries\n";

  return Error::success();
}

/// Depending on the value of CONFIG_BUILDTIME_TABLE_SORT, the kernel expects
/// the exception table to be sorted. Hence we have to sort it after code
/// reordering.
Error LinuxKernelRewriter::rewriteExceptionTable() {
  // Disable output of functions with exceptions before rewrite support is
  // added.
  for (BinaryFunction *BF : FunctionsWithExceptions)
    BF->setSimple(false);

  return Error::success();
}

/// .parainstructions section contains information for patching paravirtual
/// call instructions at runtime. The entries in the section are in the form:
///
/// struct paravirt_patch_site {
///   u8 *instr; /* original instructions */
///   u8 type;   /* type of this instruction */
///   u8 len;    /* length of original instruction */
/// };
///
/// Note that the structures are aligned at 8-byte boundary.
Error LinuxKernelRewriter::readParaInstructions() {
  ParavirtualPatchSection = BC.getUniqueSectionByName(".parainstructions");
  if (!ParavirtualPatchSection)
    return Error::success();

  DataExtractor DE = DataExtractor(ParavirtualPatchSection->getContents(),
                                   BC.AsmInfo->isLittleEndian(),
                                   BC.AsmInfo->getCodePointerSize());
  uint32_t EntryID = 0;
  DataExtractor::Cursor Cursor(0);
  while (Cursor && !DE.eof(Cursor)) {
    const uint64_t NextOffset = alignTo(Cursor.tell(), Align(PARA_PATCH_ALIGN));
    if (!DE.isValidOffset(NextOffset))
      break;

    Cursor.seek(NextOffset);

    const uint64_t InstrLocation = DE.getU64(Cursor);
    const uint8_t Type = DE.getU8(Cursor);
    const uint8_t Len = DE.getU8(Cursor);

    if (!Cursor)
      return createStringError(
          errc::executable_format_error,
          "out of bounds while reading .parainstructions: %s",
          toString(Cursor.takeError()).c_str());

    ++EntryID;

    if (opts::DumpParavirtualPatchSites) {
      BC.outs() << "Paravirtual patch site: " << EntryID << '\n';
      BC.outs() << "\tInstr: 0x" << Twine::utohexstr(InstrLocation)
                << "\n\tType: 0x" << Twine::utohexstr(Type) << "\n\tLen: 0x"
                << Twine::utohexstr(Len) << '\n';
    }

    BinaryFunction *BF = BC.getBinaryFunctionContainingAddress(InstrLocation);
    if (!BF && opts::Verbosity) {
      BC.outs() << "BOLT-INFO: no function matches address 0x"
                << Twine::utohexstr(InstrLocation)
                << " referenced by paravirtual patch site\n";
    }

    if (BF && BC.shouldEmit(*BF)) {
      MCInst *Inst =
          BF->getInstructionAtOffset(InstrLocation - BF->getAddress());
      if (!Inst)
        return createStringError(errc::executable_format_error,
                                 "no instruction at address 0x%" PRIx64
                                 " in paravirtual call site %d",
                                 InstrLocation, EntryID);
      BC.MIB->addAnnotation(*Inst, "ParaSite", EntryID);
    }
  }

  BC.outs() << "BOLT-INFO: parsed " << EntryID << " 
paravirtual patch sites\n"; 1170 1171 return Error::success(); 1172 } 1173 1174 void LinuxKernelRewriter::skipFunctionsWithAnnotation( 1175 StringRef Annotation) const { 1176 for (BinaryFunction &BF : llvm::make_second_range(BC.getBinaryFunctions())) { 1177 if (!BC.shouldEmit(BF)) 1178 continue; 1179 for (const BinaryBasicBlock &BB : BF) { 1180 const bool HasAnnotation = llvm::any_of(BB, [&](const MCInst &Inst) { 1181 return BC.MIB->hasAnnotation(Inst, Annotation); 1182 }); 1183 if (HasAnnotation) { 1184 BF.setSimple(false); 1185 break; 1186 } 1187 } 1188 } 1189 } 1190 1191 Error LinuxKernelRewriter::rewriteParaInstructions() { 1192 // Disable output of functions with paravirtual instructions before the 1193 // rewrite support is complete. 1194 skipFunctionsWithAnnotation("ParaSite"); 1195 1196 return Error::success(); 1197 } 1198 1199 /// Process __bug_table section. 1200 /// This section contains information useful for kernel debugging, mostly 1201 /// utilized by WARN()/WARN_ON() macros and deprecated BUG()/BUG_ON(). 1202 /// 1203 /// Each entry in the section is a struct bug_entry that contains a pointer to 1204 /// the ud2 instruction corresponding to the bug, corresponding file name (both 1205 /// pointers use PC relative offset addressing), line number, and flags. 1206 /// The definition of the struct bug_entry can be found in 1207 /// `include/asm-generic/bug.h`. The first entry in the struct is an instruction 1208 /// address encoded as a PC-relative offset. In theory, it could be an absolute 1209 /// address if CONFIG_GENERIC_BUG_RELATIVE_POINTERS is not set, but in practice 1210 /// the kernel code relies on it being a relative offset on x86-64. 1211 Error LinuxKernelRewriter::readBugTable() { 1212 BugTableSection = BC.getUniqueSectionByName("__bug_table"); 1213 if (!BugTableSection) 1214 return Error::success(); 1215 1216 if (BugTableSection->getSize() % BUG_TABLE_ENTRY_SIZE) 1217 return createStringError(errc::executable_format_error, 1218 "bug table size error"); 1219 1220 const uint64_t SectionAddress = BugTableSection->getAddress(); 1221 DataExtractor DE(BugTableSection->getContents(), BC.AsmInfo->isLittleEndian(), 1222 BC.AsmInfo->getCodePointerSize()); 1223 DataExtractor::Cursor Cursor(0); 1224 uint32_t EntryID = 0; 1225 while (Cursor && Cursor.tell() < BugTableSection->getSize()) { 1226 const uint64_t Pos = Cursor.tell(); 1227 const uint64_t InstAddress = 1228 SectionAddress + Pos + (int32_t)DE.getU32(Cursor); 1229 Cursor.seek(Pos + BUG_TABLE_ENTRY_SIZE); 1230 1231 if (!Cursor) 1232 return createStringError(errc::executable_format_error, 1233 "out of bounds while reading __bug_table: %s", 1234 toString(Cursor.takeError()).c_str()); 1235 1236 ++EntryID; 1237 1238 BinaryFunction *BF = BC.getBinaryFunctionContainingAddress(InstAddress); 1239 if (!BF && opts::Verbosity) { 1240 BC.outs() << "BOLT-INFO: no function matches address 0x" 1241 << Twine::utohexstr(InstAddress) 1242 << " referenced by bug table\n"; 1243 } 1244 1245 if (BF && BC.shouldEmit(*BF)) { 1246 MCInst *Inst = BF->getInstructionAtOffset(InstAddress - BF->getAddress()); 1247 if (!Inst) 1248 return createStringError(errc::executable_format_error, 1249 "no instruction at address 0x%" PRIx64 1250 " referenced by bug table entry %d", 1251 InstAddress, EntryID); 1252 BC.MIB->addAnnotation(*Inst, "BugEntry", EntryID); 1253 1254 FunctionBugList[BF].push_back(EntryID); 1255 } 1256 } 1257 1258 BC.outs() << "BOLT-INFO: parsed " << EntryID << " bug table entries\n"; 1259 1260 return Error::success(); 1261 } 1262 1263 /// 
/// find_bug() uses linear search to match an address to an entry in the bug
/// table. Hence, there is no need to sort entries when rewriting the table.
/// When we need to erase an entry, we set its instruction address to zero.
Error LinuxKernelRewriter::rewriteBugTable() {
  if (!BugTableSection)
    return Error::success();

  for (BinaryFunction &BF : llvm::make_second_range(BC.getBinaryFunctions())) {
    if (!BC.shouldEmit(BF))
      continue;

    if (!FunctionBugList.count(&BF))
      continue;

    // Bugs that will be emitted for this function.
    DenseSet<uint32_t> EmittedIDs;
    for (BinaryBasicBlock &BB : BF) {
      for (MCInst &Inst : BB) {
        if (!BC.MIB->hasAnnotation(Inst, "BugEntry"))
          continue;
        const uint32_t ID = BC.MIB->getAnnotationAs<uint32_t>(Inst, "BugEntry");
        EmittedIDs.insert(ID);

        // Create a relocation entry for this bug entry.
        MCSymbol *Label =
            BC.MIB->getOrCreateInstLabel(Inst, "__BUG_", BC.Ctx.get());
        const uint64_t EntryOffset = (ID - 1) * BUG_TABLE_ENTRY_SIZE;
        BugTableSection->addRelocation(EntryOffset, Label, ELF::R_X86_64_PC32,
                                       /*Addend*/ 0);
      }
    }

    // Clear bug entries that were not emitted for this function, e.g. as a
    // result of DCE, by setting their instruction address to zero.
    for (const uint32_t ID : FunctionBugList[&BF]) {
      if (!EmittedIDs.count(ID)) {
        const uint64_t EntryOffset = (ID - 1) * BUG_TABLE_ENTRY_SIZE;
        BugTableSection->addRelocation(EntryOffset, nullptr, ELF::R_X86_64_PC32,
                                       /*Addend*/ 0);
      }
    }
  }

  return Error::success();
}

/// The kernel can replace certain instruction sequences depending on hardware
/// it is running on and features specified during boot time. The information
/// about alternative instruction sequences is stored in .altinstructions
/// section. The format of entries in this section is defined in
/// arch/x86/include/asm/alternative.h:
///
/// struct alt_instr {
///   s32 instr_offset;
///   s32 repl_offset;
///   uXX feature;
///   u8  instrlen;
///   u8  replacementlen;
///   u8  padlen;          // present in older kernels
/// } __packed;
///
/// Note that the structure is packed.
///
/// Since the size of the "feature" field could be either u16 or u32, and
/// "padlen" presence is unknown, we attempt to parse .altinstructions section
/// using all possible combinations (four at this time). Since we validate the
/// contents of the section and its size, the detection works quite well.
/// Still, we leave the user the opportunity to specify these features on the
/// command line and skip the guesswork.
Error LinuxKernelRewriter::readAltInstructions() {
  AltInstrSection = BC.getUniqueSectionByName(".altinstructions");
  if (!AltInstrSection)
    return Error::success();

  // Presence of "padlen" field.
  std::vector<bool> PadLenVariants;
  if (opts::AltInstHasPadLen.getNumOccurrences())
    PadLenVariants.push_back(opts::AltInstHasPadLen);
  else
    PadLenVariants = {false, true};

  // Size (in bytes) variants of "feature" field.
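  // For reference, the packed alt_instr entry size implied by each probed
  // combination below works out to:
  //   4 + 4 + feature-size + 1 + 1 + (padlen ? 1 : 0) = 12, 13, 14, or 15
  // bytes, which is what makes the validation in tryReadAltInstructions() an
  // effective format detector.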
1345 std::vector<uint32_t> FeatureSizeVariants; 1346 if (opts::AltInstFeatureSize.getNumOccurrences()) 1347 FeatureSizeVariants.push_back(opts::AltInstFeatureSize); 1348 else 1349 FeatureSizeVariants = {2, 4}; 1350 1351 for (bool AltInstHasPadLen : PadLenVariants) { 1352 for (uint32_t AltInstFeatureSize : FeatureSizeVariants) { 1353 LLVM_DEBUG({ 1354 dbgs() << "BOLT-DEBUG: trying AltInstHasPadLen = " << AltInstHasPadLen 1355 << "; AltInstFeatureSize = " << AltInstFeatureSize << ";\n"; 1356 }); 1357 if (Error E = tryReadAltInstructions(AltInstFeatureSize, AltInstHasPadLen, 1358 /*ParseOnly*/ true)) { 1359 consumeError(std::move(E)); 1360 continue; 1361 } 1362 1363 LLVM_DEBUG(dbgs() << "Matched .altinstructions format\n"); 1364 1365 if (!opts::AltInstHasPadLen.getNumOccurrences()) 1366 BC.outs() << "BOLT-INFO: setting --" << opts::AltInstHasPadLen.ArgStr 1367 << '=' << AltInstHasPadLen << '\n'; 1368 1369 if (!opts::AltInstFeatureSize.getNumOccurrences()) 1370 BC.outs() << "BOLT-INFO: setting --" << opts::AltInstFeatureSize.ArgStr 1371 << '=' << AltInstFeatureSize << '\n'; 1372 1373 return tryReadAltInstructions(AltInstFeatureSize, AltInstHasPadLen, 1374 /*ParseOnly*/ false); 1375 } 1376 } 1377 1378 // We couldn't match the format. Read again to properly propagate the error 1379 // to the user. 1380 return tryReadAltInstructions(opts::AltInstFeatureSize, 1381 opts::AltInstHasPadLen, /*ParseOnly*/ false); 1382 } 1383 1384 Error LinuxKernelRewriter::tryReadAltInstructions(uint32_t AltInstFeatureSize, 1385 bool AltInstHasPadLen, 1386 bool ParseOnly) { 1387 const uint64_t Address = AltInstrSection->getAddress(); 1388 DataExtractor DE = DataExtractor(AltInstrSection->getContents(), 1389 BC.AsmInfo->isLittleEndian(), 1390 BC.AsmInfo->getCodePointerSize()); 1391 uint64_t EntryID = 0; 1392 DataExtractor::Cursor Cursor(0); 1393 while (Cursor && !DE.eof(Cursor)) { 1394 const uint64_t OrgInstAddress = 1395 Address + Cursor.tell() + (int32_t)DE.getU32(Cursor); 1396 const uint64_t AltInstAddress = 1397 Address + Cursor.tell() + (int32_t)DE.getU32(Cursor); 1398 const uint64_t Feature = DE.getUnsigned(Cursor, AltInstFeatureSize); 1399 const uint8_t OrgSize = DE.getU8(Cursor); 1400 const uint8_t AltSize = DE.getU8(Cursor); 1401 1402 // Older kernels may have the padlen field. 1403 const uint8_t PadLen = AltInstHasPadLen ? 
DE.getU8(Cursor) : 0; 1404 1405 if (!Cursor) 1406 return createStringError( 1407 errc::executable_format_error, 1408 "out of bounds while reading .altinstructions: %s", 1409 toString(Cursor.takeError()).c_str()); 1410 1411 ++EntryID; 1412 1413 if (opts::DumpAltInstructions) { 1414 BC.outs() << "Alternative instruction entry: " << EntryID 1415 << "\n\tOrg: 0x" << Twine::utohexstr(OrgInstAddress) 1416 << "\n\tAlt: 0x" << Twine::utohexstr(AltInstAddress) 1417 << "\n\tFeature: 0x" << Twine::utohexstr(Feature) 1418 << "\n\tOrgSize: " << (int)OrgSize 1419 << "\n\tAltSize: " << (int)AltSize << '\n'; 1420 if (AltInstHasPadLen) 1421 BC.outs() << "\tPadLen: " << (int)PadLen << '\n'; 1422 } 1423 1424 if (AltSize > OrgSize) 1425 return createStringError(errc::executable_format_error, 1426 "error reading .altinstructions"); 1427 1428 BinaryFunction *BF = BC.getBinaryFunctionContainingAddress(OrgInstAddress); 1429 if (!BF && opts::Verbosity) { 1430 BC.outs() << "BOLT-INFO: no function matches address 0x" 1431 << Twine::utohexstr(OrgInstAddress) 1432 << " of instruction from .altinstructions\n"; 1433 } 1434 1435 BinaryFunction *AltBF = 1436 BC.getBinaryFunctionContainingAddress(AltInstAddress); 1437 if (!ParseOnly && AltBF && BC.shouldEmit(*AltBF)) { 1438 BC.errs() 1439 << "BOLT-WARNING: alternative instruction sequence found in function " 1440 << *AltBF << '\n'; 1441 AltBF->setIgnored(); 1442 } 1443 1444 if (!BF || !BC.shouldEmit(*BF)) 1445 continue; 1446 1447 if (OrgInstAddress + OrgSize > BF->getAddress() + BF->getSize()) 1448 return createStringError(errc::executable_format_error, 1449 "error reading .altinstructions"); 1450 1451 MCInst *Inst = 1452 BF->getInstructionAtOffset(OrgInstAddress - BF->getAddress()); 1453 if (!Inst) 1454 return createStringError(errc::executable_format_error, 1455 "no instruction at address 0x%" PRIx64 1456 " referenced by .altinstructions entry %d", 1457 OrgInstAddress, EntryID); 1458 1459 if (ParseOnly) 1460 continue; 1461 1462 // There could be more than one alternative instruction sequences for the 1463 // same original instruction. Annotate each alternative separately. 1464 std::string AnnotationName = "AltInst"; 1465 unsigned N = 2; 1466 while (BC.MIB->hasAnnotation(*Inst, AnnotationName)) 1467 AnnotationName = "AltInst" + std::to_string(N++); 1468 1469 BC.MIB->addAnnotation(*Inst, AnnotationName, EntryID); 1470 1471 // Annotate all instructions from the original sequence. Note that it's not 1472 // the most efficient way to look for instructions in the address range, 1473 // but since alternative instructions are uncommon, it will do for now. 1474 for (uint32_t Offset = 1; Offset < OrgSize; ++Offset) { 1475 Inst = BF->getInstructionAtOffset(OrgInstAddress + Offset - 1476 BF->getAddress()); 1477 if (Inst) 1478 BC.MIB->addAnnotation(*Inst, AnnotationName, EntryID); 1479 } 1480 } 1481 1482 if (!ParseOnly) 1483 BC.outs() << "BOLT-INFO: parsed " << EntryID 1484 << " alternative instruction entries\n"; 1485 1486 return Error::success(); 1487 } 1488 1489 Error LinuxKernelRewriter::rewriteAltInstructions() { 1490 // Disable output of functions with alt instructions before the rewrite 1491 // support is complete. 1492 skipFunctionsWithAnnotation("AltInst"); 1493 1494 return Error::success(); 1495 } 1496 1497 /// When the Linux kernel needs to handle an error associated with a given PCI 1498 /// device, it uses a table stored in .pci_fixup section to locate a fixup code 1499 /// specific to the vendor and the problematic device. 
The section contains a 1500 /// list of the following structures defined in include/linux/pci.h: 1501 /// 1502 /// struct pci_fixup { 1503 /// u16 vendor; /* Or PCI_ANY_ID */ 1504 /// u16 device; /* Or PCI_ANY_ID */ 1505 /// u32 class; /* Or PCI_ANY_ID */ 1506 /// unsigned int class_shift; /* should be 0, 8, 16 */ 1507 /// int hook_offset; 1508 /// }; 1509 /// 1510 /// Normally, the hook will point to a function start and we don't have to 1511 /// update the pointer if we are not relocating functions. Hence, while reading 1512 /// the table we validate this assumption. If a function has a fixup code in the 1513 /// middle of its body, we issue a warning and ignore it. 1514 Error LinuxKernelRewriter::readPCIFixupTable() { 1515 PCIFixupSection = BC.getUniqueSectionByName(".pci_fixup"); 1516 if (!PCIFixupSection) 1517 return Error::success(); 1518 1519 if (PCIFixupSection->getSize() % PCI_FIXUP_ENTRY_SIZE) 1520 return createStringError(errc::executable_format_error, 1521 "PCI fixup table size error"); 1522 1523 const uint64_t Address = PCIFixupSection->getAddress(); 1524 DataExtractor DE = DataExtractor(PCIFixupSection->getContents(), 1525 BC.AsmInfo->isLittleEndian(), 1526 BC.AsmInfo->getCodePointerSize()); 1527 uint64_t EntryID = 0; 1528 DataExtractor::Cursor Cursor(0); 1529 while (Cursor && !DE.eof(Cursor)) { 1530 const uint16_t Vendor = DE.getU16(Cursor); 1531 const uint16_t Device = DE.getU16(Cursor); 1532 const uint32_t Class = DE.getU32(Cursor); 1533 const uint32_t ClassShift = DE.getU32(Cursor); 1534 const uint64_t HookAddress = 1535 Address + Cursor.tell() + (int32_t)DE.getU32(Cursor); 1536 1537 if (!Cursor) 1538 return createStringError(errc::executable_format_error, 1539 "out of bounds while reading .pci_fixup: %s", 1540 toString(Cursor.takeError()).c_str()); 1541 1542 ++EntryID; 1543 1544 if (opts::DumpPCIFixups) { 1545 BC.outs() << "PCI fixup entry: " << EntryID << "\n\tVendor 0x" 1546 << Twine::utohexstr(Vendor) << "\n\tDevice: 0x" 1547 << Twine::utohexstr(Device) << "\n\tClass: 0x" 1548 << Twine::utohexstr(Class) << "\n\tClassShift: 0x" 1549 << Twine::utohexstr(ClassShift) << "\n\tHookAddress: 0x" 1550 << Twine::utohexstr(HookAddress) << '\n'; 1551 } 1552 1553 BinaryFunction *BF = BC.getBinaryFunctionContainingAddress(HookAddress); 1554 if (!BF && opts::Verbosity) { 1555 BC.outs() << "BOLT-INFO: no function matches address 0x" 1556 << Twine::utohexstr(HookAddress) 1557 << " of hook from .pci_fixup\n"; 1558 } 1559 1560 if (!BF || !BC.shouldEmit(*BF)) 1561 continue; 1562 1563 if (const uint64_t Offset = HookAddress - BF->getAddress()) { 1564 BC.errs() << "BOLT-WARNING: PCI fixup detected in the middle of function " 1565 << *BF << " at offset 0x" << Twine::utohexstr(Offset) << '\n'; 1566 BF->setSimple(false); 1567 } 1568 } 1569 1570 BC.outs() << "BOLT-INFO: parsed " << EntryID << " PCI fixup entries\n"; 1571 1572 return Error::success(); 1573 } 1574 1575 /// Runtime code modification used by static keys is the most ubiquitous 1576 /// self-modifying feature of the Linux kernel. The idea is to eliminate the 1577 /// condition check and associated conditional jump on a hot path if that 1578 /// condition (based on a boolean value of a static key) does not change often. 1579 /// Whenever the condition changes, the kernel runtime modifies all code paths 1580 /// associated with that key flipping the code between nop and (unconditional) 1581 /// jump. 
The information about the code is stored in a static key jump table 1582 /// and contains the list of entries of the following type from 1583 /// include/linux/jump_label.h: 1584 // 1585 /// struct jump_entry { 1586 /// s32 code; 1587 /// s32 target; 1588 /// long key; // key may be far away from the core kernel under KASLR 1589 /// }; 1590 /// 1591 /// The list does not have to be stored in any sorted way, but it is sorted at 1592 /// boot time (or module initialization time) first by "key" and then by "code". 1593 /// jump_label_sort_entries() is responsible for sorting the table. 1594 /// 1595 /// The key in jump_entry structure uses lower two bits of the key address 1596 /// (which itself is aligned) to store extra information. We are interested in 1597 /// the lower bit which indicates if the key is likely to be set on the code 1598 /// path associated with this jump_entry. 1599 /// 1600 /// static_key_{enable,disable}() functions modify the code based on key and 1601 /// jump table entries. 1602 /// 1603 /// jump_label_update() updates all code entries for a given key. Batch mode is 1604 /// used for x86. 1605 /// 1606 /// The actual patching happens in text_poke_bp_batch() that overrides the first 1607 /// byte of the sequence with int3 before proceeding with actual code 1608 /// replacement. 1609 Error LinuxKernelRewriter::readStaticKeysJumpTable() { 1610 const BinaryData *StaticKeysJumpTable = 1611 BC.getBinaryDataByName("__start___jump_table"); 1612 if (!StaticKeysJumpTable) 1613 return Error::success(); 1614 1615 StaticKeysJumpTableAddress = StaticKeysJumpTable->getAddress(); 1616 1617 const BinaryData *Stop = BC.getBinaryDataByName("__stop___jump_table"); 1618 if (!Stop) 1619 return createStringError(errc::executable_format_error, 1620 "missing __stop___jump_table symbol"); 1621 1622 ErrorOr<BinarySection &> ErrorOrSection = 1623 BC.getSectionForAddress(StaticKeysJumpTableAddress); 1624 if (!ErrorOrSection) 1625 return createStringError(errc::executable_format_error, 1626 "no section matching __start___jump_table"); 1627 1628 StaticKeysJumpSection = *ErrorOrSection; 1629 if (!StaticKeysJumpSection->containsAddress(Stop->getAddress() - 1)) 1630 return createStringError(errc::executable_format_error, 1631 "__stop___jump_table not in the same section " 1632 "as __start___jump_table"); 1633 1634 if ((Stop->getAddress() - StaticKeysJumpTableAddress) % 1635 STATIC_KEYS_JUMP_ENTRY_SIZE) 1636 return createStringError(errc::executable_format_error, 1637 "static keys jump table size error"); 1638 1639 const uint64_t SectionAddress = StaticKeysJumpSection->getAddress(); 1640 DataExtractor DE(StaticKeysJumpSection->getContents(), 1641 BC.AsmInfo->isLittleEndian(), 1642 BC.AsmInfo->getCodePointerSize()); 1643 DataExtractor::Cursor Cursor(StaticKeysJumpTableAddress - SectionAddress); 1644 uint32_t EntryID = 0; 1645 while (Cursor && Cursor.tell() < Stop->getAddress() - SectionAddress) { 1646 const uint64_t JumpAddress = 1647 SectionAddress + Cursor.tell() + (int32_t)DE.getU32(Cursor); 1648 const uint64_t TargetAddress = 1649 SectionAddress + Cursor.tell() + (int32_t)DE.getU32(Cursor); 1650 const uint64_t KeyAddress = 1651 SectionAddress + Cursor.tell() + (int64_t)DE.getU64(Cursor); 1652 1653 // Consume the status of the cursor. 
    // Consume the status of the cursor.
    if (!Cursor)
      return createStringError(
          errc::executable_format_error,
          "out of bounds while reading static keys jump table: %s",
          toString(Cursor.takeError()).c_str());

    ++EntryID;

    JumpInfo.push_back(JumpInfoEntry());
    JumpInfoEntry &Info = JumpInfo.back();
    Info.Likely = KeyAddress & 1;

    if (opts::DumpStaticKeys) {
      BC.outs() << "Static key jump entry: " << EntryID
                << "\n\tJumpAddress: 0x" << Twine::utohexstr(JumpAddress)
                << "\n\tTargetAddress: 0x" << Twine::utohexstr(TargetAddress)
                << "\n\tKeyAddress: 0x" << Twine::utohexstr(KeyAddress)
                << "\n\tIsLikely: " << Info.Likely << '\n';
    }

    BinaryFunction *BF = BC.getBinaryFunctionContainingAddress(JumpAddress);
    if (!BF && opts::Verbosity) {
      BC.outs()
          << "BOLT-INFO: no function matches address 0x"
          << Twine::utohexstr(JumpAddress)
          << " of jump instruction referenced from static keys jump table\n";
    }

    if (!BF || !BC.shouldEmit(*BF))
      continue;

    MCInst *Inst = BF->getInstructionAtOffset(JumpAddress - BF->getAddress());
    if (!Inst)
      return createStringError(
          errc::executable_format_error,
          "no instruction at static keys jump site address 0x%" PRIx64,
          JumpAddress);

    if (!BF->containsAddress(TargetAddress))
      return createStringError(
          errc::executable_format_error,
          "invalid target of static keys jump at 0x%" PRIx64 " : 0x%" PRIx64,
          JumpAddress, TargetAddress);

    const bool IsBranch = BC.MIB->isBranch(*Inst);
    if (!IsBranch && !BC.MIB->isNoop(*Inst))
      return createStringError(errc::executable_format_error,
                               "jump or nop expected at address 0x%" PRIx64,
                               JumpAddress);

    const uint64_t Size = BC.computeInstructionSize(*Inst);
    if (Size != 2 && Size != 5) {
      return createStringError(
          errc::executable_format_error,
          "unexpected static keys jump size at address 0x%" PRIx64,
          JumpAddress);
    }

    MCSymbol *Target = BF->registerBranch(JumpAddress, TargetAddress);
    MCInst StaticKeyBranch;

    // Create a conditional branch instruction. The actual condition code does
    // not matter as long as it is valid, since the instruction is only treated
    // as a conditional branch for control-flow purposes. Before we emit the
    // code, it will be converted to a different instruction in
    // rewriteStaticKeysJumpTable().
    //
    // NB: for older kernels, under the LongJumpLabels option, we create a long
    //     conditional branch to guarantee that the code size estimation takes
    //     into account the extra bytes needed for the long branch used by the
    //     kernel patching code. Newer kernels can work with both short and
    //     long branches. The code for a long conditional branch is larger than
    //     for an unconditional one, so we are pessimistic in our estimation.
    if (opts::LongJumpLabels)
      BC.MIB->createLongCondBranch(StaticKeyBranch, Target, 0, BC.Ctx.get());
    else
      BC.MIB->createCondBranch(StaticKeyBranch, Target, 0, BC.Ctx.get());
    BC.MIB->moveAnnotations(std::move(*Inst), StaticKeyBranch);
    BC.MIB->setDynamicBranch(StaticKeyBranch, EntryID);
    *Inst = StaticKeyBranch;

    // IsBranch = InitialValue ^ LIKELY
    //
    //     0            0            0
    //     1            0            1
    //     1            1            0
    //     0            1            1
    //
    // => InitialValue = IsBranch ^ LIKELY
    Info.InitValue = IsBranch ^ Info.Likely;
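    // For instance, the last row of the table above: a "likely" entry whose
    // jump site is currently a nop (IsBranch == 0, Likely == 1) gives
    // InitValue == 1.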
    // Add annotations to facilitate manual code analysis.
    BC.MIB->addAnnotation(*Inst, "Likely", Info.Likely);
    BC.MIB->addAnnotation(*Inst, "InitValue", Info.InitValue);
    if (!BC.MIB->getSize(*Inst))
      BC.MIB->setSize(*Inst, Size);

    if (!BC.MIB->getOffset(*Inst))
      BC.MIB->setOffset(*Inst, JumpAddress - BF->getAddress());

    if (opts::LongJumpLabels)
      BC.MIB->setSize(*Inst, 5);
  }

  BC.outs() << "BOLT-INFO: parsed " << EntryID << " static keys jump entries\n";

  return Error::success();
}

// Pre-emit pass. Convert dynamic branch instructions into jumps that can be
// relaxed. In the post-emit pass, we will convert those jumps into nops when
// necessary. We do the unconditional conversion into jumps so that the jumps
// can be relaxed and the optimal size of the jump/nop instruction is selected.
Error LinuxKernelRewriter::rewriteStaticKeysJumpTable() {
  if (!StaticKeysJumpSection)
    return Error::success();

  uint64_t NumShort = 0;
  uint64_t NumLong = 0;
  for (BinaryFunction &BF : llvm::make_second_range(BC.getBinaryFunctions())) {
    if (!BC.shouldEmit(BF))
      continue;

    for (BinaryBasicBlock &BB : BF) {
      for (MCInst &Inst : BB) {
        if (!BC.MIB->isDynamicBranch(Inst))
          continue;

        const uint32_t EntryID = *BC.MIB->getDynamicBranchID(Inst);
        MCSymbol *Target =
            const_cast<MCSymbol *>(BC.MIB->getTargetSymbol(Inst));
        assert(Target && "Target symbol should be set.");

        const JumpInfoEntry &Info = JumpInfo[EntryID - 1];
        const bool IsBranch = Info.Likely ^ Info.InitValue;

        uint32_t Size = *BC.MIB->getSize(Inst);
        if (Size == 2)
          ++NumShort;
        else if (Size == 5)
          ++NumLong;
        else
          llvm_unreachable("Wrong size for static keys jump instruction.");

        MCInst NewInst;
        // Replace the instruction with an unconditional jump even if it needs
        // to be a nop in the binary.
        if (opts::LongJumpLabels) {
          BC.MIB->createLongUncondBranch(NewInst, Target, BC.Ctx.get());
        } else {
          // Newer kernels can handle short and long jumps for static keys.
          // Optimistically, emit a short jump and check if it gets relaxed
          // into a long one during post-emit. Only then convert the jump to a
          // nop.
          BC.MIB->createUncondBranch(NewInst, Target, BC.Ctx.get());
        }

        BC.MIB->moveAnnotations(std::move(Inst), NewInst);
        Inst = NewInst;

        // Mark the instruction for nop conversion.
        if (!IsBranch)
          NopIDs.insert(EntryID);

        MCSymbol *Label =
            BC.MIB->getOrCreateInstLabel(Inst, "__SK_", BC.Ctx.get());

        // Create a relocation against the label.
        const uint64_t EntryOffset = StaticKeysJumpTableAddress -
                                     StaticKeysJumpSection->getAddress() +
                                     (EntryID - 1) * 16;
        StaticKeysJumpSection->addRelocation(EntryOffset, Label,
                                             ELF::R_X86_64_PC32,
                                             /*Addend*/ 0);
        StaticKeysJumpSection->addRelocation(EntryOffset + 4, Target,
                                             ELF::R_X86_64_PC32, /*Addend*/ 0);
      }
    }
  }

  BC.outs() << "BOLT-INFO: the input contains " << NumShort << " short and "
            << NumLong << " long static keys jumps in optimized functions\n";

  return Error::success();
}

// Post-emit pass of static keys jump section. Convert jumps to nops.
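// At this point the function code has been emitted, so the final (possibly
// relaxed) size of every static keys jump is known. A sketch of what the pass
// below does: re-read the output jump table, disassemble each jump site from
// the emitted function image to collect size statistics, and overwrite the
// jump with a same-sized nop for the entries recorded in NopIDs.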
Error LinuxKernelRewriter::updateStaticKeysJumpTablePostEmit() {
  if (!StaticKeysJumpSection || !StaticKeysJumpSection->isFinalized())
    return Error::success();

  const uint64_t SectionAddress = StaticKeysJumpSection->getAddress();
  DataExtractor DE(StaticKeysJumpSection->getOutputContents(),
                   BC.AsmInfo->isLittleEndian(),
                   BC.AsmInfo->getCodePointerSize());
  DataExtractor::Cursor Cursor(StaticKeysJumpTableAddress - SectionAddress);
  const BinaryData *Stop = BC.getBinaryDataByName("__stop___jump_table");
  uint32_t EntryID = 0;
  uint64_t NumShort = 0;
  uint64_t NumLong = 0;
  while (Cursor && Cursor.tell() < Stop->getAddress() - SectionAddress) {
    const uint64_t JumpAddress =
        SectionAddress + Cursor.tell() + (int32_t)DE.getU32(Cursor);
    const uint64_t TargetAddress =
        SectionAddress + Cursor.tell() + (int32_t)DE.getU32(Cursor);
    const uint64_t KeyAddress =
        SectionAddress + Cursor.tell() + (int64_t)DE.getU64(Cursor);

    // Consume the status of the cursor.
    if (!Cursor)
      return createStringError(errc::executable_format_error,
                               "out of bounds while updating static keys: %s",
                               toString(Cursor.takeError()).c_str());

    ++EntryID;

    LLVM_DEBUG({
      dbgs() << "\n\tJumpAddress: 0x" << Twine::utohexstr(JumpAddress)
             << "\n\tTargetAddress: 0x" << Twine::utohexstr(TargetAddress)
             << "\n\tKeyAddress: 0x" << Twine::utohexstr(KeyAddress) << '\n';
    });
    (void)TargetAddress;
    (void)KeyAddress;

    BinaryFunction *BF =
        BC.getBinaryFunctionContainingAddress(JumpAddress,
                                              /*CheckPastEnd*/ false,
                                              /*UseMaxSize*/ true);
    assert(BF && "Cannot get function for modified static key.");

    if (!BF->isEmitted())
      continue;

    // Disassemble instruction to collect stats even if nop-conversion is
    // unnecessary.
    MutableArrayRef<uint8_t> Contents = MutableArrayRef<uint8_t>(
        reinterpret_cast<uint8_t *>(BF->getImageAddress()), BF->getImageSize());
    assert(Contents.size() && "Non-empty function image expected.");

    MCInst Inst;
    uint64_t Size;
    const uint64_t JumpOffset = JumpAddress - BF->getAddress();
    if (!BC.DisAsm->getInstruction(Inst, Size, Contents.slice(JumpOffset), 0,
                                   nulls())) {
      llvm_unreachable("Unable to disassemble jump instruction.");
    }
    assert(BC.MIB->isBranch(Inst) && "Branch instruction expected.");

    if (Size == 2)
      ++NumShort;
    else if (Size == 5)
      ++NumLong;
    else
      llvm_unreachable("Unexpected size for static keys jump instruction.");

    // Check if we need to convert jump instruction into a nop.
    if (!NopIDs.contains(EntryID))
      continue;

    SmallString<15> NopCode;
    raw_svector_ostream VecOS(NopCode);
    BC.MAB->writeNopData(VecOS, Size, BC.STI.get());
    for (uint64_t I = 0; I < Size; ++I)
      Contents[JumpOffset + I] = NopCode[I];
  }

  BC.outs() << "BOLT-INFO: written " << NumShort << " short and " << NumLong
            << " long static keys jumps in optimized functions\n";

  return Error::success();
}

} // namespace

std::unique_ptr<MetadataRewriter>
llvm::bolt::createLinuxKernelRewriter(BinaryContext &BC) {
  return std::make_unique<LinuxKernelRewriter>(BC);
}