From 0b35afd79d4cfbddbb54de76b262d7213a3a418d Mon Sep 17 00:00:00 2001 From: Zola Bridges Date: Tue, 27 Nov 2018 02:22:00 +0000 Subject: [PATCH] Revert "[clang][slh] add attribute for speculative load hardening" until I figure out why the build is failing or timing out *************************** Summary: The prior diff had to be reverted because there were two tests that failed. I updated the two tests in this diff clang/test/Misc/pragma-attribute-supported-attributes-list.test clang/test/SemaCXX/attr-speculative-load-hardening.cpp LLVM IR already has an attribute for speculative_load_hardening. Before this commit, when a user passed the -mspeculative-load-hardening flag to Clang, every function would have this attribute added to it. This Clang attribute will allow users to opt into SLH on a function by function basis. This can be applied to functions and Objective C methods. Reviewers: chandlerc, echristo, kristof.beyls, aaron.ballman Subscribers: llvm-commits Differential Revision: https://reviews.llvm.org/D54915 This reverts commit a5b3c232d1e3613f23efbc3960f8e23ea70f2a79. (r347617) llvm-svn: 347628 --- clang/include/clang/Basic/Attr.td | 6 ---- clang/include/clang/Basic/AttrDocs.td | 24 --------------- clang/lib/CodeGen/CGCall.cpp | 4 --- clang/lib/Sema/SemaDeclAttr.cpp | 3 -- .../CodeGen/attr-speculative-load-hardening.cpp | 18 ------------ .../test/CodeGen/attr-speculative-load-hardening.m | 9 ------ ...pragma-attribute-supported-attributes-list.test | 3 +- .../SemaCXX/attr-speculative-load-hardening.cpp | 34 ---------------------- llvm/docs/LangRef.rst | 22 ++++++++------ 9 files changed, 14 insertions(+), 109 deletions(-) delete mode 100644 clang/test/CodeGen/attr-speculative-load-hardening.cpp delete mode 100644 clang/test/CodeGen/attr-speculative-load-hardening.m delete mode 100644 clang/test/SemaCXX/attr-speculative-load-hardening.cpp diff --git a/clang/include/clang/Basic/Attr.td b/clang/include/clang/Basic/Attr.td index 5b52ba4..a6be48c 100644 --- a/clang/include/clang/Basic/Attr.td +++ b/clang/include/clang/Basic/Attr.td @@ -3091,9 +3091,3 @@ def AlwaysDestroy : InheritableAttr { let Subjects = SubjectList<[Var]>; let Documentation = [AlwaysDestroyDocs]; } - -def SpeculativeLoadHardening : InheritableAttr { - let Spellings = [Clang<"speculative_load_hardening">]; - let Subjects = SubjectList<[Function, ObjCMethod], ErrorDiag>; - let Documentation = [SpeculativeLoadHardeningDocs]; -} diff --git a/clang/include/clang/Basic/AttrDocs.td b/clang/include/clang/Basic/AttrDocs.td index 203ae82..e38c557 100644 --- a/clang/include/clang/Basic/AttrDocs.td +++ b/clang/include/clang/Basic/AttrDocs.td @@ -3629,27 +3629,3 @@ GNU inline semantics are the default behavior with ``-std=gnu89``, ``-std=c89``, ``-std=c94``, or ``-fgnu89-inline``. }]; } - -def SpeculativeLoadHardeningDocs : Documentation { - let Category = DocCatFunction; - let Content = [{ - This attribute can be applied to a function declaration in order to indicate - that `Speculative Load Hardening `_ - should be enabled for the function body. This can also be applied to a method - in Objective C. - - Speculative Load Hardening is a best-effort mitigation against - information leak attacks that make use of control flow - miss-speculation - specifically miss-speculation of whether a branch - is taken or not. Typically vulnerabilities enabling such attacks are - classified as "Spectre variant #1". Notably, this does not attempt to - mitigate against miss-speculation of branch target, classified as - "Spectre variant #2" vulnerabilities. - - When inlining, the attribute is sticky. Inlining a function that - carries this attribute will cause the caller to gain the - attribute. This is intended to provide a maximally conservative model - where the code in a function annotated with this attribute will always - (even after inlining) end up hardened. - }]; -} diff --git a/clang/lib/CodeGen/CGCall.cpp b/clang/lib/CodeGen/CGCall.cpp index 6d89f39..0ec5c7f 100644 --- a/clang/lib/CodeGen/CGCall.cpp +++ b/clang/lib/CodeGen/CGCall.cpp @@ -1791,8 +1791,6 @@ void CodeGenModule::ConstructDefaultFnAttrList(StringRef Name, bool HasOptnone, if (CodeGenOpts.Backchain) FuncAttrs.addAttribute("backchain"); - // FIXME: The interaction of this attribute with the SLH command line flag - // has not been determined. if (CodeGenOpts.SpeculativeLoadHardening) FuncAttrs.addAttribute(llvm::Attribute::SpeculativeLoadHardening); } @@ -1856,8 +1854,6 @@ void CodeGenModule::ConstructAttributeList( FuncAttrs.addAttribute(llvm::Attribute::NoDuplicate); if (TargetDecl->hasAttr()) FuncAttrs.addAttribute(llvm::Attribute::Convergent); - if (TargetDecl->hasAttr()) - FuncAttrs.addAttribute(llvm::Attribute::SpeculativeLoadHardening); if (const FunctionDecl *Fn = dyn_cast(TargetDecl)) { AddAttributesFromFunctionProtoType( diff --git a/clang/lib/Sema/SemaDeclAttr.cpp b/clang/lib/Sema/SemaDeclAttr.cpp index be662b9..9f5325d 100644 --- a/clang/lib/Sema/SemaDeclAttr.cpp +++ b/clang/lib/Sema/SemaDeclAttr.cpp @@ -6373,9 +6373,6 @@ static void ProcessDeclAttribute(Sema &S, Scope *scope, Decl *D, case ParsedAttr::AT_Section: handleSectionAttr(S, D, AL); break; - case ParsedAttr::AT_SpeculativeLoadHardening: - handleSimpleAttribute(S, D, AL); - break; case ParsedAttr::AT_CodeSeg: handleCodeSegAttr(S, D, AL); break; diff --git a/clang/test/CodeGen/attr-speculative-load-hardening.cpp b/clang/test/CodeGen/attr-speculative-load-hardening.cpp deleted file mode 100644 index e2eb805..0000000 --- a/clang/test/CodeGen/attr-speculative-load-hardening.cpp +++ /dev/null @@ -1,18 +0,0 @@ -// RUN: %clang_cc1 -std=c++11 -disable-llvm-passes -emit-llvm %s -o - | FileCheck %s --check-prefix=CHECK1 -// RUN: %clang_cc1 -std=c++11 -disable-llvm-passes -emit-llvm %s -o - | FileCheck %s --check-prefix=CHECK2 -// -// Check that we set the attribute on each function. - -[[clang::speculative_load_hardening]] -int test1() { - return 42; -} - -int __attribute__((speculative_load_hardening)) test2() { - return 42; -} -// CHECK1: @{{.*}}test1{{.*}}[[SLH1:#[0-9]+]] -// CHECK1: attributes [[SLH1]] = { {{.*}}speculative_load_hardening{{.*}} } - -// CHECK2: @{{.*}}test2{{.*}}[[SLH2:#[0-9]+]] -// CHECK2: attributes [[SLH2]] = { {{.*}}speculative_load_hardening{{.*}} } diff --git a/clang/test/CodeGen/attr-speculative-load-hardening.m b/clang/test/CodeGen/attr-speculative-load-hardening.m deleted file mode 100644 index 2de945b..0000000 --- a/clang/test/CodeGen/attr-speculative-load-hardening.m +++ /dev/null @@ -1,9 +0,0 @@ -// RUN: %clang -emit-llvm %s -o - -S | FileCheck %s -check-prefix=SLH - -int main() __attribute__((speculative_load_hardening)) { - return 0; -} - -// SLH: @{{.*}}main{{.*}}[[SLH:#[0-9]+]] - -// SLH: attributes [[SLH]] = { {{.*}}speculative_load_hardening{{.*}} } diff --git a/clang/test/Misc/pragma-attribute-supported-attributes-list.test b/clang/test/Misc/pragma-attribute-supported-attributes-list.test index 0aa923d..0a54c6c 100644 --- a/clang/test/Misc/pragma-attribute-supported-attributes-list.test +++ b/clang/test/Misc/pragma-attribute-supported-attributes-list.test @@ -2,7 +2,7 @@ // The number of supported attributes should never go down! -// CHECK: #pragma clang attribute supports 130 attributes: +// CHECK: #pragma clang attribute supports 129 attributes: // CHECK-NEXT: AMDGPUFlatWorkGroupSize (SubjectMatchRule_function) // CHECK-NEXT: AMDGPUNumSGPR (SubjectMatchRule_function) // CHECK-NEXT: AMDGPUNumVGPR (SubjectMatchRule_function) @@ -116,7 +116,6 @@ // CHECK-NEXT: ScopedLockable (SubjectMatchRule_record) // CHECK-NEXT: Section (SubjectMatchRule_function, SubjectMatchRule_variable_is_global, SubjectMatchRule_objc_method, SubjectMatchRule_objc_property) // CHECK-NEXT: SetTypestate (SubjectMatchRule_function_is_member) -// CHECK-NEXT: SpeculativeLoadHardening (SubjectMatchRule_function, SubjectMatchRule_objc_method) // CHECK-NEXT: SwiftContext (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: SwiftErrorResult (SubjectMatchRule_variable_is_parameter) // CHECK-NEXT: SwiftIndirectResult (SubjectMatchRule_variable_is_parameter) diff --git a/clang/test/SemaCXX/attr-speculative-load-hardening.cpp b/clang/test/SemaCXX/attr-speculative-load-hardening.cpp deleted file mode 100644 index bba3b69..0000000 --- a/clang/test/SemaCXX/attr-speculative-load-hardening.cpp +++ /dev/null @@ -1,34 +0,0 @@ -// RUN: %clang_cc1 -std=c++11 -fsyntax-only -verify %s - -int i __attribute__((speculative_load_hardening)); // expected-error {{'speculative_load_hardening' attribute only applies to functions}} - -void f1() __attribute__((speculative_load_hardening)); -void f2() __attribute__((speculative_load_hardening(1))); // expected-error {{'speculative_load_hardening' attribute takes no arguments}} - -template -void tf1() __attribute__((speculative_load_hardening)); - -int f3(int __attribute__((speculative_load_hardening)), int); // expected-error {{'speculative_load_hardening' attribute only applies to functions}} - -struct A { - int f __attribute__((speculative_load_hardening)); // expected-error {{'speculative_load_hardening' attribute only applies to functions}} - void mf1() __attribute__((speculative_load_hardening)); - static void mf2() __attribute__((speculative_load_hardening)); -}; - -int ci [[clang::speculative_load_hardening]]; // expected-error {{'speculative_load_hardening' attribute only applies to functions}} - -[[clang::speculative_load_hardening]] void cf1(); -[[clang::speculative_load_hardening(1)]] void cf2(); // expected-error {{'speculative_load_hardening' attribute takes no arguments}} - -template -[[clang::speculative_load_hardening]] -void ctf1(); - -int cf3(int c[[clang::speculative_load_hardening]], int); // expected-error {{'speculative_load_hardening' attribute only applies to functions}} - -struct CA { - int f [[clang::speculative_load_hardening]]; // expected-error {{'speculative_load_hardening' attribute only applies to functions}} - [[clang::speculative_load_hardening]] void mf1(); - [[clang::speculative_load_hardening]] static void mf2(); -}; diff --git a/llvm/docs/LangRef.rst b/llvm/docs/LangRef.rst index fa85b6e..7ec157f 100644 --- a/llvm/docs/LangRef.rst +++ b/llvm/docs/LangRef.rst @@ -1643,15 +1643,19 @@ example: ``speculative_load_hardening`` This attribute indicates that `Speculative Load Hardening `_ - should be enabled for the function body. - - Speculative Load Hardening is a best-effort mitigation against - information leak attacks that make use of control flow - miss-speculation - specifically miss-speculation of whether a branch - is taken or not. Typically vulnerabilities enabling such attacks are - classified as "Spectre variant #1". Notably, this does not attempt to - mitigate against miss-speculation of branch target, classified as - "Spectre variant #2" vulnerabilities. + should be enabled for the function body. This is a best-effort attempt to + mitigate all known speculative execution information leak vulnerabilities + that are based on the fundamental principles of modern processors' + speculative execution. These vulnerabilities are classified as "Spectre + variant #1" vulnerabilities typically. Notably, this does not attempt to + mitigate any vulnerabilities where the speculative execution and/or + prediction devices of specific processors can be *completely* undermined + (such as "Branch Target Injection", a.k.a, "Spectre variant #2"). Instead, + this is a target-independent request to harden against the completely + generic risk posed by speculative execution to incorrectly load secret data, + making it available to some micro-architectural side-channel for information + leak. For a processor without any speculative execution or predictors, this + is expected to be a no-op. When inlining, the attribute is sticky. Inlining a function that carries this attribute will cause the caller to gain the attribute. This is intended -- 2.7.4