From f6366ef7f4f3cf1182fd70e0c50a9fa54374b612 Mon Sep 17 00:00:00 2001
From: Daniel Kiss <daniel.kiss@arm.com>
Date: Fri, 13 May 2022 09:12:07 +0200
Subject: [PATCH] [libunwind][AArch64] Add support for DWARF expression for
 RA_SIGN_STATE.

Program may set the RA_SIGN_STATE pseudo register by expressions.
Libunwind expected only the DW_CFA_AARCH64_negate_ra_state could change the value
of the register which leads to runtime errors on PAC enabled systems.
In the recent version of the aadwarf64[1] a limitation is added[2] to forbid the mixing the
DW_CFA_AARCH64_negate_ra_state with other DWARF Register Rule Instructions.

[1] https://github.com/ARM-software/abi-aa/releases/tag/2022Q1
[2] https://github.com/ARM-software/abi-aa/pull/129

Reviewed By: #libunwind, MaskRay

Differential Revision: https://reviews.llvm.org/D123692
---
 libunwind/src/DwarfInstructions.hpp           | 21 ++++++++-
 libunwind/test/aarch64.ra_sign_state.pass.cpp | 63 +++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 libunwind/test/aarch64.ra_sign_state.pass.cpp

diff --git a/libunwind/src/DwarfInstructions.hpp b/libunwind/src/DwarfInstructions.hpp
index ab83b0c..865a489 100644
--- a/libunwind/src/DwarfInstructions.hpp
+++ b/libunwind/src/DwarfInstructions.hpp
@@ -72,6 +72,10 @@ private:
     assert(0 && "getCFA(): unknown location");
     __builtin_unreachable();
   }
+#if defined(_LIBUNWIND_TARGET_AARCH64)
+  static bool getRA_SIGN_STATE(A &addressSpace, R registers, pint_t cfa,
+                               PrologInfo &prolog);
+#endif
 };
 
 template <typename R>
@@ -166,6 +170,21 @@ v128 DwarfInstructions<A, R>::getSavedVectorRegister(
   }
   _LIBUNWIND_ABORT("unsupported restore location for vector register");
 }
+#if defined(_LIBUNWIND_TARGET_AARCH64)
+template <typename A, typename R>
+bool DwarfInstructions<A, R>::getRA_SIGN_STATE(A &addressSpace, R registers,
+                                               pint_t cfa, PrologInfo &prolog) {
+  pint_t raSignState;
+  auto regloc = prolog.savedRegisters[UNW_AARCH64_RA_SIGN_STATE];
+  if (regloc.location == CFI_Parser<A>::kRegisterUnused)
+    raSignState = regloc.value;
+  else
+    raSignState = getSavedRegister(addressSpace, registers, cfa, regloc);
+
+  // Only bit[0] is meaningful.
+  return raSignState & 0x01;
+}
+#endif
 
 template <typename A, typename R>
 int DwarfInstructions<A, R>::stepWithDwarf(A &addressSpace, pint_t pc,
@@ -235,7 +254,7 @@ int DwarfInstructions<A, R>::stepWithDwarf(A &addressSpace, pint_t pc,
       // restored. autia1716 is used instead of autia as autia1716 assembles
       // to a NOP on pre-v8.3a architectures.
       if ((R::getArch() == REGISTERS_ARM64) &&
-          prolog.savedRegisters[UNW_AARCH64_RA_SIGN_STATE].value &&
+          getRA_SIGN_STATE(addressSpace, registers, cfa, prolog) &&
           returnAddress != 0) {
 #if !defined(_LIBUNWIND_IS_NATIVE_ONLY)
         return UNW_ECROSSRASIGNING;
diff --git a/libunwind/test/aarch64.ra_sign_state.pass.cpp b/libunwind/test/aarch64.ra_sign_state.pass.cpp
new file mode 100644
index 0000000..1e09c93
--- /dev/null
+++ b/libunwind/test/aarch64.ra_sign_state.pass.cpp
@@ -0,0 +1,63 @@
+// -*- C++ -*-
+//===----------------------------------------------------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+// REQUIRES: linux && target={{aarch64-.+}}
+
+// This test ensures the .cfi_negate_ra_state the RA_SIGN_STATE pseudo register
+// could be set directly set by a DWARF expression and the unwinder handles it
+// correctly. The two directives can't be mixed in one CIE/FDE sqeuence.
+
+#include <stdlib.h>
+
+__attribute__((noinline, target("branch-protection=pac-ret+leaf")))
+void bar() {
+  // ".cfi_negate_ra_state" is emitted by the compiler.
+  throw 1;
+}
+
+__attribute__((noinline, target("branch-protection=none")))
+void foo() {
+  // Here a DWARF expression sets RA_SIGN_STATE.
+  // The LR is signed manually and stored on the stack.
+  asm volatile(
+      ".cfi_escape 0x16,"    // DW_CFA_val_expression
+                    "34,"    // REG_34(RA_SIGN_STATE)
+                     "1,"    // expression_length(1)
+                    "0x31\n" // DW_OP_lit1
+      "add sp, sp, 16\n"     // Restore SP's value before the stack frame is
+                             // created.
+      "paciasp\n"            // Sign the LR.
+      "str lr, [sp, -0x8]\n" // Overwrite LR on the stack.
+      "sub sp, sp, 16\n"     // Restore SP's value.
+  );
+  bar();
+  _Exit(-1);
+}
+
+__attribute__((noinline, target("branch-protection=pac-ret")))
+void bazz() {
+  // ".cfi_negate_ra_state" is emitted by the compiler.
+  try {
+    foo();
+  } catch (int i) {
+    if (i == 1)
+      throw i;
+    throw 2;
+  }
+}
+
+int main() {
+  try {
+    bazz();
+  } catch (int i) {
+    if (i == 1)
+      _Exit(0);
+  }
+  return -1;
+}
-- 
2.7.4