compiler-rt: Introduce runtime functions for emulated PAC.

The emulated PAC runtime functions emulate the ARMv8.3a pointer
authentication instructions and are intended for use in heterogeneous
testing environments. For more information, see the associated RFC:
https://discourse.llvm.org/t/rfc-emulated-pac/85557

TODO:
- Add tests.

Pull Request: llvm#133530

Author: pcc

compiler-rt/cmake/Modules/AddCompilerRT.cmake

@@ -172,7 +172,7 @@ function(add_compiler_rt_runtime name type)
   cmake_parse_arguments(LIB
     ""
     "PARENT_TARGET"
-    "OS;ARCHS;SOURCES;CFLAGS;LINK_FLAGS;DEFS;DEPS;LINK_LIBS;OBJECT_LIBS;ADDITIONAL_HEADERS;EXTENSIONS"
+    "OS;ARCHS;SOURCES;CFLAGS;LINK_FLAGS;DEFS;DEPS;LINK_LIBS;OBJECT_LIBS;ADDITIONAL_HEADERS;EXTENSIONS;C_STANDARD;CXX_STANDARD"
     ${ARGN})
   set(libnames)
   # Until we support this some other way, build compiler-rt runtime without LTO
@@ -360,6 +360,12 @@ function(add_compiler_rt_runtime name type)
       set_target_link_flags(${libname} ${extra_link_flags_${libname}})
       set_property(TARGET ${libname} APPEND PROPERTY
                    COMPILE_DEFINITIONS ${LIB_DEFS})
+      if(LIB_C_STANDARD)
+        set_property(TARGET ${libname} PROPERTY C_STANDARD ${LIB_C_STANDARD})
+      endif()
+      if(LIB_CXX_STANDARD)
+        set_property(TARGET ${libname} PROPERTY CXX_STANDARD ${LIB_CXX_STANDARD})
+      endif()
       set_target_output_directories(${libname} ${output_dir_${libname}})
       install(TARGETS ${libname}
         ARCHIVE DESTINATION ${install_dir_${libname}}

compiler-rt/cmake/builtin-config-ix.cmake

@@ -26,6 +26,7 @@ builtin_check_c_compiler_flag("-Xclang -mcode-object-version=none" COMPILER_RT_H
 builtin_check_c_compiler_flag(-Wbuiltin-declaration-mismatch COMPILER_RT_HAS_WBUILTIN_DECLARATION_MISMATCH_FLAG)
 builtin_check_c_compiler_flag(/Zl COMPILER_RT_HAS_ZL_FLAG)
 builtin_check_c_compiler_flag(-fcf-protection=full COMPILER_RT_HAS_FCF_PROTECTION_FLAG)
+builtin_check_c_compiler_flag(-nostdinc++          COMPILER_RT_HAS_NOSTDINCXX_FLAG)
 
 builtin_check_c_compiler_source(COMPILER_RT_HAS_ATOMIC_KEYWORD
 "

compiler-rt/lib/builtins/CMakeLists.txt

@@ -6,7 +6,7 @@ if (CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
   cmake_minimum_required(VERSION 3.20.0)
 
   set(CMAKE_TRY_COMPILE_TARGET_TYPE STATIC_LIBRARY)
-  project(CompilerRTBuiltins C ASM)
+  project(CompilerRTBuiltins C CXX ASM)
   set(COMPILER_RT_STANDALONE_BUILD TRUE)
   set(COMPILER_RT_BUILTINS_STANDALONE_BUILD TRUE)
 
@@ -64,6 +64,8 @@ include(CMakePushCheckState)
 option(COMPILER_RT_BUILTINS_HIDE_SYMBOLS
   "Do not export any symbols from the static library." ON)
 
+include_directories(../../../third-party/siphash/include)
+
 # TODO: Need to add a mechanism for logging errors when builtin source files are
 # added to a sub-directory and not this CMakeLists file.
 set(GENERIC_SOURCES
@@ -570,6 +572,7 @@ set(aarch64_SOURCES
   ${GENERIC_TF_SOURCES}
   ${GENERIC_SOURCES}
   cpu_model/aarch64.c
+  aarch64/emupac.cpp
   aarch64/fp_mode.c
 )
 
@@ -802,7 +805,7 @@ else ()
     append_list_if(COMPILER_RT_ENABLE_CET -fcf-protection=full BUILTIN_CFLAGS)
   endif()
 
-  append_list_if(COMPILER_RT_HAS_STD_C11_FLAG -std=c11 BUILTIN_CFLAGS)
+  append_list_if(COMPILER_RT_HAS_NOSTDINCXX_FLAG -nostdinc++ BUILTIN_CFLAGS)
   append_list_if(COMPILER_RT_HAS_WBUILTIN_DECLARATION_MISMATCH_FLAG -Werror=builtin-declaration-mismatch BUILTIN_CFLAGS)
 
   # Don't embed directives for picking any specific CRT
@@ -917,6 +920,8 @@ else ()
                               SOURCES ${${arch}_SOURCES}
                               DEFS ${BUILTIN_DEFS}
                               CFLAGS ${BUILTIN_CFLAGS_${arch}}
+                              C_STANDARD 11
+                              CXX_STANDARD 17
                               PARENT_TARGET builtins)
       cmake_pop_check_state()
     endif ()

compiler-rt/lib/builtins/aarch64/emupac.cpp

@@ -0,0 +1,132 @@
+//===--- emupac.cpp - Emulated PAC implementation -------------------------===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+//  This file implements Emulated PAC using SipHash_2_4 as the IMPDEF hashing
+//  scheme.
+//
+//===----------------------------------------------------------------------===//
+
+#include <stdint.h>
+
+#include "siphash/SipHash.h"
+
+// EmuPAC implements runtime emulation of PAC instructions. If the current
+// CPU supports PAC, EmuPAC uses real PAC instructions. Otherwise, it uses the
+// emulation, which is effectively an implementation of PAC with an IMPDEF
+// hashing scheme based on SipHash_2_4.
+//
+// The purpose of the emulation is to allow programs to be built to be portable
+// to machines without PAC support, with some performance loss and increased
+// probability of false positives (due to not being able to portably determine
+// the VA size), while being functionally almost equivalent to running on a
+// machine with PAC support. One example of a use case is if PAC is used in
+// production as a security mitigation, but the testing environment is
+// heterogeneous (i.e. some machines lack PAC support). In this case we would
+// like the testing machines to be able to detect issues resulting
+// from the use of PAC instructions that would affect production by running
+// tests. This can be achieved by building test binaries with EmuPAC and
+// production binaries with real PAC.
+//
+// The emulation assumes that the VA size is at most 48 bits. The architecture
+// as of ARMv8.2, which was the last architecture version in which PAC was not
+// mandatory, permitted VA size up to 52 bits via ARMv8.2-LVA, but we are
+// unaware of an ARMv8.2 CPU that implemented ARMv8.2-LVA.
+
+const uint64_t kMaxVASize = 48;
+const uint64_t kPACMask = ((1ULL << 55) - 1) & ~((1ULL << kMaxVASize) - 1);
+const uint64_t kTTBR1Mask = 1ULL << 55;
+
+// Determine whether PAC is supported without accessing memory. This utilizes
+// the XPACLRI instruction which will copy bit 55 of x30 into at least bit 54 if
+// PAC is supported and acts as a NOP if PAC is not supported.
+static bool pac_supported() {
+  register uintptr_t x30 __asm__("x30") = 1ULL << 55;
+  __asm__ __volatile__("xpaclri" : "+r"(x30));
+  return x30 & (1ULL << 54);
+}
+
+// This asm snippet is used to force the creation of a frame record when
+// calling the EmuPAC functions. This is important because the EmuPAC functions
+// may crash if an auth failure is detected and may be unwound past using a
+// frame pointer based unwinder.
+#ifdef __GCC_HAVE_DWARF2_CFI_ASM
+#define frame_pointer_wrap(sym) \
+  "stp x29, x30, [sp, #-16]!\n" \
+  ".cfi_def_cfa_offset 16\n" \
+  "mov x29, sp\n" \
+  ".cfi_def_cfa w29, 16\n" \
+  ".cfi_offset w30, -8\n" \
+  ".cfi_offset w29, -16\n" \
+  "bl " #sym "\n" \
+  ".cfi_def_cfa wsp, 16\n" \
+  "ldp x29, x30, [sp], #16\n" \
+  ".cfi_def_cfa_offset 0\n" \
+  ".cfi_restore w30\n" \
+  ".cfi_restore w29\n" \
+  "ret"
+#else
+#define frame_pointer_wrap(sym) \
+  "stp x29, x30, [sp, #-16]!\n" \
+  "mov x29, sp\n" \
+  "bl " #sym "\n" \
+  "ldp x29, x30, [sp], #16\n" \
+  "ret"
+#endif
+
+static const uint8_t K[16] = {0xb5, 0xd4, 0xc9, 0xeb, 0x79, 0x10, 0x4a, 0x79,
+                              0x6f, 0xec, 0x8b, 0x1b, 0x42, 0x87, 0x81, 0xd4};
+
+__attribute__((flatten))
+extern "C" uint64_t __emupac_pacda_impl(uint64_t ptr, uint64_t disc) {
+  if (pac_supported()) {
+    __asm__ __volatile__(".arch_extension pauth\npacda %0, %1"
+                         : "+r"(ptr)
+                         : "r"(disc));
+    return ptr;
+  }
+  if (ptr & kTTBR1Mask) {
+    if ((ptr & kPACMask) != kPACMask) {
+      return ptr | kPACMask;
+    }
+  } else {
+    if (ptr & kPACMask) {
+      return ptr & ~kPACMask;
+    }
+  }
+  uint64_t hash;
+  siphash<2, 4>(reinterpret_cast<uint8_t *>(&ptr), 8, K,
+                *reinterpret_cast<uint8_t (*)[8]>(&hash));
+  return (ptr & ~kPACMask) | (hash & kPACMask);
+}
+
+extern "C" __attribute__((naked)) uint64_t __emupac_pacda(uint64_t ptr, uint64_t disc) {
+  __asm__(frame_pointer_wrap(__emupac_pacda_impl));
+}
+
+__attribute__((flatten))
+extern "C" uint64_t __emupac_autda_impl(uint64_t ptr, uint64_t disc) {
+  if (pac_supported()) {
+    __asm__ __volatile__(".arch_extension pauth\nautda %0, %1"
+                         : "+r"(ptr)
+                         : "r"(disc));
+    return ptr;
+  }
+  uint64_t ptr_without_pac =
+      (ptr & kTTBR1Mask) ? (ptr | kPACMask) : (ptr & ~kPACMask);
+  uint64_t hash;
+  siphash<2, 4>(reinterpret_cast<uint8_t *>(&ptr_without_pac), 8, K,
+                *reinterpret_cast<uint8_t (*)[8]>(&hash));
+  if (((ptr & ~kPACMask) | (hash & kPACMask)) != ptr) {
+    __builtin_trap();
+  }
+  return ptr_without_pac;
+}
+
+extern "C" __attribute__((naked)) uint64_t __emupac_autda(uint64_t ptr, uint64_t disc) {
+  __asm__(frame_pointer_wrap(__emupac_autda_impl));
+}

llvm/utils/gn/secondary/compiler-rt/lib/builtins/BUILD.gn

@@ -87,6 +87,7 @@ static_library("builtins") {
       cflags += [ "-fomit-frame-pointer" ]
     }
     cflags_c = [ "-std=c11" ]
+    cflags_cc = [ "-nostdinc++" ]
   }
 
   sources = [
@@ -500,6 +501,7 @@ static_library("builtins") {
   if (current_cpu == "arm64") {
     sources -= [ "fp_mode.c" ]
     sources += [
+      "aarch64/emupac.cpp",
       "aarch64/fp_mode.c",
       "cpu_model/aarch64.c",
     ]
@@ -601,6 +603,7 @@ static_library("builtins") {
   }
 
   deps = lse_targets
+  include_dirs = [ "//third-party/siphash/include" ]
 }
 
 # Currently unused but necessary to make sync_source_lists_from_cmake.py happy.