LLD's control flow guard relocation scanning is less precise than MSVC's
Issue description

In issue 857012, Hans noticed that LLD adds more functions to the control flow guard table than MSVC does. Here are some things we can do to improve it:

"""
- ignore REL32 relocations on 32-bit, but not 64-bit (see below)
- ignore relocations not referring to symbols marked as functions in the symbol table
- ignore relocations in the .xdata section
- make clang emit the .gfid$y table in chromium builds (/guard:cf might not be the right flag because we're still not emitting the instrumentation)

It was interesting to see how relocations are scanned differently on 32-bit and 64-bit:

    void foo() { return; }
    void bar() { return; }
    int main() {
      foo();
      void (*arr[])() = { &bar };
      (*arr[0])();
      return 0;
    }

    cl /c \src\tmp\a.cc && dumpbin /all /disasm a.obj > a.txt && link a.obj /guard:cf /map:map.txt && dumpbin /loadconfig a.exe

In a 32-bit build, main has a REL32 relocation for foo and a DIR32 for bar. Only bar ends up in the cfgid table, so it seems safe to say link.exe ignores REL32 relocations in 32-bit.

In 64-bit, main uses REL32 relocations for both foo and bar (the latter with a rip-relative lea to get the absolute address). And both foo and bar end up in the cfgid table. So it looks like on 64-bit, link.exe also considers REL32 relocations, and ends up including also regular call targets in the table.
"""
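As an added illustration (not code from LLD, MSVC or this bug), a small Python model of the relocation scan with the three filters proposed above, plus the .gfid$y path gated on the 0x800 bit in @feat.00 discussed later in the thread; the Symbol/Reloc/Obj records and sample_obj are constructed stand-ins for what dumpbin shows for a.cc.

```python
# Added example (not LLD's or MSVC's code): a model of the two ways a linker can
# choose Control Flow Guard (CFG) table entries, as described in this issue. All
# symbols, relocations and section names are constructed to mirror the a.cc sample.
from collections import namedtuple

Symbol = namedtuple("Symbol", "name is_function")
Reloc = namedtuple("Reloc", "section kind target")   # kind: dumpbin-style name
Obj = namedtuple("Obj", "relocs feat00 gfids", defaults=(0, ()))
FEAT_GUARD_CF = 0x800  # @feat.00 bit that says the object carries a .gfid$y table


def scan_relocations(obj, is_64bit):
    """Relocation-based scan with the three filters proposed in the issue."""
    taken = set()
    for r in obj.relocs:
        if r.section == ".xdata":                # unwind info, never an indirect-call target
            continue
        if not r.target.is_function:             # data symbols need no CFG entry
            continue
        if r.kind == "REL32" and not is_64bit:   # on 32-bit, REL32 only encodes call/jmp
            continue
        taken.add(r.target.name)
    return taken


def cfg_table(obj, is_64bit):
    """Prefer the compiler's .gfid$y list when @feat.00 says it exists; else scan."""
    if obj.feat00 & FEAT_GUARD_CF:
        return {s.name for s in obj.gfids}
    return scan_relocations(obj, is_64bit)


def sample_obj(is_64bit, with_gfid=False):
    """Relocations main() gets for `foo();` and `&bar` in a.cc (constructed)."""
    foo, bar = Symbol("foo", True), Symbol("bar", True)
    handler, data = Symbol("__CxxFrameHandler3", True), Symbol("arr_init", False)
    bar_kind = "REL32" if is_64bit else "DIR32"  # rip-relative lea vs absolute immediate
    relocs = [Reloc(".text", "REL32", foo), Reloc(".text", bar_kind, bar),
              Reloc(".xdata", "ADDR32NB", handler), Reloc(".text", "DIR32", data)]
    if with_gfid:  # object built with the .gfid$y table: only &bar is listed
        return Obj(relocs, FEAT_GUARD_CF, [bar])
    return Obj(relocs)


if __name__ == "__main__":
    print("32-bit:", sorted(cfg_table(sample_obj(False), False)))     # ['bar']
    print("64-bit:", sorted(cfg_table(sample_obj(True), True)))       # ['bar', 'foo']
    print("gfid$y:", sorted(cfg_table(sample_obj(True, True), True)))  # ['bar']
```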
Aug 8
Aug 9
> Patch: https://reviews.llvm.org/D50430

That's in lld r339345

> - make clang emit the .gfid$y table in chromium builds (/guard:cf might not be the right flag because we're still not emitting the instrumentation)

Taking a stab at this: https://reviews.llvm.org/D50513
Aug 9
Aug 10
clang r339420 supports /guard:cf,nochecks
Sep 18
Getting back to this: it turns out LLD doesn't pick up the .gfid$y unless the 0x800 bit is set in @feat.00. If I make LLVM set that, the CF function count goes from 0x12C6 to 0x68A on 64-bit, so that's a good improvement. On 32-bit the difference is probably a bit smaller since relocation scanning should be more precise there. LLVM patch: https://reviews.llvm.org/D52235
Sep 18
On 32-bit x86 the CF function count goes from 5F1 to 699, so not actually a reduction. I'll have to look into that.
Sep 20
Diff between the relocation-based and .gfid$y-based CFG tables: --- \src\tmp\relocation_based.txt Thu Sep 20 15:09:07 2018 +++ \src\tmp\table_based.txt Thu Sep 20 15:09:06 2018 @@ -901,6 +901,7 @@ addSymbolToRVASet ?Next@StringOutputStream@io@protobuf@google@@UAE_NPAPAXPAH@Z addSymbolToRVASet ?NotifyAffinitizedWork@CacheLocalScheduleGroupSegment@details@Concurrency@@UAEXXZ addSymbolToRVASet ?NotifyWrapper@?$ObserverListThreadSafe@VObserver@FieldTrialList@base@@@base@@AAEXPAVObserver@FieldTrialList@2@ABUNotificationData@12@@Z +addSymbolToRVASet ?Now@TimeTicks@base@@SA?AV12@XZ addSymbolToRVASet ?OSServer@SystemSnapshotWin@internal@crashpad@@UBE_NXZ addSymbolToRVASet ?OSVersion@SystemSnapshotWin@internal@crashpad@@UBEXPAH00PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z addSymbolToRVASet ?OSVersionFull@SystemSnapshotWin@internal@crashpad@@UBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ @@ -974,6 +975,7 @@ addSymbolToRVASet ?RVAToFileOffset@DisassemblerElf32@courgette@@UBEII@Z addSymbolToRVASet ?RVAToFileOffset@DisassemblerWin32@courgette@@UBEII@Z addSymbolToRVASet ?RVAToPointer@Disassembler@courgette@@UBEPBEI@Z +addSymbolToRVASet ?RandInt@base@@YAHHH@Z addSymbolToRVASet ?Read@FileIOReadExactly@?A0x13213FEA@crashpad@@EAEJPAXI_N@Z addSymbolToRVASet ?Read@FileReader@crashpad@@UAEJPAXI@Z addSymbolToRVASet ?Read@FileReaderReadExactly@?A0x473CD318@crashpad@@EAEJPAXI_N@Z 
@@ -1105,6 +1107,7 @@ addSymbolToRVASet ?ShowModal@HTMLDialogWin@installer@@UAE?AW4DialogResult@HTMLDialog@2@PAXPAVCustomizationCallback@42@@Z addSymbolToRVASet ?Shutdown@SchedulerProxy@details@Concurrency@@UAEXXZ addSymbolToRVASet ?ShutdownFactory@FreeThreadProxyFactory@details@Concurrency@@UAEXXZ +addSymbolToRVASet ?Signal@WaitableEvent@base@@QAEXXZ addSymbolToRVASet ?SingleSatisfy@MultiWaitBlock@details@Concurrency@@MAEXPAPAVContext@3@PAVEventWaitNode@23@@Z addSymbolToRVASet ?Size@MemorySnapshotWin@internal@crashpad@@UBEIXZ addSymbolToRVASet ?Size@ModuleSnapshotWin@internal@crashpad@@UBE_KXZ @@ -1207,6 +1210,7 @@ addSymbolToRVASet ?TypeOfWorkPending@SchedulerBase@details@Concurrency@@MAE?AW4PendingWorkType@123@XZ addSymbolToRVASet ?UUIDAndAge@ModuleSnapshotMinidump@internal@crashpad@@UBEXPAUUUID@3@PAI@Z addSymbolToRVASet ?UUIDAndAge@ModuleSnapshotWin@internal@crashpad@@UBEXPAUUUID@3@PAI@Z +addSymbolToRVASet ?UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z addSymbolToRVASet ?UnSetVar@EnvironmentImpl@?A0xFAC7EB4F@base@@UAE_NV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@Z addSymbolToRVASet ?UnbindContext@SchedulerProxy@details@Concurrency@@UAEXPAUIExecutionContext@3@@Z addSymbolToRVASet ?Unblock@ExternalContextBase@details@Concurrency@@UAEXXZ 
@@ -1330,19 +1334,6 @@ addSymbolToRVASet ?do_unshift@?$codecvt@DDU_Mbstatet@@@std@@MBEHAAU_Mbstatet@@PAD1AAPAD@Z addSymbolToRVASet ?do_widen@?$ctype@D@std@@MBEDD@Z addSymbolToRVASet ?do_widen@?$ctype@D@std@@MBEPBDPBD0PAD@Z -addSymbolToRVASet ?dtor$118@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$131@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$133@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$135@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$136@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$137@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$29@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$39@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$51@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$81@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$83@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$98@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA -addSymbolToRVASet ?dtor$9@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA addSymbolToRVASet ?equivalent@error_category@std@@UBE_NABVerror_code@2@H@Z addSymbolToRVASet ?equivalent@error_category@std@@UBE_NHABVerror_condition@2@@Z addSymbolToRVASet ?file_description@FileVersionInfoWin@@UAE?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ 
@@ -1434,9 +1425,35 @@ addSymbolToRVASet ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z addSymbolToRVASet @CrcUpdateT4@16 addSymbolToRVASet @CrcUpdateT8@16 +addSymbolToRVASet _AnalysisVaaInfoIntra_sse2 +addSymbolToRVASet _AnalysisVaaInfoIntra_ssse3 +addSymbolToRVASet _BilateralLumaFilter8_sse2 +addSymbolToRVASet _CPU_Is_InOrder +addSymbolToRVASet _CavlcParamCal_sse42 addSymbolToRVASet _CountryEnumProc@4 addSymbolToRVASet _Cr_z_zcalloc +addSymbolToRVASet _Cr_z_zcfree +addSymbolToRVASet _DeblockChromaEq4H_ssse3 +addSymbolToRVASet _DeblockChromaEq4V_ssse3 +addSymbolToRVASet _DeblockChromaLt4H_ssse3 +addSymbolToRVASet _DeblockChromaLt4V_ssse3 +addSymbolToRVASet _DeblockLumaEq4V_ssse3 +addSymbolToRVASet _DeblockLumaLt4V_ssse3 +addSymbolToRVASet _DyadicBilinearDownsamplerWidthx16_sse +addSymbolToRVASet _DyadicBilinearDownsamplerWidthx16_ssse3 +addSymbolToRVASet _DyadicBilinearDownsamplerWidthx32_sse +addSymbolToRVASet _DyadicBilinearDownsamplerWidthx32_ssse3 +addSymbolToRVASet _DyadicBilinearOneThirdDownsampler_sse4 +addSymbolToRVASet _DyadicBilinearOneThirdDownsampler_ssse3 +addSymbolToRVASet _DyadicBilinearQuarterDownsampler_sse +addSymbolToRVASet _DyadicBilinearQuarterDownsampler_sse4 +addSymbolToRVASet _DyadicBilinearQuarterDownsampler_ssse3 +addSymbolToRVASet _ExpandPictureChromaAlign_sse2 +addSymbolToRVASet _ExpandPictureChromaUnalign_sse2 +addSymbolToRVASet _ExpandPictureLuma_sse2 +addSymbolToRVASet _FillQpelLocationByFeatureValue_sse2 addSymbolToRVASet _GetHandleVerifier +addSymbolToRVASet _InitializeHashforFeature_sse2 addSymbolToRVASet _LangCountryEnumProc@4 addSymbolToRVASet _LangCountryEnumProcEx@12 addSymbolToRVASet _LanguageEnumProc@4 
@@ -1446,8 +1463,111 @@ addSymbolToRVASet _LookToRead_Read addSymbolToRVASet _LookToRead_Seek addSymbolToRVASet _LookToRead_Skip +addSymbolToRVASet _McChromaWidthEq4_mmx +addSymbolToRVASet _McChromaWidthEq8_sse2 +addSymbolToRVASet _McChromaWidthEq8_ssse3 +addSymbolToRVASet _McHorVer02_ssse3 +addSymbolToRVASet _McHorVer20Width5Or9Or17_ssse3 +addSymbolToRVASet _McHorVer20_ssse3 +addSymbolToRVASet _MdInterAnalysisVaaInfo_sse2 +addSymbolToRVASet _MdInterAnalysisVaaInfo_sse41 +addSymbolToRVASet _PixelAvgWidthEq16_sse2 +addSymbolToRVASet _PixelAvgWidthEq8_mmx +addSymbolToRVASet _SampleSad16x16Hor8_sse41 +addSymbolToRVASet _SampleSad8x8Hor8_sse41 +addSymbolToRVASet _SampleVariance16x16_sse2 +addSymbolToRVASet _SumOf16x16BlockOfFrame_sse2 +addSymbolToRVASet _SumOf16x16BlockOfFrame_sse4 +addSymbolToRVASet _SumOf16x16SingleBlock_sse2 +addSymbolToRVASet _SumOf8x8BlockOfFrame_sse2 +addSymbolToRVASet _SumOf8x8BlockOfFrame_sse4 +addSymbolToRVASet _SumOf8x8SingleBlock_sse2 addSymbolToRVASet _SzAlloc -addSymbolToRVASet _SzFree +addSymbolToRVASet _TransposeMatrixBlock16x16_sse2 +addSymbolToRVASet _TransposeMatrixBlock8x8_mmx +addSymbolToRVASet _TransposeMatrixBlocksx16_sse2 +addSymbolToRVASet _TransposeMatrixBlocksx8_mmx +addSymbolToRVASet _UpdateMbMv_sse2 +addSymbolToRVASet _VAACalcSadBgd_sse2 +addSymbolToRVASet _VAACalcSadSsdBgd_sse2 +addSymbolToRVASet _VAACalcSadSsd_sse2 +addSymbolToRVASet _VAACalcSadVar_sse2 +addSymbolToRVASet _VAACalcSad_sse2 +addSymbolToRVASet _WTSFreeMemory@4 +addSymbolToRVASet _WaverageChromaFilter8_sse2 +addSymbolToRVASet _WelsCalculateSingleCtr4x4_sse2 +addSymbolToRVASet _WelsCopy16x16NotAligned_sse2 +addSymbolToRVASet _WelsCopy16x16_sse2 +addSymbolToRVASet _WelsCopy16x8NotAligned_sse2 +addSymbolToRVASet _WelsCopy8x16_mmx +addSymbolToRVASet _WelsCopy8x8_mmx +addSymbolToRVASet _WelsDctFourT4_sse2 +addSymbolToRVASet _WelsDctT4_mmx +addSymbolToRVASet _WelsDctT4_sse2 +addSymbolToRVASet _WelsDequant4x4_sse2 +addSymbolToRVASet _WelsDequantFour4x4_sse2 
+addSymbolToRVASet _WelsDequantIHadamard4x4_sse2 +addSymbolToRVASet _WelsGetNoneZeroCount_sse2 +addSymbolToRVASet _WelsGetNoneZeroCount_sse42 +addSymbolToRVASet _WelsHadamardQuant2x2Skip_mmx +addSymbolToRVASet _WelsHadamardQuant2x2_mmx +addSymbolToRVASet _WelsHadamardT4Dc_sse2 +addSymbolToRVASet _WelsI16x16LumaPredDc_sse2 +addSymbolToRVASet _WelsI16x16LumaPredH_sse2 +addSymbolToRVASet _WelsI16x16LumaPredPlane_sse2 +addSymbolToRVASet _WelsI16x16LumaPredV_sse2 +addSymbolToRVASet _WelsI4x4LumaPredDDL_mmx +addSymbolToRVASet _WelsI4x4LumaPredDDR_mmx +addSymbolToRVASet _WelsI4x4LumaPredDc_sse2 +addSymbolToRVASet _WelsI4x4LumaPredHD_mmx +addSymbolToRVASet _WelsI4x4LumaPredHU_mmx +addSymbolToRVASet _WelsI4x4LumaPredH_sse2 +addSymbolToRVASet _WelsI4x4LumaPredVL_mmx +addSymbolToRVASet _WelsI4x4LumaPredVR_mmx +addSymbolToRVASet _WelsI4x4LumaPredV_sse2 +addSymbolToRVASet _WelsIChromaPredDc_sse2 +addSymbolToRVASet _WelsIChromaPredH_mmx +addSymbolToRVASet _WelsIChromaPredPlane_sse2 +addSymbolToRVASet _WelsIChromaPredV_sse2 +addSymbolToRVASet _WelsIDctFourT4Rec_sse2 +addSymbolToRVASet _WelsIDctRecI16x16Dc_sse2 +addSymbolToRVASet _WelsIDctT4Rec_mmx +addSymbolToRVASet _WelsIDctT4Rec_sse2 +addSymbolToRVASet _WelsIntra16x16Combined3Sad_ssse3 +addSymbolToRVASet _WelsIntra16x16Combined3Satd_sse41 +addSymbolToRVASet _WelsIntraChroma8x8Combined3Satd_sse41 +addSymbolToRVASet _WelsNonZeroCount_sse2 +addSymbolToRVASet _WelsQuant4x4Dc_sse2 +addSymbolToRVASet _WelsQuant4x4_sse2 +addSymbolToRVASet _WelsQuantFour4x4Max_sse2 +addSymbolToRVASet _WelsQuantFour4x4_sse2 +addSymbolToRVASet _WelsSampleSad16x16_sse2 +addSymbolToRVASet _WelsSampleSad16x8_sse2 +addSymbolToRVASet _WelsSampleSad4x4_mmx +addSymbolToRVASet _WelsSampleSad8x16_sse2 +addSymbolToRVASet _WelsSampleSad8x8_sse21 +addSymbolToRVASet _WelsSampleSadFour16x16_sse2 +addSymbolToRVASet _WelsSampleSadFour16x8_sse2 +addSymbolToRVASet _WelsSampleSadFour4x4_sse2 +addSymbolToRVASet _WelsSampleSadFour8x16_sse2 +addSymbolToRVASet 
_WelsSampleSadFour8x8_sse2 +addSymbolToRVASet _WelsSampleSatd16x16_sse2 +addSymbolToRVASet _WelsSampleSatd16x16_sse41 +addSymbolToRVASet _WelsSampleSatd16x8_sse2 +addSymbolToRVASet _WelsSampleSatd16x8_sse41 +addSymbolToRVASet _WelsSampleSatd4x4_sse2 +addSymbolToRVASet _WelsSampleSatd4x4_sse41 +addSymbolToRVASet _WelsSampleSatd8x16_sse2 +addSymbolToRVASet _WelsSampleSatd8x16_sse41 +addSymbolToRVASet _WelsSampleSatd8x8_sse2 +addSymbolToRVASet _WelsSampleSatd8x8_sse41 +addSymbolToRVASet _WelsSampleSatdThree4x4_sse2 +addSymbolToRVASet _WelsScan4x4Ac_sse2 +addSymbolToRVASet _WelsScan4x4DcAc_sse2 +addSymbolToRVASet _WelsScan4x4DcAc_ssse3 +addSymbolToRVASet _WelsSetMemZeroAligned64_sse2 +addSymbolToRVASet _WelsSetMemZeroSize64_mmx +addSymbolToRVASet _WelsSetMemZeroSize8_mmx addSymbolToRVASet __GLOBAL__sub_I_WelsThreadPool.cpp addSymbolToRVASet __RTC_Terminate addSymbolToRVASet ___DestructExceptionObject @@ -1508,9 +1628,15 @@ addSymbolToRVASet _deflate_fast addSymbolToRVASet _deflate_slow addSymbolToRVASet _deflate_stored +addSymbolToRVASet _gcm_ghash_4bit_mmx +addSymbolToRVASet _gcm_ghash_clmul +addSymbolToRVASet _gcm_gmult_4bit_mmx +addSymbolToRVASet _gcm_gmult_clmul addSymbolToRVASet _initialize_c addSymbolToRVASet _initialize_global_variables addSymbolToRVASet _initialize_pointers +addSymbolToRVASet _isdigit +addSymbolToRVASet _malloc addSymbolToRVASet _thread_local_destructor@12 addSymbolToRVASet _thread_local_init addSymbolToRVASet _tidy_global 
@@ -1518,3 +1644,45 @@ addSymbolToRVASet _uninitialize_allocated_memory addSymbolToRVASet _uninitialize_environment addSymbolToRVASet _uninitialize_vcruntime +addSymbolToRVASet _vpaes_cbc_encrypt +addSymbolToRVASet _vpaes_decrypt +addSymbolToRVASet _vpaes_encrypt +addSymbolToRVASet _vpx_d153_predictor_16x16_ssse3 +addSymbolToRVASet _vpx_d153_predictor_32x32_ssse3 +addSymbolToRVASet _vpx_d153_predictor_4x4_ssse3 +addSymbolToRVASet _vpx_d153_predictor_8x8_ssse3 +addSymbolToRVASet _vpx_d207_predictor_16x16_ssse3 +addSymbolToRVASet _vpx_d207_predictor_32x32_ssse3 +addSymbolToRVASet _vpx_d207_predictor_8x8_ssse3 +addSymbolToRVASet _vpx_d45_predictor_16x16_ssse3 +addSymbolToRVASet _vpx_d45_predictor_32x32_ssse3 +addSymbolToRVASet _vpx_d63_predictor_16x16_ssse3 +addSymbolToRVASet _vpx_d63_predictor_32x32_ssse3 +addSymbolToRVASet _vpx_d63_predictor_4x4_ssse3 +addSymbolToRVASet _vpx_d63_predictor_8x8_ssse3 +addSymbolToRVASet _vpx_highbd_convolve_avg_sse2 +addSymbolToRVASet _vpx_highbd_convolve_copy_sse2 +addSymbolToRVASet _vpx_sad16x16x3_sse3 +addSymbolToRVASet _vpx_sad16x16x3_ssse3 +addSymbolToRVASet _vpx_sad16x16x8_sse4_1 +addSymbolToRVASet _vpx_sad16x8x3_sse3 +addSymbolToRVASet _vpx_sad16x8x3_ssse3 +addSymbolToRVASet _vpx_sad16x8x8_sse4_1 +addSymbolToRVASet _vpx_sad32x16_avg_sse2 +addSymbolToRVASet _vpx_sad32x16_sse2 +addSymbolToRVASet _vpx_sad32x32_avg_sse2 +addSymbolToRVASet _vpx_sad32x32_sse2 +addSymbolToRVASet _vpx_sad32x32x4d_sse2 +addSymbolToRVASet _vpx_sad32x64_avg_sse2 +addSymbolToRVASet _vpx_sad32x64_sse2 +addSymbolToRVASet _vpx_sad4x4x3_sse3 +addSymbolToRVASet _vpx_sad4x4x8_sse4_1 +addSymbolToRVASet _vpx_sad64x32_avg_sse2 +addSymbolToRVASet _vpx_sad64x32_sse2 +addSymbolToRVASet _vpx_sad64x64_avg_sse2 +addSymbolToRVASet _vpx_sad64x64_sse2 +addSymbolToRVASet _vpx_sad64x64x4d_sse2 +addSymbolToRVASet _vpx_sad8x16x3_sse3 +addSymbolToRVASet _vpx_sad8x16x8_sse4_1 +addSymbolToRVASet _vpx_sad8x8x3_sse3 +addSymbolToRVASet _vpx_sad8x8x8_sse4_1
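Review bot: in the @@ -1330,19 +1334,6 @@ hunk the table-based list drops thirteen `?dtor$N@?0??UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z@4HA` entries while the @@ -1207,6 +1210,7 @@ hunk gains `?UnPack@LzmaUtilImpl@@QAEKABVFilePath@base@@PAV23@@Z` itself; the `dtor$N` symbols are the compiler's exception-cleanup funclets for UnPack, which are reached only through unwind data and never via an indirect call, so this part of the diff is the precision win that ignoring .xdata relocations (or trusting .gfid$y) is meant to produce, and UnPack being listed is consistent with its address being taken somewhere. Worth confirming the reverse case too: that no `dtor$` funclet survives in the table-based output for any other function.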
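Review bot: the long runs of `+` lines from the @@ -1434 hunk onward (`_Wels*_sse2/_ssse3/_mmx`, `_vpx_*_ssse3`, `_gcm_*_clmul`, `_vpaes_*`, `_malloc`, `_isdigit`) share a pattern: undecorated C-style names with ISA suffixes, which look like objects not compiled by clang with the new flag and therefore carrying neither a .gfid$y section nor the 0x800 bit in @feat.00. Before reading them as genuinely address-taken, check how the table-based path handles an object without that bit (does it fall back to the relocation scan for that object, or treat every function in it as address-taken?); that distinction would account for the 5F1 to 699 growth on 32-bit and for the setup.exe oddity raised in the next comment.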
Sep 20
Symbols like vpx_d153_predictor_16x16_ssse3 are definitely address-taken. But it feels weird that they'd be part of setup.exe, so I wonder if they're actually dropped but still ending up in the table somehow..
Comment 1 by h...@chromium.org, Aug 7: Status: Started (was: Available)