dotnet · SwapnilGaikwad · Dec 6, 2024 · Jan 24, 2025 · Jan 24, 2025 · Jan 30, 2025
diff --git a/src/coreclr/debug/ee/controller.cpp b/src/coreclr/debug/ee/controller.cpp
@@ -21,6 +21,10 @@
 #include "../../vm/methoditer.h"
 #include "../../vm/tailcallhelp.h"
 
+#if defined(TARGET_ARM64)
+extern "C" void* PacStripPtr(void* ptr);
+#endif // TARGET_ARM64
+
 const char *GetTType( TraceType tt);
 
 #define IsSingleStep(exception) ((exception) == EXCEPTION_SINGLE_STEP)
@@ -5842,6 +5846,11 @@ static bool IsTailCall(const BYTE * ip, ControllerStackInfo* info, TailCallFunct
     TailCallTls* tls = GetThread()->GetTailCallTls();
     LPVOID tailCallAwareRetAddr = tls->GetFrame()->TailCallAwareReturnAddress;
 
+#if defined(TARGET_ARM64)
+    retAddr = PacStripPtr(retAddr);
+    tailCallAwareRetAddr = PacStripPtr(tailCallAwareRetAddr);
+#endif // TARGET_ARM64
+
     LOG((LF_CORDB,LL_INFO1000, "ITCTR: ret addr is %p, tailcall aware ret addr is %p\n",
         retAddr, tailCallAwareRetAddr));
 

diff --git a/src/coreclr/inc/cfi.h b/src/coreclr/inc/cfi.h
@@ -9,7 +9,9 @@ enum CFI_OPCODE
 {
    CFI_ADJUST_CFA_OFFSET,    // Offset is adjusted relative to the current one.
    CFI_DEF_CFA_REGISTER,     // New register is used to compute CFA
-   CFI_REL_OFFSET            // Register is saved at offset from the current CFA
+   CFI_REL_OFFSET,           // Register is saved at offset from the current CFA
+   CFI_DEF_CFA,              // Used by ILC, not emitted by JIT
+   CFI_NEGATE_RA_STATE,      // Sign the return address in lr with pacibsp
 };
 
 struct CFI_CODE

diff --git a/src/coreclr/jit/codegenarm64.cpp b/src/coreclr/jit/codegenarm64.cpp
@@ -271,6 +271,8 @@ void CodeGen::genPopCalleeSavedRegistersAndFreeLclFrame(bool jmpEpilog)
         GetEmitter()->emitIns_R_R_I(INS_add, EA_PTRSIZE, REG_SPBASE, REG_SPBASE, spAdjust);
         compiler->unwindAllocStack(spAdjust);
     }
+
+    GetEmitter()->emitPacInEpilog();
 }
 
 //------------------------------------------------------------------------
@@ -1342,6 +1344,7 @@ void CodeGen::genFuncletProlog(BasicBlock* block)
     gcInfo.gcResetForBB();
 
     compiler->unwindBegProlog();
+    GetEmitter()->emitPacInProlog();
 
     regMaskTP maskSaveRegsFloat = genFuncletInfo.fiSaveRegs & RBM_ALLFLOAT;
     regMaskTP maskSaveRegsInt   = genFuncletInfo.fiSaveRegs & ~maskSaveRegsFloat;
@@ -1628,6 +1631,8 @@ void CodeGen::genFuncletEpilog()
         }
     }
 
+    GetEmitter()->emitPacInEpilog();
+
     inst_RV(INS_ret, REG_LR, TYP_I_IMPL);
     compiler->unwindReturn(REG_LR);
 

diff --git a/src/coreclr/jit/codegenarmarch.cpp b/src/coreclr/jit/codegenarmarch.cpp
@@ -4731,6 +4731,9 @@ void CodeGen::genPushCalleeSavedRegisters()
     }
 #endif // DEBUG
 
+    // Sign LR as part of Pointer Authentication (PAC) support
+    GetEmitter()->emitPacInProlog();
+
     // The frameType number is arbitrary, is defined below, and corresponds to one of the frame styles we
     // generate based on various sizes.
     int frameType = 0;

diff --git a/src/coreclr/jit/compiler.h b/src/coreclr/jit/compiler.h
@@ -8804,6 +8804,7 @@ class Compiler
     void unwindSaveRegPair(regNumber reg1, regNumber reg2, int offset);           // stp reg1, reg2, [sp, #offset]
     void unwindSaveRegPairPreindexed(regNumber reg1, regNumber reg2, int offset); // stp reg1, reg2, [sp, #offset]!
     void unwindSaveNext();                                                        // unwind code: save_next
+    void unwindPacSignLR();                                                       // unwind code: pac_sign_lr
     void unwindReturn(regNumber reg);                                             // ret lr
 #endif                                                                            // defined(TARGET_ARM64)
 

diff --git a/src/coreclr/jit/emit.h b/src/coreclr/jit/emit.h
@@ -3211,6 +3211,11 @@ class emitter
     instrDescAlign* emitNewInstrAlign();
 #endif
 
+#if defined(TARGET_ARM64)
+    void emitPacInProlog();
+    void emitPacInEpilog();
+#endif
+
     instrDesc* emitNewInstrSmall(emitAttr attr);
     instrDesc* emitNewInstr(emitAttr attr = EA_4BYTE);
     instrDesc* emitNewInstrSC(emitAttr attr, cnsval_ssize_t cns);

diff --git a/src/coreclr/jit/emitarm64.cpp b/src/coreclr/jit/emitarm64.cpp
@@ -1397,6 +1397,32 @@ static const char * const  bRegNames[] =
 
 // clang-format on
 
+//------------------------------------------------------------------------
+// emitPacInProlog: Sign LR as part of Pointer Authentication (PAC) support
+//
+void emitter::emitPacInProlog()
+{
+    if (JitConfig.JitPacEnabled() == 0)
+    {
+        return;
+    }
+    emitIns(INS_paciaz);
+    emitComp->unwindPacSignLR();
+}
+
+//------------------------------------------------------------------------
+// emitPacInEpilog: unsign LR as part of Pointer Authentication (PAC) support
+//
+void emitter::emitPacInEpilog()
+{
+    if (JitConfig.JitPacEnabled() == 0)
+    {
+        return;
+    }
+    emitIns(INS_autiaz);
+    emitComp->unwindPacSignLR();
+}
+
 //------------------------------------------------------------------------
 // emitRegName: Returns a general-purpose register name or SIMD and floating-point scalar register name.
 //

diff --git a/src/coreclr/jit/jitconfigvalues.h b/src/coreclr/jit/jitconfigvalues.h
@@ -125,6 +125,7 @@ CONFIG_STRING(JitInlineMethodsWithEHRange, "JitInlineMethodsWithEHRange")
 
 CONFIG_INTEGER(JitLongAddress, "JitLongAddress", 0) // Force using the large pseudo instruction form for long address
 CONFIG_INTEGER(JitMaxUncheckedOffset, "JitMaxUncheckedOffset", 8)
+RELEASE_CONFIG_INTEGER(JitPacEnabled, "JitPacEnabled", 1)
 
 //
 // MinOpts

diff --git a/src/coreclr/jit/unwind.cpp b/src/coreclr/jit/unwind.cpp
@@ -399,6 +399,11 @@ void Compiler::DumpCfiInfo(bool                  isHotCode,
                 assert(dwarfReg == DWARF_REG_ILLEGAL);
                 printf("    CodeOffset: 0x%02X Op: AdjustCfaOffset Offset:0x%X\n", codeOffset, offset);
                 break;
+            case CFI_NEGATE_RA_STATE:
+                assert(dwarfReg == DWARF_REG_ILLEGAL);
+                assert(offset == 0);
+                printf("    CodeOffset: 0x%02X Op: NegateRAState\n", codeOffset);
+                break;
             default:
                 printf("    Unrecognized CFI_CODE: 0x%llX\n", *(UINT64*)pCode);
                 break;

diff --git a/src/coreclr/jit/unwindarm64.cpp b/src/coreclr/jit/unwindarm64.cpp
@@ -635,6 +635,33 @@ void Compiler::unwindSaveNext()
     pu->AddCode(0xE6);
 }
 
+void Compiler::unwindPacSignLR()
+{
+    if (JitConfig.JitPacEnabled() == 0)
+    {
+        return;
+    }
+#if defined(FEATURE_CFI_SUPPORT)
+    if (generateCFIUnwindCodes())
+    {
+        FuncInfoDsc*   func     = funCurrentFunc();
+        UNATIVE_OFFSET cbProlog = 0;
+        if (compGeneratingProlog)
+        {
+            cbProlog = unwindGetCurrentOffset(func);
+        }
+
+        // Maps to DW_CFA_AARCH64_negate_ra_state
+        createCfiCode(func, cbProlog, CFI_NEGATE_RA_STATE, DWARF_REG_ILLEGAL);
+
+        return;
+    }
+#endif // FEATURE_CFI_SUPPORT
+
+    // pac_sign_lr: 11111100: sign the return address in lr with pacibsp
+    funCurrentFunc()->uwi.AddCode(0xFC);
+}
+
 void Compiler::unwindReturn(regNumber reg)
 {
     // Nothing to do; we will always have at least one trailing "end" opcode in our padding.
@@ -1081,6 +1108,12 @@ void DumpUnwindInfo(Compiler*         comp,
 
             printf("    %02X          save_next\n", b1);
         }
+        else if (b1 == 0xFC)
+        {
+            // pac_sign_lr: 11111100 : sign the return address in lr with pacibsp.
+
+            printf("    %02X          pac_sign_lr\n", b1);
+        }
         else
         {
             // Unknown / reserved unwind code

@@ -69,6 +69,10 @@ EXTERN_C CODE_LOCATION RhpRethrow2;
 #define FAILFAST_OR_DAC_FAIL_UNCONDITIONALLY(msg) { ASSERT_UNCONDITIONALLY(msg); RhFailFast(); }
 #endif
 
+#if defined(TARGET_ARM64)
+extern "C" void* PacStripPtr(void* ptr);
+#endif // TARGET_ARM64
+
 StackFrameIterator::StackFrameIterator(Thread * pThreadToWalk, PInvokeTransitionFrame* pInitialTransitionFrame)
 {
     STRESS_LOG0(LF_STACKWALK, LL_INFO10000, "----Init---- [ GC ]\n");
@@ -1790,7 +1794,11 @@ void StackFrameIterator::NextInternal()
         // if the thread is safe to walk, it better not have a hijack in place.
         ASSERT(!m_pThread->IsHijacked());
 
+#if defined(TARGET_ARM64)
+        SetControlPC(PacStripPtr(dac_cast<PTR_VOID>(PCODEToPINSTR(m_RegDisplay.GetIP()))));
+#else
         SetControlPC(dac_cast<PTR_VOID>(PCODEToPINSTR(m_RegDisplay.GetIP())));
+#endif // TARGET_ARM64
 
         PTR_VOID collapsingTargetFrame = NULL;
 
@@ -2121,6 +2129,10 @@ void StackFrameIterator::CalculateCurrentMethodState()
         return;
     }
 
+#if defined(TARGET_ARM64)
+    m_ControlPC = PacStripPtr(m_ControlPC);
+#endif // TARGET_ARM64
+
     // Assume that the caller is likely to be in the same module
     if (m_pCodeManager == NULL || !m_pCodeManager->FindMethodInfo(m_ControlPC, &m_methodInfo))
     {

@@ -3,3 +3,29 @@
 
 #include <unixasmmacros.inc>
 #include "AsmOffsets.inc"
+
+// void* PacStripPtr(void *);
+// This function strips the pointer of PAC info that is passed as an agrument.
+// To avoid failing on non-PAC enabled machines, we use xpaclri (instead of xpaci) which strips lr explicitly.
+// Thus we move need to move input in lr, strip it and copy it back to the result register.
+.arch_extension pauth
+    LEAF_ENTRY PacStripPtr, _TEXT
+        mov x9, lr
+        mov lr, x0
+        xpaclri
+        mov x0, lr
+        ret x9
+    LEAF_END PacStripPtr, _TEXT
+
+// void* PacSignPtr(void *);
+// This function sign the input pointer using zero as salt.
+// To avoid failing on non-PAC enabled machines, we use paciaz (instead of paciza) which signs lr explicitly.
+// Thus we need to move input in lr, sign it and then copy it back to the result register.
+.arch_extension pauth
+    LEAF_ENTRY PacSignPtr, _TEXT
+        mov x9, lr
+        mov lr, x0
+        paciaz
+        mov x0, lr
+        ret x9
+    LEAF_END PacSignPtr, _TEXT
@@ -5,4 +5,28 @@
 
     TEXTAREA
 
+; void* PacStripPtr(void *);
+; This function strips the pointer of PAC info that is passed as an agrument.
+; To avoid failing on non-PAC enabled machines, we use xpaclri (instead of xpaci) which strips lr explicitly.
+; Thus we move need to move input in lr, strip it and copy it back to the result register.
+    LEAF_ENTRY PacStripPtr
+        mov x9, lr
+        mov lr, x0
+        DCD     0xD50320FF  ; xpaclri instruction in binary to avoid error while compiling with non-PAC enabled compilers
+        mov x0, lr
+        ret     x9
+    LEAF_END PacStripPtr
+
+; void* PacSignPtr(void *);
+; This function sign the input pointer using zero as salt.
+; To avoid failing on non-PAC enabled machines, we use paciaz (instead of paciza) which signs lr explicitly.
+; Thus we need to move input in lr, sign it and then copy it back to the result register.
+    LEAF_ENTRY PacSignPtr
+        mov x9, lr
+        mov lr, x0
+        DCD 0xD503231F  ; paciaz instruction in binary to avoid error while compiling with non-PAC enabled compilers
+        mov x0, lr
+        ret x9
+    LEAF_END PacSignPtr
+
     end
@@ -38,6 +38,11 @@ static Thread* g_RuntimeInitializingThread;
 
 #endif //!DACCESS_COMPILE
 
+#if defined(TARGET_ARM64)
+extern "C" void* PacStripPtr(void* ptr);
+extern "C" void* PacSignPtr(void* ptr);
+#endif // TARGET_ARM64
+
 ee_alloc_context::PerThreadRandom::PerThreadRandom()
 {
     minipal_xoshiro128pp_init(&random_state, (uint32_t)PalGetTickCount64());
@@ -805,6 +810,10 @@ void Thread::HijackReturnAddressWorker(StackFrameIterator* frameIterator, Hijack
         CrossThreadUnhijack();
 
         void* pvRetAddr = *ppvRetAddrLocation;
+#if defined(TARGET_ARM64)
+        pvRetAddr = PacStripPtr(pvRetAddr);
+#endif // TARGET_ARM64
+
         ASSERT(pvRetAddr != NULL);
         ASSERT(StackFrameIterator::IsValidReturnAddress(pvRetAddr));
 
@@ -817,6 +826,9 @@ void Thread::HijackReturnAddressWorker(StackFrameIterator* frameIterator, Hijack
 #endif
 
         *ppvRetAddrLocation = (void*)pfnHijackFunction;
+#if defined(TARGET_ARM64)
+        *ppvRetAddrLocation = PacSignPtr(*ppvRetAddrLocation);
+#endif // TARGET_ARM64
 
         STRESS_LOG2(LF_STACKWALK, LL_INFO10000, "InternalHijack: TgtThread = %llx, IP = %p\n",
             GetPalThreadIdForLogging(), frameIterator->GetRegisterSet()->GetIP());
@@ -944,7 +956,11 @@ void Thread::UnhijackWorker()
 
     // Restore the original return address.
     ASSERT(m_ppvHijackedReturnAddressLocation != NULL);
+
     *m_ppvHijackedReturnAddressLocation = m_pvHijackedReturnAddress;
+#if defined(TARGET_ARM64)
+    *m_ppvHijackedReturnAddressLocation = PacSignPtr(*m_ppvHijackedReturnAddressLocation);
+#endif // TARGET_ARM64
 
     // Clear the hijack state.
     m_ppvHijackedReturnAddressLocation  = NULL;

@@ -11,6 +11,7 @@ internal enum CFI_OPCODE
         CFI_ADJUST_CFA_OFFSET,    // Offset is adjusted relative to the current one.
         CFI_DEF_CFA_REGISTER,     // New register is used to compute CFA
         CFI_REL_OFFSET,           // Register is saved at offset from the current CFA
-        CFI_DEF_CFA               // Take address from register and add offset to it.
+        CFI_DEF_CFA,              // Take address from register and add offset to it.
+        CFI_NEGATE_RA_STATE,      // Sign the return address in lr with pacibsp
     }
 }
@@ -113,6 +113,9 @@ private static byte[] CfiCodeToInstructions(DwarfCie cie, byte[] blobData)
                         cfaOffset = cfiOffset;
                         cfiCodeOffset += DwarfHelper.WriteULEB128(cfiCode.AsSpan(cfiCodeOffset), (uint)cfaOffset);
                         break;
+                    case CFI_OPCODE.CFI_NEGATE_RA_STATE:
+                        cfiCode[cfiCodeOffset++] = DW_CFA_AARCH64_negate_ra_state;
+                        break;
                 }
             }
 

@@ -844,6 +844,10 @@ private static uint GetArm64CompactUnwindCode(byte[] blobData)
                                     registerOffset[i] += cfiOffset;
                         }
                         break;
+
+                    case CFI_OPCODE.CFI_NEGATE_RA_STATE:
+                        // Nothing to compress here. It just has the code.
+                        break;
                 }
             }
 

@@ -89,7 +89,8 @@ private enum CFI_OPCODE
             CFI_ADJUST_CFA_OFFSET,    // Offset is adjusted relative to the current one.
             CFI_DEF_CFA_REGISTER,     // New register is used to compute CFA
             CFI_REL_OFFSET,           // Register is saved at offset from the current CFA
-            CFI_DEF_CFA               // Take address from register and add offset to it.
+            CFI_DEF_CFA,              // Take address from register and add offset to it.
+            CFI_NEGATE_RA_STATE,      // Sign the return address in lr with pacibsp
         }
 
         // Get the CFI data in the same shape as clang/LLVM generated one. This improves the compatibility with libunwind and other unwind solutions
@@ -173,6 +174,9 @@ private static byte[] CompressARM64CFI(byte[] blobData)
                             }
                         }
                         break;
+                    case CFI_OPCODE.CFI_NEGATE_RA_STATE:
+                        // Nothing to compress here. It just has the code.
+                        break;
                 }
             }
-Original file line number
+Diff line change
@@ Expand Up @@
                                         registerOffset[i] += cfiOffset;
                             }
                             break;
+                        case CFI_OPCODE.CFI_NEGATE_RA_STATE:
+                            // Nothing to compress here. It just has the code.
+                            break;
                     }
                 }
@@ Expand Down @@