Use shadow stack to share variables between AOT and JIT.

When we trace code that contains pointers into the stack which are then
passed around, we can get into trouble after deoptimisation. This is
because a compiled trace has its own stack and references created inside
the trace point into its own stack. When these references are then
passed into another function which guard fails, we would have to
recreate those references with the AOT stack as a source and swap them
with the JIT references. Unfortunately, LLVM and stackmaps can't provide
us with enough information to do this.

An alternative solution is to create shadow stack on the heap which is
shared between AOT and JIT. So any references created inside the JIT
will point into the shadow stack, so when we deoptimise the references
are still valid. To do so we first create a shadow stack at the programs
entry point (typically `main`). Then, in each function, we replace the
`alloca`s with `getelemenptr` instructions which point at different
offsets into the shadow stack. Similar to the real stack, we need to
create stack frames before calls. We can do this by adjusting the offset
of a global before and after each call. At the beginning of each
function we can read this global to retrieve this function's stack frame
offset.

Author: ptersilie

llvm/include/llvm/Transforms/Yk/ShadowStack.h

@@ -0,0 +1,10 @@
+#ifndef LLVM_TRANSFORMS_YK_SHADOWSTACK_H
+#define LLVM_TRANSFORMS_YK_SHADOWSTACK_H
+
+#include "llvm/Pass.h"
+
+namespace llvm {
+ModulePass *createYkShadowStackPass();
+} // namespace llvm
+
+#endif

llvm/lib/CodeGen/TargetPassConfig.cpp

@@ -50,6 +50,7 @@
 #include "llvm/Transforms/Utils.h"
 #include "llvm/Transforms/Yk/BlockDisambiguate.h"
 #include "llvm/Transforms/Yk/ControlPoint.h"
+#include "llvm/Transforms/Yk/ShadowStack.h"
 #include "llvm/Transforms/Yk/Stackmaps.h"
 #include <cassert>
 #include <string>
@@ -275,6 +276,10 @@ static cl::opt<bool> YkPatchCtrlPoint("yk-patch-control-point", cl::init(false),
                                       cl::NotHidden,
                                       cl::desc("Patch yk_mt_control_point()"));
 
+static cl::opt<bool>
+    YkShadowStack("yk-shadow-stack", cl::init(false), cl::NotHidden,
+                  cl::desc("Use a shadow stack for stack values."));
+
 static cl::opt<bool>
     YkInsertStackMaps("yk-insert-stackmaps", cl::init(false), cl::NotHidden,
                       cl::desc("Insert stackmaps for JIT deoptimisation"));
@@ -1134,6 +1139,9 @@ bool TargetPassConfig::addISelPasses() {
   if (YkBlockDisambiguate)
     addPass(createYkBlockDisambiguatePass());
 
+  if (YkShadowStack) {
+    addPass(createYkShadowStackPass());
+  }
   // We insert the yk control point pass as late as possible. It has to run
   // before instruction selection (or the machine IR won't reflect our
   // patching), but after other passes which mutate the IR (e.g.
@@ -1145,11 +1153,13 @@ bool TargetPassConfig::addISelPasses() {
   // point could be changed, e.g. the control point's struct argument could be
   // decomposed into scalar arguments. The JIT runtime relies on the interface
   // *not* being changed.
-  if (YkPatchCtrlPoint)
+  if (YkPatchCtrlPoint) {
     addPass(createYkControlPointPass());
+  }
 
-  if (YkInsertStackMaps)
+  if (YkInsertStackMaps) {
     addPass(createYkStackmapsPass());
+  }
 
   addISelPrepare();
   return addCoreISelPasses();

llvm/lib/Transforms/Yk/CMakeLists.txt

@@ -3,6 +3,7 @@ add_llvm_component_library(LLVMYkPasses
   ControlPoint.cpp
   LivenessAnalysis.cpp
   StackMaps.cpp
+  ShadowStack.cpp
 
   DEPENDS
   intrinsics_gen

llvm/lib/Transforms/Yk/ShadowStack.cpp

@@ -0,0 +1,240 @@
+//===- ShadowStack.cpp - Pass to add shadow stacks to the AOT module --===//
+//
+// Add shadow stacks to store variables that may have their references taken.
+// Storing such variables on a shadow stack allows AOT to share them with
+// compiled traces, and back (i.e. references created inside a trace will still
+// be valid when we return from the trace via deoptimisation).
+// YKFIXME: This can be optimised by only putting variables on the shadow stack
+// that actually have their reference taken.
+
+#include "llvm/Transforms/Yk/ShadowStack.h"
+#include "llvm/IR/BasicBlock.h"
+#include "llvm/IR/DataLayout.h"
+#include "llvm/IR/Function.h"
+#include "llvm/IR/IRBuilder.h"
+#include "llvm/IR/Instructions.h"
+#include "llvm/IR/Module.h"
+#include "llvm/IR/Value.h"
+#include "llvm/IR/Verifier.h"
+#include "llvm/InitializePasses.h"
+#include "llvm/Pass.h"
+#include "llvm/Transforms/Yk/LivenessAnalysis.h"
+
+#include <map>
+
+#define DEBUG_TYPE "yk-shadowstack"
+#define YK_MT_NEW "yk_mt_new"
+#define G_SHADOW_STACK "shadowstack_0"
+// The size of the shadow stack. Defaults to 1MB.
+// YKFIXME: Make this adjustable by a compiler flag.
+#define SHADOW_STACK_SIZE 1000000
+
+using namespace llvm;
+
+namespace llvm {
+void initializeYkShadowStackPass(PassRegistry &);
+} // namespace llvm
+
+namespace {
+class YkShadowStack : public ModulePass {
+public:
+  static char ID;
+  YkShadowStack() : ModulePass(ID) {
+    initializeYkShadowStackPass(*PassRegistry::getPassRegistry());
+  }
+
+  // Checks whether the given instruction is the alloca of the call to
+  // `yk_mt_new`.
+  bool isYkMTNewAlloca(Instruction *I) {
+    for (User *U : I->users()) {
+      if (U && isa<StoreInst>(U)) {
+        Value *V = cast<StoreInst>(U)->getValueOperand();
+        if (isa<CallInst>(V)) {
+          CallInst *CI = cast<CallInst>(V);
+          if (CI->isInlineAsm())
+            return false;
+          if (!CI->getCalledFunction())
+            return false;
+          return (CI->getCalledFunction()->getName() == YK_MT_NEW);
+        }
+      }
+    }
+    return false;
+  }
+
+  bool runOnModule(Module &M) override {
+    LLVMContext &Context = M.getContext();
+
+    DataLayout DL(&M);
+    Type *Int8Ty = Type::getInt8Ty(Context);
+    Type *Int32Ty = Type::getInt32Ty(Context);
+    Type *PointerSizedIntTy = DL.getIntPtrType(Context);
+    Type *Int8PtrTy = Type::getInt8PtrTy(Context);
+
+    // Create a global variable which will store the pointer to the heap memory
+    // allocated for the shadow stack.
+    Constant *GShadowStackPtr = M.getOrInsertGlobal(G_SHADOW_STACK, Int8PtrTy);
+    GlobalVariable *GVar = M.getNamedGlobal(G_SHADOW_STACK);
+    GVar->setInitializer(
+        ConstantPointerNull::get(cast<PointerType>(Int8PtrTy)));
+
+    // We only need to create one shadow stack per module so we'll do this
+    // inside the module's entry point.
+    // YKFIXME: Investigate languages that don't have/use main as the first
+    // entry point.
+    Function *Main = M.getFunction("main");
+    if (Main == nullptr) {
+      Context.emitError(
+          "Unable to add shadow stack: could not find \"main\" function!");
+      return false;
+    }
+    Instruction *First = Main->getEntryBlock().getFirstNonPHI();
+    IRBuilder<> Builder(First);
+
+    // Now create some memory on the heap for the shadow stack.
+    FunctionCallee MF =
+        M.getOrInsertFunction("malloc", Int8PtrTy, PointerSizedIntTy);
+    CallInst *Malloc = Builder.CreateCall(
+        MF, {ConstantInt::get(PointerSizedIntTy, SHADOW_STACK_SIZE)}, "");
+    Builder.CreateStore(Malloc, GShadowStackPtr);
+
+    Value *SSPtr;
+    for (Function &F : M) {
+      if (F.empty()) // skip declarations.
+        continue;
+
+      if (&F != Main) {
+        // At the top of each function in the module, load the heap pointer
+        // from the global shadow stack variable.
+        Builder.SetInsertPoint(F.getEntryBlock().getFirstNonPHI());
+        SSPtr = Builder.CreateLoad(Int8PtrTy, GShadowStackPtr);
+      } else {
+        SSPtr = cast<Value>(Malloc);
+      }
+
+      size_t Offset = 0;
+      // Remember which allocas were replaced, so we can remove them later in
+      // one swoop. Removing them here messes up the loop.
+      std::vector<Instruction *> RemoveAllocas;
+      for (BasicBlock &BB : F) {
+        for (Instruction &I : BB) {
+          if (isa<AllocaInst>(I)) {
+            // Replace allocas with pointers into the shadow stack.
+            AllocaInst &AI = cast<AllocaInst>(I);
+            if (isYkMTNewAlloca(&AI)) {
+              // The variable created by `yk_mt_new` will never be traced, so
+              // there's no need to store it on the shadow stack.
+              continue;
+            }
+            if (isa<StructType>(AI.getAllocatedType())) {
+              StructType *ST = cast<StructType>(AI.getAllocatedType());
+              // Some yk specific variables that will never be traced and thus
+              // can live happily on the normal stack.
+              // YKFIXME: This is somewhat fragile since `struct.YkLocation` is
+              // a name given by LLVM which could theoretically change. Luckily,
+              // this should all go away once we only move variables to the
+              // shadowstack that have their reference taken.
+              if (ST->getName() == "YkCtrlPointVars" ||
+                  ST->getName() == "struct.YkLocation") {
+                continue;
+              }
+            }
+            Builder.SetInsertPoint(&I);
+            auto AllocaSizeInBits = AI.getAllocationSizeInBits(DL);
+            if (!AllocaSizeInBits) {
+              // YKFIXME: Deal with functions where the stack size isn't know at
+              // compile time, e.g. when `alloca` is used.
+              Context.emitError("Unable to add shadow stack: function has "
+                                "dynamically sized stack!");
+              return false;
+            }
+            // Calculate this `AllocaInst`s size and create a replacement
+            // pointer into the shadow stack.
+            size_t AllocaSize = *AllocaSizeInBits / 8;
+            GetElementPtrInst *GEP = GetElementPtrInst::Create(
+                Int8Ty, SSPtr, {ConstantInt::get(Int32Ty, Offset)}, "",
+                cast<Instruction>(&AI));
+            Builder.SetInsertPoint(GEP);
+            Builder.CreateBitCast(GEP, AI.getAllocatedType()->getPointerTo());
+            cast<Value>(I).replaceAllUsesWith(GEP);
+            RemoveAllocas.push_back(cast<Instruction>(&AI));
+            Offset += AllocaSize;
+          } else if (isa<CallInst>(I)) {
+            // When we see a call, we need make space for a new stack frame. We
+            // do this by simply adjusting the pointer stored in the global
+            // shadow stack. When the function returns the global is reset. This
+            // is similar to how the RSP is adjusted inside the
+            // prologue/epilogue of a function, but here the prologue/epilogue
+            // are handled by the caller.
+            CallInst &CI = cast<CallInst>(I);
+            if (&CI == Malloc) {
+              // Don't do this for the `malloc` that created the shadow stack.
+              continue;
+            }
+            // Inline asm can't be traced.
+            if (CI.isInlineAsm()) {
+              continue;
+            }
+
+            // YKFIXME: Skip functions that are marked with `yk_outline`
+            // (as those won't be traced and thus don't require a shadow
+            // stack).
+            // YKFIXME: Skip functions (direct or indirect) that we don't have
+            // IR for.
+
+            if (CI.getCalledFunction()) {
+              if (CI.getCalledFunction()->getName() == "pthread_create") {
+                // The global shadow stack needs to be thread local. In each new
+                // thread created we need to malloc a new shadow stack and
+                // assign it to that threads shadow stack global. Note: it's not
+                // enough to look for `pthread_create` in here, as this call
+                // could be hidden inside an external library.
+                Context.emitError(
+                    "Unable to add shadow stack: No support for threads yet!");
+                return false;
+              }
+              // Skip some known intrinsics. YKFIXME: Is there a more general
+              // solution, e.g. skip all intrinsics?
+              else if (CI.getCalledFunction()->getName() ==
+                       "llvm.experimental.stackmap") {
+                continue;
+              } else if (CI.getCalledFunction()->getName() ==
+                         "llvm.dbg.declare") {
+                continue;
+              }
+            }
+
+            // Adjust shadow stack pointer before a call, and reset it back to
+            // its previous value upon returning.
+            GetElementPtrInst *GEP = GetElementPtrInst::Create(
+                Int8Ty, SSPtr, {ConstantInt::get(Int32Ty, Offset)}, "", &I);
+            Builder.SetInsertPoint(&I);
+            Builder.CreateStore(GEP, GShadowStackPtr);
+            Builder.SetInsertPoint(I.getNextNonDebugInstruction());
+            Builder.CreateStore(SSPtr, GShadowStackPtr);
+          }
+        }
+      }
+      for (Instruction *I : RemoveAllocas) {
+        I->removeFromParent();
+      }
+      RemoveAllocas.clear();
+    }
+
+#ifndef NDEBUG
+    // Our pass runs after LLVM normally does its verify pass. In debug builds
+    // we run it again to check that our pass is generating valid IR.
+    if (verifyModule(M, &errs())) {
+      Context.emitError("ShadowStack insertion pass generated invalid IR!");
+      return false;
+    }
+#endif
+    return true;
+  }
+};
+} // namespace
+
+char YkShadowStack::ID = 0;
+INITIALIZE_PASS(YkShadowStack, DEBUG_TYPE, "yk shadowstack", false, false)
+
+ModulePass *llvm::createYkShadowStackPass() { return new YkShadowStack(); }