dotnet · SwapnilGaikwad · Dec 6, 2024 · Jan 24, 2025 · Jan 24, 2025 · Jan 30, 2025
diff --git a/src/coreclr/debug/ee/controller.cpp b/src/coreclr/debug/ee/controller.cpp
@@ -21,6 +21,10 @@
 #include "../../vm/methoditer.h"
 #include "../../vm/tailcallhelp.h"
 
+#if defined(TARGET_ARM64)
+extern "C" void* PacStripPtr(void* ptr);
+#endif // TARGET_ARM64
+
 const char *GetTType( TraceType tt);
 
 #define IsSingleStep(exception) ((exception) == EXCEPTION_SINGLE_STEP)
@@ -5829,6 +5833,11 @@ static bool IsTailCall(const BYTE * ip, ControllerStackInfo* info, TailCallFunct
     TailCallTls* tls = GetThread()->GetTailCallTls();
     LPVOID tailCallAwareRetAddr = tls->GetFrame()->TailCallAwareReturnAddress;
 
+#if defined(TARGET_ARM64)
+    retAddr = PacStripPtr(retAddr);
+    tailCallAwareRetAddr = PacStripPtr(tailCallAwareRetAddr);
+#endif // TARGET_ARM64
+
     LOG((LF_CORDB,LL_INFO1000, "ITCTR: ret addr is %p, tailcall aware ret addr is %p\n",
         retAddr, tailCallAwareRetAddr));
 

diff --git a/src/coreclr/inc/cfi.h b/src/coreclr/inc/cfi.h
@@ -9,7 +9,9 @@ enum CFI_OPCODE
 {
    CFI_ADJUST_CFA_OFFSET,    // Offset is adjusted relative to the current one.
    CFI_DEF_CFA_REGISTER,     // New register is used to compute CFA
-   CFI_REL_OFFSET            // Register is saved at offset from the current CFA
+   CFI_REL_OFFSET,           // Register is saved at offset from the current CFA
+   CFI_DEF_CFA,              // Take address from register and add offset to it
+   CFI_NEGATE_RA_STATE,      // Sign the return address in lr with paciaz
 };
 
 struct CFI_CODE

diff --git a/src/coreclr/inc/clrconfigvalues.h b/src/coreclr/inc/clrconfigvalues.h
@@ -703,6 +703,7 @@ RETAIL_CONFIG_DWORD_INFO(EXTERNAL_EnableArm64Rcpc,              W("EnableArm64Rc
 RETAIL_CONFIG_DWORD_INFO(EXTERNAL_EnableArm64Rcpc2,             W("EnableArm64Rcpc2"),          1, "Allows Arm64 Rcpc2+ hardware intrinsics to be disabled")
 RETAIL_CONFIG_DWORD_INFO(EXTERNAL_EnableArm64Sve,               W("EnableArm64Sve"),            1, "Allows Arm64 SVE hardware intrinsics to be disabled")
 RETAIL_CONFIG_DWORD_INFO(EXTERNAL_EnableArm64Sve2,              W("EnableArm64Sve2"),           1, "Allows Arm64 SVE2 hardware intrinsics to be disabled")
+RETAIL_CONFIG_DWORD_INFO(EXTERNAL_JitPacEnabled,                W("JitPacEnabled"),             1, "Allows Arm64 Pointer Authentication (PAC) to be disabled")
 #elif defined(TARGET_RISCV64)
 RETAIL_CONFIG_DWORD_INFO(EXTERNAL_EnableRiscV64Zba,             W("EnableRiscV64Zba"),          1, "Allows RiscV64 Zba hardware intrinsics to be disabled")
 RETAIL_CONFIG_DWORD_INFO(EXTERNAL_EnableRiscV64Zbb,             W("EnableRiscV64Zbb"),          1, "Allows RiscV64 Zbb hardware intrinsics to be disabled")

diff --git a/src/coreclr/inc/gcinfodecoder.h b/src/coreclr/inc/gcinfodecoder.h
@@ -76,6 +76,10 @@ typedef void * OBJECTREF;
 
 #ifndef __cgencpu_h__
 
+#if defined(TARGET_ARM64)
+extern "C" void* PacStripPtr(void* ptr);
+#endif // TARGET_ARM64
+
 inline void SetIP(T_CONTEXT* context, PCODE rip)
 {
     _ASSERTE(!"don't call this");
@@ -105,7 +109,7 @@ inline PCODE GetIP(T_CONTEXT* context)
 #elif defined(TARGET_ARM)
     return (PCODE)context->Pc;
 #elif defined(TARGET_ARM64)
-    return (PCODE)context->Pc;
+    return (PCODE) PacStripPtr((void *)context->Pc);
 #elif defined(TARGET_LOONGARCH64)
     return (PCODE)context->Pc;
 #elif defined(TARGET_RISCV64)

diff --git a/src/coreclr/jit/codegenarm64.cpp b/src/coreclr/jit/codegenarm64.cpp
@@ -271,6 +271,8 @@ void CodeGen::genPopCalleeSavedRegistersAndFreeLclFrame(bool jmpEpilog)
         GetEmitter()->emitIns_R_R_I(INS_add, EA_PTRSIZE, REG_SPBASE, REG_SPBASE, spAdjust);
         compiler->unwindAllocStack(spAdjust);
     }
+
+    GetEmitter()->emitPacInEpilog();
 }
 
 //------------------------------------------------------------------------
@@ -1342,6 +1344,7 @@ void CodeGen::genFuncletProlog(BasicBlock* block)
     gcInfo.gcResetForBB();
 
     compiler->unwindBegProlog();
+    GetEmitter()->emitPacInProlog();
 
     regMaskTP maskSaveRegsFloat = genFuncletInfo.fiSaveRegs & RBM_ALLFLOAT;
     regMaskTP maskSaveRegsInt   = genFuncletInfo.fiSaveRegs & ~maskSaveRegsFloat;
@@ -1628,6 +1631,8 @@ void CodeGen::genFuncletEpilog()
         }
     }
 
+    GetEmitter()->emitPacInEpilog();
+
     inst_RV(INS_ret, REG_LR, TYP_I_IMPL);
     compiler->unwindReturn(REG_LR);
 

diff --git a/src/coreclr/jit/codegenarmarch.cpp b/src/coreclr/jit/codegenarmarch.cpp
@@ -4464,6 +4464,9 @@ void CodeGen::genPushCalleeSavedRegisters()
     }
 #endif // DEBUG
 
+    // Sign LR as part of Pointer Authentication (PAC) support
+    GetEmitter()->emitPacInProlog();
+
     // The frameType number is arbitrary, is defined below, and corresponds to one of the frame styles we
     // generate based on various sizes.
     int frameType = 0;

diff --git a/src/coreclr/jit/compiler.h b/src/coreclr/jit/compiler.h
@@ -8818,6 +8818,7 @@ class Compiler
     void unwindSaveRegPair(regNumber reg1, regNumber reg2, int offset);           // stp reg1, reg2, [sp, #offset]
     void unwindSaveRegPairPreindexed(regNumber reg1, regNumber reg2, int offset); // stp reg1, reg2, [sp, #offset]!
     void unwindSaveNext();                                                        // unwind code: save_next
+    void unwindPacSignLR();                                                       // unwind code: pac_sign_lr
     void unwindReturn(regNumber reg);                                             // ret lr
 #endif                                                                            // defined(TARGET_ARM64)
 

diff --git a/src/coreclr/jit/emit.h b/src/coreclr/jit/emit.h
@@ -3237,6 +3237,11 @@ class emitter
     instrDescAlign* emitNewInstrAlign();
 #endif
 
+#if defined(TARGET_ARM64)
+    void emitPacInProlog();
+    void emitPacInEpilog();
+#endif
+
     instrDesc* emitNewInstrSmall(emitAttr attr);
     instrDesc* emitNewInstr(emitAttr attr = EA_4BYTE);
     instrDesc* emitNewInstrSC(emitAttr attr, cnsval_ssize_t cns);

diff --git a/src/coreclr/jit/emitarm64.cpp b/src/coreclr/jit/emitarm64.cpp
@@ -1397,6 +1397,32 @@ static const char * const  bRegNames[] =
 
 // clang-format on
 
+//------------------------------------------------------------------------
+// emitPacInProlog: Sign LR as part of Pointer Authentication (PAC) support
+//
+void emitter::emitPacInProlog()
+{
+    if (JitConfig.JitPacEnabled() == 0)
+    {
+        return;
+    }
+    emitIns(INS_paciaz);
+    emitComp->unwindPacSignLR();
+}
+
+//------------------------------------------------------------------------
+// emitPacInEpilog: unsign LR as part of Pointer Authentication (PAC) support
+//
+void emitter::emitPacInEpilog()
+{
+    if (JitConfig.JitPacEnabled() == 0)
+    {
+        return;
+    }
+    emitIns(INS_autiaz);
+    emitComp->unwindPacSignLR();
+}
+
 //------------------------------------------------------------------------
 // emitRegName: Returns a general-purpose register name or SIMD and floating-point scalar register name.
 //

diff --git a/src/coreclr/jit/jitconfigvalues.h b/src/coreclr/jit/jitconfigvalues.h
@@ -125,6 +125,7 @@ CONFIG_STRING(JitInlineMethodsWithEHRange, "JitInlineMethodsWithEHRange")
 
 CONFIG_INTEGER(JitLongAddress, "JitLongAddress", 0) // Force using the large pseudo instruction form for long address
 CONFIG_INTEGER(JitMaxUncheckedOffset, "JitMaxUncheckedOffset", 8)
+RELEASE_CONFIG_INTEGER(JitPacEnabled, "JitPacEnabled", 1)
 
 //
 // MinOpts

diff --git a/src/coreclr/jit/unwind.cpp b/src/coreclr/jit/unwind.cpp
@@ -413,6 +413,11 @@ void Compiler::DumpCfiInfo(bool                  isHotCode,
                 assert(dwarfReg == DWARF_REG_ILLEGAL);
                 printf("    CodeOffset: 0x%02X Op: AdjustCfaOffset Offset:0x%X\n", codeOffset, offset);
                 break;
+            case CFI_NEGATE_RA_STATE:
+                assert(dwarfReg == DWARF_REG_ILLEGAL);
+                assert(offset == 0);
+                printf("    CodeOffset: 0x%02X Op: NegateRAState\n", codeOffset);
+                break;
             default:
                 printf("    Unrecognized CFI_CODE: 0x%llX\n", *(UINT64*)pCode);
                 break;

diff --git a/src/coreclr/jit/unwindarm64.cpp b/src/coreclr/jit/unwindarm64.cpp
@@ -635,6 +635,33 @@ void Compiler::unwindSaveNext()
     pu->AddCode(0xE6);
 }
 
+void Compiler::unwindPacSignLR()
+{
+    if (JitConfig.JitPacEnabled() == 0)
+    {
+        return;
+    }
+#if defined(FEATURE_CFI_SUPPORT)
+    if (generateCFIUnwindCodes())
+    {
+        FuncInfoDsc*   func     = funCurrentFunc();
+        UNATIVE_OFFSET cbProlog = 0;
+        if (compGeneratingProlog)
+        {
+            cbProlog = unwindGetCurrentOffset(func);
+        }
+
+        // Maps to DW_CFA_AARCH64_negate_ra_state
+        createCfiCode(func, cbProlog, CFI_NEGATE_RA_STATE, DWARF_REG_ILLEGAL);
+
+        return;
+    }
+#endif // FEATURE_CFI_SUPPORT
+
+    // pac_sign_lr: 11111100: sign the return address in lr with paciaz
+    funCurrentFunc()->uwi.AddCode(0xFC);
+}
+
 void Compiler::unwindReturn(regNumber reg)
 {
     // Nothing to do; we will always have at least one trailing "end" opcode in our padding.
@@ -1081,6 +1108,12 @@ void DumpUnwindInfo(Compiler*         comp,
 
             printf("    %02X          save_next\n", b1);
         }
+        else if (b1 == 0xFC)
+        {
+            // pac_sign_lr: 11111100 : sign the return address in lr with paciaz.
+
+            printf("    %02X          pac_sign_lr\n", b1);
+        }
         else
         {
             // Unknown / reserved unwind code

@@ -161,6 +161,11 @@ class ICodeManager
 
     virtual bool IsUnwindable(PTR_VOID pvAddress) PURE_VIRTUAL
 
+#ifdef TARGET_ARM64
+    virtual bool IsPacPresent(MethodInfo *    pMethodInfo,
+                              REGDISPLAY *    pRegisterSet ) PURE_VIRTUAL
+#endif
+
     virtual bool GetReturnAddressHijackInfo(MethodInfo *    pMethodInfo,
                                             REGDISPLAY *    pRegisterSet,          // in
                                             PTR_PTR_VOID *  ppvRetAddrLocation     // out

@@ -65,6 +65,10 @@ EXTERN_C CODE_LOCATION RhpRethrow2;
 #define FAILFAST_OR_DAC_FAIL_UNCONDITIONALLY(msg) { ASSERT_UNCONDITIONALLY(msg); RhFailFast(); }
 #endif
 
+#if defined(TARGET_ARM64)
+extern "C" void* PacStripPtr(void* ptr);
+#endif // TARGET_ARM64
+
 StackFrameIterator::StackFrameIterator(Thread * pThreadToWalk, PInvokeTransitionFrame* pInitialTransitionFrame)
 {
     STRESS_LOG0(LF_STACKWALK, LL_INFO10000, "----Init---- [ GC ]\n");
@@ -1786,7 +1790,11 @@ void StackFrameIterator::NextInternal()
         // if the thread is safe to walk, it better not have a hijack in place.
         ASSERT(!m_pThread->IsHijacked());
 
+#if defined(TARGET_ARM64)
+        SetControlPC(PacStripPtr(dac_cast<PTR_VOID>(PCODEToPINSTR(m_RegDisplay.GetIP()))));
+#else
         SetControlPC(dac_cast<PTR_VOID>(PCODEToPINSTR(m_RegDisplay.GetIP())));
+#endif // TARGET_ARM64
 
         PTR_VOID collapsingTargetFrame = NULL;
 
@@ -2117,6 +2125,10 @@ void StackFrameIterator::CalculateCurrentMethodState()
         return;
     }
 
+#if defined(TARGET_ARM64)
+    m_ControlPC = PacStripPtr(m_ControlPC);
+#endif // TARGET_ARM64
+
     // Assume that the caller is likely to be in the same module
     if (m_pCodeManager == NULL || !m_pCodeManager->FindMethodInfo(m_ControlPC, &m_methodInfo))
     {

@@ -107,6 +107,7 @@
     // Fix the stack by restoring the original return address
     //
     ldr         lr, [x2, #OFFSETOF__Thread__m_pvHijackedReturnAddress]
+    xpaclri
 
     //
     // Clear hijack state

@@ -116,6 +116,7 @@ PROBE_FRAME_SIZE    field 0
         ;; Fix the stack by restoring the original return address
         ;;
         ldr         lr, [x2, #OFFSETOF__Thread__m_pvHijackedReturnAddress]
+        DCD     0xD50320FF  ;; xpaclri instruction in binary to avoid error while compiling with non-PAC enabled compilers
 
         ;;
         ;; Clear hijack state

@@ -3,3 +3,29 @@
 
 #include <unixasmmacros.inc>
 #include "AsmOffsets.inc"
+
+// void* PacStripPtr(void *);
+// This function strips the pointer of PAC info that is passed as an agrument.
+// To avoid failing on non-PAC enabled machines, we use xpaclri (instead of xpaci) which strips lr explicitly.
+// Thus we move need to move input in lr, strip it and copy it back to the result register.
+.arch_extension pauth
+    LEAF_ENTRY PacStripPtr, _TEXT
+        mov x9, lr
+        mov lr, x0
+        xpaclri
+        mov x0, lr
+        ret x9
+    LEAF_END PacStripPtr, _TEXT
+
+// void* PacSignPtr(void *);
+// This function sign the input pointer using zero as salt.
+// To avoid failing on non-PAC enabled machines, we use paciaz (instead of paciza) which signs lr explicitly.
+// Thus we need to move input in lr, sign it and then copy it back to the result register.
+.arch_extension pauth
+    LEAF_ENTRY PacSignPtr, _TEXT
+        mov x9, lr
+        mov lr, x0
+        paciaz
+        mov x0, lr
+        ret x9
+    LEAF_END PacSignPtr, _TEXT
@@ -5,4 +5,28 @@
 
     TEXTAREA
 
+; void* PacStripPtr(void *);
+; This function strips the pointer of PAC info that is passed as an agrument.
+; To avoid failing on non-PAC enabled machines, we use xpaclri (instead of xpaci) which strips lr explicitly.
+; Thus we move need to move input in lr, strip it and copy it back to the result register.
+    LEAF_ENTRY PacStripPtr
+        mov x9, lr
+        mov lr, x0
+        DCD     0xD50320FF  ; xpaclri instruction in binary to avoid error while compiling with non-PAC enabled compilers
+        mov x0, lr
+        ret     x9
+    LEAF_END PacStripPtr
+
+; void* PacSignPtr(void *);
+; This function sign the input pointer using zero as salt.
+; To avoid failing on non-PAC enabled machines, we use paciaz (instead of paciza) which signs lr explicitly.
+; Thus we need to move input in lr, sign it and then copy it back to the result register.
+    LEAF_ENTRY PacSignPtr
+        mov x9, lr
+        mov lr, x0
+        DCD 0xD503231F  ; paciaz instruction in binary to avoid error while compiling with non-PAC enabled compilers
+        mov x0, lr
+        ret x9
+    LEAF_END PacSignPtr
+
     end
@@ -36,6 +36,11 @@ static Thread* g_RuntimeInitializingThread;
 
 #endif //!DACCESS_COMPILE
 
+#if defined(TARGET_ARM64)
+extern "C" void* PacSignPtr(void* ptr);
+extern "C" void* PacStripPtr(void* ptr);
+#endif // TARGET_ARM64
+
 ee_alloc_context::PerThreadRandom::PerThreadRandom()
 {
     minipal_xoshiro128pp_init(&random_state, (uint32_t)minipal_lowres_ticks());
@@ -809,8 +814,14 @@ void Thread::HijackReturnAddressWorker(StackFrameIterator* frameIterator, Hijack
         CrossThreadUnhijack();
 
         void* pvRetAddr = *ppvRetAddrLocation;
+
         ASSERT(pvRetAddr != NULL);
+
+#if defined(TARGET_ARM64)
+        ASSERT(StackFrameIterator::IsValidReturnAddress(PacStripPtr(pvRetAddr)));
+#else
         ASSERT(StackFrameIterator::IsValidReturnAddress(pvRetAddr));
+#endif // TARGET_ARM64
 
         m_ppvHijackedReturnAddressLocation = ppvRetAddrLocation;
         m_pvHijackedReturnAddress = pvRetAddr;
@@ -820,7 +831,14 @@ void Thread::HijackReturnAddressWorker(StackFrameIterator* frameIterator, Hijack
                                                                 frameIterator->GetRegisterSet()));
 #endif
 
-        *ppvRetAddrLocation = (void*)pfnHijackFunction;
+        void* pvHijackedAddr = (void*)pfnHijackFunction;
+#if defined(TARGET_ARM64)
+        if (frameIterator->GetCodeManager()->IsPacPresent(frameIterator->GetMethodInfo(), frameIterator->GetRegisterSet()))
+        {
+            pvHijackedAddr = PacSignPtr(pvHijackedAddr);
+        }
+#endif // TARGET_ARM64
+        *ppvRetAddrLocation = pvHijackedAddr;
 
         STRESS_LOG2(LF_STACKWALK, LL_INFO10000, "InternalHijack: TgtThread = %llx, IP = %p\n",
             GetPalThreadIdForLogging(), frameIterator->GetRegisterSet()->GetIP());
@@ -948,6 +966,7 @@ void Thread::UnhijackWorker()
 
     // Restore the original return address.
     ASSERT(m_ppvHijackedReturnAddressLocation != NULL);
+
     *m_ppvHijackedReturnAddressLocation = m_pvHijackedReturnAddress;
 
     // Clear the hijack state.
-Original file line number
+Diff line change
@@ Expand Up / @@ -107,6 +107,7 @@ @@
         // Fix the stack by restoring the original return address
         //
         ldr         lr, [x2, #OFFSETOF__Thread__m_pvHijackedReturnAddress]
+        xpaclri
         //
         // Clear hijack state
@@ Expand Down @@