[AArch64][PAC] Prevent immediate modifier substitution of AUT/PAC

Expand `blend(addr, imm)` in AsmPrinter, so that the discriminator
cannot be changed between blending `imm` in `addr` and using the
discriminator for signing or authenticating a pointer.

For that purpose, a new PAC pseudo instruction is introduced that has
separate operands for register and immediate modifiers. Instruction
selection is refactored along the way, so that AUT and PAC instructions
are selected by tablegen-erated patterns (always with a zero immediate
modifier at first) and a unified fixupBlendComponents function is used
by a custom inserter to fetch operands of `blend()` when possible. Aside
from unification, this helps inspecting operands of blend operation that
is located in another basic block which can be tricky for DAGISel.

This patch is somewhat related to
llvm#132857.

Author: atrosinenko

llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp

@@ -170,6 +170,9 @@ class AArch64AsmPrinter : public AsmPrinter {
   // Emit the sequence for AUT or AUTPAC.
   void emitPtrauthAuthResign(const MachineInstr *MI);
 
+  // Emit the sequence for PAC.
+  void emitPtrauthSign(const MachineInstr *MI);
+
   // Emit the sequence to compute the discriminator.
   //
   // ScratchReg should be x16/x17.
@@ -2172,6 +2175,30 @@ void AArch64AsmPrinter::emitPtrauthAuthResign(const MachineInstr *MI) {
     OutStreamer->emitLabel(EndSym);
 }
 
+void AArch64AsmPrinter::emitPtrauthSign(const MachineInstr *MI) {
+  Register Val = MI->getOperand(1).getReg();
+  auto Key = (AArch64PACKey::ID)MI->getOperand(2).getImm();
+  uint64_t Disc = MI->getOperand(3).getImm();
+  Register AddrDisc = MI->getOperand(4).getReg();
+  // Can isKill() be reliably used at this point?
+
+  // Compute aut discriminator into x17
+  assert(isUInt<16>(Disc));
+  Register DiscReg = emitPtrauthDiscriminator(Disc, AddrDisc, AArch64::X17);
+  bool IsZeroDisc = DiscReg == AArch64::XZR;
+  unsigned Opc = getPACOpcodeForKey(Key, IsZeroDisc);
+
+  //  paciza x16      ; if  IsZeroDisc
+  //  pacia x16, x17  ; if !IsZeroDisc
+  MCInst PACInst;
+  PACInst.setOpcode(Opc);
+  PACInst.addOperand(MCOperand::createReg(Val));
+  PACInst.addOperand(MCOperand::createReg(Val));
+  if (!IsZeroDisc)
+    PACInst.addOperand(MCOperand::createReg(DiscReg));
+  EmitToStreamer(*OutStreamer, PACInst);
+}
+
 void AArch64AsmPrinter::emitPtrauthBranch(const MachineInstr *MI) {
   bool IsCall = MI->getOpcode() == AArch64::BLRA;
   unsigned BrTarget = MI->getOperand(0).getReg();
@@ -2866,6 +2893,10 @@ void AArch64AsmPrinter::emitInstruction(const MachineInstr *MI) {
     emitPtrauthAuthResign(MI);
     return;
 
+  case AArch64::PAC:
+    emitPtrauthSign(MI);
+    return;
+
   case AArch64::LOADauthptrstatic:
     LowerLOADauthptrstatic(*MI);
     return;

llvm/lib/Target/AArch64/AArch64ISelDAGToDAG.cpp

@@ -361,7 +361,6 @@ class AArch64DAGToDAGISel : public SelectionDAGISel {
 
   bool tryIndexedLoad(SDNode *N);
 
-  void SelectPtrauthAuth(SDNode *N);
   void SelectPtrauthResign(SDNode *N);
 
   bool trySelectStackSlotTagP(SDNode *N);
@@ -1520,28 +1519,6 @@ extractPtrauthBlendDiscriminators(SDValue Disc, SelectionDAG *DAG) {
       AddrDisc);
 }
 
-void AArch64DAGToDAGISel::SelectPtrauthAuth(SDNode *N) {
-  SDLoc DL(N);
-  // IntrinsicID is operand #0
-  SDValue Val = N->getOperand(1);
-  SDValue AUTKey = N->getOperand(2);
-  SDValue AUTDisc = N->getOperand(3);
-
-  unsigned AUTKeyC = cast<ConstantSDNode>(AUTKey)->getZExtValue();
-  AUTKey = CurDAG->getTargetConstant(AUTKeyC, DL, MVT::i64);
-
-  SDValue AUTAddrDisc, AUTConstDisc;
-  std::tie(AUTConstDisc, AUTAddrDisc) =
-      extractPtrauthBlendDiscriminators(AUTDisc, CurDAG);
-
-  SDValue X16Copy = CurDAG->getCopyToReg(CurDAG->getEntryNode(), DL,
-                                         AArch64::X16, Val, SDValue());
-  SDValue Ops[] = {AUTKey, AUTConstDisc, AUTAddrDisc, X16Copy.getValue(1)};
-
-  SDNode *AUT = CurDAG->getMachineNode(AArch64::AUT, DL, MVT::i64, Ops);
-  ReplaceNode(N, AUT);
-}
-
 void AArch64DAGToDAGISel::SelectPtrauthResign(SDNode *N) {
   SDLoc DL(N);
   // IntrinsicID is operand #0
@@ -5645,10 +5622,6 @@ void AArch64DAGToDAGISel::Select(SDNode *Node) {
       SelectTagP(Node);
       return;
 
-    case Intrinsic::ptrauth_auth:
-      SelectPtrauthAuth(Node);
-      return;
-
     case Intrinsic::ptrauth_resign:
       SelectPtrauthResign(Node);
       return;

llvm/lib/Target/AArch64/AArch64ISelLowering.cpp

@@ -3384,78 +3384,108 @@ static MachineInstr *stripAndAccumulateOffset(const MachineRegisterInfo &MRI,
   return nullptr;
 }
 
-static std::pair<Register, unsigned>
-detectBlendComponents(const MachineRegisterInfo &MRI, Register Reg) {
+void AArch64TargetLowering::fixupBlendComponents(
+    MachineInstr &It, MachineBasicBlock *BB, MachineOperand &IntDiscOp,
+    MachineOperand &AddrDiscOp) const {
+  const TargetInstrInfo *TII = Subtarget->getInstrInfo();
+  MachineRegisterInfo &MRI = It.getMF()->getRegInfo();
+  const DebugLoc &DL = It.getDebugLoc();
+
+  Register AddrDisc = AddrDiscOp.getReg();
+  int64_t IntDisc = IntDiscOp.getImm();
+  // If the immediate modifier is non-zero, no fixup needed.
+  if (IntDisc != 0)
+    return;
+
   int64_t Offset = 0;
-  MachineInstr *MaybeBlend = stripAndAccumulateOffset(MRI, Reg, Offset);
-  // This should be a plain copy, without adding any offset.
-  if (!MaybeBlend || Offset != 0)
-    return std::make_pair(Reg, 0);
+  MachineInstr *MaybeBlend = stripAndAccumulateOffset(MRI, AddrDisc, Offset);
 
+  // This should be a plain copy, without adding any offset.
   // Detect blend(addr, imm) which is lowered as MOVK addr, #imm, 48.
-  if (MaybeBlend->getOpcode() != AArch64::MOVKXi ||
-      MaybeBlend->getOperand(3).getImm() != 48)
-    return std::make_pair(Reg, 0);
+  if (MaybeBlend && Offset == 0 && MaybeBlend->getOpcode() == AArch64::MOVKXi &&
+      MaybeBlend->getOperand(3).getImm() == 48) {
+    AddrDisc = MaybeBlend->getOperand(1).getReg();
+    IntDisc = MaybeBlend->getOperand(2).getImm();
+  }
+
+  if (AddrDisc == AArch64::NoRegister)
+    AddrDisc = AArch64::XZR;
+
+  if (AddrDisc != AArch64::XZR) {
+    Register TmpReg = MRI.createVirtualRegister(&AArch64::GPR64noipRegClass);
+    BuildMI(*BB, It, DL, TII->get(AArch64::COPY), TmpReg).addReg(AddrDisc);
+    AddrDisc = TmpReg;
+  }
 
-  return std::make_pair(MaybeBlend->getOperand(1).getReg(),
-                        MaybeBlend->getOperand(2).getImm());
+  AddrDiscOp.setReg(AddrDisc);
+  IntDiscOp.setImm(IntDisc);
 }
 
 MachineBasicBlock *
-AArch64TargetLowering::tryRewritingPAC(MachineInstr &MI,
-                                       MachineBasicBlock *BB) const {
+AArch64TargetLowering::EmitAUTxMxN(MachineInstr &MI,
+                                   MachineBasicBlock *BB) const {
+  const TargetInstrInfo *TII = Subtarget->getInstrInfo();
+  const DebugLoc &DL = MI.getDebugLoc();
+
+  Register AuthVal = MI.getOperand(0).getReg();
+  Register Val = MI.getOperand(2).getReg();
+  unsigned Key = MI.getOperand(3).getImm();
+  int64_t IntDisc = MI.getOperand(4).getImm();
+  Register AddrDisc = MI.getOperand(5).getReg();
+
+  BuildMI(*BB, MI, DL, TII->get(AArch64::COPY), AArch64::X16).addReg(Val);
+  BuildMI(*BB, MI, DL, TII->get(AArch64::AUT))
+      .addImm(Key)
+      .addImm(IntDisc)
+      .addReg(AddrDisc);
+  BuildMI(*BB, MI, DL, TII->get(AArch64::COPY), AuthVal).addReg(AArch64::X16);
+
+  MI.eraseFromParent();
+  return BB;
+}
+
+void AArch64TargetLowering::tryRewritingPAC(MachineInstr &MI,
+                                            MachineBasicBlock *BB) const {
   const TargetInstrInfo *TII = Subtarget->getInstrInfo();
   MachineRegisterInfo &MRI = MI.getMF()->getRegInfo();
   const DebugLoc &DL = MI.getDebugLoc();
 
+  Register Val = MI.getOperand(1).getReg();
+  unsigned Key = MI.getOperand(2).getImm();
+  int64_t IntDisc = MI.getOperand(3).getImm();
+  Register AddrDisc = MI.getOperand(4).getReg();
+
   // Try to find a known address-setting instruction, accumulating the offset
   // along the way. If no known pattern is found, keep everything as-is.
 
   int64_t AddrOffset = 0;
-  MachineInstr *AddrDefInstr =
-      stripAndAccumulateOffset(MRI, MI.getOperand(1).getReg(), AddrOffset);
+  MachineInstr *AddrDefInstr = stripAndAccumulateOffset(MRI, Val, AddrOffset);
   if (!AddrDefInstr)
-    return BB;
+    return;
 
   unsigned NewOpcode;
   if (AddrDefInstr->getOpcode() == AArch64::LOADgotAUTH)
     NewOpcode = AArch64::LOADgotPAC;
   else if (AddrDefInstr->getOpcode() == AArch64::MOVaddr)
     NewOpcode = AArch64::MOVaddrPAC;
   else
-    return BB; // Unknown opcode.
+    return; // Unknown opcode.
 
   MachineOperand &AddrOp = AddrDefInstr->getOperand(1);
   unsigned TargetFlags = AddrOp.getTargetFlags() & ~AArch64II::MO_PAGE;
   const GlobalValue *GV = AddrOp.getGlobal();
   AddrOffset += AddrOp.getOffset();
 
-  // Analyze the discriminator operand.
-  Register OriginalDisc = isPACWithZeroDisc(MI.getOpcode())
-                              ? AArch64::XZR
-                              : MI.getOperand(2).getReg();
-  auto [AddrDisc, IntDisc] = detectBlendComponents(MRI, OriginalDisc);
-
-  // MOVaddrPAC and LOADgotPAC pseudos are expanded so that they use X16/X17
-  // internally, thus their restrictions on the register class of $AddrDisc
-  // operand are stricter than those of MOVKXi and PAC* instructions.
-  if (AddrDisc != AArch64::XZR) {
-    Register TmpReg = MRI.createVirtualRegister(&AArch64::GPR64noipRegClass);
-    BuildMI(*BB, MI, DL, TII->get(AArch64::COPY), TmpReg).addReg(AddrDisc);
-    AddrDisc = TmpReg;
-  }
-
   BuildMI(*BB, MI, DL, TII->get(NewOpcode))
       .addGlobalAddress(GV, AddrOffset, TargetFlags)
-      .addImm(getKeyForPACOpcode(MI.getOpcode()))
+      .addImm(Key)
       .addReg(AddrDisc)
       .addImm(IntDisc);
 
   BuildMI(*BB, MI, DL, TII->get(AArch64::COPY), MI.getOperand(0).getReg())
       .addReg(AArch64::X16);
 
   MI.removeFromParent();
-  return BB;
 }
 
 MachineBasicBlock *AArch64TargetLowering::EmitInstrWithCustomInserter(
@@ -3557,15 +3587,17 @@ MachineBasicBlock *AArch64TargetLowering::EmitInstrWithCustomInserter(
   case AArch64::MOVT_TIZ_PSEUDO:
     return EmitZTInstr(MI, BB, AArch64::MOVT_TIZ, /*Op0IsDef=*/true);
 
-  case AArch64::PACDA:
-  case AArch64::PACDB:
-  case AArch64::PACIA:
-  case AArch64::PACIB:
-  case AArch64::PACDZA:
-  case AArch64::PACDZB:
-  case AArch64::PACIZA:
-  case AArch64::PACIZB:
-    return tryRewritingPAC(MI, BB);
+  case AArch64::PAC:
+    fixupBlendComponents(MI, BB, MI.getOperand(3), MI.getOperand(4));
+    tryRewritingPAC(MI, BB);
+    return BB;
+  case AArch64::AUTxMxN:
+    fixupBlendComponents(MI, BB, MI.getOperand(4), MI.getOperand(5));
+    return EmitAUTxMxN(MI, BB);
+  case AArch64::AUTPAC:
+    fixupBlendComponents(MI, BB, MI.getOperand(1), MI.getOperand(2));
+    fixupBlendComponents(MI, BB, MI.getOperand(4), MI.getOperand(5));
+    return BB;
   }
 }
 

llvm/lib/Target/AArch64/AArch64ISelLowering.h

@@ -680,8 +680,13 @@ class AArch64TargetLowering : public TargetLowering {
   MachineBasicBlock *EmitGetSMESaveSize(MachineInstr &MI,
                                         MachineBasicBlock *BB) const;
 
-  MachineBasicBlock *tryRewritingPAC(MachineInstr &MI,
-                                     MachineBasicBlock *BB) const;
+  void fixupBlendComponents(MachineInstr &It, MachineBasicBlock *BB,
+                            MachineOperand &IntDiscOp,
+                            MachineOperand &AddrDiscOp) const;
+
+  MachineBasicBlock *EmitAUTxMxN(MachineInstr &MI, MachineBasicBlock *BB) const;
+
+  void tryRewritingPAC(MachineInstr &MI, MachineBasicBlock *BB) const;
 
   MachineBasicBlock *
   EmitInstrWithCustomInserter(MachineInstr &MI,

llvm/lib/Target/AArch64/AArch64InstrInfo.td

@@ -1815,6 +1815,8 @@ def PAUTH_PROLOGUE : Pseudo<(outs), (ins), []>, Sched<[]> {
 def PAUTH_EPILOGUE : Pseudo<(outs), (ins), []>, Sched<[]>;
 }
 
+def ScratchReg : OptionalDefOperand<OtherVT, (ops GPR64), (ops (i64 zero_reg))>;
+
 // These pointer authentication instructions require armv8.3a
 let Predicates = [HasPAuth] in {
 
@@ -1845,9 +1847,7 @@ let Predicates = [HasPAuth] in {
     def DZB  : SignAuthZero<prefix_z,  0b11, !strconcat(asm, "dzb"), op>;
   }
 
-  let usesCustomInserter = true in
-  defm PAC : SignAuth<0b000, 0b010, "pac", int_ptrauth_sign>;
-
+  defm PAC : SignAuth<0b000, 0b010, "pac", null_frag>;
   defm AUT : SignAuth<0b001, 0b011, "aut", null_frag>;
 
   def XPACI : ClearAuth<0, "xpaci">;
@@ -1953,6 +1953,39 @@ let Predicates = [HasPAuth] in {
     let Uses = [X16];
   }
 
+  // ScratchReg could be used by
+  // https://github.com/llvm/llvm-project/pull/132857.
+  def AUTxMxN : Pseudo<(outs GPR64:$AuthVal, GPR64:$ScratchWb),
+                       (ins GPR64:$Val, i32imm:$Key,
+                            i64imm:$Disc, GPR64:$AddrDisc, ScratchReg:$Scratch),
+                       [], "$AuthVal = $Val, $ScratchWb = $Scratch">,
+                Sched<[WriteI, ReadI]> {
+    let isCodeGenOnly = 1;
+    let hasSideEffects = 0;
+    let mayStore = 0;
+    let mayLoad = 0;
+    let Size = 32;
+    let Defs = [NZCV];
+    let usesCustomInserter = true;
+  }
+
+  def PAC : Pseudo<(outs GPR64:$SignedVal),
+                   (ins GPR64:$Val, i32imm:$Key, i64imm:$Disc, GPR64noip:$AddrDisc),
+                   [], "$SignedVal = $Val">, Sched<[WriteI, ReadI]> {
+    let isCodeGenOnly = 1;
+    let hasSideEffects = 0;
+    let mayStore = 0;
+    let mayLoad = 0;
+    let Size = 12;
+    let Defs = [X17];
+    let usesCustomInserter = true;
+  }
+
+  def : Pat<(int_ptrauth_auth GPR64:$Val, timm:$Key, GPR64:$AddrDisc),
+            (AUTxMxN GPR64:$Val, $Key, 0, GPR64:$AddrDisc)>;
+  def : Pat<(int_ptrauth_sign GPR64:$Val, timm:$Key, GPR64noip:$AddrDisc),
+            (PAC GPR64:$Val, $Key, 0, GPR64noip:$AddrDisc)>;
+
   // AUT and re-PAC a value, using different keys/data.
   // This directly manipulates x16/x17, which are the only registers the OS
   // guarantees are safe to use for sensitive operations.
@@ -1968,6 +2001,7 @@ let Predicates = [HasPAuth] in {
     let Size = 48;
     let Defs = [X16,X17,NZCV];
     let Uses = [X16];
+    let usesCustomInserter = true;
   }
 
   // Materialize a signed global address, with adrp+add and PAC.

llvm/lib/Target/AArch64/GISel/AArch64InstructionSelector.cpp

@@ -6726,30 +6726,6 @@ bool AArch64InstructionSelector::selectIntrinsic(MachineInstr &I,
     I.eraseFromParent();
     return true;
   }
-  case Intrinsic::ptrauth_auth: {
-    Register DstReg = I.getOperand(0).getReg();
-    Register ValReg = I.getOperand(2).getReg();
-    uint64_t AUTKey = I.getOperand(3).getImm();
-    Register AUTDisc = I.getOperand(4).getReg();
-
-    Register AUTAddrDisc = AUTDisc;
-    uint16_t AUTConstDiscC = 0;
-    std::tie(AUTConstDiscC, AUTAddrDisc) =
-        extractPtrauthBlendDiscriminators(AUTDisc, MRI);
-
-    MIB.buildCopy({AArch64::X16}, {ValReg});
-    MIB.buildInstr(TargetOpcode::IMPLICIT_DEF, {AArch64::X17}, {});
-    MIB.buildInstr(AArch64::AUT)
-        .addImm(AUTKey)
-        .addImm(AUTConstDiscC)
-        .addUse(AUTAddrDisc)
-        .constrainAllUses(TII, TRI, RBI);
-    MIB.buildCopy({DstReg}, Register(AArch64::X16));
-
-    RBI.constrainGenericRegister(DstReg, AArch64::GPR64RegClass, MRI);
-    I.eraseFromParent();
-    return true;
-  }
   case Intrinsic::frameaddress:
   case Intrinsic::returnaddress: {
     MachineFunction &MF = *I.getParent()->getParent();