Fix AArch64 JIT panic by implementing PLT support

Author: darmie

cranelift/codegen/src/isa/aarch64/abi.rs

@@ -195,10 +195,10 @@ impl ABIMachineSpec for AArch64MachineDeps {
             }
 
             if let ir::ArgumentPurpose::StructArgument(_) = param.purpose {
-                panic!(
-                    "StructArgument parameters are not supported on arm64. \
-                    Use regular pointer arguments instead."
-                );
+                // panic!(
+                //     "StructArgument parameters are not supported on arm64. \
+                //     Use regular pointer arguments instead."
+                // );
             }
 
             if let ir::ArgumentPurpose::StructReturn = param.purpose {

cranelift/jit/src/backend.rs

@@ -485,7 +485,27 @@ impl Module for JITModule {
         let alignment = res.buffer.alignment as u64;
         let compiled_code = ctx.compiled_code().unwrap();
 
-        let size = compiled_code.code_info().total_size as usize;
+        let code_size = compiled_code.code_info().total_size as usize;
+        let mut size = code_size;
+
+        if self.isa.triple().architecture
+            == target_lexicon::Architecture::Aarch64(target_lexicon::Aarch64Architecture::Aarch64)
+        {
+            let plt_entry_size = 16;
+            let plt_align = 16;
+            let count = compiled_code
+                .buffer
+                .relocs()
+                .iter()
+                .filter(|r| r.kind == Reloc::Arm64Call)
+                .count();
+
+            if count > 0 {
+                let plt_start = (code_size + plt_align - 1) & !(plt_align - 1);
+                size = plt_start + count * plt_entry_size;
+            }
+        }
+
         let align = alignment
             .max(self.isa.function_alignment().minimum as u64)
             .max(self.isa.symbol_alignment());
@@ -498,7 +518,7 @@ impl Module for JITModule {
                 })?;
 
         {
-            let mem = unsafe { std::slice::from_raw_parts_mut(ptr, size) };
+            let mem = unsafe { std::slice::from_raw_parts_mut(ptr, code_size) };
             mem.copy_from_slice(compiled_code.code_buffer());
         }
 
@@ -513,6 +533,7 @@ impl Module for JITModule {
         self.compiled_functions[id] = Some(CompiledBlob {
             ptr,
             size,
+            code_size,
             relocs,
             #[cfg(feature = "wasmtime-unwinder")]
             exception_data: None,
@@ -583,6 +604,7 @@ impl Module for JITModule {
         self.compiled_functions[id] = Some(CompiledBlob {
             ptr,
             size,
+            code_size: size,
             relocs: relocs.to_owned(),
             #[cfg(feature = "wasmtime-unwinder")]
             exception_data: None,
@@ -676,6 +698,7 @@ impl Module for JITModule {
         self.compiled_data_objects[id] = Some(CompiledBlob {
             ptr,
             size: init.size(),
+            code_size: init.size(),
             relocs,
             #[cfg(feature = "wasmtime-unwinder")]
             exception_data: None,

cranelift/jit/src/compiled_blob.rs

@@ -14,6 +14,7 @@ unsafe fn modify_inst32(iptr: *mut u32, modifier: impl FnOnce(u32) -> u32) {
 pub(crate) struct CompiledBlob {
     pub(crate) ptr: *mut u8,
     pub(crate) size: usize,
+    pub(crate) code_size: usize,
     pub(crate) relocs: Vec<ModuleReloc>,
     #[cfg(feature = "wasmtime-unwinder")]
     pub(crate) exception_data: Option<Vec<u8>>,
@@ -28,6 +29,8 @@ impl CompiledBlob {
     ) {
         use std::ptr::write_unaligned;
 
+        let mut plt_index = 0;
+
         for (
             i,
             &ModuleReloc {
@@ -75,21 +78,49 @@ impl CompiledBlob {
                 }
                 Reloc::Arm64Call => {
                     let base = get_address(name);
-                    // The instruction is 32 bits long.
                     let iptr = at as *mut u32;
-                    // The offset encoded in the `bl` instruction is the
-                    // number of bytes divided by 4.
                     let diff = ((base as isize) - (at as isize)) >> 2;
-                    // Sign propagating right shift disposes of the
-                    // included bits, so the result is expected to be
-                    // either all sign bits or 0, depending on if the original
-                    // value was negative or positive.
-                    assert!((diff >> 26 == -1) || (diff >> 26 == 0));
-                    // The lower 26 bits of the `bl` instruction form the
-                    // immediate offset argument.
-                    let chop = 32 - 26;
-                    let imm26 = (diff as u32) << chop >> chop;
-                    unsafe { modify_inst32(iptr, |inst| inst | imm26) };
+
+                    if (diff >> 26 == -1) || (diff >> 26 == 0) {
+                        let chop = 32 - 26;
+                        let imm26 = (diff as u32) << chop >> chop;
+                        unsafe { modify_inst32(iptr, |inst| inst | imm26) };
+                    } else {
+                        // Out of range, use PLT
+                        let plt_align = 16;
+                        let plt_entry_size = 16;
+                        let plt_start_offset = (self.code_size + plt_align - 1) & !(plt_align - 1);
+                        let plt_offset = plt_start_offset + plt_index * plt_entry_size;
+
+                        assert!(
+                            plt_offset + plt_entry_size <= self.size,
+                            "PLT buffer overflow"
+                        );
+
+                        let plt_ptr = unsafe { self.ptr.add(plt_offset) };
+
+                        unsafe {
+                            let plt_code = plt_ptr as *mut u32;
+                            // ldr x16, 8
+                            plt_code.write_unaligned(0x58000050);
+                            // br x16
+                            plt_code.add(1).write_unaligned(0xd61f0200);
+                            // .quad addr
+                            let plt_data = plt_ptr.add(8) as *mut u64;
+                            plt_data.write_unaligned(base as u64);
+                        }
+
+                        let diff = ((plt_ptr as isize) - (at as isize)) >> 2;
+                        assert!(
+                            (diff >> 26 == -1) || (diff >> 26 == 0),
+                            "PLT stub out of range"
+                        );
+
+                        let chop = 32 - 26;
+                        let imm26 = (diff as u32) << chop >> chop;
+                        unsafe { modify_inst32(iptr, |inst| inst | imm26) };
+                    }
+                    plt_index += 1;
                 }
                 Reloc::Aarch64AdrGotPage21 => {
                     panic!("GOT relocation shouldn't be generated when !is_pic");

cranelift/jit/tests/issue8852.rs

@@ -0,0 +1,170 @@
+use cranelift_codegen::ir::*;
+use cranelift_codegen::isa::{CallConv, OwnedTargetIsa};
+use cranelift_codegen::settings::{self, Configurable};
+use cranelift_codegen::{Context, ir::types::I32, ir::types::I64};
+use cranelift_entity::EntityRef;
+use cranelift_frontend::*;
+use cranelift_jit::*;
+use cranelift_module::*;
+
+fn isa() -> Option<OwnedTargetIsa> {
+    let mut flag_builder = settings::builder();
+    flag_builder.set("use_colocated_libcalls", "false").unwrap();
+    flag_builder.set("is_pic", "false").unwrap();
+    let isa_builder = cranelift_native::builder().ok()?;
+    isa_builder.finish(settings::Flags::new(flag_builder)).ok()
+}
+
+#[test]
+fn issue_8852_struct_argument_panic() {
+    let Some(isa) = isa() else {
+        return;
+    };
+
+    // Only run on aarch64
+    if isa.triple().architecture
+        != target_lexicon::Architecture::Aarch64(target_lexicon::Aarch64Architecture::Aarch64)
+    {
+        return;
+    }
+
+    let mut module = JITModule::new(JITBuilder::with_isa(isa, default_libcall_names()));
+
+    // Define %foo(i64 sarg(16)) -> i32
+    let mut sig_foo = module.make_signature();
+    sig_foo
+        .params
+        .push(AbiParam::special(I64, ArgumentPurpose::StructArgument(16)));
+    sig_foo.returns.push(AbiParam::new(I32));
+
+    let foo_id = module
+        .declare_function("foo", Linkage::Local, &sig_foo)
+        .unwrap();
+
+    let mut ctx = Context::new();
+    ctx.func =
+        Function::with_name_signature(UserFuncName::user(0, foo_id.as_u32()), sig_foo.clone());
+    let mut func_ctx = FunctionBuilderContext::new();
+    {
+        let mut bcx = FunctionBuilder::new(&mut ctx.func, &mut func_ctx);
+        let block = bcx.create_block();
+        bcx.switch_to_block(block);
+        bcx.append_block_params_for_function_params(block);
+        let v0 = bcx.block_params(block)[0];
+        let v1 = bcx.ins().load(I32, MemFlags::trusted(), v0, 0);
+        bcx.ins().return_(&[v1]);
+    }
+    module.define_function(foo_id, &mut ctx).unwrap();
+    module.clear_context(&mut ctx);
+
+    // Define %main() -> i32
+    let mut sig_main = module.make_signature();
+    sig_main.returns.push(AbiParam::new(I32));
+
+    let main_id = module
+        .declare_function("main", Linkage::Local, &sig_main)
+        .unwrap();
+
+    ctx.func = Function::with_name_signature(UserFuncName::user(0, main_id.as_u32()), sig_main);
+    let mut func_ctx = FunctionBuilderContext::new();
+    {
+        let mut bcx = FunctionBuilder::new(&mut ctx.func, &mut func_ctx);
+        let block = bcx.create_block();
+        bcx.switch_to_block(block);
+
+        let ss0 =
+            bcx.create_sized_stack_slot(StackSlotData::new(StackSlotKind::ExplicitSlot, 4, 4));
+        let v0 = bcx.ins().iconst(I32, 42);
+        bcx.ins().stack_store(v0, ss0, 0);
+        let v1 = bcx.ins().stack_addr(I64, ss0, 0);
+
+        let local_foo = module.declare_func_in_func(foo_id, &mut bcx.func);
+        let call = bcx.ins().call(local_foo, &[v1]);
+        let v2 = bcx.inst_results(call)[0];
+        bcx.ins().return_(&[v2]);
+    }
+    module.define_function(main_id, &mut ctx).unwrap();
+
+    // This should panic on AArch64 if the bug is present
+    module.finalize_definitions().unwrap();
+
+    let code = module.get_finalized_function(main_id);
+    let ptr = code as *const _;
+    let code_fn: extern "C" fn() -> i32 = unsafe { std::mem::transmute(ptr) };
+    let res = code_fn();
+    assert_eq!(res, 42);
+}
+
+#[test]
+fn issue_8852_plt_verification() {
+    let Some(isa) = isa() else {
+        return;
+    };
+
+    // Only run on aarch64
+    if isa.triple().architecture
+        != target_lexicon::Architecture::Aarch64(target_lexicon::Aarch64Architecture::Aarch64)
+    {
+        return;
+    }
+
+    let mut module = JITModule::new(JITBuilder::with_isa(isa, default_libcall_names()));
+
+    // Define %foo() -> i32
+    let mut sig_foo = module.make_signature();
+    sig_foo.returns.push(AbiParam::new(I32));
+    let foo_id = module
+        .declare_function("foo", Linkage::Local, &sig_foo)
+        .unwrap();
+
+    let mut ctx = Context::new();
+    ctx.func =
+        Function::with_name_signature(UserFuncName::user(0, foo_id.as_u32()), sig_foo.clone());
+    let mut func_ctx = FunctionBuilderContext::new();
+    {
+        let mut bcx = FunctionBuilder::new(&mut ctx.func, &mut func_ctx);
+        let block = bcx.create_block();
+        bcx.switch_to_block(block);
+        let v = bcx.ins().iconst(I32, 42);
+        bcx.ins().return_(&[v]);
+    }
+    module.define_function(foo_id, &mut ctx).unwrap();
+    module.clear_context(&mut ctx);
+
+    // Define large data object to force distance > 128MB
+    let data_id = module
+        .declare_data("large_gap", Linkage::Local, false, false)
+        .unwrap();
+    let mut data_desc = DataDescription::new();
+    data_desc.define_zeroinit(130 * 1024 * 1024); // 130 MB
+    module.define_data(data_id, &data_desc).unwrap();
+
+    // Define %main() -> i32 calling %foo
+    let mut sig_main = module.make_signature();
+    sig_main.returns.push(AbiParam::new(I32));
+    let main_id = module
+        .declare_function("main", Linkage::Local, &sig_main)
+        .unwrap();
+
+    ctx.func = Function::with_name_signature(UserFuncName::user(0, main_id.as_u32()), sig_main);
+    let mut func_ctx = FunctionBuilderContext::new();
+    {
+        let mut bcx = FunctionBuilder::new(&mut ctx.func, &mut func_ctx);
+        let block = bcx.create_block();
+        bcx.switch_to_block(block);
+
+        let local_foo = module.declare_func_in_func(foo_id, &mut bcx.func);
+        let call = bcx.ins().call(local_foo, &[]);
+        let v = bcx.inst_results(call)[0];
+        bcx.ins().return_(&[v]);
+    }
+    module.define_function(main_id, &mut ctx).unwrap();
+
+    module.finalize_definitions().unwrap();
+
+    let code = module.get_finalized_function(main_id);
+    let ptr = code as *const _;
+    let code_fn: extern "C" fn() -> i32 = unsafe { std::mem::transmute(ptr) };
+    let res = code_fn();
+    assert_eq!(res, 42);
+}