Add support for LLVM ShadowCallStack.

[ivanloz]

LLVMs ShadowCallStack provides backward edge control flow integrity protection by using a separate shadow stack to store and retrieve a function's return address.

LLVM currently only supports this for AArch64 targets. The x18 register is used to hold the pointer to the shadow stack, and therefore this only works on ABIs which reserve x18. Further details are available in the LLVM ShadowCallStack docs.

Usage

-Zsanitizer=shadow-call-stack

Comments/Caveats

• Currently only enabled for the aarch64-linux-android target
• Requires the platform to define a runtime to initialize the shadow stack, see the LLVM docs for more detail.

[rust-highfive]

r? @compiler-errors

(rust-highfive has picked a reviewer for you, use r? to override)

[rust-highfive]

⚠️ Warning ⚠️

• These commits modify compiler targets. (See the Target Tier Policy.)

[compiler-errors]

I'm not an expert in codegen so passing this to another compiler person

r? rust-lang/compiler

[oli-obk]

cc @rust-lang/wg-llvm

[ivanloz]

Friendly ping for review? Thanks!

[oli-obk]

r? @nagisa

I don't really know enough about this to make a real decision.

[ivanloz]

Friendly ping for review, thanks!

[nikic]

Not familiar with this sanitizer, but the implementation looks fine to me. Only suggestion I'd make is to also add a #[no_sanitize(shadow-call-stack)] variant to your test -- for the unusual spelling if nothing else.

[nagisa]

Friendly ping for review, thanks!

FWIW I only really have time for reviews on the weekends, and summer is also a vacation season, so it might be some time before I can get to reviewing a PR.

[bors]

☔ The latest upstream changes (presumably #99422) made this pull request unmergeable. Please resolve the merge conflicts.

[ivanloz]

Thanks for the review! I believe I've addressed all the comments.

And also thanks for the heads up on when you're able to handle reviews -- totally understand and appreciate the value of recharging.

[nagisa]

@bors r+

[bors]

📌 Commit adf61e3 has been approved by nagisa

It is now in the queue for this repository.

[bors]

⌛ Testing commit adf61e3 with merge 93ffde6...

[bors]

☀️ Test successful - checks-actions
Approved by: nagisa
Pushing 93ffde6 to master...

[rust-timer]

Finished benchmarking commit (93ffde6): comparison url.

Instruction count

• Primary benchmarks: no relevant changes found
• Secondary benchmarks: 🎉 relevant improvement found

	mean1	max	count2
Regressions 😿 (primary)	N/A	N/A	0
Regressions 😿 (secondary)	N/A	N/A	0
Improvements 🎉 (primary)	N/A	N/A	0
Improvements 🎉 (secondary)	-0.4%	-0.4%	1
All 😿🎉 (primary)	N/A	N/A	0

Max RSS (memory usage)

Results

• Primary benchmarks: 😿 relevant regression found
• Secondary benchmarks: no relevant changes found

	mean1	max	count2
Regressions 😿 (primary)	2.4%	2.4%	1
Regressions 😿 (secondary)	N/A	N/A	0
Improvements 🎉 (primary)	N/A	N/A	0
Improvements 🎉 (secondary)	N/A	N/A	0
All 😿🎉 (primary)	2.4%	2.4%	1

Cycles

Results

• Primary benchmarks: 🎉 relevant improvement found
• Secondary benchmarks: 🎉 relevant improvements found

	mean1	max	count2
Regressions 😿 (primary)	N/A	N/A	0
Regressions 😿 (secondary)	N/A	N/A	0
Improvements 🎉 (primary)	-3.2%	-3.2%	1
Improvements 🎉 (secondary)	-2.7%	-3.4%	6
All 😿🎉 (primary)	-3.2%	-3.2%	1

If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf.

@rustbot label: -perf-regression

Footnotes

1. the arithmetic mean of the percent change ↩ ↩² ↩³

2. number of relevant changes ↩ ↩² ↩³