
Arm64: [PAC-RET] NativeAOT changes #128950

Open

SwapnilGaikwad wants to merge 26 commits into dotnet:main from SwapnilGaikwad:github-aot-pac

Conversation

@SwapnilGaikwad (Contributor)

As suggested in [comment](dotnet#125436 (comment)), this PR covers the final subset of changes from #125436 related to NativeAOT.
It follows the previous work from #127949, #127838 and #128147.

More details on PAC and its role in software security can be found [here](https://llsoftsec.github.io/llsoftsecbook/#sec:pointer-authentication).

cc: @dotnet/arm64-contrib @a74nh @jkotas @dhartglassMSFT
dotnet-policy-service (bot) added the community-contribution label Jun 3, 2026

@dotnet-policy-service

Tagging subscribers to this area: @agocke, @dotnet/ilc-contrib
See info in area-owners.md if you want to be subscribed.

Comment thread src/coreclr/inc/daccess.h Outdated
jkotas (Member) commented Jun 11, 2026

/azp run runtime-nativeaot-outerloop

@azure-pipelines: Azure Pipelines successfully started running 1 pipeline(s).

jkotas (Member) commented Jun 12, 2026

Tests failing on linux-arm64 with

Debug Assertion Violation

Expression: 'IsUnwindable((PTR_VOID)pRegisterSet->IP)'

File: /__w/1/s/src/coreclr/nativeaot/Runtime/unix/UnixNativeCodeManager.cpp, Line: 1476

Comment thread src/coreclr/nativeaot/Runtime/unix/UnixNativeCodeManager.cpp
Comment thread src/coreclr/nativeaot/Runtime/unix/UnixNativeCodeManager.cpp Outdated
SwapnilGaikwad (Contributor, Author) commented Jun 16, 2026

The CdacTest failures on MacOS seem unrelated to the patch.

jkotas (Member) commented Jun 21, 2026

/azp run runtime-nativeaot-outerloop

@azure-pipelines: Azure Pipelines successfully started running 1 pipeline(s).

Comment thread src/coreclr/tools/aot/ILCompiler.RyuJit/JitInterface/CorInfoImpl.RyuJit.cs Outdated
jkotas (Member) commented Jun 28, 2026

Tests are crashing on linux-arm64 and osx-arm64

Add assert to ensure PAC is being emitted before stack adjustment

Change-Id: Ifb636d2bb3fd3c78d33274ea7786291b5ee83fd6
Change-Id: Ic64dd02db14e691d3ea88212544059e9d9892062
SwapnilGaikwad (Contributor, Author)

Tests are crashing on linux-arm64 and osx-arm64

These crashes came from changes to bail out if we interrupt on RET when PAC is enabled. Previously, the PR handled RET incorrectly in TrailingEpilogueInstructionsCount, which led to hijacking the current frame instead of the parent frame on return; the check has now been moved to the PAC-specific part.

return false;
}

// At RET, FP/LR/SP have already been restored to the caller state so

jkotas (Member)

Should this check be in TrailingEpilogueInstructionsCount so that all epilog-related checks are together?

SwapnilGaikwad (Contributor, Author)

True, it was in there before and returned 1 on the RET instruction (it cannot return 0/-1, as that means not in epilog/unknown). However, when PAC is disabled, it allowed hijacking the current frame when interrupted on the RET instruction. That caused the crashes we saw earlier. To keep PAC-related changes separate, I added them in the PAC-specific area. I can extract the RET check into a separate function for better readability.

#if defined(TARGET_ARM64)
if (pacPresent && epilogueInstructions != 0)
{
// In an epilog, LR/SP may already be partially restored. Avoid hijacking

jkotas (Member)

This looks like unreachable code. TrailingEpilogueInstructionsCount on Arm64 returns -1 or 0. We have checked for -1 above, so epilogueInstructions should be 0 here.

SwapnilGaikwad (Contributor, Author)

That's unreachable code now. epilogueInstructions == 0 would be true for regular hijacks in the function body, so having that check would bail out regular hijacks in the function body outside prolog/epilog. Removing the check as it's no longer needed.
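The review thread above turns on where in the epilogue a thread is interrupted: at RET, FP/LR/SP already describe the caller, and with PAC-RET the return address sitting in x30 is signed, so the runtime cannot simply redirect it. The following is an added example written for this page, not code from dotnet/runtime: a toy AArch64 epilogue classifier in C that decides whether a return-address hijack should patch the current frame's LR slot, patch the parent frame instead, or bail out. The instruction encodings (pacibsp, autibsp, ret, retab, stp/ldp x29,x30, add/sub sp) are the architectural ones; the function names (decide_hijack, trailing_epilogue_instructions), the decision policy and the two hand-assembled sample functions are this example's own assumptions, and the policy generalizes the thread's RET-only check to the whole epilogue. Prologues are not modelled.

```c
/* Added example for this thread, not dotnet/runtime code: a toy AArch64
 * epilogue classifier that decides how a return-address hijack should behave
 * depending on where the thread was interrupted. Instruction encodings are the
 * architectural ones; function names and the decision policy are this
 * example's own assumptions, not the runtime's API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INSN_PACIBSP 0xD503237Fu /* pacibsp: sign x30 with the B key, modifier sp */
#define INSN_AUTIBSP 0xD50323FFu /* autibsp: authenticate x30 */
#define INSN_RET     0xD65F03C0u /* ret */
#define INSN_RETAB   0xD65F0FFFu /* retab: authenticate, then return */
#define MAX_EPILOG_SCAN 8

typedef enum {
    HIJACK_CURRENT_FRAME, /* return address still lives in this frame's LR slot */
    HIJACK_PARENT_FRAME,  /* frame is (partly) torn down: redirect the caller instead */
    HIJACK_BAIL           /* cannot safely redirect here: leave the thread alone */
} HijackDecision;

/* ldp x29, x30, [sp], #imm (post-index) or ldp x29, x30, [sp, #imm] (signed offset) */
static bool is_ldp_fp_lr(uint32_t insn)
{
    uint32_t op = insn & 0xFFC07FFFu; /* mask out imm7 (bits 21..15) */
    return op == 0xA8C07BFDu || op == 0xA9407BFDu;
}

/* add sp, sp, #imm12 (no shift) */
static bool is_add_sp_imm(uint32_t insn) { return (insn & 0xFFC003FFu) == 0x910003FFu; }

static bool is_ret(uint32_t insn) { return insn == INSN_RET || insn == INSN_RETAB; }

/* -1 if pc is not inside a recognised epilogue, otherwise the number of
 * instructions from pc up to and including the RET. */
int trailing_epilogue_instructions(const uint32_t *code, size_t n, size_t pc)
{
    for (size_t i = pc, k = 0; i < n && k < MAX_EPILOG_SCAN; i++, k++) {
        if (is_ret(code[i]))
            return (int)k + 1;
        if (!is_ldp_fp_lr(code[i]) && !is_add_sp_imm(code[i]) && code[i] != INSN_AUTIBSP)
            return -1;
    }
    return -1;
}

/* True if the ldp that reloads x29/x30 is no longer ahead of pc, i.e. LR is
 * already back in the register and the stack slot is dead. */
static bool lr_already_reloaded(const uint32_t *code, size_t pc, int remaining)
{
    for (size_t i = pc; i < pc + (size_t)remaining; i++)
        if (is_ldp_fp_lr(code[i]))
            return false;
    return true;
}

HijackDecision decide_hijack(const uint32_t *code, size_t n, size_t pc, bool pac_present)
{
    if (pc >= n)
        return HIJACK_BAIL;
    if (is_ret(code[pc])) {
        /* FP/LR/SP already describe the caller. Patching "this" frame would hit a
         * dead slot; with PAC, x30 holds a signed value we cannot re-sign. */
        return pac_present ? HIJACK_BAIL : HIJACK_PARENT_FRAME;
    }
    int remaining = trailing_epilogue_instructions(code, n, pc);
    if (remaining < 0)
        return HIJACK_CURRENT_FRAME; /* plain function body: the LR slot is live */
    if (pac_present)
        return HIJACK_BAIL;          /* epilogue with a signed LR in flight */
    return lr_already_reloaded(code, pc, remaining) ? HIJACK_PARENT_FRAME
                                                    : HIJACK_CURRENT_FRAME;
}

/* Constructed sample functions (hand-assembled encodings, not taken from a real binary). */
const uint32_t sample_pac[] = {
    INSN_PACIBSP,
    0xA9BF7BFDu, /* stp x29, x30, [sp, #-16]! */
    0x910003FDu, /* mov x29, sp */
    0xD503201Fu, /* nop: stands in for the body */
    0xA8C17BFDu, /* ldp x29, x30, [sp], #16 */
    INSN_AUTIBSP,
    INSN_RET,
};
const size_t sample_pac_len = sizeof(sample_pac) / sizeof(sample_pac[0]);

const uint32_t sample_nopac[] = {
    0xD100C3FFu, /* sub sp, sp, #48 */
    0xA9027BFDu, /* stp x29, x30, [sp, #32] */
    0x910083FDu, /* add x29, sp, #32 */
    0xD503201Fu, /* nop: body */
    0xA9427BFDu, /* ldp x29, x30, [sp, #32] */
    0x9100C3FFu, /* add sp, sp, #48 */
    INSN_RET,
};
const size_t sample_nopac_len = sizeof(sample_nopac) / sizeof(sample_nopac[0]);

int main(void)
{
    static const char *names[] = { "current-frame", "parent-frame", "bail" };
    for (size_t pc = 0; pc < sample_pac_len; pc++)
        printf("pac   pc=%zu -> %s\n", pc, names[decide_hijack(sample_pac, sample_pac_len, pc, true)]);
    for (size_t pc = 0; pc < sample_nopac_len; pc++)
        printf("nopac pc=%zu -> %s\n", pc, names[decide_hijack(sample_nopac, sample_nopac_len, pc, false)]);
    return 0;
}
```

The point the table printed by main makes is the one jkotas and the author converge on: in the PAC-enabled sample every epilogue position, RET included, is a bail-out, while in the non-PAC sample the hijack target flips from the current frame to the parent frame at exactly the instruction after the ldp that reloads x30.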


Labels

area-NativeAOT-coreclr, community-contribution
