Fixing remaining issues

Stop using unions to deal with the pointer auth cast semantics,
instead perform manual re-signing. This means the templated helper
functions no longer need to be templates and so don't need to be
in a separated non-extern "C" block.

Fixing up the comments.

Author: ojhunt

libcxxabi/include/__cxxabi_config.h

@@ -116,7 +116,9 @@
 #  define __ptrauth_cxxabi_lsd __ptrauth(ptrauth_key_process_dependent_data, 1, 0xE8EE)
 
 // ptrauth_string_discriminator("__cxa_exception::catchTemp") == 0xFA58
-#  define __ptrauth_cxxabi_catch_temp __ptrauth(ptrauth_key_process_dependent_data, 1, 0xFA58)
+#  define __ptrauth_cxxabi_catch_temp_disc 0xFA58
+#  define __ptrauth_cxxabi_catch_temp_key ptrauth_key_process_dependent_data
+#  define __ptrauth_cxxabi_catch_temp __ptrauth(__ptrauth_cxxabi_catch_temp_key, 1, __ptrauth_cxxabi_catch_temp_disc)
 
 // ptrauth_string_discriminator("__cxa_exception::adjustedPtr") == 0x99E4
 #  define __ptrauth_cxxabi_adjusted_ptr __ptrauth(ptrauth_key_process_dependent_data, 1, 0x99E4)

libcxxabi/src/cxa_exception.h

@@ -79,8 +79,8 @@ struct _LIBCXXABI_HIDDEN __cxa_exception {
 // http://sourcery.mentor.com/archives/cxx-abi-dev/msg01924.html
 // The layout of this structure MUST match the layout of __cxa_exception, with
 // primaryException instead of referenceCount.
-// The tags used in the pointer authentication qualifiers also need to match
-// those of the corresponding members in __cxa_exception.
+// The pointer authentication schemas specified here must also match those of
+// the corresponding members in __cxa_exception.
 struct _LIBCXXABI_HIDDEN __cxa_dependent_exception {
 #if defined(__LP64__) || defined(_WIN64) || defined(_LIBCXXABI_ARM_EHABI)
     void* reserve; // padding.
@@ -101,7 +101,6 @@ struct _LIBCXXABI_HIDDEN __cxa_dependent_exception {
     int propagationCount;
 #else
     int handlerSwitchValue;
-
     const unsigned char *__ptrauth_cxxabi_action_record actionRecord;
     const unsigned char *__ptrauth_cxxabi_lsd languageSpecificData;
     void *__ptrauth_cxxabi_catch_temp catchTemp;

libcxxabi/src/cxa_personality.cpp

@@ -575,9 +575,9 @@ typedef void *__ptrauth_scan_results_landingpad landing_pad_ptr_t;
 struct scan_results
 {
     int64_t        ttypeIndex;   // > 0 catch handler, < 0 exception spec handler, == 0 a cleanup
-    action_ptr_t actionRecord;   // Currently unused.  Retained to ease future maintenance.
-    lsd_ptr_t languageSpecificData; // Needed only for __cxa_call_unexpected
-    landing_pad_t landingPad;       // null -> nothing found, else something found
+    action_ptr_t   actionRecord; // Currently unused.  Retained to ease future maintenance.
+    lsd_ptr_t      languageSpecificData; // Needed only for __cxa_call_unexpected
+    landing_pad_t  landingPad;   // null -> nothing found, else something found
     void*          adjustedPtr;  // Used in cxa_exception.cpp
     _Unwind_Reason_Code reason;  // One of _URC_FATAL_PHASE1_ERROR,
                                  //        _URC_FATAL_PHASE2_ERROR,
@@ -586,38 +586,7 @@ struct scan_results
 };
 
 }  // unnamed namespace
-} // extern "C"
-
-#if !defined(_LIBCXXABI_ARM_EHABI)
-namespace {
-// The logical model for casting authenticated function pointers makes
-// it impossible to directly cast them without breaking the authentication,
-// as a result we need this pair of helpers.
-//
-// __ptrauth_nop_cast cannot be used here as the authentication schemas include
-// address diversification.
-template <typename PtrType>
-void set_landing_pad_as_ptr(scan_results& results, const PtrType& landingPad) {
-  union {
-    landing_pad_t* as_landing_pad;
-    landing_pad_ptr_t* as_pointer;
-  } u;
-  u.as_landing_pad = &results.landingPad;
-  *u.as_pointer = landingPad;
-}
 
-static const landing_pad_ptr_t& get_landing_pad_as_ptr(const scan_results& results) {
-  union {
-    const landing_pad_t* as_landing_pad;
-    const landing_pad_ptr_t* as_pointer;
-  } u;
-  u.as_landing_pad = &results.landingPad;
-  return *u.as_pointer;
-}
-} // unnamed namespace
-#endif
-
-extern "C" {
 static
 void
 set_registers(_Unwind_Exception* unwind_exception, _Unwind_Context* context,
@@ -638,10 +607,14 @@ set_registers(_Unwind_Exception* unwind_exception, _Unwind_Context* context,
   // We manually re-sign the IP as the __ptrauth qualifiers cannot
   // express the required relationship with the destination address
   const auto existingDiscriminator =
-      ptrauth_blend_discriminator(&results.landingPad, __ptrauth_scan_results_landingpad_disc);
+      ptrauth_blend_discriminator(&results.landingPad,
+                                  __ptrauth_scan_results_landingpad_disc);
   unw_word_t newIP /* opaque __ptrauth(ptrauth_key_return_address, stackPointer, 0) */ =
-      (unw_word_t)ptrauth_auth_and_resign(*(void* const*)&results.landingPad, __ptrauth_scan_results_landingpad_key,
-                                          existingDiscriminator, ptrauth_key_return_address, stackPointer);
+      (unw_word_t)ptrauth_auth_and_resign(*(void* const*)&results.landingPad,
+                                          __ptrauth_scan_results_landingpad_key,
+                                          existingDiscriminator,
+                                          ptrauth_key_return_address,
+                                          stackPointer);
   _Unwind_SetIP(context, newIP);
 #else
   _Unwind_SetIP(context, results.landingPad);
@@ -991,6 +964,57 @@ _UA_CLEANUP_PHASE
 */
 
 #if !defined(_LIBCXXABI_ARM_EHABI)
+
+// We use these helper functions to work around the behavior of casting between
+// integers (even those that are authenticated) and authenticated pointers.
+// Because the schemas being used are address discriminated we cannot use a
+// trivial value union to coerce the types so instead we perform the re-signing
+// manually.
+using __cxa_catch_temp_type = decltype(__cxa_exception::catchTemp);
+static inline void set_landing_pad(scan_results& results,
+                                   const __cxa_catch_temp_type& source) {
+#if __has_feature(ptrauth_calls)
+  const uintptr_t sourceDiscriminator =
+      ptrauth_blend_discriminator(&source, __ptrauth_cxxabi_catch_temp_disc);
+  const uintptr_t targetDiscriminator =
+      ptrauth_blend_discriminator(&results.landingPad,
+                                  __ptrauth_scan_results_landingpad_disc);
+  uintptr_t reauthenticatedLandingPad =
+      (uintptr_t)ptrauth_auth_and_resign(*reinterpret_cast<void* const*>(&source),
+                                         __ptrauth_cxxabi_catch_temp_key,
+                                         sourceDiscriminator,
+                                         __ptrauth_scan_results_landingpad_key,
+                                         targetDiscriminator);
+  memmove(reinterpret_cast<void *>(&results.landingPad),
+          reinterpret_cast<void *>(&reauthenticatedLandingPad),
+          sizeof(reauthenticatedLandingPad));
+#else
+  results.landingPad = reinterpret_cast<landing_pad_t>(source);
+#endif
+}
+
+static inline void get_landing_pad(__cxa_catch_temp_type &dest,
+                                   const scan_results &results) {
+#if __has_feature(ptrauth_calls)
+  const uintptr_t sourceDiscriminator =
+      ptrauth_blend_discriminator(&results.landingPad,
+                                  __ptrauth_scan_results_landingpad_disc);
+  const uintptr_t targetDiscriminator =
+      ptrauth_blend_discriminator(&dest, __ptrauth_cxxabi_catch_temp_disc);
+  uintptr_t reauthenticatedPointer =
+      (uintptr_t)ptrauth_auth_and_resign(*reinterpret_cast<void* const*>(&results.landingPad),
+                                         __ptrauth_scan_results_landingpad_key,
+                                         sourceDiscriminator,
+                                         __ptrauth_cxxabi_catch_temp_key,
+                                         targetDiscriminator);
+  memmove(reinterpret_cast<void *>(&dest),
+          reinterpret_cast<void *>(&reauthenticatedPointer),
+          sizeof(reauthenticatedPointer));
+#else
+  dest = reinterpret_cast<__cxa_catch_temp_type>(results.landingPad);
+#endif
+}
+
 #ifdef __WASM_EXCEPTIONS__
 _Unwind_Reason_Code __gxx_personality_wasm0
 #elif defined(__SEH__) && !defined(__USING_SJLJ_EXCEPTIONS__)
@@ -1023,7 +1047,7 @@ __gxx_personality_v0
         results.ttypeIndex = exception_header->handlerSwitchValue;
         results.actionRecord = exception_header->actionRecord;
         results.languageSpecificData = exception_header->languageSpecificData;
-        set_landing_pad_as_ptr(results, exception_header->catchTemp);
+        set_landing_pad(results, exception_header->catchTemp);
         results.adjustedPtr = exception_header->adjustedPtr;
 
         // Jump to the handler.
@@ -1057,7 +1081,7 @@ __gxx_personality_v0
             exc->handlerSwitchValue = static_cast<int>(results.ttypeIndex);
             exc->actionRecord = results.actionRecord;
             exc->languageSpecificData = results.languageSpecificData;
-            exc->catchTemp = get_landing_pad_as_ptr(results);
+            get_landing_pad(exc->catchTemp, results);
             exc->adjustedPtr = results.adjustedPtr;
 #ifdef __WASM_EXCEPTIONS__
             // Wasm only uses a single phase (_UA_SEARCH_PHASE), so save the

libunwind/include/__libunwind_config.h

@@ -73,11 +73,11 @@
 #  define _LIBUNWIND_HIGHEST_DWARF_REGISTER _LIBUNWIND_HIGHEST_DWARF_REGISTER_PPC
 # elif defined(__aarch64__)
 #  define _LIBUNWIND_TARGET_AARCH64 1
-#  define _LIBUNWIND_CONTEXT_SIZE 67
+#define _LIBUNWIND_CONTEXT_SIZE 67
 #  if defined(__SEH__)
 #    define _LIBUNWIND_CURSOR_SIZE 164
 #  else
-#    define _LIBUNWIND_CURSOR_SIZE 79
+#define _LIBUNWIND_CURSOR_SIZE 79
 #  endif
 #  define _LIBUNWIND_HIGHEST_DWARF_REGISTER _LIBUNWIND_HIGHEST_DWARF_REGISTER_ARM64
 # elif defined(__arm__)
@@ -216,7 +216,7 @@
 #  define _LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING 1
 #elif __has_feature(ptrauth_calls) != __has_feature(ptrauth_returns)
 #  error "Either both or none of ptrauth_calls and ptrauth_returns "\
-           "is allowed to be enabled"
+         "is allowed to be enabled"
 #endif
 
 #endif // ____LIBUNWIND_CONFIG_H__

libunwind/include/libunwind.h

@@ -127,6 +127,7 @@
 
 #else
 
+  #define __unwind_ptrauth_restricted_intptr(...)
   #define __ptrauth_unwind_upi_handler
   #define __ptrauth_unwind_upi_handler_intptr
   #define __ptrauth_unwind_upi_startip
@@ -142,6 +143,7 @@
   #define __ptrauth_unwind_uis_compact_unwind_section
   #define __ptrauth_unwind_uis_compact_unwind_section_length
   #define __ptrauth_unwind_cie_info_personality
+
 #endif
 
 #if defined(_WIN32) && defined(__SEH__)
@@ -197,8 +199,8 @@ struct unw_proc_info_t {
   unw_word_t __ptrauth_unwind_upi_handler_intptr handler;
   unw_word_t  gp;                                   /* not used */
   unw_word_t __ptrauth_unwind_upi_flags flags;      /* not used */
-  uint32_t    format;                               /* compact unwind encoding, or zero if none */
-  uint32_t    unwind_info_size;                     /* size of DWARF unwind info, or zero if none */
+  uint32_t   format;                                /* compact unwind encoding, or zero if none */
+  uint32_t   unwind_info_size;                      /* size of DWARF unwind info, or zero if none */
   unw_word_t __ptrauth_unwind_upi_info unwind_info; /* address of DWARF unwind info, or zero */
   unw_word_t __ptrauth_unwind_upi_extra extra;      /* mach_header of mach-o image containing func */
 };

libunwind/src/CompactUnwinder.hpp

@@ -601,12 +601,16 @@ int CompactUnwinder_arm64<A>::stepWithCompactEncodingFrameless(
     savedRegisterLoc -= 8;
   }
 
+  // We load the link register prior to setting the new SP as the authentication
+  // schema for LR entangles the SP of the old frame into the diversifier.
   Registers_arm64::reg_t linkRegister = registers.getRegister(UNW_AARCH64_LR);
 
   // subtract stack size off of sp
   registers.setSP(savedRegisterLoc);
 
-  // set pc to be value in lr
+  // Set pc to be value in lr. This needs to be performed after the new SP has
+  // been set, as the PC authentication schema entangles the SP of the new
+  // frame.
   registers.setIP(linkRegister);
 
   return UNW_STEP_SUCCESS;
@@ -684,13 +688,14 @@ int CompactUnwinder_arm64<A>::stepWithCompactEncodingFrame(
 
   Registers_arm64::reg_t fp = registers.getFP();
 
-  // old sp is fp less saved fp and lr. Set this before LR because in arm64e
-  // it's the authentication discriminator.
-  registers.setSP(fp + 16);
-
   // fp points to old fp
   registers.setFP(addressSpace.get64(fp));
 
+  // Old sp is fp less saved fp and lr. We need to set this prior to setting
+  // the lr as the pointer authentication schema for the lr incorporates the
+  // sp as part of the diversifier.
+  registers.setSP(fp + 16);
+
   // pop return address into pc
   registers.setIP(addressSpace.get64(fp + 8));
 

libunwind/src/DwarfParser.hpp

@@ -23,6 +23,10 @@
 
 #include "config.h"
 
+#if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
+#include <ptrauth.h>
+#endif
+
 namespace libunwind {
 
 /// CFI_Parser does basic parsing of a CFI (Call Frame Information) records.
@@ -314,18 +318,6 @@ bool CFI_Parser<A>::findFDE(A &addressSpace, pint_t pc, pint_t ehSectionStart,
   }
   return false;
 }
-namespace {
-// This helper function handles setting the manually signed personality on
-// CIE_Info without attempt to authenticate and/or re-sign
-template <typename CIE_Info, typename T>
-[[maybe_unused]] void set_cie_info_personality(CIE_Info *info,
-                                               T signed_personality) {
-  static_assert(sizeof(info->personality) == sizeof(signed_personality),
-                "Signed personality is the wrong size");
-  memmove((void *)&info->personality, (void *)&signed_personality,
-          sizeof(signed_personality));
-}
-}
 
 /// Extract info from a CIE
 template <typename A>
@@ -420,7 +412,10 @@ const char *CFI_Parser<A>::parseCIE(A &addressSpace, pint_t cie,
           personality = (pint_t)signedPtr;
         }
 #endif
-        set_cie_info_personality(cieInfo, personality);
+        // We use memmove to set the CIE personality as we have already
+        // re-signed the pointer to the correct schema.
+        memmove((void *)&cieInfo->personality, (void *)&personality,
+                sizeof(personality));
         break;
       }
       case 'L':

libunwind/src/Registers.hpp

@@ -1950,7 +1950,7 @@ inline Registers_arm64::Registers_arm64(const void *registers) {
   // authenticating so that we maintain the signature for the resigning
   // performed by setIP.
   uint64_t pcRegister = 0;
-  memcpy(&pcRegister, ((uint8_t *)&_registers) + offsetof(GPRs, __pc),
+  memmove(&pcRegister, ((uint8_t *)&_registers) + offsetof(GPRs, __pc),
          sizeof(pcRegister));
   setIP(pcRegister);
 #endif
@@ -1962,9 +1962,9 @@ inline Registers_arm64::Registers_arm64(const Registers_arm64 &other) {
 
 inline Registers_arm64 &
 Registers_arm64::operator=(const Registers_arm64 &other) {
-  memcpy(&_registers, &other._registers, sizeof(_registers));
-  memcpy(_vectorHalfRegisters, &other._vectorHalfRegisters,
-         sizeof(_vectorHalfRegisters));
+  memmove(&_registers, &other._registers, sizeof(_registers));
+  memmove(_vectorHalfRegisters, &other._vectorHalfRegisters,
+          sizeof(_vectorHalfRegisters));
 #if defined(_LIBUNWIND_TARGET_AARCH64_AUTHENTICATED_UNWINDING)
   // We perform this step to ensure that we correctly authenticate and re-sign
   // the pc after the bitwise copy.

libunwind/src/UnwindCursor.hpp

@@ -1750,18 +1750,6 @@ bool UnwindCursor<A, R>::getInfoFromDwarfSection(
 
 
 #if defined(_LIBUNWIND_SUPPORT_COMPACT_UNWIND)
-// This helper function handles setting the manually signed handler on
-// unw_proc_info without attempt to authenticate and/or re-sign
-namespace {
-template <typename T>
-void set_proc_info_handler(unw_proc_info_t &info, T signed_handler) {
-  static_assert(sizeof(info.handler) == sizeof(signed_handler),
-                "Signed handler is the wrong size");
-  memmove((void *)&info.handler, (void *)&signed_handler,
-          sizeof(signed_handler));
-}
-} // unnamed namespace
-
 template <typename A, typename R>
 bool UnwindCursor<A, R>::getInfoFromCompactEncodingSection(
     const typename R::link_reg_t &pc, const UnwindInfoSections &sects) {
@@ -2018,7 +2006,12 @@ bool UnwindCursor<A, R>::getInfoFromCompactEncodingSection(
   _info.start_ip = funcStart;
   _info.end_ip = funcEnd;
   _info.lsda = lsda;
-  set_proc_info_handler(_info, personality);
+  // We use memmove to copy the personality function as we have already manually
+  // re-signed the pointer, and assigning directly will attempt to incorrectly
+  // sign the already signed value.
+  memmove(reinterpret_cast<void *>(&_info.handler),
+          reinterpret_cast<void *>(&personality),
+          sizeof(personality));
   _info.gp = 0;
   _info.flags = 0;
   _info.format = encoding;

libunwind/src/UnwindLevel1.c

@@ -90,30 +90,20 @@
   } while (0)
 #endif
 
-// There is not currently a clean way to cast between an authenticated
-// integer and an authenticated function pointer, so we need this helper
-// function to keep things clean.
+// We need this helper function as the semantics of casting between integers and
+// function pointers mean that we end up with a function pointer without the
+// correct signature. Instead we assign to an integer with a matching schema,
+// and then memmove the result into a variable of the correct type. This memmove
+// is possible as `_Unwind_Personality_Fn` is a standard function pointer, and
+// as such is not address diversified.
 static _Unwind_Personality_Fn get_handler_function(unw_proc_info_t *frameInfo) {
-  // Converting from an authenticated integer to a _Unwind_Personality_Fn
-  // requires multiple steps, but as the schema of _Unwind_Personality_Fn is
-  // not address diversified we can mostly just rely on automatic re-signing
-  // by clang.
-
-  // Step 1. Assign from the address diversified integer in frameInfo->handler
-  //         to the non-address diversified schema of `_Unwind_Personality_Fn`
   uintptr_t __unwind_ptrauth_restricted_intptr(ptrauth_key_function_pointer,
                                                0,
                                                ptrauth_function_pointer_type_discriminator(_Unwind_Personality_Fn))
     reauthenticatedIntegerHandler = frameInfo->handler;
-
-  // Step 2. Memcpy from our re-signed integer typed handler to an
-  //         _Unwind_Personality_Fn typed local - this avoids any confused
-  //         re-signing of values that already have a signature.
   _Unwind_Personality_Fn handler;
-  memcpy(&handler, (void *)&reauthenticatedIntegerHandler,
+  memmove(&handler, (void *)&reauthenticatedIntegerHandler,
          sizeof(_Unwind_Personality_Fn));
-
-  // Step 3. Finally return the correctly typed and signed value.
   return handler;
 }