Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: Check Control Flow Guard on Windows #21154

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

WIP: Check Control Flow Guard on Windows #21154

wants to merge 1 commit into from
+26 −0

Conversation

a7ehuo
Copy link
Contributor

@a7ehuo a7ehuo commented Feb 20, 2025
edited
Loading

If Control Flow Guard (CFG) is enabled in Windows, set TR_NoResumableTrapHandler in the JIT.

This change relies on API GetProcessMitigationPolicy. Its minimum supported client version is Windows 8 and its minimum supported server version is Windows Server 2012.

Fixes: #19892

@a7ehuo a7ehuo requested a review from dsouzai as a code owner February 20, 2025 15:09
@a7ehuo a7ehuo requested review from keithc-ca and 0xdaryl and removed request for dsouzai February 20, 2025 15:09
@a7ehuo
Check Control Flow Guard on Windows
e547739 
If Control Flow Guard (CFG) is enabled in Windows, set
TR_NoResumableTrapHandler in the JIT.

This change relies on API GetProcessMitigationPolicy.
Its minimum supported client version is Windows 8 and
its minimum supported server version is Windows Server 2012.

Fixes: eclipse-openj9#19892

Signed-off-by: Annabelle Huo <[email protected]>
@a7ehuo a7ehuo force-pushed the windows-cfg-detection-4 branch from 703ed2d to e547739 Compare February 20, 2025 15:11
@a7ehuo
Copy link
Contributor Author

a7ehuo commented Feb 20, 2025

@0xdaryl @keithc-ca May I ask you to review this change? Thank you!

@JamesKingdon fyi

@a7ehuo a7ehuo mentioned this pull request Feb 20, 2025
Open
@0xdaryl 0xdaryl self-assigned this Feb 20, 2025
@0xdaryl
Copy link
Contributor

0xdaryl commented Feb 20, 2025

The JIT change is ok with me.

keithc-ca
keithc-ca requested changes Feb 20, 2025
View reviewed changes
runtime/compiler/control/J9Options.cpp
Comment on lines +3283 to +3284
// If Control Flow Guard (CFG) is enabled in Windows, set TR_NoResumableTrapHandler
if (J9_ARE_ALL_BITS_SET(javaVM->sigFlags, J9_SIG_WINDOWS_MITIGATION_POLICY_CFG_ENABLED))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please finish each sentence with a period.
This should use _ANY_ instead of _ALL_ (it's testing a single bit):

   // If Control Flow Guard (CFG) is enabled in Windows, set TR_NoResumableTrapHandler.
   if (J9_ARE_ANY_BITS_SET(javaVM->sigFlags, J9_SIG_WINDOWS_MITIGATION_POLICY_CFG_ENABLED))

While you're here, please correct the typo on line 3289 (jitt -> jit).

runtime/vm/jvminit.c
Comment on lines +8100 to +8101
#if defined(WIN32)
#if defined(_WIN32_WINNT_WINBLUE) && (_WIN32_WINNT_MAXVER >= _WIN32_WINNT_WINBLUE)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest merging these:

#if defined(WIN32) && defined(_WIN32_WINNT_WINBLUE) && (_WIN32_WINNT_MAXVER >= _WIN32_WINNT_WINBLUE)

then updating the #endif comment

#endif /* defined(WIN32) && defined(_WIN32_WINNT_WINBLUE) && (_WIN32_WINNT_MAXVER >= _WIN32_WINNT_WINBLUE) */

runtime/vm/jvminit.c
HMODULE h_kernel32 = GetModuleHandle(TEXT("kernel32.dll"));

if (h_kernel32 && IsWindows8OrGreater()) {
void *getProcessMitigationPolicyFunc = (void*)GetProcAddress(h_kernel32, "GetProcessMitigationPolicy");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest introducing a typdef, so fewer casts are needed:

		typedef (BOOL (WINAPI * PMP_func)(HANDLE, PROCESS_MITIGATION_POLICY, PVOID, SIZE_T);
		PMP_func getProcessMitigationPolicyFunc = (PMP_func)GetProcAddress(h_kernel32, "GetProcessMitigationPolicy");

Please make null checks explicit and split the condition according to our coding standard:

		if (((PMP_func)NULL != getProcessMitigationPolicyFunc)
			&& getProcessMitigationPolicyFunc(
					GetCurrentProcess(),
					ProcessControlFlowGuardPolicy,
					&cfgPolicy,
					sizeof(cfgPolicy))
			&& cfgPolicy.EnableControlFlowGuard
		) {

@a7ehuo a7ehuo changed the title Check Control Flow Guard on Windows WIP: Check Control Flow Guard on Windows Feb 20, 2025
@a7ehuo
Copy link
Contributor Author

a7ehuo commented Feb 20, 2025

Change status to WIP. I would like to explore a bit more on the solution based on internal discussions

@keithc-ca keithc-ca marked this pull request as draft February 20, 2025 23:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@keithc-ca keithc-ca keithc-ca requested changes

@0xdaryl 0xdaryl Awaiting requested review from 0xdaryl

@dsouzai dsouzai Awaiting requested review from dsouzai dsouzai will be requested when the pull request is marked ready for review dsouzai is a code owner

Assignees

@0xdaryl 0xdaryl

Labels
comp:jit
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

prunsrv.exe (Tomcat10.exe) killed when run on top of openj9
3 participants
@a7ehuo @0xdaryl @keithc-ca