Remove RFG code from Chakra

lib/Backend/IR.h

@@ -130,9 +130,6 @@ protected:
         m_src2(nullptr),
 #if DBG_DUMP
         globOptInstrString(nullptr),
-#endif
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-        isFsBased(false),
 #endif
         dstIsTempNumber(false),
         dstIsTempNumberTransferred(false),

lib/Backend/InterpreterThunkEmitter.cpp

@@ -56,49 +56,6 @@ const BYTE InterpreterThunkEmitter::Epilog[] = {
     0xC3                                                           // ret
 };
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-#define RFG_PROLOGUE_SIZE 9
-
-const BYTE InterpreterThunkEmitter::InterpreterThunkRFG[] = {
-    0x48, 0x8b, 0x04, 0x24,                                        // mov         rax,qword ptr [rsp] 
-    0x64, 0x48, 0x89, 0x04, 0x24,                                  // mov         qword ptr fs:[rsp],rax
-    0x48, 0x89, 0x54, 0x24, 0x10,                                  // mov         qword ptr [rsp+10h],rdx
-    0x48, 0x89, 0x4C, 0x24, 0x08,                                  // mov         qword ptr [rsp+8],rcx
-    0x4C, 0x89, 0x44, 0x24, 0x18,                                  // mov         qword ptr [rsp+18h],r8
-    0x4C, 0x89, 0x4C, 0x24, 0x20,                                  // mov         qword ptr [rsp+20h],r9
-    0x48, 0x8B, 0x41, 0x00,                                        // mov         rax, qword ptr [rcx+FunctionInfoOffset]
-    0x48, 0x8B, 0x48, 0x00,                                        // mov         rcx, qword ptr [rax+FunctionProxyOffset]
-    0x48, 0x8B, 0x51, 0x00,                                        // mov         rdx, qword ptr [rcx+DynamicThunkAddressOffset]
-                                                                   // Range Check for Valid call target
-    0x48, 0x83, 0xE2, 0xF8,                                        // and         rdx, 0xFFFFFFFFFFFFFFF8h  ;Force 8 byte alignment
-    0x48, 0x8b, 0xca,                                              // mov         rcx, rdx
-    0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    // mov         rax, CallBlockStartAddress
-    0x48, 0x2b, 0xc8,                                              // sub         rcx, rax
-    0x48, 0x81, 0xf9, 0x00, 0x00, 0x00, 0x00,                      // cmp         rcx, ThunkSize
-    0x76, 0x09,                                                    // jbe         $safe
-    0x48, 0xc7, 0xc1, 0x00, 0x00, 0x00, 0x00,                      // mov         rcx, errorcode
-    0xcd, 0x29,                                                    // int         29h
-
-    // $safe:
-    0x48, 0x8D, 0x4C, 0x24, 0x08,                                  // lea         rcx, [rsp+8]                ;Load the address to stack
-    0x48, 0x83, 0xEC, StackAllocSize,                              // sub         rsp,28h
-    0x48, 0xB8, 0x00, 0x00, 0x00 ,0x00, 0x00, 0x00, 0x00, 0x00,    // mov         rax, <thunk>
-    0xFF, 0xE2,                                                    // jmp         rdx
-    0xCC, 0xCC, 0xCC, 0xCC                                         // int         3                           ;for alignment to size of 8 we are adding this
-};
-
-const BYTE InterpreterThunkEmitter::EpilogRFG[] = {
-    0x48, 0x83, 0xC4, StackAllocSize,                              // add         rsp,28h
-    0x64, 0x4c, 0x8b, 0x1c, 0x24,                                  // mov         r11,qword ptr fs:[rsp]
-    0x4c, 0x3b, 0x1c, 0x24,                                        // cmp         r11,qword ptr [rsp]
-    0x75, 0x01,                                                    // jne         $fail
-    0xC3,                                                          // ret
-
-    // $fail:
-    0xb9, 0x2c, 0x00, 0x00, 0x00,                                  // mov         ecx, errorcode
-    0xcd, 0x29,                                                    // int         29h
-};
-#endif
 
 #else  // Sys V AMD64
 const BYTE InterpreterThunkEmitter::FunctionInfoOffset = 7;
@@ -280,11 +237,6 @@ const BYTE InterpreterThunkEmitter::ThunkSize = sizeof(Call);
 
 const BYTE InterpreterThunkEmitter::HeaderSize()
 {
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    if (_guard_rf_checks_enforced()) {
-        return sizeof(InterpreterThunkRFG);
-    }
-#endif
 
     return _HeaderSize;
 }
@@ -511,13 +463,6 @@ void InterpreterThunkEmitter::FillBuffer(
         interpreterThunk = SHIFT_ADDR(threadContext, &Js::InterpreterStackFrame::InterpreterThunk);
     }
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    if (_guard_rf_checks_enforced()) {
-        header = InterpreterThunkRFG;
-        epilog = EpilogRFG;
-        epilogSize = sizeof(EpilogRFG);
-    }
-#endif
 
     BYTE * currentBuffer = buffer;
     // Ensure there is space for PDATA at the end
@@ -760,11 +705,6 @@ void InterpreterThunkEmitter::EncodeInterpreterThunk(
 {
     _Analysis_assume_(thunkSize == HeaderSize());
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    if (_guard_rf_checks_enforced()) {
-        thunkBuffer += RFG_PROLOGUE_SIZE;
-    }
-#endif
 
     Emit(thunkBuffer, ThunkAddressOffset, (uintptr_t)interpreterThunk);
     thunkBuffer[DynamicThunkAddressOffset] = Js::FunctionBody::GetOffsetOfDynamicInterpreterThunk();

lib/Backend/InterpreterThunkEmitter.h

@@ -89,10 +89,6 @@ private:
 
     static const BYTE Epilog[];
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    static const BYTE InterpreterThunkRFG[];
-    static const BYTE EpilogRFG[];
-#endif
 
     static const BYTE PageCount = 1;
 #if defined(_M_X64)

lib/Backend/JnHelperMethod.h

@@ -17,9 +17,6 @@ extern "C"
 extern "C" PVOID __guard_check_icall_fptr;
 #endif
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-extern "C" void __guard_ss_verify_failure();
-#endif
 
 namespace IR
 {

lib/Backend/JnHelperMethodList.h

@@ -617,10 +617,6 @@ HELPERCALL( CRT_chkstk, _chkstk, 0 )
 HELPERCALL(CRT_chkstk, __chkstk, 0)
 #endif
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-// Statically linked CRT routine used when RFG violations.
-HELPERCALL(ReturnFlowGuardFailureRoutine, __guard_ss_verify_failure, 0)
-#endif
 
 #undef HELPERCALL_MATH
 #undef HELPERCALL_FULL_OR_INPLACE_MATH

lib/Backend/amd64/EncoderMD.cpp

@@ -685,12 +685,6 @@ EncoderMD::Encode(IR::Instr *instr, BYTE *pc, BYTE* beginCodeAddress)
 
     instrRestart = instrStart = m_pc;
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    if (instr->isFsBased)
-    {
-        *instrRestart++ = 0x64;
-    }
-#endif
 
     // put out 16bit override if any
     if (instrSize == 2 && (opdope & (DNO16 | DFLT)) == 0)

lib/Backend/amd64/LowererMDArch.cpp

@@ -1466,14 +1466,6 @@ LowererMDArch::MovArgFromReg2Stack(IR::Instr * instr, RegNum reg, uint16 slotNum
 IR::Instr *
 LowererMDArch::LowerEntryInstr(IR::EntryInstr * entryInstr)
 {
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    /* 
-     * If RFG is enabled for the process, then this precedes the prologue:
-     *
-     * mov    rax,                       [rsp]
-     * mov    fs:[rsp],                  rax
-     */
-#endif
     /*
      * push   rbp
      * mov    rbp,                       rsp
@@ -1688,31 +1680,6 @@ LowererMDArch::LowerEntryInstr(IR::EntryInstr * entryInstr)
     m_func->m_prologEncoder.RecordNonVolRegSave();
     firstPrologInstr = pushInstr;
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    if (_guard_rf_checks_enforced()) {
-        // Generate MOV FS:[RSP], RAX
-        raxOpnd = IR::RegOpnd::New(nullptr, RegRAX, TyMachReg, this->m_func);
-        IR::Instr * storeRetInstr = IR::Instr::New(Js::OpCode::MOV,
-                                                  IR::IndirOpnd::New(stackPointer,
-                                                                     0,
-                                                                     TyInt64,
-                                                                     this->m_func),
-                                                  raxOpnd,
-                                                  this->m_func);
-        storeRetInstr->isFsBased = true;
-        entryInstr->InsertAfter(storeRetInstr);
-
-        // Generate MOV RAX, [RSP]
-        IR::Instr * getRetInstr = IR::Instr::New(Js::OpCode::MOV,
-                                                  raxOpnd,
-                                                  IR::IndirOpnd::New(stackPointer,
-                                                                     0,
-                                                                     TyInt64,
-                                                                     this->m_func),
-                                                  this->m_func);
-        entryInstr->InsertAfter(getRetInstr);
-    }
-#endif
 
     //
     // Insert pragmas that tell the prolog encoder the extent of the prolog.
@@ -2106,35 +2073,6 @@ LowererMDArch::LowerExitInstr(IR::ExitInstr * exitInstr)
         retReg = IR::RegOpnd::New(nullptr, this->GetRegReturn(TyMachReg), TyMachReg, this->m_func);
     }
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    IR::LabelInstr * failLabel = nullptr;
-    if (_guard_rf_checks_enforced()) {
-        // Generate MOV RCX, FS:[RSP]
-        IR::Opnd * rcxOpnd = IR::RegOpnd::New(nullptr, RegRCX, TyMachReg, this->m_func);
-        IR::Instr * getRetInstr = IR::Instr::New(Js::OpCode::MOV,
-                                                rcxOpnd,
-                                                IR::IndirOpnd::New(stackPointer,
-                                                                    0,
-                                                                    TyInt64,
-                                                                    this->m_func),
-                                                this->m_func);
-        getRetInstr->isFsBased = true;
-        exitInstr->InsertBefore(getRetInstr);
-
-        // Generate CMP RCX, [RSP]
-        IR::Instr * cmpRetInstr = IR::Instr::New(Js::OpCode::CMP, m_func);
-        cmpRetInstr->SetSrc1(IR::IndirOpnd::New(stackPointer,
-                                                0,
-                                                TyInt64,
-                                                this->m_func));
-        cmpRetInstr->SetSrc2(rcxOpnd);
-        exitInstr->InsertBefore(cmpRetInstr);
-
-        // Generate JNE $fail
-        failLabel = IR::LabelInstr::New(Js::OpCode::Label, m_func, true);
-        exitInstr->InsertBefore(IR::BranchInstr::New(Js::OpCode::JNE, failLabel, m_func));
-    }
-#endif
 
     // Generate RET
     IR::Instr * retInstr = IR::Instr::New(Js::OpCode::RET, this->m_func);
@@ -2144,20 +2082,6 @@ LowererMDArch::LowerExitInstr(IR::ExitInstr * exitInstr)
 
     retInstr->m_opcode = Js::OpCode::RET;
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-    if (_guard_rf_checks_enforced() && failLabel != nullptr) {
-        // insert $fail
-        exitInstr->InsertBefore(failLabel);
-
-        // MOV RCX, __guard_ss_verify_failure
-        IR::RegOpnd * target = IR::RegOpnd::New(nullptr, RegRCX, TyMachReg, m_func);
-        this->lowererMD->CreateAssign(target, IR::HelperCallOpnd::New(IR::HelperReturnFlowGuardFailureRoutine, m_func), exitInstr);
-
-        // JMP RCX
-        IR::Instr * branch = IR::MultiBranchInstr::New(Js::OpCode::JMP, target, m_func);
-        exitInstr->InsertBefore(branch);
-    }
-#endif
 
     return exitInstr;
 }

lib/Runtime/Library/JavascriptFunction.cpp

@@ -1868,13 +1868,6 @@ LABEL1:
         // Read first  byte - check for prefix
         BYTE* beginPc = pc;
 
-#if _CONTROL_FLOW_GUARD_SHADOW_STACK
-        // skip first byte if it's 0x64 (fs-based mem access)
-        if (*pc == 0x64)
-        {
-            pc++;
-        }
-#endif
 
         if (((*pc) == 0x0F2) || ((*pc) == 0x0F3))
         {