From eb5ecbbcbb6ce38e29237ab5d17156fcb2e96e74 Mon Sep 17 00:00:00 2001 From: David Spickett Date: Mon, 14 Mar 2022 10:24:45 +0000 Subject: [PATCH] [llvm][AArch64] Insert "bti j" after call to setjmp Some implementations of setjmp will end with a br instead of a ret. This means that the next instruction after a call to setjmp must be a "bti j" (j for jump) to make this work when branch target identification is enabled. The BTI extension was added in armv8.5-a but the bti instruction is in the hint space. This means we can emit it for any architecture version as long as branch target enforcement flags are passed. The starting point for the hint number is 32 then call adds 2, jump adds 4. Hence "hint #36" for a "bti j" (and "hint #34" for the "bti c" you see at the start of functions). The existing Arm command line option -mno-bti-at-return-twice has been applied to AArch64 as well. Support is added to SelectionDAG Isel and GlobalIsel. FastIsel will defer to SelectionDAG. Based on the change done for M profile Arm in https://reviews.llvm.org/D112427 Fixes #48888 Reviewed By: danielkiss Differential Revision: https://reviews.llvm.org/D121707 --- clang/docs/ClangCommandLineReference.rst | 2 +- clang/docs/ReleaseNotes.rst | 5 ++ clang/include/clang/Driver/Options.td | 2 +- clang/lib/Driver/ToolChains/Arch/AArch64.cpp | 3 + llvm/lib/Target/AArch64/AArch64.td | 5 ++ .../Target/AArch64/AArch64ExpandPseudoInsts.cpp | 34 +++++++++ llvm/lib/Target/AArch64/AArch64FastISel.cpp | 8 +++ llvm/lib/Target/AArch64/AArch64ISelLowering.cpp | 10 ++- llvm/lib/Target/AArch64/AArch64ISelLowering.h | 2 + llvm/lib/Target/AArch64/AArch64InstrInfo.td | 10 +++ .../Target/AArch64/GISel/AArch64CallLowering.cpp | 11 ++- .../CodeGen/AArch64/setjmp-bti-no-enforcement.ll | 51 +++++++++++++ llvm/test/CodeGen/AArch64/setjmp-bti-outliner.ll | 83 ++++++++++++++++++++++ llvm/test/CodeGen/AArch64/setjmp-bti.ll | 55 ++++++++++++++ 14 files changed, 276 insertions(+), 5 deletions(-) create mode 100644 
llvm/test/CodeGen/AArch64/setjmp-bti-no-enforcement.ll create mode 100644 llvm/test/CodeGen/AArch64/setjmp-bti-outliner.ll create mode 100644 llvm/test/CodeGen/AArch64/setjmp-bti.ll diff --git a/clang/docs/ClangCommandLineReference.rst b/clang/docs/ClangCommandLineReference.rst index 6815dca..9d097cc 100644 --- a/clang/docs/ClangCommandLineReference.rst +++ b/clang/docs/ClangCommandLineReference.rst @@ -3329,7 +3329,7 @@ Work around VLLDM erratum CVE-2021-35465 (ARM only) .. option:: -mno-bti-at-return-twice -Do not add a BTI instruction after a setjmp or other return-twice construct (Arm only) +Do not add a BTI instruction after a setjmp or other return-twice construct (AArch32/AArch64 only) .. option:: -mno-movt diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst index c30512c..105d501 100644 --- a/clang/docs/ReleaseNotes.rst +++ b/clang/docs/ReleaseNotes.rst @@ -193,6 +193,11 @@ DWARF Support in Clang Arm and AArch64 Support in Clang -------------------------------- +- When using ``-mbranch-protection=bti`` with AArch64, calls to setjmp will + now be followed by a BTI instruction. This is done to be compatible with + setjmp implementations that return with a br instead of a ret. You can + disable this behaviour using the ``-mno-bti-at-return-twice`` option. 
+ Floating Point Support in Clang ------------------------------- diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td index c56578b..41b3ca5 100644 --- a/clang/include/clang/Driver/Options.td +++ b/clang/include/clang/Driver/Options.td @@ -3414,7 +3414,7 @@ def mmark_bti_property : Flag<["-"], "mmark-bti-property">, def mno_bti_at_return_twice : Flag<["-"], "mno-bti-at-return-twice">, Group, HelpText<"Do not add a BTI instruction after a setjmp or other" - " return-twice construct (Arm only)">; + " return-twice construct (Arm/AArch64 only)">; foreach i = {1-31} in def ffixed_x#i : Flag<["-"], "ffixed-x"#i>, Group, diff --git a/clang/lib/Driver/ToolChains/Arch/AArch64.cpp b/clang/lib/Driver/ToolChains/Arch/AArch64.cpp index f9557ba..610c672 100644 --- a/clang/lib/Driver/ToolChains/Arch/AArch64.cpp +++ b/clang/lib/Driver/ToolChains/Arch/AArch64.cpp @@ -588,4 +588,7 @@ fp16_fml_fallthrough: // Enabled A53 errata (835769) workaround by default on android Features.push_back("+fix-cortex-a53-835769"); } + + if (Args.getLastArg(options::OPT_mno_bti_at_return_twice)) + Features.push_back("+no-bti-at-return-twice"); } diff --git a/llvm/lib/Target/AArch64/AArch64.td b/llvm/lib/Target/AArch64/AArch64.td index 84d388d..82161b1 100644 --- a/llvm/lib/Target/AArch64/AArch64.td +++ b/llvm/lib/Target/AArch64/AArch64.td @@ -466,6 +466,11 @@ def FeatureEL3 : SubtargetFeature<"el3", "HasEL3", "true", def FeatureFixCortexA53_835769 : SubtargetFeature<"fix-cortex-a53-835769", "FixCortexA53_835769", "true", "Mitigate Cortex-A53 Erratum 835769">; +def FeatureNoBTIAtReturnTwice : SubtargetFeature<"no-bti-at-return-twice", + "NoBTIAtReturnTwice", "true", + "Don't place a BTI instruction " + "after a return-twice">; + //===----------------------------------------------------------------------===// // Architectures. 
// diff --git a/llvm/lib/Target/AArch64/AArch64ExpandPseudoInsts.cpp b/llvm/lib/Target/AArch64/AArch64ExpandPseudoInsts.cpp index b0f739c..910f8cd 100644 --- a/llvm/lib/Target/AArch64/AArch64ExpandPseudoInsts.cpp +++ b/llvm/lib/Target/AArch64/AArch64ExpandPseudoInsts.cpp @@ -86,6 +86,7 @@ private: unsigned N); bool expandCALL_RVMARKER(MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI); + bool expandCALL_BTI(MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI); bool expandStoreSwiftAsyncContext(MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI); }; @@ -759,6 +760,37 @@ bool AArch64ExpandPseudo::expandCALL_RVMARKER( return true; } +bool AArch64ExpandPseudo::expandCALL_BTI(MachineBasicBlock &MBB, + MachineBasicBlock::iterator MBBI) { + // Expand CALL_BTI pseudo to: + // - a branch to the call target + // - a BTI instruction + // Mark the sequence as a bundle, to avoid passes moving other code in + // between. + + MachineInstr &MI = *MBBI; + MachineOperand &CallTarget = MI.getOperand(0); + assert((CallTarget.isGlobal() || CallTarget.isReg()) && + "invalid operand for regular call"); + unsigned Opc = CallTarget.isGlobal() ? AArch64::BL : AArch64::BLR; + MachineInstr *Call = + BuildMI(MBB, MBBI, MI.getDebugLoc(), TII->get(Opc)).getInstr(); + Call->addOperand(CallTarget); + + MachineInstr *BTI = + BuildMI(MBB, MBBI, MI.getDebugLoc(), TII->get(AArch64::HINT)) + // BTI J so that setjmp can BR to this. 
+ .addImm(36) + .getInstr(); + + if (MI.shouldUpdateCallSiteInfo()) + MBB.getParent()->moveCallSiteInfo(&MI, Call); + + MI.eraseFromParent(); + finalizeBundle(MBB, Call->getIterator(), std::next(BTI->getIterator())); + return true; +} + bool AArch64ExpandPseudo::expandStoreSwiftAsyncContext( MachineBasicBlock &MBB, MachineBasicBlock::iterator MBBI) { Register CtxReg = MBBI->getOperand(0).getReg(); @@ -1238,6 +1270,8 @@ bool AArch64ExpandPseudo::expandMI(MachineBasicBlock &MBB, return expandSVESpillFill(MBB, MBBI, AArch64::LDR_ZXI, 2); case AArch64::BLR_RVMARKER: return expandCALL_RVMARKER(MBB, MBBI); + case AArch64::BLR_BTI: + return expandCALL_BTI(MBB, MBBI); case AArch64::StoreSwiftAsyncContext: return expandStoreSwiftAsyncContext(MBB, MBBI); } diff --git a/llvm/lib/Target/AArch64/AArch64FastISel.cpp b/llvm/lib/Target/AArch64/AArch64FastISel.cpp index c67fa62..dc5e680 100644 --- a/llvm/lib/Target/AArch64/AArch64FastISel.cpp +++ b/llvm/lib/Target/AArch64/AArch64FastISel.cpp @@ -14,6 +14,7 @@ #include "AArch64.h" #include "AArch64CallingConvention.h" +#include "AArch64MachineFunctionInfo.h" #include "AArch64RegisterInfo.h" #include "AArch64Subtarget.h" #include "MCTargetDesc/AArch64AddressingModes.h" @@ -3127,6 +3128,13 @@ bool AArch64FastISel::fastLowerCall(CallLoweringInfo &CLI) { if (!Callee && !Symbol) return false; + // Allow SelectionDAG isel to handle calls to functions like setjmp that need + // a bti instruction following the call. + if (CLI.CB && CLI.CB->hasFnAttr(Attribute::ReturnsTwice) && + !Subtarget->noBTIAtReturnTwice() && + MF->getInfo()->branchTargetEnforcement()) + return false; + // Allow SelectionDAG isel to handle tail calls. 
if (IsTailCall) return false; diff --git a/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp b/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp index 6e107ea..1eaac9e 100644 --- a/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp +++ b/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp @@ -2274,6 +2274,7 @@ const char *AArch64TargetLowering::getTargetNodeName(unsigned Opcode) const { MAKE_CASE(AArch64ISD::MOPS_MEMSET_TAGGING) MAKE_CASE(AArch64ISD::MOPS_MEMCOPY) MAKE_CASE(AArch64ISD::MOPS_MEMMOVE) + MAKE_CASE(AArch64ISD::CALL_BTI) } #undef MAKE_CASE return nullptr; @@ -6178,6 +6179,12 @@ AArch64TargetLowering::LowerCall(CallLoweringInfo &CLI, AArch64FunctionInfo *FuncInfo = MF.getInfo(); bool TailCallOpt = MF.getTarget().Options.GuaranteedTailCallOpt; bool IsSibCall = false; + bool GuardWithBTI = false; + + if (CLI.CB && CLI.CB->getAttributes().hasFnAttr(Attribute::ReturnsTwice) && + !Subtarget->noBTIAtReturnTwice()) { + GuardWithBTI = FuncInfo->branchTargetEnforcement(); + } // Check callee args/returns for SVE registers and set calling convention // accordingly. @@ -6612,7 +6619,8 @@ AArch64TargetLowering::LowerCall(CallLoweringInfo &CLI, Function *ARCFn = *objcarc::getAttachedARCFunction(CLI.CB); auto GA = DAG.getTargetGlobalAddress(ARCFn, DL, PtrVT); Ops.insert(Ops.begin() + 1, GA); - } + } else if (GuardWithBTI) + CallOpc = AArch64ISD::CALL_BTI; // Returns a chain and a flag for retval copy to use. Chain = DAG.getNode(CallOpc, DL, NodeTys, Ops); diff --git a/llvm/lib/Target/AArch64/AArch64ISelLowering.h b/llvm/lib/Target/AArch64/AArch64ISelLowering.h index eb88572..47f922f 100644 --- a/llvm/lib/Target/AArch64/AArch64ISelLowering.h +++ b/llvm/lib/Target/AArch64/AArch64ISelLowering.h @@ -55,6 +55,8 @@ enum NodeType : unsigned { // x29, x29` marker instruction. CALL_RVMARKER, + CALL_BTI, // Function call followed by a BTI instruction. + // Produces the full sequence of instructions for getting the thread pointer // offset of a variable into X0, using the TLSDesc model. 
TLSDESC_CALLSEQ, diff --git a/llvm/lib/Target/AArch64/AArch64InstrInfo.td b/llvm/lib/Target/AArch64/AArch64InstrInfo.td index 3b50a2e..2206afa 100644 --- a/llvm/lib/Target/AArch64/AArch64InstrInfo.td +++ b/llvm/lib/Target/AArch64/AArch64InstrInfo.td @@ -473,6 +473,11 @@ def AArch64call : SDNode<"AArch64ISD::CALL", [SDNPHasChain, SDNPOptInGlue, SDNPOutGlue, SDNPVariadic]>; +def AArch64call_bti : SDNode<"AArch64ISD::CALL_BTI", + SDTypeProfile<0, -1, [SDTCisPtrTy<0>]>, + [SDNPHasChain, SDNPOptInGlue, SDNPOutGlue, + SDNPVariadic]>; + def AArch64call_rvmarker: SDNode<"AArch64ISD::CALL_RVMARKER", SDTypeProfile<0, -1, [SDTCisPtrTy<0>]>, [SDNPHasChain, SDNPOptInGlue, SDNPOutGlue, @@ -2328,6 +2333,8 @@ let isCall = 1, Defs = [LR], Uses = [SP] in { PseudoInstExpansion<(BLR GPR64:$Rn)>; def BLR_RVMARKER : Pseudo<(outs), (ins variable_ops), []>, Sched<[WriteBrReg]>; + def BLR_BTI : Pseudo<(outs), (ins GPR64:$Rn), []>, + Sched<[WriteBrReg]>; } // isCall def : Pat<(AArch64call GPR64:$Rn), @@ -2341,6 +2348,9 @@ def : Pat<(AArch64call_rvmarker (i64 tglobaladdr:$rvfunc), GPR64:$Rn), (BLR_RVMARKER tglobaladdr:$rvfunc, GPR64:$Rn)>, Requires<[NoSLSBLRMitigation]>; +def : Pat<(AArch64call_bti GPR64:$Rn), + (BLR_BTI GPR64:$Rn)>; + let isBranch = 1, isTerminator = 1, isBarrier = 1, isIndirectBranch = 1 in { def BR : BranchReg<0b0000, "br", [(brind GPR64:$Rn)]>; } // isBranch, isTerminator, isBarrier, isIndirectBranch diff --git a/llvm/lib/Target/AArch64/GISel/AArch64CallLowering.cpp b/llvm/lib/Target/AArch64/GISel/AArch64CallLowering.cpp index 3b4eaad..89e1d85 100644 --- a/llvm/lib/Target/AArch64/GISel/AArch64CallLowering.cpp +++ b/llvm/lib/Target/AArch64/GISel/AArch64CallLowering.cpp @@ -1129,12 +1129,20 @@ bool AArch64CallLowering::lowerCall(MachineIRBuilder &MIRBuilder, // Create a temporarily-floating call instruction so we can add the implicit // uses of arg registers. 
+ const AArch64Subtarget &Subtarget = MF.getSubtarget(); + unsigned Opc = 0; // Calls with operand bundle "clang.arc.attachedcall" are special. They should // be expanded to the call, directly followed by a special marker sequence and // a call to an ObjC library function. - unsigned Opc = 0; if (Info.CB && objcarc::hasAttachedCallOpBundle(Info.CB)) Opc = AArch64::BLR_RVMARKER; + // A call to a returns twice function like setjmp must be followed by a bti + // instruction. + else if (Info.CB && + Info.CB->getAttributes().hasFnAttr(Attribute::ReturnsTwice) && + !Subtarget.noBTIAtReturnTwice() && + MF.getInfo()->branchTargetEnforcement()) + Opc = AArch64::BLR_BTI; else Opc = getCallOpcode(MF, Info.Callee.isReg(), false); @@ -1153,7 +1161,6 @@ bool AArch64CallLowering::lowerCall(MachineIRBuilder &MIRBuilder, // Tell the call which registers are clobbered. const uint32_t *Mask; - const AArch64Subtarget &Subtarget = MF.getSubtarget(); const auto *TRI = Subtarget.getRegisterInfo(); AArch64OutgoingValueAssigner Assigner(AssignFnFixed, AssignFnVarArg, diff --git a/llvm/test/CodeGen/AArch64/setjmp-bti-no-enforcement.ll b/llvm/test/CodeGen/AArch64/setjmp-bti-no-enforcement.ll new file mode 100644 index 0000000..cd48245 --- /dev/null +++ b/llvm/test/CodeGen/AArch64/setjmp-bti-no-enforcement.ll @@ -0,0 +1,51 @@ +; RUN: llc -mtriple=aarch64-none-linux-gnu < %s | FileCheck %s --check-prefix=NOBTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -global-isel < %s | FileCheck %s --check-prefix=NOBTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -fast-isel < %s | FileCheck %s --check-prefix=NOBTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s --check-prefix=NOBTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -global-isel -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s --check-prefix=NOBTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -fast-isel -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s 
--check-prefix=NOBTI + +; Same as setjmp-bti.ll except that we do not enable branch target enforcement for this +; module. There should be no combination of options that leads to a bti being emitted. + +; C source +; -------- +; extern int setjmp(void*); +; extern void notsetjmp(void); +; +; void bbb(void) { +; setjmp(0); +; int (*fnptr)(void*) = setjmp; +; fnptr(0); +; notsetjmp(); +; } + +define void @bbb() { +; NOBTI-LABEL: bbb: +; NOBTI: bl setjmp +; NOBTI-NOT: hint #36 +; NOBTI: blr x{{[0-9]+}} +; NOBTI-NOT: hint #36 +; NOBTI: bl notsetjmp +; NOBTI-NOT: hint #36 + +entry: + %fnptr = alloca i32 (i8*)*, align 8 + %call = call i32 @setjmp(i8* noundef null) #0 + store i32 (i8*)* @setjmp, i32 (i8*)** %fnptr, align 8 + %0 = load i32 (i8*)*, i32 (i8*)** %fnptr, align 8 + %call1 = call i32 %0(i8* noundef null) #0 + call void @notsetjmp() + ret void +} + +declare i32 @setjmp(i8* noundef) #0 +declare void @notsetjmp() + +attributes #0 = { returns_twice } + +; !llvm.module.flags = !{!0} +; !0 = !{i32 1, !"branch-target-enforcement", i32 1} diff --git a/llvm/test/CodeGen/AArch64/setjmp-bti-outliner.ll b/llvm/test/CodeGen/AArch64/setjmp-bti-outliner.ll new file mode 100644 index 0000000..f9c5416 --- /dev/null +++ b/llvm/test/CodeGen/AArch64/setjmp-bti-outliner.ll @@ -0,0 +1,83 @@ +; RUN: llc -mtriple=aarch64-none-linux-gnu -enable-machine-outliner < %s | FileCheck %s --check-prefix=BTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -global-isel -enable-machine-outliner < %s | \ +; RUN: FileCheck %s --check-prefix=BTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -fast-isel -enable-machine-outliner < %s | \ +; RUN: FileCheck %s --check-prefix=BTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -enable-machine-outliner -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s --check-prefix=NOBTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -global-isel -enable-machine-outliner -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s --check-prefix=NOBTI +; RUN: llc 
-mtriple=aarch64-none-linux-gnu -fast-isel -enable-machine-outliner -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s --check-prefix=NOBTI + +; Check that the outliner does not split up the call to setjmp and the bti after it. +; When we do not insert a bti, it is allowed to move the setjmp call into an outlined function. + +; C source +; -------- +; extern int setjmp(void*); +; +; int f(int a, int b, int c, int d) { +; setjmp(0); +; return 1 + a * (a + b) / (c + d); +; } +; +; int g(int a, int b, int c, int d) { +; setjmp(0); +; return 2 + a * (a + b) / (c + d); +; } + +define i32 @f(i32 noundef %a, i32 noundef %b, i32 noundef %c, i32 noundef %d) { +; BTI-LABEL: f: +; BTI: bl OUTLINED_FUNCTION_1 +; BTI-NEXT: bl setjmp +; BTI-NEXT: hint #36 +; BTI-NEXT: bl OUTLINED_FUNCTION_0 + +; NOBTI: f: +; NOBTI: bl OUTLINED_FUNCTION_0 +; NOBTI-NEXT: bl OUTLINED_FUNCTION_1 + +entry: + %call = call i32 @setjmp(i8* noundef null) #0 + %add = add nsw i32 %b, %a + %mul = mul nsw i32 %add, %a + %add1 = add nsw i32 %d, %c + %div = sdiv i32 %mul, %add1 + %add2 = add nsw i32 %div, 1 + ret i32 %add2 +} + +declare i32 @setjmp(i8* noundef) #0 + +define i32 @g(i32 noundef %a, i32 noundef %b, i32 noundef %c, i32 noundef %d) { +; BTI-LABEL: g: +; BTI: bl OUTLINED_FUNCTION_1 +; BTI-NEXT: bl setjmp +; BTI-NEXT: hint #36 +; BTI-NEXT: bl OUTLINED_FUNCTION_0 + +; NOBTI: g: +; NOBTI: bl OUTLINED_FUNCTION_0 +; NOBTI-NEXT: bl OUTLINED_FUNCTION_1 + +entry: + %call = call i32 @setjmp(i8* noundef null) #0 + %add = add nsw i32 %b, %a + %mul = mul nsw i32 %add, %a + %add1 = add nsw i32 %d, %c + %div = sdiv i32 %mul, %add1 + %add2 = add nsw i32 %div, 2 + ret i32 %add2 +} + +; NOBTI-LABEL: OUTLINED_FUNCTION_0: +; NOBTI: b setjmp +; NOBTI: OUTLINED_FUNCTION_1: +; NOBTI-LABEL: ret + +attributes #0 = { returns_twice } + +!llvm.module.flags = !{!0} + +!0 = !{i32 1, !"branch-target-enforcement", i32 1} diff --git a/llvm/test/CodeGen/AArch64/setjmp-bti.ll b/llvm/test/CodeGen/AArch64/setjmp-bti.ll new 
file mode 100644 index 0000000..ceea80c --- /dev/null +++ b/llvm/test/CodeGen/AArch64/setjmp-bti.ll @@ -0,0 +1,55 @@ +; RUN: llc -mtriple=aarch64-none-linux-gnu < %s | FileCheck %s --check-prefix=BTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -global-isel < %s | FileCheck %s --check-prefix=BTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -fast-isel < %s | FileCheck %s --check-prefix=BTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s --check-prefix=NOBTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -global-isel -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s --check-prefix=NOBTI +; RUN: llc -mtriple=aarch64-none-linux-gnu -fast-isel -mattr=+no-bti-at-return-twice < %s | \ +; RUN: FileCheck %s --check-prefix=NOBTI + +; C source +; -------- +; extern int setjmp(void*); +; extern void notsetjmp(void); +; +; void bbb(void) { +; setjmp(0); +; int (*fnptr)(void*) = setjmp; +; fnptr(0); +; notsetjmp(); +; } + +define void @bbb() { +; BTI-LABEL: bbb: +; BTI: bl setjmp +; BTI-NEXT: hint #36 +; BTI: blr x{{[0-9]+}} +; BTI-NEXT: hint #36 +; BTI: bl notsetjmp +; BTI-NOT: hint #36 + +; NOBTI-LABEL: bbb: +; NOBTI: bl setjmp +; NOBTI-NOT: hint #36 +; NOBTI: blr x{{[0-9]+}} +; NOBTI-NOT: hint #36 +; NOBTI: bl notsetjmp +; NOBTI-NOT: hint #36 +entry: + %fnptr = alloca i32 (i8*)*, align 8 + %call = call i32 @setjmp(i8* noundef null) #0 + store i32 (i8*)* @setjmp, i32 (i8*)** %fnptr, align 8 + %0 = load i32 (i8*)*, i32 (i8*)** %fnptr, align 8 + %call1 = call i32 %0(i8* noundef null) #0 + call void @notsetjmp() + ret void +} + +declare i32 @setjmp(i8* noundef) #0 +declare void @notsetjmp() + +attributes #0 = { returns_twice } + +!llvm.module.flags = !{!0} +!0 = !{i32 1, !"branch-target-enforcement", i32 1} -- 2.7.4