The handler argument must not be signed since that may come from outside the current module and exposing signed addresses is a pointer ABI break. (The signed address also may not be representable as void *, which is why pac-ret is currently broken on ilp32.)
There is no point protecting the eh return path with pointer auth since an arbitrary target can be reached with the instruction sequence in the caller function anyway; however, this is a big hammer solution that turns off pac-ret for the caller completely, not just on the eh return path.
2020-06-04 Szabolcs Nagy <szabolcs.n...@arm.com> * config/aarch64/aarch64.c (aarch64_return_address_signing_enabled): Disable return address signing if __builtin_eh_return is used. --- gcc/config/aarch64/aarch64.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c index 6a2f85c4af7..d9557f7c0a2 100644 --- a/gcc/config/aarch64/aarch64.c +++ b/gcc/config/aarch64/aarch64.c @@ -6954,6 +6954,10 @@ aarch64_return_address_signing_enabled (void) /* This function should only be called after frame laid out. */ gcc_assert (cfun->machine->frame.laid_out); + /* TODO: Big hammer handling of __builtin_eh_return. */ + if (crtl->calls_eh_return) + return false; + /* If signing scope is AARCH64_FUNCTION_NON_LEAF, we only sign a leaf function if its LR is pushed onto stack. */ return (aarch64_ra_sign_scope == AARCH64_FUNCTION_ALL -- 2.17.1
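Review bot: the added comment `/* TODO: Big hammer handling of __builtin_eh_return. */` in the aarch64_return_address_signing_enabled hunk is too terse to justify an early `return false` that silently drops pac-ret for the whole function; please put the reasoning from the commit message into the comment so the next reader does not take it for an oversight, e.g. `/* __builtin_eh_return takes an unsigned handler address and the eh return path can reach an arbitrary target through the caller's epilogue anyway, so return address signing is disabled for the whole function.  A finer-grained fix would leave only the eh return path unsigned.  */`. The placement after `gcc_assert (cfun->machine->frame.laid_out)` is fine, since crtl->calls_eh_return is set during expansion and is therefore settled once the frame has been laid out, and because every user of the predicate goes through this function the prologue, epilogue and unwind info stay consistent with each other. The patch has no test: a gcc.target/aarch64 test that compiles a function calling __builtin_eh_return with -mbranch-protection=pac-ret and uses scan-assembler-not for paciasp/autiasp would pin down the new behaviour and make the TODO easy to revisit later.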