The handler argument must not be signed since that may come from
outside the current module and exposing signed addresses is a pointer
ABI break. (The signed address also may not be representable as void *
which is why pac-ret is currently broken on ilp32.)

There is no point protecting the eh return path with pointer auth
since an arbitrary target can be reached with the instruction sequence
in the caller function anyway; however, this is a big-hammer solution
that turns off pac-ret for the caller completely, not just on the eh
return path.

2020-06-04  Szabolcs Nagy  <szabolcs.n...@arm.com>

        * config/aarch64/aarch64.c (aarch64_return_address_signing_enabled):
        Disable return address signing if __builtin_eh_return is used.
---
 gcc/config/aarch64/aarch64.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c
index 6a2f85c4af7..d9557f7c0a2 100644
--- a/gcc/config/aarch64/aarch64.c
+++ b/gcc/config/aarch64/aarch64.c
@@ -6954,6 +6954,10 @@ aarch64_return_address_signing_enabled (void)
   /* This function should only be called after frame laid out.   */
   gcc_assert (cfun->machine->frame.laid_out);
 
+  /* TODO: Big hammer handling of __builtin_eh_return.  */
+  if (crtl->calls_eh_return)
+    return false;
+
   /* If signing scope is AARCH64_FUNCTION_NON_LEAF, we only sign a leaf 
function
      if its LR is pushed onto stack.  */
   return (aarch64_ra_sign_scope == AARCH64_FUNCTION_ALL
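Review bot: the `/* TODO: Big hammer handling of __builtin_eh_return.  */` comment above the new `if (crtl->calls_eh_return)` check gives no rationale, so a later reader of aarch64.c cannot tell what the TODO is asking for; carry the reasoning from the commit message into the comment (the handler address passed to __builtin_eh_return must stay unsigned because it may come from outside the module and a signed address is a pointer ABI break, and a finer-grained fix would drop signing only on the eh return path rather than for the whole caller). Since this silently disables pac-ret for any function that calls __builtin_eh_return, a target testcase that compiles such a function with return address signing enabled and scans for the absence of signing instructions would make the intended behaviour checkable and catch a regression when the big hammer is later replaced.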
-- 
2.17.1
