<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/60239>60239</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Incorrect code generation with `-arch arm64e -mbranch-protection=standard` or `=pac-ret`
</td>
</tr>
<tr>
<th>Labels</th>
<td>
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
lelegard
</td>
</tr>
</table>
<pre>
### Summary
On macOS, Arm64, the combination of options `-arch arm64e -mbranch-protection=standard` generates invalid code (redundant pointer authentication) leading to application crash on return.
### Platform
Demonstrated on a MacBook with M1 chip, macOS 13.1, arm64e API enabled, Apple clang 14.0.0. This is the clang version coming with the latest "Command Line Tools for Xcode 14.2" from December 13, 2022.
~~~
$ sw_vers
ProductName: macOS
ProductVersion: 13.1
BuildVersion: 22C65
$
$ uname -a
Darwin mactest 22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:04:44 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T8103 arm64
$
$ nvram boot-args
boot-args -arm64e_preview_abi
$
$ clang --version
Apple clang version 14.0.0 (clang-1400.0.29.202)
Target: arm64-apple-darwin22.2.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin
$
~~~
### Demonstration
This simple "hello world" code crashes with `-arch arm64e -mbranch-protection=standard`. It does not crash without `-mbranch-protection` or with `-mbranch-protection=bti` only.
~~~
$ cat hi.c
#include <stdio.h>
int main(int argc, char* argv[])
{
    printf("hi\n");
}
$
$ clang -O2 -march=armv8.5-a -arch arm64e hi.c -o hi
$ ./hi
hi
$ clang -O2 -march=armv8.5-a -arch arm64e hi.c -o hi -mbranch-protection=bti
$ ./hi
hi
$ clang -O2 -march=armv8.5-a -arch arm64e hi.c -o hi -mbranch-protection=standard
$ ./hi
hi
Segmentation fault: 11
$
~~~
### Details
The combination `-arch arm64e -mbranch-protection=standard` is fatal. The same problem is seen with `-mbranch-protection=pac-ret` instead of `standard` (the latter includes the former).
- `-mbranch-protection=pac-ret` or `=standard` authenticates the caller's return address using `pacia x30, sp`, updating x30 with a pointer authentication code.
- `-arch arm64e` authenticates the caller's return address using `pacibsp` (same as `pacib x30, sp`). This second instruction trashes the PAC in x30, recomputing a PAC with key B.
- The return sequence is `autibsp` and `retaa`. The `autibsp` removes the PAC from x30. When `retaa` authenticates x30, there is no longer any PAC, the authentication fails and the program crashes.
Solution: There must be only one authentication sequence. Using `-mbranch-protection=pac-ret` or `=standard` shall not add PACIA instructions when `-arch arm64e` is specified since pointer authentication is already used. Alternatively, an error message may report the incompatible options. But no invalid code should be generated.
Generated code below:
~~~
$ clang -O2 -march=armv8.5-a -arch arm64e hi.c -mbranch-protection=standard -S -o -
.section __TEXT,__text,regular,pure_instructions
.build_version macos, 13, 0 sdk_version 13, 1
.ptrauth_abi_version 0
.globl _main ; -- Begin function main
.p2align 2
_main: ; @main
.cfi_startproc
; %bb.0:
bti c
pacia x30, sp <------------ generated by -mbranch-protection=standard
.cfi_negate_ra_state
pacibsp <------------ generated by -arch arm64e
stp x29, x30, [sp, #-16]! ; 16-byte Folded Spill
mov x29, sp
.cfi_def_cfa w29, 16
.cfi_offset w30, -8
.cfi_offset w29, -16
Lloh0:
adrp x0, l_str@PAGE
Lloh1:
add x0, x0, l_str@PAGEOFF
bl _puts
mov w0, #0
ldp x29, x30, [sp], #16 ; 16-byte Folded Reload
autibsp <------------ generated by -arch arm64e
retaa <------------ generated by -mbranch-protection=standard
.loh AdrpAdd Lloh0, Lloh1
.cfi_endproc
; -- End function
.section __TEXT,__cstring,cstring_literals
l_str: ; @str
.asciz "hi"
.subsections_via_symbols
$
~~~
</pre>
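Added example (not part of the report and not LLVM code): a heuristic linter over `clang -S` output that tracks which key's PAC is on x30 and flags the double signing and the PAC-less `retaa` described under Details. The names `lint_pac_ret` and `key_of`, the trimmed `REPORTED` sample and the `CONTROL` sample are constructed for illustration; the check goes beyond the report by also flagging key A/B mismatches.

```python
import re

# Return-address signing / authenticating forms that operate on x30 (LR).
SIGN = re.compile(r"^(?:paci([ab])sp|paci([ab])\s+x30\s*,\s*sp)\b")
AUTH = re.compile(r"^(?:auti([ab])sp|auti([ab])\s+x30\s*,\s*sp|reta([ab]))\b")
RET = re.compile(r"^ret(?:a[ab])?\b")
LABEL = re.compile(r"^([\w.$]+):")

def key_of(match):
    # Key letter ('A' or 'B') from whichever regex alternative matched.
    return next(g for g in match.groups() if g).upper()

def lint_pac_ret(asm_text):
    """Heuristic linear scan per function; returns (function, message) pairs."""
    findings, label, func = [], None, None
    live = entry = None  # key whose PAC is on x30 now / key left by the prologue
    for raw in asm_text.splitlines():
        line = raw.split(";")[0].strip()  # drop ';' comments (Darwin syntax)
        if m := LABEL.match(line):
            label = m.group(1)
        if line.startswith(".cfi_startproc"):
            func, live, entry = label, None, None
        elif line.startswith(".cfi_endproc"):
            func = None
        if func is None:
            continue
        if m := SIGN.match(line):
            if live:
                findings.append((func, f"x30 re-signed with key {key_of(m)} while key {live} PAC is live"))
            live = entry = key_of(m)
        elif m := AUTH.match(line):
            if live is None:
                findings.append((func, f"key {key_of(m)} authentication of x30 with no live PAC"))
            elif live != key_of(m):
                findings.append((func, f"signed with key {live}, authenticated with key {key_of(m)}"))
            live = None
        if RET.match(line):
            live = entry  # a later epilogue starts from the prologue's state
    return findings

# PAC-relevant lines of the listing in the report (other lines omitted).
REPORTED = """_main:
.cfi_startproc
pacia x30, sp
pacibsp
autibsp
retaa
.cfi_endproc"""
# Constructed control: a single key, signed once and authenticated once.
CONTROL = "_f:\n.cfi_startproc\npacibsp\nretab\n.cfi_endproc"
```

The scan is not control-flow aware, so a finding is a prompt to read the function's prologue and epilogue rather than proof of a miscompile.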