<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
<a href="https://github.com/llvm/llvm-project/issues/62140">62140</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            LLD AArch64 range extension thunk to PLT entry is not generating BTI (when BTI enabled)
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            lld
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          smithp35
      </td>
    </tr>
</table>

<pre>
LLD will produce BTI compliant PLT entries when -zforce-bti is used or when all input objects are marked with the BTI property.

Currently LLD only puts a BTI at the top of a PLT[N] entry in limited circumstances; the comment in the source file says:
```
// A BTI (Branch Target Indicator) Plt Entry is only required if the
// address of the PLT entry can be taken by the program, which permits an
// indirect jump to the PLT entry. This can happen when the address
// of the PLT entry for a function is canonicalised due to the address of
// the function in an executable being taken by a shared library, or
// non-preemptible ifunc referenced by non-GOT-generating, non-PLT-generating
// relocations.
// The PAC PLT entries require dynamic loader support and this isn't known
// from properties in the objects, so we use the command line flag.
```

There is also the rarer case of a range extension thunk to the PLT entry; it can happen with large programs like Chrome built with instrumentation. A contrived example:
```
        .text
        .global foo
func:
        .type func, %function
        bl foo
        ret
```
With linker script:
```
SECTIONS {
  .plt : { *(.plt) }
  .text 0xf0000000 : AT(0xf0000000) { *(.text) }
}
```
Using:
```
clang --target=aarch64-linux-gnu btiplt.s -c
ld.lld --shared btiplt.o -T btiplt.lds -zforce-bti -o btiplt
```
gives the following disassembly:
```
Disassembly of section .plt:

00000000000000b0 <.plt>:
      b0: d503245f      bti c
      b4: a9bf7bf0      stp     x16, x30, [sp, #-0x10]!
      b8: 90780010      adrp    x16, 0xf0000000 <func>
      bc: f9407611      ldr x17, [x16, #0xe8]
      c0: 9103a210      add     x16, x16, #0xe8
      c4: d61f0220      br      x17
      c8: d503201f      nop
      cc: d503201f      nop

00000000000000d0 <foo@plt>:
      d0: 90780010      adrp    x16, 0xf0000000 <func>
      d4: f9407a11      ldr     x17, [x16, #0xf0]
      d8: 9103c210      add     x16, x16, #0xf0
      dc: d61f0220      br      x17
      e0: d503201f      nop
      e4: d503201f      nop

Disassembly of section .text:

00000000f0000000 <func>:
f0000000: 94000002      bl      0xf0000008 <__AArch64ADRPThunk_foo>
f0000004: d65f03c0      ret

00000000f0000008 <__AArch64ADRPThunk_foo>:
f0000008: 90880010      adrp    x16, 0x0 <foo>
f000000c: 91034210      add     x16, x16, #0xd0
f0000010: d61f0200      br      x16
```
Note the indirect jump to the PLT entry, which doesn't have a BTI c landing pad, so the program will crash if BTI is enabled.
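As an added check (not part of the issue or of LLD itself), the following script parses llvm-objdump -d output, resolves the adrp/add/br sequence that LLD's ADRP thunk uses, and reports any destination whose first instruction is not a BTI. The sample disassembly is the foo@plt entry and thunk from the output above; the regular expressions assume llvm-objdump's default line layout.

```python
import re

# Constructed sample: the foo@plt entry and the range extension thunk from the
# llvm-objdump output in the issue above (addresses and encodings as shown there).
SAMPLE = """\
00000000000000d0 <foo@plt>:
      d0: 90780010      adrp    x16, 0xf0000000 <func>
      d4: f9407a11      ldr     x17, [x16, #0xf0]
      d8: 9103c210      add     x16, x16, #0xf0
      dc: d61f0220      br      x17

00000000f0000008 <__AArch64ADRPThunk_foo>:
f0000008: 90880010      adrp    x16, 0x0 <foo>
f000000c: 91034210      add     x16, x16, #0xd0
f0000010: d61f0200      br      x16
"""

SYM_RE = re.compile(r'^([0-9a-f]+) <([^>]+)>:$')
INSN_RE = re.compile(r'^\s*([0-9a-f]+):\s+[0-9a-f]{8}\s+(\S+)\s*(.*)$')

def parse(text):
    """Return ({symbol: addr}, [(addr, mnemonic, operands)]) from objdump -d text."""
    syms, insns = {}, []
    for line in text.splitlines():
        if (m := SYM_RE.match(line)):
            syms[m.group(2)] = int(m.group(1), 16)
        elif (m := INSN_RE.match(line)):
            insns.append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return syms, insns

def thunk_targets(insns):
    """Resolve 'adrp xN, page / add xN, xN, #off / br xN' windows to (thunk, dest)."""
    out = []
    for (a0, m0, o0), (_, m1, o1), (_, m2, o2) in zip(insns, insns[1:], insns[2:]):
        page = re.match(r'(x\d+), 0x([0-9a-f]+)', o0) if m0 == 'adrp' else None
        off = re.match(r'(x\d+), (x\d+), #0x([0-9a-f]+)', o1) if m1 == 'add' else None
        if page and off and m2 == 'br' and o2 == page[1] == off[1] == off[2]:
            out.append((a0, int(page[2], 16) + int(off[3], 16)))
    return out

def missing_bti(text):
    """List (thunk_addr, dest_addr, dest_symbol) where the thunk's indirect branch
    lands on an instruction that is not 'bti' (i.e. no BTI landing pad)."""
    syms, insns = parse(text)
    first_insn = {a: m for a, m, _ in insns}
    names = {a: n for n, a in syms.items()}
    return [(t, d, names.get(d, '?')) for t, d in thunk_targets(insns)
            if first_insn.get(d) != 'bti']

if __name__ == "__main__":
    print(missing_bti(SAMPLE))
```

On the sample it reports the thunk at 0xf0000008 landing on foo@plt at 0xd0, whose first instruction is adrp rather than bti c.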

The simplest way to fix this is to track which symbols with isInPlt() == true are the targets of range extension thunks. We can then extend the existing canonical PLT check to include thunks.

Other possibilities include BTI aware range extension thunks; see the AArch64 ABI issue for more details: https://github.com/ARM-software/abi-aa/issues/196

</pre>