[llvm] [BOLT] Gadget scanner: prevent false positives due to jump tables (PR #138884)
Anatoly Trosinenko via llvm-commits
llvm-commits at lists.llvm.org
Fri Jan 30 07:18:14 PST 2026
================
@@ -0,0 +1,705 @@
+// -Wl,--no-relax prevents converting ADRP+ADD pairs into NOP+ADR.
+// Without -Wl,--emit-relocs BOLT refuses to create CFG information for the below functions.
+
+// RUN: %clang %cflags -march=armv8.3-a -Wl,--no-relax -Wl,--emit-relocs %s -o %t.exe
+// RUN: llvm-bolt-binary-analysis --scanners=pauth %t.exe 2>&1 | FileCheck --check-prefixes=CHECK,CFG %s
+// RUN: llvm-bolt-binary-analysis --scanners=pauth --auth-traps-on-failure %t.exe 2>&1 | FileCheck --check-prefixes=CHECK,CFG %s
+// RUN: %clang %cflags -march=armv8.3-a -Wl,--no-relax %s -o %t.exe
+// RUN: llvm-bolt-binary-analysis --scanners=pauth %t.exe 2>&1 | FileCheck --check-prefixes=CHECK,NOCFG %s
+// RUN: llvm-bolt-binary-analysis --scanners=pauth --auth-traps-on-failure %t.exe 2>&1 | FileCheck --check-prefixes=CHECK,NOCFG %s
+
+// FIXME: Labels could be further validated. Specifically, it could be checked
+// that the jump table itself is located in a read-only data section.
+
+// FIXME: BOLT does not reconstruct CFG correctly for jump tables yet, thus
+// register state is pessimistically reset to unsafe at the beginning of
+// each basic block without any predecessors.
+// Until CFG reconstruction is fixed, add paciasp+autiasp instructions to
+// silence "non-protected ret" false-positives and explicitly ignore
+// "Warning: the function has unreachable basic blocks..." lines.
+
+ .text
+ .p2align 2
+ .globl good_jump_table
+ .type good_jump_table, at function
+good_jump_table:
+// CHECK-NOT: good_jump_table
+// CFG: GS-PAUTH: Warning: possibly imprecise CFG, the analysis quality may be degraded in this function. According to BOLT, unreachable code is found in function good_jump_table
+// CHECK-NOT: good_jump_table
+ paciasp
+ cmp x16, #0x2
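Review bot: the FIXME in the file header does not match the diagnostic this test checks for. It says to explicitly ignore "Warning: the function has unreachable basic blocks..." lines, while the CFG check under good_jump_table matches "GS-PAUTH: Warning: possibly imprecise CFG, the analysis quality may be degraded in this function. According to BOLT, unreachable code is found in function good_jump_table". Please quote the wording the CFG lines actually match in that comment, and note there that the warning is expected only in the --emit-relocs runs (the CFG prefix), so a reader can tell why the two CHECK-NOT lines bracket it.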
----------------
atrosinenko wrote:
@yavtuk I'm not familiar with indirect call promotion, could you please provide me an example of assembly code? If I got it right, such an optimization is performed at the LLVM IR level (and requires profiling information) and should hopefully be handled the same way as any other code emitted for if-then-else.
https://github.com/llvm/llvm-project/pull/138884