i386: Add indirect_return function attribute

On x86, swapcontext may return via indirect branch when shadow stack
is enabled.  To support code instrumentation of control-flow transfers
with -fcf-protection, add indirect_return function attribute to inform
compiler that a function may return via indirect branch.

Note: Unlike setjmp, swapcontext only returns once.  Mark it return
twice will unnecessarily disable compiler optimization as shown in
the testcase here.

gcc/

	PR target/85620
	* config/i386/i386.c (rest_of_insert_endbranch): Also generate
	ENDBRANCH for non-tail call which may return via indirect branch.
	* doc/extend.texi: Document indirect_return attribute.

gcc/testsuite/

	PR target/85620
	* gcc.target/i386/pr85620-1.c: New test.
	* gcc.target/i386/pr85620-2.c: Likewise.
	* gcc.target/i386/pr85620-3.c: Likewise.
	* gcc.target/i386/pr85620-4.c: Likewise.

From-SVN: r262370

8 files changed, 107 insertions, 1 deletions

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index cd8f6ab..05d1e05 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,10 @@
+2018-07-03  H.J. Lu  <hongjiu.lu@intel.com>
+
+	PR target/85620
+	* config/i386/i386.c (rest_of_insert_endbranch): Also generate
+	ENDBRANCH for non-tail call which may return via indirect branch.
+	* doc/extend.texi: Document indirect_return attribute.
+
 2018-07-03  Martin Sebor  <msebor@redhat.com>
 
 	PR tree-optimization/86274
diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index e6d1763..41461d5 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -2621,7 +2621,26 @@ rest_of_insert_endbranch (void)
 	{
 	  if (CALL_P (insn))
 	    {
-	      if (find_reg_note (insn, REG_SETJMP, NULL) == NULL)
+	      bool need_endbr;
+	      need_endbr = find_reg_note (insn, REG_SETJMP, NULL) != NULL;
+	      if (!need_endbr && !SIBLING_CALL_P (insn))
+		{
+		  rtx call = get_call_rtx_from (insn);
+		  rtx fnaddr = XEXP (call, 0);
+
+		  /* Also generate ENDBRANCH for non-tail call which
+		     may return via indirect branch.  */
+		  if (MEM_P (fnaddr)
+		      && GET_CODE (XEXP (fnaddr, 0)) == SYMBOL_REF)
+		    {
+		      tree fndecl = SYMBOL_REF_DECL (XEXP (fnaddr, 0));
+		      if (fndecl
+			  && lookup_attribute ("indirect_return",
+					       DECL_ATTRIBUTES (fndecl)))
+			need_endbr = true;
+		    }
+		}
+	      if (!need_endbr)
 		continue;
 	      /* Generate ENDBRANCH after CALL, which can return more than
 		 twice, setjmp-like functions.  */
@@ -45897,6 +45916,8 @@ static const struct attribute_spec ix86_attribute_table[] =
     ix86_handle_fndecl_attribute, NULL },
   { "function_return", 1, 1, true, false, false, false,
     ix86_handle_fndecl_attribute, NULL },
+  { "indirect_return", 0, 0, true, false, false, false,
+    ix86_handle_fndecl_attribute, NULL },
 
   /* End element.  */
   { NULL, 0, 0, false, false, false, false, NULL, NULL }
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 19c2da2..071d0ff 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -5886,6 +5886,12 @@ foo (void)
 @}
 @end smallexample
 
+@item indirect_return
+@cindex @code{indirect_return} function attribute, x86
+
+The @code{indirect_return} attribute on a function is used to inform
+the compiler that the function may return via indirect branch.
+
 @end table
 
 On the x86, the inliner does not inline a
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index 020bed8..a0e6ec2 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,11 @@
+2018-07-03  H.J. Lu  <hongjiu.lu@intel.com>
+
+	PR target/85620
+	* gcc.target/i386/pr85620-1.c: New test.
+	* gcc.target/i386/pr85620-2.c: Likewise.
+	* gcc.target/i386/pr85620-3.c: Likewise.
+	* gcc.target/i386/pr85620-4.c: Likewise.
+
 2018-07-03  Martin Sebor  <msebor@redhat.com>
 
 	PR tree-optimization/86274
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-1.c b/gcc/testsuite/gcc.target/i386/pr85620-1.c
new file mode 100644
index 0000000..32efb08
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-1.c
@@ -0,0 +1,15 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -fcf-protection" } */
+/* { dg-final { scan-assembler-times {\mendbr} 2 } } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+extern int res;
+
+void
+foo (struct ucontext *oucp)
+{
+  res = bar (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-2.c b/gcc/testsuite/gcc.target/i386/pr85620-2.c
new file mode 100644
index 0000000..b2e680f
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-2.c
@@ -0,0 +1,13 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -fcf-protection" } */
+/* { dg-final { scan-assembler-times {\mendbr} 1 } } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+int
+foo (struct ucontext *oucp)
+{
+  return bar (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-3.c b/gcc/testsuite/gcc.target/i386/pr85620-3.c
new file mode 100644
index 0000000..c70a5ca
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-3.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wno-attributes" } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+static int __attribute__ ((__always_inline__))
+foo (struct ucontext *oucp)
+{
+  return bar (oucp);
+}
+
+int
+test (struct ucontext *oucp)
+{
+  return foo (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-4.c b/gcc/testsuite/gcc.target/i386/pr85620-4.c
new file mode 100644
index 0000000..13056c4
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-4.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wno-attributes" } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__returns_twice__));
+
+static int __attribute__ ((__always_inline__))
+foo (struct ucontext *oucp) /* { dg-error "setjmp" } */
+{
+  return bar (oucp);
+}
+
+int
+test (struct ucontext *oucp)
+{
+  return foo (oucp);
+}