[10/15,V2] arm: Implement cortex-M return signing address codegen
Commit Message
Hi all,
this patch enables address return signature and verification based on
Armv8.1-M Pointer Authentication [1].
To sign the return address, we use the PAC R12, LR, SP instruction
upon function entry. This is signing LR using SP and storing the
result in R12. R12 will be pushed into the stack.
During function epilogue R12 will be popped and AUT R12, LR, SP will
be used to verify that the content of LR is still valid before return.
Here an example of PAC instrumented function prologue and epilogue:
void foo (void);
int main()
{
foo ();
return 0;
}
Compiled with '-march=armv8.1-m.main -mbranch-protection=pac-ret
-mthumb' translates into:
main:
pac ip, lr, sp
push {r3, r7, ip, lr}
add r7, sp, #0
bl foo
movs r3, #0
mov r0, r3
pop {r3, r7, ip, lr}
aut ip, lr, sp
bx lr
The patch also takes care of generating a PACBTI instruction in place
of the sequence BTI+PAC when Branch Target Identification is enabled
contextually.
Ex. the previous example compiled with '-march=armv8.1-m.main
-mbranch-protection=pac-ret+bti -mthumb' translates into:
main:
pacbti ip, lr, sp
push {r3, r7, ip, lr}
add r7, sp, #0
bl foo
movs r3, #0
mov r0, r3
pop {r3, r7, ip, lr}
aut ip, lr, sp
bx lr
As part of previous upstream suggestions a test for varargs has been
added and '-mtpcs-frame' is deemed being incompatible with this return
signing address feature being introduced.
[1] <https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/armv8-1-m-pointer-authentication-and-branch-target-identification-extension>
gcc/Changelog
2021-11-03 Andrea Corallo <andrea.corallo@arm.com>
* config/arm/arm.c: (arm_compute_frame_layout)
(arm_expand_prologue, thumb2_expand_return, arm_expand_epilogue)
(arm_conditional_register_usage): Update for pac codegen.
(arm_current_function_pac_enabled_p): New function.
* config/arm/arm.md (pac_ip_lr_sp, pacbti_ip_lr_sp, aut_ip_lr_sp):
Add new patterns.
* config/arm/unspecs.md (UNSPEC_PAC_IP_LR_SP)
(UNSPEC_PACBTI_IP_LR_SP, UNSPEC_AUT_IP_LR_SP): Add unspecs.
gcc/testsuite/Changelog
2021-11-03 Andrea Corallo <andrea.corallo@arm.com>
* gcc.target/arm/pac.h : New file.
* gcc.target/arm/pac-1.c : New test case.
* gcc.target/arm/pac-2.c : Likewise.
* gcc.target/arm/pac-3.c : Likewise.
* gcc.target/arm/pac-4.c : Likewise.
* gcc.target/arm/pac-5.c : Likewise.
* gcc.target/arm/pac-6.c : Likewise.
* gcc.target/arm/pac-7.c : Likewise.
* gcc.target/arm/pac-8.c : Likewise.
Comments
On 14/09/2022 15:20, Andrea Corallo via Gcc-patches wrote:
> Hi all,
>
> this patch enables address return signature and verification based on
> Armv8.1-M Pointer Authentication [1].
>
> To sign the return address, we use the PAC R12, LR, SP instruction
> upon function entry. This is signing LR using SP and storing the
> result in R12. R12 will be pushed into the stack.
>
> During function epilogue R12 will be popped and AUT R12, LR, SP will
> be used to verify that the content of LR is still valid before return.
>
> Here an example of PAC instrumented function prologue and epilogue:
>
> void foo (void);
>
> int main()
> {
> foo ();
> return 0;
> }
>
> Compiled with '-march=armv8.1-m.main -mbranch-protection=pac-ret
> -mthumb' translates into:
>
> main:
> pac ip, lr, sp
> push {r3, r7, ip, lr}
> add r7, sp, #0
> bl foo
> movs r3, #0
> mov r0, r3
> pop {r3, r7, ip, lr}
> aut ip, lr, sp
> bx lr
>
> The patch also takes care of generating a PACBTI instruction in place
> of the sequence BTI+PAC when Branch Target Identification is enabled
> contextually.
>
> Ex. the previous example compiled with '-march=armv8.1-m.main
> -mbranch-protection=pac-ret+bti -mthumb' translates into:
>
> main:
> pacbti ip, lr, sp
> push {r3, r7, ip, lr}
> add r7, sp, #0
> bl foo
> movs r3, #0
> mov r0, r3
> pop {r3, r7, ip, lr}
> aut ip, lr, sp
> bx lr
>
> As part of previous upstream suggestions a test for varargs has been
> added and '-mtpcs-frame' is deemed being incompatible with this return
> signing address feature being introduced.
>
> [1] <https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/armv8-1-m-pointer-authentication-and-branch-target-identification-extension>
>
> gcc/Changelog
>
> 2021-11-03 Andrea Corallo <andrea.corallo@arm.com>
>
> * config/arm/arm.c: (arm_compute_frame_layout)
> (arm_expand_prologue, thumb2_expand_return, arm_expand_epilogue)
> (arm_conditional_register_usage): Update for pac codegen.
> (arm_current_function_pac_enabled_p): New function.
> * config/arm/arm.md (pac_ip_lr_sp, pacbti_ip_lr_sp, aut_ip_lr_sp):
> Add new patterns.
> * config/arm/unspecs.md (UNSPEC_PAC_IP_LR_SP)
> (UNSPEC_PACBTI_IP_LR_SP, UNSPEC_AUT_IP_LR_SP): Add unspecs.
>
> gcc/testsuite/Changelog
>
> 2021-11-03 Andrea Corallo <andrea.corallo@arm.com>
>
> * gcc.target/arm/pac.h : New file.
> * gcc.target/arm/pac-1.c : New test case.
> * gcc.target/arm/pac-2.c : Likewise.
> * gcc.target/arm/pac-3.c : Likewise.
> * gcc.target/arm/pac-4.c : Likewise.
> * gcc.target/arm/pac-5.c : Likewise.
> * gcc.target/arm/pac-6.c : Likewise.
> * gcc.target/arm/pac-7.c : Likewise.
> * gcc.target/arm/pac-8.c : Likewise.
>
+ if (arm_current_function_pac_enabled_p () && !(arm_arch7 &&
arm_arch_cmse))
+ error ("This architecture does not support branch protection
instructions");
This test feels wrong. What does having cmse give us? I suspect you
want a test that ensures we have at least v8-m.main so that the NOP
instructions are correctly defined as NOPs (or, in this case, PACBTI
instructions) rather than unpredictable; but if that's the case then I
think you really want to write the test that way here (perhaps in a
macro) and then move this test into that so that it becomes
self-documenting - but don't we have a v8-m.main test anyway?
+ if (arm_current_function_pac_enabled_p ())
+ {
+ gcc_assert (!(saved_regs_mask & (1 << PC_REGNUM)));
+ arm_emit_multi_reg_pop (saved_regs_mask);
+ emit_insn (gen_aut_nop ());
+ emit_jump_insn (simple_return_rtx);
+ }
The assert is using indents that are just spaces, but the other lines
use tabs. Please use tabs everywhere rather than mixing like this.
+/* Return TRUE if return address signing mechanism is enabled. */
+bool
+arm_current_function_pac_enabled_p (void)
+{
+ return aarch_ra_sign_scope == AARCH_FUNCTION_ALL
+ || (aarch_ra_sign_scope == AARCH_FUNCTION_NON_LEAF
+ && !crtl->is_leaf);
+}
This is a case where you should use parenthesis around the expression so
that the continuation lines are correctly indented.
@@ -11518,7 +11518,7 @@ (define_expand "prologue"
arm_expand_prologue ();
else
thumb1_expand_prologue ();
- DONE;
+ DONE;
"
)
Although this is a trivial cleanup, it has nothing to do with this
patch. Please remove.
+ "arm_arch7 && arm_arch_cmse"
See my comments earlier about this test; the same applies here.
+ (unspec:SI [(reg:SI SP_REGNUM) (reg:SI LR_REGNUM)]
+ UNSPEC_PAC_NOP))]
+
Again you have a mix of lines indented with tabs and lines indented with
just spaces. Similarly with pacbti_nop and aut_nop.
Do you have a test for the nested functions case (I can't see it, but
perhaps I've missed it somewhere)?
R.
Richard Earnshaw <Richard.Earnshaw@foss.arm.com> writes:
> On 14/09/2022 15:20, Andrea Corallo via Gcc-patches wrote:
>> Hi all,
>>
>> this patch enables address return signature and verification based on
>> Armv8.1-M Pointer Authentication [1].
>>
>> To sign the return address, we use the PAC R12, LR, SP instruction
>> upon function entry. This is signing LR using SP and storing the
>> result in R12. R12 will be pushed into the stack.
>>
>> During function epilogue R12 will be popped and AUT R12, LR, SP will
>> be used to verify that the content of LR is still valid before return.
>>
>> Here an example of PAC instrumented function prologue and epilogue:
>>
>> void foo (void);
>>
>> int main()
>> {
>> foo ();
>> return 0;
>> }
>>
>> Compiled with '-march=armv8.1-m.main -mbranch-protection=pac-ret
>> -mthumb' translates into:
>>
>> main:
>> pac ip, lr, sp
>> push {r3, r7, ip, lr}
>> add r7, sp, #0
>> bl foo
>> movs r3, #0
>> mov r0, r3
>> pop {r3, r7, ip, lr}
>> aut ip, lr, sp
>> bx lr
>>
>> The patch also takes care of generating a PACBTI instruction in place
>> of the sequence BTI+PAC when Branch Target Identification is enabled
>> contextually.
>>
>> Ex. the previous example compiled with '-march=armv8.1-m.main
>> -mbranch-protection=pac-ret+bti -mthumb' translates into:
>>
>> main:
>> pacbti ip, lr, sp
>> push {r3, r7, ip, lr}
>> add r7, sp, #0
>> bl foo
>> movs r3, #0
>> mov r0, r3
>> pop {r3, r7, ip, lr}
>> aut ip, lr, sp
>> bx lr
>>
>> As part of previous upstream suggestions a test for varargs has been
>> added and '-mtpcs-frame' is deemed being incompatible with this return
>> signing address feature being introduced.
>>
>> [1] <https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/armv8-1-m-pointer-authentication-and-branch-target-identification-extension>
>>
>> gcc/Changelog
>>
>> 2021-11-03 Andrea Corallo <andrea.corallo@arm.com>
>>
>> * config/arm/arm.c: (arm_compute_frame_layout)
>> (arm_expand_prologue, thumb2_expand_return, arm_expand_epilogue)
>> (arm_conditional_register_usage): Update for pac codegen.
>> (arm_current_function_pac_enabled_p): New function.
>> * config/arm/arm.md (pac_ip_lr_sp, pacbti_ip_lr_sp, aut_ip_lr_sp):
>> Add new patterns.
>> * config/arm/unspecs.md (UNSPEC_PAC_IP_LR_SP)
>> (UNSPEC_PACBTI_IP_LR_SP, UNSPEC_AUT_IP_LR_SP): Add unspecs.
>>
>> gcc/testsuite/Changelog
>>
>> 2021-11-03 Andrea Corallo <andrea.corallo@arm.com>
>>
>> * gcc.target/arm/pac.h : New file.
>> * gcc.target/arm/pac-1.c : New test case.
>> * gcc.target/arm/pac-2.c : Likewise.
>> * gcc.target/arm/pac-3.c : Likewise.
>> * gcc.target/arm/pac-4.c : Likewise.
>> * gcc.target/arm/pac-5.c : Likewise.
>> * gcc.target/arm/pac-6.c : Likewise.
>> * gcc.target/arm/pac-7.c : Likewise.
>> * gcc.target/arm/pac-8.c : Likewise.
>>
>
> + if (arm_current_function_pac_enabled_p () && !(arm_arch7 &&
> arm_arch_cmse))
> + error ("This architecture does not support branch protection
> instructions");
>
> This test feels wrong. What does having cmse give us? I suspect you
> want a test that ensures we have at least v8-m.main so that the NOP
> instructions are correctly defined as NOPs (or, in this case, PACBTI
> instructions) rather than unpredictable; but if that's the case then I
> think you really want to write the test that way here (perhaps in a
> macro) and then move this test into that so that it becomes
> self-documenting - but don't we have a v8-m.main test anyway?
Yep
> + if (arm_current_function_pac_enabled_p ())
> + {
> + gcc_assert (!(saved_regs_mask & (1 << PC_REGNUM)));
> + arm_emit_multi_reg_pop (saved_regs_mask);
> + emit_insn (gen_aut_nop ());
> + emit_jump_insn (simple_return_rtx);
> + }
>
> The assert is using indents that are just spaces, but the other lines
> use tabs. Please use tabs everywhere rather than mixing like this.
Ack.
> +/* Return TRUE if return address signing mechanism is enabled. */
> +bool
> +arm_current_function_pac_enabled_p (void)
> +{
> + return aarch_ra_sign_scope == AARCH_FUNCTION_ALL
> + || (aarch_ra_sign_scope == AARCH_FUNCTION_NON_LEAF
> + && !crtl->is_leaf);
> +}
>
> This is a case where you should use parenthesis around the expression so
> that the continuation lines are correctly indented.
Ack.
> @@ -11518,7 +11518,7 @@ (define_expand "prologue"
> arm_expand_prologue ();
> else
> thumb1_expand_prologue ();
> - DONE;
> + DONE;
> "
> )
>
> Although this is a trivial cleanup, it has nothing to do with this
> patch. Please remove.
Okay.
> + "arm_arch7 && arm_arch_cmse"
>
> See my comments earlier about this test; the same applies here.
>
> + (unspec:SI [(reg:SI SP_REGNUM) (reg:SI LR_REGNUM)]
> + UNSPEC_PAC_NOP))]
> +
> Again you have a mix of lines indented with tabs and lines indented with
> just spaces. Similarly with pacbti_nop and aut_nop.
>
> Do you have a test for the nested functions case (I can't see it, but
> perhaps I've missed it somewhere)?
We have gcc/testsuite/gcc.target/arm/pac-7.c added by this patch.
> R.
Andrea
@@ -379,6 +379,7 @@ extern int vfp3_const_double_for_bits (rtx);
extern void arm_emit_coreregs_64bit_shift (enum rtx_code, rtx, rtx, rtx, rtx,
rtx);
extern bool arm_fusion_enabled_p (tune_params::fuse_ops);
+extern bool arm_current_function_pac_enabled_p (void);
extern bool arm_valid_symbolic_address_p (rtx);
extern bool arm_validize_comparison (rtx *, rtx *, rtx *);
extern bool arm_expand_vector_compare (rtx, rtx_code, rtx, rtx, bool);
@@ -3209,6 +3209,9 @@ arm_option_override_internal (struct gcc_options *opts,
arm_stack_protector_guard_offset = offs;
}
+ if (arm_current_function_pac_enabled_p () && !(arm_arch7 && arm_arch_cmse))
+ error ("This architecture does not support branch protection instructions");
+
#ifdef SUBTARGET_OVERRIDE_INTERNAL_OPTIONS
SUBTARGET_OVERRIDE_INTERNAL_OPTIONS;
#endif
@@ -21139,6 +21142,9 @@ arm_compute_save_core_reg_mask (void)
save_reg_mask |= arm_compute_save_reg0_reg12_mask ();
+ if (arm_current_function_pac_enabled_p ())
+ save_reg_mask |= 1 << IP_REGNUM;
+
/* Decide if we need to save the link register.
Interrupt routines have their own banked link register,
so they never need to save it.
@@ -23362,6 +23368,12 @@ output_probe_stack_range (rtx reg1, rtx reg2)
return "";
}
+static bool
+aarch_bti_enabled ()
+{
+ return false;
+}
+
/* Generate the prologue instructions for entry into an ARM or Thumb-2
function. */
void
@@ -23440,12 +23452,13 @@ arm_expand_prologue (void)
/* The static chain register is the same as the IP register. If it is
clobbered when creating the frame, we need to save and restore it. */
- clobber_ip = IS_NESTED (func_type)
- && ((TARGET_APCS_FRAME && frame_pointer_needed && TARGET_ARM)
- || ((flag_stack_check == STATIC_BUILTIN_STACK_CHECK
- || flag_stack_clash_protection)
- && !df_regs_ever_live_p (LR_REGNUM)
- && arm_r3_live_at_start_p ()));
+ clobber_ip = (IS_NESTED (func_type)
+ && (((TARGET_APCS_FRAME && frame_pointer_needed && TARGET_ARM)
+ || ((flag_stack_check == STATIC_BUILTIN_STACK_CHECK
+ || flag_stack_clash_protection)
+ && !df_regs_ever_live_p (LR_REGNUM)
+ && arm_r3_live_at_start_p ()))
+ || (arm_current_function_pac_enabled_p ())));
/* Find somewhere to store IP whilst the frame is being created.
We try the following places in order:
@@ -23470,7 +23483,8 @@ arm_expand_prologue (void)
{
rtx addr, dwarf;
- gcc_assert(arm_compute_static_chain_stack_bytes() == 4);
+ gcc_assert(arm_compute_static_chain_stack_bytes() == 4
+ || arm_current_function_pac_enabled_p ());
saved_regs += 4;
addr = gen_rtx_PRE_DEC (Pmode, stack_pointer_rtx);
@@ -23521,6 +23535,14 @@ arm_expand_prologue (void)
}
}
+ if (arm_current_function_pac_enabled_p ())
+ {
+ if (aarch_bti_enabled ())
+ emit_insn (gen_pacbti_nop ());
+ else
+ emit_insn (gen_pac_nop ());
+ }
+
if (TARGET_APCS_FRAME && frame_pointer_needed && TARGET_ARM)
{
if (IS_INTERRUPT (func_type))
@@ -27309,7 +27331,7 @@ thumb2_expand_return (bool simple_return)
to assert it for now to ensure that future code changes do not silently
change this behavior. */
gcc_assert (!IS_CMSE_ENTRY (arm_current_func_type ()));
- if (num_regs == 1)
+ if (num_regs == 1 && !arm_current_function_pac_enabled_p ())
{
rtx par = gen_rtx_PARALLEL (VOIDmode, rtvec_alloc (2));
rtx reg = gen_rtx_REG (SImode, PC_REGNUM);
@@ -27324,10 +27346,20 @@ thumb2_expand_return (bool simple_return)
}
else
{
- saved_regs_mask &= ~ (1 << LR_REGNUM);
- saved_regs_mask |= (1 << PC_REGNUM);
- arm_emit_multi_reg_pop (saved_regs_mask);
- }
+ if (arm_current_function_pac_enabled_p ())
+ {
+ gcc_assert (!(saved_regs_mask & (1 << PC_REGNUM)));
+ arm_emit_multi_reg_pop (saved_regs_mask);
+ emit_insn (gen_aut_nop ());
+ emit_jump_insn (simple_return_rtx);
+ }
+ else
+ {
+ saved_regs_mask &= ~ (1 << LR_REGNUM);
+ saved_regs_mask |= (1 << PC_REGNUM);
+ arm_emit_multi_reg_pop (saved_regs_mask);
+ }
+ }
}
else
{
@@ -27733,7 +27765,8 @@ arm_expand_epilogue (bool really_return)
&& really_return
&& crtl->args.pretend_args_size == 0
&& saved_regs_mask & (1 << LR_REGNUM)
- && !crtl->calls_eh_return)
+ && !crtl->calls_eh_return
+ && !arm_current_function_pac_enabled_p ())
{
saved_regs_mask &= ~(1 << LR_REGNUM);
saved_regs_mask |= (1 << PC_REGNUM);
@@ -27847,6 +27880,9 @@ arm_expand_epilogue (bool really_return)
}
}
+ if (arm_current_function_pac_enabled_p ())
+ emit_insn (gen_aut_nop ());
+
if (!really_return)
return;
@@ -32941,6 +32977,15 @@ arm_fusion_enabled_p (tune_params::fuse_ops op)
return current_tune->fusible_ops & op;
}
+/* Return TRUE if return address signing mechanism is enabled. */
+bool
+arm_current_function_pac_enabled_p (void)
+{
+ return aarch_ra_sign_scope == AARCH_FUNCTION_ALL
+ || (aarch_ra_sign_scope == AARCH_FUNCTION_NON_LEAF
+ && !crtl->is_leaf);
+}
+
/* Implement TARGET_SCHED_CAN_SPECULATE_INSN. Return true if INSN can be
scheduled for speculative execution. Reject the long-running division
and square-root instructions. */
@@ -11518,7 +11518,7 @@ (define_expand "prologue"
arm_expand_prologue ();
else
thumb1_expand_prologue ();
- DONE;
+ DONE;
"
)
@@ -12890,6 +12890,29 @@ (define_insn "*speculation_barrier_insn"
(set_attr "length" "8")]
)
+(define_insn "pac_nop"
+ [(set (reg:SI IP_REGNUM)
+ (unspec:SI [(reg:SI SP_REGNUM) (reg:SI LR_REGNUM)]
+ UNSPEC_PAC_NOP))]
+ "arm_arch7 && arm_arch_cmse"
+ "pac\t%|ip, %|lr, %|sp"
+ [(set_attr "length" "4")])
+
+(define_insn "pacbti_nop"
+ [(set (reg:SI IP_REGNUM)
+ (unspec:SI [(reg:SI SP_REGNUM) (reg:SI LR_REGNUM)]
+ UNSPEC_PACBTI_NOP))]
+ "arm_arch7 && arm_arch_cmse"
+ "pacbti\t%|ip, %|lr, %|sp"
+ [(set_attr "length" "4")])
+
+(define_insn "aut_nop"
+ [(unspec:SI [(reg:SI IP_REGNUM) (reg:SI SP_REGNUM) (reg:SI LR_REGNUM)]
+ UNSPEC_AUT_NOP)]
+ "arm_arch7 && arm_arch_cmse"
+ "aut\t%|ip, %|lr, %|sp"
+ [(set_attr "length" "4")])
+
;; Vector bits common to IWMMXT, Neon and MVE
(include "vec-common.md")
;; Load the Intel Wireless Multimedia Extension patterns
@@ -159,6 +159,9 @@ (define_c_enum "unspec" [
UNSPEC_VCDE ; Custom Datapath Extension instruction.
UNSPEC_VCDEA ; Custom Datapath Extension instruction.
UNSPEC_DLS ; Used for DLS (Do Loop Start), Armv8.1-M Mainline instruction
+ UNSPEC_PAC_NOP ; Represents PAC signing LR
+ UNSPEC_PACBTI_NOP ; Represents PAC signing LR + valid landing pad
+ UNSPEC_AUT_NOP ; Represents PAC verifying LR
])
new file mode 100644
@@ -0,0 +1,12 @@
+/* Testing return address signing. */
+/* { dg-do run } */
+/* { dg-require-effective-target mbranch_protection_ok } */
+/* { dg-require-effective-target arm_pacbti_hw } */
+/* { dg-options "-march=armv8.1-m.main+pacbti+fp -mbranch-protection=pac-ret+leaf -mthumb -mfloat-abi=hard --save-temps -O0" } */
+
+#include "pac.h"
+
+/* { dg-final { scan-assembler-times "pac\tip, lr, sp" 2 } } */
+/* { dg-final { scan-assembler-times "aut\tip, lr, sp" 2 } } */
+/* { dg-final { scan-assembler-not "\tbti" } } */
+
new file mode 100644
@@ -0,0 +1,11 @@
+/* Testing return address signing. */
+/* { dg-do run } */
+/* { dg-require-effective-target mbranch_protection_ok } */
+/* { dg-require-effective-target arm_pacbti_hw } */
+/* { dg-options "-march=armv8.1-m.main+pacbti+fp -mbranch-protection=pac-ret -mthumb -mfloat-abi=hard --save-temps -O0" } */
+
+#include "pac.h"
+
+/* { dg-final { scan-assembler "pac\tip, lr, sp" } } */
+/* { dg-final { scan-assembler "aut\tip, lr, sp" } } */
+/* { dg-final { scan-assembler-not "\tbti" } } */
new file mode 100644
@@ -0,0 +1,11 @@
+/* Testing return address signing. */
+/* { dg-do run } */
+/* { dg-require-effective-target mbranch_protection_ok } */
+/* { dg-require-effective-target arm_pacbti_hw } */
+/* { dg-options "-march=armv8.1-m.main+pacbti+fp -mbranch-protection=bti+pac-ret+leaf -mthumb -mfloat-abi=hard --save-temps -O2" } */
+
+#include "pac.h"
+
+/* { dg-final { scan-assembler-times "pacbti\tip, lr, sp" 2 } } */
+/* { dg-final { scan-assembler-times "aut\tip, lr, sp" 2 } } */
+/* { dg-final { scan-assembler-not "\tbti" } } */
new file mode 100644
@@ -0,0 +1,10 @@
+/* Testing return address signing. */
+/* { dg-do compile } */
+/* { dg-require-effective-target mbranch_protection_ok } */
+/* { dg-options "-march=armv8.1-m.main+pacbti+fp -mthumb -mfloat-abi=hard --save-temps -O2" } */
+
+#include "pac.h"
+
+/* { dg-final { scan-assembler-not "\tbti\t" } } */
+/* { dg-final { scan-assembler-not "\tpac\t" } } */
+/* { dg-final { scan-assembler-not "\tpacbti\t" } } */
new file mode 100644
@@ -0,0 +1,28 @@
+/* Testing return address signing. */
+/* { dg-do run } */
+/* { dg-require-effective-target mbranch_protection_ok } */
+/* { dg-require-effective-target arm_pacbti_hw } */
+/* { dg-options "-march=armv8.1-m.main+pacbti+fp -mbranch-protection=pac-ret+leaf -mthumb -mfloat-abi=hard --save-temps -O0" } */
+
+#include <stdlib.h>
+
+int
+__attribute__((noinline))
+foo1 (int a, int b)
+{
+ int square (int z) { return z * z; }
+ return square (a) + square (b);
+}
+
+int
+main (void)
+{
+ if (foo1 (1, 2) != 5)
+ abort ();
+
+ return 0;
+}
+
+/* { dg-final { scan-assembler-times "pac\tip, lr, sp" 3 } } */
+/* { dg-final { scan-assembler-times "aut\tip, lr, sp" 3 } } */
+/* { dg-final { scan-assembler-not "\tbti" } } */
new file mode 100644
@@ -0,0 +1,18 @@
+/* Check that GCC does .save and .cfi_offset directives with RA_AUTH_CODE pseudo hard-register. */
+/* { dg-do compile } */
+/* { dg-require-effective-target mbranch_protection_ok } */
+/* { dg-options "-march=armv8.1-m.main+fp -mbranch-protection=pac-ret+leaf -mthumb --save-temps -O0 -g" } */
+
+int i;
+
+void foo (int);
+
+int bar()
+{
+ foo (i);
+ return 0;
+}
+
+/* { dg-final { scan-assembler "pac\tip, lr, sp" } } */
+/* { dg-final { scan-assembler "aut\tip, lr, sp" } } */
+/* { dg-final { scan-assembler-not "bti" } } */
new file mode 100644
@@ -0,0 +1,32 @@
+/* Testing return address signing. */
+/* { dg-do run } */
+/* { dg-require-effective-target mbranch_protection_ok } */
+/* { dg-require-effective-target arm_pacbti_hw } */
+/* { dg-options "-march=armv8.1-m.main+pacbti+fp -mbranch-protection=pac-ret+leaf -mthumb -mfloat-abi=hard --save-temps -O0" } */
+
+#include <stdlib.h>
+
+int
+__attribute__((noinline))
+foo1 (int a, int b)
+{
+ int x = 4;
+ int foo2 (int a, int b)
+ {
+ return a + b + x;
+ }
+ return foo2 (a, b);
+}
+
+int
+main (void)
+{
+ if (foo1 (1, 2) != 7)
+ abort ();
+
+ return 0;
+}
+
+/* { dg-final { scan-assembler-times "pac\tip, lr, sp" 3 } } */
+/* { dg-final { scan-assembler-times "aut\tip, lr, sp" 3 } } */
+/* { dg-final { scan-assembler-not "\tbti" } } */
new file mode 100644
@@ -0,0 +1,34 @@
+/* Testing return address signing. */
+/* { dg-do run } */
+/* { dg-require-effective-target mbranch_protection_ok } */
+/* { dg-require-effective-target arm_pacbti_hw } */
+/* { dg-options "-march=armv8.1-m.main+pacbti+fp -mbranch-protection=pac-ret+leaf -mthumb -mfloat-abi=hard --save-temps -O0" } */
+
+#include <stdarg.h>
+#include <stdlib.h>
+
+int acc (int n, ...)
+{
+ int sum = 0;
+ va_list ptr;
+
+ va_start (ptr, n);
+
+ for (int i = 0; i < n; i++)
+ sum += va_arg (ptr, int);
+ va_end (ptr);
+
+ return sum;
+}
+
+int main()
+{
+ if (acc (3, 1, 2, 3) != 6)
+ abort ();
+
+ return 0;
+}
+
+/* { dg-final { scan-assembler-times "pac\tip, lr, sp" 2 } } */
+/* { dg-final { scan-assembler-times "aut\tip, lr, sp" 2 } } */
+/* { dg-final { scan-assembler-not "\tbti" } } */
new file mode 100644
@@ -0,0 +1,17 @@
+#include <stdlib.h>
+
+int
+__attribute__((noinline))
+foo1 (int a, int b)
+{
+ return a + b;
+}
+
+int
+main (void)
+{
+ if (foo1 (1, 2) != 3)
+ abort ();
+
+ return 0;
+}