On Sun, 12 Dec 2021 10:19:30 GMT, Andrew Haley <a...@openjdk.org> wrote:
>> `-mbranch-protection` switches on both PAC-RET and BTI. This PR only covers
>> a use of PAC that looks very ROP-focused to me.
>
> True, because we don't (yet) support BTI. Is there any point having two
> separate flags for BTI and PAC-RET? If someone wants one, they'll very likely
> want the other, won't they?

You can support one without the other. The architecture allows you to have one without the other.

The GCC flag is an enum of "none|standard|pac-ret[+leaf]|bti", with some of them changing depending on which cpu you specify to -mcpu (8.0,8.3,8.5 etc). Clang has the same flags. Interestingly, on MacOS Clang, -mbranch-protection is available but it'll give incorrect code. Instead you build with -arch arm64e.

If your system had both, the only scenario I could see for only wanting just one would be for test/dev purposes. In a real production scenario you would want everything the system supports or nothing.

An earlier version of my code had a UseBranchProtection="pac|bti|pac+bti|all|none" style option

-------------

PR: https://git.openjdk.java.net/jdk/pull/6334
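
As an added illustration (not code from the PR or from the message's author), a C translation unit can report which of the two protections the compiler actually enabled for it, which is a quick way to confirm that a build picked up the intended `-mbranch-protection` value. It relies on the ACLE predefined macros `__ARM_FEATURE_PAC_DEFAULT` and `__ARM_FEATURE_BTI_DEFAULT`; the function name `branch_protection_name` is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* ACLE predefined macros set by the compiler according to the
 * -mbranch-protection value in effect. On non-AArch64 targets, or with
 * protection disabled, neither macro is defined. */
#ifdef __ARM_FEATURE_PAC_DEFAULT
#define PAC_MASK __ARM_FEATURE_PAC_DEFAULT /* bit0: A key, bit1: B key, bit2: leaf */
#else
#define PAC_MASK 0u
#endif
#ifdef __ARM_FEATURE_BTI_DEFAULT
#define BTI_ON 1
#else
#define BTI_ON 0
#endif

/* Hypothetical helper: turn the two macro values into the flag spelling
 * used in the message above ("none", "pac-ret", "pac-ret+leaf", "bti",
 * or a '+' combination). The signing key (A or B) is not reported.
 * Returns a pointer to a static buffer, so it is not reentrant. */
const char *branch_protection_name(unsigned pac_mask, int bti)
{
    static char buf[32];
    int pac  = (pac_mask & 0x3u) != 0;       /* return addresses are signed */
    int leaf = pac && (pac_mask & 0x4u) != 0; /* leaf functions signed too  */

    if (!pac && !bti)
        snprintf(buf, sizeof buf, "none");
    else
        snprintf(buf, sizeof buf, "%s%s%s%s",
                 pac ? "pac-ret" : "",
                 leaf ? "+leaf" : "",
                 (pac && bti) ? "+" : "",
                 bti ? "bti" : "");
    return buf;
}

int main(void)
{
    /* Reports what this translation unit was compiled with. */
    printf("branch protection in this build: %s\n",
           branch_protection_name(PAC_MASK, BTI_ON));
    return 0;
}
```

The result reflects how this one file was compiled, not what the CPU or kernel supports at run time.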