https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104713

--- Comment #10 from James Addison <jay+g...@jp-hosting.net> ---
Hi folks,

Re-stating and confirming the bug report details here: both gcc-11 (11.3.0) and
gcc-12 (12.2.0) emit bytecode instructions that aren't supported on all
i686-architecture CPUs.

This comment includes a demonstration/repro case to help verify the problem and
potential fixes, along with a suggested remediation approach that is a small
adjustment of Adrian's original suggestion.

As a recap, partly for my own understanding: the 'endbr32' instruction required
to implement Intel Control-flow Enforcement Technology (aka Intel CET) is a
renaming and repurposing of an existing long-NOP (aka NOPL) instruction that
was not documented in the original Pentium Pro specification and therefore is
not supported on all i686-class CPUs.


### Version information

$ gcc-11 --version
gcc-11 (Debian 11.3.0-12) 11.3.0
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ gcc-12 --version
gcc-12 (Debian 12.2.0-14) 12.2.0
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

$ objdump --version
GNU objdump (GNU Binutils for Debian) 2.40
Copyright (C) 2023 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.


### Replicating the problem

$ cat repro.c 
int main() {}

$ for prot in full branch return none check; do gcc-11 -m32 -march=i686 -fcf-protection=$prot -c repro.c -o gcc-11-$prot.o; gcc-12 -m32 -march=i686 -fcf-protection=$prot -c repro.c -o gcc-12-$prot.o; done;


### Checking the results

$ for binary in gcc-*.o; do echo $binary; objdump -d $binary | grep -w endbr32; done;
gcc-11-branch.o
   0:   f3 0f 1e fb             endbr32
gcc-11-check.o
gcc-11-full.o
   0:   f3 0f 1e fb             endbr32
gcc-11-none.o
gcc-11-return.o
gcc-12-branch.o
   0:   f3 0f 1e fb             endbr32
gcc-12-check.o
gcc-12-full.o
   0:   f3 0f 1e fb             endbr32
gcc-12-none.o
gcc-12-return.o


### Remedy

Please could GCC be updated to reject attempts to build binaries for the i686
architecture when fcf-protection is configured to -- or implied to include --
'branch' protection?

Values for the fcf-protection flag were sourced from the GCC documentation at:
https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fcf-protection

(as noted: this does duplicate some of the original bug report's suggestion, but
is intended to be slightly more granular because I believe it's important to
note that not all fcf-protection values are unsupported by the i686
architecture)
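
An added example, not part of the original comment or of GCC: a build-pipeline check that reads a 32-bit x86 ELF object and reports which functions begin with the `f3 0f 1e fb` (endbr32) encoding seen in the objdump output above. It inspects function entry points from the symbol table rather than grepping disassembly text. The function names and the `sample_object` helper with its bytes are constructed for illustration.

```python
import struct

ENDBR32 = bytes.fromhex("f30f1efb")   # encoding shown in the objdump output above
EM_386, SHT_SYMTAB, STT_FUNC = 3, 2, 2

def endbr32_functions(elf: bytes) -> list:
    """Names of functions in a 32-bit x86 ELF file that begin with endbr32."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x01\x01":
        raise ValueError("not a little-endian ELF32 file")
    if struct.unpack_from("<H", elf, 18)[0] != EM_386:
        raise ValueError("not an i386 object")
    shoff, = struct.unpack_from("<I", elf, 32)
    shentsize, shnum = struct.unpack_from("<HH", elf, 46)
    # Elf32_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    secs = [struct.unpack_from("<10I", elf, shoff + i * shentsize) for i in range(shnum)]
    hits = []
    for sec in secs:
        if sec[1] != SHT_SYMTAB:
            continue
        names = secs[sec[6]][4]            # file offset of the linked string table
        for off in range(sec[4], sec[4] + sec[5], sec[9] or 16):
            name, value, _, info, _, shndx = struct.unpack_from("<IIIBBH", elf, off)
            if info & 0xF != STT_FUNC or not 0 < shndx < shnum:
                continue                   # skip non-functions and undefined/absolute symbols
            home = secs[shndx]
            # st_value is a section offset in a .o file, an address once linked
            start = home[4] + value - home[3]
            if elf[start:start + 4] == ENDBR32:
                end = elf.index(b"\0", names + name)
                hits.append(elf[names + name:end].decode())
    return hits

def sample_object(code: bytes) -> bytes:
    """Constructed minimal ELF32 i386 object holding one function, 'main'."""
    strtab = b"\0main\0"
    symtab = bytes(16) + struct.pack("<IIIBBH", 1, 0, len(code), 0x12, 0, 1)
    text_off, str_off = 52, 52 + len(code)
    sym_off = str_off + len(strtab)
    header = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 1, EM_386, 1, 0, 0, sym_off + len(symtab), 0, 52, 0, 0, 40, 4, 0)
    shdrs = bytes(40) + struct.pack(                       # null section, then .text
        "<10I", 0, 1, 6, 0, text_off, len(code), 0, 0, 1, 0)
    shdrs += struct.pack("<10I", 0, SHT_SYMTAB, 0, 0, sym_off, len(symtab), 3, 1, 4, 16)
    shdrs += struct.pack("<10I", 0, 3, 0, 0, str_off, len(strtab), 0, 0, 1, 0)  # .strtab
    return header + code + strtab + symtab + shdrs

if __name__ == "__main__":
    # Constructed code bytes: endbr32; push %ebp; mov %esp,%ebp; pop %ebp; ret
    print(endbr32_functions(sample_object(bytes.fromhex("f30f1efb5589e55dc3"))))
```

A real object such as `gcc-12-full.o` from the repro can be passed in by reading the file as bytes; a non-empty result for an i686 target is the condition the comment asks GCC to reject.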
