https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104713
--- Comment #10 from James Addison <jay+g...@jp-hosting.net> --- Hi folks, Re-stating and confirming the bugreport details here: both gcc-11 (11.3.0) and gcc-12 (12.2.0) emit bytecode instructions that aren't supported on all i686-architecture CPUs. This comment includes a demonstration/repro case to help verify the problem and potential fixes, along with a suggested remediation approach that is a small adjustment of Adrian's original suggestion. As a recap, partly for my own understanding: the 'endbr32' instruction required to implement Intel Control-flow Enforcement Technology (aka Intel CET) is a renaming and repurposing of an existing long-NOP (aka NOPL) instruction that was not documented in the original Pentium Pro specification and therefore is not supported on all i686-class CPUs. ### Version information $ gcc-11 --version gcc-11 (Debian 11.3.0-12) 11.3.0 Copyright (C) 2021 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. $ gcc-12 --version gcc-12 (Debian 12.2.0-14) 12.2.0 Copyright (C) 2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. $ objdump --version GNU objdump (GNU Binutils for Debian) 2.40 Copyright (C) 2023 Free Software Foundation, Inc. This program is free software; you may redistribute it under the terms of the GNU General Public License version 3 or (at your option) any later version. This program has absolutely no warranty. ### Replicating the problem $ cat repro.c int main() {} $ for prot in full branch return none check; do gcc-11 -m32 -march=i686 -fcf-protection=$prot -c repro.c -o gcc-11-$prot.o; gcc-12 -m32 -march=i686 -fcf-protection=$prot -c repro.c -o gcc-12-$prot.o; done; ### Checking the results $ for binary in gcc-*.o; do echo $binary; objdump -d $binary | grep -w endbr32 ; done; gcc-11-branch.o 0: f3 0f 1e fb endbr32 gcc-11-check.o gcc-11-full.o 0: f3 0f 1e fb endbr32 gcc-11-none.o gcc-11-return.o gcc-12-branch.o 0: f3 0f 1e fb endbr32 gcc-12-check.o gcc-12-full.o 0: f3 0f 1e fb endbr32 gcc-12-none.o gcc-12-return.o ### Remedy Please could GCC be updated to reject attempts to build binaries for the i686 architecture when fcf-protection is configured to -- or implied to include -- 'branch' protection? Values for the fcf-protection flag were sourced from the GCC documentation at: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-fcf-protection (as noted: this does duplicate some of the original bugreport's suggestion, but is intended to be slightly more granular because I believe it's important to note that not all fcf-protection values are unsupported by the i686 architecture)