musttail + no_caller_saved_registers + x86 PIC = bad jmp

[easyaspi314]

Don't ask me how I stumbled on this one.

The bug

LLVM will load the GOT address of bar into eax, then pop eax, then jump to the address in eax register.

Since eax is popped from the stack, it jumps to a garbage address.

What is expected to happen

Either LLVM must

1. clobber eax
2. push the address on to the stack then ret (does that mess with CET?)
3. or not allow musttail to be used with this attribute.

example code

void foo(void);
__attribute__((no_caller_saved_registers))
void bar(void)
{
    __attribute__((musttail))
    return foo();
}

clang --target=i386-linux-gnu -fPIC -march=i386 -O2 -S file.c -masm=intel

        .text
        .intel_syntax noprefix
        .file   "test.c"
        .globl  bar                             # -- Begin function bar
        .p2align        4, 0x90
        .type   bar,@function
bar:                                    # @bar
# %bb.0:
        push    edx
        push    ecx
        push    eax
        call    .L0$pb
.L0$pb:
        pop     eax
.Ltmp0:
        add     eax, offset _GLOBAL_OFFSET_TABLE_+(.Ltmp0-.L0$pb)
        # load the function pointer into eax
        mov     eax, dword ptr [eax + foo@GOT]
        # then immediately pop eax from the stack?????
        pop     eax
        pop     ecx
        pop     edx
        # then jump to eax which is not a function pointer??????
        jmp     eax                             # TAILCALL
.Lfunc_end0:
        .size   bar, .Lfunc_end0-bar
                                        # -- End function
        .ident  "clang version 13.0.0"
        .section        ".note.GNU-stack","",@progbits

Reproduced on Clang 13.0.0.

[llvmbot]

@llvm/issue-subscribers-backend-x86