devel/objfw: add BTCFI landing pads for amd64 and arm64
> Date: Sat, 24 Feb 2024 21:40:53 +0100
> From: Jonathan Schleifer <js@nil.im>
>
> On 24.02.24 at 21:30, Mark Kettenis wrote:
>
> > Unless we explicitly mark them as not, yes, they will use IBT (but not
> > Shadow Stack).
>
> Ah cool!
>
> > No. Tail call elimination will use a *direct* branch, which doesn't
> > need a landing pad at all.
>
> Not necessarily - I've seen tail call elimination on function pointers,
> because it *is* valid. E.g. `return func_ptr()` should be able to use
> tail call elimination.

Ah, right. What happens in that case is that the branch will use
register X16 or X17 and those are special in the sense that both
"bti c" and "bti j" landing pads are ok.

> > Right. And this is what a direct branch looks like. An indirect
> > branch is when you load the address of a function into a register and
> > then use that register in the branch instruction.
>
> Ah, right, forgot about the indirect part :).
>
> However, don't the functions referenced by section .init_array also need
> those, then? Or is IBT only enabled later?

No, functions referenced from .init_array need a landing pad. So the
init function in src/forwarding/forwarding-arm64-elf.S would indeed
need a "bti c" at its start.

> > Like endbr64 on amd64, the bti instructions are all executed as nop
> > instructions on older hardware.
>
> Thanks for confirming!
>
> --
> Jonathan
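The landing-pad placement discussed in this exchange, as an added arm64 assembly example that is not from the thread and not ObjFW's own forwarding-arm64-elf.S: a function referenced from .init_array that starts with `bti c`, a tail call through a function pointer routed via x16 so that the callee's `bti c` is a valid target, and the standard AArch64 ELF GNU property note that marks the object as BTI-compatible. The function names (init_example, tail_call_ptr) and the counter variable are invented for illustration; `hint #34` is the same encoding as `bti c` for assemblers that do not accept the `bti` mnemonic. The amd64 counterpart of the `bti c` pad is `endbr64`.

```asm
// Added example (GNU as / clang integrated assembler syntax, ELF arm64).
// Names and the counter variable are made up for illustration.

        .text

        // Reached indirectly (blr from the runtime loader via .init_array,
        // or any blr through a function pointer), so the first instruction
        // must be a landing pad. "bti c" accepts blr with any register and
        // br with x16/x17; "bti j" would only accept br.
        .globl  init_example
        .type   init_example, %function
        .p2align 2
init_example:
        bti     c                       // older assemblers: hint #34
        stp     x29, x30, [sp, #-16]!
        mov     x29, sp
        adrp    x0, counter
        add     x0, x0, :lo12:counter
        ldr     w1, [x0]
        add     w1, w1, #1              // counter++ (illustrative work)
        str     w1, [x0]
        ldp     x29, x30, [sp], #16
        ret                             // ret is not an indirect branch for BTI
        .size   init_example, .-init_example

        // Tail call through a function pointer held in x0. Moving the target
        // into x16 (or x17) before "br" means the callee's "bti c" pad is
        // sufficient; a "br" through any other register would need "bti j".
        .globl  tail_call_ptr
        .type   tail_call_ptr, %function
        .p2align 2
tail_call_ptr:
        bti     c                       // this function may itself be called indirectly
        mov     x16, x0
        br      x16
        .size   tail_call_ptr, .-tail_call_ptr

        // Register init_example to run at load time. The loader calls it
        // through a pointer, which is why the landing pad above is required.
        .section .init_array, "aw", %init_array
        .p2align 3
        .xword  init_example

        .bss
        .p2align 2
counter:
        .skip   4

        // Standard AArch64 ELF note declaring BTI compatibility, so a linker
        // that checks the property can carry it into the final image.
        .section .note.gnu.property, "a", %note
        .p2align 3
        .long   4                       // n_namesz ("GNU\0")
        .long   16                      // n_descsz
        .long   5                       // n_type: NT_GNU_PROPERTY_TYPE_0
        .asciz  "GNU"
        .long   0xc0000000              // GNU_PROPERTY_AARCH64_FEATURE_1_AND
        .long   4                       // pr_datasz
        .long   1                       // GNU_PROPERTY_AARCH64_FEATURE_1_BTI
        .long   0                       // padding to 8-byte alignment
```

To check an object built from this, `readelf -n` shows the property note and `objdump -d` shows `bti c` (or `hint #34`) as the first instruction of each function that can be reached indirectly; on hardware without BTI those instructions execute as nops, as the thread notes.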