Indirect goto crashes in purecap ABI

[arichardson]

// RUN: %cheri_purecap_cc1 -o - -O0 -emit-llvm %s
// RUN: %cheri_purecap_cc1 -o - -O0 -S %s
extern int x;

int a() {
  static void *b = &&label;
  if (x)
    goto *b;
  else
    return 1;
label:
  return 2;
}

I have fixed the IR generation, but when generating assembly it fails with the following error:

fatal error: error in backend: Cannot select: t3: ch = brind t0, t2
  t2: iFATPTR,ch = CopyFromReg t0, Register:iFATPTR %vreg2
    t1: iFATPTR = Register %vreg2
In function: a

[arichardson]

I guess the frontend has been fixed so this bug should move to LLVM?

[davidchisnall]

I think we need to think a bit about what the semantics of this should be. Should the address give you a capability, or a PCC-relative offset? @rwatson, do you have any opinions? A capability would mean that you'd get the integrity guarantees that you'd want, but it would also mean that you could violate CFI if you passed it to another function and used it as a jump target (passing it to another function and using it on return is the explicit use case for the address-of-label extension).

If we have a large enough sealing space, we'd want to make it a capability sealed with the current PC. I wonder if there's any other clever trick that we can use for doing it?

[khilangudka]

I'm now hitting this issue with WebKit. I similarly fixed the IR generation but am also hitting the above backend error. Do we have any thoughts about how we should deal with address-of-label?

[davidchisnall]

I think the best short-term solution is for address of label to give an offset that we can jump to relative to the function entry capability, but in the longer term we probably want to protect it as a capability.