i386; Add indirect_return function attribute

Message ID 20180608102748.GA110450@intel.com
State New
Headers show
Series
  • i386; Add indirect_return function attribute
Related show

Commit Message

H.J. Lu June 8, 2018, 10:27 a.m.
On x86, swapcontext may return via indirect branch when shadow stack
is enabled.  To support code instrumentation of control-flow transfers
with -fcf-protection, add indirect_return function attribute to inform
compiler that a function may return via indirect branch.

Note: Unlike setjmp, swapcontext only returns once.  Mark it return
twice will unnecessarily disable compiler optimization.

OK for trunk?

H.J.
----
gcc/

	PR target/85620
	* config/i386/i386.c (rest_of_insert_endbranch): Also generate
	ENDBRANCH for non-tail call which may return via indirect branch.
	* doc/extend.texi: Document indirect_return attribute.

gcc/testsuite/

	PR target/85620
	* gcc.target/i386/pr85620-1.c: New test.
	* gcc.target/i386/pr85620-2.c: Likewise.
---
 gcc/config/i386/i386.c                    | 23 ++++++++++++++++++++++-
 gcc/doc/extend.texi                       |  6 ++++++
 gcc/testsuite/gcc.target/i386/pr85620-1.c | 15 +++++++++++++++
 gcc/testsuite/gcc.target/i386/pr85620-2.c | 13 +++++++++++++
 4 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-1.c
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-2.c

-- 
2.17.1

Comments

H.J. Lu July 3, 2018, 3:32 p.m. | #1
On Fri, Jun 8, 2018 at 3:27 AM, H.J. Lu <hongjiu.lu@intel.com> wrote:
> On x86, swapcontext may return via indirect branch when shadow stack

> is enabled.  To support code instrumentation of control-flow transfers

> with -fcf-protection, add indirect_return function attribute to inform

> compiler that a function may return via indirect branch.

>

> Note: Unlike setjmp, swapcontext only returns once.  Mark it return

> twice will unnecessarily disable compiler optimization.

>

> OK for trunk?

>

> H.J.

> ----

> gcc/

>

>         PR target/85620

>         * config/i386/i386.c (rest_of_insert_endbranch): Also generate

>         ENDBRANCH for non-tail call which may return via indirect branch.

>         * doc/extend.texi: Document indirect_return attribute.

>

> gcc/testsuite/

>

>         PR target/85620

>         * gcc.target/i386/pr85620-1.c: New test.

>         * gcc.target/i386/pr85620-2.c: Likewise.

>


Here is the updated patch with a testcase to show the impact of
returns_twice attribute.

Jan, Uros, can you take a look?

Thanks.

-- 
H.J.
From 6115541e03073b93bd81f5eb81fdedd4e5b47b28 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Thu, 7 Jun 2018 20:05:15 -0700
Subject: [PATCH] i386; Add indirect_return function attribute

On x86, swapcontext may return via indirect branch when shadow stack
is enabled.  To support code instrumentation of control-flow transfers
with -fcf-protection, add indirect_return function attribute to inform
compiler that a function may return via indirect branch.

Note: Unlike setjmp, swapcontext only returns once.  Mark it return
twice will unnecessarily disable compiler optimization as shown in
the testcase here.

gcc/

	PR target/85620
	* config/i386/i386.c (rest_of_insert_endbranch): Also generate
	ENDBRANCH for non-tail call which may return via indirect branch.
	* doc/extend.texi: Document indirect_return attribute.

gcc/testsuite/

	PR target/85620
	* gcc.target/i386/pr85620-1.c: New test.
	* gcc.target/i386/pr85620-2.c: Likewise.
	* gcc.target/i386/pr85620-3.c: Likewise.
	* gcc.target/i386/pr85620-4.c: Likewise.
---
 gcc/config/i386/i386.c                    | 23 ++++++++++++++++++++++-
 gcc/doc/extend.texi                       |  6 ++++++
 gcc/testsuite/gcc.target/i386/pr85620-1.c | 15 +++++++++++++++
 gcc/testsuite/gcc.target/i386/pr85620-2.c | 13 +++++++++++++
 gcc/testsuite/gcc.target/i386/pr85620-3.c | 18 ++++++++++++++++++
 gcc/testsuite/gcc.target/i386/pr85620-4.c | 18 ++++++++++++++++++
 6 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-1.c
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-2.c
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-3.c
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-4.c

diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index e6d17632142..41461d582a4 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -2621,7 +2621,26 @@ rest_of_insert_endbranch (void)
 	{
 	  if (CALL_P (insn))
 	    {
-	      if (find_reg_note (insn, REG_SETJMP, NULL) == NULL)
+	      bool need_endbr;
+	      need_endbr = find_reg_note (insn, REG_SETJMP, NULL) != NULL;
+	      if (!need_endbr && !SIBLING_CALL_P (insn))
+		{
+		  rtx call = get_call_rtx_from (insn);
+		  rtx fnaddr = XEXP (call, 0);
+
+		  /* Also generate ENDBRANCH for non-tail call which
+		     may return via indirect branch.  */
+		  if (MEM_P (fnaddr)
+		      && GET_CODE (XEXP (fnaddr, 0)) == SYMBOL_REF)
+		    {
+		      tree fndecl = SYMBOL_REF_DECL (XEXP (fnaddr, 0));
+		      if (fndecl
+			  && lookup_attribute ("indirect_return",
+					       DECL_ATTRIBUTES (fndecl)))
+			need_endbr = true;
+		    }
+		}
+	      if (!need_endbr)
 		continue;
 	      /* Generate ENDBRANCH after CALL, which can return more than
 		 twice, setjmp-like functions.  */
@@ -45897,6 +45916,8 @@ static const struct attribute_spec ix86_attribute_table[] =
     ix86_handle_fndecl_attribute, NULL },
   { "function_return", 1, 1, true, false, false, false,
     ix86_handle_fndecl_attribute, NULL },
+  { "indirect_return", 0, 0, true, false, false, false,
+    ix86_handle_fndecl_attribute, NULL },
 
   /* End element.  */
   { NULL, 0, 0, false, false, false, false, NULL, NULL }
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 19c2da2e5db..97b1f78cade 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -5886,6 +5886,12 @@ foo (void)
 @}
 @end smallexample
 
+@item indirect_return
+@cindex @code{indirect_return} function attribute, x86
+
+The @code{indirect_return} attribute on a function is used to inform
+the compiler that the function may return via indiret branch.
+
 @end table
 
 On the x86, the inliner does not inline a
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-1.c b/gcc/testsuite/gcc.target/i386/pr85620-1.c
new file mode 100644
index 00000000000..32efb08e59e
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-1.c
@@ -0,0 +1,15 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -fcf-protection" } */
+/* { dg-final { scan-assembler-times {\mendbr} 2 } } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+extern int res;
+
+void
+foo (struct ucontext *oucp)
+{
+  res = bar (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-2.c b/gcc/testsuite/gcc.target/i386/pr85620-2.c
new file mode 100644
index 00000000000..b2e680fa1fe
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-2.c
@@ -0,0 +1,13 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -fcf-protection" } */
+/* { dg-final { scan-assembler-times {\mendbr} 1 } } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+int
+foo (struct ucontext *oucp)
+{
+  return bar (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-3.c b/gcc/testsuite/gcc.target/i386/pr85620-3.c
new file mode 100644
index 00000000000..c70a5caf930
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-3.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wno-attributes" } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+static int __attribute__ ((__always_inline__))
+foo (struct ucontext *oucp)
+{
+  return bar (oucp);
+}
+
+int
+test (struct ucontext *oucp)
+{
+  return foo (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-4.c b/gcc/testsuite/gcc.target/i386/pr85620-4.c
new file mode 100644
index 00000000000..13056c46e49
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-4.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wno-attributes" } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__returns_twice__));
+
+static int __attribute__ ((__always_inline__))
+foo (struct ucontext *oucp) /* { dg-error "setjmp" } */
+{
+  return bar (oucp);
+}
+
+int
+test (struct ucontext *oucp)
+{
+  return foo (oucp);
+}
Uros Bizjak July 3, 2018, 4:12 p.m. | #2
On Tue, Jul 3, 2018 at 5:32 PM, H.J. Lu <hjl.tools@gmail.com> wrote:
> On Fri, Jun 8, 2018 at 3:27 AM, H.J. Lu <hongjiu.lu@intel.com> wrote:

>> On x86, swapcontext may return via indirect branch when shadow stack

>> is enabled.  To support code instrumentation of control-flow transfers

>> with -fcf-protection, add indirect_return function attribute to inform

>> compiler that a function may return via indirect branch.

>>

>> Note: Unlike setjmp, swapcontext only returns once.  Mark it return

>> twice will unnecessarily disable compiler optimization.

>>

>> OK for trunk?

>>

>> H.J.

>> ----

>> gcc/

>>

>>         PR target/85620

>>         * config/i386/i386.c (rest_of_insert_endbranch): Also generate

>>         ENDBRANCH for non-tail call which may return via indirect branch.

>>         * doc/extend.texi: Document indirect_return attribute.

>>

>> gcc/testsuite/

>>

>>         PR target/85620

>>         * gcc.target/i386/pr85620-1.c: New test.

>>         * gcc.target/i386/pr85620-2.c: Likewise.

>>

>

> Here is the updated patch with a testcase to show the impact of

> returns_twice attribute.

>

> Jan, Uros, can you take a look?


LGTM for the implementation, can't say if attribute is really needed or not.

+@item indirect_return
+@cindex @code{indirect_return} function attribute, x86
+
+The @code{indirect_return} attribute on a function is used to inform
+the compiler that the function may return via indiret branch.

s/indiret/indirect/

Uros.
H.J. Lu July 3, 2018, 4:53 p.m. | #3
On Tue, Jul 3, 2018 at 9:12 AM, Uros Bizjak <ubizjak@gmail.com> wrote:
> On Tue, Jul 3, 2018 at 5:32 PM, H.J. Lu <hjl.tools@gmail.com> wrote:

>> On Fri, Jun 8, 2018 at 3:27 AM, H.J. Lu <hongjiu.lu@intel.com> wrote:

>>> On x86, swapcontext may return via indirect branch when shadow stack

>>> is enabled.  To support code instrumentation of control-flow transfers

>>> with -fcf-protection, add indirect_return function attribute to inform

>>> compiler that a function may return via indirect branch.

>>>

>>> Note: Unlike setjmp, swapcontext only returns once.  Mark it return

>>> twice will unnecessarily disable compiler optimization.

>>>

>>> OK for trunk?

>>>

>>> H.J.

>>> ----

>>> gcc/

>>>

>>>         PR target/85620

>>>         * config/i386/i386.c (rest_of_insert_endbranch): Also generate

>>>         ENDBRANCH for non-tail call which may return via indirect branch.

>>>         * doc/extend.texi: Document indirect_return attribute.

>>>

>>> gcc/testsuite/

>>>

>>>         PR target/85620

>>>         * gcc.target/i386/pr85620-1.c: New test.

>>>         * gcc.target/i386/pr85620-2.c: Likewise.

>>>

>>

>> Here is the updated patch with a testcase to show the impact of

>> returns_twice attribute.

>>

>> Jan, Uros, can you take a look?

>

> LGTM for the implementation, can't say if attribute is really needed or not.


This gives programmers more flexibly.

> +@item indirect_return

> +@cindex @code{indirect_return} function attribute, x86

> +

> +The @code{indirect_return} attribute on a function is used to inform

> +the compiler that the function may return via indiret branch.

>

> s/indiret/indirect/


Fixed.  Here is the updated patch.

Thanks.

-- 
H.J.
From bb98f6a31801659ae3c6689d6d31af33a3c28bb2 Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Thu, 7 Jun 2018 20:05:15 -0700
Subject: [PATCH] i386; Add indirect_return function attribute

On x86, swapcontext may return via indirect branch when shadow stack
is enabled.  To support code instrumentation of control-flow transfers
with -fcf-protection, add indirect_return function attribute to inform
compiler that a function may return via indirect branch.

Note: Unlike setjmp, swapcontext only returns once.  Mark it return
twice will unnecessarily disable compiler optimization as shown in
the testcase here.

gcc/

	PR target/85620
	* config/i386/i386.c (rest_of_insert_endbranch): Also generate
	ENDBRANCH for non-tail call which may return via indirect branch.
	* doc/extend.texi: Document indirect_return attribute.

gcc/testsuite/

	PR target/85620
	* gcc.target/i386/pr85620-1.c: New test.
	* gcc.target/i386/pr85620-2.c: Likewise.
	* gcc.target/i386/pr85620-3.c: Likewise.
	* gcc.target/i386/pr85620-4.c: Likewise.
---
 gcc/config/i386/i386.c                    | 23 ++++++++++++++++++++++-
 gcc/doc/extend.texi                       |  6 ++++++
 gcc/testsuite/gcc.target/i386/pr85620-1.c | 15 +++++++++++++++
 gcc/testsuite/gcc.target/i386/pr85620-2.c | 13 +++++++++++++
 gcc/testsuite/gcc.target/i386/pr85620-3.c | 18 ++++++++++++++++++
 gcc/testsuite/gcc.target/i386/pr85620-4.c | 18 ++++++++++++++++++
 6 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-1.c
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-2.c
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-3.c
 create mode 100644 gcc/testsuite/gcc.target/i386/pr85620-4.c

diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index e6d17632142..41461d582a4 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -2621,7 +2621,26 @@ rest_of_insert_endbranch (void)
 	{
 	  if (CALL_P (insn))
 	    {
-	      if (find_reg_note (insn, REG_SETJMP, NULL) == NULL)
+	      bool need_endbr;
+	      need_endbr = find_reg_note (insn, REG_SETJMP, NULL) != NULL;
+	      if (!need_endbr && !SIBLING_CALL_P (insn))
+		{
+		  rtx call = get_call_rtx_from (insn);
+		  rtx fnaddr = XEXP (call, 0);
+
+		  /* Also generate ENDBRANCH for non-tail call which
+		     may return via indirect branch.  */
+		  if (MEM_P (fnaddr)
+		      && GET_CODE (XEXP (fnaddr, 0)) == SYMBOL_REF)
+		    {
+		      tree fndecl = SYMBOL_REF_DECL (XEXP (fnaddr, 0));
+		      if (fndecl
+			  && lookup_attribute ("indirect_return",
+					       DECL_ATTRIBUTES (fndecl)))
+			need_endbr = true;
+		    }
+		}
+	      if (!need_endbr)
 		continue;
 	      /* Generate ENDBRANCH after CALL, which can return more than
 		 twice, setjmp-like functions.  */
@@ -45897,6 +45916,8 @@ static const struct attribute_spec ix86_attribute_table[] =
     ix86_handle_fndecl_attribute, NULL },
   { "function_return", 1, 1, true, false, false, false,
     ix86_handle_fndecl_attribute, NULL },
+  { "indirect_return", 0, 0, true, false, false, false,
+    ix86_handle_fndecl_attribute, NULL },
 
   /* End element.  */
   { NULL, 0, 0, false, false, false, false, NULL, NULL }
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 19c2da2e5db..071d0ffc414 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -5886,6 +5886,12 @@ foo (void)
 @}
 @end smallexample
 
+@item indirect_return
+@cindex @code{indirect_return} function attribute, x86
+
+The @code{indirect_return} attribute on a function is used to inform
+the compiler that the function may return via indirect branch.
+
 @end table
 
 On the x86, the inliner does not inline a
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-1.c b/gcc/testsuite/gcc.target/i386/pr85620-1.c
new file mode 100644
index 00000000000..32efb08e59e
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-1.c
@@ -0,0 +1,15 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -fcf-protection" } */
+/* { dg-final { scan-assembler-times {\mendbr} 2 } } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+extern int res;
+
+void
+foo (struct ucontext *oucp)
+{
+  res = bar (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-2.c b/gcc/testsuite/gcc.target/i386/pr85620-2.c
new file mode 100644
index 00000000000..b2e680fa1fe
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-2.c
@@ -0,0 +1,13 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -fcf-protection" } */
+/* { dg-final { scan-assembler-times {\mendbr} 1 } } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+int
+foo (struct ucontext *oucp)
+{
+  return bar (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-3.c b/gcc/testsuite/gcc.target/i386/pr85620-3.c
new file mode 100644
index 00000000000..c70a5caf930
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-3.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wno-attributes" } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+static int __attribute__ ((__always_inline__))
+foo (struct ucontext *oucp)
+{
+  return bar (oucp);
+}
+
+int
+test (struct ucontext *oucp)
+{
+  return foo (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-4.c b/gcc/testsuite/gcc.target/i386/pr85620-4.c
new file mode 100644
index 00000000000..13056c46e49
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-4.c
@@ -0,0 +1,18 @@
+/* { dg-do compile } */
+/* { dg-options "-O2 -Wno-attributes" } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__returns_twice__));
+
+static int __attribute__ ((__always_inline__))
+foo (struct ucontext *oucp) /* { dg-error "setjmp" } */
+{
+  return bar (oucp);
+}
+
+int
+test (struct ucontext *oucp)
+{
+  return foo (oucp);
+}
Jeff Law July 4, 2018, 2:36 a.m. | #4
On 07/03/2018 10:53 AM, H.J. Lu wrote:
> On Tue, Jul 3, 2018 at 9:12 AM, Uros Bizjak <ubizjak@gmail.com> wrote:

>> On Tue, Jul 3, 2018 at 5:32 PM, H.J. Lu <hjl.tools@gmail.com> wrote:

>>> On Fri, Jun 8, 2018 at 3:27 AM, H.J. Lu <hongjiu.lu@intel.com> wrote:

>>>> On x86, swapcontext may return via indirect branch when shadow stack

>>>> is enabled.  To support code instrumentation of control-flow transfers

>>>> with -fcf-protection, add indirect_return function attribute to inform

>>>> compiler that a function may return via indirect branch.

>>>>

>>>> Note: Unlike setjmp, swapcontext only returns once.  Mark it return

>>>> twice will unnecessarily disable compiler optimization.

>>>>

>>>> OK for trunk?

>>>>

>>>> H.J.

>>>> ----

>>>> gcc/

>>>>

>>>>         PR target/85620

>>>>         * config/i386/i386.c (rest_of_insert_endbranch): Also generate

>>>>         ENDBRANCH for non-tail call which may return via indirect branch.

>>>>         * doc/extend.texi: Document indirect_return attribute.

>>>>

>>>> gcc/testsuite/

>>>>

>>>>         PR target/85620

>>>>         * gcc.target/i386/pr85620-1.c: New test.

>>>>         * gcc.target/i386/pr85620-2.c: Likewise.

>>>>

>>> Here is the updated patch with a testcase to show the impact of

>>> returns_twice attribute.

>>>

>>> Jan, Uros, can you take a look?

>> LGTM for the implementation, can't say if attribute is really needed or not.

> This gives programmers more flexibly.

> 

>> +@item indirect_return

>> +@cindex @code{indirect_return} function attribute, x86

>> +

>> +The @code{indirect_return} attribute on a function is used to inform

>> +the compiler that the function may return via indiret branch.

>>

>> s/indiret/indirect/

> Fixed.  Here is the updated patch.

> 

> Thanks.

> 

> -- H.J.

> 

> 

> 0001-i386-Add-indirect_return-function-attribute.patch

> 

> 

> From bb98f6a31801659ae3c6689d6d31af33a3c28bb2 Mon Sep 17 00:00:00 2001

> From: "H.J. Lu" <hjl.tools@gmail.com>

> Date: Thu, 7 Jun 2018 20:05:15 -0700

> Subject: [PATCH] i386; Add indirect_return function attribute

> 

> On x86, swapcontext may return via indirect branch when shadow stack

> is enabled.  To support code instrumentation of control-flow transfers

> with -fcf-protection, add indirect_return function attribute to inform

> compiler that a function may return via indirect branch.

> 

> Note: Unlike setjmp, swapcontext only returns once.  Mark it return

> twice will unnecessarily disable compiler optimization as shown in

> the testcase here.

> 

> gcc/

> 

> 	PR target/85620

> 	* config/i386/i386.c (rest_of_insert_endbranch): Also generate

> 	ENDBRANCH for non-tail call which may return via indirect branch.

> 	* doc/extend.texi: Document indirect_return attribute.

OK
jeff

Patch

diff --git a/gcc/config/i386/i386.c b/gcc/config/i386/i386.c
index b95f0612562..3fb79178138 100644
--- a/gcc/config/i386/i386.c
+++ b/gcc/config/i386/i386.c
@@ -2625,7 +2625,26 @@  rest_of_insert_endbranch (void)
 	{
 	  if (CALL_P (insn))
 	    {
-	      if (find_reg_note (insn, REG_SETJMP, NULL) == NULL)
+	      bool need_endbr;
+	      need_endbr = find_reg_note (insn, REG_SETJMP, NULL) != NULL;
+	      if (!need_endbr && !SIBLING_CALL_P (insn))
+		{
+		  rtx call = get_call_rtx_from (insn);
+		  rtx fnaddr = XEXP (call, 0);
+
+		  /* Also generate ENDBRANCH for non-tail call which
+		     may return via indirect branch.  */
+		  if (MEM_P (fnaddr)
+		      && GET_CODE (XEXP (fnaddr, 0)) == SYMBOL_REF)
+		    {
+		      tree fndecl = SYMBOL_REF_DECL (XEXP (fnaddr, 0));
+		      if (fndecl
+			  && lookup_attribute ("indirect_return",
+					       DECL_ATTRIBUTES (fndecl)))
+			need_endbr = true;
+		    }
+		}
+	      if (!need_endbr)
 		continue;
 	      /* Generate ENDBRANCH after CALL, which can return more than
 		 twice, setjmp-like functions.  */
@@ -46769,6 +46788,8 @@  static const struct attribute_spec ix86_attribute_table[] =
     ix86_handle_fndecl_attribute, NULL },
   { "function_return", 1, 1, true, false, false, false,
     ix86_handle_fndecl_attribute, NULL },
+  { "indirect_return", 0, 0, true, false, false, false,
+    ix86_handle_fndecl_attribute, NULL },
 
   /* End element.  */
   { NULL, 0, 0, false, false, false, false, NULL, NULL }
diff --git a/gcc/doc/extend.texi b/gcc/doc/extend.texi
index 3e6c98a554a..ddd50b0da3e 100644
--- a/gcc/doc/extend.texi
+++ b/gcc/doc/extend.texi
@@ -5878,6 +5878,12 @@  foo (void)
 @}
 @end smallexample
 
+@item indirect_return
+@cindex @code{indirect_return} function attribute, x86
+
+The @code{indirect_return} attribute on a function is used to inform
+the compiler that the function may return via indiret branch.
+
 @end table
 
 On the x86, the inliner does not inline a
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-1.c b/gcc/testsuite/gcc.target/i386/pr85620-1.c
new file mode 100644
index 00000000000..32efb08e59e
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-1.c
@@ -0,0 +1,15 @@ 
+/* { dg-do compile } */
+/* { dg-options "-O2 -fcf-protection" } */
+/* { dg-final { scan-assembler-times {\mendbr} 2 } } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+extern int res;
+
+void
+foo (struct ucontext *oucp)
+{
+  res = bar (oucp);
+}
diff --git a/gcc/testsuite/gcc.target/i386/pr85620-2.c b/gcc/testsuite/gcc.target/i386/pr85620-2.c
new file mode 100644
index 00000000000..b2e680fa1fe
--- /dev/null
+++ b/gcc/testsuite/gcc.target/i386/pr85620-2.c
@@ -0,0 +1,13 @@ 
+/* { dg-do compile } */
+/* { dg-options "-O2 -fcf-protection" } */
+/* { dg-final { scan-assembler-times {\mendbr} 1 } } */
+
+struct ucontext;
+
+extern int bar (struct ucontext *) __attribute__((__indirect_return__));
+
+int
+foo (struct ucontext *oucp)
+{
+  return bar (oucp);
+}