Mislink with ICF and multi-instruction GOT entry references

[pcc]

With the attached reproducer, the f2_* functions containing the second half of a two-instruction GOT entry reference are ICF'd, but the f1_* functions containing the first half of the reference are not. Because the two functions refer to different GOT entries, about half of the f1_* functions end up loading from the wrong GOT entry (or potentially from an address outside the GOT entirely).

clang --target=aarch64-linux  -c icf-bug.s
ld.lld icf-bug.o --icf=all
objdump -d

[...]

00000000002128e4 <f1_504>:
  2128e4:       d0000080        adrp    x0, 224000 <f1_1000+0xffdc>
  2128e8:       d2803f01        mov     x1, #0x1f8                      // #504
  2128ec:       17fffa17        b       211148 <f2_0>

00000000002128f0 <f1_505>:
  2128f0:       d0000080        adrp    x0, 224000 <f1_1000+0xffdc>
  2128f4:       d2803f21        mov     x1, #0x1f9                      // #505
  2128f8:       17fffa14        b       211148 <f2_0>

00000000002128fc <f1_506>:
  2128fc:       f0000080        adrp    x0, 225000 <f1_1000+0x10fdc>
  212900:       d2803f41        mov     x1, #0x1fa                      // #506
  212904:       17fffa11        b       211148 <f2_0>

0000000000212908 <f1_507>:
  212908:       f0000080        adrp    x0, 225000 <f1_1000+0x10fdc>
  21290c:       d2803f61        mov     x1, #0x1fb                      // #507
  212910:       17fffa0e        b       211148 <f2_0>

icf-bug.s.txt

[MaskRay]

Simplify the example for clarity

callee:
ret

.macro f, index

# (Kept unique) first instruction of the GOT code sequence
.section .text.f1_\index,"ax",@progbits
f1_\index:
adrp x0, :got:g\index
mov x1, #\index
b f2_\index

# Folded, second instruction of the GOT code sequence
.section .text.f2_\index,"ax",@progbits
f2_\index:
ldr x0, [x0, :got_lo12:g\index]
b callee

# Folded
.section .rodata.g\index,"a",@progbits
g\index:
.byte 123

.section .text._start,"ax",@progbits
bl f1_\index

.endm

.section .text._start,"ax",@progbits
.globl _start
_start:

.rept 1001
f \+
.endr

In the output,

• .rodata.g* sections are folded into .rodata.g0. They are identical and have no relocations.
• .text.f2_* sections are folded into .text.f2_0. They are identical after g* are folded.
• g* have different GOT entries.

The code sequence is good for the first half f1 functions, whose g\index GOT entries reside in the same page of g0.
However, for the second half, whose g\index GOT entries reside in the next page, the code sequence is incorrect.

[llvmbot]

@llvm/issue-subscribers-lld-elf

Author: Peter Collingbourne (pcc)

With the attached reproducer, the `f2_*` functions containing the second half of a two-instruction GOT entry reference are ICF'd, but the `f1_*` functions containing the first half of the reference are not. Because the two functions refer to different GOT entries, about half of the `f1_*` functions end up loading from the wrong GOT entry (or potentially from an address outside the GOT entirely). ``` clang --target=aarch64-linux -c icf-bug.s ld.lld icf-bug.o --icf=all objdump -d ``` [...] ``` 00000000002128e4 <f1_504>: 2128e4: d0000080 adrp x0, 224000 <f1_1000+0xffdc> 2128e8: d2803f01 mov x1, #0x1f8 // #504 2128ec: 17fffa17 b 211148 <f2_0>

00000000002128f0 <f1_505>:
2128f0: d0000080 adrp x0, 224000 <f1_1000+0xffdc>
2128f4: d2803f21 mov x1, #0x1f9 // #505
2128f8: 17fffa14 b 211148 <f2_0>

00000000002128fc <f1_506>:
2128fc: f0000080 adrp x0, 225000 <f1_1000+0x10fdc>
212900: d2803f41 mov x1, #0x1fa // #506
212904: 17fffa11 b 211148 <f2_0>

0000000000212908 <f1_507>:
212908: f0000080 adrp x0, 225000 <f1_1000+0x10fdc>
21290c: d2803f61 mov x1, #0x1fb // #507
212910: 17fffa0e b 211148 <f2_0>

[icf-bug.s.txt](https://github.com/user-attachments/files/19016403/icf-bug.s.txt)
</details>