https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100665
--- Comment #1 from Matthew Malcomson <matmal01 at gcc dot gnu.org> --- Hi there. I believe this is how it should work (if I'm understanding & remembering correctly). When creating a nested function, we make a single object on the stack that includes all variables used in the nested function plus a trampoline. This is called the "nonlocal frame struct" as described in gcc/tree-nested.c. That single object gets a single tag like all other objects in tagged memory (trying to separate the closed-over objects from the trampoline and argument pointers would be pretty awkward when the object is just one struct as far as the expand code is concerned). That tag is checked when accessing the closed over variables (i.e. big_array in the example), so we definitely want to tag the object. Given that, the question of whether the function pointer (i.e. the pointer to the trampoline inside that object) should be tagged when passed elsewhere then has a few benefits: 1) In this case there is no check performed, but there may be checks performed if e.g. this function pointer gets cast to an integer pointer and some code elsewhere attempts to read that integer. 2) This is just more self-consistent. Every pointer to a tagged object is tagged with the same value. 3) There are hardware extensions to automatically check memory accesses. If the function pointer is not tagged in this case then (at least for AArch64) the PC-relative ldr's in the trampoline stored in that structure will end up without a tag and I believe that would trigger a fault. Point (1) is the main one. In general when passing a pointer into another function we don't know if it's going to be accessed or not, so we always need to pass tagged pointers.
