Index: ELF/Arch/X86.cpp
===================================================================
--- ELF/Arch/X86.cpp
+++ ELF/Arch/X86.cpp
@@ -181,6 +181,7 @@
       0xff, 0xa3, 0x08, 0x00, 0x00, 0x00, // jmp *GOTPLT+8(%ebx)
       0x90, 0x90, 0x90, 0x90 // nop
   };
+  assert(sizeof(V) == PltHeaderSize);
   memcpy(Buf, V, sizeof(V));
 
   uint32_t Ebx = InX::Got->getVA() + InX::Got->getSize();
@@ -195,6 +196,7 @@
       0xff, 0x25, 0, 0, 0, 0, // jmp *(GOTPLT+8)
       0x90, 0x90, 0x90, 0x90, // nop
   };
+  assert(sizeof(PltData) == PltHeaderSize);
   memcpy(Buf, PltData, sizeof(PltData));
   uint32_t GotPlt = InX::GotPlt->getVA();
   write32le(Buf + 2, GotPlt + 4);
@@ -209,6 +211,7 @@
       0x68, 0, 0, 0, 0, // pushl $reloc_offset
       0xe9, 0, 0, 0, 0, // jmp .PLT0@PC
   };
+  assert(sizeof(Inst) == PltEntrySize);
   memcpy(Buf, Inst, sizeof(Inst));
 
   if (Config->Pic) {
@@ -443,7 +446,9 @@
       0x89, 0xc8, // 2b: mov %ecx, %eax
       0x59, // 2d: pop %ecx
       0xc3, // 2e: ret
+      0xcc, // 2f: int3; padding
   };
+  assert(sizeof(Insn) == PltHeaderSize);
   memcpy(Buf, Insn, sizeof(Insn));
 
   uint32_t Ebx = InX::Got->getVA() + InX::Got->getSize();
@@ -462,7 +467,10 @@
       0xe9, 0, 0, 0, 0, // jmp plt+0x12
       0x68, 0, 0, 0, 0, // pushl $reloc_offset
       0xe9, 0, 0, 0, 0, // jmp plt+0
+      0xcc, 0xcc, 0xcc, 0xcc, // int3; padding
+      0xcc, // int3; padding
   };
+  assert(sizeof(Insn) == PltEntrySize);
   memcpy(Buf, Insn, sizeof(Insn));
 
   uint32_t Ebx = InX::Got->getVA() + InX::Got->getSize();
@@ -484,7 +492,7 @@
 }
 
 void RetpolineNoPic::writePltHeader(uint8_t *Buf) const {
-  const uint8_t PltData[] = {
+  const uint8_t Insn[] = {
       0xff, 0x35, 0, 0, 0, 0, // 0: pushl GOTPLT+4
       0x50, // 6: pushl %eax
       0xa1, 0, 0, 0, 0, // 7: mov GOTPLT+8, %eax
@@ -500,8 +508,10 @@
       0x89, 0xc8, // 2b: mov %ecx, %eax
       0x59, // 2d: pop %ecx
       0xc3, // 2e: ret
+      0xcc, // 2f: int3; padding
   };
-  memcpy(Buf, PltData, sizeof(PltData));
+  assert(sizeof(Insn) == PltHeaderSize);
+  memcpy(Buf, Insn, sizeof(Insn));
 
   uint32_t GotPlt = InX::GotPlt->getVA();
   write32le(Buf + 2, GotPlt + 4);
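Review bot: `assert(sizeof(V) == PltHeaderSize);` only protects asserts-enabled builds; in an NDEBUG build a stub array shorter than the slot would still be copied by the `memcpy` on the next line and leave the tail of the PLT header holding whatever the output buffer already contains, while a longer one would write past the slot. PltHeaderSize appears to be a runtime-initialised TargetInfo member rather than a constant, so a `static_assert` is presumably not available and the runtime assert is the right tool, but its intent deserves a line next to it, e.g. `// The stub must fill its PltHeaderSize slot exactly: an unwritten tail would be executed as whatever bytes the output buffer holds.` The same comment applies to the asserts added in the -195, -209, -443, -462, -500 and -518 hunks of this file and to every hunk in ELF/Arch/X86_64.cpp. The enclosing function starts before this hunk.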
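Review bot: The new `0xcc, // 2f: int3; padding` line says what the byte is but not why int3 was chosen over nop or zero fill, and the reason is the security-relevant part of this change: the byte sits right after the retpoline's `ret`, and filling the unused tail of the slot with int3 means any stray jump into that region traps instead of decoding whatever bytes happened to follow. I would extend the comment to `// 2f: int3; pad to PltHeaderSize, traps if ever executed`. The same wording fits the padding added in the -462, -500 and -518 hunks here and in the -500, -519, -546 and -557 hunks of ELF/Arch/X86_64.cpp, where it would also match the existing `int3; .align 16` fill inside the sequence. The enclosing function starts before this hunk.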
@@ -518,7 +528,10 @@
       0xe9, 0, 0, 0, 0, // b: jmp plt+0x11
       0x68, 0, 0, 0, 0, // 10: pushl $reloc_offset
       0xe9, 0, 0, 0, 0, // 15: jmp plt+0
+      0xcc, 0xcc, 0xcc, // 1a: int3; padding
+      0xcc, 0xcc, 0xcc, // 1d: int3; padding
   };
+  assert(sizeof(Insn) == PltEntrySize);
   memcpy(Buf, Insn, sizeof(Insn));
 
   unsigned Off = getPltEntryOffset(Index);
Index: ELF/Arch/X86_64.cpp
===================================================================
--- ELF/Arch/X86_64.cpp
+++ ELF/Arch/X86_64.cpp
@@ -132,6 +132,7 @@
       0xff, 0x25, 0, 0, 0, 0, // jmp *GOTPLT+16(%rip)
       0x0f, 0x1f, 0x40, 0x00, // nop
   };
+  assert(sizeof(PltData) == PltHeaderSize);
   memcpy(Buf, PltData, sizeof(PltData));
   uint64_t GotPlt = InX::GotPlt->getVA();
   uint64_t Plt = InX::Plt->getVA();
@@ -148,6 +149,7 @@
       0x68, 0, 0, 0, 0, // pushq
       0xe9, 0, 0, 0, 0, // jmpq plt[0]
   };
+  assert(sizeof(Inst) == PltEntrySize);
   memcpy(Buf, Inst, sizeof(Inst));
 
   write32le(Buf + 2, GotPltEntryAddr - PltEntryAddr - 6);
@@ -500,7 +502,10 @@
       0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, // 19: int3; .align 16
       0x4c, 0x89, 0x1c, 0x24, // 20: next: mov %r11, (%rsp)
       0xc3, // 24: ret
+      0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, // 25: int3; padding
+      0xcc, 0xcc, 0xcc, 0xcc, // 2c: int3; padding
   };
+  assert(sizeof(Insn) == TargetInfo::PltHeaderSize);
   memcpy(Buf, Insn, sizeof(Insn));
 
   uint64_t GotPlt = InX::GotPlt->getVA();
@@ -519,7 +524,9 @@
       0xe9, 0, 0, 0, 0, // c: jmp plt+0x12
       0x68, 0, 0, 0, 0, // 11: pushq
       0xe9, 0, 0, 0, 0, // 16: jmp plt+0
+      0xcc, 0xcc, 0xcc, 0xcc, 0xcc, // 1b: int3; padding
   };
+  assert(sizeof(Insn) == TargetInfo::PltEntrySize);
   memcpy(Buf, Insn, sizeof(Insn));
 
   uint64_t Off = TargetInfo::getPltEntryOffset(Index);
@@ -546,7 +553,11 @@
       0xcc, 0xcc, 0xcc, 0xcc, // c: int3; .align 16
       0x4c, 0x89, 0x1c, 0x24, // 10: next: mov %r11, (%rsp)
       0xc3, // 14: ret
+      0xcc, 0xcc, 0xcc, 0xcc, 0xcc, // 15: int3; padding
+      0xcc, 0xcc, 0xcc, 0xcc, 0xcc, // 1a: int3; padding
+      0xcc, // 1f: int3; padding
   };
+  assert(sizeof(Insn) == TargetInfo::PltHeaderSize);
   memcpy(Buf, Insn, sizeof(Insn));
 }
 
@@ -557,7 +568,9 @@
   const uint8_t Insn[] = {
       0x4c, 0x8b, 0x1d, 0, 0, 0, 0, // mov foo@GOTPLT(%rip), %r11
       0xe9, 0, 0, 0, 0, // jmp plt+0
+      0xcc, 0xcc, 0xcc, 0xcc, // int3; padding
   };
+  assert(sizeof(Insn) == TargetInfo::PltEntrySize);
   memcpy(Buf, Insn, sizeof(Insn));
 
   write32le(Buf + 3, GotPltEntryAddr - PltEntryAddr - 7);
Index: test/ELF/i386-retpoline-nopic-linkerscript.s
===================================================================
--- /dev/null
+++ test/ELF/i386-retpoline-nopic-linkerscript.s
@@ -0,0 +1,67 @@
+// REQUIRES: x86
+// RUN: llvm-mc -filetype=obj -triple=i386-unknown-linux %s -o %t1.o
+// RUN: llvm-mc -filetype=obj -triple=i386-unknown-linux %p/Inputs/shared.s -o %t2.o
+// RUN: ld.lld -shared %t2.o -o %t2.so
+
+// RUN: echo "SECTIONS { \
+// RUN: .text : { *(.text) } \
+// RUN: .plt : { *(.plt) } \
+// RUN: .got.plt : { *(.got.plt) } \
+// RUN: .dynstr : { *(.dynstr) } \
+// RUN: }" > %t.script
+// RUN: ld.lld %t1.o %t2.so -o %t.exe -z retpolineplt --script %t.script
+// RUN: llvm-objdump -d -s %t.exe | FileCheck %s
+
+// CHECK: Disassembly of section .plt:
+// CHECK-NEXT: .plt:
+// CHECK-NEXT: 10: ff 35 fc 00 00 00 pushl 252
+// CHECK-NEXT: 16: 50 pushl %eax
+// CHECK-NEXT: 17: a1 00 01 00 00 movl 256, %eax
+// CHECK-NEXT: 1c: e8 0f 00 00 00 calll 15 <.plt+0x20>
+// CHECK-NEXT: 21: f3 90 pause
+// CHECK-NEXT: 23: 0f ae e8 lfence
+// CHECK-NEXT: 26: eb f9 jmp -7 <.plt+0x11>
+// CHECK-NEXT: 28: cc int3
+// CHECK-NEXT: 29: cc int3
+// CHECK-NEXT: 2a: cc int3
+// CHECK-NEXT: 2b: cc int3
+// CHECK-NEXT: 2c: cc int3
+// CHECK-NEXT: 2d: cc int3
+// CHECK-NEXT: 2e: cc int3
+// CHECK-NEXT: 2f: cc int3
+// CHECK-NEXT: 30: 89 0c 24 movl %ecx, (%esp)
+// CHECK-NEXT: 33: 8b 4c 24 04 movl 4(%esp), %ecx
+// CHECK-NEXT: 37: 89 44 24 04 movl %eax, 4(%esp)
+// CHECK-NEXT: 3b: 89 c8 movl %ecx, %eax
+// CHECK-NEXT: 3d: 59 popl %ecx
+// CHECK-NEXT: 3e: c3 retl
+// CHECK-NEXT: 3f: cc int3
+// CHECK-NEXT: 40: 50 pushl %eax
+// CHECK-NEXT: 41: a1 04 01 00 00 movl 260, %eax
+// CHECK-NEXT: 46: e8 e5 ff ff ff calll -27 <.plt+0x20>
+// CHECK-NEXT: 4b: e9 d1 ff ff ff jmp -47 <.plt+0x11>
+// CHECK-NEXT: 50: 68 00 00 00 00 pushl $0
+// CHECK-NEXT: 55: e9 b6 ff ff ff jmp -74 <.plt>
+// CHECK-NEXT: 5a: cc int3
+// CHECK-NEXT: 5b: cc int3
+// CHECK-NEXT: 5c: cc int3
+// CHECK-NEXT: 5d: cc int3
+// CHECK-NEXT: 5e: cc int3
+// CHECK-NEXT: 5f: cc int3
+// CHECK-NEXT: 60: 50 pushl %eax
+// CHECK-NEXT: 61: a1 08 01 00 00 movl 264, %eax
+// CHECK-NEXT: 66: e8 c5 ff ff ff calll -59 <.plt+0x20>
+// CHECK-NEXT: 6b: e9 b1 ff ff ff jmp -79 <.plt+0x11>
+// CHECK-NEXT: 70: 68 08 00 00 00 pushl $8
+// CHECK-NEXT: 75: e9 96 ff ff ff jmp -106 <.plt>
+// CHECK-NEXT: 7a: cc int3
+// CHECK-NEXT: 7b: cc int3
+// CHECK-NEXT: 7c: cc int3
+// CHECK-NEXT: 7d: cc int3
+// CHECK-NEXT: 7e: cc int3
+// CHECK-NEXT: 7f: cc int3
+
+.global _start
+_start:
+  jmp bar@PLT
+  jmp zed@PLT
Index: test/ELF/i386-retpoline-pic-linkerscript.s
===================================================================
--- /dev/null
+++ test/ELF/i386-retpoline-pic-linkerscript.s
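Review bot: `// RUN: llvm-objdump -d -s %t.exe | FileCheck %s` passes `-s`, which dumps the raw contents of every section, yet every CHECK line in this file matches disassembly only, so that output is just text FileCheck has to scan past; `// RUN: llvm-objdump -d %t.exe | FileCheck %s` is sufficient. The same applies to the pic, x86-64 and x86-64-znow tests added in this commit. In the two x86-64 tests the output is linked with `-shared` but written to `%t.exe`; naming it `%t.so` would say what is actually produced. Since the CHECK-NEXT chain pins every byte of `.plt` including the `cc` fill, a one-line comment above the CHECKs stating that the int3 padding after each stub is deliberate and part of what is being verified would help the next person who edits the expected bytes.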
@@ -0,0 +1,64 @@
+// REQUIRES: x86
+// RUN: llvm-mc -filetype=obj -triple=i386-unknown-linux -position-independent %s -o %t1.o
+// RUN: llvm-mc -filetype=obj -triple=i386-unknown-linux -position-independent %p/Inputs/shared.s -o %t2.o
+// RUN: ld.lld -shared %t2.o -o %t2.so
+
+// RUN: echo "SECTIONS { \
+// RUN: .text : { *(.text) } \
+// RUN: .plt : { *(.plt) } \
+// RUN: .got.plt : { *(.got.plt) } \
+// RUN: .dynstr : { *(.dynstr) } \
+// RUN: }" > %t.script
+// RUN: ld.lld %t1.o %t2.so -o %t.exe -z retpolineplt -pie --script %t.script
+// RUN: llvm-objdump -d -s %t.exe | FileCheck %s
+
+// CHECK: Disassembly of section .plt:
+// CHECK-NEXT: .plt:
+// CHECK-NEXT: 10: ff b3 fc 00 00 00 pushl 252(%ebx)
+// CHECK-NEXT: 16: 50 pushl %eax
+// CHECK-NEXT: 17: 8b 83 00 01 00 00 movl 256(%ebx), %eax
+// CHECK-NEXT: 1d: e8 0e 00 00 00 calll 14 <.plt+0x20>
+// CHECK-NEXT: 22: f3 90 pause
+// CHECK-NEXT: 24: 0f ae e8 lfence
+// CHECK-NEXT: 27: eb f9 jmp -7 <.plt+0x12>
+// CHECK-NEXT: 29: cc int3
+// CHECK-NEXT: 2a: cc int3
+// CHECK-NEXT: 2b: cc int3
+// CHECK-NEXT: 2c: cc int3
+// CHECK-NEXT: 2d: cc int3
+// CHECK-NEXT: 2e: cc int3
+// CHECK-NEXT: 2f: cc int3
+// CHECK-NEXT: 30: 89 0c 24 movl %ecx, (%esp)
+// CHECK-NEXT: 33: 8b 4c 24 04 movl 4(%esp), %ecx
+// CHECK-NEXT: 37: 89 44 24 04 movl %eax, 4(%esp)
+// CHECK-NEXT: 3b: 89 c8 movl %ecx, %eax
+// CHECK-NEXT: 3d: 59 popl %ecx
+// CHECK-NEXT: 3e: c3 retl
+// CHECK-NEXT: 3f: cc int3
+// CHECK-NEXT: 40: 50 pushl %eax
+// CHECK-NEXT: 41: 8b 83 04 01 00 00 movl 260(%ebx), %eax
+// CHECK-NEXT: 47: e8 e4 ff ff ff calll -28 <.plt+0x20>
+// CHECK-NEXT: 4c: e9 d1 ff ff ff jmp -47 <.plt+0x12>
+// CHECK-NEXT: 51: 68 00 00 00 00 pushl $0
+// CHECK-NEXT: 56: e9 b5 ff ff ff jmp -75 <.plt>
+// CHECK-NEXT: 5b: cc int3
+// CHECK-NEXT: 5c: cc int3
+// CHECK-NEXT: 5d: cc int3
+// CHECK-NEXT: 5e: cc int3
+// CHECK-NEXT: 5f: cc int3
+// CHECK-NEXT: 60: 50 pushl %eax
+// CHECK-NEXT: 61: 8b 83 08 01 00 00 movl 264(%ebx), %eax
+// CHECK-NEXT: 67: e8 c4 ff ff ff calll -60 <.plt+0x20>
+// CHECK-NEXT: 6c: e9 b1 ff ff ff jmp -79 <.plt+0x12>
+// CHECK-NEXT: 71: 68 08 00 00 00 pushl $8
+// CHECK-NEXT: 76: e9 95 ff ff ff jmp -107 <.plt>
+// CHECK-NEXT: 7b: cc int3
+// CHECK-NEXT: 7c: cc int3
+// CHECK-NEXT: 7d: cc int3
+// CHECK-NEXT: 7e: cc int3
+// CHECK-NEXT: 7f: cc int3
+
+.global _start
+_start:
+  jmp bar@PLT
+  jmp zed@PLT
Index: test/ELF/x86-64-retpoline-linkerscript.s
===================================================================
--- /dev/null
+++ test/ELF/x86-64-retpoline-linkerscript.s
@@ -0,0 +1,67 @@
+// REQUIRES: x86
+// RUN: llvm-mc -filetype=obj -triple=x86_64-unknown-linux %s -o %t1.o
+// RUN: llvm-mc -filetype=obj -triple=x86_64-unknown-linux %p/Inputs/shared.s -o %t2.o
+// RUN: ld.lld -shared %t2.o -o %t2.so
+
+// RUN: echo "SECTIONS { \
+// RUN: .text : { *(.text) } \
+// RUN: .plt : { *(.plt) } \
+// RUN: .got.plt : { *(.got.plt) } \
+// RUN: .dynstr : { *(.dynstr) } \
+// RUN: }" > %t.script
+// RUN: ld.lld -shared %t1.o %t2.so -o %t.exe -z retpolineplt --script %t.script
+// RUN: llvm-objdump -d -s %t.exe | FileCheck %s
+
+// CHECK: Disassembly of section .plt:
+// CHECK-NEXT: .plt:
+// CHECK-NEXT: 10: ff 35 4a 01 00 00 pushq 330(%rip)
+// CHECK-NEXT: 16: 4c 8b 1d 4b 01 00 00 movq 331(%rip), %r11
+// CHECK-NEXT: 1d: e8 0e 00 00 00 callq 14 <.plt+0x20>
+// CHECK-NEXT: 22: f3 90 pause
+// CHECK-NEXT: 24: 0f ae e8 lfence
+// CHECK-NEXT: 27: eb f9 jmp -7 <.plt+0x12>
+// CHECK-NEXT: 29: cc int3
+// CHECK-NEXT: 2a: cc int3
+// CHECK-NEXT: 2b: cc int3
+// CHECK-NEXT: 2c: cc int3
+// CHECK-NEXT: 2d: cc int3
+// CHECK-NEXT: 2e: cc int3
+// CHECK-NEXT: 2f: cc int3
+// CHECK-NEXT: 30: 4c 89 1c 24 movq %r11, (%rsp)
+// CHECK-NEXT: 34: c3 retq
+// CHECK-NEXT: 35: cc int3
+// CHECK-NEXT: 36: cc int3
+// CHECK-NEXT: 37: cc int3
+// CHECK-NEXT: 38: cc int3
+// CHECK-NEXT: 39: cc int3
+// CHECK-NEXT: 3a: cc int3
+// CHECK-NEXT: 3b: cc int3
+// CHECK-NEXT: 3c: cc int3
+// CHECK-NEXT: 3d: cc int3
+// CHECK-NEXT: 3e: cc int3
+// CHECK-NEXT: 3f: cc int3
+// CHECK-NEXT: 40: 4c 8b 1d 29 01 00 00 movq 297(%rip), %r11
+// CHECK-NEXT: 47: e8 e4 ff ff ff callq -28 <.plt+0x20>
+// CHECK-NEXT: 4c: e9 d1 ff ff ff jmp -47 <.plt+0x12>
+// CHECK-NEXT: 51: 68 00 00 00 00 pushq $0
+// CHECK-NEXT: 56: e9 b5 ff ff ff jmp -75 <.plt>
+// CHECK-NEXT: 5b: cc int3
+// CHECK-NEXT: 5c: cc int3
+// CHECK-NEXT: 5d: cc int3
+// CHECK-NEXT: 5e: cc int3
+// CHECK-NEXT: 5f: cc int3
+// CHECK-NEXT: 60: 4c 8b 1d 11 01 00 00 movq 273(%rip), %r11
+// CHECK-NEXT: 67: e8 c4 ff ff ff callq -60 <.plt+0x20>
+// CHECK-NEXT: 6c: e9 b1 ff ff ff jmp -79 <.plt+0x12>
+// CHECK-NEXT: 71: 68 01 00 00 00 pushq $1
+// CHECK-NEXT: 76: e9 95 ff ff ff jmp -107 <.plt>
+// CHECK-NEXT: 7b: cc int3
+// CHECK-NEXT: 7c: cc int3
+// CHECK-NEXT: 7d: cc int3
+// CHECK-NEXT: 7e: cc int3
+// CHECK-NEXT: 7f: cc int3
+
+.global _start
+_start:
+  jmp bar@PLT
+  jmp zed@PLT
Index: test/ELF/x86-64-retpoline-znow-linkerscript.s
===================================================================
--- /dev/null
+++ test/ELF/x86-64-retpoline-znow-linkerscript.s
@@ -0,0 +1,54 @@
+// REQUIRES: x86
+// RUN: llvm-mc -filetype=obj -triple=x86_64-unknown-linux %s -o %t1.o
+// RUN: llvm-mc -filetype=obj -triple=x86_64-unknown-linux %p/Inputs/shared.s -o %t2.o
+// RUN: ld.lld -shared %t2.o -o %t2.so
+
+// RUN: echo "SECTIONS { \
+// RUN: .text : { *(.text) } \
+// RUN: .plt : { *(.plt) } \
+// RUN: .got.plt : { *(.got.plt) } \
+// RUN: .dynstr : { *(.dynstr) } \
+// RUN: }" > %t.script
+// RUN: ld.lld -shared %t1.o %t2.so -o %t.exe -z retpolineplt -z now --script %t.script
+// RUN: llvm-objdump -d -s %t.exe | FileCheck %s
+
+// CHECK: Disassembly of section .plt:
+// CHECK-NEXT: .plt:
+// CHECK-NEXT: 10: e8 0b 00 00 00 callq 11 <.plt+0x10>
+// CHECK-NEXT: 15: f3 90 pause
+// CHECK-NEXT: 17: 0f ae e8 lfence
+// CHECK-NEXT: 1a: eb f9 jmp -7 <.plt+0x5>
+// CHECK-NEXT: 1c: cc int3
+// CHECK-NEXT: 1d: cc int3
+// CHECK-NEXT: 1e: cc int3
+// CHECK-NEXT: 1f: cc int3
+// CHECK-NEXT: 20: 4c 89 1c 24 movq %r11, (%rsp)
+// CHECK-NEXT: 24: c3 retq
+// CHECK-NEXT: 25: cc int3
+// CHECK-NEXT: 26: cc int3
+// CHECK-NEXT: 27: cc int3
+// CHECK-NEXT: 28: cc int3
+// CHECK-NEXT: 29: cc int3
+// CHECK-NEXT: 2a: cc int3
+// CHECK-NEXT: 2b: cc int3
+// CHECK-NEXT: 2c: cc int3
+// CHECK-NEXT: 2d: cc int3
+// CHECK-NEXT: 2e: cc int3
+// CHECK-NEXT: 2f: cc int3
+// CHECK-NEXT: 30: 4c 8b 1d 09 01 00 00 movq 265(%rip), %r11
+// CHECK-NEXT: 37: e9 d4 ff ff ff jmp -44 <.plt>
+// CHECK-NEXT: 3c: cc int3
+// CHECK-NEXT: 3d: cc int3
+// CHECK-NEXT: 3e: cc int3
+// CHECK-NEXT: 3f: cc int3
+// CHECK-NEXT: 40: 4c 8b 1d 01 01 00 00 movq 257(%rip), %r11
+// CHECK-NEXT: 47: e9 c4 ff ff ff jmp -60 <.plt>
+// CHECK-NEXT: 4c: cc int3
+// CHECK-NEXT: 4d: cc int3
+// CHECK-NEXT: 4e: cc int3
+// CHECK-NEXT: 4f: cc int3
+
+.global _start
+_start:
+  jmp bar@PLT
+  jmp zed@PLT