<html>
    <head>
      <base href="http://llvm.org/bugs/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - shadow stack not reserved for 64-bit ms_abi function pointer with optimization on"
   href="http://llvm.org/bugs/show_bug.cgi?id=22709">22709</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>shadow stack not reserved for 64-bit ms_abi function pointer with optimization on
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>clang
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>3.4
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>-New Bugs
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedclangbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>dlehman@esri.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvmbugs@cs.uiuc.edu
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=13948" name="attach_13948" title="test case with instructions">attachment 13948</a> <a href="attachment.cgi?id=13948&action=edit" title="test case with instructions">[details]</a></span>
test case with instructions

A shadow stack is not reserved for a function pointer with the ms_abi attribute
on 64-bit when optimization is turned on.  The called function can then
overwrite the caller's stack, causing a crash.

The test case is attached but is very simple:

typedef int (*__attribute__((ms_abi)) callback_t)(int);
int wrapper(callback_t cb, int arg)
{
    return (*cb)(arg);
}

When compiled with 'clang case.c -O2 -c' the result is:
0000000000000000 <wrapper>:
   0:   89 f1                   mov    %esi,%ecx <- correct register for ms_abi
   2:   ff e7                   jmpq   *%rdi     <- but no 32-byte shadow stack

A stack is reserved if optimization is disabled:
0000000000000000 <wrapper>:
   0:   55                      push   %rbp
   1:   48 89 e5                mov    %rsp,%rbp
   4:   48 83 ec 30             sub    $0x30,%rsp
   8:   48 89 7d f8             mov    %rdi,-0x8(%rbp)
   c:   89 75 f4                mov    %esi,-0xc(%rbp)
   f:   48 8b 7d f8             mov    -0x8(%rbp),%rdi
  13:   8b 4d f4                mov    -0xc(%rbp),%ecx
  16:   ff d7                   callq  *%rdi
  18:   48 83 c4 30             add    $0x30,%rsp
  1c:   5d                      pop    %rbp
  1d:   c3                      retq  

Stack space is reserved for straight function calls.  It seems to be just an issue
for function pointers.

Found with 3.4.1, but also happens with 3.5.1.</pre>
        </div>
      </p>
    </body>
</html>