<html>
<head>
<base href="https://llvm.org/bugs/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW --- - SafeStack: unsafe alloca pointers are live throughout the function"
href="https://llvm.org/bugs/show_bug.cgi?id=27844">27844</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>SafeStack: unsafe alloca pointers are live throughout the function
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Common Code Generator Code
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>eugeni.stepanov@gmail.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llvm-bugs@lists.llvm.org
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr></table>
<p>
<div>
<pre>In the following example, the address of each local variable is calculated in
advance and kept live in a register, and even spilled as necessary. It would be
enough to keep the base address of the unsafe stack frame (%r15 in this case)
in a register and calculate the addresses of variables when they are needed.
$ cat 1.cc
void capture(int *);
void f() {
int x0; capture(&x0);
int x1; capture(&x1);
int x2; capture(&x2);
int x3; capture(&x3);
int x4; capture(&x4);
int x5; capture(&x5);
int x6; capture(&x6);
int x7; capture(&x7);
int x8; capture(&x8);
int x9; capture(&x9);
}
$ clang++ 1.cc -O3 -c -fsanitize=safe-stack && objdump -drl 1.o
0000000000000000 <_Z1fv>:
_Z1fv():
0: 55 push %rbp
1: 41 57 push %r15
3: 41 56 push %r14
5: 41 55 push %r13
7: 41 54 push %r12
9: 53 push %rbx
a: 48 83 ec 28 sub $0x28,%rsp
e: 48 8b 0d 00 00 00 00 mov 0x0(%rip),%rcx # 15 <_Z1fv+0x15>
11: R_X86_64_GOTTPOFF __safestack_unsafe_stack_ptr-0x4
15: 64 4c 8b 39 mov %fs:(%rcx),%r15
19: 49 8d 47 d0 lea -0x30(%r15),%rax
1d: 64 48 89 01 mov %rax,%fs:(%rcx)
21: 49 8d 7f fc lea -0x4(%r15),%rdi
25: 49 8d 5f f8 lea -0x8(%r15),%rbx
29: 4d 8d 67 f4 lea -0xc(%r15),%r12
2d: 4d 8d 6f f0 lea -0x10(%r15),%r13
31: 49 8d 6f ec lea -0x14(%r15),%rbp
35: 4d 8d 77 e8 lea -0x18(%r15),%r14
39: 49 8d 47 e4 lea -0x1c(%r15),%rax
3d: 48 89 44 24 08 mov %rax,0x8(%rsp)
42: 49 8d 47 e0 lea -0x20(%r15),%rax
46: 48 89 44 24 10 mov %rax,0x10(%rsp)
4b: 49 8d 47 dc lea -0x24(%r15),%rax
4f: 48 89 44 24 18 mov %rax,0x18(%rsp)
54: 49 8d 47 d8 lea -0x28(%r15),%rax
58: 48 89 44 24 20 mov %rax,0x20(%rsp)
5d: e8 00 00 00 00 callq 62 <_Z1fv+0x62>
5e: R_X86_64_PC32 _Z7capturePi-0x4
62: 48 89 df mov %rbx,%rdi
65: e8 00 00 00 00 callq 6a <_Z1fv+0x6a>
66: R_X86_64_PC32 _Z7capturePi-0x4
6a: 4c 89 e7 mov %r12,%rdi
6d: e8 00 00 00 00 callq 72 <_Z1fv+0x72>
6e: R_X86_64_PC32 _Z7capturePi-0x4
72: 4c 89 ef mov %r13,%rdi
75: e8 00 00 00 00 callq 7a <_Z1fv+0x7a>
76: R_X86_64_PC32 _Z7capturePi-0x4
7a: 48 89 ef mov %rbp,%rdi
7d: e8 00 00 00 00 callq 82 <_Z1fv+0x82>
7e: R_X86_64_PC32 _Z7capturePi-0x4
82: 4c 89 f7 mov %r14,%rdi
85: e8 00 00 00 00 callq 8a <_Z1fv+0x8a>
86: R_X86_64_PC32 _Z7capturePi-0x4
8a: 48 8b 7c 24 08 mov 0x8(%rsp),%rdi
8f: e8 00 00 00 00 callq 94 <_Z1fv+0x94>
90: R_X86_64_PC32 _Z7capturePi-0x4
94: 48 8b 7c 24 10 mov 0x10(%rsp),%rdi
99: e8 00 00 00 00 callq 9e <_Z1fv+0x9e>
9a: R_X86_64_PC32 _Z7capturePi-0x4
9e: 48 8b 7c 24 18 mov 0x18(%rsp),%rdi
a3: e8 00 00 00 00 callq a8 <_Z1fv+0xa8>
a4: R_X86_64_PC32 _Z7capturePi-0x4
a8: 48 8b 7c 24 20 mov 0x20(%rsp),%rdi
ad: e8 00 00 00 00 callq b2 <_Z1fv+0xb2>
ae: R_X86_64_PC32 _Z7capturePi-0x4
b2: 48 8b 05 00 00 00 00 mov 0x0(%rip),%rax # b9 <_Z1fv+0xb9>
b5: R_X86_64_GOTTPOFF __safestack_unsafe_stack_ptr-0x4
b9: 64 4c 89 38 mov %r15,%fs:(%rax)
bd: 48 83 c4 28 add $0x28,%rsp
c1: 5b pop %rbx
c2: 41 5c pop %r12
c4: 41 5d pop %r13
c6: 41 5e pop %r14
c8: 41 5f pop %r15
ca: 5d pop %rbp
cb: c3 retq</pre>
</div>
</p>
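<p>To see where the prologue's <code>sub $0x30,%rsp</code>-style frame reservation on the unsafe stack and the ten <code>lea -N(%r15)</code> displacements come from, here is a constructed C model of the unsafe-stack frame layout. It is added here and is not the SafeStack pass or any other LLVM code; <code>Slot</code>, <code>layout_unsafe_frame</code> and the 16-byte frame alignment are the model's own assumptions.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not LLVM's SafeStack pass): each unsafe alloca gets a
 * slot at a negative offset from the frame base that the prologue loads from
 * %fs:__safestack_unsafe_stack_ptr (%r15 in the report), and the frame is
 * rounded up to 16 bytes, which is why ten 4-byte ints cost 0x30 bytes. */
#define MAX_SLOTS 64
#define UNSAFE_STACK_ALIGN 16

typedef struct {
    size_t size;
    size_t align;
    intptr_t offset;   /* negative displacement from the frame base */
} Slot;

static size_t round_up(size_t v, size_t a) { return (v + a - 1) & ~(a - 1); }

/* Assigns offsets top-down (first alloca closest to the base) and returns
 * the aligned frame size the prologue subtracts from the unsafe stack ptr. */
size_t layout_unsafe_frame(Slot *slots, size_t n) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        used = round_up(used + slots[i].size, slots[i].align);
        slots[i].offset = -(intptr_t)used;
    }
    return round_up(used, UNSAFE_STACK_ALIGN);
}

/* The report's case: n ints, each 4 bytes with 4-byte alignment. */
static size_t int_layout(Slot *s, size_t n) {
    if (n > MAX_SLOTS) n = MAX_SLOTS;
    for (size_t i = 0; i < n; i++) { s[i].size = 4; s[i].align = 4; }
    return layout_unsafe_frame(s, n);
}
size_t int_frame_size(size_t n) { Slot s[MAX_SLOTS]; return int_layout(s, n); }
intptr_t int_slot_offset(size_t i, size_t n) {
    Slot s[MAX_SLOTS];
    int_layout(s, n);
    return (i < n && i < MAX_SLOTS) ? s[i].offset : 0;
}

/* Address of a slot recomputed from the saved base at the use site: this is
 * the "base register plus displacement" form the report asks for, needing
 * one live register instead of one per variable plus spill slots. */
char *slot_address(char *frame_base, intptr_t offset) { return frame_base + offset; }

int main(void) {
    printf("unsafe frame size: 0x%zx\n", int_frame_size(10));
    for (size_t i = 0; i < 10; i++)
        printf("x%zu: lea -0x%lx(%%r15)\n", i, (unsigned long)-int_slot_offset(i, 10));
    return 0;
}
```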
</body>
</html>