<html>
<head>
<base href="https://bugs.llvm.org/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - inlining of stack-protected functions into non-stack-protected functions dangerous"
href="https://bugs.llvm.org/show_bug.cgi?id=47479">47479</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>inlining of stack-protected functions into non-stack-protected functions dangerous
</td>
</tr>
<tr>
<th>Product</th>
<td>libraries
</td>
</tr>
<tr>
<th>Version</th>
<td>trunk
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P
</td>
</tr>
<tr>
<th>Component</th>
<td>Interprocedural Optimizations
</td>
</tr>
<tr>
<th>Assignee</th>
<td>unassignedbugs@nondot.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>ndesaulniers@google.com
</td>
</tr>
<tr>
<th>CC</th>
<td>llozano@chromium.org, llvm-bugs@lists.llvm.org, manojgupta@google.com, peter@pcc.me.uk, samitolvanen@google.com, srhines@google.com
</td>
</tr>
<tr>
<th>Blocks</th>
<td>4068
</td>
</tr></table>
<p>
<div>
<pre>Forked from internal google bug b/166163480.
If we have code that is compiled without a stack protector (such as code in the
Linux kernel that's trying to restore registers containing the stack canaries),
then inlining code that was compiled with stack protector into it can break
code. LTO makes this more likely to occur across TUs which may or may not be
compiled with the same -fstack-protector flag.
The inliner probably should not inline functions if the caller does not use a
stack protector, but the callee does.
Toy example:
// foo.c
#include <alloca.h>
#include <stddef.h>   /* size_t */

void foo(void *);

/* Uses alloca, so -fstack-protector-strong instruments bar with a canary. */
void bar(size_t n) {
    foo(alloca(n));
}

/* Explicitly opted out of stack protection; must not contain a canary check. */
__attribute__((no_stack_protector))
void baz(void) {
    bar(1024);
}
$ clang -O2 baz.c -c -fstack-protector-strong
$ llvm-objdump -dr baz.o
0000000000000000 <bar>:
...
41: c3 retq
42: e8 00 00 00 00 callq 0x47 <bar+0x47>
0000000000000043: R_X86_64_PLT32 __stack_chk_fail-0x4
...
0000000000000050 <baz>:
...
8a: c3 retq
8b: e8 00 00 00 00 callq 0x90 <baz+0x40>
000000000000008c: R_X86_64_PLT32 __stack_chk_fail-0x4
Oh, no! `bar` was compiled with stack protection, was inlined into `baz` (bad),
which now has stack protection, even though we explicitly disabled it for that
function.</pre>
</div>
</p>
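<p>A build-time check for the failure mode described in this report, added here as an example and not part of the bug or of LLVM: it parses <code>llvm-objdump -dr</code> output, attributes every <code>__stack_chk_fail</code> (or <code>__stack_chk_guard</code>) reference to the enclosing function, and flags any function that the build declared <code>no_stack_protector</code> but that still carries a canary check after inlining or LTO. The listing embedded below is constructed to mirror the report's disassembly (<code>bar</code> and <code>baz</code> both reference <code>__stack_chk_fail</code>); the third function <code>qux</code> and the set of functions expected to be unprotected are assumptions for illustration.</p>

```python
import re
from typing import Dict, List, Set

# Constructed sample in the format of `llvm-objdump -dr`, mirroring the
# bug report: bar and baz both carry a __stack_chk_fail relocation after
# inlining, while qux (hypothetical, added here) has no canary check.
SAMPLE_OBJDUMP = """\
0000000000000000 <bar>:
       0: 41 57                         pushq   %r15
      41: c3                            retq
      42: e8 00 00 00 00                callq   0x47 <bar+0x47>
                0000000000000043:  R_X86_64_PLT32       __stack_chk_fail-0x4
      47: cc                            int3

0000000000000050 <baz>:
      8a: c3                            retq
      8b: e8 00 00 00 00                callq   0x90 <baz+0x40>
                000000000000008c:  R_X86_64_PLT32       __stack_chk_fail-0x4

0000000000000090 <qux>:
      90: c3                            retq
"""

# "<addr> <symbol>:" opens a new function in objdump output.
SYMBOL_RE = re.compile(r"^[0-9a-fA-F]+\s+<([^>]+)>:\s*$")
# Matches a relocation against __stack_chk_fail (object file) or a resolved
# call such as "callq ... <__stack_chk_fail@plt>" (linked binary). Targets
# that load the canary from a global instead of TLS reference
# __stack_chk_guard, so that symbol is matched as well.
CANARY_RE = re.compile(r"__stack_chk_(fail|guard)")


def stack_check_sites(objdump_text: str) -> Dict[str, List[str]]:
    """Map every function in the listing to the lines that touch the canary."""
    sites: Dict[str, List[str]] = {}
    current = None
    for raw in objdump_text.splitlines():
        line = raw.strip()
        header = SYMBOL_RE.match(line)
        if header:
            current = header.group(1)
            sites.setdefault(current, [])
            continue
        if current is not None and CANARY_RE.search(line):
            sites[current].append(line)
    return sites


def protected_functions(objdump_text: str) -> Set[str]:
    """Functions whose emitted code contains a stack-protector check."""
    return {name for name, hits in stack_check_sites(objdump_text).items() if hits}


def unexpected_protection(objdump_text: str, must_be_unprotected) -> Set[str]:
    """Functions declared no_stack_protector that still check the canary."""
    return protected_functions(objdump_text) & set(must_be_unprotected)


if __name__ == "__main__":
    # Constructed list of functions the build marks no_stack_protector.
    for name in sorted(unexpected_protection(SAMPLE_OBJDUMP, {"baz", "qux"})):
        print(f"{name}: stack-protector check present despite no_stack_protector")
```

<p>In a real build the text would come from <code>llvm-objdump -dr</code> on the final LTO output, not on the per-TU object, since that is where cross-TU inlining first becomes visible; the list of functions that must stay unprotected can be generated from the sources by grepping for the <code>no_stack_protector</code> attribute. Matching relocations rather than only resolved calls keeps the check usable on unlinked objects, which is the form shown in the report.</p>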
<div id="referenced">
<hr style="border: 1px dashed #969696">
<b>Referenced Bugs:</b>
<ul>
<li>
[<a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - [Meta] Compiling the Linux kernel with clang"
href="https://bugs.llvm.org/show_bug.cgi?id=4068">Bug 4068</a>] [Meta] Compiling the Linux kernel with clang
</li>
</ul>
</div>
</body>
</html>