<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Book Antiqua";
panose-1:2 4 6 2 5 3 5 3 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Book Antiqua","serif";
color:#943634;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Your understanding matches mine. It is not a particularly robust check, but can help detect some programming mistakes. PS4 has it on by default and we've
caught some real bugs with it.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">You could force it off for your target if you really don't want it. Look for OPT_fstack_protector in Driver.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">--paulr<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></a></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> llvm-dev [mailto:llvm-dev-bounces@lists.llvm.org]
<b>On Behalf Of </b>Martin J. O'Riordan via llvm-dev<br>
<b>Sent:</b> Friday, July 01, 2016 2:51 AM<br>
<b>To:</b> 'David Majnemer'<br>
<b>Cc:</b> 'LLVM Developers'<br>
<b>Subject:</b> Re: [llvm-dev] Implementing stack probes<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">In our case we have to implement our libc as this is for an embedded multicore device, and this why I need to understand the semantics of the mechanism. What the
compiler inserts and what the runtime library support expects have to work together and I do not understand the mechanism in order to implement them.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">However, from what you say, the “canary” is just a value (could be anything) that is planted in the function’s own stack frame, and on return if it is altered then
the check decides that a stack overflow occurred and aborts.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">But this means that a stack overflow that corrupts an adjacent data region which will be visited at another time will not be detected unless by coincidence something
writes to that region during the lifetime of the function. It also means that if the function’s own stack is corrupted by overlapping writes, then its own return address may also be clobbered along with the canary, and there is no guarantee it will resume
control at all.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">This seems like a very error prone approach. Or am I misunderstanding the semantics?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">In a simple runtime context like ours, the stack is a simple area of memory. We have a programmer specified stack begin address, and the programmer also determines
how much stack to allocate to the program (specified at link-time).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">What I would really like to do, is test if there is enough room on the stack before I use the reservation, and abort if there is not. Our stack grows from high address
to low, so currently the function prologue does something like:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">SP -= #bytes to reserve<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">execute code<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">SP += #bytes to reserve<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">return<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">I would like:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">SP -= #bytes to reserve<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">OPTIONAL: update SP high-water mark<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">IF: SP < __top_of_stack THEN abort<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">execute code<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">SP += #bytes to reserve<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-IE" style="font-family:"Courier New";color:black">return<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">The symbol ‘</span><span lang="EN-IE" style="font-family:"Courier New";color:black">__top_of_stack</span><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">’
can be provided by the linker when laying out memory for the program. This approach would work well as there is no chance that the function’s stack frame will clobber data as the test and abort happen before the reserved stack is used.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">I don’t see how the ‘</span><span lang="EN-IE" style="font-family:"Courier New";color:black">__stack_chk_</span><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">’
approach can do this, or ensure that the frame does not corrupt adjacent memory.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:black"> MartinO<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE" style="font-family:"Book Antiqua","serif";color:#943634"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> David Majnemer [<a href="mailto:david.majnemer@gmail.com">mailto:david.majnemer@gmail.com</a>]
<br>
<b>Sent:</b> 30 June 2016 18:00<br>
<b>To:</b> Martin J. O'Riordan <<a href="mailto:martin.oriordan@movidius.com">martin.oriordan@movidius.com</a>><br>
<b>Cc:</b> LLVM Developers <<a href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a>><br>
<b>Subject:</b> Re: [llvm-dev] Implementing stack probes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-IE">On Thu, Jun 30, 2016 at 8:29 AM, Martin J. O'Riordan via llvm-dev <<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>> wrote:<o:p></o:p></span></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif"">I am trying to implement stack probes for our SHAVE target, and I see that the compiler injects references to ‘__stack_chk_guard’
and ‘__stack_chk_fail’. The code that gets generated is horribly wrong, but in order to understand how to fix it I was wondering if there is a clear statement of how the mechanism is supposed to work?</span><span lang="EN-IE"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE">__stack_chk_guard is loaded and the resulting value is stored on the stack. The location on the stack contains the "canary". Before the function returns, the canary and __stack_chk_guard are compared again. If they
compare unequal, __stack_chk_fail is called. Typically, the implementation of __stack_chk_fail is expected to abort the program.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE">I believe your libc is responsible for implementing these symbols. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-IE"> <o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif""> </span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif"">The variable ‘__stack_chk_guard’ appears to be a pointer to an unsigned integer. Where is this supposed to reside,
and what value should it contain? And the function ‘__stack_chk_fail’ is called when the test fails - presumably this just aborts.</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif""> </span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif"">We have done nothing to support these hooks, so the junk instructions that come out are unsurprising. I am presuming
that we need to handle their lowering in a target specific way, but before I can do that I am wondering if there is a clear definition of the semantics of how the probe is supposed to work?</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif""> </span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif"">Thanks,</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif""> </span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif""> MartinO</span><span lang="EN-IE"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-IE" style="font-family:"Book Antiqua","serif""> </span><span lang="EN-IE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-IE"><br>
_______________________________________________<br>
LLVM Developers mailing list<br>
<a href="mailto:llvm-dev@lists.llvm.org">llvm-dev@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev</a><o:p></o:p></span></p>
</blockquote>
</div>
<p class="MsoNormal"><span lang="EN-IE"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>