Yes. It must also be dynamic to respect pthread stack limits and system-wide rlimits.

There are magic numbers here again. Please reference either an ABI document or equivalent that indicates that these are safe locations to use.

Why is this Linux only? If the goal is to avoid LD_PRELOAD and similar interceptions, then it should be done everywhere (possibly with the exception of Darwin)

On FreeBSD, MAP_STACK should also be passed. Not sure about other BSDs. In general, however, these checks should be of the form:
#ifdef MAP_STACK

#endif
Not #if defined(linux)

This seems somewhat fragile. It doesn't guarantee that the other destructors won't be run after this, only that they get several opportunities to run before.

Why is this not on Linux?

This should check RLIMIT_STACK.

Why noinline? It is externally visible, so a non-inline version will be produced anyway. Why not let LTO builds inline it? Or is the noinline attribute because this function must be compiled *without* the safe stack support itself? If so, document it (or perhaps add the no_safestack attribute instead, to prevent it from being inlined in unsafe contexts).

I believe that this should work on most ELF platforms.

You may find lots of utilities in sanitizer_common useful here.
E.g. try CHECK, CHECK_EQ, etc instead of assert.
In general, I'd like to see more code reuse between safe_stack and sanitizers.

Why not simply force -lpthread in the driver?

I might be missing something, but can't we just use TLS to store the second stack?

Don't you want to use internal_mmap from sanitizer_common/sanitizer_libc.h?

Where possible, please reuse functions from sanitizer_common, e.g. here you may try GetThreadStackTopAndBottom

please use static for anything that is is not supposed to be called/used from another module.

why NDEBUG?
I would prefer tnot to have a separate build for compiler-rt

can you use SANITIZER_INTERFACE_ATTRIBUTE?

The overhead of adding -pthread (-lpthread is non-portable) to single-threaded programs is measurably greater than the overhead of safe stack. We (current hat: FreeBSD) are willing to ship packages with SSP by default and would be very willing to ship packages with safe-stack, but if it forced -pthread then the overhead would be more than we'd be willing to accept.

C11 TLS does not have a way of attaching destructors. C++11 does (although the standard is undefined in the presence of shared library loading and unloading, which makes it less useful), but does not have any way of ordering the destruction.

The main reason of putting the unsafe stack pointer in the tcb directly is performance: that way, the unsafe stack pointer can be loaded/stored with just one memory access. It's exactly the same optimization as the existing stack protector uses (see X86TargetLowering::getStackCookieLocation in X86ISelLowering.cpp:1925).

Following David's suggestion, I will remove this optimization on Linux for now, until it can be properly implemented on the glibc side as well. I plan to only keep it on Darwin (where it seems to be cleaner, as I will explain in the comments). I will use TLS for unsafe_stack_(start|size|guard) on all platforms, as those are not performance critical in any way.

I don't think we want to support configure/make

can this code use more of sanitizer_common?
(here and in the rest of this file)

Why?
The recent OSX should support TLS well (or not?)

(for all tests) please add a one-line test description

Removed.

Yep, this now uses internal_mmap/internal_munmap and internal_mprotect below.

This now uses a __thread variable on all platforms.

According to Laszlo this was done solely for efficiency reasons, so we should be fine using __thread at least to begin with. I imagine that if the overhead matters in practice we can try to persuade the relevant people at Apple to allocate a TLS slot for us.

Done

I thought you need to add this if COMPILER_RT_HAS_SAFESTACK is true.

I believe you also need ${SANIITIZER_COMMON_LIT_TEST_DEPS}

use not (here and below)

You don't use this attribute anywhere, delete it.

is this still valid?
Don't we use -fsanitize= syntax?

please no macros where constants work

do you really need this?

Mmm. I don't like that.
Why can't we just ensure that pthread is linked?

no macros, please, unless you have too, in which case describe in comments why.

I would use MmapOrDie (or create a similar one in sanitizer_common/sanitizer_posix.cc)
and get rid of mmap includes in this file.

use CHECK_EQ

UnmapOrDie

use CHECK

please make this similar to other sanitizers (SANITIZER_CAN_USE_PREINIT_ARRAY).

Please check if you still need so many headers. Remove anything you don't need.

MmapOrDie dies if it fails. You should not need the check

do you still need this comment?

kBufferSize

This should also use SANITIZER_CAN_USE_PREINIT_ARRAY: attribute((constructor(0))) should be added whenever preinit_array is not used.

I haven't been through the LLVM-side code yet, but what prevents other architectures from being supported? IIUC nothing is x86 specific since it's in `lib/Transforms`, right?

What's missing for Windows support? Thread and TLS support? It's the most significant platform for Chrome (well, and Android), and we're looking forward to LLVM support on Windows. Not having SafeStack would be sad. This can be a different patch, but I think it's important.

nullptr here and other pointers below.

It's probably not a huge issue for the unsafe stack, but I'd rather check that size + guard doesn't overflow uptr before calling MmapOrDie. The same applies in other parts of the code below.

Drop the (void) case.

s/intersepting/intercepting/

s/rutine/routine/

Though I'm not sure the comment is really helping me understand much here, I'd just drop it.

Is this initialization check useful if __attribute__((constructor(0))) was used? Can this be done concurrently, or is it just called multiple times from the same thread of execution? If concurrent then initialization is racy.

Please add a comment on why 2*sizeof(void*) is correct.

Does this force-build gold for this test? Or does it refuse to build the test if gold wasn't built? Also, comment on why PIC and+binutils_incdir require gold for testing.

Why does Apple require LTO for testing?

Could you do the same test with a VLA?

Writing and then immediately reading back is pretty brittle if the optimizer decides to kick in and prove the code trivially dead. Could you add some optimizer smarts defeat mechanism here? I'm not sure if compiler-rt has a preferred method of doing this (asm volatile, barrier, volatile, separate noinline call, ...).

noinline would be appropriate, though IPO could still kick in. Maybe slap a volatile on there too?

I'd rather memset a bigger range which includes the buffer itself than just changing two values.

The optimizer knows that value1 and value2 don't escape main. This check is trivially true.

The buffer allocation and memset are dead code and can be eliminated.

Good point, in principle the code is fairly cross platform (although we only tested it on x86).

The primary reason for this check is to handle cases when libsafestack is linked into multiple DSOs and __safestack_init ends up being on multiple constructor lists. It can only be called concurrently if multiple DSOs are being dlopen'ed in parallel. I think that dlopen itself isn't thread-safe and shouldn't be used that way but, perhaps, for extra safety it's useful to make this code non-racy using atomics.

In fact, it might depend on the architecture and even on the calling convention. Perhaps we should just remove this function altogether, as it is not really related to SafeStack, and we ended up not using it anyway neither in Chrome nor FreeBSD.

Tagging @rnk FYI.

Overflow check here too, and with guard.

Gotcha. Would it be useful to have nothing here for now (@pcc just deleted the code), but add a comment explaining @ksvladimir's point?

I don't think we need to add an explanation here. It would only make sense to do so if we supported multiple copies of the library in multiple DSOs, which isn't necessarily something we'll even want to support.