is this still valid?
Don't we use -fsanitize= syntax?

please no macros where constants work

do you really need this?

Mmm. I don't like that.
Why can't we just ensure that pthread is linked?

no macros, please, unless you have too, in which case describe in comments why.

I would use MmapOrDie (or create a similar one in sanitizer_common/sanitizer_posix.cc)
and get rid of mmap includes in this file.

use CHECK_EQ

UnmapOrDie

use CHECK

please make this similar to other sanitizers (SANITIZER_CAN_USE_PREINIT_ARRAY).

Please check if you still need so many headers. Remove anything you don't need.

MmapOrDie dies if it fails. You should not need the check

do you still need this comment?

kBufferSize

This should also use SANITIZER_CAN_USE_PREINIT_ARRAY: attribute((constructor(0))) should be added whenever preinit_array is not used.

I haven't been through the LLVM-side code yet, but what prevents other architectures from being supported? IIUC nothing is x86 specific since it's in `lib/Transforms`, right?

What's missing for Windows support? Thread and TLS support? It's the most significant platform for Chrome (well, and Android), and we're looking forward to LLVM support on Windows. Not having SafeStack would be sad. This can be a different patch, but I think it's important.

nullptr here and other pointers below.

It's probably not a huge issue for the unsafe stack, but I'd rather check that size + guard doesn't overflow uptr before calling MmapOrDie. The same applies in other parts of the code below.

Drop the (void) case.

s/intersepting/intercepting/

s/rutine/routine/

Though I'm not sure the comment is really helping me understand much here, I'd just drop it.

Is this initialization check useful if __attribute__((constructor(0))) was used? Can this be done concurrently, or is it just called multiple times from the same thread of execution? If concurrent then initialization is racy.

Please add a comment on why 2*sizeof(void*) is correct.

Does this force-build gold for this test? Or does it refuse to build the test if gold wasn't built? Also, comment on why PIC and+binutils_incdir require gold for testing.

Why does Apple require LTO for testing?

Could you do the same test with a VLA?

Writing and then immediately reading back is pretty brittle if the optimizer decides to kick in and prove the code trivially dead. Could you add some optimizer smarts defeat mechanism here? I'm not sure if compiler-rt has a preferred method of doing this (asm volatile, barrier, volatile, separate noinline call, ...).

noinline would be appropriate, though IPO could still kick in. Maybe slap a volatile on there too?

I'd rather memset a bigger range which includes the buffer itself than just changing two values.

The optimizer knows that value1 and value2 don't escape main. This check is trivially true.

The buffer allocation and memset are dead code and can be eliminated.

Good point, in principle the code is fairly cross platform (although we only tested it on x86).

The primary reason for this check is to handle cases when libsafestack is linked into multiple DSOs and __safestack_init ends up being on multiple constructor lists. It can only be called concurrently if multiple DSOs are being dlopen'ed in parallel. I think that dlopen itself isn't thread-safe and shouldn't be used that way but, perhaps, for extra safety it's useful to make this code non-racy using atomics.

In fact, it might depend on the architecture and even on the calling convention. Perhaps we should just remove this function altogether, as it is not really related to SafeStack, and we ended up not using it anyway neither in Chrome nor FreeBSD.

Tagging @rnk FYI.

Overflow check here too, and with guard.

Gotcha. Would it be useful to have nothing here for now (@pcc just deleted the code), but add a comment explaining @ksvladimir's point?

I don't think we need to add an explanation here. It would only make sense to do so if we supported multiple copies of the library in multiple DSOs, which isn't necessarily something we'll even want to support.