You may find lots of utilities in sanitizer_common useful here.
E.g. try CHECK, CHECK_EQ, etc instead of assert.
In general, I'd like to see more code reuse between safe_stack and sanitizers.

Please check if you still need so many headers. Remove anything you don't need.

Done

Yes. It must also be dynamic to respect pthread stack limits and system-wide rlimits.

please no macros where constants work

Done

Why not simply force -lpthread in the driver?

The overhead of adding -pthread (-lpthread is non-portable) to single-threaded programs is measurably greater than the overhead of safe stack. We (current hat: FreeBSD) are willing to ship packages with SSP by default and would be very willing to ship packages with safe-stack, but if it forced -pthread then the overhead would be more than we'd be willing to accept.

nullptr here and other pointers below.

Done

do you really need this?

Removed; they are hints and are not required for correctness. We can bring them back if benchmarks show a clear benefit.

I might be missing something, but can't we just use TLS to store the second stack?

C11 TLS does not have a way of attaching destructors. C++11 does (although the standard is undefined in the presence of shared library loading and unloading, which makes it less useful), but does not have any way of ordering the destruction.

The main reason of putting the unsafe stack pointer in the tcb directly is performance: that way, the unsafe stack pointer can be loaded/stored with just one memory access. It's exactly the same optimization as the existing stack protector uses (see X86TargetLowering::getStackCookieLocation in X86ISelLowering.cpp:1925).

Following David's suggestion, I will remove this optimization on Linux for now, until it can be properly implemented on the glibc side as well. I plan to only keep it on Darwin (where it seems to be cleaner, as I will explain in the comments). I will use TLS for unsafe_stack_(start|size|guard) on all platforms, as those are not performance critical in any way.

It's probably not a huge issue for the unsafe stack, but I'd rather check that size + guard doesn't overflow uptr before calling MmapOrDie. The same applies in other parts of the code below.

Done

can this code use more of sanitizer_common?
(here and in the rest of this file)

Yep, this now uses internal_mmap/internal_munmap and internal_mprotect below.

Mmm. I don't like that.
Why can't we just ensure that pthread is linked?

My understanding is that on some platforms (FreeBSD?) linking the pthread library has a performance impact.

We could probably consider moving pthread stuff to a separate library which is only linked when pthread is linked. I guess for now we can use the pthread symbols unconditionally. Then any later change will mostly be a matter of moving code around.

Overflow check here too, and with guard.

MmapOrDie dies if it fails. You should not need the check

Removed

Drop the (void) case.

Done

There are magic numbers here again. Please reference either an ABI document or equivalent that indicates that these are safe locations to use.

no macros, please, unless you have too, in which case describe in comments why.

Removed

do you still need this comment?

Removed

Why?
The recent OSX should support TLS well (or not?)

This now uses a __thread variable on all platforms.

According to Laszlo this was done solely for efficiency reasons, so we should be fine using __thread at least to begin with. I imagine that if the overhead matters in practice we can try to persuade the relevant people at Apple to allocate a TLS slot for us.

I would use MmapOrDie (or create a similar one in sanitizer_common/sanitizer_posix.cc)
and get rid of mmap includes in this file.

Done

s/intersepting/intercepting/

Done

s/rutine/routine/

Though I'm not sure the comment is really helping me understand much here, I'd just drop it.

Removed

use CHECK_EQ

Done

UnmapOrDie

Done

Why is this Linux only? If the goal is to avoid LD_PRELOAD and similar interceptions, then it should be done everywhere (possibly with the exception of Darwin)

Don't you want to use internal_mmap from sanitizer_common/sanitizer_libc.h?

On FreeBSD, MAP_STACK should also be passed. Not sure about other BSDs. In general, however, these checks should be of the form:
#ifdef MAP_STACK

#endif
Not #if defined(linux)

This should also use SANITIZER_CAN_USE_PREINIT_ARRAY: attribute((constructor(0))) should be added whenever preinit_array is not used.

Done

Is this initialization check useful if __attribute__((constructor(0))) was used? Can this be done concurrently, or is it just called multiple times from the same thread of execution? If concurrent then initialization is racy.

Is this initialization check useful if attribute((constructor(0))) was used?

I don't think it is. Removed.

(Regarding Vova's comment, we don't currently support linking SafeStack into DSOs.)

The primary reason for this check is to handle cases when libsafestack is linked into multiple DSOs and __safestack_init ends up being on multiple constructor lists. It can only be called concurrently if multiple DSOs are being dlopen'ed in parallel. I think that dlopen itself isn't thread-safe and shouldn't be used that way but, perhaps, for extra safety it's useful to make this code non-racy using atomics.

Gotcha. Would it be useful to have nothing here for now (@pcc just deleted the code), but add a comment explaining @ksvladimir's point?

I don't think we need to add an explanation here. It would only make sense to do so if we supported multiple copies of the library in multiple DSOs, which isn't necessarily something we'll even want to support.

use CHECK

Done

This seems somewhat fragile. It doesn't guarantee that the other destructors won't be run after this, only that they get several opportunities to run before.

Why is this not on Linux?

This should check RLIMIT_STACK.

Why noinline? It is externally visible, so a non-inline version will be produced anyway. Why not let LTO builds inline it? Or is the noinline attribute because this function must be compiled *without* the safe stack support itself? If so, document it (or perhaps add the no_safestack attribute instead, to prevent it from being inlined in unsafe contexts).

I believe that this should work on most ELF platforms.

please use static for anything that is is not supposed to be called/used from another module.

Where possible, please reuse functions from sanitizer_common, e.g. here you may try GetThreadStackTopAndBottom

why NDEBUG?
I would prefer tnot to have a separate build for compiler-rt

can you use SANITIZER_INTERFACE_ATTRIBUTE?

please make this similar to other sanitizers (SANITIZER_CAN_USE_PREINIT_ARRAY).

Done

Please add a comment on why 2*sizeof(void*) is correct.

Removed

In fact, it might depend on the architecture and even on the calling convention. Perhaps we should just remove this function altogether, as it is not really related to SafeStack, and we ended up not using it anyway neither in Chrome nor FreeBSD.