Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ARC classic GCC produce FP-based addressing which breaks HW stack checking #643

Open
evgeniy-paltsev opened this issue Aug 9, 2024 · 0 comments
Open

ARC classic GCC produce FP-based addressing which breaks HW stack checking #643

evgeniy-paltsev opened this issue Aug 9, 2024 · 0 comments
Assignees
@artemiy-volkov
Labels
bug
Milestone
2024.12

Comments

@evgeniy-paltsev
Copy link

evgeniy-paltsev commented Aug 9, 2024
edited
Loading

If we use stack variables in function (and if frame pointer is enabled) we address to the stack variables using access relative to FP register (instead of SP). The advantages of such FP usage are not clear and there is one big issue with it - the ARC HW stack checking checks the instructions, which use SP as the base register - so if we use FP the illegal access to stack are not caught by HW.

The simplest way to reproduce such behavior is to build code without optimization, i.e.:

0000007c <stack_smasher>:
      7c:  c3e2                  enter_s  [r13,fp,blink]
      7e:  c1a2                  sub_s  sp,sp,0x8
      80:  1bf8 b000             st  r0,[fp,-8]                // <<----
      84:  13f8 b002             ld  r2,[fp,-8]                // <<----
      88:  1bfc b080             st  r2,[fp,-4]                // <<----
      8c:  13fc b002             ld  r2,[fp,-4]                // <<----
      90:  6a51                  asl_s  r2,r2,0x1
      92:  4040                  mov_s  r0,r2
      94:  0fea ffcf             bl  -24  ;7c <stack_smasher>
      98:  4508                  mov_s  r13,r0
      .....

It's not clear why we use FP instead of SP here and if there is a way to avoid it (without just disabling frame pointer for the build).

Note that we can easily replace FP by SP here without making code bigger, etc.. Here is an example:

original asm:

0000007c <stack_smasher>:
      7c:  c3e2                  enter_s  [r13,fp,blink]
      7e:  c1a2                  sub_s  sp,sp,0x8
      80:  1bf8 b000             st  r0,[fp,-8]
      84:  13f8 b002             ld  r2,[fp,-8]
      88:  1bfc b080             st  r2,[fp,-4]
      8c:  13fc b002             ld  r2,[fp,-4]
      90:  6a51                  asl_s  r2,r2,0x1
      92:  4040                  mov_s  r0,r2
      .....

alternative asm:

0000007c <stack_smasher>:
      7c:  c3e2                  enter_s  [r13,fp,blink]
      7e:  c1a2                  sub_s  sp,sp,0x8
      80:  1bf8 b000             st  r0,[sp]
      84:  13f8 b002             ld  r2,[sp]
      88:  1bfc b080             st  r2,[sp, 4]
      8c:  13fc b002             ld  r2,[sp, 4]
      90:  6a51                  asl_s  r2,r2,0x1
      92:  4040                  mov_s  r0,r2
      .....

NOTE: the MWDT toolchain generates access to the stack variables with SP used as a base (so HW stack checking works correctly) and the issue exists only with GNU toolchain.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@artemiy-volkov artemiy-volkov

Labels
bug
Projects
None yet
Milestone
2024.12
Development

No branches or pull requests
3 participants
@abrodkin @evgeniy-paltsev @artemiy-volkov