-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
setjmp
on linux mangles ebp
leading to early collection
#10625
Comments
One workaround for the |
I'd prefer to use inline assembler for the "store registers on the stack" operation. We can base the implementations on setjmp's implementation. Hey, we only support about 18 different CPU archs, cannot be hard, right? |
well, yeah, that would work as well, but strikes me as the less attractive option, at least to begin with - one could start with no-omit-fp in the standard options and then selectively use I kind of doubt the impact is that great on In addition, on |
This GC bug occurs on MacOS as well. Not sure which version at started at, but disassembling MacOS 10.15's
|
On embedded Linux, Eglibc does the same as Glibc, as noticed by CVE-2013-4788 - Eglibc PTR MANGLE vulnerability. I looked into using In the SIOD discussion, a proposed patch checks for Another proposed patch (at the SIOD link above) checks for For x86, there actually is register-saving assembly in Nim already at I don't think relying on register-saving assembly is a great idea, though. It is possible a compiler might store pointers in additional CPU registers that are part of a CPU extension, and not saved by any particular home-grown function. Again, because it's such a critical function for the GC, and missing something would lead to a very subtle bug. That circles back to |
I've hit this bug when working on my GC implementation using |
@edubart That sounds like a good solution! Just make sure to guard against old versions of GCC/Clang that may not have that intrinisc (if it's relatively recent) and situations where the backend compiler is VCC |
d503368
when the GC calls
setjmp
, the assumption is that it will put register values on the stack. some registers however, notablyRBP
, are mangled so as to protect against stack overwrite attacks. This leads to trouble, because mark-and-sweep will miss pointers and prematurely reclaim memory.RBP
is used as a general-purpose register whenever frame pointers are omitted: https://stackoverflow.com/questions/41912684/what-is-the-purpose-of-the-rbp-register-in-x86-64-assemblerGenerally,
-fomit-frame-pointer
is enabled at all optimization levels, in gcc, meaning that even though the test suite might be passing, release compiles will be more likely to crash randomly.https://github.com/lattera/glibc/blob/895ef79e04a953cac1493863bcae29ad85657ee1/sysdeps/x86_64/setjmp.S#L33 shows how
RBP
is mangled.The text was updated successfully, but these errors were encountered: