On Fri, Nov 16, 2018 at 02:56:46PM +0000, Thomas Preudhomme wrote:
> In case of high register pressure in PIC mode, address of the stack
> protector's guard can be spilled on ARM targets as shown in PR85434,
> thus allowing an attacker to control what the canary would be compared
> against. ARM does lack stack_protect_set and stack_protect_test insn
> patterns, defining them does not help as the address is expanded
> regularly and the patterns only deal with the copy and test of the
> guard with the canary.
>
> This problem does not occur for x86 targets because the PIC access and
> the test can be done in the same instruction. Aarch64 is exempt too
> because PIC access insn pattern are mov of UNSPEC which prevents it from
> the second access in the epilogue being CSEd in cse_local pass with the
> first access in the prologue.

The unspecs are not CSEd because they are *different* unspecs
(UNSPEC_SP_SET vs. UNSPEC_SP_TEST; they have different args too,
different number of args even). Two the same unspecs can be CSEd
just fine.


Segher
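
The failure mode in the quoted report (the guard's address spilled to the stack and reloaded for the epilogue check), as an added C model that is not part of the original thread or of GCC. The frame layout, guard value and function names are constructed, and the copy is clamped to the modelled frame so the program stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values and layout: a model, not a real ARM frame. */
static uintptr_t stack_chk_guard = 0x5bd1e995u;  /* stand-in for the guard */
static uintptr_t other_word = 0x41414141u;       /* a word the input can name */

struct frame {
    unsigned char buf[16];
    const uintptr_t *spilled_guard_addr;  /* guard address spilled by prologue */
    uintptr_t canary;
};

/* Returns 1 if the epilogue check reports corruption, 0 if it passes.
   reload_from_spill=1: epilogue reuses the address spilled in the prologue.
   reload_from_spill=0: epilogue recomputes the guard address. */
int check_frame(const unsigned char *input, size_t len, int reload_from_spill)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.spilled_guard_addr = &stack_chk_guard;         /* prologue */
    f.canary = *f.spilled_guard_addr;

    if (len > sizeof f) len = sizeof f;              /* keep the model defined */
    memcpy(&f, input, len);                          /* copy not bounded by buf */

    const uintptr_t *g = reload_from_spill ? f.spilled_guard_addr
                                           : &stack_chk_guard;
    return f.canary != *g;                           /* epilogue */
}

/* Builds an input that rewrites the spill slot and the canary consistently. */
size_t corrupting_input(unsigned char *out)
{
    struct frame img;
    memset(&img, 'A', sizeof img);
    img.spilled_guard_addr = &other_word;
    img.canary = other_word;
    memcpy(out, &img, sizeof img);
    return sizeof img;
}

int main(void)
{
    unsigned char in[sizeof(struct frame)];
    size_t n = corrupting_input(in);
    printf("reload from spill:  detected=%d\n", check_frame(in, n, 1));
    printf("recomputed address: detected=%d\n", check_frame(in, n, 0));
    return 0;
}
```

When the comparison address comes from the frame itself, the check compares two values that the same overwrite produced, so it passes; recomputing the address in the epilogue restores the detection.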