From 2373fabe47dc2989e1700359b1ddd6def3b23622 Mon Sep 17 00:00:00 2001 From: A1029384756 Date: Fri, 12 Jun 2026 22:57:39 -0400 Subject: [PATCH 1/6] [stack-canaries] added protection modes --- src/build_settings.cpp | 12 +++++++++++- src/llvm_backend_proc.cpp | 10 ++++++++++ src/main.cpp | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) diff --git a/src/build_settings.cpp b/src/build_settings.cpp index f31830598..19414fc89 100644 --- a/src/build_settings.cpp +++ b/src/build_settings.cpp @@ -278,6 +278,14 @@ enum RelocMode : u8 { RelocMode_DynamicNoPIC, }; +enum StackProtector : u8 { + StackProtector_Default, + StackProtector_None, + StackProtector_Ssp, + StackProtector_SspReq, + StackProtector_SspStrong, +}; + enum BuildPath : u8 { BuildPath_Main_Package, // Input Path to the package directory (or file) we're building. BuildPath_RC, // Input Path for .rc file, can be set with `-resource:`. @@ -599,7 +607,9 @@ struct BuildContext { bool print_linker_flags; - RelocMode reloc_mode; + RelocMode reloc_mode; + StackProtector stack_protector; + bool disable_red_zone; bool disable_unwind; bool no_plt; diff --git a/src/llvm_backend_proc.cpp b/src/llvm_backend_proc.cpp index 8738dbc9c..738f763cf 100644 --- a/src/llvm_backend_proc.cpp +++ b/src/llvm_backend_proc.cpp @@ -160,6 +160,16 @@ gb_internal lbProcedure *lb_create_procedure(lbModule *m, Entity *entity, bool i lb_add_attribute_to_proc(m, p->value, "nonlazybind"); } + switch (build_context.stack_protector) { + case StackProtector_Default: + case StackProtector_Ssp: + lb_add_attribute_to_proc(m, p->value, "ssp"); + case StackProtector_SspReq: + lb_add_attribute_to_proc(m, p->value, "sspreq"); + case StackProtector_SspStrong: + lb_add_attribute_to_proc(m, p->value, "sspstrong"); + } + if (build_context.disable_unwind) { lb_add_attribute_to_proc(m, p->value, "nounwind"); } diff --git a/src/main.cpp b/src/main.cpp index a63cee5e0..b8fcafd44 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -354,6 +354,7 @@ enum BuildFlagKind { BuildFlag_NoThreadLocal, BuildFlag_RelocMode, + BuildFlag_StackProtector, BuildFlag_DisableRedZone, BuildFlag_DisableUnwind, @@ -587,6 +588,7 @@ gb_internal bool parse_build_flags(Array args) { add_flag(&build_flags, BuildFlag_MinimumOSVersion, str_lit("minimum-os-version"), BuildFlagParam_String, Command__does_build | Command_bundle_android); add_flag(&build_flags, BuildFlag_RelocMode, str_lit("reloc-mode"), BuildFlagParam_String, Command__does_build); + add_flag(&build_flags, BuildFlag_StackProtector, str_lit("stack-protector"), BuildFlagParam_String, Command__does_build); add_flag(&build_flags, BuildFlag_DisableRedZone, str_lit("disable-red-zone"), BuildFlagParam_None, Command__does_build); add_flag(&build_flags, BuildFlag_DisableUnwind, str_lit("disable-unwind"), BuildFlagParam_None, Command__does_build); @@ -1431,6 +1433,29 @@ gb_internal bool parse_build_flags(Array args) { break; } + case BuildFlag_StackProtector: { + GB_ASSERT(value.kind == ExactValue_String); + String v = value.value_string; + if (v == "default") { + build_context.stack_protector = StackProtector_Default; + } else if (v == "none") { + build_context.stack_protector = StackProtector_None; + } else if (v == "base") { + build_context.stack_protector = StackProtector_Ssp; + } else if (v == "all") { + build_context.stack_protector = StackProtector_SspReq; + } else if (v == "strong") { + build_context.stack_protector = StackProtector_SspStrong; + } else { + gb_printf_err("-stack-protector flag expected one of the following\n"); + gb_printf_err("\tdefault\n"); + gb_printf_err("\tnone\n"); + gb_printf_err("\tbase\n"); + gb_printf_err("\tall\n"); + gb_printf_err("\tstrong\n"); + bad_flags = true; + } + } case BuildFlag_DisableRedZone: build_context.disable_red_zone = true; break; @@ -2986,6 +3011,16 @@ gb_internal int print_show_help(String const arg0, String command, String option print_usage_line(3, "-reloc-mode:dynamic-no-pic"); } + if (print_flag("-stack-protector:")) { + print_usage_line(2, "Specifies the stack protector."); + print_usage_line(2, "Available options:"); + print_usage_line(3, "-stack-protector:default"); + print_usage_line(3, "-stack-protector:none"); + print_usage_line(3, "-stack-protector:base"); + print_usage_line(3, "-stack-protector:all"); + print_usage_line(3, "-stack-protector:strong"); + } + #if defined(GB_SYSTEM_WINDOWS) if (print_flag("-resource:")) { print_usage_line(2, "[Windows only]"); From 8ccee661574490ecf1a43dd76b70fae0cb2ed56f Mon Sep 17 00:00:00 2001 From: A1029384756 Date: Fri, 12 Jun 2026 23:27:32 -0400 Subject: [PATCH 2/6] [stack-canaries] fixed platform behavior --- src/build_settings.cpp | 39 ++++++++++++++++++++++++++++----------- src/llvm_backend_proc.cpp | 4 +++- 2 files changed, 31 insertions(+), 12 deletions(-) diff --git a/src/build_settings.cpp b/src/build_settings.cpp index 19414fc89..6a1b296d0 100644 --- a/src/build_settings.cpp +++ b/src/build_settings.cpp @@ -1909,16 +1909,6 @@ gb_internal void init_build_context(TargetMetrics *cross_target, Subtarget subta } break; } - } else if (metrics->os == TargetOs_linux) { - if (bc->reloc_mode == RelocMode_Default) { - bc->reloc_mode = RelocMode_PIC; - } - switch (metrics->arch) { - case TargetArch_arm64: - case TargetArch_amd64: - bc->no_plt = LLVM_VERSION_MAJOR >= 19; - break; - } } else if (metrics->os == TargetOs_openbsd) { // Always use PIC for OpenBSD: it defaults to PIE if (bc->reloc_mode == RelocMode_Default) { @@ -1947,10 +1937,37 @@ gb_internal void init_build_context(TargetMetrics *cross_target, Subtarget subta bc->metrics.target_triplet = str_lit("i686-linux-android"); bc->reloc_mode = RelocMode_PIC; break; - default: GB_PANIC("Unknown architecture for -subtarget:android"); } + } else if (metrics->os == TargetOs_linux) { + if (bc->reloc_mode == RelocMode_Default) { + bc->reloc_mode = RelocMode_PIC; + } + switch (metrics->arch) { + case TargetArch_arm64: + case TargetArch_amd64: + bc->no_plt = LLVM_VERSION_MAJOR >= 19; + break; + } + } + + if (metrics->os == TargetOs_windows || + metrics->os == TargetOs_darwin || + metrics->os == TargetOs_linux || + metrics->os == TargetOs_freebsd || + metrics->os == TargetOs_openbsd || + metrics->os == TargetOs_netbsd) { + if (bc->stack_protector == StackProtector_Default) { + bc->stack_protector = StackProtector_Ssp; + } + } else { + if (bc->stack_protector == StackProtector_Default) { + bc->stack_protector = StackProtector_None; + } else { + gb_printf_err("-stack-protector is not supported on this target\n"); + gb_exit(1); + } } if (bc->metrics.os == TargetOs_windows) { diff --git a/src/llvm_backend_proc.cpp b/src/llvm_backend_proc.cpp index 738f763cf..7994ab4ba 100644 --- a/src/llvm_backend_proc.cpp +++ b/src/llvm_backend_proc.cpp @@ -161,13 +161,15 @@ gb_internal lbProcedure *lb_create_procedure(lbModule *m, Entity *entity, bool i } switch (build_context.stack_protector) { - case StackProtector_Default: case StackProtector_Ssp: lb_add_attribute_to_proc(m, p->value, "ssp"); + break; case StackProtector_SspReq: lb_add_attribute_to_proc(m, p->value, "sspreq"); + break; case StackProtector_SspStrong: lb_add_attribute_to_proc(m, p->value, "sspstrong"); + break; } if (build_context.disable_unwind) { From f850fef613f83060974d4852124f98256d60b9e6 Mon Sep 17 00:00:00 2001 From: A1029384756 Date: Fri, 12 Jun 2026 23:54:26 -0400 Subject: [PATCH 3/6] [stack-canaries] disallow stack canaries on non-intel linux --- src/build_settings.cpp | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/build_settings.cpp b/src/build_settings.cpp index 6a1b296d0..ff184ff63 100644 --- a/src/build_settings.cpp +++ b/src/build_settings.cpp @@ -1952,9 +1952,18 @@ gb_internal void init_build_context(TargetMetrics *cross_target, Subtarget subta } } - if (metrics->os == TargetOs_windows || + // note: there are some stack protection toolchain issues on non-intel + // platforms that will clash with PIC/PIE: + // `unresolvable R_AARCH64_ADR_PREL_PG_HI21 relocation against symbol` + if (metrics->os == TargetOs_linux && ( + metrics->arch == TargetArch_amd64 || + metrics->arch == TargetArch_i386 + )) { + if (bc->stack_protector == StackProtector_Default) { + bc->stack_protector = StackProtector_Ssp; + } + } else if (metrics->os == TargetOs_windows || metrics->os == TargetOs_darwin || - metrics->os == TargetOs_linux || metrics->os == TargetOs_freebsd || metrics->os == TargetOs_openbsd || metrics->os == TargetOs_netbsd) { From 3598e351a46e449e960bade194dc0a9ee895aa45 Mon Sep 17 00:00:00 2001 From: A1029384756 Date: Fri, 12 Jun 2026 23:56:55 -0400 Subject: [PATCH 4/6] [stack-canaries] restricted to only non-arm --- src/build_settings.cpp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/build_settings.cpp b/src/build_settings.cpp index ff184ff63..7af3e008b 100644 --- a/src/build_settings.cpp +++ b/src/build_settings.cpp @@ -1952,13 +1952,13 @@ gb_internal void init_build_context(TargetMetrics *cross_target, Subtarget subta } } - // note: there are some stack protection toolchain issues on non-intel + // note: there are some stack protection toolchain issues on arm // platforms that will clash with PIC/PIE: // `unresolvable R_AARCH64_ADR_PREL_PG_HI21 relocation against symbol` - if (metrics->os == TargetOs_linux && ( - metrics->arch == TargetArch_amd64 || - metrics->arch == TargetArch_i386 - )) { + if (metrics->os == TargetOs_linux && + metrics->arch != TargetArch_arm32 && + metrics->arch != TargetArch_arm64 + ) { if (bc->stack_protector == StackProtector_Default) { bc->stack_protector = StackProtector_Ssp; } From 8bd95d40826edfaa0e88be5df96fe918db962f7f Mon Sep 17 00:00:00 2001 From: A1029384756 Date: Sat, 13 Jun 2026 01:52:19 -0400 Subject: [PATCH 5/6] [stack-canaries] fixed stack canaries on arm linux --- src/build_settings.cpp | 13 ++----------- src/llvm_backend.cpp | 22 +--------------------- src/llvm_backend_general.cpp | 29 +++++++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/src/build_settings.cpp b/src/build_settings.cpp index 7af3e008b..6a1b296d0 100644 --- a/src/build_settings.cpp +++ b/src/build_settings.cpp @@ -1952,18 +1952,9 @@ gb_internal void init_build_context(TargetMetrics *cross_target, Subtarget subta } } - // note: there are some stack protection toolchain issues on arm - // platforms that will clash with PIC/PIE: - // `unresolvable R_AARCH64_ADR_PREL_PG_HI21 relocation against symbol` - if (metrics->os == TargetOs_linux && - metrics->arch != TargetArch_arm32 && - metrics->arch != TargetArch_arm64 - ) { - if (bc->stack_protector == StackProtector_Default) { - bc->stack_protector = StackProtector_Ssp; - } - } else if (metrics->os == TargetOs_windows || + if (metrics->os == TargetOs_windows || metrics->os == TargetOs_darwin || + metrics->os == TargetOs_linux || metrics->os == TargetOs_freebsd || metrics->os == TargetOs_openbsd || metrics->os == TargetOs_netbsd) { diff --git a/src/llvm_backend.cpp b/src/llvm_backend.cpp index 15ff125d4..1b0f32fe9 100644 --- a/src/llvm_backend.cpp +++ b/src/llvm_backend.cpp @@ -3154,32 +3154,12 @@ gb_internal bool lb_generate_code(lbGenerator *gen) { // NOTE(bill, 2021-05-04): Target machines must be unique to each module because they are not thread safe auto target_machines = array_make(permanent_allocator(), 0, gen->modules.count); - // NOTE(dweiler): Dynamic libraries require position-independent code. - LLVMRelocMode reloc_mode = LLVMRelocDefault; - if (build_context.build_mode == BuildMode_DynamicLibrary) { - reloc_mode = LLVMRelocPIC; - } - - switch (build_context.reloc_mode) { - case RelocMode_Default: - break; - case RelocMode_Static: - reloc_mode = LLVMRelocStatic; - break; - case RelocMode_PIC: - reloc_mode = LLVMRelocPIC; - break; - case RelocMode_DynamicNoPIC: - reloc_mode = LLVMRelocDynamicNoPic; - break; - } - for (auto const &entry : gen->modules) { LLVMTargetMachineRef target_machine = LLVMCreateTargetMachine( target, target_triple, (const char *)llvm_cpu.text, llvm_features, code_gen_level, - reloc_mode, + get_reloc_mode(), code_mode); lbModule *m = entry.value; m->target_machine = target_machine; diff --git a/src/llvm_backend_general.cpp b/src/llvm_backend_general.cpp index 27a8c66e3..64829d4c4 100644 --- a/src/llvm_backend_general.cpp +++ b/src/llvm_backend_general.cpp @@ -1,5 +1,6 @@ gb_internal void lb_add_debug_local_variable(lbProcedure *p, LLVMValueRef ptr, Type *type, Token const &token); gb_internal LLVMValueRef llvm_const_string_internal(lbModule *m, Type *t, LLVMValueRef data, LLVMValueRef len); +gb_internal LLVMRelocMode get_reloc_mode(); gb_global Entity *lb_global_type_info_data_entity = {}; gb_global lbAddr lb_global_type_info_member_types = {}; @@ -65,6 +66,12 @@ gb_internal WORKER_TASK_PROC(lb_init_module_worker_proc) { "RtLibUseGOT", 11, LLVMValueAsMetadata(LLVMConstInt(LLVMInt32TypeInContext(m->ctx), 1, true))); } + + LLVMAddModuleFlag(m->mod, + LLVMModuleFlagBehaviorWarning, + "PIC Level", 9, + LLVMValueAsMetadata(LLVMConstInt(LLVMInt32TypeInContext(m->ctx), get_reloc_mode(), true))); + if (build_context.ODIN_DEBUG) { enum {DEBUG_METADATA_VERSION = 3}; @@ -3667,3 +3674,25 @@ gb_internal void lb_set_linkage_from_entity_flags(lbModule *m, LLVMValueRef valu LLVMSetLinkage(value, LLVMLinkOnceAnyLinkage); } } + +LLVMRelocMode get_reloc_mode() { + // NOTE(dweiler): Dynamic libraries require position-independent code. + LLVMRelocMode reloc_mode = LLVMRelocDefault; + if (build_context.build_mode == BuildMode_DynamicLibrary) { + reloc_mode = LLVMRelocPIC; + } + switch (build_context.reloc_mode) { + case RelocMode_Default: + break; + case RelocMode_Static: + reloc_mode = LLVMRelocStatic; + break; + case RelocMode_PIC: + reloc_mode = LLVMRelocPIC; + break; + case RelocMode_DynamicNoPIC: + reloc_mode = LLVMRelocDynamicNoPic; + break; + } + return reloc_mode; +} From 863b2aea800598102d4140fe96adb4b28b0bd672 Mon Sep 17 00:00:00 2001 From: A1029384756 Date: Sun, 14 Jun 2026 13:36:55 -0400 Subject: [PATCH 6/6] [stack-canaries] default to sspstrong --- src/build_settings.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/build_settings.cpp b/src/build_settings.cpp index 6a1b296d0..2c6008515 100644 --- a/src/build_settings.cpp +++ b/src/build_settings.cpp @@ -1959,7 +1959,7 @@ gb_internal void init_build_context(TargetMetrics *cross_target, Subtarget subta metrics->os == TargetOs_openbsd || metrics->os == TargetOs_netbsd) { if (bc->stack_protector == StackProtector_Default) { - bc->stack_protector = StackProtector_Ssp; + bc->stack_protector = StackProtector_SspStrong; } } else { if (bc->stack_protector == StackProtector_Default) {