Re: ada compiler?

[Samuel Tardieu <sam@rfc1149.net>]

>>>>> "Ludovic" == Ludovic Brenta <ludovic@ludovic-brenta.org> writes:

Ludovic> Does someone here know GNAT internals in sufficient detail as
Ludovic> to enlighten us? Also can someone explain what "reliable"
Ludovic> stack checking is in GNAT parlance?

You have two ways of doing stack checking:

 1- at the GCC level by checking the stack at the entry of every
    subprogram and comparing it to a thread/task specific marker; this
    is costly

 2- at the OS level by mapping a page after the stack which does not
    allow either reads or writes to the page (or, when this is not
    possible, which doesn't allow writes)

Let me describe how solution 2 is implemented, assuming the stack
grows downwards: (from higher to lower addresses)

     |
     | Stack for task T1
     |
     v
     |
     | Allowed space for stack for task T1
     |
     -
     |
     | Protected memory page
     |
     -
     |
     | Stack for task T2
     |
     v
     
If stack for task T1 slowly grows downwards, it will eventually reach
the protected memory page and raise a SIGSEGV to represent the access
violation.

However, if you allocate an object on stack T1 larger than the
remaining task space + the size of a protected memory page, then you
may end up with something looking like: (say a large T1Obj array is
allocated on the stack)

     |
     | Stack for task T1
     |
     | Return address for previous function call
     | Stack frame (I won't detail here what it is) for current funcall
     | Address of T1Obj[6]
     | Address of T1Obj[5]
     -
     | Address of T1Obj[4]
     | Address of T1Obj[3]   Protected memory page
     | Address of T1Obj[2]
     - 
     | Address of T1Obj[1]
     | Stack for task T2
     |
     v

You may then write T1Obj[1] without triggering a memory protection
error and overwrite the stack of task T2 without noticing. If you
modify only T1Obj[1] and return, you will leave T2 with a corrupted
task.

So to make this scheme work, every subprogram must use a stack area
smaller than a page size (typically 4KB, but this may vary from system
to system and you may also have pages of different sizes to reduce the
number of MMU [memory management unit] lookups that you need to map
your process virtual address space into the physical+swap address space).

I have not checked if GNAT knows how to mix those two schemes, i.e. if
it can generate a call to Stack_Check only in functions where the local
stack area is large enough to mandate the check and in subprograms
callable from other languages (because they may have had the same
problem and not done the check themselves -- in case of problems, the
program should be aborted as other stacks may already have been
corrupted).

An obvious improvement would be to increase the number of protected
memory pages between different stacks. However, this would reduce the
number of tasks that you can run simultaneously because on a 32 bits
system you have access to a maximum 4GB of addressable memory from any
processus (usually 3GB under Linux for example).

Does that answer your question?

  Sam
-- 
Samuel Tardieu -- sam@rfc1149.net -- http://www.rfc1149.net/