Change startup ABI for untrusted code to be C-compatible

src/trusted/service_runtime/sel_ldr_standard.c

 /*
  * Copyright (c) 2011 The Native Client Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 /*
  * NaCl Simple/secure ELF loader (NaCl SEL).
  */
 
@@ skipping 637 matching lines @@
                          char const *const  *envv) {
   /*
    * Compute size of string tables for argv and envv
    */
   int                   retval;
   int                   envc;
   size_t                size;
   int                   auxv_entries;
   size_t                ptr_tbl_size;
   int                   i;
-  char                  *p;
+  uint32_t              *p;
   char                  *strp;
   size_t                *argv_len;
   size_t                *envv_len;
   struct NaClAppThread  *natp;
   uintptr_t             stack_ptr;
 
   retval = 0;  /* fail */
   CHECK(argc > 0);
   CHECK(NULL != argv);
 
@@ skipping 44 matching lines @@
   }
   for (i = 0; i < envc; ++i) {
     envv_len[i] = strlen(envv[i]) + 1;
     size += envv_len[i];
   }
 
   /*
    * NaCl modules are ILP32, so the argv, envv pointers, as well as
    * the terminating NULL pointers at the end of the argv/envv tables,
    * are 32-bit values.  We also have the auxv to take into account.
-   * Note that on nacl64, argc is popped, and is an 8-byte value!
    *
    * The argv and envv pointer tables came from trusted code and is
    * part of memory.  Thus, by the same argument above, adding in
    * "ptr_tbl_size" cannot possibly overflow the "size" variable since
    * it is a size_t object.  However, the extra pointers for auxv and
    * the space for argv could cause an overflow.  The fact that we
    * used stack to get here etc means that ptr_tbl_size could not have
    * overflowed.
    *
    * NB: the underlying OS would have limited the amount of space used
    * for argv and envv -- on linux, it is ARG_MAX, or 128KB -- and
    * hence the overflow check is for obvious auditability rather than
    * for correctness.
    */
   auxv_entries = 1;
   if (0 != nap->user_entry_pt) {
     auxv_entries++;
   }
-  ptr_tbl_size = (argc + envc + 2 + auxv_entries * 2) * sizeof(uint32_t)
-                 + sizeof(nacl_reg_t);
+  ptr_tbl_size = (((NACL_STACK_GETS_ARG ? 1 : 0) +
+                   (3 + argc + 1 + envc + 1 + auxv_entries * 2)) *
+                  sizeof(uint32_t));
 
   if (SIZE_T_MAX - size < ptr_tbl_size) {
     NaClLog(LOG_WARNING,
             "NaClCreateMainThread: ptr_tbl_size cause size of"
             " argv / environment copy to overflow!?!\n");
     retval = 0;
     goto cleanup;
   }
   size += ptr_tbl_size;
 
   size = (size + NACL_STACK_ALIGN_MASK) & ~NACL_STACK_ALIGN_MASK;
 
   if (size > nap->stack_size) {
     retval = 0;
     goto cleanup;
   }
 
   /* write strings and char * arrays to stack */
   stack_ptr = (nap->mem_start + ((uintptr_t) 1U << nap->addr_bits) - size);
 
   NaClLog(2, "setting stack to : %016"NACL_PRIxPTR"\n", stack_ptr);
 
   VCHECK(0 == (stack_ptr & NACL_STACK_ALIGN_MASK),
          ("stack_ptr not aligned: %016"NACL_PRIxPTR"\n", stack_ptr));
 
-  p = (char *) stack_ptr;
-  strp = p + ptr_tbl_size;
+  p = (uint32_t *) stack_ptr;
+  strp = (char *) stack_ptr + ptr_tbl_size;
 
-#define BLAT(t, v) do { \
-    *(t *) p = (t) v; p += sizeof(t);           \
-  } while (0);
+  /*
+   * For x86-32, we push an initial argument that is the address of
+   * the main argument block.  For other machines, this is passed
+   * in a register and that's set in NaClStartThreadInApp.
+   */
+  if (NACL_STACK_GETS_ARG) {
+    uint32_t *argloc = p++;
+    *argloc = NaClSysToUser(nap, (uintptr_t) p);
+  }
 
-  BLAT(nacl_reg_t, argc);
+  *p++ = 0;  /* Cleanup function pointer, always NULL.  */
+  *p++ = envc;
+  *p++ = argc;
 
   for (i = 0; i < argc; ++i) {
-    BLAT(uint32_t, NaClSysToUser(nap, (uintptr_t) strp));
+    *p++ = NaClSysToUser(nap, (uintptr_t) strp);
     NaClLog(2, "copying arg %d  %p -> %p\n",
             i, argv[i], strp);
     strcpy(strp, argv[i]);
     strp += argv_len[i];
   }
-  BLAT(uint32_t, 0);
+  *p++ = 0;  /* argv[argc] is NULL.  */
 
   for (i = 0; i < envc; ++i) {
-    BLAT(uint32_t, NaClSysToUser(nap, (uintptr_t) strp));
+    *p++ = NaClSysToUser(nap, (uintptr_t) strp);
     NaClLog(2, "copying env %d  %p -> %p\n",
             i, envv[i], strp);
     strcpy(strp, envv[i]);
     strp += envv_len[i];
   }
-  BLAT(uint32_t, 0);
+  *p++ = 0;  /* envp[envc] is NULL.  */
+
   /* Push an auxv */
   if (0 != nap->user_entry_pt) {
-    BLAT(uint32_t, AT_ENTRY);
-    BLAT(uint32_t, nap->user_entry_pt);
+    *p++ = AT_ENTRY;
+    *p++ = nap->user_entry_pt;
   }
-  BLAT(uint32_t, AT_NULL);
-  BLAT(uint32_t, 0);
-#undef BLAT
-  CHECK(p == (char *) stack_ptr + ptr_tbl_size);
+  *p++ = AT_NULL;
+  *p++ = 0;
+
+  CHECK((char *) p == (char *) stack_ptr + ptr_tbl_size);
 
   /* now actually spawn the thread */
   natp = malloc(sizeof *natp);
   if (!natp) {
     goto cleanup;
   }
 
   /* We are ready to distinguish crashes in trusted and untrusted code. */
   NaClSignalRegisterApp(nap);
 
   /* NaClApp initialization is completed, call OOP debugger hook. */
   NaClOopDebuggerAppCreateHook(nap);
 
   NaClXMutexLock(&nap->mu);
   nap->running = 1;
   NaClXMutexUnlock(&nap->mu);
 
   NaClVmHoleWaitToStartThread(nap);
 
+  /*
+   * For x86, we adjust the stack pointer down to push a dummy return
+   * address.  This happens after the stack pointer alignment.
+   */
+  if (NACL_STACK_PAD_BELOW_ALIGN != 0) {

[bsy, 2011/06/29 18:23:07]

if NACL_STACK_PAD_BELOW_ALIGN is zero, i bet the compilers are smart enough --
with memset an intrinsic -- that the if is actually not needed.  dead code
elimination of the constant boolean expression vs DCE of subtraction by zero and
memset of zero length....  i think it's slightly more readable to not have the
if, but your choice.

+    stack_ptr -= NACL_STACK_PAD_BELOW_ALIGN;
+    memset((void *) stack_ptr, 0, NACL_STACK_PAD_BELOW_ALIGN);
+  }
+
   NaClLog(2, "system stack ptr : %016"NACL_PRIxPTR"\n", stack_ptr);
   NaClLog(2, "  user stack ptr : %016"NACL_PRIxPTR"\n",
           NaClSysToUserStackAddr(nap, stack_ptr));
 
   /* e_entry is user addr */
   if (!NaClAppThreadAllocSegCtor(natp,
                                  nap,
                                  nap->initial_entry_pt,
                                  NaClSysToUserStackAddr(nap, stack_ptr),
                                  NaClUserToSys(nap, nap->break_addr))) {
@@ skipping 77 matching lines @@
                                  stack_ptr,
                                  sys_tls)) {
     NaClLog(LOG_WARNING,
             ("NaClCreateAdditionalThread: could not allocate thread index."
              "  Returning EAGAIN per POSIX specs.\n"));
     free(natp);
     return -NACL_ABI_EAGAIN;
   }
   return 0;
 }