feat(mem): VCR-MEM-001 layer-1 — native-pointer shadow-stack reservation shrink (#383, #242)#409
Merged
Merged
Conversation
…ion shrink (#383, #242) Implements the `--shadow-stack-size B` shrink that PR#388 scaffolded as honest-Err. Under --native-pointer-abi, re-bases the SP global slot sp_init→B and resizes the NOBITS .bss reservation to B + static-tail, unblocking tiny-RAM targets (gale's gust kernel: declared (memory 17)≈1 MiB → 8 KiB STM32F100). Correct-by-construction for the verified gust geometry (stack-first: statics at/above sp_init are retargeted into the packed .data via #354, so the only static relocs still pointing into the .bss are addend-0 region-base pointers, stable because __synth_wasm_data stays at offset 0). REFUSES honestly (typed Err) for any geometry it can't prove safe: one-PROGBITS fallback, budget > sp_init, a non-zero inline static addend into the reservation (down-shift = deferred general case), a non-Abs32 reservation reloc, or an ambiguous SP global. Opt-in: default unset reserves the full page. Measured on gust_kernel.wasm: --shadow-stack-size 4096 → bss 1048720 → 4240, SP slot 1048576 → 4096, text/data + all 10 relocs unchanged. Frozen fixtures (control_step/flight_seam/flight_seam_flat) byte-identical with the flag off (verified by cmp vs clean main). gale on-silicon reflash on this fixture is the final gate. Tests (shadow_stack_shrink_383.rs, via the real binary + object .bss parse): shrink→4240, no-flag→1048720, budget>sp_init→honest refuse. Implements: VCR-MEM-001 Trace: VCR-MEM-001 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Implements the
--shadow-stack-size Bshrink that PR#388 scaffolded as honest-Err. Under--native-pointer-abi, re-bases the SP global slotsp_init→Band resizes the NOBITS.bssreservation toB + static-tail— unblocking tiny-RAM targets (gale's gust kernel: declared(memory 17)≈1 MiB → 8 KiB STM32F100). Opt-in: default unset reserves the full page.Correctness model
Correct-by-construction for the verified gust geometry (stack-first): statics at/above
sp_initare retargeted into the packed.data(#354), so the only static relocs still pointing into the.bssare addend-0 region-base pointers — stable because__synth_wasm_datastays at offset 0. Refuses honestly (typed Err) for any geometry it can't prove safe: one-PROGBITS fallback,B > sp_init, a non-zero inline static addend into the reservation (down-shift = deferred general case), a non-Abs32 reservation reloc, or an ambiguous SP global.Verification
msgq_put_359.wasm(--native-pointer-abi, the elf: high-offset init segment defeats the #345 .bss split — stack_push dissolves to a 64KB PROGBITS .data (MCU-unshippable) #354/Arg-register lowering drops/shifts the first arg for calls with 5 args + struct(sret) return (cortex-m4f, --native-pointer-abi) #359 mixed-split case):cmpidentical vs clean main. (The non-native frozen fixtures are unaffected by construction — they take the early return.)native_pointer_shadow_stack:frame_roundtripcorrect, SP restored).native_pointer_shadow_stackwith--shadow-stack-size 2048(sp_init 4096→2048) →frame_roundtripreturns correct values for all inputs — the store through the re-based shadow-stack pointer lands correctly in the shrunk region (the base-pointer+offset access a reloc scan can't see). SP slot reads the re-based 2048 as intended.--shadow-stack-size 4096→ bss1048720 → 4240, SP slot1048576 → 4096, text/data + all 10 relocs unchanged.shadow_stack_shrink_383.rs, real binary +object.bssparse): shrink→4240, no-flag→1048720,budget>sp_init→honest refuse.Gate
This is the link-fragile native-pointer flight path (#345/#354/#359 history). gale's on-silicon reflash on this exact
gust_kernel.wasmis the final runtime gate — green CI here is necessary, not sufficient. The asserted-budget contract (B must cover everything live above address 0, incl. heap; safe for no-grow MCU images) is documented in the flag help text.Implements VCR-MEM-001 layer-1. Refs: gale#383, gale#91, #242.
🤖 Generated with Claude Code