[llvm-bugs] [Bug 151015] [lld][WebAssembly] `--stack-first` should be the default for wasm-ld

Mon, 28 Jul 2025 11:37:30 -0700

Issue 151015
Summary [lld][WebAssembly] `--stack-first` should be the default for wasm-ld
Labels lld
Assignees
Reporter whitequark 
    There are several arguments in favor of doing so:
- Without stack protectors enabled by default, any dynamic stack overflow checks, a default stack size of 64K (the smallest of any platform), and no memory protection, WebAssembly is [uniquely vulnerable](https://arxiv.org/abs/2410.17925) to stack smashing in a way that only the simplest microcontrollers that lack an MPU also are.
- Even ignoring the security aspect, the developer experience of encountering a stack overflow in the wild is [confusing and difficult to recognize even for a professional systems developer](https://github.com/WebAssembly/wasi-sdk/issues/551), tools like Wasmtime's `wmemcheck` do not recognize it, and LLVM's suite of sanitizers isn't available to detect it.
- Using `--stack-first` has [no code size overhead](https://github.com/WebAssembly/wasi-sdk/issues/551#issuecomment-3127799692) for the resulting artifact when otherwise default linker options are used.
 - Using `--stack-first` in conjunction with `--compress-relocations` has [well below 1% size overhead](https://github.com/WebAssembly/wasi-sdk/issues/551#issuecomment-3127841325).
- Other languages like Rust and Zig pass this option by default for the same reasons.

Although the [memory control](https://github.com/WebAssembly/memory-control) proposal will mitigate the need for this change, that proposal doesn't negate the need to make `--stack-first` the default now:
- Memory control is a Phase 1 proposal with uncertain design and adoption. We need to solve the problems listed above _yesterday_.
- Without inserting `__stkchk` calls, using guard pages won't be enough to eliminate stack smashing for functions that use VLAs or alloca, so even if memory control was widely available, `--stack-first` has its merit.

_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs

Reply via email to