Implement stack clash protection if necessary

[yorickpeterse]

Description

Looking into #925 reminded me that we don't implement stack clash protection, meaning it's in theory possible to allocate data on the stack that hops over guard pages.

While we could implement runtime probing (see https://blog.llvm.org/posts/2021-01-05-stack-clash-protection/ and LLVM's probe-stack function attribute), I wonder if a similarly sufficient protection is to just limit stack types to at most 4 KiB (the smallest page size that I think is in use today).

We should first figure out if this is even necessary, and ideally come up with something that won't require runtime overhead (if at all possible).

Related work

• https://lwn.net/Articles/725832/
• https://blog.llvm.org/posts/2021-01-05-stack-clash-protection/
• Use probe-stack=inline-asm in LLVM 11+ rust-lang/rust#77885
• https://github.com/search?q=repo%3Allvm%2Fllvm-project+%22inline-asm%22+%22probe-stack%22&type=code&p=1
• Enable stack probes on aarch64 for LLVM 18 rust-lang/rust#118491

[yorickpeterse]

Based on the Rust code it seems you can set the LLVM function attribute probe-stack to inline-asm and it will generate the assembly for you. However, thus far I've not been able to find where this is actually documented.

[yorickpeterse]

I quickly hacked together the following diff to see if this would resolve #925:

diff --git a/compiler/src/llvm/context.rs b/compiler/src/llvm/context.rs
index 0b47615d..0cecd015 100644
--- a/compiler/src/llvm/context.rs
+++ b/compiler/src/llvm/context.rs
@@ -55,6 +55,14 @@ impl Context {
         self.inner.create_enum_attribute(id, 0)
     }

+    pub(crate) fn string_attribute(
+        &self,
+        name: &str,
+        value: &str,
+    ) -> Attribute {
+        self.inner.create_string_attribute(name, value)
+    }
+
     pub(crate) fn pointer_type(&self) -> PointerType<'_> {
         self.inner.ptr_type(AddressSpace::default())
     }
diff --git a/compiler/src/llvm/module.rs b/compiler/src/llvm/module.rs
index f6aff0a1..52681731 100644
--- a/compiler/src/llvm/module.rs
+++ b/compiler/src/llvm/module.rs
@@ -223,6 +223,11 @@ impl<'a, 'ctx> Module<'a, 'ctx> {
                 fn_val.add_attribute(AttributeLoc::Function, noret);
             }

+            let probe =
+                self.context.string_attribute("probe-stack", "inline-asm");
+
+            fn_val.add_attribute(AttributeLoc::Function, probe);
+
             fn_val
         })
     }

This however doesn't fix the issue, so it doesn't seem like we're jumping past guard pages?