Zircon Kernel Invariants

On x86, Zircon needs to maintain the following invariants for code running in ring 0 (kernel mode).

These invariants are documented here because they are not necessarily easy to test -- breaking an invariant will not necessarily be caught by Zircon's test suite.

  • Flags register:

    • The direction flag (DF) should be 0. This is required by the x86 calling conventions.

    If this flag is set to 1, uses of x86 string instructions (e.g. rep movs in memcpy() or inlined by the compiler) can go wrong and copy in the wrong direction. It is OK for a function to set this flag to 1 temporarily as long as it changes it back to 0 before returning or calling other functions.

    • The alignment check flag (AC) should normally be 0. On CPUs that support SMAP, this prevents the kernel from accidentally reading or writing userland data.
  • The gs_base register must point to the current CPU's x86_percpu struct whenever running in kernel mode with interrupts enabled. gs_base should only be changed to point to something else while interrupts are disabled. For example, the swapgs instruction should only be used when interrupts are disabled.

  • The following are partially enforced by the compiler:

    • No use of extended registers (SSE, AVX, x87, etc.) is allowed, because that would clobber userland's register state.

    This is partially achieved by passing -mno-sse to the compiler. This option is necessary to prevent the compiler from using SSE registers in optimizations (e.g. memory copies).

    We would like to prevent accidentally using the float or double types in kernel code, but GCC and Clang won't do that for us in all cases. -mno-sse does not prevent using float/double with either compiler -- the compilers will use x87 instructions instead.

    We compile with -msoft-float, which seems to prevent GCC from generating x87 instructions (and hence using x87 registers): GCC 6.3.0 will give an error on float/double arithmetic and return values, but it does not prevent passing these types around as arguments. However, passing -msoft-float to Clang seems to have no effect: Clang 7.0.0 will still generate x87 instructions (and use x87 registers) for code using float or double.

    • No storing data below %rsp on the stack. Note that userland code can do this: the SysV x86-64 ABI allows functions to store data in the "red zone", which is the 128 bytes below %rsp. However, kernel code cannot use the red zone because interrupts may clobber this region -- the CPU pushes data onto the stack immediately below %rsp when it invokes an interrupt handler.

    This is generally enforced by passing -mno-red-zone to the compiler.