An anonymous reader quotes a report from 404 Media, written by Jason Koebler: Over the last few months, various academics and AI companies have attempted to predict how artificial intelligence is going to impact the labor market. These studies, including a high-profile paper published by Anthropic earlier this month, largely try to take the things AI is good at, or could be good at, and match them to existing job categories and job tasks. But the papers ignore some of the most impactful and most common uses of AI today: AI porn and AI slop. Anthropic's paper, called "Labor market impacts of AI: A new measure and early evidence," essentially attempts to find 1:1 correlations between tasks that people do today at their jobs and things people are using Claude for. The researchers also try to predict if a job's tasks "are theoretically possible with AI," which resulted in this chart, which has gone somewhat viral and was included in a newsletter by MSNOW's Phillip Bump and threaded about by tech journalist Christopher Mims. (Because everything is terrible, the research is now also feeding into a gambling website where you can see the apparent odds of having your job replaced by AI.) In his thread, Mims makes the case that the "theoretical capability" of AI to do different jobs in different sectors is totally made up, and that this chart basically means nothing. Mims makes a good and fair observation: The nature of the many, many studies that attempt to predict which people are going to lose their jobs to AI are all flawed because the inputs must be guessed, to some degree. But I believe most of these studies are flawed in a deeper way: They do not take into account how people are actually actually using AI, though Anthropic claims that that is exactly what it is doing. "We introduce a new measure of AI displacement risk, observed exposure, that combines theoretical LLM capability and real-world usage data, weighting automated (rather than augmentative) and work-related uses more heavily," the researchers write. This is based in part on the "Anthropic Economic Index," which was introduced in an extremely long paper published in January that tries to catalog all the high-minded uses of AI in specific work-related contexts. These uses include "Complete humanities and social science academic assignments across multiple disciplines," "Draft and revise professional workplace correspondence and business communications," and "Build, debug, and customize web applications and websites." Not included in any of Anthropic's research are extremely popular uses of AI such as "create AI porn" and "create AI slop and spam." These uses are destroying discoverability on the internet, cause cascading societal and economic harms. "Anthropic's research continues a time-honored tradition by AI companies who want to highlight the 'good' uses of AI that show up in their marketing materials while ignoring the world-destroying applications that people actually use it for," argues Koebler. "Meanwhile, as we have repeatedly shown, huge parts of social media websites and Google search results have been overtaken by AI slop. Chatbots themselves have killed traffic to lots of websites that were once able to rely on ad revenue to employ people, so on and so forth..." "This is all to say that these studies about the economic impacts of AI are ignoring a hugely important piece of context: AI is eating and breaking the internet and social media," writes Koebler, in closing. "We are moving from a many-to-many publishing environment that created untold millions of jobs and businesses towards a system where AI tools can easily overwhelm human-created websites, businesses, art, writing, videos, and human activity on the internet. What's happening may be too chaotic, messy, and unpleasant for AI companies to want to reckon with, but to ignore it entirely is malpractice."

Read more of this story at Slashdot.

Big Tech is set to agree to build its own power plants for data centers and shield consumers from rising electricity costs, but companies face daunting logistical obstacles to delivering on the pledge championed by President Donald Trump.

At a White House event on Wednesday, executives from Amazon, Google, Meta, Microsoft, xAI, Oracle, and OpenAI are due to sign the pledge to supply their own power instead of relying on a grid connection.

Trump hailed the plan in his State of the Union speech last week, promising US consumers that “no one’s prices will go up” as a result of “energy demand from AI data centers.”

But industry executives have suggested the commitment will not be binding, while experts warn it is likely impossible to fully insulate consumers from the extra power demand coming from the vast expansion of data centers to run AI.

“Regardless of how these data centers connect, behind the meter or as part of the network, you’re going to increase demand,” said Ari Peskoe, director at Harvard Law School’s Electricity Law Initiative.

Independent power supplies for data centers most often come from gas turbines, which are in short supply and not always designed to provide continuous power. “We still need more of these turbines,” Peskoe added.

Trump’s pressure on big data center operators comes in response to consumer backlash and political pressure over rising power bills.

On the campaign trail in 2024, Trump pledged to cut energy bills in half within a year of taking office.

In reality, residential electricity costs rose by 6 percent nationwide in February, compared with a year before, according to the US Energy Information Administration.

States such as New Jersey and Pennsylvania, which have clusters of data centers, reported bigger increases at 16 percent and 19 percent respectively.

Natural gas prices, extreme weather, and the need to upgrade aging grid infrastructure have all contributed to higher costs—after decades of low investment in power plants and transmission lines. The hit to energy supplies from Trump’s war against Iran could add to the problem.

Critics of data centers say they are increasing energy bills by adding to demand. US data center power demand will more than triple by 2035, rising from almost 35 gigawatts in 2024 to 106 GW, according to data from BloombergNEF.

To avoid political backlash and waits of up to four years for grid connections, tech companies are already building their own power supplies for many new data centers.

Nearly three-quarters of planned generation equipment for data centers is natural gas fired, according to energy research firm Cleanview, which is tracking 56 GW of projects across the US.

Wednesday’s pledge would see tech companies expand these efforts to prevent higher power costs being pushed on to customer bills.

Josh Price, director of energy and utilities at strategy firm Capstone, said Big Tech was “trying to push back against the narrative that they’re the bad guy.”

But the boom in data center building is already pushing the limits of the supply chain for power generation, making it difficult for companies to meet their commitment to Trump.

Competition for gas turbines is fierce, with waits as long as seven years for new orders.

Turbine-maker GE Vernova said it would expand production by 25 percent, and Mitsubishi Power announced plans to double its output over the next two years. But manufacturers have been cautious about expanding capacity, and it may not be enough to meet booming demand.

Two-thirds of gas projects in development in the US have not announced a turbine manufacturer, according to Global Energy Monitor.

The price of gas turbines has risen sharply, and greater competition from tech companies will mean higher costs for utilities and industrial customers who also need generating capacity—costs that could still be passed on to ratepayers.

To overcome shortages, data centers are increasingly relying on alternatives. Companies, including Google and Microsoft, have also struck deals to reopen nuclear power plants, but these plans will take years to deliver.

In the near term, companies are using options such as reciprocal engines and diesel generators. Experts point out that these power sources, as well as ordinary gas turbines, are not designed to provide the kind of continuous power needed by data centers.

“They say, ‘we have documented evidence that these can run 90 percent of the time’... But that’s not the average use case,” said Jigar Shah, an energy investor and former Department of Energy official.

Keeping these data centers, and their power supplies, operational for decades would also present challenges around securing spare parts and qualified technicians, he added.

Shah said: “The level of ineptitude by which the data center companies are sleepwalking into major problems just seems shocking for trillion-dollar companies.”

© 2026 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.

Read full article

Comments

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.

A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket at the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address jay.miner232@gmail.com.

The cyber intelligence firm Intel 471 says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.

The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”

“I legit just work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.

Who is the Jacob that Qoft referred to as their business partner? The breach tracking service Constella Intelligence finds the password used by jay.miner232@gmail.com was reused by just one other email address: jacobbutler803@gmail.com. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).

Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.

Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca, the latter being an address at a domain for the Ottawa-Carelton District School Board.

Data indexed by the breach tracking service Spycloud suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were connected to the password “jacobsplugs.” Neither Jacob nor any of the other Butler household members responded to requests for comment.

The open source intelligence service Epieos finds jacobbutler803@gmail.com created the GitHub account “MemeClient.” Meanwhile, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket — one of Dort’s early monikers.

Why is Dort so mad? On January 2, KrebsOnSecurity published The Kimwolf Botnet is Stalking Your Local Network, which explored research into the botnet by Benjamin Brundage, founder of the proxy tracking service Synthient. Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices — like TV boxes and digital photo frames — plugged into the internal, private networks of proxy endpoints.

By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.

Last week, Dort and friends used that same Discord server (then named “Krebs’s Koinbase Kallers”) to threaten a swatting attack against Brundage, again posting his home address and personal information. Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.

Someone on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss track recorded by the user DortDev that included a stickied message from Dort saying, “Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch.”

“It’s a pretty hefty penny for a new front door,” the diss track intoned. “If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?”

With any luck, Dort will soon be able to tell us all exactly what it’s like.

Update, 10:29 a.m.: Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly via telephone. Butler said he didn’t notice earlier requests for comment because he hasn’t really been online since 2021, after his home was swatted multiple times. He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn’t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.

“It was a really old cheat and I don’t remember the name of it,” Butler said of his Minecraft modification. “I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest.”

When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort.

“Someone is actually probably impersonating me, and now I’m really worried,” Butler said. “This is making me relive everything.”

But there are issues with Butler’s timeline. For example, Jacob’s voice in our phone conversation was remarkably similar to the Jacob/Dort whose voice can be heard in this Sept. 2022 Clash of Code competition between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.

Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.

“I would like to clarify that was absolutely not me,” Butler said. “There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff.”

President Trump and the Federal Communications Commission chairman are demanding more positive media coverage of the Iran war. On Saturday, FCC Chairman Brendan Carr issued yet another threat to revoke licenses from news broadcasters, claiming without evidence that they are running "hoaxes and news distortions" related to the war in Iran.

In an X post, Carr shared a complaint about an Iran war headline that Trump had made on Truth Social and added his own commentary. "Broadcasters that are running hoaxes and news distortions—also known as the fake news—have a chance now to correct course before their license renewals come up," Carr wrote. "The law is clear. Broadcasters must operate in the public interest, and they will lose their licenses if they do not."

Carr making vague threats about enforcing rules against hoaxes and news distortion is nothing new. Given how difficult it is to actually revoke a broadcast license, and the fact that no TV station licenses are up for renewal until 2028, the threats so far have been attempts to intimidate news organizations without any concrete punishment.

What's slightly odd about Carr's latest threat is that it's based on a Trump complaint about a newspaper headline, not broadcast news coverage. The Trump post that spurred Carr's latest threat was about a Wall Street Journal article.

Carr has repeatedly claimed he's only targeting licensed broadcasters because they have an obligation to operate in the public interest as users of the public airwaves. Carr said in his Saturday message, "The American people have subsidized broadcasters to the tune of billions of dollars by providing free access to the nation’s airwaves." But the only example Carr provided was Trump's Truth Social post that didn't mention any broadcast reports.

Trump's quibble

Trump's complaint said, "Yet again, an intentionally misleading headline by the Fake News Media about the five tanker planes that were supposedly struck down at an Airport in Saudi Arabia, and of no further use. In actuality, the Base was hit a few days ago, but the planes were not 'struck' or 'destroyed.' Four of the five had virtually no damage, and are already back in service. One had slightly more damage, but will be in the air shortly. None were destroyed, or close to that, as the Fake News said in headlines."

The only specific news outlets Trump's post mentioned were The New York Times and The Wall Street Journal, but he was referring to a Wall Street Journal article. Even if Trump's version of events is true, his complaint wouldn't meet the legal standard for proving a hoax or news distortion, or even prove that the Journal got anything wrong. Trump claims the planes were not "struck" but said four out of five "had virtually no damage," which seemingly indicates that all five were struck and suffered some damage.

Trump's post seems to accuse the Journal of falsely reporting that the planes were destroyed and would not be used again. But the Journal article makes it clear the planes were merely damaged, not destroyed, and would be repaired. It said:

Five US Air Force refueling planes were struck and damaged on the ground at Prince Sultan air base in Saudi Arabia, according to two US officials.

The tankers were hit during an Iranian missile strike on the Saudi base in recent days, the officials said. US Central Command declined to comment. The tankers were damaged but not fully destroyed and are being repaired, one of the officials said. No one was killed in the strikes.

The Journal article was published on Friday, and Trump issued his complaint on Truth Social on Saturday morning. The Journal article was updated on Saturday afternoon to include a quote from Trump's Truth Social post. As far as we can tell, the article never claimed that any of the five tanker planes were destroyed. A Reuters article on Friday that quotes the WSJ report also uses the phrases "struck and damaged," and "not fully destroyed," undercutting Trump's claim of false reporting.

The Journal article's only reference to destroyed planes is related to a previous crash that killed six US military members. It said:

The news brings the total number of Air Force refueling planes damaged or destroyed to at least seven. It comes after two Air Force KC-135 refueling planes collided on Thursday, leading one of the aircraft to crash into the ground. All six crew members were killed, the Pentagon announced on Friday.

Trump "thrilled" by Carr's latest threat

While it doesn't appear that the Journal got anything wrong, it was the only example Carr provided in his complaint about fake news, hoaxes, and news distortions.

"It is very important to bring trust back into media, which has earned itself the label of fake news," Carr wrote. "When a political candidate is able to win a landslide election victory after in [sic] the face of hoaxes and distortions, there is something very wrong. It means the public has lost faith and confidence in the media. And we can’t allow that to happen. Time for change!"

Carr has repeatedly made statements of this sort during Trump's second term despite writing himself in 2019 that the government should not "censor speech it doesn’t like" and that the "FCC does not have a roving mandate to police speech in the name of the 'public interest.'"

Trump wrote last night that he is "thrilled to see Brendan Carr... looking at the licenses of some of these Corrupt and Highly Unpatriotic 'News' Organizations. They get Billions of Dollars of FREE American Airwaves, and use it to perpetuate LIES, both in News and almost all of their Shows, including the Late Night Morons, who get gigantic Salaries for horrible Ratings, and never get, as I used to say in The Apprentice, 'FIRED.'"

Secretary of Defense Pete Hegseth is also demanding more positive media coverage of the Iran war. Criticizing CNN reporting at a press conference on Friday, Hegseth said, "The sooner David Ellison takes over that network, the better." Hegseth was referring to Paramount Skydance's planned purchase of Warner Bros. Discovery, a deal that was helped along by the Trump administration.

Carr's threat to broadcast licenses was roundly criticized by Democrats. "If Trump doesn't like your coverage of the war, his FCC will pull your broadcast license. That is flagrantly unconstitutional," California Gov. Gavin Newsom wrote.

Sen. Elizabeth Warren (D-Mass.) wrote, "Constitutional law 101: it’s illegal for the government to censor free speech it just doesn’t like about Trump’s Iran war. This threat is straight out of the authoritarian playbook." Carr replied by quoting the Supreme Court's Red Lion Broadcasting decision in 1969, which said, "No one has a First Amendment right to a license or to monopolize a radio frequency; to deny a station license because 'the public interest' requires it 'is not a denial of free speech.'"

"This is worse than the comedian stuff"

Sen. Brian Schatz (D-Hawaii) wrote, "This is a clear directive to provide positive war coverage or else licenses may not be renewed. This is worse than the comedian stuff, and by a lot. The stakes here are much higher. He’s not talking about late night shows, he’s talking about how a war is covered."

Schatz was referring to Carr's previous threats to stations regarding late-night talk show hosts such as ABC host Jimmy Kimmel. Even some Republicans criticized Carr's Kimmel threats last year.

FCC Democrat Anna Gomez said the agency's threats are dangerous because they have a chilling effect on media coverage. But the threats themselves have no legal backing, she said.

"Once again, this FCC pretends it has the power to control news coverage," Gomez said in a statement today. "In reality, the FCC has vanishingly little power over national news networks. It licenses local broadcast stations, not networks, and no licenses are up for renewal until 2028. Early renewal attempts are exceedingly rare, and the process is so demanding that any effort would almost certainly fail, especially given the well-documented First Amendment violations underlying these moves. These threats are grounded in neither reality nor law and would not survive judicial scrutiny, just as other recent attempts by this administration to push beyond constitutional limits have repeatedly failed in court."

At least one Republican seems concerned about Carr's latest threat. On Fox News yesterday, Sen. Ron Johnson (R-Wis.) was asked about Carr threatening broadcast licenses over Iran war coverage, and whether he thinks it is the role of government to police that kind of coverage.

"I'm a big supporter of the First Amendment," Johnson responded. "I do not like the heavy hand of government no matter who's wielding it. I'd rather the federal government stay out of the private sector as much as possible. And really, the federal government's role is to protect our freedoms, to protect our constitutional rights."

Read full article

Comments

Judges are frequently confronted with cases that hinge upon scientific information that their educational backgrounds may leave them ill-equipped to manage. Because of this challenge, the Federal Judicial Center, a group within the judicial branch of the government, has collaborated with the National Academies of Sciences (NAS) to produce a reference manual that provides background on a range of scientific and medical issues that frequently confront the court system. The Reference Manual on Scientific Evidence is currently on its fourth edition, and it has turned out to be an unexpectedly controversial one.

For the first time, this edition of the Reference Manual has included a chapter on climate change, meant to prepare judges to manage and potentially decide cases focused on everything from federal environmental rules to charges that fossil fuel producers engaged in fraud by ignoring the many warnings of harms caused by their products. That didn't sit well with Republican politicians; a collection of red-state attorneys general sent a letter demanding that the Federal Judicial Center pull the chapter. Back in February, it complied, posting a modified version of the Reference Manual with the climate chapter deleted.

But, as noted above, the NAS arranges for the production of the Reference Manual, and it hosts a copy in its extensive library of publications. So, fresh off their success with the government, the same collection of attorneys general turned their sights on the Academies. In a letter dated February 19, they "urge" the NAS to follow the judiciary's example and delete the chapter. Citing sources such as a Wall Street Journal editorial and their own threatening letter, the attorneys general accuse the NAS of engaging in “one-sided advocacy” and “judicial indoctrination,” and say it "is building a reputation as a partisan actor."

The supposed partisan problems with the chapter? The authors and reviewers of the climate chapter accept that our emissions are warming the planet and argue that we need to dramatically reduce them—a position in keeping with the conclusions of the scientists on the Intergovernmental Panel on Climate change. The chapter also cites lawyers who have participated in climate-focused lawsuits, presumably because they are actually experts on the topic.

The attorneys general requested a response by March 2, one that addresses a set of leading questions, such as, "Why did the National Academies include a chapter on climate science that is not based on balanced or sound science?" and "What procedures will the National Academies establish to prevent similar advocacy-based chapters in future editions?" Since then, Ars has been contacting both the NAS and the Montana attorney general's office (which published the letter) to try to find out whether a response was provided.

We finally learned yesterday that the response had been issued two days ahead of the deadline (it's the final page of this PDF). Weighing in at just two sentences, the NAS says it used the same procedures to generate the climate chapter as it did for every other chapter, procedures that had been developed jointly with the Federal Judicial Center. "The manual, including the chapter on climate science, will continue to be available on the Academy's website," the response concludes.

The response leaves no obvious next step for the attorneys general. Their letter notes that the NAS is heavily dependent upon funding from the federal government to prepare its expert reports, and so producing reports that displease Republicans could be risky, but they have no ability to directly influence that funding.

Meanwhile, the political interference with the report drew a second response, this coming from many of the authors of the other chapters of the Reference Manual, who published an open letter decrying the political interference. In addition to noting the value of the Reference Manual and the rigorous peer review all chapters go through, the authors highlight the dangers posed by the actions of the attorneys general:

If political actors can determine which fields of established science are disfavored and off-limits to judicial education, every scientific discipline relevant to complex litigation becomes vulnerable to the same tactic. The integrity of the process by which judges evaluate scientific evidence should not be subject to political interference or veto.

The real danger is long term. If chapters continue to get deleted any time they run afoul of the current political winds, then it will become increasingly challenging to get the best scientists and legal scholars to contribute to the manual or its peer review. Over time, the quality of the material will decay, leaving judges less well-prepared to face cases with a heavy scientific component. Society as a whole will end up the loser.

Read full article

Comments

The last time we looked at the Windows stack limit checker on x86-32 (also known as i386), we noted that the function has changed over the years. Here’s the revised version.

_chkstk:
    push    ecx             ; remember desired allocation size

    lea     ecx, [esp][4]   ; ecx = original stack pointer - 4
    sub     ecx, eax        ; ecx = new stack pointer - 4

    sbb     eax, eax        ; clamp ecx to zero if underflow
    not     eax
    and     ecx, eax

    mov     eax, esp        ; round current stack pointer
    and     eax, -PAGE_SIZE ; to page boundary

    ; eax = most recently probed page
    ; ecx = desired final stack pointer

check:
    cmp     ecx, eax        ; done probing?
    jb      probe           ; N: keep probing

    mov     eax, ecx        ; eax = desired final stack pointer - 4
    pop     ecx             ; recover original stack size
    xchg    esp, eax        ; move stack pointer to final home - 4
                            ; eax gets old stack pointer
    mov     eax, [eax]      ; get return address
    mov     [esp], eax      ; put it on top of the stack
    ret                     ; and "return" to it

cs20:
    sub     eax, PAGE_SIZE  ; move to next page
    test    [eax], eax      ; probe it
    jmp     check           ; go back to see if we're done

Instead of jumping to the caller, the code copies the caller’s address to the top of the stack and performs a ret. This is a significant change because it avoids desynchronizing the return address predictor.

The ret will increment the stack pointer by four bytes, so the code over-allocates the stack by 4 bytes to compensate.

This code remains a drop-in replacement for the old chkstk function, so there is no need to change the compiler’s code generator. It also means that you can link together code compiled with the old chkstk and the new chkstk since the two versions are compatible. It does mean that we still has the wacky calling convention of returning with an adjusted stack pointer, but that’s now part of the ABI so we have to live with it.

Since we perform a ret instruction on a return address that was not placed there by a matching call instruction, this code is not compatible with shadow stacks (which Intel calls Control-Flow Enforcement Technology, or CET). The chkstk function’s wacky calling convention makes it incompatible with shadow stacks.

Okay, so much for that sadness. Next time, we’ll look at the Alpha AXP.

The post Windows stack limit checking retrospective: x86-32 also known as i386, second try appeared first on The Old New Thing.