gdb has some automatic support for nexting over longjmp. It relies on the user setting LD_POINTER_GUARD=0 to avoid pointer mangling. This code does not work on glibc 2.8 (Fedora 9). I believe the problem is that on x86 (and x86-64), LD_POINTER_GUARD=0 still does a transformation. From libc/sysdeps/unix/sysv/linux/i386/sysdep.h:

# define PTR_MANGLE(reg) xorl %gs:POINTER_GUARD, reg; \
                         roll $9, reg

The rotate is done unconditionally. (x86-64 is similar)
There is nothing that can be realistically done. Pointer encryption is meant to be possible in performance critical situations. There the additional test to see whether the envvar is set is too expensive. The effect of the envvar is that no formula is needed to decode the pointers. No randomness involved. Just always shift the pointers.
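To see concretely why LD_POINTER_GUARD=0 does not make a saved jmp_buf slot readable as a raw address, here is an added C re-implementation of the i386 PTR_MANGLE / PTR_DEMANGLE sequence quoted in the report (this is example code, not glibc's or gdb's own; the 32-bit width, the rotate count of 9 and the sample address 0x08048abc are taken from or constructed around the snippet above).

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate amount from the i386 macro on the page: "roll $9, reg". */
#define ROT 9

static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* PTR_MANGLE: xor with %gs:POINTER_GUARD, then rotate left by 9.
 * The rotate happens regardless of the guard value. */
uint32_t ptr_mangle(uint32_t p, uint32_t guard) { return rol32(p ^ guard, ROT); }

/* PTR_DEMANGLE: undo in reverse order (rotate right, then xor). */
uint32_t ptr_demangle(uint32_t m, uint32_t guard) { return ror32(m, ROT) ^ guard; }

/* What gdb's nexting-over-longjmp code assumes when LD_POINTER_GUARD=0:
 * that the stored value equals the raw pointer. Returns 1 only if that
 * assumption holds for this pointer. */
int guard_zero_is_identity(uint32_t p) { return ptr_mangle(p, 0) == p; }

int main(void) {
    uint32_t pc = 0x08048abcu;            /* constructed sample saved PC */
    uint32_t stored = ptr_mangle(pc, 0);  /* guard cleared by the envvar */

    printf("raw PC            : 0x%08x\n", pc);
    printf("stored (guard=0)  : 0x%08x\n", stored);
    printf("identity?         : %s\n", guard_zero_is_identity(pc) ? "yes" : "no");
    printf("demangled (ror 9) : 0x%08x\n", ptr_demangle(stored, 0));

    /* With a real guard, the debugger must also know the guard word,
     * which is the reason LD_POINTER_GUARD=0 was relied on in the first place. */
    uint32_t guard = 0xdeadbeefu;         /* constructed sample guard */
    printf("round trip, guard : 0x%08x\n",
           ptr_demangle(ptr_mangle(pc, guard), guard));
    return 0;
}
```

A debugger that only clears the guard therefore still has to apply the fixed rotate-right-by-9 (or the x86-64 equivalent) before treating the slot as an address.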