https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96191
--- Comment #3 from Jim Wilson <wilson at gcc dot gnu.org> --- The location of the canary is not known to the attacker. You are not supposed to leak the address of the canary or the value of the canary. If you leak either, then an attacker has a chance to restore the canary after clobbering it. See the descriptions of the stack_protect_set and stack_protect_test patterns in gcc/doc/md.texi which make clear that no intermediate values should be allowed to survive past the end of the pattern.
