1 /* Stack overflow handling.
3 Copyright (C) 2002, 2004, 2006, 2008-2021 Free Software Foundation, Inc.
5 This program is free software: you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 3 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <https://www.gnu.org/licenses/>. */
18 /* Written by Paul Eggert. */
22 A program that uses alloca, dynamic arrays, or large local
23 variables may extend the stack by more than a page at a time. If
24 so, when the stack overflows the operating system may not detect
25 the overflow until the program uses the array, and this module may
26 incorrectly report a program error instead of a stack overflow.
28 To avoid this problem, allocate only small objects on the stack; a
29 program should be OK if it limits single allocations to a page or
30 less. Allocate larger arrays in static storage, or on the heap
31 (e.g., with malloc). Yes, this is a pain, but we don't know of any
32 better solution that is portable.
34 No attempt has been made to deal with multithreaded applications. */
44 #if ! HAVE_STACK_T && ! defined stack_t
45 typedef struct sigaltstack stack_t
;
53 /* Pre-2008 POSIX declared ucontext_t in ucontext.h instead of signal.h. */
55 # include <ucontext.h>
67 #define _(msgid) gettext (msgid)
69 /* Use libsigsegv only if needed; kernels like Solaris can detect
70 stack overflow without the overhead of an external library. */
71 #define USE_LIBSIGSEGV (!HAVE_XSI_STACK_OVERFLOW_HEURISTIC && HAVE_LIBSIGSEGV)
78 #include "ignore-value.h"
80 #include "getprogname.h"
82 #if defined SA_ONSTACK && defined SA_SIGINFO
83 # define SIGINFO_WORKS 1
85 # define SIGINFO_WORKS 0
91 /* Storage for the alternate signal stack.
92 64 KiB is not too large for Gnulib-using apps, and is large enough
93 for all known platforms. Smaller sizes may run into trouble.
94 For example, libsigsegv 2.6 through 2.8 have a bug where some
95 architectures use more than the Linux default of an 8 KiB alternate
96 stack when deciding if a fault was caused by stack overflow. */
97 static max_align_t alternate_signal_stack
[(64 * 1024
98 + sizeof (max_align_t
) - 1)
99 / sizeof (max_align_t
)];
101 /* The user-specified action to take when a SEGV-related program error
102 or stack overflow occurs. */
103 static _GL_ASYNC_SAFE
void (* volatile segv_action
) (int);
105 /* Translated messages for program errors and stack overflow. Do not
106 translate them in the signal handler, since gettext is not
107 async-signal-safe. */
108 static char const * volatile program_error_message
;
109 static char const * volatile stack_overflow_message
;
111 #if (USE_LIBSIGSEGV \
112 || (HAVE_DECL_SIGALTSTACK && HAVE_STACK_OVERFLOW_HANDLING))
114 /* Output an error message, then exit with status EXIT_FAILURE if it
115 appears to have been a stack overflow, or with a core dump
116 otherwise. This function is async-signal-safe. */
118 static char const * volatile progname
;
120 static _GL_ASYNC_SAFE _Noreturn
void
123 # if !SIGINFO_WORKS && !USE_LIBSIGSEGV
124 /* We can't easily determine whether it is a stack overflow; so
125 assume that the rest of our program is perfect (!) and that
126 this segmentation violation is a stack overflow. */
130 char const *message
= signo
? program_error_message
: stack_overflow_message
;
132 /* If the message is short, write it all at once to avoid
133 interleaving with other messages. Avoid writev as it is not
134 documented to be async-signal-safe. */
135 size_t prognamelen
= strlen (progname
);
136 size_t messagelen
= strlen (message
);
137 static char const separator
[] = {':', ' '};
138 char buf
[sizeof alternate_signal_stack
/ 16 + sizeof separator
];
140 if (prognamelen
+ messagelen
< sizeof buf
- sizeof separator
)
142 char *p
= mempcpy (buf
, progname
, prognamelen
);
143 p
= mempcpy (p
, separator
, sizeof separator
);
144 p
= mempcpy (p
, message
, messagelen
);
150 ignore_value (write (STDERR_FILENO
, progname
, prognamelen
));
151 ignore_value (write (STDERR_FILENO
, separator
, sizeof separator
));
152 ignore_value (write (STDERR_FILENO
, message
, messagelen
));
156 ignore_value (write (STDERR_FILENO
, buf
, buflen
));
159 _exit (exit_failure
);
164 static _GL_ASYNC_SAFE
void
165 null_action (int signo _GL_UNUSED
)
169 #endif /* SIGALTSTACK || LIBSIGSEGV */
173 /* Pacify GCC 9.3.1, which otherwise would complain about segv_handler. */
174 # if __GNUC_PREREQ (4, 6)
175 # pragma GCC diagnostic ignored "-Wsuggest-attribute=pure"
178 /* Nonzero if general segv handler could not be installed. */
179 static volatile int segv_handler_missing
;
181 /* Handle a segmentation violation and exit if it cannot be stack
182 overflow. This function is async-signal-safe. */
184 static _GL_ASYNC_SAFE
int
185 segv_handler (void *address _GL_UNUSED
, int serious
)
190 int saved_errno
= errno
;
191 ignore_value (write (STDERR_FILENO
, buf
,
192 sprintf (buf
, "segv_handler serious=%d\n", serious
)));
197 /* If this fault is not serious, return 0 to let the stack overflow
198 handler take a shot at it. */
204 /* Handle a segmentation violation that is likely to be a stack
205 overflow and exit. This function is async-signal-safe. */
207 static _GL_ASYNC_SAFE _Noreturn
void
208 overflow_handler (int emergency
, stackoverflow_context_t context _GL_UNUSED
)
213 ignore_value (write (STDERR_FILENO
, buf
,
214 sprintf (buf
, ("overflow_handler emergency=%d"
215 " segv_handler_missing=%d\n"),
216 emergency
, segv_handler_missing
)));
220 die ((!emergency
|| segv_handler_missing
) ? 0 : SIGSEGV
);
224 c_stack_action (_GL_ASYNC_SAFE
void (*action
) (int))
226 segv_action
= action
? action
: null_action
;
227 program_error_message
= _("program error");
228 stack_overflow_message
= _("stack overflow");
229 progname
= getprogname ();
231 /* Always install the overflow handler. */
232 if (stackoverflow_install_handler (overflow_handler
,
233 alternate_signal_stack
,
234 sizeof alternate_signal_stack
))
239 /* Try installing a general handler; if it fails, then treat all
240 segv as stack overflow. */
241 segv_handler_missing
= sigsegv_install_handler (segv_handler
);
245 #elif HAVE_DECL_SIGALTSTACK && HAVE_STACK_OVERFLOW_HANDLING
249 static size_t volatile page_size
;
251 /* Handle a segmentation violation and exit. This function is
252 async-signal-safe. */
254 static _GL_ASYNC_SAFE _Noreturn
void
255 segv_handler (int signo
, siginfo_t
*info
, void *context _GL_UNUSED
)
257 /* Clear SIGNO if it seems to have been a stack overflow. */
259 /* If si_code is nonpositive, something like raise (SIGSEGV) occurred
260 so it cannot be a stack overflow. */
261 bool cannot_be_stack_overflow
= info
->si_code
<= 0;
263 /* An unaligned address cannot be a stack overflow. */
264 # if FAULT_YIELDS_SIGBUS
265 cannot_be_stack_overflow
|= signo
== SIGBUS
&& info
->si_code
== BUS_ADRALN
;
268 /* If we can't easily determine that it is not a stack overflow,
269 assume that the rest of our program is perfect (!) and that
270 this segmentation violation is a stack overflow.
272 Note that although both Linux and Solaris provide
273 sigaltstack, SA_ONSTACK, and SA_SIGINFO, currently only
274 Solaris satisfies the XSI heuristic. This is because
275 Solaris populates uc_stack with the details of the
276 interrupted stack, while Linux populates it with the details
277 of the current stack. */
278 if (!cannot_be_stack_overflow
)
280 /* If the faulting address is within the stack, or within one
281 page of the stack, assume that it is a stack overflow. */
282 uintptr_t faulting_address
= (uintptr_t) info
->si_addr
;
284 /* On all platforms we know of, the first page is not in the
285 stack to catch null pointer dereferening. However, all other
286 pages might be in the stack. */
287 void *stack_base
= (void *) (uintptr_t) page_size
;
288 uintptr_t stack_size
= 0; stack_size
-= page_size
;
289 # if HAVE_XSI_STACK_OVERFLOW_HEURISTIC
290 /* Tighten the stack bounds via the XSI heuristic. */
291 ucontext_t
const *user_context
= context
;
292 stack_base
= user_context
->uc_stack
.ss_sp
;
293 stack_size
= user_context
->uc_stack
.ss_size
;
295 uintptr_t base
= (uintptr_t) stack_base
,
296 lo
= (INT_SUBTRACT_WRAPV (base
, page_size
, &lo
) || lo
< page_size
298 hi
= ((INT_ADD_WRAPV (base
, stack_size
, &hi
)
299 || INT_ADD_WRAPV (hi
, page_size
- 1, &hi
))
301 if (lo
<= faulting_address
&& faulting_address
<= hi
)
307 ignore_value (write (STDERR_FILENO
, buf
,
309 ("segv_handler code=%d fault=%p base=%p"
310 " size=0x%zx page=0x%zx signo=%d\n"),
311 info
->si_code
, info
->si_addr
, stack_base
,
312 stack_size
, page_size
, signo
)));
322 c_stack_action (_GL_ASYNC_SAFE
void (*action
) (int))
326 st
.ss_sp
= alternate_signal_stack
;
327 st
.ss_size
= sizeof alternate_signal_stack
;
328 # if SIGALTSTACK_SS_REVERSED
329 /* Irix mistakenly treats ss_sp as the upper bound, rather than
330 lower bound, of the alternate stack. */
331 st
.ss_size
-= sizeof (void *);
332 char *ss_sp
= st
.ss_sp
;
333 st
.ss_sp
= ss_sp
+ st
.ss_size
;
335 int r
= sigaltstack (&st
, NULL
);
339 segv_action
= action
? action
: null_action
;
340 program_error_message
= _("program error");
341 stack_overflow_message
= _("stack overflow");
342 progname
= getprogname ();
345 page_size
= sysconf (_SC_PAGESIZE
);
348 struct sigaction act
;
349 sigemptyset (&act
.sa_mask
);
352 /* POSIX 1003.1-2001 says SA_RESETHAND implies SA_NODEFER, but
353 this is not true on Solaris 8 at least. It doesn't hurt to use
354 SA_NODEFER here, so leave it in. */
355 act
.sa_flags
= SA_NODEFER
| SA_ONSTACK
| SA_RESETHAND
| SA_SIGINFO
;
356 act
.sa_sigaction
= segv_handler
;
358 act
.sa_flags
= SA_NODEFER
| SA_ONSTACK
| SA_RESETHAND
;
359 act
.sa_handler
= die
;
362 # if FAULT_YIELDS_SIGBUS
363 if (sigaction (SIGBUS
, &act
, NULL
) < 0)
366 return sigaction (SIGSEGV
, &act
, NULL
);
369 #else /* ! (USE_LIBSIGSEGV
370 || (HAVE_DECL_SIGALTSTACK && HAVE_STACK_OVERFLOW_HANDLING)) */
373 c_stack_action (_GL_ASYNC_SAFE
void (*action
) (int) _GL_UNUSED
)