// Copyright 2012 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. //go:build unix package runtime import ( "internal/abi" "internal/runtime/atomic" "internal/runtime/sys" "unsafe" ) // sigTabT is the type of an entry in the global sigtable array. // sigtable is inherently system dependent, and appears in OS-specific files, // but sigTabT is the same for all Unixy systems. // The sigtable array is indexed by a system signal number to get the flags // and printable name of each signal. type sigTabT struct { flags int32 name string } //go:linkname os_sigpipe os.sigpipe func os_sigpipe() { systemstack(sigpipe) } func signame(sig uint32) string { if sig >= uint32(len(sigtable)) { return "" } return sigtable[sig].name } const ( _SIG_DFL uintptr = 0 _SIG_IGN uintptr = 1 ) // sigPreempt is the signal used for non-cooperative preemption. // // There's no good way to choose this signal, but there are some // heuristics: // // 1. It should be a signal that's passed-through by debuggers by // default. On Linux, this is SIGALRM, SIGURG, SIGCHLD, SIGIO, // SIGVTALRM, SIGPROF, and SIGWINCH, plus some glibc-internal signals. // // 2. It shouldn't be used internally by libc in mixed Go/C binaries // because libc may assume it's the only thing that can handle these // signals. For example SIGCANCEL or SIGSETXID. // // 3. It should be a signal that can happen spuriously without // consequences. For example, SIGALRM is a bad choice because the // signal handler can't tell if it was caused by the real process // alarm or not (arguably this means the signal is broken, but I // digress). SIGUSR1 and SIGUSR2 are also bad because those are often // used in meaningful ways by applications. // // 4. We need to deal with platforms without real-time signals (like // macOS), so those are out. // // We use SIGURG because it meets all of these criteria, is extremely // unlikely to be used by an application for its "real" meaning (both // because out-of-band data is basically unused and because SIGURG // doesn't report which socket has the condition, making it pretty // useless), and even if it is, the application has to be ready for // spurious SIGURG. SIGIO wouldn't be a bad choice either, but is more // likely to be used for real. const sigPreempt = _SIGURG // Stores the signal handlers registered before Go installed its own. // These signal handlers will be invoked in cases where Go doesn't want to // handle a particular signal (e.g., signal occurred on a non-Go thread). // See sigfwdgo for more information on when the signals are forwarded. // // This is read by the signal handler; accesses should use // atomic.Loaduintptr and atomic.Storeuintptr. var fwdSig [_NSIG]uintptr // handlingSig is indexed by signal number and is non-zero if we are // currently handling the signal. Or, to put it another way, whether // the signal handler is currently set to the Go signal handler or not. // This is uint32 rather than bool so that we can use atomic instructions. var handlingSig [_NSIG]uint32 // channels for synchronizing signal mask updates with the signal mask // thread var ( disableSigChan chan uint32 enableSigChan chan uint32 maskUpdatedChan chan struct{} ) func init() { // _NSIG is the number of signals on this operating system. // sigtable should describe what to do for all the possible signals. if len(sigtable) != _NSIG { print("runtime: len(sigtable)=", len(sigtable), " _NSIG=", _NSIG, "\n") throw("bad sigtable len") } } var signalsOK bool // Initialize signals. // Called by libpreinit so runtime may not be initialized. // //go:nosplit //go:nowritebarrierrec func initsig(preinit bool) { if !preinit { // It's now OK for signal handlers to run. signalsOK = true } // For c-archive/c-shared this is called by libpreinit with // preinit == true. if (isarchive || islibrary) && !preinit { return } for i := uint32(0); i < _NSIG; i++ { t := &sigtable[i] if t.flags == 0 || t.flags&_SigDefault != 0 { continue } // We don't need to use atomic operations here because // there shouldn't be any other goroutines running yet. fwdSig[i] = getsig(i) if !sigInstallGoHandler(i) { // Even if we are not installing a signal handler, // set SA_ONSTACK if necessary. if fwdSig[i] != _SIG_DFL && fwdSig[i] != _SIG_IGN { setsigstack(i) } else if fwdSig[i] == _SIG_IGN { sigInitIgnored(i) } continue } handlingSig[i] = 1 setsig(i, abi.FuncPCABIInternal(sighandler)) } } //go:nosplit //go:nowritebarrierrec func sigInstallGoHandler(sig uint32) bool { // For some signals, we respect an inherited SIG_IGN handler // rather than insist on installing our own default handler. // Even these signals can be fetched using the os/signal package. switch sig { case _SIGHUP, _SIGINT: if atomic.Loaduintptr(&fwdSig[sig]) == _SIG_IGN { return false } } if (GOOS == "linux" || GOOS == "android") && !iscgo && sig == sigPerThreadSyscall { // sigPerThreadSyscall is the same signal used by glibc for // per-thread syscalls on Linux. We use it for the same purpose // in non-cgo binaries. return true } t := &sigtable[sig] if t.flags&_SigSetStack != 0 { return false } // When built using c-archive or c-shared, only install signal // handlers for synchronous signals and SIGPIPE and sigPreempt. if (isarchive || islibrary) && t.flags&_SigPanic == 0 && sig != _SIGPIPE && sig != sigPreempt { return false } return true } // sigenable enables the Go signal handler to catch the signal sig. // It is only called while holding the os/signal.handlers lock, // via os/signal.enableSignal and signal_enable. func sigenable(sig uint32) { if sig >= uint32(len(sigtable)) { return } // SIGPROF is handled specially for profiling. if sig == _SIGPROF { return } t := &sigtable[sig] if t.flags&_SigNotify != 0 { ensureSigM() enableSigChan <- sig <-maskUpdatedChan if atomic.Cas(&handlingSig[sig], 0, 1) { atomic.Storeuintptr(&fwdSig[sig], getsig(sig)) setsig(sig, abi.FuncPCABIInternal(sighandler)) } } } // sigdisable disables the Go signal handler for the signal sig. // It is only called while holding the os/signal.handlers lock, // via os/signal.disableSignal and signal_disable. func sigdisable(sig uint32) { if sig >= uint32(len(sigtable)) { return } // SIGPROF is handled specially for profiling. if sig == _SIGPROF { return } t := &sigtable[sig] if t.flags&_SigNotify != 0 { ensureSigM() disableSigChan <- sig <-maskUpdatedChan // If initsig does not install a signal handler for a // signal, then to go back to the state before Notify // we should remove the one we installed. if !sigInstallGoHandler(sig) { atomic.Store(&handlingSig[sig], 0) setsig(sig, atomic.Loaduintptr(&fwdSig[sig])) } } } // sigignore ignores the signal sig. // It is only called while holding the os/signal.handlers lock, // via os/signal.ignoreSignal and signal_ignore. func sigignore(sig uint32) { if sig >= uint32(len(sigtable)) { return } // SIGPROF is handled specially for profiling. if sig == _SIGPROF { return } t := &sigtable[sig] if t.flags&_SigNotify != 0 { atomic.Store(&handlingSig[sig], 0) setsig(sig, _SIG_IGN) } } // clearSignalHandlers clears all signal handlers that are not ignored // back to the default. This is called by the child after a fork, so that // we can enable the signal mask for the exec without worrying about // running a signal handler in the child. // //go:nosplit //go:nowritebarrierrec func clearSignalHandlers() { for i := uint32(0); i < _NSIG; i++ { if atomic.Load(&handlingSig[i]) != 0 { setsig(i, _SIG_DFL) } } } // setProcessCPUProfilerTimer is called when the profiling timer changes. // It is called with prof.signalLock held. hz is the new timer, and is 0 if // profiling is being disabled. Enable or disable the signal as // required for -buildmode=c-archive. func setProcessCPUProfilerTimer(hz int32) { if hz != 0 { // Enable the Go signal handler if not enabled. if atomic.Cas(&handlingSig[_SIGPROF], 0, 1) { h := getsig(_SIGPROF) // If no signal handler was installed before, then we record // _SIG_IGN here. When we turn off profiling (below) we'll start // ignoring SIGPROF signals. We do this, rather than change // to SIG_DFL, because there may be a pending SIGPROF // signal that has not yet been delivered to some other thread. // If we change to SIG_DFL when turning off profiling, the // program will crash when that SIGPROF is delivered. We assume // that programs that use profiling don't want to crash on a // stray SIGPROF. See issue 19320. // We do the change here instead of when turning off profiling, // because there we may race with a signal handler running // concurrently, in particular, sigfwdgo may observe _SIG_DFL and // die. See issue 43828. if h == _SIG_DFL { h = _SIG_IGN } atomic.Storeuintptr(&fwdSig[_SIGPROF], h) setsig(_SIGPROF, abi.FuncPCABIInternal(sighandler)) } var it itimerval it.it_interval.tv_sec = 0 it.it_interval.set_usec(1000000 / hz) it.it_value = it.it_interval setitimer(_ITIMER_PROF, &it, nil) } else { setitimer(_ITIMER_PROF, &itimerval{}, nil) // If the Go signal handler should be disabled by default, // switch back to the signal handler that was installed // when we enabled profiling. We don't try to handle the case // of a program that changes the SIGPROF handler while Go // profiling is enabled. if !sigInstallGoHandler(_SIGPROF) { if atomic.Cas(&handlingSig[_SIGPROF], 1, 0) { h := atomic.Loaduintptr(&fwdSig[_SIGPROF]) setsig(_SIGPROF, h) } } } } // setThreadCPUProfilerHz makes any thread-specific changes required to // implement profiling at a rate of hz. // No changes required on Unix systems when using setitimer. func setThreadCPUProfilerHz(hz int32) { getg().m.profilehz = hz } func sigpipe() { if signal_ignored(_SIGPIPE) || sigsend(_SIGPIPE) { return } dieFromSignal(_SIGPIPE) } // doSigPreempt handles a preemption signal on gp. func doSigPreempt(gp *g, ctxt *sigctxt) { // Check if this G wants to be preempted and is safe to // preempt. if wantAsyncPreempt(gp) { if ok, newpc := isAsyncSafePoint(gp, ctxt.sigpc(), ctxt.sigsp(), ctxt.siglr()); ok { // Adjust the PC and inject a call to asyncPreempt. ctxt.pushCall(abi.FuncPCABI0(asyncPreempt), newpc) } } // Acknowledge the preemption. gp.m.preemptGen.Add(1) gp.m.signalPending.Store(0) if GOOS == "darwin" || GOOS == "ios" { pendingPreemptSignals.Add(-1) } } const preemptMSupported = true // preemptM sends a preemption request to mp. This request may be // handled asynchronously and may be coalesced with other requests to // the M. When the request is received, if the running G or P are // marked for preemption and the goroutine is at an asynchronous // safe-point, it will preempt the goroutine. It always atomically // increments mp.preemptGen after handling a preemption request. func preemptM(mp *m) { // On Darwin, don't try to preempt threads during exec. // Issue #41702. if GOOS == "darwin" || GOOS == "ios" { execLock.rlock() } if mp.signalPending.CompareAndSwap(0, 1) { if GOOS == "darwin" || GOOS == "ios" { pendingPreemptSignals.Add(1) } // If multiple threads are preempting the same M, it may send many // signals to the same M such that it hardly make progress, causing // live-lock problem. Apparently this could happen on darwin. See // issue #37741. // Only send a signal if there isn't already one pending. signalM(mp, sigPreempt) } if GOOS == "darwin" || GOOS == "ios" { execLock.runlock() } } // sigFetchG fetches the value of G safely when running in a signal handler. // On some architectures, the g value may be clobbered when running in a VDSO. // See issue #32912. // //go:nosplit func sigFetchG(c *sigctxt) *g { switch GOARCH { case "arm", "arm64", "loong64", "ppc64", "ppc64le", "riscv64", "s390x": if !iscgo && inVDSOPage(c.sigpc()) { // When using cgo, we save the g on TLS and load it from there // in sigtramp. Just use that. // Otherwise, before making a VDSO call we save the g to the // bottom of the signal stack. Fetch from there. // TODO: in efence mode, stack is sysAlloc'd, so this wouldn't // work. sp := sys.GetCallerSP() s := spanOf(sp) if s != nil && s.state.get() == mSpanManual && s.base() < sp && sp < s.limit { gp := *(**g)(unsafe.Pointer(s.base())) return gp } return nil } } return getg() } // sigtrampgo is called from the signal handler function, sigtramp, // written in assembly code. // This is called by the signal handler, and the world may be stopped. // // It must be nosplit because getg() is still the G that was running // (if any) when the signal was delivered, but it's (usually) called // on the gsignal stack. Until this switches the G to gsignal, the // stack bounds check won't work. // //go:nosplit //go:nowritebarrierrec func sigtrampgo(sig uint32, info *siginfo, ctx unsafe.Pointer) { if sigfwdgo(sig, info, ctx) { return } c := &sigctxt{info, ctx} gp := sigFetchG(c) setg(gp) if gp == nil || (gp.m != nil && gp.m.isExtraInC) { if sig == _SIGPROF { // Some platforms (Linux) have per-thread timers, which we use in // combination with the process-wide timer. Avoid double-counting. if validSIGPROF(nil, c) { sigprofNonGoPC(c.sigpc()) } return } if sig == sigPreempt && preemptMSupported && debug.asyncpreemptoff == 0 { // This is probably a signal from preemptM sent // while executing Go code but received while // executing non-Go code. // We got past sigfwdgo, so we know that there is // no non-Go signal handler for sigPreempt. // The default behavior for sigPreempt is to ignore // the signal, so badsignal will be a no-op anyway. if GOOS == "darwin" || GOOS == "ios" { pendingPreemptSignals.Add(-1) } return } c.fixsigcode(sig) // Set g to nil here and badsignal will use g0 by needm. // TODO: reuse the current m here by using the gsignal and adjustSignalStack, // since the current g maybe a normal goroutine and actually running on the signal stack, // it may hit stack split that is not expected here. if gp != nil { setg(nil) } badsignal(uintptr(sig), c) // Restore g if gp != nil { setg(gp) } return } setg(gp.m.gsignal) // If some non-Go code called sigaltstack, adjust. var gsignalStack gsignalStack setStack := adjustSignalStack(sig, gp.m, &gsignalStack) if setStack { gp.m.gsignal.stktopsp = sys.GetCallerSP() } if gp.stackguard0 == stackFork { signalDuringFork(sig) } c.fixsigcode(sig) sighandler(sig, info, ctx, gp) setg(gp) if setStack { restoreGsignalStack(&gsignalStack) } } // If the signal handler receives a SIGPROF signal on a non-Go thread, // it tries to collect a traceback into sigprofCallers. // sigprofCallersUse is set to non-zero while sigprofCallers holds a traceback. var sigprofCallers cgoCallers var sigprofCallersUse uint32 // sigprofNonGo is called if we receive a SIGPROF signal on a non-Go thread, // and the signal handler collected a stack trace in sigprofCallers. // When this is called, sigprofCallersUse will be non-zero. // g is nil, and what we can do is very limited. // // It is called from the signal handling functions written in assembly code that // are active for cgo programs, cgoSigtramp and sigprofNonGoWrapper, which have // not verified that the SIGPROF delivery corresponds to the best available // profiling source for this thread. // //go:nosplit //go:nowritebarrierrec func sigprofNonGo(sig uint32, info *siginfo, ctx unsafe.Pointer) { if prof.hz.Load() != 0 { c := &sigctxt{info, ctx} // Some platforms (Linux) have per-thread timers, which we use in // combination with the process-wide timer. Avoid double-counting. if validSIGPROF(nil, c) { n := 0 for n < len(sigprofCallers) && sigprofCallers[n] != 0 { n++ } cpuprof.addNonGo(sigprofCallers[:n]) } } atomic.Store(&sigprofCallersUse, 0) } // sigprofNonGoPC is called when a profiling signal arrived on a // non-Go thread and we have a single PC value, not a stack trace. // g is nil, and what we can do is very limited. // //go:nosplit //go:nowritebarrierrec func sigprofNonGoPC(pc uintptr) { if prof.hz.Load() != 0 { stk := []uintptr{ pc, abi.FuncPCABIInternal(_ExternalCode) + sys.PCQuantum, } cpuprof.addNonGo(stk) } } // adjustSignalStack adjusts the current stack guard based on the // stack pointer that is actually in use while handling a signal. // We do this in case some non-Go code called sigaltstack. // This reports whether the stack was adjusted, and if so stores the old // signal stack in *gsigstack. // //go:nosplit func adjustSignalStack(sig uint32, mp *m, gsigStack *gsignalStack) bool { sp := uintptr(unsafe.Pointer(&sig)) if sp >= mp.gsignal.stack.lo && sp < mp.gsignal.stack.hi { return false } var st stackt sigaltstack(nil, &st) stsp := uintptr(unsafe.Pointer(st.ss_sp)) if st.ss_flags&_SS_DISABLE == 0 && sp >= stsp && sp < stsp+st.ss_size { setGsignalStack(&st, gsigStack) return true } if sp >= mp.g0.stack.lo && sp < mp.g0.stack.hi { // The signal was delivered on the g0 stack. // This can happen when linked with C code // using the thread sanitizer, which collects // signals then delivers them itself by calling // the signal handler directly when C code, // including C code called via cgo, calls a // TSAN-intercepted function such as malloc. // // We check this condition last as g0.stack.lo // may be not very accurate (see mstart). st := stackt{ss_size: mp.g0.stack.hi - mp.g0.stack.lo} setSignalstackSP(&st, mp.g0.stack.lo) setGsignalStack(&st, gsigStack) return true } // sp is not within gsignal stack, g0 stack, or sigaltstack. Bad. setg(nil) needm(true) if st.ss_flags&_SS_DISABLE != 0 { noSignalStack(sig) } else { sigNotOnStack(sig, sp, mp) } dropm() return false } // crashing is the number of m's we have waited for when implementing // GOTRACEBACK=crash when a signal is received. var crashing atomic.Int32 // testSigtrap and testSigusr1 are used by the runtime tests. If // non-nil, it is called on SIGTRAP/SIGUSR1. If it returns true, the // normal behavior on this signal is suppressed. var testSigtrap func(info *siginfo, ctxt *sigctxt, gp *g) bool var testSigusr1 func(gp *g) bool // sigsysIgnored is non-zero if we are currently ignoring SIGSYS. See issue #69065. var sigsysIgnored uint32 //go:linkname ignoreSIGSYS os.ignoreSIGSYS func ignoreSIGSYS() { atomic.Store(&sigsysIgnored, 1) } //go:linkname restoreSIGSYS os.restoreSIGSYS func restoreSIGSYS() { atomic.Store(&sigsysIgnored, 0) } // sighandler is invoked when a signal occurs. The global g will be // set to a gsignal goroutine and we will be running on the alternate // signal stack. The parameter gp will be the value of the global g // when the signal occurred. The sig, info, and ctxt parameters are // from the system signal handler: they are the parameters passed when // the SA is passed to the sigaction system call. // // The garbage collector may have stopped the world, so write barriers // are not allowed. // //go:nowritebarrierrec func sighandler(sig uint32, info *siginfo, ctxt unsafe.Pointer, gp *g) { // The g executing the signal handler. This is almost always // mp.gsignal. See delayedSignal for an exception. gsignal := getg() mp := gsignal.m c := &sigctxt{info, ctxt} // Cgo TSAN (not the Go race detector) intercepts signals and calls the // signal handler at a later time. When the signal handler is called, the // memory may have changed, but the signal context remains old. The // unmatched signal context and memory makes it unsafe to unwind or inspect // the stack. So we ignore delayed non-fatal signals that will cause a stack // inspection (profiling signal and preemption signal). // cgo_yield is only non-nil for TSAN, and is specifically used to trigger // signal delivery. We use that as an indicator of delayed signals. // For delayed signals, the handler is called on the g0 stack (see // adjustSignalStack). delayedSignal := *cgo_yield != nil && mp != nil && gsignal.stack == mp.g0.stack if sig == _SIGPROF { // Some platforms (Linux) have per-thread timers, which we use in // combination with the process-wide timer. Avoid double-counting. if !delayedSignal && validSIGPROF(mp, c) { sigprof(c.sigpc(), c.sigsp(), c.siglr(), gp, mp) } return } if sig == _SIGTRAP && testSigtrap != nil && testSigtrap(info, (*sigctxt)(noescape(unsafe.Pointer(c))), gp) { return } if sig == _SIGUSR1 && testSigusr1 != nil && testSigusr1(gp) { return } if (GOOS == "linux" || GOOS == "android") && sig == sigPerThreadSyscall { // sigPerThreadSyscall is the same signal used by glibc for // per-thread syscalls on Linux. We use it for the same purpose // in non-cgo binaries. Since this signal is not _SigNotify, // there is nothing more to do once we run the syscall. runPerThreadSyscall() return } if sig == sigPreempt && debug.asyncpreemptoff == 0 && !delayedSignal { // Might be a preemption signal. doSigPreempt(gp, c) // Even if this was definitely a preemption signal, it // may have been coalesced with another signal, so we // still let it through to the application. } flags := int32(_SigThrow) if sig < uint32(len(sigtable)) { flags = sigtable[sig].flags } if !c.sigFromUser() && flags&_SigPanic != 0 && (gp.throwsplit || gp != mp.curg) { // We can't safely sigpanic because it may grow the // stack. Abort in the signal handler instead. // // Also don't inject a sigpanic if we are not on a // user G stack. Either we're in the runtime, or we're // running C code. Either way we cannot recover. flags = _SigThrow } if isAbortPC(c.sigpc()) { // On many architectures, the abort function just // causes a memory fault. Don't turn that into a panic. flags = _SigThrow } if !c.sigFromUser() && flags&_SigPanic != 0 { // The signal is going to cause a panic. // Arrange the stack so that it looks like the point // where the signal occurred made a call to the // function sigpanic. Then set the PC to sigpanic. // Have to pass arguments out of band since // augmenting the stack frame would break // the unwinding code. gp.sig = sig gp.sigcode0 = uintptr(c.sigcode()) gp.sigcode1 = c.fault() gp.sigpc = c.sigpc() c.preparePanic(sig, gp) return } if c.sigFromUser() || flags&_SigNotify != 0 { if sigsend(sig) { return } } if c.sigFromUser() && signal_ignored(sig) { return } if sig == _SIGSYS && c.sigFromSeccomp() && atomic.Load(&sigsysIgnored) != 0 { return } if flags&_SigKill != 0 { dieFromSignal(sig) } // _SigThrow means that we should exit now. // If we get here with _SigPanic, it means that the signal // was sent to us by a program (c.sigFromUser() is true); // in that case, if we didn't handle it in sigsend, we exit now. if flags&(_SigThrow|_SigPanic) == 0 { return } mp.throwing = throwTypeRuntime mp.caughtsig.set(gp) if crashing.Load() == 0 { startpanic_m() } gp = fatalsignal(sig, c, gp, mp) level, _, docrash := gotraceback() if level > 0 { goroutineheader(gp) tracebacktrap(c.sigpc(), c.sigsp(), c.siglr(), gp) if crashing.Load() > 0 && gp != mp.curg && mp.curg != nil && readgstatus(mp.curg)&^_Gscan == _Grunning { // tracebackothers on original m skipped this one; trace it now. goroutineheader(mp.curg) traceback(^uintptr(0), ^uintptr(0), 0, mp.curg) } else if crashing.Load() == 0 { tracebackothers(gp) print("\n") } dumpregs(c) } if docrash { var crashSleepMicros uint32 = 5000 var watchdogTimeoutMicros uint32 = 2000 * crashSleepMicros isCrashThread := false if crashing.CompareAndSwap(0, 1) { isCrashThread = true } else { crashing.Add(1) } if crashing.Load() < mcount()-int32(extraMLength.Load()) { // There are other m's that need to dump their stacks. // Relay SIGQUIT to the next m by sending it to the current process. // All m's that have already received SIGQUIT have signal masks blocking // receipt of any signals, so the SIGQUIT will go to an m that hasn't seen it yet. // The first m will wait until all ms received the SIGQUIT, then crash/exit. // Just in case the relaying gets botched, each m involved in // the relay sleeps for 5 seconds and then does the crash/exit itself. // The faulting m is crashing first so it is the faulting thread in the core dump (see issue #63277): // in expected operation, the first m will wait until the last m has received the SIGQUIT, // and then run crash/exit and the process is gone. // However, if it spends more than 10 seconds to send SIGQUIT to all ms, // any of ms may crash/exit the process after waiting for 10 seconds. print("\n-----\n\n") raiseproc(_SIGQUIT) } if isCrashThread { // Sleep for short intervals so that we can crash quickly after all ms have received SIGQUIT. // Reset the timer whenever we see more ms received SIGQUIT // to make it have enough time to crash (see issue #64752). timeout := watchdogTimeoutMicros maxCrashing := crashing.Load() for timeout > 0 && (crashing.Load() < mcount()-int32(extraMLength.Load())) { usleep(crashSleepMicros) timeout -= crashSleepMicros if c := crashing.Load(); c > maxCrashing { // We make progress, so reset the watchdog timeout maxCrashing = c timeout = watchdogTimeoutMicros } } } else { maxCrashing := int32(0) c := crashing.Load() for c > maxCrashing { maxCrashing = c usleep(watchdogTimeoutMicros) c = crashing.Load() } } printDebugLog() crash() } printDebugLog() exit(2) } func fatalsignal(sig uint32, c *sigctxt, gp *g, mp *m) *g { if sig < uint32(len(sigtable)) { print(sigtable[sig].name, "\n") } else { print("Signal ", sig, "\n") } if isSecureMode() { exit(2) } print("PC=", hex(c.sigpc()), " m=", mp.id, " sigcode=", c.sigcode()) if sig == _SIGSEGV || sig == _SIGBUS { print(" addr=", hex(c.fault())) } print("\n") if mp.incgo && gp == mp.g0 && mp.curg != nil { print("signal arrived during cgo execution\n") // Switch to curg so that we get a traceback of the Go code // leading up to the cgocall, which switched from curg to g0. gp = mp.curg } if sig == _SIGILL || sig == _SIGFPE { // It would be nice to know how long the instruction is. // Unfortunately, that's complicated to do in general (mostly for x86 // and s930x, but other archs have non-standard instruction lengths also). // Opt to print 16 bytes, which covers most instructions. const maxN = 16 n := uintptr(maxN) // We have to be careful, though. If we're near the end of // a page and the following page isn't mapped, we could // segfault. So make sure we don't straddle a page (even though // that could lead to printing an incomplete instruction). // We're assuming here we can read at least the page containing the PC. // I suppose it is possible that the page is mapped executable but not readable? pc := c.sigpc() if n > physPageSize-pc%physPageSize { n = physPageSize - pc%physPageSize } print("instruction bytes:") b := (*[maxN]byte)(unsafe.Pointer(pc)) for i := uintptr(0); i < n; i++ { print(" ", hex(b[i])) } println() } print("\n") return gp } // sigpanic turns a synchronous signal into a run-time panic. // If the signal handler sees a synchronous panic, it arranges the // stack to look like the function where the signal occurred called // sigpanic, sets the signal's PC value to sigpanic, and returns from // the signal handler. The effect is that the program will act as // though the function that got the signal simply called sigpanic // instead. // // This must NOT be nosplit because the linker doesn't know where // sigpanic calls can be injected. // // The signal handler must not inject a call to sigpanic if // getg().throwsplit, since sigpanic may need to grow the stack. // // This is exported via linkname to assembly in runtime/cgo. // //go:linkname sigpanic func sigpanic() { gp := getg() if !canpanic() { throw("unexpected signal during runtime execution") } switch gp.sig { case _SIGBUS: if gp.sigcode0 == _BUS_ADRERR && gp.sigcode1 < 0x1000 { panicmem() } // Support runtime/debug.SetPanicOnFault. if gp.paniconfault { panicmemAddr(gp.sigcode1) } print("unexpected fault address ", hex(gp.sigcode1), "\n") throw("fault") case _SIGSEGV: if (gp.sigcode0 == 0 || gp.sigcode0 == _SEGV_MAPERR || gp.sigcode0 == _SEGV_ACCERR) && gp.sigcode1 < 0x1000 { panicmem() } // Support runtime/debug.SetPanicOnFault. if gp.paniconfault { panicmemAddr(gp.sigcode1) } if inUserArenaChunk(gp.sigcode1) { // We could check that the arena chunk is explicitly set to fault, // but the fact that we faulted on accessing it is enough to prove // that it is. print("accessed data from freed user arena ", hex(gp.sigcode1), "\n") } else { print("unexpected fault address ", hex(gp.sigcode1), "\n") } throw("fault") case _SIGFPE: switch gp.sigcode0 { case _FPE_INTDIV: panicdivide() case _FPE_INTOVF: panicoverflow() } panicfloat() } if gp.sig >= uint32(len(sigtable)) { // can't happen: we looked up gp.sig in sigtable to decide to call sigpanic throw("unexpected signal value") } panic(errorString(sigtable[gp.sig].name)) } // dieFromSignal kills the program with a signal. // This provides the expected exit status for the shell. // This is only called with fatal signals expected to kill the process. // //go:nosplit //go:nowritebarrierrec func dieFromSignal(sig uint32) { unblocksig(sig) // Mark the signal as unhandled to ensure it is forwarded. atomic.Store(&handlingSig[sig], 0) raise(sig) // That should have killed us. On some systems, though, raise // sends the signal to the whole process rather than to just // the current thread, which means that the signal may not yet // have been delivered. Give other threads a chance to run and // pick up the signal. osyield() osyield() osyield() // If that didn't work, try _SIG_DFL. setsig(sig, _SIG_DFL) raise(sig) osyield() osyield() osyield() // If we are still somehow running, just exit with the wrong status. exit(2) } // raisebadsignal is called when a signal is received on a non-Go // thread, and the Go program does not want to handle it (that is, the // program has not called os/signal.Notify for the signal). func raisebadsignal(sig uint32, c *sigctxt) { if sig == _SIGPROF { // Ignore profiling signals that arrive on non-Go threads. return } var handler uintptr var flags int32 if sig >= _NSIG { handler = _SIG_DFL } else { handler = atomic.Loaduintptr(&fwdSig[sig]) flags = sigtable[sig].flags } // If the signal is ignored, raising the signal is no-op. if handler == _SIG_IGN || (handler == _SIG_DFL && flags&_SigIgn != 0) { return } // Reset the signal handler and raise the signal. // We are currently running inside a signal handler, so the // signal is blocked. We need to unblock it before raising the // signal, or the signal we raise will be ignored until we return // from the signal handler. We know that the signal was unblocked // before entering the handler, or else we would not have received // it. That means that we don't have to worry about blocking it // again. unblocksig(sig) setsig(sig, handler) // If we're linked into a non-Go program we want to try to // avoid modifying the original context in which the signal // was raised. If the handler is the default, we know it // is non-recoverable, so we don't have to worry about // re-installing sighandler. At this point we can just // return and the signal will be re-raised and caught by // the default handler with the correct context. // // On FreeBSD, the libthr sigaction code prevents // this from working so we fall through to raise. if GOOS != "freebsd" && (isarchive || islibrary) && handler == _SIG_DFL && !c.sigFromUser() { return } raise(sig) // Give the signal a chance to be delivered. // In almost all real cases the program is about to crash, // so sleeping here is not a waste of time. usleep(1000) // If the signal didn't cause the program to exit, restore the // Go signal handler and carry on. // // We may receive another instance of the signal before we // restore the Go handler, but that is not so bad: we know // that the Go program has been ignoring the signal. setsig(sig, abi.FuncPCABIInternal(sighandler)) } //go:nosplit func crash() { dieFromSignal(_SIGABRT) } // ensureSigM starts one global, sleeping thread to make sure at least one thread // is available to catch signals enabled for os/signal. func ensureSigM() { if maskUpdatedChan != nil { return } maskUpdatedChan = make(chan struct{}) disableSigChan = make(chan uint32) enableSigChan = make(chan uint32) go func() { // Signal masks are per-thread, so make sure this goroutine stays on one // thread. LockOSThread() defer UnlockOSThread() // The sigBlocked mask contains the signals not active for os/signal, // initially all signals except the essential. When signal.Notify()/Stop is called, // sigenable/sigdisable in turn notify this thread to update its signal // mask accordingly. sigBlocked := sigset_all for i := range sigtable { if !blockableSig(uint32(i)) { sigdelset(&sigBlocked, i) } } sigprocmask(_SIG_SETMASK, &sigBlocked, nil) for { select { case sig := <-enableSigChan: if sig > 0 { sigdelset(&sigBlocked, int(sig)) } case sig := <-disableSigChan: if sig > 0 && blockableSig(sig) { sigaddset(&sigBlocked, int(sig)) } } sigprocmask(_SIG_SETMASK, &sigBlocked, nil) maskUpdatedChan <- struct{}{} } }() } // This is called when we receive a signal when there is no signal stack. // This can only happen if non-Go code calls sigaltstack to disable the // signal stack. func noSignalStack(sig uint32) { println("signal", sig, "received on thread with no signal stack") throw("non-Go code disabled sigaltstack") } // This is called if we receive a signal when there is a signal stack // but we are not on it. This can only happen if non-Go code called // sigaction without setting the SS_ONSTACK flag. func sigNotOnStack(sig uint32, sp uintptr, mp *m) { println("signal", sig, "received but handler not on signal stack") print("mp.gsignal stack [", hex(mp.gsignal.stack.lo), " ", hex(mp.gsignal.stack.hi), "], ") print("mp.g0 stack [", hex(mp.g0.stack.lo), " ", hex(mp.g0.stack.hi), "], sp=", hex(sp), "\n") throw("non-Go code set up signal handler without SA_ONSTACK flag") } // signalDuringFork is called if we receive a signal while doing a fork. // We do not want signals at that time, as a signal sent to the process // group may be delivered to the child process, causing confusion. // This should never be called, because we block signals across the fork; // this function is just a safety check. See issue 18600 for background. func signalDuringFork(sig uint32) { println("signal", sig, "received during fork") throw("signal received during fork") } // This runs on a foreign stack, without an m or a g. No stack split. // //go:nosplit //go:norace //go:nowritebarrierrec func badsignal(sig uintptr, c *sigctxt) { if !iscgo && !cgoHasExtraM { // There is no extra M. needm will not be able to grab // an M. Instead of hanging, just crash. // Cannot call split-stack function as there is no G. writeErrStr("fatal: bad g in signal handler\n") exit(2) *(*uintptr)(unsafe.Pointer(uintptr(123))) = 2 } needm(true) if !sigsend(uint32(sig)) { // A foreign thread received the signal sig, and the // Go code does not want to handle it. raisebadsignal(uint32(sig), c) } dropm() } //go:noescape func sigfwd(fn uintptr, sig uint32, info *siginfo, ctx unsafe.Pointer) // Determines if the signal should be handled by Go and if not, forwards the // signal to the handler that was installed before Go's. Returns whether the // signal was forwarded. // This is called by the signal handler, and the world may be stopped. // //go:nosplit //go:nowritebarrierrec func sigfwdgo(sig uint32, info *siginfo, ctx unsafe.Pointer) bool { if sig >= uint32(len(sigtable)) { return false } fwdFn := atomic.Loaduintptr(&fwdSig[sig]) flags := sigtable[sig].flags // If we aren't handling the signal, forward it. if atomic.Load(&handlingSig[sig]) == 0 || !signalsOK { // If the signal is ignored, doing nothing is the same as forwarding. if fwdFn == _SIG_IGN || (fwdFn == _SIG_DFL && flags&_SigIgn != 0) { return true } // We are not handling the signal and there is no other handler to forward to. // Crash with the default behavior. if fwdFn == _SIG_DFL { setsig(sig, _SIG_DFL) dieFromSignal(sig) return false } sigfwd(fwdFn, sig, info, ctx) return true } // This function and its caller sigtrampgo assumes SIGPIPE is delivered on the // originating thread. This property does not hold on macOS (golang.org/issue/33384), // so we have no choice but to ignore SIGPIPE. if (GOOS == "darwin" || GOOS == "ios") && sig == _SIGPIPE { return true } // If there is no handler to forward to, no need to forward. if fwdFn == _SIG_DFL { return false } c := &sigctxt{info, ctx} // Only forward synchronous signals and SIGPIPE. // Unfortunately, user generated SIGPIPEs will also be forwarded, because si_code // is set to _SI_USER even for a SIGPIPE raised from a write to a closed socket // or pipe. if (c.sigFromUser() || flags&_SigPanic == 0) && sig != _SIGPIPE { return false } // Determine if the signal occurred inside Go code. We test that: // (1) we weren't in VDSO page, // (2) we were in a goroutine (i.e., m.curg != nil), and // (3) we weren't in CGO. // (4) we weren't in dropped extra m. gp := sigFetchG(c) if gp != nil && gp.m != nil && gp.m.curg != nil && !gp.m.isExtraInC && !gp.m.incgo { return false } // Signal not handled by Go, forward it. if fwdFn != _SIG_IGN { sigfwd(fwdFn, sig, info, ctx) } return true } // sigsave saves the current thread's signal mask into *p. // This is used to preserve the non-Go signal mask when a non-Go // thread calls a Go function. // This is nosplit and nowritebarrierrec because it is called by needm // which may be called on a non-Go thread with no g available. // //go:nosplit //go:nowritebarrierrec func sigsave(p *sigset) { sigprocmask(_SIG_SETMASK, nil, p) } // msigrestore sets the current thread's signal mask to sigmask. // This is used to restore the non-Go signal mask when a non-Go thread // calls a Go function. // This is nosplit and nowritebarrierrec because it is called by dropm // after g has been cleared. // //go:nosplit //go:nowritebarrierrec func msigrestore(sigmask sigset) { sigprocmask(_SIG_SETMASK, &sigmask, nil) } // sigsetAllExiting is used by sigblock(true) when a thread is // exiting. var sigsetAllExiting = func() sigset { res := sigset_all // Apply GOOS-specific overrides here, rather than in osinit, // because osinit may be called before sigsetAllExiting is // initialized (#51913). if GOOS == "linux" && iscgo { // #42494 glibc and musl reserve some signals for // internal use and require they not be blocked by // the rest of a normal C runtime. When the go runtime // blocks...unblocks signals, temporarily, the blocked // interval of time is generally very short. As such, // these expectations of *libc code are mostly met by // the combined go+cgo system of threads. However, // when go causes a thread to exit, via a return from // mstart(), the combined runtime can deadlock if // these signals are blocked. Thus, don't block these // signals when exiting threads. // - glibc: SIGCANCEL (32), SIGSETXID (33) // - musl: SIGTIMER (32), SIGCANCEL (33), SIGSYNCCALL (34) sigdelset(&res, 32) sigdelset(&res, 33) sigdelset(&res, 34) } return res }() // sigblock blocks signals in the current thread's signal mask. // This is used to block signals while setting up and tearing down g // when a non-Go thread calls a Go function. When a thread is exiting // we use the sigsetAllExiting value, otherwise the OS specific // definition of sigset_all is used. // This is nosplit and nowritebarrierrec because it is called by needm // which may be called on a non-Go thread with no g available. // //go:nosplit //go:nowritebarrierrec func sigblock(exiting bool) { if exiting { sigprocmask(_SIG_SETMASK, &sigsetAllExiting, nil) return } sigprocmask(_SIG_SETMASK, &sigset_all, nil) } // unblocksig removes sig from the current thread's signal mask. // This is nosplit and nowritebarrierrec because it is called from // dieFromSignal, which can be called by sigfwdgo while running in the // signal handler, on the signal stack, with no g available. // //go:nosplit //go:nowritebarrierrec func unblocksig(sig uint32) { var set sigset sigaddset(&set, int(sig)) sigprocmask(_SIG_UNBLOCK, &set, nil) } // minitSignals is called when initializing a new m to set the // thread's alternate signal stack and signal mask. func minitSignals() { minitSignalStack() minitSignalMask() } // minitSignalStack is called when initializing a new m to set the // alternate signal stack. If the alternate signal stack is not set // for the thread (the normal case) then set the alternate signal // stack to the gsignal stack. If the alternate signal stack is set // for the thread (the case when a non-Go thread sets the alternate // signal stack and then calls a Go function) then set the gsignal // stack to the alternate signal stack. We also set the alternate // signal stack to the gsignal stack if cgo is not used (regardless // of whether it is already set). Record which choice was made in // newSigstack, so that it can be undone in unminit. func minitSignalStack() { mp := getg().m var st stackt sigaltstack(nil, &st) if st.ss_flags&_SS_DISABLE != 0 || !iscgo { signalstack(&mp.gsignal.stack) mp.newSigstack = true } else { setGsignalStack(&st, &mp.goSigStack) mp.newSigstack = false } } // minitSignalMask is called when initializing a new m to set the // thread's signal mask. When this is called all signals have been // blocked for the thread. This starts with m.sigmask, which was set // either from initSigmask for a newly created thread or by calling // sigsave if this is a non-Go thread calling a Go function. It // removes all essential signals from the mask, thus causing those // signals to not be blocked. Then it sets the thread's signal mask. // After this is called the thread can receive signals. func minitSignalMask() { nmask := getg().m.sigmask for i := range sigtable { if !blockableSig(uint32(i)) { sigdelset(&nmask, i) } } sigprocmask(_SIG_SETMASK, &nmask, nil) } // unminitSignals is called from dropm, via unminit, to undo the // effect of calling minit on a non-Go thread. // //go:nosplit func unminitSignals() { if getg().m.newSigstack { st := stackt{ss_flags: _SS_DISABLE} sigaltstack(&st, nil) } else { // We got the signal stack from someone else. Restore // the Go-allocated stack in case this M gets reused // for another thread (e.g., it's an extram). Also, on // Android, libc allocates a signal stack for all // threads, so it's important to restore the Go stack // even on Go-created threads so we can free it. restoreGsignalStack(&getg().m.goSigStack) } } // blockableSig reports whether sig may be blocked by the signal mask. // We never want to block the signals marked _SigUnblock; // these are the synchronous signals that turn into a Go panic. // We never want to block the preemption signal if it is being used. // In a Go program--not a c-archive/c-shared--we never want to block // the signals marked _SigKill or _SigThrow, as otherwise it's possible // for all running threads to block them and delay their delivery until // we start a new thread. When linked into a C program we let the C code // decide on the disposition of those signals. func blockableSig(sig uint32) bool { flags := sigtable[sig].flags if flags&_SigUnblock != 0 { return false } if sig == sigPreempt && preemptMSupported && debug.asyncpreemptoff == 0 { return false } if isarchive || islibrary { return true } return flags&(_SigKill|_SigThrow) == 0 } // gsignalStack saves the fields of the gsignal stack changed by // setGsignalStack. type gsignalStack struct { stack stack stackguard0 uintptr stackguard1 uintptr stktopsp uintptr } // setGsignalStack sets the gsignal stack of the current m to an // alternate signal stack returned from the sigaltstack system call. // It saves the old values in *old for use by restoreGsignalStack. // This is used when handling a signal if non-Go code has set the // alternate signal stack. // //go:nosplit //go:nowritebarrierrec func setGsignalStack(st *stackt, old *gsignalStack) { gp := getg() if old != nil { old.stack = gp.m.gsignal.stack old.stackguard0 = gp.m.gsignal.stackguard0 old.stackguard1 = gp.m.gsignal.stackguard1 old.stktopsp = gp.m.gsignal.stktopsp } stsp := uintptr(unsafe.Pointer(st.ss_sp)) gp.m.gsignal.stack.lo = stsp gp.m.gsignal.stack.hi = stsp + st.ss_size gp.m.gsignal.stackguard0 = stsp + stackGuard gp.m.gsignal.stackguard1 = stsp + stackGuard } // restoreGsignalStack restores the gsignal stack to the value it had // before entering the signal handler. // //go:nosplit //go:nowritebarrierrec func restoreGsignalStack(st *gsignalStack) { gp := getg().m.gsignal gp.stack = st.stack gp.stackguard0 = st.stackguard0 gp.stackguard1 = st.stackguard1 gp.stktopsp = st.stktopsp } // signalstack sets the current thread's alternate signal stack to s. // //go:nosplit func signalstack(s *stack) { st := stackt{ss_size: s.hi - s.lo} setSignalstackSP(&st, s.lo) sigaltstack(&st, nil) } // setsigsegv is used on darwin/arm64 to fake a segmentation fault. // // This is exported via linkname to assembly in runtime/cgo. // //go:nosplit //go:linkname setsigsegv func setsigsegv(pc uintptr) { gp := getg() gp.sig = _SIGSEGV gp.sigpc = pc gp.sigcode0 = _SEGV_MAPERR gp.sigcode1 = 0 // TODO: emulate si_addr }