Improve crash handler on XNU

This avoids an issue where a crash signal could cause the MacOS process to freeze and consume all CPU rather than dying as it rightfully should
2025-07-04 02:08:30 +00:00 · 2024-05-26 18:41:15 -07:00 · 2024-05-26 18:41:15 -07:00 · 086d7006da
commit 086d7006da
parent 0a51241f7a
5 changed files with 53 additions and 9 deletions
--- a/libc/integral/c.inc
+++ b/libc/integral/c.inc
@ -66,9 +66,10 @@
 #endif

 #if (!defined(__llvm__) && !__has_builtin(__builtin_assume))
-#define __builtin_assume(x)            \
-  do {                                 \
-    if (!(x)) __builtin_unreachable(); \
+#define __builtin_assume(x)    \
+  do {                         \
+    if (!(x))                  \
+      __builtin_unreachable(); \
  } while (0)
 #endif

@ -598,10 +599,21 @@ typedef struct {

 #ifdef __x86_64__
 #define DebugBreak() __asm__("int3")
+#elif defined(__aarch64__)
+#define DebugBreak() __asm__("brk\t#0x666")
 #else
 #define DebugBreak() __builtin_trap()
 #endif

+#ifdef __aarch64__
+/* raise sigill (not sigtrap) like x86 does */
+#define __builtin_trap()     \
+  do {                       \
+    __asm__("udf\t#0x666");  \
+    __builtin_unreachable(); \
+  } while (0)
+#endif
+
 #endif /* _COSMO_SOURCE */

 #define __veil(CONSTRAINT, EXPRESSION)                               \
--- a/libc/log/oncrash_amd64.c
+++ b/libc/log/oncrash_amd64.c
@ -192,8 +192,6 @@ void ShowCrashReportHook(int, int, int, struct siginfo *, ucontext_t *);

 static relegated void ShowCrashReport(int err, int sig, struct siginfo *si,
                                      ucontext_t *ctx) {
-  if (sig != SIGTRAP && sig != SIGQUIT)
-    sigaddset(&ctx->uc_sigmask, sig);
 #pragma GCC push_options
 #pragma GCC diagnostic ignored "-Walloca-larger-than="
  long size = __get_safe_size(8192, 4096);
@ -276,6 +274,21 @@ relegated void __oncrash(int sig, struct siginfo *si, void *arg) {
  int err = errno;
  __restore_tty();
  ShowCrashReport(err, sig, si, arg);
+
+  // ensure execution doesn't resume for anything but SIGTRAP / SIGQUIT
+  if (arg && sig != SIGTRAP && sig != SIGQUIT) {
+    if (!IsXnu()) {
+      sigaddset(&((ucontext_t *)arg)->uc_sigmask, sig);
+    } else {
+      sigdelset(&((ucontext_t *)arg)->uc_sigmask, sig);
+      struct sigaction sa;
+      sigemptyset(&sa.sa_mask);
+      sa.sa_handler = SIG_DFL;
+      sa.sa_flags = 0;
+      sigaction(sig, &sa, 0);
+    }
+  }
+
  SpinUnlock(&lock);
  ALLOW_CANCELATION;
 }
--- a/libc/log/oncrash_arm64.c
+++ b/libc/log/oncrash_arm64.c
@ -191,8 +191,6 @@ static relegated char *GetSymbolName(struct SymbolTable *st, int symbol) {

 static relegated void __oncrash_impl(int sig, struct siginfo *si,
                                     ucontext_t *ctx) {
-  if (sig != SIGTRAP && sig != SIGQUIT)
-    sigaddset(&ctx->uc_sigmask, sig);
 #pragma GCC push_options
 #pragma GCC diagnostic ignored "-Walloca-larger-than="
  long size = __get_safe_size(10000, 4096);
@ -396,6 +394,27 @@ relegated void __oncrash(int sig, struct siginfo *si, void *arg) {
  BLOCK_CANCELATION;
  SpinLock(&lock);
  __oncrash_impl(sig, si, arg);
+
+  // unlike amd64, the instruction pointer on arm64 isn't advanced past
+  // the debugger breakpoint instruction automatically. we need this so
+  // execution can resume after __builtin_trap().
+  if (arg && sig == SIGTRAP)
+    ((ucontext_t *)arg)->uc_mcontext.PC += 4;
+
+  // ensure execution doesn't resume for anything but SIGTRAP / SIGQUIT
+  if (arg && sig != SIGTRAP && sig != SIGQUIT) {
+    if (!IsXnu()) {
+      sigaddset(&((ucontext_t *)arg)->uc_sigmask, sig);
+    } else {
+      sigdelset(&((ucontext_t *)arg)->uc_sigmask, sig);
+      struct sigaction sa;
+      sigemptyset(&sa.sa_mask);
+      sa.sa_handler = SIG_DFL;
+      sa.sa_flags = 0;
+      sigaction(sig, &sa, 0);
+    }
+  }
+
  SpinUnlock(&lock);
  ALLOW_CANCELATION;
 }