• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Kernel bug in handling signals (bug 15615281)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kernel bug in handling signals (bug 15615281)

  • Subject: Re: Kernel bug in handling signals (bug 15615281)
  • From: "Ben L. Titzer" <email@hidden>
  • Date: Thu, 19 Dec 2013 19:27:31 +0100
Well I supposed you passed the of first test of trust :)

Although you might not like the source code--none of it is written in C :)

Checkout the repository here:

https://code.google.com/p/virgil/

The binary in question is generated by my compiler from the test program in test/execute/rtex_divzero06.v3

% bin/v3c -target=x86-darwin-test -output=/tmp/ test/execute/rtex_divzero06.v3

There is some assembly language linkage that is generated by the compiler itself that sets up the default signal handlers. That assembly is generated in 

https://code.google.com/p/virgil/source/browse/aeneas/src/x86/X86Darwin.v3



in genSignalHandlerInstall()

That code is basically:



	// generate code that installs a signal handler


	def genSigHandlerInstall(asm: X86Assembler, signo: int, handler: Addr) {


		asm.push_i(0);			// sa_flags

		asm.push_i(0);			// sa_mask

		asm.push_i(X86Addrs.ABS_CONST);	// sa_handler: handler address

		recordPatch(asm, handler);
		asm.push_i(2);			// TODO: why a nonzero value here?


		asm.movd_rm_r(X86Regs.EBX, X86Regs.ESP);


		asm.push_i(0);			// sigaction *oact

		asm.push(X86Regs.EBX);		// sigaction *act

		asm.push_i(signo);		// signal number
		asm.push_i(0);			// "dummy" value


		asm.movd_rm_i(X86Regs.EAX, 46); // sigaction


		asm.intK(0x80);

		asm.add.rm_i(X86Regs.ESP, 32);	// pop params off stack

	}


As you can see there is some hackery going on there. I wasn't exactly sure what I should be passing to the kernel, since it has been a pain to trace through exactly how all the structs are encoded. This all works fine on 10.6. I use the signal handlers to catch access violations (e.g. a null pointer deref by the program generates a SIGSEGV, by design of my address layout), and then generate a stacktrace.



Perhaps I am misusing the syscall. But still, I should *not* be able to crash the kernel, and the behavior certainly shouldn't depend on the 64-bitness of the forking shell (!). As noted above, when forked from a 32-bit shell, then it all works as expected.


On Thu, Dec 19, 2013 at 7:09 PM, sk <email@hidden> wrote:
Why on earth would anyone run your attached binary?
Please provide source … I’ll compile myself. 

On Dec 19, 2013, at 11:17 AM, Ben L. Titzer <email@hidden> wrote:

Hello,

Last week I filed bug #15615281. I wanted to ask on this list if anyone has any idea.

I am trying to do basic signal handling directly in assembly. The problem seems to be a 32/64 bit issue that crashes the kernel. I am cutting and pasting the contents of that bug here, for reference.

I am also attaching an assembly program that shows the bug.

-----------------------------------

Summary:
My compiler generates programs that handle signals directly from the kernel without going through any of libc. Thus these programs use the kernel system calls to set up signal handlers.

There appears to be a bug on 10.8 and later (64 bit kernels), where such programs hang when trying to handle any signals. This only appears to be the case when the program handling the signal is 32bit and is forked from a 64bit shell. See steps below for test case reproduction.

Steps to Reproduce:
1. Download the attached executable.
2. Run the executable from a 32-bit shell:
  % arch -arch i386 sh -c './rtex_divzero06 1'
This should produce the expected output:
!DivideByZeroException

3. Run the executable from a 64-bit shell:
  % arch -arch x86_64 sh -c './rtex_divzero06 1'

This unfortunately hangs on 10.8 and 10.9.

Worse, on 10.9, it causes a kernel panic when trying to kill the program when it is launched directly from the shell:

% ./rtex_divzero06 1
<hangs>
<CTRL+C> causes a kernel panic

Expected Results:
See above. Program should print !DivideByZeroException.

Actual Results:
Program hangs on 10.8 and 10.9. When CTRL+C'ing the program, causes a kernel panic on 10.9.

Version:
10.8
10.9

%uname -a
Darwin <machine> 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64

Notes:
The program is a compiled test case from the Virgil programming language:

https://code.google.com/p/virgil/

Configuration:
This always occurs on 10.8 and 10.9. It never occurs on 10.6. Have not tested on 10.7.



<rtex_divzero06> _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
This email sent to email@hidden


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Re: Kernel bug in handling signals (bug 15615281) (From: sk <email@hidden>)

  • Prev by Date: Re: Kernel bug in handling signals (bug 15615281)
  • Next by Date: Rewriting Mach in AppleScript?!
  • Previous by thread: Re: Kernel bug in handling signals (bug 15615281)
  • Next by thread: Re: Kernel bug in handling signals (bug 15615281)
  • Index(es):
    • Date
    • Thread