Re: Invalid program counters and unwinding

[Jakub Jelinek <jakub@redhat.com>]

On Tue, Jun 26, 2018 at 01:01:06PM +0200, Florian Weimer wrote:
> On 06/26/2018 12:56 PM, Nathan Sidwell wrote:
> > On 06/26/2018 05:26 AM, Florian Weimer wrote:
> > 
> > > So it looks to me that the caller of _Unwind_Find_FDE needs to
> > > ensure that the PC is a valid element of the call stack.  Is this a
> > > correct assumption?
> > 
> > I thought this was an (implicit?) requirement. You're unwinding a stack
> > to deliver an exception up it.  Are there use cases where that is not
> > the case?
> 
> We have something approaching this scenario.
> 
> pthread_cancel in glibc unwinds the stack using DWARF information until
> encounters a frame without unwind information, when it switches to longjmp
> to get past that obstacle.
> 
> However, at the point of transition from a valid DWARF frame into the
> wilderness (without unwind data), we should still have accurate information
> on the caller's PC, so _Unwind_Find_FDE will reliably fail to find any
> unwind data for it.  It's not a random pointer somewhere else, so I think
> even the pthread_cancel case is fully supported.

The usual ways to get bogus PCs in the frames is:
1) stack corruption
2) setcontext/swapcontext with uninitialized or corrupted ucontext_t
3) bogus unwind info (compiler or linker etc. bug)

At least for unwinding, I think we don't and shouldn't care, we assume only
valid programs.  For cases like _Unwind_Backtrace when used to print info in
case of fatal signal or stack corruption, it is more questionable, but at
least the current implmentation doesn't care either.  There have been some
requests e.g. to use extremely slow safe accesses like syscalls from the
potential invalid memory, or mincore, or parsing of /proc/self/maps to make
it work even if everything is corrupted, but so far nothing thankfully made
it in.

	Jakub