Improve memory manager and signal handling

On Windows, mmap() now chooses addresses transactionally. It reduces the
risk of badness when interacting with the WIN32 memory manager. We don't
throw darts anymore. There is also no more retry limit, since we recover
from mystery maps more gracefully. The subroutine for combining adjacent
maps has been rewritten for clarity. The print maps subroutine is better

This change goes to great lengths to perfect the stack overflow code. On
Windows you can now longjmp() out of a crash signal handler. Guard pages
previously weren't being restored properly by the signal handler. That's
fixed, so on Windows you can now handle a stack overflow multiple times.
Great thought has been put into selecting the perfect SIGSTKSZ constants
so you can save sigaltstack() memory. You can now use kprintf() with 512
bytes of stack available. The guard pages beneath the main stack are now
recorded in the memory manager.

This change fixes getcontext() so it works right with the %rax register.

Author: jart

libc/calls/sigaltstack.c

@@ -113,19 +113,24 @@ static int sigaltstack_bsd(const struct sigaltstack *neu,
  *     struct sigaction sa;
  *     struct sigaltstack ss;
  *     ss.ss_flags = 0;
- *     ss.ss_size = sysconf(_SC_MINSIGSTKSZ) + 8192;
+ *     ss.ss_size = sysconf(_SC_SIGSTKSZ);
  *     ss.ss_sp = malloc(ss.ss_size);
  *     sigaltstack(&ss, 0);
  *     sigemptyset(&sa.ss_mask);
  *     sa.sa_flags = SA_ONSTACK;
  *     sa.sa_handler = OnStackOverflow;
  *     sigaction(SIGSEGV, &sa, 0);
  *
+ * Your stack size should be `sysconf(_SC_SIGSTKSZ)` which should be
+ * somewhere in the ballpark of 32kb to 64kb. You should go no lower
+ * than `sysconf(_SC_MINSIGSTKSZ) + 2048` which could be 4kb - 34kb.
+ * Cosmo also defines `SIGSTKSZ` as 32kb, which should also be safe.
+ *
  * @param neu if non-null will install new signal alt stack
  * @param old if non-null will receive current signal alt stack
  * @return 0 on success, or -1 w/ errno
  * @raise EFAULT if bad memory was supplied
- * @raise ENOMEM if `neu->ss_size` is less than `MINSIGSTKSZ`
+ * @raise ENOMEM if `neu->ss_size` is beneath `sysconf(_SC_MINSIGSTKSZ)`
  */
 int sigaltstack(const struct sigaltstack *neu, struct sigaltstack *old) {
   int rc;

libc/calls/sigenter-xnu.c

@@ -33,6 +33,7 @@
 #include "libc/runtime/syslib.internal.h"
 #include "libc/str/str.h"
 #include "libc/sysv/consts/sa.h"
+#include "libc/sysv/consts/sig.h"
 
 /**
  * @fileoverview XNU kernel callback normalization.
@@ -513,6 +514,7 @@ privileged void __sigenter_xnu(int sig, struct siginfo_xnu *xnuinfo,
     flags = __sighandflags[sig];
 
 #ifdef __aarch64__
+
     // xnu silicon claims to support sa_resethand but it does nothing
     // this can be tested, since it clears the bit from flags as well
     if (flags & SA_RESETHAND) {
@@ -521,6 +523,13 @@ privileged void __sigenter_xnu(int sig, struct siginfo_xnu *xnuinfo,
       __sighandflags[sig] = 0;
       __sighandrvas[sig] = 0;
     }
+
+    // unlike amd64, the instruction pointer on arm64 isn't advanced
+    // past the debugger breakpoint instruction automatically. we need
+    // this so execution can resume after __builtin_trap().
+    if (xnuctx && sig == SIGTRAP)
+      xnuctx->uc_mcontext->__ss.__pc += 4;
+
 #endif
 
     if (~flags & SA_SIGINFO) {

libc/calls/struct/ucontext.internal.h

@@ -1,13 +1,14 @@
 #ifndef COSMOPOLITAN_LIBC_CALLS_STRUCT_UCONTEXT_INTERNAL_H_
 #define COSMOPOLITAN_LIBC_CALLS_STRUCT_UCONTEXT_INTERNAL_H_
 #include "libc/calls/ucontext.h"
-#include "libc/nt/struct/context.h"
 COSMOPOLITAN_C_START_
 
 #ifdef __x86_64__
 #define PC   rip
 #define SP   rsp
 #define BP   rbp
+#define RES0 rax
+#define RES1 rdx
 #define ARG0 rdi
 #define ARG1 rsi
 #define ARG2 rdx
@@ -18,6 +19,8 @@ COSMOPOLITAN_C_START_
 #define PC   pc
 #define SP   sp
 #define BP   regs[29]
+#define RES0 regs[0]
+#define RES1 regs[1]
 #define ARG0 regs[0]
 #define ARG1 regs[1]
 #define ARG2 regs[2]
@@ -28,8 +31,5 @@ COSMOPOLITAN_C_START_
 #error "unsupported architecture"
 #endif
 
-void _ntcontext2linux(struct ucontext *, const struct NtContext *);
-void _ntlinux2context(struct NtContext *, const ucontext_t *);
-
 COSMOPOLITAN_C_END_
 #endif /* COSMOPOLITAN_LIBC_CALLS_STRUCT_UCONTEXT_INTERNAL_H_ */

libc/dlopen/dlopen.c

@@ -810,7 +810,7 @@ void *cosmo_dlopen(const char *path, int mode) {
   }
   ALLOW_CANCELATION;
   ALLOW_SIGNALS;
-  STRACE("dlopen(%#s, %d) → %p% m", path, mode, res);
+  STRACE("cosmo_dlopen(%#s, %d) → %p% m", path, mode, res);
   return res;
 }
 
@@ -855,7 +855,7 @@ void *cosmo_dlsym(void *handle, const char *name) {
   } else {
     func = 0;
   }
-  STRACE("dlsym(%p, %#s) → %p", handle, name, func);
+  STRACE("cosmo_dlsym(%p, %#s) → %p", handle, name, func);
   return func;
 }
 
@@ -890,7 +890,7 @@ int cosmo_dlclose(void *handle) {
   } else {
     res = -1;
   }
-  STRACE("dlclose(%p) → %d", handle, res);
+  STRACE("cosmo_dlclose(%p) → %d", handle, res);
   return res;
 }
 
@@ -909,6 +909,6 @@ char *cosmo_dlerror(void) {
   } else {
     res = dlerror_buf;
   }
-  STRACE("dlerror() → %#s", res);
+  STRACE("cosmo_dlerror() → %#s", res);
   return res;
 }

libc/dlopen/stubs.c

@@ -17,6 +17,10 @@
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/dlopen/dlfcn.h"
+#include "libc/intrin/strace.h"
+
+#define DLOPEN_ERROR \
+  "dlopen() isn't supported; consider using cosmo_dlopen() and read its docs"
 
 /**
  * Opens dynamic shared object using host platform libc.
@@ -27,12 +31,13 @@
  *
  * @return null always
  */
-void *dlopen(const char *, int) {
+void *dlopen(const char *path, int mode) {
+  STRACE("dlopen(%#s, %d) → 0 [%s]", path, mode, DLOPEN_ERROR);
   return 0;
 }
 
 char *dlerror(void) {
-  return "dlopen() isn't supported by cosmo; try using cosmo_dlopen()";
+  return DLOPEN_ERROR;
 }
 
 void *dlsym(void *, const char *) {

libc/intrin/directmap.c

@@ -16,12 +16,13 @@
 │ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/intrin/directmap.h"
 #include "libc/calls/calls.h"
 #include "libc/calls/syscall-sysv.internal.h"
 #include "libc/dce.h"
 #include "libc/errno.h"
+#include "libc/intrin/describebacktrace.h"
 #include "libc/intrin/describeflags.h"
-#include "libc/intrin/directmap.h"
 #include "libc/intrin/strace.h"
 #include "libc/nt/runtime.h"
 #include "libc/runtime/memtrack.internal.h"

libc/intrin/getminsigstksz.c

@@ -16,18 +16,47 @@
 │ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
+#include "libc/calls/struct/siginfo.h"
+#include "libc/calls/ucontext.h"
+#include "libc/dce.h"
 #include "libc/intrin/getauxval.h"
-#include "libc/macros.h"
 #include "libc/runtime/runtime.h"
 #include "libc/sysv/consts/auxv.h"
 #include "libc/sysv/consts/ss.h"
 
 long __get_minsigstksz(void) {
-  struct AuxiliaryValue x;
-  x = __getauxval(AT_MINSIGSTKSZ);
-  if (x.isfound) {
-    return MAX(_MINSIGSTKSZ - 1024, x.value) + 1024;
+  struct AuxiliaryValue av;
+  av = __getauxval(AT_MINSIGSTKSZ);
+  if (av.isfound) {
+    long res = av.value;
+    if (!IsLinux())
+      res += sizeof(struct ucontext) + sizeof(struct siginfo) + 128;
+    if (res < _MINSIGSTKSZ)
+      res = _MINSIGSTKSZ;
+    return res;
   } else {
+    // _MINSIGSTKSZ takes these things into consideration:
+    //
+    // 1. The platform definition of MINSIGSTKSZ. This will probably be
+    //    enforced by the kernel when calling sys_sigaltstack(). On ARM
+    //    platforms this might be several kilobytes larger than x86. On
+    //    Linux they really want you to use AT_MINSIGSTKSZ instead. The
+    //    kernel should ideally set this to be the number of bytes that
+    //    get subtracted from the stack pointer when delivering signals
+    //    meaning that if you use this for a stack size your handler is
+    //    called successfully but if it uses the stack then it'll crash
+    //
+    // 2. Cosmo sigenter overhead. On non-Linux OSes the kernel calls a
+    //    trampoline in the libc runtime, which translates the platform
+    //    specific signal frame to the Linux memory layout. It means we
+    //    need to push ~1024 extra bytes on the stack to call a handler
+    //
+    // 3. Sanity testing. Assume we use sysconf(_SC_MINSIGSTKSZ) + 2048
+    //    as our stack size (see stackoverflow1_test.c). Then we should
+    //    have enough room to use kprintf() from our signal handler. If
+    //    that isn't the case, then this should be increased a bit more
+    //    noting that if 1024 is used then kprintf should print refusal
+    //
     return _MINSIGSTKSZ;
   }
 }

libc/intrin/getsafesize.greg.c

@@ -17,8 +17,8 @@
 │ PERFORMANCE OF THIS SOFTWARE.                                                │
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "ape/sections.internal.h"
-#include "libc/intrin/kprintf.h"
 #include "libc/runtime/memtrack.internal.h"
+#include "libc/runtime/runtime.h"
 #include "libc/runtime/stack.h"
 #include "libc/thread/posixthread.internal.h"
 #include "libc/thread/tls.h"
@@ -37,12 +37,13 @@ privileged optimizesize long __get_safe_size(long want, long extraspace) {
   struct PosixThread *pt;
   struct CosmoTib *tib = __get_tls_privileged();
   long bottom, sp = GetStackPointer();
-  if ((char *)sp >= tib->tib_sigstack_addr &&
-      (char *)sp <= tib->tib_sigstack_addr + tib->tib_sigstack_size) {
+  if (sp >= (long)tib->tib_sigstack_addr &&
+      sp < (long)tib->tib_sigstack_addr + tib->tib_sigstack_size) {
     bottom = (long)tib->tib_sigstack_addr;
   } else if ((pt = (struct PosixThread *)tib->tib_pthread) &&
-             pt->pt_attr.__stacksize) {
-    bottom = (long)pt->pt_attr.__stackaddr + pt->pt_attr.__guardsize;
+             sp >= (long)pt->pt_attr.__stackaddr &&
+             sp < (long)pt->pt_attr.__stackaddr + pt->pt_attr.__stacksize) {
+    bottom = (long)pt->pt_attr.__stackaddr;
   } else {
     return want;
   }

libc/intrin/kisdangerous.c

@@ -18,6 +18,7 @@
 ╚─────────────────────────────────────────────────────────────────────────────*/
 #include "libc/intrin/kprintf.h"
 #include "libc/intrin/maps.h"
+#include "libc/runtime/runtime.h"
 
 privileged optimizesize bool32 kisdangerous(const void *addr) {
   bool32 res = true;
@@ -26,7 +27,8 @@ privileged optimizesize bool32 kisdangerous(const void *addr) {
     struct Map *map;
     if ((map = __maps_floor(addr)))
       if ((const char *)addr >= map->addr &&
-          (const char *)addr < map->addr + map->size)
+          (const char *)addr <
+              map->addr + ((map->size + __pagesize - 1) & -__pagesize))
         res = false;
   } else {
     res = false;

libc/intrin/kprintf.greg.c

@@ -352,9 +352,8 @@ ABI void klog(const char *b, size_t n) {
   long h;
   uint32_t wrote;
   long rax, rdi, rsi, rdx;
-  if ((h = kloghandle()) == -1) {
+  if ((h = kloghandle()) == -1)
     return;
-  }
   if (IsWindows()) {
     bool32 ok;
     intptr_t ev;
@@ -408,10 +407,11 @@ ABI void klog(const char *b, size_t n) {
 ABI static size_t kformat(char *b, size_t n, const char *fmt, va_list va) {
   int si;
   wint_t t, u;
+  char *cxxbuf;
   const char *abet;
   signed char type;
   const char *s, *f;
-  char cxxbuf[3000];
+  int cxxbufsize = 0;
   struct CosmoTib *tib;
   unsigned long long x;
   unsigned i, j, m, rem, sign, hash, cols, prec;
@@ -755,13 +755,25 @@ ABI static size_t kformat(char *b, size_t n, const char *fmt, va_list va) {
           x = va_arg(va, intptr_t);
           if (_weaken(__symtab) && *_weaken(__symtab) &&
               (idx = _weaken(__get_symbol)(0, x)) != -1) {
-            /* if (p + 1 <= e) */
-            /*   *p++ = '&'; */
             s = (*_weaken(__symtab))->name_base +
                 (*_weaken(__symtab))->names[idx];
-            if (_weaken(__is_mangled) && _weaken(__is_mangled)(s) &&
-                _weaken(__demangle)(cxxbuf, s, sizeof(cxxbuf)) != -1)
-              s = cxxbuf;
+#pragma GCC push_options
+#pragma GCC diagnostic ignored "-Walloca-larger-than="
+            // decipher c++ symbols if there's enough stack memory
+            // stack size requirement assumes max_depth's still 20
+            if (_weaken(__demangle) &&    //
+                _weaken(__is_mangled) &&  //
+                _weaken(__is_mangled)(s)) {
+              if (!cxxbufsize)
+                if ((cxxbufsize = __get_safe_size(8192, 8192)) >= 512) {
+                  cxxbuf = alloca(cxxbufsize);
+                  CheckLargeStackAllocation(cxxbuf, sizeof(cxxbufsize));
+                }
+              if (cxxbufsize >= 512)
+                if (_weaken(__demangle)(cxxbuf, s, cxxbufsize) != -1)
+                  s = cxxbuf;
+            }
+#pragma GCC pop_options
             goto FormatString;
           }
           base = 4;
@@ -1050,7 +1062,7 @@ ABI size_t kvsnprintf(char *b, size_t n, const char *fmt, va_list v) {
 ABI void kvprintf(const char *fmt, va_list v) {
 #pragma GCC push_options
 #pragma GCC diagnostic ignored "-Walloca-larger-than="
-  long size = __get_safe_size(8000, 8000);
+  long size = __get_safe_size(8192, 2048);
   if (size < 80) {
     klog(STACK_ERROR, sizeof(STACK_ERROR) - 1);
     return;