authorAustin Clements <austin@google.com>2018-01-18 17:33:04 -0500
committerAustin Clements <austin@google.com>2018-03-08 22:55:55 +0000
commit60a9e5d613d6de21735e54ca62246e3f8ef8c8d3 (patch)
tree624041ce95b576aea8c360107d5560c980a5f268 /src/runtime
parentc950a90d7240a6f2124ae38564c137b86866b191 (diff)
runtime: ensure abort actually crashes the process
On all non-x86 arches, runtime.abort simply reads from nil. Unfortunately, if this happens on a user stack, the signal handler will dutifully turn this into a panicmem, which lets user defers run and which user code can even recover from. To fix this, add an explicit check to the signal handler that turns faults in abort into hard crashes directly in the signal handler. This has the added benefit of giving a register dump at the abort point. Change-Id: If26a7f13790745ee3867db7f53b72d8281176d70 Reviewed-on: https://go-review.googlesource.com/93661 Run-TryBot: Austin Clements <austin@google.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Keith Randall <khr@golang.org>
Diffstat (limited to 'src/runtime')
-rw-r--r--src/runtime/crash_test.go17
-rw-r--r--src/runtime/os3_plan9.go4
-rw-r--r--src/runtime/signal_sighandler.go5
-rw-r--r--src/runtime/signal_windows.go5
-rw-r--r--src/runtime/stubs.go7
-rw-r--r--src/runtime/testdata/testprog/abort.go23
-rw-r--r--src/runtime/testdata/testprog/empty.s5
7 files changed, 66 insertions, 0 deletions
diff --git a/src/runtime/crash_test.go b/src/runtime/crash_test.go
index cd1aa51542..843b415006 100644
--- a/src/runtime/crash_test.go
+++ b/src/runtime/crash_test.go
@@ -637,3 +637,20 @@ func TestTimePprof(t *testing.T) {
t.Error("profiler refers to ExternalCode")
}
}
+
+// Test that runtime.abort does so.
+func TestAbort(t *testing.T) {
+ output := runTestProg(t, "testprog", "Abort")
+ if want := "runtime.abort"; !strings.Contains(output, want) {
+ t.Errorf("output does not contain %q:\n%s", want, output)
+ }
+ if strings.Contains(output, "BAD") {
+ t.Errorf("output contains BAD:\n%s", output)
+ }
+ // Check that it's a signal-style traceback.
+ if runtime.GOOS != "windows" {
+ if want := "PC="; !strings.Contains(output, want) {
+ t.Errorf("output does not contain %q:\n%s", want, output)
+ }
+ }
+}
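Review bot: The `runtime.GOOS != "windows"` guard around the `PC=` check in TestAbort has no stated reason, so a reader cannot tell whether Windows is expected to produce a different kind of traceback or whether the check was simply left out. Please add a one-line comment giving the reason next to the guard. The leading comment is also too terse to state the property being protected; something like `// TestAbort checks that runtime.abort crashes the process: deferred functions must not run and recover must not intercept the fault.` matches what the test program's `BAD` markers detect. On Windows the only evidence of a hard crash is then the absence of `BAD`, which is worth saying explicitly.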
diff --git a/src/runtime/os3_plan9.go b/src/runtime/os3_plan9.go
index b05965b63d..9158c44f2f 100644
--- a/src/runtime/os3_plan9.go
+++ b/src/runtime/os3_plan9.go
@@ -35,6 +35,10 @@ func sighandler(_ureg *ureg, note *byte, gp *g) int {
print("sighandler: note is longer than ERRMAX\n")
goto Throw
}
+ if c.pc() == funcPC(abort) || (GOARCH == "arm" && c.pc() == funcPC(abort)+4) {
+ // Never turn abort into a panic.
+ goto Throw
+ }
// See if the note matches one of the patterns in sigtab.
// Notes that do not match any pattern can be handled at a higher
// level by the program but will otherwise be ignored.
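Review bot: The abort-PC test in this sighandler hunk is repeated verbatim in the signal_sighandler.go and signal_windows.go hunks, each time with an unexplained `+4` for arm. Because this comparison is what keeps a deliberate runtime abort from becoming a recoverable panic, it should live in one place, for example `func isAbortPC(pc uintptr) bool { return pc == funcPC(abort) || (GOARCH == "arm" && pc == funcPC(abort)+4) }`, with all three call sites using it. The helper should carry a comment saying why arm needs the offset; presumably the faulting load is the second instruction of the arm abort, but that assembly is not part of this diff, so confirm it. An exact-PC match stops working silently if an abort implementation is ever reordered, and TestAbort is then the only safety net, so the comment should say that too. The enclosing sighandler bodies start and end outside all three hunks.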
diff --git a/src/runtime/signal_sighandler.go b/src/runtime/signal_sighandler.go
index 13448929bc..3004e36769 100644
--- a/src/runtime/signal_sighandler.go
+++ b/src/runtime/signal_sighandler.go
@@ -43,6 +43,11 @@ func sighandler(sig uint32, info *siginfo, ctxt unsafe.Pointer, gp *g) {
// stack. Abort in the signal handler instead.
flags = (flags &^ _SigPanic) | _SigThrow
}
+ if c.sigpc() == funcPC(abort) || (GOARCH == "arm" && c.sigpc() == funcPC(abort)+4) {
+ // On many architectures, the abort function just
+ // causes a memory fault. Don't turn that into a panic.
+ flags = _SigThrow
+ }
if c.sigcode() != _SI_USER && flags&_SigPanic != 0 {
// The signal is going to cause a panic.
// Arrange the stack so that it looks like the point
diff --git a/src/runtime/signal_windows.go b/src/runtime/signal_windows.go
index 518aac3c48..4d55f0fe6c 100644
--- a/src/runtime/signal_windows.go
+++ b/src/runtime/signal_windows.go
@@ -46,6 +46,11 @@ func isgoexception(info *exceptionrecord, r *context) bool {
return false
}
+ if r.ip() == funcPC(abort) || (GOARCH == "arm" && r.ip() == funcPC(abort)+4) {
+ // Never turn abort into a panic.
+ return false
+ }
+
// Go will only handle some exceptions.
switch info.exceptioncode {
default:
diff --git a/src/runtime/stubs.go b/src/runtime/stubs.go
index 6019005fbe..7818fd3683 100644
--- a/src/runtime/stubs.go
+++ b/src/runtime/stubs.go
@@ -313,3 +313,10 @@ func bool2int(x bool) int {
// exactly what you would want it to.
return int(uint8(*(*uint8)(unsafe.Pointer(&x))))
}
+
+// abort crashes the runtime in situations where even throw might not
+// work. In general it should do something a debugger will recognize
+// (e.g., an INT3 on x86). A crash in abort is recognized by the
+// signal handler, which will attempt to tear down the runtime
+// immediately.
+func abort()
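Review bot: The new doc comment on `abort` says a crash in abort "is recognized by the signal handler" but does not say how, and the mechanism puts a constraint on every assembly implementation. The handlers in this commit compare the faulting PC against `funcPC(abort)` (or `funcPC(abort)+4` on arm), so an implementation that faults at any other instruction would fall back to the ordinary panic path and become recoverable again. I would extend the comment with a sentence such as `// Implementations that crash via a memory fault must fault at the PC the signal handlers check for (the entry PC, or entry+4 on arm).` Whether the x86 INT3 variants rely on this check at all is not visible here and would be worth stating as well.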
diff --git a/src/runtime/testdata/testprog/abort.go b/src/runtime/testdata/testprog/abort.go
new file mode 100644
index 0000000000..9e79d4dea3
--- /dev/null
+++ b/src/runtime/testdata/testprog/abort.go
@@ -0,0 +1,23 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import _ "unsafe" // for go:linkname
+
+func init() {
+ register("Abort", Abort)
+}
+
+//go:linkname runtimeAbort runtime.abort
+func runtimeAbort()
+
+func Abort() {
+ defer func() {
+ recover()
+ panic("BAD: recovered from abort")
+ }()
+ runtimeAbort()
+ println("BAD: after abort")
+}
diff --git a/src/runtime/testdata/testprog/empty.s b/src/runtime/testdata/testprog/empty.s
new file mode 100644
index 0000000000..c5aa6f8a54
--- /dev/null
+++ b/src/runtime/testdata/testprog/empty.s
@@ -0,0 +1,5 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This exists solely so we can linkname in symbols from runtime.