Linux 如何编写信号处理程序来捕获 SIGSEGV?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2663456/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to write a signal handler to catch SIGSEGV?
提问by Adi
I want to write a signal handler to catch SIGSEGV. I protect a block of memory for read or write using
我想编写一个信号处理程序来捕获 SIGSEGV。我保护一块内存用于读取或写入使用
char *buffer;
char *p;
char a;
int pagesize = 4096;
mprotect(buffer,pagesize,PROT_NONE)
This protects pagesize bytes of memory starting at buffer against any reads or writes.
这可以保护从缓冲区开始的内存的 pagesize 字节免受任何读取或写入。
Second, I try to read the memory:
其次,我尝试读取内存:
p = buffer;
a = *p
This will generate a SIGSEGV, and my handler will be called. So far so good. My problem is that, once the handler is called, I want to change the access write of the memory by doing
这将生成一个 SIGSEGV,并且将调用我的处理程序。到现在为止还挺好。我的问题是,一旦调用处理程序,我想通过执行以下操作来更改内存的访问写入
mprotect(buffer,pagesize,PROT_READ);
and continue normal functioning of my code. I do not want to exit the function. On future writes to the same memory, I want to catch the signal again and modify the write rights and then record that event.
并继续我的代码的正常运行。我不想退出该功能。在将来写入同一内存时,我想再次捕获信号并修改写入权限,然后记录该事件。
Here is the code:
这是代码:
#include <signal.h>
#include <stdio.h>
#include <malloc.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/mman.h>
#define handle_error(msg) \
do { perror(msg); exit(EXIT_FAILURE); } while (0)
char *buffer;
int flag=0;
static void handler(int sig, siginfo_t *si, void *unused)
{
printf("Got SIGSEGV at address: 0x%lx\n",(long) si->si_addr);
printf("Implements the handler only\n");
flag=1;
//exit(EXIT_FAILURE);
}
int main(int argc, char *argv[])
{
char *p; char a;
int pagesize;
struct sigaction sa;
sa.sa_flags = SA_SIGINFO;
sigemptyset(&sa.sa_mask);
sa.sa_sigaction = handler;
if (sigaction(SIGSEGV, &sa, NULL) == -1)
handle_error("sigaction");
pagesize=4096;
/* Allocate a buffer aligned on a page boundary;
initial protection is PROT_READ | PROT_WRITE */
buffer = memalign(pagesize, 4 * pagesize);
if (buffer == NULL)
handle_error("memalign");
printf("Start of region: 0x%lx\n", (long) buffer);
printf("Start of region: 0x%lx\n", (long) buffer+pagesize);
printf("Start of region: 0x%lx\n", (long) buffer+2*pagesize);
printf("Start of region: 0x%lx\n", (long) buffer+3*pagesize);
//if (mprotect(buffer + pagesize * 0, pagesize,PROT_NONE) == -1)
if (mprotect(buffer + pagesize * 0, pagesize,PROT_NONE) == -1)
handle_error("mprotect");
//for (p = buffer ; ; )
if(flag==0)
{
p = buffer+pagesize/2;
printf("It comes here before reading memory\n");
a = *p; //trying to read the memory
printf("It comes here after reading memory\n");
}
else
{
if (mprotect(buffer + pagesize * 0, pagesize,PROT_READ) == -1)
handle_error("mprotect");
a = *p;
printf("Now i can read the memory\n");
}
/* for (p = buffer;p<=buffer+4*pagesize ;p++ )
{
//a = *(p);
*(p) = 'a';
printf("Writing at address %p\n",p);
}*/
printf("Loop completed\n"); /* Should never happen */
exit(EXIT_SUCCESS);
}
The problem is that only the signal handler runs and I can't return to the main function after catching the signal.
问题是只有信号处理程序运行,我无法在捕获信号后返回主函数。
采纳答案by Chris Dodd
When your signal handler returns (assuming it doesn't call exit or longjmp or something that prevents it from actually returning), the code will continue at the point the signal occurred, reexecuting the same instruction. Since at this point, the memory protection has not been changed, it will just throw the signal again, and you'll be back in your signal handler in an infinite loop.
当您的信号处理程序返回时(假设它没有调用 exit 或 longjmp 或阻止它实际返回的东西),代码将在信号发生的点继续,重新执行相同的指令。由于此时内存保护没有改变,它只会再次抛出信号,并且您将在无限循环中返回到您的信号处理程序中。
So to make it work, you have to call mprotect in the signal handler. Unfortunately, as Steven Schansker notes, mprotect is not async-safe, so you can't safely call it from the signal handler. So, as far as POSIX is concerned, you're screwed.
因此,要使其工作,您必须在信号处理程序中调用 mprotect。不幸的是,正如 Steven Schansker 所指出的,mprotect 不是异步安全的,因此您不能安全地从信号处理程序中调用它。所以,就 POSIX 而言,你被搞砸了。
Fortunately on most implementations (all modern UNIX and Linux variants as far as I know), mprotect is a system call, so is safe to call from within a signal handler, so you can do most of what you want. The problem is that if you want to change the protections back after the read, you'll have to do that in the main program after the read.
幸运的是,在大多数实现(据我所知,所有现代 UNIX 和 Linux 变体)中, mprotect 是一个系统调用,因此从信号处理程序中调用是安全的,因此您可以做大部分您想做的事情。问题是,如果您想在读取后更改保护,则必须在读取后在主程序中执行此操作。
Another possibility is to do something with the third argument to the signal handler, which points at an OS and arch specific structure that contains info about where the signal occurred. On Linux, this is a ucontextstructure, which contains machine-specific info about the $PC address and other register contents where the signal occurred. If you modify this, you change where the signal handler will return to, so you can change the $PC to be just after the faulting instruction so it won't re-execute after the handler returns. This is very tricky to get right (and non-portable too).
另一种可能性是对信号处理程序的第三个参数做一些事情,它指向一个操作系统和架构特定的结构,其中包含有关信号发生位置的信息。在 Linux 上,这是一个ucontext结构,其中包含有关 $PC 地址和其他发生信号的寄存器内容的机器特定信息。如果你修改它,你会改变信号处理程序将返回的位置,所以你可以将 $PC 更改为紧跟在错误指令之后,这样它就不会在处理程序返回后重新执行。这很难做到正确(并且也不是便携式的)。
edit
编辑
The ucontextstructure is defined in <ucontext.h>. Within the ucontextthe field uc_mcontextcontains the machine context, and within that, the array gregscontains the general register context. So in your signal handler:
该ucontext结构在 中定义<ucontext.h>。内的ucontext所述字段uc_mcontext包含了机器上下文,并在其中,阵列gregs包含通用寄存器上下文。所以在你的信号处理程序中:
ucontext *u = (ucontext *)unused;
unsigned char *pc = (unsigned char *)u->uc_mcontext.gregs[REG_RIP];
will give you the pc where the exception occurred. You can read it to figure out what instruction it was that faulted, and do something different.
会给你发生异常的电脑。您可以阅读它以找出错误的指令,然后做一些不同的事情。
As far as the portability of calling mprotect in the signal handler is concerned, any system that follows either the SVID spec or the BSD4 spec should be safe -- they allow calling any system call (anything in section 2 of the manual) in a signal handler.
就在信号处理程序中调用 mprotect 的可移植性而言,任何遵循 SVID 规范或 BSD4 规范的系统都应该是安全的——它们允许在信号中调用任何系统调用(手册第 2 节中的任何内容)处理程序。
回答by Steven Schlansker
You've fallen into the trap that all people do when they first try to handle signals. The trap? Thinking that you can actually do anything usefulwith signal handlers. From a signal handler, you are only allowed to call asynchronous and reentrant-safe library calls.
你已经落入了所有人第一次尝试处理信号时都会犯的陷阱。陷阱?认为您实际上可以使用信号处理程序做任何有用的事情。从信号处理程序中,您只能调用异步和可重入安全库调用。
See this CERT advisoryas to why and a list of the POSIX functions that are safe.
请参阅此 CERT 公告以了解原因以及安全的 POSIX 函数列表。
Note that printf(), which you are already calling, is not on that list.
请注意,您已经调用的 printf() 不在该列表中。
Nor is mprotect. You're not allowed to call it from a signal handler. It mightwork, but I can promise you'll run into problems down the road. Be really careful with signal handlers, they're tricky to get right!
mprotect 也不是。您不能从信号处理程序中调用它。它可能会奏效,但我可以保证你以后会遇到问题。对信号处理程序要非常小心,他们很难做到正确!
EDIT
编辑
Since I'm being a portability douchebag at the moment already, I'll point out that you also shouldn't write to shared (i.e. global) variableswithout taking the proper precautions.
由于我现在已经是一个可移植的混蛋,我会指出你也不应该在没有采取适当预防措施的情况下写入共享(即全局)变量。
回答by Ben Voigt
You can recover from SIGSEGV on linux. Also you can recover from segmentation faults on Windows (you'll see a structured exception instead of a signal). But the POSIX standard doesn't guarantee recovery, so your code will be very non-portable.
您可以在 linux 上从 SIGSEGV 中恢复。您还可以从 Windows 上的分段错误中恢复(您将看到结构化异常而不是信号)。但是POSIX 标准不保证恢复,因此您的代码将非常不可移植。
Take a look at libsigsegv.
看看libsigsegv。
回答by shreshtha
There is a compilation problem using ucontext_tor struct ucontext(present in /usr/include/sys/ucontext.h)
使用ucontext_t或 struct 时ucontext存在编译问题(存在于 中/usr/include/sys/ucontext.h)
回答by Demi
You should not return from the signal handler, as then behavior is undefined. Rather, jump out of it with longjmp.
你不应该从信号处理程序返回,因为行为是未定义的。相反,使用 longjmp 跳出它。
This is only okay if the signal is generated in an async-signal-safe function. Otherwise, behavior is undefined if the program ever calls another async-signal-unsafe function. Hence, the signal handler should only be established immediately before it is necessary, and disestablished as soon as possible.
只有在异步信号安全函数中生成信号时,这才可以。否则,如果程序调用另一个异步信号不安全函数,则行为未定义。因此,信号处理程序应该只在需要之前立即建立,并尽快解除。
In fact, I know of very few uses of a SIGSEGV handler:
事实上,我知道 SIGSEGV 处理程序的用途很少:
- use an async-signal-safe backtrace library to log a backtrace, then die.
- in a VM such as the JVM or CLR: check if the SIGSEGV occurred in JIT-compiled code. If not, die; if so, then throw a language-specific exception (nota C++ exception), which works because the JIT compiler knew that the trap could happen and generated appropriate frame unwind data.
- clone() and exec() a debugger (do notuse fork() – that calls callbacks registered by pthread_atfork()).
- 使用异步信号安全回溯库记录回溯,然后死亡。
- 在 JVM 或 CLR 等 VM 中:检查 SIGSEGV 是否出现在 JIT 编译的代码中。如果没有,就去死;如果是,则抛出一个特定于语言的异常(不是C++ 异常),这是因为 JIT 编译器知道陷阱可能发生并生成适当的帧展开数据。
- 克隆()和exec()一个调试器(千万不能使用fork() -通过pthread_atfork注册的电话回调())。
Finally, note that any action that triggers SIGSEGV is probably UB, as this is accessing invalid memory. However, this would not be the case if the signal was, say, SIGFPE.
最后,请注意,触发 SIGSEGV 的任何操作都可能是 UB,因为这是访问无效内存。但是,如果信号是 SIGFPE,则情况并非如此。
