unix: Unsafe-wrap stack_overflow::signal_handler · model-checking/verify-rust-std@9fb6e49 (original) (raw)

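--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -86,13 +86,18 @@ mod imp {
 // out many large systems and all implementations allow returning from a
 // signal handler to work. For a more detailed explanation see the
 // comments on #26458.
+/// SIGSEGV/SIGBUS entry point
+/// # Safety
+/// Rust doesn't call this, it gets called.
+#[forbid(unsafe_op_in_unsafe_fn)]
 unsafe extern "C" fn signal_handler(
 signum: libc::c_int,
 info: *mut libc::siginfo_t,
 _data: *mut libc::c_void,
 ) {
 let (start, end) = GUARD.get();
-let addr = (*info).si_addr() as usize;
+// SAFETY: this pointer is provided by the system and will always point to a valid siginfo_t.
+let addr = unsafe { (*info).si_addr().addr() };
 
 // If the faulting address is within the guard page, then we print a
 // message saying so and abort.
@@ -104,9 +109,11 @@ mod imp {
 rtabort!("stack overflow");
 } else {
 // Unregister ourselves by reverting back to the default behavior.
-let mut action: sigaction = mem::zeroed();
+// SAFETY: assuming all platforms define struct sigaction as "zero-initializable"
+let mut action: sigaction = unsafe { mem::zeroed() };
  action.sa_sigaction = SIG_DFL;
-sigaction(signum, &action, ptr::null_mut());
+// SAFETY: pray this is a well-behaved POSIX implementation of fn sigaction
+unsafe { sigaction(signum, &action, ptr::null_mut()) };
 
 // See comment above for why this function returns.
 }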
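Review bot: The two `// SAFETY:` comments added in the second hunk (`assuming all platforms define struct sigaction as "zero-initializable"` and `pray this is a well-behaved POSIX implementation of fn sigaction`) state a hope rather than the invariant that makes each operation sound, which undercuts the point of adding `#[forbid(unsafe_op_in_unsafe_fn)]`. For `mem::zeroed()` the actual justification is that `libc::sigaction` is a plain C struct of integer, `sigset_t` and (on some targets) `Option<fn>` fields, so the all-zero bit pattern is a valid value; for the call it is that `action` is fully initialized and outlives the call, a null `oldact` is permitted by POSIX, `signum` is the signal number the kernel delivered, and `sigaction` is async-signal-safe so it may run inside a handler. I would replace them with `// SAFETY: libc::sigaction is a plain C struct of integer/sigset_t/Option<fn> fields, so all-zero bytes are a valid value.` and `// SAFETY: action is fully initialized and outlives the call, a null oldact is allowed by POSIX, signum is the delivered signal, and sigaction is async-signal-safe.`. The `SAFETY` comment on `(*info).si_addr()` in the first hunk has the same gap: `info` is only a valid `siginfo_t` pointer because the handler is (presumably, the registration is outside this diff) installed with `SA_SIGINFO`, and that precondition belongs both in that comment and in the `/// # Safety` doc section, which currently says only `Rust doesn't call this, it gets called.` and names no contract at all. The discarded result of the `sigaction` call is pre-existing, but if resetting to `SIG_DFL` ever failed the fault would re-enter this handler on return, so a short comment acknowledging why the error is deliberately ignored would help the next reader.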