runtime: don't call libc sigaction function in forked child

If we are using vfork, and if something (such as TSAN) is intercepting the sigaction function, then we must call the system call, not the libc function. Otherwise the intercepted sigaction call in the child may trash the data structures in the parent. Change-Id: Id9588bfeaa934f32c920bf829c5839be5cacf243 Reviewed-on: https://go-review.googlesource.com/50251 Reviewed-by: Joe Tsai <thebrokentoaster@gmail.com> Reviewed-by: Austin Clements <austin@google.com>
2025-12-08 06:10:04 +00:00 · 2017-07-19 23:42:27 -07:00 · 2017-07-19 23:42:27 -07:00 · 28f650a2f7
commit 28f650a2f7
parent 5125a96710
2 changed files with 18 additions and 1 deletions
--- a/src/runtime/cgo_sigaction.go
+++ b/src/runtime/cgo_sigaction.go
@ -30,7 +30,7 @@ func rt_sigaction(sig uintptr, new, old *sigactiont, size uintptr) int32 {

 	var ret int32

-	if _cgo_sigaction == nil {
+	if _cgo_sigaction == nil || inForkedChild {
 		ret = sysSigaction(sig, new, old, size)
 	} else {
 		// We need to call _cgo_sigaction, which means we need a big enough stack
--- a/src/runtime/proc.go
+++ b/src/runtime/proc.go
@ -2851,18 +2851,35 @@ func syscall_runtime_AfterFork() {
 	systemstack(afterfork)
 }

+// inForkedChild is true while manipulating signals in the child process.
+// This is used to avoid calling libc functions in case we are using vfork.
+var inForkedChild bool
+
 // Called from syscall package after fork in child.
 // It resets non-sigignored signals to the default handler, and
 // restores the signal mask in preparation for the exec.
+//
+// Because this might be called during a vfork, and therefore may be
+// temporarily sharing address space with the parent process, this must
+// not change any global variables or calling into C code that may do so.
+//
 //go:linkname syscall_runtime_AfterForkInChild syscall.runtime_AfterForkInChild
 //go:nosplit
 //go:nowritebarrierrec
 func syscall_runtime_AfterForkInChild() {
+	// It's OK to change the global variable inForkedChild here
+	// because we are going to change it back. There is no race here,
+	// because if we are sharing address space with the parent process,
+	// then the parent process can not be running concurrently.
+	inForkedChild = true
+
 	clearSignalHandlers()

 	// When we are the child we are the only thread running,
 	// so we know that nothing else has changed gp.m.sigmask.
 	msigrestore(getg().m.sigmask)
+
+	inForkedChild = false
 }

 // Called from syscall package before Exec.