QEMU used MOVW(2) (0x9300), which loads the syscall number from PC+4, instead of the kernel's MOVW(7) (0x9305), which loads from PC+14. The kernel uses five "or r0,r0" nop pads between TRAP_NOARG and the syscall number word to reach that offset. libunwind's unw_is_signal_frame checks for the exact kernel byte pattern 0xc3109305 at the frame PC, so QEMU's compact layout was not detected, breaking unwinding through signal frames.
Expand each trampoline from 6 to 16 bytes matching the kernel layout defined in arch/sh/kernel/signal_32.c: #define MOVW(n) (0x9300|((n)-2)) /* Move mem word at PC+n to R3 */ #define TRAP_NOARG 0xc310 /* Syscall w/no args (NR in R3) */ #define OR_R0_R0 0x200b /* or r0,r0 (insert to avoid hardware bug) */ __put_user(MOVW(7), &frame->retcode[0]); /* 0x9305 */ __put_user(TRAP_NOARG, &frame->retcode[1]); /* 0xc310 */ __put_user(OR_R0_R0, &frame->retcode[2]); /* 0x200b */ __put_user(OR_R0_R0, &frame->retcode[3]); /* 0x200b */ __put_user(OR_R0_R0, &frame->retcode[4]); /* 0x200b */ __put_user(OR_R0_R0, &frame->retcode[5]); /* 0x200b */ __put_user(OR_R0_R0, &frame->retcode[6]); /* 0x200b */ __put_user((__NR_sigreturn), &frame->retcode[7]); The first two halfwords (MOVW(7) || TRAP_NOARG = 0xc3109305) form the 32-bit value libunwind checks at the frame PC, followed by two OR_R0_R0 halfwords (0x200b200b) at PC+4. The same layout applies to the rt_sigreturn trampoline (lines 366-373 of signal_32.c). Neither this fix nor the companion tuc_link fix is independently sufficient: this fix makes signal frames detectable but register reads remain garbage without the correct ucontext layout; that fix corrects the ucontext layout but libunwind still cannot detect the frame without the correct trampoline pattern. Together they fix the following libunwind tests on a 64-bit host: Gtest-sig-context, Gtest-trace, Ltest-init-local-signal, Ltest-sig-context, Ltest-trace Signed-off-by: Matt Turner <[email protected]> Cc: [email protected] --- linux-user/sh4/signal.c | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git ./linux-user/sh4/signal.c ./linux-user/sh4/signal.c index 20d2bc8b2c..d70be24c38 100644 --- ./linux-user/sh4/signal.c +++ ./linux-user/sh4/signal.c @@ -329,20 +329,42 @@ badframe: return -QEMU_ESIGRETURN; } +/* + * "or r0,r0" nop used by the Linux kernel inline sigreturn trampolines to + * avoid a hardware bug (OR_R0_R0 in arch/sh/kernel/signal_32.c). Five of + * these nops follow TRAP_NOARG, placing the syscall number word 14 bytes + * past the MOVW(7) instruction (at MOVW(7)'s load offset). This yields the + * fixed 16-byte layout that libunwind's unw_is_signal_frame detects: + * [MOVW(7), TRAP_NOARG, 5x NOP_OR, .word syscall_nr] + */ +#define NOP_OR 0x200b + void setup_sigtramp(abi_ulong sigtramp_page) { - uint16_t *tramp = lock_user(VERIFY_WRITE, sigtramp_page, 2 * 6, 0); + uint16_t *tramp = lock_user(VERIFY_WRITE, sigtramp_page, 2 * 16, 0); assert(tramp != NULL); + /* sigreturn trampoline (non-RT) at offset 0 */ default_sigreturn = sigtramp_page; - __put_user(MOVW(2), &tramp[0]); + __put_user(MOVW(7), &tramp[0]); __put_user(TRAP_NOARG, &tramp[1]); - __put_user(TARGET_NR_sigreturn, &tramp[2]); + __put_user(NOP_OR, &tramp[2]); + __put_user(NOP_OR, &tramp[3]); + __put_user(NOP_OR, &tramp[4]); + __put_user(NOP_OR, &tramp[5]); + __put_user(NOP_OR, &tramp[6]); + __put_user(TARGET_NR_sigreturn, &tramp[7]); - default_rt_sigreturn = sigtramp_page + 6; - __put_user(MOVW(2), &tramp[3]); - __put_user(TRAP_NOARG, &tramp[4]); - __put_user(TARGET_NR_rt_sigreturn, &tramp[5]); + /* rt_sigreturn trampoline at offset 16 */ + default_rt_sigreturn = sigtramp_page + 16; + __put_user(MOVW(7), &tramp[8]); + __put_user(TRAP_NOARG, &tramp[9]); + __put_user(NOP_OR, &tramp[10]); + __put_user(NOP_OR, &tramp[11]); + __put_user(NOP_OR, &tramp[12]); + __put_user(NOP_OR, &tramp[13]); + __put_user(NOP_OR, &tramp[14]); + __put_user(TARGET_NR_rt_sigreturn, &tramp[15]); - unlock_user(tramp, sigtramp_page, 2 * 6); + unlock_user(tramp, sigtramp_page, 2 * 16); } -- 2.52.0
