1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runtime
6
7import (
8	"internal/abi"
9	"runtime/internal/sys"
10	"unsafe"
11)
12
13const (
14	_SEM_FAILCRITICALERRORS = 0x0001
15	_SEM_NOGPFAULTERRORBOX  = 0x0002
16	_SEM_NOOPENFILEERRORBOX = 0x8000
17
18	_WER_FAULT_REPORTING_NO_UI = 0x0020
19)
20
21func preventErrorDialogs() {
22	errormode := stdcall0(_GetErrorMode)
23	stdcall1(_SetErrorMode, errormode|_SEM_FAILCRITICALERRORS|_SEM_NOGPFAULTERRORBOX|_SEM_NOOPENFILEERRORBOX)
24
25	// Disable WER fault reporting UI.
26	// Do this even if WER is disabled as a whole,
27	// as WER might be enabled later with setTraceback("wer")
28	// and we still want the fault reporting UI to be disabled if this happens.
29	var werflags uintptr
30	stdcall2(_WerGetFlags, currentProcess, uintptr(unsafe.Pointer(&werflags)))
31	stdcall1(_WerSetFlags, werflags|_WER_FAULT_REPORTING_NO_UI)
32}
33
34// enableWER re-enables Windows error reporting without fault reporting UI.
35func enableWER() {
36	// re-enable Windows Error Reporting
37	errormode := stdcall0(_GetErrorMode)
38	if errormode&_SEM_NOGPFAULTERRORBOX != 0 {
39		stdcall1(_SetErrorMode, errormode^_SEM_NOGPFAULTERRORBOX)
40	}
41}
42
43// in sys_windows_386.s, sys_windows_amd64.s, sys_windows_arm.s, and sys_windows_arm64.s
44func exceptiontramp()
45func firstcontinuetramp()
46func lastcontinuetramp()
47func sehtramp()
48func sigresume()
49
50func initExceptionHandler() {
51	stdcall2(_AddVectoredExceptionHandler, 1, abi.FuncPCABI0(exceptiontramp))
52	if GOARCH == "386" {
53		// use SetUnhandledExceptionFilter for windows-386.
54		// note: SetUnhandledExceptionFilter handler won't be called, if debugging.
55		stdcall1(_SetUnhandledExceptionFilter, abi.FuncPCABI0(lastcontinuetramp))
56	} else {
57		stdcall2(_AddVectoredContinueHandler, 1, abi.FuncPCABI0(firstcontinuetramp))
58		stdcall2(_AddVectoredContinueHandler, 0, abi.FuncPCABI0(lastcontinuetramp))
59	}
60}
61
62// isAbort returns true, if context r describes exception raised
63// by calling runtime.abort function.
64//
65//go:nosplit
66func isAbort(r *context) bool {
67	pc := r.ip()
68	if GOARCH == "386" || GOARCH == "amd64" || GOARCH == "arm" {
69		// In the case of an abort, the exception IP is one byte after
70		// the INT3 (this differs from UNIX OSes). Note that on ARM,
71		// this means that the exception IP is no longer aligned.
72		pc--
73	}
74	return isAbortPC(pc)
75}
76
77// isgoexception reports whether this exception should be translated
78// into a Go panic or throw.
79//
80// It is nosplit to avoid growing the stack in case we're aborting
81// because of a stack overflow.
82//
83//go:nosplit
84func isgoexception(info *exceptionrecord, r *context) bool {
85	// Only handle exception if executing instructions in Go binary
86	// (not Windows library code).
87	// TODO(mwhudson): needs to loop to support shared libs
88	if r.ip() < firstmoduledata.text || firstmoduledata.etext < r.ip() {
89		return false
90	}
91
92	// Go will only handle some exceptions.
93	switch info.exceptioncode {
94	default:
95		return false
96	case _EXCEPTION_ACCESS_VIOLATION:
97	case _EXCEPTION_IN_PAGE_ERROR:
98	case _EXCEPTION_INT_DIVIDE_BY_ZERO:
99	case _EXCEPTION_INT_OVERFLOW:
100	case _EXCEPTION_FLT_DENORMAL_OPERAND:
101	case _EXCEPTION_FLT_DIVIDE_BY_ZERO:
102	case _EXCEPTION_FLT_INEXACT_RESULT:
103	case _EXCEPTION_FLT_OVERFLOW:
104	case _EXCEPTION_FLT_UNDERFLOW:
105	case _EXCEPTION_BREAKPOINT:
106	case _EXCEPTION_ILLEGAL_INSTRUCTION: // breakpoint arrives this way on arm64
107	}
108	return true
109}
110
111const (
112	callbackVEH = iota
113	callbackFirstVCH
114	callbackLastVCH
115)
116
117// sigFetchGSafe is like getg() but without panicking
118// when TLS is not set.
119// Only implemented on windows/386, which is the only
120// arch that loads TLS when calling getg(). Others
121// use a dedicated register.
122func sigFetchGSafe() *g
123
124func sigFetchG() *g {
125	if GOARCH == "386" {
126		return sigFetchGSafe()
127	}
128	return getg()
129}
130
131// sigtrampgo is called from the exception handler function, sigtramp,
132// written in assembly code.
133// Return EXCEPTION_CONTINUE_EXECUTION if the exception is handled,
134// else return EXCEPTION_CONTINUE_SEARCH.
135//
136// It is nosplit for the same reason as exceptionhandler.
137//
138//go:nosplit
139func sigtrampgo(ep *exceptionpointers, kind int) int32 {
140	gp := sigFetchG()
141	if gp == nil {
142		return _EXCEPTION_CONTINUE_SEARCH
143	}
144
145	var fn func(info *exceptionrecord, r *context, gp *g) int32
146	switch kind {
147	case callbackVEH:
148		fn = exceptionhandler
149	case callbackFirstVCH:
150		fn = firstcontinuehandler
151	case callbackLastVCH:
152		fn = lastcontinuehandler
153	default:
154		throw("unknown sigtramp callback")
155	}
156
157	// Check if we are running on g0 stack, and if we are,
158	// call fn directly instead of creating the closure.
159	// for the systemstack argument.
160	//
161	// A closure can't be marked as nosplit, so it might
162	// call morestack if we are at the g0 stack limit.
163	// If that happens, the runtime will call abort
164	// and end up in sigtrampgo again.
165	// TODO: revisit this workaround if/when closures
166	// can be compiled as nosplit.
167	//
168	// Note that this scenario should only occur on
169	// TestG0StackOverflow. Any other occurrence should
170	// be treated as a bug.
171	var ret int32
172	if gp != gp.m.g0 {
173		systemstack(func() {
174			ret = fn(ep.record, ep.context, gp)
175		})
176	} else {
177		ret = fn(ep.record, ep.context, gp)
178	}
179	if ret == _EXCEPTION_CONTINUE_SEARCH {
180		return ret
181	}
182
183	// Check if we need to set up the control flow guard workaround.
184	// On Windows, the stack pointer in the context must lie within
185	// system stack limits when we resume from exception.
186	// Store the resume SP and PC in alternate registers
187	// and return to sigresume on the g0 stack.
188	// sigresume makes no use of the stack at all,
189	// loading SP from RX and jumping to RY, being RX and RY two scratch registers.
190	// Note that blindly smashing RX and RY is only safe because we know sigpanic
191	// will not actually return to the original frame, so the registers
192	// are effectively dead. But this does mean we can't use the
193	// same mechanism for async preemption.
194	if ep.context.ip() == abi.FuncPCABI0(sigresume) {
195		// sigresume has already been set up by a previous exception.
196		return ret
197	}
198	prepareContextForSigResume(ep.context)
199	ep.context.set_sp(gp.m.g0.sched.sp)
200	ep.context.set_ip(abi.FuncPCABI0(sigresume))
201	return ret
202}
203
204// Called by sigtramp from Windows VEH handler.
205// Return value signals whether the exception has been handled (EXCEPTION_CONTINUE_EXECUTION)
206// or should be made available to other handlers in the chain (EXCEPTION_CONTINUE_SEARCH).
207//
208// This is nosplit to avoid growing the stack until we've checked for
209// _EXCEPTION_BREAKPOINT, which is raised by abort() if we overflow the g0 stack.
210//
211//go:nosplit
212func exceptionhandler(info *exceptionrecord, r *context, gp *g) int32 {
213	if !isgoexception(info, r) {
214		return _EXCEPTION_CONTINUE_SEARCH
215	}
216
217	if gp.throwsplit || isAbort(r) {
218		// We can't safely sigpanic because it may grow the stack.
219		// Or this is a call to abort.
220		// Don't go through any more of the Windows handler chain.
221		// Crash now.
222		winthrow(info, r, gp)
223	}
224
225	// After this point, it is safe to grow the stack.
226
227	// Make it look like a call to the signal func.
228	// Have to pass arguments out of band since
229	// augmenting the stack frame would break
230	// the unwinding code.
231	gp.sig = info.exceptioncode
232	gp.sigcode0 = info.exceptioninformation[0]
233	gp.sigcode1 = info.exceptioninformation[1]
234	gp.sigpc = r.ip()
235
236	// Only push runtime·sigpanic if r.ip() != 0.
237	// If r.ip() == 0, probably panicked because of a
238	// call to a nil func. Not pushing that onto sp will
239	// make the trace look like a call to runtime·sigpanic instead.
240	// (Otherwise the trace will end at runtime·sigpanic and we
241	// won't get to see who faulted.)
242	// Also don't push a sigpanic frame if the faulting PC
243	// is the entry of asyncPreempt. In this case, we suspended
244	// the thread right between the fault and the exception handler
245	// starting to run, and we have pushed an asyncPreempt call.
246	// The exception is not from asyncPreempt, so not to push a
247	// sigpanic call to make it look like that. Instead, just
248	// overwrite the PC. (See issue #35773)
249	if r.ip() != 0 && r.ip() != abi.FuncPCABI0(asyncPreempt) {
250		sp := unsafe.Pointer(r.sp())
251		delta := uintptr(sys.StackAlign)
252		sp = add(sp, -delta)
253		r.set_sp(uintptr(sp))
254		if usesLR {
255			*((*uintptr)(sp)) = r.lr()
256			r.set_lr(r.ip())
257		} else {
258			*((*uintptr)(sp)) = r.ip()
259		}
260	}
261	r.set_ip(abi.FuncPCABI0(sigpanic0))
262	return _EXCEPTION_CONTINUE_EXECUTION
263}
264
265// sehhandler is reached as part of the SEH chain.
266//
267// It is nosplit for the same reason as exceptionhandler.
268//
269//go:nosplit
270func sehhandler(_ *exceptionrecord, _ uint64, _ *context, dctxt *_DISPATCHER_CONTEXT) int32 {
271	g0 := getg()
272	if g0 == nil || g0.m.curg == nil {
273		// No g available, nothing to do here.
274		return _EXCEPTION_CONTINUE_SEARCH_SEH
275	}
276	// The Windows SEH machinery will unwind the stack until it finds
277	// a frame with a handler for the exception or until the frame is
278	// outside the stack boundaries, in which case it will call the
279	// UnhandledExceptionFilter. Unfortunately, it doesn't know about
280	// the goroutine stack, so it will stop unwinding when it reaches the
281	// first frame not running in g0. As a result, neither non-Go exceptions
282	// handlers higher up the stack nor UnhandledExceptionFilter will be called.
283	//
284	// To work around this, manually unwind the stack until the top of the goroutine
285	// stack is reached, and then pass the control back to Windows.
286	gp := g0.m.curg
287	ctxt := dctxt.ctx()
288	var base, sp uintptr
289	for {
290		entry := stdcall3(_RtlLookupFunctionEntry, ctxt.ip(), uintptr(unsafe.Pointer(&base)), 0)
291		if entry == 0 {
292			break
293		}
294		stdcall8(_RtlVirtualUnwind, 0, base, ctxt.ip(), entry, uintptr(unsafe.Pointer(ctxt)), 0, uintptr(unsafe.Pointer(&sp)), 0)
295		if sp < gp.stack.lo || gp.stack.hi <= sp {
296			break
297		}
298	}
299	return _EXCEPTION_CONTINUE_SEARCH_SEH
300}
301
302// It seems Windows searches ContinueHandler's list even
303// if ExceptionHandler returns EXCEPTION_CONTINUE_EXECUTION.
304// firstcontinuehandler will stop that search,
305// if exceptionhandler did the same earlier.
306//
307// It is nosplit for the same reason as exceptionhandler.
308//
309//go:nosplit
310func firstcontinuehandler(info *exceptionrecord, r *context, gp *g) int32 {
311	if !isgoexception(info, r) {
312		return _EXCEPTION_CONTINUE_SEARCH
313	}
314	return _EXCEPTION_CONTINUE_EXECUTION
315}
316
317// lastcontinuehandler is reached, because runtime cannot handle
318// current exception. lastcontinuehandler will print crash info and exit.
319//
320// It is nosplit for the same reason as exceptionhandler.
321//
322//go:nosplit
323func lastcontinuehandler(info *exceptionrecord, r *context, gp *g) int32 {
324	if islibrary || isarchive {
325		// Go DLL/archive has been loaded in a non-go program.
326		// If the exception does not originate from go, the go runtime
327		// should not take responsibility of crashing the process.
328		return _EXCEPTION_CONTINUE_SEARCH
329	}
330
331	// VEH is called before SEH, but arm64 MSVC DLLs use SEH to trap
332	// illegal instructions during runtime initialization to determine
333	// CPU features, so if we make it to the last handler and we're
334	// arm64 and it's an illegal instruction and this is coming from
335	// non-Go code, then assume it's this runtime probing happen, and
336	// pass that onward to SEH.
337	if GOARCH == "arm64" && info.exceptioncode == _EXCEPTION_ILLEGAL_INSTRUCTION &&
338		(r.ip() < firstmoduledata.text || firstmoduledata.etext < r.ip()) {
339		return _EXCEPTION_CONTINUE_SEARCH
340	}
341
342	winthrow(info, r, gp)
343	return 0 // not reached
344}
345
346// Always called on g0. gp is the G where the exception occurred.
347//
348//go:nosplit
349func winthrow(info *exceptionrecord, r *context, gp *g) {
350	g0 := getg()
351
352	if panicking.Load() != 0 { // traceback already printed
353		exit(2)
354	}
355	panicking.Store(1)
356
357	// In case we're handling a g0 stack overflow, blow away the
358	// g0 stack bounds so we have room to print the traceback. If
359	// this somehow overflows the stack, the OS will trap it.
360	g0.stack.lo = 0
361	g0.stackguard0 = g0.stack.lo + stackGuard
362	g0.stackguard1 = g0.stackguard0
363
364	print("Exception ", hex(info.exceptioncode), " ", hex(info.exceptioninformation[0]), " ", hex(info.exceptioninformation[1]), " ", hex(r.ip()), "\n")
365
366	print("PC=", hex(r.ip()), "\n")
367	if g0.m.incgo && gp == g0.m.g0 && g0.m.curg != nil {
368		if iscgo {
369			print("signal arrived during external code execution\n")
370		}
371		gp = g0.m.curg
372	}
373	print("\n")
374
375	g0.m.throwing = throwTypeRuntime
376	g0.m.caughtsig.set(gp)
377
378	level, _, docrash := gotraceback()
379	if level > 0 {
380		tracebacktrap(r.ip(), r.sp(), r.lr(), gp)
381		tracebackothers(gp)
382		dumpregs(r)
383	}
384
385	if docrash {
386		dieFromException(info, r)
387	}
388
389	exit(2)
390}
391
392func sigpanic() {
393	gp := getg()
394	if !canpanic() {
395		throw("unexpected signal during runtime execution")
396	}
397
398	switch gp.sig {
399	case _EXCEPTION_ACCESS_VIOLATION, _EXCEPTION_IN_PAGE_ERROR:
400		if gp.sigcode1 < 0x1000 {
401			panicmem()
402		}
403		if gp.paniconfault {
404			panicmemAddr(gp.sigcode1)
405		}
406		if inUserArenaChunk(gp.sigcode1) {
407			// We could check that the arena chunk is explicitly set to fault,
408			// but the fact that we faulted on accessing it is enough to prove
409			// that it is.
410			print("accessed data from freed user arena ", hex(gp.sigcode1), "\n")
411		} else {
412			print("unexpected fault address ", hex(gp.sigcode1), "\n")
413		}
414		throw("fault")
415	case _EXCEPTION_INT_DIVIDE_BY_ZERO:
416		panicdivide()
417	case _EXCEPTION_INT_OVERFLOW:
418		panicoverflow()
419	case _EXCEPTION_FLT_DENORMAL_OPERAND,
420		_EXCEPTION_FLT_DIVIDE_BY_ZERO,
421		_EXCEPTION_FLT_INEXACT_RESULT,
422		_EXCEPTION_FLT_OVERFLOW,
423		_EXCEPTION_FLT_UNDERFLOW:
424		panicfloat()
425	}
426	throw("fault")
427}
428
429// Following are not implemented.
430
431func initsig(preinit bool) {
432}
433
434func sigenable(sig uint32) {
435}
436
437func sigdisable(sig uint32) {
438}
439
440func sigignore(sig uint32) {
441}
442
443func signame(sig uint32) string {
444	return ""
445}
446
447//go:nosplit
448func crash() {
449	dieFromException(nil, nil)
450}
451
452// dieFromException raises an exception that bypasses all exception handlers.
453// This provides the expected exit status for the shell.
454//
455//go:nosplit
456func dieFromException(info *exceptionrecord, r *context) {
457	if info == nil {
458		gp := getg()
459		if gp.sig != 0 {
460			// Try to reconstruct an exception record from
461			// the exception information stored in gp.
462			info = &exceptionrecord{
463				exceptionaddress: gp.sigpc,
464				exceptioncode:    gp.sig,
465				numberparameters: 2,
466			}
467			info.exceptioninformation[0] = gp.sigcode0
468			info.exceptioninformation[1] = gp.sigcode1
469		} else {
470			// By default, a failing Go application exits with exit code 2.
471			// Use this value when gp does not contain exception info.
472			info = &exceptionrecord{
473				exceptioncode: 2,
474			}
475		}
476	}
477	const FAIL_FAST_GENERATE_EXCEPTION_ADDRESS = 0x1
478	stdcall3(_RaiseFailFastException, uintptr(unsafe.Pointer(info)), uintptr(unsafe.Pointer(r)), FAIL_FAST_GENERATE_EXCEPTION_ADDRESS)
479}
480
481// gsignalStack is unused on Windows.
482type gsignalStack struct{}
483