unix: Unsafe-wrap stack_overflow::signal_handler · patricklam/verify-rust-std@9fb6e49
@@ -86,13 +86,18 @@ mod imp {
8686// out many large systems and all implementations allow returning from a
8787// signal handler to work. For a more detailed explanation see the
8888// comments on #26458.
89+/// SIGSEGV/SIGBUS entry point
90+ /// # Safety
91+ /// Rust doesn't call this, it *gets called*.
92+ #[forbid(unsafe_op_in_unsafe_fn)]
8993unsafe extern "C" fn signal_handler(
9094signum: libc::c_int,
9195info: *mut libc::siginfo_t,
9296_data: *mut libc::c_void,
9397) {
9498let (start, end) = GUARD.get();
95-let addr = (*info).si_addr() as usize;
99+// SAFETY: this pointer is provided by the system and will always point to a valid `siginfo_t`.
100+let addr = unsafe { (*info).si_addr().addr() };
9610197102// If the faulting address is within the guard page, then we print a
98103// message saying so and abort.
@@ -104,9 +109,11 @@ mod imp {
104109rtabort!("stack overflow");
105110} else {
106111// Unregister ourselves by reverting back to the default behavior.
107-let mut action: sigaction = mem::zeroed();
112+// SAFETY: assuming all platforms define struct sigaction as "zero-initializable"
113+let mut action: sigaction = unsafe { mem::zeroed() };
108114 action.sa_sigaction = SIG_DFL;
109-sigaction(signum, &action, ptr::null_mut());
115+// SAFETY: pray this is a well-behaved POSIX implementation of fn sigaction
116+unsafe { sigaction(signum, &action, ptr::null_mut()) };
110117111118// See comment above for why this function returns.
112119}
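Review bot: The new `// SAFETY:` comments in this section record a hope rather than the invariant that makes the block sound, most visibly `// SAFETY: pray this is a well-behaved POSIX implementation of fn sigaction` above `unsafe { sigaction(signum, &action, ptr::null_mut()) };`. What has to hold there is that `action` is fully initialized (zeroed, then `sa_sigaction = SIG_DFL`), `signum` is the signal the kernel delivered, and a null `oldact` is permitted, so I would write `// SAFETY: \`action\` is fully initialized (zeroed, sa_sigaction = SIG_DFL), signum is the delivered signal, and POSIX allows a null oldact; the result is ignored because the handler returns and re-faults with the default action.` The `mem::zeroed()` comment can be made checkable the same way: as far as libc defines `sigaction`, `sa_sigaction` is a `sighandler_t` (an integer, not a fn pointer) and the remaining fields are integers, a `sigset_t` or an `Option` of a fn pointer, all of which admit the all-zero pattern, so say that instead of "assuming". In the first hunk, `will always point to a valid siginfo_t` is only true because the handler is installed with `SA_SIGINFO`; that registration is outside this section, so name it as the precondition, e.g. `// SAFETY: installed with SA_SIGINFO, so the kernel passes a non-null, valid siginfo_t.` The `# Safety` doc on `signal_handler` (`Rust doesn't call this, it *gets called*`) could state that same installation contract for whoever registers it.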