adjust signal handler to not always be so stack-hungry

Because the Lucet signal handler is run on any arbitrary thread that
recives a signal, if the signal handler is installed anywhere in the
process, it may be run on a signal stack we didn't set up. This means we
are still bound to be careful about how much stack is present, which
will often be SIGSTKSZ (observed to be ~8kb on Debian-likes, at least).

`handle_signal` is the entrypoint for any signal in the process, so its
call frame, locals, etc, are active for any path through the signal
handler. For other paths through the signal handler that may involve
subsequent calls, and in debug builds of lucet-runtime, the body of the
`SignalBehavior::Default` arm would include several `UContext` local
variables, as well as a `State` local which itself contains another
`UContext`. x86_64 `UContext` are large, resulting in this match arm
being responsible for ~5kb of stack usage in `handle_signal`, that is
only _actually_ used in this match arm.

So, by moving the arm to a closure and immediately calling it, we force
Rust to defer that stack usage in debug builds to only be used when the
closure is called. In release builds, the closure is likely inlined, but
all intermediate copies of UContext _probably_ go away and the entire
issue is _probably_ avoided.

A subsequent commit will introduce tests around signal handler stack use
for these various paths.

Author: awortman-fastly

lucet-runtime/lucet-runtime-internals/src/instance/signals.rs

@@ -180,31 +180,48 @@ extern "C" fn handle_signal(signum: c_int, siginfo_ptr: *mut siginfo_t, ucontext
                 true
             }
             SignalBehavior::Default => {
-                // safety: pointer is checked for null at the top of the function, and the
-                // manpage guarantees that a siginfo_t will be passed as the second argument
-                let siginfo = unsafe { *siginfo_ptr };
-                let rip_addr = rip as usize;
-                // If the trap table lookup returned unknown, it is a fatal error
-                let unknown_fault = trapcode.is_none();
-
-                // If the trap was a segv or bus fault and the addressed memory was outside the
-                // guard pages, it is also a fatal error
-                let outside_guard = (siginfo.si_signo == SIGSEGV || siginfo.si_signo == SIGBUS)
-                    && !inst.alloc.addr_in_guard_page(siginfo.si_addr_ext());
-
-                // record the fault and jump back to the host context
-                inst.state = State::Faulted {
-                    details: FaultDetails {
-                        fatal: unknown_fault || outside_guard,
-                        trapcode: trapcode,
-                        rip_addr,
-                        // Details set to `None` here: have to wait until `verify_trap_safety` to
-                        // fill in these details, because access may not be signal safe.
-                        rip_addr_details: None,
-                    },
-                    siginfo,
-                    context: ctx.into(),
+                /*
+                 * /!\ WARNING: LOAD-BEARING THUNK /!\
+                 *
+                 * This thunk, in debug builds, introduces multiple copies of UContext in the local
+                 * stack frame. This also includes a local `State`, which is quite large as well.
+                 * In total, this thunk accounts for roughly 5kb of stack use, where default signal
+                 * stack sizes are typically 8kb total.
+                 *
+                 * In code paths that do not pass through this (such as immediately reraising as a
+                 * host signal), the code in this thunk would force an exhaustion of more than half
+                 * the stack, significantly increasing the likelihood the Lucet signal handler may
+                 * overflow some other thread with a minimal stack size.
+                 */
+                let mut thunk = || {
+                    // safety: pointer is checked for null at the top of the function, and the
+                    // manpage guarantees that a siginfo_t will be passed as the second argument
+                    let siginfo = unsafe { *siginfo_ptr };
+                    let rip_addr = rip as usize;
+                    // If the trap table lookup returned unknown, it is a fatal error
+                    let unknown_fault = trapcode.is_none();
+
+                    // If the trap was a segv or bus fault and the addressed memory was outside the
+                    // guard pages, it is also a fatal error
+                    let outside_guard = (siginfo.si_signo == SIGSEGV || siginfo.si_signo == SIGBUS)
+                        && !inst.alloc.addr_in_guard_page(siginfo.si_addr_ext());
+
+                    // record the fault and jump back to the host context
+                    inst.state = State::Faulted {
+                        details: FaultDetails {
+                            fatal: unknown_fault || outside_guard,
+                            trapcode: trapcode,
+                            rip_addr,
+                            // Details set to `None` here: have to wait until `verify_trap_safety` to
+                            // fill in these details, because access may not be signal safe.
+                            rip_addr_details: None,
+                        },
+                        siginfo,
+                        context: ctx.into(),
+                    };
                 };
+
+                thunk();
                 true
             }
         }