[release/9.0] Enhance createdump to detect alt stack execution#127067
Open
hoyosjs wants to merge 1 commit intodotnet:release/9.0from
Open
[release/9.0] Enhance createdump to detect alt stack execution#127067hoyosjs wants to merge 1 commit intodotnet:release/9.0from
hoyosjs wants to merge 1 commit intodotnet:release/9.0from
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes createdump native stack unwinding when crashes occur on an alternate signal stack (SA_ONSTACK) by detecting signal trampoline frames and allowing a single stack-pointer decrease to unwind back onto the original thread stack.
Changes:
- Extend
PAL_VirtualUnwindOutOfProcto optionally report whether the current frame is a signal trampoline (viaunw_is_signal_frame). - Update createdump’s
UnwindNativeFramesmonotonic-SP guard to allow one SP decrease when crossing a signal trampoline. - Plumb the updated unwind API through createdump PAL shim and DAC minimal prototypes.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
src/coreclr/pal/src/exception/remote-unwind.cpp |
Detects signal trampoline frames in out-of-proc unwinding and surfaces that via a new out-parameter. |
src/coreclr/pal/inc/pal.h |
Updates the PAL API signature for PAL_VirtualUnwindOutOfProc to include isSignalFrame. |
src/coreclr/debug/daccess/dacfn.cpp |
Updates DAC-side minimal prototype and call site to pass the new parameter (null). |
src/coreclr/debug/createdump/threadinfo.cpp |
Allows a single SP decrease after unwinding a signal trampoline to capture the original stack. |
src/coreclr/debug/createdump/createdumppal.cpp |
Updates the dynamically-loaded PAL function pointer signature and forwards the new argument. |
hoyosjs
force-pushed
the
juhoyosa/signal-detection-createdump-9
branch
from
6085053 to
eb628ba
Compare
This was referenced Apr 17, 2026
Use CFI entries in libc trampoline frames to detect and allow for stack unwind finding SP backwards jumps.
hoyosjs
force-pushed
the
juhoyosa/signal-detection-createdump-9
branch
from
eb628ba to
5649912
Compare
| extern | ||
| BOOL | ||
| PAL_VirtualUnwindOutOfProc(PT_CONTEXT context, PT_KNONVOLATILE_CONTEXT_POINTERS contextPointers, PULONG64 functionStart, SIZE_T baseAddress, UnwindReadMemoryCallback readMemoryCallback); | ||
| PAL_VirtualUnwindOutOfProc(PT_CONTEXT context, PT_KNONVOLATILE_CONTEXT_POINTERS contextPointers, PULONG64 functionStart, SIZE_T baseAddress, UnwindReadMemoryCallback readMemoryCallback, BOOL *isSignalFrame); |
There was a problem hiding this comment.
The cross-OS DAC minimal prototype uses BOOL* isSignalFrame, but the PAL declaration/implementation uses bool*. In C++ this changes the mangled symbol name and can break linking/calls in HOST_WINDOWS/TARGET_UNIX builds. Update the prototype to take bool* (and keep it consistent with pal.h).
Suggested change
| PAL_VirtualUnwindOutOfProc(PT_CONTEXT context, PT_KNONVOLATILE_CONTEXT_POINTERS contextPointers, PULONG64 functionStart, SIZE_T baseAddress, UnwindReadMemoryCallback readMemoryCallback, BOOL *isSignalFrame); | |
| PAL_VirtualUnwindOutOfProc(PT_CONTEXT context, PT_KNONVOLATILE_CONTEXT_POINTERS contextPointers, PULONG64 functionStart, SIZE_T baseAddress, UnwindReadMemoryCallback readMemoryCallback, bool *isSignalFrame); |
Member
There was a problem hiding this comment.
This looks like valid feedback.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes .NET 9 version of #126981
Description
createdump's UnwindNativeFrames fails to capture the original thread stack when a crash occurs on a thread using an alternate signal stack. The native unwinder's monotonic-SP guard breaks we cross crosses the signal trampoline back to the original stack, because the SP legitimately decreases. This causes the unwinder to stop early, omitting the original stack memory from the dump.
The fix uses libunwind's
unw_is_signal_frameinPAL_VirtualUnwindOutOfProcto detect signal trampoline frames. When a signal frame is detected,UnwindNativeFramesallows a SP decrease, enabling the unwinder to cross back to the original stack and capture its memory.Customer Impact
Minidumps collected via createdump for crashes on alternate signal stacks are missing the original thread's stack memory. This makes the dumps incomplete and difficult to debug - native frames below the signal handler are absent from the stack walk, and you can only get the managed stack separately via clrstack. Watson and WinDBG both fail to do this automatically.
Regression
We added the SP monotonic check ~7 years ago to prevent corruption unwinding issues.
Testing
The following scenario was tested as proxy of customer's issue: Pinvoke into native library with some frames before hitting a nullref on a secondary thread. Pre-fix the repro shows the early bail unwind. The fix captured the full unwind across the signal trampoline, identifies the libc trampoline, and includes original stack memory in the dump. I also validated the fix works both with and without dwarf unwind info in the crashing native library.
Risk
Low. The change is narrowly scoped to createdump's native unwind path and some of the DAC's lazy state machine unwinding. unw_get_proc_info reuses the same cache unw_step populates - no additional remote memory reads. If unw_is_signal_frame returns false due to some libc not marking the trampoline correctly, behavior is identical to before - no regression.