6 files changed, 397 insertions, 0 deletions
diff --git a/signal/Makefile b/signal/Makefile
index 647ce242e6..9597287bca 100644
--- a/signal/Makefile
+++ b/signal/Makefile
@@ -47,6 +47,8 @@ routines	:= signal raise killpg \
 
 tests		:= tst-signal tst-sigset tst-sigsimple tst-raise tst-sigset2 \
 		   tst-sigwait-eintr tst-sigaction \
+		   tst-minsigstksz-1 tst-minsigstksz-2 tst-minsigstksz-3 \
+		   tst-minsigstksz-3a tst-minsigstksz-4 \
 
 include ../Rules
 
diff --git a/signal/tst-minsigstksz-1.c b/signal/tst-minsigstksz-1.c
new file mode 100644
index 0000000000..00344d5fbf
--- /dev/null
+++ b/signal/tst-minsigstksz-1.c
@@ -0,0 +1,131 @@
+/* Tests of signal delivery on an alternate stack (nonlethal).
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <support/xsignal.h>
+#include <support/support.h>
+#include <support/check.h>
+
+/* C2011 7.4.1.1p5 specifies that only the following operations are
+   guaranteed to be well-defined inside an asynchronous signal handler:
+     * any operation on a lock-free atomic object
+     * assigning a value to an object declared as volatile sig_atomic_t
+     * calling abort, _Exit, quick_exit, or signal
+       * signal may only be called with its first argument equal to the
+         number of the signal that caused the handler to be called
+
+   We use this list as a guideline for the set of operations that ought
+   also to be safe in a _synchronous_ signal delivered on an alternate
+   signal stack with only MINSIGSTKSZ bytes of space.
+
+   This test program tests all of the above operations that do not,
+   one way or another, cause the program to be terminated.  */
+
+/* We do not try to test atomic operations exhaustively, only a simple
+   atomic counter increment.  This is only safe if atomic_[u]int is
+   unconditionally lock-free.  */
+#ifdef __STDC_NO_ATOMICS__
+# define TEST_ATOMIC_OPS 0
+#else
+# include <stdatomic.h>
+# if ATOMIC_INT_LOCK_FREE != 2
+#  define TEST_ATOMIC_OPS 0
+# else
+#  define TEST_ATOMIC_OPS 1
+# endif
+#endif
+
+static volatile sig_atomic_t signal_flag = 0;
+static volatile sig_atomic_t signal_err = 0;
+static void
+handler_set_flag (int unused)
+{
+  signal_flag = 1;
+}
+
+static void
+handler_set_flag_once (int sig)
+{
+  signal_flag = 1;
+  if (signal (sig, SIG_IGN) == SIG_ERR)
+    /* It is not safe to call FAIL_EXIT1 here.  Set another flag instead.  */
+    signal_err = 1;
+}
+
+#if TEST_ATOMIC_OPS
+static atomic_uint signal_count = 0;
+static void
+handler_count_up_1 (int unused)
+{
+  atomic_fetch_add (&signal_count, 1);
+}
+#endif
+
+int
+do_test (void)
+{
+  void *sstk = xalloc_sigstack (0);
+  struct sigaction sa;
+
+  /* Test 1: setting a volatile sig_atomic_t flag.  */
+  sa.sa_handler = handler_set_flag;
+  sa.sa_flags   = SA_RESTART | SA_ONSTACK;
+  sigfillset (&sa.sa_mask);
+  if (sigaction (SIGUSR1, &sa, 0))
+    FAIL_EXIT1 ("sigaction (SIGUSR1, handler_set_flag): %m\n");
+
+  TEST_VERIFY_EXIT (signal_flag == 0);
+  raise (SIGUSR1);
+  TEST_VERIFY_EXIT (signal_flag == 1);
+  signal_flag = 0;
+  raise (SIGUSR1);
+  TEST_VERIFY_EXIT (signal_flag == 1);
+  signal_flag = 0;
+
+  /* Test 1: setting a volatile sig_atomic_t flag and then ignoring
+     further delivery of the signal. */
+  sa.sa_handler = handler_set_flag_once;
+  if (sigaction (SIGUSR1, &sa, 0))
+    FAIL_EXIT1 ("sigaction (SIGUSR1, handler_set_flag_once): %m\n");
+
+  raise (SIGUSR1);
+  TEST_VERIFY_EXIT (signal_flag == 1);
+  /* Note: if signal_err is 1, a system call failed, but we can't
+     report the error code because errno is indeterminate.  */
+  TEST_VERIFY_EXIT (signal_err == 0);
+
+  signal_flag = 0;
+  raise (SIGUSR1);
+  TEST_VERIFY_EXIT (signal_flag == 0);
+  TEST_VERIFY_EXIT (signal_err == 0);
+
+#if TEST_ATOMIC_OPS
+  sa.sa_handler = handler_count_up_1;
+  if (sigaction (SIGUSR1, &sa, 0))
+    FAIL_EXIT1 ("sigaction (SIGUSR1, handler_count_up_1): %m\n");
+
+  raise (SIGUSR1);
+  TEST_VERIFY_EXIT (atomic_load (&signal_count) == 1);
+  raise (SIGUSR1);
+  TEST_VERIFY_EXIT (atomic_load (&signal_count) == 2);
+#endif
+
+  xfree_sigstack (sstk);
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/signal/tst-minsigstksz-2.c b/signal/tst-minsigstksz-2.c
new file mode 100644
index 0000000000..3368dde6b8
--- /dev/null
+++ b/signal/tst-minsigstksz-2.c
@@ -0,0 +1,66 @@
+/* Tests of signal delivery on an alternate stack (abort).
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <support/xsignal.h>
+#include <support/support.h>
+#include <support/check.h>
+#include <stdlib.h>
+
+/* C2011 7.4.1.1p5 specifies that only the following operations are
+   guaranteed to be well-defined inside an asynchronous signal handler:
+     * any operation on a lock-free atomic object
+     * assigning a value to an object declared as volatile sig_atomic_t
+     * calling abort, _Exit, quick_exit, or signal
+       * signal may only be called with its first argument equal to the
+         number of the signal that caused the handler to be called
+
+   We use this list as a guideline for the set of operations that ought
+   also to be safe in a _synchronous_ signal delivered on an alternate
+   signal stack with only MINSIGSTKSZ bytes of space.
+
+   This test program tests calls to abort.  Note that it does _not_
+   install a handler for SIGABRT, because that signal would also be
+   delivered on the alternate stack and MINSIGSTKSZ does not provide
+   enough space for delivery of nested signals.  */
+
+static void
+handler (int unused)
+{
+  abort ();
+}
+
+int
+do_test (void)
+{
+  void *sstk = xalloc_sigstack (0);
+  struct sigaction sa;
+
+  sa.sa_handler = handler;
+  sa.sa_flags   = SA_RESTART | SA_ONSTACK;
+  sigfillset (&sa.sa_mask);
+  if (sigaction (SIGUSR1, &sa, 0))
+    FAIL_RET ("sigaction (SIGUSR1, handler): %m\n");
+
+  raise (SIGUSR1);
+
+  xfree_sigstack (sstk);
+  FAIL_RET ("test process was not terminated by abort in signal handler");
+}
+
+#define EXPECTED_SIGNAL SIGABRT
+#include <support/test-driver.c>
diff --git a/signal/tst-minsigstksz-3.c b/signal/tst-minsigstksz-3.c
new file mode 100644
index 0000000000..a8d9a6369c
--- /dev/null
+++ b/signal/tst-minsigstksz-3.c
@@ -0,0 +1,64 @@
+/* Tests of signal delivery on an alternate stack (_Exit).
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <support/xsignal.h>
+#include <support/support.h>
+#include <support/check.h>
+#include <stdlib.h>
+
+/* C2011 7.4.1.1p5 specifies that only the following operations are
+   guaranteed to be well-defined inside an asynchronous signal handler:
+     * any operation on a lock-free atomic object
+     * assigning a value to an object declared as volatile sig_atomic_t
+     * calling abort, _Exit, quick_exit, or signal
+       * signal may only be called with its first argument equal to the
+         number of the signal that caused the handler to be called
+
+   We use this list as a guideline for the set of operations that ought
+   also to be safe in a _synchronous_ signal delivered on an alternate
+   signal stack with only MINSIGSTKSZ bytes of space.
+
+   This test program tests calls to _Exit.  */
+
+#define EXPECTED_STATUS 3
+
+static void
+handler (int unused)
+{
+  _Exit (EXPECTED_STATUS);
+}
+
+int
+do_test (void)
+{
+  void *sstk = xalloc_sigstack (0);
+  struct sigaction sa;
+
+  sa.sa_handler = handler;
+  sa.sa_flags   = SA_RESTART | SA_ONSTACK;
+  sigfillset (&sa.sa_mask);
+  if (sigaction (SIGUSR1, &sa, 0))
+    FAIL_RET ("sigaction (SIGUSR1, handler): %m\n");
+
+  raise (SIGUSR1);
+
+  xfree_sigstack (sstk);
+  FAIL_RET ("test process was not terminated by _Exit in signal handler");
+}
+
+#include <support/test-driver.c>
diff --git a/signal/tst-minsigstksz-3a.c b/signal/tst-minsigstksz-3a.c
new file mode 100644
index 0000000000..b58b8d01ba
--- /dev/null
+++ b/signal/tst-minsigstksz-3a.c
@@ -0,0 +1,69 @@
+/* Tests of signal delivery on an alternate stack (_exit).
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <support/xsignal.h>
+#include <support/support.h>
+#include <support/check.h>
+#include <unistd.h>
+
+/* C2011 7.4.1.1p5 specifies that only the following operations are
+   guaranteed to be well-defined inside an asynchronous signal handler:
+     * any operation on a lock-free atomic object
+     * assigning a value to an object declared as volatile sig_atomic_t
+     * calling abort, _Exit, quick_exit, or signal
+       * signal may only be called with its first argument equal to the
+         number of the signal that caused the handler to be called
+
+   We use this list as a guideline for the set of operations that ought
+   also to be safe in a _synchronous_ signal delivered on an alternate
+   signal stack with only MINSIGSTKSZ bytes of space.
+
+   This test program tests calls to _exit, which is the same function
+   as _Exit, but specified by POSIX rather than ISO C.  For reasons
+   unknown to the author of this program, the C committee did not
+   think it could standardize _exit under that name; regardless, in a
+   POSIX-conformant environment, they should be completely
+   interchangeable.  */
+
+#define EXPECTED_STATUS 3
+
+static void
+handler (int unused)
+{
+  _exit (EXPECTED_STATUS);
+}
+
+int
+do_test (void)
+{
+  void *sstk = xalloc_sigstack (0);
+  struct sigaction sa;
+
+  sa.sa_handler = handler;
+  sa.sa_flags   = SA_RESTART | SA_ONSTACK;
+  sigfillset (&sa.sa_mask);
+  if (sigaction (SIGUSR1, &sa, 0))
+    FAIL_RET ("sigaction (SIGUSR1, handler): %m\n");
+
+  raise (SIGUSR1);
+
+  xfree_sigstack (sstk);
+  FAIL_RET ("test process was not terminated by _exit in signal handler");
+}
+
+#include <support/test-driver.c>
diff --git a/signal/tst-minsigstksz-4.c b/signal/tst-minsigstksz-4.c
new file mode 100644
index 0000000000..0dc63b4dd4
--- /dev/null
+++ b/signal/tst-minsigstksz-4.c
@@ -0,0 +1,65 @@
+/* Tests of signal delivery on an alternate stack (quick_exit).
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <support/xsignal.h>
+#include <support/support.h>
+#include <support/check.h>
+#include <stdlib.h>
+
+/* C2011 7.4.1.1p5 specifies that only the following operations are
+   guaranteed to be well-defined inside an asynchronous signal handler:
+     * any operation on a lock-free atomic object
+     * assigning a value to an object declared as volatile sig_atomic_t
+     * calling abort, _Exit, quick_exit, or signal
+       * signal may only be called with its first argument equal to the
+         number of the signal that caused the handler to be called
+
+   We use this list as a guideline for the set of operations that ought
+   also to be safe in a _synchronous_ signal delivered on an alternate
+   signal stack with only MINSIGSTKSZ bytes of space.
+
+   This test program tests calls to quick_exit.  Note that this is only
+   safe when there are no at_quick_exit callbacks.  */
+
+#define EXPECTED_STATUS 3
+
+static void
+handler (int unused)
+{
+  quick_exit (EXPECTED_STATUS);
+}
+
+int
+do_test (void)
+{
+  void *sstk = xalloc_sigstack (0);
+  struct sigaction sa;
+
+  sa.sa_handler = handler;
+  sa.sa_flags   = SA_RESTART | SA_ONSTACK;
+  sigfillset (&sa.sa_mask);
+  if (sigaction (SIGUSR1, &sa, 0))
+    FAIL_RET ("sigaction (SIGUSR1, handler): %m\n");
+
+  raise (SIGUSR1);
+
+  xfree_sigstack (sstk);
+  FAIL_RET ("test process was not terminated by quick_exit in signal handler");
+}
+
+#include <support/test-driver.c>