Make ReadOnlyError on PROT_NONE consistent

This replaces #36625. Essentially the question is what should
reading from PROT_NONE memory do. At the moment we throw
ReadOnlyMemoryError on Linux and pass through the segfault on
Windows/Mac. It's not super clear what the right answer is,
though it would be nice to be consistent. After some discussion,
it seemed that not throwing ReadOnlyMemoryError on Linux was probably
the better consistency direction for two reasons:

1. Getting a ReadOnlyMemoryError is confusing if the failing operation
   is a read. We could of course rename the error, but that would be
   a bigger breaking change.
2. The purpose of this exception is to protect people who accidentally
   try to write to mmap'ed memory that they don't have write permissions
   to. It was never intended to become a general memory access error
   exception, so it seems prudent to restrict it as much as possible.

To make this happen, there is some platform specific code here to
read the memory error register out of the signal context.
Decoding this register is shared code between the operating systems,
but the register itself is in an OS-specifc location in the signal
frame. I have implemented the retrieval code for all our CI'ed
platforms. Other users will get an appropriate `#warning` (similar
to other code in this file) and can fill in the necessary code
at their leisure. A new test in test/misc.jl will indicate whether
or not the check is correct.

Author: Keno

src/signals-mach.c

@@ -146,12 +146,6 @@ typedef x86_exception_state64_t host_exception_state_t;
 #define HOST_EXCEPTION_STATE x86_EXCEPTION_STATE64
 #define HOST_EXCEPTION_STATE_COUNT x86_EXCEPTION_STATE64_COUNT
 
-enum x86_trap_flags {
-    USER_MODE = 0x4,
-    WRITE_FAULT = 0x2,
-    PAGE_PRESENT = 0x1
-};
-
 #elif defined(_CPU_AARCH64_)
 typedef arm_thread_state64_t host_thread_state_t;
 typedef arm_exception_state64_t host_exception_state_t;
@@ -167,11 +161,11 @@ static void jl_call_in_state(jl_ptls_t ptls2, host_thread_state_t *state,
     uint64_t rsp = (uint64_t)ptls2->signal_stack + sig_stack_size;
     assert(rsp % 16 == 0);
 
+#ifdef _CPU_X86_64_
     // push (null) $RIP onto the stack
     rsp -= sizeof(void*);
     *(void**)rsp = NULL;
 
-#ifdef _CPU_X86_64_
     state->__rsp = rsp; // set stack pointer
     state->__rip = (uint64_t)fptr; // "call" the function
 #else
@@ -180,6 +174,21 @@ static void jl_call_in_state(jl_ptls_t ptls2, host_thread_state_t *state,
 #endif
 }
 
+#ifdef _CPU_X86_64_
+int is_write_fault(host_exception_state_t exc_state) {
+    return exc_reg_is_write_fault(exc_state.__err);
+}
+#elif defined(_CPU_AARCH64_)
+int is_write_fault(host_exception_state_t exc_state) {
+    return exc_reg_is_write_fault(exc_state.__esr);
+}
+#else
+#warning Implement this query for consistent PROT_NONE handling
+int is_write_fault(host_exception_state_t exc_state) {
+    return 0;
+}
+#endif
+
 static void jl_throw_in_thread(int tid, mach_port_t thread, jl_value_t *exception)
 {
     unsigned int count = THREAD_STATE_COUNT;
@@ -279,8 +288,8 @@ kern_return_t catch_exception_raise(mach_port_t            exception_port,
         }
 #endif
         else {
-            if (!(exc_state.__err & WRITE_FAULT))
-                return KERN_INVALID_ARGUMENT; // rethrow the SEGV since it wasn't an error with writing to read-only memory
+            if (!is_write_fault(exc_state))
+                return KERN_INVALID_ARGUMENT;
             excpt = jl_readonlymemory_exception;
         }
         jl_throw_in_thread(tid, thread, excpt);

src/signals-unix.c

@@ -225,10 +225,70 @@ static void sigdie_handler(int sig, siginfo_t *info, void *context)
     // fall-through return to re-execute faulting statement (but without the error handler)
 }
 
+#if defined(_CPU_X86_64_) || defined(_CPU_X86_)
+enum x86_trap_flags {
+    USER_MODE = 0x4,
+    WRITE_FAULT = 0x2,
+    PAGE_PRESENT = 0x1
+};
+
+int exc_reg_is_write_fault(uintptr_t err) {
+    return err & WRITE_FAULT;
+}
+#elif defined(_CPU_AARCH64_)
+enum aarch64_esr_layout {
+    EC_MASK = ((uint32_t)0b111111) << 25,
+    EC_DATA_ABORT = ((uint32_t)0b100100) << 25,
+    ISR_DA_WnR = ((uint32_t)1) << 6
+};
+
+int exc_reg_is_write_fault(uintptr_t esr) {
+    return (esr & EC_MASK) == EC_DATA_ABORT && (esr & ISR_DA_WnR);
+}
+#endif
+
 #if defined(HAVE_MACH)
 #include "signals-mach.c"
 #else
 
+
+#if defined(_OS_LINUX_) && (defined(_CPU_X86_64_) || defined(_CPU_X86_))
+int is_write_fault(void *context) {
+    ucontext_t *ctx = (ucontext_t*)context;
+    return exc_reg_is_write_fault(ctx->uc_mcontext.gregs[REG_ERR]);
+}
+#elif defined(_OS_LINUX_) && defined(_CPU_AARCH64_)
+struct linux_aarch64_ctx_header {
+	uint32_t magic;
+	uint32_t size;
+};
+const uint32_t linux_esr_magic = 0x45535201;
+
+int is_write_fault(void *context) {
+    ucontext_t *ctx = (ucontext_t*)context;
+    struct linux_aarch64_ctx_header *extra =
+        (struct linux_aarch64_ctx_header *)ctx->uc_mcontext.__reserved;
+    while (extra->magic != 0) {
+        if (extra->magic == linux_esr_magic) {
+            return exc_reg_is_write_fault(*(uint64_t*)&extra[1]);
+        }
+        extra = (struct linux_aarch64_ctx_header *)
+            (((uint8_t*)&extra[1]) + extra->size);
+    }
+    return 0;
+}
+#elif defined(_OS_FREEBSD_) && (defined(_CPU_X86_64_) || defined(_CPU_X86_))
+int is_write_fault(void *context) {
+    ucontext_t *ctx = (ucontext_t*)context;
+    return exc_reg_is_write_fault(ctx->uc_mcontext.mc_err);
+}
+#else
+#warning Implement this query for consistent PROT_NONE handling
+int is_write_fault(void *context) {
+    return 0;
+}
+#endif
+
 static int is_addr_on_sigstack(jl_ptls_t ptls, void *ptr)
 {
     // One guard page for signal_stack.
@@ -273,7 +333,7 @@ static void segv_handler(int sig, siginfo_t *info, void *context)
         jl_safe_printf("ERROR: Signal stack overflow, exit\n");
         _exit(sig + 128);
     }
-    else if (sig == SIGSEGV && info->si_code == SEGV_ACCERR) {  // writing to read-only memory (e.g., mmap)
+    else if (sig == SIGSEGV && info->si_code == SEGV_ACCERR && is_write_fault(context)) {  // writing to read-only memory (e.g., mmap)
         jl_throw_in_ctx(ptls, jl_readonlymemory_exception, sig, context);
     }
     else {

test/misc.jl

@@ -952,3 +952,15 @@ end
 @testset "issue #28188" begin
     @test `$(@__FILE__)` == let file = @__FILE__; `$file` end
 end
+
+# Test that read fault on a prot-none region does not incorrectly give
+# ReadOnlyMemoryEror, but rather crashes the program
+const MAP_ANONYMOUS_PRIVATE = Sys.isbsd() ? 0x1002 : 0x22
+let script = :(let ptr = Ptr{Cint}(ccall(:jl_mmap, Ptr{Cvoid},
+    (Ptr{Cvoid}, Csize_t, Cint, Cint, Cint, Int),
+    C_NULL, 16*1024, 0, $MAP_ANONYMOUS_PRIVATE, -1, 0)); try
+    unsafe_load(ptr)
+    catch e; println(e) end; end)
+    @test !success(`$(Base.julia_cmd()) -e $script`)
+end
+