Intercept sigaction to prevent wasmtime from overwriting signal handlers

Wasmtime's SIGSEGV handler calls malloc() via __tls_get_addr, which is
not async-signal-safe and causes deadlocks when profiler uses safefetch.

Patch wasmtime's sigaction GOT entry to intercept handler installations.
Their handlers are stored as chain targets and called from our handlers.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: jbachorik

ddprof-lib/src/main/cpp/codeCache.cpp

@@ -338,6 +338,11 @@ void CodeCache::addImport(void **entry, const char *name) {
               saveImport(im_realloc, entry);
           }
           break;
+      case 's':
+          if (strcmp(name, "sigaction") == 0) {
+              saveImport(im_sigaction, entry);
+          }
+          break;
     }
 }
 

ddprof-lib/src/main/cpp/codeCache.h

@@ -31,6 +31,7 @@ enum ImportId {
   im_calloc,
   im_realloc,
   im_free,
+  im_sigaction,
   NUM_IMPORTS
 };
 

ddprof-lib/src/main/cpp/libraries.h

@@ -24,7 +24,7 @@ class Libraries {
   // Note: Parameter is uint32_t to match lib_index packing (17 bits = max 131K libraries)
   CodeCache *getLibraryByIndex(uint32_t index) const {
     if (index < _native_libs.count()) {
-      return _native_libs[index];  // may be NULL during concurrent add()
+      return _native_libs[index];
     }
     return nullptr;
   }

ddprof-lib/src/main/cpp/libraryPatcher.h

@@ -24,13 +24,19 @@ class LibraryPatcher {
   static int         _size;
   static bool        _patch_pthread_create;
 
+  // Separate tracking for sigaction patches
+  static PatchEntry  _sigaction_entries[MAX_NATIVE_LIBS];
+  static int         _sigaction_size;
+
   static void patch_library_unlocked(CodeCache* lib);
   static void patch_pthread_create();
   static void patch_pthread_setspecific();
+  static void patch_sigaction_in_library(CodeCache* lib);
 public:
   static void initialize();
   static void patch_libraries();
   static void unpatch_libraries();
+  static void patch_sigaction();
 };
 
 #else

ddprof-lib/src/main/cpp/libraryPatcher_linux.cpp

@@ -17,6 +17,8 @@ SpinLock LibraryPatcher::_lock;
 const char* LibraryPatcher::_profiler_name = nullptr;
 PatchEntry LibraryPatcher::_patched_entries[MAX_NATIVE_LIBS];
 int        LibraryPatcher::_size = 0;
+PatchEntry LibraryPatcher::_sigaction_entries[MAX_NATIVE_LIBS];
+int        LibraryPatcher::_sigaction_size = 0;
 
 void LibraryPatcher::initialize() {
   if (_profiler_name == nullptr) {
@@ -238,8 +240,63 @@ void LibraryPatcher::patch_pthread_create() {
      }
   }
 }
-#endif // __linux__
 
+// Patch sigaction in all libraries to prevent any library from overwriting
+// our SIGSEGV/SIGBUS handlers. This protects against misbehaving libraries
+// (like wasmtime) that install broken signal handlers calling malloc().
+void LibraryPatcher::patch_sigaction_in_library(CodeCache* lib) {
+  if (lib->name() == nullptr) return;
+  if (_profiler_name == nullptr) return;  // Not initialized yet
 
+  // Don't patch ourselves
+  char path[PATH_MAX];
+  char* resolved_path = realpath(lib->name(), path);
+  if (resolved_path != nullptr && strcmp(resolved_path, _profiler_name) == 0) {
+    return;
+  }
 
+  // Don't patch sanitizer runtime libraries
+  const char* base = strrchr(lib->name(), '/');
+  base = (base != nullptr) ? base + 1 : lib->name();
+  if (strncmp(base, "libasan", 7) == 0 ||
+      strncmp(base, "libtsan", 7) == 0 ||
+      strncmp(base, "libubsan", 8) == 0) {
+    return;
+  }
 
+  void** sigaction_location = (void**)lib->findImport(im_sigaction);
+  if (sigaction_location == nullptr) {
+    return;
+  }
+
+  // Check if already patched or array is full
+  if (_sigaction_size >= MAX_NATIVE_LIBS) {
+    return;
+  }
+  for (int index = 0; index < _sigaction_size; index++) {
+    if (_sigaction_entries[index]._lib == lib) {
+      return;
+    }
+  }
+
+  void* hook = OS::getSigactionHook();
+  _sigaction_entries[_sigaction_size]._lib = lib;
+  _sigaction_entries[_sigaction_size]._location = sigaction_location;
+  _sigaction_entries[_sigaction_size]._func = (void*)__atomic_load_n(sigaction_location, __ATOMIC_RELAXED);
+  __atomic_store_n(sigaction_location, hook, __ATOMIC_RELAXED);
+  _sigaction_size++;
+}
+
+void LibraryPatcher::patch_sigaction() {
+  const CodeCacheArray& native_libs = Libraries::instance()->native_libs();
+  int num_of_libs = native_libs.count();
+  ExclusiveLockGuard locker(&_lock);
+  for (int index = 0; index < num_of_libs; index++) {
+    CodeCache* lib = native_libs.at(index);
+    if (lib != nullptr) {
+      patch_sigaction_in_library(lib);
+    }
+  }
+}
+
+#endif // __linux__

ddprof-lib/src/main/cpp/os.h

@@ -152,6 +152,12 @@ class OS {
     static SigAction replaceSigsegvHandler(SigAction action);
     static SigAction replaceSigbusHandler(SigAction action);
 
+    // Signal handler protection - prevents other libraries from overwriting our handlers
+    static void protectSignalHandlers(SigAction segvHandler, SigAction busHandler);
+    static SigAction getSegvChainTarget();
+    static SigAction getBusChainTarget();
+    static void* getSigactionHook();
+
     static int getMaxThreadId(int floor) {
         int maxThreadId = getMaxThreadId();
         return maxThreadId < floor ? floor : maxThreadId;

ddprof-lib/src/main/cpp/os_linux.cpp

@@ -726,4 +726,86 @@ SigAction OS::replaceSigbusHandler(SigAction action) {
     return old_action;
 }
 
+// ============================================================================
+// sigaction interposition to prevent other libraries from overwriting our
+// SIGSEGV/SIGBUS handlers. This is needed because libraries like wasmtime
+// install broken signal handlers that call malloc() (not async-signal-safe).
+// ============================================================================
+
+// Our protected handlers and their chain targets
+static SigAction _protected_segv_handler = nullptr;
+static SigAction _protected_bus_handler = nullptr;
+static volatile SigAction _segv_chain_target = nullptr;
+static volatile SigAction _bus_chain_target = nullptr;
+
+// Real sigaction function pointer (resolved via dlsym)
+typedef int (*real_sigaction_t)(int, const struct sigaction*, struct sigaction*);
+static real_sigaction_t _real_sigaction = nullptr;
+
+void OS::protectSignalHandlers(SigAction segvHandler, SigAction busHandler) {
+    // Resolve real sigaction BEFORE enabling protection, while we can still use RTLD_DEFAULT
+    if (_real_sigaction == nullptr) {
+        _real_sigaction = (real_sigaction_t)dlsym(RTLD_DEFAULT, "sigaction");
+    }
+    _protected_segv_handler = segvHandler;
+    _protected_bus_handler = busHandler;
+}
+
+SigAction OS::getSegvChainTarget() {
+    return __atomic_load_n(&_segv_chain_target, __ATOMIC_ACQUIRE);
+}
+
+SigAction OS::getBusChainTarget() {
+    return __atomic_load_n(&_bus_chain_target, __ATOMIC_ACQUIRE);
+}
+
+// sigaction hook - called via GOT patching to intercept sigaction calls
+static int sigaction_hook(int signum, const struct sigaction* act, struct sigaction* oldact) {
+    // _real_sigaction must be resolved before any GOT patching happens
+    if (_real_sigaction == nullptr) {
+        errno = EFAULT;
+        return -1;
+    }
+
+    // If this is SIGSEGV or SIGBUS and we have protected handlers installed,
+    // intercept the call to keep our handler on top
+    if (act != nullptr) {
+        if (signum == SIGSEGV && _protected_segv_handler != nullptr) {
+            // Only intercept SA_SIGINFO handlers (3-arg form) for safe chaining
+            if (act->sa_flags & SA_SIGINFO) {
+                SigAction new_handler = act->sa_sigaction;
+                // Don't intercept if it's our own handler being installed
+                if (new_handler != _protected_segv_handler) {
+                    // Save their handler as our chain target
+                    __atomic_exchange_n(&_segv_chain_target, new_handler, __ATOMIC_ACQ_REL);
+                    if (oldact != nullptr) {
+                        _real_sigaction(signum, nullptr, oldact);
+                    }
+                    // Don't actually install their handler - keep ours on top
+                    return 0;
+                }
+            }
+            // Let 1-arg handlers (without SA_SIGINFO) pass through - we can't safely chain them
+        } else if (signum == SIGBUS && _protected_bus_handler != nullptr) {
+            if (act->sa_flags & SA_SIGINFO) {
+                SigAction new_handler = act->sa_sigaction;
+                if (new_handler != _protected_bus_handler) {
+                    __atomic_exchange_n(&_bus_chain_target, new_handler, __ATOMIC_ACQ_REL);
+                    if (oldact != nullptr) {
+                        _real_sigaction(signum, nullptr, oldact);
+                    }
+                    return 0;
+                }
+            }
+        }
+    }
+
+    // For all other cases, pass through to real sigaction
+    return _real_sigaction(signum, act, oldact);
+}
+
+void* OS::getSigactionHook() {
+    return (void*)sigaction_hook;
+}
+
 #endif // __linux__

ddprof-lib/src/main/cpp/profiler.cpp

@@ -1007,20 +1007,27 @@ void Profiler::writeHeapUsage(long value, bool live) {
 
 void *Profiler::dlopen_hook(const char *filename, int flags) {
   void *result = dlopen(filename, flags);
+
   if (result != NULL) {
     // Static function of Profiler -> can not use the instance variable _libs
     // Since Libraries is a singleton, this does not matter
     Libraries::instance()->updateSymbols(false);
+    // Patch sigaction in wasmtime if it was just loaded
+    LibraryPatcher::patch_sigaction();
     // Extract build-ids for newly loaded libraries if remote symbolication is enabled
     Profiler* profiler = instance();
     if (profiler != nullptr && profiler->_remote_symbolication) {
       Libraries::instance()->updateBuildIds();
     }
   }
+
   return result;
 }
 
 void Profiler::switchLibraryTrap(bool enable) {
+  if (_dlopen_entry == NULL) {
+    return;  // Not initialized yet, nothing to do
+  }
   void *impl = enable ? (void *)dlopen_hook : (void *)dlopen;
   __atomic_store_n(_dlopen_entry, impl, __ATOMIC_RELEASE);
 }
@@ -1037,13 +1044,25 @@ void Profiler::disableEngines() {
 
 void Profiler::segvHandler(int signo, siginfo_t *siginfo, void *ucontext) {
   if (!crashHandler(signo, siginfo, ucontext)) {
-    orig_segvHandler(signo, siginfo, ucontext);
+    // Check dynamic chain target first (set by intercepted sigaction calls)
+    SigAction chain = OS::getSegvChainTarget();
+    if (chain != nullptr) {
+      chain(signo, siginfo, ucontext);
+    } else if (orig_segvHandler != nullptr) {
+      orig_segvHandler(signo, siginfo, ucontext);
+    }
   }
 }
 
 void Profiler::busHandler(int signo, siginfo_t *siginfo, void *ucontext) {
   if (!crashHandler(signo, siginfo, ucontext)) {
-    orig_busHandler(signo, siginfo, ucontext);
+    // Check dynamic chain target first (set by intercepted sigaction calls)
+    SigAction chain = OS::getBusChainTarget();
+    if (chain != nullptr) {
+      chain(signo, siginfo, ucontext);
+    } else if (orig_busHandler != nullptr) {
+      orig_busHandler(signo, siginfo, ucontext);
+    }
   }
 }
 
@@ -1102,17 +1121,22 @@ bool Profiler::crashHandler(int signo, siginfo_t *siginfo, void *ucontext) {
 }
 
 void Profiler::setupSignalHandlers() {
-  // do not re-run the signal setup (run only when VM has not been loaded yet)
+  // Do not re-run the signal setup (run only when VM has not been loaded yet)
   if (__sync_bool_compare_and_swap(&_signals_initialized, false, true)) {
       if (VM::isHotspot() || VM::isOpenJ9()) {
-        // HotSpot and J9 tolerate interposed SIGSEGV/SIGBUS handler; other JVMs
-        // probably not
+        // HotSpot and J9 tolerate interposed SIGSEGV/SIGBUS handler; other JVMs probably not
         orig_segvHandler = OS::replaceSigsegvHandler(segvHandler);
         orig_busHandler = OS::replaceSigbusHandler(busHandler);
+        // Protect our handlers from being overwritten by other libraries (e.g., wasmtime).
+        // Their handlers will be stored as chain targets and called from our handlers.
+        OS::protectSignalHandlers(segvHandler, busHandler);
+        // Patch sigaction GOT in libraries with broken signal handlers (already loaded)
+        LibraryPatcher::patch_sigaction();
       }
   }
 }
 
+
 /**
  * Update thread name for the given thread
  */
@@ -1417,7 +1441,8 @@ Error Profiler::start(Arguments &args, bool reset) {
 
   enableEngines();
 
-  switchLibraryTrap(_cstack == CSTACK_DWARF || _remote_symbolication);
+  // Always enable library trap to catch wasmtime loading and patch its broken sigaction
+  switchLibraryTrap(true);
 
   JfrMetadata::initialize(args._context_attributes);
   _num_context_attributes = args._context_attributes.size();