navit/navit/coffeejni.h

/* CoffeeCatch, a tiny native signal handler/catcher for JNI code.
 * (especially for Android/Dalvik)
 *
 * Copyright (c) 2013, Xavier Roche (http://www.httrack.com/)
 * All rights reserved.
 * See the "License" section below for the licensing terms.
 *
 * Description:
 *
 * Allows to "gracefully" recover from a signal (segv, sibus...) as if it was
 * a Java exception. It will not gracefully recover from allocator/mutexes
 * corruption etc., however, but at least "most" gentle crashes (null pointer
 * dereferencing, integer division, stack overflow etc.) should be handled
 * without too much troubles.
 *
 * The handler is thread-safe, but client must have exclusive control on the
 * signal handlers (ie. the library is installing its own signal handlers on
 * top of the existing ones).
 *
 * You must build all your libraries with `-funwind-tables', to get proper
 * unwinding information on all binaries. On ARM, you may also use the
 * `--no-merge-exidx-entries` linker switch, to solve certain issues with
 * unwinding (the switch is possibly not needed anymore).
 * On Android, this can be achieved by using this line in the Android.mk file
 * in each library block:
 *   LOCAL_CFLAGS := -funwind-tables -Wl,--no-merge-exidx-entries
 *
 * Example:
 * COFFEE_TRY_JNI(env, *retcode = call_dangerous_function(env, object));
 *
 * Implementation notes:
 *
 * Currently the library is installing both alternate stack and signal
 * handlers for known signals (SIGABRT, SIGILL, SIGTRAP, SIGBUS, SIGFPE,
 * SIGSEGV, SIGSTKFLT), and is using sigsetjmp()/siglongjmp() to return to
 * "userland" (compared to signal handler context). As a security, an alarm
 * is started as soon as a fatal signal is detected (ie. not something the
 * JVM will handle) to kill the process after a grace period. Be sure your
 * program will exit quickly after the error is caught, or call alarm(0)
 * to cancel the pending time-bomb.
 * The signal handlers had to be written with caution, because the virtual
 * machine might be using signals (including SEGV) to handle JIT compiler,
 * and some clever optimizations (such as NullPointerException handling)
 * We are using several signal-unsafe functions, namely:
 * - siglongjmp() to return to userland
 * - pthread_getspecific() to get thread-specific setup
 *
 * License:
 *
 * Copyright (c) 2013, Xavier Roche (http://www.httrack.com/)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice, this
 *    list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef COFFEECATCH_JNI_H
#define COFFEECATCH_JNI_H

#include <jni.h>

#ifdef __cplusplus
extern "C" {
#endif

/**
 * Setup crash handler to enter in a protected section. If a recognized signal
 * is received in this section, an appropriate native Java Error will be
 * raised.
 *
 * You can not exit the protected section block CODE_TO_BE_EXECUTED, using
 * statements such as "return", because the cleanup code would not be
 * executed.
 *
 * It is advised to enclose the complete CODE_TO_BE_EXECUTED block in a
 * dedicated function declared extern or __attribute__ ((noinline)).
 *
 * You must build all your libraries with `-funwind-tables', to get proper
 * unwinding information on all binaries. On Android, this can be achieved
 * by using this line in the Android.mk file in each library block:
 *   LOCAL_CFLAGS := -funwind-tables
 *
 * Example:
 *
 * void my_native_function(JNIEnv* env, jobject object, jint *retcode) {
 *   COFFEE_TRY_JNI(env, *retcode = call_dangerous_function(env, object));
 * }
 *
 * In addition, the following restrictions MUST be followed:
 * - the function must be declared extern, or with the special attribute
 *   __attribute__ ((noinline)).
 * - you must not use local variables before the COFFEE_TRY_JNI block,
 *   or define them as "volatile".
 *
COFFEE_TRY_JNI(JNIEnv* env, CODE_TO_BE_EXECUTED)
 */

/** Internal functions & definitions, not to be used directly. **/
extern void coffeecatch_throw_exception(JNIEnv* env);
#define COFFEE_TRY_JNI(ENV, CODE)       \
  do {                                  \
    COFFEE_TRY() {                      \
      CODE;                             \
    } COFFEE_CATCH() {                  \
      coffeecatch_throw_exception(ENV); \
    } COFFEE_END();                     \
  } while(0)
/** End of internal functions & definitions. **/

#ifdef __cplusplus
}
#endif

#endif
1	/* CoffeeCatch, a tiny native signal handler/catcher for JNI code.
2	* (especially for Android/Dalvik)
3	*
4	* Copyright (c) 2013, Xavier Roche (http://www.httrack.com/)
5	* All rights reserved.
6	* See the "License" section below for the licensing terms.
7	*
8	* Description:
9	*
10	* Allows to "gracefully" recover from a signal (segv, sibus...) as if it was
11	* a Java exception. It will not gracefully recover from allocator/mutexes
12	* corruption etc., however, but at least "most" gentle crashes (null pointer
13	* dereferencing, integer division, stack overflow etc.) should be handled
14	* without too much troubles.
15	*
16	* The handler is thread-safe, but client must have exclusive control on the
17	* signal handlers (ie. the library is installing its own signal handlers on
18	* top of the existing ones).
19	*
20	* You must build all your libraries with `-funwind-tables', to get proper
21	* unwinding information on all binaries. On ARM, you may also use the
22	* `--no-merge-exidx-entries` linker switch, to solve certain issues with
23	* unwinding (the switch is possibly not needed anymore).
24	* On Android, this can be achieved by using this line in the Android.mk file
25	* in each library block:
26	* LOCAL_CFLAGS := -funwind-tables -Wl,--no-merge-exidx-entries
27	*
28	* Example:
29	* COFFEE_TRY_JNI(env, *retcode = call_dangerous_function(env, object));
30	*
31	* Implementation notes:
32	*
33	* Currently the library is installing both alternate stack and signal
34	* handlers for known signals (SIGABRT, SIGILL, SIGTRAP, SIGBUS, SIGFPE,
35	* SIGSEGV, SIGSTKFLT), and is using sigsetjmp()/siglongjmp() to return to
36	* "userland" (compared to signal handler context). As a security, an alarm
37	* is started as soon as a fatal signal is detected (ie. not something the
38	* JVM will handle) to kill the process after a grace period. Be sure your
39	* program will exit quickly after the error is caught, or call alarm(0)
40	* to cancel the pending time-bomb.
41	* The signal handlers had to be written with caution, because the virtual
42	* machine might be using signals (including SEGV) to handle JIT compiler,
43	* and some clever optimizations (such as NullPointerException handling)
44	* We are using several signal-unsafe functions, namely:
45	* - siglongjmp() to return to userland
46	* - pthread_getspecific() to get thread-specific setup
47	*
48	* License:
49	*
50	* Copyright (c) 2013, Xavier Roche (http://www.httrack.com/)
51	* All rights reserved.
52	*
53	* Redistribution and use in source and binary forms, with or without
54	* modification, are permitted provided that the following conditions are met:
55	*
56	* 1. Redistributions of source code must retain the above copyright notice, this
57	* list of conditions and the following disclaimer.
58	* 2. Redistributions in binary form must reproduce the above copyright notice,
59	* this list of conditions and the following disclaimer in the documentation
60	* and/or other materials provided with the distribution.
61	*
62	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
63	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
64	* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
65	* DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
66	* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
67	* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
68	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
69	* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
70	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
71	* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
72	*/
73
74	#ifndef COFFEECATCH_JNI_H
75	#define COFFEECATCH_JNI_H
76
77	#include <jni.h>
78
79	#ifdef __cplusplus
80	extern "C" {
81	#endif
82
83	/**
84	* Setup crash handler to enter in a protected section. If a recognized signal
85	* is received in this section, an appropriate native Java Error will be
86	* raised.
87	*
88	* You can not exit the protected section block CODE_TO_BE_EXECUTED, using
89	* statements such as "return", because the cleanup code would not be
90	* executed.
91	*
92	* It is advised to enclose the complete CODE_TO_BE_EXECUTED block in a
93	* dedicated function declared extern or __attribute__ ((noinline)).
94	*
95	* You must build all your libraries with `-funwind-tables', to get proper
96	* unwinding information on all binaries. On Android, this can be achieved
97	* by using this line in the Android.mk file in each library block:
98	* LOCAL_CFLAGS := -funwind-tables
99	*
100	* Example:
101	*
102	* void my_native_function(JNIEnv* env, jobject object, jint *retcode) {
103	* COFFEE_TRY_JNI(env, *retcode = call_dangerous_function(env, object));
104	* }
105	*
106	* In addition, the following restrictions MUST be followed:
107	* - the function must be declared extern, or with the special attribute
108	* __attribute__ ((noinline)).
109	* - you must not use local variables before the COFFEE_TRY_JNI block,
110	* or define them as "volatile".
111	*
112	COFFEE_TRY_JNI(JNIEnv* env, CODE_TO_BE_EXECUTED)
113	*/
114
115	/ Internal functions & definitions, not to be used directly. /
116	extern void coffeecatch_throw_exception(JNIEnv* env);
117	#define COFFEE_TRY_JNI(ENV, CODE) \
118	do { \
119	COFFEE_TRY() { \
120	CODE; \
121	} COFFEE_CATCH() { \
122	coffeecatch_throw_exception(ENV); \
123	} COFFEE_END(); \
124	} while(0)
125	/ End of internal functions & definitions. /
126
127	#ifdef __cplusplus
128	}
129	#endif
130
131	#endif