Fix nonvolatile context restoration

[janvorli]

There is a possibility of a race between the
ClrRestoreNonVolatileContext and an async signal handling (like the one we use for runtime suspension). If the signal kicks in after we've loaded Rsp, but before we jumped to the target address, the context we are loading the registers from could get overwritten by the signal handler stack. So the ClrRestoreNonVolatileContext would end up jumping into a wrong target address.

The fix is to load the target address into a register before loading the Rsp and then jumping using the register.

Close #101060, #98292

[dotnet-policy-service]

Tagging subscribers to this area: @mangod9
See info in area-owners.md if you want to be subscribed.

[jakobbotsch]

LGTM! This seems like the most plausible explanation.
Is only x64 affected?

[janvorli]

Actually, the other targets use RtlRestoreContext in PAL and it also has this issue on some targets (arm, x86, most likely riscv64 and loongarch64, not sure about s390x and ppc64le). Arm64 is ok. Let me add fixes for more architectures here.

[AndyAyersMS]

We expect this to fix #98292 and #101060, right?

Seems like a very small race window, which jives with the fact that these are very hard to repro.

[janvorli]

We expect this to fix #98292 and #101060, right?

I think so as they both seem to be OSR related.

[janvorli]

@t-mustafin, @shushanhf, @vikasgupta8, @uweigand can you please check if the architectures you have added support for also need a fix like this? It seems to me that RISCV64 and LoongArch64 do need to be fixed, I have no idea about the S390x and PPC64LE.

[janvorli]

@jakobbotsch can you please take a look again? I have added arm and x86 fixes. Arm64 was already ok. I will leave possible fixes for the other architectures on the external people who have added support for those.

[janvorli]

The CI failure is a known issue.

[jakobbotsch]

Is there any possibility that these stores accidentally overwrite some of the registers in the context that we are going to use later, if the context happens to be at this location in the stack? Or does the context not end with the GPR registers?

[janvorli]

The context contains GPR registers first, then all the NEON ones, debug registers and two DWORDS of padding at the end. So worst case scenario, if we ever overwritten anything from the context, it could only be the padding.

[janvorli]

See here:

runtime/src/coreclr/pal/inc/pal.h

Lines 1739 to 1797 in 017593d

	typedef struct DECLSPEC_ALIGN(8) _CONTEXT {
	//
	// Control flags.
	//
	DWORD ContextFlags;
	//
	// Integer registers
	//
	DWORD R0;
	DWORD R1;
	DWORD R2;
	DWORD R3;
	DWORD R4;
	DWORD R5;
	DWORD R6;
	DWORD R7;
	DWORD R8;
	DWORD R9;
	DWORD R10;
	DWORD R11;
	DWORD R12;
	//
	// Control Registers
	//
	DWORD Sp;
	DWORD Lr;
	DWORD Pc;
	DWORD Cpsr;
	//
	// Floating Point/NEON Registers
	//
	DWORD Fpscr;
	DWORD Padding;
	union {
	NEON128 Q[16];
	ULONGLONG D[32];
	DWORD S[32];
	};
	//
	// Debug registers
	//
	DWORD Bvr[ARM_MAX_BREAKPOINTS];
	DWORD Bcr[ARM_MAX_BREAKPOINTS];
	DWORD Wvr[ARM_MAX_WATCHPOINTS];
	DWORD Wcr[ARM_MAX_WATCHPOINTS];
	DWORD Padding2[2];
	} CONTEXT, *PCONTEXT, *LPCONTEXT;

[jakobbotsch]

It looks good to me, just one hypothetical wondering.

[t-mustafin]

@t-mustafin, @shushanhf, @vikasgupta8, @uweigand can you please check if the architectures you have added support for also need a fix like this? It seems to me that RISCV64 and LoongArch64 do need to be fixed, I have no idea about the S390x and PPC64LE.

@janvorli thanks for notification. Are this changes needed on release/8.0 branch?

cc @dotnet/samsung

[uweigand]

@t-mustafin, @shushanhf, @vikasgupta8, @uweigand can you please check if the architectures you have added support for also need a fix like this? It seems to me that RISCV64 and LoongArch64 do need to be fixed, I have no idea about the S390x and PPC64LE.

Thanks for the heads-up! The s390x patch is here: #101854