Memory Safe Context Switching (longjmp, setjmp) in Fil-C
3 hours ago
- #memory safety
- #Fil-C
- #context switching
- Fil-C supports memory-safe context switching with the ucontext APIs since release 0.680; using them currently requires building Fil-C from source.
- The document explains how Fil-C ensures memory safety for longjmp/setjmp and ucontext APIs, preventing stack corruption and capability model violations.
- setjmp/longjmp are commonly used for exception handling, especially in signal handlers, while ucontext APIs implement coroutines and fibers like in Boost.
- Misusing these APIs can lead to restoring dangling stacks, but Fil-C prevents this by enforcing safety rules and tracking valid contexts.
- Fil-C implements setjmp/longjmp by using opaque zjmp_buf objects, restricting direct calls, and validating ancestor frames during longjmp.
- For ucontext, Fil-C uses opaque zfiber_context with a state machine, thread affinity, and GC integration to manage safe context switches.
- GC integration handles grey fibers to avoid race conditions during marking, ensuring that no object reachable from a fiber stack is left unmarked.
- The ucontext implementation is available in glibc builds like /opt/fil and Pizlix, with support for getcontext, setcontext, makecontext, and swapcontext.
- Fil-C prohibits mixing longjmp/setjmp with ucontext to maintain safety, aligning with other security technologies that require this separation.