Propagate GDB/C++ exceptions across readline using sj/lj-based TRY/CATCH

If we map GDB'S TRY/CATCH macros to C++ try/catch, GDB breaks on
systems where readline isn't built with exceptions support.  The
problem is that readline calls into GDB through the callback
interface, and if GDB's callback throws a C++ exception/error, the
system unwinder won't manage to unwind past the readline frame, and
ends up calling std::terminate(), which aborts the process:

 (gdb) whatever-command-that-causes-an-error
 terminate called after throwing an instance of 'gdb_exception_RETURN_MASK_ERROR'
 Aborted
 $

This went unnoticed for so long because:

- the x86-64 ABI requires -fasynchronous-unwind-tables, making it
  possible for exceptions to cross readline with no special handling.
  But e.g., on ARM or AIX, unless you build readline with
  -fexceptions, you trip on the problem.

- TRY/CATCH was mapped to setjmp/longjmp, even in C++ mode, until
  quite recently.

The fix is to catch and save any GDB exception that is thrown inside
the GDB readline callback, and then once the callback returns back to
the GDB code that called into readline in the first place, rethrow the
saved GDB exception.

This is similar in spirit to how we catch/map GDB exceptions at the
GDB/Python and GDB/Guile API boundaries.

The next question is then: if we intercept all exceptions within GDB's
readline callback, should we simply return normally to readline?  The
callback prototype has no way to signal an error back to readline (*).
The answer is no -- if we return normally, we'll be returning to a
loop inside rl_callback_read_char that continues processing pending
input, calling into GDB again, redisplaying the prompt, etc.  Thus if
we want to error out of rl_callback_read_char, we need to long jump
across it, just like we always did before TRY/CATCH were ever mapped
to C++ exceptions.

My first approach built a specialized API to handle this, with a
couple macros to hide the setjmp/longjmp and the struct gdb_exception
saving/rethrowing.

However, I realized that we need to:

 - Handle multiple active rl_callback_read_char invocations.  If,
   while processing input something triggers a secondary prompt, we
   end up in a nested rl_callback_read_char call, through
   gdb_readline_wrapper.

 - Propagate a struct gdb_exception along with the longjmp.

... and that this is exactly what the setjmp/longjmp-based TRY/CATCH
does.

So the fix makes the setjmp/longjmp TRY/CATCH always available under
new TRY_SJLJ/CATCH_SJLJ aliases, even when TRY/CATCH is mapped to C++
try/catch, and then uses TRY_SJLJ/CATCH_SJLJ to propagate GDB
exceptions across the readline callback.

This turns out to be a much better looking fix than my bespoke API
attempt, even.  We'll probably be able to simplify TRY_SJLJ/CATCH_SJLJ
when we finally get rid of TRY/CATCH all over the tree, but until
then, this reuse seems quite nice for avoiding a second parallel
setjmp/longjmp mechanism.

(*) - maybe we could propose a readline API change, but we still need
      to handle current readline, anyway.

gdb/ChangeLog:
2016-04-22  Pedro Alves  <palves@redhat.com>

	* common/common-exceptions.c (enum catcher_state, struct catcher)
	(current_catcher): Define in C++ mode too.
	(exceptions_state_mc_catch): Call throw_exception_sjlj instead of
	throw_exception.
	(throw_exception_sjlj, throw_exception_cxx): New functions,
	factored out from throw_exception.
	(throw_exception): Reimplement.
	* common/common-exceptions.h (exceptions_state_mc_init)
	(exceptions_state_mc_action_iter)
	(exceptions_state_mc_action_iter_1, exceptions_state_mc_catch):
	Declare in C++ mode too.
	(TRY): Rename to ...
	(TRY_SJLJ): ... this.
	(CATCH): Rename to ...
	(CATCH_SJLJ): ... this.
	(END_CATCH): Rename to ...
	(END_CATCH_SJLJ): ... this.
	[GDB_XCPT == GDB_XCPT_SJMP] (TRY, CATCH, END_CATCH): Map to SJLJ
	equivalents.
	(throw_exception): Update comments.
	(throw_exception_sjlj): Declare.
	* event-top.c (gdb_rl_callback_read_char_wrapper): Extend intro
	comment.  Wrap body in TRY_SJLJ/CATCH_SJLJ and rethrow any
	intercepted exception.
	(gdb_rl_callback_handler): New function.
	(gdb_rl_callback_handler_install): Always install
	gdb_rl_callback_handler as readline callback.

1 files changed, 90 insertions, 7 deletions

diff --git a/gdb/event-top.c b/gdb/event-top.c
index b9947c4..f43fd0a 100644
--- a/gdb/event-top.c
+++ b/gdb/event-top.c
@@ -145,15 +145,98 @@ static struct async_signal_handler *async_sigterm_token;
 void (*after_char_processing_hook) (void);
 
 
-/* Wrapper function for calling into the readline library.  The event
-   loop expects the callback function to have a paramter, while
-   readline expects none.  */
+/* Wrapper function for calling into the readline library.  This takes
+   care of a couple things:
+
+   - The event loop expects the callback function to have a parameter,
+     while readline expects none.
+
+   - Propagation of GDB exceptions/errors thrown from INPUT_HANDLER
+     across readline requires special handling.
+
+   On the exceptions issue:
+
+   DWARF-based unwinding cannot cross code built without -fexceptions.
+   Any exception that tries to propagate through such code will fail
+   and the result is a call to std::terminate.  While some ABIs, such
+   as x86-64, require all code to be built with exception tables,
+   others don't.
+
+   This is a problem when GDB calls some non-EH-aware C library code,
+   that calls into GDB again through a callback, and that GDB callback
+   code throws a C++ exception.  Turns out this is exactly what
+   happens with GDB's readline callback.
+
+   In such cases, we must catch and save any C++ exception that might
+   be thrown from the GDB callback before returning to the
+   non-EH-aware code.  When the non-EH-aware function itself returns
+   back to GDB, we then rethrow the original C++ exception.
+
+   In the readline case however, the right thing to do is to longjmp
+   out of the callback, rather than do a normal return -- there's no
+   way for the callback to return to readline an indication that an
+   error happened, so a normal return would have rl_callback_read_char
+   potentially continue processing further input, redisplay the
+   prompt, etc.  Instead of raw setjmp/longjmp however, we use our
+   sjlj-based TRY/CATCH mechanism, which knows to handle multiple
+   levels of active setjmp/longjmp frames, needed in order to handle
+   the readline callback recursing, as happens with e.g., secondary
+   prompts / queries, through gdb_readline_wrapper.  */
+
 static void
 gdb_rl_callback_read_char_wrapper (gdb_client_data client_data)
 {
-  rl_callback_read_char ();
-  if (after_char_processing_hook)
-    (*after_char_processing_hook) ();
+  struct gdb_exception gdb_expt = exception_none;
+
+  /* C++ exceptions can't normally be thrown across readline (unless
+     it is built with -fexceptions, but it won't by default on many
+     ABIs).  So we instead wrap the readline call with a sjlj-based
+     TRY/CATCH, and rethrow the GDB exception once back in GDB.  */
+  TRY_SJLJ
+    {
+      rl_callback_read_char ();
+      if (after_char_processing_hook)
+	(*after_char_processing_hook) ();
+    }
+  CATCH_SJLJ (ex, RETURN_MASK_ALL)
+    {
+      gdb_expt = ex;
+    }
+  END_CATCH_SJLJ
+
+  /* Rethrow using the normal EH mechanism.  */
+  if (gdb_expt.reason < 0)
+    throw_exception (gdb_expt);
+}
+
+/* GDB's readline callback handler.  Calls the current INPUT_HANDLER,
+   and propagates GDB exceptions/errors thrown from INPUT_HANDLER back
+   across readline.  See gdb_rl_callback_read_char_wrapper.  */
+
+static void
+gdb_rl_callback_handler (char *rl)
+{
+  struct gdb_exception gdb_rl_expt = exception_none;
+
+  TRY
+    {
+      input_handler (rl);
+    }
+  CATCH (ex, RETURN_MASK_ALL)
+    {
+      gdb_rl_expt = ex;
+    }
+  END_CATCH
+
+  /* If we caught a GDB exception, longjmp out of the readline
+     callback.  There's no other way for the callback to signal to
+     readline that an error happened.  A normal return would have
+     readline potentially continue processing further input, redisplay
+     the prompt, etc.  (This is what GDB historically did when it was
+     a C program.)  Note that since we're long jumping, local variable
+     dtors are NOT run automatically.  */
+  if (gdb_rl_expt.reason < 0)
+    throw_exception_sjlj (gdb_rl_expt);
 }
 
 /* Initialize all the necessary variables, start the event loop,
@@ -236,7 +319,7 @@ gdb_rl_callback_handler_install (const char *prompt)
      therefore loses input.  */
   gdb_assert (!callback_handler_installed);
 
-  rl_callback_handler_install (prompt, input_handler);
+  rl_callback_handler_install (prompt, gdb_rl_callback_handler);
   callback_handler_installed = 1;
 }