Fix i686 FPU restore: do not treat fpregs as kernel _fpstate

cary-ilm · cary-ilm · commit 912100f7a3bf · 2026-04-22T10:29:46.000-07:00
On Linux i386, uc_mcontext.fpregs points at glibc struct _libc_fpstate, which does not match the kernel struct _fpstate layout at the mxcsr and magic offsets. Reinterpreting the pointer and loading mxcsr could pass arbitrary bits to LDMXCSR and corrupt SSE state, matching ASan SEGVs in std::ostream::sentry after a SIGFPE-driven MathExc.

Read MXCSR from the live CPU on Linux i386 (with the same 0x1f80 fallback when needed) instead of through a struct _fpstate cast. Also append CMAKE_C_FLAGS and CMAKE_CXX_FLAGS to CMAKE_REQUIRED_FLAGS while probing ucontext/fpstate members so multilib -m32 configure tests see the same struct layout as the build.

Made-with: Cursor
diff --git a/cmake/CMakeLists.txt b/cmake/CMakeLists.txt
@@ -86,13 +86,20 @@ check_include_files(ucontext.h IEX_HAVE_UCONTEXT_H)
 if(IEX_HAVE_UCONTEXT_H)
   # TODO: remove this once we cleanly have IEX_ prefix on all #defines
   set(HAVE_UCONTEXT_H ON)
+  # Multilib (-m32) builds must run these try-compiles with the same arch
+  # flags as the main target, or feature checks use the wrong ucontext layout.
+  set(_openexr_iex_saved_cmake_required_flags "${CMAKE_REQUIRED_FLAGS}")
+  set(CMAKE_REQUIRED_FLAGS
+      "${CMAKE_REQUIRED_FLAGS} ${CMAKE_C_FLAGS} ${CMAKE_CXX_FLAGS}")
   check_struct_has_member("struct _libc_fpstate" mxcsr ucontext.h IEX_HAVE_CONTROL_REGISTER_SUPPORT)
   if(NOT IEX_HAVE_CONTROL_REGISTER_SUPPORT)
     check_include_files(asm/sigcontext.h IEX_HAVE_SIGCONTEXT_H)
     if(IEX_HAVE_SIGCONTEXT_H)
       check_struct_has_member("struct _fpstate" mxcsr asm/sigcontext.h IEX_HAVE_SIGCONTEXT_CONTROL_REGISTER_SUPPORT)
     endif()
   endif()
+  set(CMAKE_REQUIRED_FLAGS "${_openexr_iex_saved_cmake_required_flags}")
+  unset(_openexr_iex_saved_cmake_required_flags)
 endif()
 
 ###check_include_files(pthread.h ILMTHREAD_HAVE_PTHREAD)
diff --git a/src/lib/Iex/IexMathFpu.cpp b/src/lib/Iex/IexMathFpu.cpp
@@ -250,20 +250,19 @@ restoreControlRegs (const ucontext_t& ucon, bool clearExceptions)
     setCw ((ucon.uc_mcontext.fpregs->cwd & cwRestoreMask) | cwRestoreVal);
 #        endif
 
-    _fpstate* kfp = reinterpret_cast<_fpstate*> (ucon.uc_mcontext.fpregs);
 #        if defined(__linux__) && defined(__i386__)
     //
-    // Choose MXCSR from the signal-frame _fpstate when magic == 0 (kernel
-    // layout matches this struct); otherwise read it from the CPU because
-    // the saved mxcsr offset may not apply. LDMXCSR must not be given 0,
-    // which is not a valid control value on x86—substitute 0x1f80 (typical
-    // default) before setMxcsr clears sticky exception bits per
-    // clearExceptions.
+    // uc_mcontext.fpregs points at glibc's struct _libc_fpstate, which is
+    // not layout-compatible with the kernel's struct _fpstate where mxcsr
+    // and the FXSR magic field live. Reinterpreting fpregs as struct _fpstate
+    // reads unrelated memory as MXCSR and can pass garbage to LDMXCSR.
+    // Use the processor's MXCSR instead, then clear sticky exception bits.
     //
-    uint32_t mxcsr = (kfp->magic == 0) ? kfp->mxcsr : getMxcsr ();
+    uint32_t mxcsr = getMxcsr ();
     if (mxcsr == 0) mxcsr = 0x1f80;
     setMxcsr (mxcsr, clearExceptions);
 #        else
+    _fpstate* kfp = reinterpret_cast<_fpstate*> (ucon.uc_mcontext.fpregs);
     setMxcsr (kfp->mxcsr, clearExceptions);
 #        endif
 }
