fix(crashtracking): guard sigchld and sigpipe during crashtracker signal handler execution (#1771)

# What does this PR do?

Guards SIGCHLD and SIGPIPE during crashtracker signal handler execution

# Motivation

During execution of the signal handler, it cannot be guaranteed that the signal is handled without SA_NODEFER, thus it also cannot be guaranteed that signals like SIGCHLD and SIGPIPE will _not_ be emitted during this handler as a result of the handler itself. At the same time, it isn't known whether it is safe to merely block all signals, as the user's own handler will be given the chance to execute after ours. Thus, we need to prevent the emission of signals we might create (and cannot be created during a signal handler except by our own execution) and defer any other signals. To put it another way, it is conceivable that the crash handling code will emit SIGCHLD or SIGPIPE, and instead of risking responding to those signals, it needs to suppress them. On the other hand, it can't just "block" (`sigprocmask()`) those signals because this will only defer them to the next handler.

# Additional Notes

This was originally implemented in: [Crashtracker receiver is spawned on crash](#692)
but subsequently removed.

# How to test the change?
Unit tests for saguard.rs. Integration test will be in a following PR

Co-authored-by: gyuheon.oh <gyuheon.oh@datadoghq.com>

Author: gyuheon0h

bin_tests/tests/crashtracker_bin_test.rs

@@ -299,7 +299,7 @@ fn test_collector_no_allocations_stacktrace_modes() {
         let _ = fs::remove_file(&detector_log_path);
 
         let config = CrashTestConfig::new(
-            BuildProfile::Debug,
+            BuildProfile::Release,
             TestMode::RuntimePreloadLogger,
             CrashType::NullDeref,
         )

libdd-crashtracker/src/collector/crash_handler.rs

@@ -5,6 +5,7 @@
 
 use super::collector_manager::Collector;
 use super::receiver_manager::Receiver;
+use super::saguard::SaGuard;
 use super::signal_handler_manager::chain_signal_handler;
 use crate::crash_info::Metadata;
 use crate::shared::configuration::CrashtrackerConfiguration;
@@ -263,6 +264,15 @@ fn handle_posix_signal_impl(
         return Ok(());
     }
 
+    // Block SIGCHLD and SIGPIPE during crash handling. Our collector spawns child processes
+    // and writes to pipes, both of which can generate these signals. Rather than risk
+    // re-entering a signal handler or aborting due to SIGPIPE, suppress them for the
+    // duration and restore when the guard drops
+    let _sa_guard = SaGuard::new(&[
+        nix::sys::signal::Signal::SIGCHLD,
+        nix::sys::signal::Signal::SIGPIPE,
+    ]);
+
     // Take config and metadata out of global storage.
     // We borrow via raw pointer and intentionally leak (do not reconstruct the Box) to avoid
     // calling `drop`, and therefore `free`, inside a signal handler, which is not

libdd-crashtracker/src/collector/mod.rs

@@ -10,6 +10,7 @@ mod crash_handler;
 mod emitters;
 mod process_handle;
 mod receiver_manager;
+mod saguard;
 mod signal_handler_manager;
 mod spans;
 

libdd-crashtracker/src/collector/saguard.rs

@@ -84,3 +84,76 @@ impl<const N: usize> Drop for SaGuard<N> {
         );
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use nix::sys::signal::{self, Signal};
+    use nix::unistd::Pid;
+    use std::sync::atomic::{AtomicBool, Ordering};
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn signal_is_ignored_while_guard_is_active() {
+        let _guard = SaGuard::<1>::new(&[Signal::SIGUSR1]).unwrap();
+
+        // Send SIGUSR1 to the process. The default action is to terminate, so if
+        // the guard didn't set SIG_IGN this test process would die
+        signal::kill(Pid::this(), Signal::SIGUSR1).unwrap();
+    }
+
+    /// After the guard is dropped, the original handler should be restored.
+    /// Install a custom handler, create a guard,drop the guard, then send the
+    /// signal and verify the custom handler fires
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn original_handler_restored_after_drop() {
+        static HANDLER_CALLED: AtomicBool = AtomicBool::new(false);
+
+        extern "C" fn custom_handler(_: libc::c_int) {
+            HANDLER_CALLED.store(true, Ordering::SeqCst);
+        }
+
+        // Install a custom handler
+        let custom_action = SigAction::new(
+            SigHandler::Handler(custom_handler),
+            SaFlags::empty(),
+            signal::SigSet::empty(),
+        );
+        let prev = unsafe { signal::sigaction(Signal::SIGUSR2, &custom_action).unwrap() };
+
+        // Create then drop the guard (dropped when out of scope)
+        {
+            let _guard = SaGuard::<1>::new(&[Signal::SIGUSR2]).unwrap();
+            signal::kill(Pid::this(), Signal::SIGUSR2).unwrap();
+            assert!(
+                !HANDLER_CALLED.load(Ordering::SeqCst),
+                "custom handler should not fire while guard is active"
+            );
+        }
+        // Guard is dropped; custom handler should be restored
+        HANDLER_CALLED.store(false, Ordering::SeqCst);
+        unsafe {
+            libc::raise(Signal::SIGUSR2 as libc::c_int);
+        }
+        assert!(
+            HANDLER_CALLED.load(Ordering::SeqCst),
+            "custom handler should fire after guard is dropped"
+        );
+
+        // Restore original handler
+        unsafe {
+            signal::sigaction(Signal::SIGUSR2, &prev).unwrap();
+        }
+    }
+
+    #[test]
+    #[cfg_attr(miri, ignore)]
+    fn multiple_signals_ignored() {
+        let _guard = SaGuard::<2>::new(&[Signal::SIGUSR1, Signal::SIGUSR2]).unwrap();
+
+        // Both signals should be safely ignored
+        signal::kill(Pid::this(), Signal::SIGUSR1).unwrap();
+        signal::kill(Pid::this(), Signal::SIGUSR2).unwrap();
+    }
+}