userspace_pagefault/

lib.rs

#![warn(static_mut_refs)]
pub use nix::libc;
use nix::libc::c_void;
use nix::sys::mman::MapFlags;
pub use nix::sys::mman::ProtFlags;
use nix::sys::signal;
use nix::unistd;
use parking_lot::Mutex;
use std::num::NonZeroUsize;
use std::os::fd::{AsRawFd, BorrowedFd, IntoRawFd, RawFd};
use std::ptr::NonNull;
use std::sync::Arc;
use std::sync::atomic::{AtomicBool, AtomicPtr, Ordering};

mod machdep;

const ADDR_SIZE: usize = std::mem::size_of::<usize>();

type SignalHandler = extern "C" fn(libc::c_int, *mut libc::siginfo_t, *mut c_void);

#[derive(Debug, PartialEq, Eq)]
pub enum AccessType {
    Read,
    Write,
}

pub trait PageStore {
    /// Callback that is triggered upon a page fault. Return `Some()` if the page needs to be loaded with the given data.
    fn page_fault(
        &mut self, offset: usize, length: usize, access: AccessType,
    ) -> Option<Box<dyn Iterator<Item = Box<dyn AsRef<[u8]> + '_>> + '_>>;
}

pub struct MappedMemory {
    base: AtomicPtr<u8>,
    length: usize,
    unmap: bool,
    shared: Mutex<Vec<SharedMemory>>,
}

impl MappedMemory {
    pub fn new(base: Option<*mut u8>, mut length: usize, page_size: usize, flags: ProtFlags) -> Result<Self, Error> {
        let rem = length & (page_size - 1);
        match base {
            Some(base) => {
                if (base as usize) % page_size != 0 {
                    return Err(Error::BaseNotAligned);
                }
                if rem != 0 {
                    return Err(Error::LengthNotAligned);
                }
            }
            None => {
                if rem != 0 {
                    length += page_size - rem
                }
            }
        }

        let addr = match base {
            Some(b) => Some(NonZeroUsize::new(b as usize).ok_or(Error::NullBase)?),
            None => None,
        };
        let length_nz = NonZeroUsize::new(length).ok_or(Error::LengthIsZero)?;
        let map_flags = match base {
            Some(_) => MapFlags::MAP_FIXED,
            None => MapFlags::empty(),
        } | MapFlags::MAP_PRIVATE;

        let new_base = unsafe {
            nix::sys::mman::mmap_anonymous(addr, length_nz, flags, map_flags)
                .map_err(Error::UnixError)?
                .cast::<u8>()
        };
        let new_base_ptr = new_base.as_ptr();

        if let Some(base) = base {
            if base != new_base_ptr {
                return Err(Error::NotSupported);
            }
        }

        Ok(Self {
            base: AtomicPtr::new(new_base_ptr),
            length,
            unmap: base.is_none(),
            shared: Mutex::new(Vec::new()),
        })
    }
    #[inline(always)]
    pub fn base(&self) -> *mut u8 {
        unsafe { *self.base.as_ptr() }
    }

    #[inline(always)]
    pub fn as_slice(&self) -> &mut [u8] {
        unsafe { std::slice::from_raw_parts_mut(self.base(), self.length) }
    }

    pub fn make_shared(&self, offset: usize, shm: &SharedMemory, flags: ProtFlags) -> Result<(), Error> {
        let len = shm.0.size;
        if offset + len >= self.length {
            return Err(Error::MemoryOverflow);
        }
        unsafe {
            nix::sys::mman::mmap(
                Some(NonZeroUsize::new(self.base().add(offset) as usize).unwrap()),
                NonZeroUsize::new(len).unwrap(),
                flags,
                MapFlags::MAP_FIXED | MapFlags::MAP_SHARED,
                &shm.0.fd,
                0,
            )
            .map_err(Error::UnixError)?;
        }
        // keep a reference to the shared memory so it is not deallocated
        self.shared.lock().push(shm.clone());
        Ok(())
    }
}

impl Drop for MappedMemory {
    fn drop(&mut self) {
        if self.unmap {
            unsafe {
                if let Some(ptr) = NonNull::new(self.base() as *mut c_void) {
                    nix::sys::mman::munmap(ptr, self.length).unwrap();
                }
            }
        }
    }
}

pub struct PagedMemory<'a> {
    mem: Arc<MappedMemory>,
    page_size: usize,
    _phantom: std::marker::PhantomData<&'a ()>,
}

struct PagedMemoryEntry {
    start: usize,
    len: usize,
    mem: Arc<MappedMemory>,
    store: Box<dyn PageStore + Send + 'static>,
    page_size: usize,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    BaseNotAligned,
    NullBase,
    LengthNotAligned,
    LengthIsZero,
    PageSizeNotAvail,
    NotSupported,
    UnixError(nix::errno::Errno),
    MemoryOverlap,
    MemoryOverflow,
}

static HANDLER_SPIN: AtomicBool = AtomicBool::new(false);
static HANDLER_INITIALIZED: AtomicBool = AtomicBool::new(false);
static HANDLER_THREAD: Mutex<Option<std::thread::JoinHandle<()>>> = Mutex::new(None);
static mut TO_HANDLER: (RawFd, RawFd) = (0, 1);
static mut FROM_HANDLER: (RawFd, RawFd) = (0, 1);
static mut FALLBACK_SIGSEGV_HANDLER: Option<SignalHandler> = None;
static mut FALLBACK_SIGBUS_HANDLER: Option<SignalHandler> = None;

#[inline]
fn handle_page_fault_(info: *mut libc::siginfo_t, ctx: *mut c_void) -> bool {
    // NOTE: this function should be SIGBUS/SIGSEGV-free, another signal can't be raised during the
    // handling of the signal.
    let (tx, rx, addr, ctx) = unsafe {
        let (rx, _) = TO_HANDLER;
        let (_, tx) = FROM_HANDLER;
        (tx, rx, (*info).si_addr() as usize, &mut *(ctx as *mut libc::ucontext_t))
    };
    let flag = machdep::check_page_fault_rw_flag_from_context(*ctx);
    let mut buff = [0; ADDR_SIZE + 1];
    buff[..ADDR_SIZE].copy_from_slice(&addr.to_le_bytes());
    buff[ADDR_SIZE] = flag;
    // use a spin lock to avoid ABA (another thread could interfere in-between read and write)
    while HANDLER_SPIN.swap(true, Ordering::Acquire) {
        std::thread::yield_now();
    }
    if unistd::write(unsafe { BorrowedFd::borrow_raw(tx) }, &buff).is_err() {
        HANDLER_SPIN.swap(false, Ordering::Release);
        return true;
    }
    let _ = unistd::read(unsafe { BorrowedFd::borrow_raw(rx) }, &mut buff[..1]);
    HANDLER_SPIN.swap(false, Ordering::Release);
    buff[0] == 1
}

// The fallback signal handling was inspired by wasmtime trap handlers:
// https://github.com/bytecodealliance/wasmtime/blob/v22.0.0/crates/wasmtime/src/runtime/vm/sys/unix/signals.rs
extern "C" fn handle_page_fault(signum: libc::c_int, info: *mut libc::siginfo_t, ctx: *mut c_void) {
    if !handle_page_fault_(info, ctx) {
        return;
    }
    // Otherwise, not hitting a managed memory region, fallback to previous handler

    unsafe {
        let sig = signal::Signal::try_from(signum).expect("invalid signum");
        let fallback_handler = match sig {
            signal::SIGSEGV => FALLBACK_SIGSEGV_HANDLER,
            signal::SIGBUS => FALLBACK_SIGBUS_HANDLER,
            _ => panic!("unknown signal: {}", sig),
        };

        if let Some(handler) = fallback_handler {
            // Delegate to the fallback handler
            handler(signum, info, ctx);
        } else {
            // No fallback handler (was SIG_DFL or SIG_IGN), reset to default and raise
            let sig_action = signal::SigAction::new(
                signal::SigHandler::SigDfl,
                signal::SaFlags::empty(),
                signal::SigSet::empty(),
            );
            signal::sigaction(sig, &sig_action).expect("fail to reset signal handler");
            signal::raise(sig).expect("fail to raise signal");
            unreachable!("SIG_DFL should have terminated the process");
        }
    }
}

unsafe fn register_signal_handlers(handler: SignalHandler) {
    let register = |fallback_handler: *mut Option<SignalHandler>, sig: signal::Signal| {
        // The flags here are relatively careful, and they are...
        //
        // SA_SIGINFO gives us access to information like the program
        // counter from where the fault happened.
        //
        // SA_ONSTACK allows us to handle signals on an alternate stack,
        // so that the handler can run in response to running out of
        // stack space on the main stack. Rust installs an alternate
        // stack with sigaltstack, so we rely on that.
        //
        // SA_NODEFER allows us to reenter the signal handler if we
        // crash while handling the signal, and fall through to the
        // Breakpad handler by testing handlingSegFault.
        let sig_action = signal::SigAction::new(
            signal::SigHandler::SigAction(handler),
            signal::SaFlags::SA_NODEFER | signal::SaFlags::SA_SIGINFO | signal::SaFlags::SA_ONSTACK,
            signal::SigSet::empty(),
        );

        // Extract and save the fallback handler function pointer if it's a SigAction with SA_SIGINFO
        unsafe {
            let sig = signal::sigaction(sig, &sig_action).expect("fail to register signal handler");
            *fallback_handler = match sig.handler() {
                signal::SigHandler::SigAction(h)
                    if sig.flags() & signal::SaFlags::SA_SIGINFO == signal::SaFlags::SA_SIGINFO =>
                {
                    Some(h)
                }
                _ => None,
            };
        }
    };

    register(&raw mut FALLBACK_SIGSEGV_HANDLER, signal::SIGSEGV);
    register(&raw mut FALLBACK_SIGBUS_HANDLER, signal::SIGBUS);
}

struct PagedMemoryManager {
    entries: Vec<PagedMemoryEntry>,
}

impl PagedMemoryManager {
    fn insert(&mut self, entry: PagedMemoryEntry) -> bool {
        for (i, PagedMemoryEntry { start, len, .. }) in self.entries.iter().enumerate() {
            if entry.start + entry.len <= *start {
                // insert before this entry
                self.entries.insert(i, entry);
                return true;
            }
            if entry.start < *start + *len {
                // overlapping space
                return false;
            }
        }
        self.entries.push(entry);
        true
    }

    fn remove(&mut self, start_: usize, len_: usize) {
        for (i, PagedMemoryEntry { start, len, .. }) in self.entries.iter().enumerate() {
            if *start == start_ && *len == len_ {
                self.entries.remove(i);
                return;
            }
        }
        panic!(
            "failed to locate PagedMemoryEntry (start = 0x{:x}, end = 0x{:x})",
            start_,
            start_ + len_
        )
    }
}

static MANAGER: Mutex<PagedMemoryManager> = Mutex::new(PagedMemoryManager { entries: Vec::new() });

fn handler_init() {
    let (to_read, to_write) = nix::unistd::pipe().expect("fail to create pipe to the handler");
    let (from_read, from_write) = nix::unistd::pipe().expect("fail to create pipe from the handler");
    let from_handler = unsafe { BorrowedFd::borrow_raw(from_read.as_raw_fd()) };
    let to_handler = unsafe { BorrowedFd::borrow_raw(to_write.as_raw_fd()) };
    unsafe {
        TO_HANDLER = (to_read.into_raw_fd(), to_write.into_raw_fd());
        FROM_HANDLER = (from_read.into_raw_fd(), from_write.into_raw_fd());
        register_signal_handlers(handle_page_fault);
    }
    std::sync::atomic::fence(Ordering::SeqCst);
    let handle = std::thread::spawn(move || {
        let mut buff = [0; ADDR_SIZE + 1];
        loop {
            if unistd::read(&from_handler, &mut buff).is_err() {
                // Pipe closed, exit thread
                break;
            }
            let addr = usize::from_le_bytes(buff[..ADDR_SIZE].try_into().unwrap());
            let (access_type, mprotect_flag) = match buff[ADDR_SIZE] {
                0 => (AccessType::Read, ProtFlags::PROT_READ),
                _ => (AccessType::Write, ProtFlags::PROT_READ | ProtFlags::PROT_WRITE),
            };
            let mut mgr = MANAGER.lock();
            let mut fallback = 1;
            for entry in mgr.entries.iter_mut() {
                if entry.start <= addr && addr < entry.start + entry.len {
                    let page_mask = usize::MAX ^ (entry.page_size - 1);
                    let page_addr = addr & page_mask;
                    let page_ptr = unsafe { NonNull::new_unchecked(page_addr as *mut c_void) };
                    // load the page data
                    let slice = entry.mem.as_slice();
                    let base = slice.as_ptr() as usize;
                    let page_offset = page_addr - base;
                    if let Some(page) = entry.store.page_fault(page_offset, entry.page_size, access_type) {
                        unsafe {
                            nix::sys::mman::mprotect(
                                page_ptr,
                                entry.page_size,
                                ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
                            )
                            .expect("mprotect failed");
                        }
                        let target = &mut slice[page_offset..page_offset + entry.page_size];
                        let mut base = 0;
                        for chunk in page {
                            let chunk = (*chunk).as_ref();
                            let chunk_len = chunk.len();
                            target[base..base + chunk_len].copy_from_slice(&chunk);
                            base += chunk_len;
                        }
                    }
                    // mark as readable/writable
                    unsafe {
                        nix::sys::mman::mprotect(page_ptr, entry.page_size, mprotect_flag).expect("mprotect failed");
                    }
                    fallback = 0;
                    break;
                }
            }
            // otherwise this SIGSEGV falls through and we don't do anything about it
            if unistd::write(&to_handler, &[fallback]).is_err() {
                // Pipe closed, exit thread
                break;
            }
        }
    });
    *HANDLER_THREAD.lock() = Some(handle);
}

impl<'a> PagedMemory<'a> {
    /// Make the memory paged in userspace with raw base pointer and length. Note that the range of
    /// addresses should be valid throughout the lifetime of [PagedMemory] and no access should be
    /// made to the memory unless it is wrapped in [PagedMemory::run].
    pub unsafe fn from_raw<S: PageStore + Send + 'static>(
        base: *mut u8, length: usize, store: S, page_size: Option<usize>,
    ) -> Result<PagedMemory<'static>, Error> {
        let mem: &'static mut [u8] = unsafe { std::slice::from_raw_parts_mut(base, length) };
        Self::new_(Some(mem.as_ptr() as *mut u8), mem.len(), store, page_size)
    }

    /// Create a slice of memory that is pagged.
    pub fn new<S: PageStore + Send + 'static>(
        length: usize, store: S, page_size: Option<usize>,
    ) -> Result<PagedMemory<'static>, Error> {
        Self::new_(None, length, store, page_size)
    }

    fn new_<'b, S: PageStore + Send + 'static>(
        base: Option<*mut u8>, length: usize, store: S, page_size: Option<usize>,
    ) -> Result<PagedMemory<'b>, Error> {
        if !HANDLER_INITIALIZED.swap(true, Ordering::SeqCst) {
            handler_init();
        }
        let page_size = match page_size {
            Some(s) => s,
            None => get_page_size()?,
        };
        let mem = std::sync::Arc::new(MappedMemory::new(base, length, page_size, ProtFlags::PROT_NONE)?);
        let mut mgr = MANAGER.lock();
        if !mgr.insert(PagedMemoryEntry {
            start: mem.base() as usize,
            len: length,
            mem: mem.clone(),
            store: Box::new(store),
            page_size,
        }) {
            return Err(Error::MemoryOverlap);
        }

        Ok(PagedMemory {
            mem,
            page_size,
            _phantom: std::marker::PhantomData,
        })
    }

    /*
    /// Run code that possibly accesses the paged memory. Because an access to the memory could
    /// wait upon the [PageStore] to load the page in case of a page fault, to avoid dead-lock,
    /// make sure the resources the store will acquire will not be held by this code before
    /// accessing the paged memory. For example, using `println!("{}", mem[0])` could dead-lock the
    /// system if the `read()` implementation of [PageStore] also uses `println`: the I/O is first
    /// locked before the dereference of `mem[0]` which could possibly induces a page fault that
    /// invokes `read()` to bring in the page content, then when the page store tries to invoke
    /// `println`, it gets stuck (the dereference is imcomplete). As a good practice, always make
    /// sure [PageStore] grabs the least resources that do not overlap with the code here.
    pub fn run<F, T>(&mut self, f: F) -> std::thread::JoinHandle<T>
    where
        F: FnOnce(&mut [u8]) -> T + Send + 'static,
        T: Send + 'static,
    {
        let mem = self.mem.clone();
        std::thread::spawn(move || f(mem.as_slice()))
    }
    */

    /// Because an access to the memory could
    /// wait upon the [PageStore] to load the page in case of a page fault, to avoid dead-lock,
    /// make sure the resources the store will acquire will not be held by this code before
    /// accessing the paged memory. For example, using `println!("{}", mem.as_slice()[0])` could dead-lock the
    /// system if the `read()` implementation of [PageStore] also uses `println`: the I/O is first
    /// locked before the dereference of `mem[0]` which could possibly induces a page fault that
    /// invokes `read()` to bring in the page content, then when the page store tries to invoke
    /// `println`, it gets stuck (the dereference is imcomplete). As a good practice, always make
    /// sure [PageStore] grabs the least resources that do not overlap with the code here.
    pub fn as_slice_mut(&mut self) -> &mut [u8] {
        self.mem.as_slice()
    }

    pub fn as_slice(&self) -> &[u8] {
        self.mem.as_slice()
    }

    pub fn as_raw_parts(&self) -> (*mut u8, usize) {
        let s = self.mem.as_slice();
        (s.as_mut_ptr(), s.len())
    }

    /// Return the configured page size.
    pub fn page_size(&self) -> usize {
        self.page_size
    }

    /// Mark the entire PagedMemory to be read-only, this will trigger write-access page faults
    /// again when write operation is made in the future.
    pub fn mark_read_only(&self, offset: usize, length: usize) {
        assert!(offset + length <= self.mem.length);
        unsafe {
            let ptr = NonNull::new_unchecked(self.mem.base().add(offset) as *mut c_void);
            nix::sys::mman::mprotect(ptr, length, ProtFlags::PROT_READ).expect("mprotect failed");
        }
    }

    /// Release the page content loaded from PageStore. The next access to an address within this
    /// page will trigger a page fault. `page_offset` must be one of the offset passed in by page
    /// fault handler.
    pub fn release_page(&self, page_offset: usize) {
        if page_offset & (self.page_size - 1) != 0 || page_offset >= self.mem.length {
            panic!("invalid page offset: {:x}", page_offset);
        }
        let page_addr = self.mem.base() as usize + page_offset;
        unsafe {
            nix::sys::mman::mmap_anonymous(
                Some(NonZeroUsize::new(page_addr).unwrap()),
                NonZeroUsize::new(self.page_size).unwrap(),
                ProtFlags::PROT_NONE,
                MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE,
            )
            .expect("mmap failed");
        }
    }

    pub fn release_all_pages(&self) {
        unsafe {
            nix::sys::mman::mmap_anonymous(
                Some(NonZeroUsize::new(self.mem.base() as usize).unwrap()),
                NonZeroUsize::new(self.mem.length).unwrap(),
                ProtFlags::PROT_NONE,
                MapFlags::MAP_FIXED | MapFlags::MAP_PRIVATE,
            )
            .expect("mmap failed");
        }
        self.mem.shared.lock().clear();
    }

    pub fn make_shared(&self, offset: usize, shm: &SharedMemory) -> Result<(), Error> {
        self.mem.make_shared(offset, shm, ProtFlags::PROT_NONE)
    }
}

impl<'a> Drop for PagedMemory<'a> {
    fn drop(&mut self) {
        let mut mgr = MANAGER.lock();
        mgr.remove(self.mem.base() as usize, self.mem.length);
    }
}

pub struct VecPageStore(Vec<u8>);

impl VecPageStore {
    pub fn new(vec: Vec<u8>) -> Self {
        Self(vec)
    }
}

impl PageStore for VecPageStore {
    fn page_fault(
        &mut self, offset: usize, length: usize, _access: AccessType,
    ) -> Option<Box<dyn Iterator<Item = Box<dyn AsRef<[u8]> + '_>> + '_>> {
        #[cfg(debug_assertions)]
        println!(
            "{:?} loading page at 0x{:x} access={:?}",
            self as *mut Self, offset, _access,
        );
        Some(Box::new(std::iter::once(
            Box::new(&self.0[offset..offset + length]) as Box<dyn AsRef<[u8]>>
        )))
    }
}

#[derive(Clone)]
pub struct SharedMemory(Arc<SharedMemoryInner>);

struct SharedMemoryInner {
    fd: std::os::fd::OwnedFd,
    size: usize,
}

impl SharedMemory {
    pub fn new(size: usize) -> Result<Self, Error> {
        let fd = machdep::get_shared_memory()?;
        nix::unistd::ftruncate(&fd, size as libc::off_t).map_err(Error::UnixError)?;
        Ok(Self(Arc::new(SharedMemoryInner { fd, size })))
    }
}

pub fn get_page_size() -> Result<usize, Error> {
    Ok(unistd::sysconf(unistd::SysconfVar::PAGE_SIZE)
        .map_err(Error::UnixError)?
        .ok_or(Error::PageSizeNotAvail)? as usize)
}

#[cfg(test)]
mod tests {
    use super::*;
    use lazy_static::lazy_static;
    use parking_lot::Mutex;

    lazy_static! {
        static ref PAGE_SIZE: usize = unistd::sysconf(unistd::SysconfVar::PAGE_SIZE).unwrap().unwrap() as usize;
    }

    static TEST_MUTEX: Mutex<()> = Mutex::new(());

    #[test]
    fn test1() {
        let _guard = TEST_MUTEX.lock();
        for _ in 0..100 {
            let mut v = Vec::new();
            v.resize(*PAGE_SIZE * 100, 0);
            v[0] = 42;
            v[*PAGE_SIZE * 10 + 1] = 43;
            v[*PAGE_SIZE * 20 + 1] = 44;

            let pm = PagedMemory::new(*PAGE_SIZE * 100, VecPageStore::new(v), None).unwrap();
            let m = pm.as_slice();
            assert_eq!(m[0], 42);
            assert_eq!(m[*PAGE_SIZE * 10 + 1], 43);
            assert_eq!(m[*PAGE_SIZE * 20 + 1], 44);
        }
    }

    #[test]
    fn test2() {
        let _guard = TEST_MUTEX.lock();
        for _ in 0..100 {
            let mut v = Vec::new();
            v.resize(*PAGE_SIZE * 100, 0);
            v[0] = 1;
            v[*PAGE_SIZE * 10 + 1] = 2;
            v[*PAGE_SIZE * 20 + 1] = 3;

            let pm1 = PagedMemory::new(*PAGE_SIZE * 100, VecPageStore::new(v), None).unwrap();

            let mut v = Vec::new();
            v.resize(*PAGE_SIZE * 100, 0);
            for (i, v) in v.iter_mut().enumerate() {
                *v = i as u8;
            }
            let mut pm2 = PagedMemory::new(*PAGE_SIZE * 100, VecPageStore::new(v), None).unwrap();

            let m2 = pm2.as_slice_mut();
            let m1 = pm1.as_slice();

            assert_eq!(m2[100], 100);
            m2[100] = 0;
            assert_eq!(m2[100], 0);

            assert_eq!(m1[0], 1);
            assert_eq!(m1[*PAGE_SIZE * 10 + 1], 2);
            assert_eq!(m1[*PAGE_SIZE * 20 + 1], 3);
        }
    }

    #[test]
    fn test_shared_memory() {
        let _guard = TEST_MUTEX.lock();
        let mut v = Vec::new();
        v.resize(*PAGE_SIZE * 100, 0);
        v[0] = 42;
        v[*PAGE_SIZE * 10 + 1] = 43;
        v[*PAGE_SIZE * 20 + 1] = 44;

        let shm = SharedMemory::new(*PAGE_SIZE).unwrap();
        let mut pm1 = PagedMemory::new(*PAGE_SIZE * 100, VecPageStore::new(v.clone()), None).unwrap();
        let pm2 = PagedMemory::new(*PAGE_SIZE * 100, VecPageStore::new(v), None).unwrap();
        pm1.make_shared(*PAGE_SIZE * 10, &shm).unwrap();
        pm2.make_shared(*PAGE_SIZE * 10, &shm).unwrap();

        assert_eq!(pm1.as_slice()[*PAGE_SIZE * 10 + 1], 43);
        assert_eq!(pm2.as_slice()[*PAGE_SIZE * 10 + 1], 43);
        pm1.as_slice_mut()[*PAGE_SIZE * 10 + 1] = 99;
        assert_eq!(pm2.as_slice()[*PAGE_SIZE * 10 + 1], 99);
        assert_eq!(pm1.as_slice()[*PAGE_SIZE * 10 + 1], 99);

        let m = pm1.as_slice();
        assert_eq!(m[0], 42);
        assert_eq!(m[*PAGE_SIZE * 20 + 1], 44);
    }

    #[test]
    fn test_release_page() {
        let _guard = TEST_MUTEX.lock();
        let mut v = Vec::new();
        v.resize(*PAGE_SIZE * 20, 0);
        v[0] = 42;
        v[*PAGE_SIZE * 10 + 1] = 43;

        let pm = PagedMemory::new(*PAGE_SIZE * 100, VecPageStore::new(v), None).unwrap();
        let m = pm.as_slice();
        assert_eq!(m[0], 42);
        assert_eq!(m[*PAGE_SIZE * 10 + 1], 43);
        for _ in 0..5 {
            pm.release_page(0);
            pm.release_page(*PAGE_SIZE * 10);
            assert_eq!(m[0], 42);
            assert_eq!(m[*PAGE_SIZE * 10 + 1], 43);
        }
    }

    #[test]
    fn out_of_order_scan() {
        let _guard = TEST_MUTEX.lock();
        let mut v = Vec::new();
        v.resize(*PAGE_SIZE * 100, 0);
        for (i, v) in v.iter_mut().enumerate() {
            *v = i as u8;
        }
        let store = VecPageStore::new(v);
        let pm = PagedMemory::new(*PAGE_SIZE * 100, store, None).unwrap();
        use rand::{SeedableRng, seq::SliceRandom};
        use rand_chacha::ChaChaRng;
        let seed = [0; 32];
        let mut rng = ChaChaRng::from_seed(seed);

        let m = pm.as_slice();
        let mut idxes = Vec::new();
        for i in 0..m.len() {
            idxes.push(i);
        }
        idxes.shuffle(&mut rng);
        for i in idxes.into_iter() {
            #[cfg(debug_assertions)]
            {
                let x = m[i];
                println!("m[0x{:08x}] = {}", i, x);
            }
            assert_eq!(m[i], i as u8);
        }
    }

    use signal::{SaFlags, SigAction, SigHandler, SigSet, Signal};

    /// Reset the handler state for testing
    unsafe fn handler_reset_init() {
        unsafe {
            // Close pipe file descriptors to cause the handler thread to exit
            let (to_read, to_write) = TO_HANDLER;
            let (from_read, from_write) = FROM_HANDLER;

            if to_read != 0 {
                let _ = nix::unistd::close(to_read);
            }
            if to_write != 1 {
                let _ = nix::unistd::close(to_write);
            }
            if from_read != 0 {
                let _ = nix::unistd::close(from_read);
            }
            if from_write != 1 {
                let _ = nix::unistd::close(from_write);
            }

            // Wait for the handler thread to exit
            if let Some(handle) = HANDLER_THREAD.lock().take() {
                let _ = handle.join();
            }

            // Reset signal handlers to SIG_DFL so next init sees default handlers
            let sig_dfl = SigAction::new(SigHandler::SigDfl, SaFlags::empty(), SigSet::empty());
            let _ = signal::sigaction(Signal::SIGSEGV, &sig_dfl);
            let _ = signal::sigaction(Signal::SIGBUS, &sig_dfl);

            // Reset the init flag so handler_init can run again
            HANDLER_INITIALIZED.store(false, Ordering::SeqCst);

            // Clear fallback handlers
            FALLBACK_SIGSEGV_HANDLER = None;
            FALLBACK_SIGBUS_HANDLER = None;

            // Reset pipe fds to initial values
            TO_HANDLER = (0, 1);
            FROM_HANDLER = (0, 1);
        }
    }

    static SIGSEGV_CALLED: AtomicBool = AtomicBool::new(false);
    static SIGBUS_CALLED: AtomicBool = AtomicBool::new(false);

    extern "C" fn test_sigsegv_handler(_signum: libc::c_int, info: *mut libc::siginfo_t, _ctx: *mut c_void) {
        SIGSEGV_CALLED.store(true, Ordering::SeqCst);
        // Make the memory accessible so the instruction can succeed on retry
        unsafe {
            let addr = (*info).si_addr();
            let page_size = nix::unistd::sysconf(nix::unistd::SysconfVar::PAGE_SIZE)
                .unwrap()
                .unwrap() as usize;
            let page_addr = (addr as usize) & !(page_size - 1);
            nix::sys::mman::mprotect(
                NonNull::new_unchecked(page_addr as *mut c_void),
                page_size,
                ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
            )
            .expect("mprotect failed in handler");
        }
    }

    extern "C" fn test_sigbus_handler(_signum: libc::c_int, info: *mut libc::siginfo_t, _ctx: *mut c_void) {
        SIGBUS_CALLED.store(true, Ordering::SeqCst);
        unsafe {
            let addr = (*info).si_addr();
            let page_size = nix::unistd::sysconf(nix::unistd::SysconfVar::PAGE_SIZE)
                .unwrap()
                .unwrap() as usize;
            let page_addr = (addr as usize) & !(page_size - 1);
            nix::sys::mman::mprotect(
                NonNull::new_unchecked(page_addr as *mut c_void),
                page_size,
                ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
            )
            .expect("mprotect failed in handler");
        }
    }

    #[test]
    fn test_fallback_handlers_set_and_called() {
        let _guard = TEST_MUTEX.lock();

        unsafe {
            // Reset handler state before test
            handler_reset_init();

            // Register the SIGSEGV handler handler
            let sigsegv_action = SigAction::new(
                SigHandler::SigAction(test_sigsegv_handler),
                SaFlags::SA_SIGINFO | SaFlags::SA_NODEFER,
                SigSet::empty(),
            );
            signal::sigaction(Signal::SIGSEGV, &sigsegv_action).expect("failed to set SIGSEGV handler");

            // Register the fallback SIGBUS handler
            let sigbus_action = SigAction::new(
                SigHandler::SigAction(test_sigbus_handler),
                SaFlags::SA_SIGINFO | SaFlags::SA_NODEFER,
                SigSet::empty(),
            );
            signal::sigaction(Signal::SIGBUS, &sigbus_action).expect("failed to set SIGBUS handler");

            // Create a PagedMemory - this will trigger handler_init() which considers the fallback
            // handlers.
            let _pm1 = PagedMemory::new(*PAGE_SIZE, VecPageStore::new(vec![0u8; *PAGE_SIZE]), None).unwrap();

            // Save the handler pointers to verify they don't change
            let saved_sigsegv = FALLBACK_SIGSEGV_HANDLER.map(|f| f as usize);
            let saved_sigbus = FALLBACK_SIGBUS_HANDLER.map(|f| f as usize);

            // Verify that the fallback handlers were saved
            assert!(saved_sigsegv.is_some(), "SIGSEGV fallback handler should be saved");
            assert!(saved_sigbus.is_some(), "SIGBUS fallback handler should be saved");

            // Create another PagedMemory - handler_init() should NOT run again due to Once guard
            let _pm2 = PagedMemory::new(*PAGE_SIZE, VecPageStore::new(vec![0u8; *PAGE_SIZE]), None).unwrap();

            // Verify the handler pointers haven't changed (Once guard prevented re-registration)
            let current_sigsegv = FALLBACK_SIGSEGV_HANDLER.map(|f| f as usize);
            let current_sigbus = FALLBACK_SIGBUS_HANDLER.map(|f| f as usize);
            assert_eq!(
                current_sigsegv, saved_sigsegv,
                "SIGSEGV fallback handler should not change"
            );
            assert_eq!(
                current_sigbus, saved_sigbus,
                "SIGBUS fallback handler should not change"
            );

            // Test SIGSEGV/SIGBUS fallback by accessing memory protected with PROT_NONE
            SIGSEGV_CALLED.store(false, Ordering::SeqCst);
            SIGBUS_CALLED.store(false, Ordering::SeqCst);

            // Allocate memory with PROT_NONE to trigger SIGSEGV or SIGBUS when accessed
            let test_mem = nix::sys::mman::mmap_anonymous(
                None,
                NonZeroUsize::new(*PAGE_SIZE).unwrap(),
                ProtFlags::PROT_NONE,
                MapFlags::MAP_PRIVATE | MapFlags::MAP_ANONYMOUS,
            )
            .expect("mmap failed");

            // Access the protected memory - this triggers SIGSEGV or SIGBUS, handler makes it accessible
            std::ptr::write_volatile(test_mem.cast::<u8>().as_ptr(), 42);

            // Verify at least one fallback handler was called (platform dependent)
            assert!(
                SIGSEGV_CALLED.load(Ordering::SeqCst) || SIGBUS_CALLED.load(Ordering::SeqCst),
                "SIGSEGV or SIGBUS fallback handler should have been called"
            );

            // Clean up
            nix::sys::mman::munmap(test_mem.cast(), *PAGE_SIZE).expect("munmap failed");

            // Reset handler state after test
            handler_reset_init();
        }
    }
}