1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
|
/*
* Copyright (C) 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "DEBUG"
#include "libdebuggerd/tombstone.h"
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <signal.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>
#include <memory>
#include <string>
#include <async_safe/log.h>
#include <android-base/properties.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
#include <android/log.h>
#include <bionic/macros.h>
#include <log/log.h>
#include <log/log_read.h>
#include <log/logprint.h>
#include <private/android_filesystem_config.h>
#include <unwindstack/Maps.h>
#include <unwindstack/Memory.h>
#include <unwindstack/Regs.h>
#include <unwindstack/Unwinder.h>
#include "libdebuggerd/open_files_list.h"
#include "libdebuggerd/utility.h"
#include "util.h"
#include "tombstone.pb.h"
using android::base::StringPrintf;
// Use the demangler from libc++.
extern "C" char* __cxa_demangle(const char*, char*, size_t*, int* status);
static Architecture get_arch() {
#if defined(__arm__)
return Architecture::ARM32;
#elif defined(__aarch64__)
return Architecture::ARM64;
#elif defined(__i386__)
return Architecture::X86;
#elif defined(__x86_64__)
return Architecture::X86_64;
#else
#error Unknown architecture!
#endif
}
static std::optional<std::string> get_stack_overflow_cause(uint64_t fault_addr, uint64_t sp,
unwindstack::Maps* maps) {
static constexpr uint64_t kMaxDifferenceBytes = 256;
uint64_t difference;
if (sp >= fault_addr) {
difference = sp - fault_addr;
} else {
difference = fault_addr - sp;
}
if (difference <= kMaxDifferenceBytes) {
// The faulting address is close to the current sp, check if the sp
// indicates a stack overflow.
// On arm, the sp does not get updated when the instruction faults.
// In this case, the sp will still be in a valid map, which is the
// last case below.
// On aarch64, the sp does get updated when the instruction faults.
// In this case, the sp will be in either an invalid map if triggered
// on the main thread, or in a guard map if in another thread, which
// will be the first case or second case from below.
unwindstack::MapInfo* map_info = maps->Find(sp);
if (map_info == nullptr) {
return "stack pointer is in a non-existent map; likely due to stack overflow.";
} else if ((map_info->flags & (PROT_READ | PROT_WRITE)) != (PROT_READ | PROT_WRITE)) {
return "stack pointer is not in a rw map; likely due to stack overflow.";
} else if ((sp - map_info->start) <= kMaxDifferenceBytes) {
return "stack pointer is close to top of stack; likely stack overflow.";
}
}
return {};
}
static void dump_probable_cause(Tombstone* tombstone, const siginfo_t* si, unwindstack::Maps* maps,
unwindstack::Regs* regs) {
std::optional<std::string> cause;
if (si->si_signo == SIGSEGV && si->si_code == SEGV_MAPERR) {
if (si->si_addr < reinterpret_cast<void*>(4096)) {
cause = "null pointer dereference";
} else if (si->si_addr == reinterpret_cast<void*>(0xffff0ffc)) {
cause = "call to kuser_helper_version";
} else if (si->si_addr == reinterpret_cast<void*>(0xffff0fe0)) {
cause = "call to kuser_get_tls";
} else if (si->si_addr == reinterpret_cast<void*>(0xffff0fc0)) {
cause = "call to kuser_cmpxchg";
} else if (si->si_addr == reinterpret_cast<void*>(0xffff0fa0)) {
cause = "call to kuser_memory_barrier";
} else if (si->si_addr == reinterpret_cast<void*>(0xffff0f60)) {
cause = "call to kuser_cmpxchg64";
} else {
cause = get_stack_overflow_cause(reinterpret_cast<uint64_t>(si->si_addr), regs->sp(), maps);
}
} else if (si->si_signo == SIGSEGV && si->si_code == SEGV_ACCERR) {
uint64_t fault_addr = reinterpret_cast<uint64_t>(si->si_addr);
unwindstack::MapInfo* map_info = maps->Find(fault_addr);
if (map_info != nullptr && map_info->flags == PROT_EXEC) {
cause = "execute-only (no-read) memory access error; likely due to data in .text.";
} else {
cause = get_stack_overflow_cause(fault_addr, regs->sp(), maps);
}
} else if (si->si_signo == SIGSYS && si->si_code == SYS_SECCOMP) {
cause = StringPrintf("seccomp prevented call to disallowed %s system call %d", ABI_STRING,
si->si_syscall);
}
if (cause) {
tombstone->mutable_cause()->set_human_readable(*cause);
}
}
static void dump_abort_message(Tombstone* tombstone, unwindstack::Unwinder* unwinder,
const ProcessInfo& process_info) {
std::shared_ptr<unwindstack::Memory> process_memory = unwinder->GetProcessMemory();
uintptr_t address = process_info.abort_msg_address;
if (address == 0) {
return;
}
size_t length;
if (!process_memory->ReadFully(address, &length, sizeof(length))) {
async_safe_format_log(ANDROID_LOG_ERROR, LOG_TAG, "failed to read abort message header: %s",
strerror(errno));
return;
}
// The length field includes the length of the length field itself.
if (length < sizeof(size_t)) {
async_safe_format_log(ANDROID_LOG_ERROR, LOG_TAG,
"abort message header malformed: claimed length = %zu", length);
return;
}
length -= sizeof(size_t);
// The abort message should be null terminated already, but reserve a spot for NUL just in case.
std::string msg;
msg.resize(length);
if (!process_memory->ReadFully(address + sizeof(length), &msg[0], length)) {
async_safe_format_log(ANDROID_LOG_ERROR, LOG_TAG, "failed to read abort message header: %s",
strerror(errno));
return;
}
tombstone->set_abort_message(msg);
}
static void dump_open_fds(Tombstone* tombstone, const OpenFilesList* open_files) {
if (open_files) {
for (auto& [fd, entry] : *open_files) {
FD f;
f.set_fd(fd);
const std::optional<std::string>& path = entry.path;
if (path) {
f.set_path(*path);
}
const std::optional<uint64_t>& fdsan_owner = entry.fdsan_owner;
if (fdsan_owner) {
const char* type = android_fdsan_get_tag_type(*fdsan_owner);
uint64_t value = android_fdsan_get_tag_value(*fdsan_owner);
f.set_owner(type);
f.set_tag(value);
}
*tombstone->add_open_fds() = f;
}
}
}
static void dump_thread(Tombstone* tombstone, unwindstack::Unwinder* unwinder,
const ThreadInfo& thread_info, bool memory_dump = false) {
Thread thread;
thread.set_id(thread_info.tid);
thread.set_name(thread_info.thread_name);
unwindstack::Maps* maps = unwinder->GetMaps();
unwindstack::Memory* memory = unwinder->GetProcessMemory().get();
thread_info.registers->IterateRegisters(
[&thread, memory_dump, maps, memory](const char* name, uint64_t value) {
Register r;
r.set_name(name);
r.set_u64(value);
*thread.add_registers() = r;
if (memory_dump) {
MemoryDump dump;
char buf[256];
size_t start_offset = 0;
ssize_t bytes = dump_memory(buf, sizeof(buf), &start_offset, &value, memory);
if (bytes == -1) {
return;
}
dump.set_register_name(name);
unwindstack::MapInfo* map_info = maps->Find(untag_address(value));
if (map_info) {
dump.set_mapping_name(map_info->name);
}
dump.set_begin_address(value);
if (start_offset + bytes > sizeof(buf)) {
async_safe_fatal("dump_memory overflowed? start offset = %zu, bytes read = %zd",
start_offset, bytes);
}
dump.set_memory(buf, start_offset + bytes);
*thread.add_memory_dump() = std::move(dump);
}
});
std::unique_ptr<unwindstack::Regs> regs_copy(thread_info.registers->Clone());
unwinder->SetRegs(regs_copy.get());
unwinder->Unwind();
if (unwinder->NumFrames() == 0) {
async_safe_format_log(ANDROID_LOG_ERROR, LOG_TAG, "failed to unwind");
if (unwinder->LastErrorCode() != unwindstack::ERROR_NONE) {
async_safe_format_log(ANDROID_LOG_ERROR, LOG_TAG, " error code: %s",
unwinder->LastErrorCodeString());
async_safe_format_log(ANDROID_LOG_ERROR, LOG_TAG, " error address: 0x%" PRIx64,
unwinder->LastErrorAddress());
}
} else {
unwinder->SetDisplayBuildID(true);
for (const auto& frame : unwinder->frames()) {
BacktraceFrame* f = thread.add_current_backtrace();
f->set_rel_pc(frame.rel_pc);
f->set_pc(frame.pc);
f->set_sp(frame.sp);
if (!frame.function_name.empty()) {
// TODO: Should this happen here, or on the display side?
char* demangled_name =
__cxa_demangle(frame.function_name.c_str(), nullptr, nullptr, nullptr);
if (demangled_name) {
f->set_function_name(demangled_name);
free(demangled_name);
} else {
f->set_function_name(frame.function_name);
}
}
f->set_function_offset(frame.function_offset);
if (frame.map_start == frame.map_end) {
// No valid map associated with this frame.
f->set_file_name("<unknown>");
} else if (!frame.map_name.empty()) {
f->set_file_name(frame.map_name);
} else {
f->set_file_name(StringPrintf("<anonymous:%" PRIx64 ">", frame.map_start));
}
f->set_file_map_offset(frame.map_elf_start_offset);
unwindstack::MapInfo* map_info = maps->Find(frame.map_start);
if (map_info) {
f->set_build_id(map_info->GetPrintableBuildID());
}
}
}
auto& threads = *tombstone->mutable_threads();
threads[thread_info.tid] = thread;
}
static void dump_main_thread(Tombstone* tombstone, unwindstack::Unwinder* unwinder,
const ThreadInfo& thread_info) {
dump_thread(tombstone, unwinder, thread_info, true);
}
static void dump_mappings(Tombstone* tombstone, unwindstack::Unwinder* unwinder) {
unwindstack::Maps* maps = unwinder->GetMaps();
std::shared_ptr<unwindstack::Memory> process_memory = unwinder->GetProcessMemory();
for (const auto& map_info : *maps) {
auto* map = tombstone->add_memory_mappings();
map->set_begin_address(map_info->start);
map->set_end_address(map_info->end);
map->set_offset(map_info->offset);
if (map_info->flags & PROT_READ) {
map->set_read(true);
}
if (map_info->flags & PROT_WRITE) {
map->set_write(true);
}
if (map_info->flags & PROT_EXEC) {
map->set_execute(true);
}
map->set_mapping_name(map_info->name);
std::string build_id = map_info->GetPrintableBuildID();
if (!build_id.empty()) {
map->set_build_id(build_id);
}
map->set_load_bias(map_info->GetLoadBias(process_memory));
}
}
static void dump_log_file(Tombstone* tombstone, const char* logger, pid_t pid) {
logger_list* logger_list =
android_logger_list_open(android_name_to_log_id(logger), ANDROID_LOG_NONBLOCK, 0, pid);
LogBuffer buffer;
while (true) {
log_msg log_entry;
ssize_t actual = android_logger_list_read(logger_list, &log_entry);
if (actual < 0) {
if (actual == -EINTR) {
// interrupted by signal, retry
continue;
}
if (actual == -EAGAIN) {
// non-blocking EOF; we're done
break;
} else {
break;
}
} else if (actual == 0) {
break;
}
char timestamp_secs[32];
time_t sec = static_cast<time_t>(log_entry.entry.sec);
tm tm;
localtime_r(&sec, &tm);
strftime(timestamp_secs, sizeof(timestamp_secs), "%m-%d %H:%M:%S", &tm);
std::string timestamp =
StringPrintf("%s.%03d", timestamp_secs, log_entry.entry.nsec / 1'000'000);
// Msg format is: <priority:1><tag:N>\0<message:N>\0
char* msg = log_entry.msg();
if (msg == nullptr) {
continue;
}
unsigned char prio = msg[0];
char* tag = msg + 1;
msg = tag + strlen(tag) + 1;
// consume any trailing newlines
char* nl = msg + strlen(msg) - 1;
while (nl >= msg && *nl == '\n') {
*nl-- = '\0';
}
// Look for line breaks ('\n') and display each text line
// on a separate line, prefixed with the header, like logcat does.
do {
nl = strchr(msg, '\n');
if (nl != nullptr) {
*nl = '\0';
++nl;
}
LogMessage* log_msg = buffer.add_logs();
log_msg->set_timestamp(timestamp);
log_msg->set_pid(log_entry.entry.pid);
log_msg->set_tid(log_entry.entry.tid);
log_msg->set_priority(prio);
log_msg->set_tag(tag);
log_msg->set_message(msg);
} while ((msg = nl));
}
android_logger_list_free(logger_list);
if (!buffer.logs().empty()) {
buffer.set_name(logger);
*tombstone->add_log_buffers() = std::move(buffer);
}
}
static void dump_logcat(Tombstone* tombstone, pid_t pid) {
dump_log_file(tombstone, "system", pid);
dump_log_file(tombstone, "main", pid);
}
void engrave_tombstone_proto(Tombstone* tombstone, unwindstack::Unwinder* unwinder,
const std::map<pid_t, ThreadInfo>& threads, pid_t target_thread,
const ProcessInfo& process_info, const OpenFilesList* open_files) {
Tombstone result;
result.set_arch(get_arch());
result.set_build_fingerprint(android::base::GetProperty("ro.build.fingerprint", "unknown"));
result.set_revision(android::base::GetProperty("ro.revision", "unknown"));
result.set_timestamp(get_timestamp());
const ThreadInfo& main_thread = threads.at(target_thread);
result.set_pid(main_thread.pid);
result.set_tid(main_thread.tid);
result.set_uid(main_thread.uid);
result.set_selinux_label(main_thread.selinux_label);
result.set_process_name(main_thread.process_name);
if (!main_thread.siginfo) {
async_safe_fatal("siginfo missing");
}
Signal sig;
sig.set_number(main_thread.signo);
sig.set_name(get_signame(main_thread.siginfo));
sig.set_code(main_thread.siginfo->si_code);
sig.set_code_name(get_sigcode(main_thread.siginfo));
if (signal_has_sender(main_thread.siginfo, main_thread.pid)) {
sig.set_has_sender(true);
sig.set_sender_uid(main_thread.siginfo->si_uid);
sig.set_sender_pid(main_thread.siginfo->si_pid);
}
if (process_info.has_fault_address) {
sig.set_has_fault_address(true);
sig.set_fault_address(process_info.untagged_fault_address);
}
*result.mutable_signal_info() = sig;
dump_abort_message(&result, unwinder, process_info);
dump_main_thread(&result, unwinder, main_thread);
for (const auto& [tid, thread_info] : threads) {
if (tid != target_thread) {
dump_thread(&result, unwinder, thread_info);
}
}
dump_probable_cause(&result, main_thread.siginfo, unwinder->GetMaps(),
main_thread.registers.get());
dump_mappings(&result, unwinder);
// Only dump logs on debuggable devices.
if (android::base::GetBoolProperty("ro.debuggable", false)) {
dump_logcat(&result, main_thread.pid);
}
dump_open_fds(&result, open_files);
*tombstone = std::move(result);
}
|
