1 // Copyright 2019 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef THIRD_PARTY_BASE_IMMEDIATE_CRASH_H_
6 #define THIRD_PARTY_BASE_IMMEDIATE_CRASH_H_
7 
8 #include "build/build_config.h"
9 
10 // Crashes in the fastest possible way with no attempt at logging.
11 // There are several constraints; see http://crbug.com/664209 for more context.
12 //
13 // - TRAP_SEQUENCE_() must be fatal. It should not be possible to ignore the
14 //   resulting exception or simply hit 'continue' to skip over it in a debugger.
15 // - Different instances of TRAP_SEQUENCE_() must not be folded together, to
16 //   ensure crash reports are debuggable. Unlike __builtin_trap(), asm volatile
17 //   blocks will not be folded together.
18 //   Note: TRAP_SEQUENCE_() previously required an instruction with a unique
19 //   nonce since unlike clang, GCC folds together identical asm volatile
20 //   blocks.
21 // - TRAP_SEQUENCE_() must produce a signal that is distinct from an invalid
22 //   memory access.
23 // - TRAP_SEQUENCE_() must be treated as a set of noreturn instructions.
24 //   __builtin_unreachable() is used to provide that hint here. clang also uses
25 //   this as a heuristic to pack the instructions in the function epilogue to
26 //   improve code density.
27 //
28 // Additional properties that are nice to have:
29 // - TRAP_SEQUENCE_() should be as compact as possible.
30 // - The first instruction of TRAP_SEQUENCE_() should not change, to avoid
31 //   shifting crash reporting clusters. As a consequence of this, explicit
32 //   assembly is preferred over intrinsics.
33 //   Note: this last bullet point may no longer be true, and may be removed in
34 //   the future.
35 
36 // Note: TRAP_SEQUENCE is currently split into two macro helpers due to the fact
37 // that clang emits an actual instruction for __builtin_unreachable() on certain
38 // platforms (see https://crbug.com/958675). In addition, the int3/bkpt/brk will
39 // be removed in followups, so splitting it up like this now makes it easy to
40 // land the followups.
41 
// Selects the two halves of the trap sequence, TRAP_SEQUENCE1_() and
// TRAP_SEQUENCE2_(), per compiler and CPU architecture. Any configuration that
// is neither COMPILER_GCC nor COMPILER_MSVC is rejected at compile time by the
// #error at the end of this ladder.
#if defined(COMPILER_GCC)

#if BUILDFLAG(IS_NACL)

// Crash report accuracy is not guaranteed on NaCl.
#define TRAP_SEQUENCE1_() __builtin_trap()
#define TRAP_SEQUENCE2_() asm volatile("")

#elif defined(ARCH_CPU_X86_FAMILY)

// TODO(https://crbug.com/958675): In theory, it should be possible to use just
// int3. However, there are a number of crashes with SIGILL as the exception
// code, so it seems likely that there's a signal handler that allows execution
// to continue after SIGTRAP.
// NOTE(review): presumably this is why a second faulting instruction follows
// int3 -- if the first trap is handled and execution resumes, the sequence
// still has to end the process. Confirm against the linked bug.
#define TRAP_SEQUENCE1_() asm volatile("int3")

#if BUILDFLAG(IS_APPLE)
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see IMMEDIATE_CRASH below) and already emits a ud2 on Mac.
// In this file the __builtin_unreachable() call lives in
// pdfium::base::ImmediateCrash(); there is no IMMEDIATE_CRASH macro here.
#define TRAP_SEQUENCE2_() asm volatile("")
#else
#define TRAP_SEQUENCE2_() asm volatile("ud2")
#endif  // BUILDFLAG(IS_APPLE)

#elif defined(ARCH_CPU_ARMEL)

// bkpt will generate a SIGBUS when running on armv7 and a SIGTRAP when running
// as a 32 bit userspace app on arm64. There doesn't seem to be any way to
// cause a SIGTRAP from userspace without using a syscall (which would be a
// problem for sandboxing).
// TODO(https://crbug.com/958675): Remove bkpt from this sequence.
#define TRAP_SEQUENCE1_() asm volatile("bkpt #0")
#define TRAP_SEQUENCE2_() asm volatile("udf #0")

#elif defined(ARCH_CPU_ARM64)

// This will always generate a SIGTRAP on arm64.
// TODO(https://crbug.com/958675): Remove brk from this sequence.
#define TRAP_SEQUENCE1_() asm volatile("brk #0")
#define TRAP_SEQUENCE2_() asm volatile("hlt #0")

#else

// Crash report accuracy will not be guaranteed on other architectures, but at
// least this will crash as expected.
#define TRAP_SEQUENCE1_() __builtin_trap()
#define TRAP_SEQUENCE2_() asm volatile("")

#endif  // ARCH_CPU_*

#elif defined(COMPILER_MSVC)

#if !defined(__clang__)

// MSVC x64 doesn't support inline asm, so use the MSVC intrinsic.
// TRAP_SEQUENCE2_() expands to nothing here, and ImmediateCrash() only adds
// __builtin_unreachable() for clang/GCC, so __debugbreak() is the entire
// sequence in this configuration.
// NOTE(review): the "must be fatal, cannot be continued past" constraint then
// rests on __debugbreak() alone -- confirm that holds for this toolchain.
#define TRAP_SEQUENCE1_() __debugbreak()
#define TRAP_SEQUENCE2_()

#elif defined(ARCH_CPU_ARM64)

// Windows ARM64 uses "BRK #F000" as its breakpoint instruction, and
// __debugbreak() generates that in both VC++ and clang.
#define TRAP_SEQUENCE1_() __debugbreak()
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see IMMEDIATE_CRASH below) and already emits a ud2 on Win64,
// https://crbug.com/958373
// NOTE(review): ud2 is an x86 mnemonic, so the wording above looks carried
// over from the x86 case; confirm what __builtin_unreachable() emits on
// Windows ARM64.
#define TRAP_SEQUENCE2_() __asm volatile("")

#else

// clang targeting Windows on a non-ARM64 CPU: same int3 + ud2 pair as the
// non-Apple x86 branch of the COMPILER_GCC case above.
#define TRAP_SEQUENCE1_() asm volatile("int3")
#define TRAP_SEQUENCE2_() asm volatile("ud2")

#endif  // __clang__

#else

#error No supported trap sequence!

#endif  // COMPILER_GCC
122 
// The full trap sequence: TRAP_SEQUENCE1_() followed by TRAP_SEQUENCE2_(), in
// that order. The do { } while (false) wrapper makes the expansion a single
// statement, so the macro can be used wherever one statement is expected.
// Where TRAP_SEQUENCE2_() is defined empty, its line expands to a lone `;`.
#define TRAP_SEQUENCE_() \
  do {                   \
    TRAP_SEQUENCE1_();   \
    TRAP_SEQUENCE2_();   \
  } while (false)
128 
// This version of ALWAYS_INLINE inlines even in is_debug=true.
// TODO(pbos): See if NDEBUG can be dropped from ALWAYS_INLINE as well, and if
// so merge. Otherwise document why it cannot inline in debug in
// base/compiler_specific.h.
//
// The plain `inline` fallback below is effectively unreachable in this header:
// a build that defines neither COMPILER_GCC nor COMPILER_MSVC already stops at
// the "#error No supported trap sequence!" directive above.
#if defined(COMPILER_GCC)
#define IMMEDIATE_CRASH_ALWAYS_INLINE inline __attribute__((__always_inline__))
#elif defined(COMPILER_MSVC)
#define IMMEDIATE_CRASH_ALWAYS_INLINE __forceinline
#else
#define IMMEDIATE_CRASH_ALWAYS_INLINE inline
#endif
140 
namespace pdfium {
namespace base {

// Crashes the process by executing TRAP_SEQUENCE_(), with no attempt at
// logging. Declared [[noreturn]]; callers must not expect control to come back.
//
// Forced inline via IMMEDIATE_CRASH_ALWAYS_INLINE, presumably so that each call
// site carries its own copy of the trap instructions and crash reports point at
// the caller rather than at one shared function -- see the "must not be folded
// together" constraint at the top of this header.
[[noreturn]] IMMEDIATE_CRASH_ALWAYS_INLINE void ImmediateCrash() {
  TRAP_SEQUENCE_();
#if defined(__clang__) || defined(COMPILER_GCC)
  // Tells the compiler that nothing after the trap sequence is reachable. On
  // some platforms clang emits an actual instruction for this (see the
  // TRAP_SEQUENCE2_() comments above), which is why TRAP_SEQUENCE2_() is left
  // empty there.
  __builtin_unreachable();
#endif  // defined(__clang__) || defined(COMPILER_GCC)
  // NOTE(review): with MSVC and no clang, nothing follows the trap sequence
  // and TRAP_SEQUENCE2_() is empty, so a resumed __debugbreak() would fall off
  // the end of a [[noreturn]] function -- confirm this cannot happen.
}

}  // namespace base
}  // namespace pdfium
153 
154 #endif  // THIRD_PARTY_BASE_IMMEDIATE_CRASH_H_
155