1 // Copyright 2019 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef BASE_IMMEDIATE_CRASH_H_
6 #define BASE_IMMEDIATE_CRASH_H_
7 
8 #include "base/fuzzing_buildflags.h"
9 #include "build/build_config.h"
10 
11 #if !(defined(OFFICIAL_BUILD) || BUILDFLAG(IS_WIN))
12 #include <stdlib.h>
13 #endif
14 
15 #if BUILDFLAG(USE_FUZZING_ENGINE) && BUILDFLAG(IS_LINUX)
16 // The fuzzing coverage display wants to record coverage even
17 // for failure cases. It's Linux-only. So on Linux, dump coverage
18 // before we immediately exit. We provide a weak symbol so that
19 // this causes no link problems on configurations that don't involve
20 // coverage. (This wouldn't work on Windows due to limitations of
21 // weak symbol linkage.)
22 extern "C" int __attribute__((weak)) __llvm_profile_write_file(void);
23 #endif  // BUILDFLAG(USE_FUZZING_ENGINE) && BUILDFLAG(IS_LINUX)
24 
25 // Crashes in the fastest possible way with no attempt at logging.
26 // There are several constraints; see http://crbug.com/664209 for more context.
27 //
28 // - TRAP_SEQUENCE_() must be fatal. It should not be possible to ignore the
29 //   resulting exception or simply hit 'continue' to skip over it in a debugger.
30 // - Different instances of TRAP_SEQUENCE_() must not be folded together, to
31 //   ensure crash reports are debuggable. Unlike __builtin_trap(), asm volatile
32 //   blocks will not be folded together.
33 //   Note: TRAP_SEQUENCE_() previously required an instruction with a unique
34 //   nonce since unlike clang, GCC folds together identical asm volatile
35 //   blocks.
36 // - TRAP_SEQUENCE_() must produce a signal that is distinct from an invalid
37 //   memory access.
38 // - TRAP_SEQUENCE_() must be treated as a set of noreturn instructions.
39 //   __builtin_unreachable() is used to provide that hint here. clang also uses
40 //   this as a heuristic to pack the instructions in the function epilogue to
41 //   improve code density.
42 // - base::ImmediateCrash() is used in allocation hooks. To prevent recursions,
43 //   TRAP_SEQUENCE_() must not allocate.
44 //
45 // Additional properties that are nice to have:
46 // - TRAP_SEQUENCE_() should be as compact as possible.
47 // - The first instruction of TRAP_SEQUENCE_() should not change, to avoid
48 //   shifting crash reporting clusters. As a consequence of this, explicit
49 //   assembly is preferred over intrinsics.
50 //   Note: this last bullet point may no longer be true, and may be removed in
51 //   the future.
52 
53 // Note: TRAP_SEQUENCE_() is currently split into two macro helpers due to the fact
54 // that clang emits an actual instruction for __builtin_unreachable() on certain
55 // platforms (see https://crbug.com/958675). In addition, the int3/bkpt/brk will
56 // be removed in followups, so splitting it up like this now makes it easy to
57 // land the followups.
58 
// Platform-specific halves of TRAP_SEQUENCE_(), combined below.
// TRAP_SEQUENCE1_() is the leading breakpoint-style instruction; its address is
// what crash reports cluster on (see "first instruction should not change"
// above). TRAP_SEQUENCE2_() follows it so that execution still stops if the
// first trap is handled and resumed (the SIGILL reports mentioned below
// suggest this happens in practice).
#if defined(COMPILER_GCC)

#if BUILDFLAG(IS_NACL)

// Crash report accuracy is not guaranteed on NaCl.
#define TRAP_SEQUENCE1_() __builtin_trap()
#define TRAP_SEQUENCE2_() asm volatile("")

#elif defined(ARCH_CPU_X86_FAMILY)

// TODO(crbug.com/40625592): In theory, it should be possible to use just
// int3. However, there are a number of crashes with SIGILL as the exception
// code, so it seems likely that there's a signal handler that allows execution
// to continue after SIGTRAP.
#define TRAP_SEQUENCE1_() asm volatile("int3")

#if BUILDFLAG(IS_APPLE)
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see base::ImmediateCrash() below) and already emits a ud2 on Mac.
#define TRAP_SEQUENCE2_() asm volatile("")
#else
// ud2 raises SIGILL, which is distinct from the SIGTRAP of int3 and from an
// invalid memory access, as the constraints above require.
#define TRAP_SEQUENCE2_() asm volatile("ud2")
#endif  // BUILDFLAG(IS_APPLE)

#elif defined(ARCH_CPU_ARMEL)

// bkpt will generate a SIGBUS when running on armv7 and a SIGTRAP when running
// as a 32 bit userspace app on arm64. There doesn't seem to be any way to
// cause a SIGTRAP from userspace without using a syscall (which would be a
// problem for sandboxing).
// TODO(crbug.com/40625592): Remove bkpt from this sequence.
#define TRAP_SEQUENCE1_() asm volatile("bkpt #0")
#define TRAP_SEQUENCE2_() asm volatile("udf #0")

#elif defined(ARCH_CPU_ARM64)

// This will always generate a SIGTRAP on arm64.
// TODO(crbug.com/40625592): Remove brk from this sequence.
#define TRAP_SEQUENCE1_() asm volatile("brk #0")
#define TRAP_SEQUENCE2_() asm volatile("hlt #0")

#else

// Crash report accuracy will not be guaranteed on other architectures, but at
// least this will crash as expected.
#define TRAP_SEQUENCE1_() __builtin_trap()
#define TRAP_SEQUENCE2_() asm volatile("")

#endif  // ARCH_CPU_*

#elif defined(COMPILER_MSVC)

#if !defined(__clang__)

// MSVC x64 doesn't support inline asm, so use the MSVC intrinsic.
#define TRAP_SEQUENCE1_() __debugbreak()
// Intentionally empty: no second instruction without inline asm. Note that
// base::ImmediateCrash() below also emits __builtin_unreachable() only for
// clang/GCC, so on pure MSVC __debugbreak() is the whole sequence.
#define TRAP_SEQUENCE2_()

#elif defined(ARCH_CPU_ARM64)

// Windows ARM64 uses "BRK #F000" as its breakpoint instruction, and
// __debugbreak() generates that in both VC++ and clang.
#define TRAP_SEQUENCE1_() __debugbreak()
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see base::ImmediateCrash() below) and already emits a ud2 on Win64,
// https://crbug.com/958373
#define TRAP_SEQUENCE2_() __asm volatile("")

#else

#define TRAP_SEQUENCE1_() asm volatile("int3")
#define TRAP_SEQUENCE2_() asm volatile("ud2")

#endif  // __clang__

#else

#error No supported trap sequence!

#endif  // COMPILER_GCC

// The complete fatal trap: both halves wrapped in do/while(false) so the macro
// behaves as a single statement at the call site.
#define TRAP_SEQUENCE_() \
  do {                   \
    TRAP_SEQUENCE1_();   \
    TRAP_SEQUENCE2_();   \
  } while (false)
145 
146 // This version of ALWAYS_INLINE inlines even in is_debug=true.
147 // TODO(pbos): See if NDEBUG can be dropped from ALWAYS_INLINE as well, and if
148 // so merge. Otherwise document why it cannot inline in debug in
149 // base/compiler_specific.h.
150 #if defined(COMPILER_GCC)
151 #define IMMEDIATE_CRASH_ALWAYS_INLINE inline __attribute__((__always_inline__))
152 #elif defined(COMPILER_MSVC)
153 #define IMMEDIATE_CRASH_ALWAYS_INLINE __forceinline
154 #else
155 #define IMMEDIATE_CRASH_ALWAYS_INLINE inline
156 #endif
157 
158 namespace base {
159 
// Terminates the process as fast as possible with no logging. See the
// TRAP_SEQUENCE_() constraints above: the trap must be fatal (a debugger or
// signal handler must not be able to simply continue past it), call sites
// must not be folded together, and nothing here may allocate because this is
// reachable from allocation hooks. Always inlined, presumably so that each
// caller keeps its own trap instruction and the crash address identifies the
// call site.
[[noreturn]] IMMEDIATE_CRASH_ALWAYS_INLINE void ImmediateCrash() {
#if BUILDFLAG(USE_FUZZING_ENGINE) && BUILDFLAG(IS_LINUX)
  // A fuzzer run will often handle many successful cases then
  // find one which crashes and dies. It's important that the
  // coverage of those successful cases is represented when we're
  // considering fuzzing coverage. At the moment fuzzing coverage
  // is only measured on Linux, which is why this is Linux-
  // specific.
  // exit() arranges to write out coverage information because
  // an atexit handler is registered to do so, but there is no
  // such action in the std::abort case. Instead, manually write
  // out such coverage.
  // We could extend this step to all coverage builds, but
  // at present failing tests don't get coverage reported,
  // so we're retaining that behavior.
  // TODO(crbug.com/40948553): consider doing this for all coverage builds
  //
  // __llvm_profile_write_file is declared weak above, so it is null when the
  // binary carries no coverage instrumentation. This runs arbitrary profile
  // I/O before the crash, which is acceptable only because it is confined to
  // fuzzing builds by the #if; it is not part of the production trap path.
  if (__llvm_profile_write_file) {
    __llvm_profile_write_file();
  }
#endif  // BUILDFLAG(USE_FUZZING_ENGINE) && BUILDFLAG(IS_LINUX)

#if defined(OFFICIAL_BUILD) || BUILDFLAG(IS_WIN)
  // We can't use abort() on Windows because it results in the
  // abort/retry/ignore dialog which disrupts automated tests.
  // TODO(crbug.com/40948553): investigate if such dialogs can
  // be suppressed
  TRAP_SEQUENCE_();
  // Tell the compiler nothing follows the trap. Pure MSVC (no __clang__) is
  // excluded here and relies on [[noreturn]] alone.
#if defined(__clang__) || defined(COMPILER_GCC)
  __builtin_unreachable();
#endif  // defined(__clang__) || defined(COMPILER_GCC)
#else   // defined(OFFICIAL_BUILD) || BUILDFLAG(IS_WIN)
  // Non-official builds off Windows use plain abort() (from <stdlib.h>,
  // included above only for this configuration). Unlike the trap sequence, a
  // process-installed SIGABRT handler could in principle intercept this, so
  // the fatality guarantees described above apply to the official-build path.
  abort();
#endif  // defined(OFFICIAL_BUILD) || BUILDFLAG(IS_WIN)
}
194 
195 }  // namespace base
196 
197 #endif  // BASE_IMMEDIATE_CRASH_H_