immediate_crash.h (5602B)


// Copyright 2019 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef BASE_IMMEDIATE_CRASH_H_
#define BASE_IMMEDIATE_CRASH_H_

// Expected to provide the COMPILER_*, ARCH_CPU_* and BUILDFLAG() macros that
// select the trap sequence below; this is the only include in this header.
#include "build/build_config.h"

// Crashes in the fastest possible way with no attempt at logging.
// There are several constraints; see http://crbug.com/664209 for more context.
//
// - TRAP_SEQUENCE_() must be fatal. It should not be possible to ignore the
//   resulting exception or simply hit 'continue' to skip over it in a debugger.
// - Different instances of TRAP_SEQUENCE_() must not be folded together, to
//   ensure crash reports are debuggable. Unlike __builtin_trap(), asm volatile
//   blocks will not be folded together.
//   Note: TRAP_SEQUENCE_() previously required an instruction with a unique
//   nonce since unlike clang, GCC folds together identical asm volatile
//   blocks.
// - TRAP_SEQUENCE_() must produce a signal that is distinct from an invalid
//   memory access.
// - TRAP_SEQUENCE_() must be treated as a set of noreturn instructions.
//   __builtin_unreachable() is used to provide that hint here. clang also uses
//   this as a heuristic to pack the instructions in the function epilogue to
//   improve code density.
// - base::ImmediateCrash() is used in allocation hooks. To prevent recursions,
//   TRAP_SEQUENCE_() must not allocate.
//
// Additional properties that are nice to have:
// - TRAP_SEQUENCE_() should be as compact as possible.
// - The first instruction of TRAP_SEQUENCE_() should not change, to avoid
//   shifting crash reporting clusters. As a consequence of this, explicit
//   assembly is preferred over intrinsics.
//   Note: this last bullet point may no longer be true, and may be removed in
//   the future.

// Note: TRAP_SEQUENCE is currently split into two macro helpers due to the fact
// that clang emits an actual instruction for __builtin_unreachable() on certain
// platforms (see https://crbug.com/958675). In addition, the int3/bkpt/brk will
// be removed in followups, so splitting it up like this now makes it easy to
// land the followups.

// GCC-compatible toolchains: pick a per-architecture inline-asm trap. The
// clang-cl case (clang without COMPILER_GCC) is handled in the MSVC branch.
#if defined(COMPILER_GCC)

#if BUILDFLAG(IS_NACL)

// Crash report accuracy is not guaranteed on NaCl.
#define TRAP_SEQUENCE1_() __builtin_trap()
#define TRAP_SEQUENCE2_() asm volatile("")

#elif defined(ARCH_CPU_X86_FAMILY)

// TODO(https://crbug.com/958675): In theory, it should be possible to use just
// int3. However, there are a number of crashes with SIGILL as the exception
// code, so it seems likely that there's a signal handler that allows execution
// to continue after SIGTRAP.
#define TRAP_SEQUENCE1_() asm volatile("int3")

#if BUILDFLAG(IS_APPLE)
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see IMMEDIATE_CRASH below) and already emits a ud2 on Mac.
#define TRAP_SEQUENCE2_() asm volatile("")
#else
// ud2 raises an invalid-opcode exception, so the crash still happens even if
// a handler resumes execution after the int3 above.
#define TRAP_SEQUENCE2_() asm volatile("ud2")
#endif  // BUILDFLAG(IS_APPLE)

#elif defined(ARCH_CPU_ARMEL)

// bkpt will generate a SIGBUS when running on armv7 and a SIGTRAP when running
// as a 32 bit userspace app on arm64. There doesn't seem to be any way to
// cause a SIGTRAP from userspace without using a syscall (which would be a
// problem for sandboxing).
// TODO(https://crbug.com/958675): Remove bkpt from this sequence.
#define TRAP_SEQUENCE1_() asm volatile("bkpt #0")
#define TRAP_SEQUENCE2_() asm volatile("udf #0")

#elif defined(ARCH_CPU_ARM64)

// This will always generate a SIGTRAP on arm64.
// TODO(https://crbug.com/958675): Remove brk from this sequence.
#define TRAP_SEQUENCE1_() asm volatile("brk #0")
#define TRAP_SEQUENCE2_() asm volatile("hlt #0")

#else

// Crash report accuracy will not be guaranteed on other architectures, but at
// least this will crash as expected.
#define TRAP_SEQUENCE1_() __builtin_trap()
#define TRAP_SEQUENCE2_() asm volatile("")

#endif  // ARCH_CPU_*

#elif defined(COMPILER_MSVC)

#if !defined(__clang__)

// MSVC x64 doesn't support inline asm, so use the MSVC intrinsic.
#define TRAP_SEQUENCE1_() __debugbreak()
// Intentionally empty: plain MSVC gets no second instruction after
// __debugbreak().
#define TRAP_SEQUENCE2_()

#elif defined(ARCH_CPU_ARM64)

// Windows ARM64 uses "BRK #F000" as its breakpoint instruction, and
// __debugbreak() generates that in both VC++ and clang.
#define TRAP_SEQUENCE1_() __debugbreak()
// Intentionally empty: __builtin_unreachable() is always part of the sequence
// (see IMMEDIATE_CRASH below) and already emits a ud2 on Win64,
// https://crbug.com/958373
#define TRAP_SEQUENCE2_() __asm volatile("")

#else

// clang-cl on x86 family: same int3/ud2 pair as the COMPILER_GCC x86 branch.
#define TRAP_SEQUENCE1_() asm volatile("int3")
#define TRAP_SEQUENCE2_() asm volatile("ud2")

#endif  // __clang__

#else

#error No supported trap sequence!

#endif  // COMPILER_GCC

// Combines the two helpers into one statement. The do/while(false) wrapper
// lets the macro be used wherever a single statement is expected (e.g. as an
// unbraced if-body) and requires the caller's trailing semicolon. `false` is
// the C++ keyword; this header is C++ (see the namespace below).
#define TRAP_SEQUENCE_() \
  do {                   \
    TRAP_SEQUENCE1_();   \
    TRAP_SEQUENCE2_();   \
  } while (false)

// This version of ALWAYS_INLINE inlines even in is_debug=true.
// TODO(pbos): See if NDEBUG can be dropped from ALWAYS_INLINE as well, and if
// so merge. Otherwise document why it cannot inline in debug in
// base/compiler_specific.h.
#if defined(COMPILER_GCC)
#define IMMEDIATE_CRASH_ALWAYS_INLINE inline __attribute__((__always_inline__))
#elif defined(COMPILER_MSVC)
#define IMMEDIATE_CRASH_ALWAYS_INLINE __forceinline
#else
#define IMMEDIATE_CRASH_ALWAYS_INLINE inline
#endif
    142 
namespace base {

// Terminates the process immediately: no logging, no allocation, no cleanup,
// and it never returns (see the constraints at the top of this file). Used on
// paths where continuing is unsafe, e.g. allocation hooks, so the crash site
// stays attributable in reports.
// TRAP_SEQUENCE_() must be fatal: [[noreturn]] tells the compiler that no
// return path exists, and returning from a [[noreturn]] function is undefined
// behaviour.
[[noreturn]] IMMEDIATE_CRASH_ALWAYS_INLINE void ImmediateCrash() {
  TRAP_SEQUENCE_();
  // Placed after the trap so the compiler treats the sequence as a set of
  // noreturn instructions (and, on clang, packs the epilogue). Only clang and
  // GCC-compatible compilers offer this builtin; the plain-MSVC branch gets no
  // such hint here.
#if defined(__clang__) || defined(COMPILER_GCC)
  __builtin_unreachable();
#endif  // defined(__clang__) || defined(COMPILER_GCC)
}

}  // namespace base

#endif  // BASE_IMMEDIATE_CRASH_H_